Bug 669061, Upgrade to NSS 3.13, starting with NSS_3_13_BETA1, r=wtc
authorKai Engert <kaie@kuix.de>
Fri, 19 Aug 2011 17:27:10 +0200
changeset 75563 33000157292b4cef2533a8769a49cd7d1e86d64d
parent 75562 79399ce1a1fbd1f10e22f9328d2af72b7cb0dcff
child 75564 be9c15f7dd336427a760a05a0d292f6b6646ba92
push id21040
push userbmo@edmorley.co.uk
push dateSun, 21 Aug 2011 18:16:59 +0000
treeherdermozilla-central@482742e6fff7 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerswtc
bugs669061
milestone9.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 669061, Upgrade to NSS 3.13, starting with NSS_3_13_BETA1, r=wtc
security/coreconf/Darwin.mk
security/coreconf/Linux.mk
security/coreconf/WIN32.mk
security/coreconf/coreconf.dep
security/nss/TAG-INFO
security/nss/cmd/addbuiltin/addbuiltin.c
security/nss/cmd/bltest/blapitest.c
security/nss/cmd/bltest/tests/sha224/ciphertext0
security/nss/cmd/bltest/tests/sha224/ciphertext1
security/nss/cmd/bltest/tests/sha224/numtests
security/nss/cmd/bltest/tests/sha224/plaintext0
security/nss/cmd/bltest/tests/sha224/plaintext1
security/nss/cmd/certutil/certutil.c
security/nss/cmd/chktest/Makefile
security/nss/cmd/chktest/chktest.c
security/nss/cmd/chktest/manifest.mn
security/nss/cmd/lib/Makefile
security/nss/cmd/lib/NSPRerrs.h
security/nss/cmd/lib/SECerrs.h
security/nss/cmd/lib/SSLerrs.h
security/nss/cmd/lib/manifest.mn
security/nss/cmd/lib/pk11table.c
security/nss/cmd/lib/secerror.c
security/nss/cmd/lib/secutil.c
security/nss/cmd/lib/secutil.h
security/nss/cmd/manifest.mn
security/nss/cmd/modutil/install.c
security/nss/cmd/modutil/instsec.c
security/nss/cmd/pk11mode/pk11mode.c
security/nss/cmd/pk12util/pk12util.c
security/nss/cmd/pp/pp.c
security/nss/cmd/ppcertdata/Makefile
security/nss/cmd/ppcertdata/manifest.mn
security/nss/cmd/ppcertdata/ppcertdata.c
security/nss/cmd/selfserv/selfserv.c
security/nss/cmd/shlibsign/manifest.mn
security/nss/cmd/shlibsign/shlibsign.c
security/nss/cmd/signtool/sign.c
security/nss/cmd/signtool/util.c
security/nss/cmd/signtool/verify.c
security/nss/cmd/signver/signver.c
security/nss/cmd/strsclnt/strsclnt.c
security/nss/cmd/symkeyutil/symkey.man
security/nss/cmd/tests/encodeinttest.c
security/nss/cmd/tests/manifest.mn
security/nss/cmd/tstclnt/tstclnt.c
security/nss/cmd/vfychain/vfychain.c
security/nss/lib/certdb/alg1485.c
security/nss/lib/certdb/cert.h
security/nss/lib/certdb/certdb.c
security/nss/lib/certdb/certdb.h
security/nss/lib/certdb/certi.h
security/nss/lib/certdb/certt.h
security/nss/lib/certdb/crl.c
security/nss/lib/certdb/genname.c
security/nss/lib/certdb/manifest.mn
security/nss/lib/certhigh/certhtml.c
security/nss/lib/certhigh/certvfy.c
security/nss/lib/certhigh/manifest.mn
security/nss/lib/certhigh/ocsp.c
security/nss/lib/certhigh/ocsp.h
security/nss/lib/ckfw/builtins/certdata.c
security/nss/lib/ckfw/builtins/certdata.txt
security/nss/lib/ckfw/capi/cfind.c
security/nss/lib/ckfw/capi/ckcapi.h
security/nss/lib/ckfw/capi/cobject.c
security/nss/lib/ckfw/capi/crsa.c
security/nss/lib/ckfw/hash.c
security/nss/lib/ckfw/session.c
security/nss/lib/crmf/cmmf.h
security/nss/lib/crmf/crmf.h
security/nss/lib/crmf/crmffut.h
security/nss/lib/crmf/crmfi.h
security/nss/lib/cryptohi/cryptohi.h
security/nss/lib/cryptohi/keyhi.h
security/nss/lib/cryptohi/keythi.h
security/nss/lib/cryptohi/manifest.mn
security/nss/lib/cryptohi/sechash.c
security/nss/lib/cryptohi/seckey.c
security/nss/lib/cryptohi/secsign.c
security/nss/lib/dev/ckhelper.c
security/nss/lib/dev/devt.h
security/nss/lib/dev/devtoken.c
security/nss/lib/freebl/Makefile
security/nss/lib/freebl/blapi.h
security/nss/lib/freebl/blapii.h
security/nss/lib/freebl/blapit.h
security/nss/lib/freebl/camellia.c
security/nss/lib/freebl/des.c
security/nss/lib/freebl/dh.c
security/nss/lib/freebl/dsa.c
security/nss/lib/freebl/ec.c
security/nss/lib/freebl/ecl/ecp_mont.c
security/nss/lib/freebl/hasht.h
security/nss/lib/freebl/ldvector.c
security/nss/lib/freebl/loader.c
security/nss/lib/freebl/loader.h
security/nss/lib/freebl/manifest.mn
security/nss/lib/freebl/mgf1.c
security/nss/lib/freebl/mpi/Makefile
security/nss/lib/freebl/mpi/README
security/nss/lib/freebl/mpi/hpma512.s
security/nss/lib/freebl/mpi/hppa20.s
security/nss/lib/freebl/mpi/make-logtab
security/nss/lib/freebl/mpi/make-test-arrays
security/nss/lib/freebl/mpi/mpi-config.h
security/nss/lib/freebl/mpi/mpi-priv.h
security/nss/lib/freebl/mpi/mpi.c
security/nss/lib/freebl/mpi/mpi.h
security/nss/lib/freebl/mpi/mpi_arm.c
security/nss/lib/freebl/mpi/mpmontg.c
security/nss/lib/freebl/mpi/target.mk
security/nss/lib/freebl/mpi/utils/primegen.c
security/nss/lib/freebl/mpi/utils/ptab.pl
security/nss/lib/freebl/nsslowhash.c
security/nss/lib/freebl/rawhash.c
security/nss/lib/freebl/ret_cr16.s
security/nss/lib/freebl/rijndael.c
security/nss/lib/freebl/rsa.c
security/nss/lib/freebl/secmpi.h
security/nss/lib/freebl/sha512.c
security/nss/lib/freebl/sha_fast.h
security/nss/lib/freebl/shvfy.c
security/nss/lib/freebl/stubs.c
security/nss/lib/freebl/stubs.h
security/nss/lib/freebl/tlsprfalg.c
security/nss/lib/jar/config.mk
security/nss/lib/jar/jarver.c
security/nss/lib/jar/manifest.mn
security/nss/lib/libpkix/pkix/certsel/manifest.mn
security/nss/lib/libpkix/pkix/checker/manifest.mn
security/nss/lib/libpkix/pkix/crlsel/manifest.mn
security/nss/lib/libpkix/pkix/params/manifest.mn
security/nss/lib/libpkix/pkix/results/manifest.mn
security/nss/lib/libpkix/pkix/store/manifest.mn
security/nss/lib/libpkix/pkix/top/manifest.mn
security/nss/lib/libpkix/pkix/util/manifest.mn
security/nss/lib/libpkix/pkix_pl_nss/module/manifest.mn
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c
security/nss/lib/libpkix/pkix_pl_nss/pki/manifest.mn
security/nss/lib/libpkix/pkix_pl_nss/system/manifest.mn
security/nss/lib/nss/manifest.mn
security/nss/lib/nss/nss.def
security/nss/lib/nss/nss.h
security/nss/lib/nss/nssinit.c
security/nss/lib/pk11wrap/debug_module.c
security/nss/lib/pk11wrap/dev3hack.c
security/nss/lib/pk11wrap/manifest.mn
security/nss/lib/pk11wrap/pk11akey.c
security/nss/lib/pk11wrap/pk11cert.c
security/nss/lib/pk11wrap/pk11err.c
security/nss/lib/pk11wrap/pk11load.c
security/nss/lib/pk11wrap/pk11mech.c
security/nss/lib/pk11wrap/pk11merge.c
security/nss/lib/pk11wrap/pk11nobj.c
security/nss/lib/pk11wrap/pk11obj.c
security/nss/lib/pk11wrap/pk11pbe.c
security/nss/lib/pk11wrap/pk11pk12.c
security/nss/lib/pk11wrap/pk11pub.h
security/nss/lib/pk11wrap/pk11skey.c
security/nss/lib/pkcs12/manifest.mn
security/nss/lib/pkcs12/p12.h
security/nss/lib/pkcs12/p12d.c
security/nss/lib/pkcs7/manifest.mn
security/nss/lib/pki/certificate.c
security/nss/lib/pki/pki3hack.c
security/nss/lib/pki/pki3hack.h
security/nss/lib/pki/pkistore.c
security/nss/lib/smime/cms.h
security/nss/lib/smime/cmsasn1.c
security/nss/lib/smime/cmscinfo.c
security/nss/lib/smime/cmsdecode.c
security/nss/lib/smime/cmsdigdata.c
security/nss/lib/smime/cmsencdata.c
security/nss/lib/smime/cmsencode.c
security/nss/lib/smime/cmsenvdata.c
security/nss/lib/smime/cmslocal.h
security/nss/lib/smime/cmsmessage.c
security/nss/lib/smime/cmssigdata.c
security/nss/lib/smime/cmssiginfo.c
security/nss/lib/smime/cmst.h
security/nss/lib/smime/cmsudf.c
security/nss/lib/smime/cmsutil.c
security/nss/lib/smime/manifest.mn
security/nss/lib/smime/smime.def
security/nss/lib/smime/smime.h
security/nss/lib/smime/smimeutil.c
security/nss/lib/softoken/fipstest.c
security/nss/lib/softoken/legacydb/keydb.c
security/nss/lib/softoken/legacydb/lgattr.c
security/nss/lib/softoken/legacydb/lgcreate.c
security/nss/lib/softoken/legacydb/lgdb.h
security/nss/lib/softoken/legacydb/lgfind.c
security/nss/lib/softoken/legacydb/lginit.c
security/nss/lib/softoken/legacydb/lowcert.c
security/nss/lib/softoken/legacydb/lowkey.c
security/nss/lib/softoken/legacydb/lowkeyi.h
security/nss/lib/softoken/legacydb/lowkeyti.h
security/nss/lib/softoken/legacydb/manifest.mn
security/nss/lib/softoken/legacydb/pcertdb.c
security/nss/lib/softoken/legacydb/pcertt.h
security/nss/lib/softoken/legacydb/pk11db.c
security/nss/lib/softoken/lowpbe.c
security/nss/lib/softoken/manifest.mn
security/nss/lib/softoken/pk11pars.h
security/nss/lib/softoken/pkcs11.c
security/nss/lib/softoken/pkcs11c.c
security/nss/lib/softoken/pkcs11i.h
security/nss/lib/softoken/rsawrapr.c
security/nss/lib/softoken/sftkdb.c
security/nss/lib/softoken/sftkmod.c
security/nss/lib/softoken/sftkpwd.c
security/nss/lib/softoken/softkver.h
security/nss/lib/softoken/softoken.h
security/nss/lib/ssl/SSLerrs.h
security/nss/lib/ssl/derive.c
security/nss/lib/ssl/manifest.mn
security/nss/lib/ssl/notes.txt
security/nss/lib/ssl/ssl.def
security/nss/lib/ssl/ssl.h
security/nss/lib/ssl/ssl3con.c
security/nss/lib/ssl/ssl3ext.c
security/nss/lib/ssl/ssl3gthr.c
security/nss/lib/ssl/sslauth.c
security/nss/lib/ssl/sslcon.c
security/nss/lib/ssl/sslerr.h
security/nss/lib/ssl/sslerrstrs.c
security/nss/lib/ssl/sslerrstrs.h
security/nss/lib/ssl/sslimpl.h
security/nss/lib/ssl/sslinfo.c
security/nss/lib/ssl/sslinit.c
security/nss/lib/ssl/sslnonce.c
security/nss/lib/ssl/sslreveal.c
security/nss/lib/ssl/sslsecur.c
security/nss/lib/ssl/sslsnce.c
security/nss/lib/ssl/sslsock.c
security/nss/lib/ssl/sslutil.h
security/nss/lib/util/SECerrs.h
security/nss/lib/util/errstrs.c
security/nss/lib/util/errstrs.h
security/nss/lib/util/manifest.mn
security/nss/lib/util/nssb64d.c
security/nss/lib/util/nssutil.def
security/nss/lib/util/nssutil.h
security/nss/lib/util/pkcs11n.h
security/nss/lib/util/quickder.c
security/nss/lib/util/secasn1e.c
security/nss/lib/util/secdig.c
security/nss/lib/util/secitem.c
security/nss/lib/util/secoid.c
security/nss/lib/util/secoidt.h
security/nss/lib/zlib/Makefile
security/nss/lib/zlib/README
security/nss/lib/zlib/README.nss
security/nss/lib/zlib/adler32.c
security/nss/lib/zlib/compress.c
security/nss/lib/zlib/crc32.c
security/nss/lib/zlib/deflate.c
security/nss/lib/zlib/deflate.h
security/nss/lib/zlib/example.c
security/nss/lib/zlib/gzclose.c
security/nss/lib/zlib/gzguts.h
security/nss/lib/zlib/gzio.c
security/nss/lib/zlib/gzlib.c
security/nss/lib/zlib/gzread.c
security/nss/lib/zlib/gzwrite.c
security/nss/lib/zlib/infback.c
security/nss/lib/zlib/inffast.c
security/nss/lib/zlib/inffast.h
security/nss/lib/zlib/inflate.c
security/nss/lib/zlib/inflate.h
security/nss/lib/zlib/inftrees.c
security/nss/lib/zlib/inftrees.h
security/nss/lib/zlib/manifest.mn
security/nss/lib/zlib/minigzip.c
security/nss/lib/zlib/patches/msvc-vsnprintf.patch
security/nss/lib/zlib/patches/prune-zlib.sh
security/nss/lib/zlib/trees.c
security/nss/lib/zlib/trees.h
security/nss/lib/zlib/uncompr.c
security/nss/lib/zlib/zconf.h
security/nss/lib/zlib/zlib.h
security/nss/lib/zlib/zutil.c
security/nss/lib/zlib/zutil.h
security/nss/tests/cert/cert.sh
security/nss/tests/cipher/cipher.txt
security/nss/tests/pkcs11/netscape/suites/security/ssl/sslc.c
security/nss/tests/pkcs11/netscape/suites/security/ssl/sslt.c
--- a/security/coreconf/Darwin.mk
+++ b/security/coreconf/Darwin.mk
@@ -32,34 +32,36 @@
 # and other provisions required by the GPL or the LGPL. If you do not delete
 # the provisions above, a recipient may use your version of this file under
 # the terms of any one of the MPL, the GPL or the LGPL.
 #
 # ***** END LICENSE BLOCK *****
 
 include $(CORE_DEPTH)/coreconf/UNIX.mk
 
-DEFAULT_COMPILER = cc
+DEFAULT_COMPILER = gcc
 
-CC		= cc
-CCC		= c++
+CC		= gcc
+CCC		= g++
 RANLIB		= ranlib
 
 ifndef CPU_ARCH
 # When cross-compiling, CPU_ARCH should already be defined as the target
 # architecture, set to powerpc or i386.
 CPU_ARCH	:= $(shell uname -p)
 endif
 
 ifeq (,$(filter-out i%86,$(CPU_ARCH)))
 ifdef USE_64
 CC              += -arch x86_64
+override CPU_ARCH	= x86_64
 else
 OS_REL_CFLAGS	= -Di386
 CC              += -arch i386
+override CPU_ARCH	= x86
 endif
 else
 OS_REL_CFLAGS	= -Dppc
 CC              += -arch ppc
 endif
 
 ifneq (,$(MACOS_SDK_DIR))
     GCC_VERSION_FULL := $(shell $(CC) -dumpversion)
@@ -102,17 +104,17 @@ endif
 # The meaning of a common is ambiguous.  It may be a true definition:
 #     int x = 0;
 # or it may be a declaration of a symbol defined in another file:
 #     extern int x;
 # Use the -fno-common option to force all commons to become true
 # definitions so that the linker can catch multiply-defined symbols.
 # Also, common symbols are not allowed with Darwin dynamic libraries.
 
-OS_CFLAGS	= $(DSO_CFLAGS) $(OS_REL_CFLAGS) -Wmost -fpascal-strings -fno-common -pipe -DDARWIN -DHAVE_STRERROR -DHAVE_BSD_FLOCK $(DARWIN_SDK_CFLAGS)
+OS_CFLAGS	= $(DSO_CFLAGS) $(OS_REL_CFLAGS) -Wall -fno-common -pipe -DDARWIN -DHAVE_STRERROR -DHAVE_BSD_FLOCK $(DARWIN_SDK_CFLAGS)
 
 ifdef BUILD_OPT
 ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE))
 	OPTIMIZER       = -Oz
 else
 	OPTIMIZER	= -O2
 endif
 ifdef MOZ_DEBUG_SYMBOLS
--- a/security/coreconf/Linux.mk
+++ b/security/coreconf/Linux.mk
@@ -197,13 +197,10 @@ MKSHLIB         = $(CC) $(DSO_LDOPTS) -W
 
 ifdef MAPFILE
 	MKSHLIB += -Wl,--version-script,$(MAPFILE)
 endif
 PROCESS_MAP_FILE = grep -v ';-' $< | \
         sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
 
 ifeq ($(OS_RELEASE),2.4)
-# Softoken 3.13 uses NO_FORK_CHECK only.
-# Softoken 3.12 uses NO_FORK_CHECK and NO_CHECK_FORK.
-# Don't use NO_CHECK_FORK in new code.
-DEFINES += -DNO_FORK_CHECK -DNO_CHECK_FORK
+DEFINES += -DNO_FORK_CHECK
 endif
--- a/security/coreconf/WIN32.mk
+++ b/security/coreconf/WIN32.mk
@@ -138,17 +138,18 @@ ifdef NS_USE_GCC
 	OPTIMIZER  += -g
 	NULLSTRING :=
 	SPACE      := $(NULLSTRING) # end of the line
 	USERNAME   := $(subst $(SPACE),_,$(USERNAME))
 	USERNAME   := $(subst -,_,$(USERNAME))
 	DEFINES    += -DDEBUG -D_DEBUG -UNDEBUG -DDEBUG_$(USERNAME)
     endif
 else # !NS_USE_GCC
-    OS_CFLAGS += -W3 -nologo -D_CRT_SECURE_NO_WARNINGS
+    OS_CFLAGS += -W3 -nologo -D_CRT_SECURE_NO_WARNINGS \
+		 -D_CRT_NONSTDC_NO_WARNINGS
     OS_DLLFLAGS += -nologo -DLL -SUBSYSTEM:WINDOWS
     ifeq ($(_MSC_VER),$(_MSC_VER_6))
     ifndef MOZ_DEBUG_SYMBOLS
 	OS_DLLFLAGS += -PDB:NONE
     endif
     endif
     ifdef USE_DYNAMICBASE
 	OS_DLLFLAGS += -DYNAMICBASE
--- a/security/coreconf/coreconf.dep
+++ b/security/coreconf/coreconf.dep
@@ -38,8 +38,9 @@
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
 
+
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_12_11_RTM
+NSS_3_13_BETA1
--- a/security/nss/cmd/addbuiltin/addbuiltin.c
+++ b/security/nss/cmd/addbuiltin/addbuiltin.c
@@ -32,17 +32,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * Tool for converting builtin CA certs.
  *
- * $Id: addbuiltin.c,v 1.14.68.1 2011/03/23 20:07:57 kaie%kuix.de Exp $
+ * $Id: addbuiltin.c,v 1.16 2011/04/13 00:10:21 rrelyea%redhat.com Exp $
  */
 
 #include "nssrenam.h"
 #include "nss.h"
 #include "cert.h"
 #include "certdb.h"
 #include "secutil.h"
 #include "pk11func.h"
@@ -63,32 +63,32 @@ void dumpbytes(unsigned char *buf, int l
     }
     printf("\n");
 }
 
 char *getTrustString(unsigned int trust)
 {
     if (trust & CERTDB_TRUSTED) {
 	if (trust & CERTDB_TRUSTED_CA) {
-		return "CKT_NETSCAPE_TRUSTED_DELEGATOR|CKT_NETSCAPE_TRUSTED";
+		return "CKT_NSS_TRUSTED_DELEGATOR";
 	} else {
-		return "CKT_NETSCAPE_TRUSTED";
+		return "CKT_NSS_TRUSTED";
 	}
     } else {
 	if (trust & CERTDB_TRUSTED_CA) {
-		return "CKT_NETSCAPE_TRUSTED_DELEGATOR";
+		return "CKT_NSS_TRUSTED_DELEGATOR";
 	} else if (trust & CERTDB_VALID_CA) {
-		return "CKT_NETSCAPE_VALID_DELEGATOR";
-	} else if (trust & CERTDB_VALID_PEER) {
-		return "CKT_NETSCAPE_VALID";
+		return "CKT_NSS_VALID_DELEGATOR";
+	} else if (trust & CERTDB_TERMINAL_RECORD) {
+		return "CKT_NSS_NOT_TRUSTED";
 	} else {
-		return "CKT_NETSCAPE_TRUST_UNKNOWN";
+		return "CKT_NSS_MUST_VERIFY_TRUST";
 	}
     }
-    return "CKT_NETSCAPE_TRUST_UNKNOWN"; /* not reached */
+    return "CKT_NSS_TRUST_UNKNOWN"; /* not reached */
 }
 
 static const SEC_ASN1Template serialTemplate[] = {
     { SEC_ASN1_INTEGER, offsetof(CERTCertificate,serialNumber) },
     { 0 }
 };
 
 static SECStatus
@@ -128,17 +128,17 @@ ConvertCertificate(SECItem *sdder, char 
     printf("END\n");
     printf("CKA_VALUE MULTILINE_OCTAL\n");
     dumpbytes(sdder->data,sdder->len);
     printf("END\n");
 
     PK11_HashBuf(SEC_OID_SHA1, sha1_hash, sdder->data, sdder->len);
     PK11_HashBuf(SEC_OID_MD5, md5_hash, sdder->data, sdder->len);
     printf("\n# Trust for Certificate \"%s\"\n",nickname);
-    printf("CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST\n");
+    printf("CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n");
     printf("CKA_TOKEN CK_BBOOL CK_TRUE\n");
     printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n");
     printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n");
     printf("CKA_LABEL UTF8 \"%s\"\n",nickname);
     printf("CKA_CERT_SHA1_HASH MULTILINE_OCTAL\n");
     dumpbytes(sha1_hash,SHA1_LENGTH);
     printf("END\n");
     printf("CKA_CERT_MD5_HASH MULTILINE_OCTAL\n");
@@ -154,23 +154,23 @@ ConvertCertificate(SECItem *sdder, char 
     
     printf("CKA_TRUST_SERVER_AUTH CK_TRUST %s\n",
 				 getTrustString(trust->sslFlags));
     printf("CKA_TRUST_EMAIL_PROTECTION CK_TRUST %s\n",
 				 getTrustString(trust->emailFlags));
     printf("CKA_TRUST_CODE_SIGNING CK_TRUST %s\n",
 				 getTrustString(trust->objectSigningFlags));
 #ifdef notdef
-    printf("CKA_TRUST_CLIENT_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED\n");*/
-    printf("CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
-    printf("CKA_TRUST_NON_REPUDIATION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
-    printf("CKA_TRUST_KEY_ENCIPHERMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
-    printf("CKA_TRUST_DATA_ENCIPHERMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
-    printf("CKA_TRUST_KEY_AGREEMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
-    printf("CKA_TRUST_KEY_CERT_SIGN CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_CLIENT_AUTH CK_TRUST CKT_NSS_TRUSTED\n");
+    printf("CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_NON_REPUDIATION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_KEY_ENCIPHERMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_DATA_ENCIPHERMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_KEY_AGREEMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_KEY_CERT_SIGN CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
 #endif
     printf("CKA_TRUST_STEP_UP_APPROVED CK_BBOOL %s\n",
                 trust->sslFlags & CERTDB_GOVT_APPROVED_CA ? 
                 "CK_TRUE" : "CK_FALSE");
 
 
     PORT_Free(sdder->data);
     return(rv);
@@ -210,17 +210,17 @@ void printheader() {
 "# use your version of this file under the terms of the MPL, indicate your\n"
 "# decision by deleting the provisions above and replace them with the notice\n"
 "# and other provisions required by the GPL or the LGPL. If you do not delete\n"
 "# the provisions above, a recipient may use your version of this file under\n"
 "# the terms of any one of the MPL, the GPL or the LGPL.\n"
 "#\n"
 "# ***** END LICENSE BLOCK *****\n"
      "#\n"
-     "CVS_ID \"@(#) $RCSfile: addbuiltin.c,v $ $Revision: 1.14.68.1 $ $Date: 2011/03/23 20:07:57 $\"\n"
+     "CVS_ID \"@(#) $RCSfile: addbuiltin.c,v $ $Revision: 1.16 $ $Date: 2011/04/13 00:10:21 $\"\n"
      "\n"
      "#\n"
      "# certdata.txt\n"
      "#\n"
      "# This file contains the object definitions for the certs and other\n"
      "# information \"built into\" NSS.\n"
      "#\n"
      "# Object definitions:\n"
@@ -234,17 +234,17 @@ void printheader() {
      "#  CKA_MODIFIABLE           CK_BBOOL                CK_FALSE\n"
      "#  CKA_LABEL                UTF8                    (varies)\n"
      "#  CKA_CERTIFICATE_TYPE     CK_CERTIFICATE_TYPE     CKC_X_509\n"
      "#  CKA_SUBJECT              DER+base64              (varies)\n"
      "#  CKA_ID                   byte array              (varies)\n"
      "#  CKA_ISSUER               DER+base64              (varies)\n"
      "#  CKA_SERIAL_NUMBER        DER+base64              (varies)\n"
      "#  CKA_VALUE                DER+base64              (varies)\n"
-     "#  CKA_NETSCAPE_EMAIL       ASCII7                  (unused here)\n"
+     "#  CKA_NSS_EMAIL            ASCII7                  (unused here)\n"
      "#\n"
      "#    Trust\n"
      "#\n"
      "#  -- Attribute --              -- type --          -- value --\n"
      "#  CKA_CLASS                    CK_OBJECT_CLASS     CKO_TRUST\n"
      "#  CKA_TOKEN                    CK_BBOOL            CK_TRUE\n"
      "#  CKA_PRIVATE                  CK_BBOOL            CK_FALSE\n"
      "#  CKA_MODIFIABLE               CK_BBOOL            CK_FALSE\n"
@@ -271,17 +271,17 @@ void printheader() {
      "#  (other trust attributes can be defined)\n"
      "#\n"
      "\n"
      "#\n"
      "# The object to tell NSS that this is a root list and we don't\n"
      "# have to go looking for others.\n"
      "#\n"
      "BEGINDATA\n"
-     "CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_BUILTIN_ROOT_LIST\n"
+     "CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST\n"
      "CKA_TOKEN CK_BBOOL CK_TRUE\n"
      "CKA_PRIVATE CK_BBOOL CK_FALSE\n"
      "CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"
      "CKA_LABEL UTF8 \"Mozilla Builtin Roots\"\n");
 }
 
 static void Usage(char *progName)
 {
--- a/security/nss/cmd/bltest/blapitest.c
+++ b/security/nss/cmd/bltest/blapitest.c
@@ -45,17 +45,17 @@
 #include "prtime.h"
 #include "prsystem.h"
 #include "plstr.h"
 #include "nssb64.h"
 #include "secutil.h"
 #include "plgetopt.h"
 #include "softoken.h"
 #include "nspr.h"
-#include "nss.h"
+#include "nssutil.h"
 #include "secoid.h"
 
 #ifdef NSS_ENABLE_ECC
 #include "ecl-curve.h"
 SECStatus EC_DecodeParams(const SECItem *encodedParams, 
 	ECParams **ecparams);
 SECStatus EC_CopyParams(PRArenaPool *arena, ECParams *dstParams,
 	      const ECParams *srcParams);
@@ -73,17 +73,17 @@ char *testdir = NULL;
 #define BLTEST_DEFAULT_CHUNKSIZE 4096
 
 #define WORDSIZE sizeof(unsigned long)
 
 #define CHECKERROR(rv, ln) \
     if (rv) { \
 	PRErrorCode prerror = PR_GetError(); \
 	PR_fprintf(PR_STDERR, "%s: ERR %d (%s) at line %d.\n", progName, \
-                   prerror, SECU_Strerror(prerror), ln); \
+	prerror, NSS_Strerror(prerror,formatSimple), ln); \
 	exit(-1); \
     }
 
 /* Macros for performance timing. */
 #define TIMESTART() \
     time1 = PR_IntervalNow();
 
 #define TIMEFINISH(time, reps) \
@@ -687,16 +687,17 @@ typedef enum {
     bltestRSA,		  /* Public Key Ciphers	   */
 #ifdef NSS_ENABLE_ECC
     bltestECDSA,	  /* . (Public Key Sig.)   */
 #endif
     bltestDSA,		  /* .                     */
     bltestMD2,		  /* Hash algorithms	   */
     bltestMD5,		  /* .			   */
     bltestSHA1,           /* .			   */
+    bltestSHA224,         /* .			   */
     bltestSHA256,         /* .			   */
     bltestSHA384,         /* .			   */
     bltestSHA512,         /* .			   */
     NUMMODES
 } bltestCipherMode;
 
 static char *mode_strings[] =
 {
@@ -721,16 +722,17 @@ static char *mode_strings[] =
 #ifdef NSS_ENABLE_ECC
     "ecdsa",
 #endif
     /*"pqg",*/
     "dsa",
     "md2",
     "md5",
     "sha1",
+    "sha224",
     "sha256",
     "sha384",
     "sha512",
 };
 
 typedef struct
 {
     bltestIO key;
@@ -1761,16 +1763,56 @@ sha1_restart(unsigned char *dest, const 
     }
     SHA1_End(cx, dest, &len, MD5_LENGTH);
 finish:
     SHA1_DestroyContext(cx, PR_TRUE);
     return rv;
 }
 
 SECStatus
+SHA224_restart(unsigned char *dest, const unsigned char *src, uint32 src_length)
+{
+    SECStatus rv = SECSuccess;
+    SHA224Context *cx, *cx_cpy;
+    unsigned char *cxbytes;
+    unsigned int len;
+    unsigned int i, quarter;
+    cx = SHA224_NewContext();
+    SHA224_Begin(cx);
+    /* divide message by 4, restarting 3 times */
+    quarter = (src_length + 3) / 4;
+    for (i=0; i < 4 && src_length > 0; i++) {
+	SHA224_Update(cx, src + i*quarter, PR_MIN(quarter, src_length));
+	len = SHA224_FlattenSize(cx);
+	cxbytes = PORT_Alloc(len);
+	SHA224_Flatten(cx, cxbytes);
+	cx_cpy = SHA224_Resurrect(cxbytes, NULL);
+	if (!cx_cpy) {
+	    PR_fprintf(PR_STDERR, "%s: SHA224_Resurrect failed!\n", progName);
+	    rv = SECFailure;
+	    goto finish;
+	}
+	rv = PORT_Memcmp(cx, cx_cpy, len);
+	if (rv) {
+	    SHA224_DestroyContext(cx_cpy, PR_TRUE);
+	    PR_fprintf(PR_STDERR, "%s: SHA224_restart failed!\n", progName);
+	    goto finish;
+	}
+	
+	SHA224_DestroyContext(cx_cpy, PR_TRUE);
+	PORT_Free(cxbytes);
+	src_length -= quarter;
+    }
+    SHA224_End(cx, dest, &len, MD5_LENGTH);
+finish:
+    SHA224_DestroyContext(cx, PR_TRUE);
+    return rv;
+}
+
+SECStatus
 SHA256_restart(unsigned char *dest, const unsigned char *src, uint32 src_length)
 {
     SECStatus rv = SECSuccess;
     SHA256Context *cx, *cx_cpy;
     unsigned char *cxbytes;
     unsigned int len;
     unsigned int i, quarter;
     cx = SHA256_NewContext();
@@ -2052,16 +2094,24 @@ cipherInit(bltestCipherInfo *cipherInfo,
 	break;
     case bltestSHA1:
 	restart = cipherInfo->params.hash.restart;
 	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
 			  SHA1_LENGTH);
 	cipherInfo->cipher.hashCipher = (restart) ? sha1_restart : SHA1_HashBuf;
 	return SECSuccess;
 	break;
+    case bltestSHA224:
+	restart = cipherInfo->params.hash.restart;
+	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
+			  SHA224_LENGTH);
+	cipherInfo->cipher.hashCipher = (restart) ? SHA224_restart 
+	                                          : SHA224_HashBuf;
+	return SECSuccess;
+	break;
     case bltestSHA256:
 	restart = cipherInfo->params.hash.restart;
 	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
 			  SHA256_LENGTH);
 	cipherInfo->cipher.hashCipher = (restart) ? SHA256_restart 
 	                                          : SHA256_HashBuf;
 	return SECSuccess;
 	break;
@@ -2493,16 +2543,17 @@ cipherFinish(bltestCipherInfo *cipherInf
     case bltestRSA: /* keys are alloc'ed within cipherInfo's arena, */
     case bltestDSA: /* will be freed with it. */
 #ifdef NSS_ENABLE_ECC
     case bltestECDSA:
 #endif
     case bltestMD2: /* hash contexts are ephemeral */
     case bltestMD5:
     case bltestSHA1:
+    case bltestSHA224:
     case bltestSHA256:
     case bltestSHA384:
     case bltestSHA512:
 	return SECSuccess;
 	break;
     default:
 	return SECFailure;
     }
@@ -2846,16 +2897,17 @@ get_params(PRArenaPool *arena, bltestPar
 	               bltestBase64Encoded);
 	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "ciphertext",j);
 	load_file_data(arena, &params->ecdsa.sig, filename, bltestBase64Encoded);
 	break;
 #endif
     case bltestMD2:
     case bltestMD5:
     case bltestSHA1:
+    case bltestSHA224:
     case bltestSHA256:
     case bltestSHA384:
     case bltestSHA512:
 	/*params->hash.restart = PR_TRUE;*/
 	params->hash.restart = PR_FALSE;
 	break;
     default:
 	break;
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha224/ciphertext0
@@ -0,0 +1,2 @@
+Iwl9IjQF2CKGQqR3vaJVsyqtvOS9oLP342ydpw==
+
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha224/ciphertext1
@@ -0,0 +1,2 @@
+dTiLFlEndsxdul2h/YkBULDGRVy09YsZUlIlJQ==
+
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha224/numtests
@@ -0,0 +1,1 @@
+2
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha224/plaintext0
@@ -0,0 +1,1 @@
+abc
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha224/plaintext1
@@ -0,0 +1,1 @@
+abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -1101,18 +1101,18 @@ static void luE(enum usage_level ul, con
 static void luCommonDetailsAE()
 {
     FPS "%-20s Specify the nickname of the certificate to add\n",
         "   -n cert-name");
     FPS "%-20s Set the certificate trust attributes:\n",
         "   -t trustargs");
     FPS "%-25s trustargs is of the form x,y,z where x is for SSL, y is for S/MIME,\n", "");
     FPS "%-25s and z is for code signing. Use ,, for no explicit trust.\n", "");
-    FPS "%-25s p \t valid peer\n", "");
-    FPS "%-25s P \t trusted peer (implies p)\n", "");
+    FPS "%-25s p \t prohibited\n", "");
+    FPS "%-25s P \t trusted peer\n", "");
     FPS "%-25s c \t valid CA\n", "");
     FPS "%-25s T \t trusted CA to issue client certs (implies c)\n", "");
     FPS "%-25s C \t trusted CA to issue server certs (implies c)\n", "");
     FPS "%-25s u \t user cert\n", "");
     FPS "%-25s w \t send warning\n", "");
     FPS "%-25s g \t make step-up cert\n", "");
     FPS "%-20s Specify the password file\n",
         "   -f pwfile");
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/chktest/Makefile
@@ -0,0 +1,79 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include ../platrules.mk
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/chktest/chktest.c
@@ -0,0 +1,76 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Kai Engert <kengert@redhat.com>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "blapi.h"
+#include "secutil.h"
+
+static int Usage()
+{
+    fprintf(stderr, "Usage:  chktest <full-path-to-shared-library>\n");
+    fprintf(stderr, "        Will test for valid chk file.\n");
+    fprintf(stderr, "        Will print SUCCESS or FAILURE.\n");
+    exit(1);
+}
+
+int main(int argc, char **argv)
+{
+    SECStatus rv = SECFailure;
+    PRBool good_result = PR_FALSE;
+
+    if (argc != 2)
+      return Usage();
+    
+    rv = RNG_RNGInit();
+    if (rv != SECSuccess) {
+        SECU_PrintPRandOSError("");
+        return -1;
+    }
+    rv = BL_Init();
+    if (rv != SECSuccess) {
+        SECU_PrintPRandOSError("");
+        return -1;
+    }
+    RNG_SystemInfoForRNG();
+
+    good_result = BLAPI_SHVerifyFile(argv[1]);
+    printf("%s\n", 
+      (good_result ? "SUCCESS" : "FAILURE"));
+    return (good_result) ? SECSuccess : SECFailure;
+}
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/chktest/manifest.mn
@@ -0,0 +1,59 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../..
+
+MODULE = nss
+
+#REQUIRES = seccmd dbm softoken
+REQUIRES = seccmd dbm
+
+#INCLUDES += -I$(CORE_DEPTH)/nss/lib/softoken
+
+PROGRAM = chktest
+
+ USE_STATIC_LIBS = 1
+
+EXPORTS = \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	$(NULL)
+
+CSRCS = \
+	chktest.c \
+	$(NULL)
+
--- a/security/nss/cmd/lib/Makefile
+++ b/security/nss/cmd/lib/Makefile
@@ -73,10 +73,9 @@ include $(CORE_DEPTH)/coreconf/rules.mk
 
