bug 985201 - rename insanity::pkix to mozilla::pkix r=cviecco r=briansmith
authorDavid Keeler <dkeeler@mozilla.com>
Thu, 20 Mar 2014 14:29:21 -0700
changeset 174672 04ea38d3515f3dd7e739cfed8005fa70634c06fb
parent 174671 817ccd4562d0c518751b6b1e01ef64da1838014e
child 174673 98e17f725ba235fcd1fe65e5c640b47e1b788005
push id5831
push usercbook@mozilla.com
push dateFri, 21 Mar 2014 14:35:55 +0000
treeherderfx-team@fb2e04672ea6 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerscviecco, briansmith
bugs985201
milestone31.0a1
bug 985201 - rename insanity::pkix to mozilla::pkix r=cviecco r=briansmith
security/apps/AppSignatureVerification.cpp
security/apps/AppTrustDomain.cpp
security/apps/AppTrustDomain.h
security/apps/moz.build
security/certverifier/CertVerifier.cpp
security/certverifier/CertVerifier.h
security/certverifier/ExtendedValidation.cpp
security/certverifier/NSSCertDBTrustDomain.cpp
security/certverifier/NSSCertDBTrustDomain.h
security/certverifier/OCSPCache.cpp
security/certverifier/OCSPCache.h
security/certverifier/moz.build
security/insanity/include/insanity/ScopedPtr.h
security/insanity/include/insanity/bind.h
security/insanity/include/insanity/nullptr.h
security/insanity/include/insanity/pkix.h
security/insanity/include/insanity/pkixtypes.h
security/insanity/lib/pkixbind.cpp
security/insanity/lib/pkixbuild.cpp
security/insanity/lib/pkixcheck.cpp
security/insanity/lib/pkixcheck.h
security/insanity/lib/pkixder.cpp
security/insanity/lib/pkixder.h
security/insanity/lib/pkixkey.cpp
security/insanity/lib/pkixocsp.cpp
security/insanity/lib/pkixutil.h
security/insanity/moz.build
security/insanity/test/lib/moz.build
security/insanity/test/lib/pkixtestutil.cpp
security/insanity/test/lib/pkixtestutil.h
security/manager/ssl/src/SSLServerCertVerification.cpp
security/manager/ssl/src/TransportSecurityInfo.cpp
security/manager/ssl/src/moz.build
security/manager/ssl/src/nsCMS.cpp
security/manager/ssl/src/nsCertOverrideService.cpp
security/manager/ssl/src/nsCertPicker.cpp
security/manager/ssl/src/nsCertTree.cpp
security/manager/ssl/src/nsCrypto.cpp
security/manager/ssl/src/nsNSSCallbacks.cpp
security/manager/ssl/src/nsNSSCertCache.cpp
security/manager/ssl/src/nsNSSCertificate.cpp
security/manager/ssl/src/nsNSSCertificate.h
security/manager/ssl/src/nsNSSCertificateDB.cpp
security/manager/ssl/src/nsNSSComponent.cpp
security/manager/ssl/src/nsNSSIOLayer.cpp
security/manager/ssl/src/nsPKCS12Blob.cpp
security/manager/ssl/src/nsRecentBadCerts.cpp
security/manager/ssl/tests/gtest/moz.build
security/manager/ssl/tests/unit/test_cert_overrides.js
security/manager/ssl/tests/unit/test_cert_signatures.js
security/manager/ssl/tests/unit/test_cert_trust.js
security/manager/ssl/tests/unit/test_certificate_usages.js
security/manager/ssl/tests/unit/test_ev_certs.js
security/manager/ssl/tests/unit/test_getchain.js
security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
security/manager/ssl/tests/unit/test_name_constraints.js
security/manager/ssl/tests/unit/test_ocsp_caching.js
security/manager/ssl/tests/unit/test_ocsp_required.js
security/manager/ssl/tests/unit/test_ocsp_stapling.js
security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
security/manager/ssl/tests/unit/tlsserver/cmd/Makefile.in
security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
security/manager/ssl/tests/unit/tlsserver/lib/moz.build
security/pkix/include/pkix/ScopedPtr.h
security/pkix/include/pkix/bind.h
security/pkix/include/pkix/nullptr.h
security/pkix/include/pkix/pkix.h
security/pkix/include/pkix/pkixtypes.h
security/pkix/lib/pkixbind.cpp
security/pkix/lib/pkixbuild.cpp
security/pkix/lib/pkixcheck.cpp
security/pkix/lib/pkixcheck.h
security/pkix/lib/pkixder.cpp
security/pkix/lib/pkixder.h
security/pkix/lib/pkixkey.cpp
security/pkix/lib/pkixocsp.cpp
security/pkix/lib/pkixutil.h
security/pkix/moz.build
security/pkix/test/lib/moz.build
security/pkix/test/lib/pkixtestutil.cpp
security/pkix/test/lib/pkixtestutil.h
toolkit/components/telemetry/Histograms.json
--- a/security/apps/AppSignatureVerification.cpp
+++ b/security/apps/AppSignatureVerification.cpp
@@ -5,17 +5,17 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifdef MOZ_LOGGING
 #define FORCE_PR_LOG 1
 #endif
 
 #include "nsNSSCertificateDB.h"
 
-#include "insanity/pkix.h"
+#include "pkix/pkix.h"
 #include "mozilla/RefPtr.h"
 #include "CryptoTask.h"
 #include "AppTrustDomain.h"
 #include "nsComponentManagerUtils.h"
 #include "nsCOMPtr.h"
 #include "nsHashKeys.h"
 #include "nsIFile.h"
 #include "nsIInputStream.h"
@@ -28,17 +28,17 @@
 #include "ScopedNSSTypes.h"
 
 #include "base64.h"
 #include "certdb.h"
 #include "secmime.h"
 #include "plstr.h"
 #include "prlog.h"
 
-using namespace insanity::pkix;
+using namespace mozilla::pkix;
 using namespace mozilla;
 using namespace mozilla::psm;
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gPIPNSSLog;
 #endif
 
 namespace {
@@ -520,19 +520,19 @@ ParseMF(const char* filebuf, nsIZipReade
   }
 
   return NS_OK;
 }
 
 nsresult
 VerifySignature(AppTrustedRoot trustedRoot,
                 const SECItem& buffer, const SECItem& detachedDigest,
-        /*out*/ insanity::pkix::ScopedCERTCertList& builtChain)
+        /*out*/ mozilla::pkix::ScopedCERTCertList& builtChain)
 {
-  insanity::pkix::ScopedPtr<NSSCMSMessage, NSS_CMSMessage_Destroy>
+  mozilla::pkix::ScopedPtr<NSSCMSMessage, NSS_CMSMessage_Destroy>
     cmsMsg(NSS_CMSMessage_CreateFromDER(const_cast<SECItem*>(&buffer), nullptr,
                                         nullptr, nullptr, nullptr, nullptr,
                                         nullptr));
   if (!cmsMsg) {
     return NS_ERROR_CMS_VERIFY_ERROR_PROCESSING;
   }
 
   if (!NSS_CMSMessage_IsSigned(cmsMsg.get())) {
@@ -555,23 +555,23 @@ VerifySignature(AppTrustedRoot trustedRo
   // Set digest value.
   if (NSS_CMSSignedData_SetDigestValue(signedData, SEC_OID_SHA1,
                                        const_cast<SECItem*>(&detachedDigest))) {
     return NS_ERROR_CMS_VERIFY_BAD_DIGEST;
   }
 
   // Parse the certificates into CERTCertificate objects held in memory, so that
   // AppTrustDomain will be able to find them during path building.
-  insanity::pkix::ScopedCERTCertList certs(CERT_NewCertList());
+  mozilla::pkix::ScopedCERTCertList certs(CERT_NewCertList());
   if (!certs) {
     return NS_ERROR_OUT_OF_MEMORY;
   }
   if (signedData->rawCerts) {
     for (size_t i = 0; signedData->rawCerts[i]; ++i) {
-      insanity::pkix::ScopedCERTCertificate
+      mozilla::pkix::ScopedCERTCertificate
         cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
                                      signedData->rawCerts[i], nullptr, false,
                                      true));
       // Skip certificates that fail to parse
       if (cert) {
         if (CERT_AddCertToListTail(certs.get(), cert.get()) == SECSuccess) {
           cert.release(); // ownership transfered
         } else {
@@ -661,17 +661,17 @@ OpenSignedAppFile(AppTrustedRoot aTruste
   Digest sfCalculatedDigest;
   rv = FindAndLoadOneEntry(zip, NS_LITERAL_CSTRING(JAR_SF_SEARCH_STRING),
                            sfFilename, sfBuffer, &sfCalculatedDigest);
   if (NS_FAILED(rv)) {
     return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
   }
 
   sigBuffer.type = siBuffer;
-  insanity::pkix::ScopedCERTCertList builtChain;
+  mozilla::pkix::ScopedCERTCertList builtChain;
   rv = VerifySignature(aTrustedRoot, sigBuffer, sfCalculatedDigest.get(),
                        builtChain);
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   ScopedAutoSECItem mfDigest;
   rv = ParseSF(char_ptr_cast(sfBuffer.data), mfDigest);
--- a/security/apps/AppTrustDomain.cpp
+++ b/security/apps/AppTrustDomain.cpp
@@ -5,30 +5,30 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifdef MOZ_LOGGING
 #define FORCE_PR_LOG 1
 #endif
 
 #include "AppTrustDomain.h"
 #include "certdb.h"
-#include "insanity/pkix.h"
+#include "pkix/pkix.h"
 #include "mozilla/ArrayUtils.h"
 #include "nsIX509CertDB.h"
 #include "prerror.h"
 #include "secerr.h"
 
 // Generated in Makefile.in
 #include "marketplace-prod-public.inc"
 #include "marketplace-prod-reviewers.inc"
 #include "marketplace-dev-public.inc"
 #include "marketplace-dev-reviewers.inc"
 #include "xpcshell.inc"
 
-using namespace insanity::pkix;
+using namespace mozilla::pkix;
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gPIPNSSLog;
 #endif
 
 namespace mozilla { namespace psm {
 
 AppTrustDomain::AppTrustDomain(void* pinArg)
@@ -83,17 +83,17 @@ AppTrustDomain::SetTrustedRoot(AppTruste
   }
 
   return SECSuccess;
 }
 
 SECStatus
 AppTrustDomain::FindPotentialIssuers(const SECItem* encodedIssuerName,
                                      PRTime time,
-                             /*out*/ insanity::pkix::ScopedCERTCertList& results)
+                             /*out*/ mozilla::pkix::ScopedCERTCertList& results)
 {
   MOZ_ASSERT(mTrustedRoot);
   if (!mTrustedRoot) {
     PR_SetError(PR_INVALID_STATE_ERROR, 0);
     return SECFailure;
   }
 
   results = CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(),
@@ -163,17 +163,17 @@ AppTrustDomain::GetCertTrust(EndEntityOr
   *trustLevel = InheritsTrust;
   return SECSuccess;
 }
 
 SECStatus
 AppTrustDomain::VerifySignedData(const CERTSignedData* signedData,
                                   const CERTCertificate* cert)
 {
-  return ::insanity::pkix::VerifySignedData(signedData, cert, mPinArg);
+  return ::mozilla::pkix::VerifySignedData(signedData, cert, mPinArg);
 }
 
 SECStatus
 AppTrustDomain::CheckRevocation(EndEntityOrCA,
                                 const CERTCertificate*,
                                 /*const*/ CERTCertificate*,
                                 PRTime time,
                                 /*optional*/ const SECItem*)
--- a/security/apps/AppTrustDomain.h
+++ b/security/apps/AppTrustDomain.h
@@ -2,44 +2,44 @@
 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef mozilla_psm_AppsTrustDomain_h
 #define mozilla_psm_AppsTrustDomain_h
 
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "nsDebug.h"
 #include "nsIX509CertDB.h"
 
 namespace mozilla { namespace psm {
 
-class AppTrustDomain MOZ_FINAL : public insanity::pkix::TrustDomain
+class AppTrustDomain MOZ_FINAL : public mozilla::pkix::TrustDomain
 {
 public:
   AppTrustDomain(void* pinArg);
 
   SECStatus SetTrustedRoot(AppTrustedRoot trustedRoot);
 
-  SECStatus GetCertTrust(insanity::pkix::EndEntityOrCA endEntityOrCA,
+  SECStatus GetCertTrust(mozilla::pkix::EndEntityOrCA endEntityOrCA,
                          SECOidTag policy,
                          const CERTCertificate* candidateCert,
                  /*out*/ TrustLevel* trustLevel) MOZ_OVERRIDE;
   SECStatus FindPotentialIssuers(const SECItem* encodedIssuerName,
                                  PRTime time,
-                         /*out*/ insanity::pkix::ScopedCERTCertList& results)
+                         /*out*/ mozilla::pkix::ScopedCERTCertList& results)
                                  MOZ_OVERRIDE;
   SECStatus VerifySignedData(const CERTSignedData* signedData,
                              const CERTCertificate* cert) MOZ_OVERRIDE;
-  SECStatus CheckRevocation(insanity::pkix::EndEntityOrCA endEntityOrCA,
+  SECStatus CheckRevocation(mozilla::pkix::EndEntityOrCA endEntityOrCA,
                             const CERTCertificate* cert,
                             /*const*/ CERTCertificate* issuerCertToDup,
                             PRTime time,
                             /*optional*/ const SECItem* stapledOCSPresponse);
 private:
   void* mPinArg; // non-owning!
-  insanity::pkix::ScopedCERTCertificate mTrustedRoot;
+  mozilla::pkix::ScopedCERTCertificate mTrustedRoot;
 };
 
 } } // namespace mozilla::psm
 
 #endif // mozilla_psm_AppsTrustDomain_h
--- a/security/apps/moz.build
+++ b/security/apps/moz.build
@@ -11,15 +11,15 @@ SOURCES += [
 ]
 
 FAIL_ON_WARNINGS = True
 
 FINAL_LIBRARY = 'xul'
 
 LOCAL_INCLUDES += [
     '../certverifier',
-    '../insanity/include',
     '../manager/ssl/src',
+    '../pkix/include',
 ]
 
 DEFINES['NSS_ENABLE_ECC'] = 'True'
 for var in ('DLL_PREFIX', 'DLL_SUFFIX'):
     DEFINES[var] = '"%s"' % CONFIG[var]
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -3,28 +3,28 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "CertVerifier.h"
 
 #include <stdint.h>
 
-#include "insanity/pkix.h"
+#include "pkix/pkix.h"
 #include "ExtendedValidation.h"
 #include "NSSCertDBTrustDomain.h"
 #include "cert.h"
 #include "ocsp.h"
 #include "secerr.h"
 #include "prerror.h"
 #include "sslerr.h"
 
-// ScopedXXX in this file are insanity::pkix::ScopedXXX, not
+// ScopedXXX in this file are mozilla::pkix::ScopedXXX, not
 // mozilla::ScopedXXX.
-using namespace insanity::pkix;
+using namespace mozilla::pkix;
 using namespace mozilla::psm;
 
 #ifdef PR_LOGGING
 PRLogModuleInfo* gCertVerifierLog = nullptr;
 #endif
 
 namespace mozilla { namespace psm {
 
@@ -60,17 +60,17 @@ InitCertVerifierLog()
 #ifdef PR_LOGGING
   if (!gCertVerifierLog) {
     gCertVerifierLog = PR_NewLogModule("certverifier");
   }
 #endif
 }
 
 #if 0
-// Once we migrate to insanity::pkix or change the overridable error
+// Once we migrate to mozilla::pkix or change the overridable error
 // logic this will become unnecesary.
 static SECStatus
 insertErrorIntoVerifyLog(CERTCertificate* cert, const PRErrorCode err,
                          CERTVerifyLog* verifyLog){
   CERTVerifyLogNode* node;
   node = (CERTVerifyLogNode *)PORT_ArenaAlloc(verifyLog->arena,
                                               sizeof(CERTVerifyLogNode));
   if (!node) {
@@ -218,27 +218,27 @@ BuildCertChainForOneKeyUsage(TrustDomain
         PR_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE, 0);
       }
     }
   }
   return rv;
 }
 
 SECStatus
-CertVerifier::InsanityVerifyCert(
+CertVerifier::MozillaPKIXVerifyCert(
                    CERTCertificate* cert,
                    const SECCertificateUsage usage,
                    const PRTime time,
                    void* pinArg,
                    const Flags flags,
       /*optional*/ const SECItem* stapledOCSPResponse,
-  /*optional out*/ insanity::pkix::ScopedCERTCertList* validationChain,
+  /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain,
   /*optional out*/ SECOidTag* evOidPolicy)
 {
-  PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("Top of InsanityVerifyCert\n"));
+  PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("Top of MozillaPKIXVerifyCert\n"));
 
   PR_ASSERT(cert);
   PR_ASSERT(usage == certificateUsageSSLServer || !(flags & FLAG_MUST_BE_EV));
 
   if (validationChain) {
     *validationChain = nullptr;
   }
   if (evOidPolicy) {
@@ -262,17 +262,17 @@ CertVerifier::InsanityVerifyCert(
   // TODO(bug 970750): anyExtendedKeyUsage
   // TODO: encipherOnly/decipherOnly
   // S/MIME Key Usage: http://tools.ietf.org/html/rfc3850#section-4.4.2
   // S/MIME EKU:       http://tools.ietf.org/html/rfc3850#section-4.4.4
 
   // TODO(bug 915931): Pass in stapled OCSP response in all calls to
   //                   BuildCertChain.
 
