Bug 487721, deliver NSS 3.12.4 RC0 to mozilla-central
authorKai Engert <kaie@kuix.de>
Tue, 21 Apr 2009 03:51:56 +0200
changeset 27559 36f215de943333d59249cb9a9e41c2448ecb9690
parent 27558 a6b1b49f7d7ed93abd30a1e9599033f9ab913070
child 27560 176afb7235f8d8676cd6f0f7da8b7293dcc7f297
push id6613
push userkaie@kuix.de
push dateTue, 21 Apr 2009 01:52:20 +0000
treeherdermozilla-central@36f215de9433 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
bugs487721
milestone1.9.2a1pre
Bug 487721, deliver NSS 3.12.4 RC0 to mozilla-central r=wtc
security/coreconf/OSF1.mk
security/coreconf/coreconf.dep
security/coreconf/location.mk
security/nss/cmd/lib/SECerrs.h
security/nss/cmd/lib/secutil.c
security/nss/cmd/platlibs.mk
security/nss/cmd/shlibsign/Makefile
security/nss/lib/Makefile
security/nss/lib/certdb/alg1485.c
security/nss/lib/certhigh/certvfypkix.c
security/nss/lib/ckfw/Makefile
security/nss/lib/ckfw/builtins/certdata.c
security/nss/lib/ckfw/builtins/certdata.txt
security/nss/lib/ckfw/builtins/nssckbi.h
security/nss/lib/freebl/Makefile
security/nss/lib/freebl/alg2268.c
security/nss/lib/freebl/config.mk
security/nss/lib/freebl/des.c
security/nss/lib/freebl/desblapi.c
security/nss/lib/freebl/md5.c
security/nss/lib/freebl/nsslowhash.c
security/nss/lib/freebl/os2_rand.c
security/nss/lib/freebl/rijndael.c
security/nss/lib/freebl/sha512.c
security/nss/lib/freebl/sha_fast.h
security/nss/lib/libpkix/include/pkix_certsel.h
security/nss/lib/libpkix/include/pkix_certstore.h
security/nss/lib/libpkix/include/pkix_errorstrings.h
security/nss/lib/libpkix/include/pkix_params.h
security/nss/lib/libpkix/include/pkix_pl_system.h
security/nss/lib/libpkix/include/pkixt.h
security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c
security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.c
security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.h
security/nss/lib/libpkix/pkix/checker/pkix_ekuchecker.c
security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c
security/nss/lib/libpkix/pkix/checker/pkix_targetcertchecker.c
security/nss/lib/libpkix/pkix/params/pkix_procparams.c
security/nss/lib/libpkix/pkix/params/pkix_procparams.h
security/nss/lib/libpkix/pkix/store/pkix_store.c
security/nss/lib/libpkix/pkix/top/pkix_build.c
security/nss/lib/libpkix/pkix/util/pkix_tools.c
security/nss/lib/libpkix/pkix/util/pkix_tools.h
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_colcertstore.c
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapcertstore.c
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_generalname.c
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c
security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.h
security/nss/lib/nss/config.mk
security/nss/lib/nss/nss.h
security/nss/lib/pk11wrap/pk11nobj.c
security/nss/lib/smime/config.mk
security/nss/lib/softoken/config.mk
security/nss/lib/softoken/legacydb/config.mk
security/nss/lib/softoken/legacydb/lowcert.c
security/nss/lib/softoken/legacydb/pcertdb.c
security/nss/lib/softoken/legacydb/pcertt.h
security/nss/lib/softoken/lgglue.c
security/nss/lib/softoken/lgglue.h
security/nss/lib/softoken/pkcs11.c
security/nss/lib/softoken/sftkdb.c
security/nss/lib/softoken/sftkdb.h
security/nss/lib/softoken/sftkpwd.c
security/nss/lib/softoken/softkver.h
security/nss/lib/ssl/config.mk
security/nss/lib/util/nssutil.h
security/nss/lib/util/secerr.h
security/nss/lib/util/secoid.c
security/nss/lib/util/secoidt.h
security/nss/tests/chains/chains.sh
security/nss/tests/cipher/cipher.sh
--- a/security/coreconf/OSF1.mk
+++ b/security/coreconf/OSF1.mk
@@ -67,8 +67,14 @@ endif
 MKSHLIB    += ld -shared -expect_unresolved "*" -soname $(notdir $@)
 ifdef MAPFILE
 MKSHLIB += -hidden -input $(MAPFILE)
 endif
 PROCESS_MAP_FILE = grep -v ';+' $< | grep -v ';-' | \
  sed -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,,' -e 's,^,-exported_symbol ,' > $@
 
 DSO_LDOPTS += -shared
+
+# required for freebl
+USE_64=1
+# this platform name does not use a bit tag due to only having a 64-bit ABI
+64BIT_TAG=
+
--- a/security/coreconf/coreconf.dep
+++ b/security/coreconf/coreconf.dep
@@ -38,8 +38,9 @@
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
 
+/* NSS 3.12.4 Beta */
--- a/security/coreconf/location.mk
+++ b/security/coreconf/location.mk
@@ -78,9 +78,25 @@ endif
 ifdef NSS_INCLUDE_DIR
     INCLUDES += -I$(NSS_INCLUDE_DIR)
 endif
 
 ifndef NSS_LIB_DIR
     NSS_LIB_DIR = $(DIST)/lib
 endif
 
+ifdef NSSUTIL_INCLUDE_DIR
+    INCLUDES += -I$(NSSUTIL_INCLUDE_DIR)
+endif
+
+ifndef NSSUTIL_LIB_DIR
+    NSSUTIL_LIB_DIR = $(DIST)/lib
+endif
+
+ifdef SOFTOKEN_INCLUDE_DIR
+    INCLUDES += -I$(SOFTOKEN_INCLUDE_DIR)
+endif
+
+ifndef SOFTOKEN_LIB_DIR
+    SOFTOKEN_LIB_DIR = $(DIST)/lib
+endif
+
 MK_LOCATION = included
--- a/security/nss/cmd/lib/SECerrs.h
+++ b/security/nss/cmd/lib/SECerrs.h
@@ -550,8 +550,15 @@ ER3(SEC_ERROR_LIBPKIX_INTERNAL,      		(
 ER3(SEC_ERROR_PKCS11_GENERAL_ERROR,      		(SEC_ERROR_BASE + 167),
 "A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred.")
 
 ER3(SEC_ERROR_PKCS11_FUNCTION_FAILED,      		(SEC_ERROR_BASE + 168),
 "A PKCS #11 module returned CKR_FUNCTION_FAILED, indicating that the requested function could not be performed.  Trying the same operation again might succeed.")
 
 ER3(SEC_ERROR_PKCS11_DEVICE_ERROR,      		(SEC_ERROR_BASE + 169),
 "A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot.")
+
+ER3(SEC_ERROR_BAD_INFO_ACCESS_METHOD,      		(SEC_ERROR_BASE + 170),
+"Unknown information access method in certificate extension.")
+
+ER3(SEC_ERROR_CRL_IMPORT_FAILED,        		(SEC_ERROR_BASE + 171),
+"Error attempting to import a CRL.")
+
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -2346,17 +2346,17 @@ SECU_PrintRDN(FILE *out, CERTRDN *rdn, c
     rdns[0] = rdn;
     rdns[1] = NULL;
     SECU_PrintName(out, &name, msg, level);
 }
 
 void
 SECU_PrintName(FILE *out, CERTName *name, char *msg, int level)
 {
-    char *nameStr;
+    char *nameStr = NULL;
     char *str;
     SECItem my;
 
     if (!name) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return;
     }
     if (!name->rdns || !name->rdns[0]) {
--- a/security/nss/cmd/platlibs.mk
+++ b/security/nss/cmd/platlibs.mk
@@ -82,24 +82,17 @@ endif
 
 ifdef USE_STATIC_LIBS
 
 # can't do this in manifest.mn because OS_ARCH isn't defined there.
 ifeq ($(OS_ARCH), WINNT)
 
 DEFINES += -DNSS_USE_STATIC_LIBS
 # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
-CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
-ifdef MOZILLA_SECURITY_BUILD
-	CRYPTOLIB=$(DIST)/lib/crypto.lib
-endif
-ifdef MOZILLA_BSAFE_BUILD
-	CRYPTOLIB+=$(DIST)/lib/bsafe$(BSAFEVER).lib
-	CRYPTOLIB+=$(DIST)/lib/freebl.lib
-endif
+CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
 
 PKIXLIB = \
 	$(DIST)/lib/$(LIB_PREFIX)pkixcertsel.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixchecker.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixparams.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixresults.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixutil.$(LIB_SUFFIX) \
@@ -138,24 +131,17 @@ EXTRA_LIBS += \
 # $(PROGRAM) has NO explicit dependencies on $(OS_LIBS)
 #OS_LIBS += \
 	wsock32.lib \
 	winmm.lib \
 	$(NULL)
 else
 
 # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
-CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
-ifdef MOZILLA_SECURITY_BUILD
-	CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX)
-endif
-ifdef MOZILLA_BSAFE_BUILD
-	CRYPTOLIB+=$(DIST)/lib/$(LIB_PREFIX)bsafe.$(LIB_SUFFIX)
-	CRYPTOLIB+=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
-endif
+CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
 
 PKIXLIB = \
 	$(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixutil.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixsystem.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixcrlsel.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixmodule.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixstore.$(LIB_SUFFIX) \
@@ -197,16 +183,17 @@ ifeq ($(OS_ARCH), AIX)
 EXTRA_SHARED_LIBS += -brtl 
 endif
 
 # $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
 # $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib \
 	$(SQLITE) \
+	-L$(NSSUTIL_LIB_DIR) \
 	-lnssutil3 \
 	-L$(NSPR_LIB_DIR) \
 	-lplc4 \
 	-lplds4 \
 	-lnspr4 \
 	$(NULL)
 endif
 
@@ -248,16 +235,17 @@ endif
 
 # $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
 # $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib \
 	-lssl3 \
 	-lsmime3 \
 	-lnss3 \
+	-L$(NSSUTIL_LIB_DIR) \
 	-lnssutil3 \
 	-L$(NSPR_LIB_DIR) \
 	-lplc4 \
 	-lplds4 \
 	-lnspr4 \
 	$(NULL)
 endif
 
--- a/security/nss/cmd/shlibsign/Makefile
+++ b/security/nss/cmd/shlibsign/Makefile
@@ -75,16 +75,17 @@ EXTRA_SHARED_LIBS += \
 
 endif
 
 
 # sign any and all shared libraries that contain the word freebl
 
 CHECKLIBS = $(DIST)/lib/$(DLL_PREFIX)softokn3.$(DLL_SUFFIX)
 CHECKLIBS += $(wildcard $(DIST)/lib/$(DLL_PREFIX)freebl*3.$(DLL_SUFFIX))
+CHECKLIBS += $(DIST)/lib/$(DLL_PREFIX)nssdbm3.$(DLL_SUFFIX)
 CHECKLOC = $(CHECKLIBS:.$(DLL_SUFFIX)=.chk)
 
 MD_LIB_RELEASE_FILES = $(CHECKLOC)
 ALL_TRASH += $(CHECKLOC)
 
 
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
--- a/security/nss/lib/Makefile
+++ b/security/nss/lib/Makefile
@@ -79,23 +79,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
 #######################################################################
 
 
 
 #######################################################################
 # (7) Execute "local" rules. (OPTIONAL).                              #
 #######################################################################
 
-ifdef MOZILLA_SECURITY_BUILD
-FILES=$(shell ls -d $(CORE_DEPTH)/../../ns/security/lib/crypto/*)
-
-export::
-	if test -d $(CORE_DEPTH)/../../ns/security/lib/crypto; then \
-	    $(NSINSTALL) -D crypto; \
-	    for file in $(FILES) ; do \
-		if test -f $$file; then \
-		    $(INSTALL) -m 444 $$file crypto; \
-		fi; \
-	    done;  \
-	    $(INSTALL) -m 444 freebl/sha_fast.c crypto; \
-	    $(INSTALL) -m 444 freebl/sha_fast.h crypto; \
-	fi
-endif
--- a/security/nss/lib/certdb/alg1485.c
+++ b/security/nss/lib/certdb/alg1485.c
@@ -752,19 +752,21 @@ CERT_GetOidString(const SECItem *oid)
 		CGET(i, m);              \
 		if (!n) goto unsupported \
 		/* fall-through */
 
 	    switch (bytesBeforeLast) {
 	    CASE(3, 0x7f);
 	    CASE(2, 0x7f);
 	    CASE(1, 0x7f);
-	    case 0: n |= last[0]; /* most significant bit is zero. */
+	    case 0: n |= last[0] & 0x7f;
 		break;
 	    }
+	    if (last[0] & 0x80)
+	    	goto unsupported;
       
 	    if (!rvString) {
 		/* This is the first number.. decompose it */
 		PRUint32 one = PR_MIN(n/40, 2); /* never > 2 */
 		PRUint32 two = n - (one * 40);
         
 		rvString = PR_smprintf("OID.%lu.%lu", one, two);
 	    } else {
@@ -780,19 +782,21 @@ CERT_GetOidString(const SECItem *oid)
 	    CASE(8, 0x7f);
 	    CASE(7, 0x7f);
 	    CASE(6, 0x7f);
 	    CASE(5, 0x7f);
 	    CASE(4, 0x7f);
 	    CGET(3, 0x7f);
 	    CGET(2, 0x7f);
 	    CGET(1, 0x7f);
-	        n |= last[0]; /* most significant bit is zero. */
+	    CGET(0, 0x7f);
 		break;
 	    }
+	    if (last[0] & 0x80)
+	    	goto unsupported;
       
 	    if (!rvString) {
 		/* This is the first number.. decompose it */
 		PRUint64 one = PR_MIN(n/40, 2); /* never > 2 */
 		PRUint64 two = n - (one * 40);
         
 		rvString = PR_smprintf("OID.%llu.%llu", one, two);
 	    } else {
@@ -900,28 +904,32 @@ get_hex_string(SECItem *data)
  *
  * As a simplification, we assume the value is correctly encoded for 
  * its encoding type.  That is, we do not test that all the characters
  * in a string encoded type are allowed by that type.  We assume it.
  */
 static SECStatus
 AppendAVA(stringBuf *bufp, CERTAVA *ava, CertStrictnessLevel strict)
 {
+#define TMPBUF_LEN 384
     const NameToKind *pn2k   = name2kinds;
     SECItem     *avaValue    = NULL;
     char        *unknownTag  = NULL;
     char        *encodedAVA  = NULL;
     PRBool       useHex      = PR_FALSE;  /* use =#hexXXXX form */
+    PRBool       truncateName  = PR_FALSE;
+    PRBool       truncateValue = PR_FALSE;
     SECOidTag    endKind;
     SECStatus    rv;
     unsigned int len;
-    int          nameLen, valueLen;
+    unsigned int nameLen, valueLen;
+    unsigned int maxName, maxValue;
     EQMode       mode        = minimalEscapeAndQuote;
     NameToKind   n2k         = { NULL, 32767, SEC_OID_UNKNOWN, SEC_ASN1_DS };
-    char         tmpBuf[384];
+    char         tmpBuf[TMPBUF_LEN];
 
 #define tagName  n2k.name    /* non-NULL means use NAME= form */
 #define maxBytes n2k.maxLen
 #define tag      n2k.kind
 #define vt       n2k.valueType
 
     /* READABLE mode recognizes more names from the name2kinds table
      * than do STRICT or INVERTIBLE modes.  This assignment chooses the
@@ -966,71 +974,112 @@ AppendAVA(stringBuf *bufp, CERTAVA *ava,
 	avaValue = get_hex_string(&ava->value);
 	if (!avaValue) {
 	    if (unknownTag) 
 	    	PR_smprintf_free(unknownTag);
 	    return SECFailure;
 	}
     }
 
-    if (strict == CERT_N2A_READABLE) {
-    	if (maxBytes > sizeof(tmpBuf) - 4)
-	    maxBytes = sizeof(tmpBuf) - 4;
-	/* Check value length.  Must be room for "..." */
-	if (avaValue->len > maxBytes + 3) {
-	    /* avaValue is a UTF8 string, freshly allocated and returned to us 
-	    ** by CERT_DecodeAVAValue or get_hex_string just above, so we can
-	    ** modify it here.  See if we're in the middle of a multi-byte
-	    ** UTF8 character.
-	    */
-	    len = maxBytes;
-	    while (((avaValue->data[len] & 0xc0) == 0x80) && len > 0) {
-	       len--;
-	    }
-	    /* add elipsis to signify truncation. */
-	    avaValue->data[len++] = '.'; 
-	    avaValue->data[len++] = '.';
-	    avaValue->data[len++] = '.';
-	    avaValue->data[len]   = 0;
-	    avaValue->len = len;
-	}
-    }
-
     nameLen  = strlen(tagName);
     valueLen = (useHex ? avaValue->len : 
 		cert_RFC1485_GetRequiredLen(avaValue->data, avaValue->len, 
 					    &mode));
     len = nameLen + valueLen + 2; /* Add 2 for '=' and trailing NUL */
 
+    maxName  = nameLen;
+    maxValue = valueLen;
     if (len <= sizeof(tmpBuf)) {
     	encodedAVA = tmpBuf;
-    } else if (strict == CERT_N2A_READABLE) {
-	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+    } else if (strict != CERT_N2A_READABLE) {
+	encodedAVA = PORT_Alloc(len);
+	if (!encodedAVA) {
+	    SECITEM_FreeItem(avaValue, PR_TRUE);
+	    if (unknownTag) 
+		PR_smprintf_free(unknownTag);
+	    return SECFailure;
+	}
     } else {
-	encodedAVA = PORT_Alloc(len);
+	/* Must make output fit in tmpbuf */
+	unsigned int fair = (sizeof tmpBuf)/2 - 1; /* for = and \0 */
+
+	if (nameLen < fair) {
+	    /* just truncate the value */
+	    maxValue = (sizeof tmpBuf) - (nameLen + 6); /* for "=...\0",
+                                                           and possibly '"' */
+	} else if (valueLen < fair) {
+	    /* just truncate the name */
+	    maxName  = (sizeof tmpBuf) - (valueLen + 5); /* for "=...\0" */
+	} else {
+	    /* truncate both */
+	    maxName = maxValue = fair - 3;  /* for "..." */
+	}
+	if (nameLen > maxName) {
+	    PORT_Assert(unknownTag && unknownTag == tagName);
+	    truncateName = PR_TRUE;
+	    nameLen = maxName;
+	}
+    	encodedAVA = tmpBuf;
     }
-    if (!encodedAVA) {
-	SECITEM_FreeItem(avaValue, PR_TRUE);
-	if (unknownTag) 
-	    PR_smprintf_free(unknownTag);
-	return SECFailure;
+
+    memcpy(encodedAVA, tagName, nameLen);
+    if (truncateName) {
+	/* If tag name is too long, we know it is an OID form that was 
+	 * allocated from the heap, so we can modify it in place 
+	 */
+	encodedAVA[nameLen-1] = '.';
+	encodedAVA[nameLen-2] = '.';
+	encodedAVA[nameLen-3] = '.';
     }
-    memcpy(encodedAVA, tagName, nameLen);
+    encodedAVA[nameLen++] = '=';
     if (unknownTag) 
     	PR_smprintf_free(unknownTag);
-    encodedAVA[nameLen++] = '=';
-    
+
+    if (strict == CERT_N2A_READABLE && maxValue > maxBytes)
+	maxValue = maxBytes;
+    if (valueLen > maxValue) {
+    	valueLen = maxValue;
+	truncateValue = PR_TRUE;
+    }
     /* escape and quote as necessary - don't quote hex strings */
     if (useHex) {
-	memcpy(encodedAVA + nameLen, (char *)avaValue->data, avaValue->len);
-	encodedAVA[nameLen + avaValue->len] = '\0';
+	char * end = encodedAVA + nameLen + valueLen;
+	memcpy(encodedAVA + nameLen, (char *)avaValue->data, valueLen);
+	end[0] = '\0';
+	if (truncateValue) {
+	    end[-1] = '.';
+	    end[-2] = '.';
+	    end[-3] = '.';
+	}
 	rv = SECSuccess;
-    } else 
+    } else if (!truncateValue) {
 	rv = escapeAndQuote(encodedAVA + nameLen, len - nameLen, 
-		    	    (char *)avaValue->data, avaValue->len, &mode);
+			    (char *)avaValue->data, avaValue->len, &mode);
+    } else {
+	/* must truncate the escaped and quoted value */
+	char bigTmpBuf[TMPBUF_LEN * 3 + 3];
+	rv = escapeAndQuote(bigTmpBuf, sizeof bigTmpBuf,
+			    (char *)avaValue->data, valueLen, &mode);
+
+	bigTmpBuf[valueLen--] = '\0'; /* hard stop here */
+	/* See if we're in the middle of a multi-byte UTF8 character */
+	while (((bigTmpBuf[valueLen] & 0xc0) == 0x80) && valueLen > 0) {
+	    bigTmpBuf[valueLen--] = '\0';
+	}
+	/* add ellipsis to signify truncation. */
+	bigTmpBuf[++valueLen] = '.';
+	bigTmpBuf[++valueLen] = '.';
+	bigTmpBuf[++valueLen] = '.';
+	if (bigTmpBuf[0] == '"')
+	    bigTmpBuf[++valueLen] = '"';
+	bigTmpBuf[++valueLen] = '\0';
+	PORT_Assert(nameLen + valueLen <= (sizeof tmpBuf) - 1);
+	memcpy(encodedAVA + nameLen, bigTmpBuf, valueLen+1);
+    }
+
     SECITEM_FreeItem(avaValue, PR_TRUE);
     if (rv == SECSuccess)
 	rv = AppendStr(bufp, encodedAVA);
     if (encodedAVA != tmpBuf)
     	PORT_Free(encodedAVA);
     return rv;
 }
 
--- a/security/nss/lib/certhigh/certvfypkix.c
+++ b/security/nss/lib/certhigh/certvfypkix.c
@@ -199,17 +199,17 @@ cert_NssKeyUsagesToPkix(
      * fixed in NSS */
     /* pkixKeyUsage |= PKIX_DECIPHER_ONLY; */
 
     *pPkixKeyUsage = pkixKeyUsage;
 
     PKIX_RETURN(CERTVFYPKIX);
 }
 
-extern char* ekuOidStrings[];
+extern SECOidTag ekuOidStrings[];
 
 enum {
     ekuIndexSSLServer = 0,
     ekuIndexSSLClient,
     ekuIndexCodeSigner,
     ekuIndexEmail,
     ekuIndexTimeStamp,
     ekuIndexStatusResponder,
@@ -484,16 +484,17 @@ cert_CreatePkixProcessingParams(
     PKIX_ProcessingParams *procParams = NULL;
     PKIX_CertSelector     *certSelector = NULL;
     PKIX_ComCertSelParams *certSelParams = NULL;
     PKIX_CertStore        *certStore = NULL;
     PKIX_List             *certStores = NULL;
     PKIX_RevocationChecker *revChecker = NULL;
     PKIX_UInt32           methodFlags = 0;
     void                  *plContext = NULL;
+    CERTStatusConfig      *statusConfig = NULL;
     
     PKIX_ENTER(CERTVFYPKIX, "cert_CreatePkixProcessingParams");
     PKIX_NULLCHECK_TWO(cert, pprocParams);
  
     PKIX_CHECK(
         PKIX_PL_NssContext_Create(0, useArena, wincx, &plContext),
         PKIX_NSSCONTEXTCREATEFAILED);
 
@@ -534,16 +535,24 @@ cert_CreatePkixProcessingParams(
                                                       certSelParams, plContext),
         PKIX_CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED);
     
     PKIX_CHECK(
         PKIX_ProcessingParams_SetTargetCertConstraints(procParams,
                                                        certSelector, plContext),
         PKIX_PROCESSINGPARAMSSETTARGETCERTCONSTRAINTSFAILED);
 
+    /* Turn off quialification of target cert since leaf cert is
+     * already check for date validity, key usages and extended
+     * key usages. */
+    PKIX_CHECK(
+        PKIX_ProcessingParams_SetQualifyTargetCert(procParams, PKIX_FALSE,
+                                                   plContext),
+        PKIX_PROCESSINGPARAMSSETQUALIFYTARGETCERTFLAGFAILED);
+
     PKIX_CHECK(
         PKIX_PL_Pk11CertStore_Create(&certStore, plContext),
         PKIX_PK11CERTSTORECREATEFAILED);
     
     PKIX_CHECK(
         PKIX_List_Create(&certStores, plContext),
         PKIX_UNABLETOCREATELIST);
     
@@ -596,44 +605,52 @@ cert_CreatePkixProcessingParams(
 
     /* add CRL revocation method for other certs in the chain. */
     PKIX_CHECK(
         PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams,
                                          PKIX_RevocationMethod_CRL, methodFlags,
                                          0, NULL, PKIX_FALSE, plContext),
         PKIX_REVOCATIONCHECKERADDMETHODFAILED);
     
-    /* OCSP method flags */
-    methodFlags =
-        PKIX_REV_M_TEST_USING_THIS_METHOD |
-        PKIX_REV_M_ALLOW_NETWORK_FETCHING |         /* 0 */
-        PKIX_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE |  /* 0 */
-        PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE |    /* 0 */
-        PKIX_REV_M_IGNORE_MISSING_FRESH_INFO |      /* 0 */
-        PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO;
+    /* For compatibility with the old code, need to check that
+     * statusConfig is set in the db handle and status checker
+     * is defined befor allow ocsp status check on the leaf cert.*/
+    statusConfig = CERT_GetStatusConfig(CERT_GetDefaultCertDB());
+    if (statusConfig != NULL && statusConfig->statusChecker != NULL) {
 
-    /* Disabling ocsp fetching when checking the status
-     * of ocsp response signer. Here and in the next if,
-     * adjust flags for ocsp signer cert validation case. */
-    if (disableOCSPRemoteFetching) {
-        methodFlags |= PKIX_REV_M_FORBID_NETWORK_FETCHING;
-    }
-
-    if (ocsp_FetchingFailureIsVerificationFailure()
-        && !disableOCSPRemoteFetching) {
-        methodFlags |=
-            PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO;
-    }
-
-    /* add OCSP revocation method to check only the leaf certificate.*/
-    PKIX_CHECK(
-        PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams,
+        /* Enable OCSP revocation checking for the leaf cert. */
+        /* OCSP method flags */
+        methodFlags =
+            PKIX_REV_M_TEST_USING_THIS_METHOD |
+            PKIX_REV_M_ALLOW_NETWORK_FETCHING |         /* 0 */
+            PKIX_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE |  /* 0 */
+            PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE |    /* 0 */
+            PKIX_REV_M_IGNORE_MISSING_FRESH_INFO |      /* 0 */
+            PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO;
+        
+        /* Disabling ocsp fetching when checking the status
+         * of ocsp response signer. Here and in the next if,
+         * adjust flags for ocsp signer cert validation case. */
+        if (disableOCSPRemoteFetching) {
+            methodFlags |= PKIX_REV_M_FORBID_NETWORK_FETCHING;
+        }
+        
+        if (ocsp_FetchingFailureIsVerificationFailure()
+            && !disableOCSPRemoteFetching) {
+            methodFlags |=
+                PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO;
+        }
+        
+        /* add OCSP revocation method to check only the leaf certificate.*/
+        PKIX_CHECK(
+            PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams,
                                      PKIX_RevocationMethod_OCSP, methodFlags,
                                      1, NULL, PKIX_TRUE, plContext),
-        PKIX_REVOCATIONCHECKERADDMETHODFAILED);
+            PKIX_REVOCATIONCHECKERADDMETHODFAILED);
+    }
 
     PKIX_CHECK(
         PKIX_ProcessingParams_SetAnyPolicyInhibited(procParams, PR_FALSE,
                                                     plContext),
         PKIX_PROCESSINGPARAMSSETANYPOLICYINHIBITED);
 
     PKIX_CHECK(
         PKIX_ProcessingParams_SetExplicitPolicyRequired(procParams, PR_FALSE,
@@ -1201,17 +1218,25 @@ cert_VerifyCertChainPkix(
     CERTCertList          *validChain = NULL;
 #endif /* DEBUG */
 
 #ifdef PKIX_OBJECT_LEAK_TEST
     int  leakedObjNum = 0;
     int  memLeakLoopCount = 0;
     int  objCountTable[PKIX_NUMTYPES]; 
     int  fnInvLocalCount = 0;
+    PKIX_Boolean savedUsePkixEngFlag = usePKIXValidationEngine;
 
+    if (usePKIXValidationEngine) {
+        /* current memory leak testing implementation does not allow
+         * to run simultaneous tests one the same or a different threads.
+         * Setting the variable to false, to make additional chain
+         * validations be handled by old nss. */
+        usePKIXValidationEngine = PR_FALSE;
+    }
     testStartFnStackPosition = 2;
     fnStackNameArr[0] = "cert_VerifyCertChainPkix";
     fnStackInvCountArr[0] = 0;
     PKIX_Boolean abortOnLeak = 
         (PR_GetEnv("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ?
                                                    PKIX_FALSE : PKIX_TRUE;
     runningLeakTest = PKIX_TRUE;
 
@@ -1315,16 +1340,17 @@ cleanup:
     if (abortOnLeak) {
         PORT_Assert(leakedObjNum == 0);
     }
 
 } while (errorGenerated);
 
     runningLeakTest = PKIX_FALSE; 
     PR_AtomicDecrement(&parallelFnInvocationCount);
+    usePKIXValidationEngine = savedUsePkixEngFlag;
 #endif /* PKIX_OBJECT_LEAK_TEST */
 
     return rv;
 }
 
 PKIX_CertSelector *
 cert_GetTargetCertConstraints(CERTCertificate *target, void *plContext) 
 {
@@ -1409,49 +1435,16 @@ cleanup:
 	cert_PkixErrorToNssCode(error, &nssErr, plContext);
         PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
 	PORT_SetError(nssErr);
     }
 
     return r;
 }
 
-/* XXX
- *  There is no NSS SECItem -> PKIX OID
- *  conversion function. For now, I go via the ascii
- *  representation 
- *  this should be in PKIX_PL_*
- */
-
-PKIX_PL_OID *
-CERT_PKIXOIDFromNSSOid(SECOidTag tag, void*plContext)
-{
-    char *oidstring = NULL;
-    char *oidstring_adj = NULL;
-    PKIX_PL_OID *policyOID = NULL;
-    SECOidData *data;
-
-    data =  SECOID_FindOIDByTag(tag);
-    if (data != NULL) {
-        oidstring = CERT_GetOidString(&data->oid);
-        if (oidstring == NULL) {
-            goto cleanup;
-        }
-        oidstring_adj = oidstring;
-        if (PORT_Strncmp("OID.",oidstring_adj,4) == 0) {
-            oidstring_adj += 4;
-        }
-
-        PKIX_PL_OID_Create(oidstring_adj, &policyOID, plContext);
-    }
-cleanup:
-    if (oidstring != NULL) PR_smprintf_free(oidstring);
-
-    return policyOID;
-}
 
 struct fake_PKIX_PL_CertStruct {
         CERTCertificate *nssCert;
 };
 
 /* This needs to be part of the PKIX_PL_* */
 /* This definitely needs to go away, and be replaced with
    a real accessor function in PKIX */
@@ -1474,18 +1467,18 @@ PKIX_List *cert_PKIXMakeOIDList(const SE
     int i;
 
     error = PKIX_List_Create(&policyList, plContext);
     if (error != NULL) {
 	goto cleanup;
     }
 
     for (i=0; i<oidCount; i++) {
-        policyOID = CERT_PKIXOIDFromNSSOid(oids[i],plContext);
-        if (policyOID == NULL) {
+        error = PKIX_PL_OID_Create(oids[i], &policyOID, plContext);
+        if (error) {
             goto cleanup;
         }
         error = PKIX_List_AppendItem(policyList, 
                 (PKIX_PL_Object *)policyOID, plContext);
         if (error != NULL) {
             PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOID, plContext);
             goto cleanup;
         }
@@ -2056,16 +2049,25 @@ SECStatus CERT_PKIXVerifyCert(
 
     void *plContext = NULL;
 
 #ifdef PKIX_OBJECT_LEAK_TEST
     int  leakedObjNum = 0;
     int  memLeakLoopCount = 0;
     int  objCountTable[PKIX_NUMTYPES];
     int  fnInvLocalCount = 0;
+    PKIX_Boolean savedUsePkixEngFlag = usePKIXValidationEngine;
+
+    if (usePKIXValidationEngine) {
+        /* current memory leak testing implementation does not allow
+         * to run simultaneous tests one the same or a different threads.
+         * Setting the variable to false, to make additional chain
+         * validations be handled by old nss. */
+        usePKIXValidationEngine = PR_FALSE;
+    }
     testStartFnStackPosition = 1;
     fnStackNameArr[0] = "CERT_PKIXVerifyCert";
     fnStackInvCountArr[0] = 0;
     PKIX_Boolean abortOnLeak = 
         (PR_GetEnv("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ?
                                                    PKIX_FALSE : PKIX_TRUE;
     runningLeakTest = PKIX_TRUE;
 
@@ -2275,12 +2277,13 @@ cleanup:
     if (abortOnLeak) {
         PORT_Assert(leakedObjNum == 0);
     }
     
 } while (errorGenerated);
 
     runningLeakTest = PKIX_FALSE; 
     PR_AtomicDecrement(&parallelFnInvocationCount);
+    usePKIXValidationEngine = savedUsePkixEngFlag;
 #endif /* PKIX_OBJECT_LEAK_TEST */
 
     return r;
 }
--- a/security/nss/lib/ckfw/Makefile
+++ b/security/nss/lib/ckfw/Makefile
@@ -36,19 +36,19 @@
 # ***** END LICENSE BLOCK *****
 MAKEFILE_CVS_ID = "@(#) $RCSfile: Makefile,v $ $Revision: 1.16 $ $Date: 2008/12/03 18:44:24 $"
 
 include manifest.mn
 include $(CORE_DEPTH)/coreconf/config.mk
 include config.mk
 include $(CORE_DEPTH)/coreconf/rules.mk
 
-#ifdef MOZILLA_CLIENT
-#NSS_BUILD_CAPI = 1
-#endif
+ifdef MOZILLA_CLIENT
+NSS_BUILD_CAPI = 1
+endif
 
 # This'll need some help from a build person.
 
 # The generated files are checked in, and differ from what ckapi.perl
 # will produce.  ckapi.perl is currently newer than the targets, so
 # these rules are invoked, causing the wrong files to be generated.
 # Turning off to fix builds.
 #
--- a/security/nss/lib/ckfw/builtins/certdata.c
+++ b/security/nss/lib/ckfw/builtins/certdata.c
@@ -30,17 +30,17 @@
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: certdata.c,v $ $Revision: 1.52 $ $Date: 2009/01/15 22:35:15 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.52 $ $Date: 2009/01/15 22:35:15 $";
+static const char CVS_ID[] = "@(#) $RCSfile: certdata.c,v $ $Revision: 1.53 $ $Date: 2009/04/13 02:40:04 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.53 $ $Date: 2009/04/13 02:40:04 $";
 #endif /* DEBUG */
 