 
 #######################################################################
 # (7) Execute "local" rules. (OPTIONAL).                              #
 #######################################################################
 
 export:: private_export
 
-$(OBJDIR)/secerror$(OBJ_SUFFIX): NSPRerrs.h SECerrs.h SSLerrs.h 
 
deleted file mode 100644
--- a/security/nss/cmd/lib/NSPRerrs.h
+++ /dev/null
@@ -1,153 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* General NSPR 2.0 errors */
-/* Caller must #include "prerror.h" */
-
-ER2( PR_OUT_OF_MEMORY_ERROR, 	"Memory allocation attempt failed." )
-ER2( PR_BAD_DESCRIPTOR_ERROR, 	"Invalid file descriptor." )
-ER2( PR_WOULD_BLOCK_ERROR, 	"The operation would have blocked." )
-ER2( PR_ACCESS_FAULT_ERROR, 	"Invalid memory address argument." )
-ER2( PR_INVALID_METHOD_ERROR, 	"Invalid function for file type." )
-ER2( PR_ILLEGAL_ACCESS_ERROR, 	"Invalid memory address argument." )
-ER2( PR_UNKNOWN_ERROR, 		"Some unknown error has occurred." )
-ER2( PR_PENDING_INTERRUPT_ERROR,"Operation interrupted by another thread." )
-ER2( PR_NOT_IMPLEMENTED_ERROR, 	"function not implemented." )
-ER2( PR_IO_ERROR, 		"I/O function error." )
-ER2( PR_IO_TIMEOUT_ERROR, 	"I/O operation timed out." )
-ER2( PR_IO_PENDING_ERROR, 	"I/O operation on busy file descriptor." )
-ER2( PR_DIRECTORY_OPEN_ERROR, 	"The directory could not be opened." )
-ER2( PR_INVALID_ARGUMENT_ERROR, "Invalid function argument." )
-ER2( PR_ADDRESS_NOT_AVAILABLE_ERROR, "Network address not available (in use?)." )
-ER2( PR_ADDRESS_NOT_SUPPORTED_ERROR, "Network address type not supported." )
-ER2( PR_IS_CONNECTED_ERROR, 	"Already connected." )
-ER2( PR_BAD_ADDRESS_ERROR, 	"Network address is invalid." )
-ER2( PR_ADDRESS_IN_USE_ERROR, 	"Local Network address is in use." )
-ER2( PR_CONNECT_REFUSED_ERROR, 	"Connection refused by peer." )
-ER2( PR_NETWORK_UNREACHABLE_ERROR, "Network address is presently unreachable." )
-ER2( PR_CONNECT_TIMEOUT_ERROR, 	"Connection attempt timed out." )
-ER2( PR_NOT_CONNECTED_ERROR, 	"Network file descriptor is not connected." )
-ER2( PR_LOAD_LIBRARY_ERROR, 	"Failure to load dynamic library." )
-ER2( PR_UNLOAD_LIBRARY_ERROR, 	"Failure to unload dynamic library." )
-ER2( PR_FIND_SYMBOL_ERROR, 	
-"Symbol not found in any of the loaded dynamic libraries." )
-ER2( PR_INSUFFICIENT_RESOURCES_ERROR, "Insufficient system resources." )
-ER2( PR_DIRECTORY_LOOKUP_ERROR, 	
-"A directory lookup on a network address has failed." )
-ER2( PR_TPD_RANGE_ERROR, 		
-"Attempt to access a TPD key that is out of range." )
-ER2( PR_PROC_DESC_TABLE_FULL_ERROR, "Process open FD table is full." )
-ER2( PR_SYS_DESC_TABLE_FULL_ERROR, "System open FD table is full." )
-ER2( PR_NOT_SOCKET_ERROR, 	
-"Network operation attempted on non-network file descriptor." )
-ER2( PR_NOT_TCP_SOCKET_ERROR, 	
-"TCP-specific function attempted on a non-TCP file descriptor." )
-ER2( PR_SOCKET_ADDRESS_IS_BOUND_ERROR, "TCP file descriptor is already bound." )
-ER2( PR_NO_ACCESS_RIGHTS_ERROR, "Access Denied." )
-ER2( PR_OPERATION_NOT_SUPPORTED_ERROR, 
-"The requested operation is not supported by the platform." )
-ER2( PR_PROTOCOL_NOT_SUPPORTED_ERROR, 
-"The host operating system does not support the protocol requested." )
-ER2( PR_REMOTE_FILE_ERROR, 	"Access to the remote file has been severed." )
-ER2( PR_BUFFER_OVERFLOW_ERROR, 	
-"The value requested is too large to be stored in the data buffer provided." )
-ER2( PR_CONNECT_RESET_ERROR, 	"TCP connection reset by peer." )
-ER2( PR_RANGE_ERROR, 		"Unused." )
-ER2( PR_DEADLOCK_ERROR, 	"The operation would have deadlocked." )
-ER2( PR_FILE_IS_LOCKED_ERROR, 	"The file is already locked." )
-ER2( PR_FILE_TOO_BIG_ERROR, 	
-"Write would result in file larger than the system allows." )
-ER2( PR_NO_DEVICE_SPACE_ERROR, 	"The device for storing the file is full." )
-ER2( PR_PIPE_ERROR, 		"Unused." )
-ER2( PR_NO_SEEK_DEVICE_ERROR, 	"Unused." )
-ER2( PR_IS_DIRECTORY_ERROR, 	
-"Cannot perform a normal file operation on a directory." )
-ER2( PR_LOOP_ERROR, 		"Symbolic link loop." )
-ER2( PR_NAME_TOO_LONG_ERROR, 	"File name is too long." )
-ER2( PR_FILE_NOT_FOUND_ERROR, 	"File not found." )
-ER2( PR_NOT_DIRECTORY_ERROR, 	
-"Cannot perform directory operation on a normal file." )
-ER2( PR_READ_ONLY_FILESYSTEM_ERROR, 
-"Cannot write to a read-only file system." )
-ER2( PR_DIRECTORY_NOT_EMPTY_ERROR, 
-"Cannot delete a directory that is not empty." )
-ER2( PR_FILESYSTEM_MOUNTED_ERROR, 
-"Cannot delete or rename a file object while the file system is busy." )
-ER2( PR_NOT_SAME_DEVICE_ERROR, 	
-"Cannot rename a file to a file system on another device." )
-ER2( PR_DIRECTORY_CORRUPTED_ERROR, 
-"The directory object in the file system is corrupted." )
-ER2( PR_FILE_EXISTS_ERROR, 	
-"Cannot create or rename a filename that already exists." )
-ER2( PR_MAX_DIRECTORY_ENTRIES_ERROR, 
-"Directory is full.  No additional filenames may be added." )
-ER2( PR_INVALID_DEVICE_STATE_ERROR, 
-"The required device was in an invalid state." )
-ER2( PR_DEVICE_IS_LOCKED_ERROR, "The device is locked." )
-ER2( PR_NO_MORE_FILES_ERROR, 	"No more entries in the directory." )
-ER2( PR_END_OF_FILE_ERROR, 	"Encountered end of file." )
-ER2( PR_FILE_SEEK_ERROR, 	"Seek error." )
-ER2( PR_FILE_IS_BUSY_ERROR, 	"The file is busy." )
-ER2( PR_IN_PROGRESS_ERROR,
-"Operation is still in progress (probably a non-blocking connect)." )
-ER2( PR_ALREADY_INITIATED_ERROR,
-"Operation has already been initiated (probably a non-blocking connect)." )
-
-#ifdef PR_GROUP_EMPTY_ERROR
-ER2( PR_GROUP_EMPTY_ERROR, 	"The wait group is empty." )
-#endif
-
-#ifdef PR_INVALID_STATE_ERROR
-ER2( PR_INVALID_STATE_ERROR, 	"Object state improper for request." )
-#endif
-
-#ifdef PR_NETWORK_DOWN_ERROR
-ER2( PR_NETWORK_DOWN_ERROR,	"Network is down." )
-#endif
-
-#ifdef PR_SOCKET_SHUTDOWN_ERROR
-ER2( PR_SOCKET_SHUTDOWN_ERROR,	"The socket was previously shut down." )
-#endif
-
-#ifdef PR_CONNECT_ABORTED_ERROR
-ER2( PR_CONNECT_ABORTED_ERROR,	"TCP Connection aborted." )
-#endif
-
-#ifdef PR_HOST_UNREACHABLE_ERROR
-ER2( PR_HOST_UNREACHABLE_ERROR,	"Host is unreachable." )
-#endif
-
-/* always last */
-ER2( PR_MAX_ERROR, 		"Placeholder for the end of the list" )
--- a/security/nss/cmd/lib/manifest.mn
+++ b/security/nss/cmd/lib/manifest.mn
@@ -39,27 +39,22 @@ CORE_DEPTH	= ../../..
 LIBRARY_NAME	= sectool
 
 # MODULE public and private header  directories are implicitly REQUIRED.
 MODULE		= nss
 
 DEFINES		= -DNSPR20
 
 PRIVATE_EXPORTS	= secutil.h \
-		  NSPRerrs.h \
-		  SECerrs.h \
-		  SSLerrs.h \
 		  pk11table.h \
 		  $(NULL)
 
 CSRCS		= secutil.c \
 		secpwd.c    \
 		derprint.c \
 		moreoids.c \
 		pppolicy.c \
 		secerror.c \
 		ffs.c \
 		pk11table.c \
 		$(NULL)
 
-REQUIRES	= dbm
-
 NO_MD_RELEASE	= 1
--- a/security/nss/cmd/lib/pk11table.c
+++ b/security/nss/cmd/lib/pk11table.c
@@ -150,20 +150,20 @@ const Constant _consts[] = {
 	mkEntry(CKO_DATA, Object),
 	mkEntry(CKO_CERTIFICATE, Object),
 	mkEntry(CKO_PUBLIC_KEY, Object),
 	mkEntry(CKO_PRIVATE_KEY, Object),
 	mkEntry(CKO_SECRET_KEY, Object),
 	mkEntry(CKO_HW_FEATURE, Object),
 	mkEntry(CKO_DOMAIN_PARAMETERS, Object),
 	mkEntry(CKO_KG_PARAMETERS, Object),
-	mkEntry(CKO_NETSCAPE_CRL, Object),
-	mkEntry(CKO_NETSCAPE_SMIME, Object),
-	mkEntry(CKO_NETSCAPE_TRUST, Object),
-	mkEntry(CKO_NETSCAPE_BUILTIN_ROOT_LIST, Object),
+	mkEntry(CKO_NSS_CRL, Object),
+	mkEntry(CKO_NSS_SMIME, Object),
+	mkEntry(CKO_NSS_TRUST, Object),
+	mkEntry(CKO_NSS_BUILTIN_ROOT_LIST, Object),
 
 	mkEntry(CKH_MONOTONIC_COUNTER, Hardware),
 	mkEntry(CKH_CLOCK, Hardware),
 
 	mkEntry(CKK_RSA, KeyType),
 	mkEntry(CKK_DSA, KeyType),
 	mkEntry(CKK_DH, KeyType),
 	mkEntry(CKK_ECDSA, KeyType),
@@ -183,17 +183,17 @@ const Constant _consts[] = {
 	mkEntry(CKK_RC5, KeyType),
 	mkEntry(CKK_IDEA, KeyType),
 	mkEntry(CKK_SKIPJACK, KeyType),
 	mkEntry(CKK_BATON, KeyType),
 	mkEntry(CKK_JUNIPER, KeyType),
 	mkEntry(CKK_CDMF, KeyType),
 	mkEntry(CKK_AES, KeyType),
 	mkEntry(CKK_CAMELLIA, KeyType),
-	mkEntry(CKK_NETSCAPE_PKCS8, KeyType),
+	mkEntry(CKK_NSS_PKCS8, KeyType),
 
 	mkEntry(CKC_X_509, CertType),
 	mkEntry(CKC_X_509_ATTR_CERT, CertType),
 
 	mkEntry2(CKA_CLASS, Attribute, Object),
 	mkEntry2(CKA_TOKEN, Attribute, Bool),
 	mkEntry2(CKA_PRIVATE, Attribute, Bool),
 	mkEntry2(CKA_LABEL, Attribute, None),
@@ -247,28 +247,28 @@ const Constant _consts[] = {
 	mkEntry2(CKA_ECDSA_PARAMS, Attribute, None),
 	mkEntry2(CKA_EC_PARAMS, Attribute, None),
 	mkEntry2(CKA_EC_POINT, Attribute, None),
 	mkEntry2(CKA_SECONDARY_AUTH, Attribute, None),
 	mkEntry2(CKA_AUTH_PIN_FLAGS, Attribute, None),
 	mkEntry2(CKA_HW_FEATURE_TYPE, Attribute, Hardware),
 	mkEntry2(CKA_RESET_ON_INIT, Attribute, Bool),
 	mkEntry2(CKA_HAS_RESET, Attribute, Bool),
-	mkEntry2(CKA_NETSCAPE_URL, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_EMAIL, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_SMIME_INFO, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_SMIME_TIMESTAMP, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_PKCS8_SALT, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_PASSWORD_CHECK, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_EXPIRES, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_KRL, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_PQG_COUNTER, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_PQG_SEED, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_PQG_H, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_PQG_SEED_BITS, Attribute, None),
+	mkEntry2(CKA_NSS_URL, Attribute, None),
+	mkEntry2(CKA_NSS_EMAIL, Attribute, None),
+	mkEntry2(CKA_NSS_SMIME_INFO, Attribute, None),
+	mkEntry2(CKA_NSS_SMIME_TIMESTAMP, Attribute, None),
+	mkEntry2(CKA_NSS_PKCS8_SALT, Attribute, None),
+	mkEntry2(CKA_NSS_PASSWORD_CHECK, Attribute, None),
+	mkEntry2(CKA_NSS_EXPIRES, Attribute, None),
+	mkEntry2(CKA_NSS_KRL, Attribute, None),
+	mkEntry2(CKA_NSS_PQG_COUNTER, Attribute, None),
+	mkEntry2(CKA_NSS_PQG_SEED, Attribute, None),
+	mkEntry2(CKA_NSS_PQG_H, Attribute, None),
+	mkEntry2(CKA_NSS_PQG_SEED_BITS, Attribute, None),
 	mkEntry2(CKA_TRUST_DIGITAL_SIGNATURE, Attribute, Trust),
 	mkEntry2(CKA_TRUST_NON_REPUDIATION, Attribute, Trust),
 	mkEntry2(CKA_TRUST_KEY_ENCIPHERMENT, Attribute, Trust),
 	mkEntry2(CKA_TRUST_DATA_ENCIPHERMENT, Attribute, Trust),
 	mkEntry2(CKA_TRUST_KEY_AGREEMENT, Attribute, Trust),
 	mkEntry2(CKA_TRUST_KEY_CERT_SIGN, Attribute, Trust),
 	mkEntry2(CKA_TRUST_CRL_SIGN, Attribute, Trust),
 	mkEntry2(CKA_TRUST_SERVER_AUTH, Attribute, Trust),
@@ -487,18 +487,18 @@ const Constant _consts[] = {
 	mkEntry(CKM_SEED_CBC, Mechanism),
 	mkEntry(CKM_SEED_MAC, Mechanism),
 	mkEntry(CKM_SEED_MAC_GENERAL, Mechanism),
 	mkEntry(CKM_SEED_CBC_PAD, Mechanism),
 	mkEntry(CKM_SEED_ECB_ENCRYPT_DATA, Mechanism),
 	mkEntry(CKM_SEED_CBC_ENCRYPT_DATA, Mechanism),
 	mkEntry(CKM_DSA_PARAMETER_GEN, Mechanism),
 	mkEntry(CKM_DH_PKCS_PARAMETER_GEN, Mechanism),
-	mkEntry(CKM_NETSCAPE_AES_KEY_WRAP, Mechanism),
-	mkEntry(CKM_NETSCAPE_AES_KEY_WRAP_PAD, Mechanism),
+	mkEntry(CKM_NSS_AES_KEY_WRAP, Mechanism),
+	mkEntry(CKM_NSS_AES_KEY_WRAP_PAD, Mechanism),
 	mkEntry(CKM_NETSCAPE_PBE_SHA1_DES_CBC, Mechanism),
 	mkEntry(CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC, Mechanism),
 	mkEntry(CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC, Mechanism),
 	mkEntry(CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC, Mechanism),
 	mkEntry(CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4, Mechanism),
 	mkEntry(CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4, Mechanism),
 	mkEntry(CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC, Mechanism),
 	mkEntry(CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN, Mechanism),
@@ -588,23 +588,22 @@ const Constant _consts[] = {
 	mkEntry(CKR_INFORMATION_SENSITIVE, Result),
 	mkEntry(CKR_STATE_UNSAVEABLE, Result),
 	mkEntry(CKR_CRYPTOKI_NOT_INITIALIZED, Result),
 	mkEntry(CKR_CRYPTOKI_ALREADY_INITIALIZED, Result),
 	mkEntry(CKR_MUTEX_BAD, Result),
 	mkEntry(CKR_MUTEX_NOT_LOCKED, Result),
 	mkEntry(CKR_VENDOR_DEFINED, Result),
 
-	mkEntry(CKT_NETSCAPE_TRUSTED, Trust),
-	mkEntry(CKT_NETSCAPE_TRUSTED_DELEGATOR, Trust),
-	mkEntry(CKT_NETSCAPE_UNTRUSTED, Trust),
-	mkEntry(CKT_NETSCAPE_MUST_VERIFY, Trust),
-	mkEntry(CKT_NETSCAPE_TRUST_UNKNOWN, Trust),
-	mkEntry(CKT_NETSCAPE_VALID, Trust),
-	mkEntry(CKT_NETSCAPE_VALID_DELEGATOR, Trust),
+	mkEntry(CKT_NSS_TRUSTED, Trust),
+	mkEntry(CKT_NSS_TRUSTED_DELEGATOR, Trust),
+	mkEntry(CKT_NSS_NOT_TRUSTED, Trust),
+	mkEntry(CKT_NSS_MUST_VERIFY_TRUST, Trust),
+	mkEntry(CKT_NSS_TRUST_UNKNOWN, Trust),
+	mkEntry(CKT_NSS_VALID_DELEGATOR, Trust),
 
 	mkEntry(CK_EFFECTIVELY_INFINITE, AvailableSizes),
 	mkEntry(CK_UNAVAILABLE_INFORMATION, CurrentSize),
 };
 
 const Constant *consts = &_consts[0];
 const int constCount = sizeof(_consts)/sizeof(_consts[0]);
 
@@ -1247,17 +1246,17 @@ const Commands _commands[] = {
 "NewTemplate varName attributeList\n\n"
 "Create a new empty template and populate the attribute list\n"
 " varName        variable name of the new template\n"
 " attributeList  comma separated list of CKA_ATTRIBUTE types\n",
 	{ArgVar|ArgNew, ArgVar, ArgNone, ArgNone, ArgNone, 
 	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
     {"NewMechanism", F_NewMechanism,
 "NewMechanism varName mechanismType\n\n"
-"Create a new CK_MECHANISM object with type NULL paramters and specified type\n"
+"Create a new CK_MECHANISM object with type NULL parameters and specified type\n"
 " varName        variable name of the new mechansim\n"
 " mechanismType  CKM_ mechanism type value to set int the type field\n",
 	{ArgVar|ArgNew, ArgULong, ArgNone, ArgNone, ArgNone, 
 	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
     {"BuildTemplate", F_BuildTemplate,
 "BuildTemplate template\n\n"
 "Allocates space for the value in a template which has the sizes filled in,\n"
 "but no values allocated yet.\n"
--- a/security/nss/cmd/lib/secerror.c
+++ b/security/nss/cmd/lib/secerror.c
@@ -28,83 +28,18 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-#include "nspr.h"
-
-struct tuple_str {
-    PRErrorCode	 errNum;
-    const char * errString;
-};
-
-typedef struct tuple_str tuple_str;
-
-#define ER2(a,b)   {a, b},
-#define ER3(a,b,c) {a, c},
-
-#include "secerr.h"
-#include "sslerr.h"
-
-const tuple_str errStrings[] = {
-
-/* keep this list in asceding order of error numbers */
-#include "SSLerrs.h"
-#include "SECerrs.h"
-#include "NSPRerrs.h"
-
-};
-
-const PRInt32 numStrings = sizeof(errStrings) / sizeof(tuple_str);
+#include "prtypes.h"
+#include "nssutil.h"
 
 /* Returns a UTF-8 encoded constant error string for "errNum".
- * Returns NULL of errNum is unknown.
+ * Returns NULL if errNum is unknown.
  */
 const char *
 SECU_Strerror(PRErrorCode errNum) {
-    PRInt32 low  = 0;
-    PRInt32 high = numStrings - 1;
-    PRInt32 i;
-    PRErrorCode num;
-    static int initDone;
-
-    /* make sure table is in ascending order.
-     * binary search depends on it.
-     */
-    if (!initDone) {
-	PRErrorCode lastNum = ((PRInt32)0x80000000);
-    	for (i = low; i <= high; ++i) {
-	    num = errStrings[i].errNum;
-	    if (num <= lastNum) {
-	    	fprintf(stderr, 
-"sequence error in error strings at item %d\n"
-"error %d (%s)\n"
-"should come after \n"
-"error %d (%s)\n",
-		        i, lastNum, errStrings[i-1].errString, 
-			num, errStrings[i].errString);
-	    }
-	    lastNum = num;
-	}
-	initDone = 1;
-    }
-
-    /* Do binary search of table. */
-    while (low + 1 < high) {
-    	i = (low + high) / 2;
-	num = errStrings[i].errNum;
-	if (errNum == num) 
-	    return errStrings[i].errString;
-        if (errNum < num)
-	    high = i;
-	else 
-	    low = i;
-    }
-    if (errNum == errStrings[low].errNum)
-    	return errStrings[low].errString;
-    if (errNum == errStrings[high].errNum)
-    	return errStrings[high].errString;
-    return NULL;
+    return NSS_Strerror(errNum, formatSimple);
 }
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -78,25 +78,19 @@ static char consoleName[] =  {
 #ifdef XP_OS2
     "\\DEV\\CON"
 #else
     "CON:"
 #endif
 #endif
 };
 
-
-char *
-SECU_GetString(int16 error_number)
-{
-
-    static char errString[80];
-    sprintf(errString, "Unknown error string (%d)", error_number);
-    return errString;
-}
+#include "nssutil.h"
+#include "ssl.h"
+
 
 void 
 SECU_PrintErrMsg(FILE *out, int level, char *progName, char *msg, ...)
 {
     va_list args;
     PRErrorCode err = PORT_GetError();
     const char * errString = SECU_Strerror(err);
 
@@ -1511,16 +1505,80 @@ const SEC_ASN1Template secuPBEV2Params[]
     { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
         SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
     { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, cipherAlg),
         SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
     { 0 }
 };
 
 void
+secu_PrintRSAPSSParams(FILE *out, SECItem *value, char *m, int level)
+{
+    PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    SECStatus rv;
+    SECKEYRSAPSSParams param;
+    SECAlgorithmID maskHashAlg;
+
+    if (m) {
+	SECU_Indent(out, level);
+	fprintf (out, "%s:\n", m);
+    }
+
+    if (!pool) {
+	SECU_Indent(out, level);
+	fprintf(out, "Out of memory\n");
+	return;
+    }
+
+    PORT_Memset(&param, 0, sizeof param);
+
+    rv = SEC_QuickDERDecodeItem(pool, &param,
+				SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate),
+				value);
+    if (rv == SECSuccess) {
+	if (!param.hashAlg) {
+	    SECU_Indent(out, level+1);
+	    fprintf(out, "Hash algorithm: default, SHA-1\n");
+	} else {
+	    SECU_PrintObjectID(out, &param.hashAlg->algorithm,
+			       "Hash algorithm", level+1);
+	}
+	if (!param.maskAlg) {
+	    SECU_Indent(out, level+1);
+	    fprintf(out, "Mask algorithm: default, MGF1\n");
+	    SECU_Indent(out, level+1);
+	    fprintf(out, "Mask hash algorithm: default, SHA-1\n");
+	} else {
+	    SECU_PrintObjectID(out, &param.maskAlg->algorithm,
+			       "Mask algorithm", level+1);
+	    rv = SEC_QuickDERDecodeItem(pool, &maskHashAlg,
+		     SEC_ASN1_GET(SECOID_AlgorithmIDTemplate),
+		     &param.maskAlg->parameters);
+	    if (rv == SECSuccess) {
+		SECU_PrintObjectID(out, &maskHashAlg.algorithm,
+				   "Mask hash algorithm", level+1);
+	    } else {
+		SECU_Indent(out, level+1);
+		fprintf(out, "Invalid mask generation algorithm parameters\n");
+	    }
+	}
+	if (!param.saltLength.data) {
+	    SECU_Indent(out, level+1);
+	    fprintf(out, "Salt length: default, %i (0x%2X)\n", 20, 20);
+	} else {
+	    SECU_PrintInteger(out, &param.saltLength, "Salt Length", level+1);
+	}
+    } else {
+	SECU_Indent(out, level+1);
+	fprintf(out, "Invalid RSA-PSS parameters\n");
+    }
+    PORT_FreeArena(pool, PR_FALSE);
+}
+
+void
 secu_PrintKDF2Params(FILE *out, SECItem *value, char *m, int level)
 {
     PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     SECStatus rv;
     secuPBEParams param;
 
     if (m) {
 	SECU_Indent(out, level);
@@ -1620,17 +1678,21 @@ SECU_PrintAlgorithmID(FILE *out, SECAlgo
 	    secu_PrintPKCS5V2Params(out, &a->parameters, "MAC", level+1);
 	    break;
 	default:
 	    secu_PrintPBEParams(out, &a->parameters, "Parameters", level+1);
 	    break;
 	}
 	return;
     }
-	
+
+    if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
+	secu_PrintRSAPSSParams(out, &a->parameters, "Parameters", level+1);
+	return;
+    }
 
     if (a->parameters.len == 0
 	|| (a->parameters.len == 2
 	    && PORT_Memcmp(a->parameters.data, "\005\000", 2) == 0)) {
 	/* No arguments or NULL argument */
     } else {
 	/* Print args to algorithm */
 	SECU_PrintAsHex(out, &a->parameters, "Args", level+1);
@@ -2379,17 +2441,17 @@ SECU_PrintName(FILE *out, CERTName *name
 
 void
 printflags(char *trusts, unsigned int flags)
 {
     if (flags & CERTDB_VALID_CA)
 	if (!(flags & CERTDB_TRUSTED_CA) &&
 	    !(flags & CERTDB_TRUSTED_CLIENT_CA))
 	    PORT_Strcat(trusts, "c");
-    if (flags & CERTDB_VALID_PEER)
+    if (flags & CERTDB_TERMINAL_RECORD)
 	if (!(flags & CERTDB_TRUSTED))
 	    PORT_Strcat(trusts, "p");
     if (flags & CERTDB_TRUSTED_CA)
 	PORT_Strcat(trusts, "C");
     if (flags & CERTDB_TRUSTED_CLIENT_CA)
 	PORT_Strcat(trusts, "T");
     if (flags & CERTDB_TRUSTED)
 	PORT_Strcat(trusts, "P");
@@ -3204,18 +3266,18 @@ SECU_PrintPKCS7ContentInfo(FILE *out, SE
 
 /*
 ** End of PKCS7 functions
 */
 
 void
 printFlags(FILE *out, unsigned int flags, int level)
 {
-    if ( flags & CERTDB_VALID_PEER ) {
-	SECU_Indent(out, level); fprintf(out, "Valid Peer\n");
+    if ( flags & CERTDB_TERMINAL_RECORD ) {
+	SECU_Indent(out, level); fprintf(out, "Terminal Record\n");
     }
     if ( flags & CERTDB_TRUSTED ) {
 	SECU_Indent(out, level); fprintf(out, "Trusted\n");
     }
     if ( flags & CERTDB_SEND_WARN ) {
 	SECU_Indent(out, level); fprintf(out, "Warn When Sending\n");
     }
     if ( flags & CERTDB_VALID_CA ) {
@@ -3245,16 +3307,39 @@ SECU_PrintTrustFlags(FILE *out, CERTCert
     SECU_Indent(out, level+1); fprintf(out, "SSL Flags:\n");
     printFlags(out, trust->sslFlags, level+2);
     SECU_Indent(out, level+1); fprintf(out, "Email Flags:\n");
     printFlags(out, trust->emailFlags, level+2);
     SECU_Indent(out, level+1); fprintf(out, "Object Signing Flags:\n");
     printFlags(out, trust->objectSigningFlags, level+2);
 }
 
+int SECU_PrintDERName(FILE *out, SECItem *der, const char *m, int level)
+{
+    PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    CERTName *name;
+    int rv = SEC_ERROR_NO_MEMORY;
+
+    if (!arena)
+	return rv;
+
+    name = PORT_ArenaZNew(arena, CERTName);
+    if (!name)
+	goto loser;
+
+    rv = SEC_ASN1DecodeItem(arena, name, SEC_ASN1_GET(CERT_NameTemplate), der);
+    if (rv)
+	goto loser;
+
+    SECU_PrintName(out, name, m, level);
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return rv;
+}
+
 int SECU_PrintSignedData(FILE *out, SECItem *der, const char *m,
 			   int level, SECU_PPFunc inner)
 {
     PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     CERTSignedData *sd;
     int rv = SEC_ERROR_NO_MEMORY;
 
     if (!arena)
@@ -3276,17 +3361,16 @@ int SECU_PrintSignedData(FILE *out, SECI
     SECU_PrintAlgorithmID(out, &sd->signatureAlgorithm, "Signature Algorithm",
 			  level+1);
     DER_ConvertBitString(&sd->signature);
     SECU_PrintAsHex(out, &sd->signature, "Signature", level+1);
     SECU_PrintFingerprints(out, der, "Fingerprint", level+1);
 loser:
     PORT_FreeArena(arena, PR_FALSE);
     return rv;
-
 }
 
 SECStatus
 SEC_PrintCertificateAndTrust(CERTCertificate *cert,
                              const char *label,
                              CERTCertTrust *trust)
 {
     SECStatus rv;
@@ -3506,133 +3590,16 @@ SECU_GetOptionArg(const secuCommand *cmd
 	if (optionNum < 0 || optionNum >= cmd->numOptions)
 		return NULL;
 	if (cmd->options[optionNum].activated)
 		return PL_strdup(cmd->options[optionNum].arg);
 	else
 		return NULL;
 }
 