-  insanity::pkix::ScopedCERTCertList builtChain;
+  mozilla::pkix::ScopedCERTCertList builtChain;
   switch (usage) {
     case certificateUsageSSLClient: {
       // XXX: We don't really have a trust bit for SSL client authentication so
       // just use trustEmail as it is the closest alternative.
       NSSCertDBTrustDomain trustDomain(trustEmail, ocspFetching, mOCSPCache,
                                        pinArg);
       rv = BuildCertChain(trustDomain, cert, time, MustBeEndEntity,
                           KU_DIGITAL_SIGNATURE,
@@ -384,18 +384,18 @@ CertVerifier::InsanityVerifyCert(
     }
 
     case certificateUsageVerifyCA:
     case certificateUsageStatusResponder: {
       // XXX This is a pretty useless way to verify a certificate. It is used
       // by the implementation of window.crypto.importCertificates and in the
       // certificate viewer UI. Because we don't know what trust bit is
       // interesting, we just try them all.
-      insanity::pkix::EndEntityOrCA endEntityOrCA;
-      insanity::pkix::KeyUsages keyUsage;
+      mozilla::pkix::EndEntityOrCA endEntityOrCA;
+      mozilla::pkix::KeyUsages keyUsage;
       SECOidTag eku;
       if (usage == certificateUsageVerifyCA) {
         endEntityOrCA = MustBeCA;
         keyUsage = KU_KEY_CERT_SIGN;
         eku = SEC_OID_UNKNOWN;
       } else {
         endEntityOrCA = MustBeEndEntity;
         keyUsage = KU_DIGITAL_SIGNATURE;
@@ -444,20 +444,20 @@ CertVerifier::VerifyCert(CERTCertificate
                          const SECCertificateUsage usage,
                          const PRTime time,
                          void* pinArg,
                          const Flags flags,
                          /*optional out*/ ScopedCERTCertList* validationChain,
                          /*optional out*/ SECOidTag* evOidPolicy,
                          /*optional out*/ CERTVerifyLog* verifyLog)
 {
-  if (mImplementation == insanity) {
-    return InsanityVerifyCert(cert, usage, time, pinArg, flags,
-                              stapledOCSPResponse, validationChain,
-                              evOidPolicy);
+  if (mImplementation == mozillapkix) {
+    return MozillaPKIXVerifyCert(cert, usage, time, pinArg, flags,
+                                 stapledOCSPResponse, validationChain,
+                                 evOidPolicy);
   }
 
   if (!cert)
   {
     PR_NOT_REACHED("Invalid arguments to CertVerifier::VerifyCert");
     PORT_SetError(SEC_ERROR_INVALID_ARGS);
     return SECFailure;
   }
@@ -794,17 +794,17 @@ pkix_done:
 
 SECStatus
 CertVerifier::VerifySSLServerCert(CERTCertificate* peerCert,
                      /*optional*/ const SECItem* stapledOCSPResponse,
                                   PRTime time,
                      /*optional*/ void* pinarg,
                                   const char* hostname,
                                   bool saveIntermediatesInPermanentDatabase,
-                 /*optional out*/ insanity::pkix::ScopedCERTCertList* certChainOut,
+                 /*optional out*/ mozilla::pkix::ScopedCERTCertList* certChainOut,
                  /*optional out*/ SECOidTag* evOidPolicy)
 {
   PR_ASSERT(peerCert);
   // XXX: PR_ASSERT(pinarg)
   PR_ASSERT(hostname);
   PR_ASSERT(hostname[0]);
 
   if (certChainOut) {
--- a/security/certverifier/CertVerifier.h
+++ b/security/certverifier/CertVerifier.h
@@ -2,17 +2,17 @@
 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef mozilla_psm__CertVerifier_h
 #define mozilla_psm__CertVerifier_h
 
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "OCSPCache.h"
 
 namespace mozilla { namespace psm {
 
 class CertVerifier
 {
 public:
   typedef unsigned int Flags;
@@ -24,37 +24,37 @@ public:
   // *evOidPolicy == SEC_OID_UNKNOWN means the cert is NOT EV
   // Only one usage per verification is supported.
   SECStatus VerifyCert(CERTCertificate* cert,
           /*optional*/ const SECItem* stapledOCSPResponse,
                        const SECCertificateUsage usage,
                        const PRTime time,
                        void* pinArg,
                        const Flags flags = 0,
-      /*optional out*/ insanity::pkix::ScopedCERTCertList* validationChain = nullptr,
+      /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain = nullptr,
       /*optional out*/ SECOidTag* evOidPolicy = nullptr ,
       /*optional out*/ CERTVerifyLog* verifyLog = nullptr);
 
   SECStatus VerifySSLServerCert(
                     CERTCertificate* peerCert,
        /*optional*/ const SECItem* stapledOCSPResponse,
                     PRTime time,
        /*optional*/ void* pinarg,
                     const char* hostname,
                     bool saveIntermediatesInPermanentDatabase = false,
-   /*optional out*/ insanity::pkix::ScopedCERTCertList* certChainOut = nullptr,
+   /*optional out*/ mozilla::pkix::ScopedCERTCertList* certChainOut = nullptr,
    /*optional out*/ SECOidTag* evOidPolicy = nullptr);
 
 
   enum implementation_config {
     classic = 0,
 #ifndef NSS_NO_LIBPKIX
     libpkix = 1,
 #endif
-    insanity = 2
+    mozillapkix = 2
   };
 
   enum missing_cert_download_config { missing_cert_download_off = 0, missing_cert_download_on };
   enum crl_download_config { crl_local_only = 0, crl_download_allowed };
   enum ocsp_download_config { ocsp_off = 0, ocsp_on };
   enum ocsp_strict_config { ocsp_relaxed = 0, ocsp_strict };
   enum ocsp_get_config { ocsp_get_disabled = 0, ocsp_get_enabled = 1 };
 
@@ -75,23 +75,23 @@ public:
   const bool mMissingCertDownloadEnabled;
   const bool mCRLDownloadEnabled;
 #endif
   const bool mOCSPDownloadEnabled;
   const bool mOCSPStrict;
   const bool mOCSPGETEnabled;
 
 private:
-  SECStatus InsanityVerifyCert(CERTCertificate* cert,
+  SECStatus MozillaPKIXVerifyCert(CERTCertificate* cert,
       const SECCertificateUsage usage,
       const PRTime time,
       void* pinArg,
       const Flags flags,
       /*optional*/ const SECItem* stapledOCSPResponse,
-      /*optional out*/ insanity::pkix::ScopedCERTCertList* validationChain,
+      /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain,
       /*optional out*/ SECOidTag* evOidPolicy);
 
   OCSPCache mOCSPCache;
 };
 
 void InitCertVerifierLog();
 } } // namespace mozilla::psm
 
--- a/security/certverifier/ExtendedValidation.cpp
+++ b/security/certverifier/ExtendedValidation.cpp
@@ -4,17 +4,17 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "ExtendedValidation.h"
 
 #include "cert.h"
 #include "certdb.h"
 #include "base64.h"
-#include "insanity/nullptr.h"
+#include "pkix/nullptr.h"
 #include "pk11pub.h"
 #include "secerr.h"
 #include "prerror.h"
 #include "prinit.h"
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gPIPNSSLog;
 #endif
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -5,28 +5,28 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "NSSCertDBTrustDomain.h"
 
 #include <stdint.h>
 
 #include "ExtendedValidation.h"
 #include "certdb.h"
-#include "insanity/pkix.h"
+#include "pkix/pkix.h"
 #include "mozilla/Telemetry.h"
 #include "nss.h"
 #include "ocsp.h"
 #include "pk11pub.h"
 #include "prerror.h"
 #include "prmem.h"
 #include "prprf.h"
 #include "secerr.h"
 #include "secmod.h"
 
-using namespace insanity::pkix;
+using namespace mozilla::pkix;
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gCertVerifierLog;
 #endif
 
 namespace mozilla { namespace psm {
 
 const char BUILTIN_ROOTS_MODULE_DEFAULT_NAME[] = "Builtin Roots Module";
@@ -48,17 +48,17 @@ NSSCertDBTrustDomain::NSSCertDBTrustDoma
   , mOCSPCache(ocspCache)
   , mPinArg(pinArg)
 {
 }
 
 SECStatus
 NSSCertDBTrustDomain::FindPotentialIssuers(
   const SECItem* encodedIssuerName, PRTime time,
-  /*out*/ insanity::pkix::ScopedCERTCertList& results)
+  /*out*/ mozilla::pkix::ScopedCERTCertList& results)
 {
   // TODO: normalize encodedIssuerName
   // TODO: NSS seems to be ambiguous between "no potential issuers found" and
   // "there was an error trying to retrieve the potential issuers."
   results = CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(),
                                        encodedIssuerName, time, true);
   return SECSuccess;
 }
@@ -126,32 +126,32 @@ NSSCertDBTrustDomain::GetCertTrust(EndEn
   *trustLevel = InheritsTrust;
   return SECSuccess;
 }
 
 SECStatus
 NSSCertDBTrustDomain::VerifySignedData(const CERTSignedData* signedData,
                                        const CERTCertificate* cert)
 {
-  return ::insanity::pkix::VerifySignedData(signedData, cert, mPinArg);
+  return ::mozilla::pkix::VerifySignedData(signedData, cert, mPinArg);
 }
 
 SECStatus
 NSSCertDBTrustDomain::CheckRevocation(
-  insanity::pkix::EndEntityOrCA endEntityOrCA,
+  mozilla::pkix::EndEntityOrCA endEntityOrCA,
   const CERTCertificate* cert,
   /*const*/ CERTCertificate* issuerCert,
   PRTime time,
   /*optional*/ const SECItem* stapledOCSPResponse)
 {
   // Actively distrusted certificates will have already been blocked by
   // GetCertTrust.
 
   // TODO: need to verify that IsRevoked isn't called for trust anchors AND
-  // that that fact is documented in insanity.
+  // that that fact is documented in mozillapkix.
 
   PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
          ("NSSCertDBTrustDomain: Top of CheckRevocation\n"));
 
   PORT_Assert(cert);
   PORT_Assert(issuerCert);
   if (!cert || !issuerCert) {
     PORT_SetError(SEC_ERROR_INVALID_ARGS);
--- a/security/certverifier/NSSCertDBTrustDomain.h
+++ b/security/certverifier/NSSCertDBTrustDomain.h
@@ -2,17 +2,17 @@
 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef mozilla_psm__NSSCertDBTrustDomain_h
 #define mozilla_psm__NSSCertDBTrustDomain_h
 
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "secmodt.h"
 #include "CertVerifier.h"
 
 namespace mozilla { namespace psm {
 
 SECStatus InitializeNSS(const char* dir, bool readOnly);
 
 void DisableMD5();
@@ -38,46 +38,46 @@ void UnloadLoadableRoots(const char* mod
 void
 SetClassicOCSPBehavior(CertVerifier::ocsp_download_config enabled,
                        CertVerifier::ocsp_strict_config strict,
                        CertVerifier::ocsp_get_config get);
 
 // Caller must free the result with PR_Free
 char* DefaultServerNicknameForCert(CERTCertificate* cert);
 
-void SaveIntermediateCerts(const insanity::pkix::ScopedCERTCertList& certList);
+void SaveIntermediateCerts(const mozilla::pkix::ScopedCERTCertList& certList);
 
-class NSSCertDBTrustDomain : public insanity::pkix::TrustDomain
+class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain
 {
 
 public:
   enum OCSPFetching {
     NeverFetchOCSP = 0,
     FetchOCSPForDVSoftFail = 1,
     FetchOCSPForDVHardFail = 2,
     FetchOCSPForEV = 3,
     LocalOnlyOCSPForEV = 4,
   };
   NSSCertDBTrustDomain(SECTrustType certDBTrustType, OCSPFetching ocspFetching,
                        OCSPCache& ocspCache, void* pinArg);
 
   virtual SECStatus FindPotentialIssuers(
                         const SECItem* encodedIssuerName,
                         PRTime time,
-                /*out*/ insanity::pkix::ScopedCERTCertList& results);
+                /*out*/ mozilla::pkix::ScopedCERTCertList& results);
 
-  virtual SECStatus GetCertTrust(insanity::pkix::EndEntityOrCA endEntityOrCA,
+  virtual SECStatus GetCertTrust(mozilla::pkix::EndEntityOrCA endEntityOrCA,
                                  SECOidTag policy,
                                  const CERTCertificate* candidateCert,
                          /*out*/ TrustLevel* trustLevel);
 
   virtual SECStatus VerifySignedData(const CERTSignedData* signedData,
                                      const CERTCertificate* cert);
 
-  virtual SECStatus CheckRevocation(insanity::pkix::EndEntityOrCA endEntityOrCA,
+  virtual SECStatus CheckRevocation(mozilla::pkix::EndEntityOrCA endEntityOrCA,
                                     const CERTCertificate* cert,
                           /*const*/ CERTCertificate* issuerCert,
                                     PRTime time,
                        /*optional*/ const SECItem* stapledOCSPResponse);
 
 private:
   SECStatus VerifyAndMaybeCacheEncodedOCSPResponse(
     const CERTCertificate* cert, CERTCertificate* issuerCert, PRTime time,
--- a/security/certverifier/OCSPCache.cpp
+++ b/security/certverifier/OCSPCache.cpp
@@ -23,24 +23,24 @@
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gCertVerifierLog;
 #endif
 
 namespace mozilla { namespace psm {
 
 void
-Insanity_PK11_DestroyContext_true(PK11Context* context)
+MozillaPKIX_PK11_DestroyContext_true(PK11Context* context)
 {
   PK11_DestroyContext(context, true);
 }
 
-typedef insanity::pkix::ScopedPtr<PK11Context,
-                                  Insanity_PK11_DestroyContext_true>
-                                  ScopedPK11Context;
+typedef mozilla::pkix::ScopedPtr<PK11Context,
+                                 MozillaPKIX_PK11_DestroyContext_true>
+                                 ScopedPK11Context;
 
 // Let derIssuer be the DER encoding of the issuer of aCert.
 // Let derPublicKey be the DER encoding of the public key of aIssuerCert.
 // Let serialNumber be the bytes of the serial number of aCert.
 // The value calculated is SHA384(derIssuer || derPublicKey || serialNumber).
 // Because the DER encodings include the length of the data encoded,
 // there do not exist A(derIssuerA, derPublicKeyA, serialNumberA) and
 // B(derIssuerB, derPublicKeyB, serialNumberB) such that the concatenation of
@@ -133,19 +133,19 @@ OCSPCache::FindInternal(const CERTCertif
 }
 
 void
 OCSPCache::LogWithCerts(const char* aMessage, const CERTCertificate* aCert,
                         const CERTCertificate* aIssuerCert)
 {
 #ifdef PR_LOGGING
   if (PR_LOG_TEST(gCertVerifierLog, PR_LOG_DEBUG)) {
-    insanity::pkix::ScopedPtr<char, mozilla::psm::PORT_Free_string>
+    mozilla::pkix::ScopedPtr<char, mozilla::psm::PORT_Free_string>
       cn(CERT_GetCommonName(&aCert->subject));
-    insanity::pkix::ScopedPtr<char, mozilla::psm::PORT_Free_string>
+    mozilla::pkix::ScopedPtr<char, mozilla::psm::PORT_Free_string>
       cnIssuer(CERT_GetCommonName(&aIssuerCert->subject));
     PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, (aMessage, cn.get(), cnIssuer.get()));
   }
 #endif
 }
 
 void
 OCSPCache::MakeMostRecentlyUsed(size_t aIndex,
--- a/security/certverifier/OCSPCache.h
+++ b/security/certverifier/OCSPCache.h
@@ -15,17 +15,17 @@
  * limitations under the License.
  */
 
 #ifndef mozilla_psm_OCSPCache_h
 #define mozilla_psm_OCSPCache_h
 
 #include "certt.h"
 #include "hasht.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "mozilla/Mutex.h"
 #include "mozilla/Vector.h"
 #include "prerror.h"
 
 namespace mozilla { namespace psm {
 
 // make SHA384Buffer be of type "array of uint8_t of length SHA384_LENGTH"
 typedef uint8_t SHA384Buffer[SHA384_LENGTH];
--- a/security/certverifier/moz.build
+++ b/security/certverifier/moz.build
@@ -11,20 +11,20 @@ UNIFIED_SOURCES += [
 ]
 
 if not CONFIG['NSS_NO_EV_CERTS']:
     UNIFIED_SOURCES += [
         'ExtendedValidation.cpp',
     ]
 
 LOCAL_INCLUDES += [
-    '../insanity/include',
+    '../pkix/include',
 ]
 
 DIRS += [
-    '../insanity',
+    '../pkix',
 ]
 
 FAIL_ON_WARNINGS = True
 
 LIBRARY_NAME = 'certverifier'
 
 FINAL_LIBRARY = 'xul'
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
@@ -91,17 +91,17 @@
 // an SSL handshake) and the PSM NSS I/O layer are not thread-safe, and because
 // we need the event to interrupt the PR_Poll that may waiting for I/O on the
 // socket for which we are validating the cert.
 
 #include "SSLServerCertVerification.h"
 
 #include <cstring>
 
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "CertVerifier.h"
 #include "CryptoTask.h"
 #include "ExtendedValidation.h"
 #include "NSSCertDBTrustDomain.h"
 #include "nsIBadCertListener2.h"
 #include "nsICertOverrideService.h"
 #include "nsISiteSecurityService.h"
 #include "nsNSSComponent.h"
@@ -309,32 +309,32 @@ MapCertErrorToProbeValue(PRErrorCode err
     case SEC_ERROR_EXPIRED_CERTIFICATE:                return 10;
   }
   NS_WARNING("Unknown certificate error code. Does MapCertErrorToProbeValue "
              "handle everything in PRErrorCodeToOverrideType?");
   return 0;
 }
 
 SECStatus
-InsanityDetermineCertOverrideErrors(CERTCertificate* cert,
-                                    const char* hostName, PRTime now,
-                                    PRErrorCode defaultErrorCodeToReport,
-                                    /*out*/ uint32_t& collectedErrors,
-                                    /*out*/ PRErrorCode& errorCodeTrust,
-                                    /*out*/ PRErrorCode& errorCodeMismatch,
-                                    /*out*/ PRErrorCode& errorCodeExpired)
+MozillaPKIXDetermineCertOverrideErrors(CERTCertificate* cert,
+                                       const char* hostName, PRTime now,
+                                       PRErrorCode defaultErrorCodeToReport,
+                                       /*out*/ uint32_t& collectedErrors,
+                                       /*out*/ PRErrorCode& errorCodeTrust,
+                                       /*out*/ PRErrorCode& errorCodeMismatch,
+                                       /*out*/ PRErrorCode& errorCodeExpired)
 {
   MOZ_ASSERT(cert);
   MOZ_ASSERT(hostName);
   MOZ_ASSERT(collectedErrors == 0);
   MOZ_ASSERT(errorCodeTrust == 0);
   MOZ_ASSERT(errorCodeMismatch == 0);
   MOZ_ASSERT(errorCodeExpired == 0);
 
-  // Assumes the error prioritization described in insanity::pkix's
+  // Assumes the error prioritization described in mozilla::pkix's
   // BuildForward function. Also assumes that CERT_VerifyCertName was only
   // called if CertVerifier::VerifyCert succeeded.
   switch (defaultErrorCodeToReport) {
     case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
     case SEC_ERROR_UNKNOWN_ISSUER:
     {
       collectedErrors = nsICertOverrideService::ERROR_UNTRUSTED;
       errorCodeTrust = defaultErrorCodeToReport;
@@ -702,24 +702,24 @@ CreateCertErrorRunnable(CertVerifier& ce
 #endif
       rv = NSSDetermineCertOverrideErrors(certVerifier, cert, stapledOCSPResponse,
                                           infoObject, now,
                                           defaultErrorCodeToReport,
                                           collected_errors, errorCodeTrust,
                                           errorCodeMismatch, errorCodeExpired);
       break;
 
-    case CertVerifier::insanity:
-      rv = InsanityDetermineCertOverrideErrors(cert,
-                                               infoObject->GetHostNameRaw(),
-                                               now, defaultErrorCodeToReport,
-                                               collected_errors,
-                                               errorCodeTrust,
-                                               errorCodeMismatch,
-                                               errorCodeExpired);
+    case CertVerifier::mozillapkix:
+      rv = MozillaPKIXDetermineCertOverrideErrors(cert,
+                                                  infoObject->GetHostNameRaw(),
+                                                  now, defaultErrorCodeToReport,
+                                                  collected_errors,
+                                                  errorCodeTrust,
+                                                  errorCodeMismatch,
+                                                  errorCodeExpired);
       break;
 
     default:
       MOZ_CRASH("unexpected CertVerifier implementation");
       PR_SetError(defaultErrorCodeToReport, 0);
       return nullptr;
 
   }
@@ -804,17 +804,17 @@ private:
                                TransportSecurityInfo* infoObject,
                                CERTCertificate* cert,
                                SECItem* stapledOCSPResponse,
                                uint32_t providerFlags,
                                PRTime time);
   const RefPtr<SharedCertVerifier> mCertVerifier;
   const void* const mFdForLogging;
   const RefPtr<TransportSecurityInfo> mInfoObject;
-  const insanity::pkix::ScopedCERTCertificate mCert;
+  const mozilla::pkix::ScopedCERTCertificate mCert;
   const uint32_t mProviderFlags;
   const PRTime mTime;
   const TimeStamp mJobStartTime;
   const ScopedSECItem mStapledOCSPResponse;
 };
 