 #ifndef BUILTINS_H
 #include "builtins.h"
 #endif /* BUILTINS_H */
 
 static const CK_BBOOL ck_false = CK_FALSE;
 static const CK_BBOOL ck_true = CK_TRUE;
@@ -811,25 +811,43 @@ static const CK_ATTRIBUTE_TYPE nss_built
  CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_252 [] = {
  CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_253 [] = {
  CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
 };
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_254 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_255 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_256 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_257 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_258 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_259 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
+};
 #ifdef DEBUG
 static const NSSItem nss_builtins_items_0 [] = {
   { (void *)&cko_data, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"CVS ID", (PRUint32)7 },
   { (void *)"NSS", (PRUint32)4 },
-  { (void *)"@(#) $RCSfile: certdata.c,v $ $Revision: 1.52 $ $Date: 2009/01/15 22:35:15 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.52 $ $Date: 2009/01/15 22:35:15 $", (PRUint32)160 }
+  { (void *)"@(#) $RCSfile: certdata.c,v $ $Revision: 1.53 $ $Date: 2009/04/13 02:40:04 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.53 $ $Date: 2009/04/13 02:40:04 $", (PRUint32)160 }
 };
 #endif /* DEBUG */
 static const NSSItem nss_builtins_items_1 [] = {
   { (void *)&cko_netscape_builtin_root_list, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Mozilla Builtin Roots", (PRUint32)22 }
@@ -17096,16 +17114,378 @@ static const NSSItem nss_builtins_items_
 , (PRUint32)92 },
   { (void *)"\002\001\102"
 , (PRUint32)3 },
   { (void *)&ckt_netscape_untrusted, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_netscape_untrusted, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_netscape_untrusted, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
+static const NSSItem nss_builtins_items_254 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"IGC/A", (PRUint32)6 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\205\061\013\060\011\006\003\125\004\006\023\002\106\122"
+"\061\017\060\015\006\003\125\004\010\023\006\106\162\141\156\143"
+"\145\061\016\060\014\006\003\125\004\007\023\005\120\141\162\151"
+"\163\061\020\060\016\006\003\125\004\012\023\007\120\115\057\123"
+"\107\104\116\061\016\060\014\006\003\125\004\013\023\005\104\103"
+"\123\123\111\061\016\060\014\006\003\125\004\003\023\005\111\107"
+"\103\057\101\061\043\060\041\006\011\052\206\110\206\367\015\001"
+"\011\001\026\024\151\147\143\141\100\163\147\144\156\056\160\155"
+"\056\147\157\165\166\056\146\162"
+, (PRUint32)136 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\205\061\013\060\011\006\003\125\004\006\023\002\106\122"
+"\061\017\060\015\006\003\125\004\010\023\006\106\162\141\156\143"
+"\145\061\016\060\014\006\003\125\004\007\023\005\120\141\162\151"
+"\163\061\020\060\016\006\003\125\004\012\023\007\120\115\057\123"
+"\107\104\116\061\016\060\014\006\003\125\004\013\023\005\104\103"
+"\123\123\111\061\016\060\014\006\003\125\004\003\023\005\111\107"
+"\103\057\101\061\043\060\041\006\011\052\206\110\206\367\015\001"
+"\011\001\026\024\151\147\143\141\100\163\147\144\156\056\160\155"
+"\056\147\157\165\166\056\146\162"
+, (PRUint32)136 },
+  { (void *)"\002\005\071\021\105\020\224"
+, (PRUint32)7 },
+  { (void *)"\060\202\004\002\060\202\002\352\240\003\002\001\002\002\005\071"
+"\021\105\020\224\060\015\006\011\052\206\110\206\367\015\001\001"
+"\005\005\000\060\201\205\061\013\060\011\006\003\125\004\006\023"
+"\002\106\122\061\017\060\015\006\003\125\004\010\023\006\106\162"
+"\141\156\143\145\061\016\060\014\006\003\125\004\007\023\005\120"
+"\141\162\151\163\061\020\060\016\006\003\125\004\012\023\007\120"
+"\115\057\123\107\104\116\061\016\060\014\006\003\125\004\013\023"
+"\005\104\103\123\123\111\061\016\060\014\006\003\125\004\003\023"
+"\005\111\107\103\057\101\061\043\060\041\006\011\052\206\110\206"
+"\367\015\001\011\001\026\024\151\147\143\141\100\163\147\144\156"
+"\056\160\155\056\147\157\165\166\056\146\162\060\036\027\015\060"
+"\062\061\062\061\063\061\064\062\071\062\063\132\027\015\062\060"
+"\061\060\061\067\061\064\062\071\062\062\132\060\201\205\061\013"
+"\060\011\006\003\125\004\006\023\002\106\122\061\017\060\015\006"
+"\003\125\004\010\023\006\106\162\141\156\143\145\061\016\060\014"
+"\006\003\125\004\007\023\005\120\141\162\151\163\061\020\060\016"
+"\006\003\125\004\012\023\007\120\115\057\123\107\104\116\061\016"
+"\060\014\006\003\125\004\013\023\005\104\103\123\123\111\061\016"
+"\060\014\006\003\125\004\003\023\005\111\107\103\057\101\061\043"
+"\060\041\006\011\052\206\110\206\367\015\001\011\001\026\024\151"
+"\147\143\141\100\163\147\144\156\056\160\155\056\147\157\165\166"
+"\056\146\162\060\202\001\042\060\015\006\011\052\206\110\206\367"
+"\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002"
+"\202\001\001\000\262\037\321\320\142\305\063\073\300\004\206\210"
+"\263\334\370\210\367\375\337\103\337\172\215\232\111\134\366\116"
+"\252\314\034\271\241\353\047\211\362\106\351\073\112\161\325\035"
+"\216\055\317\346\255\253\143\120\307\124\013\156\022\311\220\066"
+"\306\330\057\332\221\252\150\305\162\376\027\012\262\027\176\171"
+"\265\062\210\160\312\160\300\226\112\216\344\125\315\035\047\224"
+"\277\316\162\052\354\134\371\163\040\376\275\367\056\211\147\270"
+"\273\107\163\022\367\321\065\151\072\362\012\271\256\377\106\102"
+"\106\242\277\241\205\032\371\277\344\377\111\205\367\243\160\206"
+"\062\034\135\237\140\367\251\255\245\377\317\321\064\371\175\133"
+"\027\306\334\326\016\050\153\302\335\361\365\063\150\235\116\374"
+"\207\174\066\022\326\243\200\350\103\015\125\141\224\352\144\067"
+"\107\352\167\312\320\262\130\005\303\135\176\261\250\106\220\061"
+"\126\316\160\052\226\262\060\270\167\346\171\300\275\051\073\375"
+"\224\167\114\275\040\315\101\045\340\056\307\033\273\356\244\004"
+"\101\322\135\255\022\152\212\233\107\373\311\335\106\100\341\235"
+"\074\063\320\265\002\003\001\000\001\243\167\060\165\060\017\006"
+"\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\013"
+"\006\003\125\035\017\004\004\003\002\001\106\060\025\006\003\125"
+"\035\040\004\016\060\014\060\012\006\010\052\201\172\001\171\001"
+"\001\001\060\035\006\003\125\035\016\004\026\004\024\243\005\057"
+"\030\140\120\302\211\012\335\053\041\117\377\216\116\250\060\061"
+"\066\060\037\006\003\125\035\043\004\030\060\026\200\024\243\005"
+"\057\030\140\120\302\211\012\335\053\041\117\377\216\116\250\060"
+"\061\066\060\015\006\011\052\206\110\206\367\015\001\001\005\005"
+"\000\003\202\001\001\000\005\334\046\330\372\167\025\104\150\374"
+"\057\146\072\164\340\135\344\051\377\006\007\023\204\112\253\317"
+"\155\240\037\121\224\370\111\313\164\066\024\274\025\335\333\211"
+"\057\335\217\240\135\174\365\022\353\237\236\070\244\107\314\263"
+"\226\331\276\234\045\253\003\176\063\017\225\201\015\375\026\340"
+"\210\276\067\360\154\135\320\061\233\062\053\135\027\145\223\230"
+"\140\274\156\217\261\250\074\036\331\034\363\251\046\102\371\144"
+"\035\302\347\222\366\364\036\132\252\031\122\135\257\350\242\367"
+"\140\240\366\215\360\211\365\156\340\012\005\001\225\311\213\040"
+"\012\272\132\374\232\054\074\275\303\267\311\135\170\045\005\077"
+"\126\024\233\014\332\373\072\110\376\227\151\136\312\020\206\367"
+"\116\226\004\010\115\354\260\276\135\334\073\216\117\301\375\232"
+"\066\064\232\114\124\176\027\003\110\225\010\021\034\007\157\205"
+"\010\176\135\115\304\235\333\373\256\316\262\321\263\270\203\154"
+"\035\262\263\171\361\330\160\231\176\360\023\002\316\136\335\121"
+"\323\337\066\201\241\033\170\057\161\263\361\131\114\106\030\050"
+"\253\205\322\140\126\132"
+, (PRUint32)1030 }
+};
+static const NSSItem nss_builtins_items_255 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"IGC/A", (PRUint32)6 },
+  { (void *)"\140\326\211\164\265\302\145\236\212\017\301\210\174\210\322\106"
+"\151\033\030\054"
+, (PRUint32)20 },
+  { (void *)"\014\177\335\152\364\052\271\310\233\275\040\176\251\333\134\067"
+, (PRUint32)16 },
+  { (void *)"\060\201\205\061\013\060\011\006\003\125\004\006\023\002\106\122"
+"\061\017\060\015\006\003\125\004\010\023\006\106\162\141\156\143"
+"\145\061\016\060\014\006\003\125\004\007\023\005\120\141\162\151"
+"\163\061\020\060\016\006\003\125\004\012\023\007\120\115\057\123"
+"\107\104\116\061\016\060\014\006\003\125\004\013\023\005\104\103"
+"\123\123\111\061\016\060\014\006\003\125\004\003\023\005\111\107"
+"\103\057\101\061\043\060\041\006\011\052\206\110\206\367\015\001"
+"\011\001\026\024\151\147\143\141\100\163\147\144\156\056\160\155"
+"\056\147\157\165\166\056\146\162"
+, (PRUint32)136 },
+  { (void *)"\002\005\071\021\105\020\224"
+, (PRUint32)7 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
+};
+static const NSSItem nss_builtins_items_256 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Security Communication EV RootCA1", (PRUint32)34 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061"
+"\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040"
+"\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117"
+"\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023"
+"\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156"
+"\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103"
+"\101\061"
+, (PRUint32)98 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061"
+"\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040"
+"\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117"
+"\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023"
+"\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156"
+"\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103"
+"\101\061"
+, (PRUint32)98 },
+  { (void *)"\002\001\000"
+, (PRUint32)3 },
+  { (void *)"\060\202\003\175\060\202\002\145\240\003\002\001\002\002\001\000"
+"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
+"\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061\045"
+"\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040\124"
+"\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117\056"
+"\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023\041"
+"\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156\151"
+"\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103\101"
+"\061\060\036\027\015\060\067\060\066\060\066\060\062\061\062\063"
+"\062\132\027\015\063\067\060\066\060\066\060\062\061\062\063\062"
+"\132\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120"
+"\061\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115"
+"\040\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103"
+"\117\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013"
+"\023\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165"
+"\156\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164"
+"\103\101\061\060\202\001\042\060\015\006\011\052\206\110\206\367"
+"\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002"
+"\202\001\001\000\274\177\354\127\233\044\340\376\234\272\102\171"
+"\251\210\212\372\200\340\365\007\051\103\352\216\012\064\066\215"
+"\034\372\247\265\071\170\377\227\165\367\057\344\252\153\004\204"
+"\104\312\246\342\150\216\375\125\120\142\017\244\161\016\316\007"
+"\070\055\102\205\120\255\074\226\157\213\325\242\016\317\336\111"
+"\211\075\326\144\056\070\345\036\154\265\127\212\236\357\110\016"
+"\315\172\151\026\207\104\265\220\344\006\235\256\241\004\227\130"
+"\171\357\040\112\202\153\214\042\277\354\037\017\351\204\161\355"
+"\361\016\344\270\030\023\314\126\066\135\321\232\036\121\153\071"
+"\156\140\166\210\064\013\363\263\321\260\235\312\141\342\144\035"
+"\301\106\007\270\143\335\036\063\145\263\216\011\125\122\075\265"
+"\275\377\007\353\255\141\125\030\054\251\151\230\112\252\100\305"
+"\063\024\145\164\000\371\221\336\257\003\110\305\100\124\334\017"
+"\204\220\150\040\305\222\226\334\056\345\002\105\252\300\137\124"
+"\370\155\352\111\317\135\154\113\257\357\232\302\126\134\306\065"
+"\126\102\152\060\137\302\253\366\342\075\077\263\311\021\217\061"
+"\114\327\237\111\002\003\001\000\001\243\102\060\100\060\035\006"
+"\003\125\035\016\004\026\004\024\065\112\365\115\257\077\327\202"
+"\070\254\253\161\145\027\165\214\235\125\223\346\060\016\006\003"
+"\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006\003"
+"\125\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006"
+"\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001"
+"\000\250\207\351\354\370\100\147\135\303\301\146\307\100\113\227"
+"\374\207\023\220\132\304\357\240\312\137\213\267\247\267\361\326"
+"\265\144\267\212\263\270\033\314\332\373\254\146\210\101\316\350"
+"\374\344\333\036\210\246\355\047\120\033\002\060\044\106\171\376"
+"\004\207\160\227\100\163\321\300\301\127\031\232\151\245\047\231"
+"\253\235\142\204\366\121\301\054\311\043\025\330\050\267\253\045"
+"\023\265\106\341\206\002\377\046\214\304\210\222\035\126\376\031"
+"\147\362\125\344\200\243\153\234\253\167\341\121\161\015\040\333"
+"\020\232\333\275\166\171\007\167\231\050\255\232\136\332\261\117"
+"\104\054\065\216\245\226\307\375\203\360\130\306\171\326\230\174"
+"\250\215\376\206\076\007\026\222\341\173\347\035\354\063\166\176"
+"\102\056\112\205\371\221\211\150\204\003\201\245\233\232\276\343"
+"\067\305\124\253\126\073\030\055\101\244\014\370\102\333\231\240"
+"\340\162\157\273\135\341\026\117\123\012\144\371\116\364\277\116"
+"\124\275\170\154\210\352\277\234\023\044\302\160\151\242\177\017"
+"\310\074\255\010\311\260\230\100\243\052\347\210\203\355\167\217"
+"\164"
+, (PRUint32)897 }
+};
+static const NSSItem nss_builtins_items_257 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Security Communication EV RootCA1", (PRUint32)34 },
+  { (void *)"\376\270\304\062\334\371\166\232\316\256\075\330\220\217\375\050"
+"\206\145\144\175"
+, (PRUint32)20 },
+  { (void *)"\042\055\246\001\352\174\012\367\360\154\126\103\077\167\166\323"
+, (PRUint32)16 },
+  { (void *)"\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061"
+"\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040"
+"\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117"
+"\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023"
+"\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156"
+"\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103"
+"\101\061"
+, (PRUint32)98 },
+  { (void *)"\002\001\000"
+, (PRUint32)3 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
+};
+static const NSSItem nss_builtins_items_258 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"OISTE WISeKey Global Root GA CA", (PRUint32)32 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\212\061\013\060\011\006\003\125\004\006\023\002\103\110"
+"\061\020\060\016\006\003\125\004\012\023\007\127\111\123\145\113"
+"\145\171\061\033\060\031\006\003\125\004\013\023\022\103\157\160"
+"\171\162\151\147\150\164\040\050\143\051\040\062\060\060\065\061"
+"\042\060\040\006\003\125\004\013\023\031\117\111\123\124\105\040"
+"\106\157\165\156\144\141\164\151\157\156\040\105\156\144\157\162"
+"\163\145\144\061\050\060\046\006\003\125\004\003\023\037\117\111"
+"\123\124\105\040\127\111\123\145\113\145\171\040\107\154\157\142"
+"\141\154\040\122\157\157\164\040\107\101\040\103\101"
+, (PRUint32)141 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\212\061\013\060\011\006\003\125\004\006\023\002\103\110"
+"\061\020\060\016\006\003\125\004\012\023\007\127\111\123\145\113"
+"\145\171\061\033\060\031\006\003\125\004\013\023\022\103\157\160"
+"\171\162\151\147\150\164\040\050\143\051\040\062\060\060\065\061"
+"\042\060\040\006\003\125\004\013\023\031\117\111\123\124\105\040"
+"\106\157\165\156\144\141\164\151\157\156\040\105\156\144\157\162"
+"\163\145\144\061\050\060\046\006\003\125\004\003\023\037\117\111"
+"\123\124\105\040\127\111\123\145\113\145\171\040\107\154\157\142"
+"\141\154\040\122\157\157\164\040\107\101\040\103\101"
+, (PRUint32)141 },
+  { (void *)"\002\020\101\075\162\307\364\153\037\201\103\175\361\322\050\124"
+"\337\232"
+, (PRUint32)18 },
+  { (void *)"\060\202\003\361\060\202\002\331\240\003\002\001\002\002\020\101"
+"\075\162\307\364\153\037\201\103\175\361\322\050\124\337\232\060"
+"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201"
+"\212\061\013\060\011\006\003\125\004\006\023\002\103\110\061\020"
+"\060\016\006\003\125\004\012\023\007\127\111\123\145\113\145\171"
+"\061\033\060\031\006\003\125\004\013\023\022\103\157\160\171\162"
+"\151\147\150\164\040\050\143\051\040\062\060\060\065\061\042\060"
+"\040\006\003\125\004\013\023\031\117\111\123\124\105\040\106\157"
+"\165\156\144\141\164\151\157\156\040\105\156\144\157\162\163\145"
+"\144\061\050\060\046\006\003\125\004\003\023\037\117\111\123\124"
+"\105\040\127\111\123\145\113\145\171\040\107\154\157\142\141\154"
+"\040\122\157\157\164\040\107\101\040\103\101\060\036\027\015\060"
+"\065\061\062\061\061\061\066\060\063\064\064\132\027\015\063\067"
+"\061\062\061\061\061\066\060\071\065\061\132\060\201\212\061\013"
+"\060\011\006\003\125\004\006\023\002\103\110\061\020\060\016\006"
+"\003\125\004\012\023\007\127\111\123\145\113\145\171\061\033\060"
+"\031\006\003\125\004\013\023\022\103\157\160\171\162\151\147\150"
+"\164\040\050\143\051\040\062\060\060\065\061\042\060\040\006\003"
+"\125\004\013\023\031\117\111\123\124\105\040\106\157\165\156\144"
+"\141\164\151\157\156\040\105\156\144\157\162\163\145\144\061\050"
+"\060\046\006\003\125\004\003\023\037\117\111\123\124\105\040\127"
+"\111\123\145\113\145\171\040\107\154\157\142\141\154\040\122\157"
+"\157\164\040\107\101\040\103\101\060\202\001\042\060\015\006\011"
+"\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000"
+"\060\202\001\012\002\202\001\001\000\313\117\263\000\233\075\066"
+"\335\371\321\111\152\153\020\111\037\354\330\053\262\306\370\062"
+"\201\051\103\225\114\232\031\043\041\025\105\336\343\310\034\121"
+"\125\133\256\223\350\067\377\053\153\351\324\352\276\052\335\250"
+"\121\053\327\146\303\141\134\140\002\310\365\316\162\173\073\270"
+"\362\116\145\010\232\315\244\152\031\301\001\273\163\246\327\366"
+"\303\335\315\274\244\213\265\231\141\270\001\242\243\324\115\324"
+"\005\075\221\255\370\264\010\161\144\257\160\361\034\153\176\366"
+"\303\167\235\044\163\173\344\014\214\341\331\066\341\231\213\005"
+"\231\013\355\105\061\011\312\302\000\333\367\162\240\226\252\225"
+"\207\320\216\307\266\141\163\015\166\146\214\334\033\264\143\242"
+"\237\177\223\023\060\361\241\047\333\331\377\054\125\210\221\240"
+"\340\117\007\260\050\126\214\030\033\227\104\216\211\335\340\027"
+"\156\347\052\357\217\071\012\061\204\202\330\100\024\111\056\172"
+"\101\344\247\376\343\144\314\301\131\161\113\054\041\247\133\175"
+"\340\035\321\056\201\233\303\330\150\367\275\226\033\254\160\261"
+"\026\024\013\333\140\271\046\001\005\002\003\001\000\001\243\121"
+"\060\117\060\013\006\003\125\035\017\004\004\003\002\001\206\060"
+"\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377"
+"\060\035\006\003\125\035\016\004\026\004\024\263\003\176\256\066"
+"\274\260\171\321\334\224\046\266\021\276\041\262\151\206\224\060"
+"\020\006\011\053\006\001\004\001\202\067\025\001\004\003\002\001"
+"\000\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000"
+"\003\202\001\001\000\113\241\377\013\207\156\263\371\301\103\261"
+"\110\363\050\300\035\056\311\011\101\372\224\000\034\244\244\253"
+"\111\117\217\075\036\357\115\157\275\274\244\366\362\046\060\311"
+"\020\312\035\210\373\164\031\037\205\105\275\260\154\121\371\066"
+"\176\333\365\114\062\072\101\117\133\107\317\350\013\055\266\304"
+"\031\235\164\305\107\306\073\152\017\254\024\333\074\364\163\234"
+"\251\005\337\000\334\164\170\372\370\065\140\131\002\023\030\174"
+"\274\373\115\260\040\155\103\273\140\060\172\147\063\134\305\231"
+"\321\370\055\071\122\163\373\214\252\227\045\134\162\331\010\036"
+"\253\116\074\343\201\061\237\003\246\373\300\376\051\210\125\332"
+"\204\325\120\003\266\342\204\243\246\066\252\021\072\001\341\030"
+"\113\326\104\150\263\075\371\123\164\204\263\106\221\106\226\000"
+"\267\200\054\266\341\343\020\342\333\242\347\050\217\001\226\142"
+"\026\076\000\343\034\245\066\201\030\242\114\122\166\300\021\243"
+"\156\346\035\272\343\132\276\066\123\305\076\165\217\206\151\051"
+"\130\123\265\234\273\157\237\134\305\030\354\335\057\341\230\311"
+"\374\276\337\012\015"
+, (PRUint32)1013 }
+};
+static const NSSItem nss_builtins_items_259 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"OISTE WISeKey Global Root GA CA", (PRUint32)32 },
+  { (void *)"\131\042\241\341\132\352\026\065\041\370\230\071\152\106\106\260"
+"\104\033\017\251"
+, (PRUint32)20 },
+  { (void *)"\274\154\121\063\247\351\323\146\143\124\025\162\033\041\222\223"
+, (PRUint32)16 },
+  { (void *)"\060\201\212\061\013\060\011\006\003\125\004\006\023\002\103\110"
+"\061\020\060\016\006\003\125\004\012\023\007\127\111\123\145\113"
+"\145\171\061\033\060\031\006\003\125\004\013\023\022\103\157\160"
+"\171\162\151\147\150\164\040\050\143\051\040\062\060\060\065\061"
+"\042\060\040\006\003\125\004\013\023\031\117\111\123\124\105\040"
+"\106\157\165\156\144\141\164\151\157\156\040\105\156\144\157\162"
+"\163\145\144\061\050\060\046\006\003\125\004\003\023\037\117\111"
+"\123\124\105\040\127\111\123\145\113\145\171\040\107\154\157\142"
+"\141\154\040\122\157\157\164\040\107\101\040\103\101"
+, (PRUint32)141 },
+  { (void *)"\002\020\101\075\162\307\364\153\037\201\103\175\361\322\050\124"
+"\337\232"
+, (PRUint32)18 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
+};
 
 builtinsInternalObject
 nss_builtins_data[] = {
 #ifdef DEBUG
   { 7, nss_builtins_types_0, nss_builtins_items_0, {NULL} },
 #endif /* DEBUG */
   { 5, nss_builtins_types_1, nss_builtins_items_1, {NULL} },
   { 11, nss_builtins_types_2, nss_builtins_items_2, {NULL} },
@@ -17354,16 +17734,22 @@ nss_builtins_data[] = {
   { 13, nss_builtins_types_245, nss_builtins_items_245, {NULL} },
   { 11, nss_builtins_types_246, nss_builtins_items_246, {NULL} },
   { 13, nss_builtins_types_247, nss_builtins_items_247, {NULL} },
   { 11, nss_builtins_types_248, nss_builtins_items_248, {NULL} },
   { 13, nss_builtins_types_249, nss_builtins_items_249, {NULL} },
   { 11, nss_builtins_types_250, nss_builtins_items_250, {NULL} },
   { 13, nss_builtins_types_251, nss_builtins_items_251, {NULL} },
   { 11, nss_builtins_types_252, nss_builtins_items_252, {NULL} },
-  { 13, nss_builtins_types_253, nss_builtins_items_253, {NULL} }
+  { 13, nss_builtins_types_253, nss_builtins_items_253, {NULL} },
+  { 11, nss_builtins_types_254, nss_builtins_items_254, {NULL} },
+  { 13, nss_builtins_types_255, nss_builtins_items_255, {NULL} },
+  { 11, nss_builtins_types_256, nss_builtins_items_256, {NULL} },
+  { 13, nss_builtins_types_257, nss_builtins_items_257, {NULL} },
+  { 11, nss_builtins_types_258, nss_builtins_items_258, {NULL} },
+  { 13, nss_builtins_types_259, nss_builtins_items_259, {NULL} }
 };
 const PRUint32
 #ifdef DEBUG
-  nss_builtins_nObjects = 253+1;
+  nss_builtins_nObjects = 259+1;
 #else
-  nss_builtins_nObjects = 253;
+  nss_builtins_nObjects = 259;
 #endif /* DEBUG */
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -29,17 +29,17 @@
 # under the terms of either the GPL or the LGPL, and not to allow others to
 # use your version of this file under the terms of the MPL, indicate your
 # decision by deleting the provisions above and replace them with the notice
 # and other provisions required by the GPL or the LGPL. If you do not delete
 # the provisions above, a recipient may use your version of this file under
 # the terms of any one of the MPL, the GPL or the LGPL.
 #
 # ***** END LICENSE BLOCK *****
-CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.51 $ $Date: 2009/01/15 22:35:15 $"
+CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.52 $ $Date: 2009/04/13 02:40:06 $"
 
 #
 # certdata.txt
 #
 # This file contains the object definitions for the certs and other
 # information "built into" NSS.
 #
 # Object definitions:
@@ -17623,8 +17623,400 @@ CKA_ISSUER MULTILINE_OCTAL
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\102
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_UNTRUSTED
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_UNTRUSTED
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_UNTRUSTED
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "IGC/A"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "IGC/A"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\205\061\013\060\011\006\003\125\004\006\023\002\106\122
+\061\017\060\015\006\003\125\004\010\023\006\106\162\141\156\143
+\145\061\016\060\014\006\003\125\004\007\023\005\120\141\162\151
+\163\061\020\060\016\006\003\125\004\012\023\007\120\115\057\123
+\107\104\116\061\016\060\014\006\003\125\004\013\023\005\104\103
+\123\123\111\061\016\060\014\006\003\125\004\003\023\005\111\107
+\103\057\101\061\043\060\041\006\011\052\206\110\206\367\015\001
+\011\001\026\024\151\147\143\141\100\163\147\144\156\056\160\155
+\056\147\157\165\166\056\146\162
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\205\061\013\060\011\006\003\125\004\006\023\002\106\122
+\061\017\060\015\006\003\125\004\010\023\006\106\162\141\156\143
+\145\061\016\060\014\006\003\125\004\007\023\005\120\141\162\151
+\163\061\020\060\016\006\003\125\004\012\023\007\120\115\057\123
+\107\104\116\061\016\060\014\006\003\125\004\013\023\005\104\103
+\123\123\111\061\016\060\014\006\003\125\004\003\023\005\111\107
+\103\057\101\061\043\060\041\006\011\052\206\110\206\367\015\001
+\011\001\026\024\151\147\143\141\100\163\147\144\156\056\160\155
+\056\147\157\165\166\056\146\162
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\005\071\021\105\020\224
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\002\060\202\002\352\240\003\002\001\002\002\005\071
+\021\105\020\224\060\015\006\011\052\206\110\206\367\015\001\001
+\005\005\000\060\201\205\061\013\060\011\006\003\125\004\006\023
+\002\106\122\061\017\060\015\006\003\125\004\010\023\006\106\162
+\141\156\143\145\061\016\060\014\006\003\125\004\007\023\005\120
+\141\162\151\163\061\020\060\016\006\003\125\004\012\023\007\120
+\115\057\123\107\104\116\061\016\060\014\006\003\125\004\013\023
+\005\104\103\123\123\111\061\016\060\014\006\003\125\004\003\023
+\005\111\107\103\057\101\061\043\060\041\006\011\052\206\110\206
+\367\015\001\011\001\026\024\151\147\143\141\100\163\147\144\156
+\056\160\155\056\147\157\165\166\056\146\162\060\036\027\015\060
+\062\061\062\061\063\061\064\062\071\062\063\132\027\015\062\060
+\061\060\061\067\061\064\062\071\062\062\132\060\201\205\061\013
+\060\011\006\003\125\004\006\023\002\106\122\061\017\060\015\006
+\003\125\004\010\023\006\106\162\141\156\143\145\061\016\060\014
+\006\003\125\004\007\023\005\120\141\162\151\163\061\020\060\016
+\006\003\125\004\012\023\007\120\115\057\123\107\104\116\061\016
+\060\014\006\003\125\004\013\023\005\104\103\123\123\111\061\016
+\060\014\006\003\125\004\003\023\005\111\107\103\057\101\061\043
+\060\041\006\011\052\206\110\206\367\015\001\011\001\026\024\151
+\147\143\141\100\163\147\144\156\056\160\155\056\147\157\165\166
+\056\146\162\060\202\001\042\060\015\006\011\052\206\110\206\367
+\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002
+\202\001\001\000\262\037\321\320\142\305\063\073\300\004\206\210
+\263\334\370\210\367\375\337\103\337\172\215\232\111\134\366\116
+\252\314\034\271\241\353\047\211\362\106\351\073\112\161\325\035
+\216\055\317\346\255\253\143\120\307\124\013\156\022\311\220\066
+\306\330\057\332\221\252\150\305\162\376\027\012\262\027\176\171
+\265\062\210\160\312\160\300\226\112\216\344\125\315\035\047\224
+\277\316\162\052\354\134\371\163\040\376\275\367\056\211\147\270
+\273\107\163\022\367\321\065\151\072\362\012\271\256\377\106\102
+\106\242\277\241\205\032\371\277\344\377\111\205\367\243\160\206
+\062\034\135\237\140\367\251\255\245\377\317\321\064\371\175\133
+\027\306\334\326\016\050\153\302\335\361\365\063\150\235\116\374
+\207\174\066\022\326\243\200\350\103\015\125\141\224\352\144\067
+\107\352\167\312\320\262\130\005\303\135\176\261\250\106\220\061
+\126\316\160\052\226\262\060\270\167\346\171\300\275\051\073\375
+\224\167\114\275\040\315\101\045\340\056\307\033\273\356\244\004
+\101\322\135\255\022\152\212\233\107\373\311\335\106\100\341\235
+\074\063\320\265\002\003\001\000\001\243\167\060\165\060\017\006
+\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\013
+\006\003\125\035\017\004\004\003\002\001\106\060\025\006\003\125
+\035\040\004\016\060\014\060\012\006\010\052\201\172\001\171\001
+\001\001\060\035\006\003\125\035\016\004\026\004\024\243\005\057
+\030\140\120\302\211\012\335\053\041\117\377\216\116\250\060\061
+\066\060\037\006\003\125\035\043\004\030\060\026\200\024\243\005
+\057\030\140\120\302\211\012\335\053\041\117\377\216\116\250\060
+\061\066\060\015\006\011\052\206\110\206\367\015\001\001\005\005
+\000\003\202\001\001\000\005\334\046\330\372\167\025\104\150\374
+\057\146\072\164\340\135\344\051\377\006\007\023\204\112\253\317
+\155\240\037\121\224\370\111\313\164\066\024\274\025\335\333\211
+\057\335\217\240\135\174\365\022\353\237\236\070\244\107\314\263
+\226\331\276\234\045\253\003\176\063\017\225\201\015\375\026\340
+\210\276\067\360\154\135\320\061\233\062\053\135\027\145\223\230
+\140\274\156\217\261\250\074\036\331\034\363\251\046\102\371\144
+\035\302\347\222\366\364\036\132\252\031\122\135\257\350\242\367
+\140\240\366\215\360\211\365\156\340\012\005\001\225\311\213\040
+\012\272\132\374\232\054\074\275\303\267\311\135\170\045\005\077
+\126\024\233\014\332\373\072\110\376\227\151\136\312\020\206\367
+\116\226\004\010\115\354\260\276\135\334\073\216\117\301\375\232
+\066\064\232\114\124\176\027\003\110\225\010\021\034\007\157\205
+\010\176\135\115\304\235\333\373\256\316\262\321\263\270\203\154
+\035\262\263\171\361\330\160\231\176\360\023\002\316\136\335\121
+\323\337\066\201\241\033\170\057\161\263\361\131\114\106\030\050
+\253\205\322\140\126\132
+END
+
+# Trust for Certificate "IGC/A"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "IGC/A"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\140\326\211\164\265\302\145\236\212\017\301\210\174\210\322\106
+\151\033\030\054
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\014\177\335\152\364\052\271\310\233\275\040\176\251\333\134\067
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\205\061\013\060\011\006\003\125\004\006\023\002\106\122
+\061\017\060\015\006\003\125\004\010\023\006\106\162\141\156\143
+\145\061\016\060\014\006\003\125\004\007\023\005\120\141\162\151
+\163\061\020\060\016\006\003\125\004\012\023\007\120\115\057\123
+\107\104\116\061\016\060\014\006\003\125\004\013\023\005\104\103
+\123\123\111\061\016\060\014\006\003\125\004\003\023\005\111\107
+\103\057\101\061\043\060\041\006\011\052\206\110\206\367\015\001
+\011\001\026\024\151\147\143\141\100\163\147\144\156\056\160\155
+\056\147\157\165\166\056\146\162
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\005\071\021\105\020\224
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "Security Communication EV RootCA1"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Security Communication EV RootCA1"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061
+\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040
+\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117
+\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023
+\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156
+\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103
+\101\061
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061
+\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040
+\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117
+\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023
+\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156
+\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103
+\101\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\001\000
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\175\060\202\002\145\240\003\002\001\002\002\001\000
+\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
+\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061\045
+\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040\124
+\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117\056
+\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023\041
+\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156\151
+\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103\101
+\061\060\036\027\015\060\067\060\066\060\066\060\062\061\062\063
+\062\132\027\015\063\067\060\066\060\066\060\062\061\062\063\062
+\132\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120
+\061\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115
+\040\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103
+\117\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013
+\023\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165
+\156\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164
+\103\101\061\060\202\001\042\060\015\006\011\052\206\110\206\367
+\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002
+\202\001\001\000\274\177\354\127\233\044\340\376\234\272\102\171
+\251\210\212\372\200\340\365\007\051\103\352\216\012\064\066\215
+\034\372\247\265\071\170\377\227\165\367\057\344\252\153\004\204
+\104\312\246\342\150\216\375\125\120\142\017\244\161\016\316\007
+\070\055\102\205\120\255\074\226\157\213\325\242\016\317\336\111
+\211\075\326\144\056\070\345\036\154\265\127\212\236\357\110\016
+\315\172\151\026\207\104\265\220\344\006\235\256\241\004\227\130
+\171\357\040\112\202\153\214\042\277\354\037\017\351\204\161\355
+\361\016\344\270\030\023\314\126\066\135\321\232\036\121\153\071
+\156\140\166\210\064\013\363\263\321\260\235\312\141\342\144\035
+\301\106\007\270\143\335\036\063\145\263\216\011\125\122\075\265
+\275\377\007\353\255\141\125\030\054\251\151\230\112\252\100\305
+\063\024\145\164\000\371\221\336\257\003\110\305\100\124\334\017
+\204\220\150\040\305\222\226\334\056\345\002\105\252\300\137\124
+\370\155\352\111\317\135\154\113\257\357\232\302\126\134\306\065
+\126\102\152\060\137\302\253\366\342\075\077\263\311\021\217\061
+\114\327\237\111\002\003\001\000\001\243\102\060\100\060\035\006
+\003\125\035\016\004\026\004\024\065\112\365\115\257\077\327\202
+\070\254\253\161\145\027\165\214\235\125\223\346\060\016\006\003
+\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006\003
+\125\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006
+\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001
+\000\250\207\351\354\370\100\147\135\303\301\146\307\100\113\227
+\374\207\023\220\132\304\357\240\312\137\213\267\247\267\361\326
+\265\144\267\212\263\270\033\314\332\373\254\146\210\101\316\350
+\374\344\333\036\210\246\355\047\120\033\002\060\044\106\171\376
+\004\207\160\227\100\163\321\300\301\127\031\232\151\245\047\231
+\253\235\142\204\366\121\301\054\311\043\025\330\050\267\253\045
+\023\265\106\341\206\002\377\046\214\304\210\222\035\126\376\031
+\147\362\125\344\200\243\153\234\253\167\341\121\161\015\040\333
+\020\232\333\275\166\171\007\167\231\050\255\232\136\332\261\117
+\104\054\065\216\245\226\307\375\203\360\130\306\171\326\230\174
+\250\215\376\206\076\007\026\222\341\173\347\035\354\063\166\176
+\102\056\112\205\371\221\211\150\204\003\201\245\233\232\276\343
+\067\305\124\253\126\073\030\055\101\244\014\370\102\333\231\240
+\340\162\157\273\135\341\026\117\123\012\144\371\116\364\277\116
+\124\275\170\154\210\352\277\234\023\044\302\160\151\242\177\017
+\310\074\255\010\311\260\230\100\243\052\347\210\203\355\167\217
+\164
+END
+
+# Trust for Certificate "Security Communication EV RootCA1"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Security Communication EV RootCA1"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\376\270\304\062\334\371\166\232\316\256\075\330\220\217\375\050
+\206\145\144\175
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\042\055\246\001\352\174\012\367\360\154\126\103\077\167\166\323
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061
+\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040
+\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117
+\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023
+\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156
+\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103
+\101\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\001\000
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "OISTE WISeKey Global Root GA CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "OISTE WISeKey Global Root GA CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\212\061\013\060\011\006\003\125\004\006\023\002\103\110
+\061\020\060\016\006\003\125\004\012\023\007\127\111\123\145\113
+\145\171\061\033\060\031\006\003\125\004\013\023\022\103\157\160
+\171\162\151\147\150\164\040\050\143\051\040\062\060\060\065\061
+\042\060\040\006\003\125\004\013\023\031\117\111\123\124\105\040
+\106\157\165\156\144\141\164\151\157\156\040\105\156\144\157\162
+\163\145\144\061\050\060\046\006\003\125\004\003\023\037\117\111
+\123\124\105\040\127\111\123\145\113\145\171\040\107\154\157\142
+\141\154\040\122\157\157\164\040\107\101\040\103\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\212\061\013\060\011\006\003\125\004\006\023\002\103\110
+\061\020\060\016\006\003\125\004\012\023\007\127\111\123\145\113
+\145\171\061\033\060\031\006\003\125\004\013\023\022\103\157\160
+\171\162\151\147\150\164\040\050\143\051\040\062\060\060\065\061
+\042\060\040\006\003\125\004\013\023\031\117\111\123\124\105\040
+\106\157\165\156\144\141\164\151\157\156\040\105\156\144\157\162
+\163\145\144\061\050\060\046\006\003\125\004\003\023\037\117\111
+\123\124\105\040\127\111\123\145\113\145\171\040\107\154\157\142
+\141\154\040\122\157\157\164\040\107\101\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\101\075\162\307\364\153\037\201\103\175\361\322\050\124
+\337\232
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\361\060\202\002\331\240\003\002\001\002\002\020\101
+\075\162\307\364\153\037\201\103\175\361\322\050\124\337\232\060
+\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201
+\212\061\013\060\011\006\003\125\004\006\023\002\103\110\061\020
+\060\016\006\003\125\004\012\023\007\127\111\123\145\113\145\171
+\061\033\060\031\006\003\125\004\013\023\022\103\157\160\171\162
+\151\147\150\164\040\050\143\051\040\062\060\060\065\061\042\060
+\040\006\003\125\004\013\023\031\117\111\123\124\105\040\106\157
+\165\156\144\141\164\151\157\156\040\105\156\144\157\162\163\145
+\144\061\050\060\046\006\003\125\004\003\023\037\117\111\123\124
+\105\040\127\111\123\145\113\145\171\040\107\154\157\142\141\154
+\040\122\157\157\164\040\107\101\040\103\101\060\036\027\015\060
+\065\061\062\061\061\061\066\060\063\064\064\132\027\015\063\067
+\061\062\061\061\061\066\060\071\065\061\132\060\201\212\061\013
+\060\011\006\003\125\004\006\023\002\103\110\061\020\060\016\006
+\003\125\004\012\023\007\127\111\123\145\113\145\171\061\033\060
+\031\006\003\125\004\013\023\022\103\157\160\171\162\151\147\150
+\164\040\050\143\051\040\062\060\060\065\061\042\060\040\006\003
+\125\004\013\023\031\117\111\123\124\105\040\106\157\165\156\144
+\141\164\151\157\156\040\105\156\144\157\162\163\145\144\061\050
+\060\046\006\003\125\004\003\023\037\117\111\123\124\105\040\127
+\111\123\145\113\145\171\040\107\154\157\142\141\154\040\122\157
+\157\164\040\107\101\040\103\101\060\202\001\042\060\015\006\011
+\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000
+\060\202\001\012\002\202\001\001\000\313\117\263\000\233\075\066
+\335\371\321\111\152\153\020\111\037\354\330\053\262\306\370\062
+\201\051\103\225\114\232\031\043\041\025\105\336\343\310\034\121
+\125\133\256\223\350\067\377\053\153\351\324\352\276\052\335\250
+\121\053\327\146\303\141\134\140\002\310\365\316\162\173\073\270
+\362\116\145\010\232\315\244\152\031\301\001\273\163\246\327\366
+\303\335\315\274\244\213\265\231\141\270\001\242\243\324\115\324
+\005\075\221\255\370\264\010\161\144\257\160\361\034\153\176\366
+\303\167\235\044\163\173\344\014\214\341\331\066\341\231\213\005
+\231\013\355\105\061\011\312\302\000\333\367\162\240\226\252\225
+\207\320\216\307\266\141\163\015\166\146\214\334\033\264\143\242
+\237\177\223\023\060\361\241\047\333\331\377\054\125\210\221\240
+\340\117\007\260\050\126\214\030\033\227\104\216\211\335\340\027
+\156\347\052\357\217\071\012\061\204\202\330\100\024\111\056\172
+\101\344\247\376\343\144\314\301\131\161\113\054\041\247\133\175
+\340\035\321\056\201\233\303\330\150\367\275\226\033\254\160\261
+\026\024\013\333\140\271\046\001\005\002\003\001\000\001\243\121
+\060\117\060\013\006\003\125\035\017\004\004\003\002\001\206\060
+\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377
+\060\035\006\003\125\035\016\004\026\004\024\263\003\176\256\066
+\274\260\171\321\334\224\046\266\021\276\041\262\151\206\224\060
+\020\006\011\053\006\001\004\001\202\067\025\001\004\003\002\001
+\000\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000
+\003\202\001\001\000\113\241\377\013\207\156\263\371\301\103\261
+\110\363\050\300\035\056\311\011\101\372\224\000\034\244\244\253
+\111\117\217\075\036\357\115\157\275\274\244\366\362\046\060\311
+\020\312\035\210\373\164\031\037\205\105\275\260\154\121\371\066
+\176\333\365\114\062\072\101\117\133\107\317\350\013\055\266\304
+\031\235\164\305\107\306\073\152\017\254\024\333\074\364\163\234
+\251\005\337\000\334\164\170\372\370\065\140\131\002\023\030\174
+\274\373\115\260\040\155\103\273\140\060\172\147\063\134\305\231
+\321\370\055\071\122\163\373\214\252\227\045\134\162\331\010\036
+\253\116\074\343\201\061\237\003\246\373\300\376\051\210\125\332
+\204\325\120\003\266\342\204\243\246\066\252\021\072\001\341\030
+\113\326\104\150\263\075\371\123\164\204\263\106\221\106\226\000
+\267\200\054\266\341\343\020\342\333\242\347\050\217\001\226\142
+\026\076\000\343\034\245\066\201\030\242\114\122\166\300\021\243
+\156\346\035\272\343\132\276\066\123\305\076\165\217\206\151\051
+\130\123\265\234\273\157\237\134\305\030\354\335\057\341\230\311
+\374\276\337\012\015
+END
+
+# Trust for Certificate "OISTE WISeKey Global Root GA CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "OISTE WISeKey Global Root GA CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\131\042\241\341\132\352\026\065\041\370\230\071\152\106\106\260
+\104\033\017\251
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\274\154\121\063\247\351\323\146\143\124\025\162\033\041\222\223
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\212\061\013\060\011\006\003\125\004\006\023\002\103\110
+\061\020\060\016\006\003\125\004\012\023\007\127\111\123\145\113
+\145\171\061\033\060\031\006\003\125\004\013\023\022\103\157\160
+\171\162\151\147\150\164\040\050\143\051\040\062\060\060\065\061
+\042\060\040\006\003\125\004\013\023\031\117\111\123\124\105\040
+\106\157\165\156\144\141\164\151\157\156\040\105\156\144\157\162
+\163\145\144\061\050\060\046\006\003\125\004\003\023\037\117\111
+\123\124\105\040\127\111\123\145\113\145\171\040\107\154\157\142
+\141\154\040\122\157\157\164\040\107\101\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\101\075\162\307\364\153\037\201\103\175\361\322\050\124
+\337\232
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
--- a/security/nss/lib/ckfw/builtins/nssckbi.h
+++ b/security/nss/lib/ckfw/builtins/nssckbi.h
@@ -70,18 +70,18 @@
  *     ...
  *   - NSS 3.30 branch: 250-255
  *
  * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
  * whether we may use its full range (0-255) or only 0-99 because
  * of the comment in the CK_VERSION type definition.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 73
-#define NSS_BUILTINS_LIBRARY_VERSION "1.73"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 74
+#define NSS_BUILTINS_LIBRARY_VERSION "1.74"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
 #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
 