-static char SECUErrorBuf[64];
-
-char *
-SECU_ErrorStringRaw(int16 err)
-{
-    if (err == 0)
-	SECUErrorBuf[0] = '\0';
-    else if (err == SEC_ERROR_BAD_DATA)
-	sprintf(SECUErrorBuf, "Bad data");
-    else if (err == SEC_ERROR_BAD_DATABASE)
-	sprintf(SECUErrorBuf, "Problem with database");
-    else if (err == SEC_ERROR_BAD_DER)
-	sprintf(SECUErrorBuf, "Problem with DER");
-    else if (err == SEC_ERROR_BAD_KEY)
-	sprintf(SECUErrorBuf, "Problem with key");
-    else if (err == SEC_ERROR_BAD_PASSWORD)
-	sprintf(SECUErrorBuf, "Incorrect password");
-    else if (err == SEC_ERROR_BAD_SIGNATURE)
-	sprintf(SECUErrorBuf, "Bad signature");
-    else if (err == SEC_ERROR_EXPIRED_CERTIFICATE)
-	sprintf(SECUErrorBuf, "Expired certificate");
-    else if (err == SEC_ERROR_EXTENSION_VALUE_INVALID)
-	sprintf(SECUErrorBuf, "Invalid extension value");
-    else if (err == SEC_ERROR_INPUT_LEN)
-	sprintf(SECUErrorBuf, "Problem with input length");
-    else if (err == SEC_ERROR_INVALID_ALGORITHM)
-	sprintf(SECUErrorBuf, "Invalid algorithm");
-    else if (err == SEC_ERROR_INVALID_ARGS)
-	sprintf(SECUErrorBuf, "Invalid arguments");
-    else if (err == SEC_ERROR_INVALID_AVA)
-	sprintf(SECUErrorBuf, "Invalid AVA");
-    else if (err == SEC_ERROR_INVALID_TIME)
-	sprintf(SECUErrorBuf, "Invalid time");
-    else if (err == SEC_ERROR_IO)
-	sprintf(SECUErrorBuf, "Security I/O error");
-    else if (err == SEC_ERROR_LIBRARY_FAILURE)
-	sprintf(SECUErrorBuf, "Library failure");
-    else if (err == SEC_ERROR_NO_MEMORY)
-	sprintf(SECUErrorBuf, "Out of memory");
-    else if (err == SEC_ERROR_OLD_CRL)
-	sprintf(SECUErrorBuf, "CRL is older than the current one");
-    else if (err == SEC_ERROR_OUTPUT_LEN)
-	sprintf(SECUErrorBuf, "Problem with output length");
-    else if (err == SEC_ERROR_UNKNOWN_ISSUER)
-	sprintf(SECUErrorBuf, "Unknown issuer");
-    else if (err == SEC_ERROR_UNTRUSTED_CERT)
-	sprintf(SECUErrorBuf, "Untrusted certificate");
-    else if (err == SEC_ERROR_UNTRUSTED_ISSUER)
-	sprintf(SECUErrorBuf, "Untrusted issuer");
-    else if (err == SSL_ERROR_BAD_CERTIFICATE)
-	sprintf(SECUErrorBuf, "Bad certificate");
-    else if (err == SSL_ERROR_BAD_CLIENT)
-	sprintf(SECUErrorBuf, "Bad client");
-    else if (err == SSL_ERROR_BAD_SERVER)
-	sprintf(SECUErrorBuf, "Bad server");
-    else if (err == SSL_ERROR_EXPORT_ONLY_SERVER)
-	sprintf(SECUErrorBuf, "Export only server");
-    else if (err == SSL_ERROR_NO_CERTIFICATE)
-	sprintf(SECUErrorBuf, "No certificate");
-    else if (err == SSL_ERROR_NO_CYPHER_OVERLAP)
-	sprintf(SECUErrorBuf, "No cypher overlap");
-    else if (err == SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE)
-	sprintf(SECUErrorBuf, "Unsupported certificate type");
-    else if (err == SSL_ERROR_UNSUPPORTED_VERSION)
-	sprintf(SECUErrorBuf, "Unsupported version");
-    else if (err == SSL_ERROR_US_ONLY_SERVER)
-	sprintf(SECUErrorBuf, "U.S. only server");
-    else if (err == PR_IO_ERROR)
-	sprintf(SECUErrorBuf, "I/O error");
-
-    else if (err == SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE)
-        sprintf (SECUErrorBuf, "Expired Issuer Certificate");
-    else if (err == SEC_ERROR_REVOKED_CERTIFICATE)
-        sprintf (SECUErrorBuf, "Revoked certificate");
-    else if (err == SEC_ERROR_NO_KEY)
-        sprintf (SECUErrorBuf, "No private key in database for this cert");
-    else if (err == SEC_ERROR_CERT_NOT_VALID)
-        sprintf (SECUErrorBuf, "Certificate is not valid");
-    else if (err == SEC_ERROR_EXTENSION_NOT_FOUND)
-        sprintf (SECUErrorBuf, "Certificate extension was not found");
-    else if (err == SEC_ERROR_EXTENSION_VALUE_INVALID)
-        sprintf (SECUErrorBuf, "Certificate extension value invalid");
-    else if (err == SEC_ERROR_CA_CERT_INVALID)
-        sprintf (SECUErrorBuf, "Issuer certificate is invalid");
-    else if (err == SEC_ERROR_CERT_USAGES_INVALID)
-        sprintf (SECUErrorBuf, "Certificate usages is invalid");
-    else if (err == SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION)
-        sprintf (SECUErrorBuf, "Certificate has unknown critical extension");
-    else if (err == SEC_ERROR_PKCS7_BAD_SIGNATURE)
-        sprintf (SECUErrorBuf, "Bad PKCS7 signature");
-    else if (err == SEC_ERROR_INADEQUATE_KEY_USAGE)
-        sprintf (SECUErrorBuf, "Certificate not approved for this operation");
-    else if (err == SEC_ERROR_INADEQUATE_CERT_TYPE)
-        sprintf (SECUErrorBuf, "Certificate not approved for this operation");
-
-    return SECUErrorBuf;
-}
-
-char *
-SECU_ErrorString(int16 err)
-{
-    char *error_string;
-
-    *SECUErrorBuf = 0;
-    SECU_ErrorStringRaw (err);
-
-    if (*SECUErrorBuf == 0) { 
-	error_string = SECU_GetString(err);
-	if (error_string == NULL || *error_string == '\0') 
-	    sprintf(SECUErrorBuf, "No error string found for %d.",  err);
-	else
-	    return error_string;
-    }
-
-    return SECUErrorBuf;
-}
-
 
 void 
 SECU_PrintPRandOSError(char *progName) 
 {
     char buffer[513];
     PRInt32     errLen = PR_GetErrorTextLength();
     if (errLen > 0 && errLen < sizeof buffer) {
         PR_GetErrorText(buffer);
--- a/security/nss/cmd/lib/secutil.h
+++ b/security/nss/cmd/lib/secutil.h
@@ -47,16 +47,17 @@
 #include <stdio.h>
 
 #define SEC_CT_PRIVATE_KEY		"private-key"
 #define SEC_CT_PUBLIC_KEY		"public-key"
 #define SEC_CT_CERTIFICATE		"certificate"
 #define SEC_CT_CERTIFICATE_REQUEST	"certificate-request"
 #define SEC_CT_PKCS7			"pkcs7"
 #define SEC_CT_CRL			"crl"
+#define SEC_CT_NAME			"name"
 
 #define NS_CERTREQ_HEADER "-----BEGIN NEW CERTIFICATE REQUEST-----"
 #define NS_CERTREQ_TRAILER "-----END NEW CERTIFICATE REQUEST-----"
 
 #define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----"
 #define NS_CERT_TRAILER "-----END CERTIFICATE-----"
 
 #define NS_CRL_HEADER  "-----BEGIN CRL-----"
@@ -254,16 +255,19 @@ int SECU_CheckCertNameExists(CERTCertDBH
 
 /* Dump contents of cert req */
 extern int SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m,
 	int level);
 
 /* Dump contents of certificate */
 extern int SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level);
 
+/* Dump contents of a DER certificate name (issuer or subject) */
+extern int SECU_PrintDERName(FILE *out, SECItem *der, const char *m, int level);
+
 /* print trust flags on a cert */
 extern void SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m, 
                                  int level);
 
 /* Dump contents of an RSA public key */
 extern int SECU_PrintRSAPublicKey(FILE *out, SECItem *der, char *m, int level);
 
 extern int SECU_PrintSubjectPublicKeyInfo(FILE *out, SECItem *der, char *m, 
@@ -437,22 +441,16 @@ char *
 SECU_GetOptionArg(const secuCommand *cmd, int optionNum);
 
 /*
  *
  *  Error messaging
  *
  */
 
-/* Return informative error string */
-char *SECU_ErrorString(int16 err);
-
-/* Return informative error string. Does not call XP_GetString */
-char *SECU_ErrorStringRaw(int16 err);
-
 void printflags(char *trusts, unsigned int flags);
 
 #if !defined(XP_UNIX) && !defined(XP_OS2)
 extern int ffs(unsigned int i);
 #endif
 
 /* Finds certificate by searching it in the DB or by examinig file
  * in the local directory. */
--- a/security/nss/cmd/manifest.mn
+++ b/security/nss/cmd/manifest.mn
@@ -43,16 +43,17 @@ REQUIRES = nss nspr libdbm
 DIRS = lib  \
  addbuiltin \
  atob  \
  bltest \
  btoa  \
  certcgi \
  certutil  \
  checkcert  \
+ chktest  \
  crlutil  \
  crmftest \
  dbtest \
  derdump  \
  digest  \
  fipstest  \
  makepqg  \
  multinit \
--- a/security/nss/cmd/modutil/install.c
+++ b/security/nss/cmd/modutil/install.c
@@ -31,16 +31,17 @@
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #include "install.h"
 #include "install-ds.h"
+#include <prerror.h>
 #include <prlock.h>
 #include <prio.h>
 #include <prmem.h>
 #include <prprf.h>
 #include <prsystem.h>
 #include <prproces.h>
 
 #ifdef XP_UNIX
@@ -56,17 +57,17 @@
 extern /*"C"*/
 int Pk11Install_AddNewModule(char* moduleName, char* dllPath,
                               unsigned long defaultMechanismFlags,
                               unsigned long cipherEnableFlags);
 extern /*"C"*/
 short Pk11Install_UserVerifyJar(JAR *jar, PRFileDesc *out,
 	PRBool query);
 extern /*"C"*/
-const char* mySECU_ErrorString(int16);
+const char* mySECU_ErrorString(PRErrorCode errnum);
 extern 
 int Pk11Install_yyparse();
 
 #define INSTALL_METAINFO_TAG "Pkcs11_install_script"
 #define SCRIPT_TEMP_FILE "pkcs11inst.tmp"
 #define ROOT_MARKER "%root%"
 #define TEMP_MARKER "%temp%"
 #define PRINTF_ROOT_MARKER "%%root%%"
@@ -413,17 +414,17 @@ Pk11Install_DoInstall(char *jarFile, con
 	} else {
 		status = JAR_pass_archive(jar, jarArchGuess, jarFile, "url");
 	}
 	if( (status < 0) || (jar->valid < 0) ) {
 		if (status >= JAR_BASE && status <= JAR_BASE_END) {
 			error(PK11_INSTALL_JAR_ERROR, jarFile, JAR_get_error(status));
 		} else {
 			error(PK11_INSTALL_JAR_ERROR, jarFile,
-			  mySECU_ErrorString((int16) PORT_GetError()) );
+			  mySECU_ErrorString(PORT_GetError()));
 		}
 		ret=PK11_INSTALL_JAR_ERROR;
 		goto loser;
 	}
 	/*printf("passed the archive\n");*/
 
 	/*
 	 * Show the user security information, allow them to abort or continue
@@ -465,17 +466,17 @@ Pk11Install_DoInstall(char *jarFile, con
 	} else {
 		status = JAR_verified_extract(jar, installer, SCRIPT_TEMP_FILE);
 	}
 	if(status) {
 		if (status >= JAR_BASE && status <= JAR_BASE_END) {
 			error(PK11_INSTALL_JAR_EXTRACT, installer, JAR_get_error(status));
 		} else {
 			error(PK11_INSTALL_JAR_EXTRACT, installer,
-			  mySECU_ErrorString((int16) PORT_GetError()) );
+			  mySECU_ErrorString(PORT_GetError()));
 		}
 		ret = PK11_INSTALL_JAR_EXTRACT;
 		goto loser;
 	} else {
 		made_temp_file = PR_TRUE;
 	}
 
 	/*
@@ -687,17 +688,17 @@ DoInstall(JAR *jar, const char *installD
 			status = JAR_verified_extract(jar, (char*)file->jarPath, dest);
 		}
 		if(status) {
 			if (status >= JAR_BASE && status <= JAR_BASE_END) {
 				error(PK11_INSTALL_JAR_EXTRACT, file->jarPath,
                   JAR_get_error(status));
 			} else {
 				error(PK11_INSTALL_JAR_EXTRACT, file->jarPath,
-				  mySECU_ErrorString((int16) PORT_GetError()) );
+				  mySECU_ErrorString(PORT_GetError()));
 			}
 			ret=PK11_INSTALL_JAR_EXTRACT;
 			goto loser;
 		}
 		if(feedback) {
 			PR_fprintf(feedback, msgStrings[INSTALLED_FILE_MSG],
 				file->jarPath, dest);
 		}
--- a/security/nss/cmd/modutil/instsec.c
+++ b/security/nss/cmd/modutil/instsec.c
@@ -30,16 +30,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #include <plarena.h>
+#include <prerror.h>
 #include <prio.h>
 #include <prprf.h>
 #include <seccomon.h>
 #include <secmod.h>
 #include <jar.h>
 #include <secutil.h>
 
 /* These are installation functions that make calls to the security library.
@@ -170,12 +171,12 @@ PR_fgets(char *buf, int size, PRFileDesc
     return buf;
 }
 
 /**************************************************************************
  *
  * m y S E C U _ E r r o r S t r i n g
  *
  */
-const char* mySECU_ErrorString(int16 errnum)
+const char* mySECU_ErrorString(PRErrorCode errnum)
 {
 	return SECU_Strerror(errnum);
 }
--- a/security/nss/cmd/pk11mode/pk11mode.c
+++ b/security/nss/cmd/pk11mode/pk11mode.c
@@ -878,28 +878,31 @@ CK_RV PKM_KeyTests(CK_FUNCTION_LIST_PTR 
         CK_ULONG    mechanism;
         const char *mechanismStr;
     };
 
     typedef struct mech_str mech_str;
 
     mech_str digestMechs[] = {
         {CKM_SHA_1, "CKM_SHA_1 "},
+        {CKM_SHA224, "CKM_SHA224"},
         {CKM_SHA256, "CKM_SHA256"},
         {CKM_SHA384, "CKM_SHA384"},
         {CKM_SHA512, "CKM_SHA512"}
     };
     mech_str hmacMechs[] = {
         {CKM_SHA_1_HMAC, "CKM_SHA_1_HMAC"}, 
+        {CKM_SHA224_HMAC, "CKM_SHA224_HMAC"},
         {CKM_SHA256_HMAC, "CKM_SHA256_HMAC"},
         {CKM_SHA384_HMAC, "CKM_SHA384_HMAC"},
         {CKM_SHA512_HMAC, "CKM_SHA512_HMAC"}
     };
     mech_str sigRSAMechs[] = {
         {CKM_SHA1_RSA_PKCS, "CKM_SHA1_RSA_PKCS"}, 
+        {CKM_SHA224_RSA_PKCS, "CKM_SHA224_RSA_PKCS"},
         {CKM_SHA256_RSA_PKCS, "CKM_SHA256_RSA_PKCS"},
         {CKM_SHA384_RSA_PKCS, "CKM_SHA384_RSA_PKCS"},
         {CKM_SHA512_RSA_PKCS, "CKM_SHA512_RSA_PKCS"}
     };
 
     CK_ULONG digestMechsSZ = NUM_ELEM(digestMechs);
     CK_ULONG sigRSAMechsSZ = NUM_ELEM(sigRSAMechs);
     CK_ULONG hmacMechsSZ = NUM_ELEM(hmacMechs);
@@ -5118,17 +5121,17 @@ CK_RV PKM_Digest(CK_FUNCTION_LIST_PTR pF
                  CK_MECHANISM *digestMech, CK_OBJECT_HANDLE hSecretKey,
                  const CK_BYTE *  pData, CK_ULONG pDataLen) {
     CK_RV crv = CKR_OK;
     CK_BYTE digest1[MAX_DIGEST_SZ];
     CK_ULONG digest1Len = 0 ;
     CK_BYTE digest2[MAX_DIGEST_SZ];
     CK_ULONG digest2Len = 0;
 
-    /* Tested with CKM_SHA_1, CKM_SHA256, CKM_SHA384, CKM_SHA512 */
+    /* Tested with CKM_SHA_1, CKM_SHA224, CKM_SHA256, CKM_SHA384, CKM_SHA512 */
 
     memset(digest1, 0, sizeof(digest1));
     memset(digest2, 0, sizeof(digest2));
     
     NUMTESTS++; /* increment NUMTESTS */
 
     crv = pFunctionList->C_DigestInit(hSession, digestMech);
     if (crv != CKR_OK) {
--- a/security/nss/cmd/pk12util/pk12util.c
+++ b/security/nss/cmd/pk12util/pk12util.c
@@ -555,27 +555,27 @@ loser:
     }
     
     return rv;
 }
 
 static void
 p12u_DoPKCS12ExportErrors()
 {
-    int error_value;
+    PRErrorCode error_value;
 
     error_value = PORT_GetError();
     if ((error_value == SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY) ||
 	(error_value == SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME) ||
 	(error_value == SEC_ERROR_PKCS12_UNABLE_TO_WRITE)) {
-	fputs(SECU_ErrorStringRaw((int16)error_value), stderr);
+	fputs(SECU_Strerror(error_value), stderr);
     } else if(error_value == SEC_ERROR_USER_CANCELLED) {
 	;
     } else {
-	fputs(SECU_ErrorStringRaw(SEC_ERROR_EXPORTING_CERTIFICATES), stderr);
+	fputs(SECU_Strerror(SEC_ERROR_EXPORTING_CERTIFICATES), stderr);
     }
 }
 
 static void
 p12u_WriteToExportFile(void *arg, const char *buf, unsigned long len)
 {
     p12uContext *p12cxt = arg;
     int writeLen;
--- a/security/nss/cmd/pp/pp.c
+++ b/security/nss/cmd/pp/pp.c
@@ -33,17 +33,17 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * Pretty-print some well-known BER or DER encoded data (e.g. certificates,
  * keys, pkcs7)
  *
- * $Id: pp.c,v 1.9 2007/09/25 03:46:23 nelson%bolyard.com Exp $
+ * $Id: pp.c,v 1.10 2010/09/03 19:25:02 nelson%bolyard.com Exp $
  */
 
 #include "secutil.h"
 
 #if defined(__sun) && !defined(SVR4)
 extern int fprintf(FILE *, char *, ...);
 #endif
 
@@ -57,17 +57,18 @@ static void Usage(char *progName)
 {
     fprintf(stderr,
 	    "Usage:  %s -t type [-a] [-i input] [-o output]\n",
 	    progName);
     fprintf(stderr, "%-20s Specify the input type (must be one of %s,\n",
 	    "-t type", SEC_CT_PRIVATE_KEY);
     fprintf(stderr, "%-20s %s, %s, %s,\n", "", SEC_CT_PUBLIC_KEY,
 	    SEC_CT_CERTIFICATE, SEC_CT_CERTIFICATE_REQUEST);
-    fprintf(stderr, "%-20s %s or %s)\n", "", SEC_CT_PKCS7, SEC_CT_CRL);    
+    fprintf(stderr, "%-20s %s, %s or %s)\n", "", SEC_CT_PKCS7, SEC_CT_CRL,
+            SEC_CT_NAME);    
     fprintf(stderr, "%-20s Input is in ascii encoded form (RFC1113)\n",
 	    "-a");
     fprintf(stderr, "%-20s Define an input file to use (default is stdin)\n",
 	    "-i input");
     fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
 	    "-o output");
     exit(-1);
 }
@@ -161,16 +162,18 @@ int main(int argc, char **argv)
     } else if (PORT_Strcmp(typeTag, SEC_CT_PRIVATE_KEY) == 0) {
 	rv = SECU_PrintPrivateKey(outFile, &data, "Private Key", 0);
 #endif
     } else if (PORT_Strcmp(typeTag, SEC_CT_PUBLIC_KEY) == 0) {
 	rv = SECU_PrintSubjectPublicKeyInfo(outFile, &data, "Public Key", 0);
     } else if (PORT_Strcmp(typeTag, SEC_CT_PKCS7) == 0) {
 	rv = SECU_PrintPKCS7ContentInfo(outFile, &data,
 					"PKCS #7 Content Info", 0);
+    } else if (PORT_Strcmp(typeTag, SEC_CT_NAME) == 0) {
+	rv = SECU_PrintDERName(outFile, &data, "Name", 0);
     } else {
 	fprintf(stderr, "%s: don't know how to print out '%s' files\n",
 		progName, typeTag);
 	SECU_PrintAny(outFile, &data, "File contains", 0);
 	return -1;
     }
 
     if (inFile != PR_STDIN)
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/ppcertdata/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2010
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/ppcertdata/manifest.mn
@@ -0,0 +1,55 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2010
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#	Nelson Bolyard <nelson@bolyard.me>
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH	= ../../..
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss 
+
+# This next line is used by .mk files
+# and gets translated into $LINCS in manifest.mnw
+# The MODULE is always implicitly required.
+# Listing it here in REQUIRES makes it appear twice in the cc command line.
+REQUIRES = seccmd 
+
+#DEFINES = -DNSPR20
+
+CSRCS = ppcertdata.c
+
+PROGRAM	= ppcertdata
+
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/ppcertdata/ppcertdata.c
@@ -0,0 +1,132 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the CertData.txt review helper program.
+ *
+ * The Initial Developer of the Original Code is
+ * Nelson Bolyard
+ * Portions created by the Initial Developer are Copyright (C) 2009-2010
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include <stdio.h>
+#include <string.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include "secutil.h"
+#include "nss.h"
+
+unsigned char  binary_line[64 * 1024];
+
+int
+main(int argc, const char ** argv)
+{
+    int            skip_count = 0;
+    int            bytes_read;
+    char           line[133];
+
+    if (argc > 1) {
+    	skip_count = atoi(argv[1]);
+    }
+    if (argc > 2 || skip_count < 0) {
+        printf("Usage: %s [ skip_columns ] \n", argv[0]);
+	return 1;
+    }
+
+    NSS_NoDB_Init(NULL);
+
+    while (fgets(line, 132, stdin) && (bytes_read = strlen(line)) > 0 ) {
+	int    bytes_written;
+	char * found;
+	char * in          = line       + skip_count; 
+	int    left        = bytes_read - skip_count;
+	int    is_cert;
+	int    is_serial;
+	int    is_name;
+	int    is_hash;
+	int    use_pp      = 0;
+	int    out = 0;
+	SECItem der = {siBuffer, NULL, 0 };
+
+	line[bytes_read] = 0;
+	if (bytes_read <= skip_count) 
+	    continue;
+	fwrite(in, 1, left, stdout);
+	found = strstr(in, "MULTILINE_OCTAL");
+	if (!found) 
+	    continue;
+	fflush(stdout);
+
+	is_cert   = (NULL != strstr(in, "CKA_VALUE"));
+	is_serial = (NULL != strstr(in, "CKA_SERIAL_NUMBER"));
+	is_name   = (NULL != strstr(in, "CKA_ISSUER")) ||
+		    (NULL != strstr(in, "CKA_SUBJECT"));
+	is_hash   = (NULL != strstr(in, "_HASH"));
+	while (fgets(line, 132, stdin) && 
+	       (bytes_read = strlen(line)) > 0 ) {
+	    in   = line       + skip_count; 
+	    left = bytes_read - skip_count;
+
+	    if ((left >= 3) && !strncmp(in, "END", 3))
+		break;
+	    while (left >= 4) {
+		if (in[0] == '\\'  && isdigit(in[1]) && 
+		    isdigit(in[2]) && isdigit(in[3])) {
+		    left -= 4;
+		    binary_line[out++] = ((in[1] - '0') << 6) |
+					 ((in[2] - '0') << 3) | 
+					  (in[3] - '0');
+		    in += 4;
+		} else 
+		    break;
+	    }
+	}
+	der.data = binary_line;
+	der.len  = out;
+	if (is_cert)
+	    SECU_PrintSignedData(stdout, &der, "Certificate", 0,
+				 SECU_PrintCertificate);
+	else if (is_name)
+	    SECU_PrintDERName(stdout, &der, "Name", 0);
+	else if (is_serial) {
+	    if (out > 2 && binary_line[0] == 2 &&
+	        out == 2 + binary_line[1]) {
+		der.data += 2;
+		der.len  -= 2;
+		SECU_PrintInteger(stdout, &der, "DER Serial Number", 0);
+	    } else
+		SECU_PrintInteger(stdout, &der, "Raw Serial Number", 0);
+	} else if (is_hash) 
+	    SECU_PrintAsHex(stdout, &der, "Hash", 0);
+	else 
+	    SECU_PrintBuf(stdout, "Other", binary_line, out);
+    }
+    NSS_Shutdown();
+    return 0;
+}
+
--- a/security/nss/cmd/selfserv/selfserv.c
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -1486,28 +1486,24 @@ do_accepts(
 PRFileDesc *
 getBoundListenSocket(unsigned short port)
 {
     PRFileDesc *       listen_sock;
     int                listenQueueDepth = 5 + (2 * maxThreads);
     PRStatus	       prStatus;
     PRNetAddr          addr;
     PRSocketOptionData opt;
-    PRUint16           socketDomain = PR_AF_INET;
 
     addr.inet.family = PR_AF_INET;
     addr.inet.ip     = PR_INADDR_ANY;
     addr.inet.port   = PR_htons(port);
 
-    if (PR_GetEnv("NSS_USE_SDP")) {
-        socketDomain = PR_AF_INET_SDP;
-    }
-    listen_sock = PR_OpenTCPSocket(socketDomain);
+    listen_sock = PR_NewTCPSocket();
     if (listen_sock == NULL) {
-        errExit("PR_OpenTCPSocket error");
+	errExit("PR_NewTCPSocket");
     }
 
     opt.option = PR_SockOpt_Nonblocking;
     opt.value.non_blocking = PR_FALSE;
     prStatus = PR_SetSocketOption(listen_sock, &opt);
     if (prStatus < 0) {
         PR_Close(listen_sock);
 	errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
--- a/security/nss/cmd/shlibsign/manifest.mn
+++ b/security/nss/cmd/shlibsign/manifest.mn
@@ -41,19 +41,16 @@ CORE_DEPTH = ../../..
 MODULE = nss
 
 DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\"
 
 CSRCS = \
 	shlibsign.c \
 	$(NULL)
 
-# headers for the MODULE (defined above) are implicitly required.
-REQUIRES = dbm seccmd
-
 # WINNT uses EXTRA_LIBS as the list of libs to link in.
 # Unix uses     OS_LIBS for that purpose.
 # We can solve this via conditional makefile code, but 
 # can't do this in manifest.mn because OS_ARCH isn't defined there.
 # So, look in the local Makefile for the defines for the list of libs.
 
 PROGRAM = shlibsign
 
--- a/security/nss/cmd/shlibsign/shlibsign.c
+++ b/security/nss/cmd/shlibsign/shlibsign.c
@@ -41,17 +41,17 @@
  *
  * The generated .chk files must be put in the same directory as
  * the NSS libraries they were generated for.
  *
  * When in FIPS 140 mode, the NSS Internal FIPS PKCS #11 Module will
  * compute the checksum for the NSS cryptographic boundary libraries
  * and compare the checksum with the value in .chk file.
  *
- * $Id: shlibsign.c,v 1.18.20.1 2011/04/08 04:04:27 wtc%google.com Exp $
+ * $Id: shlibsign.c,v 1.19 2011/04/08 04:02:53 wtc%google.com Exp $
  */
 
 #ifdef XP_UNIX
 #define USES_LINKS 1
 #endif
 
 #include <assert.h>
 #include <stdio.h>
--- a/security/nss/cmd/signtool/sign.c
+++ b/security/nss/cmd/signtool/sign.c
@@ -301,17 +301,17 @@ create_pk7 (char *dir, char *keyName, in
     status = SignFile (out, in, cert);
 
     CERT_DestroyCertificate (cert);
     fclose (in);
     fclose (out);
 
     if (status) {
 	PR_fprintf(errorFD, "%s: PROBLEM signing data (%s)\n",
-	    PROGRAM_NAME, SECU_ErrorString ((int16) PORT_GetError()));
+	    PROGRAM_NAME, SECU_Strerror(PORT_GetError()));
 	errorCount++;
 	return - 1;
     }
 
     return 0;
 }
 
 
--- a/security/nss/cmd/signtool/util.c
+++ b/security/nss/cmd/signtool/util.c
@@ -45,17 +45,17 @@ static int	is_dir (char *filename);
  * Nasty hackish function definitions
  */
 
 long	*mozilla_event_queue = 0;
 
 #ifndef XP_WIN
 char	*XP_GetString (int i)
 {
-    return SECU_ErrorStringRaw ((int16) i);
+    return SECU_Strerror (i);
 }
 #endif
 
 void	FE_SetPasswordEnabled()
 {
 }
 
 
--- a/security/nss/cmd/signtool/verify.c
+++ b/security/nss/cmd/signtool/verify.c
@@ -79,17 +79,17 @@ VerifyJar(char *filename)
 	    "\nNOTE -- \"%s\" archive DID NOT PASS crypto verification.\n",
 	     filename);
 	if (status < 0) {
 	    char	*errtext;
 
 	    if (status >= JAR_BASE && status <= JAR_BASE_END) {
 		errtext = JAR_get_error (status);
 	    } else {
-		errtext = SECU_ErrorString ((int16) PORT_GetError());
+		errtext = SECU_Strerror(PORT_GetError());
 	    }
 
 	    PR_fprintf(outputFD, "  (reported reason: %s)\n\n",
 	         errtext);
 
 	    /* corrupt files should not have their contents listed */
 
 	    if (status == JAR_ERR_CORRUPT)
@@ -310,17 +310,17 @@ JarWho(char *filename)
 	     filename);
 	retval = -1;
 	if (jar->valid < 0 || status != -1) {
 	    char	*errtext;
 
 	    if (status >= JAR_BASE && status <= JAR_BASE_END) {
 		errtext = JAR_get_error (status);
 	    } else {
-		errtext = SECU_ErrorString ((int16) PORT_GetError());
+		errtext = SECU_Strerror(PORT_GetError());
 	    }
 
 	    PR_fprintf(outputFD, "  (reported reason: %s)\n\n", errtext);
 	}
     }
 
     PR_fprintf(outputFD, "\nSigner information:\n\n");
 
--- a/security/nss/cmd/signver/signver.c
+++ b/security/nss/cmd/signver/signver.c
@@ -315,17 +315,17 @@ int main(int argc, char **argv)
 	    PORT_SetError(0);
 	    if (SEC_PKCS7VerifyDetachedSignature (cinfo, usage,
 				   &digest, digestType, PR_FALSE)) {
 		fprintf(outFile, "yes");
 	    } else {
 		fprintf(outFile, "no");
 		if (verbose) {
 		    fprintf(outFile, ":%s",
-			    SECU_ErrorString((int16)PORT_GetError()));
+			    SECU_Strerror(PORT_GetError()));
 		}
 	    }
 	    fprintf(outFile, "\n");
 	    result = 0;
 	}
 done:
 	SEC_PKCS7DestroyContentInfo(cinfo);
     }
--- a/security/nss/cmd/strsclnt/strsclnt.c
+++ b/security/nss/cmd/strsclnt/strsclnt.c
@@ -275,17 +275,17 @@ mySSLAuthCertificate(void *arg, PRFileDe
     CERT_DestroyCertificate(peerCert);
     /* error, if any, will be displayed by the Bad Cert Handler. */
     return rv;  
 }
 
 static SECStatus
 myBadCertHandler( void *arg, PRFileDesc *fd)
 {
-    int err = PR_GetError();
+    PRErrorCode err = PR_GetError();
     if (!MakeCertOK)
 	fprintf(stderr, 
 	    "strsclnt: -- SSL: Server Certificate Invalid, err %d.\n%s\n", 
             err, SECU_Strerror(err));
     return (MakeCertOK ? SECSuccess : SECFailure);
 }
 
 void 
@@ -355,31 +355,30 @@ printSecurityInfo(PRFileDesc *fd)
 }
 
 /**************************************************************************
 ** Begin thread management routines and data.
 **************************************************************************/
 
 #define MAX_THREADS 128
 
-typedef int startFn(void *a, void *b, int c, int d);
+typedef int startFn(void *a, void *b, int c);
 
 
 static PRInt32     numConnected;
 static int         max_threads;    /* peak threads allowed */
 
 typedef struct perThreadStr {
     void *	a;
     void *	b;
     int         tid;
     int         rv;
     startFn  *  startFunc;
     PRThread *  prThread;
     PRBool	inUse;
-    PRInt32     socketDomain;
 } perThread;
 
 perThread threads[MAX_THREADS];
 
 void
 thread_wrapper(void * arg)
 {
     perThread * slot = (perThread *)arg;
@@ -425,34 +424,32 @@ thread_wrapper(void * arg)
             if (--remaining_connections >= 0) { /* protected by threadLock */
                 doop = PR_TRUE;
             } else {
                 done = PR_TRUE;
             }
         }
         PR_Unlock(threadLock);
         if (doop) {
-            slot->rv = (* slot->startFunc)(slot->a, slot->b, slot->tid,
-                                           slot->socketDomain);
+            slot->rv = (* slot->startFunc)(slot->a, slot->b, slot->tid);
             PRINTF("strsclnt: Thread in slot %d returned %d\n", 
                    slot->tid, slot->rv);
         }
         if (dosleep) {
             PR_Sleep(PR_SecondsToInterval(1));
         }
     } while (!done && (!failed_already || ignoreErrors));
 }
 
 SECStatus
 launch_thread(
     startFn *	startFunc,
     void *	a,
     void *	b,
-    int         tid,
-    int         sockDom)
+    int         tid)
 {
     PRUint32 i;
     perThread * slot;
 
     PR_Lock(threadLock);
 
     PORT_Assert(numUsed < MAX_THREADS);
     if (! (numUsed < MAX_THREADS)) {
@@ -460,18 +457,17 @@ launch_thread(
         return SECFailure;
     }
 
     i = numUsed++;
     slot = &threads[i];
     slot->a = a;
     slot->b = b;
     slot->tid = tid;
-    slot->socketDomain = sockDom;
-    
+
     slot->startFunc = startFunc;
 
     slot->prThread      = PR_CreateThread(PR_USER_THREAD,
                                       thread_wrapper, slot,
 				      PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD,
 				      PR_JOINABLE_THREAD, 0);
     if (slot->prThread == NULL) {
 	PR_Unlock(threadLock);
@@ -584,18 +580,17 @@ lockedVars_AddToCount(lockedVars * lv, i
     PR_Unlock(lv->lock);
     return rv;
 }
 
 int
 do_writes(
     void *       a,
     void *       b,
-    int          c,
-    int          d)
+    int          c)
 {
     PRFileDesc *	ssl_sock	= (PRFileDesc *)a;
     lockedVars *	lv 		= (lockedVars *)b;
     int			sent  		= 0;
     int 		count		= 0;
 
     while (sent < bigBuf.len) {
 
@@ -627,17 +622,17 @@ handle_fdx_connection( PRFileDesc * ssl_
     lockedVars         lv;
     char               *buf;
 
 
     lockedVars_Init(&lv);
     lockedVars_AddToCount(&lv, 1);
 
     /* Attempt to launch the writer thread. */
-    result = launch_thread(do_writes, ssl_sock, &lv, connection, -1 /*not used*/);
+    result = launch_thread(do_writes, ssl_sock, &lv, connection);
 
     if (result != SECSuccess) 
     	goto cleanup;
 
     buf = PR_Malloc(RD_BUF_SIZE);
 
     if (buf) {
 	do {
@@ -746,32 +741,31 @@ myHandshakeCallback(PRFileDesc *socket, 
 
 /* one copy of this function is launched in a separate thread for each
 ** connection to be made.
 */
 int
 do_connects(
     void *	a,
     void *	b,
-    int         tid,
-    PRInt32     socketDomain)
+    int         tid)
 {
     PRNetAddr  *        addr		= (PRNetAddr *)  a;
     PRFileDesc *        model_sock	= (PRFileDesc *) b;
     PRFileDesc *        ssl_sock	= 0;
     PRFileDesc *        tcp_sock	= 0;
     PRStatus	        prStatus;
     PRUint32            sleepInterval	= 50; /* milliseconds */
     SECStatus   	result;
     int                 rv 		= SECSuccess;
     PRSocketOptionData  opt;
 
 retry:
 
-    tcp_sock = PR_OpenTCPSocket(socketDomain);
+    tcp_sock = PR_OpenTCPSocket(addr->raw.family);
     if (tcp_sock == NULL) {
 	errExit("PR_OpenTCPSocket");
     }
 
     opt.option             = PR_SockOpt_Nonblocking;
     opt.value.non_blocking = PR_FALSE;
     prStatus = PR_SetSocketOption(tcp_sock, &opt);
     if (prStatus != PR_SUCCESS) {
@@ -1089,17 +1083,16 @@ client_main(
     const char *	hostName,
     const char *	sniHostName)
 {
     PRFileDesc *model_sock	= NULL;
     int         i;
     int         rv;
     PRStatus    status;
     PRNetAddr   addr;
-    PRInt32    socketDomain;
 
     status = PR_StringToNetAddr(hostName, &addr);
     if (status == PR_SUCCESS) {
     	addr.inet.port = PR_htons(port);
     } else {
 	/* Lookup host */
 	PRAddrInfo *addrInfo;
 	void       *enumPtr   = NULL;
@@ -1117,23 +1110,16 @@ client_main(
 		 addr.raw.family != PR_AF_INET6);
 	PR_FreeAddrInfo(addrInfo);
 	if (enumPtr == NULL) {
 	    SECU_PrintError(progName, "error looking up host address");
 	    return;
 	}
     }
 
-    /* check if SDP is going to be used */
-    if (!PR_GetEnv("NSS_USE_SDP")) {
-        socketDomain = addr.raw.family;
-    } else {
-        socketDomain = PR_AF_INET_SDP;
-    }
-
     /* all suites except RSA_NULL_MD5 are enabled by Domestic Policy */
     NSS_SetDomesticPolicy();
 
     /* all the SSL2 and SSL3 cipher suites are enabled by default. */
     if (cipherString) {
         int ndx;
 
         /* disable all the ciphers, then enable the ones we want. */
@@ -1180,18 +1166,18 @@ client_main(
 			cipher);
 		failed_already = 1;
 		return;
 	    }
         }
     }
 
     /* configure model SSL socket. */
-    
-    model_sock = PR_OpenTCPSocket(socketDomain);
+
+    model_sock = PR_OpenTCPSocket(addr.raw.family);
     if (model_sock == NULL) {
 	errExit("PR_OpenTCPSocket for model socket");
     }
 
     model_sock = SSL_ImportFD(NULL, model_sock);
     if (model_sock == NULL) {
 	errExit("SSL_ImportFD");
     }
@@ -1285,26 +1271,26 @@ client_main(
 
     remaining_connections = total_connections = connections;
     total_connections_modulo_100 = total_connections % 100;
     total_connections_rounded_down_to_hundreds =
         total_connections - total_connections_modulo_100;
 
     if (!NoReuse) {
         remaining_connections = 1;
-	rv = launch_thread(do_connects, &addr, model_sock, 0, socketDomain);
+	rv = launch_thread(do_connects, &addr, model_sock, 0);
 	/* wait for the first connection to terminate, then launch the rest. */
 	reap_threads();
         remaining_connections = total_connections - 1 ;
     }
     if (remaining_connections > 0) {
         active_threads  = PR_MIN(active_threads, remaining_connections);
 	/* Start up the threads */
 	for (i=0;i<active_threads;i++) {
-	    rv = launch_thread(do_connects, &addr, model_sock, i, socketDomain);
+	    rv = launch_thread(do_connects, &addr, model_sock, i);
 	}
 	reap_threads();
     }
     destroy_thread_data();
 
     PR_Close(model_sock);
 }
 
--- a/security/nss/cmd/symkeyutil/symkey.man
+++ b/security/nss/cmd/symkeyutil/symkey.man
@@ -22,17 +22,17 @@ DESCRIPTION
 
     As with certutil, symkeyutil takes two types of arguments, commands and
     options. Most commands fall into one of two catagories: commands which
     create keys and commands which extract or destroy keys. 
 