 SSLServerCertVerificationJob::SSLServerCertVerificationJob(
     const RefPtr<SharedCertVerifier>& certVerifier, const void* fdForLogging,
@@ -904,17 +904,17 @@ AuthCertificate(CertVerifier& certVerifi
                 CERTCertificate* cert, SECItem* stapledOCSPResponse,
                 uint32_t providerFlags, PRTime time)
 {
   MOZ_ASSERT(infoObject);
   MOZ_ASSERT(cert);
 
   SECStatus rv;
 
-  // TODO: Remove this after we switch to insanity::pkix as the
+  // TODO: Remove this after we switch to mozilla::pkix as the
   // only option
   if (certVerifier.mImplementation == CertVerifier::classic) {
     if (stapledOCSPResponse) {
       CERTCertDBHandle* handle = CERT_GetDefaultCertDB();
       rv = CERT_CacheOCSPResponseFromSideChannel(handle, cert, PR_Now(),
                                                  stapledOCSPResponse,
                                                  infoObject);
       if (rv != SECSuccess) {
@@ -960,17 +960,17 @@ AuthCertificate(CertVerifier& certVerifi
     }
   }
 
   // We want to avoid storing any intermediate cert information when browsing
   // in private, transient contexts.
   bool saveIntermediates =
     !(providerFlags & nsISocketProvider::NO_PERMANENT_STORAGE);
 
-  insanity::pkix::ScopedCERTCertList certList;
+  mozilla::pkix::ScopedCERTCertList certList;
   SECOidTag evOidPolicy;
   rv = certVerifier.VerifySSLServerCert(cert, stapledOCSPResponse,
                                         time, infoObject,
                                         infoObject->GetHostNameRaw(),
                                         saveIntermediates, nullptr,
                                         &evOidPolicy);
 
   // We want to remember the CA certs in the temp db, so that the application can find the
@@ -1085,21 +1085,21 @@ SSLServerCertVerificationJob::Run()
     Telemetry::ID failureTelemetry;
     switch (mCertVerifier->mImplementation) {
       case CertVerifier::classic:
         successTelemetry
           = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_CLASSIC;
         failureTelemetry
           = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_CLASSIC;
         break;
-      case CertVerifier::insanity:
+      case CertVerifier::mozillapkix:
         successTelemetry
-          = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_INSANITY;
+          = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX;
         failureTelemetry
-          = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_INSANITY;
+          = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX;
         break;
 #ifndef NSS_NO_LIBPKIX
       case CertVerifier::libpkix:
         successTelemetry
           = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_LIBPKIX;
         failureTelemetry
           = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_LIBPKIX;
         break;
--- a/security/manager/ssl/src/TransportSecurityInfo.cpp
+++ b/security/manager/ssl/src/TransportSecurityInfo.cpp
@@ -1,17 +1,17 @@
 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "TransportSecurityInfo.h"
 
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "nsNSSComponent.h"
 #include "nsIWebProgressListener.h"
 #include "nsNSSCertificate.h"
 #include "nsIX509CertValidity.h"
 #include "nsIDateTimeFormat.h"
 #include "nsDateTimeFormatCID.h"
 #include "nsICertOverrideService.h"
 #include "nsIObjectInputStream.h"
@@ -750,17 +750,17 @@ AppendErrorTextMismatch(const nsString &
                         nsIX509Cert* ix509,
                         nsINSSComponent *component,
                         bool wantsHtml,
                         nsString &returnedMessage)
 {
   const char16_t *params[1];
   nsresult rv;
 
-  insanity::pkix::ScopedCERTCertificate nssCert;
+  mozilla::pkix::ScopedCERTCertificate nssCert;
 
   nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(ix509, &rv);
   if (cert2)
     nssCert = cert2->GetCert();
 
   if (!nssCert) {
     // We are unable to extract the valid names, say "not valid for name".
     params[0] = host.get();
--- a/security/manager/ssl/src/moz.build
+++ b/security/manager/ssl/src/moz.build
@@ -90,17 +90,17 @@ UNIFIED_SOURCES += [
 ]
 
 FAIL_ON_WARNINGS = True
 
 FINAL_LIBRARY = 'xul'
 
 LOCAL_INCLUDES += [
     '../../../certverifier',
-    '../../../insanity/include',
+    '../../../pkix/include',
 ]
 
 if CONFIG['NSS_DISABLE_DBM']:
     DEFINES['NSS_DISABLE_DBM'] = '1'
 
 DEFINES['SSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES'] = 'True'
 DEFINES['NSS_ENABLE_ECC'] = 'True'
 for var in ('DLL_PREFIX', 'DLL_SUFFIX'):
--- a/security/manager/ssl/src/nsCMS.cpp
+++ b/security/manager/ssl/src/nsCMS.cpp
@@ -1,17 +1,17 @@
 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsCMS.h"
 
 #include "CertVerifier.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "nsISupports.h"
 #include "nsNSSHelper.h"
 #include "nsNSSCertificate.h"
 #include "smime.h"
 #include "cms.h"
 #include "nsICMSMessageErrors.h"
 #include "nsIArray.h"
 #include "nsArrayUtils.h"
@@ -510,17 +510,17 @@ NS_IMETHODIMP nsCMSMessage::CreateEncryp
   for (i=0; i<recipientCertCount; i++) {
     nsCOMPtr<nsIX509Cert> x509cert = do_QueryElementAt(aRecipientCerts, i);
 
     nssRecipientCert = do_QueryInterface(x509cert);
 
     if (!nssRecipientCert)
       return NS_ERROR_FAILURE;
 
-    insanity::pkix::ScopedCERTCertificate c(nssRecipientCert->GetCert());
+    mozilla::pkix::ScopedCERTCertificate c(nssRecipientCert->GetCert());
     recipientCerts.set(i, c.get());
   }
   
   // Find a bulk key algorithm //
   if (NSS_SMIMEUtil_FindBulkAlgForRecipients(recipientCerts.getRawArray(), &bulkAlgTag,
                                             &keySize) != SECSuccess) {
     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateEncrypted - can't find bulk alg for recipients\n"));
     rv = NS_ERROR_CMS_ENCRYPT_NO_BULK_ALG;
@@ -548,17 +548,17 @@ NS_IMETHODIMP nsCMSMessage::CreateEncryp
   cinfo = NSS_CMSEnvelopedData_GetContentInfo(envd);
   if (NSS_CMSContentInfo_SetContent_Data(m_cmsMsg, cinfo, nullptr, false) != SECSuccess) {
     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateEncrypted - can't set content data\n"));
     goto loser;
   }
 
   // Create and attach recipient information //
   for (i=0; i < recipientCertCount; i++) {
-    insanity::pkix::ScopedCERTCertificate rc(recipientCerts.get(i));
+    mozilla::pkix::ScopedCERTCertificate rc(recipientCerts.get(i));
     if ((recipientInfo = NSS_CMSRecipientInfo_Create(m_cmsMsg, rc.get())) == nullptr) {
       PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateEncrypted - can't create recipient info\n"));
       goto loser;
     }
     if (NSS_CMSEnvelopedData_AddRecipient(envd, recipientInfo) != SECSuccess) {
       PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateEncrypted - can't add recipient info\n"));
       goto loser;
     }
@@ -579,18 +579,18 @@ NS_IMETHODIMP nsCMSMessage::CreateSigned
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateSigned\n"));
   NSSCMSContentInfo *cinfo;
   NSSCMSSignedData *sigd;
   NSSCMSSignerInfo *signerinfo;
-  insanity::pkix::ScopedCERTCertificate scert;
-  insanity::pkix::ScopedCERTCertificate ecert;
+  mozilla::pkix::ScopedCERTCertificate scert;
+  mozilla::pkix::ScopedCERTCertificate ecert;
   nsCOMPtr<nsIX509Cert2> aSigningCert2 = do_QueryInterface(aSigningCert);
   nsresult rv = NS_ERROR_FAILURE;
 
   /* Get the certs */
   if (aSigningCert2) {
     scert = aSigningCert2->GetCert();
   }
   if (!scert) {
--- a/security/manager/ssl/src/nsCertOverrideService.cpp
+++ b/security/manager/ssl/src/nsCertOverrideService.cpp
@@ -1,17 +1,17 @@
 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsCertOverrideService.h"
 
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "nsIX509Cert.h"
 #include "NSSCertDBTrustDomain.h"
 #include "nsNSSCertificate.h"
 #include "nsNSSCertHelper.h"
 #include "nsCRT.h"
 #include "nsAppDirectoryServiceDefs.h"
 #include "nsStreamUtils.h"
 #include "nsNetUtil.h"
@@ -389,17 +389,17 @@ static nsresult
 GetCertFingerprintByOidTag(nsIX509Cert *aCert,
                            SECOidTag aOidTag, 
                            nsCString &fp)
 {
   nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(aCert);
   if (!cert2)
     return NS_ERROR_FAILURE;
 
-  insanity::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
+  mozilla::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
   if (!nsscert)
     return NS_ERROR_FAILURE;
 
   return GetCertFingerprintByOidTag(nsscert.get(), aOidTag, fp);
 }
 
 static nsresult
 GetCertFingerprintByDottedOidString(CERTCertificate* nsscert,
@@ -427,17 +427,17 @@ static nsresult
 GetCertFingerprintByDottedOidString(nsIX509Cert *aCert,
                                     const nsCString &dottedOid, 
                                     nsCString &fp)
 {
   nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(aCert);
   if (!cert2)
     return NS_ERROR_FAILURE;
 
-  insanity::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
+  mozilla::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
   if (!nsscert)
     return NS_ERROR_FAILURE;
 
   return GetCertFingerprintByDottedOidString(nsscert.get(), dottedOid, fp);
 }
 
 NS_IMETHODIMP
 nsCertOverrideService::RememberValidityOverride(const nsACString & aHostName, int32_t aPort, 
@@ -450,17 +450,17 @@ nsCertOverrideService::RememberValidityO
     return NS_ERROR_INVALID_ARG;
   if (aPort < -1)
     return NS_ERROR_INVALID_ARG;
 
   nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(aCert);
   if (!cert2)
     return NS_ERROR_FAILURE;
 
-  insanity::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
+  mozilla::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
   if (!nsscert)
     return NS_ERROR_FAILURE;
 
   char* nickname = DefaultServerNicknameForCert(nsscert.get());
   if (!aTemporary && nickname && *nickname)
   {
     ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
     if (!slot) {
--- a/security/manager/ssl/src/nsCertPicker.cpp
+++ b/security/manager/ssl/src/nsCertPicker.cpp
@@ -1,15 +1,15 @@
 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsCertPicker.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "nsMemory.h"
 #include "nsCOMPtr.h"
 #include "nsXPIDLString.h"
 #include "nsIServiceManager.h"
 #include "nsNSSComponent.h"
 #include "nsNSSCertificate.h"
 #include "nsReadableUtils.h"
 #include "nsICertPickDialogs.h"
@@ -45,24 +45,24 @@ NS_IMETHODIMP nsCertPicker::PickByUsage(
   char16_t **certNicknameList = nullptr;
   char16_t **certDetailsList = nullptr;
   CERTCertListNode* node = nullptr;
   nsresult rv = NS_OK;
 
   {
     // Iterate over all certs. This assures that user is logged in to all hardware tokens.
     nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
-    insanity::pkix::ScopedCERTCertList allcerts(
+    mozilla::pkix::ScopedCERTCertList allcerts(
       PK11_ListCerts(PK11CertListUnique, ctx));
   }
 
   /* find all user certs that are valid and for SSL */
   /* note that we are allowing expired certs in this list */
 
-  insanity::pkix::ScopedCERTCertList certList( 
+  mozilla::pkix::ScopedCERTCertList certList(
     CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(), 
                               (SECCertUsage)certUsage,
                               !allowDuplicateNicknames,
                               !allowInvalid,
                               ctx));
   if (!certList) {
     return NS_ERROR_NOT_AVAILABLE;
   }
--- a/security/manager/ssl/src/nsCertTree.cpp
+++ b/security/manager/ssl/src/nsCertTree.cpp
@@ -1,15 +1,15 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsCertTree.h"
 
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "nsNSSComponent.h" // for PIPNSS string bundle calls.
 #include "nsITreeColumns.h"
 #include "nsIX509Cert.h"
 #include "nsIX509CertValidity.h"
 #include "nsIX509CertDB.h"
 #include "nsXPIDLString.h"
 #include "nsReadableUtils.h"
 #include "nsUnicharUtils.h"
@@ -633,17 +633,17 @@ nsCertTree::GetCertsByTypeFromCertList(C
 
 nsresult 
 nsCertTree::GetCertsByType(uint32_t           aType,
                            nsCertCompareFunc  aCertCmpFn,
                            void              *aCertCmpFnArg)
 {
   nsNSSShutDownPreventionLock locker;
   nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext();
-  insanity::pkix::ScopedCERTCertList certList(
+  mozilla::pkix::ScopedCERTCertList certList(
     PK11_ListCerts(PK11CertListUnique, cxt));
   return GetCertsByTypeFromCertList(certList.get(), aType, aCertCmpFn,
                                     aCertCmpFnArg);
 }
 
 nsresult 
 nsCertTree::GetCertsByTypeFromCache(nsINSSCertCache   *aCache,
                                     uint32_t           aType,
@@ -804,17 +804,17 @@ nsCertTree::DeleteEntryObject(uint32_t i
           } 
         }
         else {
           if (addonInfo && addonInfo->mUsageCount > 1) {
             // user is trying to delete a perm trusted cert,
             // although there are still overrides stored,
             // so, we keep the cert, but remove the trust
 
-            insanity::pkix::ScopedCERTCertificate nsscert;
+            mozilla::pkix::ScopedCERTCertificate nsscert;
 
             nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(cert);
             if (cert2) {
               nsscert = cert2->GetCert();
             }
 
             if (nsscert) {
               CERTCertTrust trust;
--- a/security/manager/ssl/src/nsCrypto.cpp
+++ b/security/manager/ssl/src/nsCrypto.cpp
@@ -65,17 +65,17 @@
 #include "pk11pqg.h"
 #include "cmmf.h"
 #include "nssb64.h"
 #include "base64.h"
 #include "cert.h"
 #include "certdb.h"
 #include "secmod.h"
 #include "ScopedNSSTypes.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 
 #include "ssl.h" // For SSL_ClearSessionCache
 
 #include "nsNSSCleaner.h"
 
 #include "nsNSSCertHelper.h"
 #include <algorithm>
 #include "nsWrapperCacheInlines.h"
@@ -1037,17 +1037,17 @@ nsFreeCertReqMessages(CRMFCertReqMsg **c
 static nsresult
 nsSetEscrowAuthority(CRMFCertRequest *certReq, nsKeyPairInfo *keyInfo,
                      nsNSSCertificate *wrappingCert)
 {
   if (!wrappingCert ||
       CRMF_CertRequestIsControlPresent(certReq, crmfPKIArchiveOptionsControl)){
     return NS_ERROR_FAILURE;
   }
-  insanity::pkix::ScopedCERTCertificate cert(wrappingCert->GetCert());
+  mozilla::pkix::ScopedCERTCertificate cert(wrappingCert->GetCert());
   if (!cert)
     return NS_ERROR_FAILURE;
 
   CRMFEncryptedKey *encrKey = 
       CRMF_CreateEncryptedKeyWithEncryptedValue(keyInfo->privKey, cert.get());
   if (!encrKey)
     return NS_ERROR_FAILURE;
 
@@ -1937,17 +1937,17 @@ nsCrypto::GenerateCRMFRequest(JSContext*
   bool willEscrow = false;
   if (!aEaCert.IsVoid()) {
     SECItem certDer = {siBuffer, nullptr, 0};
     SECStatus srv = ATOB_ConvertAsciiToItem(&certDer, aEaCert.get());
     if (srv != SECSuccess) {
       aRv.Throw(NS_ERROR_FAILURE);
       return nullptr;
     }
-    insanity::pkix::ScopedCERTCertificate cert(
+    mozilla::pkix::ScopedCERTCertificate cert(
       CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
                               &certDer, nullptr, false, true));
     if (!cert) {
       aRv.Throw(NS_ERROR_FAILURE);
       return nullptr;
     }
 
     escrowCert = nsNSSCertificate::Create(cert.get());
@@ -2206,17 +2206,17 @@ nsCryptoRunnable::Run()
 //Quick helper function to check if a newly issued cert
 //already exists in the user's database.
 static bool
 nsCertAlreadyExists(SECItem *derCert)
 {
   CERTCertDBHandle *handle = CERT_GetDefaultCertDB();
   bool retVal = false;
 
-  insanity::pkix::ScopedCERTCertificate cert(
+  mozilla::pkix::ScopedCERTCertificate cert(
     CERT_FindCertByDERCert(handle, derCert));
   if (cert) {
     if (cert->isperm && !cert->nickname && !cert->emailAddr) {
       //If the cert doesn't have a nickname or email addr, it is
       //bogus cruft, so delete it.
       SEC_DeletePermCertificate(cert.get());
     } else if (cert->isperm) {
       retVal = true;
@@ -2368,17 +2368,17 @@ nsCrypto::ImportUserCertificates(const n
     CMMF_DestroyCertResponse(currResponse);
   }
   //Let the loser: label take care of freeing up our reference to
   //nickname (This way we don't free it twice and avoid crashing.
   //That would be a good thing.
 