 /* These version numbers detail the semantic changes to ckbi itself 
  * (new PKCS #11 objects), etc. */
 #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
--- a/security/nss/lib/freebl/Makefile
+++ b/security/nss/lib/freebl/Makefile
@@ -72,21 +72,25 @@ endif
 
 ifdef USE_ABI32_FPU
 	DEFINES += -DNSS_USE_ABI32_FPU
 endif
 
 ifdef FREEBL_NO_DEPEND
 	DEFINES += -DFREEBL_NO_DEPEND
 endif
-# some code wants _X86_ defined for intel CPUs.
-# coreconf does this for windows, but not for Linux, FreeBSD, etc.
-ifeq (,$(filter-out x86 x86_64,$(CPU_ARCH)))
-ifneq (,$(filter-out WIN%,$(OS_TARGET)))
-	DEFINES += -D_X86_
+# NSS_X86 means the target is a 32-bits x86 CPU architecture
+# NSS_X64 means the target is a 64-bits x64 CPU architecture
+# NSS_X86_OR_X64 means the target is either x86 or x64
+ifeq (,$(filter-out x386 x86 x86_64,$(CPU_ARCH)))
+        DEFINES += -DNSS_X86_OR_X64
+ifdef USE_64
+        DEFINES += -DNSS_X64
+else
+        DEFINES += -DNSS_X86
 endif
 endif
 
 ifeq ($(OS_TARGET),OSF1)
     DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_NO_MP_WORD
     MPI_SRCS += mpvalpha.c
 endif
 
@@ -140,17 +144,17 @@ ifeq ($(USE_N32),1)
     DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
     DEFINES += -DMP_USE_UINT_DIGIT
 endif
 endif
 
 ifeq ($(OS_TARGET),Linux)
 ifeq ($(CPU_ARCH),x86_64)
     ASFILES  = arcfour-amd64-gas.s mpi_amd64_gas.s
-    ASFLAGS += -march=opteron -m64 -fPIC
+    ASFLAGS += -march=opteron -m64 -fPIC -Wa,--noexecstack
     DEFINES += -DNSS_BEVAND_ARCFOUR -DMPI_AMD64 -DMP_ASSEMBLY_MULTIPLY
     DEFINES += -DNSS_USE_COMBA
     DEFINES += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN
 #   DEFINES += -DMPI_AMD64_ADD
     # comment the next two lines to turn off intel HW accelleration
     DEFINES += -DUSE_HW_AES
     ASFILES += intel-aes.s
     MPI_SRCS += mpi_amd64.c mp_comba.c
@@ -401,17 +405,16 @@ else
 	DEFINES += -DNSS_BEVAND_ARCFOUR -DMPI_AMD64 -DMP_ASSEMBLY_MULTIPLY
 	DEFINES += -DNSS_USE_COMBA -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN
 	# comment the next two lines to turn off intel HW accelleration
 	DEFINES += -DUSE_HW_AES
 	ASFILES += intel-aes.s
 	MPI_SRCS += mpi_amd64.c
     else
 	# Solaris x86
-	DEFINES += -D_X86_
 	DEFINES += -DMP_USE_UINT_DIGIT
 	DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE 
 	DEFINES += -DMP_ASSEMBLY_DIV_2DX1D
 	ASFILES  = mpi_i86pc.s
  	ifndef NS_USE_GCC
  	   MPCPU_SRCS =
  	   ASFILES += mpcpucache_x86.s
  	endif
--- a/security/nss/lib/freebl/alg2268.c
+++ b/security/nss/lib/freebl/alg2268.c
@@ -32,17 +32,17 @@
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
-/* $Id: alg2268.c,v 1.8 2008/11/18 19:48:21 rrelyea%redhat.com Exp $ */
+/* $Id: alg2268.c,v 1.9 2009/04/09 22:11:07 julien.pierre.boogz%sun.com Exp $ */
 
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
 #endif
 
 #include "blapi.h"
 #include "secerr.h"
 #ifdef XP_UNIX_XXX
@@ -100,17 +100,17 @@ struct RC2ContextStr {
     output[4] =  (PRUint8)(R[2]);   output[5] = (PRUint8)(R[2] >> 8); \
     output[6] =  (PRUint8)(R[3]);   output[7] = (PRUint8)(R[3] >> 8);
 #define STORE_EASY(R) \
     ((PRUint16 *)output)[0] =  R[0]; \
     ((PRUint16 *)output)[1] =  R[1]; \
     ((PRUint16 *)output)[2] =  R[2]; \
     ((PRUint16 *)output)[3] =  R[3];   
 
-#if defined (_X86_)
+#if defined (NSS_X86_OR_X64)
 #define LOAD(R)  LOAD_EASY(R)
 #define STORE(R) STORE_EASY(R)
 #elif !defined(IS_LITTLE_ENDIAN)
 #define LOAD(R)  LOAD_HARD(R)
 #define STORE(R) STORE_HARD(R)
 #else
 #define LOAD(R) if ((ptrdiff_t)input & 1) { LOAD_HARD(R) } else { LOAD_EASY(R) }
 #define STORE(R) if ((ptrdiff_t)input & 1) { STORE_HARD(R) } else { STORE_EASY(R) }
--- a/security/nss/lib/freebl/config.mk
+++ b/security/nss/lib/freebl/config.mk
@@ -86,32 +86,34 @@ RESNAME = freebl.rc
 
 ifndef WINCE
 OS_LIBS += shell32.lib
 endif
 
 ifdef NS_USE_GCC
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib \
+	-L$(NSSUTIL_LIB_DIR) \
 	-lnssutil3 \
 	-L$(NSPR_LIB_DIR) \
 	-lnspr4 \
 	$(NULL)
 else # ! NS_USE_GCC
 EXTRA_SHARED_LIBS += \
 	$(DIST)/lib/nssutil3.lib \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
 	$(NULL)
 endif # NS_USE_GCC
 
 else
 
 ifndef FREEBL_NO_DEPEND
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib \
+	-L$(NSSUTIL_LIB_DIR) \
 	-lnssutil3 \
 	-L$(NSPR_LIB_DIR) \
 	-lnspr4 \
 	$(NULL)
 else
 #drop pthreads as well
 OS_PTHREAD=
 endif
--- a/security/nss/lib/freebl/des.c
+++ b/security/nss/lib/freebl/des.c
@@ -395,17 +395,17 @@ static const HALF PC2[8][64] = {
 */
 
 #define FLIP_RIGHT_DIAGONAL(word, temp) \
     temp  = (word ^ (word >> 18)) & 0x00003333; \
     word ^=  temp | (temp << 18); \
     temp  = (word ^ (word >> 9)) & 0x00550055; \
     word ^=  temp | (temp << 9);
 
-#if defined(__GNUC__) && defined(_X86_)
+#if defined(__GNUC__) && defined(NSS_X86_OR_X64)
 #define BYTESWAP(word, temp) \
     __asm("bswap	%0" : "+r" (word));
 #else
 #define BYTESWAP(word, temp) \
     word = (word >> 16) | (word << 16); \
     temp = 0x00ff00ff; \
     word = ((word & temp) << 8) | ((word >> 8) & temp); 
 #endif
@@ -430,17 +430,17 @@ void
 DES_MakeSchedule( HALF * ks, const BYTE * key,   DESDirection direction)
 {
     register HALF left, right;
     register HALF c0, d0;
     register HALF temp;
     int           delta;
     unsigned int  ls;
 
-#if defined(_X86_)
+#if defined(NSS_X86_OR_X64)
     left  = HALFPTR(key)[0]; 
     right = HALFPTR(key)[1]; 
     BYTESWAP(left, temp);
     BYTESWAP(right, temp);
 #else
     if (((ptrdiff_t)key & 0x03) == 0) {
 	left  = HALFPTR(key)[0]; 
 	right = HALFPTR(key)[1]; 
@@ -581,17 +581,17 @@ DES_MakeSchedule( HALF * ks, const BYTE 
     left  ^= temp << 4; 
 
 void 
 DES_Do1Block(HALF * ks, const BYTE * inbuf, BYTE * outbuf)
 {
     register HALF left, right;
     register HALF temp;
 
-#if defined(_X86_)
+#if defined(NSS_X86_OR_X64)
     left  = HALFPTR(inbuf)[0]; 
     right = HALFPTR(inbuf)[1]; 
     BYTESWAP(left, temp);
     BYTESWAP(right, temp);
 #else
     if (((ptrdiff_t)inbuf & 0x03) == 0) {
 	left  = HALFPTR(inbuf)[0]; 
 	right = HALFPTR(inbuf)[1]; 
@@ -652,17 +652,17 @@ DES_Do1Block(HALF * ks, const BYTE * inb
     ** above.  switch left and right here. 
     */
     temp  = (left >> 3) | (left << 29); 
     left  = (right >> 3) | (right << 29); 
     right = temp;
 
     FP(left, right, temp);
 
-#if defined(_X86_)
+#if defined(NSS_X86_OR_X64)
     BYTESWAP(left, temp);
     BYTESWAP(right, temp);
     HALFPTR(outbuf)[0]  = left; 
     HALFPTR(outbuf)[1]  = right; 
 #else
     if (((ptrdiff_t)outbuf & 0x03) == 0) {
 #if defined(IS_LITTLE_ENDIAN)
 	BYTESWAP(left, temp);
--- a/security/nss/lib/freebl/desblapi.c
+++ b/security/nss/lib/freebl/desblapi.c
@@ -44,17 +44,17 @@
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
 #endif
 
 #include "des.h"
 #include <stddef.h>
 #include "secerr.h"
 
-#if defined(_X86_)
+#if defined(NSS_X86_OR_X64)
 /* Intel X86 CPUs do unaligned loads and stores without complaint. */
 #define COPY8B(to, from, ptr) \
     	HALFPTR(to)[0] = HALFPTR(from)[0]; \
     	HALFPTR(to)[1] = HALFPTR(from)[1]; 
 #elif defined(USE_MEMCPY)
 #define COPY8B(to, from, ptr) memcpy(to, from, 8)
 #else
 #define COPY8B(to, from, ptr) \
--- a/security/nss/lib/freebl/md5.c
+++ b/security/nss/lib/freebl/md5.c
@@ -470,17 +470,17 @@ MD5_Update(MD5Context *cx, const unsigne
 		/* Remaining input. */
 		inputLen -= bytesToConsume;
 		input += bytesToConsume;
 	}
 
 	/* Iterate over 64-byte chunks of the message. */
 	while (inputLen >= MD5_BUFFER_SIZE) {
 #ifdef IS_LITTLE_ENDIAN
-#ifdef _X86_
+#ifdef NSS_X86_OR_X64
 		/* x86 can handle arithmetic on non-word-aligned buffers */
 		wBuf = (PRUint32 *)input;
 #else
 		if ((ptrdiff_t)input & 0x3) {
 			/* buffer not aligned, copy it to force alignment */
 			memcpy(cx->inBuf, input, MD5_BUFFER_SIZE);
 			wBuf = cx->u.w;
 		} else {
--- a/security/nss/lib/freebl/nsslowhash.c
+++ b/security/nss/lib/freebl/nsslowhash.c
@@ -28,17 +28,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: nsslowhash.c,v 1.2 2008/11/27 15:20:44 wtc%google.com Exp $ */
+/* $Id: nsslowhash.c,v 1.3 2009/04/15 21:31:55 rrelyea%redhat.com Exp $ */
 
 #include "stubs.h"
 #include "prtypes.h"
 #include "secerr.h"
 #include "pkcs11t.h"
 #include "blapi.h"
 #include "sechash.h"
 #include "nsslowhash.h"
@@ -262,33 +262,54 @@ struct NSSLOWInitContextStr {
 };
 
 struct NSSLOWHASHContextStr {
     const SECHashObject *hashObj;
     void *hashCtxt;
    
 };
 
+static int nsslow_GetFIPSEnabled(void) {
+#ifdef LINUX
+    FILE *f;
+    char d;
+    size_t size;
+
+    f = fopen("/proc/sys/crypto/fips_enabled", "r");
+    if (!f)
+        return 1;
+
+    size = fread(&d, 1, 1, f);
+    fclose(f);
+    if (size != 1)
+        return 0;
+    if (d != '1')
+        return 0;
+#endif
+    return 1;
+}
+
+
 static int post = 0;
 
 static NSSLOWInitContext dummyContext = { 0 };
 
 NSSLOWInitContext *
 NSSLOW_Init(void)
 {
     SECStatus rv;
     CK_RV crv;
     PRBool nsprAvailable = PR_FALSE;
 
 
     rv = FREEBL_InitStubs();
     nsprAvailable = (rv ==  SECSuccess ) ? PR_TRUE : PR_FALSE;
 	
 
-    if (!post) {
+    if (!post && nsslow_GetFIPSEnabled()) {
 	crv = freebl_fipsPowerUpSelfTest();
 	if (crv != CKR_OK) {
 	    return NULL;
 	}
     }
     post = 1;
 
     
--- a/security/nss/lib/freebl/os2_rand.c
+++ b/security/nss/lib/freebl/os2_rand.c
@@ -364,10 +364,10 @@ static void rng_systemJitter(void)
     dwFileToRead++;
     if (dwFileToRead >= dwNumFiles) {
 	dwFileToRead = 0;
     }
 }
 
 size_t RNG_SystemRNG(void *dest, size_t maxLen)
 {
-    return rng_systemFromNoise(dest,maxlen);
+    return rng_systemFromNoise(dest,maxLen);
 }
--- a/security/nss/lib/freebl/rijndael.c
+++ b/security/nss/lib/freebl/rijndael.c
@@ -28,17 +28,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: rijndael.c,v 1.24 2008/12/04 18:16:31 rrelyea%redhat.com Exp $ */
+/* $Id: rijndael.c,v 1.25 2009/04/09 22:11:07 julien.pierre.boogz%sun.com Exp $ */
 
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
 #endif
 
 #include "prinit.h"
 #include "prerr.h"
 #include "secerr.h"
@@ -558,17 +558,17 @@ static SECStatus
 rijndael_encryptBlock128(AESContext *cx, 
                          unsigned char *output,
                          const unsigned char *input)
 {
     unsigned int r;
     PRUint32 *roundkeyw;
     rijndael_state state;
     PRUint32 C0, C1, C2, C3;
-#if defined(_X86_)
+#if defined(NSS_X86_OR_X64)
 #define pIn input
 #define pOut output
 #else
     unsigned char *pIn, *pOut;
     PRUint32 inBuf[4], outBuf[4];
 
     if ((ptrdiff_t)input & 0x3) {
 	memcpy(inBuf, input, sizeof inBuf);
@@ -634,17 +634,17 @@ rijndael_encryptBlock128(AESContext *cx,
           (BYTE1WORD(T3(STATE_BYTE(1))))   |
           (BYTE2WORD(T0(STATE_BYTE(6))))   |
           (BYTE3WORD(T1(STATE_BYTE(11)))))  ^
           *roundkeyw++;
     *((PRUint32 *) pOut     )  = C0;
     *((PRUint32 *)(pOut + 4))  = C1;
     *((PRUint32 *)(pOut + 8))  = C2;
     *((PRUint32 *)(pOut + 12)) = C3;
-#if defined(_X86_)
+#if defined(NSS_X86_OR_X64)
 #undef pIn
 #undef pOut
 #else
     if ((ptrdiff_t)output & 0x3) {
 	memcpy(output, outBuf, sizeof outBuf);
     }
 #endif
     return SECSuccess;
@@ -654,17 +654,17 @@ static SECStatus
 rijndael_decryptBlock128(AESContext *cx, 
                          unsigned char *output,
                          const unsigned char *input)
 {
     int r;
     PRUint32 *roundkeyw;
     rijndael_state state;
     PRUint32 C0, C1, C2, C3;
-#if defined(_X86_)
+#if defined(NSS_X86_OR_X64)
 #define pIn input
 #define pOut output
 #else
     unsigned char *pIn, *pOut;
     PRUint32 inBuf[4], outBuf[4];
 
     if ((ptrdiff_t)input & 0x3) {
 	memcpy(inBuf, input, sizeof inBuf);
@@ -726,17 +726,17 @@ rijndael_decryptBlock128(AESContext *cx,
     pOut[13] = SINV(STATE_BYTE( 9));
     pOut[14] = SINV(STATE_BYTE( 6));
     pOut[15] = SINV(STATE_BYTE( 3));
     /* final key addition */
     *((PRUint32 *)(pOut + 12)) ^= *roundkeyw--;
     *((PRUint32 *)(pOut +  8)) ^= *roundkeyw--;
     *((PRUint32 *)(pOut +  4)) ^= *roundkeyw--;
     *((PRUint32 *) pOut      ) ^= *roundkeyw--;
-#if defined(_X86_)
+#if defined(NSS_X86_OR_X64)
 #undef pIn
 #undef pOut
 #else
     if ((ptrdiff_t)output & 0x3) {
 	memcpy(output, outBuf, sizeof outBuf);
     }
 #endif
     return SECSuccess;
--- a/security/nss/lib/freebl/sha512.c
+++ b/security/nss/lib/freebl/sha512.c
@@ -31,24 +31,24 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sha512.c,v 1.13 2008/11/19 21:10:52 nelson%bolyard.com Exp $ */
+/* $Id: sha512.c,v 1.14 2009/04/09 22:11:07 julien.pierre.boogz%sun.com Exp $ */
 
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
 #endif
 
 #include "prcpucfg.h"
-#if (defined(_X86_) && !defined(__x86_64__)) || defined(SHA_NO_LONG_LONG)
+#if defined(NSS_X86) || defined(SHA_NO_LONG_LONG)
 #define NOUNROLL512 1
 #undef HAVE_LONG_LONG
 #endif
 #include "prtypes.h"	/* for PRUintXX */
 #include "secport.h"	/* for PORT_XXX */
 #include "blapi.h"
 #include "sha256.h"	/* for struct SHA256ContextStr */
 
@@ -98,17 +98,17 @@ static const PRUint32 H256[8] = {
     0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
 };
 
 #if (_MSC_VER >= 1300)
 #include <stdlib.h>
 #pragma intrinsic(_byteswap_ulong)
 #define SHA_HTONL(x) _byteswap_ulong(x)
 #define BYTESWAP4(x)  x = SHA_HTONL(x)
-#elif defined(_MSC_VER) && defined(_X86_)
+#elif defined(_MSC_VER) && defined(NSS_X86_OR_X64)
 #ifndef FORCEINLINE
 #if (_MSC_VER >= 1200)
 #define FORCEINLINE __forceinline
 #else
 #define FORCEINLINE __inline
 #endif
 #endif
 #define FASTCALL __fastcall
@@ -120,17 +120,17 @@ swap4b(PRUint32 dwd)
     	mov   eax,dwd
 	bswap eax
     }
 }
 
 #define SHA_HTONL(x) swap4b(x)
 #define BYTESWAP4(x)  x = SHA_HTONL(x)
 
-#elif defined(__GNUC__) && defined(_X86_)
+#elif defined(__GNUC__) && defined(NSS_X86_OR_X64)
 static __inline__ PRUint32 swap4b(PRUint32 value)
 {
     __asm__("bswap %0" : "+r" (value));
     return (value);
 }
 #define SHA_HTONL(x) swap4b(x)
 #define BYTESWAP4(x)  x = SHA_HTONL(x)
 
--- a/security/nss/lib/freebl/sha_fast.h
+++ b/security/nss/lib/freebl/sha_fast.h
@@ -58,17 +58,17 @@ struct SHA1ContextStr {
 };
 
 #if defined(_MSC_VER)
 #include <stdlib.h>
 #if defined(IS_LITTLE_ENDIAN) 
 #if (_MSC_VER >= 1300)
 #pragma intrinsic(_byteswap_ulong)
 #define SHA_HTONL(x) _byteswap_ulong(x)
-#elif defined(_X86_)
+#elif defined(NSS_X86_OR_X64)
 #ifndef FORCEINLINE
 #if (_MSC_VER >= 1200)
 #define FORCEINLINE __forceinline
 #else
 #define FORCEINLINE __inline
 #endif /* _MSC_VER */
 #endif /* !defined FORCEINLINE */
 #define FASTCALL __fastcall
@@ -78,17 +78,17 @@ swap4b(PRUint32 dwd)
 {
     __asm {
     	mov   eax,dwd
 	bswap eax
     }
 }
 
 #define SHA_HTONL(x) swap4b(x)
-#endif /* _X86_ */
+#endif /* NSS_X86_OR_X64 */
 #endif /* IS_LITTLE_ENDIAN */
 
 #pragma intrinsic (_lrotr, _lrotl) 
 #define SHA_ROTL(x,n) _lrotl(x,n)
 #define SHA_ROTL_IS_DEFINED 1
 #endif /* _MSC_VER */
 
 #if defined(__GNUC__) 
@@ -103,33 +103,33 @@ static __inline__ PRUint64 SHA_ROTL(PRUi
 #else 
 static __inline__ PRUint32 SHA_ROTL(PRUint32 t, PRUint32 n)
 {
     return ((t << n) | (t >> (32 - n)));
 }
 #endif
 #define SHA_ROTL_IS_DEFINED 1
 
-#if defined(_X86_) || defined(__x86_64__) || defined(__x86_64) 
+#if defined(NSS_X86_OR_X64)
 static __inline__ PRUint32 swap4b(PRUint32 value)
 {
     __asm__("bswap %0" : "+r" (value));
     return (value);
 }
 #define SHA_HTONL(x) swap4b(x)
 #endif /* x86 family */
 
 #endif /* __GNUC__ */
 
 #if !defined(SHA_ROTL_IS_DEFINED)
 #define SHA_NEED_TMP_VARIABLE 1
 #define SHA_ROTL(X,n) (tmp = (X), ((tmp) << (n)) | ((tmp) >> (32-(n))))
 #endif
 
-#if defined(_X86_) || defined(__x86_64__) || defined(__x86_64) 
+#if defined(NSS_X86_OR_X64)
 #define SHA_ALLOW_UNALIGNED_ACCESS 1
 #endif
 
 #if !defined(SHA_HTONL)
 #define SHA_MASK      0x00FF00FF
 #if defined(IS_LITTLE_ENDIAN)
 #undef  SHA_NEED_TMP_VARIABLE 
 #define SHA_NEED_TMP_VARIABLE 1
--- a/security/nss/lib/libpkix/include/pkix_certsel.h
+++ b/security/nss/lib/libpkix/include/pkix_certsel.h
@@ -113,47 +113,43 @@ extern "C" {
  *
  */
 
 /*
  * FUNCTION: PKIX_CertSelector_MatchCallback
  * DESCRIPTION:
  *
  *  This callback function determines whether the specified Cert pointed to by
- *  "cert" matches the criteria of the CertSelector pointed to by "selector",
- *  and stores the result at "pResult". If the Cert matches the CertSelector's
- *  criteria, a value of PKIX_TRUE will be stored at "pResult"; otherwise a
- *  value of PKIX_FALSE will be stored.
+ *  "cert" matches the criteria of the CertSelector pointed to by "selector".
+ *  If the Cert does not matches the CertSelector's criteria, an exception will
+ *  be thrown.
  *
  * PARAMETERS:
  *  "selector"
  *      Address of CertSelector whose MatchCallback logic and parameters are
  *      to be used. Must be non-NULL.
  *  "cert"
  *      Address of Cert that is to be matched using "selector".
  *      Must be non-NULL.
- *  "pResult"
- *      Address where Boolean value will be stored. Must be non-NULL.
  *  "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Thread Safe
  *
  *  Multiple threads must be able to safely call this function without
  *  worrying about conflicts, even if they're operating on the same object.
  * RETURNS:
  *  Returns NULL if the function succeeds.
  *  Returns a CertSelector Error if the function fails in a non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 typedef PKIX_Error *
 (*PKIX_CertSelector_MatchCallback)(
         PKIX_CertSelector *selector,
         PKIX_PL_Cert *cert,
-        PKIX_Boolean *pResult,
         void *plContext);
 
 /*
  * FUNCTION: PKIX_CertSelector_Create
  * DESCRIPTION:
  *
  *  Creates a new CertSelector using the Object pointed to by
  *  "certSelectorContext" (if any) and stores it at "pSelector". As noted
@@ -1791,13 +1787,73 @@ PKIX_ComCertSelParams_GetMatchAllSubjAlt
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 PKIX_Error *
 PKIX_ComCertSelParams_SetMatchAllSubjAltNames(
         PKIX_ComCertSelParams *params,
         PKIX_Boolean match,
         void *plContext);
 
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetLeafCertFlag
+ * DESCRIPTION:
+ *
+ * Return "leafCert" flag of the ComCertSelParams structure. If set to true,
+ * the flag indicates that a selector should filter out all cert that are not
+ * qualified to be a leaf cert according to the specified key/ekey usages.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object used to determine whether all
+ *      subject alternative names must be matched. Must be non-NULL.
+ *  "pLeafFlag"
+ *      Address of returned value.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error*
+PKIX_ComCertSelParams_GetLeafCertFlag(
+        PKIX_ComCertSelParams *params,
+        PKIX_Boolean *pLeafFlag,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetLeafCertFlag
+ * DESCRIPTION:
+ *
+ * Sets a flag that if its value is true, indicates that the selector
+ * should only pick certs that qualifies to be leaf for this cert path
+ * validation.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose match flag is to be set.
+ *      Must be non-NULL.
+ *  "leafFlag"
+ *      Boolean value used to set the leaf flag.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetLeafCertFlag(
+        PKIX_ComCertSelParams *params,
+        PKIX_Boolean leafFlag,
+        void *plContext);
+
 #ifdef __cplusplus
 }
 #endif
 
 #endif /* _PKIX_CERTSEL_H */
--- a/security/nss/lib/libpkix/include/pkix_certstore.h
+++ b/security/nss/lib/libpkix/include/pkix_certstore.h
@@ -136,16 +136,18 @@ extern "C" {
  *
  * PARAMETERS:
  *  "store"
  *      Address of CertStore from which Certs are to be retrieved.
  *      Must be non-NULL.
  *  "selector"
  *      Address of CertSelector whose criteria must be satisfied.
  *      Must be non-NULL.
+ *  "verifyNode"
+ *      Parent log node for tracking of filtered out certs.
  *  "pNBIOContext"
  *      Address at which platform-dependent information is stored if the
  *      operation is suspended for non-blocking I/O. Must be non-NULL.
  *  "pCerts"
  *      Address where object pointer will be stored. Must be non-NULL.
  *  "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
@@ -157,16 +159,17 @@ extern "C" {
  *  Returns NULL if the function succeeds.
  *  Returns a CertStore Error if the function fails in a non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 typedef PKIX_Error *
 (*PKIX_CertStore_CertCallback)(
         PKIX_CertStore *store,
         PKIX_CertSelector *selector,
+        PKIX_VerifyNode *verifyNode,
         void **pNBIOContext,
         PKIX_List **pCerts,  /* list of PKIX_PL_Cert */
         void *plContext);
 
 /*
  * FUNCTION: PKIX_CertStore_CertContinue
  * DESCRIPTION:
  *
@@ -189,16 +192,18 @@ typedef PKIX_Error *
  *
  * PARAMETERS:
  *  "store"
  *      Address of CertStore from which Certs are to be retrieved.
  *      Must be non-NULL.
  *  "selector"
  *      Address of CertSelector whose criteria must be satisfied.
  *      Must be non-NULL.
+ *  "verifyNode"
+ *      Parent log node for tracking of filtered out certs.
  *  "pNBIOContext"
  *      Address at which platform-dependent information is stored if the
  *      operation is suspended for non-blocking I/O. Must be non-NULL.
  *  "pCerts"
  *      Address where object pointer will be stored. Must be non-NULL.
  *  "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
@@ -210,24 +215,26 @@ typedef PKIX_Error *
  *  Returns NULL if the function succeeds.
  *  Returns a CertStore Error if the function fails in a non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 PKIX_Error *
 PKIX_CertStore_CertContinue(
         PKIX_CertStore *store,
         PKIX_CertSelector *selector,
+        PKIX_VerifyNode *verifyNode,
         void **pNBIOContext,
         PKIX_List **pCerts,  /* list of PKIX_PL_Cert */
         void *plContext);
 
 typedef PKIX_Error *
 (*PKIX_CertStore_CertContinueFunction)(
         PKIX_CertStore *store,
         PKIX_CertSelector *selector,
+        PKIX_VerifyNode *verifyNode,
         void **pNBIOContext,
         PKIX_List **pCerts,  /* list of PKIX_PL_Cert */
         void *plContext);
 
 /*
  * FUNCTION: PKIX_CertStore_CRLCallback
  * DESCRIPTION:
  *
--- a/security/nss/lib/libpkix/include/pkix_errorstrings.h
+++ b/security/nss/lib/libpkix/include/pkix_errorstrings.h
@@ -223,19 +223,24 @@ PKIX_ERRORENTRY(CERTSELECTORFAILED,certS
 PKIX_ERRORENTRY(CERTSELECTORGETCOMCERTSELPARAMSFAILED,PKIX_CertSelector_GetComCertSelParams failed,0),
 PKIX_ERRORENTRY(CERTSELECTORGETCOMMONCERTSELECTORPARAMFAILED,PKIX_CertSelector_GetCommonCertSelectorParam failed,0),
 PKIX_ERRORENTRY(CERTSELECTORGETCOMMONCERTSELECTORPARAMSFAILED,PKIX_CertSelector_GetCommonCertSelectorParams failed,0),
 PKIX_ERRORENTRY(CERTSELECTORGETMATCHCALLBACKFAILED,PKIX_CertSelector_GetMatchCallback failed,0),
 PKIX_ERRORENTRY(CERTSELECTORMATCHAUTHKEYIDFAILED,pkix_CertSelector_Match_AuthKeyId failed,0),
 PKIX_ERRORENTRY(CERTSELECTORMATCHBASICCONSTRAINTFAILED,pkix_CertSelector_Match_BasicConstraint failed,0),
 PKIX_ERRORENTRY(CERTSELECTORMATCHCALLBACKFAILED,PKIX_CertSelector_MatchCallback failed,0),
 PKIX_ERRORENTRY(CERTSELECTORMATCHCERTIFICATEVALIDFAILED,pkix_CertSelector_Match_CertificateValid failed,0),
-PKIX_ERRORENTRY(CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED,pkix_CertSelector_Match_ExtendedKeyUsage failed,0),
+PKIX_ERRORENTRY(CERTSELECTORMATCHCERTISSUERFAILED,cert does not match issuer name,0),
+PKIX_ERRORENTRY(CERTSELECTORMATCHCERTOBJECTFAILED,cert does not match cert object,0),
+PKIX_ERRORENTRY(CERTSELECTORMATCHCERTSERIALNUMFAILED,cert does not match serial number,0),
+PKIX_ERRORENTRY(CERTSELECTORMATCHCERTSUBJECTFAILED,cert does not match subject name,0),
+PKIX_ERRORENTRY(CERTSELECTORMATCHCERTVERSIONFAILED,cert does not match cert version,0),
+PKIX_ERRORENTRY(CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED,pkix_CertSelector_Match_ExtendedKeyUsage failed,SEC_ERROR_INADEQUATE_CERT_TYPE),
 PKIX_ERRORENTRY(CERTSELECTORMATCHFAILED,certSelectorMatch failed,0),
-PKIX_ERRORENTRY(CERTSELECTORMATCHKEYUSAGEFAILED,pkix_CertSelector_Match_KeyUsage failed,0),
+PKIX_ERRORENTRY(CERTSELECTORMATCHKEYUSAGEFAILED,pkix_CertSelector_Match_KeyUsage failed,SEC_ERROR_INADEQUATE_KEY_USAGE),
 PKIX_ERRORENTRY(CERTSELECTORMATCHNAMECONSTRAINTSFAILED,pkix_CertSelector_Match_NameConstraints failed,0),
 PKIX_ERRORENTRY(CERTSELECTORMATCHPATHTONAMESFAILED,pkix_CertSelector_Match_PathToNames failed,0),
 PKIX_ERRORENTRY(CERTSELECTORMATCHPOLICIESFAILED,pkix_CertSelector_Match_Policies failed,0),
 PKIX_ERRORENTRY(CERTSELECTORMATCHSUBJALTNAMESFAILED,pkix_CertSelector_Match_SubjAltNames failed,0),
 PKIX_ERRORENTRY(CERTSELECTORMATCHSUBJKEYIDFAILED,pkix_CertSelector_Match_SubjKeyId failed,0),
 PKIX_ERRORENTRY(CERTSELECTORMATCHSUBJPKALGIDFAILED,pkix_CertSelector_Match_SubjPKAlgId failed,0),
 PKIX_ERRORENTRY(CERTSELECTORMATCHSUBJPUBKEYFAILED,pkix_CertSelector_Match_SubjPubKey failed,0),
 PKIX_ERRORENTRY(CERTSELECTORSELECTFAILED,pkix_CertSelector_Select failed,0),
@@ -278,32 +283,34 @@ PKIX_ERRORENTRY(COLLECTIONCERTSTORECONTE
 PKIX_ERRORENTRY(COMCERTSELPARAMSCREATEFAILED,PKIX_ComCertSelParams_Create failed,0),
 PKIX_ERRORENTRY(COMCERTSELPARAMSGETAUTHORITYKEYIDENTIFIERFAILED,PKIX_ComCertSelParams_GetAuthorityKeyIdentifier failed,0),
 PKIX_ERRORENTRY(COMCERTSELPARAMSGETBASICCONSTRAINTSFAILED,PKIX_ComCertSelParams_GetBasicConstraints failed,0),
 PKIX_ERRORENTRY(COMCERTSELPARAMSGETCERTIFICATEFAILED,PKIX_ComCertSelParams_GetCertificate failed,0),
 PKIX_ERRORENTRY(COMCERTSELPARAMSGETCERTIFICATEVALIDFAILED,PKIX_ComCertSelParams_GetCertificateValid failed,0),
 PKIX_ERRORENTRY(COMCERTSELPARAMSGETEXTENDEDKEYUSAGEFAILED,PKIX_ComCertSelParams_GetExtendedKeyUsage failed,0),
 PKIX_ERRORENTRY(COMCERTSELPARAMSGETISSUERFAILED,PKIX_ComCertSelParams_GetIssuer failed,0),
 PKIX_ERRORENTRY(COMCERTSELPARAMSGETKEYUSAGEFAILED,PKIX_ComCertSelParams_GetKeyUsage failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSGETLEAFCERTFLAGFAILED,PKIX_ComCertSelParams_GetLeafCertFlag failed,0),
 PKIX_ERRORENTRY(COMCERTSELPARAMSGETMATCHALLSUBJALTNAMESFAILED,PKIX_ComCertSelParams_GetMatchAllSubjAltNames failed,0),
 PKIX_ERRORENTRY(COMCERTSELPARAMSGETNAMECONSTRAINTSFAILED,PKIX_ComCertSelParams_GetNameConstraints failed,0),
 PKIX_ERRORENTRY(COMCERTSELPARAMSGETPATHTONAMESFAILED,PKIX_ComCertSelParams_GetPathToNames failed,0),
 PKIX_ERRORENTRY(COMCERTSELPARAMSGETPOLICYFAILED,PKIX_ComCertSelParams_GetPolicy failed,0),
 PKIX_ERRORENTRY(COMCERTSELPARAMSGETSERIALNUMBERFAILED,PKIX_ComCertSelParams_GetSerialNumber failed,0),
 PKIX_ERRORENTRY(COMCERTSELPARAMSGETSUBJALTNAMESFAILED,PKIX_ComCertSelParams_GetSubjAltNames failed,0),
 PKIX_ERRORENTRY(COMCERTSELPARAMSGETSUBJECTFAILED,PKIX_ComCertSelParams_GetSubject failed,0),
 PKIX_ERRORENTRY(COMCERTSELPARAMSGETSUBJKEYIDENTIFIERFAILED,PKIX_ComCertSelParams_GetSubjKeyIdentifier failed,0),
 PKIX_ERRORENTRY(COMCERTSELPARAMSGETSUBJPKALGIDFAILED,PKIX_ComCertSelParams_GetSubjPKAlgId failed,0),
 PKIX_ERRORENTRY(COMCERTSELPARAMSGETSUBJPUBKEYFAILED,PKIX_ComCertSelParams_GetSubjPubKey failed,0),
 PKIX_ERRORENTRY(COMCERTSELPARAMSGETVERSIONFAILED,PKIX_ComCertSelParams_GetVersion failed,0),
 PKIX_ERRORENTRY(COMCERTSELPARAMSSETBASICCONSTRAINTSFAILED,PKIX_ComCertSelParams_SetBasicConstraints failed,0),
 PKIX_ERRORENTRY(COMCERTSELPARAMSSETCERTIFICATEFAILED,PKIX_ComCertSelParams_SetCertificate failed,0),
 PKIX_ERRORENTRY(COMCERTSELPARAMSSETCERTIFICATEVALIDFAILED,PKIX_ComCertSelParams_SetCertificateValid failed,0),
 PKIX_ERRORENTRY(COMCERTSELPARAMSSETEXTKEYUSAGEFAILED,PKIX_ComCertSelParams_SetExtendedKeyUsage failed,0),
 PKIX_ERRORENTRY(COMCERTSELPARAMSSETKEYUSAGEFAILED,PKIX_ComCertSelParams_SetKeyUsage failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSSETLEAFCERTFLAGFAILED,PKIX_ComCertSelParams_SetLeafCertFlag failed,0),
 PKIX_ERRORENTRY(COMCERTSELPARAMSSETNISTPOLICYENABLEDFAILED,PKIX_ComCertSelParams_SetNISTPolicyEnabled failed,0),
 PKIX_ERRORENTRY(COMCERTSELPARAMSSETPATHTONAMESFAILED,PKIX_ComCertSelParams_SetPathToNames failed,0),
 PKIX_ERRORENTRY(COMCERTSELPARAMSSETSUBJECTFAILED,PKIX_ComCertSelParams_SetSubject failed,0),
 PKIX_ERRORENTRY(COMCRLSELPARAMSADDISSUERNAMEFAILED,PKIX_ComCRLSelParams_AddIssuerName failed,0),
 PKIX_ERRORENTRY(COMCRLSELPARAMSCREATEFAILED,PKIX_ComCRLSelParams_Create failed,0),
 PKIX_ERRORENTRY(COMCRLSELPARAMSEQUALSFAILED,pkix_ComCRLSelParams_Equals failed,0),
 PKIX_ERRORENTRY(COMCRLSELPARAMSGETDATEANDTIMEFAILED,PKIX_ComCRLSelParams_GetDateAndTime failed,0),
 PKIX_ERRORENTRY(COMCRLSELPARAMSGETISSUERNAMESFAILED,PKIX_ComCRLSelParams_GetIssuerNames failed,0),
@@ -922,16 +929,17 @@ PKIX_ERRORENTRY(PROCESSINGPARAMSSETCERTS
 PKIX_ERRORENTRY(PROCESSINGPARAMSSETDATEFAILED,PKIX_ProcessingParams_SetDate failed,0),
 PKIX_ERRORENTRY(PROCESSINGPARAMSSETEXPLICITPOLICYREQUIRED,PKIX_ProcessingParams_SetExplicitPolicyRequired failed,0),
 PKIX_ERRORENTRY(PROCESSINGPARAMSSETHINTCERTSFAILED,PKIX_ProcessingParams_SetHintCerts failed,0),
 PKIX_ERRORENTRY(PROCESSINGPARAMSSETINITIALPOLICIESFAILED,PKIX_ProcessingParams_SetInitialPolicies failed,0),
 PKIX_ERRORENTRY(PROCESSINGPARAMSSETNISTREVOCATIONENABLEDFAILED,PKIX_ProcessingParams_SetNISTRevocationEnabled failed,0),
 PKIX_ERRORENTRY(PROCESSINGPARAMSSETPOLICYMAPPINGINHIBITED,PKIX_ProcessingParams_SetPolicyMappingInhibited failed,0),
 PKIX_ERRORENTRY(PROCESSINGPARAMSSETREVOCATIONCHECKERFAILED,PKIX_ProcessingParams_SetRevocationChecker failed,0),
 PKIX_ERRORENTRY(PROCESSINGPARAMSSETTARGETCERTCONSTRAINTSFAILED,PKIX_ProcessingParams_SetTargetCertConstraints failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSSETQUALIFYTARGETCERTFLAGFAILED,ProcessingParams_SetQualifyTargetCertFlag failed,0),
 PKIX_ERRORENTRY(PRPOLLFAILED,PR_Poll failed,0),
 PKIX_ERRORENTRY(PRPOLLRETBADFILENUM,PR_Poll failed,0),
 PKIX_ERRORENTRY(PRRECVFAILED,PR_Recv failed,0),
 PKIX_ERRORENTRY(PRRECVREPORTSNETWORKCONNECTIONCLOSED,PR_Recv reports network connection is closed,0),
 PKIX_ERRORENTRY(PRSENDFAILED,PR_Send failed,0),
 PKIX_ERRORENTRY(PRSHUTDOWNFAILED,PR_Shutdown failed,0),
 PKIX_ERRORENTRY(PRSMPRINTFFAILED,PR_smprintf failed,0),
 PKIX_ERRORENTRY(PRSNPRINTFFAILED,PR_snprintf failed,0),
@@ -1047,16 +1055,17 @@ PKIX_ERRORENTRY(UNDEFINEDCALLBACK,Undefi
 PKIX_ERRORENTRY(UNDEFINEDCLASSTABLEENTRY,Undefined class table entry,0),
 PKIX_ERRORENTRY(UNDEFINEDCOMPARATOR,Undefined Comparator,0),
 PKIX_ERRORENTRY(UNDEFINEDDUPLICATEFUNCTION,Undefined Duplicate function,0),
 PKIX_ERRORENTRY(UNDEFINEDEQUALSCALLBACK,Undefined equals callback,0),
 PKIX_ERRORENTRY(UNEXPECTEDERRORINESTABLISHINGCONNECTION,Unexpected error in establishing connection,0),
 PKIX_ERRORENTRY(UNEXPECTEDRESULTCODEINRESPONSE,Unexpected result code in Response,SEC_ERROR_BAD_LDAP_RESPONSE),
 PKIX_ERRORENTRY(UNKNOWNFORMAT,Unknown format,SEC_ERROR_INVALID_ARGS),
 PKIX_ERRORENTRY(UNKNOWNINFOACCESSTYPE,Unknown InfoAccess type,SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE),
+PKIX_ERRORENTRY(UNKNOWNINFOACCESSMETHOD,Unknown InfoAccess method,SEC_ERROR_BAD_INFO_ACCESS_METHOD),
 PKIX_ERRORENTRY(UNKNOWNOBJECTOID,Unknown object OID,0),
 PKIX_ERRORENTRY(UNKNOWNOBJECTTYPE,Unknown object type,0),
 PKIX_ERRORENTRY(UNKNOWNTYPEARGUMENT,Unknown type argument,0),
 PKIX_ERRORENTRY(UNLOCKOBJECTFAILED,pkix_UnlockObject failed,0),
 PKIX_ERRORENTRY(UNRECOGNIZEDCRITICALEXTENSION,Unrecognized Critical Extension,SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION),
 PKIX_ERRORENTRY(UNRECOGNIZEDCRLENTRYCRITICALEXTENSION,Unrecognized CRLEntry Critical Extension,SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION),
 PKIX_ERRORENTRY(UNRECOGNIZEDPROTOCOLREQUESTED,Unrecognized protocol requested,0),
 PKIX_ERRORENTRY(UNRECOGNIZEDREQUESTMETHOD,Unrecognized request method,0),
--- a/security/nss/lib/libpkix/include/pkix_params.h
+++ b/security/nss/lib/libpkix/include/pkix_params.h
@@ -748,16 +748,47 @@ PKIX_ProcessingParams_GetUseAIAForCertFe
  */
 PKIX_Error *
 PKIX_ProcessingParams_SetUseAIAForCertFetching(
         PKIX_ProcessingParams *params,
         PKIX_Boolean useAIA,  
         void *plContext);
 