     Exceptions to these catagories are listed first:
 
     -H    takes no additional options. It lists a more detailed help message.
-    -L    takes the standard set of options. It lists all the keys in a the 
+    -L    takes the standard set of options. It lists all the keys in the 
           specified token (NSS Internal DB Token is the default).  Only the 
           -L option accepts the all option for tokens to list all the fixed 
           keys.
 
     Key Creation commands:
     For these commands, the key type (-t) option is always required. 
     In addition, the -s option may be required for certain key types.
     The standard set of options may be specified.
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/tests/encodeinttest.c
@@ -0,0 +1,93 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2011
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include <stdio.h>
+
+#include "secasn1.h"
+
+struct TestCase {
+    long value;
+    unsigned char data[5];
+    unsigned int len;
+};
+
+static struct TestCase testCase[] = {
+    /* XXX NSS doesn't generate the shortest encoding for negative values. */
+#if 0
+    { -128, { 0x80 }, 1 },
+    { -129, { 0xFF, 0x7F }, 2 },
+#endif
+
+    { 0, { 0x00 }, 1 },
+    { 127, { 0x7F }, 1 },
+    { 128, { 0x00, 0x80 }, 2 },
+    { 256, { 0x01, 0x00 }, 2 },
+    { 32768, { 0x00, 0x80, 0x00 }, 3 }
+};
+
+int main()
+{
+    PRBool failed = PR_FALSE;
+    unsigned int i;
+    unsigned int j;
+
+    for (i = 0; i < sizeof(testCase)/sizeof(testCase[0]); i++) {
+        SECItem encoded;
+        if (SEC_ASN1EncodeInteger(NULL, &encoded, testCase[i].value) == NULL) {
+            fprintf(stderr, "SEC_ASN1EncodeInteger failed\n");
+            failed = PR_TRUE;
+            continue;
+        }
+        if (encoded.len != testCase[i].len ||
+            memcmp(encoded.data, testCase[i].data, encoded.len) != 0) {
+            fprintf(stderr, "Encoding of %ld is incorrect:",
+                    testCase[i].value);
+            for (j = 0; j < encoded.len; j++) {
+                fprintf(stderr, " 0x%02X", (unsigned int)encoded.data[j]);
+            } 
+            fputs("\n", stderr);
+            failed = PR_TRUE;
+        }
+        PORT_Free(encoded.data);
+    }
+
+    if (failed) {
+        fprintf(stderr, "FAIL\n");
+        return 1;
+    }
+    printf("PASS\n");
+    return 0;
+}
--- a/security/nss/cmd/tests/manifest.mn
+++ b/security/nss/cmd/tests/manifest.mn
@@ -39,16 +39,17 @@ CORE_DEPTH = ../../..
 
 # MODULE public and private header  directories are implicitly REQUIRED.
 MODULE = nss
 
 CSRCS = \
 	baddbdir.c \
 	conflict.c \
 	dertimetest.c \
+	encodeinttest.c \
 	nonspr10.c \
 	remtest.c \
 	$(NULL)
 
 # The MODULE is always implicitly required.
 # Listing it here in REQUIRES makes it appear twice in the cc command line.
 REQUIRES = seccmd dbm
 
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -533,17 +533,16 @@ int main(int argc, char **argv)
     int                headerSeparatorPtrnId = 0;
     int                error = 0;
     PRUint16           portno = 443;
     char *             hs1SniHostName = NULL;
     char *             hs2SniHostName = NULL;
     PLOptState *optstate;
     PLOptStatus optstatus;
     PRStatus prStatus;
-    PRUint16           socketDomain;
 
     progName = strrchr(argv[0], '/');
     if (!progName)
 	progName = strrchr(argv[0], '\\');
     progName = progName ? progName+1 : argv[0];
 
     tmp = PR_GetEnv("NSS_DEBUG_TIMEOUT");
     if (tmp && tmp[0]) {
@@ -695,27 +694,21 @@ int main(int argc, char **argv)
 	if (enumPtr == NULL) {
 	    SECU_PrintError(progName, "error looking up host address");
 	    return 1;
 	}
     }
 
     printHostNameAndAddr(host, &addr);
 
-    /* check if SDP is going to be used */
-    if (!PR_GetEnv("NSS_USE_SDP")) {
-        socketDomain = addr.raw.family;
-    } else {
-        socketDomain = PR_AF_INET_SDP;
-    }
     if (pingServerFirst) {
 	int iter = 0;
 	PRErrorCode err;
 	do {
-	    s = PR_OpenTCPSocket(socketDomain);
+	    s = PR_OpenTCPSocket(addr.raw.family);
 	    if (s == NULL) {
 		SECU_PrintError(progName, "Failed to create a TCP socket");
 	    }
 	    opt.option             = PR_SockOpt_Nonblocking;
 	    opt.value.non_blocking = PR_FALSE;
 	    prStatus = PR_SetSocketOption(s, &opt);
 	    if (prStatus != PR_SUCCESS) {
 		PR_Close(s);
@@ -743,17 +736,17 @@ int main(int argc, char **argv)
 	    PR_Sleep(PR_MillisecondsToInterval(WAIT_INTERVAL));
 	} while (++iter < MAX_WAIT_FOR_SERVER);
 	SECU_PrintError(progName, 
                      "Client timed out while waiting for connection to server");
 	return 1;
     }
 
     /* Create socket */
-    s = PR_OpenTCPSocket(socketDomain);
+    s = PR_OpenTCPSocket(addr.raw.family);
     if (s == NULL) {
 	SECU_PrintError(progName, "error creating socket");
 	return 1;
     }
 
     opt.option = PR_SockOpt_Nonblocking;
     opt.value.non_blocking = PR_TRUE;
     PR_SetSocketOption(s, &opt);
--- a/security/nss/cmd/vfychain/vfychain.c
+++ b/security/nss/cmd/vfychain/vfychain.c
@@ -124,21 +124,18 @@ Usage(const char *progName)
 ** 
 ** Error and information routines.
 **
 **************************************************************************/
 
 void
 errWarn(char *function)
 {
-    PRErrorCode  errorNumber = PR_GetError();
-    const char * errorString = SECU_Strerror(errorNumber);
-
-    fprintf(stderr, "Error in function %s: %d\n - %s\n",
-		    function, errorNumber, errorString);
+    fprintf(stderr, "Error in function %s: %s\n",
+		    function, SECU_Strerror(PR_GetError()));
 }
 
 void
 exitErr(char *function)
 {
     errWarn(function);
     /* Exit gracefully. */
     /* ignoring return value of NSS_Shutdown as code exits with 1 anyway*/
@@ -205,17 +202,17 @@ getCert(const char *name, PRBool isAscii
     if (cert) {
         return cert;
     }
 
     /* Don't have a cert with name "name" in the DB. Try to
      * open a file with such name and get the cert from there.*/
     fd = PR_Open(name, PR_RDONLY, 0777); 
     if (!fd) {
-	PRIntn err = PR_GetError();
+	PRErrorCode err = PR_GetError();
     	fprintf(stderr, "open of %s failed, %d = %s\n", 
 	        name, err, SECU_Strerror(err));
 	return cert;
     }
 
     rv = SECU_ReadDERFromFile(&item, fd, isAscii);
     PR_Close(fd);
     if (rv != SECSuccess) {
@@ -228,17 +225,17 @@ getCert(const char *name, PRBool isAscii
 	return cert;
     }
 
     cert = CERT_NewTempCertificate(defaultDB, &item, 
                                    NULL     /* nickname */, 
                                    PR_FALSE /* isPerm */, 
 				   PR_TRUE  /* copyDER */);
     if (!cert) {
-	PRIntn err = PR_GetError();
+	PRErrorCode err = PR_GetError();
 	fprintf(stderr, "couldn't import %s, %d = %s\n",
 	        name, err, SECU_Strerror(err));
     }
     PORT_Free(item.data);
     return cert;
 }
 
 
@@ -533,22 +530,22 @@ main(int argc, char *argv[], char *envp[
     }
 breakout:
     if (status != PL_OPT_OK)
 	Usage(progName);
 
     if (usePkix < 2) {
         if (oidStr) {
             fprintf(stderr, "Policy oid(-o) can be used only with"
-                    " CERT_PKIXVerifyChain(-pp) function.\n");
+                    " CERT_PKIXVerifyCert(-pp) function.\n");
             Usage(progName);
         }
         if (trusted) {
             fprintf(stderr, "Cert trust flag can be used only with"
-                    " CERT_PKIXVerifyChain(-pp) function.\n");
+                    " CERT_PKIXVerifyCert(-pp) function.\n");
             Usage(progName);
         }
     }
 
     if (!useDefaultRevFlags && parseRevMethodsAndFlags()) {
         fprintf(stderr, "Invalid revocation configuration specified.\n");
         goto punt;
     }
@@ -581,17 +578,17 @@ breakout:
 	switch(optstate->option) {
 	default  : Usage(progName);                           break;
 	case 'a' : isAscii  = PR_TRUE;                        break;
 	case 'r' : isAscii  = PR_FALSE;                       break;
 	case 't' : trusted  = PR_TRUE;                       break;
 	case  0  : /* positional parameter */
             if (usePkix < 2 && trusted) {
                 fprintf(stderr, "Cert trust flag can be used only with"
-                        " CERT_PKIXVerifyChain(-pp) function.\n");
+                        " CERT_PKIXVerifyCert(-pp) function.\n");
                 Usage(progName);
             }
 	    cert = getCert(optstate->value, isAscii, progName);
 	    if (!cert) 
 	        goto punt;
 	    rememberCert(cert, trusted);
 	    if (!firstCert)
 	        firstCert = cert;
@@ -783,11 +780,12 @@ punt:
     }
     PORT_Free(progName);
     PORT_Free(certDir);
     PORT_Free(oidStr);
     freeRevocationMethodData();
     if (pwdata.data) {
         PORT_Free(pwdata.data);
     }
+    PL_ArenaFinish();
     PR_Cleanup();
     return rv;
 }
--- a/security/nss/lib/certdb/alg1485.c
+++ b/security/nss/lib/certdb/alg1485.c
@@ -98,22 +98,29 @@ static const NameToKind name2kinds[] = {
     { "postalAddress", 128, SEC_OID_AVA_POSTAL_ADDRESS, SEC_ASN1_DS},
     { "postalCode",     40, SEC_OID_AVA_POSTAL_CODE,    SEC_ASN1_DS},
     { "postOfficeBox",  40, SEC_OID_AVA_POST_OFFICE_BOX,SEC_ASN1_DS},
     { "houseIdentifier",64, SEC_OID_AVA_HOUSE_IDENTIFIER,SEC_ASN1_DS},
 /* end of IANA registered type names */
 
 /* legacy keywords */
     { "E",             128, SEC_OID_PKCS9_EMAIL_ADDRESS,SEC_ASN1_IA5_STRING},
-
-#if 0 /* removed.  Not yet in any IETF draft or RFC. */
+    { "STREET",        128, SEC_OID_AVA_STREET_ADDRESS, SEC_ASN1_DS},
     { "pseudonym",      64, SEC_OID_AVA_PSEUDONYM,      SEC_ASN1_DS},
-#endif
 
-    { 0,           256, SEC_OID_UNKNOWN                      , 0},
+/* values defined by the CAB Forum for EV */
+    { "incorporationLocality", 128, SEC_OID_EV_INCORPORATION_LOCALITY,
+                                                        SEC_ASN1_DS},
+    { "incorporationState",    128, SEC_OID_EV_INCORPORATION_STATE,
+                                                        SEC_ASN1_DS},
+    { "incorporationCountry",    2, SEC_OID_EV_INCORPORATION_COUNTRY,
+                                                    SEC_ASN1_PRINTABLE_STRING},
+    { "businessCategory",       64, SEC_OID_BUSINESS_CATEGORY, SEC_ASN1_DS},
+
+    { 0,               256, SEC_OID_UNKNOWN,            0},
 };
 
 /* Table facilitates conversion of ASCII hex to binary. */
 static const PRInt16 x2b[256] = {
 /* #0x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
 /* #1x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
 /* #2x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
 /* #3x */  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, -1, -1, -1, -1, -1, -1, 
--- a/security/nss/lib/certdb/cert.h
+++ b/security/nss/lib/certdb/cert.h
@@ -32,17 +32,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * cert.h - public data structures and prototypes for the certificate library
  *
- * $Id: cert.h,v 1.80.2.3 2011/04/08 22:54:34 kaie%kuix.de Exp $
+ * $Id: cert.h,v 1.86 2011/07/24 13:48:09 wtc%google.com Exp $
  */
 
 #ifndef _CERT_H_
 #define _CERT_H_
 
 #include "utilrename.h"
 #include "plarena.h"
 #include "plhash.h"
@@ -293,23 +293,16 @@ CERT_GetCertificateRequestExtensions(CER
                                      CERTCertExtension ***exts);
 
 /*
 ** Extract a public key object from a certificate
 */
 extern SECKEYPublicKey *CERT_ExtractPublicKey(CERTCertificate *cert);
 
 /*
- * used to get a public key with Key Material ID. Only used for fortezza V1
- * certificates.
- */
-extern SECKEYPublicKey *CERT_KMIDPublicKey(CERTCertificate *cert);
-
-
-/*
 ** Retrieve the Key Type associated with the cert we're dealing with
 */
 
 extern KeyType CERT_GetCertKeyType (CERTSubjectPublicKeyInfo *spki);
 
 /*
 ** Initialize the certificate database.  This is called to create
 **  the initial list of certificates in the database.
@@ -445,22 +438,22 @@ extern SECStatus CERT_AddOKDomainName(CE
 **	"copyDER" is true if the DER should be copied, false if the
 **		existing copy should be referenced
 **	"nickname" is the nickname to use in the database.  If it is NULL
 **		then a temporary nickname is generated.
 */
 extern CERTCertificate *
 CERT_DecodeDERCertificate (SECItem *derSignedCert, PRBool copyDER, char *nickname);
 /*
-** Decode a DER encoded CRL/KRL into an CERTSignedCrl structure
-**	"derSignedCrl" is the DER encoded signed crl/krl.
-**	"type" is this a CRL or KRL.
+** Decode a DER encoded CRL into a CERTSignedCrl structure
+**	"derSignedCrl" is the DER encoded signed CRL.
+**	"type" must be SEC_CRL_TYPE.
 */
 #define SEC_CRL_TYPE	1
-#define SEC_KRL_TYPE	0
+#define SEC_KRL_TYPE	0 /* deprecated */
 
 extern CERTSignedCrl *
 CERT_DecodeDERCrl (PLArenaPool *arena, SECItem *derSignedCrl,int type);
 
 /*
  * same as CERT_DecodeDERCrl, plus allow options to be passed in
  */
 
@@ -517,22 +510,16 @@ void CERT_CRLCacheRefreshIssuer(CERTCert
 SECStatus CERT_CacheCRL(CERTCertDBHandle* dbhandle, SECItem* newcrl);
 
 /* remove a previously added CRL object from the CRL cache. It is OK
    for the application to free the memory after a successful removal
 */
 SECStatus CERT_UncacheCRL(CERTCertDBHandle* dbhandle, SECItem* oldcrl);
 
 /*
-** Decode a certificate and put it into the temporary certificate database
-*/
-extern CERTCertificate *
-CERT_DecodeCertificate (SECItem *derCert, char *nickname,PRBool copyDER);
-
-/*
 ** Find a certificate in the database
 **	"key" is the database key to look for
 */
 extern CERTCertificate *CERT_FindCertByKey(CERTCertDBHandle *handle, SECItem *key);
 
 /*
 ** Find a certificate in the database by name
 **	"name" is the distinguished name to look up
@@ -1301,19 +1288,16 @@ CERT_CheckForEvilCert(CERTCertificate *c
 
 CERTGeneralName *
 CERT_GetCertificateNames(CERTCertificate *cert, PLArenaPool *arena);
 
 CERTGeneralName *
 CERT_GetConstrainedCertificateNames(CERTCertificate *cert, PLArenaPool *arena,
                                     PRBool includeSubjectCommonName);
 
-char *
-CERT_GetNickName(CERTCertificate   *cert, CERTCertDBHandle *handle, PLArenaPool *nicknameArena);
-
 /*
  * Creates or adds to a list of all certs with a give subject name, sorted by
  * validity time, newest first.  Invalid certs are considered older than
  * valid certs. If validOnly is set, do not include invalid certs on list.
  */
 CERTCertList *
 CERT_CreateSubjectCertList(CERTCertList *certList, CERTCertDBHandle *handle,
 			   SECItem *name, PRTime sorttime, PRBool validOnly);
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -34,17 +34,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * Certificate handling code
  *
- * $Id: certdb.c,v 1.104.2.5 2011/08/05 01:16:27 wtc%google.com Exp $
+ * $Id: certdb.c,v 1.116 2011/08/05 01:13:14 wtc%google.com Exp $
  */
 
 #include "nssilock.h"
 #include "prmon.h"
 #include "prtime.h"
 #include "cert.h"
 #include "certi.h"
 #include "secder.h"
@@ -476,67 +476,16 @@ GetKeyUsage(CERTCertificate *cert)
 	cert->keyUsage |= KU_NS_GOVT_APPROVED;
 	cert->rawKeyUsage |= KU_NS_GOVT_APPROVED;
     }
     
     return(SECSuccess);
 }
 
 
-/*
- * determine if a fortezza V1 Cert is a CA or not.
- */
-static PRBool
-fortezzaIsCA( CERTCertificate *cert) {
-    PRBool isCA = PR_FALSE;
-    CERTSubjectPublicKeyInfo *spki = &cert->subjectPublicKeyInfo;
-    int tag;
-
-    tag = SECOID_GetAlgorithmTag(&spki->algorithm);
-    if ((tag == SEC_OID_MISSI_KEA_DSS_OLD) ||
-       (tag == SEC_OID_MISSI_KEA_DSS) ||
-       (tag == SEC_OID_MISSI_DSS_OLD) ||
-       (tag == SEC_OID_MISSI_DSS) ) {
-	SECItem rawkey;
-	unsigned char *rawptr;
-	unsigned char *end;
-	int len;
-
-	rawkey = spki->subjectPublicKey;
-	DER_ConvertBitString(&rawkey);
-	rawptr = rawkey.data;
-	end = rawkey.data + rawkey.len;
-
-	/* version */	
-	rawptr += sizeof(((SECKEYPublicKey*)0)->u.fortezza.KMID)+2;
-
-	/* clearance (the string up to the first byte with the hi-bit on */
-	while ((rawptr < end) && (*rawptr++ & 0x80));
-	if (rawptr >= end) { return PR_FALSE; }
-
-	/* KEAPrivilege (the string up to the first byte with the hi-bit on */
-	while ((rawptr < end) && (*rawptr++ & 0x80));
-	if (rawptr >= end) { return PR_FALSE; }
-
-	/* skip the key */
-	len = (*rawptr << 8) | rawptr[1];
-	rawptr += 2 + len;
-
-	/* shared key */
-	if (rawptr >= end) { return PR_FALSE; }
-	/* DSS Version is next */
-	rawptr += 2;
-
-	/* DSSPrivilege (the string up to the first byte with the hi-bit on */
-	if (*rawptr & 0x30) isCA = PR_TRUE;
-	
-   }
-   return isCA;
-}
-
 static SECStatus
 findOIDinOIDSeqByTagNum(CERTOidSequence *seq, SECOidTag tagnum)
 {
     SECItem **oids;
     SECItem *oid;
     SECStatus rv = SECFailure;
     
     if (seq != NULL) {
@@ -698,22 +647,16 @@ cert_ComputeCertType(CERTCertificate *ce
 	if (basicConstraintPresent && basicConstraint.isCA ) {
 	    nsCertType |= (NS_CERT_TYPE_SSL_CA   |
 		           NS_CERT_TYPE_EMAIL_CA |
 		           EXT_KEY_USAGE_STATUS_RESPONDER);
 	}
 	/* allow any ssl or email (no ca or object signing. */
 	nsCertType |= NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER |
 	              NS_CERT_TYPE_EMAIL;
-
-	/* if the cert is a fortezza CA cert, then allow SSL CA and EMAIL CA */
-	if (fortezzaIsCA(cert)) {
-		nsCertType |= NS_CERT_TYPE_SSL_CA;
-		nsCertType |= NS_CERT_TYPE_EMAIL_CA;
-	}
     }
 
     if (encodedExtKeyUsage.data != NULL) {
 	PORT_Free(encodedExtKeyUsage.data);
     }
     if (extKeyUsage != NULL) {
 	CERT_DestroyOidSequence(extKeyUsage);
     }
@@ -723,53 +666,32 @@ cert_ComputeCertType(CERTCertificate *ce
 /*
  * cert_GetKeyID() - extract or generate the subjectKeyID from a certificate
  */
 SECStatus
 cert_GetKeyID(CERTCertificate *cert)
 {
     SECItem tmpitem;
     SECStatus rv;
-    SECKEYPublicKey *key;
     
     cert->subjectKeyID.len = 0;
 
     /* see of the cert has a key identifier extension */
     rv = CERT_FindSubjectKeyIDExtension(cert, &tmpitem);
     if ( rv == SECSuccess ) {
 	cert->subjectKeyID.data = (unsigned char*) PORT_ArenaAlloc(cert->arena, tmpitem.len);
 	if ( cert->subjectKeyID.data != NULL ) {
 	    PORT_Memcpy(cert->subjectKeyID.data, tmpitem.data, tmpitem.len);
 	    cert->subjectKeyID.len = tmpitem.len;
 	    cert->keyIDGenerated = PR_FALSE;
 	}
 	
 	PORT_Free(tmpitem.data);
     }
     
-    /* if the cert doesn't have a key identifier extension and the cert is
-     * a V1 fortezza certificate, use the cert's 8 byte KMID as the
-     * key identifier.  */
-    key = CERT_KMIDPublicKey(cert);
-
-    if (key != NULL) {
-	
-	if (key->keyType == fortezzaKey) {
-
-	    cert->subjectKeyID.data = (unsigned char *)PORT_ArenaAlloc(cert->arena, 8);
-	    if ( cert->subjectKeyID.data != NULL ) {
-		PORT_Memcpy(cert->subjectKeyID.data, key->u.fortezza.KMID, 8);
-		cert->subjectKeyID.len = 8;
-		cert->keyIDGenerated = PR_FALSE;
-	    }
-	}
-		
-	SECKEY_DestroyPublicKey(key);
-    }
-
     /* if the cert doesn't have a key identifier extension, then generate one*/
     if ( cert->subjectKeyID.len == 0 ) {
 	/*
 	 * pkix says that if the subjectKeyID is not present, then we should
 	 * use the SHA-1 hash of the DER-encoded publicKeyInfo from the cert
 	 */
 	cert->subjectKeyID.data = (unsigned char *)PORT_ArenaAlloc(cert->arena, SHA1_LENGTH);
 	if ( cert->subjectKeyID.data != NULL ) {
@@ -1341,18 +1263,16 @@ CERT_CheckKeyUsage(CERTCertificate *cert
 
 	switch (keyType) {
 	case rsaKey:
 	    requiredUsage |= KU_KEY_ENCIPHERMENT;
 	    break;
 	case dsaKey:
 	    requiredUsage |= KU_DIGITAL_SIGNATURE;
 	    break;
-	case fortezzaKey:
-	case keaKey:
 	case dhKey:
 	    requiredUsage |= KU_KEY_AGREEMENT;
 	    break;
 	case ecKey:
 	    /* Accept either signature or agreement. */
 	    if (!(cert->keyUsage & (KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT)))
 		 goto loser;
 	    break;
@@ -1659,18 +1579,17 @@ finish:
 /*
  * If found:
  *   - subAltName contains the extension (caller must free)
  *   - return value is the decoded namelist (allocated off arena)
  * if not found, or if failure to decode:
  *   - return value is NULL
  */
 CERTGeneralName *
-cert_GetSubjectAltNameList(CERTCertificate *cert,
-                           PRArenaPool *arena)
+cert_GetSubjectAltNameList(CERTCertificate *cert, PRArenaPool *arena)
 {
     CERTGeneralName * nameList       = NULL;
     SECStatus         rv             = SECFailure;
     SECItem           subAltName;
 
     if (!cert || !arena)
       return NULL;
 
@@ -2062,90 +1981,78 @@ CERT_GetCertIssuerAndSN(PRArenaPool *are
 char *
 CERT_MakeCANickname(CERTCertificate *cert)
 {
     char *firstname = NULL;
     char *org = NULL;
     char *nickname = NULL;
     int count;
     CERTCertificate *dummycert;
-    CERTCertDBHandle *handle;
     
-    handle = cert->dbhandle;
-    
-    nickname = CERT_GetNickName(cert, handle, cert->arena);
-    if (nickname == NULL) {
-	firstname = CERT_GetCommonName(&cert->subject);
-	if ( firstname == NULL ) {
-	    firstname = CERT_GetOrgUnitName(&cert->subject);
-	}
-
-	org = CERT_GetOrgName(&cert->issuer);
+    firstname = CERT_GetCommonName(&cert->subject);
+    if ( firstname == NULL ) {
+	firstname = CERT_GetOrgUnitName(&cert->subject);
+    }
+
+    org = CERT_GetOrgName(&cert->issuer);
+    if (org == NULL) {
+	org = CERT_GetDomainComponentName(&cert->issuer);
 	if (org == NULL) {
-	    org = CERT_GetDomainComponentName(&cert->issuer);
-	    if (org == NULL) {
-		if (firstname) {
-		    org = firstname;
-		    firstname = NULL;
-		} else {
-		    org = PORT_Strdup("Unknown CA");
-		}
+	    if (firstname) {
+		org = firstname;
+		firstname = NULL;
+	    } else {
+		org = PORT_Strdup("Unknown CA");
 	    }
 	}
-
-	/* can only fail if PORT_Strdup fails, in which case
-	 * we're having memory problems. */
-	if (org == NULL) {
-	    goto loser;
-	}
+    }
+
+    /* can only fail if PORT_Strdup fails, in which case
+     * we're having memory problems. */
+    if (org == NULL) {
+	goto done;
+    }
 
     
-	count = 1;
-	while ( 1 ) {
-
-	    if ( firstname ) {
-		if ( count == 1 ) {
-		    nickname = PR_smprintf("%s - %s", firstname, org);
-		} else {
-		    nickname = PR_smprintf("%s - %s #%d", firstname, org, count);
-		}
+    count = 1;
+    while ( 1 ) {
+
+	if ( firstname ) {
+	    if ( count == 1 ) {
+		nickname = PR_smprintf("%s - %s", firstname, org);
 	    } else {
-		if ( count == 1 ) {
-		    nickname = PR_smprintf("%s", org);
-		} else {
-		    nickname = PR_smprintf("%s #%d", org, count);
-		}
+		nickname = PR_smprintf("%s - %s #%d", firstname, org, count);
 	    }
-	    if ( nickname == NULL ) {
-		goto loser;
+	} else {
+	    if ( count == 1 ) {
+		nickname = PR_smprintf("%s", org);
+	    } else {
+		nickname = PR_smprintf("%s #%d", org, count);
 	    }
-
-	    /* look up the nickname to make sure it isn't in use already */
-	    dummycert = CERT_FindCertByNickname(handle, nickname);
-
-	    if ( dummycert == NULL ) {
-		goto done;
-	    }
+	}
+	if ( nickname == NULL ) {
+	    goto done;
+	}
+
+	/* look up the nickname to make sure it isn't in use already */
+	dummycert = CERT_FindCertByNickname(cert->dbhandle, nickname);
+
+	if ( dummycert == NULL ) {
+	    goto done;
+	}
 	
-	    /* found a cert, destroy it and loop */
-	    CERT_DestroyCertificate(dummycert);
-
-	    /* free the nickname */
-	    PORT_Free(nickname);
-
-	    count++;
-	}
+	/* found a cert, destroy it and loop */
+	CERT_DestroyCertificate(dummycert);
+
+	/* free the nickname */
+	PORT_Free(nickname);
+
+	count++;
     }
-loser:
-    if ( nickname ) {
-	PORT_Free(nickname);
-    }
-
-    nickname = NULL;
-    
+
 done:
     if ( firstname ) {
 	PORT_Free(firstname);
     }
     if ( org ) {
 	PORT_Free(org);
     }
     
@@ -2176,34 +2083,34 @@ static unsigned int
 cert_ComputeTrustOverrides(CERTCertificate *cert, unsigned int cType)
 {
     CERTCertTrust *trust = cert->trust;
 
     if (trust && (trust->sslFlags |
 		  trust->emailFlags |
 		  trust->objectSigningFlags)) {
 
-	if (trust->sslFlags & (CERTDB_VALID_PEER|CERTDB_TRUSTED)) 
+	if (trust->sslFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED)) 
 	    cType |= NS_CERT_TYPE_SSL_SERVER|NS_CERT_TYPE_SSL_CLIENT;
 	if (trust->sslFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA)) 
 	    cType |= NS_CERT_TYPE_SSL_CA;
 #if defined(CERTDB_NOT_TRUSTED)
 	if (trust->sslFlags & CERTDB_NOT_TRUSTED) 
 	    cType &= ~(NS_CERT_TYPE_SSL_SERVER|NS_CERT_TYPE_SSL_CLIENT|
 	               NS_CERT_TYPE_SSL_CA);
 #endif
-	if (trust->emailFlags & (CERTDB_VALID_PEER|CERTDB_TRUSTED)) 
+	if (trust->emailFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED)) 
 	    cType |= NS_CERT_TYPE_EMAIL;
 	if (trust->emailFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA)) 
 	    cType |= NS_CERT_TYPE_EMAIL_CA;
 #if defined(CERTDB_NOT_TRUSTED)
 	if (trust->emailFlags & CERTDB_NOT_TRUSTED) 
 	    cType &= ~(NS_CERT_TYPE_EMAIL|NS_CERT_TYPE_EMAIL_CA);
 #endif
-	if (trust->objectSigningFlags & (CERTDB_VALID_PEER|CERTDB_TRUSTED)) 
+	if (trust->objectSigningFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED)) 
 	    cType |= NS_CERT_TYPE_OBJECT_SIGNING;
 	if (trust->objectSigningFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA)) 
 	    cType |= NS_CERT_TYPE_OBJECT_SIGNING_CA;
 #if defined(CERTDB_NOT_TRUSTED)
 	if (trust->objectSigningFlags & CERTDB_NOT_TRUSTED) 
 	    cType &= ~(NS_CERT_TYPE_OBJECT_SIGNING|
 	               NS_CERT_TYPE_OBJECT_SIGNING_CA);
 #endif
@@ -2230,20 +2137,19 @@ CERT_IsCACert(CERTCertificate *cert, uns
 
 	rv = CERT_FindBasicConstraintExten(cert, &constraints);
 	if (rv == SECSuccess && constraints.isCA) {
 	    ret = PR_TRUE;
 	    cType |= (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA);
 	} 
     }
 
-    /* finally check if it's an X.509 v1 root or FORTEZZA V1 CA */
+    /* finally check if it's an X.509 v1 root CA */
     if (!ret && 
-        ((cert->isRoot && cert_Version(cert) < SEC_CERTIFICATE_VERSION_3) ||
-    	 fortezzaIsCA(cert) )) {
+        (cert->isRoot && cert_Version(cert) < SEC_CERTIFICATE_VERSION_3)) {
 	ret = PR_TRUE;
 	cType |= (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA);
     }
     /* Now apply trust overrides, if any */
     cType = cert_ComputeTrustOverrides(cert, cType);
     ret = (cType & (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA |
                     NS_CERT_TYPE_OBJECT_SIGNING_CA)) ? PR_TRUE : PR_FALSE;
 
