Bug 1479787 - use NSS mozpkix in Firefox, r=mt,keeler,glandium
authorFranziskus Kiefer <franziskuskiefer@gmail.com>
Tue, 02 Oct 2018 14:59:34 +0200
changeset 439251 432a98e50d2bfab224328254266069aef1a474cc
parent 439250 fd2a0cc4b40afeb46ac88965237bfefaa58702ae
child 439252 6b9dea7e0a320af8c1aca99e46f61a660938599d
push id34759
push userdvarga@mozilla.com
push dateTue, 02 Oct 2018 21:48:10 +0000
reviewersmt, keeler, glandium
bugs1479787
milestone64.0a1
Bug 1479787 - use NSS mozpkix in Firefox, r=mt,keeler,glandium Differential Revision: https://phabricator.services.mozilla.com/D2725 Differential Revision: https://phabricator.services.mozilla.com/D2860
dom/crypto/moz.build
dom/media/gtest/moz.build
dom/u2f/moz.build
dom/webauthn/WebAuthnUtil.cpp
dom/webauthn/moz.build
netwerk/base/moz.build
netwerk/protocol/http/moz.build
netwerk/protocol/http/nsHttpConnection.cpp
old-configure.in
security/apps/AppSignatureVerification.cpp
security/apps/AppTrustDomain.cpp
security/apps/AppTrustDomain.h
security/apps/moz.build
security/certverifier/BRNameMatchingPolicy.h
security/certverifier/CertVerifier.cpp
security/certverifier/CertVerifier.h
security/certverifier/ExtendedValidation.cpp
security/certverifier/NSSCertDBTrustDomain.cpp
security/certverifier/NSSCertDBTrustDomain.h
security/certverifier/OCSPCache.cpp
security/certverifier/OCSPCache.h
security/certverifier/OCSPVerificationTrustDomain.h
security/certverifier/moz.build
security/ct/BTVerifier.h
security/ct/CTDiversityPolicy.h
security/ct/CTLogVerifier.cpp
security/ct/CTLogVerifier.h
security/ct/CTObjectsExtractor.cpp
security/ct/CTObjectsExtractor.h
security/ct/CTPolicyEnforcer.h
security/ct/CTSerialization.h
security/ct/CTUtils.h
security/ct/MultiLogCTVerifier.h
security/ct/SignedCertificateTimestamp.h
security/ct/moz.build
security/ct/tests/gtest/CTTestUtils.cpp
security/ct/tests/gtest/CTTestUtils.h
security/ct/tests/gtest/moz.build
security/manager/ssl/CSTrustDomain.cpp
security/manager/ssl/CSTrustDomain.h
security/manager/ssl/CertBlocklist.cpp
security/manager/ssl/CertBlocklist.h
security/manager/ssl/ContentSignatureVerifier.cpp
security/manager/ssl/NSSErrorsService.cpp
security/manager/ssl/PublicKeyPinningService.cpp
security/manager/ssl/PublicKeyPinningService.h
security/manager/ssl/SSLServerCertVerification.cpp
security/manager/ssl/TransportSecurityInfo.cpp
security/manager/ssl/TransportSecurityInfo.h
security/manager/ssl/moz.build
security/manager/ssl/nsCertTree.cpp
security/manager/ssl/nsNSSCallbacks.cpp
security/manager/ssl/nsNSSCallbacks.h
security/manager/ssl/nsNSSCertificate.cpp
security/manager/ssl/nsNSSCertificateDB.cpp
security/manager/ssl/nsNSSComponent.cpp
security/manager/ssl/nsNSSIOLayer.cpp
security/manager/ssl/nsPKCS12Blob.cpp
security/manager/ssl/nsSiteSecurityService.h
security/manager/ssl/tests/gtest/OCSPCacheTest.cpp
security/manager/ssl/tests/gtest/moz.build
security/manager/ssl/tests/unit/tlsserver/cmd/moz.build
security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
security/manager/ssl/tests/unit/tlsserver/lib/moz.build
security/moz.build
--- a/dom/crypto/moz.build
+++ b/dom/crypto/moz.build
@@ -25,13 +25,12 @@ UNIFIED_SOURCES += [
 ]
 
 include('/ipc/chromium/chromium-config.mozbuild')
 
 FINAL_LIBRARY = 'xul'
 
 LOCAL_INCLUDES += [
     '/security/manager/ssl',
-    '/security/pkix/include',
     '/xpcom/build',
 ]
 
 MOCHITEST_MANIFESTS += ['test/mochitest.ini']
--- a/dom/media/gtest/moz.build
+++ b/dom/media/gtest/moz.build
@@ -80,17 +80,16 @@ include('/ipc/chromium/chromium-config.m
 LOCAL_INCLUDES += [
     '/dom/media',
     '/dom/media/encoder',
     '/dom/media/gmp',
     '/dom/media/mp4',
     '/dom/media/platforms',
     '/dom/media/platforms/agnostic',
     '/security/certverifier',
-    '/security/pkix/include',
 ]
 
 FINAL_LIBRARY = 'xul-gtest'
 
 if CONFIG['CC_TYPE'] in ('clang', 'gcc'):
     CXXFLAGS += ['-Wno-error=shadow']
 
 if CONFIG['CC_TYPE'] == 'clang':
--- a/dom/u2f/moz.build
+++ b/dom/u2f/moz.build
@@ -20,14 +20,12 @@ include('/ipc/chromium/chromium-config.m
 
 FINAL_LIBRARY = 'xul'
 
 LOCAL_INCLUDES += [
     '/dom/base',
     '/dom/crypto',
     '/dom/webauthn',
     '/security/manager/ssl',
-    '/security/pkix/include',
-    '/security/pkix/lib',
 ]
 
 MOCHITEST_MANIFESTS += ['tests/mochitest.ini']
 BROWSER_CHROME_MANIFESTS += ['tests/browser/browser.ini']
--- a/dom/webauthn/WebAuthnUtil.cpp
+++ b/dom/webauthn/WebAuthnUtil.cpp
@@ -2,17 +2,17 @@
 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "mozilla/dom/WebAuthnUtil.h"
 #include "nsIEffectiveTLDService.h"
 #include "nsNetUtil.h"
-#include "pkixutil.h"
+#include "mozpkix/pkixutil.h"
 
 namespace mozilla {
 namespace dom {
 
 // Bug #1436078 - Permit Google Accounts. Remove in Bug #1436085 in Jan 2023.
 NS_NAMED_LITERAL_STRING(kGoogleAccountsAppId1,
   "https://www.gstatic.com/securitykey/origins.json");
 NS_NAMED_LITERAL_STRING(kGoogleAccountsAppId2,
--- a/dom/webauthn/moz.build
+++ b/dom/webauthn/moz.build
@@ -55,18 +55,16 @@ UNIFIED_SOURCES += [
 include('/ipc/chromium/chromium-config.mozbuild')
 
 FINAL_LIBRARY = 'xul'
 
 LOCAL_INCLUDES += [
     '/dom/base',
     '/dom/crypto',
     '/security/manager/ssl',
-    '/security/pkix/include',
-    '/security/pkix/lib',
 ]
 
 if CONFIG['OS_ARCH'] == 'WINNT':
     OS_LIBS += [
         'hid',
     ]
 
 MOCHITEST_MANIFESTS += ['tests/mochitest.ini']
--- a/netwerk/base/moz.build
+++ b/netwerk/base/moz.build
@@ -296,16 +296,15 @@ include('/ipc/chromium/chromium-config.m
 
 FINAL_LIBRARY = 'xul'
 
 LOCAL_INCLUDES += [
     '/docshell/base',
     '/dom/base',
     '/netwerk/protocol/http',
     '/netwerk/socket',
-    '/security/pkix/include'
 ]
 
 if CONFIG['CC_TYPE'] in ('clang', 'gcc'):
     CXXFLAGS += ['-Wno-error=shadow']
 
 if CONFIG['CC_TYPE'] == 'clang-cl':
     AllowCompilerWarnings()  # workaround for bug 1090497
--- a/netwerk/protocol/http/moz.build
+++ b/netwerk/protocol/http/moz.build
@@ -122,17 +122,16 @@ EXTRA_JS_MODULES += [
 include('/ipc/chromium/chromium-config.mozbuild')
 
 FINAL_LIBRARY = 'xul'
 
 LOCAL_INCLUDES += [
     '/dom/base',
     '/netwerk/base',
     '/netwerk/cookie',
-    '/security/pkix/include',
 ]
 
 EXTRA_COMPONENTS += [
     'UAOverridesBootstrapper.js',
     'UAOverridesBootstrapper.manifest',
     'WellKnownOpportunisticUtils.js',
     'WellKnownOpportunisticUtils.manifest',
 ]
--- a/netwerk/protocol/http/nsHttpConnection.cpp
+++ b/netwerk/protocol/http/nsHttpConnection.cpp
@@ -34,17 +34,17 @@
 #include "nsISocketTransport.h"
 #include "nsSocketTransportService2.h"
 #include "nsISSLSocketControl.h"
 #include "nsISupportsPriority.h"
 #include "nsPreloadedStream.h"
 #include "nsProxyRelease.h"
 #include "nsSocketTransport2.h"
 #include "nsStringStream.h"
-#include "pkix/pkixnss.h"
+#include "mozpkix/pkixnss.h"
 #include "sslt.h"
 #include "NSSErrorsService.h"
 #include "TunnelUtils.h"
 #include "TCPFastOpenLayer.h"
 
 namespace mozilla {
 namespace net {
 
--- a/old-configure.in
+++ b/old-configure.in
@@ -1771,18 +1771,18 @@ dnl ====================================
 MOZ_ARG_WITH_BOOL(system-nss,
 [  --with-system-nss       Use system installed NSS],
     _USE_SYSTEM_NSS=1 )
 
 if test -n "$_USE_SYSTEM_NSS"; then
     AM_PATH_NSS(3.40, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
 fi
 
+NSS_CFLAGS="$NSS_CFLAGS -I${DIST}/include/nss"
 if test -z "$MOZ_SYSTEM_NSS"; then
-   NSS_CFLAGS="-I${DIST}/include/nss"
    case "${OS_ARCH}" in
         # Only few platforms have been tested with GYP
         WINNT|Darwin|Linux|DragonFly|FreeBSD|NetBSD|OpenBSD|SunOS)
             ;;
         *)
             AC_MSG_ERROR([building in-tree NSS is not supported on this platform. Use --with-system-nss])
             ;;
    esac
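Review bot: The `NSS_CFLAGS="$NSS_CFLAGS -I${DIST}/include/nss"` line added above the `if test -z "$MOZ_SYSTEM_NSS"` check now also runs for `--with-system-nss` builds, and nothing here says why. Presumably it is there so the `mozpkix/` headers resolve when NSS itself comes from the system, but that is not visible in this hunk. A side effect is that any NSS header missing from the system install would fall back to whatever sits in `${DIST}/include/nss`, which could hide a header/library version mismatch in certificate-verification code. I would add a comment above the line, for example `dnl mozpkix headers always come from ${DIST}/include/nss, even with system NSS; keep the system include path first.`, and confirm that this ordering is what is intended. The `if test -z "$MOZ_SYSTEM_NSS"` block continues past the end of the hunk.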
--- a/security/apps/AppSignatureVerification.cpp
+++ b/security/apps/AppSignatureVerification.cpp
@@ -31,18 +31,18 @@
 #include "nsIInputStream.h"
 #include "nsIStringEnumerator.h"
 #include "nsIZipReader.h"
 #include "nsNSSCertificate.h"
 #include "nsNetUtil.h"
 #include "nsProxyRelease.h"
 #include "nsString.h"
 #include "nsTHashtable.h"
-#include "pkix/pkix.h"
-#include "pkix/pkixnss.h"
+#include "mozpkix/pkix.h"
+#include "mozpkix/pkixnss.h"
 #include "plstr.h"
 #include "secmime.h"
 
 
 using namespace mozilla::pkix;
 using namespace mozilla;
 using namespace mozilla::psm;
 
--- a/security/apps/AppTrustDomain.cpp
+++ b/security/apps/AppTrustDomain.cpp
@@ -12,17 +12,17 @@
 #include "mozilla/Casting.h"
 #include "mozilla/Preferences.h"
 #include "nsComponentManagerUtils.h"
 #include "nsIFile.h"
 #include "nsIFileStreams.h"
 #include "nsIX509CertDB.h"
 #include "nsNSSCertificate.h"
 #include "nsNetUtil.h"
-#include "pkix/pkixnss.h"
+#include "mozpkix/pkixnss.h"
 #include "prerror.h"
 
 // Generated by gen_cert_header.py, which gets called by the build system.
 #include "xpcshell.inc"
 // Add-on signing Certificates
 #include "addons-public.inc"
 #include "addons-stage.inc"
 // Privileged Package Certificates
--- a/security/apps/AppTrustDomain.h
+++ b/security/apps/AppTrustDomain.h
@@ -2,17 +2,17 @@
 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef AppTrustDomain_h
 #define AppTrustDomain_h
 
-#include "pkix/pkixtypes.h"
+#include "mozpkix/pkixtypes.h"
 #include "mozilla/StaticMutex.h"
 #include "mozilla/UniquePtr.h"
 #include "nsDebug.h"
 #include "nsIX509CertDB.h"
 #include "ScopedNSSTypes.h"
 
 namespace mozilla { namespace psm {
 
--- a/security/apps/moz.build
+++ b/security/apps/moz.build
@@ -12,17 +12,16 @@ UNIFIED_SOURCES += [
     'AppTrustDomain.cpp',
 ]
 
 FINAL_LIBRARY = 'xul'
 
 LOCAL_INCLUDES += [
     '/security/certverifier',
     '/security/manager/ssl',
-    '/security/pkix/include',
     '/third_party/rust/cose-c/include',
 ]
 
 DEFINES['NSS_ENABLE_ECC'] = 'True'
 for var in ('DLL_PREFIX', 'DLL_SUFFIX'):
     DEFINES[var] = '"%s"' % CONFIG[var]
 
 if CONFIG['CC_TYPE'] in ('clang', 'gcc'):
--- a/security/certverifier/BRNameMatchingPolicy.h
+++ b/security/certverifier/BRNameMatchingPolicy.h
@@ -2,17 +2,17 @@
 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef BRNameMatchingPolicy_h
 #define BRNameMatchingPolicy_h
 
-#include "pkix/pkixtypes.h"
+#include "mozpkix/pkixtypes.h"
 
 namespace mozilla { namespace psm {
 
 // According to the Baseline Requirements version 1.3.3 section 7.1.4.2.2.a,
 // the requirements of the subject common name field are as follows:
 // "If present, this field MUST contain a single IP address or Fully‐Qualified
 // Domain Name that is one of the values contained in the Certificate’s
 // subjectAltName extension". Consequently, since any name information present
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -18,18 +18,18 @@
 #include "cert.h"
 #include "mozilla/Assertions.h"
 #include "mozilla/Casting.h"
 #include "mozilla/IntegerPrintfMacros.h"
 #include "nsNSSComponent.h"
 #include "nsPromiseFlatString.h"
 #include "nsServiceManagerUtils.h"
 #include "pk11pub.h"
-#include "pkix/pkix.h"
-#include "pkix/pkixnss.h"
+#include "mozpkix/pkix.h"
+#include "mozpkix/pkixnss.h"
 #include "secmod.h"
 
 using namespace mozilla::ct;
 using namespace mozilla::pkix;
 using namespace mozilla::psm;
 
 mozilla::LazyLogModule gCertVerifierLog("certverifier");
 
--- a/security/certverifier/CertVerifier.h
+++ b/security/certverifier/CertVerifier.h
@@ -12,17 +12,17 @@
 #include "CTVerifyResult.h"
 #include "OCSPCache.h"
 #include "RootCertificateTelemetryUtils.h"
 #include "ScopedNSSTypes.h"
 #include "mozilla/Telemetry.h"
 #include "mozilla/TimeStamp.h"
 #include "mozilla/UniquePtr.h"
 #include "nsString.h"
-#include "pkix/pkixtypes.h"
+#include "mozpkix/pkixtypes.h"
 
 #if defined(_MSC_VER)
 #pragma warning(push)
 // Silence "RootingAPI.h(718): warning C4324: 'js::DispatchWrapper<T>':
 // structure was padded due to alignment specifier with [ T=void * ]"
 #pragma warning(disable:4324)
 #endif /* defined(_MSC_VER) */
 #include "mozilla/BasePrincipal.h"
--- a/security/certverifier/ExtendedValidation.cpp
+++ b/security/certverifier/ExtendedValidation.cpp
@@ -11,17 +11,17 @@
 #include "mozilla/ArrayUtils.h"
 #include "mozilla/Assertions.h"
 #include "mozilla/Base64.h"
 #include "mozilla/Casting.h"
 #include "mozilla/PodOperations.h"
 #include "nsDependentString.h"
 #include "nsString.h"
 #include "pk11pub.h"
-#include "pkix/pkixtypes.h"
+#include "mozpkix/pkixtypes.h"
 
 namespace mozilla { namespace psm {
 
 struct EVInfo
 {
   // See bug 1338873 about making these fields const.
   const char* dottedOid;
   const char* oidName; // Set this to null to signal an invalid structure,
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -23,19 +23,19 @@
 #include "nsCRTGlue.h"
 #include "nsNSSCertHelper.h"
 #include "nsNSSCertValidity.h"
 #include "nsNSSCertificate.h"
 #include "nsServiceManagerUtils.h"
 #include "nsThreadUtils.h"
 #include "nss.h"
 #include "pk11pub.h"
-#include "pkix/Result.h"
-#include "pkix/pkix.h"
-#include "pkix/pkixnss.h"
+#include "mozpkix/Result.h"
+#include "mozpkix/pkix.h"
+#include "mozpkix/pkixnss.h"
 #include "prerror.h"
 #include "secerr.h"
 
 #include "TrustOverrideUtils.h"
 #include "TrustOverride-StartComAndWoSignData.inc"
 #include "TrustOverride-GlobalSignData.inc"
 #include "TrustOverride-SymantecData.inc"
 #include "TrustOverride-AppleGoogleDigiCertData.inc"
--- a/security/certverifier/NSSCertDBTrustDomain.h
+++ b/security/certverifier/NSSCertDBTrustDomain.h
@@ -8,17 +8,17 @@
 #define NSSCertDBTrustDomain_h
 
 #include "CertVerifier.h"
 #include "ScopedNSSTypes.h"
 #include "mozilla/BasePrincipal.h"
 #include "mozilla/TimeStamp.h"
 #include "nsICertBlocklist.h"
 #include "nsString.h"
-#include "pkix/pkixtypes.h"
+#include "mozpkix/pkixtypes.h"
 #include "secmodt.h"
 
 namespace mozilla { namespace psm {
 
 enum class ValidityCheckingMode {
   CheckingOff = 0,
   CheckForEV = 1,
 };
--- a/security/certverifier/OCSPCache.cpp
+++ b/security/certverifier/OCSPCache.cpp
@@ -23,17 +23,17 @@
  */
 
 #include "OCSPCache.h"
 
 #include <limits>
 
 #include "NSSCertDBTrustDomain.h"
 #include "pk11pub.h"
-#include "pkix/pkixnss.h"
+#include "mozpkix/pkixnss.h"
 #include "ScopedNSSTypes.h"
 #include "secerr.h"
 
 extern mozilla::LazyLogModule gCertVerifierLog;
 
 using namespace mozilla::pkix;
 
 namespace mozilla { namespace psm {
--- a/security/certverifier/OCSPCache.h
+++ b/security/certverifier/OCSPCache.h
@@ -23,18 +23,18 @@
  */
 
 #ifndef mozilla_psm_OCSPCache_h
 #define mozilla_psm_OCSPCache_h
 
 #include "hasht.h"
 #include "mozilla/Mutex.h"
 #include "mozilla/Vector.h"
-#include "pkix/Result.h"
-#include "pkix/Time.h"
+#include "mozpkix/Result.h"
+#include "mozpkix/Time.h"
 #include "prerror.h"
 #include "seccomon.h"
 
 namespace mozilla {
 class OriginAttributes;
 }
 
 namespace mozilla { namespace pkix {
--- a/security/certverifier/OCSPVerificationTrustDomain.h
+++ b/security/certverifier/OCSPVerificationTrustDomain.h
@@ -2,17 +2,17 @@
 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef mozilla_psm__OCSPVerificationTrustDomain_h
 #define mozilla_psm__OCSPVerificationTrustDomain_h
 
-#include "pkix/pkixtypes.h"
+#include "mozpkix/pkixtypes.h"
 #include "NSSCertDBTrustDomain.h"
 
 namespace mozilla { namespace psm {
 
 typedef mozilla::pkix::Result Result;
 
 class OCSPVerificationTrustDomain : public mozilla::pkix::TrustDomain
 {
--- a/security/certverifier/moz.build
+++ b/security/certverifier/moz.build
@@ -24,23 +24,20 @@ UNIFIED_SOURCES += [
 if not CONFIG['NSS_NO_EV_CERTS']:
     UNIFIED_SOURCES += [
         'ExtendedValidation.cpp',
     ]
 
 LOCAL_INCLUDES += [
     '/security/ct',
     '/security/manager/ssl',
-    '/security/pkix/include',
-    '/security/pkix/lib',
 ]
 
 DIRS += [
     '../ct',
-    '../pkix',
 ]
 
 TEST_DIRS += [
     'tests/gtest',
 ]
 
 if CONFIG['CC_TYPE'] == 'clang-cl':
     # -Wall on clang-cl maps to -Weverything, which turns on way too
--- a/security/ct/BTVerifier.h
+++ b/security/ct/BTVerifier.h
@@ -3,18 +3,18 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef BTVerifier_h
 #define BTVerifier_h
 
 #include "BTInclusionProof.h"
-#include "pkix/Input.h"
-#include "pkix/Result.h"
+#include "mozpkix/Input.h"
+#include "mozpkix/Result.h"
 
 namespace mozilla { namespace ct {
 
 // Decodes an Inclusion Proof (InclusionProofDataV2 as defined in RFC
 // 6962-bis). This consumes the entirety of the input.
 pkix::Result DecodeInclusionProof(pkix::Reader& input,
   InclusionProofDataV2& output);
 
--- a/security/ct/CTDiversityPolicy.h
+++ b/security/ct/CTDiversityPolicy.h
@@ -5,17 +5,17 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef CTDiversityPolicy_h
 #define CTDiversityPolicy_h
 
 #include "CTLog.h"
 #include "CTVerifyResult.h"
 #include "certt.h"
-#include "pkix/Result.h"
+#include "mozpkix/Result.h"
 
 namespace mozilla { namespace ct {
 
 // Retuns the list of unique CT log operator IDs appearing in the provided
 // list of verified SCTs.
 void GetCTLogOperatorsFromVerifiedSCTList(const VerifiedSCTList& list,
                                           CTLogOperatorList& operators);
 
--- a/security/ct/CTLogVerifier.cpp
+++ b/security/ct/CTLogVerifier.cpp
@@ -5,18 +5,18 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "CTLogVerifier.h"
 
 #include <stdint.h>
 
 #include "CTSerialization.h"
 #include "hasht.h"
-#include "pkix/pkixnss.h"
-#include "pkixutil.h"
+#include "mozpkix/pkixnss.h"
+#include "mozpkix/pkixutil.h"
 
 namespace mozilla { namespace ct {
 
 using namespace mozilla::pkix;
 
 // A TrustDomain used to extract the SCT log signature parameters
 // given its subjectPublicKeyInfo.
 // Only RSASSA-PKCS1v15 with SHA-256 and ECDSA (using the NIST P-256 curve)
--- a/security/ct/CTLogVerifier.h
+++ b/security/ct/CTLogVerifier.h
@@ -8,19 +8,19 @@
 #define CTLogVerifier_h
 
 #include <memory>
 
 #include "CTLog.h"
 #include "CTUtils.h"
 #include "SignedCertificateTimestamp.h"
 #include "SignedTreeHead.h"
-#include "pkix/Input.h"
-#include "pkix/Result.h"
-#include "pkix/pkix.h"
+#include "mozpkix/Input.h"
+#include "mozpkix/Result.h"
+#include "mozpkix/pkix.h"
 
 namespace mozilla { namespace ct {
 
 // Verifies Signed Certificate Timestamps (SCTs) provided by a specific log
 // using the public key of that log. Assumes the SCT being verified
 // matches the log by log key ID and signature parameters (an error is returned
 // otherwise).
 // The verification functions return Success if the provided SCT has passed
--- a/security/ct/CTObjectsExtractor.cpp
+++ b/security/ct/CTObjectsExtractor.cpp
@@ -5,18 +5,18 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "CTObjectsExtractor.h"
 
 #include <limits>
 #include <vector>
 
 #include "hasht.h"
-#include "pkix/pkixnss.h"
-#include "pkixutil.h"
+#include "mozpkix/pkixnss.h"
+#include "mozpkix/pkixutil.h"
 
 namespace mozilla { namespace ct {
 
 using namespace mozilla::pkix;
 
 // Holds a non-owning pointer to a byte buffer and allows writing chunks of data
 // to the buffer, placing the later chunks after the earlier ones
 // in a stream-like fashion.
--- a/security/ct/CTObjectsExtractor.h
+++ b/security/ct/CTObjectsExtractor.h
@@ -2,18 +2,18 @@
 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef CTObjectsExtractor_h
 #define CTObjectsExtractor_h
 
-#include "pkix/Input.h"
-#include "pkix/Result.h"
+#include "mozpkix/Input.h"
+#include "mozpkix/Result.h"
 #include "SignedCertificateTimestamp.h"
 
 namespace mozilla { namespace ct {
 
 // Obtains a PrecertChain log entry for |leafCertificate|, a DER-encoded
 // X.509v3 certificate that contains an X.509v3 extension with the
 // OID 1.3.6.1.4.1.11129.2.4.2.
 // |issuerSubjectPublicKeyInfo| is a DER-encoded SPKI of |leafCertificate|'s
--- a/security/ct/CTPolicyEnforcer.h
+++ b/security/ct/CTPolicyEnforcer.h
@@ -4,17 +4,17 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef CTPolicyEnforcer_h
 #define CTPolicyEnforcer_h
 
 #include "CTLog.h"
 #include "CTVerifyResult.h"
-#include "pkix/Result.h"
+#include "mozpkix/Result.h"
 
 namespace mozilla { namespace ct {
 
 // Information about the compliance of the TLS connection with the
 // Certificate Transparency policy.
 enum class CTPolicyCompliance
 {
   // Compliance not checked or not applicable.
--- a/security/ct/CTSerialization.h
+++ b/security/ct/CTSerialization.h
@@ -4,18 +4,18 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef CTSerialization_h
 #define CTSerialization_h
 
 #include <vector>
 
-#include "pkix/Input.h"
-#include "pkix/Result.h"
+#include "mozpkix/Input.h"
+#include "mozpkix/Result.h"
 #include "SignedCertificateTimestamp.h"
 #include "SignedTreeHead.h"
 
 // Utility functions for encoding/decoding structures used by Certificate
 // Transparency to/from the TLS wire format encoding.
 namespace mozilla { namespace ct {
 
 // Encodes the DigitallySigned |data| to |output|.
--- a/security/ct/CTUtils.h
+++ b/security/ct/CTUtils.h
@@ -8,18 +8,18 @@
 #define CTUtils_h
 
 #include <memory>
 
 #include "cryptohi.h"
 #include "keyhi.h"
 #include "keythi.h"
 #include "pk11pub.h"
-#include "pkix/Input.h"
-#include "pkix/Result.h"
+#include "mozpkix/Input.h"
+#include "mozpkix/Result.h"
 
 #define MOZILLA_CT_ARRAY_LENGTH(x) (sizeof(x) / sizeof((x)[0]))
 
 struct DeleteHelper
 {
   void operator()(CERTSubjectPublicKeyInfo* value)
   {
     SECKEY_DestroySubjectPublicKeyInfo(value);
--- a/security/ct/MultiLogCTVerifier.h
+++ b/security/ct/MultiLogCTVerifier.h
@@ -6,19 +6,19 @@
 
 #ifndef MultiLogCTVerifier_h
 #define MultiLogCTVerifier_h
 
 #include <vector>
 
 #include "CTLogVerifier.h"
 #include "CTVerifyResult.h"
-#include "pkix/Input.h"
-#include "pkix/Result.h"
-#include "pkix/Time.h"
+#include "mozpkix/Input.h"
+#include "mozpkix/Result.h"
+#include "mozpkix/Time.h"
 #include "SignedCertificateTimestamp.h"
 
 namespace mozilla { namespace ct {
 
 // A Certificate Transparency verifier that can verify Signed Certificate
 // Timestamps from multiple logs.
 class MultiLogCTVerifier
 {
--- a/security/ct/SignedCertificateTimestamp.h
+++ b/security/ct/SignedCertificateTimestamp.h
@@ -3,18 +3,18 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef SignedCertificateTimestamp_h
 #define SignedCertificateTimestamp_h
 
 #include "Buffer.h"
-#include "pkix/Input.h"
-#include "pkix/Result.h"
+#include "mozpkix/Input.h"
+#include "mozpkix/Result.h"
 
 // Structures related to Certificate Transparency (RFC 6962).
 namespace mozilla { namespace ct {
 
 // LogEntry struct in RFC 6962, Section 3.1.
 struct LogEntry
 {
 
--- a/security/ct/moz.build
+++ b/security/ct/moz.build
@@ -26,25 +26,16 @@ UNIFIED_SOURCES += [
     'CTObjectsExtractor.cpp',
     'CTPolicyEnforcer.cpp',
     'CTSerialization.cpp',
     'CTVerifyResult.cpp',
     'MultiLogCTVerifier.cpp',
     'SignedCertificateTimestamp.cpp',
 ]
 
-LOCAL_INCLUDES += [
-    '/security/pkix/include',
-    '/security/pkix/lib',
-]
-
-DIRS += [
-    '../pkix',
-]
-
 TEST_DIRS += [
     'tests/gtest',
 ]
 
 if not CONFIG['MOZ_DEBUG']:
     DEFINES['NDEBUG'] = True
 
 if CONFIG['CC_TYPE'] == 'clang-cl':
--- a/security/ct/tests/gtest/CTTestUtils.cpp
+++ b/security/ct/tests/gtest/CTTestUtils.cpp
@@ -7,23 +7,23 @@
 #include "CTTestUtils.h"
 
 #include <stdint.h>
 #include <iomanip>
 
 #include "BTInclusionProof.h"
 #include "CTSerialization.h"
 #include "gtest/gtest.h"
-#include "pkix/Input.h"
-#include "pkix/pkix.h"
-#include "pkix/pkixnss.h"
-#include "pkix/pkixtypes.h"
-#include "pkix/Result.h"
-#include "pkixcheck.h"
-#include "pkixutil.h"
+#include "mozpkix/Input.h"
+#include "mozpkix/pkix.h"
+#include "mozpkix/pkixnss.h"
+#include "mozpkix/pkixtypes.h"
+#include "mozpkix/Result.h"
+#include "mozpkix/pkixcheck.h"
+#include "mozpkix/pkixutil.h"
 #include "SignedCertificateTimestamp.h"
 #include "SignedTreeHead.h"
 
 namespace mozilla { namespace ct {
 
 using namespace mozilla::pkix;
 
 // The following test vectors are from the CT test data repository at
--- a/security/ct/tests/gtest/CTTestUtils.h
+++ b/security/ct/tests/gtest/CTTestUtils.h
@@ -4,18 +4,18 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef CTTestUtils_h
 #define CTTestUtils_h
 
 #include <iostream>
 
-#include "pkix/Input.h"
-#include "pkix/Time.h"
+#include "mozpkix/Input.h"
+#include "mozpkix/Time.h"
 #include "seccomon.h"
 #include "SignedCertificateTimestamp.h"
 #include "SignedTreeHead.h"
 
 namespace mozilla { namespace ct {
 
 // Note: unless specified otherwise, all test data is taken from
 // Certificate Transparency test data repository at
--- a/security/ct/tests/gtest/moz.build
+++ b/security/ct/tests/gtest/moz.build
@@ -12,16 +12,14 @@ SOURCES += [
     'CTPolicyEnforcerTest.cpp',
     'CTSerializationTest.cpp',
     'CTTestUtils.cpp',
     'MultiLogCTVerifierTest.cpp',
 ]
 
 LOCAL_INCLUDES += [
     '../..',
-    '/security/pkix/include',
-    '/security/pkix/lib',
 ]
 
 if not CONFIG['MOZ_DEBUG']:
     DEFINES['NDEBUG'] = True
 
 FINAL_LIBRARY = 'xul-gtest'
--- a/security/manager/ssl/CSTrustDomain.cpp
+++ b/security/manager/ssl/CSTrustDomain.cpp
@@ -7,17 +7,17 @@
 #include "CSTrustDomain.h"
 #include "mozilla/Base64.h"
 #include "mozilla/Preferences.h"
 #include "nsNSSCertificate.h"
 #include "nsNSSComponent.h"
 #include "NSSCertDBTrustDomain.h"
 #include "nsServiceManagerUtils.h"
 #include "nsThreadUtils.h"
-#include "pkix/pkixnss.h"
+#include "mozpkix/pkixnss.h"
 
 using namespace mozilla::pkix;
 
 namespace mozilla { namespace psm {
 
 static LazyLogModule gTrustDomainPRLog("CSTrustDomain");
 #define CSTrust_LOG(args) MOZ_LOG(gTrustDomainPRLog, LogLevel::Debug, args)
 
--- a/security/manager/ssl/CSTrustDomain.h
+++ b/security/manager/ssl/CSTrustDomain.h
@@ -2,17 +2,17 @@
 /* vim: set ts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef CSTrustDomain_h
 #define CSTrustDomain_h
 
-#include "pkix/pkixtypes.h"
+#include "mozpkix/pkixtypes.h"
 #include "mozilla/StaticMutex.h"
 #include "mozilla/UniquePtr.h"
 #include "nsDebug.h"
 #include "nsICertBlocklist.h"
 #include "nsIX509CertDB.h"
 #include "ScopedNSSTypes.h"
 
 namespace mozilla { namespace psm {
--- a/security/manager/ssl/CertBlocklist.cpp
+++ b/security/manager/ssl/CertBlocklist.cpp
@@ -21,17 +21,17 @@
 #include "nsILineInputStream.h"
 #include "nsISafeOutputStream.h"
 #include "nsIX509Cert.h"
 #include "nsNetCID.h"
 #include "nsNetUtil.h"
 #include "nsPromiseFlatString.h"
 #include "nsTHashtable.h"
 #include "nsThreadUtils.h"
-#include "pkix/Input.h"
+#include "mozpkix/Input.h"
 #include "prtime.h"
 
 NS_IMPL_ISUPPORTS(CertBlocklist, nsICertBlocklist)
 
 using namespace mozilla;
 using namespace mozilla::pkix;
 
 #define PREF_BACKGROUND_UPDATE_TIMER "app.update.lastUpdateTime.blocklist-background-update-timer"
--- a/security/manager/ssl/CertBlocklist.h
+++ b/security/manager/ssl/CertBlocklist.h
@@ -9,17 +9,17 @@
 #include "mozilla/Mutex.h"
 #include "nsCOMPtr.h"
 #include "nsClassHashtable.h"
 #include "nsICertBlocklist.h"
 #include "nsIOutputStream.h"
 #include "nsIX509CertDB.h"
 #include "nsString.h"
 #include "nsTHashtable.h"
-#include "pkix/Input.h"
+#include "mozpkix/Input.h"
 
 #define NS_CERT_BLOCKLIST_CID \
 {0x11aefd53, 0x2fbb, 0x4c92, {0xa0, 0xc1, 0x05, 0x32, 0x12, 0xae, 0x42, 0xd0} }
 
 enum CertBlocklistItemMechanism {
   BlockByIssuerAndSerial,
   BlockBySubjectAndPubKey
 };
--- a/security/manager/ssl/ContentSignatureVerifier.cpp
+++ b/security/manager/ssl/ContentSignatureVerifier.cpp
@@ -18,18 +18,18 @@
 #include "nsContentUtils.h"
 #include "nsISupportsPriority.h"
 #include "nsIURI.h"
 #include "nsNSSComponent.h"
 #include "nsPromiseFlatString.h"
 #include "nsSecurityHeaderParser.h"
 #include "nsStreamUtils.h"
 #include "nsWhitespaceTokenizer.h"
-#include "pkix/pkix.h"
-#include "pkix/pkixtypes.h"
+#include "mozpkix/pkix.h"
+#include "mozpkix/pkixtypes.h"
 #include "secerr.h"
 
 NS_IMPL_ISUPPORTS(ContentSignatureVerifier,
                   nsIContentSignatureVerifier,
                   nsIInterfaceRequestor,
                   nsIStreamListener)
 
 using namespace mozilla;
--- a/security/manager/ssl/NSSErrorsService.cpp
+++ b/security/manager/ssl/NSSErrorsService.cpp
@@ -1,17 +1,17 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "NSSErrorsService.h"
 
 #include "nsNSSComponent.h"
 #include "nsServiceManagerUtils.h"
-#include "pkix/pkixnss.h"
+#include "mozpkix/pkixnss.h"
 #include "secerr.h"
 #include "sslerr.h"
 
 #define PIPNSS_STRBUNDLE_URL "chrome://pipnss/locale/pipnss.properties"
 #define NSSERR_STRBUNDLE_URL "chrome://pipnss/locale/nsserrors.properties"
 
 namespace mozilla {
 namespace psm {
--- a/security/manager/ssl/PublicKeyPinningService.cpp
+++ b/security/manager/ssl/PublicKeyPinningService.cpp
@@ -10,17 +10,17 @@
 #include "mozilla/BinarySearch.h"
 #include "mozilla/Casting.h"
 #include "mozilla/Logging.h"
 #include "mozilla/Telemetry.h"
 #include "nsDependentString.h"
 #include "nsISiteSecurityService.h"
 #include "nsServiceManagerUtils.h"
 #include "nsSiteSecurityService.h"
-#include "pkix/pkixtypes.h"
+#include "mozpkix/pkixtypes.h"
 #include "seccomon.h"
 #include "sechash.h"
 
 #include "StaticHPKPins.h" // autogenerated by genHPKPStaticpins.js
 
 using namespace mozilla;
 using namespace mozilla::pkix;
 using namespace mozilla::psm;
--- a/security/manager/ssl/PublicKeyPinningService.h
+++ b/security/manager/ssl/PublicKeyPinningService.h
@@ -6,17 +6,17 @@
 #define PublicKeyPinningService_h
 
 #include "CertVerifier.h"
 #include "ScopedNSSTypes.h"
 #include "cert.h"
 #include "nsNSSCertificate.h"
 #include "nsString.h"
 #include "nsTArray.h"
-#include "pkix/Time.h"
+#include "mozpkix/Time.h"
 
 namespace mozilla {
 class OriginAttributes;
 }
 
 using mozilla::OriginAttributes;
 
 namespace mozilla {
--- a/security/manager/ssl/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/SSLServerCertVerification.cpp
@@ -125,18 +125,18 @@
 #include "nsNetUtil.h"
 #include "nsNSSCertificate.h"
 #include "nsNSSComponent.h"
 #include "nsNSSIOLayer.h"
 #include "nsServiceManagerUtils.h"
 #include "nsString.h"
 #include "nsURLHelper.h"
 #include "nsXPCOMCIDInternal.h"
-#include "pkix/pkix.h"
-#include "pkix/pkixnss.h"
+#include "mozpkix/pkix.h"
+#include "mozpkix/pkixnss.h"
 #include "secerr.h"
 #include "secoidt.h"
 #include "secport.h"
 #include "ssl.h"
 #include "sslerr.h"
 
 extern mozilla::LazyLogModule gPIPNSSLog;
 
--- a/security/manager/ssl/TransportSecurityInfo.cpp
+++ b/security/manager/ssl/TransportSecurityInfo.cpp
@@ -18,17 +18,17 @@
 #include "nsIX509CertValidity.h"
 #include "nsNSSCertHelper.h"
 #include "nsNSSCertificate.h"
 #include "nsNSSComponent.h"
 #include "nsNSSHelper.h"
 #include "nsReadableUtils.h"
 #include "nsServiceManagerUtils.h"
 #include "nsXULAppAPI.h"
-#include "pkix/pkixtypes.h"
+#include "mozpkix/pkixtypes.h"
 #include "secerr.h"
 
 //#define DEBUG_SSL_VERBOSE //Enable this define to get minimal
                             //reports when doing SSL read/write
 
 //#define DUMP_BUFFER  //Enable this define along with
                        //DEBUG_SSL_VERBOSE to dump SSL
                        //read/write buffer to a log.
--- a/security/manager/ssl/TransportSecurityInfo.h
+++ b/security/manager/ssl/TransportSecurityInfo.h
@@ -15,17 +15,17 @@
 #include "mozilla/Mutex.h"
 #include "mozilla/RefPtr.h"
 #include "nsDataHashtable.h"
 #include "nsIClassInfo.h"
 #include "nsIInterfaceRequestor.h"
 #include "nsITransportSecurityInfo.h"
 #include "nsNSSCertificate.h"
 #include "nsString.h"
-#include "pkix/pkixtypes.h"
+#include "mozpkix/pkixtypes.h"
 
 namespace mozilla { namespace psm {
 
 enum class EVStatus {
   NotEV = 0,
   EV = 1,
 };
 
--- a/security/manager/ssl/moz.build
+++ b/security/manager/ssl/moz.build
@@ -171,17 +171,16 @@ UNIFIED_SOURCES += [
 ]
 
 FINAL_LIBRARY = 'xul'
 
 LOCAL_INCLUDES += [
     '/dom/base',
     '/dom/crypto',
     '/security/certverifier',
-    '/security/pkix/include',
 ]
 
 LOCAL_INCLUDES += [
     '!/dist/public/nss',
 ]
 
 GENERATED_FILES = [
     'nsSTSPreloadList.h',
@@ -196,16 +195,20 @@ if CONFIG['NSS_DISABLE_DBM']:
 DEFINES['SSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES'] = 'True'
 DEFINES['NSS_ENABLE_ECC'] = 'True'
 
 if not CONFIG['MOZ_SYSTEM_NSS']:
     USE_LIBS += [
         'crmf',
     ]
 
+# mozpkix is linked statically from the in-tree sources independent of whether
+# system NSS is used or not.
+USE_LIBS += [ 'mozpkix' ]
+
 include('/ipc/chromium/chromium-config.mozbuild')
 
 if CONFIG['CC_TYPE'] in ('clang', 'gcc'):
     CXXFLAGS += [
         '-Wextra',
         # -Wextra enables this warning, but it's too noisy to be useful.
         '-Wno-missing-field-initializers',
     ]
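Review bot: The new comment above `USE_LIBS += [ 'mozpkix' ]` says where mozpkix comes from but not what it is built against when `MOZ_SYSTEM_NSS` is set. In that configuration the in-tree certificate-verification code appears to be compiled with the system NSS flags (see `sandbox_vars['CXXFLAGS'] = CONFIG['NSS_CFLAGS']` in security/moz.build in this commit), so the two can be at different versions. I would add a line such as `# With system NSS, the in-tree mozpkix is compiled against the system NSS headers, so the minimum supported system NSS version has to track it.` Whether configure already enforces a matching minimum is not visible in this hunk.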
--- a/security/manager/ssl/nsCertTree.cpp
+++ b/security/manager/ssl/nsCertTree.cpp
@@ -18,17 +18,17 @@
 #include "nsNSSCertificateDB.h"
 #include "nsNSSHelper.h"
 #include "nsReadableUtils.h"
 #include "nsTHashtable.h"
 #include "nsUnicharUtils.h"
 #include "nsXPCOMCID.h"
 #include "nsString.h"
 #include "nsTreeColumns.h"
-#include "pkix/pkixtypes.h"
+#include "mozpkix/pkixtypes.h"
 
 using namespace mozilla;
 
 extern LazyLogModule gPIPNSSLog;
 
 static NS_DEFINE_CID(kCertOverrideCID, NS_CERTOVERRIDE_CID);
 
 // treeArrayElStr
--- a/security/manager/ssl/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/nsNSSCallbacks.cpp
@@ -28,17 +28,17 @@
 #include "nsNSSCertHelper.h"
 #include "nsNSSCertificate.h"
 #include "nsNSSComponent.h"
 #include "nsNSSIOLayer.h"
 #include "nsNetUtil.h"
 #include "nsProtectedAuthThread.h"
 #include "nsProxyRelease.h"
 #include "nsStringStream.h"
-#include "pkix/pkixtypes.h"
+#include "mozpkix/pkixtypes.h"
 #include "ssl.h"
 #include "sslproto.h"
 
 #include "TrustOverrideUtils.h"
 #include "TrustOverride-SymantecData.inc"
 #include "TrustOverride-AppleGoogleDigiCertData.inc"
 #include "TrustOverride-TestImminentDistrustData.inc"
 
--- a/security/manager/ssl/nsNSSCallbacks.h
+++ b/security/manager/ssl/nsNSSCallbacks.h
@@ -9,17 +9,17 @@
 
 #include "mozilla/Attributes.h"
 #include "mozilla/BasePrincipal.h"
 #include "mozilla/TimeStamp.h"
 #include "mozilla/Vector.h"
 #include "nspr.h"
 #include "nsString.h"
 #include "pk11func.h"
-#include "pkix/pkixtypes.h"
+#include "mozpkix/pkixtypes.h"
 
 using mozilla::OriginAttributes;
 using mozilla::TimeDuration;
 using mozilla::Vector;
 
 class nsILoadGroup;
 
 char*
--- a/security/manager/ssl/nsNSSCertificate.cpp
+++ b/security/manager/ssl/nsNSSCertificate.cpp
@@ -30,19 +30,19 @@
 #include "nsPK11TokenDB.h"
 #include "nsPKCS12Blob.h"
 #include "nsProxyRelease.h"
 #include "nsReadableUtils.h"
 #include "nsString.h"
 #include "nsThreadUtils.h"
 #include "nsUnicharUtils.h"
 #include "nspr.h"
-#include "pkix/pkixnss.h"
-#include "pkix/pkixtypes.h"
-#include "pkix/Result.h"
+#include "mozpkix/pkixnss.h"
+#include "mozpkix/pkixtypes.h"
+#include "mozpkix/Result.h"
 #include "prerror.h"
 #include "secasn1.h"
 #include "secder.h"
 #include "secerr.h"
 #include "ssl.h"
 
 #ifdef XP_WIN
 #include <winsock.h> // for htonl
--- a/security/manager/ssl/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/nsNSSCertificateDB.cpp
@@ -10,16 +10,19 @@
 #include "NSSCertDBTrustDomain.h"
 #include "SharedSSLState.h"
 #include "certdb.h"
 #include "mozilla/Assertions.h"
 #include "mozilla/Base64.h"
 #include "mozilla/Casting.h"
 #include "mozilla/Services.h"
 #include "mozilla/Unused.h"
+#include "mozpkix/Time.h"
+#include "mozpkix/pkixnss.h"
+#include "mozpkix/pkixtypes.h"
 #include "nsArray.h"
 #include "nsArrayUtils.h"
 #include "nsCOMPtr.h"
 #include "nsComponentManagerUtils.h"
 #include "nsICertificateDialogs.h"
 #include "nsIFile.h"
 #include "nsIMutableArray.h"
 #include "nsIObserverService.h"
@@ -32,19 +35,16 @@
 #include "nsNSSComponent.h"
 #include "nsNSSHelper.h"
 #include "nsPKCS12Blob.h"
 #include "nsPromiseFlatString.h"
 #include "nsProxyRelease.h"
 #include "nsReadableUtils.h"
 #include "nsThreadUtils.h"
 #include "nspr.h"
-#include "pkix/Time.h"
-#include "pkix/pkixnss.h"
-#include "pkix/pkixtypes.h"
 #include "secasn1.h"
 #include "secder.h"
 #include "secerr.h"
 #include "ssl.h"
 
 #ifdef XP_WIN
 #include <winsock.h> // for ntohl
 #endif
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -47,17 +47,17 @@
 #include "nsNSSHelper.h"
 #include "nsPK11TokenDB.h"
 #include "nsPrintfCString.h"
 #include "nsServiceManagerUtils.h"
 #include "nsThreadUtils.h"
 #include "nsXULAppAPI.h"
 #include "nss.h"
 #include "p12plcy.h"
-#include "pkix/pkixnss.h"
+#include "mozpkix/pkixnss.h"
 #include "secerr.h"
 #include "secmod.h"
 #include "ssl.h"
 #include "sslerr.h"
 #include "sslproto.h"
 #include "prmem.h"
 
 #if defined(XP_LINUX) && !defined(ANDROID)
--- a/security/manager/ssl/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/nsNSSIOLayer.cpp
@@ -33,18 +33,18 @@
 #include "nsIPrefService.h"
 #include "nsISocketProvider.h"
 #include "nsIWebProgressListener.h"
 #include "nsNSSCertHelper.h"
 #include "nsNSSComponent.h"
 #include "nsNSSHelper.h"
 #include "nsPrintfCString.h"
 #include "nsServiceManagerUtils.h"
-#include "pkix/pkixnss.h"
-#include "pkix/pkixtypes.h"
+#include "mozpkix/pkixnss.h"
+#include "mozpkix/pkixtypes.h"
 #include "prmem.h"
 #include "prnetdb.h"
 #include "secder.h"
 #include "secerr.h"
 #include "ssl.h"
 #include "sslerr.h"
 #include "sslproto.h"
 #include "sslexp.h"
--- a/security/manager/ssl/nsPKCS12Blob.cpp
+++ b/security/manager/ssl/nsPKCS12Blob.cpp
@@ -16,17 +16,17 @@
 #include "nsIX509CertDB.h"
 #include "nsNSSCertHelper.h"
 #include "nsNSSCertificate.h"
 #include "nsNSSHelper.h"
 #include "nsNetUtil.h"
 #include "nsReadableUtils.h"
 #include "nsThreadUtils.h"
 #include "p12plcy.h"
-#include "pkix/pkixtypes.h"
+#include "mozpkix/pkixtypes.h"
 #include "secerr.h"
 
 using namespace mozilla;
 extern LazyLogModule gPIPNSSLog;
 
 #define PIP_PKCS12_BUFFER_SIZE 2048
 #define PIP_PKCS12_NOSMARTCARD_EXPORT 4
 #define PIP_PKCS12_RESTORE_FAILED 5
--- a/security/manager/ssl/nsSiteSecurityService.h
+++ b/security/manager/ssl/nsSiteSecurityService.h
@@ -9,17 +9,17 @@
 #include "mozilla/Dafsa.h"
 #include "mozilla/DataStorage.h"
 #include "mozilla/RefPtr.h"
 #include "nsCOMPtr.h"
 #include "nsIObserver.h"
 #include "nsISiteSecurityService.h"
 #include "nsString.h"
 #include "nsTArray.h"
-#include "pkix/pkixtypes.h"
+#include "mozpkix/pkixtypes.h"
 #include "prtime.h"
 
 class nsIURI;
 class nsITransportSecurityInfo;
 
 using mozilla::OriginAttributes;
 
 // {16955eee-6c48-4152-9309-c42a465138a1}
--- a/security/manager/ssl/tests/gtest/OCSPCacheTest.cpp
+++ b/security/manager/ssl/tests/gtest/OCSPCacheTest.cpp
@@ -6,18 +6,18 @@
 
 #include "CertVerifier.h"
 #include "OCSPCache.h"
 #include "gtest/gtest.h"
 #include "mozilla/BasePrincipal.h"
 #include "mozilla/Casting.h"
 #include "mozilla/Sprintf.h"
 #include "nss.h"
-#include "pkix/pkixtypes.h"
-#include "pkixtestutil.h"
+#include "mozpkix/pkixtypes.h"
+#include "mozpkix/test/pkixtestutil.h"
 #include "prerr.h"
 #include "secerr.h"
 
 using namespace mozilla::pkix;
 using namespace mozilla::pkix::test;
 
 using mozilla::OriginAttributes;
 
--- a/security/manager/ssl/tests/gtest/moz.build
+++ b/security/manager/ssl/tests/gtest/moz.build
@@ -13,18 +13,16 @@ SOURCES += [
     'MD4Test.cpp',
     'OCSPCacheTest.cpp',
     'TLSIntoleranceTest.cpp',
 ]
 
 LOCAL_INCLUDES += [
     '/security/certverifier',
     '/security/manager/ssl',
-    '/security/pkix/include',
-    '/security/pkix/test/lib',
     '/third_party/rust/cose-c/include',
 ]
 
 include('/ipc/chromium/chromium-config.mozbuild')
 
 FINAL_LIBRARY = 'xul-gtest'
 
 if CONFIG['CC_TYPE'] in ('clang', 'gcc'):
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/moz.build
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/moz.build
@@ -11,16 +11,15 @@ GeckoSimplePrograms([
     'SymantecSanctionsServer',
 ], linkage=None)
 
 LOCAL_INCLUDES += [
     '../lib',
 ]
 
 USE_LIBS += [
-    'mozillapkix',
+    'mozpkix',
     'nspr',
     'nss',
-    'pkixtestutil',
     'tlsserver',
 ]
 
 CXXFLAGS += CONFIG['TK_CFLAGS']
--- a/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
@@ -1,18 +1,18 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "OCSPCommon.h"
 
 #include <stdio.h>
 
-#include "pkixtestutil.h"
-#include "pkixtestnss.h"
+#include "mozpkix/test/pkixtestutil.h"
+#include "mozpkix/test/pkixtestnss.h"
 #include "TLSServer.h"
 #include "secder.h"
 #include "secerr.h"
 
 using namespace mozilla;
 using namespace mozilla::pkix;
 using namespace mozilla::pkix::test;
 using namespace mozilla::test;
--- a/security/manager/ssl/tests/unit/tlsserver/lib/moz.build
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/moz.build
@@ -4,14 +4,13 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 UNIFIED_SOURCES += [
     'OCSPCommon.cpp',
     'TLSServer.cpp',
 ]
 
-LOCAL_INCLUDES += [
-    '../../../../../../pkix/include',
-    '../../../../../../pkix/test/lib',
+USE_LIBS += [
+    'mozpkix-testlib',
 ]
 
 Library('tlsserver')
--- a/security/moz.build
+++ b/security/moz.build
@@ -14,135 +14,142 @@ with Files("nss/**"):
     BUG_COMPONENT = ("NSS", "Libraries")
 
 with Files("nss.symbols"):
     BUG_COMPONENT = ("NSS", "Libraries")
 
 if CONFIG['MOZ_SYSTEM_NSS']:
     Library('nss')
     OS_LIBS += CONFIG['NSS_LIBS']
-else:
-    include('/build/gyp_base.mozbuild')
-    if CONFIG['MOZ_FOLD_LIBS']:
-        GeckoSharedLibrary('nss', linkage=None)
-        # TODO: The library name can be changed when bug 845217 is fixed.
-        SHARED_LIBRARY_NAME = 'nss3'
+
+include('/build/gyp_base.mozbuild')
+if CONFIG['MOZ_FOLD_LIBS']:
+    GeckoSharedLibrary('nss', linkage=None)
+    # TODO: The library name can be changed when bug 845217 is fixed.
+    SHARED_LIBRARY_NAME = 'nss3'
 
-        USE_LIBS += [
-            'nspr4',
-            'nss3_static',
-            'nssutil',
-            'plc4',
-            'plds4',
-            'smime3_static',
-            'ssl',
-        ]
+    USE_LIBS += [
+        'nspr4',
+        'nss3_static',
+        'nssutil',
+        'plc4',
+        'plds4',
+        'smime3_static',
+        'ssl',
+    ]
 
-        OS_LIBS += CONFIG['REALTIME_LIBS']
+    OS_LIBS += CONFIG['REALTIME_LIBS']
 
-        SYMBOLS_FILE = 'nss.symbols'
-        # This changes the default targets in the NSS build, among
-        # other things.
-        gyp_vars['moz_fold_libs'] = 1
-        # Some things in NSS need to link against nssutil, which
-        # gets folded, so this tells them what to link against.
-        gyp_vars['moz_folded_library_name'] = 'nss'
-        # Force things in NSS that want to link against NSPR to link
-        # against the folded library.
-        gyp_vars['nspr_libs'] = 'nss'
-    else:
-        Library('nss')
-        USE_LIBS += [
-            'nss3',
-            'nssutil3',
-            'smime3',
-            'sqlite',
-            'ssl3',
-        ]
-        gyp_vars['nspr_libs'] = 'nspr'
+    SYMBOLS_FILE = 'nss.symbols'
+    # This changes the default targets in the NSS build, among
+    # other things.
+    gyp_vars['moz_fold_libs'] = 1
+    # Some things in NSS need to link against nssutil, which
+    # gets folded, so this tells them what to link against.
+    gyp_vars['moz_folded_library_name'] = 'nss'
+    # Force things in NSS that want to link against NSPR to link
+    # against the folded library.
+    gyp_vars['nspr_libs'] = 'nss'
+elif not CONFIG['MOZ_SYSTEM_NSS']:
+    Library('nss')
+    USE_LIBS += [
+        'nss3',
+        'nssutil3',
+        'smime3',
+        'sqlite',
+        'ssl3',
+    ]
+    gyp_vars['nspr_libs'] = 'nspr'
+else:
+    # Build mozpkix and mozpkix-test only
+    gyp_vars['nspr_libs'] = 'nspr'
+    gyp_vars['mozpkix_only'] = 1
 
-    # This disables building some NSS tools.
-    gyp_vars['mozilla_client'] = 1
-    # We run shlibsign as part of packaging, not build.
-    gyp_vars['sign_libs'] = 0
-    gyp_vars['python'] = CONFIG['PYTHON']
-    # The NSS gyp files do not have a default for this.
-    gyp_vars['nss_dist_dir'] = '$PRODUCT_DIR/dist'
-    # NSS wants to put public headers in $nss_dist_dir/public/nss by default,
-    # which would wind up being mapped to dist/include/public/nss (by
-    # gyp_reader's `handle_copies`).
-    # This forces it to put them in dist/include/nss.
-    gyp_vars['nss_public_dist_dir'] = '$PRODUCT_DIR/dist'
-    gyp_vars['nss_dist_obj_dir'] = '$PRODUCT_DIR/dist/bin'
-    # We don't currently build NSS tests.
-    gyp_vars['disable_tests'] = 1
-    if CONFIG['NSS_DISABLE_DBM']:
-        gyp_vars['disable_dbm'] = 1
-    gyp_vars['disable_libpkix'] = 1
-    # pkg-config won't reliably find zlib on our builders, so just force it.
-    # System zlib is only used for modutil and signtool unless
-    # SSL zlib is enabled, which we are disabling immediately below this.
-    gyp_vars['zlib_libs'] = '-lz'
-    gyp_vars['ssl_enable_zlib'] = 0
-    # System sqlite here is the in-tree mozsqlite.
-    gyp_vars['use_system_sqlite'] = 1
-    gyp_vars['sqlite_libs'] = 'sqlite'
+# This disables building some NSS tools.
+gyp_vars['mozilla_client'] = 1
+# We run shlibsign as part of packaging, not build.
+gyp_vars['sign_libs'] = 0
+gyp_vars['python'] = CONFIG['PYTHON']
+# The NSS gyp files do not have a default for this.
+gyp_vars['nss_dist_dir'] = '$PRODUCT_DIR/dist'
+# NSS wants to put public headers in $nss_dist_dir/public/nss by default,
+# which would wind up being mapped to dist/include/public/nss (by
+# gyp_reader's `handle_copies`).
+# This forces it to put them in dist/include/nss.
+gyp_vars['nss_public_dist_dir'] = '$PRODUCT_DIR/dist'
+gyp_vars['nss_dist_obj_dir'] = '$PRODUCT_DIR/dist/bin'
+# We don't currently build NSS tests.
+gyp_vars['disable_tests'] = 1
+if CONFIG['NSS_DISABLE_DBM']:
+    gyp_vars['disable_dbm'] = 1
+gyp_vars['disable_libpkix'] = 1
+# pkg-config won't reliably find zlib on our builders, so just force it.
+# System zlib is only used for modutil and signtool unless
+# SSL zlib is enabled, which we are disabling immediately below this.
+gyp_vars['zlib_libs'] = '-lz'
+gyp_vars['ssl_enable_zlib'] = 0
+# System sqlite here is the in-tree mozsqlite.
+gyp_vars['use_system_sqlite'] = 1
+gyp_vars['sqlite_libs'] = 'sqlite'
 
-    if CONFIG['MOZ_SYSTEM_NSPR']:
-        gyp_vars['nspr_include_dir'] = '%' + CONFIG['NSPR_INCLUDE_DIR']
-        gyp_vars['nspr_lib_dir'] = '%' + CONFIG['NSPR_LIB_DIR']
-    else:
-        gyp_vars['nspr_include_dir'] = '!/dist/include/nspr'
-        gyp_vars['nspr_lib_dir'] = ''  # gyp wants a value, but we don't need
-                                       # it to be valid.
+
+if CONFIG['MOZ_SYSTEM_NSPR']:
+    gyp_vars['nspr_include_dir'] = '%' + CONFIG['NSPR_INCLUDE_DIR']
+    gyp_vars['nspr_lib_dir'] = '%' + CONFIG['NSPR_LIB_DIR']
+else:
+    gyp_vars['nspr_include_dir'] = '!/dist/include/nspr'
+    gyp_vars['nspr_lib_dir'] = ''  # gyp wants a value, but we don't need
+                                   # it to be valid.
 
-    # The Python scripts that detect clang need it to be set as CC
-    # in the environment, which isn't true here. I don't know that
-    # setting that would be harmful, but we already have this information
-    # anyway.
-    if CONFIG['CC_TYPE'] in ('clang', 'clang-cl'):
-        gyp_vars['cc_is_clang'] = 1
-    if CONFIG['GCC_USE_GNU_LD']:
-        gyp_vars['cc_use_gnu_ld'] = 1
+# The Python scripts that detect clang need it to be set as CC
+# in the environment, which isn't true here. I don't know that
+# setting that would be harmful, but we already have this information
+# anyway.
+if CONFIG['CC_TYPE'] in ('clang', 'clang-cl'):
+    gyp_vars['cc_is_clang'] = 1
+if CONFIG['GCC_USE_GNU_LD']:
+    gyp_vars['cc_use_gnu_ld'] = 1
 
-    GYP_DIRS += ['nss']
-    GYP_DIRS['nss'].input = 'nss/nss.gyp'
-    GYP_DIRS['nss'].variables = gyp_vars
+GYP_DIRS += ['nss']
+GYP_DIRS['nss'].input = 'nss/nss.gyp'
+GYP_DIRS['nss'].variables = gyp_vars
 
-    sandbox_vars = {
-        # NSS explicitly exports its public symbols
-        # with linker scripts.
-        'COMPILE_FLAGS': {
-            'VISIBILITY': [],
-            # XXX: We should fix these warnings.
-            'WARNINGS_AS_ERRORS': [],
-        },
-        # NSS' build system doesn't currently build NSS with PGO.
-        # We could probably do so, but not without a lot of
-        # careful consideration.
-        'NO_PGO': True,
-    }
-    if CONFIG['OS_TARGET'] == 'WINNT':
-        if CONFIG['CPU_ARCH'] == 'x86':
-            # This should really be the default.
-            sandbox_vars['ASFLAGS'] = ['-safeseh']
-        if CONFIG['MOZ_FOLD_LIBS_FLAGS']:
-            sandbox_vars['CFLAGS'] = CONFIG['MOZ_FOLD_LIBS_FLAGS']
-    if CONFIG['OS_TARGET'] == 'Android':
-        sandbox_vars['CFLAGS'] = [
-            '-include', TOPSRCDIR + '/security/manager/android_stub.h',
-            # Setting sandbox_vars['DEFINES'] is broken currently.
-            '-DCHECK_FORK_GETPID',
-        ]
-        if CONFIG['ANDROID_VERSION']:
-            sandbox_vars['CFLAGS'] += ['-DANDROID_VERSION=' + CONFIG['ANDROID_VERSION']]
-    GYP_DIRS['nss'].sandbox_vars = sandbox_vars
-    GYP_DIRS['nss'].no_chromium = True
-    GYP_DIRS['nss'].no_unified = True
-    # This maps action names from gyp files to
-    # Python scripts that can be used in moz.build GENERATED_FILES.
-    GYP_DIRS['nss'].action_overrides = {
-        'generate_certdata_c': 'generate_certdata.py',
-        'generate_mapfile': 'generate_mapfile.py',
-    }
+sandbox_vars = {
+    # NSS explicitly exports its public symbols
+    # with linker scripts.
+    'COMPILE_FLAGS': {
+        'VISIBILITY': [],
+        # XXX: We should fix these warnings.
+        'WARNINGS_AS_ERRORS': [],
+    },
+    # NSS' build system doesn't currently build NSS with PGO.
+    # We could probably do so, but not without a lot of
+    # careful consideration.
+    'NO_PGO': True,
+}
+if CONFIG['OS_TARGET'] == 'WINNT':
+    if CONFIG['CPU_ARCH'] == 'x86':
+        # This should really be the default.
+        sandbox_vars['ASFLAGS'] = ['-safeseh']
+    if CONFIG['MOZ_FOLD_LIBS_FLAGS']:
+        sandbox_vars['CFLAGS'] = CONFIG['MOZ_FOLD_LIBS_FLAGS']
+if CONFIG['OS_TARGET'] == 'Android':
+    sandbox_vars['CFLAGS'] = [
+        '-include', TOPSRCDIR + '/security/manager/android_stub.h',
+        # Setting sandbox_vars['DEFINES'] is broken currently.
+        '-DCHECK_FORK_GETPID',
+    ]
+    if CONFIG['ANDROID_VERSION']:
+        sandbox_vars['CFLAGS'] += ['-DANDROID_VERSION=' + CONFIG['ANDROID_VERSION']]
+if CONFIG['MOZ_SYSTEM_NSS']:
+    sandbox_vars['CXXFLAGS'] = CONFIG['NSS_CFLAGS']
+GYP_DIRS['nss'].sandbox_vars = sandbox_vars
+GYP_DIRS['nss'].no_chromium = True
+GYP_DIRS['nss'].no_unified = True
+# This maps action names from gyp files to
+# Python scripts that can be used in moz.build GENERATED_FILES.
+GYP_DIRS['nss'].action_overrides = {
+    'generate_certdata_c': 'generate_certdata.py',
+    'generate_mapfile': 'generate_mapfile.py',
+}
 
 if CONFIG['NSS_EXTRA_SYMBOLS_FILE']:
     DEFINES['NSS_EXTRA_SYMBOLS_FILE'] = CONFIG['NSS_EXTRA_SYMBOLS_FILE']
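Review bot: The branch order in the new `if CONFIG['MOZ_FOLD_LIBS']:` / `elif not CONFIG['MOZ_SYSTEM_NSS']:` / `else:` chain only reaches the `mozpkix_only` case when `MOZ_FOLD_LIBS` is unset. If a configuration can set both `MOZ_SYSTEM_NSS` and `MOZ_FOLD_LIBS`, the build would declare `Library('nss')` and `GeckoSharedLibrary('nss', linkage=None)` together and build the full in-tree NSS next to the system one; whether configure rules that combination out is not visible here. Making the first test `if CONFIG['MOZ_FOLD_LIBS'] and not CONFIG['MOZ_SYSTEM_NSS']:` would make the system-NSS path independent of that assumption. A short comment on `sandbox_vars['CXXFLAGS'] = CONFIG['NSS_CFLAGS']` saying why only the C++ flags receive the system NSS flags would also help the next reader.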