   //Import the root chain into the cert db.
  {
-  insanity::pkix::ScopedCERTCertList
+  mozilla::pkix::ScopedCERTCertList
     caPubs(CMMF_CertRepContentGetCAPubs(certRepContent));
   if (caPubs) {
     int32_t numCAs = nsCertListCount(caPubs.get());
     
     NS_ASSERTION(numCAs > 0, "Invalid number of CA's");
     if (numCAs > 0) {
       CERTCertListNode *node;
       SECItem *derCerts;
--- a/security/manager/ssl/src/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/src/nsNSSCallbacks.cpp
@@ -1,16 +1,16 @@
 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsNSSCallbacks.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "mozilla/Telemetry.h"
 #include "mozilla/TimeStamp.h"
 #include "nsNSSComponent.h"
 #include "nsNSSIOLayer.h"
 #include "nsIWebProgressListener.h"
 #include "nsProtectedAuthThread.h"
 #include "nsITokenDialogs.h"
 #include "nsIUploadChannel.h"
@@ -1184,17 +1184,17 @@ void HandshakeCallback(PRFileDesc* fd, v
 
     nsAutoString msg;
     msg.Append(NS_ConvertASCIItoUTF16(hostName));
     msg.Append(NS_LITERAL_STRING(" : server does not support RFC 5746, see CVE-2009-3555"));
 
     nsContentUtils::LogSimpleConsoleError(msg, "SSL");
   }
 
-  insanity::pkix::ScopedCERTCertificate serverCert(SSL_PeerCertificate(fd));
+  mozilla::pkix::ScopedCERTCertificate serverCert(SSL_PeerCertificate(fd));
 
   /* Set the SSL Status information */
   RefPtr<nsSSLStatus> status(infoObject->SSLStatus());
   if (!status) {
     status = new nsSSLStatus();
     infoObject->SetSSLStatus(status);
   }
 
--- a/security/manager/ssl/src/nsNSSCertCache.cpp
+++ b/security/manager/ssl/src/nsNSSCertCache.cpp
@@ -41,17 +41,17 @@ NS_IMETHODIMP
 nsNSSCertCache::CacheAllCerts()
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext();
   
-  insanity::pkix::ScopedCERTCertList newList(
+  mozilla::pkix::ScopedCERTCertList newList(
     PK11_ListCerts(PK11CertListUnique, cxt));
 
   if (newList) {
     MutexAutoLock lock(mutex);
     mCertList = new nsNSSCertList(newList, locker);
   }
   
   return NS_OK;
--- a/security/manager/ssl/src/nsNSSCertificate.cpp
+++ b/security/manager/ssl/src/nsNSSCertificate.cpp
@@ -5,17 +5,17 @@
 
 #include "nsNSSCertificate.h"
 
 #include "prmem.h"
 #include "prerror.h"
 #include "prprf.h"
 #include "CertVerifier.h"
 #include "ExtendedValidation.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "nsNSSComponent.h" // for PIPNSS string bundle calls.
 #include "nsNSSCleaner.h"
 #include "nsCOMPtr.h"
 #include "nsIMutableArray.h"
 #include "nsNSSCertValidity.h"
 #include "nsPKCS12Blob.h"
 #include "nsPK11TokenDB.h"
 #include "nsIX509Cert.h"
@@ -817,17 +817,17 @@ nsNSSCertificate::GetChain(nsIArray** _r
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   NS_ENSURE_ARG(_rvChain);
   nsresult rv;
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Getting chain for \"%s\"\n", mCert->nickname));
 
-  ::insanity::pkix::ScopedCERTCertList nssChain;
+  ::mozilla::pkix::ScopedCERTCertList nssChain;
   RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
   NS_ENSURE_TRUE(certVerifier, NS_ERROR_UNEXPECTED);
 
   // We want to test all usages, but we start with server because most of the
   // time Firefox users care about server certs.
   certVerifier->VerifyCert(mCert.get(), nullptr,
                            certificateUsageSSLServer, PR_Now(),
                            nullptr, /*XXX fixme*/
@@ -1537,17 +1537,17 @@ nsNSSCertificate::GetValidEVPolicyOid(ns
   }
 #endif
 
   return NS_OK;
 }
 
 NS_IMPL_ISUPPORTS1(nsNSSCertList, nsIX509CertList)
 
-nsNSSCertList::nsNSSCertList(insanity::pkix::ScopedCERTCertList& certList,
+nsNSSCertList::nsNSSCertList(mozilla::pkix::ScopedCERTCertList& certList,
                              const nsNSSShutDownPreventionLock& proofOfLock)
 {
   if (certList) {
     mCertList = certList.release();
   } else {
     mCertList = CERT_NewCertList();
   }
 }
--- a/security/manager/ssl/src/nsNSSCertificate.h
+++ b/security/manager/ssl/src/nsNSSCertificate.h
@@ -14,17 +14,17 @@
 #include "nsIASN1Object.h"
 #include "nsISMimeCert.h"
 #include "nsIIdentityInfo.h"
 #include "nsCOMPtr.h"
 #include "nsNSSShutDown.h"
 #include "nsISimpleEnumerator.h"
 #include "nsISerializable.h"
 #include "nsIClassInfo.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "certt.h"
 
 class nsAutoString;
 class nsINSSComponent;
 class nsIASN1Sequence;
 
 class nsNSSCertificate : public nsIX509Cert3,
                          public nsIIdentityInfo,
@@ -49,17 +49,17 @@ public:
   nsresult FormatUIStrings(const nsAutoString& nickname,
                            nsAutoString& nickWithSerial,
                            nsAutoString& details);
   static nsNSSCertificate* Create(CERTCertificate*cert = nullptr,
                                   SECOidTag* evOidPolicy = nullptr);
   static nsNSSCertificate* ConstructFromDER(char* certDER, int derLen);
 
 private:
-  insanity::pkix::ScopedCERTCertificate mCert;
+  mozilla::pkix::ScopedCERTCertificate mCert;
   bool             mPermDelete;
   uint32_t         mCertType;
   nsresult CreateASN1Struct(nsIASN1Object** aRetVal);
   nsresult CreateTBSCertificateASN1Struct(nsIASN1Sequence** retSequence,
                                           nsINSSComponent* nssComponent);
   nsresult GetSortableDate(PRTime aTime, nsAString& _aSortableDate);
   virtual void virtualDestroyNSSReference();
   void destructorSafeDestroyNSSReference();
@@ -76,30 +76,30 @@ private:
 class nsNSSCertList: public nsIX509CertList,
                      public nsNSSShutDownObject
 {
 public:
   NS_DECL_THREADSAFE_ISUPPORTS
   NS_DECL_NSIX509CERTLIST
 
   // certList is adopted
-  nsNSSCertList(insanity::pkix::ScopedCERTCertList& certList,
+  nsNSSCertList(mozilla::pkix::ScopedCERTCertList& certList,
                 const nsNSSShutDownPreventionLock& proofOfLock);
 
   nsNSSCertList();
 
   static CERTCertList* DupCertList(CERTCertList* aCertList,
                                    const nsNSSShutDownPreventionLock&
                                      proofOfLock);
 private:
    virtual ~nsNSSCertList();
    virtual void virtualDestroyNSSReference();
    void destructorSafeDestroyNSSReference();
 
-   insanity::pkix::ScopedCERTCertList mCertList;
+   mozilla::pkix::ScopedCERTCertList mCertList;
 
    nsNSSCertList(const nsNSSCertList&) MOZ_DELETE;
    void operator=(const nsNSSCertList&) MOZ_DELETE;
 };
 
 class nsNSSCertListEnumerator: public nsISimpleEnumerator,
                                public nsNSSShutDownObject
 {
@@ -109,17 +109,17 @@ public:
 
    nsNSSCertListEnumerator(CERTCertList* certList,
                            const nsNSSShutDownPreventionLock& proofOfLock);
 private:
    virtual ~nsNSSCertListEnumerator();
    virtual void virtualDestroyNSSReference();
    void destructorSafeDestroyNSSReference();
 
-   insanity::pkix::ScopedCERTCertList mCertList;
+   mozilla::pkix::ScopedCERTCertList mCertList;
 
    nsNSSCertListEnumerator(const nsNSSCertListEnumerator&) MOZ_DELETE;
    void operator=(const nsNSSCertListEnumerator&) MOZ_DELETE;
 };
 
 
 #define NS_NSS_LONG 4
 #define NS_NSS_GET_LONG(x) ((((unsigned long)((x)[0])) << 24) | \
--- a/security/manager/ssl/src/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/src/nsNSSCertificateDB.cpp
@@ -8,17 +8,17 @@
 #define CERT_AddTempCertToPerm __CERT_AddTempCertToPerm
 
 #include "nsNSSComponent.h"
 #include "nsNSSCertificateDB.h"
 
 #include "CertVerifier.h"
 #include "ExtendedValidation.h"
 #include "NSSCertDBTrustDomain.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "nsNSSComponent.h"
 #include "mozilla/Base64.h"
 #include "nsCOMPtr.h"
 #include "nsNSSCertificate.h"
 #include "nsNSSHelper.h"
 #include "nsNSSCertHelper.h"
 #include "nsNSSCertCache.h"
 #include "nsCRT.h"
@@ -108,17 +108,17 @@ nsNSSCertificateDB::FindCertByNickname(n
 {
   NS_ENSURE_ARG_POINTER(_rvCert);
   *_rvCert = nullptr;
 
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
-  insanity::pkix::ScopedCERTCertificate cert;
+  mozilla::pkix::ScopedCERTCertificate cert;
   char *asciiname = nullptr;
   NS_ConvertUTF16toUTF8 aUtf8Nickname(nickname);
   asciiname = const_cast<char*>(aUtf8Nickname.get());
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Getting \"%s\"\n", asciiname));
   cert = PK11_FindCertFromNickname(asciiname, nullptr);
   if (!cert) {
     cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), asciiname);
   }
@@ -154,17 +154,17 @@ nsNSSCertificateDB::FindCertByDBKey(cons
 
   dummy = NSSBase64_DecodeBuffer(nullptr, &keyItem, aDBkey,
                                  (uint32_t)strlen(aDBkey)); 
   if (!dummy || keyItem.len < NS_NSS_LONG*4) {
     PR_FREEIF(keyItem.data);
     return NS_ERROR_INVALID_ARG;
   }
 
-  insanity::pkix::ScopedCERTCertificate cert;
+  mozilla::pkix::ScopedCERTCertificate cert;
   // someday maybe we can speed up the search using the moduleID and slotID
   // moduleID = NS_NSS_GET_LONG(keyItem.data);
   // slotID = NS_NSS_GET_LONG(&keyItem.data[NS_NSS_LONG]);
 
   // build the issuer/SN structure
   issuerSN.serialNumber.len = NS_NSS_GET_LONG(&keyItem.data[NS_NSS_LONG*2]);
   issuerSN.derIssuer.len = NS_NSS_GET_LONG(&keyItem.data[NS_NSS_LONG*3]);
   if (issuerSN.serialNumber.len == 0 || issuerSN.derIssuer.len == 0
@@ -198,17 +198,17 @@ nsNSSCertificateDB::FindCertNicknames(ns
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   nsresult rv = NS_ERROR_FAILURE;
   /*
    * obtain the cert list from NSS
    */
-  insanity::pkix::ScopedCERTCertList certList;
+  mozilla::pkix::ScopedCERTCertList certList;
   certList = PK11_ListCerts(PK11CertListUnique, nullptr);
   if (!certList)
     goto cleanup;
   /*
    * get list of cert names from list of certs
    * XXX also cull the list (NSS only distinguishes based on user/non-user
    */
   getCertNames(certList.get(), aType, _count, _certNames, locker);
@@ -353,17 +353,17 @@ nsNSSCertificateDB::handleCACertDownload
  
   SECItem der;
   rv=certToShow->GetRawDER(&der.len, (uint8_t **)&der.data);
 
   if (NS_FAILED(rv))
     return rv;
 
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Creating temp cert\n"));
-  insanity::pkix::ScopedCERTCertificate tmpCert;
+  mozilla::pkix::ScopedCERTCertificate tmpCert;
   CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
   tmpCert = CERT_FindCertByDERCert(certdb, &der);
   if (!tmpCert) {
     tmpCert = CERT_NewTempCertificate(certdb, &der,
                                       nullptr, false, true);
   }
   nsMemory::Free(der.data);
   der.data = nullptr;
@@ -410,17 +410,17 @@ nsNSSCertificateDB::handleCACertDownload
                                            trust.GetTrust());
 
   if (srv != SECSuccess)
     return NS_ERROR_FAILURE;
 
   // Import additional delivered certificates that can be verified.
 
   // build a CertList for filtering
-  insanity::pkix::ScopedCERTCertList certList(CERT_NewCertList());
+  mozilla::pkix::ScopedCERTCertList certList(CERT_NewCertList());
   if (!certList) {
     return NS_ERROR_FAILURE;
   }
 
   // get all remaining certs into temp store
 
   for (uint32_t i=0; i<numCerts; i++) {
     if (i == selCertIndex) {
@@ -506,17 +506,17 @@ nsNSSCertificateDB::ImportCertificates(u
   }  
   PORT_FreeArena(arena, false);
   return nsrv;
 }
 
 static 
 SECStatus 
 ImportCertsIntoPermanentStorage(
-  const insanity::pkix::ScopedCERTCertList& certChain,
+  const mozilla::pkix::ScopedCERTCertList& certChain,
   const SECCertUsage usage, const PRBool caOnly)
 {
   CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
 
   int chainLen = 0;
   for (CERTCertListNode *chainNode = CERT_LIST_HEAD(certChain);
        !CERT_LIST_END(chainNode, certChain);
        chainNode = CERT_LIST_NEXT(chainNode)) {
@@ -556,17 +556,17 @@ nsNSSCertificateDB::ImportEmailCertifica
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   SECStatus srv = SECFailure;
   nsresult nsrv = NS_OK;
   CERTCertDBHandle *certdb;
   CERTCertificate **certArray = nullptr;
-  insanity::pkix::ScopedCERTCertList certList;
+  mozilla::pkix::ScopedCERTCertList certList;
   CERTCertListNode *node;
   SECItem **rawArray;
   int numcerts;
   int i;
 
   PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
   if (!arena)
     return NS_ERROR_OUT_OF_MEMORY;
@@ -627,17 +627,17 @@ nsNSSCertificateDB::ImportEmailCertifica
   for (node = CERT_LIST_HEAD(certList);
        !CERT_LIST_END(node,certList);
        node = CERT_LIST_NEXT(node)) {
 
     if (!node->cert) {
       continue;
     }
 
-    insanity::pkix::ScopedCERTCertList certChain;
+    mozilla::pkix::ScopedCERTCertList certChain;
 
     SECStatus rv = certVerifier->VerifyCert(node->cert, nullptr,
                                             certificateUsageEmailRecipient,
                                             now, ctx, 0, &certChain);
 
     if (rv != SECSuccess) {
       nsCOMPtr<nsIX509Cert> certToShow = nsNSSCertificate::Create(node->cert);
       DisplayCertificateAlert(ctx, "NotImportingUnverifiedCert", certToShow, locker);
@@ -668,17 +668,17 @@ nsNSSCertificateDB::ImportServerCertific
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   SECStatus srv = SECFailure;
   nsresult nsrv = NS_OK;
-  insanity::pkix::ScopedCERTCertificate cert;
+  mozilla::pkix::ScopedCERTCertificate cert;
   SECItem **rawCerts = nullptr;
   int numcerts;
   int i;
   nsNSSCertTrust trust;
   char *serverNickname = nullptr;
  
   PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
   if (!arena)
@@ -795,17 +795,17 @@ nsNSSCertificateDB::ImportValidCACertsIn
   /* go down the remaining list of certs and verify that they have
    * valid chains, if yes, then import.
    */
   CERTCertListNode *node;
 
   for (node = CERT_LIST_HEAD(certList);
        !CERT_LIST_END(node,certList);
        node = CERT_LIST_NEXT(node)) {
-    insanity::pkix::ScopedCERTCertList certChain;
+    mozilla::pkix::ScopedCERTCertList certChain;
     SECStatus rv = certVerifier->VerifyCert(node->cert, nullptr,
                                             certificateUsageVerifyCA,
                                             PR_Now(), ctx, 0, &certChain);
     if (rv != SECSuccess) {
       nsCOMPtr<nsIX509Cert> certToShow = nsNSSCertificate::Create(node->cert);
       DisplayCertificateAlert(ctx, "NotImportingUnverifiedCert", certToShow, proofOfLock);
       continue;
     }
@@ -872,17 +872,17 @@ nsNSSCertificateDB::ImportUserCertificat
 
   ScopedPK11SlotInfo slot;
   nsAutoCString nickname;
   nsresult rv = NS_ERROR_FAILURE;
   int numCACerts;
   SECItem *CACerts;
   CERTDERCerts * collectArgs;
   PLArenaPool *arena;
-  insanity::pkix::ScopedCERTCertificate cert;
+  mozilla::pkix::ScopedCERTCertificate cert;
 
   arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
   if (!arena) {
     goto loser;
   }
 
   collectArgs = getCertsFromPackage(arena, data, length, locker);
   if (!collectArgs) {
@@ -949,17 +949,17 @@ loser:
 NS_IMETHODIMP 
 nsNSSCertificateDB::DeleteCertificate(nsIX509Cert *aCert)
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
   nsCOMPtr<nsIX509Cert2> nssCert = do_QueryInterface(aCert);
-  insanity::pkix::ScopedCERTCertificate cert(nssCert->GetCert());
+  mozilla::pkix::ScopedCERTCertificate cert(nssCert->GetCert());
   if (!cert) return NS_ERROR_FAILURE;
   SECStatus srv = SECSuccess;
 
   uint32_t certType;
   nssCert->GetCertType(&certType);
   if (NS_FAILED(nssCert->MarkForPermDeletion()))
   {
     return NS_ERROR_FAILURE;
@@ -996,17 +996,17 @@ nsNSSCertificateDB::SetCertTrust(nsIX509
     return NS_ERROR_NOT_AVAILABLE;
   }
   nsNSSCertTrust trust;
   nsresult rv;
   nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert, &rv);
   if (!pipCert) {
     return rv;
   }
-  insanity::pkix::ScopedCERTCertificate nsscert(pipCert->GetCert());
+  mozilla::pkix::ScopedCERTCertificate nsscert(pipCert->GetCert());
 
   rv = attemptToLogInWithDefaultPassword();
   if (NS_WARN_IF(rv != NS_OK)) {
     return rv;
   }
 
   SECStatus srv;
   if (type == nsIX509Cert::CA_CERT) {
@@ -1049,17 +1049,17 @@ nsNSSCertificateDB::IsCertTrusted(nsIX50
   *_isTrusted = false;
 
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
   SECStatus srv;
   nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert);
-  insanity::pkix::ScopedCERTCertificate nsscert(pipCert->GetCert());
+  mozilla::pkix::ScopedCERTCertificate nsscert(pipCert->GetCert());
   CERTCertTrust nsstrust;
   srv = CERT_GetCertTrust(nsscert.get(), &nsstrust);
   if (srv != SECSuccess)
     return NS_ERROR_FAILURE;
 
   nsNSSCertTrust trust(&nsstrust);
   if (certType == nsIX509Cert::CA_CERT) {
     if (trustType & nsIX509CertDB::TRUSTED_SSL) {
@@ -1297,17 +1297,17 @@ nsNSSCertificateDB::FindEmailEncryptionC
   }
 
   nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
   char *asciiname = nullptr;
   NS_ConvertUTF16toUTF8 aUtf8Nickname(aNickname);
   asciiname = const_cast<char*>(aUtf8Nickname.get());
 
   /* Find a good cert in the user's database */
-  insanity::pkix::ScopedCERTCertificate cert;
+  mozilla::pkix::ScopedCERTCertificate cert;
   cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(), asciiname, 
            certUsageEmailRecipient, true, ctx);
   if (!cert) {
     return NS_OK;
   }
 
   nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert.get());
   if (!nssCert) {
@@ -1327,17 +1327,17 @@ nsNSSCertificateDB::FindEmailSigningCert
   if (aNickname.IsEmpty())
     return NS_OK;
 
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
-  insanity::pkix::ScopedCERTCertificate cert;
+  mozilla::pkix::ScopedCERTCertificate cert;
   nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
   char *asciiname = nullptr;
   NS_ConvertUTF16toUTF8 aUtf8Nickname(aNickname);
   asciiname = const_cast<char*>(aUtf8Nickname.get());
 
   /* Find a good cert in the user's database */
   cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(), asciiname, 
            certUsageEmailSigner, true, ctx);
@@ -1457,17 +1457,17 @@ nsNSSCertificateDB::ConstructX509(const 
     return NS_ERROR_INVALID_POINTER;
   }
 
   SECItem secitem_cert;
   secitem_cert.type = siDERCertBuffer;
   secitem_cert.data = (unsigned char*)certDER;
   secitem_cert.len = lengthDER;
 