 /*
+ * FUNCTION: PKIX_ProcessingParams_SetQualifyTargetCert
+ * DESCRIPTION:
+ *
+ * Sets a boolean value that tells if libpkix needs to check that
+ * the target certificate satisfies the conditions set in processing
+ * parameters. Includes but not limited to date, ku and eku checks.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams whose List of TrustAnchors are to
+ *      be stored. Must be non-NULL.
+ *  "qualifyTargetCert"
+ *      boolean value if set to true will trigger qualification of the
+ *      target certificate.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetQualifyTargetCert(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean qualifyTargetCert,
+        void *plContext);
+
+/*
  * FUNCTION: PKIX_ProcessingParams_GetHintCerts
  * DESCRIPTION:
  *
  *  Retrieves a pointer to a List of Certs supplied by the user as a suggested
  *  partial CertChain (subject to verification), that are set in the
  *  ProcessingParams pointed to by "params", and stores it at "pHintCerts".
  *  The List returned may be empty or NULL.
  *
--- a/security/nss/lib/libpkix/include/pkix_pl_system.h
+++ b/security/nss/lib/libpkix/include/pkix_pl_system.h
@@ -1457,44 +1457,61 @@ PKIX_PL_ByteArray_GetLength(
         PKIX_PL_ByteArray *byteArray,
         PKIX_UInt32 *pLength,
         void *plContext);
 
 /*
  * FUNCTION: PKIX_PL_OID_Create
  * DESCRIPTION:
  *
- *  Creates a new OID using the string pointed to by "stringRep" and stores it
- *  at "pOID". The string representation is a null-terminated char * consisting
- *  of decimal components separated by dots. All other characters are illegal.
- *  The first field must be be 0, 1 or 2. If the first field is 0 or 1, the
- *  second field must be between 0 and 39. All fields must be ASCII decimal
- *  digits less than or equal to 2^32. Once created, an OID is immutable.
- *
- *  The regexp format is as follows:
- *   OID := [0,1,2](.NUM)+
- *   NUM := [0-9]+
+ *  Creates a new OID using NSS oid tag.
  *
  * PARAMETERS:
- *  "stringRep"
- *      Address of character data representing an OID. Must be non-NULL.
+ *  "idtag"
+ *      nss oid id tag.
  *  "pOID"
  *      Address where object pointer will be stored. Must be non-NULL.
  *  "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds.
  *  Returns an OID Error if the function fails in a non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 PKIX_Error *
 PKIX_PL_OID_Create(
-        char *stringRep,
+        SECOidTag idtag,
+        PKIX_PL_OID **pOID,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_OID_CreateBySECItem
+ * DESCRIPTION:
+ *
+ *  Creates a new OID using a DER encoded OID stored as SECItem.
+ *
+ * PARAMETERS:
+ *  "derOid"
+ *      Address of SECItem that holds DER encoded OID.
+ *  "pOID"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an OID Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_OID_CreateBySECItem(
+        SECItem *derOid,
         PKIX_PL_OID **pOID,
         void *plContext);
 
 /*
  * FUNCTION: PKIX_PL_BigInt_Create
  * DESCRIPTION:
  *
  *  Creates a new BigInt using the source String pointed to by "stringRep" and
--- a/security/nss/lib/libpkix/include/pkixt.h
+++ b/security/nss/lib/libpkix/include/pkixt.h
@@ -468,28 +468,36 @@ PKIX_Error* PKIX_ALLOC_ERROR(void);
  * chain following this certificate. If the pathLen has the value
  * of this constant, then the length of the chain is unlimited
  */
 #define PKIX_UNLIMITED_PATH_CONSTRAINT ((PKIX_Int32) -1)
 
 /*
  * Define Certificate Extension hard-coded OID's
  */
-#define PKIX_CERTKEYUSAGE_OID                  "2.5.29.15"
-#define PKIX_CERTSUBJALTNAME_OID               "2.5.29.17"
-#define PKIX_BASICCONSTRAINTS_OID              "2.5.29.19"
-#define PKIX_CRLREASONCODE_OID                 "2.5.29.21"
-#define PKIX_NAMECONSTRAINTS_OID               "2.5.29.30"
-#define PKIX_CERTIFICATEPOLICIES_OID           "2.5.29.32"
-#define PKIX_CERTIFICATEPOLICIES_ANYPOLICY_OID "2.5.29.32.0"
-#define PKIX_POLICYMAPPINGS_OID                "2.5.29.33"
-#define PKIX_POLICYCONSTRAINTS_OID             "2.5.29.36"
-#define PKIX_EXTENDEDKEYUSAGE_OID              "2.5.29.37"
-#define PKIX_INHIBITANYPOLICY_OID              "2.5.29.54"
-#define PKIX_NSCERTTYPE_OID "2.16.840.1.113730.1.1"
+#define PKIX_UNKNOWN_OID                       SEC_OID_UNKNOWN
+#define PKIX_CERTKEYUSAGE_OID                  SEC_OID_X509_KEY_USAGE
+#define PKIX_CERTSUBJALTNAME_OID               SEC_OID_X509_SUBJECT_ALT_NAME
+#define PKIX_BASICCONSTRAINTS_OID              SEC_OID_X509_BASIC_CONSTRAINTS
+#define PKIX_CRLREASONCODE_OID                 SEC_OID_X509_REASON_CODE
+#define PKIX_NAMECONSTRAINTS_OID               SEC_OID_X509_NAME_CONSTRAINTS
+#define PKIX_CERTIFICATEPOLICIES_OID           SEC_OID_X509_CERTIFICATE_POLICIES
+#define PKIX_CERTIFICATEPOLICIES_ANYPOLICY_OID SEC_OID_X509_ANY_POLICY
+#define PKIX_POLICYMAPPINGS_OID                SEC_OID_X509_POLICY_MAPPINGS
+#define PKIX_POLICYCONSTRAINTS_OID             SEC_OID_X509_POLICY_CONSTRAINTS
+#define PKIX_EXTENDEDKEYUSAGE_OID              SEC_OID_X509_EXT_KEY_USAGE
+#define PKIX_INHIBITANYPOLICY_OID              SEC_OID_X509_INHIBIT_ANY_POLICY 
+#define PKIX_NSCERTTYPE_OID                    SEC_OID_NS_CERT_EXT_CERT_TYPE
+#define PKIX_KEY_USAGE_SERVER_AUTH_OID         SEC_OID_EXT_KEY_USAGE_SERVER_AUTH
+#define PKIX_KEY_USAGE_CLIENT_AUTH_OID         SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH
+#define PKIX_KEY_USAGE_CODE_SIGN_OID           SEC_OID_EXT_KEY_USAGE_CODE_SIGN
+#define PKIX_KEY_USAGE_EMAIL_PROTECT_OID       SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT
+#define PKIX_KEY_USAGE_TIME_STAMP_OID          SEC_OID_EXT_KEY_USAGE_TIME_STAMP
+#define PKIX_KEY_USAGE_OCSP_RESPONDER_OID      SEC_OID_OCSP_RESPONDER
+
 
 /* Available revocation method types. */
 typedef enum PKIX_RevocationMethodTypeEnum {
     PKIX_RevocationMethod_CRL = 0,
     PKIX_RevocationMethod_OCSP,
     PKIX_RevocationMethod_MAX,
 } PKIX_RevocationMethodType;
 
--- a/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c
+++ b/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c
@@ -291,18 +291,17 @@ pkix_CertSelector_Match_Policies(
             PKIX_CHECK(PKIX_PL_Cert_GetPolicyInformation
                 (cert, &certPolicyInfos, plContext),
                 PKIX_CERTGETPOLICYINFORMATIONFAILED);
 
             /* No hope of a match if cert has no policies */
             if (!certPolicyInfos) {
                 PKIX_CERTSELECTOR_DEBUG("Certificate has no policies\n");
                 *pResult = PKIX_FALSE;
-                goto cleanup;
-
+                PKIX_ERROR(PKIX_CERTSELECTORMATCHPOLICIESFAILED);
             }
 
             PKIX_CHECK(PKIX_List_GetLength
                 (constraintPolicies, &numConstraintPolicies, plContext),
                 PKIX_LISTGETLENGTHFAILED);
 
             if (numConstraintPolicies > 0) {
 
@@ -329,20 +328,18 @@ pkix_CertSelector_Match_Policies(
                                 (PKIX_PL_Object *)polOID,
                                 &result,
                                 plContext),
                                 PKIX_LISTCONTAINSFAILED);
                         PKIX_DECREF(policyInfo);
                         PKIX_DECREF(polOID);
                 }
                 if (!result) {
-                        PKIX_CERTSELECTOR_DEBUG
-                                ("Certificate has no acceptable policies\n");
-                        *pResult = PKIX_FALSE;
-                        goto cleanup;
+                    *pResult = PKIX_FALSE;
+                    PKIX_ERROR(PKIX_CERTSELECTORMATCHPOLICIESFAILED);
                 }
             }
         }
 
 cleanup:
 
         PKIX_DECREF(constraintPolicies);
         PKIX_DECREF(certPolicyInfos);
@@ -402,17 +399,19 @@ pkix_CertSelector_Match_CertificateValid
         /* If the validityTime is not set, all certificates are acceptable */
         if (validityTime) {
                 PKIX_CHECK(PKIX_PL_Cert_CheckValidity
                         (cert, validityTime, plContext),
                         PKIX_CERTCHECKVALIDITYFAILED);
         }
 
 cleanup:
-
+        if (PKIX_ERROR_RECEIVED) {
+            *pResult = PKIX_FALSE;
+        }
         PKIX_DECREF(validityTime);
 
         PKIX_RETURN(CERTSELECTOR);
 }
 
 /*
  * FUNCTION: pkix_CertSelector_Match_NameConstraints
  * DESCRIPTION:
@@ -461,16 +460,19 @@ pkix_CertSelector_Match_NameConstraints(
         if (nameConstraints != NULL) {
 
                 PKIX_CHECK(PKIX_PL_Cert_CheckNameConstraints
                     (cert, nameConstraints, plContext),
                     PKIX_CERTCHECKNAMECONSTRAINTSFAILED);
         }
 
 cleanup:
+        if (PKIX_ERROR_RECEIVED) {
+            *pResult = PKIX_FALSE;
+        }
 
         PKIX_DECREF(nameConstraints);
         PKIX_RETURN(CERTSELECTOR);
 }
 
 /*
  * FUNCTION: pkix_CertSelector_Match_PathToNames
  * DESCRIPTION:
@@ -526,19 +528,18 @@ pkix_CertSelector_Match_PathToNames(
 
             if (nameConstraints != NULL) {
 
                 PKIX_CHECK(PKIX_PL_CertNameConstraints_CheckNamesInNameSpace
                         (pathToNamesList, nameConstraints, &passed, plContext),
                         PKIX_CERTNAMECONSTRAINTSCHECKNAMESINNAMESPACEFAILED);
 
                 if (passed != PKIX_TRUE) {
-                        PKIX_CERTSELECTOR_DEBUG("PathToName Match failed\n");
-                        *pResult = PKIX_FALSE;
-                        goto cleanup;
+                    *pResult = PKIX_FALSE;
+                    PKIX_ERROR(PKIX_CERTSELECTORMATCHPATHTONAMESFAILED);
                 }
             }
 
         }
 
 cleanup:
 
         PKIX_DECREF(nameConstraints);
@@ -602,69 +603,62 @@ pkix_CertSelector_Match_SubjAltNames(
                     PKIX_COMCERTSELPARAMSGETSUBJALTNAMESFAILED);
 
         if (subjAltNamesList != NULL) {
 
             PKIX_CHECK(PKIX_PL_Cert_GetSubjectAltNames
                     (cert, &certSubjAltNames, plContext),
                     PKIX_CERTGETSUBJALTNAMESFAILED);
 
-            if (certSubjAltNames != NULL) {
+            if (certSubjAltNames == NULL) {
+                *pResult = PKIX_FALSE;
+                PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED);
+            }
 
-                PKIX_CHECK(PKIX_List_GetLength
-                        (subjAltNamesList, &numItems, plContext),
-                        PKIX_LISTGETLENGTHFAILED);
-
-                for (i = 0; i < numItems; i++) {
-
-                        PKIX_CHECK(PKIX_List_GetItem
-                            (subjAltNamesList,
+            PKIX_CHECK(PKIX_List_GetLength
+                       (subjAltNamesList, &numItems, plContext),
+                       PKIX_LISTGETLENGTHFAILED);
+            
+            for (i = 0; i < numItems; i++) {
+                
+                PKIX_CHECK(PKIX_List_GetItem
+                           (subjAltNamesList,
                             i,
                             (PKIX_PL_Object **) &name,
                             plContext),
-                            PKIX_LISTGETITEMFAILED);
-
-                        PKIX_CHECK(pkix_List_Contains
-                            (certSubjAltNames,
+                           PKIX_LISTGETITEMFAILED);
+                
+                PKIX_CHECK(pkix_List_Contains
+                           (certSubjAltNames,
                             (PKIX_PL_Object *) name,
                             &checkPassed,
                             plContext),
-                            PKIX_LISTCONTAINSFAILED);
-
-                        PKIX_DECREF(name);
-
-                        if (checkPassed == PKIX_TRUE) {
-
-                            if (matchAll == PKIX_FALSE) {
-                                /* one match is good enough */
-                                matchCount = numItems;
-                                break;
-                            } else {
-                            /* else continue checking next */
-                                matchCount++;
-                            }
-
-                        }
-
+                           PKIX_LISTCONTAINSFAILED);
+                
+                PKIX_DECREF(name);
+                
+                if (checkPassed == PKIX_TRUE) {
+                    
+                    if (matchAll == PKIX_FALSE) {
+                        /* one match is good enough */
+                        matchCount = numItems;
+                        break;
+                    } else {
+                        /* else continue checking next */
+                        matchCount++;
+                    }
+                    
                 }
-
-                if (matchCount != numItems) {
-                        PKIX_CERTSELECTOR_DEBUG("SubjAltName Match failed\n");
-                        *pResult = PKIX_FALSE;
-                        goto cleanup;
-                }
-
-            } else {
-
-                PKIX_CERTSELECTOR_DEBUG
-                        ("SubjAltName Match failed: Cert has no SubjAltName\n");
+                
+            }
+            
+            if (matchCount != numItems) {
                 *pResult = PKIX_FALSE;
-                goto cleanup;
+                PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED);
             }
-
         }
 
 cleanup:
 
         PKIX_DECREF(name);
         PKIX_DECREF(certSubjAltNames);
         PKIX_DECREF(subjAltNamesList);
 
@@ -745,20 +739,18 @@ pkix_CertSelector_Match_ExtendedKeyUsage
                     (PKIX_PL_Object *)ekuOid,
                     &isContained,
                     plContext),
                     PKIX_LISTCONTAINSFAILED);
 
                 PKIX_DECREF(ekuOid);
 
                 if (isContained != PKIX_TRUE) {
-                        PKIX_CERTSELECTOR_DEBUG
-                                ("Extended Key Usage Match failed\n");
-                        *pResult = PKIX_FALSE;
-                        goto cleanup;
+                    *pResult = PKIX_FALSE;
+                    PKIX_ERROR(PKIX_CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED);
                 }
             }
         }
 
 cleanup:
 
         PKIX_DECREF(ekuOid);
         PKIX_DECREF(extKeyUsageList);
@@ -814,16 +806,19 @@ pkix_CertSelector_Match_KeyUsage(
 
             PKIX_CHECK(PKIX_PL_Cert_VerifyKeyUsage
                         (cert, keyUsage, plContext),
                         PKIX_CERTVERIFYKEYUSAGEFAILED);
 
         }
 
 cleanup:
+        if (PKIX_ERROR_RECEIVED) {
+            *pResult = PKIX_FALSE;
+        }
 
         PKIX_RETURN(CERTSELECTOR);
 }
 
 /*
  * FUNCTION: pkix_CertSelector_Match_SubjKeyId
  * DESCRIPTION:
  *
@@ -869,34 +864,31 @@ pkix_CertSelector_Match_SubjKeyId(
                     PKIX_COMCERTSELPARAMSGETSUBJKEYIDENTIFIERFAILED);
 
         if (selSubjKeyId != NULL) {
 
                 PKIX_CHECK(PKIX_PL_Cert_GetSubjectKeyIdentifier
                     (cert, &certSubjKeyId, plContext),
                     PKIX_CERTGETSUBJECTKEYIDENTIFIERFAILED);
 
-                if (certSubjKeyId != NULL) {
-                        PKIX_CHECK(PKIX_PL_Object_Equals
-                                ((PKIX_PL_Object *)selSubjKeyId,
-                                (PKIX_PL_Object *)certSubjKeyId,
-                                &equals,
-                                plContext),
-                                PKIX_OBJECTEQUALSFAILED);
+                if (certSubjKeyId == NULL) {
+                    *pResult = PKIX_FALSE;
+                    PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJKEYIDFAILED);
+                }
 
-                        if (equals != PKIX_TRUE) {
-                            PKIX_CERTSELECTOR_DEBUG("SubjKeyId Match failed\n");
-                            *pResult = PKIX_FALSE;
-                            goto cleanup;
-                        }
-                } else {
-                    PKIX_CERTSELECTOR_DEBUG
-                        ("SubjKeyId Match failed: Cert has no SubjKeyId\n");
+                PKIX_CHECK(PKIX_PL_Object_Equals
+                           ((PKIX_PL_Object *)selSubjKeyId,
+                            (PKIX_PL_Object *)certSubjKeyId,
+                            &equals,
+                            plContext),
+                           PKIX_OBJECTEQUALSFAILED);
+                
+                if (equals != PKIX_TRUE) {
                     *pResult = PKIX_FALSE;
-                    goto cleanup;
+                    PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJKEYIDFAILED);
                 }
         }
 
 cleanup:
 
         PKIX_DECREF(selSubjKeyId);
         PKIX_DECREF(certSubjKeyId);
 
@@ -949,34 +941,30 @@ pkix_CertSelector_Match_AuthKeyId(
                     PKIX_COMCERTSELPARAMSGETAUTHORITYKEYIDENTIFIERFAILED);
 
         if (selAuthKeyId != NULL) {
 
                 PKIX_CHECK(PKIX_PL_Cert_GetAuthorityKeyIdentifier
                     (cert, &certAuthKeyId, plContext),
                     PKIX_CERTGETAUTHORITYKEYIDENTIFIERFAILED);
 
-                if (certAuthKeyId != NULL) {
-                        PKIX_CHECK(PKIX_PL_Object_Equals
-                                ((PKIX_PL_Object *)selAuthKeyId,
-                                (PKIX_PL_Object *)certAuthKeyId,
-                                &equals,
-                                plContext),
-                                PKIX_OBJECTEQUALSFAILED);
-
-                        if (equals != PKIX_TRUE) {
-                            PKIX_CERTSELECTOR_DEBUG("AuthKeyId Match failed\n");
-                            *pResult = PKIX_FALSE;
-                            goto cleanup;
-                        }
-                } else {
-                    PKIX_CERTSELECTOR_DEBUG
-                        ("AuthKeyId Match failed: Cert has no AuthKeyId\n");
+                if (certAuthKeyId == NULL) {
                     *pResult = PKIX_FALSE;
-                    goto cleanup;
+                    PKIX_ERROR(PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED);
+                }
+                PKIX_CHECK(PKIX_PL_Object_Equals
+                           ((PKIX_PL_Object *)selAuthKeyId,
+                            (PKIX_PL_Object *)certAuthKeyId,
+                            &equals,
+                            plContext),
+                           PKIX_OBJECTEQUALSFAILED);
+                
+                if (equals != PKIX_TRUE) {
+                    *pResult = PKIX_FALSE;
+                    PKIX_ERROR(PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED);
                 }
         }
 
 cleanup:
 
         PKIX_DECREF(selAuthKeyId);
         PKIX_DECREF(certAuthKeyId);
 
@@ -1030,34 +1018,29 @@ pkix_CertSelector_Match_SubjPKAlgId(
 
         if (selPKAlgId != NULL) {
 
                 PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKeyAlgId
                     (cert, &certPKAlgId, plContext),
                     PKIX_CERTGETSUBJECTPUBLICKEYALGIDFAILED);
 
                 if (certPKAlgId != NULL) {
-                        PKIX_CHECK(PKIX_PL_Object_Equals
-                                ((PKIX_PL_Object *)selPKAlgId,
-                                (PKIX_PL_Object *)certPKAlgId,
-                                &equals,
-                                plContext),
-                                PKIX_OBJECTEQUALSFAILED);
-
-                        if (equals != PKIX_TRUE) {
-                            PKIX_CERTSELECTOR_DEBUG
-                                ("SubjPKAlgId Match failed\n");
-                            *pResult = PKIX_FALSE;
-                            goto cleanup;
-                        }
-                } else {
-                    PKIX_CERTSELECTOR_DEBUG
-                        ("SubjPKAlgId Match failed: Cert has no SubjPKAlgId\n");
                     *pResult = PKIX_FALSE;
-                    goto cleanup;
+                    PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED);
+                }
+                PKIX_CHECK(PKIX_PL_Object_Equals
+                           ((PKIX_PL_Object *)selPKAlgId,
+                            (PKIX_PL_Object *)certPKAlgId,
+                            &equals,
+                            plContext),
+                           PKIX_OBJECTEQUALSFAILED);
+                
+                if (equals != PKIX_TRUE) {
+                    *pResult = PKIX_FALSE;
+                    PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED);
                 }
         }
 
 cleanup:
 
         PKIX_DECREF(selPKAlgId);
         PKIX_DECREF(certPKAlgId);
 
@@ -1110,36 +1093,30 @@ pkix_CertSelector_Match_SubjPubKey(
                     PKIX_COMCERTSELPARAMSGETSUBJPUBKEYFAILED);
 
         if (selPK != NULL) {
 
                 PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
                     (cert, &certPK, plContext),
                     PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
 
-                if (certPK != NULL) {
-                        PKIX_CHECK(PKIX_PL_Object_Equals
-                                ((PKIX_PL_Object *)selPK,
-                                (PKIX_PL_Object *)certPK,
-                                &equals,
-                                plContext),
-                                PKIX_OBJECTEQUALSFAILED);
-
-                        if (equals != PKIX_TRUE) {
-                            PKIX_CERTSELECTOR_DEBUG
-                                ("Subject Public Key Match failed\n");
-                            *pResult = PKIX_FALSE;
-                            goto cleanup;
-                        }
-
-                } else {
-                    PKIX_CERTSELECTOR_DEBUG
-                        ("SubjPubKey Match failed: Cert has no SubjPubKey\n");
+                if (certPK == NULL) {
                     *pResult = PKIX_FALSE;
-                    goto cleanup;
+                    PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED);
+                }
+                PKIX_CHECK(PKIX_PL_Object_Equals
+                           ((PKIX_PL_Object *)selPK,
+                            (PKIX_PL_Object *)certPK,
+                            &equals,
+                            plContext),
+                           PKIX_OBJECTEQUALSFAILED);
+                
+                if (equals != PKIX_TRUE) {
+                    *pResult = PKIX_FALSE;
+                    PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED);
                 }
         }
 
 cleanup:
 
         PKIX_DECREF(selPK);
         PKIX_DECREF(certPK);
 
@@ -1147,19 +1124,18 @@ cleanup:
 }
 
 /*
  * FUNCTION: pkix_CertSelector_DefaultMatch
  * DESCRIPTION:
  *
  *  This default match function determines whether the specified Cert pointed
  *  to by "cert" matches the criteria of the CertSelector pointed to by
- *  "selector". If the Cert satisfies the CertSelector's criteria, PKIX_TRUE
- *  is stored at "pResult". If the Cert does not match the CertSelector's
- *  criteria, PKIX_FALSE is stored at "pResult". 
+ *  "selector". If the Cert does not match the CertSelector's
+ *  criteria, an error will be thrown.
  *
  *  This default match function understands how to process the most common
  *  parameters. Any common parameter that is not set is assumed to be disabled,
  *  which means this function will select all certificates without regard to
  *  that particular disabled parameter. For example, if the SerialNumber
  *  parameter is not set, this function will not filter out any certificate
  *  based on its serial number. As such, if no parameters are set, all are
  *  disabled and any certificate will match. If a parameter is disabled, its
@@ -1170,59 +1146,53 @@ cleanup:
  *
  * PARAMETERS:
  *  "selector"
  *      Address of CertSelector whose MatchCallback logic and parameters are
  *      to be used. Must be non-NULL.
  *  "cert"
  *      Address of Cert that is to be matched using "selector".
  *      Must be non-NULL.
- *  "pResult"
- *      Address of PKIX_Boolean that returns the match result.
  *  "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Conditionally Thread Safe
  *      (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds.
  *  Returns a CertSelector Error if the function fails in a non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 static PKIX_Error *
 pkix_CertSelector_DefaultMatch(
         PKIX_CertSelector *selector,
         PKIX_PL_Cert *cert,
-        PKIX_Boolean *pResult,
         void *plContext)
 {
         PKIX_ComCertSelParams *params = NULL;
         PKIX_PL_X500Name *certSubject = NULL;
         PKIX_PL_X500Name *selSubject = NULL;
         PKIX_PL_X500Name *certIssuer = NULL;
         PKIX_PL_X500Name *selIssuer = NULL;
         PKIX_PL_BigInt *certSerialNumber = NULL;
         PKIX_PL_BigInt *selSerialNumber = NULL;
         PKIX_PL_Cert *selCert = NULL;
         PKIX_PL_Date *selDate = NULL;
-        PKIX_UInt32 requiredKeyUsage = 0;
         PKIX_UInt32 selVersion = 0xFFFFFFFF;
         PKIX_UInt32 certVersion = 0;
         PKIX_Boolean result = PKIX_TRUE;
 
 #ifdef PKIX_BUILDDEBUG
         PKIX_PL_String *certString = NULL;
         void *certAscii = NULL;
         PKIX_UInt32 certAsciiLen;
 #endif
 
         PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_DefaultMatch");
-        PKIX_NULLCHECK_THREE(selector, cert, pResult);
-
-        *pResult = PKIX_TRUE;
+        PKIX_NULLCHECK_TWO(selector, cert);
 
         PKIX_INCREF(selector->params);
         params = selector->params;
 
         if (params == NULL){
                 goto cleanup;
         }
 
@@ -1231,19 +1201,17 @@ pkix_CertSelector_DefaultMatch(
                     PKIX_COMCERTSELPARAMSGETVERSIONFAILED);
 
         if (selVersion != 0xFFFFFFFF){
                 PKIX_CHECK(PKIX_PL_Cert_GetVersion
                             (cert, &certVersion, plContext),
                             PKIX_CERTGETVERSIONFAILED);
 
                 if (selVersion != certVersion) {
-                        PKIX_CERTSELECTOR_DEBUG("Version Match FAILED\n");
-                        *pResult = PKIX_FALSE;
-                        goto cleanup;
+                        PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTVERSIONFAILED);
                 }
         }
 
         PKIX_CHECK(PKIX_ComCertSelParams_GetSubject
                     (params, &selSubject, plContext),
                     PKIX_COMCERTSELPARAMSGETSUBJECTFAILED);
 
         if (selSubject){
@@ -1252,26 +1220,20 @@ pkix_CertSelector_DefaultMatch(
                             PKIX_CERTGETSUBJECTFAILED);
 
                 if (certSubject){
                         PKIX_CHECK(PKIX_PL_X500Name_Match
                             (selSubject, certSubject, &result, plContext),
                             PKIX_X500NAMEMATCHFAILED);
 
                         if (result == PKIX_FALSE){
-                                PKIX_CERTSELECTOR_DEBUG
-                                        ("Subject Match FAILED\n");
-                                *pResult = PKIX_FALSE;
-                                goto cleanup;
+                            PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTSUBJECTFAILED);
                         }
                 } else { /* cert has no subject */
-                        PKIX_CERTSELECTOR_DEBUG("Subject Match FAILED\n");
-                        *pResult = PKIX_FALSE;
-                        goto cleanup;
-
+                        PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTSUBJECTFAILED);
                 }
         }
 
         PKIX_CHECK(PKIX_ComCertSelParams_GetIssuer
                     (params, &selIssuer, plContext),
                     PKIX_COMCERTSELPARAMSGETISSUERFAILED);
 
         if (selIssuer){
@@ -1279,19 +1241,17 @@ pkix_CertSelector_DefaultMatch(
                             (cert, &certIssuer, plContext),
                             PKIX_CERTGETISSUERFAILED);
 
                 PKIX_CHECK(PKIX_PL_X500Name_Match
                             (selIssuer, certIssuer, &result, plContext),
                             PKIX_X500NAMEMATCHFAILED);
 
                 if (result == PKIX_FALSE){
-                        PKIX_CERTSELECTOR_DEBUG("Issuer Match FAILED\n");
-                        *pResult = PKIX_FALSE;
-                        goto cleanup;
+                        PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTISSUERFAILED);
                 }
         }
 
         PKIX_CHECK(PKIX_ComCertSelParams_GetSerialNumber
                     (params, &selSerialNumber, plContext),
                     PKIX_COMCERTSELPARAMSGETSERIALNUMBERFAILED);
 
         if (selSerialNumber){
@@ -1302,182 +1262,96 @@ pkix_CertSelector_DefaultMatch(
                 PKIX_CHECK(PKIX_PL_Object_Equals
                             ((PKIX_PL_Object *)selSerialNumber,
                             (PKIX_PL_Object *)certSerialNumber,
                             &result,
                             plContext),
                             PKIX_OBJECTEQUALSFAILED);
 
                 if (result == PKIX_FALSE){
-                        PKIX_CERTSELECTOR_DEBUG("Serial Number Match FAILED\n");
-                        *pResult = PKIX_FALSE;
-                        goto cleanup;
+                        PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTSERIALNUMFAILED);
                 }
         }
 
         PKIX_CHECK(PKIX_ComCertSelParams_GetCertificate
                     (params, &selCert, plContext),
                     PKIX_COMCERTSELPARAMSGETCERTIFICATEFAILED);
 
         if (selCert){
                 PKIX_CHECK(PKIX_PL_Object_Equals
                             ((PKIX_PL_Object *) selCert,
                             (PKIX_PL_Object *) cert,
                             &result,
                             plContext),
                             PKIX_OBJECTEQUALSFAILED);
 
                 if (result == PKIX_FALSE){
-                        PKIX_CERTSELECTOR_DEBUG("Certificate Match FAILED\n");
-                        *pResult = PKIX_FALSE;
-                        goto cleanup;
+                        PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTOBJECTFAILED);
                 }
         }
 
-
         PKIX_CHECK(PKIX_ComCertSelParams_GetCertificateValid
                     (params, &selDate, plContext),
                     PKIX_COMCERTSELPARAMSGETCERTIFICATEVALIDFAILED);
 
         if (selDate){
                 PKIX_CHECK(PKIX_PL_Cert_CheckValidity
                             (cert, selDate, plContext),
                             PKIX_CERTCHECKVALIDITYFAILED);
         }
 
-        PKIX_CHECK(PKIX_ComCertSelParams_GetKeyUsage
-                    (params, &requiredKeyUsage, plContext),
-                    PKIX_COMCERTSELPARAMSGETKEYUSAGEFAILED);
-
-        if (requiredKeyUsage != 0) {
-                PKIX_CHECK(PKIX_PL_Cert_VerifyKeyUsage
-                            (cert, requiredKeyUsage, plContext),
-                            PKIX_CERTVERIFYKEYUSAGEFAILED);
-        }
-
         PKIX_CHECK(pkix_CertSelector_Match_BasicConstraint
                     (params, cert, &result, plContext),
                     PKIX_CERTSELECTORMATCHBASICCONSTRAINTFAILED);
 
-        if (result == PKIX_FALSE){
-                PKIX_CERTSELECTOR_DEBUG("BasicConstraint Match FAILED\n");
-                *pResult = PKIX_FALSE;
-                goto cleanup;
-        }
-
         PKIX_CHECK(pkix_CertSelector_Match_Policies
                     (params, cert, &result, plContext),
                     PKIX_CERTSELECTORMATCHPOLICIESFAILED);
 
-        if (result == PKIX_FALSE){
-                PKIX_CERTSELECTOR_DEBUG("Policies Match FAILED\n");
-                *pResult = PKIX_FALSE;
-                goto cleanup;
-        }
-
         PKIX_CHECK(pkix_CertSelector_Match_CertificateValid
                     (params, cert, &result, plContext),
                     PKIX_CERTSELECTORMATCHCERTIFICATEVALIDFAILED);
 
-        if (result == PKIX_FALSE){
-                PKIX_CERTSELECTOR_DEBUG("CertificateValid Match FAILED\n");
-                *pResult = PKIX_FALSE;
-                goto cleanup;
-        }
-
         PKIX_CHECK(pkix_CertSelector_Match_NameConstraints
                     (params, cert, &result, plContext),
                     PKIX_CERTSELECTORMATCHNAMECONSTRAINTSFAILED);
 
-        if (result == PKIX_FALSE){
-                PKIX_CERTSELECTOR_DEBUG("NameConstraints Match FAILED\n");
-                *pResult = PKIX_FALSE;
-                goto cleanup;
-        }
-
         PKIX_CHECK(pkix_CertSelector_Match_PathToNames
                     (params, cert, &result, plContext),
                     PKIX_CERTSELECTORMATCHPATHTONAMESFAILED);
 
-        if (result == PKIX_FALSE){
-                PKIX_CERTSELECTOR_DEBUG("PathToNames Match FAILED\n");
-                *pResult = PKIX_FALSE;
-                goto cleanup;
-        }
-
         PKIX_CHECK(pkix_CertSelector_Match_SubjAltNames
                     (params, cert, &result, plContext),
                     PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED);
 
-        if (result == PKIX_FALSE){
-                PKIX_CERTSELECTOR_DEBUG("SubjAltNames Match FAILED\n");
-                *pResult = PKIX_FALSE;
-                goto cleanup;
-        }
-
+        /* Next two check are for user supplied additional KU and EKU. */
         PKIX_CHECK(pkix_CertSelector_Match_ExtendedKeyUsage
                     (params, cert, &result, plContext),
                     PKIX_CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED);
 