@@ -2444,21 +2350,21 @@ CERT_DecodeTrustString(CERTCertTrust *tr
 	return SECFailure;
     }
 
     pflags = &trust->sslFlags;
     
     for (i=0; i < PORT_Strlen(trusts); i++) {
 	switch (trusts[i]) {
 	  case 'p':
-	      *pflags = *pflags | CERTDB_VALID_PEER;
+	      *pflags = *pflags | CERTDB_TERMINAL_RECORD;
 	      break;
 
 	  case 'P':
-	      *pflags = *pflags | CERTDB_TRUSTED | CERTDB_VALID_PEER;
+	      *pflags = *pflags | CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD;
 	      break;
 
 	  case 'w':
 	      *pflags = *pflags | CERTDB_SEND_WARN;
 	      break;
 
 	  case 'c':
 	      *pflags = *pflags | CERTDB_VALID_CA;
@@ -2500,17 +2406,17 @@ CERT_DecodeTrustString(CERTCertTrust *tr
 
 static void
 EncodeFlags(char *trusts, unsigned int flags)
 {
     if (flags & CERTDB_VALID_CA)
 	if (!(flags & CERTDB_TRUSTED_CA) &&
 	    !(flags & CERTDB_TRUSTED_CLIENT_CA))
 	    PORT_Strcat(trusts, "c");
-    if (flags & CERTDB_VALID_PEER)
+    if (flags & CERTDB_TERMINAL_RECORD)
 	if (!(flags & CERTDB_TRUSTED))
 	    PORT_Strcat(trusts, "p");
     if (flags & CERTDB_TRUSTED_CA)
 	PORT_Strcat(trusts, "C");
     if (flags & CERTDB_TRUSTED_CLIENT_CA)
 	PORT_Strcat(trusts, "T");
     if (flags & CERTDB_TRUSTED)
 	PORT_Strcat(trusts, "P");
@@ -2584,43 +2490,39 @@ CERT_ImportCerts(CERTCertDBHandle *certd
 		}
 		fcerts++;
 	    }
 	}
 
 	if ( keepCerts ) {
 	    for ( i = 0; i < fcerts; i++ ) {
                 char* canickname = NULL;
-                PRBool freeNickname = PR_FALSE;
+                PRBool isCA;
 
 		SECKEY_UpdateCertPQG(certs[i]);
                 
-                if ( CERT_IsCACert(certs[i], NULL) ) {
+                isCA = CERT_IsCACert(certs[i], NULL);
+                if ( isCA ) {
                     canickname = CERT_MakeCANickname(certs[i]);
-                    if ( canickname != NULL ) {
-                        freeNickname = PR_TRUE;
-                    }
                 }
 
-		if(CERT_IsCACert(certs[i], NULL) && (fcerts > 1)) {
+		if(isCA && (fcerts > 1)) {
 		    /* if we are importing only a single cert and specifying
 		     * a nickname, we want to use that nickname if it a CA,
 		     * otherwise if there are more than one cert, we don't
 		     * know which cert it belongs to. But we still may try
                      * the individual canickname from the cert itself.
 		     */
 		    rv = CERT_AddTempCertToPerm(certs[i], canickname, NULL);
 		} else {
 		    rv = CERT_AddTempCertToPerm(certs[i],
                                                 nickname?nickname:canickname, NULL);
 		}
 
-                if (PR_TRUE == freeNickname) {
-                    PORT_Free(canickname);
-                }
+                PORT_Free(canickname);
 		/* don't care if it fails - keep going */
 	    }
 	}
     }
 
     if ( retCerts ) {
 	*retCerts = certs;
     } else {
@@ -3119,16 +3021,18 @@ CERT_SetStatusConfig(CERTCertDBHandle *h
 }
 
 /*
  * Code for dealing with subjKeyID to cert mappings.
  */
 
 static PLHashTable *gSubjKeyIDHash = NULL;
 static PRLock      *gSubjKeyIDLock = NULL;
+static PLHashTable *gSubjKeyIDSlotCheckHash = NULL;
+static PRLock      *gSubjKeyIDSlotCheckLock = NULL;
 
 static void *cert_AllocTable(void *pool, PRSize size)
 {
     return PORT_Alloc(size);
 }
 
 static void cert_FreeTable(void *pool, void *item)
 {
@@ -3149,34 +3053,63 @@ static void cert_FreeEntry(void *pool, P
     }
 }
 
 static PLHashAllocOps cert_AllocOps = {
     cert_AllocTable, cert_FreeTable, cert_AllocEntry, cert_FreeEntry
 };
 
 SECStatus
+cert_CreateSubjectKeyIDSlotCheckHash(void)
+{
+    /*
+     * This hash is used to remember the series of a slot
+     * when we last checked for user certs
+     */
+    gSubjKeyIDSlotCheckHash = PL_NewHashTable(0, SECITEM_Hash,
+                                             SECITEM_HashCompare,
+                                             SECITEM_HashCompare,
+                                             &cert_AllocOps, NULL);
+    if (!gSubjKeyIDSlotCheckHash) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return SECFailure;
+    }
+    gSubjKeyIDSlotCheckLock = PR_NewLock();
+    if (!gSubjKeyIDSlotCheckLock) {
+        PL_HashTableDestroy(gSubjKeyIDSlotCheckHash);
+        gSubjKeyIDSlotCheckHash = NULL;
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return SECFailure;
+    }
+    return SECSuccess;
+}
+
+SECStatus
 cert_CreateSubjectKeyIDHashTable(void)
 {
     gSubjKeyIDHash = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare,
                                     SECITEM_HashCompare,
                                     &cert_AllocOps, NULL);
     if (!gSubjKeyIDHash) {
         PORT_SetError(SEC_ERROR_NO_MEMORY);
         return SECFailure;
     }
     gSubjKeyIDLock = PR_NewLock();
     if (!gSubjKeyIDLock) {
         PL_HashTableDestroy(gSubjKeyIDHash);
         gSubjKeyIDHash = NULL;
         PORT_SetError(SEC_ERROR_NO_MEMORY);
         return SECFailure;
     }
+    /* initialize the companion hash (for remembering slot series) */
+    if (cert_CreateSubjectKeyIDSlotCheckHash() != SECSuccess) {
+	cert_DestroySubjectKeyIDHashTable();
+	return SECFailure;
+    }
     return SECSuccess;
-
 }
 
 SECStatus
 cert_AddSubjectKeyIDMapping(SECItem *subjKeyID, CERTCertificate *cert)
 {
     SECItem *newKeyID, *oldVal, *newVal;
     SECStatus rv = SECFailure;
 
@@ -3225,26 +3158,114 @@ cert_RemoveSubjectKeyIDMapping(SECItem *
     PR_Lock(gSubjKeyIDLock);
     rv = (PL_HashTableRemove(gSubjKeyIDHash, subjKeyID)) ? SECSuccess :
                                                            SECFailure;
     PR_Unlock(gSubjKeyIDLock);
     return rv;
 }
 
 SECStatus
+cert_UpdateSubjectKeyIDSlotCheck(SECItem *slotid, int series)
+{
+    SECItem *oldSeries, *newSlotid, *newSeries;
+    SECStatus rv = SECFailure;
+
+    if (!gSubjKeyIDSlotCheckLock) {
+	return rv;
+    }
+
+    newSlotid = SECITEM_DupItem(slotid);
+    newSeries = SECITEM_AllocItem(NULL, NULL, sizeof(int));
+    if (!newSlotid || !newSeries ) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        goto loser;
+    }
+    PORT_Memcpy(newSeries->data, &series, sizeof(int));
+
+    PR_Lock(gSubjKeyIDSlotCheckLock);
+    oldSeries = (SECItem *)PL_HashTableLookup(gSubjKeyIDSlotCheckHash, slotid);
+    if (oldSeries) {
+	/* 
+	 * make sure we don't leak the key of an existing entry
+	 * (similar to cert_AddSubjectKeyIDMapping, see comment there)
+	 */
+        PL_HashTableRemove(gSubjKeyIDSlotCheckHash, slotid);
+    }
+    rv = (PL_HashTableAdd(gSubjKeyIDSlotCheckHash, newSlotid, newSeries)) ?
+         SECSuccess : SECFailure;
+    PR_Unlock(gSubjKeyIDSlotCheckLock);
+    if (rv == SECSuccess) {
+	return rv;
+    }
+
+loser:
+    if (newSlotid) {
+        SECITEM_FreeItem(newSlotid, PR_TRUE);
+    }
+    if (newSeries) {
+        SECITEM_FreeItem(newSeries, PR_TRUE);
+    }
+    return rv;
+}
+
+int
+cert_SubjectKeyIDSlotCheckSeries(SECItem *slotid)
+{
+    SECItem *seriesItem = NULL;
+    int series;
+
+    if (!gSubjKeyIDSlotCheckLock) {
+	PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+	return -1;
+    }
+
+    PR_Lock(gSubjKeyIDSlotCheckLock);
+    seriesItem = (SECItem *)PL_HashTableLookup(gSubjKeyIDSlotCheckHash, slotid);
+    PR_Unlock(gSubjKeyIDSlotCheckLock);
+     /* getting a null series just means we haven't registered one yet, 
+      * just return 0 */
+    if (seriesItem == NULL) {
+	return 0;
+    }
+    /* if we got a series back, assert if it's not the proper length. */
+    PORT_Assert(seriesItem->len == sizeof(int));
+    if (seriesItem->len != sizeof(int)) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return -1;
+    }
+    PORT_Memcpy(&series, seriesItem->data, sizeof(int));
+    return series;
+}
+
+SECStatus
+cert_DestroySubjectKeyIDSlotCheckHash(void)
+{
+    if (gSubjKeyIDSlotCheckHash) {
+        PR_Lock(gSubjKeyIDSlotCheckLock);
+        PL_HashTableDestroy(gSubjKeyIDSlotCheckHash);
+        gSubjKeyIDSlotCheckHash = NULL;
+        PR_Unlock(gSubjKeyIDSlotCheckLock);
+        PR_DestroyLock(gSubjKeyIDSlotCheckLock);
+        gSubjKeyIDSlotCheckLock = NULL;
+    }
+    return SECSuccess;
+}
+
+SECStatus
 cert_DestroySubjectKeyIDHashTable(void)
 {
     if (gSubjKeyIDHash) {
         PR_Lock(gSubjKeyIDLock);
         PL_HashTableDestroy(gSubjKeyIDHash);
         gSubjKeyIDHash = NULL;
         PR_Unlock(gSubjKeyIDLock);
         PR_DestroyLock(gSubjKeyIDLock);
         gSubjKeyIDLock = NULL;
     }
+    cert_DestroySubjectKeyIDSlotCheckHash();
     return SECSuccess;
 }
 
 SECItem*
 cert_FindDERCertBySubjectKeyID(SECItem *subjKeyID)
 {
     SECItem   *val;
  
--- a/security/nss/lib/certdb/certdb.h
+++ b/security/nss/lib/certdb/certdb.h
@@ -34,27 +34,45 @@
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifndef _CERTDB_H_
 #define _CERTDB_H_
 
 
 /* common flags for all types of certificates */
-#define CERTDB_VALID_PEER	(1<<0)
+#define CERTDB_TERMINAL_RECORD	(1<<0)
 #define CERTDB_TRUSTED		(1<<1)
 #define CERTDB_SEND_WARN	(1<<2)
 #define CERTDB_VALID_CA		(1<<3)
 #define CERTDB_TRUSTED_CA	(1<<4) /* trusted for issuing server certs */
 #define CERTDB_NS_TRUSTED_CA	(1<<5)
 #define CERTDB_USER		(1<<6)
 #define CERTDB_TRUSTED_CLIENT_CA (1<<7) /* trusted for issuing client certs */
 #define CERTDB_INVISIBLE_CA	(1<<8) /* don't show in UI */
 #define CERTDB_GOVT_APPROVED_CA	(1<<9) /* can do strong crypto in export ver */
 
+/* old usage, to keep old programs compiling */
+/* On Windows, Mac, and Linux (and other gcc platforms), we can give compile
+ * time deprecation warnings when applications use the old CERTDB_VALID_PEER
+ * define */
+#if __GNUC__ > 3
+#if (__GNUC__ == 4) && (__GNUC_MINOR__ < 5)
+typedef unsigned int __CERTDB_VALID_PEER __attribute__((deprecated));
+#else
+typedef unsigned int __CERTDB_VALID_PEER __attribute__((deprecated
+    ("CERTDB_VALID_PEER is now CERTDB_TERMINAL_RECORD")));
+#endif
+#define CERTDB_VALID_PEER  ((__CERTDB_VALID_PEER) CERTDB_TERMINAL_RECORD)
+#else
+#ifdef _WIN32
+#pragma deprecated(CERTDB_VALID_PEER)
+#endif
+#define CERTDB_VALID_PEER  CERTDB_TERMINAL_RECORD 
+#endif
 
 SEC_BEGIN_PROTOS
 
 CERTSignedCrl *
 SEC_FindCrlByKey(CERTCertDBHandle *handle, SECItem *crlKey, int type);
 
 CERTSignedCrl *
 SEC_FindCrlByName(CERTCertDBHandle *handle, SECItem *crlKey, int type);
--- a/security/nss/lib/certdb/certi.h
+++ b/security/nss/lib/certdb/certi.h
@@ -31,17 +31,17 @@
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 /*
  * certi.h - private data structures for the certificate library
  *
- * $Id: certi.h,v 1.34 2010/05/21 00:43:51 wtc%google.com Exp $
+ * $Id: certi.h,v 1.35 2011/01/29 22:17:20 nelson%bolyard.com Exp $
  */
 #ifndef _CERTI_H_
 #define _CERTI_H_
 
 #include "certt.h"
 #include "nssrwlkt.h"
 
 /*
@@ -230,24 +230,31 @@ SECStatus ShutdownCRLCache(void);
 
 /* Returns a pointer to an environment-like string, a series of
 ** null-terminated strings, terminated by a zero-length string.
 ** This function is intended to be internal to NSS.
 */
 extern char * cert_GetCertificateEmailAddresses(CERTCertificate *cert);
 
 /*
- * These functions are used to map subjectKeyID extension values to certs.
+ * These functions are used to map subjectKeyID extension values to certs
+ * and to keep track of the checks for user certificates in each slot
  */
 SECStatus
 cert_CreateSubjectKeyIDHashTable(void);
 
 SECStatus
 cert_AddSubjectKeyIDMapping(SECItem *subjKeyID, CERTCertificate *cert);
 
+SECStatus
+cert_UpdateSubjectKeyIDSlotCheck(SECItem *slotid, int series);
+
+int
+cert_SubjectKeyIDSlotCheckSeries(SECItem *slotid);
+
 /*
  * Call this function to remove an entry from the mapping table.
  */
 SECStatus
 cert_RemoveSubjectKeyIDMapping(SECItem *subjKeyID);
 
 SECStatus
 cert_DestroySubjectKeyIDHashTable(void);
--- a/security/nss/lib/certdb/certt.h
+++ b/security/nss/lib/certdb/certt.h
@@ -31,17 +31,17 @@
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 /*
  * certt.h - public data structures for the certificate library
  *
- * $Id: certt.h,v 1.54.2.1 2011/07/28 22:19:57 wtc%google.com Exp $
+ * $Id: certt.h,v 1.55 2011/07/28 21:38:14 wtc%google.com Exp $
  */
 #ifndef _CERTT_H_
 #define _CERTT_H_
 
 #include "prclist.h"
 #include "pkcs11t.h"
 #include "seccomon.h"
 #include "secmodt.h"
--- a/security/nss/lib/certdb/crl.c
+++ b/security/nss/lib/certdb/crl.c
@@ -32,17 +32,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * Moved from secpkcs7.c
  *
- * $Id: crl.c,v 1.71 2010/05/21 00:43:51 wtc%google.com Exp $
+ * $Id: crl.c,v 1.72 2011/07/24 13:48:10 wtc%google.com Exp $
  */
  
 #include "cert.h"
 #include "certi.h"
 #include "secder.h"
 #include "secasn1.h"
 #include "secoid.h"
 #include "certdb.h"
@@ -70,84 +70,36 @@ const SEC_ASN1Template SEC_CERTExtension
     { 0, }
 };
 
 static const SEC_ASN1Template SEC_CERTExtensionsTemplate[] = {
     { SEC_ASN1_SEQUENCE_OF, 0,  SEC_CERTExtensionTemplate}
 };
 
 /*
- * XXX Also, these templates, especially the Krl/FORTEZZA ones, need to
- * be tested; Lisa did the obvious translation but they still should be
- * verified.
+ * XXX Also, these templates need to be tested; Lisa did the obvious
+ * translation but they still should be verified.
  */
 
 const SEC_ASN1Template CERT_IssuerAndSNTemplate[] = {
     { SEC_ASN1_SEQUENCE,
 	  0, NULL, sizeof(CERTIssuerAndSN) },
     { SEC_ASN1_SAVE,
 	  offsetof(CERTIssuerAndSN,derIssuer) },
     { SEC_ASN1_INLINE,
 	  offsetof(CERTIssuerAndSN,issuer),
 	  CERT_NameTemplate },
     { SEC_ASN1_INTEGER,
 	  offsetof(CERTIssuerAndSN,serialNumber) },
     { 0 }
 };
 
-static const SEC_ASN1Template cert_KrlEntryTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTCrlEntry) },
-    { SEC_ASN1_OCTET_STRING,
-	  offsetof(CERTCrlEntry,serialNumber) },
-    { SEC_ASN1_UTC_TIME,
-	  offsetof(CERTCrlEntry,revocationDate) },
-    { 0 }
-};
-
 SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
 SEC_ASN1_MKSUB(CERT_TimeChoiceTemplate)
 
-static const SEC_ASN1Template cert_KrlTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTCrl) },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
-	  offsetof(CERTCrl,signatureAlg),
-	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { SEC_ASN1_SAVE,
-	  offsetof(CERTCrl,derName) },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTCrl,name),
-	  CERT_NameTemplate },
-    { SEC_ASN1_UTC_TIME,
-	  offsetof(CERTCrl,lastUpdate) },
-    { SEC_ASN1_UTC_TIME,
-	  offsetof(CERTCrl,nextUpdate) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
-	  offsetof(CERTCrl,entries),
-	  cert_KrlEntryTemplate },
-    { 0 }
-};
-
-static const SEC_ASN1Template cert_SignedKrlTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTSignedCrl) },
-    { SEC_ASN1_SAVE,
-	  offsetof(CERTSignedCrl,signatureWrap.data) },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTSignedCrl,crl),
-	  cert_KrlTemplate },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
-	  offsetof(CERTSignedCrl,signatureWrap.signatureAlgorithm),
-	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { SEC_ASN1_BIT_STRING,
-	  offsetof(CERTSignedCrl,signatureWrap.signature) },
-    { 0 }
-};
-
 static const SEC_ASN1Template cert_CrlKeyTemplate[] = {
     { SEC_ASN1_SEQUENCE,
 	  0, NULL, sizeof(CERTCrlKey) },
     { SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, offsetof(CERTCrlKey,dummy) },
     { SEC_ASN1_SKIP },
     { SEC_ASN1_ANY, offsetof(CERTCrlKey,derName) },
     { SEC_ASN1_SKIP_REST },
     { 0 }
@@ -465,17 +417,17 @@ SECStatus CERT_CompleteCRLDecodeEntries(
         if (rv != SECSuccess) {
             extended->badExtensions = PR_TRUE;
         }
     }
     return rv;
 }
 
 /*
- * take a DER CRL or KRL  and decode it into a CRL structure
+ * take a DER CRL and decode it into a CRL structure
  * allow reusing the input DER without making a copy
  */
 CERTSignedCrl *
 CERT_DecodeDERCrlWithFlags(PRArenaPool *narena, SECItem *derSignedCrl,
                           int type, PRInt32 options)
 {
     PRArenaPool *arena;
     CERTSignedCrl *crl;
@@ -573,21 +525,18 @@ CERT_DecodeDERCrlWithFlags(PRArenaPool *
 
         rv = cert_check_crl_entries(&crl->crl);
         if (rv != SECSuccess) {
             extended->badExtensions = PR_TRUE;
         }
 
         break;
 
-    case SEC_KRL_TYPE:
-	rv = SEC_QuickDERDecodeItem
-	     (arena, crl, cert_SignedKrlTemplate, derSignedCrl);
-	break;
     default:
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	rv = SECFailure;
 	break;
     }
 
     if (rv != SECSuccess) {
 	goto loser;
     }
 
@@ -609,17 +558,17 @@ loser:
     if ((narena == NULL) && arena ) {
 	PORT_FreeArena(arena, PR_FALSE);
     }
     
     return(0);
 }
 
 /*
- * take a DER CRL or KRL  and decode it into a CRL structure
+ * take a DER CRL and decode it into a CRL structure
  */
 CERTSignedCrl *
 CERT_DecodeDERCrl(PRArenaPool *narena, SECItem *derSignedCrl, int type)
 {
     return CERT_DecodeDERCrlWithFlags(narena, derSignedCrl, type,
                                       CRL_DECODE_DEFAULT_OPTIONS);
 }
 
@@ -711,16 +660,22 @@ crl_storeCRL (PK11SlotInfo *slot,char *u
 {
     CERTSignedCrl *oldCrl = NULL, *crl = NULL;
     PRBool deleteOldCrl = PR_FALSE;
     CK_OBJECT_HANDLE crlHandle = CK_INVALID_HANDLE;
     SECStatus rv;
 
     PORT_Assert(newCrl);
     PORT_Assert(derCrl);
+    PORT_Assert(type == SEC_CRL_TYPE);
+
+    if (type != SEC_CRL_TYPE) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
 
     /* we can't use the cache here because we must look in the same
        token */
     rv = SEC_FindCrlByKeyOnSlot(slot, &newCrl->crl.derName, type,
                                 &oldCrl, CRL_DECODE_SKIP_ENTRIES);
     /* if there is an old crl on the token, make sure the one we are
        installing is newer. If not, exit out, otherwise delete the
        old crl.
@@ -734,31 +689,17 @@ crl_storeCRL (PK11SlotInfo *slot,char *u
 	    crl->pkcs11ID = oldCrl->pkcs11ID;
 	    if (oldCrl->url && !url)
 	        url = oldCrl->url;
 	    if (url)
 		crl->url = PORT_ArenaStrdup(crl->arena, url);
 	    goto done;
 	}
         if (!SEC_CrlIsNewer(&newCrl->crl,&oldCrl->crl)) {
-
-            if (type == SEC_CRL_TYPE) {
-                PORT_SetError(SEC_ERROR_OLD_CRL);
-            } else {
-                PORT_SetError(SEC_ERROR_OLD_KRL);
-            }
-
-            goto done;
-        }
-
-        if ((SECITEM_CompareItem(&newCrl->crl.derName,
-                &oldCrl->crl.derName) != SECEqual) &&
-            (type == SEC_KRL_TYPE) ) {
-
-            PORT_SetError(SEC_ERROR_CKL_CONFLICT);
+            PORT_SetError(SEC_ERROR_OLD_CRL);
             goto done;
         }
 
         /* if we have a url in the database, use that one */
         if (oldCrl->url && !url) {
 	    url = oldCrl->url;
         }
 
--- a/security/nss/lib/certdb/genname.c
+++ b/security/nss/lib/certdb/genname.c
@@ -1680,121 +1680,16 @@ done:
 	badCert = (count >= 0) ? certsList[count] : cert;
     }
     if (pBadCert)
 	*pBadCert = badCert;
 
     return rv;
 }
 
-/* Search the cert for an X509_SUBJECT_ALT_NAME extension.
-** ASN1 Decode it into a list of alternate names.
-** Search the list of alternate names for one with the NETSCAPE_NICKNAME OID.
-** ASN1 Decode that name.  Turn the result into a zString.  
-** Look for duplicate nickname already in the certdb. 
-** If one is found, create a nickname string that is not a duplicate.
-*/
-char *
-CERT_GetNickName(CERTCertificate   *cert,
- 		 CERTCertDBHandle  *handle,
-		 PRArenaPool      *nicknameArena)
-{ 
-    CERTGeneralName  *current;
-    CERTGeneralName  *names;
-    char             *nickname   = NULL;
-    char             *returnName = NULL;
-    char             *basename   = NULL;
-    PRArenaPool      *arena      = NULL;
-    CERTCertificate  *tmpcert;
-    SECStatus        rv;
-    int              count;
-    int              found = 0;
-    SECItem          altNameExtension;
-    SECItem          nick;
-
-    if (handle == NULL) {
-	handle = CERT_GetDefaultCertDB();
-    }
-    altNameExtension.data = NULL;
-    rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, 
-				&altNameExtension);
-    if (rv != SECSuccess) { 
-	goto loser; 
-    }
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) {
-	goto loser;
-    }
-    names = CERT_DecodeAltNameExtension(arena, &altNameExtension);
-    if (names == NULL) {
-	goto loser;
-    } 
-    current = names;
-    do {
-	if (current->type == certOtherName && 
-	    SECOID_FindOIDTag(&current->name.OthName.oid) == 
-	      SEC_OID_NETSCAPE_NICKNAME) {
-	    found = 1;
-	    break;
-	}
-	current = CERT_GetNextGeneralName(current);
-    } while (current != names);
-    if (!found)
-    	goto loser;
-
-    rv = SEC_QuickDERDecodeItem(arena, &nick,
-                            SEC_ASN1_GET(SEC_IA5StringTemplate),
-			    &current->name.OthName.name);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-
-    /* make a null terminated string out of nick, with room enough at
-    ** the end to add on a number of up to 21 digits in length, (a signed
-    ** 64-bit number in decimal) plus a space and a "#". 
-    */
-    nickname = (char*)PORT_ZAlloc(nick.len + 24);
-    if (!nickname) 
-	goto loser;
-    PORT_Strncpy(nickname, (char *)nick.data, nick.len);
-
-    /* Don't let this cert's nickname duplicate one already in the DB.
-    ** If it does, create a variant of the nickname that doesn't.
-    */
-    count = 0;
-    while ((tmpcert = CERT_FindCertByNickname(handle, nickname)) != NULL) {
-	CERT_DestroyCertificate(tmpcert);
-	if (!basename) {
-	    basename = PORT_Strdup(nickname);
-	    if (!basename)
-		goto loser;
-	}
-	count++;
-	sprintf(nickname, "%s #%d", basename, count);
-    }
-
-    /* success */
-    if (nicknameArena) {
-	returnName =  PORT_ArenaStrdup(nicknameArena, nickname);
-    } else {
-	returnName = nickname;
-	nickname = NULL;
-    }
-loser:
-    if (arena != NULL) 
-	PORT_FreeArena(arena, PR_FALSE);
-    if (nickname)
-	PORT_Free(nickname);
-    if (basename)
-	PORT_Free(basename);
-    if (altNameExtension.data)
-    	PORT_Free(altNameExtension.data);
-    return returnName;
-}
-
 #if 0
 /* not exported from shared libs, not used.  Turn on if we ever need it. */
 SECStatus
 CERT_CompareGeneralName(CERTGeneralName *a, CERTGeneralName *b)
 {
     CERTGeneralName *currentA;
     CERTGeneralName *currentB;
     PRBool found;
--- a/security/nss/lib/certdb/manifest.mn
+++ b/security/nss/lib/certdb/manifest.mn
@@ -61,14 +61,12 @@ CSRCS = \
 	stanpcertdb.c \
 	polcyxtn.c \
 	secname.c \
 	xauthkid.c \
 	xbsconst.c \
 	xconst.c \
 	$(NULL)
 
-REQUIRES = dbm
-
 LIBRARY_NAME = certdb
 
 # This part of the code, including all sub-dirs, can be optimized for size
 export ALLOW_OPT_CODE_SIZE = 1
--- a/security/nss/lib/certhigh/certhtml.c
+++ b/security/nss/lib/certhigh/certhtml.c
@@ -32,17 +32,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * certhtml.c --- convert a cert to html
  *
- * $Id: certhtml.c,v 1.8.66.1 2010/08/28 19:49:28 nelson%bolyard.com Exp $
+ * $Id: certhtml.c,v 1.10 2010/08/28 18:00:28 nelson%bolyard.com Exp $
  */
 
 #include "seccomon.h"
 #include "secitem.h"
 #include "sechash.h"
 #include "cert.h"
 #include "keyhi.h"
 #include "secder.h"
--- a/security/nss/lib/certhigh/certvfy.c
+++ b/security/nss/lib/certhigh/certvfy.c
@@ -574,29 +574,53 @@ cert_VerifyCertChainOld(CERTCertDBHandle
 	        if (( flags & requiredFlags ) == requiredFlags) {
 	            /* we found a trusted one, so return */
 	            rv = rvFinal; 
 	            goto done;
 	        }
 	        if (flags & CERTDB_VALID_CA) {
 	            validCAOverride = PR_TRUE;
 	        }
+		/* is it explicitly distrusted? */
+		if ((flags & CERTDB_TERMINAL_RECORD) && 
+			((flags & (CERTDB_VALID_CA|CERTDB_TRUSTED)) == 0)) {
+		    /* untrusted -- the cert is explicitly untrusted, not
+		     * just that it doesn't chain to a trusted cert */
+		    PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
+		    LOG_ERROR_OR_EXIT(log,issuerCert,count+1,flags);
+		}
 	    } else {
                 /* Check if we have any valid trust when cheching for
                  * certUsageAnyCA or certUsageStatusResponder. */
                 for (trustType = trustSSL; trustType < trustTypeNone;
                      trustType++) {
                     flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
                     if ((flags & requiredFlags) == requiredFlags) {
 	                rv = rvFinal; 
 	                goto done;
                     }
                     if (flags & CERTDB_VALID_CA)
                         validCAOverride = PR_TRUE;
                 }
+		/* We have 2 separate loops because we want any single trust
+		 * bit to allow this usage to return trusted. Only if none of
+		 * the trust bits are on do we check to see if the cert is 
+		 * untrusted */
+                for (trustType = trustSSL; trustType < trustTypeNone;
+                     trustType++) {
+                    flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
+		    /* is it explicitly distrusted? */
+		    if ((flags & CERTDB_TERMINAL_RECORD) && 
+			((flags & (CERTDB_VALID_CA|CERTDB_TRUSTED)) == 0)) {
+			/* untrusted -- the cert is explicitly untrusted, not
+			 * just that it doesn't chain to a trusted cert */
+			PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
+			LOG_ERROR_OR_EXIT(log,issuerCert,count+1,flags);
+		    }
+                }
             }
         }
 
 	if (!validCAOverride) {
 	    /*
 	     * Make sure that if this is an intermediate CA in the chain that
 	     * it was given permission by its signer to be a CA.
 	     */
@@ -821,16 +845,24 @@ CERT_VerifyCACertForUsage(CERTCertDBHand
 	if ( ( flags & requiredFlags ) == requiredFlags) {
 	    /* we found a trusted one, so return */
 	    rv = rvFinal; 
 	    goto done;
 	}
 	if (flags & CERTDB_VALID_CA) {
 	    validCAOverride = PR_TRUE;
 	}
+	/* is it explicitly distrusted? */
+	if ((flags & CERTDB_TERMINAL_RECORD) && 
+		((flags & (CERTDB_VALID_CA|CERTDB_TRUSTED)) == 0)) {
+	    /* untrusted -- the cert is explicitly untrusted, not
+	     * just that it doesn't chain to a trusted cert */
+	    PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
+	    LOG_ERROR_OR_EXIT(log,cert,0,flags);
+	}
     }
     if (!validCAOverride) {
 	/*
 	 * Make sure that if this is an intermediate CA in the chain that
 	 * it was given permission by its signer to be a CA.
 	 */
 	/*
 	 * if basicConstraints says it is a ca, then we check the
@@ -885,16 +917,164 @@ done:
     } \
     if (PR_TRUE == requiredUsage) { \
         valid = SECFailure; \
     } \
     NEXT_USAGE(); \
 }
 
 /*
+ * check the leaf cert against trust and usage. 
+ *   returns success if the cert is not distrusted. If the cert is
+ *       trusted, then the trusted bool will be true.
+ *   returns failure if the cert is distrusted. If failure, flags
+ *       will return the flag bits that indicated distrust.
+ */
+SECStatus
+cert_CheckLeafTrust(CERTCertificate *cert, SECCertUsage certUsage,
+	            unsigned int *failedFlags, PRBool *trusted)
+{
+    unsigned int flags;
+
+    *failedFlags = 0;
+    *trusted = PR_FALSE;
+			
+    /* check trust flags to see if this cert is directly trusted */
+    if ( cert->trust ) { 
+	switch ( certUsage ) {
+	  case certUsageSSLClient:
+	  case certUsageSSLServer:
+	    flags = cert->trust->sslFlags;
+	    
+	    /* is the cert directly trusted or not trusted ? */
+	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
+						    * authoritative */
+		if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
+		    *trusted = PR_TRUE;
+		    return SECSuccess;
+		} else { /* don't trust this cert */
+		    *failedFlags = flags;
+		    return SECFailure;
+		}
+	    }
+	    break;
+	  case certUsageSSLServerWithStepUp:
+	    /* XXX - step up certs can't be directly trusted, only distrust */
+	    flags = cert->trust->sslFlags;
+	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
+						    * authoritative */
+		if (( flags & CERTDB_TRUSTED ) == 0) {	
+		    /* don't trust this cert */
+		    *failedFlags = flags;
+		    return SECFailure;
+		}
+	    }
+	    break;
+	  case certUsageSSLCA:
+	    flags = cert->trust->sslFlags;
+	    /* we probably should also not explicitly fail the cert 
+	     * if only the trusted DELEGATOR flag is set */
+	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
+						    * authoritative */
+		if (( flags & CERTDB_TRUSTED_CA ) == 0) {	
+		    /* don't trust this cert */
+		    *failedFlags = flags;
+		    return SECFailure;
+		}
+	    }
+	    break;
+	  case certUsageEmailSigner:
+	  case certUsageEmailRecipient:
+	    flags = cert->trust->emailFlags;
+	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
+						    * authoritative */
+		if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
+		    *trusted = PR_TRUE;
+		    return SECSuccess;
+		} 
+		else { /* don't trust this cert */
+		    *failedFlags = flags;
+		    return SECFailure;
+		}
+	    }
+	    
+	    break;
+	  case certUsageObjectSigner:
+	    flags = cert->trust->objectSigningFlags;
+
+	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
+						    * authoritative */
+		if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
+		    *trusted = PR_TRUE;
+		    return SECSuccess;
+		} else { /* don't trust this cert */
+		    *failedFlags = flags;
+		    return SECFailure;
+		}
+	    }
+	    break;
+	  case certUsageVerifyCA:
+	  case certUsageStatusResponder:
+	    flags = cert->trust->sslFlags;
+	    /* is the cert directly trusted or not trusted ? */
+	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
+		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
+		*trusted = PR_TRUE;
+		return SECSuccess;
+	    }
+	    flags = cert->trust->emailFlags;
+	    /* is the cert directly trusted or not trusted ? */
+	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
+		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
+		*trusted = PR_TRUE;
+		return SECSuccess;
+	    }
+	    flags = cert->trust->objectSigningFlags;
+	    /* is the cert directly trusted or not trusted ? */
+	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
+		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
+		*trusted = PR_TRUE;
+		return SECSuccess;
+	    }
+	    /* fall through to test distrust */
+	  case certUsageAnyCA:
+	  case certUsageUserCertImport:
+	    /* do we distrust these certs explicitly */
+	    flags = cert->trust->sslFlags;
+	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
+						    * authoritative */
+		if ((flags & CERTDB_TRUSTED_CA) == 0) {
+		    *failedFlags = flags;
+		    return SECFailure;
+		}
+	    }
+	    flags = cert->trust->emailFlags;
+	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
+						    * authoritative */
+		if ((flags & CERTDB_TRUSTED_CA) == 0) {
+		    *failedFlags = flags;
+		    return SECFailure;
+		}
+	    }
+	  case certUsageProtectedObjectSigner:
+	    flags = cert->trust->objectSigningFlags;
+	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
+						    * authoritative */
+		if ((flags & CERTDB_TRUSTED_CA) == 0) {
+		    *failedFlags = flags;
+		    return SECFailure;
+		}
+	    }
+	    break;
+	}
+    }
+    return SECSuccess;
+}
+
+/*
  * verify a certificate by checking if it's valid and that we
  * trust the issuer.
  *
  * certificateUsage contains a bitfield of all cert usages that are
  * required for verification to succeed
  *
  * a bitfield of cert usages is returned in *returnedUsages
  * if requiredUsages is non-zero, the returned bitmap is only
@@ -916,16 +1096,17 @@ CERT_VerifyCertificate(CERTCertDBHandle 
     SECCertTimeValidity validity;
     CERTStatusConfig *statusConfig;
     PRInt32 i;
     SECCertUsage certUsage = 0;
     PRBool checkedOCSP = PR_FALSE;
     PRBool checkAllUsages = PR_FALSE;
     PRBool revoked = PR_FALSE;
     PRBool sigerror = PR_FALSE;
+    PRBool trusted = PR_FALSE;
 
     if (!requiredUsages) {
         /* there are no required usages, so the user probably wants to
            get status for all usages */
         checkAllUsages = PR_TRUE;
     }
 
     if (returnedUsages) {
@@ -1003,101 +1184,31 @@ CERT_VerifyCertificate(CERTCertDBHandle 
         if ( !( certType & requiredCertType ) ) {
             if (PR_TRUE == requiredUsage) {
                 PORT_SetError(SEC_ERROR_INADEQUATE_CERT_TYPE);
             }
             LOG_ERROR(log,cert,0,requiredCertType);
             INVALID_USAGE();
         }
 