-  insanity::pkix::ScopedCERTCertificate cert;
+  mozilla::pkix::ScopedCERTCertificate cert;
   cert =
     CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &secitem_cert,
                             nullptr, false, true);
   if (!cert)
     return (PORT_GetError() == SEC_ERROR_NO_MEMORY)
       ? NS_ERROR_OUT_OF_MEMORY : NS_ERROR_FAILURE;
 
   nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert.get());
@@ -1556,17 +1556,17 @@ nsNSSCertificateDB::get_default_nickname
       if (!tmp) {
         nickname.Truncate();
         return;
       }
       nickname = tmp;
       PR_smprintf_free(tmp);
     }
 
-    insanity::pkix::ScopedCERTCertificate dummycert;
+    mozilla::pkix::ScopedCERTCertificate dummycert;
 
     if (PK11_IsInternal(slot)) {
       /* look up the nickname to make sure it isn't in use already */
       dummycert = CERT_FindCertByNickname(defaultcertdb, nickname.get());
 
     } else {
       /*
        * Check the cert against others that already live on the smart 
@@ -1617,17 +1617,17 @@ NS_IMETHODIMP nsNSSCertificateDB::AddCer
   NS_ENSURE_SUCCESS(rv, rv);
 
   SECItem der;
   rv = newCert->GetRawDER(&der.len, (uint8_t **)&der.data);
   NS_ENSURE_SUCCESS(rv, rv);
 
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Creating temp cert\n"));
   CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
-  insanity::pkix::ScopedCERTCertificate tmpCert(CERT_FindCertByDERCert(certdb, &der));
+  mozilla::pkix::ScopedCERTCertificate tmpCert(CERT_FindCertByDERCert(certdb, &der));
   if (!tmpCert)
     tmpCert = CERT_NewTempCertificate(certdb, &der,
                                       nullptr, false, true);
   nsMemory::Free(der.data);
   der.data = nullptr;
   der.len = 0;
 
   if (!tmpCert) {
@@ -1672,17 +1672,17 @@ nsNSSCertificateDB::SetCertTrustFromStri
   CERTCertTrust trust;
 
   // need to calculate the trust bits from the aTrust string.
   SECStatus srv = CERT_DecodeTrustString(&trust,
                                          const_cast<char *>(trustString));
   if (srv != SECSuccess) {
     return MapSECStatus(SECFailure);
   }
-  insanity::pkix::ScopedCERTCertificate nssCert(cert->GetCert());
+  mozilla::pkix::ScopedCERTCertificate nssCert(cert->GetCert());
 
   nsresult rv = attemptToLogInWithDefaultPassword();
   if (NS_WARN_IF(rv != NS_OK)) {
     return rv;
   }
 
   srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nssCert.get(), &trust);
   return MapSECStatus(srv);
@@ -1693,17 +1693,17 @@ nsNSSCertificateDB::GetCerts(nsIX509Cert
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }  
 
   nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
   nsCOMPtr<nsIX509CertList> nssCertList;
-  insanity::pkix::ScopedCERTCertList certList(
+  mozilla::pkix::ScopedCERTCertList certList(
     PK11_ListCerts(PK11CertListUnique, ctx));
 
   // nsNSSCertList 1) adopts certList, and 2) handles the nullptr case fine.
   // (returns an empty list) 
   nssCertList = new nsNSSCertList(certList, locker);
 
   *_retval = nssCertList;
   NS_ADDREF(*_retval);
@@ -1763,17 +1763,17 @@ nsNSSCertificateDB::VerifyCertNow(nsIX50
   if (!x509Cert) {
     return NS_ERROR_INVALID_ARG;
   }
   ScopedCERTCertificate nssCert(x509Cert->GetCert());
 
   RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
   NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE);
 
-  insanity::pkix::ScopedCERTCertList resultChain;
+  mozilla::pkix::ScopedCERTCertList resultChain;
   SECOidTag evOidPolicy;
   SECStatus srv;
 
   srv = certVerifier->VerifyCert(nssCert, nullptr,
                                  aUsage, PR_Now(),
                                  nullptr, // Assume no context
                                  aFlags,
                                  &resultChain,
@@ -1806,17 +1806,17 @@ nsNSSCertificateDB::ClearOCSPCache()
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
   NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE);
-  if (certVerifier->mImplementation == CertVerifier::insanity) {
+  if (certVerifier->mImplementation == CertVerifier::mozillapkix) {
     certVerifier->ClearOCSPCache();
   } else {
     SECStatus srv = CERT_ClearOCSPCache();
     if (srv != SECSuccess) {
       return MapSECStatus(srv);
     }
   }
 
--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@@ -966,19 +966,19 @@ void nsNSSComponent::setValidationOption
   bool ocspStaplingEnabled = Preferences::GetBool("security.ssl.enable_ocsp_stapling",
                                                   true);
   PublicSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
   PrivateSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
 
   CertVerifier::implementation_config certVerifierImplementation
     = CertVerifier::classic;
 
-  // The insanity::pkix pref overrides the libpkix pref
-  if (Preferences::GetBool("security.use_insanity_verification", false)) {
-    certVerifierImplementation = CertVerifier::insanity;
+  // The mozilla::pkix pref overrides the libpkix pref
+  if (Preferences::GetBool("security.use_mozillapkix_verification", false)) {
+    certVerifierImplementation = CertVerifier::mozillapkix;
   } else {
 #ifndef NSS_NO_LIBPKIX
   if (Preferences::GetBool("security.use_libpkix_verification", false)) {
     certVerifierImplementation = CertVerifier::libpkix;
   }
 #endif
   }
 
@@ -992,19 +992,19 @@ void nsNSSComponent::setValidationOption
 #ifndef NSS_NO_LIBPKIX
       aiaDownloadEnabled ?
         CertVerifier::missing_cert_download_on : CertVerifier::missing_cert_download_off,
       crlDownloading ?
         CertVerifier::crl_download_allowed : CertVerifier::crl_local_only,
 #endif
       odc, osc, ogc);
 
-  // insanity::pkix has its own OCSP cache, so disable the NSS cache
+  // mozilla::pkix has its own OCSP cache, so disable the NSS cache
   // if appropriate.
-  if (certVerifierImplementation == CertVerifier::insanity) {
+  if (certVerifierImplementation == CertVerifier::mozillapkix) {
     // Using -1 disables the cache. The other arguments are the default
     // values and aren't exposed by the API.
     CERT_OCSPCacheSettings(-1, 1*60*60L, 24*60*60L);
   } else {
     // Using 1000 enables the cache with the default size of 1000. Again,
     // these values are not exposed by the API.
     CERT_OCSPCacheSettings(1000, 1*60*60L, 24*60*60L);
   }
@@ -1612,17 +1612,17 @@ nsNSSComponent::Observe(nsISupports* aSu
                                                 ALPN_ENABLED_DEFAULT));
     } else if (prefName.Equals("security.OCSP.enabled")
                || prefName.Equals("security.CRL_download.enabled")
                || prefName.Equals("security.fresh_revocation_info.require")
                || prefName.Equals("security.missing_cert_download.enabled")
                || prefName.Equals("security.OCSP.require")
                || prefName.Equals("security.OCSP.GET.enabled")
                || prefName.Equals("security.ssl.enable_ocsp_stapling")
-               || prefName.Equals("security.use_insanity_verification")
+               || prefName.Equals("security.use_mozillapkix_verification")
                || prefName.Equals("security.use_libpkix_verification")) {
       MutexAutoLock lock(mutex);
       setValidationOptions(false, lock);
     } else if (prefName.Equals("network.ntlm.send-lm-response")) {
       bool sendLM = Preferences::GetBool("network.ntlm.send-lm-response",
                                          SEND_LM_DEFAULT);
       nsNTLMAuthModule::SetSendLM(sendLM);
       clearSessionCache = false;
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
@@ -1,17 +1,17 @@
 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsNSSIOLayer.h"
 
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "nsNSSComponent.h"
 #include "mozilla/Casting.h"
 #include "mozilla/DebugOnly.h"
 #include "mozilla/Telemetry.h"
 
 #include "prlog.h"
 #include "prnetdb.h"
 #include "nsIPrefService.h"
@@ -1865,19 +1865,19 @@ nsNSS_SSLGetClientAuthData(void* arg, PR
   return runnable->mRV;
 }
 
 void
 ClientAuthDataRunnable::RunOnTargetThread()
 {
   PLArenaPool* arena = nullptr;
   char** caNameStrings;
-  insanity::pkix::ScopedCERTCertificate cert;
+  mozilla::pkix::ScopedCERTCertificate cert;
   ScopedSECKEYPrivateKey privKey;
-  insanity::pkix::ScopedCERTCertList certList;
+  mozilla::pkix::ScopedCERTCertList certList;
   CERTCertListNode* node;
   ScopedCERTCertNicknames nicknames;
   char* extracted = nullptr;
   int keyError = 0; // used for private key retrieval error
   SSM_UserCertChoice certChoice;
   int32_t NumberOfCerts = 0;
   void* wincx = mSocketInfo;
   nsresult rv;
--- a/security/manager/ssl/src/nsPKCS12Blob.cpp
+++ b/security/manager/ssl/src/nsPKCS12Blob.cpp
@@ -1,16 +1,16 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /* $Id: nsPKCS12Blob.cpp,v 1.49 2007/09/05 07:13:46 jwalden%mit.edu Exp $ */
 
 #include "nsPKCS12Blob.h"
 
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 
 #include "prmem.h"
 #include "prprf.h"
 
 #include "nsIFile.h"
 #include "nsNetUtil.h"
 #include "nsIDirectoryService.h"
 #include "nsThreadUtils.h"
@@ -302,17 +302,17 @@ nsPKCS12Blob::ExportToFile(nsIFile *file
     goto finish;
   }
   // add password integrity
   srv = SEC_PKCS12AddPasswordIntegrity(ecx, &unicodePw, SEC_OID_SHA1);
   if (srv) goto finish;
   for (i=0; i<numCerts; i++) {
     nsNSSCertificate *cert = (nsNSSCertificate *)certs[i];
     // get it as a CERTCertificate XXX
-    insanity::pkix::ScopedCERTCertificate nssCert(cert->GetCert());
+    mozilla::pkix::ScopedCERTCertificate nssCert(cert->GetCert());
     if (!nssCert) {
       rv = NS_ERROR_FAILURE;
       goto finish;
     }
     // We can only successfully export certs that are on 
     // internal token.  Most, if not all, smart card vendors
     // won't let you extract the private key (in any way
     // shape or form) from the card.  So let's punt if 
--- a/security/manager/ssl/src/nsRecentBadCerts.cpp
+++ b/security/manager/ssl/src/nsRecentBadCerts.cpp
@@ -1,17 +1,17 @@
 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsRecentBadCerts.h"
 
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "nsIX509Cert.h"
 #include "nsIObserverService.h"
 #include "mozilla/RefPtr.h"
 #include "mozilla/Services.h"
 #include "nsSSLStatus.h"
 #include "nsCOMPtr.h"
 #include "nsNSSCertificate.h"
 #include "nsCRT.h"
@@ -67,17 +67,17 @@ nsRecentBadCerts::GetRecentBadCert(const
         isNotValidAtThisTime = mCerts[i].isNotValidAtThisTime;
         isUntrusted = mCerts[i].isUntrusted;
       }
     }
   }
 
   if (foundDER.len) {
     CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
-    insanity::pkix::ScopedCERTCertificate nssCert(
+    mozilla::pkix::ScopedCERTCertificate nssCert(
       CERT_FindCertByDERCert(certdb, &foundDER));
     if (!nssCert) 
       nssCert = CERT_NewTempCertificate(certdb, &foundDER,
                                         nullptr, // no nickname
                                         false, // not perm
                                         true); // copy der
 
     SECITEM_FreeItem(&foundDER, false);
--- a/security/manager/ssl/tests/gtest/moz.build
+++ b/security/manager/ssl/tests/gtest/moz.build
@@ -10,13 +10,13 @@ LIBXUL_LIBRARY = True
 
 SOURCES += [
     'OCSPCacheTest.cpp',
     'TLSIntoleranceTest.cpp',
 ]
 
 LOCAL_INCLUDES += [
     '../../../../certverifier',
-    '../../../../insanity/include',
+    '../../../../pkix/include',
     '/security/manager/ssl/src',
 ]
 
 include('/ipc/chromium/chromium-config.mozbuild')
--- a/security/manager/ssl/tests/unit/test_cert_overrides.js
+++ b/security/manager/ssl/tests/unit/test_cert_overrides.js
@@ -67,76 +67,76 @@ function run_test() {
 
   add_test(function () {
     fakeOCSPResponder.stop(check_telemetry);
   });
 
   run_next_test();
 }
 
-function add_tests_in_mode(useInsanity) {
+function add_tests_in_mode(useMozillaPKIX) {
   add_test(function () {
-    Services.prefs.setBoolPref("security.use_insanity_verification",
-                               useInsanity);
+    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
+                               useMozillaPKIX);
     run_next_test();
   });
 
-  add_simple_tests(useInsanity);
-  add_combo_tests(useInsanity);
-  add_distrust_tests(useInsanity);
+  add_simple_tests(useMozillaPKIX);
+  add_combo_tests(useMozillaPKIX);
+  add_distrust_tests(useMozillaPKIX);
 
   add_test(function () {
     certOverrideService.clearValidityOverride("all:temporary-certificates", 0);
     run_next_test();
   });
 }
 
-function add_simple_tests(useInsanity) {
+function add_simple_tests(useMozillaPKIX) {
   add_cert_override_test("expired.example.com",
                          Ci.nsICertOverrideService.ERROR_TIME,
                          getXPCOMStatusFromNSS(SEC_ERROR_EXPIRED_CERTIFICATE));
   add_cert_override_test("selfsigned.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
                          getXPCOMStatusFromNSS(
-                            useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                                        : SEC_ERROR_CA_CERT_INVALID));
+                            useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                           : SEC_ERROR_CA_CERT_INVALID));
   add_cert_override_test("unknownissuer.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
                          getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
   add_cert_override_test("expiredissuer.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
                          getXPCOMStatusFromNSS(
-                            useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                                        : SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE));
+                            useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                           : SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE));
   add_cert_override_test("md5signature.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
                          getXPCOMStatusFromNSS(
                             SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED));
   add_cert_override_test("mismatch.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH,
                          getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN));
 
   // A Microsoft IIS utility generates self-signed certificates with
   // properties similar to the one this "host" will present (see
   // tlsserver/generate_certs.sh).
   // One of the errors classic verification collects is that this
   // certificate has an inadequate key usage to sign a certificate
   // (i.e. itself). As a result, to be able to override this,
   // SEC_ERROR_INADEQUATE_KEY_USAGE must be overridable (although,
   // confusingly, this isn't the main error reported).
-  // insanity::pkix just says this certificate's issuer is unknown.
+  // mozilla::pkix just says this certificate's issuer is unknown.
   add_cert_override_test("selfsigned-inadequateEKU.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
                          getXPCOMStatusFromNSS(
-                            useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                                        : SEC_ERROR_CA_CERT_INVALID));
+                            useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                           : SEC_ERROR_CA_CERT_INVALID));
 
   // SEC_ERROR_INADEQUATE_KEY_USAGE is overridable in general for
-  // classic verification, but not for insanity::pkix verification.
-  if (useInsanity) {
+  // classic verification, but not for mozilla::pkix verification.
+  if (useMozillaPKIX) {
     add_connection_test("inadequatekeyusage.example.com",
                         getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE),
                         null,
                         function (securityInfo) {
                           // bug 754369 - no SSLStatus probably means this is
                           // a non-overridable error, which is what we're testing
                           // (although it would be best to test this directly).
                           securityInfo.QueryInterface(Ci.nsISSLStatusProvider);
@@ -144,70 +144,70 @@ function add_simple_tests(useInsanity) {
                         });
   } else {
     add_cert_override_test("inadequatekeyusage.example.com",
                            Ci.nsICertOverrideService.ERROR_UNTRUSTED,
                            getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE));
   }
 }
 
-function add_combo_tests(useInsanity) {
+function add_combo_tests(useMozillaPKIX) {
   // Note that "untrusted" here really is "unknown issuer" in the
-  // insanity::pkix case.
+  // mozilla::pkix case.
 
   add_cert_override_test("mismatch-expired.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH |
                          Ci.nsICertOverrideService.ERROR_TIME,
                          getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN));
   add_cert_override_test("mismatch-untrusted.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH |
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
                          getXPCOMStatusFromNSS(
-                            useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                                        : SEC_ERROR_UNTRUSTED_ISSUER));
+                            useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                           : SEC_ERROR_UNTRUSTED_ISSUER));
   add_cert_override_test("untrusted-expired.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED |
                          Ci.nsICertOverrideService.ERROR_TIME,
                          getXPCOMStatusFromNSS(
-                            useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                                        : SEC_ERROR_UNTRUSTED_ISSUER));
+                            useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                           : SEC_ERROR_UNTRUSTED_ISSUER));
   add_cert_override_test("mismatch-untrusted-expired.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH |
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED |
                          Ci.nsICertOverrideService.ERROR_TIME,
                          getXPCOMStatusFromNSS(
-                            useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                                        : SEC_ERROR_UNTRUSTED_ISSUER));
+                            useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                           : SEC_ERROR_UNTRUSTED_ISSUER));
 
   add_cert_override_test("md5signature-expired.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED |
                          Ci.nsICertOverrideService.ERROR_TIME,
                          getXPCOMStatusFromNSS(
                             SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED));
 }
 
-function add_distrust_tests(useInsanity) {
+function add_distrust_tests(useMozillaPKIX) {
   // Before we specifically distrust this certificate, it should be trusted.
   add_connection_test("untrusted.example.com", Cr.NS_OK);
 
   // XXX(Bug 975777): Active distrust is an overridable error when NSS-based
   // verification is used.
   add_distrust_override_test("tlsserver/default-ee.der",
                              "untrusted.example.com",
                              getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT),
-                             useInsanity
+                             useMozillaPKIX
                                 ? getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT)
                                 : Cr.NS_OK);
 
   // XXX(Bug 975777): Active distrust is an overridable error when NSS-based
   // verification is used.
   add_distrust_override_test("tlsserver/other-test-ca.der",
                              "untrustedissuer.example.com",
                              getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER),
-                             useInsanity
+                             useMozillaPKIX
                                 ? getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER)
                                 : Cr.NS_OK);
 }
 
 function add_distrust_override_test(certFileName, hostName,
                                     expectedResultBefore, expectedResultAfter) {
   let certToDistrust = constructCertFromFile(certFileName);
 
--- a/security/manager/ssl/tests/unit/test_cert_signatures.js
+++ b/security/manager/ssl/tests/unit/test_cert_signatures.js
@@ -44,33 +44,33 @@ function run_test() {
   load_ca("ca-rsa");
   load_ca("ca-p384");
   load_ca("ca-dsa");
 
   run_test_in_mode(true);
   run_test_in_mode(false);
 }
 
-function run_test_in_mode(useInsanity) {
-  Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
+function run_test_in_mode(useMozillaPKIX) {
+  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
   clearOCSPCache();
   clearSessionCache();
 
   check_ca("ca-rsa");
   check_ca("ca-p384");
   check_ca("ca-dsa");
 
-  // insanity::pkix does not allow CA certs to be validated for end-entity
+  // mozilla::pkix does not allow CA certs to be validated for end-entity
   // usages.
-  let int_usage = useInsanity
+  let int_usage = useMozillaPKIX
                 ? 'SSL CA'
                 : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
 