-        if (result == PKIX_FALSE){
-                PKIX_CERTSELECTOR_DEBUG("ExtendedKeyUsage Match FAILED\n");
-                *pResult = PKIX_FALSE;
-                goto cleanup;
-        }
-
         PKIX_CHECK(pkix_CertSelector_Match_KeyUsage
                     (params, cert, &result, plContext),
                     PKIX_CERTSELECTORMATCHKEYUSAGEFAILED);
 
-        if (result == PKIX_FALSE){
-                PKIX_CERTSELECTOR_DEBUG("KeyUsage Match FAILED\n");
-                *pResult = PKIX_FALSE;
-                goto cleanup;
-        }
-
         PKIX_CHECK(pkix_CertSelector_Match_SubjKeyId
                     (params, cert, &result, plContext),
                     PKIX_CERTSELECTORMATCHSUBJKEYIDFAILED);
 
-        if (result == PKIX_FALSE){
-                PKIX_CERTSELECTOR_DEBUG("SubjKeyId Match FAILED\n");
-                *pResult = PKIX_FALSE;
-                goto cleanup;
-        }
-
         PKIX_CHECK(pkix_CertSelector_Match_AuthKeyId
                     (params, cert, &result, plContext),
                     PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED);
 
-        if (result == PKIX_FALSE){
-                PKIX_CERTSELECTOR_DEBUG("AuthKeyId Match FAILED\n");
-                *pResult = PKIX_FALSE;
-                goto cleanup;
-        }
-
         PKIX_CHECK(pkix_CertSelector_Match_SubjPKAlgId
                     (params, cert, &result, plContext),
                     PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED);
 
-        if (result == PKIX_FALSE){
-                PKIX_CERTSELECTOR_DEBUG("SubjPKAlgId Match FAILED\n");
-                *pResult = PKIX_FALSE;
-                goto cleanup;
-        }
-
         PKIX_CHECK(pkix_CertSelector_Match_SubjPubKey
                     (params, cert, &result, plContext),
                     PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED);
 
-        if (result == PKIX_FALSE){
-                PKIX_CERTSELECTOR_DEBUG("SubjPubKey Match FAILED\n");
-                *pResult = PKIX_FALSE;
-                goto cleanup;
-        }
-
         /* if we reach here, the cert has successfully matched criteria */
 
 
 #ifdef PKIX_BUILDDEBUG
 
         PKIX_CHECK(pkix_pl_Cert_ToString_Helper
                     (cert, PKIX_TRUE, &certString, plContext),
                     PKIX_CERTTOSTRINGHELPERFAILED);
@@ -1720,17 +1594,16 @@ cleanup:
  */
 PKIX_Error *
 pkix_CertSelector_Select(
 	PKIX_CertSelector *selector,
 	PKIX_List *before,
 	PKIX_List **pAfter,
 	void *plContext)
 {
-	PKIX_Boolean match = PKIX_FALSE;
 	PKIX_UInt32 numBefore = 0;
 	PKIX_UInt32 i = 0;
 	PKIX_List *filtered = NULL;
 	PKIX_PL_Cert *candidate = NULL;
 
         PKIX_ENTER(CERTSELECTOR, "PKIX_CertSelector_Select");
         PKIX_NULLCHECK_THREE(selector, before, pAfter);
 
@@ -1742,20 +1615,20 @@ pkix_CertSelector_Select(
 
         for (i = 0; i < numBefore; i++) {
 
                 PKIX_CHECK(PKIX_List_GetItem
                         (before, i, (PKIX_PL_Object **)&candidate, plContext),
                         PKIX_LISTGETITEMFAILED);
 
                 PKIX_CHECK_ONLY_FATAL(selector->matchCallback
-                        (selector, candidate, &match, plContext),
+                        (selector, candidate, plContext),
                         PKIX_CERTSELECTORMATCHCALLBACKFAILED);
 
-                if ((!(PKIX_ERROR_RECEIVED)) && (match == PKIX_TRUE)) {
+                if (!(PKIX_ERROR_RECEIVED)) {
 
                         PKIX_CHECK_ONLY_FATAL(PKIX_List_AppendItem
                                 (filtered,
                                 (PKIX_PL_Object *)candidate,
                                 plContext),
                                 PKIX_LISTAPPENDITEMFAILED);
                 }
 
--- a/security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.c
+++ b/security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.c
@@ -187,16 +187,18 @@ pkix_ComCertSelParams_Duplicate(
                 plContext,
                 PKIX_OBJECTDUPLICATEFAILED);
 
         PKIX_DUPLICATE(params->subjPKAlgId,
                 &paramsDuplicate->subjPKAlgId,
                 plContext,
                 PKIX_OBJECTDUPLICATEFAILED);
 
+        paramsDuplicate->leafCertFlag = params->leafCertFlag;
+
         *pNewObject = (PKIX_PL_Object *)paramsDuplicate;
 
 cleanup:
 
         if (PKIX_ERROR_RECEIVED){
                 PKIX_DECREF(paramsDuplicate);
         }
 
@@ -214,31 +216,24 @@ cleanup:
  *  Since this function is only called by PKIX_PL_Initialize, which should
  *  only be called once, it is acceptable that this function is not
  *  thread-safe.
  */
 PKIX_Error *
 pkix_ComCertSelParams_RegisterSelf(void *plContext)
 {
         extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
-        pkix_ClassTable_Entry entry;
+        pkix_ClassTable_Entry* entry = &systemClasses[PKIX_COMCERTSELPARAMS_TYPE];
 
         PKIX_ENTER(COMCERTSELPARAMS, "pkix_ComCertSelParams_RegisterSelf");
 
-        entry.description = "ComCertSelParams";
-        entry.objCounter = 0;
-        entry.typeObjectSize = sizeof(PKIX_ComCertSelParams);
-        entry.destructor = pkix_ComCertSelParams_Destroy;
-        entry.equalsFunction = NULL;
-        entry.hashcodeFunction = NULL;
-        entry.toStringFunction = NULL;
-        entry.comparator = NULL;
-        entry.duplicateFunction = pkix_ComCertSelParams_Duplicate;
-
-        systemClasses[PKIX_COMCERTSELPARAMS_TYPE] = entry;
+        entry->description = "ComCertSelParams";
+        entry->typeObjectSize = sizeof(PKIX_ComCertSelParams);
+        entry->destructor = pkix_ComCertSelParams_Destroy;
+        entry->duplicateFunction = pkix_ComCertSelParams_Duplicate;
 
         PKIX_RETURN(COMCERTSELPARAMS);
 }
 
 /* --Public-Functions--------------------------------------------- */
 
 
 /*
@@ -278,16 +273,17 @@ PKIX_ComCertSelParams_Create(
         params->date = NULL;
         params->certValid = NULL;
         params->issuer = NULL;
         params->serialNumber = NULL;
         params->authKeyId = NULL;
         params->subjKeyId = NULL;
         params->subjPubKey = NULL;
         params->subjPKAlgId = NULL;
+        params->leafCertFlag = PKIX_TRUE;
 
         *pParams = params;
 
 cleanup:
 
         PKIX_RETURN(COMCERTSELPARAMS);
 
 }
@@ -1176,8 +1172,50 @@ PKIX_ComCertSelParams_SetSubjPKAlgId(
         PKIX_CHECK(PKIX_PL_Object_InvalidateCache
                     ((PKIX_PL_Object *)params, plContext),
                     PKIX_OBJECTINVALIDATECACHEFAILED);
 
 cleanup:
 
         PKIX_RETURN(COMCERTSELPARAMS);
 }
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetLeafCertFlag
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error*
+PKIX_ComCertSelParams_GetLeafCertFlag(
+        PKIX_ComCertSelParams *params,
+        PKIX_Boolean *pLeafFlag,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_GetLeafCertFlag");
+        PKIX_NULLCHECK_TWO(params, pLeafFlag);
+
+        *pLeafFlag = params->leafCertFlag;
+
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetLeafCertFlag
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetLeafCertFlag(
+        PKIX_ComCertSelParams *params,
+        PKIX_Boolean leafFlag,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_SetLeafCertFlag");
+        PKIX_NULLCHECK_ONE(params);
+
+        params->leafCertFlag = leafFlag;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
--- a/security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.h
+++ b/security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.h
@@ -71,16 +71,17 @@ struct PKIX_ComCertSelParamsStruct {
         PKIX_PL_Date *date;
         PKIX_PL_Date *certValid;
         PKIX_PL_X500Name *issuer;
         PKIX_PL_BigInt *serialNumber;
         PKIX_PL_ByteArray *authKeyId;
         PKIX_PL_ByteArray *subjKeyId;
         PKIX_PL_PublicKey *subjPubKey;
         PKIX_PL_OID *subjPKAlgId;
+        PKIX_Boolean leafCertFlag;
 };
 
 /* see source file for function documentation */
 
 PKIX_Error *pkix_ComCertSelParams_RegisterSelf(void *plContext);
 
 #ifdef __cplusplus
 }
--- a/security/nss/lib/libpkix/pkix/checker/pkix_ekuchecker.c
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_ekuchecker.c
@@ -38,24 +38,24 @@
  * pkix_ekuchecker.c
  *
  * User Defined ExtenedKeyUsage Function Definitions
  *
  */
 
 #include "pkix_ekuchecker.h"
 
-char *ekuOidStrings[] = {
-        "1.3.6.1.5.5.7.3.1",    /* id-kp-serverAuth */
-        "1.3.6.1.5.5.7.3.2",    /* id-kp-clientAuth */
-        "1.3.6.1.5.5.7.3.3",    /* id-kp-codeSigning */
-        "1.3.6.1.5.5.7.3.4",    /* id-kp-emailProtection */
-        "1.3.6.1.5.5.7.3.8",    /* id-kp-timeStamping */
-        "1.3.6.1.5.5.7.3.9",    /* id-kp-OCSPSigning */
-        NULL
+SECOidTag ekuOidStrings[] = {
+    PKIX_KEY_USAGE_SERVER_AUTH_OID,
+    PKIX_KEY_USAGE_CLIENT_AUTH_OID,
+    PKIX_KEY_USAGE_CODE_SIGN_OID,
+    PKIX_KEY_USAGE_EMAIL_PROTECT_OID,
+    PKIX_KEY_USAGE_TIME_STAMP_OID,
+    PKIX_KEY_USAGE_OCSP_RESPONDER_OID,
+    PKIX_UNKNOWN_OID
 };
 
 typedef struct pkix_EkuCheckerStruct {
     PKIX_List *requiredExtKeyUsageOids;
     PKIX_PL_OID *ekuOID;
 } pkix_EkuChecker;
 
 
--- a/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c
@@ -246,17 +246,17 @@ pkix_OcspChecker_CheckExternal(
         pkix_OcspChecker *checker = NULL;
         PKIX_PL_OcspCertID *cid = NULL;
         PKIX_PL_OcspRequest *request = NULL;
         PKIX_PL_OcspResponse *response = NULL;
         PKIX_PL_Date *validity = NULL;
         PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;
         void *nbioContext = NULL;
 
-        PKIX_ENTER(OCSPCHECKER, "pkix_OcspChecker_Check");
+        PKIX_ENTER(OCSPCHECKER, "pkix_OcspChecker_CheckExternal");
 
         PKIX_CHECK(
             pkix_CheckType((PKIX_PL_Object*)checkerObject,
                            PKIX_OCSPCHECKER_TYPE, plContext),
                 PKIX_OBJECTNOTOCSPCHECKER);
 
         checker = (pkix_OcspChecker *)checkerObject;
 
--- a/security/nss/lib/libpkix/pkix/checker/pkix_targetcertchecker.c
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_targetcertchecker.c
@@ -373,24 +373,18 @@ pkix_TargetCertChecker_Check(
                             (state->certSelector,
                             &certSelectorMatch,
                             plContext),
                             PKIX_CERTSELECTORGETMATCHCALLBACKFAILED);
 
                         PKIX_CHECK(certSelectorMatch
                             (state->certSelector,
                             cert,
-                            &checkPassed,
                             plContext),
                             PKIX_CERTSELECTORMATCHFAILED);
-
-                        if (checkPassed != PKIX_TRUE){
-                                PKIX_ERROR(PKIX_CERTSELECTORCHECKFAILED);
-                        }
-
                         /*
                          * There are two Extended Key Usage Checkings
                          * available :
                          * 1) here at the targetcertchecker where we
                          *    verify the Extended Key Usage OIDs application
                          *    specifies via ComCertSelParams are included
                          *    in Cert's Extended Key Usage OID's. Note,
                          *    this is an OID to OID comparison and only last
--- a/security/nss/lib/libpkix/pkix/params/pkix_procparams.c
+++ b/security/nss/lib/libpkix/pkix/params/pkix_procparams.c
@@ -583,16 +583,17 @@ PKIX_ProcessingParams_Create(
         params->certStores = NULL;
         params->resourceLimits = NULL;
 
         params->isCrlRevocationCheckingEnabled = PKIX_TRUE;
 
         params->isCrlRevocationCheckingEnabledWithNISTPolicy = PKIX_TRUE;
 
         params->useAIAForCertFetching = PKIX_FALSE;
+        params->qualifyTargetCert = PKIX_TRUE;
 
         *pParams = params;
         params = NULL;
 
 cleanup:
 
         PKIX_DECREF(params);
 
@@ -632,16 +633,54 @@ PKIX_ProcessingParams_SetUseAIAForCertFe
         PKIX_NULLCHECK_ONE(params);
 
         params->useAIAForCertFetching = useAIA;
 
         PKIX_RETURN(PROCESSINGPARAMS);
 }
 
 /*
+ * FUNCTION: PKIX_ProcessingParams_GetQualifyTargetCert
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_GetValidateTargetCert(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean *pQualifyTargetCert,
+        void *plContext)
+{
+        PKIX_ENTER(PROCESSINGPARAMS,
+                   "PKIX_ProcessingParams_GetValidateTargetCert");
+        PKIX_NULLCHECK_TWO(params, pQualifyTargetCert);
+
+        *pQualifyTargetCert = params->qualifyTargetCert;
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetQualifyTargetCert
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetQualifyTargetCert(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean qualifyTargetCert,
+        void *plContext)
+{
+        PKIX_ENTER(PROCESSINGPARAMS,
+                   "PKIX_ProcessingParams_SetQualifyTargetCert");
+        PKIX_NULLCHECK_ONE(params);
+
+        params->qualifyTargetCert = qualifyTargetCert;
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
  * FUNCTION: PKIX_ProcessingParams_SetTrustAnchors
  * (see comments in pkix_params.h)
  */
 PKIX_Error *
 PKIX_ProcessingParams_SetTrustAnchors(
         PKIX_ProcessingParams *params,
         PKIX_List *anchors,  /* list of TrustAnchor */
         void *plContext)
--- a/security/nss/lib/libpkix/pkix/params/pkix_procparams.h
+++ b/security/nss/lib/libpkix/pkix/params/pkix_procparams.h
@@ -63,16 +63,17 @@ struct PKIX_ProcessingParamsStruct {
         PKIX_Boolean qualifiersRejected;
         PKIX_List *certChainCheckers;
         PKIX_List *certStores;
         PKIX_Boolean isCrlRevocationCheckingEnabled;
         PKIX_Boolean isCrlRevocationCheckingEnabledWithNISTPolicy;
         PKIX_RevocationChecker *revChecker;
         PKIX_ResourceLimits *resourceLimits;
         PKIX_Boolean useAIAForCertFetching;
+        PKIX_Boolean qualifyTargetCert;
 };
 
 /* see source file for function documentation */
 
 PKIX_Error *pkix_ProcessingParams_RegisterSelf(void *plContext);
 
 #ifdef __cplusplus
 }
--- a/security/nss/lib/libpkix/pkix/store/pkix_store.c
+++ b/security/nss/lib/libpkix/pkix/store/pkix_store.c
@@ -294,25 +294,27 @@ PKIX_CertStore_GetCRLCallback(
 
 /*
  * FUNCTION: PKIX_CertStore_CertContinue (see comments in pkix_certstore.h)
  */
 PKIX_Error *
 PKIX_CertStore_CertContinue(
         PKIX_CertStore *store,
         PKIX_CertSelector *selector,
+        PKIX_VerifyNode *verifyNode,
         void **pNBIOContext,
         PKIX_List **pCertList,
         void *plContext)
 {
         PKIX_ENTER(CERTSTORE, "PKIX_CertStore_CertContinue");
         PKIX_NULLCHECK_FOUR(store, selector, pNBIOContext, pCertList);
 
         PKIX_CHECK(store->certContinue
-                (store, selector, pNBIOContext, pCertList, plContext),
+                   (store, selector, verifyNode,
+                    pNBIOContext, pCertList, plContext),
                 PKIX_CERTSTORECERTCONTINUEFUNCTIONFAILED);
 
 cleanup:
 
         PKIX_RETURN(CERTSTORE);
 }
 
 /*
--- a/security/nss/lib/libpkix/pkix/top/pkix_build.c
+++ b/security/nss/lib/libpkix/pkix/top/pkix_build.c
@@ -48,24 +48,24 @@
 
 extern PRLogModuleInfo *pkixLog;
 
 /*
  * List of critical extension OIDs associate with what build chain has
  * checked. Those OIDs need to be removed from the unresolved critical
  * extension OIDs list manually (instead of by checker automatically).
  */
-static char *buildCheckedCritExtOIDs[] = {
+static SECOidTag buildCheckedCritExtOIDs[] = {
         PKIX_CERTKEYUSAGE_OID,
         PKIX_CERTSUBJALTNAME_OID,
         PKIX_BASICCONSTRAINTS_OID,
         PKIX_NAMECONSTRAINTS_OID,
         PKIX_EXTENDEDKEYUSAGE_OID,
         PKIX_NSCERTTYPE_OID,
-        NULL
+        PKIX_UNKNOWN_OID
 };
 
 /* --Private-ForwardBuilderState-Functions---------------------------------- */
 
 /*
  * FUNCTION: pkix_ForwardBuilderState_Destroy
  * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
  */
@@ -1134,17 +1134,17 @@ pkix_Build_ValidationCheckers(
 
         /*
          * Create an OID list that contains critical extensions processed
          * by BuildChain. These are specified in a static const array.
          */
         PKIX_CHECK(PKIX_List_Create(&buildCheckedCritExtOIDsList, plContext),
                 PKIX_LISTCREATEFAILED);
 
-        for (i = 0; buildCheckedCritExtOIDs[i] != NULL; i++) {
+        for (i = 0; buildCheckedCritExtOIDs[i] != PKIX_UNKNOWN_OID; i++) {
                 PKIX_CHECK(PKIX_PL_OID_Create
                         (buildCheckedCritExtOIDs[i], &oid, plContext),
                         PKIX_OIDCREATEFAILED);
 
                 PKIX_CHECK(PKIX_List_AppendItem
                         (buildCheckedCritExtOIDsList,
                         (PKIX_PL_Object *) oid,
                         plContext),
@@ -1552,17 +1552,16 @@ pkix_Build_SelectCertsFromTrustAnchors(
     void *plContext) 
 {
     int anchorIndex = 0;
     PKIX_TrustAnchor *anchor = NULL;
     PKIX_PL_Cert *trustedCert = NULL;
     PKIX_List *matchList = NULL;
     PKIX_CertSelector *certSel = NULL;
     PKIX_CertSelector_MatchCallback selectorMatchCB = NULL;
-    PKIX_Boolean certMatch = PKIX_TRUE;
 
     PKIX_ENTER(BUILD, "pkix_Build_SelectCertsFromTrustAnchors");
     
     PKIX_CHECK(PKIX_CertSelector_Create
                (NULL, NULL, &certSel, plContext),
                PKIX_CERTSELECTORCREATEFAILED);
     PKIX_CHECK(PKIX_CertSelector_SetCommonCertSelectorParams
                (certSel, certSelParams, plContext),
@@ -1577,19 +1576,18 @@ pkix_Build_SelectCertsFromTrustAnchors(
                               anchorIndex,
                               (PKIX_PL_Object **)&anchor,
                               plContext),
             PKIX_LISTGETITEMFAILED);
         PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert
                    (anchor, &trustedCert, plContext),
                    PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
         pkixErrorResult =
-            (*selectorMatchCB)(certSel, trustedCert,
-                               &certMatch, plContext);
-        if (!pkixErrorResult && certMatch) {
+            (*selectorMatchCB)(certSel, trustedCert, plContext);
+        if (!pkixErrorResult) {
             if (!matchList) {
                 PKIX_CHECK(PKIX_List_Create(&matchList,
                                             plContext),
                            PKIX_LISTCREATEFAILED);
             }
             PKIX_CHECK(
                 PKIX_List_AppendItem(matchList,
                     (PKIX_PL_Object*)trustedCert,
@@ -1791,24 +1789,26 @@ pkix_Build_GatherCerts(
                         if (nbioContext == NULL) {
                                 PKIX_CHECK(PKIX_CertStore_GetCertCallback
                                         (certStore, &getCerts, plContext),
                                         PKIX_CERTSTOREGETCERTCALLBACKFAILED);
 
                                 PKIX_CHECK(getCerts
                                         (certStore,
                                         state->certSel,
+                                        state->verifyNode,
                                         &nbioContext,
                                         &certsFound,
                                         plContext),
                                         PKIX_GETCERTSFAILED);
                         } else {
                                 PKIX_CHECK(PKIX_CertStore_CertContinue
                                         (certStore,
                                         state->certSel,
+                                        state->verifyNode,
                                         &nbioContext,
                                         &certsFound,
                                         plContext),
                                         PKIX_CERTSTORECERTCONTINUEFAILED);
                         }
 
                         if (certStoreIsCached && certsFound) {
 
@@ -3206,16 +3206,17 @@ pkix_Build_InitiateBuildChain(
 
         PKIX_List *tentativeChain = NULL;
         PKIX_ValidateResult *valResult = NULL;
         PKIX_BuildResult *buildResult = NULL;
         PKIX_List *certList = NULL;
         PKIX_TrustAnchor *matchingAnchor = NULL;
         PKIX_ForwardBuilderState *state = NULL;
         PKIX_CertStore_CheckTrustCallback trustCallback = NULL;
+        PKIX_CertSelector_MatchCallback selectorCallback = NULL;
         PKIX_PL_AIAMgr *aiaMgr = NULL;
 
         PKIX_ENTER(BUILD, "pkix_Build_InitiateBuildChain");
         PKIX_NULLCHECK_FOUR(procParams, pNBIOContext, pState, pBuildResult);
 
         nbioContext = *pNBIOContext;
         *pNBIOContext = NULL;
 
@@ -3230,20 +3231,19 @@ pkix_Build_InitiateBuildChain(
             PKIX_CHECK(PKIX_ProcessingParams_GetTrustAnchors
                     (procParams, &anchors, plContext),
                     PKIX_PROCESSINGPARAMSGETTRUSTANCHORSFAILED);
     
             PKIX_CHECK(PKIX_List_GetLength(anchors, &numAnchors, plContext),
                     PKIX_LISTGETLENGTHFAILED);
     
             /* retrieve stuff from targetCertConstraints */
-    
             PKIX_CHECK(PKIX_ProcessingParams_GetTargetCertConstraints
-                    (procParams, &targetConstraints, plContext),
-                    PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED);
+                       (procParams, &targetConstraints, plContext),
+                       PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED);
     
             PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams
                     (targetConstraints, &targetParams, plContext),
                     PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMSFAILED);
     
             PKIX_CHECK(PKIX_ComCertSelParams_GetCertificate
                     (targetParams, &targetCert, plContext),
                     PKIX_COMCERTSELPARAMSGETCERTIFICATEFAILED);
@@ -3324,20 +3324,38 @@ pkix_Build_InitiateBuildChain(
     
             PKIX_CHECK(PKIX_List_Create(&tentativeChain, plContext),
                     PKIX_LISTCREATEFAILED);
     
             PKIX_CHECK(PKIX_List_AppendItem
                     (tentativeChain, (PKIX_PL_Object *)targetCert, plContext),
                     PKIX_LISTAPPENDITEMFAILED);
     
-            /* Failure here is reportable */
-            pkixErrorResult = PKIX_PL_Cert_CheckValidity
-                    (targetCert, testDate, plContext);
-            if (pkixErrorResult) {
+            if (procParams->qualifyTargetCert) {
+                /* EE cert validation */
+                /* Sync up the time on the target selector parameter struct. */
+                PKIX_CHECK(
+                    PKIX_ComCertSelParams_SetCertificateValid(targetParams,
+                                                              testDate,
+                                                              plContext),
+                    PKIX_COMCERTSELPARAMSSETCERTIFICATEVALIDFAILED);
+                
+                PKIX_CHECK(
+                    PKIX_ComCertSelParams_SetLeafCertFlag(targetParams,
+                                                PKIX_TRUE, plContext),
+                    PKIX_COMCERTSELPARAMSSETLEAFCERTFLAGFAILED);
+
+                    PKIX_CHECK(PKIX_CertSelector_GetMatchCallback
+                           (targetConstraints, &selectorCallback, plContext),
+                           PKIX_CERTSELECTORGETMATCHCALLBACKFAILED);
+                
+                pkixErrorResult =
+                    (*selectorCallback)(targetConstraints, targetCert,
+                                        plContext);
+                if (pkixErrorResult) {
                     pkixErrorClass = pkixErrorResult->errClass;
                     if (pkixErrorClass == PKIX_FATAL_ERROR) {
                         goto cleanup;
                     }
                     if (pVerifyNode != NULL) {
                             PKIX_Error *tempResult =
                                 pkix_VerifyNode_Create(targetCert, 0,
                                                        pkixErrorResult,
@@ -3348,16 +3366,17 @@ pkix_Build_InitiateBuildChain(
                                 pkixErrorResult = tempResult;
                                 pkixErrorCode = PKIX_VERIFYNODECREATEFAILED;
                                 pkixErrorClass = PKIX_FATAL_ERROR;
                                 goto cleanup;
                             }
                     }
                     pkixErrorCode = PKIX_CERTCHECKVALIDITYFAILED;
                     goto cleanup;
+                }
             }
     
             PKIX_CHECK(PKIX_ProcessingParams_GetCertStores
                     (procParams, &certStores, plContext),
                     PKIX_PROCESSINGPARAMSGETCERTSTORESFAILED);
     
             PKIX_CHECK(PKIX_List_GetLength
                     (certStores, &numCertStores, plContext),
--- a/security/nss/lib/libpkix/pkix/util/pkix_tools.c
+++ b/security/nss/lib/libpkix/pkix/util/pkix_tools.c
@@ -963,20 +963,20 @@ pkix_CacheCert_Lookup(
         PKIX_List *cachedValues = NULL;
         PKIX_List *cachedCertList = NULL;
         PKIX_List *selCertList = NULL;
         PKIX_PL_X500Name *subject = NULL;
         PKIX_PL_Date *invalidAfterDate = NULL;
         PKIX_PL_Date *cacheValidUntilDate = NULL;
         PKIX_CertSelector *certSel = NULL;
         PKIX_Error *cachedCertError = NULL;
+        PKIX_Error *selectorError = NULL;
         PKIX_CertSelector_MatchCallback selectorMatch = NULL;
         PKIX_Int32 cmpValidTimeResult = PKIX_FALSE;
         PKIX_Int32 cmpCacheTimeResult = 0;
-        PKIX_Boolean certMatch = PKIX_FALSE;
         PKIX_UInt32 numItems = 0;
         PKIX_UInt32 i;
 
         PKIX_ENTER(BUILD, "pkix_CacheCert_Lookup");
         PKIX_NULLCHECK_TWO(store, certSelParams);
         PKIX_NULLCHECK_TWO(pFound, pCerts);
 
         *pFound = PKIX_FALSE;
@@ -1090,32 +1090,26 @@ pkix_CacheCert_Lookup(
                             PKIX_CHECK(PKIX_PL_HashTable_Remove
                                     (cachedCertTable,
                                     (PKIX_PL_Object *) cachedKeys,
                                     plContext),
                                     PKIX_HASHTABLEREMOVEFAILED);
                             goto cleanup;
                         }
 
-                        PKIX_CHECK(selectorMatch
-                                    (certSel,
-                                    cert,
-                                    &certMatch,
-                                    plContext),
-                                    PKIX_SELECTORMATCHFAILED);
-
-                        if (certMatch){
+                        selectorError = selectorMatch(certSel, cert, plContext);
+                        if (!selectorError){
                             /* put on the return list */
                             PKIX_CHECK(PKIX_List_AppendItem
                                    (selCertList,
                                    (PKIX_PL_Object *)cert,
                                    plContext),
                                   PKIX_LISTAPPENDITEMFAILED);
-
-                            *pFound = PKIX_TRUE;
+                        } else {
+                            PKIX_DECREF(selectorError);
                         }
 
                         PKIX_DECREF(cert);
                         PKIX_DECREF(invalidAfterDate);
 
                     }
 
                     if (*pFound) {
@@ -1144,16 +1138,17 @@ cleanup:
         PKIX_DECREF(cachedKeys);
         PKIX_DECREF(cachedValues);
         PKIX_DECREF(cacheValidUntilDate);
         PKIX_DECREF(cert);
         PKIX_DECREF(cachedCertList);
         PKIX_DECREF(selCertList);
         PKIX_DECREF(invalidAfterDate);
         PKIX_DECREF(cachedCertError);
+        PKIX_DECREF(selectorError);
 
         PKIX_RETURN(BUILD);
 }
 
 /*
  * FUNCTION: pkix_CacheCert_Add
  * DESCRIPTION:
  *
--- a/security/nss/lib/libpkix/pkix/util/pkix_tools.h
+++ b/security/nss/lib/libpkix/pkix/util/pkix_tools.h
@@ -654,22 +654,26 @@ extern PLHashNumber PR_CALLBACK pkix_Err
 #define PKIX_VERIFYNODEDEBUG                      1
 #endif
 
 /*
  * XXX Both PKIX_DEBUG and PKIX_DEBUG_ARG currently use printf.
  * This needs to be replaced with Loggers.
  */
 
+#ifdef DEBUG
 #define PKIX_DEBUG(expr) \
     do { \
 	_PKIX_DEBUG_TRACE(pkixLoggersErrors, expr, PKIX_LOGGER_LEVEL_DEBUG); \
-	(void) printf("(%s: ", myFuncName); \
-	(void) printf(expr); \
+	(void) fprintf(stderr, "(%s: ", myFuncName); \
+        (void) fprintf(stderr, expr);                \
     } while (0)
+#else
+#define PKIX_DEBUG(expr)
+#endif
 
 /* Logging doesn't support DEBUG with ARG: cannot convert control and arg */
 #define PKIX_DEBUG_ARG(expr, arg) \
     do { \
 	(void) printf("(%s: ", myFuncName); \
 	(void) printf(expr, arg); \
     } while (0)
 
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_colcertstore.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_colcertstore.c
@@ -905,17 +905,16 @@ pkix_pl_CollectionCertStoreContext_GetSe
         PKIX_List *certList,
         PKIX_CertSelector *selector,
         PKIX_List **pSelectedCertList,
         void *plContext)
 {
         PKIX_List *selectCertList = NULL;
         PKIX_PL_Cert *certItem = NULL;
         PKIX_CertSelector_MatchCallback certSelectorMatch = NULL;
-        PKIX_Boolean pass = PKIX_TRUE;
         PKIX_UInt32 numCerts = 0;
         PKIX_UInt32 i = 0;
 
         PKIX_ENTER(COLLECTIONCERTSTORECONTEXT,
                     "pkix_pl_CollectionCertStoreContext_GetSelectedCert");
         PKIX_NULLCHECK_THREE(certList, selector, pSelectedCertList);
 
         PKIX_CHECK(PKIX_CertSelector_GetMatchCallback
@@ -937,20 +936,20 @@ pkix_pl_CollectionCertStoreContext_GetSe
                                 i,
                                 (PKIX_PL_Object **) &certItem,
                                 plContext),
                                 PKIX_LISTGETITEMFAILED);
 
                         if (!PKIX_ERROR_RECEIVED){
                                 PKIX_CHECK_ONLY_FATAL
                                         (certSelectorMatch
-                                        (selector, certItem, &pass, plContext),
+                                        (selector, certItem, plContext),
                                         PKIX_CERTSELECTORMATCHFAILED);
 
-                                if (!PKIX_ERROR_RECEIVED && pass){
+                                if (!PKIX_ERROR_RECEIVED){
                                         PKIX_CHECK_ONLY_FATAL
                                                 (PKIX_List_AppendItem
                                                 (selectCertList,
                                                 (PKIX_PL_Object *)certItem,
                                                 plContext),
                                                 PKIX_LISTAPPENDITEMFAILED);
                                 }
                         }
@@ -1093,16 +1092,17 @@ cleanup:
  *  Returns a CertStore Error if the function fails in
  *      a non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 PKIX_Error *
 pkix_pl_CollectionCertStore_GetCert(
         PKIX_CertStore *certStore,
         PKIX_CertSelector *selector,
+        PKIX_VerifyNode *verifyNode,
         void **pNBIOContext,
         PKIX_List **pCerts,
         void *plContext)
 {
         PKIX_PL_CollectionCertStoreContext *colCertStoreContext = NULL;
         PKIX_List *selectedCerts = NULL;
 
         PKIX_ENTER(CERTSTORE, "pkix_pl_CollectionCertStore_GetCert");
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c
@@ -585,16 +585,17 @@ cleanup:
 /*
  * FUNCTION: pkix_pl_HttpCertStore_GetCert
  *  (see description of PKIX_CertStore_CertCallback in pkix_certstore.h)
  */
 PKIX_Error *
 pkix_pl_HttpCertStore_GetCert(
         PKIX_CertStore *store,
         PKIX_CertSelector *selector,
+        PKIX_VerifyNode *verifyNode,
         void **pNBIOContext,
         PKIX_List **pCertList,
         void *plContext)
 {
         const SEC_HttpClientFcnV1 *hcv1 = NULL;
         PKIX_PL_HttpCertStoreContext *context = NULL;
         void *nbioContext = NULL;
         SECStatus rv = SECFailure;
@@ -663,16 +664,17 @@ cleanup:
 /*
  * FUNCTION: pkix_pl_HttpCertStore_GetCertContinue
  *  (see description of PKIX_CertStore_CertCallback in pkix_certstore.h)
  */
 PKIX_Error *
 pkix_pl_HttpCertStore_GetCertContinue(
         PKIX_CertStore *store,
         PKIX_CertSelector *selector,
+        PKIX_VerifyNode *verifyNode,
         void **pNBIOContext,
         PKIX_List **pCertList,
         void *plContext)
 {
         const SEC_HttpClientFcnV1 *hcv1 = NULL;
         PKIX_PL_HttpCertStoreContext *context = NULL;
         void *nbioContext = NULL;
         SECStatus rv = SECFailure;
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c
@@ -1418,25 +1418,25 @@ pkix_pl_HttpDefaultClient_TrySendAndRece
 
                         /* append data after header */
                         PORT_Memcpy(&client->POSTBuf[postLen],
                                     client->send_http_data,
                                     client->send_http_data_len);
 
                         /* PR_smprintf_free original header buffer */
                         PR_smprintf_free(sendbuf);
+                        sendbuf = NULL;
                         
                 } else if (client->send_http_method == HTTP_GET_METHOD) {
-                        sendbuf = PR_smprintf
+                        client->GETBuf = PR_smprintf
                             ("GET %s HTTP/1.1\r\nHost: %s:%d\r\n\r\n",
                             client->path,
                             client->host,
                             client->portnum);
-                        client->GETBuf = sendbuf;
-                        client->GETLen = PORT_Strlen(sendbuf);
+                        client->GETLen = PORT_Strlen(client->GETBuf);
                 }
 
         }
 
         /* continue according to state */
         PKIX_CHECK(pkix_pl_HttpDefaultClient_Dispatch(client, plContext),
                 PKIX_HTTPDEFAULTCLIENTDISPATCHFAILED);
 
@@ -1492,16 +1492,19 @@ pkix_pl_HttpDefaultClient_TrySendAndRece
                         break;
         }
 
         if (pPollDesc) {
             *pPollDesc = pollDesc;
         }
 
 cleanup:
+        if (sendbuf) {
+            PR_smprintf_free(sendbuf);
+        }
 
         PKIX_RETURN(HTTPDEFAULTCLIENT);
 
 }
 
 PKIX_Error *
 pkix_pl_HttpDefaultClient_Cancel(
         SEC_HTTP_REQUEST_SESSION request,
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapcertstore.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapcertstore.c
@@ -563,16 +563,17 @@ cleanup:
 /*
  * FUNCTION: pkix_pl_LdapCertStore_GetCert
  *  (see description of PKIX_CertStore_CertCallback in pkix_certstore.h)
  */
 PKIX_Error *
 pkix_pl_LdapCertStore_GetCert(
         PKIX_CertStore *store,
         PKIX_CertSelector *selector,
+        PKIX_VerifyNode *verifyNode,
         void **pNBIOContext,
         PKIX_List **pCertList,
         void *plContext)
 {
         PRArenaPool *requestArena = NULL;
         LDAPRequestParams requestParams;
         void *pollDesc = NULL;
         PKIX_Int32 minPathLen = 0;
@@ -732,16 +733,17 @@ cleanup:
 /*
  * FUNCTION: pkix_pl_LdapCertStore_GetCertContinue
  *  (see description of PKIX_CertStore_CertCallback in pkix_certstore.h)
  */
 PKIX_Error *
 pkix_pl_LdapCertStore_GetCertContinue(
         PKIX_CertStore *store,
         PKIX_CertSelector *selector,
+        PKIX_VerifyNode *verifyNode,
         void **pNBIOContext,
         PKIX_List **pCertList,
         void *plContext)
 {
         PKIX_Boolean cacheFlag = PKIX_FALSE;
         PKIX_PL_LdapCertStoreContext *lcs = NULL;
         void *pollDesc = NULL;
         PKIX_List *responses = NULL;
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c
@@ -675,38 +675,40 @@ cleanup:
 /*
  * FUNCTION: pkix_pl_Pk11CertStore_GetCert
  *  (see description of PKIX_CertStore_CertCallback in pkix_certstore.h)
  */
 PKIX_Error *
 pkix_pl_Pk11CertStore_GetCert(
         PKIX_CertStore *store,
         PKIX_CertSelector *selector,
+        PKIX_VerifyNode *parentVerifyNode,
         void **pNBIOContext,
         PKIX_List **pCertList,
         void *plContext)
 {
         PKIX_UInt32 i = 0;
         PKIX_UInt32 numFound = 0;
         PKIX_PL_Cert *candidate = NULL;
         PKIX_List *selected = NULL;
         PKIX_List *filtered = NULL;
-        PKIX_CertSelector_MatchCallback callback = NULL;
+        PKIX_CertSelector_MatchCallback selectorCallback = NULL;
         PKIX_CertStore_CheckTrustCallback trustCallback = NULL;
         PKIX_ComCertSelParams *params = NULL;
-        PKIX_Boolean pass = PKIX_TRUE;
         PKIX_Boolean cacheFlag = PKIX_FALSE;
+        PKIX_VerifyNode *verifyNode = NULL;
+        PKIX_Error *selectorError = NULL;
 
         PKIX_ENTER(CERTSTORE, "pkix_pl_Pk11CertStore_GetCert");
         PKIX_NULLCHECK_FOUR(store, selector, pNBIOContext, pCertList);
 
         *pNBIOContext = NULL;   /* We don't use non-blocking I/O */
 
         PKIX_CHECK(PKIX_CertSelector_GetMatchCallback
-                (selector, &callback, plContext),
+                (selector, &selectorCallback, plContext),
                 PKIX_CERTSELECTORGETMATCHCALLBACKFAILED);
 
         PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams
                 (selector, &params, plContext),
                 PKIX_CERTSELECTORGETCOMCERTSELPARAMSFAILED);
 