-        /* check trust flags to see if this cert is directly trusted */
-        if ( cert->trust ) { /* the cert is in the DB */
-            switch ( certUsage ) {
-              case certUsageSSLClient:
-              case certUsageSSLServer:
-                flags = cert->trust->sslFlags;
-
-                /* is the cert directly trusted or not trusted ? */
-                if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/
-                    if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
-                        VALID_USAGE();
-                    } else { /* don't trust this cert */
-                        if (PR_TRUE == requiredUsage) {
-                            PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
-                        }
-                        LOG_ERROR(log,cert,0,flags);
-                        INVALID_USAGE();
-                    }
-                }
-                break;
-              case certUsageSSLServerWithStepUp:
-                /* XXX - step up certs can't be directly trusted */
-                break;
-              case certUsageSSLCA:
-                break;
-              case certUsageEmailSigner:
-              case certUsageEmailRecipient:
-                flags = cert->trust->emailFlags;
-
-                /* is the cert directly trusted or not trusted ? */
-                if ( ( flags & ( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) ==
-                    ( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) {
-                    VALID_USAGE();
-                }
-                break;
-              case certUsageObjectSigner:
-                flags = cert->trust->objectSigningFlags;
+	rv = cert_CheckLeafTrust(cert, certUsage, &flags, &trusted);
+	if (rv == SECFailure) {
+	    if (PR_TRUE == requiredUsage) {
+		PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
+	    }
+	    LOG_ERROR(log, cert, 0, flags);
+	    INVALID_USAGE();
+	}
+	if (trusted) {
+	    VALID_USAGE();
+	}
 
-                /* is the cert directly trusted or not trusted ? */
-                if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/
-                    if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
-                        VALID_USAGE();
-                    } else { /* don't trust this cert */
-                        if (PR_TRUE == requiredUsage) {
-                            PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
-                        }
-                        LOG_ERROR(log,cert,0,flags);
-                        INVALID_USAGE();
-                    }
-                }
-                break;
-              case certUsageVerifyCA:
-              case certUsageStatusResponder:
-                flags = cert->trust->sslFlags;
-                /* is the cert directly trusted or not trusted ? */
-                if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
-                    ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
-                    VALID_USAGE();
-                }
-                flags = cert->trust->emailFlags;
-                /* is the cert directly trusted or not trusted ? */
-                if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
-                    ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
-                    VALID_USAGE();
-                }
-                flags = cert->trust->objectSigningFlags;
-                /* is the cert directly trusted or not trusted ? */
-                if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
-                    ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
-                    VALID_USAGE();
-                }
-                break;
-              case certUsageAnyCA:
-              case certUsageProtectedObjectSigner:
-              case certUsageUserCertImport:
-                /* XXX to make the compiler happy.  Should these be
-                 * explicitly handled?
-                 */
-                break;
-            }
-        }
-
-        if (PR_TRUE == revoked || PR_TRUE == sigerror) {
-            INVALID_USAGE();
-        }
+	if (PR_TRUE == revoked || PR_TRUE == sigerror) {
+	    INVALID_USAGE();
+	}
 
         rv = cert_VerifyCertChain(handle, cert,
             checkSig, &sigerror,
             certUsage, t, wincx, log,
             &revoked);
 
         if (rv != SECSuccess) {
             /* EXIT_IF_NOT_LOGGING(log); XXX ???? */
@@ -1141,16 +1252,17 @@ CERT_VerifyCert(CERTCertDBHandle *handle
 		PRBool checkSig, SECCertUsage certUsage, int64 t,
 		void *wincx, CERTVerifyLog *log)
 {
     SECStatus rv;
     unsigned int requiredKeyUsage;
     unsigned int requiredCertType;
     unsigned int flags;
     unsigned int certType;
+    PRBool       trusted;
     PRBool       allowOverride;
     SECCertTimeValidity validity;
     CERTStatusConfig *statusConfig;
    
 #ifdef notdef 
     /* check if this cert is in the Evil list */
     rv = CERT_CheckForEvilCert(cert);
     if ( rv != SECSuccess ) {
@@ -1207,91 +1319,25 @@ CERT_VerifyCert(CERTCertDBHandle *handle
 	PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
 	LOG_ERROR_OR_EXIT(log,cert,0,requiredKeyUsage);
     }
     if ( !( certType & requiredCertType ) ) {
 	PORT_SetError(SEC_ERROR_INADEQUATE_CERT_TYPE);
 	LOG_ERROR_OR_EXIT(log,cert,0,requiredCertType);
     }
 
-    /* check trust flags to see if this cert is directly trusted */
-    if ( cert->trust ) { /* the cert is in the DB */
-	switch ( certUsage ) {
-	  case certUsageSSLClient:
-	  case certUsageSSLServer:
-	    flags = cert->trust->sslFlags;
-	    
-	    /* is the cert directly trusted or not trusted ? */
-	    if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/
-		if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
-		    goto winner;
-		} else { /* don't trust this cert */
-		    PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
-		    LOG_ERROR_OR_EXIT(log,cert,0,flags);
-		}
-	    }
-	    break;
-	  case certUsageSSLServerWithStepUp:
-	    /* XXX - step up certs can't be directly trusted */
-	    break;
-	  case certUsageSSLCA:
-	    break;
-	  case certUsageEmailSigner:
-	  case certUsageEmailRecipient:
-	    flags = cert->trust->emailFlags;
-	    
-	    /* is the cert directly trusted or not trusted ? */
-	    if ( ( flags & ( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) ==
-		( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) {
-		goto winner;
-	    }
-	    break;
-	  case certUsageObjectSigner:
-	    flags = cert->trust->objectSigningFlags;
+    rv = cert_CheckLeafTrust(cert,certUsage, &flags, &trusted);
+    if (rv  == SECFailure) {
+	PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
+	LOG_ERROR_OR_EXIT(log,cert,0,flags);
+    }
+    if (trusted) {
+	goto winner;
+    }
 
-	    /* is the cert directly trusted or not trusted ? */
-	    if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/
-		if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
-		    goto winner;
-		} else { /* don't trust this cert */
-		    PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
-		    LOG_ERROR_OR_EXIT(log,cert,0,flags);
-		}
-	    }
-	    break;
-	  case certUsageVerifyCA:
-	  case certUsageStatusResponder:
-	    flags = cert->trust->sslFlags;
-	    /* is the cert directly trusted or not trusted ? */
-	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
-		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
-		goto winner;
-	    }
-	    flags = cert->trust->emailFlags;
-	    /* is the cert directly trusted or not trusted ? */
-	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
-		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
-		goto winner;
-	    }
-	    flags = cert->trust->objectSigningFlags;
-	    /* is the cert directly trusted or not trusted ? */
-	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
-		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
-		goto winner;
-	    }
-	    break;
-	  case certUsageAnyCA:
-	  case certUsageProtectedObjectSigner:
-	  case certUsageUserCertImport:
-	    /* XXX to make the compiler happy.  Should these be
-	     * explicitly handled?
-	     */
-	    break;
-	}
-    }
 
     rv = CERT_VerifyCertChain(handle, cert, checkSig, certUsage,
 			      t, wincx, log);
     if (rv != SECSuccess) {
 	EXIT_IF_NOT_LOGGING(log);
     }
 
     /*
--- a/security/nss/lib/certhigh/manifest.mn
+++ b/security/nss/lib/certhigh/manifest.mn
@@ -55,14 +55,12 @@ CSRCS = \
 	ocsp.c \
 	certhigh.c \
  	certvfy.c \
  	certvfypkix.c \
  	certvfypkixprint.c \
  	xcrldist.c \
 	$(NULL)
 
-REQUIRES = dbm
-
 LIBRARY_NAME = certhi
 
 # This part of the code, including all sub-dirs, can be optimized for size
 export ALLOW_OPT_CODE_SIZE = 1
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -34,17 +34,17 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * Implementation of OCSP services, for both client and server.
  * (XXX, really, mostly just for client right now, but intended to do both.)
  *
- * $Id: ocsp.c,v 1.65.2.1 2011/07/13 11:13:55 kaie%kuix.de Exp $
+ * $Id: ocsp.c,v 1.67 2011/08/10 12:31:52 kaie%kuix.de Exp $
  */
 
 #include "prerror.h"
 #include "prprf.h"
 #include "plarena.h"
 #include "prnetdb.h"
 
 #include "seccomon.h"
@@ -2945,36 +2945,42 @@ ocsp_SendEncodedRequest(char *location, 
 {
     char *hostname = NULL;
     char *path = NULL;
     PRUint16 port;
     SECStatus rv;
     PRFileDesc *sock = NULL;
     PRFileDesc *returnSock = NULL;
     char *header = NULL;
+    char portstr[16];
 
     /*
      * Take apart the location, getting the hostname, port, and path.
      */
     rv = ocsp_ParseURL(location, &hostname, &port, &path);
     if (rv != SECSuccess)
 	goto loser;
 
     PORT_Assert(hostname != NULL);
     PORT_Assert(path != NULL);
 
     sock = ocsp_ConnectToHost(hostname, port);
     if (sock == NULL)
 	goto loser;
 
+    portstr[0] = '\0';
+    if (port != 80) {
+        PR_snprintf(portstr, sizeof(portstr), ":%d", port);
+    }
+
     header = PR_smprintf("POST %s HTTP/1.0\r\n"
-			 "Host: %s:%d\r\n"
+			 "Host: %s%s\r\n"
 			 "Content-Type: application/ocsp-request\r\n"
 			 "Content-Length: %u\r\n\r\n",
-			 path, hostname, port, encodedRequest->len);
+			 path, hostname, portstr, encodedRequest->len);
     if (header == NULL)
 	goto loser;
 
     /*
      * The NSPR documentation promises that if it can, it will write the full
      * amount; this will not return a partial value expecting us to loop.
      */
     if (PR_Write(sock, header, (PRInt32) PORT_Strlen(header)) < 0)
--- a/security/nss/lib/certhigh/ocsp.h
+++ b/security/nss/lib/certhigh/ocsp.h
@@ -32,17 +32,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * Interface to the OCSP implementation.
  *
- * $Id: ocsp.h,v 1.17.2.1 2010/09/27 21:22:20 wtc%google.com Exp $
+ * $Id: ocsp.h,v 1.19 2011/01/15 19:47:11 nelson%bolyard.com Exp $
  */
 
 #ifndef _OCSP_H_
 #define _OCSP_H_
 
 
 #include "plarena.h"
 #include "seccomon.h"
@@ -583,17 +583,17 @@ extern SECStatus
 CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle,
 				      CERTCertificate *cert,
 				      PRTime time,
 				      SECItem *encodedResponse,
 				      void *pwArg);
 
 /*
  * FUNCTION: CERT_GetOCSPStatusForCertID
- *  Returns the OCSP status contained in the passed in paramter response
+ *  Returns the OCSP status contained in the passed in parameter response
  *  that corresponds to the certID passed in.
  * INPUTS:
  *  CERTCertDBHandle *handle
  *    certificate DB of the cert that is being checked
  *  CERTOCSPResponse *response
  *    the OCSP response we want to retrieve status from.
  *  CERTOCSPCertID *certID
  *    the ID we want to look for from the response.
--- a/security/nss/lib/ckfw/builtins/certdata.c
+++ b/security/nss/lib/ckfw/builtins/certdata.c
@@ -30,34 +30,34 @@
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: certdata.c,v $ $Revision: 1.67.2.10 $ $Date: 2011/08/01 06:40:03 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.67.2.10 $ $Date: 2011/08/01 06:40:03 $";
+static const char CVS_ID[] = "@(#) $RCSfile: certdata.c,v $ $Revision: 1.78 $ $Date: 2011/08/01 06:33:46 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.78 $ $Date: 2011/08/01 06:33:46 $";
 #endif /* DEBUG */
 