-  // insanity::pkix doesn't implement the Netscape Object Signer restriction.
-  const ee_usage = useInsanity
+  // mozilla::pkix doesn't implement the Netscape Object Signer restriction.
+  const ee_usage = useMozillaPKIX
                  ? 'Client,Server,Sign,Encrypt,Object Signer'
                  : 'Client,Server,Sign,Encrypt';
 
   let cert2usage = {
     // certs without the "int" prefix are end entity certs.
     'int-rsa-valid': int_usage,
     'rsa-valid': ee_usage,
     'int-p384-valid': int_usage,
--- a/security/manager/ssl/tests/unit/test_cert_trust.js
+++ b/security/manager/ssl/tests/unit/test_cert_trust.js
@@ -34,207 +34,207 @@ function check_cert_err_generic(cert, ex
   do_print("cert issuer cn=" + cert.issuerCommonName);
   let hasEVPolicy = {};
   let verifiedChain = {};
   let error = certdb.verifyCertNow(cert, usage,
                                    NO_FLAGS, verifiedChain, hasEVPolicy);
   do_check_eq(error,  expected_error);
 };
 
-function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useInsanity) {
+function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useMozillaPKIX) {
   // On reset most usages are successful
   check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
   check_cert_err_generic(ee_cert, 0, certificateUsageSSLClient);
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
-                                              : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageSSLCA);  // expected no bc
   check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
   check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
-  check_cert_err_generic(ee_cert, useInsanity ? 0
-                                              : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageObjectSigner); // expected
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
-                                              : SEC_ERROR_INVALID_ARGS,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INVALID_ARGS,
                          certificateUsageVerifyCA); // expected no bc
   check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageStatusResponder); //expected
 
 
   // Test of active distrust. No usage should pass.
   setCertTrust(cert_to_modify_trust, 'p,p,p');
   check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageSSLServer);
   check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageSSLClient);
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
-                                              : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageSSLCA);
   check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageEmailSigner);
   check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageEmailRecipient);
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_UNTRUSTED_ISSUER
-                                              : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_UNTRUSTED_ISSUER
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageObjectSigner);
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
-                                              : SEC_ERROR_INVALID_ARGS,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INVALID_ARGS,
                          certificateUsageVerifyCA);
   check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageStatusResponder);
 
 
   // Trust set to T  -  trusted CA to issue client certs, where client cert is
   // usageSSLClient.
   setCertTrust(cert_to_modify_trust, 'T,T,T');
-  check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                                                         : SEC_ERROR_UNTRUSTED_ISSUER
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                                            : SEC_ERROR_UNTRUSTED_ISSUER
                                            : 0,
                          certificateUsageSSLServer);
 
-  check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER //XXX Bug 982340
-                                                         : 0
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER //XXX Bug 982340
+                                                            : 0
                                            : 0,
                          certificateUsageSSLClient);
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
-                                              : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageSSLCA);
 
-  check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                                                         : SEC_ERROR_UNTRUSTED_ISSUER
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                                            : SEC_ERROR_UNTRUSTED_ISSUER
                                            : 0,
                          certificateUsageEmailSigner);
-  check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                                                         : SEC_ERROR_UNTRUSTED_ISSUER
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                                            : SEC_ERROR_UNTRUSTED_ISSUER
                                            : 0,
                          certificateUsageEmailRecipient);
-  check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                                                         : SEC_ERROR_INADEQUATE_CERT_TYPE
-                                           : useInsanity ? 0
-                                                         : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                                            : SEC_ERROR_INADEQUATE_CERT_TYPE
+                                           : useMozillaPKIX ? 0
+                                                            : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageObjectSigner);
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
-                                              : SEC_ERROR_INVALID_ARGS,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INVALID_ARGS,
                          certificateUsageVerifyCA);
   check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageStatusResponder);
 
 
   // Now tests on the SSL trust bit
   setCertTrust(cert_to_modify_trust, 'p,C,C');
   check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageSSLServer);
-  check_cert_err_generic(ee_cert, useInsanity ? 0  //XXX Bug 982340
-                                              : SEC_ERROR_UNTRUSTED_ISSUER,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0  //XXX Bug 982340
+                                                 : SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageSSLClient);
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
-                                              : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageSSLCA);
   check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
   check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
-  check_cert_err_generic(ee_cert, useInsanity ? 0
-                                              : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageObjectSigner);
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
-                                              : SEC_ERROR_INVALID_ARGS,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INVALID_ARGS,
                          certificateUsageVerifyCA);
   check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageStatusResponder);
 
   // Inherited trust SSL
   setCertTrust(cert_to_modify_trust, ',C,C');
-  check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                                                         : SEC_ERROR_UNTRUSTED_ISSUER
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                                            : SEC_ERROR_UNTRUSTED_ISSUER
                                            : 0,
                          certificateUsageSSLServer);
-  check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? 0  // XXX Bug 982340
-                                                         : SEC_ERROR_UNTRUSTED_ISSUER
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? 0  // XXX Bug 982340
+                                                            : SEC_ERROR_UNTRUSTED_ISSUER
                                            : 0,
                          certificateUsageSSLClient);
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
-                                              : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageSSLCA);
   check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
   check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
-  check_cert_err_generic(ee_cert, useInsanity ? 0
-                                              : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageObjectSigner);
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
-                                              : SEC_ERROR_INVALID_ARGS,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INVALID_ARGS,
                          certificateUsageVerifyCA);
   check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageStatusResponder);
 
   // Now tests on the EMAIL trust bit
   setCertTrust(cert_to_modify_trust, 'C,p,C');
   check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
   check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNTRUSTED_ISSUER
-                                           : useInsanity ? SEC_ERROR_UNTRUSTED_ISSUER
-                                                         : 0, // Insanity is OK, NSS bug
+                                           : useMozillaPKIX ? SEC_ERROR_UNTRUSTED_ISSUER
+                                                            : 0, // Insanity is OK, NSS bug
                          certificateUsageSSLClient);
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
-                                              : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageSSLCA);
   check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageEmailSigner);
   check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageEmailRecipient);
-  check_cert_err_generic(ee_cert, useInsanity ? 0
-                                              : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageObjectSigner);
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
-                                              : SEC_ERROR_INVALID_ARGS,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INVALID_ARGS,
                          certificateUsageVerifyCA);
   check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageStatusResponder);
 
 
   //inherited EMAIL Trust
   setCertTrust(cert_to_modify_trust, 'C,,C');
   check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
-  check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                                                         : SEC_ERROR_UNTRUSTED_ISSUER
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                                            : SEC_ERROR_UNTRUSTED_ISSUER
                                            : 0,
                          certificateUsageSSLClient);
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
-                                              : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageSSLCA);
-  check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                                                         : SEC_ERROR_UNTRUSTED_ISSUER
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                                            : SEC_ERROR_UNTRUSTED_ISSUER
                                            : 0,
                          certificateUsageEmailSigner);
-  check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                                                         : SEC_ERROR_UNTRUSTED_ISSUER
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                                            : SEC_ERROR_UNTRUSTED_ISSUER
                                            : 0,
                          certificateUsageEmailRecipient);
-  check_cert_err_generic(ee_cert, useInsanity ? 0
-                                              : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageObjectSigner);
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
-                                              : SEC_ERROR_INVALID_ARGS,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INVALID_ARGS,
                          certificateUsageVerifyCA);
   check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageStatusResponder);
 }
 
 
-function run_test_in_mode(useInsanity) {
-  Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
+function run_test_in_mode(useMozillaPKIX) {
+  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
 
   let ca_cert = certdb.findCertByNickname(null, 'ca');
   do_check_false(!ca_cert)
   let int_cert = certdb.findCertByNickname(null, 'int');
   do_check_false(!int_cert)
   let ee_cert = certdb.findCertByNickname(null, 'ee');
   do_check_false(!ee_cert);
 
   setup_basic_trusts(ca_cert, int_cert);
-  test_ca_distrust(ee_cert, ca_cert, true, useInsanity);
+  test_ca_distrust(ee_cert, ca_cert, true, useMozillaPKIX);
 
   setup_basic_trusts(ca_cert, int_cert);
-  test_ca_distrust(ee_cert, int_cert, false, useInsanity);
+  test_ca_distrust(ee_cert, int_cert, false, useMozillaPKIX);
 }
 
 function run_test() {
   for (let i = 0 ; i < certList.length; i++) {
     load_cert(certList[i], ',,');
   }
 
   run_test_in_mode(true);
--- a/security/manager/ssl/tests/unit/test_certificate_usages.js
+++ b/security/manager/ssl/tests/unit/test_certificate_usages.js
@@ -30,46 +30,46 @@ function run_test() {
     do_print("ca_name=" + ca_name);
     var cert = certdb.findCertByNickname(null, ca_name);
   }
 
   run_test_in_mode(true);
   run_test_in_mode(false);
 }
 
-function run_test_in_mode(useInsanity) {
-  Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
+function run_test_in_mode(useMozillaPKIX) {
+  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
   clearOCSPCache();
   clearSessionCache();
 
-  // insanity::pkix does not allow CA certs to be validated for non-CA usages.
-  var allCAUsages = useInsanity
+  // mozilla::pkix does not allow CA certs to be validated for non-CA usages.
+  var allCAUsages = useMozillaPKIX
                   ? 'SSL CA'
                   : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
 
-  // insanity::pkix doesn't allow CA certificates to have the Status Responder
+  // mozilla::pkix doesn't allow CA certificates to have the Status Responder
   // EKU.
   var ca_usages = [allCAUsages,
                    'SSL CA',
                    allCAUsages,
-                   useInsanity ? ''
-                               : 'Client,Server,Sign,Encrypt,Status Responder'];
+                   useMozillaPKIX ? ''
+                                  : 'Client,Server,Sign,Encrypt,Status Responder'];
 
-  // insanity::pkix doesn't implement the Netscape Object Signer restriction.
-  var basicEndEntityUsages = useInsanity
+  // mozilla::pkix doesn't implement the Netscape Object Signer restriction.
+  var basicEndEntityUsages = useMozillaPKIX
                            ? 'Client,Server,Sign,Encrypt,Object Signer'
                            : 'Client,Server,Sign,Encrypt';
   var basicEndEntityUsagesWithObjectSigner = basicEndEntityUsages + ",Object Signer"
 
-  // insanity::pkix won't let a certificate with the "Status Responder" EKU get
+  // mozilla::pkix won't let a certificate with the "Status Responder" EKU get
   // validated for any other usage.
-  var statusResponderUsages = (useInsanity ? "" : "Server,") + "Status Responder";
+  var statusResponderUsages = (useMozillaPKIX ? "" : "Server,") + "Status Responder";
   var statusResponderUsagesFull
-      = useInsanity ? statusResponderUsages
-                    : basicEndEntityUsages + ',Object Signer,Status Responder';
+      = useMozillaPKIX ? statusResponderUsages
+                       : basicEndEntityUsages + ',Object Signer,Status Responder';
 
   var ee_usages = [
     [ basicEndEntityUsages,
       basicEndEntityUsages,
       basicEndEntityUsages,
       '',
       statusResponderUsagesFull,
       'Client,Server',
@@ -96,26 +96,26 @@ function run_test_in_mode(useInsanity) {
       'Sign,Encrypt,Object Signer',
       statusResponderUsages
     ],
 
     // The CA has isCA=true without keyCertSign.
     //
     // The 'classic' NSS mode uses the 'union' of the
     // capabilites so the cert is considered a CA.
-    // insanity::pkix and libpkix use the intersection of
+    // mozilla::pkix and libpkix use the intersection of
     // capabilites, so the cert is NOT considered a CA.
-    [ useInsanity ? '' : basicEndEntityUsages,
-      useInsanity ? '' : basicEndEntityUsages,
-      useInsanity ? '' : basicEndEntityUsages,
+    [ useMozillaPKIX ? '' : basicEndEntityUsages,
+      useMozillaPKIX ? '' : basicEndEntityUsages,
+      useMozillaPKIX ? '' : basicEndEntityUsages,
       '',
-      useInsanity ? '' : statusResponderUsagesFull,
-      useInsanity ? '' : 'Client,Server',
-      useInsanity ? '' : 'Sign,Encrypt,Object Signer',
-      useInsanity ? '' : 'Server,Status Responder'
+      useMozillaPKIX ? '' : statusResponderUsagesFull,
+      useMozillaPKIX ? '' : 'Client,Server',
+      useMozillaPKIX ? '' : 'Sign,Encrypt,Object Signer',
+      useMozillaPKIX ? '' : 'Server,Status Responder'
      ]
   ];
 
   do_check_eq(gNumCAs, ca_usages.length);
 
   for (var i = 0; i < gNumCAs; i++) {
     var ca_name = "ca-" + (i + 1);
     var verified = {};
--- a/security/manager/ssl/tests/unit/test_ev_certs.js
+++ b/security/manager/ssl/tests/unit/test_ev_certs.js
@@ -114,21 +114,21 @@ function run_test() {
   // setup and start ocsp responder
   Services.prefs.setCharPref("network.dns.localDomains",
                              'www.example.com, crl.example.com');
   add_tests_in_mode(true);
   add_tests_in_mode(false);
   run_next_test();
 }
 
-function add_tests_in_mode(useInsanity)
+function add_tests_in_mode(useMozillaPKIX)
 {
   add_test(function () {
-    Services.prefs.setBoolPref("security.use_insanity_verification",
-                               useInsanity);
+    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
+                               useMozillaPKIX);
     run_next_test();
   });
 
   add_test(function () {
     clearOCSPCache();
     let ocspResponder = start_ocsp_responder(
                           isDebugBuild ? ["int-ev-valid", "ev-valid"]
                                        : ["ev-valid"]);
@@ -157,18 +157,18 @@ function add_tests_in_mode(useInsanity)
   const nsIX509Cert = Ci.nsIX509Cert;
   add_test(function() {
     let evRootCA = certdb.findCertByNickname(null, evrootnick);
     certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT, 0);
 
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
     check_cert_err("ev-valid",
-                   useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                               : SEC_ERROR_UNTRUSTED_ISSUER);
+                   useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                  : SEC_ERROR_UNTRUSTED_ISSUER);
     ocspResponder.stop(run_next_test);
   });
 
   // bug 917380: Chcek that a trusted EV root is trusted after disabling and
   // re-enabling trust.
   add_test(function() {
     let evRootCA = certdb.findCertByNickname(null, evrootnick);
     certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT,
@@ -181,33 +181,33 @@ function add_tests_in_mode(useInsanity)
                           isDebugBuild ? ["int-ev-valid", "ev-valid"]
                                        : ["ev-valid"]);
     check_ee_for_ev("ev-valid", isDebugBuild);
     ocspResponder.stop(run_next_test);
   });
 
   add_test(function () {
     check_no_ocsp_requests("ev-valid",
-      useInsanity ? SEC_ERROR_POLICY_VALIDATION_FAILED
-                  : (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE
-                                  : SEC_ERROR_EXTENSION_NOT_FOUND));
+      useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
+                     : (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE
+                                     : SEC_ERROR_EXTENSION_NOT_FOUND));
   });
 
   add_test(function () {
     check_no_ocsp_requests("non-ev-root",
-      useInsanity ? SEC_ERROR_POLICY_VALIDATION_FAILED
-                  : (isDebugBuild ? SEC_ERROR_UNTRUSTED_ISSUER
-                                  : SEC_ERROR_EXTENSION_NOT_FOUND));
+      useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
+                     : (isDebugBuild ? SEC_ERROR_UNTRUSTED_ISSUER
+                                     : SEC_ERROR_EXTENSION_NOT_FOUND));
   });
 
   add_test(function () {
     check_no_ocsp_requests("no-ocsp-url-cert",
-      useInsanity ? SEC_ERROR_POLICY_VALIDATION_FAILED
-                  : (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE
-                                  : SEC_ERROR_EXTENSION_NOT_FOUND));
+      useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
+                     : (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE
+                                     : SEC_ERROR_EXTENSION_NOT_FOUND));
   });
 
   // Test the EV continues to work with flags after successful EV verification
   add_test(function () {
     clearOCSPCache();
     let ocspResponder = start_ocsp_responder(
                           isDebugBuild ? ["int-ev-valid", "ev-valid"]
                                        : ["ev-valid"]);
@@ -221,18 +221,18 @@ function add_tests_in_mode(useInsanity)
       let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY |
                   Ci.nsIX509CertDB.FLAG_MUST_BE_EV;
 
       let error = certdb.verifyCertNow(cert, certificateUsageSSLServer,
                                        flags, verifiedChain, hasEVPolicy);
       do_check_eq(hasEVPolicy.value, isDebugBuild);
       do_check_eq(error,
                   isDebugBuild ? 0
-                               : (useInsanity ? SEC_ERROR_POLICY_VALIDATION_FAILED
-                                              : SEC_ERROR_EXTENSION_NOT_FOUND));
+                               : (useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
+                                                 : SEC_ERROR_EXTENSION_NOT_FOUND));
       failingOcspResponder.stop(run_next_test);
     });
   });
 }
 
 // bug 950240: add FLAG_MUST_BE_EV to CertVerifier::VerifyCert
 // to prevent spurious OCSP requests that race with OCSP stapling.
 // This has the side-effect of saying an EV certificate is not EV if
--- a/security/manager/ssl/tests/unit/test_getchain.js
+++ b/security/manager/ssl/tests/unit/test_getchain.js
@@ -65,18 +65,18 @@ function check_getchain(ee_cert, ssl_ca,
   certdb.setCertTrust(ssl_ca, nsIX509Cert.CA_CERT, 0);
   check_matching_issuer_and_getchain(email_ca.serialNumber, ee_cert);
   certdb.setCertTrust(email_ca, nsIX509Cert.CA_CERT, 0);
   // Do a final test on the case of no trust. The results must
   // be cosistent (the actual value is non-deterministic).
   check_matching_issuer_and_getchain(ee_cert.issuer.serialNumber, ee_cert);
 }
 
-function run_test_in_mode(useInsanity) {
-  Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
+function run_test_in_mode(useMozillaPKIX) {
+  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
   clearOCSPCache();
   clearSessionCache();
 
   for (let i = 0 ; i < certList.length; i++) {
     load_cert(certList[i], ',,');
   }
 
   let ee_cert = certdb.findCertByNickname(null, 'ee');
--- a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
@@ -33,28 +33,28 @@ function test_cert_for_usages(certChainN
   let cert = certs[0];
   let verified = {};
   let usages = {};
   cert.getUsagesString(true, verified, usages);
   do_print("usages.value = " + usages.value);
   do_check_eq(expected_usages_string, usages.value);
 }
 
-function run_test_in_mode(useInsanity) {
-  Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
+function run_test_in_mode(useMozillaPKIX) {
+  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
 
-  // insanity::pkix doesn't support the obsolete Netscape object signing
+  // mozilla::pkix doesn't support the obsolete Netscape object signing
   // extension, but NSS does.
-  let ee_usage1 = useInsanity
+  let ee_usage1 = useMozillaPKIX
                 ? 'Client,Server,Sign,Encrypt,Object Signer'
                 : 'Client,Server,Sign,Encrypt'
 
-  // insanity::pkix doesn't validate CA certificates for non-CA uses, but
+  // mozilla::pkix doesn't validate CA certificates for non-CA uses, but
   // NSS does.
-  let ca_usage1 = useInsanity
+  let ca_usage1 = useMozillaPKIX
                 ? "SSL CA"
                 : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
 
   // Load the ca into mem
   let ca_name = "ca";
   load_cert(ca_name, "CTu,CTu,CTu");
   do_print("ca_name = " + ca_name);
   test_cert_for_usages([ca_name], ca_usage1);
@@ -80,36 +80,36 @@ function run_test_in_mode(useInsanity) {
   test_cert_for_usages(["ee-int-limited-depth", "int-limited-depth"],
                        ee_usage1);
 
   // ca
   //   int-limited-depth (cA==true, pathLenConstraint==0)
   //      int-limited-depth-invalid (cA==true)
   //
   // XXX: It seems the NSS code does not consider the path length of the
-  // certificate we're validating, but insanity::pkix does. insanity::pkix's
+  // certificate we're validating, but mozilla::pkix does. mozilla::pkix's
   // behavior is correct.
   test_cert_for_usages(["int-limited-depth-invalid", "int-limited-depth"],
-                       useInsanity ? "" : ca_usage1);
+                       useMozillaPKIX ? "" : ca_usage1);
   test_cert_for_usages(["ee-int-limited-depth-invalid",
                         "int-limited-depth-invalid",
                         "int-limited-depth"],
                        "");
 
   // int-valid-ku-no-eku has keyCertSign
   test_cert_for_usages(["int-valid-ku-no-eku"], "SSL CA");
   test_cert_for_usages(["ee-int-valid-ku-no-eku", "int-valid-ku-no-eku"],
                        ee_usage1);
 
   // int-bad-ku-no-eku has basicConstraints.cA==true and has a KU extension
-  // but the KU extension is missing keyCertSign. Note that insanity::pkix
+  // but the KU extension is missing keyCertSign. Note that mozilla::pkix
   // doesn't validate certificates with basicConstraints.Ca==true for non-CA
   // uses, but NSS does.
   test_cert_for_usages(["int-bad-ku-no-eku"],
-                       useInsanity
+                       useMozillaPKIX
                           ? ""
                           : 'Client,Server,Sign,Encrypt,Status Responder');
   test_cert_for_usages(["ee-int-bad-ku-no-eku", "int-bad-ku-no-eku"], "");
 
   // int-no-ku-no-eku has basicConstraints.cA==true and no KU extension.
   // We treat a missing KU as "any key usage is OK".
   test_cert_for_usages(["int-no-ku-no-eku"], ca_usage1);
   test_cert_for_usages(["ee-int-no-ku-no-eku", "int-no-ku-no-eku"], ee_usage1);
--- a/security/manager/ssl/tests/unit/test_name_constraints.js
+++ b/security/manager/ssl/tests/unit/test_name_constraints.js
@@ -45,18 +45,18 @@ function check_ok_ca (x) {
 function check_fail(x) {
   return check_cert_err(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE);
 }
 
 function check_fail_ca(x) {
   return check_cert_err_generic(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, certificateUsageSSLCA);
 }
 
-function run_test_in_mode(useInsanity) {
-  Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
+function run_test_in_mode(useMozillaPKIX) {
+  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
 
   // Note that CN is only looked at when there is NO subjectAltName!
 
   // Testing with a unconstrained root, and intermediate constrained to PERMIT
   // foo.com. All failures on this section are doe to the cert DNS names
   // not being under foo.com.
   check_ok_ca(load_cert('int-nc-perm-foo.com-ca-nc', ',,'));
   // no dirName
@@ -256,17 +256,17 @@ function run_test_in_mode(useInsanity) {
   check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-ca-nc-perm-foo.com.der'));
   check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.der'));
   check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.der'));
   check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.der'));
   check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.der'));
   check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.der'));
 
   // We don't enforce dNSName name constraints on CN unless we're validating
-  // for the server EKU. libpkix gets this wrong but insanity::pkix and classic
+  // for the server EKU. libpkix gets this wrong but mozilla::pkix and classic
   // NSS get it right.
   {
     let cert = certFromFile('cn-www.foo.org-int-nc-perm-foo.com-ca-nc.der');
     check_cert_err_generic(cert, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, certificateUsageSSLServer);
     check_cert_err_generic(cert, 0, certificateUsageSSLClient);
   }
 }
 
--- a/security/manager/ssl/tests/unit/test_ocsp_caching.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_caching.js
@@ -42,20 +42,20 @@ function run_test() {
 
   add_tests_in_mode(true);
   add_tests_in_mode(false);
 
   add_test(function() { ocspResponder.stop(run_next_test); });
   run_next_test();
 }
 
-function add_tests_in_mode(useInsanity) {
+function add_tests_in_mode(useMozillaPKIX) {
   add_test(function () {
-    Services.prefs.setBoolPref("security.use_insanity_verification",
-                               useInsanity);
+    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
+                               useMozillaPKIX);
     run_next_test();
   });
 
   // This test assumes that OCSPStaplingServer uses the same cert for
   // ocsp-stapling-unknown.example.com and ocsp-stapling-none.example.com.
 
   // Get an Unknown response for the *.exmaple.com cert and put it in the
   // OCSP cache.
@@ -102,18 +102,18 @@ function add_tests_in_mode(useInsanity) 
   add_test(function() { clearOCSPCache(); gFetchCount = 0; run_next_test(); });
 
   // A failure to retrieve an OCSP response will result in an error entry being
   // added to the cache.
   add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK,
                       clearSessionCache);
   add_test(function() { do_check_eq(gFetchCount, 1); run_next_test(); });
 
-  // TODO(bug 977865): implement this for insanity
-  if (!useInsanity) {
+  // TODO(bug 977865): implement this for mozilla::pkix
+  if (!useMozillaPKIX) {
     // The error entry will prevent a fetch from happening for a while.
     add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK,
                         clearSessionCache);
     add_test(function() { do_check_eq(gFetchCount, 1); run_next_test(); });
   }
 
   // The error entry must not prevent a stapled OCSP response from being
   // honored.
--- a/security/manager/ssl/tests/unit/test_ocsp_required.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_required.js
@@ -35,28 +35,28 @@ function run_test() {
   add_tests_in_mode(true);
   add_tests_in_mode(false);
 
   add_test(function () { ocspResponder.stop(run_next_test); });
 
   run_next_test();
 }
 
-function add_tests_in_mode(useInsanity)
+function add_tests_in_mode(useMozillaPKIX)
 {
   add_test(function () {
-    Services.prefs.setBoolPref("security.use_insanity_verification",
-                               useInsanity);
+    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
+                               useMozillaPKIX);
     run_next_test();
   });
 
   add_connection_test("ocsp-stapling-none.example.com",
                       getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE));
   add_connection_test("ocsp-stapling-none.example.com",
                       getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE));
   add_test(function () {
-    // TODO(bug 977865): insanity::pkix keeps requesting responses from
+    // TODO(bug 977865): mozilla::pkix keeps requesting responses from
     // failing responders
-    do_check_eq(gOCSPRequestCount, useInsanity ? 2 : 1);
+    do_check_eq(gOCSPRequestCount, useMozillaPKIX ? 2 : 1);
     gOCSPRequestCount = 0;
     run_next_test();
   });
 }
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling.js
@@ -16,20 +16,20 @@ function add_ocsp_test(aHost, aExpectedR
       gExpectOCSPRequest = !aStaplingEnabled;
       clearOCSPCache();
       clearSessionCache();
       Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling",
                                  aStaplingEnabled);
     });
 }
 
-function add_tests_in_mode(useInsanity, certDB, otherTestCA) {
+function add_tests_in_mode(useMozillaPKIX, certDB, otherTestCA) {
   add_test(function () {
-    Services.prefs.setBoolPref("security.use_insanity_verification",
-                               useInsanity);
+    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
+                               useMozillaPKIX);
     run_next_test();
   });
 
   // In the absence of OCSP stapling, these should actually all work.
   add_ocsp_test("ocsp-stapling-good.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-revoked.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-good-other-ca.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-malformed.example.com", Cr.NS_OK, false);
@@ -49,17 +49,17 @@ function add_tests_in_mode(useInsanity, 
 
   add_ocsp_test("ocsp-stapling-good.example.com", Cr.NS_OK, true);
 
   add_ocsp_test("ocsp-stapling-revoked.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE), true);
 
   // SEC_ERROR_OCSP_INVALID_SIGNING_CERT vs SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
   // depends on whether the CA that signed the response is a trusted CA
-  // (but only with the classic implementation - insanity::pkix always
+  // (but only with the classic implementation - mozilla::pkix always
   // results in the error SEC_ERROR_OCSP_INVALID_SIGNING_CERT).
 
   // This stapled response is from a CA that is untrusted and did not issue
   // the server's certificate.
   add_test(function() {
     certDB.setCertTrust(otherTestCA, Ci.nsIX509Cert.CA_CERT,
                         Ci.nsIX509CertDB.UNTRUSTED);
     run_next_test();
@@ -108,17 +108,17 @@ function add_tests_in_mode(useInsanity, 
       clearSessionCache();
       Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
     }
   );
   add_ocsp_test("ocsp-stapling-empty.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
 
   // TODO(bug 979070): NSS can't handle this yet.
-  if (useInsanity) {
+  if (useMozillaPKIX) {
     add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com",
                   getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
   }
 
   // ocsp-stapling-expired.example.com and
   // ocsp-stapling-expired-fresh-ca.example.com are handled in
   // test_ocsp_stapling_expired.js
 }
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
@@ -57,21 +57,21 @@ function run_test() {
   add_tls_server_setup("OCSPStaplingServer");
   add_tests_in_mode(true);
   add_tests_in_mode(false);
   add_test(function () { ocspResponder.stop(run_next_test); });
   add_test(check_ocsp_stapling_telemetry);
   run_next_test();
 }
 
-function add_tests_in_mode(useInsanity)
+function add_tests_in_mode(useMozillaPKIX)
 {
   add_test(function () {
-    Services.prefs.setBoolPref("security.use_insanity_verification",
-                               useInsanity);
+    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
+                               useMozillaPKIX);
     run_next_test();
   });
 
   // In these tests, the OCSP stapling server gives us a stapled
   // response based on the host name ("ocsp-stapling-expired" or
   // "ocsp-stapling-expired-fresh-ca"). We then ensure that we're
   // properly falling back to fetching revocation information.
   // For ocsp-stapling-expired.example.com, the OCSP stapling server
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
@@ -39,17 +39,17 @@ function run_test() {
   add_test(function () { ocspResponder.stop(run_next_test); });
   add_test(function() {
     do_check_eq(gOCSPRequestCount, 0);
     run_next_test();
   });
   run_next_test();
 }
 
-function add_tests_in_mode(useInsanity) {
+function add_tests_in_mode(useMozillaPKIX) {
   add_test(function () {
-    Services.prefs.setBoolPref("security.use_insanity_verification",
-                               useInsanity);
+    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
+                               useMozillaPKIX);
     run_next_test();
   });
 
   add_ocsp_test("ocsp-stapling-with-intermediate.example.com", Cr.NS_OK);
 }
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/Makefile.in
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/Makefile.in
@@ -5,14 +5,14 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 include $(topsrcdir)/config/config.mk
 
 LIBS = \
   $(NSPR_LIBS) \
   $(NSS_LIBS) \
   $(MOZALLOC_LIB) \
-  ../../../../../../insanity/$(LIB_PREFIX)insanitypkix.$(LIB_SUFFIX) \
-  ../../../../../../insanity/test/lib/$(LIB_PREFIX)pkixtestutil.$(LIB_SUFFIX) \
+  ../../../../../../pkix/$(LIB_PREFIX)mozillapkix.$(LIB_SUFFIX) \
+  ../../../../../../pkix/test/lib/$(LIB_PREFIX)pkixtestutil.$(LIB_SUFFIX) \
   ../lib/$(LIB_PREFIX)tlsserver.$(LIB_SUFFIX) \
   $(NULL)
 
 DEFINES += $(TK_CFLAGS)
--- a/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
@@ -8,16 +8,17 @@
 
 #include "ScopedNSSTypes.h"
 #include "TLSServer.h"
 #include "pkixtestutil.h"
 #include "secerr.h"
 
 using namespace mozilla;
 using namespace mozilla::test;
+using namespace mozilla::pkix::test;
 
 
 SECItemArray *
 GetOCSPResponseForType(OCSPResponseType aORT, CERTCertificate *aCert,
                        PLArenaPool *aArena, const char *aAdditionalCertName)
 {
   if (aORT == ORTNone) {
     if (gDebugLevel >= DEBUG_WARNINGS) {
@@ -33,17 +34,17 @@ GetOCSPResponseForType(OCSPResponseType 
     arr->items[0].len = 0;
     return arr;
   }
 
   PRTime now = PR_Now();
   PRTime oneDay = 60*60*24 * (PRTime)PR_USEC_PER_SEC;
   PRTime oldNow = now - (8 * oneDay);
 
-  insanity::test::OCSPResponseContext context(aArena, aCert, now);
+  OCSPResponseContext context(aArena, aCert, now);
 
   if (aORT == ORTGoodOtherCert) {
     context.cert = PK11_FindCertFromNickname(aAdditionalCertName, nullptr);
     if (!context.cert) {
       PrintPRError("PK11_FindCertFromNickname failed");
       return nullptr;
     }
   }
@@ -98,17 +99,17 @@ GetOCSPResponseForType(OCSPResponseType 
   if (aORT == ORTBadSignature) {
     context.badSignature = true;
   }
 
   if (!context.signerCert) {
     context.signerCert = CERT_DupCertificate(context.issuerCert.get());
   }
 
-  SECItem* response = insanity::test::CreateEncodedOCSPResponse(context);
+  SECItem* response = CreateEncodedOCSPResponse(context);
   if (!response) {
     PrintPRError("CreateEncodedOCSPResponse failed");
     return nullptr;
   }
 
   SECItemArray* arr = SECITEM_AllocArray(aArena, nullptr, 1);
   arr->items[0].data = response ? response->data : nullptr;
   arr->items[0].len = response ? response->len : 0;
--- a/security/manager/ssl/tests/unit/tlsserver/lib/moz.build
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/moz.build
@@ -5,13 +5,13 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 UNIFIED_SOURCES += [
     'OCSPCommon.cpp',
     'TLSServer.cpp',
 ]
 
 LOCAL_INCLUDES += [
-    '../../../../../../insanity/include',
-    '../../../../../../insanity/test/lib',
+    '../../../../../../pkix/include',
+    '../../../../../../pkix/test/lib',
 ]
 
 LIBRARY_NAME = 'tlsserver'
rename from security/insanity/include/insanity/ScopedPtr.h
rename to security/pkix/include/pkix/ScopedPtr.h
--- a/security/insanity/include/insanity/ScopedPtr.h
+++ b/security/pkix/include/pkix/ScopedPtr.h
@@ -1,31 +1,31 @@
 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* Copyright 2013 Mozilla Foundation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+/* Copyright 2013 Mozilla Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  */
 
-#ifndef insanity_pkix__ScopedPtr_h
-#define insanity_pkix__ScopedPtr_h
+#ifndef mozilla_pkix__ScopedPtr_h
+#define mozilla_pkix__ScopedPtr_h
 
-#include "insanity/nullptr.h"
+#include "pkix/nullptr.h"
 
-namespace insanity { namespace pkix {
+namespace mozilla { namespace pkix {
 
 // Similar to boost::scoped_ptr and std::unique_ptr. Does not support copying
 // or assignment.
 template <typename T, void (*Destroyer)(T*)>
 class ScopedPtr
 {
 public:
   explicit ScopedPtr(T* value = nullptr) : mValue(value) { }
@@ -89,11 +89,11 @@ operator!=(T* a, const ScopedPtr<T, Dest
 
 template <typename T, void(*Destroyer)(T*)>
 inline bool
 operator!=(const ScopedPtr<T, Destroyer>& a, T* b)
 {
   return a.get() != b;
 }
 
-} } // namespace insanity::pkix
+} } // namespace mozilla::pkix
 
-#endif // insanity_pkix__ScopedPtr_h
+#endif // mozilla_pkix__ScopedPtr_h
rename from security/insanity/include/insanity/bind.h
rename to security/pkix/include/pkix/bind.h
--- a/security/insanity/include/insanity/bind.h
+++ b/security/pkix/include/pkix/bind.h
@@ -14,28 +14,28 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
 // Work around missing std::bind, std::ref, std::cref in older compilers. This
 // implementation isn't intended to be complete; rather, it is the minimal
 // implementation needed to make our use of std::bind work.
 
-#ifndef insanity_pkix__bind_h
-#define insanity_pkix__bind_h
+#ifndef mozilla_pkix__bind_h
+#define mozilla_pkix__bind_h
 
 #ifdef _MSC_VER
 #pragma warning(disable:4275) //Suppress spurious MSVC warning
 #endif
 #include <functional>
 #ifdef _MSC_VER
 #pragma warning(default:4275)
 #endif
 
-namespace insanity {
+namespace mozilla { namespace pkix {
 
 #ifdef _MSC_VER
 
 using std::bind;
 using std::ref;
 using std::cref;
 using std::placeholders::_1;
 
@@ -87,11 +87,11 @@ template <typename R, typename P1, typen
 inline internal::Bind2<R, P1, B1, B2>
 bind(R (*f)(P1&, B1&, B2&), Placeholder1 &, B1 & b1, B2 & b2)
 {
   return internal::Bind2<R, P1, B1, B2>(f, b1, b2);
 }
 
 #endif // _MSC_VER
 
-} // namespace insanity
+} } // namespace mozilla::pkix
 
-#endif // insanity_pkix__bind_h
+#endif // mozilla_pkix__bind_h
rename from security/insanity/include/insanity/nullptr.h
rename to security/pkix/include/pkix/nullptr.h
--- a/security/insanity/include/insanity/nullptr.h
+++ b/security/pkix/include/pkix/nullptr.h
@@ -10,19 +10,19 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#ifndef insanity_pkix__nullptr_h
-#define insanity_pkix__nullptr_h
+#ifndef mozilla_pkix__nullptr_h
+#define mozilla_pkix__nullptr_h
 
 // GCC does not understand nullptr until 4.6
 #if defined(__GNUC__) && !defined(__clang__)
 #if __GNUC__ * 100 + __GNUC_MINOR__ < 406
 #define nullptr __null
 #endif
 #endif
 
-#endif // insanity_pkix__nullptr_h
+#endif // mozilla_pkix__nullptr_h
rename from security/insanity/include/insanity/pkix.h
rename to security/pkix/include/pkix/pkix.h
--- a/security/insanity/include/insanity/pkix.h
+++ b/security/pkix/include/pkix/pkix.h
@@ -10,23 +10,23 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#ifndef insanity_pkix__pkix_h
-#define insanity_pkix__pkix_h
+#ifndef mozilla_pkix__pkix_h
+#define mozilla_pkix__pkix_h
 
 #include "pkixtypes.h"
 #include "prtime.h"
 
-namespace insanity { namespace pkix {
+namespace mozilla { namespace pkix {
 
 // ----------------------------------------------------------------------------
 // LIMITED SUPPORT FOR CERTIFICATE POLICIES
 //
 // If SEC_OID_X509_ANY_POLICY is passed as the value of the requiredPolicy
 // parameter then all policy validation will be skipped. Otherwise, path
 // building and validation will be done for the given policy.
 //
@@ -113,11 +113,11 @@ SECItem* CreateEncodedOCSPRequest(PLAren
 SECStatus VerifyEncodedOCSPResponse(TrustDomain& trustDomain,
                                     const CERTCertificate* cert,
                                     CERTCertificate* issuerCert,
                                     PRTime time,
                                     const SECItem* encodedResponse,
                  /* optional out */ PRTime* thisUpdate,
                  /* optional out */ PRTime* validThrough);
 