         PKIX_CHECK(pkix_pl_Pk11CertStore_CertQuery
                 (params, &selected, plContext),
@@ -735,54 +737,64 @@ pkix_pl_Pk11CertStore_GetCert(
                         (PKIX_PL_Object **)&candidate,
                         plContext),
                         PKIX_LISTGETITEMFAILED);
 
                 if (PKIX_ERROR_RECEIVED) {
                         continue; /* just skip bad certs */
                 }
 
-                PKIX_CHECK_ONLY_FATAL(callback
-                        (selector, candidate, &pass, plContext),
-                        PKIX_CERTSELECTORFAILED);
-
-                if (!(PKIX_ERROR_RECEIVED) && pass) {
-
+                selectorError =
+                    selectorCallback(selector, candidate, plContext);
+                if (!selectorError) {
                         PKIX_CHECK(PKIX_PL_Cert_SetCacheFlag
                                 (candidate, cacheFlag, plContext),
                                 PKIX_CERTSETCACHEFLAGFAILED);
 
                         if (trustCallback) {
                                 PKIX_CHECK(PKIX_PL_Cert_SetTrustCertStore
                                     (candidate, store, plContext),
                                     PKIX_CERTSETTRUSTCERTSTOREFAILED);
                         }
 
                         PKIX_CHECK_ONLY_FATAL(PKIX_List_AppendItem
                                 (filtered,
                                 (PKIX_PL_Object *)candidate,
                                 plContext),
                                 PKIX_LISTAPPENDITEMFAILED);
+                } else if (parentVerifyNode) {
+                    PKIX_CHECK_FATAL(
+                        pkix_VerifyNode_Create(candidate, 0, selectorError,
+                                               &verifyNode, plContext),
+                        PKIX_VERIFYNODECREATEFAILED);
+                    PKIX_CHECK_FATAL(
+                        pkix_VerifyNode_AddToTree(parentVerifyNode,
+                                                  verifyNode,
+                                                  plContext),
+                        PKIX_VERIFYNODEADDTOTREEFAILED);
+                    PKIX_DECREF(verifyNode);
                 }
-
+                PKIX_DECREF(selectorError);
                 PKIX_DECREF(candidate);
         }
 
         /* Don't throw away the list if one cert was bad! */
         pkixTempErrorReceived = PKIX_FALSE;
 
         *pCertList = filtered;
         filtered = NULL;
 
 cleanup:
-
+fatal:
         PKIX_DECREF(filtered);
         PKIX_DECREF(candidate);
         PKIX_DECREF(selected);
         PKIX_DECREF(params);
+        PKIX_DECREF(verifyNode);
+        PKIX_DECREF(selectorError);
 
         PKIX_RETURN(CERTSTORE);
 }
 
 /*
  * FUNCTION: pkix_pl_Pk11CertStore_GetCRL
  *  (see description of PKIX_CertStore_CRLCallback in pkix_certstore.h)
  */
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
@@ -141,24 +141,20 @@ pkix_pl_Cert_DecodePolicyInfo(
 {
 
         SECStatus rv;
         SECItem encodedCertPolicyInfo;
 
         /* Allocated in the arena; freed in CERT_Destroy... */
         CERTCertificatePolicies *certPol = NULL;
         CERTPolicyInfo **policyInfos = NULL;
-        CERTPolicyInfo *policyInfo = NULL;
-        CERTPolicyQualifier **policyQualifiers = NULL;
-        CERTPolicyQualifier *policyQualifier = NULL;
 
         /* Holder for the return value */
         PKIX_List *infos = NULL;
 
-        char *oidAscii = NULL;
         PKIX_PL_OID *pkixOID = NULL;
         PKIX_List *qualifiers = NULL;
         PKIX_PL_CertPolicyInfo *certPolicyInfo = NULL;
         PKIX_PL_CertPolicyQualifier *certPolicyQualifier = NULL;
         PKIX_PL_ByteArray *qualifierArray = NULL;
 
         PKIX_ENTER(CERT, "pkix_pl_Cert_DecodePolicyInfo");
         PKIX_NULLCHECK_TWO(nssCert, pCertPolicyInfos);
@@ -199,36 +195,32 @@ pkix_pl_Cert_DecodePolicyInfo(
         PKIX_CHECK(PKIX_List_Create(&infos, plContext),
                 PKIX_LISTCREATEFAILED);
 
         /*
          * Traverse the CERTCertificatePolicies structure,
          * building each PKIX_PL_CertPolicyInfo object in turn
          */
         while (*policyInfos != NULL) {
-                policyInfo = *policyInfos;
-                policyQualifiers = policyInfo->policyQualifiers;
+                CERTPolicyInfo *policyInfo = *policyInfos;
+                CERTPolicyQualifier **policyQualifiers =
+                                          policyInfo->policyQualifiers;
                 if (policyQualifiers) {
                         /* create a PKIX_List of PKIX_PL_CertPolicyQualifiers */
                         PKIX_CHECK(PKIX_List_Create(&qualifiers, plContext),
                                 PKIX_LISTCREATEFAILED);
 
                         while (*policyQualifiers != NULL) {
-                            policyQualifier = *policyQualifiers;
+                            CERTPolicyQualifier *policyQualifier =
+                                                         *policyQualifiers;
 
                             /* create the qualifier's OID object */
-
-                            PKIX_CHECK(pkix_pl_oidBytes2Ascii
-                                (&(policyQualifier->qualifierID),
-                                &oidAscii,
-                                plContext),
-                                PKIX_OIDBYTES2ASCIIFAILED);
-
-                            PKIX_CHECK(PKIX_PL_OID_Create
-                                (oidAscii, &pkixOID, plContext),
+                            PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
+                                (&policyQualifier->qualifierID,
+                                 &pkixOID, plContext),
                                 PKIX_OIDCREATEFAILED);
 
                             /* create qualifier's ByteArray object */
 
                             PKIX_CHECK(PKIX_PL_ByteArray_Create
                                 (policyQualifier->qualifierValue.data,
                                 policyQualifier->qualifierValue.len,
                                 &qualifierArray,
@@ -245,17 +237,16 @@ pkix_pl_Cert_DecodePolicyInfo(
                                 PKIX_CERTPOLICYQUALIFIERCREATEFAILED);
 
                             PKIX_CHECK(PKIX_List_AppendItem
                                 (qualifiers,
                                 (PKIX_PL_Object *)certPolicyQualifier,
                                 plContext),
                                 PKIX_LISTAPPENDITEMFAILED);
 
-                            PKIX_FREE(oidAscii);
                             PKIX_DECREF(pkixOID);
                             PKIX_DECREF(qualifierArray);
                             PKIX_DECREF(certPolicyQualifier);
 
                             policyQualifiers++;
                         }
 
                         PKIX_CHECK(PKIX_List_SetImmutable
@@ -264,36 +255,30 @@ pkix_pl_Cert_DecodePolicyInfo(
                 }
 
 
                 /*
                  * Create an OID object pkixOID from policyInfo->policyID.
                  * (The CERTPolicyInfo structure has an oid field, but it
                  * is of type SECOidTag. This function wants a SECItem.)
                  */
-
-                PKIX_CHECK(pkix_pl_oidBytes2Ascii
-                        (&(policyInfo->policyID), &oidAscii, plContext),
-                        PKIX_OIDBYTES2ASCIIFAILED);
-
-                PKIX_CHECK(PKIX_PL_OID_Create
-                        (oidAscii, &pkixOID, plContext),
+                PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
+                        (&policyInfo->policyID, &pkixOID, plContext),
                         PKIX_OIDCREATEFAILED);
 
                 /* Create a CertPolicyInfo object */
                 PKIX_CHECK(pkix_pl_CertPolicyInfo_Create
                         (pkixOID, qualifiers, &certPolicyInfo, plContext),
                         PKIX_CERTPOLICYINFOCREATEFAILED);
 
                 /* Append the new CertPolicyInfo object to the list */
                 PKIX_CHECK(PKIX_List_AppendItem
                         (infos, (PKIX_PL_Object *)certPolicyInfo, plContext),
                         PKIX_LISTAPPENDITEMFAILED);
 
-                PKIX_FREE(oidAscii);
                 PKIX_DECREF(pkixOID);
                 PKIX_DECREF(qualifiers);
                 PKIX_DECREF(certPolicyInfo);
 
                 policyInfos++;
         }
 
         /*
@@ -308,17 +293,16 @@ pkix_pl_Cert_DecodePolicyInfo(
 
 cleanup:
         if (certPol) {
             PKIX_CERT_DEBUG
                 ("\t\tCalling CERT_DestroyCertificatePoliciesExtension).\n");
             CERT_DestroyCertificatePoliciesExtension(certPol);
         }
 
-        PKIX_FREE(oidAscii);
         PKIX_DECREF(infos);
         PKIX_DECREF(pkixOID);
         PKIX_DECREF(qualifiers);
         PKIX_DECREF(certPolicyInfo);
         PKIX_DECREF(certPolicyQualifier);
         PKIX_DECREF(qualifierArray);
 
         PKIX_RETURN(CERT);
@@ -357,23 +341,20 @@ pkix_pl_Cert_DecodePolicyMapping(
         void *plContext)
 {
         SECStatus rv;
         SECItem encodedCertPolicyMaps;
 
         /* Allocated in the arena; freed in CERT_Destroy... */
         CERTCertificatePolicyMappings *certPolMaps = NULL;
         CERTPolicyMap **policyMaps = NULL;
-        CERTPolicyMap *policyMap = NULL;
 
         /* Holder for the return value */
         PKIX_List *maps = NULL;
 
-        char *issuerPolicyOIDAscii = NULL;
-        char *subjectPolicyOIDAscii = NULL;
         PKIX_PL_OID *issuerDomainOID = NULL;
         PKIX_PL_OID *subjectDomainOID = NULL;
         PKIX_PL_CertPolicyMap *certPolicyMap = NULL;
 
         PKIX_ENTER(CERT, "pkix_pl_Cert_DecodePolicyMapping");
         PKIX_NULLCHECK_TWO(nssCert, pCertPolicyMaps);
 
         /* get PolicyMappings as a SECItem */
@@ -403,57 +384,43 @@ pkix_pl_Cert_DecodePolicyMapping(
         PKIX_CHECK(PKIX_List_Create(&maps, plContext),
                 PKIX_LISTCREATEFAILED);
 
         /*
          * Traverse the CERTCertificatePolicyMappings structure,
          * building each CertPolicyMap object in turn
          */
         do {
-                policyMap = *policyMaps;
+                CERTPolicyMap *policyMap = *policyMaps;
 
                 /* create the OID for the issuer Domain Policy */
-
-                PKIX_CHECK(pkix_pl_oidBytes2Ascii
-                        (&(policyMap->issuerDomainPolicy),
-                        &issuerPolicyOIDAscii,
-                        plContext),
-                        PKIX_OIDBYTES2ASCIIFAILED);
-
-                PKIX_CHECK(PKIX_PL_OID_Create
-                        (issuerPolicyOIDAscii, &issuerDomainOID, plContext),
+                PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
+                        (&policyMap->issuerDomainPolicy,
+                         &issuerDomainOID, plContext),
                         PKIX_OIDCREATEFAILED);
 
                 /* create the OID for the subject Domain Policy */
-
-                PKIX_CHECK(pkix_pl_oidBytes2Ascii
-                        (&(policyMap->subjectDomainPolicy),
-                        &subjectPolicyOIDAscii,
-                        plContext),
-                        PKIX_OIDBYTES2ASCIIFAILED);
-
-                PKIX_CHECK(PKIX_PL_OID_Create
-                        (subjectPolicyOIDAscii, &subjectDomainOID, plContext),
+                PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
+                        (&policyMap->subjectDomainPolicy,
+                         &subjectDomainOID, plContext),
                         PKIX_OIDCREATEFAILED);
 
                 /* create the CertPolicyMap */
 
                 PKIX_CHECK(pkix_pl_CertPolicyMap_Create
                         (issuerDomainOID,
                         subjectDomainOID,
                         &certPolicyMap,
                         plContext),
                         PKIX_CERTPOLICYMAPCREATEFAILED);
 
                 PKIX_CHECK(PKIX_List_AppendItem
                         (maps, (PKIX_PL_Object *)certPolicyMap, plContext),
                         PKIX_LISTAPPENDITEMFAILED);
 
-                PKIX_FREE(issuerPolicyOIDAscii);
-                PKIX_FREE(subjectPolicyOIDAscii);
                 PKIX_DECREF(issuerDomainOID);
                 PKIX_DECREF(subjectDomainOID);
                 PKIX_DECREF(certPolicyMap);
 
                 policyMaps++;
         } while (*policyMaps != NULL);
 
         PKIX_CHECK(PKIX_List_SetImmutable(maps, plContext),
@@ -464,18 +431,16 @@ pkix_pl_Cert_DecodePolicyMapping(
 
 cleanup:
         if (certPolMaps) {
             PKIX_CERT_DEBUG
                 ("\t\tCalling CERT_DestroyPolicyMappingsExtension).\n");
             CERT_DestroyPolicyMappingsExtension(certPolMaps);
         }
 
-        PKIX_FREE(issuerPolicyOIDAscii);
-        PKIX_FREE(subjectPolicyOIDAscii);
         PKIX_DECREF(maps);
         PKIX_DECREF(issuerDomainOID);
         PKIX_DECREF(subjectDomainOID);
         PKIX_DECREF(certPolicyMap);
 
         PKIX_RETURN(CERT);
 }
 
@@ -2047,61 +2012,50 @@ cleanup:
  *      (see comments in pkix_pl_pki.h)
  */
 PKIX_Error *
 PKIX_PL_Cert_GetSubjectPublicKeyAlgId(
         PKIX_PL_Cert *cert,
         PKIX_PL_OID **pSubjKeyAlgId,
         void *plContext)
 {
-        CERTCertificate *nssCert = NULL;
         PKIX_PL_OID *pubKeyAlgId = NULL;
-        SECAlgorithmID algorithm;
-        SECItem algBytes;
-        char *asciiOID = NULL;
 
         PKIX_ENTER(CERT, "PKIX_PL_Cert_GetSubjectPublicKeyAlgId");
         PKIX_NULLCHECK_THREE(cert, cert->nssCert, pSubjKeyAlgId);
 
         /* if we don't have a cached copy from before, we create one */
         if (cert->publicKeyAlgId == NULL){
-
                 PKIX_OBJECT_LOCK(cert);
-
                 if (cert->publicKeyAlgId == NULL){
-
-                        nssCert = cert->nssCert;
-                        algorithm = nssCert->subjectPublicKeyInfo.algorithm;
-                        algBytes = algorithm.algorithm;
-
-                        PKIX_NULLCHECK_ONE(algBytes.data);
-                        if (algBytes.len == 0) {
-                                PKIX_ERROR_FATAL(PKIX_ALGORITHMBYTESLENGTH0);
+                        CERTCertificate *nssCert = cert->nssCert;
+                        SECAlgorithmID *algorithm;
+                        SECItem *algBytes;
+
+                        algorithm = &nssCert->subjectPublicKeyInfo.algorithm;
+                        algBytes = &algorithm->algorithm;
+                        if (!algBytes->data || !algBytes->len) {
+                            PKIX_ERROR_FATAL(PKIX_ALGORITHMBYTESLENGTH0);
                         }
-
-                        PKIX_CHECK(pkix_pl_oidBytes2Ascii
-                                    (&algBytes, &asciiOID, plContext),
-                                    PKIX_OIDBYTES2ASCIIFAILED);
-
-                        PKIX_CHECK(PKIX_PL_OID_Create
-                                    (asciiOID, &pubKeyAlgId, plContext),
+                        PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
+                                    (algBytes, &pubKeyAlgId, plContext),
                                     PKIX_OIDCREATEFAILED);
 
                         /* save a cached copy in case it is asked for again */
                         cert->publicKeyAlgId = pubKeyAlgId;
+                        pubKeyAlgId = NULL;
                 }
-
                 PKIX_OBJECT_UNLOCK(cert);
         }
 
         PKIX_INCREF(cert->publicKeyAlgId);
         *pSubjKeyAlgId = cert->publicKeyAlgId;
 
 cleanup:
-        PKIX_FREE(asciiOID);
+        PKIX_DECREF(pubKeyAlgId);
         PKIX_RETURN(CERT);
 }
 
 /*
  * FUNCTION: PKIX_PL_Cert_GetSubjectPublicKey (see comments in pkix_pl_pki.h)
  */
 PKIX_Error *
 PKIX_PL_Cert_GetSubjectPublicKey(
@@ -2408,19 +2362,17 @@ PKIX_PL_Cert_GetExtendedKeyUsage(
         PKIX_PL_Cert *cert,
         PKIX_List **pKeyUsage,  /* list of PKIX_PL_OID */
         void *plContext)
 {
         CERTOidSequence *extKeyUsage = NULL;
         CERTCertificate *nssCert = NULL;
         PKIX_PL_OID *pkixOID = NULL;
         PKIX_List *oidsList = NULL;
-        char *oidAscii = NULL;
         SECItem **oids = NULL;
-        SECItem *oid = NULL;
         SECItem encodedExtKeyUsage;
         SECStatus rv;
 
         PKIX_ENTER(CERT, "PKIX_PL_Cert_GetExtendedKeyUsage");
         PKIX_NULLCHECK_THREE(cert, cert->nssCert, pKeyUsage);
 
         /* if we don't have a cached copy from before, we create one */
         if ((cert->extKeyUsages == NULL) && (!cert->extKeyUsagesAbsent)){
@@ -2457,34 +2409,27 @@ PKIX_PL_Cert_GetExtendedKeyUsage(
                                 *pKeyUsage = NULL;
                                 goto cleanup;
                         }
 
                         PKIX_CHECK(PKIX_List_Create(&oidsList, plContext),
                                     PKIX_LISTCREATEFAILED);
 
                         while (*oids){
-                                oid = *oids++;
-
-                                PKIX_CHECK(pkix_pl_oidBytes2Ascii
-                                            (oid, &oidAscii, plContext),
-                                            PKIX_OIDBYTES2ASCIIFAILED);
-
-                                PKIX_CHECK(PKIX_PL_OID_Create
-                                            (oidAscii, &pkixOID, plContext),
+                                SECItem *oid = *oids++;
+
+                                PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
+                                            (oid, &pkixOID, plContext),
                                             PKIX_OIDCREATEFAILED);
 
                                 PKIX_CHECK(PKIX_List_AppendItem
                                             (oidsList,
                                             (PKIX_PL_Object *)pkixOID,
                                             plContext),
                                             PKIX_LISTAPPENDITEMFAILED);
-
-                                PKIX_FREE(oidAscii);
-
                                 PKIX_DECREF(pkixOID);
                         }
 
                         /* save a cached copy in case it is asked for again */
                         cert->extKeyUsages = oidsList;
                         oidsList = NULL;
                 }
 
@@ -2496,17 +2441,16 @@ PKIX_PL_Cert_GetExtendedKeyUsage(
         }
 
         PKIX_INCREF(cert->extKeyUsages);
         *pKeyUsage = cert->extKeyUsages;
 
 cleanup:
 	PKIX_OBJECT_UNLOCK(lockedObject);
 
-        PKIX_FREE(oidAscii);
         PKIX_DECREF(pkixOID);
         PKIX_DECREF(oidsList);
         CERT_DestroyOidSequence(extKeyUsage);
 
         PKIX_RETURN(CERT);
 }
 
 /*
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c
@@ -202,64 +202,46 @@ cleanup:
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 static PKIX_Error *
 pkix_pl_CRL_GetSignatureAlgId(
         PKIX_PL_CRL *crl,
         PKIX_PL_OID **pSignatureAlgId,
         void *plContext)
 {
-        CERTCrl *nssCrl = NULL;
         PKIX_PL_OID *signatureAlgId = NULL;
-        SECAlgorithmID algorithm;
-        SECItem algBytes;
-        char *asciiOID = NULL;
 
         PKIX_ENTER(CRL, "pkix_pl_CRL_GetSignatureAlgId");
         PKIX_NULLCHECK_THREE(crl, crl->nssSignedCrl, pSignatureAlgId);
 
         /* if we don't have a cached copy from before, we create one */
         if (crl->signatureAlgId == NULL){
-
                 PKIX_OBJECT_LOCK(crl);
-
                 if (crl->signatureAlgId == NULL){
-
-                        nssCrl = &(crl->nssSignedCrl->crl);
-                        algorithm = nssCrl->signatureAlg;
-                        algBytes = algorithm.algorithm;
-
-                        PKIX_NULLCHECK_ONE(algBytes.data);
-                        if (algBytes.len == 0) {
-                                PKIX_ERROR_FATAL(PKIX_OIDBYTESLENGTH0);
-                        }
+                    CERTCrl *nssCrl = &(crl->nssSignedCrl->crl);
+                    SECAlgorithmID *algorithm = &nssCrl->signatureAlg;
+                    SECItem *algBytes = &algorithm->algorithm;
 
-                        PKIX_CHECK(pkix_pl_oidBytes2Ascii
-                                    (&algBytes, &asciiOID, plContext),
-                                    PKIX_OIDBYTES2ASCIIFAILED);
-
-                        PKIX_CHECK(PKIX_PL_OID_Create
-                                    (asciiOID, &signatureAlgId, plContext),
-                                    PKIX_OIDCREATEFAILED);
-
-                        /* save a cached copy in case it is asked for again */
-                        crl->signatureAlgId = signatureAlgId;
+                    if (!algBytes->data || !algBytes->len) {
+                        PKIX_ERROR(PKIX_OIDBYTESLENGTH0);
+                    }
+                    PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
+                               (algBytes, &signatureAlgId, plContext),
+                               PKIX_OIDCREATEFAILED);
+                    
+                    /* save a cached copy in case it is asked for again */
+                    crl->signatureAlgId = signatureAlgId;
+                    signatureAlgId = NULL;
                 }
-
                 PKIX_OBJECT_UNLOCK(crl);
-
         }
-
         PKIX_INCREF(crl->signatureAlgId);
         *pSignatureAlgId = crl->signatureAlgId;
-
 cleanup:
-
-        PKIX_FREE(asciiOID);
-
+        PKIX_DECREF(signatureAlgId);
         PKIX_RETURN(CRL);
 }
 
 /*
  * FUNCTION: pkix_pl_CRL_GetCRLEntries
  * DESCRIPTION:
  *
  *  Retrieves a pointer to the List of CRLEntries found in the CRL pointed to
@@ -715,22 +697,17 @@ PKIX_PL_CRL_VerifyUpdateTime(
         CERTCrl *nssCrl = NULL;
         SECItem *nextUpdateDer = NULL;
         PKIX_Boolean haveNextUpdate = PR_FALSE;
 
         PKIX_ENTER(CRL, "PKIX_PL_CRL_VerifyUpdateTime");
         PKIX_NULLCHECK_FOUR(crl, crl->nssSignedCrl, date, pResult);
 
         nssCrl = &(crl->nssSignedCrl->crl);
-
-        PKIX_CRL_DEBUG("\t\tCalling DER_DecodeTimeChoice on date\n");
-        status = DER_DecodeTimeChoice(&timeToCheck, &(date->nssTime));
-        if (status != SECSuccess) {
-                PKIX_ERROR(PKIX_DERDECODETIMECHOICEFAILED);
-        }
+        timeToCheck = date->nssTime;
 
         /* nextUpdate can be NULL. Checking before using it */
         nextUpdateDer = &nssCrl->nextUpdate;
         if (nextUpdateDer->data && nextUpdateDer->len) {
                 haveNextUpdate = PR_TRUE;
                 status = DER_DecodeTimeChoice(&nextUpdate, nextUpdateDer);
                 if (status != SECSuccess) {
                         PKIX_ERROR(PKIX_DERDECODETIMECHOICEFORNEXTUPDATEFAILED);
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_generalname.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_generalname.c
@@ -236,19 +236,16 @@ pkix_pl_GeneralName_Create(
         void *plContext)
 {
         PKIX_PL_GeneralName *genName = NULL;
         PKIX_PL_X500Name *pkixDN = NULL;
         PKIX_PL_OID *pkixOID = NULL;
         OtherName *otherName = NULL;
         CERTGeneralNameList *nssGenNameList = NULL;
         CERTGeneralNameType nameType;
-        SECItem *secItem = NULL;
-        char *asciiName = NULL;
-        SECStatus rv;
 
         PKIX_ENTER(GENERALNAME, "pkix_pl_GeneralName_Create");
         PKIX_NULLCHECK_TWO(nssAltName, pGenName);
 
         /* create a PKIX_PL_GeneralName object */
         PKIX_CHECK(PKIX_PL_Object_Alloc
                     (PKIX_GENERALNAME_TYPE,
                     sizeof (PKIX_PL_GeneralName),
@@ -303,65 +300,42 @@ pkix_pl_GeneralName_Create(
 
                 PKIX_CHECK(pkix_pl_DirectoryName_Create
                             (nssAltName, &pkixDN, plContext),
                             PKIX_DIRECTORYNAMECREATEFAILED);
 
                 genName->directoryName = pkixDN;
                 break;
         case certRegisterID:
-
-                PKIX_CHECK(pkix_pl_oidBytes2Ascii
-                            (&nssAltName->name.other, &asciiName, plContext),
-                            PKIX_OIDBYTES2ASCIIFAILED);
-
-                PKIX_CHECK(PKIX_PL_OID_Create(asciiName, &pkixOID, plContext),
+                PKIX_CHECK(PKIX_PL_OID_CreateBySECItem(&nssAltName->name.other,
+                                                       &pkixOID, plContext),
                             PKIX_OIDCREATEFAILED);
 
                 genName->oid = pkixOID;
                 break;
         case certDNSName:
         case certEDIPartyName:
         case certIPAddress:
         case certRFC822Name:
         case certX400Address:
         case certURI:
-
-                PKIX_GENERALNAME_DEBUG("\t\tCalling SECITEM_AllocItem).\n");
-                secItem = SECITEM_AllocItem(NULL, NULL, 0);
-                if (secItem == NULL){
-                        PKIX_ERROR(PKIX_OUTOFMEMORY);
-                }
-
-                PKIX_GENERALNAME_DEBUG("\t\tCalling SECITEM_CopyItem).\n");
-                rv = SECITEM_CopyItem(NULL, secItem, &nssAltName->name.other);
-                if (rv != SECSuccess) {
-                        PKIX_ERROR(PKIX_OUTOFMEMORY);
-                }
-
-                genName->other = secItem;
+                genName->other = SECITEM_DupItem(&nssAltName->name.other);
+                if (!genName->other) {
+                    PKIX_ERROR(PKIX_OUTOFMEMORY);
+                }     
                 break;
         default:
                 PKIX_ERROR(PKIX_NAMETYPENOTSUPPORTED);
         }
 
         *pGenName = genName;
-cleanup:
-
-        PKIX_FREE(asciiName);
+        genName = NULL;
 
-        if (PKIX_ERROR_RECEIVED){
-                PKIX_DECREF(genName);
-                if (secItem){
-                        PKIX_GENERALNAME_DEBUG
-                                ("\t\tCalling SECITEM_FreeItem).\n");
-                        SECITEM_FreeItem(secItem, PR_TRUE);
-                        secItem = NULL;
-                }
-        }
+cleanup:
+        PKIX_DECREF(genName);
 
         PKIX_RETURN(GENERALNAME);
 }
 
 /*
  * FUNCTION: pkix_pl_GeneralName_ToString_Helper
  * DESCRIPTION:
  *
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c
@@ -38,26 +38,16 @@
  * pkix_pl_infoaccess.c
  *
  * InfoAccess Object Definitions
  *
  */
 
 #include "pkix_pl_infoaccess.h"
 
-/* XXX Following SEC_OID_PKIX defines should be merged in NSS */
-#define SEC_OID_PKIX_CA_REPOSITORY     1003
-#define SEC_OID_PKIX_TIMESTAMPING      1005
-/* XXX Following OID defines hould be moved to NSS */
-static const unsigned char siaTimeStampingOID[] = {0x2b, 0x06, 0x01, 0x05,
-                                0x05, 0x07, 0x030, 0x03};
-static const unsigned char siaCaRepositoryOID[] = {0x2b, 0x06, 0x01, 0x05,
-                                0x05, 0x07, 0x030, 0x05};
-
-
 /* --Private-InfoAccess-Functions----------------------------------*/
 
 /*
  * FUNCTION: pkix_pl_InfoAccess_Create
  * DESCRIPTION:
  *
  *  This function creates an InfoAccess from the method provided in "method" and
  *  the GeneralName provided in "generalName" and stores the result at
@@ -410,63 +400,32 @@ pkix_pl_InfoAccess_CreateList(
                 }
 
                 PKIX_CHECK(pkix_pl_GeneralName_Create
                         (nssInfoAccess[i]->location, &location, plContext),
                         PKIX_GENERALNAMECREATEFAILED);
 
                 PKIX_CERT_DEBUG("\t\tCalling SECOID_FindOIDTag).\n");
                 method = SECOID_FindOIDTag(&nssInfoAccess[i]->method);
-
-                if (method == 0) {
-
-                /* XXX
-                 * This part of code is definitely hacking, need NSS decode
-                 * support. We can reuse the CERT_DecodeAuthInfoAccessExtension
-                 * since SIA and AIA are all the same type. However NSS need
-                 * to add SIA, CaRepository, TimeStamping OID definitions and
-                 * the numerical method, timeStamping and caRepository values.
-                 *
-                 * We assume now, since method is 0, implies the method for SIA
-                 * was not decoded by CERT_DecodeAuthInfoAccessExtension()
-                 * so we compare and put value in. This part should be taken
-                 * out eventually if CERT_DecodeInfoAccessExtension (*renamed*)
-                 * is doing the job.
-                 */
-
-                        PKIX_CERT_DEBUG("\t\tCalling PORT_Strncmp).\n");
-                        if (PORT_Strncmp
-                                ((char *)nssInfoAccess[i]->method.data,
-                                (char *)siaTimeStampingOID,
-                                nssInfoAccess[i]->method.len) == 0) {
-                                method = SEC_OID_PKIX_TIMESTAMPING;
-                        } else if (PORT_Strncmp
-                                ((char *)nssInfoAccess[i]->method.data,
-                                (char *)siaCaRepositoryOID,
-                                nssInfoAccess[i]->method.len) == 0) {
-                                method = SEC_OID_PKIX_CA_REPOSITORY;
-                        }
-                }
-
                 /* Map NSS access method value into PKIX constant */
                 switch(method) {
                         case SEC_OID_PKIX_CA_ISSUERS:
                                 method = PKIX_INFOACCESS_CA_ISSUERS;
                                 break;
                         case SEC_OID_PKIX_OCSP:
                                 method = PKIX_INFOACCESS_OCSP;
                                 break;
                         case SEC_OID_PKIX_TIMESTAMPING:
                                 method = PKIX_INFOACCESS_TIMESTAMPING;
                                 break;
                         case SEC_OID_PKIX_CA_REPOSITORY:
                                 method = PKIX_INFOACCESS_CA_REPOSITORY;
                                 break;
                         default:
-                                break;
+                                PKIX_ERROR(PKIX_UNKNOWNINFOACCESSMETHOD);
                 }
 
                 PKIX_CHECK(pkix_pl_InfoAccess_Create
                         (method, location, &infoAccess, plContext),
                         PKIX_INFOACCESSCREATEFAILED);
 
                 PKIX_CHECK(PKIX_List_AppendItem
                             (infoAccessList,
@@ -645,17 +604,17 @@ pkix_pl_InfoAccess_ParseTokens(
         }
 
         /*
          * If string is a=xx, b=yy, c=zz, etc., use a=xx for filter,
          * and everything else for the base
          */
         if (numFilters > 2) numFilters = 2;
 
-        filterP = PORT_ArenaZNewArray(arena, void*, numFilters+1);
+        filterP = PORT_ArenaZNewArray(arena, char*, numFilters+1);
         if (filterP == NULL) {
             PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
         }
 
         /* Second pass: parse to fill in components in token array */
         *tokens = filterP;
         endPos = *startPos;
 
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c
@@ -497,17 +497,19 @@ pkix_pl_OcspResponse_Create(
                                     (PKIX_PL_Object **)&ocspResponse,
                                     plContext),
                                     PKIX_COULDNOTCREATEOBJECT);
 
                         PKIX_INCREF(request);
                         ocspResponse->request = request;
                         ocspResponse->httpClient = httpClient;
                         ocspResponse->serverSession = serverSession;
+                        serverSession = NULL;
                         ocspResponse->sessionRequest = sessionRequest;
+                        sessionRequest = NULL;
                         ocspResponse->verifyFcn = verifyFcn;
                         ocspResponse->handle = CERT_GetDefaultCertDB();
                         ocspResponse->encodedResponse = NULL;
                         ocspResponse->arena = NULL;
                         ocspResponse->producedAt = 0;
                         ocspResponse->producedAtDate = NULL;
                         ocspResponse->pkixSignerCert = NULL;
                         ocspResponse->nssOCSPResponse = NULL;
@@ -517,20 +519,20 @@ pkix_pl_OcspResponse_Create(
 
         /* begin or resume IO to HTTPClient */
         if (httpClient && (httpClient->version == 1)) {
                 PRUint32 responseDataLen = 
                    ((PKIX_PL_NssContext*)plContext)->maxResponseLength;
 
                 hcv1 = &(httpClient->fcnTable.ftable1);
 
-                rv = (*hcv1->trySendAndReceiveFcn)(sessionRequest,
+                rv = (*hcv1->trySendAndReceiveFcn)(ocspResponse->sessionRequest,
                         (PRPollDesc **)&nbioContext,
                         &responseCode,
-                        &responseContentType,
+                        (const char **)&responseContentType,
                         NULL,   /* responseHeaders */
                         (const char **)&responseData,
                         &responseDataLen);
 
                 if (rv != SECSuccess) {
                         PKIX_ERROR(PKIX_OCSPSERVERERROR);
                 }
                 /* responseContentType is a pointer to the null-terminated
@@ -555,36 +557,34 @@ pkix_pl_OcspResponse_Create(
                         (ocspResponse->arena, NULL, responseDataLen);
                 if (ocspResponse->encodedResponse == NULL) {
                         PKIX_ERROR(PKIX_OUTOFMEMORY);
                 }
                 PORT_Memcpy(ocspResponse->encodedResponse->data,
                             responseData, responseDataLen);
         }
         *pResponse = ocspResponse;
+        ocspResponse = NULL;
 
 cleanup:
 
         if (path != NULL) {
             PORT_Free(path);
         }
-
         if (hostname != NULL) {
             PORT_Free(hostname);
         }
-
-        if (PKIX_ERROR_RECEIVED){
-            if (ocspResponse) {
-                PKIX_DECREF(ocspResponse);
-            } else {
-                if (serverSession) 
-                    hcv1->freeSessionFcn(serverSession);
-                if (sessionRequest)
-                    hcv1->freeFcn(sessionRequest);
-            }
+        if (ocspResponse) {
+            PKIX_DECREF(ocspResponse);
+        }
+        if (serverSession) {
+            hcv1->freeSessionFcn(serverSession);
+        }
+        if (sessionRequest) {
+            hcv1->freeFcn(sessionRequest);
         }
 
         PKIX_RETURN(OCSPRESPONSE);
 }
 
 /*
  * FUNCTION: pkix_pl_OcspResponse_Decode
  * DESCRIPTION:
--- a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
@@ -40,54 +40,42 @@
  * OID Object Functions
  *
  */
 
 #include "pkix_pl_oid.h"
 
 /* --Private-OID-Functions---------------------------------------- */
 
-/*
+ /*
  * FUNCTION: pkix_pl_OID_Comparator
  * (see comments for PKIX_PL_ComparatorCallback in pkix_pl_system.h)
  */
 static PKIX_Error *
 pkix_pl_OID_Comparator(
         PKIX_PL_Object *firstObject,
         PKIX_PL_Object *secondObject,
-        PKIX_Int32 *pResult,
+        PKIX_Int32 *pRes,
         void *plContext)
 {
         PKIX_PL_OID *firstOID = NULL;
         PKIX_PL_OID *secondOID = NULL;
-        PKIX_UInt32 minLength;
 
         PKIX_ENTER(OID, "pkix_pl_OID_Comparator");
-        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pRes);
 
         PKIX_CHECK(pkix_CheckTypes
                     (firstObject, secondObject, PKIX_OID_TYPE, plContext),
                     PKIX_ARGUMENTSNOTOIDS);
 
         firstOID = (PKIX_PL_OID*)firstObject;
         secondOID = (PKIX_PL_OID*)secondObject;
 
-        *pResult = 0;
-
-        minLength = (firstOID->length < secondOID->length)?
-                firstOID->length:
-                secondOID->length;
-
-        /* Check if both array contents are identical */
-        PKIX_OID_DEBUG("\tCalling PORT_Memcmp).\n");
-        *pResult = PORT_Memcmp
-                (firstOID->components,
-                secondOID->components,
-                minLength * sizeof (PKIX_UInt32));
-
+        *pRes = (PKIX_Int32)SECITEM_CompareItem(&firstOID->derOid,
+                                                &secondOID->derOid);
 cleanup:
         PKIX_RETURN(OID);
 }
 
 /*
  * FUNCTION: pkix_pl_OID_Destroy
  * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
  */
@@ -98,50 +86,46 @@ pkix_pl_OID_Destroy(
 {
         PKIX_PL_OID *oid = NULL;
 
         PKIX_ENTER(OID, "pkix_pl_OID_Destroy");
         PKIX_NULLCHECK_ONE(object);
 
         PKIX_CHECK(pkix_CheckType(object, PKIX_OID_TYPE, plContext),
                     PKIX_OBJECTNOTANOID);
-
         oid = (PKIX_PL_OID*)object;
-
-        PKIX_FREE(oid->components);
-        oid->length = 0;
+        SECITEM_FreeItem(&oid->derOid, PR_FALSE);
 
 cleanup:
-
         PKIX_RETURN(OID);
 }
 
 /*
  * FUNCTION: pkix_pl_OID_Hashcode
  * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
  */
 static PKIX_Error *
 pkix_pl_OID_Hashcode(
         PKIX_PL_Object *object,
         PKIX_UInt32 *pHashcode,
         void *plContext)
 {
-        PKIX_PL_OID *pkixOID = NULL;
+        PKIX_PL_OID *oid = NULL;
 
         PKIX_ENTER(OID, "pkix_pl_OID_HashCode");
         PKIX_NULLCHECK_TWO(object, pHashcode);
 
         PKIX_CHECK(pkix_CheckType(object, PKIX_OID_TYPE, plContext),
                     PKIX_OBJECTNOTANOID);
 
-        pkixOID = (PKIX_PL_OID *)object;
+        oid = (PKIX_PL_OID *)object;
 
         PKIX_CHECK(pkix_hash
-                    ((unsigned char *)pkixOID->components,
-                    pkixOID->length * sizeof (PKIX_UInt32),
+                    ((unsigned char *)oid->derOid.data,
+                    oid->derOid.len * sizeof (char),
                     pHashcode,
                     plContext),
                     PKIX_HASHFAILED);
 cleanup:
 
         PKIX_RETURN(OID);
 }
 
@@ -152,85 +136,76 @@ cleanup:
 static PKIX_Error *
 pkix_pl_OID_Equals(
         PKIX_PL_Object *first,
         PKIX_PL_Object *second,
         PKIX_Boolean *pResult,
         void *plContext)
 {
         PKIX_UInt32 secondType;
-        PKIX_Int32 cmpResult;
+        SECComparison cmpResult;
 
         PKIX_ENTER(OID, "pkix_pl_OID_Equals");
         PKIX_NULLCHECK_THREE(first, second, pResult);
 
         PKIX_CHECK(pkix_CheckType(first, PKIX_OID_TYPE, plContext),
                     PKIX_FIRSTARGUMENTNOTANOID);
 
         PKIX_CHECK(PKIX_PL_Object_GetType(second, &secondType, plContext),
                     PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
 
         *pResult = PKIX_FALSE;
 
         /*
          * Do a quick check that the second object is an OID.
          * If so, check that their lengths are equal.
          */
-        if ((secondType != PKIX_OID_TYPE)||
-            (((PKIX_PL_OID*)first)->length !=
-            ((PKIX_PL_OID*)second)->length)) {
+        if (secondType != PKIX_OID_TYPE) {
                 goto cleanup;
         }
 