 #ifndef BUILTINS_H
 #include "builtins.h"
 #endif /* BUILTINS_H */
 
 static const CK_BBOOL ck_false = CK_FALSE;
 static const CK_BBOOL ck_true = CK_TRUE;
 static const CK_CERTIFICATE_TYPE ckc_x_509 = CKC_X_509;
 static const CK_OBJECT_CLASS cko_certificate = CKO_CERTIFICATE;
 static const CK_OBJECT_CLASS cko_data = CKO_DATA;
-static const CK_OBJECT_CLASS cko_netscape_builtin_root_list = CKO_NETSCAPE_BUILTIN_ROOT_LIST;
-static const CK_OBJECT_CLASS cko_netscape_trust = CKO_NETSCAPE_TRUST;
-static const CK_TRUST ckt_netscape_trust_unknown = CKT_NETSCAPE_TRUST_UNKNOWN;
-static const CK_TRUST ckt_netscape_trusted_delegator = CKT_NETSCAPE_TRUSTED_DELEGATOR;
-static const CK_TRUST ckt_netscape_untrusted = CKT_NETSCAPE_UNTRUSTED;
-static const CK_TRUST ckt_netscape_valid = CKT_NETSCAPE_VALID;
+static const CK_OBJECT_CLASS cko_nss_builtin_root_list = CKO_NSS_BUILTIN_ROOT_LIST;
+static const CK_OBJECT_CLASS cko_nss_trust = CKO_NSS_TRUST;
+static const CK_TRUST ckt_nss_must_verify_trust = CKT_NSS_MUST_VERIFY_TRUST;
+static const CK_TRUST ckt_nss_not_trusted = CKT_NSS_NOT_TRUSTED;
+static const CK_TRUST ckt_nss_trust_unknown = CKT_NSS_TRUST_UNKNOWN;
+static const CK_TRUST ckt_nss_trusted_delegator = CKT_NSS_TRUSTED_DELEGATOR;
 #ifdef DEBUG
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_0 [] = {
  CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_APPLICATION,  CKA_VALUE
 };
 #endif /* DEBUG */
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_1 [] = {
  CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL
 };
@@ -1048,21 +1048,21 @@ static const CK_ATTRIBUTE_TYPE nss_built
 #ifdef DEBUG
 static const NSSItem nss_builtins_items_0 [] = {
   { (void *)&cko_data, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"CVS ID", (PRUint32)7 },
   { (void *)"NSS", (PRUint32)4 },
-  { (void *)"@(#) $RCSfile: certdata.c,v $ $Revision: 1.67.2.10 $ $Date: 2011/08/01 06:40:03 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.67.2.10 $ $Date: 2011/08/01 06:40:03 $", (PRUint32)164 }
+  { (void *)"@(#) $RCSfile: certdata.c,v $ $Revision: 1.78 $ $Date: 2011/08/01 06:33:46 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.78 $ $Date: 2011/08/01 06:33:46 $", (PRUint32)160 }
 };
 #endif /* DEBUG */
 static const NSSItem nss_builtins_items_1 [] = {
-  { (void *)&cko_netscape_builtin_root_list, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_builtin_root_list, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Mozilla Builtin Roots", (PRUint32)22 }
 };
 static const NSSItem nss_builtins_items_2 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
@@ -1127,17 +1127,17 @@ static const NSSItem nss_builtins_items_
 "\334\364\166\125\175\233\143\124\030\351\360\352\363\134\261\331"
 "\213\102\036\271\300\225\116\272\372\325\342\174\365\150\141\277"
 "\216\354\005\227\137\133\260\327\243\205\064\304\044\247\015\017"
 "\225\223\357\313\224\330\236\037\235\134\205\155\307\252\256\117"
 "\037\042\265\315\225\255\272\247\314\371\253\013\172\177"
 , (PRUint32)606 }
 };
 static const NSSItem nss_builtins_items_3 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"GTE CyberTrust Global Root", (PRUint32)27 },
   { (void *)"\227\201\171\120\330\034\226\160\314\064\330\011\317\171\104\061"
 "\066\176\364\164"
 , (PRUint32)20 },
   { (void *)"\312\075\323\150\361\003\134\320\062\372\270\053\131\350\132\333"
@@ -1148,19 +1148,19 @@ static const NSSItem nss_builtins_items_
 "\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165"
 "\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156"
 "\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105"
 "\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142"
 "\141\154\040\122\157\157\164"
 , (PRUint32)119 },
   { (void *)"\002\002\001\245"
 , (PRUint32)4 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_4 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Thawte Server CA", (PRUint32)17 },
@@ -1244,17 +1244,17 @@ static const NSSItem nss_builtins_items_
 "\100\333\250\314\062\164\271\157\015\306\343\263\104\013\331\212"
 "\157\232\051\233\231\030\050\073\321\343\100\050\232\132\074\325"
 "\265\347\040\033\213\312\244\253\215\351\121\331\342\114\054\131"
 "\251\332\271\262\165\033\366\102\362\357\307\362\030\371\211\274"
 "\243\377\212\043\056\160\107"
 , (PRUint32)791 }
 };
 static const NSSItem nss_builtins_items_5 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Thawte Server CA", (PRUint32)17 },
   { (void *)"\043\345\224\224\121\225\362\101\110\003\264\325\144\322\243\243"
 "\365\330\213\214"
 , (PRUint32)20 },
   { (void *)"\305\160\304\242\355\123\170\014\310\020\123\201\144\313\320\035"
@@ -1270,19 +1270,19 @@ static const NSSItem nss_builtins_items_
 "\163\151\157\156\061\031\060\027\006\003\125\004\003\023\020\124"
 "\150\141\167\164\145\040\123\145\162\166\145\162\040\103\101\061"
 "\046\060\044\006\011\052\206\110\206\367\015\001\011\001\026\027"
 "\163\145\162\166\145\162\055\143\145\162\164\163\100\164\150\141"
 "\167\164\145\056\143\157\155"
 , (PRUint32)199 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_6 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Thawte Premium Server CA", (PRUint32)25 },
@@ -1369,17 +1369,17 @@ static const NSSItem nss_builtins_items_
 "\373\301\306\021\037\361\112\260\050\106\311\303\304\102\175\274"
 "\372\253\131\156\325\267\121\210\021\343\244\205\031\153\202\114"
 "\244\014\022\255\351\244\256\077\361\303\111\145\232\214\305\310"
 "\076\045\267\224\231\273\222\062\161\007\360\206\136\355\120\047"
 "\246\015\246\043\371\273\313\246\007\024\102"
 , (PRUint32)811 }
 };
 static const NSSItem nss_builtins_items_7 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Thawte Premium Server CA", (PRUint32)25 },
   { (void *)"\142\177\215\170\047\145\143\231\322\175\177\220\104\311\376\263"
 "\363\076\372\232"
 , (PRUint32)20 },
   { (void *)"\006\237\151\171\026\146\220\002\033\214\214\242\303\007\157\072"
@@ -1396,19 +1396,19 @@ static const NSSItem nss_builtins_items_
 "\150\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145"
 "\162\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110"
 "\206\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055"
 "\163\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157"
 "\155"
 , (PRUint32)209 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_8 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Equifax Secure CA", (PRUint32)18 },
@@ -1477,17 +1477,17 @@ static const NSSItem nss_builtins_items_
 "\052\247\043\111\001\004\206\102\173\374\356\177\242\026\122\265"
 "\147\147\323\100\333\073\046\130\262\050\167\075\256\024\167\141"
 "\326\372\052\146\047\240\015\372\247\163\134\352\160\361\224\041"
 "\145\104\137\372\374\357\051\150\251\242\207\171\357\171\357\117"
 "\254\007\167\070"
 , (PRUint32)804 }
 };
 static const NSSItem nss_builtins_items_9 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Equifax Secure CA", (PRUint32)18 },
   { (void *)"\322\062\011\255\043\323\024\043\041\164\344\015\177\235\142\023"
 "\227\206\143\072"
 , (PRUint32)20 },
   { (void *)"\147\313\235\300\023\044\212\202\233\262\027\036\321\033\354\324"
@@ -1495,19 +1495,19 @@ static const NSSItem nss_builtins_items_
   { (void *)"\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
 "\020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141"
 "\170\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151"
 "\146\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151"
 "\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171"
 , (PRUint32)80 },
   { (void *)"\002\004\065\336\364\317"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_10 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Digital Signature Trust Co. Global CA 1", (PRUint32)40 },
@@ -1576,17 +1576,17 @@ static const NSSItem nss_builtins_items_
 "\356\202\213\061\052\223\066\205\043\210\212\074\003\150\323\311"
 "\011\017\115\374\154\244\332\050\162\223\016\211\200\260\175\376"
 "\200\157\145\155\030\063\227\213\302\153\211\356\140\075\310\233"
 "\357\177\053\062\142\163\223\313\074\343\173\342\166\170\105\274"
 "\241\223\004\273\206\237\072\133\103\172\303\212\145"
 , (PRUint32)813 }
 };
 static const NSSItem nss_builtins_items_11 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Digital Signature Trust Co. Global CA 1", (PRUint32)40 },
   { (void *)"\201\226\213\072\357\034\334\160\365\372\062\151\302\222\243\143"
 "\133\321\043\323"
 , (PRUint32)20 },
   { (void *)"\045\172\272\203\056\266\242\013\332\376\365\002\017\010\327\255"
@@ -1594,19 +1594,19 @@ static const NSSItem nss_builtins_items_
   { (void *)"\060\106\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
 "\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141"
 "\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163"
 "\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010"
 "\104\123\124\103\101\040\105\061"
 , (PRUint32)72 },
   { (void *)"\002\004\066\160\025\226"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_12 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Digital Signature Trust Co. Global CA 3", (PRUint32)40 },
@@ -1675,17 +1675,17 @@ static const NSSItem nss_builtins_items_
 "\143\335\136\247\342\272\237\365\367\115\245\061\173\234\051\055"
 "\114\376\144\076\354\266\123\376\352\233\355\202\333\164\165\113"
 "\007\171\156\036\330\031\203\163\336\365\076\320\265\336\347\113"
 "\150\175\103\056\052\040\341\176\240\170\104\236\010\365\230\371"
 "\307\177\033\033\326\006\040\002\130\241\303\242\003"
 , (PRUint32)813 }
 };
 static const NSSItem nss_builtins_items_13 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Digital Signature Trust Co. Global CA 3", (PRUint32)40 },
   { (void *)"\253\110\363\063\333\004\253\271\300\162\332\133\014\301\320\127"
 "\360\066\233\106"
 , (PRUint32)20 },
   { (void *)"\223\302\216\021\173\324\363\003\031\275\050\165\023\112\105\112"
@@ -1693,19 +1693,19 @@ static const NSSItem nss_builtins_items_
   { (void *)"\060\106\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
 "\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141"
 "\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163"
 "\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010"
 "\104\123\124\103\101\040\105\062"
 , (PRUint32)72 },
   { (void *)"\002\004\066\156\323\316"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_14 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 1 Public Primary Certification Authority", (PRUint32)56 },
@@ -1765,17 +1765,17 @@ static const NSSItem nss_builtins_items_
 "\361\202\042\135\270\261\335\201\043\243\173\045\025\106\060\171"
 "\026\370\352\005\113\224\177\035\302\034\310\343\267\364\020\100"
 "\074\023\303\137\037\123\350\110\344\206\264\173\241\065\260\173"
 "\045\272\270\323\216\253\077\070\235\000\064\000\230\363\321\161"
 "\224"
 , (PRUint32)577 }
 };
 static const NSSItem nss_builtins_items_15 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 1 Public Primary Certification Authority", (PRUint32)56 },
   { (void *)"\220\256\242\151\205\377\024\200\114\103\111\122\354\351\140\204"
 "\167\257\125\157"
 , (PRUint32)20 },
   { (void *)"\227\140\350\127\137\323\120\107\345\103\014\224\066\212\260\142"
@@ -1786,19 +1786,19 @@ static const NSSItem nss_builtins_items_
 "\013\023\056\103\154\141\163\163\040\061\040\120\165\142\154\151"
 "\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
 "\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
 "\171"
 , (PRUint32)97 },
   { (void *)"\002\021\000\315\272\177\126\360\337\344\274\124\376\042\254\263"
 "\162\252\125"
 , (PRUint32)19 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_16 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 2 Public Primary Certification Authority", (PRUint32)56 },
@@ -1857,17 +1857,17 @@ static const NSSItem nss_builtins_items_
 "\025\021\151\257\235\142\215\243\003\124\153\246\276\345\356\005"
 "\030\140\004\277\102\200\375\320\250\250\036\001\073\367\243\134"
 "\257\243\334\346\046\200\043\074\270\104\164\367\012\256\111\213"
 "\141\170\314\044\277\210\212\247\016\352\163\031\101\375\115\003"
 "\360\210\321\345\170\215\245\052\117\366\227\015\027\167\312\330"
 , (PRUint32)576 }
 };
 static const NSSItem nss_builtins_items_17 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 2 Public Primary Certification Authority", (PRUint32)56 },
   { (void *)"\147\202\252\340\355\356\342\032\130\071\323\300\315\024\150\012"
 "\117\140\024\052"
 , (PRUint32)20 },
   { (void *)"\263\234\045\261\303\056\062\123\200\025\060\235\115\002\167\076"
@@ -1878,19 +1878,19 @@ static const NSSItem nss_builtins_items_
 "\013\023\056\103\154\141\163\163\040\062\040\120\165\142\154\151"
 "\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
 "\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
 "\171"
 , (PRUint32)97 },
   { (void *)"\002\020\055\033\374\112\027\215\243\221\353\347\377\365\213\105"
 "\276\013"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_18 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 3 Public Primary Certification Authority", (PRUint32)56 },
@@ -1949,17 +1949,17 @@ static const NSSItem nss_builtins_items_
 "\326\046\300\166\001\127\201\222\136\041\361\321\261\377\347\320"
 "\041\130\315\151\027\343\104\034\234\031\104\071\211\134\334\234"
 "\000\017\126\215\002\231\355\242\220\105\114\344\273\020\244\075"
 "\360\062\003\016\361\316\370\350\311\121\214\346\142\237\346\237"
 "\300\175\267\162\234\311\066\072\153\237\116\250\377\144\015\144"
 , (PRUint32)576 }
 };
 static const NSSItem nss_builtins_items_19 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 3 Public Primary Certification Authority", (PRUint32)56 },
   { (void *)"\164\054\061\222\346\007\344\044\353\105\111\124\053\341\273\305"
 "\076\141\164\342"
 , (PRUint32)20 },
   { (void *)"\020\374\143\135\366\046\076\015\363\045\276\137\171\315\147\147"
@@ -1970,19 +1970,19 @@ static const NSSItem nss_builtins_items_
 "\013\023\056\103\154\141\163\163\040\063\040\120\165\142\154\151"
 "\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
 "\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
 "\171"
 , (PRUint32)97 },
   { (void *)"\002\020\160\272\344\035\020\331\051\064\266\070\312\173\003\314"
 "\272\277"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_20 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 1 Public Primary Certification Authority - G2", (PRUint32)61 },
@@ -2066,17 +2066,17 @@ static const NSSItem nss_builtins_items_
 "\212\265\335\117\303\233\023\165\270\001\300\346\311\133\153\245"
 "\270\211\334\254\244\335\162\355\116\241\367\117\274\006\323\352"
 "\310\144\164\173\302\225\101\234\145\163\130\361\220\232\074\152"
 "\261\230\311\304\207\274\317\105\155\105\342\156\042\077\376\274"
 "\017\061\134\350\362\331"
 , (PRUint32)774 }
 };
 static const NSSItem nss_builtins_items_21 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 1 Public Primary Certification Authority - G2", (PRUint32)61 },
   { (void *)"\047\076\341\044\127\375\304\371\014\125\350\053\126\026\177\142"
 "\365\062\345\107"
 , (PRUint32)20 },
   { (void *)"\333\043\075\371\151\372\113\271\225\200\104\163\136\175\101\203"
@@ -2093,19 +2093,19 @@ static const NSSItem nss_builtins_items_
 "\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
 "\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
 "\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
 "\167\157\162\153"
 , (PRUint32)196 },
   { (void *)"\002\020\114\307\352\252\230\076\161\323\223\020\370\075\072\211"
 "\221\222"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_22 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 2 Public Primary Certification Authority - G2", (PRUint32)61 },
@@ -2189,17 +2189,17 @@ static const NSSItem nss_builtins_items_
 "\151\157\162\332\154\256\010\360\143\222\067\346\273\304\060\027"
 "\255\167\314\111\065\252\317\330\217\321\276\267\030\226\107\163"
 "\152\124\042\064\144\055\266\026\233\131\133\264\121\131\072\263"
 "\013\024\364\022\337\147\240\364\255\062\144\136\261\106\162\047"
 "\214\022\173\305\104\264\256"
 , (PRUint32)775 }
 };
 static const NSSItem nss_builtins_items_23 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 2 Public Primary Certification Authority - G2", (PRUint32)61 },
   { (void *)"\263\352\304\107\166\311\310\034\352\362\235\225\266\314\240\010"
 "\033\147\354\235"
 , (PRUint32)20 },
   { (void *)"\055\273\345\045\323\321\145\202\072\267\016\372\346\353\342\341"
@@ -2216,19 +2216,19 @@ static const NSSItem nss_builtins_items_
 "\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
 "\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
 "\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
 "\167\157\162\153"
 , (PRUint32)196 },
   { (void *)"\002\021\000\271\057\140\314\210\237\241\172\106\011\270\133\160"
 "\154\212\257"
 , (PRUint32)19 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_24 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 3 Public Primary Certification Authority - G2", (PRUint32)61 },
@@ -2312,17 +2312,17 @@ static const NSSItem nss_builtins_items_
 "\271\021\144\164\314\265\163\237\034\110\251\274\141\001\356\342"
 "\027\246\014\343\100\010\073\016\347\353\104\163\052\232\361\151"
 "\222\357\161\024\303\071\254\161\247\221\011\157\344\161\006\263"
 "\272\131\127\046\171\000\366\370\015\242\063\060\050\324\252\130"
 "\240\235\235\151\221\375"
 , (PRUint32)774 }
 };
 static const NSSItem nss_builtins_items_25 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 3 Public Primary Certification Authority - G2", (PRUint32)61 },
   { (void *)"\205\067\034\246\345\120\024\075\316\050\003\107\033\336\072\011"
 "\350\370\167\017"
 , (PRUint32)20 },
   { (void *)"\242\063\233\114\164\170\163\324\154\347\301\363\215\313\134\351"
@@ -2339,19 +2339,19 @@ static const NSSItem nss_builtins_items_
 "\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
 "\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
 "\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
 "\167\157\162\153"
 , (PRUint32)196 },
   { (void *)"\002\020\175\331\376\007\317\250\036\267\020\171\147\373\247\211"
 "\064\306"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_26 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 4 Public Primary Certification Authority - G2", (PRUint32)61 },
@@ -2435,17 +2435,17 @@ static const NSSItem nss_builtins_items_
 "\166\065\226\011\250\131\235\271\316\043\253\164\326\203\375\062"
 "\163\047\330\151\076\103\164\366\256\305\211\232\347\123\174\351"
 "\173\366\113\363\301\145\203\336\215\212\234\074\210\215\071\131"
 "\374\252\077\042\215\241\301\146\120\201\162\114\355\042\144\117"
 "\117\312\200\221\266\051"
 , (PRUint32)774 }
 };
 static const NSSItem nss_builtins_items_27 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 4 Public Primary Certification Authority - G2", (PRUint32)61 },
   { (void *)"\013\167\276\273\313\172\242\107\005\336\314\017\275\152\002\374"
 "\172\275\233\122"
 , (PRUint32)20 },
   { (void *)"\046\155\054\031\230\266\160\150\070\120\124\031\354\220\064\140"
@@ -2462,19 +2462,19 @@ static const NSSItem nss_builtins_items_
 "\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
 "\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
 "\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
 "\167\157\162\153"
 , (PRUint32)196 },
   { (void *)"\002\020\062\210\216\232\322\365\353\023\107\370\177\304\040\067"
 "\045\370"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_28 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"GlobalSign Root CA", (PRUint32)19 },
@@ -2550,17 +2550,17 @@ static const NSSItem nss_builtins_items_
 "\014\252\202\344\231\121\335\160\267\333\126\075\141\344\152\341"
 "\134\326\366\376\075\336\101\314\007\256\143\122\277\123\123\364"
 "\053\351\307\375\266\367\202\137\205\322\101\030\333\201\263\004"
 "\034\305\037\244\200\157\025\040\311\336\014\210\012\035\326\146"
 "\125\342\374\110\311\051\046\151\340"
 , (PRUint32)889 }
 };
 static const NSSItem nss_builtins_items_29 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"GlobalSign Root CA", (PRUint32)19 },
   { (void *)"\261\274\226\213\324\364\235\142\052\250\232\201\362\025\001\122"
 "\244\035\202\234"
 , (PRUint32)20 },
   { (void *)"\076\105\122\025\011\121\222\341\267\135\067\237\261\207\051\212"
@@ -2569,19 +2569,19 @@ static const NSSItem nss_builtins_items_
 "\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154"
 "\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003"
 "\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031"
 "\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147"
 "\156\040\122\157\157\164\040\103\101"
 , (PRUint32)89 },
   { (void *)"\002\013\004\000\000\000\000\001\025\113\132\303\224"
 , (PRUint32)13 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_30 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"GlobalSign Root CA - R2", (PRUint32)24 },
@@ -2659,17 +2659,17 @@ static const NSSItem nss_builtins_items_
 "\301\377\357\253\156\040\304\120\311\137\235\115\233\027\214\014"
 "\345\001\311\240\101\152\163\123\372\245\120\264\156\045\017\373"
 "\114\030\364\375\122\331\216\151\261\350\021\017\336\210\330\373"
 "\035\111\367\252\336\225\317\040\170\302\140\022\333\045\100\214"
 "\152\374\176\102\070\100\144\022\367\236\201\341\223\056"
 , (PRUint32)958 }
 };
 static const NSSItem nss_builtins_items_31 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"GlobalSign Root CA - R2", (PRUint32)24 },
   { (void *)"\165\340\253\266\023\205\022\047\034\004\370\137\335\336\070\344"
 "\267\044\056\376"
 , (PRUint32)20 },
   { (void *)"\224\024\167\176\076\136\375\217\060\275\101\260\317\347\320\060"
@@ -2677,19 +2677,19 @@ static const NSSItem nss_builtins_items_
   { (void *)"\060\114\061\040\060\036\006\003\125\004\013\023\027\107\154\157"
 "\142\141\154\123\151\147\156\040\122\157\157\164\040\103\101\040"
 "\055\040\122\062\061\023\060\021\006\003\125\004\012\023\012\107"
 "\154\157\142\141\154\123\151\147\156\061\023\060\021\006\003\125"
 "\004\003\023\012\107\154\157\142\141\154\123\151\147\156"
 , (PRUint32)78 },
   { (void *)"\002\013\004\000\000\000\000\001\017\206\046\346\015"
 , (PRUint32)13 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_32 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"ValiCert Class 1 VA", (PRUint32)20 },
@@ -2768,17 +2768,17 @@ static const NSSItem nss_builtins_items_
 "\043\313\050\201\062\303\000\171\030\354\131\027\211\311\306\152"
 "\036\161\311\375\267\164\245\045\105\151\305\110\253\031\341\105"
 "\212\045\153\031\356\345\273\022\365\177\367\246\215\121\303\360"
 "\235\164\267\251\076\240\245\377\266\111\003\023\332\042\314\355"
 "\161\202\053\231\317\072\267\365\055\162\310"
 , (PRUint32)747 }
 };
 static const NSSItem nss_builtins_items_33 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"ValiCert Class 1 VA", (PRUint32)20 },
   { (void *)"\345\337\164\074\266\001\304\233\230\103\334\253\214\350\152\201"
 "\020\237\344\216"
 , (PRUint32)20 },
   { (void *)"\145\130\253\025\255\127\154\036\250\247\265\151\254\277\377\353"
@@ -2793,19 +2793,19 @@ static const NSSItem nss_builtins_items_
 "\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125"
 "\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166"
 "\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036"
 "\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146"
 "\157\100\166\141\154\151\143\145\162\164\056\143\157\155"
 , (PRUint32)190 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_34 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"ValiCert Class 2 VA", (PRUint32)20 },
@@ -2884,17 +2884,17 @@ static const NSSItem nss_builtins_items_
 "\041\201\031\240\062\111\050\364\304\216\126\325\122\063\375\120"
 "\325\176\231\154\003\344\311\114\374\313\154\253\146\263\112\041"
 "\214\345\265\014\062\076\020\262\314\154\241\334\232\230\114\002"
 "\133\363\316\271\236\245\162\016\112\267\077\074\346\026\150\370"
 "\276\355\164\114\274\133\325\142\037\103\335"
 , (PRUint32)747 }
 };
 static const NSSItem nss_builtins_items_35 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"ValiCert Class 2 VA", (PRUint32)20 },
   { (void *)"\061\172\052\320\177\053\063\136\365\241\303\116\113\127\350\267"
 "\330\361\374\246"
 , (PRUint32)20 },
   { (void *)"\251\043\165\233\272\111\066\156\061\302\333\362\347\146\272\207"
@@ -2909,19 +2909,19 @@ static const NSSItem nss_builtins_items_
 "\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125"
 "\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166"
 "\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036"
 "\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146"
 "\157\100\166\141\154\151\143\145\162\164\056\143\157\155"
 , (PRUint32)190 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_36 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"RSA Root Certificate 1", (PRUint32)23 },
@@ -3000,17 +3000,17 @@ static const NSSItem nss_builtins_items_
 "\237\105\256\074\212\251\260\161\063\135\310\305\127\337\257\250"
 "\065\263\177\211\207\351\350\045\222\270\177\205\172\256\326\274"
 "\036\067\130\052\147\311\221\317\052\201\076\355\306\071\337\300"
 "\076\031\234\031\314\023\115\202\101\265\214\336\340\075\140\010"
 "\040\017\105\176\153\242\177\243\214\025\356"
 , (PRUint32)747 }
 };
 static const NSSItem nss_builtins_items_37 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"RSA Root Certificate 1", (PRUint32)23 },
   { (void *)"\151\275\214\364\234\323\000\373\131\056\027\223\312\125\152\363"
 "\354\252\065\373"
 , (PRUint32)20 },
   { (void *)"\242\157\123\267\356\100\333\112\150\347\372\030\331\020\113\162"
@@ -3025,19 +3025,19 @@ static const NSSItem nss_builtins_items_
 "\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125"
 "\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166"
 "\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036"
 "\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146"
 "\157\100\166\141\154\151\143\145\162\164\056\143\157\155"
 , (PRUint32)190 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_38 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 1 Public Primary Certification Authority - G3", (PRUint32)61 },
@@ -3138,17 +3138,17 @@ static const NSSItem nss_builtins_items_
 "\274\070\335\260\056\021\261\153\262\102\314\232\274\371\110\042"
 "\171\112\031\017\262\034\076\040\164\331\152\303\276\362\050\170"
 "\023\126\171\117\155\120\352\033\260\265\127\261\067\146\130\043"
 "\363\334\017\337\012\207\304\357\206\005\325\070\024\140\231\243"
 "\113\336\006\226\161\054\362\333\266\037\244\357\077\356"
 , (PRUint32)1054 }
 };
 static const NSSItem nss_builtins_items_39 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 1 Public Primary Certification Authority - G3", (PRUint32)61 },
   { (void *)"\040\102\205\334\367\353\166\101\225\127\216\023\153\324\267\321"
 "\351\216\106\245"
 , (PRUint32)20 },
   { (void *)"\261\107\274\030\127\321\030\240\170\055\354\161\350\052\225\163"
@@ -3165,19 +3165,19 @@ static const NSSItem nss_builtins_items_
 "\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
 "\061\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
 "\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
 "\165\164\150\157\162\151\164\171\040\055\040\107\063"
 , (PRUint32)205 },
   { (void *)"\002\021\000\213\133\165\126\204\124\205\013\000\317\257\070\110"
 "\316\261\244"
 , (PRUint32)19 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_40 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 2 Public Primary Certification Authority - G3", (PRUint32)61 },
@@ -3278,17 +3278,17 @@ static const NSSItem nss_builtins_items_
 "\106\043\071\124\365\216\142\011\004\035\224\220\246\233\346\045"
 "\342\102\105\252\270\220\255\276\010\217\251\013\102\030\224\317"
 "\162\071\341\261\103\340\050\317\267\347\132\154\023\153\111\263"
 "\377\343\030\174\211\213\063\135\254\063\327\247\371\332\072\125"
 "\311\130\020\371\252\357\132\266\317\113\113\337\052"
 , (PRUint32)1053 }
 };
 static const NSSItem nss_builtins_items_41 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 2 Public Primary Certification Authority - G3", (PRUint32)61 },
   { (void *)"\141\357\103\327\177\312\324\141\121\274\230\340\303\131\022\257"
 "\237\353\143\021"
 , (PRUint32)20 },
   { (void *)"\370\276\304\143\042\311\250\106\164\213\270\035\036\112\053\366"
@@ -3305,19 +3305,19 @@ static const NSSItem nss_builtins_items_
 "\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
 "\062\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
 "\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
 "\165\164\150\157\162\151\164\171\040\055\040\107\063"
 , (PRUint32)205 },
   { (void *)"\002\020\141\160\313\111\214\137\230\105\051\347\260\246\331\120"
 "\133\172"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_42 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 3 Public Primary Certification Authority - G3", (PRUint32)61 },
@@ -3418,17 +3418,17 @@ static const NSSItem nss_builtins_items_
 "\124\000\317\360\361\301\307\230\060\032\073\066\026\333\243\156"
 "\352\375\255\262\302\332\357\002\107\023\212\300\361\263\061\255"
 "\117\034\341\117\234\257\017\014\235\367\170\015\330\364\065\126"
 "\200\332\267\155\027\217\235\036\201\144\341\376\305\105\272\255"
 "\153\271\012\172\116\117\113\204\356\113\361\175\335\021"
 , (PRUint32)1054 }
 };
 static const NSSItem nss_builtins_items_43 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 3 Public Primary Certification Authority - G3", (PRUint32)61 },
   { (void *)"\023\055\015\105\123\113\151\227\315\262\325\303\071\342\125\166"
 "\140\233\134\306"
 , (PRUint32)20 },
   { (void *)"\315\150\266\247\307\304\316\165\340\035\117\127\104\141\222\011"
@@ -3445,19 +3445,19 @@ static const NSSItem nss_builtins_items_
 "\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
 "\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
 "\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
 "\165\164\150\157\162\151\164\171\040\055\040\107\063"
 , (PRUint32)205 },
   { (void *)"\002\021\000\233\176\006\111\243\076\142\271\325\356\220\110\161"
 "\051\357\127"
 , (PRUint32)19 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_44 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 4 Public Primary Certification Authority - G3", (PRUint32)61 },
@@ -3558,17 +3558,17 @@ static const NSSItem nss_builtins_items_
 "\056\203\106\110\262\327\040\137\222\066\217\347\171\017\230\136"
 "\231\350\360\320\244\273\365\123\275\052\316\131\260\257\156\177"
 "\154\273\322\036\000\260\041\355\370\101\142\202\271\330\262\304"
 "\273\106\120\363\061\305\217\001\250\164\353\365\170\047\332\347"
 "\367\146\103\363\236\203\076\040\252\303\065\140\221\316"
 , (PRUint32)1054 }
 };
 static const NSSItem nss_builtins_items_45 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 4 Public Primary Certification Authority - G3", (PRUint32)61 },
   { (void *)"\310\354\214\207\222\151\313\113\253\071\351\215\176\127\147\363"
 "\024\225\163\235"
 , (PRUint32)20 },
   { (void *)"\333\310\362\047\056\261\352\152\051\043\135\376\126\076\063\337"
@@ -3585,19 +3585,19 @@ static const NSSItem nss_builtins_items_
 "\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
 "\064\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
 "\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
 "\165\164\150\157\162\151\164\171\040\055\040\107\063"
 , (PRUint32)205 },
   { (void *)"\002\021\000\354\240\247\213\156\165\152\001\317\304\174\314\057"
 "\224\136\327"
 , (PRUint32)19 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_46 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Entrust.net Secure Server CA", (PRUint32)29 },
@@ -3709,17 +3709,17 @@ static const NSSItem nss_builtins_items_
 "\310\061\306\347\356\077\343\127\165\204\172\021\357\106\117\030"
 "\364\323\230\273\250\207\062\272\162\366\074\342\075\237\327\035"
 "\331\303\140\103\214\130\016\042\226\057\142\243\054\037\272\255"
 "\005\357\253\062\170\207\240\124\163\031\265\134\005\371\122\076"
 "\155\055\105\013\367\012\223\352\355\006\371\262"
 , (PRUint32)1244 }
 };
 static const NSSItem nss_builtins_items_47 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Entrust.net Secure Server CA", (PRUint32)29 },
   { (void *)"\231\246\233\346\032\376\210\153\115\053\202\000\174\270\124\374"
 "\061\176\025\071"
 , (PRUint32)20 },
   { (void *)"\337\362\200\163\314\361\346\141\163\374\365\102\351\305\174\356"
@@ -3735,19 +3735,19 @@ static const NSSItem nss_builtins_items_
 "\145\164\040\114\151\155\151\164\145\144\061\072\060\070\006\003"
 "\125\004\003\023\061\105\156\164\162\165\163\164\056\156\145\164"
 "\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103"
 "\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164"
 "\150\157\162\151\164\171"
 , (PRUint32)198 },
   { (void *)"\002\004\067\112\322\103"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_48 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Entrust.net Premium 2048 Secure Server CA", (PRUint32)42 },
@@ -3849,17 +3849,17 @@ static const NSSItem nss_builtins_items_
 "\017\025\316\030\260\205\170\041\117\153\117\016\372\066\147\315"
 "\007\362\377\010\320\342\336\331\277\052\257\270\207\206\041\074"
 "\004\312\267\224\150\177\317\074\351\230\327\070\377\354\300\331"
 "\120\360\056\113\130\256\106\157\320\056\303\140\332\162\125\162"
 "\275\114\105\236\141\272\277\204\201\222\003\321\322\151\174\305"
 , (PRUint32)1120 }
 };
 static const NSSItem nss_builtins_items_49 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Entrust.net Premium 2048 Secure Server CA", (PRUint32)42 },
   { (void *)"\200\035\142\320\173\104\235\134\134\003\134\230\352\141\372\104"
 "\074\052\130\376"
 , (PRUint32)20 },
   { (void *)"\272\041\352\040\326\335\333\217\301\127\213\100\255\241\374\374"
@@ -3874,19 +3874,19 @@ static const NSSItem nss_builtins_items_
 "\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164"
 "\145\144\061\063\060\061\006\003\125\004\003\023\052\105\156\164"
 "\162\165\163\164\056\156\145\164\040\103\145\162\164\151\146\151"
 "\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171"
 "\040\050\062\060\064\070\051"
 , (PRUint32)183 },
   { (void *)"\002\004\070\143\271\146"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_50 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Baltimore CyberTrust Root", (PRUint32)26 },
@@ -3962,17 +3962,17 @@ static const NSSItem nss_builtins_items_
 "\222\302\342\343\026\215\232\062\002\253\216\030\335\351\020\021"
 "\356\176\065\253\220\257\076\060\224\172\320\063\075\247\145\017"
 "\365\374\216\236\142\317\107\104\054\001\135\273\035\265\062\322"
 "\107\322\070\056\320\376\201\334\062\152\036\265\356\074\325\374"
 "\347\201\035\031\303\044\102\352\143\071\251"
 , (PRUint32)891 }
 };
 static const NSSItem nss_builtins_items_51 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Baltimore CyberTrust Root", (PRUint32)26 },
   { (void *)"\324\336\040\320\136\146\374\123\376\032\120\210\054\170\333\050"
 "\122\312\344\164"
 , (PRUint32)20 },
   { (void *)"\254\266\224\245\234\027\340\327\221\122\233\261\227\006\246\344"
@@ -3981,19 +3981,19 @@ static const NSSItem nss_builtins_items_
 "\022\060\020\006\003\125\004\012\023\011\102\141\154\164\151\155"
 "\157\162\145\061\023\060\021\006\003\125\004\013\023\012\103\171"
 "\142\145\162\124\162\165\163\164\061\042\060\040\006\003\125\004"
 "\003\023\031\102\141\154\164\151\155\157\162\145\040\103\171\142"
 "\145\162\124\162\165\163\164\040\122\157\157\164"
 , (PRUint32)92 },
   { (void *)"\002\004\002\000\000\271"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_52 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Equifax Secure Global eBusiness CA", (PRUint32)35 },
@@ -4055,17 +4055,17 @@ static const NSSItem nss_builtins_items_
 "\243\100\342\001\212\357\047\007\361\145\001\212\104\055\006\145"
 "\165\122\300\206\020\040\041\137\154\153\017\154\256\011\034\257"
 "\362\242\030\064\304\165\244\163\034\361\215\334\357\255\371\263"
 "\166\264\222\277\334\225\020\036\276\313\310\073\132\204\140\031"
 "\126\224\251\125"
 , (PRUint32)660 }
 };
 static const NSSItem nss_builtins_items_53 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Equifax Secure Global eBusiness CA", (PRUint32)35 },
   { (void *)"\176\170\112\020\034\202\145\314\055\341\361\155\107\264\100\312"
 "\331\012\031\105"
 , (PRUint32)20 },
   { (void *)"\217\135\167\006\047\304\230\074\133\223\170\347\327\175\233\314"
@@ -4074,19 +4074,19 @@ static const NSSItem nss_builtins_items_
 "\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141"
 "\170\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060"
 "\053\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040"
 "\123\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102"
 "\165\163\151\156\145\163\163\040\103\101\055\061"
 , (PRUint32)92 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_54 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Equifax Secure eBusiness CA 1", (PRUint32)30 },
@@ -4147,17 +4147,17 @@ static const NSSItem nss_builtins_items_
 "\130\036\107\207\124\076\130\241\265\265\370\052\357\161\347\274"
 "\303\366\261\111\106\342\327\240\153\345\126\172\232\047\230\174"
 "\106\142\024\347\311\374\156\003\022\171\200\070\035\110\202\215"
 "\374\027\376\052\226\053\265\142\246\246\075\275\177\222\131\315"
 "\132\052\202\262\067\171"
 , (PRUint32)646 }
 };
 static const NSSItem nss_builtins_items_55 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Equifax Secure eBusiness CA 1", (PRUint32)30 },
   { (void *)"\332\100\030\213\221\211\243\355\356\256\332\227\376\057\235\365"
 "\267\321\212\101"
 , (PRUint32)20 },
   { (void *)"\144\234\357\056\104\374\306\217\122\007\320\121\163\217\313\075"
@@ -4166,19 +4166,19 @@ static const NSSItem nss_builtins_items_
 "\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141"
 "\170\040\123\145\143\165\162\145\040\111\156\143\056\061\046\060"
 "\044\006\003\125\004\003\023\035\105\161\165\151\146\141\170\040"
 "\123\145\143\165\162\145\040\145\102\165\163\151\156\145\163\163"
 "\040\103\101\055\061"
 , (PRUint32)85 },
   { (void *)"\002\001\004"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_56 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Equifax Secure eBusiness CA 2", (PRUint32)30 },
@@ -4247,17 +4247,17 @@ static const NSSItem nss_builtins_items_
 "\342\261\344\270\232\357\303\275\316\336\013\062\064\331\336\050"
 "\355\063\153\304\324\327\075\022\130\253\175\011\055\313\160\365"
 "\023\212\224\241\047\244\326\160\305\155\224\265\311\175\235\240"
 "\322\306\010\111\331\146\233\246\323\364\013\334\305\046\127\341"
 "\221\060\352\315"
 , (PRUint32)804 }
 };
 static const NSSItem nss_builtins_items_57 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Equifax Secure eBusiness CA 2", (PRUint32)30 },
   { (void *)"\071\117\366\205\013\006\276\122\345\030\126\314\020\341\200\350"
 "\202\263\205\314"
 , (PRUint32)20 },
   { (void *)"\252\277\277\144\227\332\230\035\157\306\010\072\225\160\063\312"
@@ -4265,19 +4265,19 @@ static const NSSItem nss_builtins_items_
   { (void *)"\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
 "\027\060\025\006\003\125\004\012\023\016\105\161\165\151\146\141"
 "\170\040\123\145\143\165\162\145\061\046\060\044\006\003\125\004"
 "\013\023\035\105\161\165\151\146\141\170\040\123\145\143\165\162"
 "\145\040\145\102\165\163\151\156\145\163\163\040\103\101\055\062"
 , (PRUint32)80 },
   { (void *)"\002\004\067\160\317\265"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_58 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"AddTrust Low-Value Services Root", (PRUint32)33 },
@@ -4365,17 +4365,17 @@ static const NSSItem nss_builtins_items_
 "\062\312\173\306\343\253\144\106\225\370\046\151\331\125\203\173"
 "\054\226\007\377\131\054\104\243\306\345\351\251\334\241\143\200"
 "\132\041\136\041\317\123\124\360\272\157\211\333\250\252\225\317"
 "\213\343\161\314\036\033\040\104\010\300\172\266\100\375\304\344"
 "\065\341\035\026\034\320\274\053\216\326\161\331"
 , (PRUint32)1052 }
 };
 static const NSSItem nss_builtins_items_59 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"AddTrust Low-Value Services Root", (PRUint32)33 },
   { (void *)"\314\253\016\240\114\043\001\326\151\173\335\067\237\315\022\353"
 "\044\343\224\235"
 , (PRUint32)20 },
   { (void *)"\036\102\225\002\063\222\153\271\137\300\177\332\326\262\113\374"
@@ -4385,19 +4385,19 @@ static const NSSItem nss_builtins_items_
 "\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024"
 "\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164"
 "\167\157\162\153\061\041\060\037\006\003\125\004\003\023\030\101"
 "\144\144\124\162\165\163\164\040\103\154\141\163\163\040\061\040"
 "\103\101\040\122\157\157\164"
 , (PRUint32)103 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_60 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"AddTrust External Root", (PRUint32)23 },
@@ -4489,17 +4489,17 @@ static const NSSItem nss_builtins_items_
 "\163\210\077\126\033\061\070\030\264\161\017\232\315\310\016\236"
 "\216\056\033\341\214\230\203\313\037\061\361\104\114\306\004\163"
 "\111\166\140\017\307\370\275\027\200\153\056\351\314\114\016\132"
 "\232\171\017\040\012\056\325\236\143\046\036\125\222\224\330\202"
 "\027\132\173\320\274\307\217\116\206\004"
 , (PRUint32)1082 }
 };
 static const NSSItem nss_builtins_items_61 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"AddTrust External Root", (PRUint32)23 },
   { (void *)"\002\372\363\342\221\103\124\150\140\170\127\151\115\365\344\133"
 "\150\205\030\150"
 , (PRUint32)20 },
   { (void *)"\035\065\124\004\205\170\260\077\102\102\115\277\040\163\012\077"
@@ -4510,19 +4510,19 @@ static const NSSItem nss_builtins_items_
 "\101\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141"
 "\154\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060"
 "\040\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164"
 "\040\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157"
 "\164"
 , (PRUint32)113 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_62 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"AddTrust Public Services Root", (PRUint32)30 },
@@ -4610,17 +4610,17 @@ static const NSSItem nss_builtins_items_
 "\200\045\022\141\001\250\044\023\160\000\021\046\137\372\065\120"
 "\305\110\314\006\107\350\047\330\160\215\137\144\346\241\104\046"
 "\136\042\354\222\315\377\102\232\104\041\155\134\305\343\042\035"
 "\137\107\022\347\316\137\135\372\330\252\261\063\055\331\166\362"
 "\116\072\063\014\053\263\055\220\006"
 , (PRUint32)1049 }
 };
 static const NSSItem nss_builtins_items_63 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"AddTrust Public Services Root", (PRUint32)30 },
   { (void *)"\052\266\050\110\136\170\373\363\255\236\171\020\335\153\337\231"
 "\162\054\226\345"
 , (PRUint32)20 },
   { (void *)"\301\142\076\043\305\202\163\234\003\131\113\053\351\167\111\177"
@@ -4630,19 +4630,19 @@ static const NSSItem nss_builtins_items_
 "\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024"
 "\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164"
 "\167\157\162\153\061\040\060\036\006\003\125\004\003\023\027\101"
 "\144\144\124\162\165\163\164\040\120\165\142\154\151\143\040\103"
 "\101\040\122\157\157\164"
 , (PRUint32)102 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_64 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"AddTrust Qualified Certificates Root", (PRUint32)37 },
@@ -4731,17 +4731,17 @@ static const NSSItem nss_builtins_items_
 "\365\160\105\260\334\135\372\366\162\132\167\322\143\315\317\130"
 "\211\000\102\143\077\171\071\320\104\260\202\156\101\031\350\335"
 "\340\301\210\132\321\036\161\223\037\044\060\164\345\036\250\336"
 "\074\047\067\177\203\256\236\167\317\360\060\261\377\113\231\350"
 "\306\241"
 , (PRUint32)1058 }
 };
 static const NSSItem nss_builtins_items_65 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"AddTrust Qualified Certificates Root", (PRUint32)37 },
   { (void *)"\115\043\170\354\221\225\071\265\000\177\165\217\003\073\041\036"
 "\305\115\213\317"
 , (PRUint32)20 },
   { (void *)"\047\354\071\107\315\332\132\257\342\232\001\145\041\251\114\273"
@@ -4751,19 +4751,19 @@ static const NSSItem nss_builtins_items_
 "\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024"
 "\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164"
 "\167\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101"