-} } // namespace insanity::pkix
+} } // namespace mozilla::pkix
 
-#endif // insanity_pkix__pkix_h
+#endif // mozilla_pkix__pkix_h
rename from security/insanity/include/insanity/pkixtypes.h
rename to security/pkix/include/pkix/pkixtypes.h
--- a/security/insanity/include/insanity/pkixtypes.h
+++ b/security/pkix/include/pkix/pkixtypes.h
@@ -10,25 +10,25 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#ifndef insanity_pkix__pkixtypes_h
-#define insanity_pkix__pkixtypes_h
+#ifndef mozilla_pkix__pkixtypes_h
+#define mozilla_pkix__pkixtypes_h
 
-#include "insanity/ScopedPtr.h"
+#include "pkix/ScopedPtr.h"
 #include "plarena.h"
 #include "cert.h"
 #include "keyhi.h"
 
-namespace insanity { namespace pkix {
+namespace mozilla { namespace pkix {
 
 typedef ScopedPtr<PLArenaPool, PL_FreeArenaPool> ScopedPLArenaPool;
 
 typedef ScopedPtr<CERTCertificate, CERT_DestroyCertificate>
         ScopedCERTCertificate;
 typedef ScopedPtr<CERTCertList, CERT_DestroyCertList> ScopedCERTCertList;
 typedef ScopedPtr<SECKEYPublicKey, SECKEY_DestroyPublicKey>
         ScopedSECKEYPublicKey;
@@ -83,17 +83,17 @@ public:
                                  /*out*/ ScopedCERTCertList& results) = 0;
 
   // Verify the given signature using the public key of the given certificate.
   // The implementation should be careful to ensure that the given certificate
   // has all the public key information needed--i.e. it should ensure that the
   // certificate is not trying to use EC(DSA) parameter inheritance.
   //
   // Most implementations of this function should probably forward the call
-  // directly to insanity::pkix::VerifySignedData.
+  // directly to mozilla::pkix::VerifySignedData.
   virtual SECStatus VerifySignedData(const CERTSignedData* signedData,
                                      const CERTCertificate* cert) = 0;
 
   // issuerCertToDup is only non-const so CERT_DupCertificate can be called on
   // it.
   virtual SECStatus CheckRevocation(EndEntityOrCA endEntityOrCA,
                                     const CERTCertificate* cert,
                           /*const*/ CERTCertificate* issuerCertToDup,
@@ -103,11 +103,11 @@ public:
 protected:
   TrustDomain() { }
 
 private:
   TrustDomain(const TrustDomain&) /* = delete */;
   void operator=(const TrustDomain&) /* = delete */;
 };
 
-} } // namespace insanity::pkix
+} } // namespace mozilla::pkix
 
-#endif // insanity_pkix__pkixtypes_h
+#endif // mozilla_pkix__pkixtypes_h
rename from security/insanity/lib/pkixbind.cpp
rename to security/pkix/lib/pkixbind.cpp
--- a/security/insanity/lib/pkixbind.cpp
+++ b/security/pkix/lib/pkixbind.cpp
@@ -12,17 +12,17 @@
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
 #ifndef _MSC_VER
 
-#include "insanity/bind.h"
+#include "pkix/bind.h"
 
-namespace insanity {
+namespace mozilla { namespace pkix {
 
 Placeholder1 _1;
-  
-} // namespace insanity
+
+} } // namespace mozilla::pkix
 
 #endif // _MSC_VER
rename from security/insanity/lib/pkixbuild.cpp
rename to security/pkix/lib/pkixbuild.cpp
--- a/security/insanity/lib/pkixbuild.cpp
+++ b/security/pkix/lib/pkixbuild.cpp
@@ -10,24 +10,24 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#include "insanity/pkix.h"
+#include "pkix/pkix.h"
 
 #include <limits>
 
 #include "pkixcheck.h"
 #include "pkixder.h"
 
-namespace insanity { namespace pkix {
+namespace mozilla { namespace pkix {
 
 // We assume ext has been zero-initialized by its constructor and otherwise
 // not modified.
 //
 // TODO(perf): This sorting of extensions should be be moved into the
 // certificate decoder so that the results are cached with the certificate, so
 // that the decoding doesn't have to happen more than once per cert.
 Result
@@ -167,17 +167,17 @@ BuildForwardInner(TrustDomain& trustDoma
   return Success;
 }
 
 // Recursively build the path from the given subject certificate to the root.
 //
 // Be very careful about changing the order of checks. The order is significant
 // because it affects which error we return when a certificate or certificate
 // chain has multiple problems. See the error ranking documentation in
-// insanity/pkix.h.
+// pkix/pkix.h.
 static Result
 BuildForward(TrustDomain& trustDomain,
              BackCert& subject,
              PRTime time,
              EndEntityOrCA endEntityOrCA,
              KeyUsages requiredKeyUsagesIfPresent,
              SECOidTag requiredEKUIfPresent,
              SECOidTag requiredPolicy,
@@ -358,9 +358,9 @@ BackCert::PrependNSSCertToList(CERTCertL
   if (CERT_AddCertToListHead(results, dup) != SECSuccess) { // takes ownership
     CERT_DestroyCertificate(dup);
     return FatalError;
   }
 
   return Success;
 }
 
-} } // namespace insanity::pkix
+} } // namespace mozilla::pkix
rename from security/insanity/lib/pkixcheck.cpp
rename to security/pkix/lib/pkixcheck.cpp
--- a/security/insanity/lib/pkixcheck.cpp
+++ b/security/pkix/lib/pkixcheck.cpp
@@ -10,23 +10,23 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#include "insanity/pkix.h"
+#include "pkix/pkix.h"
 #include "pkixcheck.h"
 #include "pkixder.h"
 #include "pkixutil.h"
 #include "secder.h"
 
-namespace insanity { namespace pkix {
+namespace mozilla { namespace pkix {
 
 Result
 CheckTimes(const CERTCertificate* cert, PRTime time)
 {
   PR_ASSERT(cert);
 
   SECCertTimeValidity validity = CERT_CheckCertValidTimes(cert, time, false);
   if (validity != secCertTimeValid) {
@@ -474,9 +474,9 @@ CheckIssuerIndependentProperties(TrustDo
   rv = CheckTimes(cert.GetNSSCert(), time);
   if (rv != Success) {
     return rv;
   }
 
   return Success;
 }
 
-} } // namespace insanity::pkix
+} } // namespace mozilla::pkix
rename from security/insanity/lib/pkixcheck.h
rename to security/pkix/lib/pkixcheck.h
--- a/security/insanity/lib/pkixcheck.h
+++ b/security/pkix/lib/pkixcheck.h
@@ -10,32 +10,32 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#ifndef insanity__pkixcheck_h
-#define insanity__pkixcheck_h
+#ifndef mozilla_pkix__pkixcheck_h
+#define mozilla_pkix__pkixcheck_h
 
 #include "pkixutil.h"
 #include "certt.h"
 
-namespace insanity { namespace pkix {
+namespace mozilla { namespace pkix {
 
 Result CheckIssuerIndependentProperties(
           TrustDomain& trustDomain,
           BackCert& cert,
           PRTime time,
           EndEntityOrCA endEntityOrCA,
           KeyUsages requiredKeyUsagesIfPresent,
           SECOidTag requiredEKUIfPresent,
           SECOidTag requiredPolicy,
           unsigned int subCACount,
           /*optional out*/ TrustDomain::TrustLevel* trustLevel = nullptr);
 
 Result CheckNameConstraints(BackCert& cert);
 
-} } // namespace insanity::pkix
+} } // namespace mozilla::pkix
 
-#endif // insanity__pkixcheck_h
+#endif // mozilla_pkix__pkixcheck_h
rename from security/insanity/lib/pkixder.cpp
rename to security/pkix/lib/pkixder.cpp
--- a/security/insanity/lib/pkixder.cpp
+++ b/security/pkix/lib/pkixder.cpp
@@ -12,17 +12,17 @@
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
 #include "pkixder.h"
 
-namespace insanity { namespace der {
+namespace mozilla { namespace pkix { namespace der {
 
 // not inline
 Result
 Fail(PRErrorCode errorCode)
 {
   PR_SetError(errorCode, 0);
   return Failure;
 }
@@ -73,9 +73,9 @@ ExpectTagAndGetLength(Input& input, uint
   } else {
     // We don't support lengths larger than 2^16 - 1.
     return Fail(SEC_ERROR_BAD_DER);
   }
 
   return Success;
 }
 
-} } // namespace insanity::der
+} } } // namespace mozilla::pkix::der
rename from security/insanity/lib/pkixder.h
rename to security/pkix/lib/pkixder.h
--- a/security/insanity/lib/pkixder.h
+++ b/security/pkix/lib/pkixder.h
@@ -10,29 +10,29 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#ifndef insanity_pkix__pkixder_h
-#define insanity_pkix__pkixder_h
+#ifndef mozilla_pkix__pkixder_h
+#define mozilla_pkix__pkixder_h
 
-#include "insanity/nullptr.h"
+#include "pkix/nullptr.h"
 
 #include "prerror.h"
 #include "prlog.h"
 #include "secder.h"
 #include "secerr.h"
 #include "secoidt.h"
 #include "stdint.h"
 
-namespace insanity { namespace der {
+namespace mozilla { namespace pkix { namespace der {
 
 enum Class
 {
    UNIVERSAL = 0 << 6,
 // APPLICATION = 1 << 6, // unused
    CONTEXT_SPECIFIC = 2 << 6,
 // PRIVATE = 3 << 6 // unused
 };
@@ -514,11 +514,11 @@ OptionalVersion(Input& input, /*out*/ ui
     return Failure;
   }
   if (version & 0x80) { // negative
     return Fail(SEC_ERROR_BAD_DER);
   }
   return Success;
 }
 
-} } // namespace insanity::der
+} } } // namespace mozilla::pkix::der
 
-#endif // insanity_pkix__pkixder_h
+#endif // mozilla_pkix__pkixder_h
rename from security/insanity/lib/pkixkey.cpp
rename to security/pkix/lib/pkixkey.cpp
--- a/security/insanity/lib/pkixkey.cpp
+++ b/security/pkix/lib/pkixkey.cpp
@@ -10,27 +10,27 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#include "insanity/pkix.h"
+#include "pkix/pkix.h"
 
 #include <limits>
 #include <stdint.h>
 
 #include "cert.h"
 #include "cryptohi.h"
 #include "prerror.h"
 #include "secerr.h"
 
-namespace insanity { namespace pkix {
+namespace mozilla { namespace pkix {
 
 SECStatus
 VerifySignedData(const CERTSignedData* sd, const CERTCertificate* cert,
                  void* pkcs11PinArg)
 {
   if (!sd || !sd->data.data || !sd->signatureAlgorithm.algorithm.data ||
       !sd->signature.data || !cert) {
     PR_NOT_REACHED("invalid args to VerifySignedData");
@@ -81,9 +81,9 @@ VerifySignedData(const CERTSignedData* s
   if ((policy & requiredPolicy) != requiredPolicy) {
     PR_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED, 0);
     return SECFailure;
   }
 
   return SECSuccess;
 }
 
-} } // namespace insanity::pkix
+} } // namespace mozilla::pkix
rename from security/insanity/lib/pkixocsp.cpp
rename to security/pkix/lib/pkixocsp.cpp
--- a/security/insanity/lib/pkixocsp.cpp
+++ b/security/pkix/lib/pkixocsp.cpp
@@ -12,18 +12,18 @@
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
 #include <limits>
 
-#include "insanity/bind.h"
-#include "insanity/pkix.h"
+#include "pkix/bind.h"
+#include "pkix/pkix.h"
 #include "pkixcheck.h"
 #include "pkixder.h"
 
 #include "hasht.h"
 #include "pk11pub.h"
 #include "secder.h"
 
 #ifdef _MSC_VER
@@ -31,17 +31,17 @@
 #define ENUM_CLASS  __pragma(warning(disable: 4480)) enum
 #else
 #define ENUM_CLASS enum class
 #endif
 
 // TODO: use typed/qualified typedefs everywhere?
 // TODO: When should we return SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE?
 
-namespace insanity { namespace pkix {
+namespace mozilla { namespace pkix {
 
 static const PRTime ONE_DAY
   = INT64_C(24) * INT64_C(60) * INT64_C(60) * PR_USEC_PER_SEC;
 static const PRTime SLOP = ONE_DAY;
 
 // These values correspond to the tag values in the ASN.1 CertStatus
 ENUM_CLASS CertStatus : uint8_t {
   Good = der::CONTEXT_SPECIFIC | 0,
@@ -988,9 +988,9 @@ CreateEncodedOCSPRequest(PLArenaPool* ar
     *d++ = cert->serialNumber.data[i];
   }
 
   PR_ASSERT(d == encodedRequest->data + totalLen);
 
   return encodedRequest;
 }
 
-} } // namespace insanity::pkix
+} } // namespace mozilla::pkix
rename from security/insanity/lib/pkixutil.h
rename to security/pkix/lib/pkixutil.h
--- a/security/insanity/lib/pkixutil.h
+++ b/security/pkix/lib/pkixutil.h
@@ -10,25 +10,25 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#ifndef insanity_pkix__pkixutil_h
-#define insanity_pkix__pkixutil_h
+#ifndef mozilla_pkix__pkixutil_h
+#define mozilla_pkix__pkixutil_h
 
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "prerror.h"
 #include "seccomon.h"
 #include "secerr.h"
 
-namespace insanity { namespace pkix {
+namespace mozilla { namespace pkix {
 
 enum Result
 {
   Success = 0,
   FatalError = -1,      // An error was encountered that caused path building
                         // to stop immediately. example: out-of-memory.
   RecoverableError = -2 // an error that will cause path building to continue
                         // searching for alternative paths. example: expired
@@ -136,11 +136,11 @@ private:
   ScopedPLArenaPool arena;
   CERTGeneralName* constrainedNames;
   ConstrainedNameOptions cnOptions;
 
   BackCert(const BackCert&) /* = delete */;
   void operator=(const BackCert&); /* = delete */;
 };
 
-} } // namespace insanity::pkix
+} } // namespace mozilla::pkix
 
-#endif // insanity_pkix__pkixutil_h
+#endif // mozilla_pkix__pkixutil_h
rename from security/insanity/moz.build
rename to security/pkix/moz.build
--- a/security/insanity/moz.build
+++ b/security/pkix/moz.build
@@ -18,11 +18,11 @@ LOCAL_INCLUDES += [
 ]
 
 DIRS += [
     'test/lib',
 ]
 
 FAIL_ON_WARNINGS = True
 
-LIBRARY_NAME = 'insanitypkix'
+LIBRARY_NAME = 'mozillapkix'
 
 FINAL_LIBRARY = 'xul'
rename from security/insanity/test/lib/moz.build
rename to security/pkix/test/lib/moz.build
rename from security/insanity/test/lib/pkixtestutil.cpp
rename to security/pkix/test/lib/pkixtestutil.cpp
--- a/security/insanity/test/lib/pkixtestutil.cpp
+++ b/security/pkix/test/lib/pkixtestutil.cpp
@@ -20,17 +20,17 @@
 #include "pkixtestutil.h"
 
 #include "cryptohi.h"
 #include "hasht.h"
 #include "pk11pub.h"
 #include "prinit.h"
 #include "secder.h"
 
-namespace insanity { namespace test {
+namespace mozilla { namespace pkix { namespace test {
 
 class Output
 {
 public:
   Output()
     : numItems(0)
     , length(0)
   {
@@ -627,9 +627,9 @@ CertStatus(OCSPResponseContext& context)
     }
     default:
       PR_NOT_REACHED("CertStatus: bad context.certStatus");
       PR_Abort();
   }
   return nullptr;
 }
 
-} } // namespace insanity::test
+} } } // namespace mozilla::pkix::test
rename from security/insanity/test/lib/pkixtestutil.h
rename to security/pkix/test/lib/pkixtestutil.h
--- a/security/insanity/test/lib/pkixtestutil.h
+++ b/security/pkix/test/lib/pkixtestutil.h
@@ -10,24 +10,24 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#ifndef insanity_test__pkixtestutils_h
-#define insanity_test__pkixtestutils_h
+#ifndef mozilla_pkix_test__pkixtestutils_h
+#define mozilla_pkix_test__pkixtestutils_h
 
-#include "insanity/ScopedPtr.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/ScopedPtr.h"
+#include "pkix/pkixtypes.h"
 #include "seccomon.h"
 
-namespace insanity { namespace test {
+namespace mozilla { namespace pkix { namespace test {
 
 class OCSPResponseContext
 {
 public:
   OCSPResponseContext(PLArenaPool* arena, CERTCertificate* cert, PRTime time);
 
   PLArenaPool* arena;
   // TODO(bug 980538): add a way to specify what certificates are included.
@@ -57,11 +57,11 @@ public:
 
 // The return value, if non-null, is owned by the arena in the context
 // and MUST NOT be freed.
 // This function does its best to respect the NSPR error code convention
 // (that is, if it returns null, calling PR_GetError() will return the
 // error of the failed operation). However, this is not guaranteed.
 SECItem* CreateEncodedOCSPResponse(OCSPResponseContext& context);
 
-} } // namespace insanity::test
+} } } // namespace mozilla::pkix::test
 
-#endif // insanity_test__pkixtestutils_h
+#endif // mozilla_pkix_test__pkixtestutils_h
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@@ -4249,23 +4249,23 @@
   "SSL_SUCCESFUL_CERT_VALIDATION_TIME_CLASSIC": {
     "expires_in_version": "never",
     "kind": "exponential",
     "high": "60000",
     "n_buckets": 50,
     "extended_statistics_ok": true,
     "description": "Time spent on a successful cert  verification in classic mode (ms)"
   },
-  "SSL_SUCCESFUL_CERT_VALIDATION_TIME_INSANITY" : {
+  "SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX" : {
     "expires_in_version": "never",
     "kind": "exponential",
     "high": "60000",
     "n_buckets": 50,
     "extended_statistics_ok": true,
-    "description": "Time spent on a successful cert verification in insanity mode (ms)"
+    "description": "Time spent on a successful cert verification in mozilla::pkix mode (ms)"
   },
   "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_LIBPKIX" : {
     "expires_in_version": "never",
     "kind": "exponential",
     "high": "60000",
     "n_buckets": 50,
     "extended_statistics_ok": true,
     "description": "Time spent on an initially failed cert verification in libpix mode (ms)"
@@ -4273,23 +4273,23 @@
   "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_CLASSIC": {
     "expires_in_version": "never",
     "kind": "exponential",
     "high": "60000",
     "n_buckets": 50,
     "extended_statistics_ok": true,
     "description": "Time spent on an initially failed cert  verification in classic mode (ms)"
   },
-  "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_INSANITY" : {
+  "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX" : {
     "expires_in_version": "never",
     "kind": "exponential",
     "high": "60000",
     "n_buckets": 50,
     "extended_statistics_ok": true,
-    "description": "Time spent on an initially failed cert verification in insanity mode (ms)"
+    "description": "Time spent on an initially failed cert verification in mozilla::pkix mode (ms)"
   },
   "HEALTHREPORT_DB_OPEN_FIRSTRUN_MS": {
     "expires_in_version": "never",
     "kind": "exponential",
     "high": "20000",
     "n_buckets": 15,
     "description": "Time (ms) spent to open Firefox Health Report's database the first time, including schema setup."
   },