         PKIX_CHECK(pkix_pl_OID_Comparator
                     (first, second, &cmpResult, plContext),
                     PKIX_OIDCOMPARATORFAILED);
 
-        *pResult = (cmpResult == 0);
-
+        *pResult = (cmpResult == SECEqual);
 cleanup:
 
         PKIX_RETURN(OID);
 }
 
 /*
  * FUNCTION: pkix_pl_OID_ToString
  * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ * Use this function only for printing OIDs and not to make any
+ * critical security decision.
  */
 static PKIX_Error *
 pkix_pl_OID_ToString(
         PKIX_PL_Object *object,
         PKIX_PL_String **pString,
         void *plContext)
 {
-        PKIX_UInt32 *components = NULL;
-        PKIX_UInt32 length;
-        char *ascii = NULL;
+        PKIX_PL_OID *oid = NULL;
+        char *oidString = NULL;
 
         PKIX_ENTER(OID, "pkix_pl_OID_toString");
         PKIX_NULLCHECK_TWO(object, pString);
 
         PKIX_CHECK(pkix_CheckType(object, PKIX_OID_TYPE, plContext),
                     PKIX_OBJECTNOTANOID);
-
-        components = ((PKIX_PL_OID*)object)->components;
-        length = ((PKIX_PL_OID*)object)->length;
-
-        PKIX_CHECK(pkix_pl_helperBytes2Ascii
-                    (components, length, &ascii, plContext),
-                    PKIX_HELPERBYTES2ASCIIFAILED);
-
+        oid = (PKIX_PL_OID*)object;
+        oidString = CERT_GetOidString(&oid->derOid);
+        
         PKIX_CHECK(PKIX_PL_String_Create
-                (PKIX_ESCASCII, ascii, 0, pString, plContext),
+                (PKIX_ESCASCII, oidString , 0, pString, plContext),
                 PKIX_STRINGCREATEFAILED);
-
 cleanup:
-
-        PKIX_FREE(ascii);
-
+        PR_smprintf_free(oidString);
+        
         PKIX_RETURN(OID);
 }
 
 /*
  * FUNCTION: pkix_pl_OID_RegisterSelf
  * DESCRIPTION:
  *  Registers PKIX_OID_TYPE and its related functions with systemClasses[]
  * THREAD SAFETY:
@@ -239,98 +214,29 @@ cleanup:
  *  Since this function is only called by PKIX_PL_Initialize, which should
  *  only be called once, it is acceptable that this function is not
  *  thread-safe.
  */
 PKIX_Error *
 pkix_pl_OID_RegisterSelf(
         void *plContext)
 {
-
         extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
-        pkix_ClassTable_Entry entry;
+        pkix_ClassTable_Entry *entry = &systemClasses[PKIX_OID_TYPE];
 
         PKIX_ENTER(OID, "pkix_pl_OID_RegisterSelf");
 
-        entry.description = "OID";
-        entry.objCounter = 0;
-        entry.typeObjectSize = sizeof(PKIX_PL_OID);
-        entry.destructor = pkix_pl_OID_Destroy;
-        entry.equalsFunction = pkix_pl_OID_Equals;
-        entry.hashcodeFunction = pkix_pl_OID_Hashcode;
-        entry.toStringFunction = pkix_pl_OID_ToString;
-        entry.comparator = pkix_pl_OID_Comparator;
-        entry.duplicateFunction = pkix_duplicateImmutable;
-
-        systemClasses[PKIX_OID_TYPE] = entry;
-
-        PKIX_RETURN(OID);
-}
-
-/*
- * FUNCTION: pkix_pl_OID_GetNextToken
- * DESCRIPTION:
- *
- *  This function is essentially a thread safe version of strtok, except
- *  that we always use '.' (dot) for the token separator.
- *
- *  Searches for tokens in the string pointed to by "input", using '.' (dot)
- *  as the token separator. If "input" contains multiple tokens, the first
- *  token is stored at "pToken", the character immediately follow the first
- *  token is replaced by a null character, and the rekmainder of "input" is
- *  stored at "pRem". If no additional tokens are available, this function
- *  stores NULL at "pToken".
- *
- * PARAMETERS
- *  "input"
- *      Address of string to be tokenized. May be NULL.
- *  "pToken"
- *      Destination for OID token. Must be non-NULL.
- *  "pRem"
- *      Destination for pointer to remainder of string. Must be non-NULL.
- *  "plContext"
- *      Platform-specific context pointer.
- * THREAD SAFETY:
- *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- *  Returns NULL if the function succeeds.
- *  Returns an OID Error if the function fails in a non-fatal way.
- *  Returns a Fatal Error if the function fails in an unrecoverable way.
- */
-static PKIX_Error *
-pkix_pl_OID_GetNextToken(
-        char *input,
-        char **pToken,
-        char **pRem,
-        void *plContext)
-{
-        char *token = input;
-
-        PKIX_ENTER(OID, "pkix_pl_OID_GetNextToken");
-        PKIX_NULLCHECK_TWO(pToken, pRem);
-
-        if (token == NULL){
-                *pToken = token;
-                goto cleanup;
-        }
-
-        while (*input != '.' && *input != '\0'){
-                input++;
-        }
-
-        if (*input == '.'){
-                *input = 0;
-                *pRem = input + 1;
-        } else { /* NULL case */
-                *pRem = NULL;
-        }
-
-        *pToken = token;
-
-cleanup:
+        entry->description = "OID";
+        entry->typeObjectSize = sizeof(PKIX_PL_OID);
+        entry->destructor = pkix_pl_OID_Destroy;
+        entry->equalsFunction = pkix_pl_OID_Equals;
+        entry->hashcodeFunction = pkix_pl_OID_Hashcode;
+        entry->toStringFunction = pkix_pl_OID_ToString;
+        entry->comparator = pkix_pl_OID_Comparator;
+        entry->duplicateFunction = pkix_duplicateImmutable;
 
         PKIX_RETURN(OID);
 }
 
 /*
  * FUNCTION: pkix_pl_OID_GetCriticalExtensionOIDs
  * DESCRIPTION:
  *
@@ -352,203 +258,108 @@ cleanup:
  */
 PKIX_Error *
 pkix_pl_OID_GetCriticalExtensionOIDs(
         CERTCertExtension **extensions,
         PKIX_List **pOidsList,
         void *plContext)
 {
         PKIX_List *oidsList = NULL;
-        CERTCertExtension *extension = NULL;
         PKIX_PL_OID *pkixOID = NULL;
-        SECItem critical;
-        SECItem oid;
-        char *oidAscii = NULL;
 
         PKIX_ENTER(OID, "pkix_pl_OID_GetCriticalExtensionOIDs");
         PKIX_NULLCHECK_ONE(pOidsList);
 
         PKIX_CHECK(PKIX_List_Create(&oidsList, plContext),
                     PKIX_LISTCREATEFAILED);
 
-        if (extensions){
-
-                while (*extensions){
-                        extension = *extensions++;
-
-                    PKIX_NULLCHECK_ONE(extension);
-
-                    /* extension is critical */
-                    critical = extension->critical;
-
-                    if (critical.len != 0){
-
-                            if (critical.data[0] == 0xff) {
-                            oid = extension->id;
+        if (extensions) {
+            while (*extensions) {
+                CERTCertExtension *extension = NULL;
+                SECItem *critical = NULL;
+                SECItem *oid = NULL;
 
-                            PKIX_CHECK(pkix_pl_oidBytes2Ascii
-                                    (&oid, &oidAscii, plContext),
-                                    PKIX_OIDBYTES2ASCIIFAILED);
-
-                            PKIX_CHECK(PKIX_PL_OID_Create
-                                    (oidAscii, &pkixOID, plContext),
-                                    PKIX_OIDCREATEFAILED);
-
-                            PKIX_CHECK(PKIX_List_AppendItem
-                                    (oidsList,
-                                    (PKIX_PL_Object *)pkixOID,
-                                    plContext),
-                                    PKIX_LISTAPPENDITEMFAILED);
-                            }
-                    }
-
-                    PKIX_FREE(oidAscii);
-                    PKIX_DECREF(pkixOID);
+                extension = *extensions++;
+                /* extension is critical ? */
+                critical = &extension->critical;
+                if (critical->len == 0 || critical->data[0] == 0) {
+                    continue;
                 }
+                oid = &extension->id;
+                PKIX_CHECK(
+                    PKIX_PL_OID_CreateBySECItem(oid, &pkixOID, plContext),
+                    PKIX_OIDCREATEFAILED);
+                PKIX_CHECK(
+                    PKIX_List_AppendItem(oidsList, (PKIX_PL_Object *)pkixOID,
+                                         plContext),
+                    PKIX_LISTAPPENDITEMFAILED);
+                PKIX_DECREF(pkixOID);
+            }
         }
 
         *pOidsList = oidsList;
         oidsList = NULL;
         
 cleanup:
         PKIX_DECREF(oidsList);
-        PKIX_FREE(oidAscii);
         PKIX_DECREF(pkixOID);
         PKIX_RETURN(OID);
 }
 
 /* --Public-Functions------------------------------------------------------- */
 
 /*
- * FUNCTION: PKIX_PL_OID_Create (see comments in pkix_pl_system.h)
+ * FUNCTION: PKIX_PL_OID_CreateBySECItem (see comments in pkix_pl_system.h)
  */
 PKIX_Error *
-PKIX_PL_OID_Create(
-        char *stringRep,
+PKIX_PL_OID_CreateBySECItem(
+        SECItem *derOid,
         PKIX_PL_OID **pOID,
         void *plContext)
 {
         PKIX_PL_OID *oid = NULL;
-        char *strCpy1 = NULL;
-        char *strCpy2 = NULL;
-        char *token = NULL;
-        PKIX_UInt32 numTokens, i, length;
-        PKIX_UInt32 value;
-        PKIX_Boolean firstFieldTwo;
-        PKIX_UInt32 *components = NULL;
-        char *rem = NULL;
-
-        PKIX_ENTER(OID, "PKIX_PL_OID_Create");
-        PKIX_NULLCHECK_TWO(pOID, stringRep);
-
-        PKIX_OID_DEBUG("\tCalling PL_strlen).\n");
-        length = PL_strlen(stringRep);
-
-        if (length < 3) {
-                PKIX_ERROR(PKIX_OIDLENGTHTOOSHORT);
-        }
-
-        for (i = 0; i < length; i++) {
-                if ((!PKIX_ISDIGIT(stringRep[i]))&&(stringRep[i] != '.')) {
-                        PKIX_ERROR(PKIX_ILLEGALCHARACTERINOID);
-                }
-        }
-
-        /* Check that string doesn't have extra dots */
-        if ((stringRep[0] == '.') ||
-            (stringRep[length-1] == '.')||
-            (PL_strstr(stringRep, "..") != NULL)) {
-                PKIX_ERROR(PKIX_ILLEGALDOTINOID);
-        }
-
-        PKIX_OID_DEBUG("\tCalling PL_strdup).\n");
-
-        strCpy1 = PL_strdup(stringRep);
-        strCpy2 = PL_strdup(stringRep);
-
-        /* Validate and tally the number of tokens */
-
-        PKIX_CHECK(pkix_pl_OID_GetNextToken
-                    (strCpy1, &token, &rem, plContext),
-                    PKIX_OIDGETNEXTTOKENFAILED);
-
-        for (numTokens = 0; token != NULL; numTokens++){
-                if (numTokens == 0) {
-                        /* We know the string is all digits */
-                        PKIX_OID_DEBUG("\tCalling PORT_Atoi).\n");
-                        value = PORT_Atoi(token);
-                        if (value > 2) {
-                                PKIX_ERROR(PKIX_FIRSTFIELDMUSTBEBETWEEN02);
-                        }
-
-                        /* Set a flag if the first field is 2 */
-                        firstFieldTwo = (value == 2);
-                } else if (numTokens == 1) {
-                        PKIX_OID_DEBUG("\tCalling PORT_Atoi).\n");
-                        value = PORT_Atoi(token);
-                        if ((!firstFieldTwo)&&(value > 39)) {
-                                PKIX_ERROR
-                                        (PKIX_SECONDFIELDMUSTBEBETWEEN039);
-                        }
-                }
-
-                /* Check for 32-bit overflow */
-                if (pkix_pl_UInt32_Overflows(token)){
-                        PKIX_ERROR(PKIX_OIDCOMPONENTTOOBIG);
-                }
-
-                PKIX_CHECK(pkix_pl_OID_GetNextToken
-                            (rem, &token, &rem, plContext),
-                            PKIX_OIDGETNEXTTOKENFAILED);
-        }
-
-        if (numTokens < 2) {
-                PKIX_ERROR(PKIX_OIDNEEDS2ORMOREFIELDS);
-        }
-
-        PKIX_CHECK(PKIX_PL_Malloc
-                    (numTokens * sizeof (PKIX_UInt32),
-                    (void **)&components, plContext),
-                    PKIX_MALLOCFAILED);
-
-        PKIX_CHECK(pkix_pl_OID_GetNextToken
-                    (strCpy2, &token, &rem, plContext),
-                    PKIX_OIDGETNEXTTOKENFAILED);
-
-        for (i = 0; token != NULL; i++){
-                PKIX_OID_DEBUG("\tCalling PORT_Atoi).\n");
-                components[i] = PORT_Atoi(token);
-
-                PKIX_CHECK(pkix_pl_OID_GetNextToken
-                            (rem, &token, &rem, plContext),
-                            PKIX_OIDGETNEXTTOKENFAILED);
-        }
+        SECStatus rv;
+        
+        PKIX_ENTER(OID, "PKIX_PL_OID_CreateBySECItem");
+        PKIX_NULLCHECK_TWO(pOID, derOid);
 
         PKIX_CHECK(PKIX_PL_Object_Alloc
-                    (PKIX_OID_TYPE,
+                   (PKIX_OID_TYPE,
                     sizeof (PKIX_PL_OID),
                     (PKIX_PL_Object **)&oid,
                     plContext),
                     PKIX_COULDNOTCREATEOBJECT);
-
-        oid->length = numTokens;
-        oid->components = components;
-
-        *pOID = oid;
-
+        rv = SECITEM_CopyItem(NULL, &oid->derOid, derOid);
+        if (rv != SECFailure) {
+            *pOID = oid;
+            oid = NULL;
+        }
+        
 cleanup:
-
-        if (strCpy1){
-                PKIX_OID_DEBUG("\tCalling PL_strfree).\n");
-                PL_strfree(strCpy1);
-        }
-
-        if (strCpy2){
-                PKIX_OID_DEBUG("\tCalling PL_strfree).\n");
-                PL_strfree(strCpy2);
-        }
-
-        if (PKIX_ERROR_RECEIVED){
-                PKIX_FREE(components);
-        }
-
+        PKIX_DECREF(oid);
+        
         PKIX_RETURN(OID);
 }
+
+/*
+ * FUNCTION: PKIX_PL_OID_Create (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_OID_Create(
+        SECOidTag idtag,
+        PKIX_PL_OID **pOID,
+        void *plContext)
+{
+        SECOidData *oidData = NULL;
+    
+        PKIX_ENTER(OID, "PKIX_PL_OID_Create");
+        PKIX_NULLCHECK_ONE(pOID);
+
+        oidData = SECOID_FindOIDByTag((SECOidTag)idtag);
+        if (!oidData) {
+            PKIX_ERROR(PKIX_SECOIDFINDOIDTAGDESCRIPTIONFAILED);
+        }
+        
+        pkixErrorResult = 
+            PKIX_PL_OID_CreateBySECItem(&oidData->oid, pOID, plContext);
+cleanup:
+        PKIX_RETURN(OID);
+}
--- a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.h
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.h
@@ -46,18 +46,17 @@
 
 #include "pkix_pl_common.h"
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
 struct PKIX_PL_OIDStruct {
-        PKIX_UInt32 *components;
-        PKIX_UInt32 length;
+    SECItem derOid;
 };
 
 /* see source file for function documentation */
 
 PKIX_Error *
 pkix_pl_OID_RegisterSelf(void *plContext);
 
 PKIX_Error *
--- a/security/nss/lib/nss/config.mk
+++ b/security/nss/lib/nss/config.mk
@@ -48,16 +48,17 @@ SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)
 IMPORT_LIBRARY = $(OBJDIR)/$(IMPORT_LIB_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION)$(IMPORT_LIB_SUFFIX)
 
 RES = $(OBJDIR)/$(LIBRARY_NAME).res
 RESNAME = $(LIBRARY_NAME).rc
 
 ifdef NS_USE_GCC
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib \
+	-L$(NSSUTIL_LIB_DIR) \
 	-lnssutil3 \
 	-L$(NSPR_LIB_DIR) \
 	-lplc4 \
 	-lplds4 \
 	-lnspr4\
 	$(NULL)
 else # ! NS_USE_GCC
 EXTRA_SHARED_LIBS += \
@@ -69,16 +70,17 @@ EXTRA_SHARED_LIBS += \
 endif # NS_USE_GCC
 
 else
 
 # $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
 # $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib \
+	-L$(NSSUTIL_LIB_DIR) \
 	-lnssutil3 \
 	-L$(NSPR_LIB_DIR) \
 	-lplc4 \
 	-lplds4 \
 	-lnspr4 \
 	$(NULL)
 
 endif
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -31,17 +31,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: nss.h,v 1.64 2009/03/27 21:42:54 christophe.ravel.bugs%sun.com Exp $ */
+/* $Id: nss.h,v 1.65 2009/04/13 17:46:59 christophe.ravel.bugs%sun.com Exp $ */
 
 #ifndef __nss_h_
 #define __nss_h_
 
 /* The private macro _NSS_ECC_STRING is for NSS internal use only. */
 #ifdef NSS_ENABLE_ECC
 #ifdef NSS_ECC_MORE_THAN_SUITE_B
 #define _NSS_ECC_STRING " Extended ECC"
@@ -61,21 +61,21 @@
 
 /*
  * NSS's major version, minor version, patch level, and whether
  * this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION  "3.12.3" _NSS_ECC_STRING _NSS_CUSTOMIZED
+#define NSS_VERSION  "3.12.4" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta"
 #define NSS_VMAJOR   3
 #define NSS_VMINOR   12
-#define NSS_VPATCH   3
-#define NSS_BETA     PR_FALSE
+#define NSS_VPATCH   4
+#define NSS_BETA     PR_TRUE
 
 #ifndef RC_INVOKED
 
 #include "seccomon.h"
 
 SEC_BEGIN_PROTOS
 
 /*
--- a/security/nss/lib/pk11wrap/pk11nobj.c
+++ b/security/nss/lib/pk11wrap/pk11nobj.c
@@ -522,16 +522,17 @@ PK11_PutCrl(PK11SlotInfo *slot, SECItem 
     object = nssToken_ImportCRL(token, NULL, 
                                 &derSubject, &derCRL, isKRL, url, PR_TRUE);
 
     if (object) {
 	rvH = object->handle;
 	nssCryptokiObject_Destroy(object);
     } else {
 	rvH = CK_INVALID_HANDLE;
+        PORT_SetError(SEC_ERROR_CRL_IMPORT_FAILED);
     }
     return rvH;
 }
 
 
 /*
  * delete a crl.
  */
--- a/security/nss/lib/smime/config.mk
+++ b/security/nss/lib/smime/config.mk
@@ -45,16 +45,17 @@ IMPORT_LIBRARY = $(OBJDIR)/$(IMPORT_LIB_
 
 RES = $(OBJDIR)/smime.res
 RESNAME = smime.rc
 
 ifdef NS_USE_GCC
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib \
 	-lnss3 \
+	-L$(NSSUTIL_LIB_DIR) \
 	-lnssutil3 \
 	-L$(NSPR_LIB_DIR) \
 	-lplc4 \
 	-lplds4 \
 	-lnspr4 \
 	$(NULL)
 else # ! NS_USE_GCC
 EXTRA_SHARED_LIBS += \
@@ -66,16 +67,17 @@ EXTRA_SHARED_LIBS += \
 	$(NULL)
 endif # NS_USE_GCC
 
 else
 
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib \
 	-lnss3 \
+	-L$(NSSUTIL_LIB_DIR) \
 	-lnssutil3 \
 	-L$(NSPR_LIB_DIR) \
 	-lplc4 \
 	-lplds4 \
 	-lnspr4 \
 	$(NULL)
 
 endif
--- a/security/nss/lib/softoken/config.mk
+++ b/security/nss/lib/softoken/config.mk
@@ -32,21 +32,16 @@
 # and other provisions required by the GPL or the LGPL. If you do not delete
 # the provisions above, a recipient may use your version of this file under
 # the terms of any one of the MPL, the GPL or the LGPL.
 #
 # ***** END LICENSE BLOCK *****
 
 # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
 CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
-CRYPTODIR=../freebl
-ifdef MOZILLA_SECURITY_BUILD
-	CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX)
-	CRYPTODIR=../crypto
-endif
 
 EXTRA_LIBS += \
 	$(CRYPTOLIB) \
 	$(NULL)
 
 # can't do this in manifest.mn because OS_TARGET isn't defined there.
 ifeq (,$(filter-out WIN%,$(OS_TARGET)))
 
@@ -55,16 +50,17 @@ SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)
 IMPORT_LIBRARY = $(OBJDIR)/$(IMPORT_LIB_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION)$(IMPORT_LIB_SUFFIX)
 
 RES = $(OBJDIR)/$(LIBRARY_NAME).res
 RESNAME = $(LIBRARY_NAME).rc
 
 ifdef NS_USE_GCC
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib \
+	-L$(NSSUTIL_LIB_DIR) \
 	-lnssutil3 \
 	-lsqlite3 \
 	-L$(NSPR_LIB_DIR) \
 	-lplc4 \
 	-lplds4 \
 	-lnspr4 \
 	$(NULL)
 else # ! NS_USE_GCC
@@ -80,16 +76,17 @@ EXTRA_SHARED_LIBS += \
 endif # NS_USE_GCC
 
 else
 
 # $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
 # $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib \
+	-L$(NSSUTIL_LIB_DIR) \
 	-lnssutil3 \
 	-lsqlite3 \
 	-L$(NSPR_LIB_DIR) \
 	-lplc4 \
 	-lplds4 \
 	-lnspr4 \
 	$(NULL)
 endif
--- a/security/nss/lib/softoken/legacydb/config.mk
+++ b/security/nss/lib/softoken/legacydb/config.mk
@@ -32,21 +32,16 @@
 # and other provisions required by the GPL or the LGPL. If you do not delete
 # the provisions above, a recipient may use your version of this file under
 # the terms of any one of the MPL, the GPL or the LGPL.
 #
 # ***** END LICENSE BLOCK *****
 
 # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
 CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
-CRYPTODIR=../freebl
-ifdef MOZILLA_SECURITY_BUILD
-	CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX)
-	CRYPTODIR=../crypto
-endif
 
 EXTRA_LIBS +=	$(CRYPTOLIB) 
 
 ifndef NSS_DISABLE_DBM
 EXTRA_LIBS +=	$(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX) 
 endif
 
 # can't do this in manifest.mn because OS_TARGET isn't defined there.
@@ -57,16 +52,17 @@ SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)
 IMPORT_LIBRARY = $(OBJDIR)/$(IMPORT_LIB_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION)$(IMPORT_LIB_SUFFIX)
 
 RES = $(OBJDIR)/$(LIBRARY_NAME).res
 RESNAME = $(LIBRARY_NAME).rc
 
 ifdef NS_USE_GCC
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib \
+	-L$(NSSUTIL_LIB_DIR) \
 	-lnssutil3 \
 	-L$(NSPR_LIB_DIR) \
 	-lplc4 \
 	-lplds4 \
 	-lnspr4 \
 	$(NULL)
 else # ! NS_USE_GCC
 
@@ -79,16 +75,17 @@ EXTRA_SHARED_LIBS += \
 endif # NS_USE_GCC
 
 else
 
 # $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
 # $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib \
+	-L$(NSSUTIL_LIB_DIR) \
 	-lnssutil3 \
 	-L$(NSPR_LIB_DIR) \
 	-lplc4 \
 	-lplds4 \
 	-lnspr4 \
 	$(NULL)
 endif
 
--- a/security/nss/lib/softoken/legacydb/lowcert.c
+++ b/security/nss/lib/softoken/legacydb/lowcert.c
@@ -33,17 +33,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * Certificate handling code
  *
- * $Id: lowcert.c,v 1.4 2008/02/08 02:50:50 julien.pierre.boogz%sun.com Exp $
+ * $Id: lowcert.c,v 1.5 2009/04/12 01:31:45 nelson%bolyard.com Exp $
  */
 
 #include "seccomon.h"
 #include "secder.h"
 #include "nssilock.h"
 #include "lowkeyi.h"
 #include "secasn1.h"
 #include "secoid.h"
@@ -358,16 +358,20 @@ nsslowcert_KeyFromIssuerAndSN(PRArenaPoo
 			      SECItem *issuer, SECItem *sn, SECItem *key)
 {
     unsigned int len = sn->len + issuer->len;
 
     if (!arena) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	goto loser;
     }
+    if (len > NSS_MAX_LEGACY_DB_KEY_SIZE) {
+	PORT_SetError(SEC_ERROR_INPUT_LEN);
+	goto loser;
+    }
     key->data = (unsigned char*)PORT_ArenaAlloc(arena, len);
     if ( !key->data ) {
 	goto loser;
     }
 
     key->len = len;
     /* copy the serialNumber */
     PORT_Memcpy(key->data, sn->data, sn->len);
--- a/security/nss/lib/softoken/legacydb/pcertdb.c
+++ b/security/nss/lib/softoken/legacydb/pcertdb.c
@@ -32,17 +32,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * Permanent Certificate database handling code 
  *
- * $Id: pcertdb.c,v 1.9 2009/04/09 02:00:33 nelson%bolyard.com Exp $
+ * $Id: pcertdb.c,v 1.11 2009/04/13 17:23:15 nelson%bolyard.com Exp $
  */
 #include "lowkeyti.h"
 #include "pcert.h"
 #include "mcom_db.h"
 #include "pcert.h"
 #include "secitem.h"
 #include "secder.h"
 
@@ -632,26 +632,26 @@ EncodeDBCertEntry(certDBEntryCert *entry
     if ( dbitem->data == NULL) {
 	PORT_SetError(SEC_ERROR_NO_MEMORY);
 	goto loser;
     }
     
     /* fill in database record */
     buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
     
-    buf[0] = ( entry->trust.sslFlags >> 8 ) & 0xff;
-    buf[1] = entry->trust.sslFlags & 0xff;
-    buf[2] = ( entry->trust.emailFlags >> 8 ) & 0xff;
-    buf[3] = entry->trust.emailFlags & 0xff;
-    buf[4] = ( entry->trust.objectSigningFlags >> 8 ) & 0xff;
-    buf[5] = entry->trust.objectSigningFlags & 0xff;
-    buf[6] = ( entry->derCert.len >> 8 ) & 0xff;
-    buf[7] = entry->derCert.len & 0xff;
-    buf[8] = ( nnlen >> 8 ) & 0xff;
-    buf[9] = nnlen & 0xff;
+    buf[0] = (PRUint8)( entry->trust.sslFlags >> 8 );
+    buf[1] = (PRUint8)( entry->trust.sslFlags      );
+    buf[2] = (PRUint8)( entry->trust.emailFlags >> 8 );
+    buf[3] = (PRUint8)( entry->trust.emailFlags      );
+    buf[4] = (PRUint8)( entry->trust.objectSigningFlags >> 8 );
+    buf[5] = (PRUint8)( entry->trust.objectSigningFlags      );
+    buf[6] = (PRUint8)( entry->derCert.len >> 8 );
+    buf[7] = (PRUint8)( entry->derCert.len      );
+    buf[8] = (PRUint8)( nnlen >> 8 );
+    buf[9] = (PRUint8)( nnlen      );
     
     PORT_Memcpy(&buf[DB_CERT_ENTRY_HEADER_LEN], entry->derCert.data,
 	      entry->derCert.len);
 
     PORT_Memcpy(&buf[DB_CERT_ENTRY_HEADER_LEN + entry->derCert.len],
 	      nn, nnlen);
 
     return(SECSuccess);
@@ -662,16 +662,18 @@ loser:
 
 /*
  * encode a database key for a cert record
  */
 static SECStatus
 EncodeDBCertKey(const SECItem *certKey, PRArenaPool *arena, SECItem *dbkey)
 {
     unsigned int len = certKey->len + SEC_DB_KEY_HEADER_LEN;
+    if (len > NSS_MAX_LEGACY_DB_KEY_SIZE)
+	goto loser;
     if (arena) {
 	dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, len);
     } else {
 	if (dbkey->len < len) {
 	    dbkey->data = (unsigned char *)PORT_Alloc(len);
 	}
     }
     dbkey->len = len;
@@ -701,22 +703,24 @@ EncodeDBGenericKey(const SECItem *certKe
 	    goto loser;
 	}
         dbkey->data[0] = (unsigned char) entryType;
         return(SECSuccess);
     }
     
 
     dbkey->len = certKey->len + SEC_DB_KEY_HEADER_LEN;
+    if (dbkey->len > NSS_MAX_LEGACY_DB_KEY_SIZE)
+	goto loser;
     dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
     if ( dbkey->data == NULL ) {
 	goto loser;
     }
     PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN],
-	      certKey->data, certKey->len);
+	       certKey->data, certKey->len);
     dbkey->data[0] = (unsigned char) entryType;
 
     return(SECSuccess);
 loser:
     return(SECFailure);
 }
 
 static SECStatus
@@ -1151,20 +1155,20 @@ EncodeDBCrlEntry(certDBEntryRevocation *
     if ( dbitem->data == NULL) {
 	PORT_SetError(SEC_ERROR_NO_MEMORY);
 	goto loser;
     }
     
     /* fill in database record */
     buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
     
-    buf[0] = ( entry->derCrl.len >> 8 ) & 0xff;
-    buf[1] = entry->derCrl.len & 0xff;
-    buf[2] = ( nnlen >> 8 ) & 0xff;
-    buf[3] = nnlen & 0xff;
+    buf[0] = (PRUint8)( entry->derCrl.len >> 8 );
+    buf[1] = (PRUint8)( entry->derCrl.len      );
+    buf[2] = (PRUint8)( nnlen >> 8 );
+    buf[3] = (PRUint8)( nnlen      );
     
     PORT_Memcpy(&buf[DB_CRL_ENTRY_HEADER_LEN], entry->derCrl.data,
 	      entry->derCrl.len);
 
     if (nnlen != 0) {
 	PORT_Memcpy(&buf[DB_CRL_ENTRY_HEADER_LEN + entry->derCrl.len],
 	      entry->url, nnlen);
     }
@@ -1447,28 +1451,25 @@ EncodeDBNicknameEntry(certDBEntryNicknam
 {
     unsigned char *buf;
     
     /* allocate space for encoded database record, including space
      * for low level header
      */
     dbitem->len = entry->subjectName.len + DB_NICKNAME_ENTRY_HEADER_LEN +
 	SEC_DB_ENTRY_HEADER_LEN;
-    
     dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
     if ( dbitem->data == NULL) {
 	goto loser;
     }
     
     /* fill in database record */
     buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
-    
-    buf[0] = ( entry->subjectName.len >> 8 ) & 0xff;
-    buf[1] = entry->subjectName.len & 0xff;
-    
+    buf[0] = (PRUint8)( entry->subjectName.len >> 8 );
+    buf[1] = (PRUint8)( entry->subjectName.len      );
     PORT_Memcpy(&buf[DB_NICKNAME_ENTRY_HEADER_LEN], entry->subjectName.data,
 	      entry->subjectName.len);
 
     return(SECSuccess);
 
 loser:
     return(SECFailure);
 }
@@ -1481,16 +1482,18 @@ EncodeDBNicknameKey(char *nickname, PRAr
 		    SECItem *dbkey)
 {
     unsigned int nnlen;
     
     nnlen = PORT_Strlen(nickname) + 1; /* includes null */
 
     /* now get the database key and format it */
     dbkey->len = nnlen + SEC_DB_KEY_HEADER_LEN;
+    if (dbkey->len > NSS_MAX_LEGACY_DB_KEY_SIZE)
+	goto loser;
     dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
     if ( dbkey->data == NULL ) {
 	goto loser;
     }
     PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN], nickname, nnlen);
     dbkey->data[0] = certDBEntryTypeNickname;
 
     return(SECSuccess);
@@ -1772,22 +1775,22 @@ EncodeDBSMimeEntry(certDBEntrySMime *ent
     if ( dbitem->data == NULL) {
 	PORT_SetError(SEC_ERROR_NO_MEMORY);
 	goto loser;
     }
     
     /* fill in database record */
     buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
     
-    buf[0] = ( entry->subjectName.len >> 8 ) & 0xff;
-    buf[1] = entry->subjectName.len & 0xff;
-    buf[2] = ( entry->smimeOptions.len >> 8 ) & 0xff;
-    buf[3] = entry->smimeOptions.len & 0xff;
-    buf[4] = ( entry->optionsDate.len >> 8 ) & 0xff;
-    buf[5] = entry->optionsDate.len & 0xff;
+    buf[0] = (PRUint8)( entry->subjectName.len >> 8 );
+    buf[1] = (PRUint8)( entry->subjectName.len      );
+    buf[2] = (PRUint8)( entry->smimeOptions.len >> 8 );
+    buf[3] = (PRUint8)( entry->smimeOptions.len      );
+    buf[4] = (PRUint8)( entry->optionsDate.len >> 8 );
+    buf[5] = (PRUint8)( entry->optionsDate.len      );
 
     /* if no smime options, then there should not be an options date either */
     PORT_Assert( ! ( ( entry->smimeOptions.len == 0 ) &&
 		    ( entry->optionsDate.len != 0 ) ) );
     
     PORT_Memcpy(&buf[DB_SMIME_ENTRY_HEADER_LEN], entry->subjectName.data,
 	      entry->subjectName.len);
     if ( entry->smimeOptions.len ) {
@@ -1814,16 +1817,18 @@ EncodeDBSMimeKey(char *emailAddr, PRAren
 		 SECItem *dbkey)
 {
     unsigned int addrlen;
     
     addrlen = PORT_Strlen(emailAddr) + 1; /* includes null */
 
     /* now get the database key and format it */
     dbkey->len = addrlen + SEC_DB_KEY_HEADER_LEN;
+    if (dbkey->len > NSS_MAX_LEGACY_DB_KEY_SIZE)
+	goto loser;
     dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
     if ( dbkey->data == NULL ) {
 	goto loser;
     }
     PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN], emailAddr, addrlen);
     dbkey->data[0] = certDBEntryTypeSMimeProfile;
 
     return(SECSuccess);
@@ -2162,97 +2167,96 @@ EncodeDBSubjectEntry(certDBEntrySubject 
     unsigned char *buf;
     int len;
     unsigned int ncerts;
     unsigned int i;
     unsigned char *tmpbuf;
     unsigned int nnlen = 0;
     unsigned int eaddrslen = 0;
     int keyidoff;
-    SECItem *certKeys;
-    SECItem *keyIDs;
+    SECItem *certKeys = entry->certKeys;
+    SECItem *keyIDs   = entry->keyIDs;;
     
     if ( entry->nickname ) {
 	nnlen = PORT_Strlen(entry->nickname) + 1;
     }
     if ( entry->emailAddrs ) {
 	eaddrslen = 2;
 	for (i=0; i < entry->nemailAddrs; i++) {
 	    eaddrslen += PORT_Strlen(entry->emailAddrs[i]) + 1 + 2;
 	}
     }
 
     ncerts = entry->ncerts;
     
     /* compute the length of the entry */
     keyidoff = DB_SUBJECT_ENTRY_HEADER_LEN + nnlen ;
-    len = keyidoff + 4 * ncerts + eaddrslen;
+    len = keyidoff + (4 * ncerts) + eaddrslen;
     for ( i = 0; i < ncerts; i++ ) {
-	len += entry->certKeys[i].len;
-	len += entry->keyIDs[i].len;
+	if (keyIDs[i].len   > 0xffff ||
+	   (certKeys[i].len > 0xffff)) {
+    	    PORT_SetError(SEC_ERROR_INPUT_LEN);
+	    goto loser;
+	}
+	len += certKeys[i].len;
+	len += keyIDs[i].len;
     }
     
     /* allocate space for encoded database record, including space
      * for low level header
      */
     dbitem->len = len + SEC_DB_ENTRY_HEADER_LEN;
     
     dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
     if ( dbitem->data == NULL) {
 	PORT_SetError(SEC_ERROR_NO_MEMORY);
 	goto loser;
     }
     
     /* fill in database record */
     buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
     
-    buf[0] = ( ncerts >> 8 ) & 0xff;
-    buf[1] = ncerts & 0xff;
-    buf[2] = ( nnlen >> 8 ) & 0xff;
-    buf[3] = nnlen & 0xff;
+    buf[0] = (PRUint8)( ncerts >> 8 );
+    buf[1] = (PRUint8)( ncerts      );
+    buf[2] = (PRUint8)( nnlen >> 8 );
+    buf[3] = (PRUint8)( nnlen      );
     /* v7 email field is NULL in v8 */
     buf[4] = 0;
     buf[5] = 0;
 
     PORT_Memcpy(&buf[DB_SUBJECT_ENTRY_HEADER_LEN], entry->nickname, nnlen);
-    
+    tmpbuf = &buf[keyidoff];   
     for ( i = 0; i < ncerts; i++ ) {
-
-	certKeys = entry->certKeys;
-	keyIDs = entry->keyIDs;
-
-	buf[keyidoff+i*2] = ( certKeys[i].len >> 8 ) & 0xff;
-	buf[keyidoff+1+i*2] = certKeys[i].len & 0xff;
-	buf[keyidoff+ncerts*2+i*2] = ( keyIDs[i].len >> 8 ) & 0xff;
-	buf[keyidoff+1+ncerts*2+i*2] = keyIDs[i].len & 0xff;
-    }
-    
-    /* temp pointer used to stuff certkeys and keyids into the buffer */
-    tmpbuf = &buf[keyidoff+ncerts*4];
-
+	tmpbuf[0] = (PRUint8)( certKeys[i].len >> 8 );
+	tmpbuf[1] = (PRUint8)( certKeys[i].len      );
+	tmpbuf += 2;
+    }
     for ( i = 0; i < ncerts; i++ ) {
-	certKeys = entry->certKeys;
-	PORT_Memcpy(tmpbuf, certKeys[i].data, certKeys[i].len);
-	tmpbuf = tmpbuf + certKeys[i].len;
+	tmpbuf[0] = (PRUint8)( keyIDs[i].len >> 8 );
+	tmpbuf[1] = (PRUint8)( keyIDs[i].len      );
+	tmpbuf += 2;
     }
     
     for ( i = 0; i < ncerts; i++ ) {
-	keyIDs = entry->keyIDs;
+	PORT_Memcpy(tmpbuf, certKeys[i].data, certKeys[i].len);
+	tmpbuf += certKeys[i].len;
+    }
+    for ( i = 0; i < ncerts; i++ ) {
 	PORT_Memcpy(tmpbuf, keyIDs[i].data, keyIDs[i].len);
-	tmpbuf = tmpbuf + keyIDs[i].len;
+	tmpbuf += keyIDs[i].len;
     }
 
     if (entry->emailAddrs) {
-	tmpbuf[0] =  (entry->nemailAddrs >> 8) & 0xff;
-	tmpbuf[1] =  entry->nemailAddrs  & 0xff;
+	tmpbuf[0] = (PRUint8)( entry->nemailAddrs >> 8 );
+	tmpbuf[1] = (PRUint8)( entry->nemailAddrs      );
 	tmpbuf += 2;
 	for (i=0; i < entry->nemailAddrs; i++) {
 	    int nameLen = PORT_Strlen(entry->emailAddrs[i]) + 1;
-	    tmpbuf[0] =  (nameLen >> 8) & 0xff;
-	    tmpbuf[1] =  nameLen & 0xff;
+	    tmpbuf[0] = (PRUint8)( nameLen >> 8 );
+	    tmpbuf[1] = (PRUint8)( nameLen      );
 	    tmpbuf += 2;
 	    PORT_Memcpy(tmpbuf,entry->emailAddrs[i],nameLen);
 	    tmpbuf +=nameLen;
 	}
     }
 
     PORT_Assert(tmpbuf == &buf[len]);
     
@@ -2265,16 +2269,18 @@ loser:
 /*
  * Encode a database key for a subject record
  */
 static SECStatus
 EncodeDBSubjectKey(SECItem *derSubject, PRArenaPool *arena,
 		   SECItem *dbkey)
 {
     dbkey->len = derSubject->len + SEC_DB_KEY_HEADER_LEN;
+    if (dbkey->len > NSS_MAX_LEGACY_DB_KEY_SIZE)
+	goto loser;
     dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
     if ( dbkey->data == NULL ) {
 	goto loser;
     }
     PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN], derSubject->data,
 	      derSubject->len);
     dbkey->data[0] = certDBEntryTypeSubject;
 
@@ -2283,54 +2289,51 @@ EncodeDBSubjectKey(SECItem *derSubject, 
 loser:
     return(SECFailure);
 }
 
 static SECStatus
 DecodeDBSubjectEntry(certDBEntrySubject *entry, SECItem *dbentry,
 		     const SECItem *derSubject)
 {
-    unsigned int ncerts;
-    PRArenaPool *arena;
-    unsigned int len, itemlen;
+    PRArenaPool *arena     = entry->common.arena;
     unsigned char *tmpbuf;
     unsigned char *end;
+    void        *mark      = PORT_ArenaMark(arena);
+    unsigned int eaddrlen;
     unsigned int i;
-    SECStatus rv;
     unsigned int keyidoff;
-    unsigned int nnlen, eaddrlen;
-    unsigned int stdlen;
-    
-    arena = entry->common.arena;
+    unsigned int len;
+    unsigned int ncerts    = 0;
+    unsigned int nnlen;
+    SECStatus rv;
 
     rv = SECITEM_CopyItem(arena, &entry->derSubject, derSubject);
     if ( rv != SECSuccess ) {
 	goto loser;
     }
 
     /* is record long enough for header? */
     if ( dbentry->len < DB_SUBJECT_ENTRY_HEADER_LEN ) {
 	PORT_SetError(SEC_ERROR_BAD_DATABASE);
 	goto loser;
     }
     
-    entry->ncerts = ncerts = ( ( dbentry->data[0] << 8 ) | dbentry->data[1] );
-    nnlen = ( ( dbentry->data[2] << 8 ) | dbentry->data[3] );
-    eaddrlen = ( ( dbentry->data[4] << 8 ) | dbentry->data[5] );
-    stdlen = ncerts * 4 + DB_SUBJECT_ENTRY_HEADER_LEN + nnlen + eaddrlen;
-    if ( dbentry->len < stdlen) {
+    entry->ncerts = ncerts = (( dbentry->data[0] << 8 ) | dbentry->data[1] );
+    nnlen =                  (( dbentry->data[2] << 8 ) | dbentry->data[3] );
+    eaddrlen =               (( dbentry->data[4] << 8 ) | dbentry->data[5] );
+    keyidoff = DB_SUBJECT_ENTRY_HEADER_LEN + nnlen + eaddrlen;
+    len = keyidoff + (4 * ncerts);
+    if ( dbentry->len < len) {
 	PORT_SetError(SEC_ERROR_BAD_DATABASE);
 	goto loser;
     }
     
-    entry->certKeys = (SECItem *)PORT_ArenaAlloc(arena,
-						 sizeof(SECItem) * ncerts);
-    entry->keyIDs = (SECItem *)PORT_ArenaAlloc(arena,
-					       sizeof(SECItem) * ncerts);
-
+    entry->certKeys = PORT_ArenaNewArray(arena, SECItem, ncerts);
+    entry->keyIDs   = PORT_ArenaNewArray(arena, SECItem, ncerts);
     if ( ( entry->certKeys == NULL ) || ( entry->keyIDs == NULL ) ) {
 	PORT_SetError(SEC_ERROR_NO_MEMORY);
 	goto loser;
     }
 
     if ( nnlen > 1 ) { /* null terminator is stored */
 	entry->nickname = (char *)PORT_ArenaAlloc(arena, nnlen);
 	if ( entry->nickname == NULL ) {
@@ -2342,17 +2345,17 @@ DecodeDBSubjectEntry(certDBEntrySubject 
 		    nnlen);
     } else {
 	entry->nickname = NULL;
     }
 
     /* if we have an old style email entry, there is only one */    
     entry->nemailAddrs = 0;
     if ( eaddrlen > 1 ) { /* null terminator is stored */
-	entry->emailAddrs = (char **)PORT_ArenaAlloc(arena, sizeof(char *));
+	entry->emailAddrs = PORT_ArenaNewArray(arena, char *, 2);
 	if ( entry->emailAddrs == NULL ) {
 	    PORT_SetError(SEC_ERROR_NO_MEMORY);
 	    goto loser;
 	}
 	entry->emailAddrs[0] = (char *)PORT_ArenaAlloc(arena, eaddrlen);
 	if ( entry->emailAddrs[0] == NULL ) {
 	    PORT_SetError(SEC_ERROR_NO_MEMORY);
 	    goto loser;
@@ -2363,97 +2366,95 @@ DecodeDBSubjectEntry(certDBEntrySubject 
 	 entry->nemailAddrs = 1;
     } else {
 	entry->emailAddrs = NULL;
     }
     
     /* collect the lengths of the certKeys and keyIDs, and total the
      * overall length.
      */
-    keyidoff = DB_SUBJECT_ENTRY_HEADER_LEN + nnlen + eaddrlen;
-    len = keyidoff + 4 * ncerts;
-
-    tmpbuf = &dbentry->data[0];
-    
+    tmpbuf = &dbentry->data[keyidoff];
+    for ( i = 0; i < ncerts; i++ ) {
+        unsigned int itemlen = ( tmpbuf[0] << 8 ) | tmpbuf[1];
+        entry->certKeys[i].len = itemlen;
+        len += itemlen;
+        tmpbuf += 2;
+    }
     for ( i = 0; i < ncerts; i++ ) {
-
-	itemlen = ( tmpbuf[keyidoff + 2*i] << 8 ) | tmpbuf[keyidoff + 1 + 2*i] ;
-	len += itemlen;
-	entry->certKeys[i].len = itemlen;
-
-	itemlen = ( tmpbuf[keyidoff + 2*ncerts + 2*i] << 8 ) |
-	    tmpbuf[keyidoff + 1 + 2*ncerts + 2*i] ;
-	len += itemlen;
-	entry->keyIDs[i].len = itemlen;
-    }
-    
-    /* is database entry correct length? */
+        unsigned int itemlen = ( tmpbuf[0] << 8 ) | tmpbuf[1] ;
+        entry->keyIDs[i].len = itemlen;
+        len += itemlen;
+        tmpbuf += 2;
+    }
+
+    /* is encoded entry large enough ? */
     if ( len > dbentry->len ){
 	PORT_SetError(SEC_ERROR_BAD_DATABASE);
 	goto loser;
     }
-    
-    tmpbuf = &tmpbuf[keyidoff + 4*ncerts];
+
     for ( i = 0; i < ncerts; i++ ) {
-	entry->certKeys[i].data =
-	    (unsigned char *)PORT_ArenaAlloc(arena, entry->certKeys[i].len);
+	unsigned int kLen = entry->certKeys[i].len;
+	entry->certKeys[i].data = (unsigned char *)PORT_ArenaAlloc(arena, kLen);
 	if ( entry->certKeys[i].data == NULL ) {
 	    PORT_SetError(SEC_ERROR_NO_MEMORY);
 	    goto loser;
 	}
-	PORT_Memcpy(entry->certKeys[i].data, tmpbuf, entry->certKeys[i].len);
-	tmpbuf = &tmpbuf[entry->certKeys[i].len];
-    }
-
+	PORT_Memcpy(entry->certKeys[i].data, tmpbuf, kLen);
+	tmpbuf += kLen;
+    }
     for ( i = 0; i < ncerts; i++ ) {
-	entry->keyIDs[i].data =
-	    (unsigned char *)PORT_ArenaAlloc(arena, entry->keyIDs[i].len);
+	unsigned int iLen = entry->keyIDs[i].len;
+	entry->keyIDs[i].data = (unsigned char *)PORT_ArenaAlloc(arena, iLen);
 	if ( entry->keyIDs[i].data == NULL ) {
 	    PORT_SetError(SEC_ERROR_NO_MEMORY);
 	    goto loser;
 	}
-	PORT_Memcpy(entry->keyIDs[i].data, tmpbuf, entry->keyIDs[i].len);
-	tmpbuf = &tmpbuf[entry->keyIDs[i].len];
-    }
-
-    end = &dbentry->data[dbentry->len];
-    if ((eaddrlen == 0) && (tmpbuf+1 < end)) {
+	PORT_Memcpy(entry->keyIDs[i].data, tmpbuf, iLen);
+	tmpbuf += iLen;
+    }
+
+    end = dbentry->data + dbentry->len;
+    if ((eaddrlen == 0) && (end - tmpbuf > 1)) {
 	/* read in the additional email addresses */
-	entry->nemailAddrs = tmpbuf[0] << 8 | tmpbuf[1];
+	entry->nemailAddrs = (((unsigned int)tmpbuf[0]) << 8) | tmpbuf[1];
 	tmpbuf += 2;
-	entry->emailAddrs = (char **)
-		PORT_ArenaAlloc(arena, entry->nemailAddrs * sizeof(char *));
+	if (end - tmpbuf < 2 * (int)entry->nemailAddrs)
+	    goto loser;
+	entry->emailAddrs = PORT_ArenaNewArray(arena, char *, entry->nemailAddrs);
 	if (entry->emailAddrs == NULL) {
 	    PORT_SetError(SEC_ERROR_NO_MEMORY);
 	    goto loser;
 	}
 	for (i=0; i < entry->nemailAddrs; i++) {
 	    int nameLen;
-	    if (tmpbuf + 2 > end) {
+	    if (end - tmpbuf < 2) {
 		goto loser;
 	    }
-
-	    nameLen = tmpbuf[0] << 8 | tmpbuf[1];
+	    nameLen = (((int)tmpbuf[0]) << 8) | tmpbuf[1];
+	    tmpbuf += 2;
+	    if (end - tmpbuf < nameLen) {
+		goto loser;
+	    }
 	    entry->emailAddrs[i] = PORT_ArenaAlloc(arena,nameLen);
 	    if (entry->emailAddrs == NULL) {
 	        PORT_SetError(SEC_ERROR_NO_MEMORY);
 	        goto loser;
 	    }
-	    if (tmpbuf + (nameLen+2) > end) {
-		goto loser;
-	    }
-	    PORT_Memcpy(entry->emailAddrs[i],&tmpbuf[2],nameLen);
-	    tmpbuf += 2 + nameLen;
+	    PORT_Memcpy(entry->emailAddrs[i], tmpbuf, nameLen);
+	    tmpbuf += nameLen;
 	}
-    }
-    
-    
+	if (tmpbuf != end) 
+	    goto loser;
+    }
+    PORT_ArenaUnmark(arena, mark);
     return(SECSuccess);
 
 loser:
+    PORT_ArenaRelease(arena, mark); /* discard above allocations */
     return(SECFailure);
 }
 
 /*
  * create a new subject entry with a single cert
  */
 static certDBEntrySubject *
 NewDBSubjectEntry(SECItem *derSubject, SECItem *certKey,
--- a/security/nss/lib/softoken/legacydb/pcertt.h
+++ b/security/nss/lib/softoken/legacydb/pcertt.h
@@ -31,17 +31,17 @@
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 /*
  * certt.h - public data structures for the certificate library
  *
- * $Id: pcertt.h,v 1.2 2007/06/13 00:24:57 rrelyea%redhat.com Exp $
+ * $Id: pcertt.h,v 1.3 2009/04/12 01:31:46 nelson%bolyard.com Exp $
  */
 #ifndef _PCERTT_H_
 #define _PCERTT_H_
 
 #include "prclist.h"
 #include "pkcs11t.h"
 #include "seccomon.h"
 #include "secoidt.h"
@@ -163,16 +163,18 @@ struct NSSLOWCERTCertificateStr {
 
 #define SEC_CERTIFICATE_VERSION_1		0	/* default created */
 #define SEC_CERTIFICATE_VERSION_2		1	/* v2 */
 #define SEC_CERTIFICATE_VERSION_3		2	/* v3 extensions */
 
 #define SEC_CRL_VERSION_1		0	/* default */
 #define SEC_CRL_VERSION_2		1	/* v2 extensions */
 
+#define NSS_MAX_LEGACY_DB_KEY_SIZE (60 * 1024)
+
 struct NSSLOWCERTIssuerAndSNStr {
     SECItem derIssuer;
     SECItem serialNumber;
 };
 
 typedef SECStatus (* NSSLOWCERTCertCallback)(NSSLOWCERTCertificate *cert, void *arg);
 
 /* This is the typedef for the callback passed to nsslowcert_OpenCertDB() */
--- a/security/nss/lib/softoken/lgglue.c
+++ b/security/nss/lib/softoken/lgglue.c
@@ -144,16 +144,17 @@ sftkdb_LoadFromPath(const char *path, co
 
     libSpec.type = PR_LibSpec_Pathname;
     libSpec.value.pathname = fullPathName;
     lib = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL);
     PORT_Free(fullPathName);
     return lib;
 }
 
+
 static PRLibrary *
 sftkdb_LoadLibrary(const char *libname)
 {
     PRLibrary *lib = NULL;
     PRFuncPtr fn_addr;
     char *parentLibPath = NULL;
 
     fn_addr  = (PRFuncPtr) &sftkdb_LoadLibrary;
@@ -183,16 +184,17 @@ done:
 
     /* still couldn't load it, try the generic path */
     if (!lib) {
 	PRLibSpec libSpec;
 	libSpec.type = PR_LibSpec_Pathname;
 	libSpec.value.pathname = libname;
 	lib = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL);
     }
+
     return lib;
 }
 
 /*
  * stub files for legacy db's to be able to encrypt and decrypt
  * various keys and attributes.
  */
 static SECStatus
@@ -265,28 +267,49 @@ sftkdb_decrypt_stub(SDB *sdb, SECItem *c
     }
     rv = sftkdb_DecryptAttribute( oldKey ? oldKey : &handle->passwordKey,
 		cipherText, plainText);
     PZ_Unlock(handle->passwordLock);
 
     return rv;
 }
 
+static const char *LEGACY_LIB_NAME = 
+	SHLIB_PREFIX"nssdbm"SHLIB_VERSION"."SHLIB_SUFFIX;
+/*
+ * 2 bools to tell us if we've check the legacy library successfully or
+ * not. Initialize on startup to false by the C BSS segment;
+ */
+static PRBool legacy_glue_libCheckFailed;    /* set if we failed the check */
+static PRBool legacy_glue_libCheckSucceeded; /* set if we passed the check */
 static PRLibrary *legacy_glue_lib = NULL;
 static SECStatus 
-sftkdbLoad_Legacy()
+sftkdbLoad_Legacy(PRBool isFIPS)
 {
     PRLibrary *lib = NULL;
     LGSetCryptFunc setCryptFunction = NULL;
 
     if (legacy_glue_lib) {
+	/* this check is necessary because it's possible we loaded the
+	 * legacydb to read secmod.db, which told us whether we were in
+	 * FIPS mode or not. */
+	if (isFIPS && !legacy_glue_libCheckSucceeded) {
+	    if (legacy_glue_libCheckFailed || 
+		!BLAPI_SHVerify(LEGACY_LIB_NAME,(PRFuncPtr)legacy_glue_open)) {
+    	    	legacy_glue_libCheckFailed = PR_TRUE;
+		/* don't clobber legacy glue to avoid race. just let it
+		 * get cleared in shutdown */
+		return SECFailure;
+	    }
+    	    legacy_glue_libCheckSucceeded = PR_TRUE;
+	} 
 	return SECSuccess;
     }
 
-    lib = sftkdb_LoadLibrary(SHLIB_PREFIX"nssdbm"SHLIB_VERSION"."SHLIB_SUFFIX);
+    lib = sftkdb_LoadLibrary(LEGACY_LIB_NAME);
     if (lib == NULL) {
 	return SECFailure;
     }
     
     legacy_glue_open = (LGOpenFunc)PR_FindFunctionSymbol(lib, "legacy_Open");
     legacy_glue_readSecmod = (LGReadSecmodFunc) PR_FindFunctionSymbol(lib,
 						 "legacy_ReadSecmodDB");
     legacy_glue_releaseSecmod = (LGReleaseSecmodFunc) PR_FindFunctionSymbol(lib,
@@ -301,29 +324,39 @@ sftkdbLoad_Legacy()
 						"legacy_SetCryptFunctions");
 
     if (!legacy_glue_open || !legacy_glue_readSecmod || 
 	    !legacy_glue_releaseSecmod || !legacy_glue_deleteSecmod || 
 	    !legacy_glue_addSecmod || !setCryptFunction) {
 	PR_UnloadLibrary(lib);
 	return SECFailure;
     }
+
+    /* verify the loaded library if we are in FIPS mode */
+    if (isFIPS) {
+	if (!BLAPI_SHVerify(LEGACY_LIB_NAME,(PRFuncPtr)legacy_glue_open)) {
+	    PR_UnloadLibrary(lib);
+	    return SECFailure;
+	}
+    	legacy_glue_libCheckSucceeded = PR_TRUE;
+    } 
+
     setCryptFunction(sftkdb_encrypt_stub,sftkdb_decrypt_stub);
     legacy_glue_lib = lib;
     return SECSuccess;
 }
 
 CK_RV
 sftkdbCall_open(const char *dir, const char *certPrefix, const char *keyPrefix, 
-		int certVersion, int keyVersion, int flags, 
+		int certVersion, int keyVersion, int flags, PRBool isFIPS,
 		SDB **certDB, SDB **keyDB)
 {
     SECStatus rv;
 
-    rv = sftkdbLoad_Legacy();
+    rv = sftkdbLoad_Legacy(isFIPS);
     if (rv != SECSuccess) {
 	return CKR_GENERAL_ERROR;
     }
     if (!legacy_glue_open) {
 	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
 	return SECFailure;
     }
     return (*legacy_glue_open)(dir, certPrefix, keyPrefix, 
@@ -332,17 +365,17 @@ sftkdbCall_open(const char *dir, const c
 }
 
 char **
 sftkdbCall_ReadSecmodDB(const char *appName, const char *filename, 
 			const char *dbname, char *params, PRBool rw)
 {
     SECStatus rv;
 
-    rv = sftkdbLoad_Legacy();
+    rv = sftkdbLoad_Legacy(PR_FALSE);
     if (rv != SECSuccess) {
 	return NULL;
     }
     if (!legacy_glue_readSecmod) {
 	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
 	return NULL;
     }
     return (*legacy_glue_readSecmod)(appName, filename, dbname, params, rw);
@@ -350,17 +383,17 @@ sftkdbCall_ReadSecmodDB(const char *appN
 
 SECStatus
 sftkdbCall_ReleaseSecmodDBData(const char *appName, 
 			const char *filename, const char *dbname, 
 			char **moduleSpecList, PRBool rw)
 {
     SECStatus rv;
 
-    rv = sftkdbLoad_Legacy();
+    rv = sftkdbLoad_Legacy(PR_FALSE);
     if (rv != SECSuccess) {
 	return rv;
     }
     if (!legacy_glue_releaseSecmod) {
 	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
 	return SECFailure;
     }
     return (*legacy_glue_releaseSecmod)(appName, filename, dbname, 
@@ -369,17 +402,17 @@ sftkdbCall_ReleaseSecmodDBData(const cha
 
 SECStatus
 sftkdbCall_DeleteSecmodDB(const char *appName, 
 		      const char *filename, const char *dbname, 
 		      char *args, PRBool rw)
 {
     SECStatus rv;
 
-    rv = sftkdbLoad_Legacy();
+    rv = sftkdbLoad_Legacy(PR_FALSE);
     if (rv != SECSuccess) {
 	return rv;
     }
     if (!legacy_glue_deleteSecmod) {
 	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
 	return SECFailure;
     }
     return (*legacy_glue_deleteSecmod)(appName, filename, dbname, args, rw);
@@ -387,17 +420,17 @@ sftkdbCall_DeleteSecmodDB(const char *ap
 
 SECStatus
 sftkdbCall_AddSecmodDB(const char *appName, 
 		   const char *filename, const char *dbname, 
 		   char *module, PRBool rw)
 {
     SECStatus rv;
 
-    rv = sftkdbLoad_Legacy();
+    rv = sftkdbLoad_Legacy(PR_FALSE);
     if (rv != SECSuccess) {
 	return rv;
     }
     if (!legacy_glue_addSecmod) {
 	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
 	return SECFailure;
     }
     return (*legacy_glue_addSecmod)(appName, filename, dbname, module, rw);
@@ -422,12 +455,14 @@ sftkdbCall_Shutdown(void)
         PR_UnloadLibrary(legacy_glue_lib);
     }
     legacy_glue_lib = NULL;
     legacy_glue_open = NULL;
     legacy_glue_readSecmod = NULL;
     legacy_glue_releaseSecmod = NULL;
     legacy_glue_deleteSecmod = NULL;
     legacy_glue_addSecmod = NULL;
+    legacy_glue_libCheckFailed    = PR_FALSE;
+    legacy_glue_libCheckSucceeded = PR_FALSE;
     return crv;
 }
     
 
--- a/security/nss/lib/softoken/lgglue.h
+++ b/security/nss/lib/softoken/lgglue.h
@@ -70,17 +70,17 @@ typedef SECStatus (*LGShutdownFunc)(PRBo
 typedef void (*LGSetForkStateFunc)(PRBool);
 typedef void (*LGSetCryptFunc)(LGEncryptFunc, LGDecryptFunc);
 
 /*
  * Softoken Glue Functions
  */
 CK_RV sftkdbCall_open(const char *dir, const char *certPrefix, 
 		const char *keyPrefix, 
-		int certVersion, int keyVersion, int flags, 
+		int certVersion, int keyVersion, int flags, PRBool isFIPS,
 		SDB **certDB, SDB **keyDB);
 char ** sftkdbCall_ReadSecmodDB(const char *appName, const char *filename, 
 			const char *dbname, char *params, PRBool rw);
 SECStatus sftkdbCall_ReleaseSecmodDBData(const char *appName, 
 			const char *filename, const char *dbname, 
 			char **moduleSpecList, PRBool rw);
 SECStatus sftkdbCall_DeleteSecmodDB(const char *appName, 
 		      const char *filename, const char *dbname, 
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -2146,17 +2146,19 @@ SFTK_SlotReInit(SFTKSlot *slot, char *co
 	SFTKDBHandle * certHandle = NULL;
 	SFTKDBHandle *keyHandle = NULL;
 	crv = sftk_DBInit(params->configdir ? params->configdir : configdir,
 		params->certPrefix, params->keyPrefix, 
 		params->updatedir ? params->updatedir : updatedir,
 		params->updCertPrefix, params->updKeyPrefix,
 		params->updateID  ? params->updateID : updateID, 
 		params->readOnly, params->noCertDB, params->noKeyDB,
-		params->forceOpen, &certHandle, &keyHandle);
+		params->forceOpen, 
+		moduleIndex == NSC_FIPS_MODULE,
+		&certHandle, &keyHandle);
 	if (crv != CKR_OK) {
 	    goto loser;
 	}
 
 	slot->certDB = certHandle;
 	slot->keyDB = keyHandle;
     }
     if (needLogin) {
--- a/security/nss/lib/softoken/sftkdb.c
+++ b/security/nss/lib/softoken/sftkdb.c
@@ -2542,17 +2542,17 @@ sftk_hasLegacyDB(const char *confdir, co
  * calls the appropriate low level function to open the database.
  * It also figures out whether or not to setup up automatic update.
  */
 CK_RV 
 sftk_DBInit(const char *configdir, const char *certPrefix,
                 const char *keyPrefix, const char *updatedir,
 		const char *updCertPrefix, const char *updKeyPrefix, 
 		const char *updateID, PRBool readOnly, PRBool noCertDB,
-                PRBool noKeyDB, PRBool forceOpen,
+                PRBool noKeyDB, PRBool forceOpen, PRBool isFIPS,
                 SFTKDBHandle **certDB, SFTKDBHandle **keyDB)
 {
     const char *confdir;
     SDBType dbType;
     char *appName = NULL;
     SDB *keySDB, *certSDB;
     CK_RV crv = CKR_OK;
     int flags = SDB_RDONLY;
@@ -2572,39 +2572,39 @@ sftk_DBInit(const char *configdir, const
     confdir = sftk_EvaluateConfigDir(configdir, &dbType, &appName);
 
     /*
      * now initialize the appropriate database
      */
     switch (dbType) {
     case SDB_LEGACY:
 	crv = sftkdbCall_open(confdir, certPrefix, keyPrefix, 8, 3, flags,
-		noCertDB? NULL : &certSDB, noKeyDB ? NULL: &keySDB);
+		 isFIPS, noCertDB? NULL : &certSDB, noKeyDB ? NULL: &keySDB);
 	break;
     case SDB_MULTIACCESS:
 	crv = sftkdbCall_open(configdir, certPrefix, keyPrefix, 8, 3, flags,
-		noCertDB? NULL : &certSDB, noKeyDB ? NULL: &keySDB);
+		isFIPS, noCertDB? NULL : &certSDB, noKeyDB ? NULL: &keySDB);
 	break;
     case SDB_SQL:
     case SDB_EXTERN: /* SHOULD open a loadable db */
 	crv = s_open(confdir, certPrefix, keyPrefix, 9, 4, flags, 
 		noCertDB? NULL : &certSDB, noKeyDB ? NULL : &keySDB, &newInit);
 
         /*
 	 * if we failed to open the DB's read only, use the old ones if
 	 * the exists.
 	 */
 	if (crv != CKR_OK) {
 	    if ((flags == SDB_RDONLY)  &&
 	         sftk_hasLegacyDB(confdir, certPrefix, keyPrefix, 8, 3)) {
 	    /* we have legacy databases, if we failed to open the new format 
 	     * DB's read only, just use the legacy ones */
 		crv = sftkdbCall_open(confdir, certPrefix, 
-			keyPrefix, 8, 3, flags, noCertDB? NULL : &certSDB,
-			noKeyDB ? NULL : &keySDB);
+			keyPrefix, 8, 3, flags, isFIPS, 
+			noCertDB? NULL : &certSDB, noKeyDB ? NULL : &keySDB);
 	    }
 	/* Handle the database merge case.
          *
          * For the merge case, we need help from the application. Only
          * the application knows where the old database is, and what unique
          * identifier it has associated with it.
          *
          * If the client supplies these values, we use them to determine
@@ -2664,17 +2664,18 @@ sftk_DBInit(const char *configdir, const
      * mark the handle as needing update.
      */
     if (needUpdate) {
 	SDB *updateCert = NULL;
 	SDB *updateKey = NULL;
 	CK_RV crv2;
 
 	crv2 = sftkdbCall_open(confdir, certPrefix, keyPrefix, 8, 3, flags,
-		noCertDB ? NULL : &updateCert, noKeyDB ? NULL : &updateKey);
+		isFIPS, noCertDB ? NULL : &updateCert, 
+		noKeyDB ? NULL : &updateKey);
 	if (crv2 == CKR_OK) {
 	    if (*certDB) {
 		(*certDB)->update = updateCert;
 		(*certDB)->updateID = updateID && *updateID 
 				? PORT_Strdup(updateID) : NULL;
 		updateCert->app_private = (*certDB);
 	    }
 	    if (*keyDB) {
--- a/security/nss/lib/softoken/sftkdb.h
+++ b/security/nss/lib/softoken/sftkdb.h
@@ -102,17 +102,17 @@ void sftkdb_FreeUpdatePasswordKey(SFTKDB
  *                      PKCS #11 module.
  * forceOpen - Continue to force initializations even if the databases cannot
  *                      be opened.
  */
 CK_RV sftk_DBInit(const char *configdir, const char *certPrefix,
 	 	const char *keyPrefix, const char *updatedir, 
 		const char *updCertPrefix, const char *updKeyPrefix,
 		const char *updateID, PRBool readOnly, PRBool noCertDB, 
-		PRBool noKeyDB, PRBool forceOpen, 
+		PRBool noKeyDB, PRBool forceOpen, PRBool isFIPS,
 		SFTKDBHandle **certDB, SFTKDBHandle **keyDB);
 CK_RV sftkdb_Shutdown(void);
 
 SFTKDBHandle *sftk_getCertDB(SFTKSlot *slot);
 SFTKDBHandle *sftk_getKeyDB(SFTKSlot *slot);
 SFTKDBHandle *sftk_getDBForTokenObject(SFTKSlot *slot, 
                                        CK_OBJECT_HANDLE objectID);
 void sftk_freeDB(SFTKDBHandle *certHandle);
--- a/security/nss/lib/softoken/sftkpwd.c
+++ b/security/nss/lib/softoken/sftkpwd.c
@@ -681,16 +681,26 @@ sftkdb_HasPasswordSet(SFTKDBHandle *keyd
 	return SECFailure;
     }
 
     salt.data = saltData;
     salt.len = sizeof(saltData);
     value.data = valueData;
     value.len = sizeof(valueData);
     crv = (*db->sdb_GetMetaData)(db, "password", &salt, &value);
+
+    /* If no password is set, we can update right away */
+    if (((keydb->db->sdb_flags & SDB_RDONLY) == 0) && keydb->update 
+	&& crv != CKR_OK) {
+	/* update the peer certdb if it exists */
+	if (keydb->peerDB) {
+	    sftkdb_Update(keydb->peerDB, NULL);
+	}
+	sftkdb_Update(keydb, NULL);
+    }
     return (crv == CKR_OK) ? SECSuccess : SECFailure;
 }
 
 #define SFTK_PW_CHECK_STRING "password-check"
 #define SFTK_PW_CHECK_LEN 14
 
 /*
  * check if the supplied password is valid
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -52,15 +52,15 @@
 
 /*
  * Softoken's major version, minor version, patch level, and whether
  * this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION  "3.12.3" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION  "3.12.4" SOFTOKEN_ECC_STRING
 #define SOFTOKEN_VMAJOR   3
 #define SOFTOKEN_VMINOR   12
-#define SOFTOKEN_VPATCH   3
+#define SOFTOKEN_VPATCH   4
 #define SOFTOKEN_BETA     PR_FALSE
 
 #endif /* _SOFTKVER_H_ */
--- a/security/nss/lib/ssl/config.mk
+++ b/security/nss/lib/ssl/config.mk
@@ -51,16 +51,17 @@ IMPORT_LIBRARY = $(OBJDIR)/$(IMPORT_LIB_
 
 RES = $(OBJDIR)/ssl.res
 RESNAME = ssl.rc
 
 ifdef NS_USE_GCC
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib \
 	-lnss3 \
+	-L$(NSSUTIL_LIB_DIR) \
 	-lnssutil3 \
 	-L$(NSPR_LIB_DIR) \
 	-lplc4 \
 	-lplds4 \
 	-lnspr4 \
 	$(NULL)
 else # ! NS_USE_GCC
 EXTRA_SHARED_LIBS += \
@@ -68,47 +69,38 @@ EXTRA_SHARED_LIBS += \
 	$(DIST)/lib/nssutil3.lib \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
 	$(NULL)
 endif # NS_USE_GCC
 
 # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
-CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
-CRYPTODIR=../freebl
-ifdef MOZILLA_SECURITY_BUILD
-	CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX)
-	CRYPTODIR=../crypto
-endif
+CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
 
 EXTRA_LIBS += \
 	$(CRYPTOLIB) \
 	$(NULL)
 
 else
 
 # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
-CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
-CRYPTODIR=../freebl
-ifdef MOZILLA_SECURITY_BUILD
-	CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX)
-	CRYPTODIR=../crypto
-endif
+CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
 
 EXTRA_LIBS += \
 	$(CRYPTOLIB) \
 	$(NULL)
 
 
 # $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
 # $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib \
 	-lnss3 \
+	-L$(NSSUTIL_LIB_DIR) \
 	-lnssutil3 \
 	-L$(NSPR_LIB_DIR) \
 	-lplc4 \
 	-lplds4 \
 	-lnspr4 \
 	$(NULL)
 
 ifeq ($(OS_ARCH), BeOS)
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -46,15 +46,15 @@
 
 /*
  * NSS utilities's major version, minor version, patch level, and whether
  * this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>][ <Beta>]"
  */
-#define NSSUTIL_VERSION  "3.12.3"
+#define NSSUTIL_VERSION  "3.12.4 Beta"
 #define NSSUTIL_VMAJOR   3
 #define NSSUTIL_VMINOR   12
-#define NSSUTIL_VPATCH   3
-#define NSSUTIL_BETA     PR_FALSE
+#define NSSUTIL_VPATCH   4
+#define NSSUTIL_BETA     PR_TRUE
 
 #endif /* __nssutil_h_ */
--- a/security/nss/lib/util/secerr.h
+++ b/security/nss/lib/util/secerr.h
@@ -220,14 +220,17 @@ SEC_ERROR_FAILED_TO_ENCODE_DATA         
 SEC_ERROR_BAD_INFO_ACCESS_LOCATION         =	(SEC_ERROR_BASE + 165), 
 
 SEC_ERROR_LIBPKIX_INTERNAL                 =	(SEC_ERROR_BASE + 166),
 
 SEC_ERROR_PKCS11_GENERAL_ERROR             =	(SEC_ERROR_BASE + 167),
 SEC_ERROR_PKCS11_FUNCTION_FAILED           =	(SEC_ERROR_BASE + 168),
 SEC_ERROR_PKCS11_DEVICE_ERROR              =	(SEC_ERROR_BASE + 169),
 
+SEC_ERROR_BAD_INFO_ACCESS_METHOD           =    (SEC_ERROR_BASE + 170),
+SEC_ERROR_CRL_IMPORT_FAILED                =    (SEC_ERROR_BASE + 171),
+
 /* Add new error codes above here. */
 SEC_ERROR_END_OF_LIST 
 } SECErrorCodes;
 #endif /* NO_SECURITY_ERROR_ENUM */
 
 #endif /* __SEC_ERR_H_ */
--- a/security/nss/lib/util/secoid.c
+++ b/security/nss/lib/util/secoid.c
@@ -356,16 +356,18 @@ CONST_OID x509CRLDistPoints[]         		
 CONST_OID x509CertificatePolicies[]   		= { ID_CE_OID, 32 };
 CONST_OID x509PolicyMappings[]        		= { ID_CE_OID, 33 };
 CONST_OID x509AuthKeyID[]             		= { ID_CE_OID, 35 };
 CONST_OID x509PolicyConstraints[]     		= { ID_CE_OID, 36 };
 CONST_OID x509ExtKeyUsage[]           		= { ID_CE_OID, 37 };
 CONST_OID x509FreshestCRL[]           		= { ID_CE_OID, 46 };
 CONST_OID x509InhibitAnyPolicy[]           	= { ID_CE_OID, 54 };
 
+CONST_OID x509CertificatePoliciesAnyPolicy[]    = { ID_CE_OID, 32, 0 };
+
 CONST_OID x509AuthInfoAccess[]        		= { PKIX_CERT_EXTENSIONS,  1 };
 CONST_OID x509SubjectInfoAccess[]               = { PKIX_CERT_EXTENSIONS, 11 };
 
 CONST_OID x509SIATimeStamping[]                 = {PKIX_ACCESS_DESCRIPTION, 0x03};
 CONST_OID x509SIACaRepository[]                 = {PKIX_ACCESS_DESCRIPTION, 0x05};
 
 /* pkcs 12 additions */
 CONST_OID pkcs12[]                           = { PKCS12 };
@@ -1581,16 +1583,19 @@ const static SECOidData oids[SEC_OID_TOT
     OD( isoSHA1WithRSASignature, SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE,
 	"ISO SHA-1 with RSA Signature", 
 	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
 
     /* SEED algorithm OIDs */
     OD( seed_CBC, SEC_OID_SEED_CBC,
 	"SEED-CBC", CKM_SEED_CBC, INVALID_CERT_EXTENSION),
 
+    OD( x509CertificatePoliciesAnyPolicy, SEC_OID_X509_ANY_POLICY,
+ 	"Certificate Policies AnyPolicy",
+        CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
 };
 
 /* PRIVATE EXTENDED SECOID Table
  * This table is private. Its structure is opaque to the outside.
  * It is indexed by the same SECOidTag as the oids table above.
  * Every member of this struct must have accessor functions (set, get)
  * and those functions must operate by value, not by reference.
  * The addresses of the contents of this table must not be exposed 
--- a/security/nss/lib/util/secoidt.h
+++ b/security/nss/lib/util/secoidt.h
@@ -38,17 +38,17 @@
 #ifndef _SECOIDT_H_
 #define _SECOIDT_H_
 
 #include "utilrename.h"
 
 /*
  * secoidt.h - public data structures for ASN.1 OID functions
  *
- * $Id: secoidt.h,v 1.29 2009/03/13 02:59:03 nelson%bolyard.com Exp $
+ * $Id: secoidt.h,v 1.30 2009/04/14 02:04:08 alexei.volkov.bugs%sun.com Exp $
  */
 
 #include "secitem.h"
 
 typedef struct SECOidDataStr SECOidData;
 typedef struct SECAlgorithmIDStr SECAlgorithmID;
 
 /*
@@ -443,16 +443,18 @@ typedef enum {
 
     SEC_OID_PKIX_TIMESTAMPING               = 299,
     SEC_OID_PKIX_CA_REPOSITORY              = 300,
 
     SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE     = 301,
 
     SEC_OID_SEED_CBC			    = 302,
 
+    SEC_OID_X509_ANY_POLICY                 = 303,
+
     SEC_OID_TOTAL
 } SECOidTag;
 
 #define SEC_OID_SECG_EC_SECP192R1 SEC_OID_ANSIX962_EC_PRIME192V1
 #define SEC_OID_SECG_EC_SECP256R1 SEC_OID_ANSIX962_EC_PRIME256V1
 #define SEC_OID_PKCS12_KEY_USAGE  SEC_OID_X509_KEY_USAGE
 
 /* fake OID for DSS sign/verify */
--- a/security/nss/tests/chains/chains.sh
+++ b/security/nss/tests/chains/chains.sh
@@ -66,17 +66,17 @@ chains_init()
     SCRIPTNAME="chains.sh"
 
     CHAINS_DIR="${HOSTDIR}/chains"
     mkdir -p ${CHAINS_DIR}
     cd ${CHAINS_DIR}
 
     CHAINS_SCENARIOS="${QADIR}/chains/scenarios/scenarios"
 
-    CERT_SN_CNT=$(date '+%m%d%H%M%S')
+    CERT_SN_CNT=$(date '+%m%d%H%M%S' | sed "s/^0*//")
     CERT_SN_FIX=$(expr ${CERT_SN_CNT} - 1000)
 
     PK7_NONCE=$CERT_SN_CNT;
 
     AIA_FILES="${HOSTDIR}/aiafiles"
 
     CU_DATA=${HOSTDIR}/cu_data
     CRL_DATA=${HOSTDIR}/crl_data
--- a/security/nss/tests/cipher/cipher.sh
+++ b/security/nss/tests/cipher/cipher.sh
@@ -1,9 +1,9 @@
-#! /bin/sh  
+#! /bin/bash  
 #
 # ***** BEGIN LICENSE BLOCK *****
 # Version: MPL 1.1/GPL 2.0/LGPL 2.1
 #
 # The contents of this file are subject to the Mozilla Public License Version
 # 1.1 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
 # http://www.mozilla.org/MPL/