 "\144\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145"
 "\144\040\103\101\040\122\157\157\164"
 , (PRUint32)105 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_66 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Entrust Root Certification Authority", (PRUint32)37 },
@@ -4869,17 +4869,17 @@ static const NSSItem nss_builtins_items_
 "\172\356\205\112\247\120\200\360\247\134\112\224\056\137\005\231"
 "\074\122\101\340\315\264\143\317\001\103\272\234\203\334\217\140"
 "\073\363\132\264\264\173\256\332\013\220\070\165\357\201\035\146"
 "\322\367\127\160\066\263\277\374\050\257\161\045\205\133\023\376"
 "\036\177\132\264\074"
 , (PRUint32)1173 }
 };
 static const NSSItem nss_builtins_items_67 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Entrust Root Certification Authority", (PRUint32)37 },
   { (void *)"\263\036\261\267\100\343\154\204\002\332\334\067\324\115\365\324"
 "\147\111\122\371"
 , (PRUint32)20 },
   { (void *)"\326\245\303\355\135\335\076\000\301\075\207\222\037\035\077\344"
@@ -4894,19 +4894,19 @@ static const NSSItem nss_builtins_items_
 "\051\040\062\060\060\066\040\105\156\164\162\165\163\164\054\040"
 "\111\156\143\056\061\055\060\053\006\003\125\004\003\023\044\105"
 "\156\164\162\165\163\164\040\122\157\157\164\040\103\145\162\164"
 "\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162"
 "\151\164\171"
 , (PRUint32)179 },
   { (void *)"\002\004\105\153\120\124"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_68 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"RSA Security 2048 v3", (PRUint32)21 },
@@ -4978,17 +4978,17 @@ static const NSSItem nss_builtins_items_
 "\045\102\164\005\200\050\277\275\301\044\226\130\025\261\027\041"
 "\351\211\113\333\007\210\147\364\025\255\160\076\057\115\205\073"
 "\302\267\333\376\230\150\043\211\341\164\017\336\364\305\204\143"
 "\051\033\314\313\007\311\000\244\251\327\302\042\117\147\327\167"
 "\354\040\005\141\336"
 , (PRUint32)869 }
 };
 static const NSSItem nss_builtins_items_69 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"RSA Security 2048 v3", (PRUint32)21 },
   { (void *)"\045\001\220\031\317\373\331\231\034\267\150\045\164\215\224\137"
 "\060\223\225\102"
 , (PRUint32)20 },
   { (void *)"\167\015\031\261\041\375\000\102\234\076\014\245\335\013\002\216"
@@ -4996,19 +4996,19 @@ static const NSSItem nss_builtins_items_
   { (void *)"\060\072\061\031\060\027\006\003\125\004\012\023\020\122\123\101"
 "\040\123\145\143\165\162\151\164\171\040\111\156\143\061\035\060"
 "\033\006\003\125\004\013\023\024\122\123\101\040\123\145\143\165"
 "\162\151\164\171\040\062\060\064\070\040\126\063"
 , (PRUint32)60 },
   { (void *)"\002\020\012\001\001\001\000\000\002\174\000\000\000\012\000\000"
 "\000\002"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_70 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"GeoTrust Global CA", (PRUint32)19 },
@@ -5080,17 +5080,17 @@ static const NSSItem nss_builtins_items_
 "\256\071\246\152\164\351\332\304\347\274\115\064\036\251\134\115"
 "\063\137\222\011\057\210\146\135\167\227\307\035\166\023\251\325"
 "\345\361\026\011\021\065\325\254\333\044\161\160\054\230\126\013"
 "\331\027\264\321\343\121\053\136\165\350\325\320\334\117\064\355"
 "\302\005\146\200\241\313\346\063"
 , (PRUint32)856 }
 };
 static const NSSItem nss_builtins_items_71 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"GeoTrust Global CA", (PRUint32)19 },
   { (void *)"\336\050\364\244\377\345\271\057\243\305\003\321\243\111\247\371"
 "\226\052\202\022"
 , (PRUint32)20 },
   { (void *)"\367\165\253\051\373\121\116\267\167\136\377\005\074\231\216\365"
@@ -5098,19 +5098,19 @@ static const NSSItem nss_builtins_items_
   { (void *)"\060\102\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
 "\026\060\024\006\003\125\004\012\023\015\107\145\157\124\162\165"
 "\163\164\040\111\156\143\056\061\033\060\031\006\003\125\004\003"
 "\023\022\107\145\157\124\162\165\163\164\040\107\154\157\142\141"
 "\154\040\103\101"
 , (PRUint32)68 },
   { (void *)"\002\003\002\064\126"
 , (PRUint32)5 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_72 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"GeoTrust Global CA 2", (PRUint32)21 },
@@ -5183,17 +5183,17 @@ static const NSSItem nss_builtins_items_
 "\000\315\111\271\263\154\173\123\004\032\342\250\311\252\022\005"
 "\043\302\316\347\273\004\002\314\300\107\242\344\304\051\057\133"
 "\105\127\211\121\356\074\353\122\010\377\007\065\036\237\065\152"
 "\107\112\126\230\321\132\205\037\214\365\042\277\253\316\203\363"
 "\342\042\051\256\175\203\100\250\272\154"
 , (PRUint32)874 }
 };
 static const NSSItem nss_builtins_items_73 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"GeoTrust Global CA 2", (PRUint32)21 },
   { (void *)"\251\351\170\010\024\067\130\210\362\005\031\260\155\053\015\053"
 "\140\026\220\175"
 , (PRUint32)20 },
   { (void *)"\016\100\247\154\336\003\135\217\321\017\344\321\215\371\154\251"
@@ -5201,19 +5201,19 @@ static const NSSItem nss_builtins_items_
   { (void *)"\060\104\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
 "\026\060\024\006\003\125\004\012\023\015\107\145\157\124\162\165"
 "\163\164\040\111\156\143\056\061\035\060\033\006\003\125\004\003"
 "\023\024\107\145\157\124\162\165\163\164\040\107\154\157\142\141"
 "\154\040\103\101\040\062"
 , (PRUint32)70 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_74 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"GeoTrust Universal CA", (PRUint32)22 },
@@ -5318,17 +5318,17 @@ static const NSSItem nss_builtins_items_
 "\317\265\135\353\333\333\034\304\166\337\210\271\275\105\005\225"
 "\033\256\374\106\152\114\257\110\343\316\256\017\322\176\353\346"
 "\154\234\117\201\152\172\144\254\273\076\325\347\313\166\056\305"
 "\247\110\301\134\220\017\313\310\077\372\346\062\341\215\033\157"
 "\244\346\216\330\371\051\110\212\316\163\376\054"
 , (PRUint32)1388 }
 };
 static const NSSItem nss_builtins_items_75 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"GeoTrust Universal CA", (PRUint32)22 },
   { (void *)"\346\041\363\065\103\171\005\232\113\150\060\235\212\057\164\042"
 "\025\207\354\171"
 , (PRUint32)20 },
   { (void *)"\222\145\130\213\242\032\061\162\163\150\134\264\245\172\007\110"
@@ -5336,19 +5336,19 @@ static const NSSItem nss_builtins_items_
   { (void *)"\060\105\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
 "\026\060\024\006\003\125\004\012\023\015\107\145\157\124\162\165"
 "\163\164\040\111\156\143\056\061\036\060\034\006\003\125\004\003"
 "\023\025\107\145\157\124\162\165\163\164\040\125\156\151\166\145"
 "\162\163\141\154\040\103\101"
 , (PRUint32)71 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_76 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"GeoTrust Universal CA 2", (PRUint32)24 },
@@ -5453,17 +5453,17 @@ static const NSSItem nss_builtins_items_
 "\175\231\364\061\366\161\251\317\054\001\047\245\005\271\252\262"
 "\110\116\052\357\237\223\122\121\225\074\122\163\216\126\114\027"
 "\100\300\011\050\344\213\152\110\123\333\354\315\125\125\361\306"
 "\370\351\242\054\114\246\321\046\137\176\257\132\114\332\037\246"
 "\362\034\054\176\256\002\026\322\126\320\057\127\123\107\350\222"
 , (PRUint32)1392 }
 };
 static const NSSItem nss_builtins_items_77 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"GeoTrust Universal CA 2", (PRUint32)24 },
   { (void *)"\067\232\031\173\101\205\105\065\014\246\003\151\363\074\056\257"
 "\107\117\040\171"
 , (PRUint32)20 },
   { (void *)"\064\374\270\320\066\333\236\024\263\302\362\333\217\344\224\307"
@@ -5471,19 +5471,19 @@ static const NSSItem nss_builtins_items_
   { (void *)"\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
 "\026\060\024\006\003\125\004\012\023\015\107\145\157\124\162\165"
 "\163\164\040\111\156\143\056\061\040\060\036\006\003\125\004\003"
 "\023\027\107\145\157\124\162\165\163\164\040\125\156\151\166\145"
 "\162\163\141\154\040\103\101\040\062"
 , (PRUint32)73 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_78 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"UTN-USER First-Network Applications", (PRUint32)36 },
@@ -5585,17 +5585,17 @@ static const NSSItem nss_builtins_items_
 "\140\105\235\361\043\232\260\000\234\150\265\230\120\323\357\216"
 "\056\222\145\261\110\076\041\276\025\060\052\015\265\014\243\153"
 "\077\256\177\127\365\037\226\174\337\157\335\202\060\054\145\033"
 "\100\112\315\150\271\162\354\161\166\354\124\216\037\205\014\001"
 "\152\372\246\070\254\037\304\204"
 , (PRUint32)1128 }
 };
 static const NSSItem nss_builtins_items_79 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"UTN-USER First-Network Applications", (PRUint32)36 },
   { (void *)"\135\230\234\333\025\226\021\066\121\145\144\033\126\017\333\352"
 "\052\302\076\361"
 , (PRUint32)20 },
   { (void *)"\277\140\131\243\133\272\366\247\166\102\332\157\032\173\120\317"
@@ -5610,19 +5610,19 @@ static const NSSItem nss_builtins_items_
 "\164\162\165\163\164\056\143\157\155\061\053\060\051\006\003\125"
 "\004\003\023\042\125\124\116\055\125\123\105\122\106\151\162\163"
 "\164\055\116\145\164\167\157\162\153\040\101\160\160\154\151\143"
 "\141\164\151\157\156\163"
 , (PRUint32)166 },
   { (void *)"\002\020\104\276\014\213\120\000\044\264\021\323\066\060\113\300"
 "\063\167"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_80 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"America Online Root Certification Authority 1", (PRUint32)46 },
@@ -5703,17 +5703,17 @@ static const NSSItem nss_builtins_items_
 "\060\306\307\065\206\263\371\226\137\106\333\014\105\375\363\120"
 "\303\157\306\303\110\255\106\246\341\047\107\012\035\016\233\266"
 "\302\167\177\143\362\340\175\032\276\374\340\337\327\307\247\154"
 "\260\371\256\272\074\375\164\264\021\350\130\015\200\274\323\250"
 "\200\072\231\355\165\314\106\173"
 , (PRUint32)936 }
 };
 static const NSSItem nss_builtins_items_81 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"America Online Root Certification Authority 1", (PRUint32)46 },
   { (void *)"\071\041\301\025\301\135\016\312\134\313\133\304\360\175\041\330"
 "\005\013\126\152"
 , (PRUint32)20 },
   { (void *)"\024\361\010\255\235\372\144\342\211\347\034\317\250\255\175\136"
@@ -5723,19 +5723,19 @@ static const NSSItem nss_builtins_items_
 "\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060"
 "\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040"
 "\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164"
 "\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162"
 "\151\164\171\040\061"
 , (PRUint32)101 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_82 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"America Online Root Certification Authority 2", (PRUint32)46 },
@@ -5848,17 +5848,17 @@ static const NSSItem nss_builtins_items_
 "\377\023\312\057\135\203\274\207\223\154\334\044\121\026\004\045"
 "\146\372\263\331\302\272\051\276\232\110\070\202\231\364\277\073"
 "\112\061\031\371\277\216\041\063\024\312\117\124\137\373\316\373"
 "\217\161\177\375\136\031\240\017\113\221\270\304\124\274\006\260"
 "\105\217\046\221\242\216\376\251"
 , (PRUint32)1448 }
 };
 static const NSSItem nss_builtins_items_83 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"America Online Root Certification Authority 2", (PRUint32)46 },
   { (void *)"\205\265\377\147\233\014\171\226\037\310\156\104\042\000\106\023"
 "\333\027\222\204"
 , (PRUint32)20 },
   { (void *)"\326\355\074\312\342\146\017\257\020\103\015\167\233\004\011\277"
@@ -5868,19 +5868,19 @@ static const NSSItem nss_builtins_items_
 "\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060"
 "\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040"
 "\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164"
 "\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162"
 "\151\164\171\040\062"
 , (PRUint32)101 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_84 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Visa eCommerce Root", (PRUint32)20 },
@@ -5962,17 +5962,17 @@ static const NSSItem nss_builtins_items_
 "\373\340\333\146\243\000\001\275\346\054\332\221\137\240\106\213"
 "\115\152\234\075\075\335\005\106\376\166\277\240\012\074\344\000"
 "\346\047\267\377\204\055\336\272\042\047\226\020\161\353\042\355"
 "\337\337\063\234\317\343\255\256\216\324\216\346\117\121\257\026"
 "\222\340\134\366\007\017"
 , (PRUint32)934 }
 };
 static const NSSItem nss_builtins_items_85 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Visa eCommerce Root", (PRUint32)20 },
   { (void *)"\160\027\233\206\214\000\244\372\140\221\122\042\077\237\076\062"
 "\275\340\005\142"
 , (PRUint32)20 },
   { (void *)"\374\021\270\330\010\223\060\000\155\043\371\176\353\122\036\002"
@@ -5983,19 +5983,19 @@ static const NSSItem nss_builtins_items_
 "\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
 "\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061"
 "\034\060\032\006\003\125\004\003\023\023\126\151\163\141\040\145"
 "\103\157\155\155\145\162\143\145\040\122\157\157\164"
 , (PRUint32)109 },
   { (void *)"\002\020\023\206\065\115\035\077\006\362\301\371\145\005\325\220"
 "\034\142"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_86 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"TC TrustCenter, Germany, Class 2 CA", (PRUint32)36 },
@@ -6081,17 +6081,17 @@ static const NSSItem nss_builtins_items_
 "\312\332\203\214\006\254\353\066\155\205\221\064\004\066\364\102"
 "\360\370\171\056\012\110\134\253\314\121\117\170\166\240\331\254"
 "\031\275\052\321\151\004\050\221\312\066\020\047\200\127\133\322"
 "\134\365\302\133\253\144\201\143\164\121\364\227\277\315\022\050"
 "\367\115\146\177\247\360\034\001\046\170\262\146\107\160\121\144"
 , (PRUint32)864 }
 };
 static const NSSItem nss_builtins_items_87 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"TC TrustCenter, Germany, Class 2 CA", (PRUint32)36 },
   { (void *)"\203\216\060\367\177\335\024\252\070\136\321\105\000\234\016\042"
 "\066\111\117\252"
 , (PRUint32)20 },
   { (void *)"\270\026\063\114\114\114\362\330\323\115\006\264\246\133\100\003"
@@ -6106,19 +6106,19 @@ static const NSSItem nss_builtins_items_
 "\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162"
 "\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040"
 "\062\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015"
 "\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145"
 "\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145"
 , (PRUint32)191 },
   { (void *)"\002\002\003\352"
 , (PRUint32)4 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_88 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"TC TrustCenter, Germany, Class 3 CA", (PRUint32)36 },
@@ -6204,17 +6204,17 @@ static const NSSItem nss_builtins_items_
 "\273\306\253\136\013\335\075\226\304\313\251\324\371\046\346\006"
 "\116\236\014\245\172\272\156\303\174\202\031\321\307\261\261\303"
 "\333\015\216\233\100\174\067\013\361\135\350\375\037\220\210\245"
 "\016\116\067\144\041\250\116\215\264\237\361\336\110\255\325\126"
 "\030\122\051\213\107\064\022\011\324\273\222\065\357\017\333\064"
 , (PRUint32)864 }
 };
 static const NSSItem nss_builtins_items_89 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"TC TrustCenter, Germany, Class 3 CA", (PRUint32)36 },
   { (void *)"\237\307\226\350\370\122\117\206\072\341\111\155\070\022\102\020"
 "\137\033\170\365"
 , (PRUint32)20 },
   { (void *)"\137\224\112\163\042\270\367\321\061\354\131\071\367\216\376\156"
@@ -6229,19 +6229,19 @@ static const NSSItem nss_builtins_items_
 "\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162"
 "\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040"
 "\063\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015"
 "\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145"
 "\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145"
 , (PRUint32)191 },
   { (void *)"\002\002\003\353"
 , (PRUint32)4 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_90 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Certum Root CA", (PRUint32)15 },
@@ -6306,36 +6306,36 @@ static const NSSItem nss_builtins_items_
 "\362\274\156\144\365\132\126\220\250\307\016\114\164\017\056\161"
 "\073\367\310\107\364\151\157\025\362\021\136\203\036\234\174\122"
 "\256\375\002\332\022\250\131\147\030\333\274\160\335\233\261\151"
 "\355\200\316\211\100\110\152\016\065\312\051\146\025\041\224\054"
 "\350\140\052\233\205\112\100\363\153\212\044\354\006\026\054\163"
 , (PRUint32)784 }
 };
 static const NSSItem nss_builtins_items_91 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Certum Root CA", (PRUint32)15 },
   { (void *)"\142\122\334\100\367\021\103\242\057\336\236\367\064\216\006\102"
 "\121\261\201\030"
 , (PRUint32)20 },
   { (void *)"\054\217\237\146\035\030\220\261\107\046\235\216\206\202\214\251"
 , (PRUint32)16 },
   { (void *)"\060\076\061\013\060\011\006\003\125\004\006\023\002\120\114\061"
 "\033\060\031\006\003\125\004\012\023\022\125\156\151\172\145\164"
 "\157\040\123\160\056\040\172\040\157\056\157\056\061\022\060\020"
 "\006\003\125\004\003\023\011\103\145\162\164\165\155\040\103\101"
 , (PRUint32)64 },
   { (void *)"\002\003\001\000\040"
 , (PRUint32)5 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_92 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Comodo AAA Services root", (PRUint32)25 },
@@ -6427,17 +6427,17 @@ static const NSSItem nss_builtins_items_
 "\227\140\370\220\136\164\324\242\232\123\275\362\251\150\340\242"
 "\156\302\327\154\261\243\017\236\277\353\150\347\126\362\256\362"
 "\343\053\070\072\011\201\265\153\205\327\276\055\355\077\032\267"
 "\262\143\342\365\142\054\202\324\152\000\101\120\361\071\203\237"
 "\225\351\066\226\230\156"
 , (PRUint32)1078 }
 };
 static const NSSItem nss_builtins_items_93 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Comodo AAA Services root", (PRUint32)25 },
   { (void *)"\321\353\043\244\155\027\326\217\331\045\144\302\361\361\140\027"
 "\144\330\343\111"
 , (PRUint32)20 },
   { (void *)"\111\171\004\260\353\207\031\254\107\260\274\021\121\233\164\320"
@@ -6448,19 +6448,19 @@ static const NSSItem nss_builtins_items_
 "\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032"
 "\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040"
 "\103\101\040\114\151\155\151\164\145\144\061\041\060\037\006\003"
 "\125\004\003\014\030\101\101\101\040\103\145\162\164\151\146\151"
 "\143\141\164\145\040\123\145\162\166\151\143\145\163"
 , (PRUint32)125 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_94 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Comodo Secure Services root", (PRUint32)28 },
@@ -6553,17 +6553,17 @@ static const NSSItem nss_builtins_items_
 "\243\360\244\050\244\025\304\205\364\047\324\153\277\345\134\344"
 "\145\002\166\124\264\343\067\146\044\323\031\141\310\122\020\345"
 "\213\067\232\271\251\371\035\277\352\231\222\141\226\377\001\315"
 "\241\137\015\274\161\274\016\254\013\035\107\105\035\301\354\174"
 "\354\375\051"
 , (PRUint32)1091 }
 };
 static const NSSItem nss_builtins_items_95 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Comodo Secure Services root", (PRUint32)28 },
   { (void *)"\112\145\325\364\035\357\071\270\270\220\112\112\323\144\201\063"
 "\317\307\241\321"
 , (PRUint32)20 },
   { (void *)"\323\331\275\256\237\254\147\044\263\310\033\122\341\271\251\275"
@@ -6574,19 +6574,19 @@ static const NSSItem nss_builtins_items_
 "\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032"
 "\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040"
 "\103\101\040\114\151\155\151\164\145\144\061\044\060\042\006\003"
 "\125\004\003\014\033\123\145\143\165\162\145\040\103\145\162\164"
 "\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163"
 , (PRUint32)128 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_96 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Comodo Trusted Services root", (PRUint32)29 },
@@ -6681,17 +6681,17 @@ static const NSSItem nss_builtins_items_
 "\115\045\107\356\057\210\310\265\341\005\105\300\276\024\161\336"
 "\172\375\216\173\175\115\010\226\245\022\163\360\055\312\067\047"
 "\164\022\047\114\313\266\227\351\331\256\010\155\132\071\100\335"
 "\005\107\165\152\132\041\263\243\030\317\116\367\056\127\267\230"
 "\160\136\310\304\170\260\142"
 , (PRUint32)1095 }
 };
 static const NSSItem nss_builtins_items_97 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Comodo Trusted Services root", (PRUint32)29 },
   { (void *)"\341\237\343\016\213\204\140\236\200\233\027\015\162\250\305\272"
 "\156\024\011\275"
 , (PRUint32)20 },
   { (void *)"\221\033\077\156\315\236\253\356\007\376\037\161\322\263\141\047"
@@ -6703,19 +6703,19 @@ static const NSSItem nss_builtins_items_
 "\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040"
 "\103\101\040\114\151\155\151\164\145\144\061\045\060\043\006\003"
 "\125\004\003\014\034\124\162\165\163\164\145\144\040\103\145\162"
 "\164\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145"
 "\163"
 , (PRUint32)129 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_98 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"QuoVadis Root CA", (PRUint32)17 },
@@ -6835,17 +6835,17 @@ static const NSSItem nss_builtins_items_
 "\242\346\352\131\042\207\370\227\365\016\375\352\314\222\244\026"
 "\304\122\030\352\041\316\261\361\346\204\201\345\272\251\206\050"
 "\362\103\132\135\022\235\254\036\331\250\345\012\152\247\177\240"
 "\207\051\317\362\211\115\324\354\305\342\346\172\320\066\043\212"
 "\112\164\066\371"
 , (PRUint32)1492 }
 };
 static const NSSItem nss_builtins_items_99 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"QuoVadis Root CA", (PRUint32)17 },
   { (void *)"\336\077\100\275\120\223\323\233\154\140\366\332\274\007\142\001"
 "\000\211\166\311"
 , (PRUint32)20 },
   { (void *)"\047\336\066\376\162\267\000\003\000\235\364\360\036\154\004\044"
@@ -6857,19 +6857,19 @@ static const NSSItem nss_builtins_items_
 "\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
 "\171\061\056\060\054\006\003\125\004\003\023\045\121\165\157\126"
 "\141\144\151\163\040\122\157\157\164\040\103\145\162\164\151\146"
 "\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
 "\171"
 , (PRUint32)129 },
   { (void *)"\002\004\072\266\120\213"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_100 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"QuoVadis Root CA 2", (PRUint32)19 },
@@ -6979,17 +6979,17 @@ static const NSSItem nss_builtins_items_
 "\341\243\223\035\314\212\046\132\011\070\320\316\327\015\200\026"
 "\264\170\245\072\207\114\215\212\245\325\106\227\362\054\020\271"
 "\274\124\042\300\001\120\151\103\236\364\262\357\155\370\354\332"
 "\361\343\261\357\337\221\217\124\052\013\045\301\046\031\304\122"
 "\020\005\145\325\202\020\352\302\061\315\056"
 , (PRUint32)1467 }
 };
 static const NSSItem nss_builtins_items_101 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"QuoVadis Root CA 2", (PRUint32)19 },
   { (void *)"\312\072\373\317\022\100\066\113\104\262\026\040\210\200\110\071"
 "\031\223\174\367"
 , (PRUint32)20 },
   { (void *)"\136\071\173\335\370\272\354\202\351\254\142\272\014\124\000\053"
@@ -6997,19 +6997,19 @@ static const NSSItem nss_builtins_items_
   { (void *)"\060\105\061\013\060\011\006\003\125\004\006\023\002\102\115\061"
 "\031\060\027\006\003\125\004\012\023\020\121\165\157\126\141\144"
 "\151\163\040\114\151\155\151\164\145\144\061\033\060\031\006\003"
 "\125\004\003\023\022\121\165\157\126\141\144\151\163\040\122\157"
 "\157\164\040\103\101\040\062"
 , (PRUint32)71 },
   { (void *)"\002\002\005\011"
 , (PRUint32)4 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_102 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"QuoVadis Root CA 3", (PRUint32)19 },
@@ -7134,17 +7134,17 @@ static const NSSItem nss_builtins_items_
 "\230\231\140\224\134\043\317\132\047\227\136\013\005\006\223\067"
 "\036\073\151\066\353\251\236\141\035\217\062\332\216\014\326\164"
 "\076\173\011\044\332\001\167\107\304\073\315\064\214\231\365\312"
 "\341\045\141\063\262\131\033\342\156\327\067\127\266\015\251\022"
 "\332"
 , (PRUint32)1697 }
 };
 static const NSSItem nss_builtins_items_103 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"QuoVadis Root CA 3", (PRUint32)19 },
   { (void *)"\037\111\024\367\330\164\225\035\335\256\002\300\276\375\072\055"
 "\202\165\121\205"
 , (PRUint32)20 },
   { (void *)"\061\205\074\142\224\227\143\271\252\375\211\116\257\157\340\317"
@@ -7152,19 +7152,19 @@ static const NSSItem nss_builtins_items_
   { (void *)"\060\105\061\013\060\011\006\003\125\004\006\023\002\102\115\061"
 "\031\060\027\006\003\125\004\012\023\020\121\165\157\126\141\144"
 "\151\163\040\114\151\155\151\164\145\144\061\033\060\031\006\003"
 "\125\004\003\023\022\121\165\157\126\141\144\151\163\040\122\157"
 "\157\164\040\103\101\040\063"
 , (PRUint32)71 },
   { (void *)"\002\002\005\306"
 , (PRUint32)4 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_104 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Security Communication Root CA", (PRUint32)31 },
@@ -7238,17 +7238,17 @@ static const NSSItem nss_builtins_items_
 "\065\303\340\210\141\311\210\307\337\066\020\042\230\131\352\260"
 "\112\373\126\026\163\156\254\115\367\042\241\117\255\035\172\055"
 "\105\047\345\060\301\136\362\332\023\313\045\102\121\225\107\003"
 "\214\154\041\314\164\102\355\123\377\063\213\217\017\127\001\026"
 "\057\317\246\356\311\160\042\024\275\375\276\154\013\003"
 , (PRUint32)862 }
 };
 static const NSSItem nss_builtins_items_105 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Security Communication Root CA", (PRUint32)31 },
   { (void *)"\066\261\053\111\371\201\236\327\114\236\274\070\017\306\126\217"
 "\135\254\262\367"
 , (PRUint32)20 },
   { (void *)"\361\274\143\152\124\340\265\047\365\315\347\032\343\115\156\112"
@@ -7257,19 +7257,19 @@ static const NSSItem nss_builtins_items_
 "\030\060\026\006\003\125\004\012\023\017\123\105\103\117\115\040"
 "\124\162\165\163\164\056\156\145\164\061\047\060\045\006\003\125"
 "\004\013\023\036\123\145\143\165\162\151\164\171\040\103\157\155"
 "\155\165\156\151\143\141\164\151\157\156\040\122\157\157\164\103"
 "\101\061"
 , (PRUint32)82 },
   { (void *)"\002\001\000"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_106 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Sonera Class 1 Root CA", (PRUint32)23 },
@@ -7336,36 +7336,36 @@ static const NSSItem nss_builtins_items_
 "\032\270\273\075\217\251\212\070\025\367\163\320\132\140\321\200"
 "\260\360\334\325\120\315\116\356\222\110\151\355\262\043\036\060"
 "\314\310\224\310\266\365\073\206\177\077\246\056\237\366\076\054"
 "\265\222\226\076\337\054\223\212\377\201\214\017\017\131\041\031"
 "\127\275\125\232"
 , (PRUint32)804 }
 };
 static const NSSItem nss_builtins_items_107 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Sonera Class 1 Root CA", (PRUint32)23 },
   { (void *)"\007\107\042\001\231\316\164\271\174\260\075\171\262\144\242\310"
 "\125\351\063\377"
 , (PRUint32)20 },
   { (void *)"\063\267\204\365\137\047\327\150\047\336\024\336\022\052\355\157"
 , (PRUint32)16 },
   { (void *)"\060\071\061\013\060\011\006\003\125\004\006\023\002\106\111\061"
 "\017\060\015\006\003\125\004\012\023\006\123\157\156\145\162\141"
 "\061\031\060\027\006\003\125\004\003\023\020\123\157\156\145\162"
 "\141\040\103\154\141\163\163\061\040\103\101"
 , (PRUint32)59 },
   { (void *)"\002\001\044"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_108 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Sonera Class 2 Root CA", (PRUint32)23 },
@@ -7432,36 +7432,36 @@ static const NSSItem nss_builtins_items_
 "\256\364\135\304\261\022\334\312\073\250\056\235\024\132\005\165"
 "\267\354\327\143\342\272\065\266\004\010\221\350\332\235\234\366"
 "\146\265\030\254\012\246\124\046\064\063\322\033\301\324\177\032"
 "\072\216\013\252\062\156\333\374\117\045\237\331\062\307\226\132"
 "\160\254\337\114"
 , (PRUint32)804 }
 };
 static const NSSItem nss_builtins_items_109 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Sonera Class 2 Root CA", (PRUint32)23 },
   { (void *)"\067\367\155\346\007\174\220\305\261\076\223\032\267\101\020\264"
 "\362\344\232\047"
 , (PRUint32)20 },
   { (void *)"\243\354\165\017\056\210\337\372\110\001\116\013\134\110\157\373"
 , (PRUint32)16 },
   { (void *)"\060\071\061\013\060\011\006\003\125\004\006\023\002\106\111\061"
 "\017\060\015\006\003\125\004\012\023\006\123\157\156\145\162\141"
 "\061\031\060\027\006\003\125\004\003\023\020\123\157\156\145\162"
 "\141\040\103\154\141\163\163\062\040\103\101"
 , (PRUint32)59 },
   { (void *)"\002\001\035"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_110 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Staat der Nederlanden Root CA", (PRUint32)30 },
@@ -7541,17 +7541,17 @@ static const NSSItem nss_builtins_items_
 "\135\026\027\054\021\151\347\176\376\305\203\010\337\274\334\042"
 "\072\056\040\151\043\071\126\140\147\220\213\056\166\071\373\021"
 "\210\227\366\174\275\113\270\040\026\147\005\215\342\073\301\162"
 "\077\224\225\067\307\135\271\236\330\223\241\027\217\377\014\146"
 "\025\301\044\174\062\174\003\035\073\241\130\105\062\223"
 , (PRUint32)958 }
 };
 static const NSSItem nss_builtins_items_111 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Staat der Nederlanden Root CA", (PRUint32)30 },
   { (void *)"\020\035\372\077\325\013\313\273\233\265\140\014\031\125\244\032"
 "\364\163\072\004"
 , (PRUint32)20 },
   { (void *)"\140\204\174\132\316\333\014\324\313\247\351\376\002\306\251\300"
@@ -7560,19 +7560,19 @@ static const NSSItem nss_builtins_items_
 "\036\060\034\006\003\125\004\012\023\025\123\164\141\141\164\040"
 "\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\061"
 "\046\060\044\006\003\125\004\003\023\035\123\164\141\141\164\040"
 "\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\040"
 "\122\157\157\164\040\103\101"
 , (PRUint32)87 },
   { (void *)"\002\004\000\230\226\212"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_112 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"TDC Internet Root CA", (PRUint32)21 },
@@ -7657,17 +7657,17 @@ static const NSSItem nss_builtins_items_
 "\304\011\137\164\213\331\021\373\302\126\261\074\370\160\312\064"
 "\215\103\100\023\214\375\231\003\124\171\306\056\352\206\241\366"
 "\072\324\011\274\364\274\146\314\075\130\320\127\111\012\356\045"
 "\342\101\356\023\371\233\070\064\321\000\365\176\347\224\035\374"
 "\151\003\142\270\231\005\005\075\153\170\022\275\260\157\145"
 , (PRUint32)1071 }
 };
 static const NSSItem nss_builtins_items_113 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"TDC Internet Root CA", (PRUint32)21 },
   { (void *)"\041\374\275\216\177\154\257\005\033\321\263\103\354\250\347\141"
 "\107\362\017\212"
 , (PRUint32)20 },
   { (void *)"\221\364\003\125\040\241\370\143\054\142\336\254\373\141\034\216"
@@ -7675,19 +7675,19 @@ static const NSSItem nss_builtins_items_
   { (void *)"\060\103\061\013\060\011\006\003\125\004\006\023\002\104\113\061"
 "\025\060\023\006\003\125\004\012\023\014\124\104\103\040\111\156"
 "\164\145\162\156\145\164\061\035\060\033\006\003\125\004\013\023"
 "\024\124\104\103\040\111\156\164\145\162\156\145\164\040\122\157"
 "\157\164\040\103\101"
 , (PRUint32)69 },
   { (void *)"\002\004\072\314\245\114"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_114 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"TDC OCES Root CA", (PRUint32)17 },
@@ -7785,36 +7785,36 @@ static const NSSItem nss_builtins_items_
 "\071\334\342\074\306\330\125\365\025\116\310\005\016\333\306\320"
 "\142\246\354\025\264\265\002\202\333\254\214\242\201\360\233\231"
 "\061\365\040\040\250\210\141\012\007\237\224\374\320\327\033\314"
 "\056\027\363\004\047\166\147\353\124\203\375\244\220\176\006\075"
 "\004\243\103\055\332\374\013\142\352\057\137\142\123"
 , (PRUint32)1309 }
 };
 static const NSSItem nss_builtins_items_115 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"TDC OCES Root CA", (PRUint32)17 },
   { (void *)"\207\201\302\132\226\275\302\373\114\145\006\117\371\071\013\046"
 "\004\212\016\001"
 , (PRUint32)20 },
   { (void *)"\223\177\220\034\355\204\147\027\244\145\137\233\313\060\002\227"
 , (PRUint32)16 },
   { (void *)"\060\061\061\013\060\011\006\003\125\004\006\023\002\104\113\061"
 "\014\060\012\006\003\125\004\012\023\003\124\104\103\061\024\060"
 "\022\006\003\125\004\003\023\013\124\104\103\040\117\103\105\123"
 "\040\103\101"
 , (PRUint32)51 },
   { (void *)"\002\004\076\110\275\304"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_116 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"UTN DATACorp SGC Root CA", (PRUint32)25 },
@@ -7914,17 +7914,17 @@ static const NSSItem nss_builtins_items_
 "\330\300\215\355\221\172\114\000\217\162\177\135\332\335\033\213"
 "\105\153\347\335\151\227\250\305\126\114\017\014\366\237\172\221"
 "\067\366\227\202\340\335\161\151\377\166\077\140\115\074\317\367"
 "\231\371\306\127\364\311\125\071\170\272\054\171\311\246\210\053"
 "\364\010"
 , (PRUint32)1122 }
 };
 static const NSSItem nss_builtins_items_117 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"UTN DATACorp SGC Root CA", (PRUint32)25 },
   { (void *)"\130\021\237\016\022\202\207\352\120\375\331\207\105\157\117\170"
 "\334\372\326\324"
 , (PRUint32)20 },
   { (void *)"\263\245\076\167\041\155\254\112\300\311\373\325\101\075\312\006"
@@ -7938,19 +7938,19 @@ static const NSSItem nss_builtins_items_
 "\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162"
 "\164\162\165\163\164\056\143\157\155\061\033\060\031\006\003\125"
 "\004\003\023\022\125\124\116\040\055\040\104\101\124\101\103\157"
 "\162\160\040\123\107\103"
 , (PRUint32)150 },
   { (void *)"\002\020\104\276\014\213\120\000\041\264\021\323\052\150\006\251"
 "\255\151"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_118 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"UTN USERFirst Email Root CA", (PRUint32)28 },
@@ -8058,17 +8058,17 @@ static const NSSItem nss_builtins_items_
 "\176\161\315\274\237\351\003\033\314\373\351\254\061\301\257\174"
 "\025\164\002\231\303\262\107\246\302\062\141\327\307\157\110\044"
 "\121\047\241\325\207\125\362\173\217\230\075\026\236\356\165\266"
 "\370\320\216\362\363\306\256\050\133\247\360\363\066\027\374\303"
 "\005\323\312\003\112\124"
 , (PRUint32)1190 }
 };
 static const NSSItem nss_builtins_items_119 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"UTN USERFirst Email Root CA", (PRUint32)28 },
   { (void *)"\261\162\261\245\155\225\371\037\345\002\207\341\115\067\352\152"
 "\104\143\166\212"
 , (PRUint32)20 },
   { (void *)"\327\064\075\357\035\047\011\050\341\061\002\133\023\053\335\367"
@@ -8084,19 +8084,19 @@ static const NSSItem nss_builtins_items_
 "\004\003\023\055\125\124\116\055\125\123\105\122\106\151\162\163"
 "\164\055\103\154\151\145\156\164\040\101\165\164\150\145\156\164"
 "\151\143\141\164\151\157\156\040\141\156\144\040\105\155\141\151"
 "\154"
 , (PRUint32)177 },
   { (void *)"\002\020\104\276\014\213\120\000\044\264\021\323\066\045\045\147"
 "\311\211"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_120 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"UTN USERFirst Hardware Root CA", (PRUint32)31 },
@@ -8197,17 +8197,17 @@ static const NSSItem nss_builtins_items_
 "\176\307\150\345\202\201\310\152\047\371\047\210\052\325\130\120"
 "\225\037\360\073\034\127\273\175\024\071\142\053\232\311\224\222"
 "\052\243\042\014\377\211\046\175\137\043\053\107\327\025\035\251"
 "\152\236\121\015\052\121\236\201\371\324\073\136\160\022\177\020"
 "\062\234\036\273\235\370\146\250"
 , (PRUint32)1144 }
 };
 static const NSSItem nss_builtins_items_121 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"UTN USERFirst Hardware Root CA", (PRUint32)31 },
   { (void *)"\004\203\355\063\231\254\066\010\005\207\042\355\274\136\106\000"
 "\343\276\371\327"
 , (PRUint32)20 },
   { (void *)"\114\126\101\345\015\273\053\350\312\243\355\030\010\255\103\071"
@@ -8221,19 +8221,19 @@ static const NSSItem nss_builtins_items_
 "\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162"
 "\164\162\165\163\164\056\143\157\155\061\037\060\035\006\003\125"
 "\004\003\023\026\125\124\116\055\125\123\105\122\106\151\162\163"
 "\164\055\110\141\162\144\167\141\162\145"
 , (PRUint32)154 },
   { (void *)"\002\020\104\276\014\213\120\000\044\264\021\323\066\052\376\145"
 "\012\375"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_122 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"UTN USERFirst Object Root CA", (PRUint32)29 },
@@ -8333,17 +8333,17 @@ static const NSSItem nss_builtins_items_
 "\363\123\255\154\265\053\242\022\252\031\117\011\332\136\347\223"
 "\306\216\024\010\376\360\060\200\030\240\206\205\115\310\175\327"
 "\213\003\376\156\325\367\235\026\254\222\054\240\043\345\234\221"
 "\122\037\224\337\027\224\163\303\263\301\301\161\005\040\000\170"
 "\275\023\122\035\250\076\315\000\037\310"
 , (PRUint32)1130 }
 };
 static const NSSItem nss_builtins_items_123 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"UTN USERFirst Object Root CA", (PRUint32)29 },
   { (void *)"\341\055\373\113\101\327\331\303\053\060\121\113\254\035\201\330"
 "\070\136\055\106"
 , (PRUint32)20 },
   { (void *)"\247\362\344\026\006\101\021\120\060\153\234\343\264\234\260\311"
@@ -8357,19 +8357,19 @@ static const NSSItem nss_builtins_items_
 "\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162"
 "\164\162\165\163\164\056\143\157\155\061\035\060\033\006\003\125"
 "\004\003\023\024\125\124\116\055\125\123\105\122\106\151\162\163"
 "\164\055\117\142\152\145\143\164"
 , (PRUint32)152 },
   { (void *)"\002\020\104\276\014\213\120\000\044\264\021\323\066\055\340\263"
 "\137\033"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_124 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Camerfirma Chambers of Commerce Root", (PRUint32)37 },
@@ -8472,17 +8472,17 @@ static const NSSItem nss_builtins_items_
 "\170\064\074\224\233\046\355\117\161\306\031\172\275\040\042\110"
 "\132\376\113\175\003\267\347\130\276\306\062\116\164\036\150\335"
 "\250\150\133\263\076\356\142\175\331\200\350\012\165\172\267\356"
 "\264\145\232\041\220\340\252\320\230\274\070\265\163\074\213\370"
 "\334"
 , (PRUint32)1217 }
 };
 static const NSSItem nss_builtins_items_125 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Camerfirma Chambers of Commerce Root", (PRUint32)37 },
   { (void *)"\156\072\125\244\031\014\031\134\223\204\074\300\333\162\056\061"
 "\060\141\360\261"
 , (PRUint32)20 },
   { (void *)"\260\001\356\024\331\257\051\030\224\166\216\361\151\063\052\204"
@@ -8494,19 +8494,19 @@ static const NSSItem nss_builtins_items_
 "\013\023\032\150\164\164\160\072\057\057\167\167\167\056\143\150"
 "\141\155\142\145\162\163\151\147\156\056\157\162\147\061\042\060"
 "\040\006\003\125\004\003\023\031\103\150\141\155\142\145\162\163"
 "\040\157\146\040\103\157\155\155\145\162\143\145\040\122\157\157"
 "\164"
 , (PRUint32)129 },
   { (void *)"\002\001\000"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_126 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Camerfirma Global Chambersign Root", (PRUint32)35 },
@@ -8607,17 +8607,17 @@ static const NSSItem nss_builtins_items_
 "\171\304\060\237\353\216\270\125\265\327\210\134\305\152\044\075"
 "\262\323\005\003\121\306\007\357\314\024\162\164\075\156\162\316"
 "\030\050\214\112\240\167\345\011\053\105\104\107\254\267\147\177"
 "\001\212\005\132\223\276\241\301\377\370\347\016\147\244\107\111"
 "\166\135\165\220\032\365\046\217\360"
 , (PRUint32)1225 }
 };
 static const NSSItem nss_builtins_items_127 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Camerfirma Global Chambersign Root", (PRUint32)35 },
   { (void *)"\063\233\153\024\120\044\233\125\172\001\207\162\204\331\340\057"
 "\303\322\330\351"
 , (PRUint32)20 },
   { (void *)"\305\346\173\277\006\320\117\103\355\304\172\145\212\373\153\031"
@@ -8628,19 +8628,19 @@ static const NSSItem nss_builtins_items_
 "\070\062\067\064\063\062\070\067\061\043\060\041\006\003\125\004"
 "\013\023\032\150\164\164\160\072\057\057\167\167\167\056\143\150"
 "\141\155\142\145\162\163\151\147\156\056\157\162\147\061\040\060"
 "\036\006\003\125\004\003\023\027\107\154\157\142\141\154\040\103"
 "\150\141\155\142\145\162\163\151\147\156\040\122\157\157\164"
 , (PRUint32)127 },
   { (void *)"\002\001\000"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_128 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"NetLock Qualified (Class QA) Root", (PRUint32)34 },
@@ -8784,17 +8784,17 @@ static const NSSItem nss_builtins_items_
 "\363\166\146\211\124\244\246\076\304\120\134\272\211\030\202\165"
 "\110\041\322\117\023\350\140\176\007\166\333\020\265\121\346\252"
 "\271\150\252\315\366\235\220\165\022\352\070\032\312\104\350\267"
 "\231\247\052\150\225\146\225\253\255\357\211\313\140\251\006\022"
 "\306\224\107\351\050"
 , (PRUint32)1749 }
 };
 static const NSSItem nss_builtins_items_129 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"NetLock Qualified (Class QA) Root", (PRUint32)34 },
   { (void *)"\001\150\227\341\240\270\362\303\261\064\146\134\040\247\047\267"
 "\241\130\342\217"
 , (PRUint32)20 },
   { (void *)"\324\200\145\150\044\371\211\042\050\333\365\244\232\027\217\024"
@@ -8810,19 +8810,19 @@ static const NSSItem nss_builtins_items_
 "\151\164\145\164\164\040\113\157\172\152\145\147\171\172\157\151"
 "\040\050\103\154\141\163\163\040\121\101\051\040\124\141\156\165"
 "\163\151\164\166\141\156\171\153\151\141\144\157\061\036\060\034"
 "\006\011\052\206\110\206\367\015\001\011\001\026\017\151\156\146"
 "\157\100\156\145\164\154\157\143\153\056\150\165"
 , (PRUint32)204 },
   { (void *)"\002\001\173"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_130 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"NetLock Notary (Class A) Root", (PRUint32)30 },
@@ -8959,17 +8959,17 @@ static const NSSItem nss_builtins_items_
 "\277\134\240\012\033\341\016\172\351\342\200\303\351\351\366\375"
 "\154\021\236\320\345\050\047\053\124\062\102\024\202\165\346\112"
 "\360\053\146\165\143\214\242\373\004\076\203\016\233\066\360\030"
 "\344\046\040\303\214\360\050\007\255\074\027\146\210\265\375\266"
 "\210"
 , (PRUint32)1665 }
 };
 static const NSSItem nss_builtins_items_131 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"NetLock Notary (Class A) Root", (PRUint32)30 },
   { (void *)"\254\355\137\145\123\375\045\316\001\137\037\172\110\073\152\164"
 "\237\141\170\306"
 , (PRUint32)20 },
   { (void *)"\206\070\155\136\111\143\154\205\134\333\155\334\224\267\320\367"
@@ -8984,19 +8984,19 @@ static const NSSItem nss_builtins_items_
 "\166\141\156\171\153\151\141\144\157\153\061\066\060\064\006\003"
 "\125\004\003\023\055\116\145\164\114\157\143\153\040\113\157\172"
 "\152\145\147\171\172\157\151\040\050\103\154\141\163\163\040\101"
 "\051\040\124\141\156\165\163\151\164\166\141\156\171\153\151\141"
 "\144\157"
 , (PRUint32)178 },
   { (void *)"\002\002\001\003"
 , (PRUint32)4 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_132 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"NetLock Business (Class B) Root", (PRUint32)32 },
@@ -9109,17 +9109,17 @@ static const NSSItem nss_builtins_items_
 "\145\343\102\160\273\042\220\343\175\333\065\166\341\240\265\332"
 "\237\160\156\223\032\060\071\035\060\333\056\343\174\262\221\262"
 "\321\067\051\372\271\326\027\134\107\117\343\035\070\353\237\325"
 "\173\225\250\050\236\025\112\321\321\320\053\000\227\240\342\222"
 "\066\053\143\254\130\001\153\063\051\120\206\203\361\001\110"
 , (PRUint32)1359 }
 };
 static const NSSItem nss_builtins_items_133 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"NetLock Business (Class B) Root", (PRUint32)32 },
   { (void *)"\207\237\113\356\005\337\230\130\073\343\140\326\063\347\015\077"
 "\376\230\161\257"
 , (PRUint32)20 },
   { (void *)"\071\026\252\271\152\101\341\024\151\337\236\154\073\162\334\266"
@@ -9132,19 +9132,19 @@ static const NSSItem nss_builtins_items_
 "\006\003\125\004\013\023\021\124\141\156\165\163\151\164\166\141"
 "\156\171\153\151\141\144\157\153\061\062\060\060\006\003\125\004"
 "\003\023\051\116\145\164\114\157\143\153\040\125\172\154\145\164"
 "\151\040\050\103\154\141\163\163\040\102\051\040\124\141\156\165"
 "\163\151\164\166\141\156\171\153\151\141\144\157"
 , (PRUint32)156 },
   { (void *)"\002\001\151"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_134 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },