Bug 490864, deliver 3.12.4.1 (NSS_3_12_4_FIPS1) to mozilla-central for trunk testing
authorKai Engert <kaie@kuix.de>
Tue, 05 May 2009 17:22:50 +0200
changeset 27997 b1f84820222109855566dc9eaaa099cdc6c4d637
parent 27996 d53c16d62dc37d77ad6227b53d3d39776c7ec147
child 27998 6c911e46665499429395525be3cb3eb20d3c2054
push id6835
push userkaie@kuix.de
push dateTue, 05 May 2009 15:23:11 +0000
treeherdermozilla-central@b1f848202221 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
bugs490864
milestone1.9.2a1pre
Bug 490864, deliver 3.12.4.1 (NSS_3_12_4_FIPS1) to mozilla-central for trunk testing r=relyea, r=nelson
security/coreconf/coreconf.dep
security/nss/cmd/fipstest/fipstest.c
security/nss/lib/certdb/cert.h
security/nss/lib/certdb/certi.h
security/nss/lib/certdb/certt.h
security/nss/lib/certdb/crl.c
security/nss/lib/certhigh/certvfypkix.c
security/nss/lib/ckfw/mechanism.c
security/nss/lib/jar/config.mk
security/nss/lib/jar/jar-ds.c
security/nss/lib/jar/jar-ds.h
security/nss/lib/jar/jar.c
security/nss/lib/jar/jar.h
security/nss/lib/jar/jarfile.c
security/nss/lib/jar/jarfile.h
security/nss/lib/jar/jarint.c
security/nss/lib/jar/jarint.h
security/nss/lib/jar/jarjart.c
security/nss/lib/jar/jarjart.h
security/nss/lib/jar/jarnav.c
security/nss/lib/jar/jarsign.c
security/nss/lib/jar/jarver.c
security/nss/lib/jar/jzconf.h
security/nss/lib/jar/manifest.mn
security/nss/lib/libpkix/include/pkix_certstore.h
security/nss/lib/libpkix/include/pkix_crlsel.h
security/nss/lib/libpkix/include/pkix_errorstrings.h
security/nss/lib/libpkix/include/pkix_pl_pki.h
security/nss/lib/libpkix/include/pkix_sample_modules.h
security/nss/lib/libpkix/include/pkixt.h
security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c
security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.c
security/nss/lib/libpkix/pkix/checker/pkix_crlchecker.c
security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c
security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c
security/nss/lib/libpkix/pkix/checker/pkix_targetcertchecker.c
security/nss/lib/libpkix/pkix/crlsel/pkix_comcrlselparams.c
security/nss/lib/libpkix/pkix/crlsel/pkix_comcrlselparams.h
security/nss/lib/libpkix/pkix/crlsel/pkix_crlselector.c
security/nss/lib/libpkix/pkix/crlsel/pkix_crlselector.h
security/nss/lib/libpkix/pkix/top/pkix_build.c
security/nss/lib/libpkix/pkix/top/pkix_lifecycle.c
security/nss/lib/libpkix/pkix/util/pkix_list.c
security/nss/lib/libpkix/pkix/util/pkix_tools.h
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapcertstore.c
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_nsscontext.c
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_nsscontext.h
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c
security/nss/lib/libpkix/pkix_pl_nss/pki/manifest.mn
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.h
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.h
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crldp.c
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crldp.h
security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_common.h
security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c
security/nss/lib/nss/nss.h
security/nss/lib/pk11wrap/pk11cert.c
security/nss/lib/pki/pkibase.c
security/nss/tests/chains/chains.sh
security/nss/tests/chains/scenarios/explicitPolicy.cfg
security/nss/tests/chains/scenarios/ocsp.cfg
security/nss/tests/chains/scenarios/scenarios
security/nss/tests/common/cleanup.sh
--- a/security/coreconf/coreconf.dep
+++ b/security/coreconf/coreconf.dep
@@ -39,8 +39,9 @@
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
 
 /* NSS 3.12.4 Beta */
+
--- a/security/nss/cmd/fipstest/fipstest.c
+++ b/security/nss/cmd/fipstest/fipstest.c
@@ -2591,277 +2591,415 @@ alloc_value(char *buf, int *len)
     if (!value) {
 	*len = 0;
 	return NULL;
     }
 	
     for (i=0; i<*len; buf+=2 , i++) {
 	hex_to_byteval(buf, &value[i]);
     }
+    
+
     return value;
 }
 
 PRBool
 isblankline(char *b)
 {
    while (isspace(*b)) b++;
    if ((*b == '\n') || (*b == 0)) {
 	return PR_TRUE;
    }
    return PR_FALSE;
 }
 
+static int debug = 0;
+
 /*
  * Perform the Hash_DRBG (CAVS) for the RNG algorithm
  *
  * reqfn is the pathname of the REQUEST file.
  *
  * The output RESPONSE file is written to stdout.
  */
 void
 drbg(char *reqfn)
 {
     char buf[2000];   /* test case has some very long lines, returned bits
-		       * as high as 800 bytes (6400 bits). That 1600 byte
-		       * plus a tag */
+     * as high as 800 bytes (6400 bits). That 1600 byte
+     * plus a tag */
     char buf2[2000]; 
     FILE *rngreq;       /* input stream from the REQUEST file */
     FILE *rngresp;      /* output stream to the RESPONSE file */
-    unsigned int i;
-    unsigned char *entropy = NULL;
-    int entropy_len = 0;
+    
+    unsigned int i, j;
+    PRBool predictionResistance = PR_FALSE;
     unsigned char *nonce =  NULL;
-    int nonce_len = 0;
-    unsigned char *personalization_string =  NULL;
-    int ps_len = 0;
-    unsigned char *return_bytes =  NULL;
-    unsigned char *predicted_return_bytes = NULL;
-    int return_bytes_len = 0;
-    unsigned char *additional_input =  NULL;
-    int additional_len = 0;
-    enum { NONE, INSTANTIATE, GENERATE, RESEED, UNINSTANTIATE } command =
-		NONE;
+    int nonceLen = 0;
+    unsigned char *personalizationString =  NULL;
+    int personalizationStringLen = 0;
+    unsigned char *additionalInput =  NULL;
+    int additionalInputLen = 0;
+    unsigned char *entropyInput = NULL;
+    int entropyInputLen = 0;
+    unsigned char predictedreturn_bytes[SHA256_LENGTH];
+    unsigned char return_bytes[SHA256_LENGTH];
+    int return_bytes_len = SHA256_LENGTH;
+    enum { NONE, INSTANTIATE, GENERATE, RESEED, RESULT } command =
+    NONE;
+    PRBool genResult = PR_FALSE;
     SECStatus rv;
-
+    
     rngreq = fopen(reqfn, "r");
     rngresp = stdout;
     while (fgets(buf, sizeof buf, rngreq) != NULL) {
-	/* a comment, skip it. */
-	if (buf[0] == '#') { 
-	    fputs(buf, rngresp);
-	    continue;
-	}
-
-        if (isblankline(buf)) {
-	    switch (command) {
-	    case INSTANTIATE:
-		rv = PRNGTEST_Instantiate(entropy, entropy_len,
-				      nonce, nonce_len,
-				      personalization_string, ps_len);
-		if (rv != SECSuccess) {
-		    goto loser;
-		}
-		/* clear */
-		if (entropy) {
-		    PORT_ZFree(entropy, entropy_len);
-		    entropy = NULL;
-		    entropy_len = 0;
-		}
-		if (nonce) {
-		    PORT_ZFree(nonce, nonce_len);
-		    nonce = NULL;
-		    nonce_len = 0;
-		}
-		if (personalization_string) {
-		    PORT_ZFree(personalization_string, ps_len);
-		    personalization_string = NULL;
-		    ps_len = 0;
-		}
-		break;
-	    case GENERATE:
-		rv = PRNGTEST_Generate(return_bytes, return_bytes_len,
-				      additional_input, additional_len);
-		if (rv != SECSuccess) {
-		    goto loser;
-		}
-		/* clear */
-		if (predicted_return_bytes) {
-		    fputc('+', rngresp);
+       switch (command) {
+            case INSTANTIATE:
+		if (debug) {
+		    fputs("# PRNGTEST_Instantiate(",rngresp);
+		    to_hex_str(buf2,entropyInput, entropyInputLen);
+		    fputs(buf2,rngresp);
+		    fprintf(rngresp,",%d,",entropyInputLen);
+		    to_hex_str(buf2,nonce, nonceLen);
+		    fputs(buf2,rngresp);
+		    fprintf(rngresp,",%d,",nonceLen);
+		    to_hex_str(buf2,personalizationString, 
+					personalizationStringLen);
+		    fputs(buf2,rngresp);
+		    fprintf(rngresp,",%d)\n", personalizationStringLen);
 		}
-	   	fputs("Returned bits = ", rngresp);
-		to_hex_str(buf2, return_bytes, return_bytes_len);
-		fputs(buf2, rngresp);
-		fputc('\n', rngresp);
-
-		if (predicted_return_bytes) {
-		    if (memcmp(return_bytes, 
-			   predicted_return_bytes, return_bytes_len) != 0) {
-			fprintf(stderr, "Generate failed:\n");
-			fputs(  "   predicted=", stderr);
-			to_hex_str(buf, predicted_return_bytes, 
-							return_bytes_len);
-			fputs(buf, stderr);
-			fputs("\n   actual  = ", stderr);
-			fputs(buf2, stderr);
-			fputc('\n', stderr);
-		    }
-		    PORT_ZFree(predicted_return_bytes, return_bytes_len);
-		    predicted_return_bytes = NULL;
-		}
-			
-		if (return_bytes) {
-		    PORT_ZFree(return_bytes, return_bytes_len);
-		    return_bytes = NULL;
-		    return_bytes_len = 0;
+                rv = PRNGTEST_Instantiate(entropyInput, entropyInputLen,
+                                          nonce, nonceLen,
+                                          personalizationString, 
+				          personalizationStringLen);
+                if (rv != SECSuccess) {
+                    goto loser;
+                }
+                break;
+                    
+            case GENERATE:
+            case RESULT:
+                memset(return_bytes, 0, return_bytes_len);
+		if (debug) {
+		    fputs("# PRNGTEST_Generate(returnbytes",rngresp);
+		    fprintf(rngresp,",%d,", return_bytes_len);
+		    to_hex_str(buf2,additionalInput, additionalInputLen);
+		    fputs(buf2,rngresp);
+		    fprintf(rngresp,",%d)\n",additionalInputLen);
 		}
-		if (additional_input) {
-		    PORT_ZFree(additional_input, additional_len);
-		    additional_input = NULL;
-		    additional_len = 0;
-		}
-		
-		break;
-	    case RESEED:
-		rv = PRNGTEST_Reseed(entropy, entropy_len,
-				      additional_input, additional_len);
-		if (rv != SECSuccess) {
-		    goto loser;
-		}
-		/* clear */
-		if (entropy) {
-		    PORT_ZFree(entropy, entropy_len);
-		    entropy = NULL;
-		    entropy_len = 0;
-		}
-		if (additional_input) {
-		    PORT_ZFree(additional_input, additional_len);
-		    additional_input = NULL;
-		    additional_len = 0;
-		}
-		break;
-	    case UNINSTANTIATE:
-		rv = PRNGTEST_Uninstantiate();
-		if (rv != SECSuccess) {
-		    goto loser;
+                rv = PRNGTEST_Generate((PRUint8 *) return_bytes, 
+					return_bytes_len,
+                                       (PRUint8 *) additionalInput, 
+					additionalInputLen);
+                if (rv != SECSuccess) {
+                    goto loser;
+                }
+                    
+                if (command == RESULT) {
+                    fputs("ReturnedBits = ", rngresp);
+                    to_hex_str(buf2, return_bytes, return_bytes_len);
+                    fputs(buf2, rngresp);
+                    fputc('\n', rngresp);
+		    if (debug) {
+			fputs("# PRNGTEST_Uninstantiate()\n",rngresp);
+		    }
+                    rv = PRNGTEST_Uninstantiate();
+                    if (rv != SECSuccess) {
+                        goto loser;
+                    }
+                } else if (debug) {
+                    fputs("#ReturnedBits = ", rngresp);
+                    to_hex_str(buf2, return_bytes, return_bytes_len);
+                    fputs(buf2, rngresp);
+                    fputc('\n', rngresp);
 		}
-		break;
-	    } 
-	    fputs(buf, rngresp);
-	    command = NONE;
-	    continue;
-	}
-
-	/* [Hash - SHA256] */
-	if (buf[0] == '[') {
-	    fputs(buf, rngresp);
-	    continue;
-	}
-	/* INSTANTIATE */
-	if (strncmp(buf, "INSTANTIATE", 11) == 0) {
-	    i = 11;
-
-	    command = INSTANTIATE;
-	    fputs(buf, rngresp);
-	    continue;
-	}
-	/* Generate bytes */
-	if (strncmp(buf, "GENERATE", 8) == 0) {
-	    i = 8;
-	    while (isspace(buf[i])) {
-		i++;
-	    }
-	    return_bytes_len = atoi(&buf[i])/8;
-	    return_bytes = PORT_Alloc(return_bytes_len);
-	    command = GENERATE;
-	    fputs(buf, rngresp);
-	    continue;
-	}
-	if (strncmp(buf, "RESEED", 6) == 0) {
-	    i = 6;
-	    command = RESEED;
-	    fputs(buf, rngresp);
-	    continue;
-	}
-	if (strncmp(buf, "UNINSTANTIATE", 13) == 0) {
-	    i = 13;
-	    command = UNINSTANTIATE;
-	    fputs(buf, rngresp);
-	    continue;
-	}
-	/* Entropy input = ... */
-	if (strncmp(buf, "Entropy input", 13) == 0) {
-	    i = 13;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-
-	    if ((command == INSTANTIATE) || (command == RESEED)) {
-		entropy = alloc_value(&buf[i], &entropy_len);
-	    }
-	    
-	    fputs(buf, rngresp);
-	    continue;
-	}
-	/* Nonce = ... */
-	if (strncmp(buf, "Nonce", 5) == 0) {
-	    i = 5;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-
-	    if (command == INSTANTIATE) {
-		nonce = alloc_value(&buf[i], &nonce_len);
-	    }
-	    
-	    fputs(buf, rngresp);
-	    continue;
-	}
-	/* Personalization string = ... */
-	if (strncmp(buf, "Personalization string", 22) == 0) {
-	    i = 22;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-
-	    if (command == INSTANTIATE) {
-		personalization_string = alloc_value(&buf[i], &ps_len);
-	    }
-	    
-	    fputs(buf, rngresp);
-	    continue;
-	}
-	/* Returned bits = ... */
-	if (strncmp(buf, "Returned bits", 13) == 0) {
-	    i = 13;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-
-	    if (command == GENERATE) {
-		int len;
-		predicted_return_bytes = alloc_value(&buf[i], &len);
-	    }
-	    
-	    fputs(buf, rngresp);
-	    continue;
-	}
-	/* Additional input = ... */
-	if (strncmp(buf, "Additional input", 16) == 0) {
-	    i = 16;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-
-	    if ((command == GENERATE) || (command = RESEED)) {
-		additional_input = alloc_value(&buf[i], &additional_len);
-	    }
-	    
-	    fputs(buf, rngresp);
-	    continue;
-	}
+                    
+                memset(additionalInput, 0, additionalInputLen);
+                break;
+                    
+            case RESEED:
+                if (entropyInput || additionalInput) {
+		    if (debug) {
+			fputs("# PRNGTEST_Reseed(",rngresp);
+			fprintf(rngresp,",%d,", return_bytes_len);
+			to_hex_str(buf2,entropyInput, entropyInputLen);
+			fputs(buf2,rngresp);
+			fprintf(rngresp,",%d,", entropyInputLen);
+			to_hex_str(buf2,additionalInput, additionalInputLen);
+			fputs(buf2,rngresp);
+			fprintf(rngresp,",%d)\n",additionalInputLen);
+		    }	
+                    rv = PRNGTEST_Reseed(entropyInput, entropyInputLen,
+                                             additionalInput, additionalInputLen);
+                    if (rv != SECSuccess) {
+                        goto loser;
+                    }
+                }
+                memset(entropyInput, 0, entropyInputLen);
+                memset(additionalInput, 0, additionalInputLen);
+                break;
+            case NONE:
+                break;
+                    
+        } 
+        command = NONE;
+        
+        /* a comment or blank line */
+        if (buf[0] == '#' || buf[0] == '\n' || buf[0] == '\r' ) {
+            fputs(buf, rngresp);
+            continue;
+        }
+        
+        /* [Hash - SHA256] */
+        if (strncmp(buf, "[SHA-256]", 9) == 0) {
+            fputs(buf, rngresp);
+            continue;
+        }
+        
+        if (strncmp(buf, "[PredictionResistance", 21)  == 0) {
+            i = 21;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }    
+            if (strncmp(buf, "False", 5) == 0) {
+                predictionResistance = PR_FALSE;
+            } else {
+                predictionResistance = PR_TRUE;
+            }
+            
+            fputs(buf, rngresp);
+            continue;
+        }
+        
+        if (strncmp(buf, "[EntropyInputLen", 16)  == 0) {
+            if (entropyInput) {
+                PORT_ZFree(entropyInput, entropyInputLen);
+                entropyInput = NULL;
+                entropyInputLen = 0;
+            }
+            if (sscanf(buf, "[EntropyInputLen = %d]", &entropyInputLen) != 1) {
+                goto loser;
+            }
+	    entropyInputLen = entropyInputLen/8;
+            if (entropyInputLen > 0) {
+                entropyInput = PORT_Alloc(entropyInputLen);
+            }
+            fputs(buf, rngresp);
+            continue;
+        }
+        
+        if (strncmp(buf, "[NonceLen", 9)  == 0) {
+            if (nonce) {
+                PORT_ZFree(nonce, nonceLen);
+                nonce = NULL;
+                nonceLen = 0;
+            }
+            
+            if (sscanf(buf, "[NonceLen = %d]", &nonceLen) != 1) {
+                goto loser;
+            }
+	    nonceLen = nonceLen/8;
+            if (nonceLen > 0) {
+                nonce = PORT_Alloc(nonceLen);
+            }               
+            fputs(buf, rngresp);
+            continue;
+        }
+        
+        if (strncmp(buf, "[PersonalizationStringLen", 16)  == 0) {
+            if (personalizationString) {
+                PORT_ZFree(personalizationString, personalizationStringLen);
+                personalizationString = NULL;
+                personalizationStringLen = 0;
+            }
+            
+            if (sscanf(buf, "[PersonalizationStringLen = %d]", &personalizationStringLen) != 1) {
+                goto loser;
+            }
+	    personalizationStringLen = personalizationStringLen / 8;
+            if (personalizationStringLen > 0) {
+                personalizationString = PORT_Alloc(personalizationStringLen);
+            }
+            fputs(buf, rngresp);
+            
+            continue;
+        }
+        
+        if (strncmp(buf, "[AdditionalInputLen", 16)  == 0) {
+            if (additionalInput) {
+                PORT_ZFree(additionalInput, additionalInputLen);
+                additionalInput = NULL;
+                additionalInputLen = 0;
+            }
+            
+            if (sscanf(buf, "[AdditionalInputLen = %d]", &additionalInputLen) != 1) {
+                goto loser;
+            }
+	    additionalInputLen = additionalInputLen/8;
+            if (additionalInputLen > 0) {
+                additionalInput = PORT_Alloc(additionalInputLen);
+            }
+            fputs(buf, rngresp);
+            continue;
+        }
+        
+        if (strncmp(buf, "COUNT", 5) == 0) {
+            /* zeroize the variables for the test with this data set */
+            if (entropyInput) {
+                memset(entropyInput, 0, entropyInputLen);
+            }
+            if (nonce) {
+                memset(nonce, 0, nonceLen);        
+            }
+            if (personalizationString) {
+                memset(personalizationString, 0, personalizationStringLen);
+            }
+            if (additionalInput) {
+                memset(additionalInput, 0, additionalInputLen);
+            }
+            genResult = PR_FALSE;
+            
+            fputs(buf, rngresp);
+            continue;
+        }
+        
+        /* EntropyInputReseed = ... */
+        if (strncmp(buf, "EntropyInputReseed", 18) == 0) {
+            if (entropyInput) {
+                memset(entropyInput, 0, entropyInputLen);
+                i = 18;
+                while (isspace(buf[i]) || buf[i] == '=') {
+                    i++;
+                }            
+                
+                for (j=0; isxdigit(buf[i]); i+=2,j++) { /*j<entropyInputLen*/
+                    hex_to_byteval(&buf[i], &entropyInput[j]);
+                }           
+            }
+            fputs(buf, rngresp);
+            continue;
+        }
+        
+        /* AttionalInputReseed  = ... */
+        if (strncmp(buf, "AdditionalInputReseed", 21) == 0) {
+            if (additionalInput) {
+                memset(additionalInput, 0, additionalInputLen);
+                i = 21;
+                while (isspace(buf[i]) || buf[i] == '=') {
+                    i++;
+                }
+                for (j=0; isxdigit(buf[i]); i+=2,j++) { /*j<additionalInputLen*/
+                    hex_to_byteval(&buf[i], &additionalInput[j]);
+                }    
+            }
+            command = RESEED;
+            fputs(buf, rngresp);
+            continue;
+        }
+        
+        /* Entropy input = ... */
+        if (strncmp(buf, "EntropyInput", 12) == 0) {
+            i = 12;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; isxdigit(buf[i]); i+=2,j++) { /*j<entropyInputLen*/
+                hex_to_byteval(&buf[i], &entropyInput[j]);
+            }  
+            fputs(buf, rngresp);
+            continue;
+        }
+        
+        /* nouce = ... */
+        if (strncmp(buf, "Nonce", 5) == 0) {
+            i = 5;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; isxdigit(buf[i]); i+=2,j++) { /*j<nonceLen*/
+                hex_to_byteval(&buf[i], &nonce[j]);
+            }  
+            fputs(buf, rngresp);
+            continue;
+        }
+        
+        /* Personalization string = ... */
+        if (strncmp(buf, "PersonalizationString", 21) == 0) {
+            if (personalizationString) {
+                i = 21;
+                while (isspace(buf[i]) || buf[i] == '=') {
+                    i++;
+                }
+                for (j=0; isxdigit(buf[i]); i+=2,j++) { /*j<personalizationStringLen*/
+                    hex_to_byteval(&buf[i], &personalizationString[j]);
+                }
+            }
+            fputs(buf, rngresp);
+            command = INSTANTIATE;
+            continue;
+        }
+        
+        /* Additional input = ... */
+        if (strncmp(buf, "AdditionalInput", 15) == 0) {
+            if (additionalInput) {
+                i = 15;
+                while (isspace(buf[i]) || buf[i] == '=') {
+                    i++;
+                }
+                for (j=0; isxdigit(buf[i]); i+=2,j++) { /*j<additionalInputLen*/
+                    hex_to_byteval(&buf[i], &additionalInput[j]);
+                } 
+            }
+            if (genResult) {
+                command = RESULT;
+            } else {
+                command = GENERATE;
+                genResult = PR_TRUE; /* next time generate result */
+            }
+            fputs(buf, rngresp);
+            continue;
+        }
+        
+        /* Returned bits = ... */
+        if (strncmp(buf, "ReturnedBits", 12) == 0) {
+            i = 12;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; isxdigit(buf[i]); i+=2,j++) { /*j<additionalInputLen*/
+                hex_to_byteval(&buf[i], &predictedreturn_bytes[j]);
+            }          
+
+            if (memcmp(return_bytes, 
+                       predictedreturn_bytes, return_bytes_len) != 0) {
+		if (debug) {
+                fprintf(rngresp, "# Generate failed:\n");
+                fputs(  "#   predicted=", rngresp);
+                to_hex_str(buf, predictedreturn_bytes, 
+                           return_bytes_len);
+                fputs(buf, rngresp);
+                fputs("\n#   actual  = ", rngresp);
+                fputs(buf2, rngresp);
+                fputc('\n', rngresp);
+
+		} else {
+                fprintf(stderr, "Generate failed:\n");
+                fputs(  "   predicted=", stderr);
+                to_hex_str(buf, predictedreturn_bytes, 
+                           return_bytes_len);
+                fputs(buf, stderr);
+                fputs("\n   actual  = ", stderr);
+                fputs(buf2, stderr);
+                fputc('\n', stderr);
+		}
+            }
+            memset(predictedreturn_bytes, 0 , sizeof predictedreturn_bytes);
+
+            continue;
+        }
     }
 loser:
     fclose(rngreq);
 }
 
 /*
  * Perform the RNG Variable Seed Test (VST) for the RNG algorithm
  * "DSA - Generation of X", used both as specified and as a generic
@@ -4893,11 +5031,14 @@ int main(int argc, char **argv)
 	    rng_vst(argv[3]);
 	} else if (strcmp(argv[2], "mct") == 0) {
 	    /* Monte Carlo Test */
 	    rng_mct(argv[3]);
 	}
     } else if (strcmp(argv[1], "drbg") == 0) {
 	/* Variable Seed Test */
 	drbg(argv[2]);
+    } else if (strcmp(argv[1], "ddrbg") == 0) {
+	debug = 1;
+	drbg(argv[2]);
     }
     return 0;
 }
--- a/security/nss/lib/certdb/cert.h
+++ b/security/nss/lib/certdb/cert.h
@@ -32,17 +32,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * cert.h - public data structures and prototypes for the certificate library
  *
- * $Id: cert.h,v 1.76 2009/03/20 18:03:57 nelson%bolyard.com Exp $
+ * $Id: cert.h,v 1.77 2009/04/17 22:46:27 julien.pierre.boogz%sun.com Exp $
  */
 
 #ifndef _CERT_H_
 #define _CERT_H_
 
 #include "utilrename.h"
 #include "plarena.h"
 #include "plhash.h"
@@ -1520,17 +1520,17 @@ CERT_UnlockCertTrust(CERTCertificate *ce
  * results in a NULL being returned (and an appropriate error set).
  */ 
 extern SECItem *
 CERT_GetSPKIDigest(PLArenaPool *arena, const CERTCertificate *cert,
                    SECOidTag digestAlg, SECItem *fill);
 
 
 SECStatus CERT_CheckCRL(CERTCertificate* cert, CERTCertificate* issuer,
-                        SECItem* dp, PRTime t, void* wincx);
+                        const SECItem* dp, PRTime t, void* wincx);
 
 
 /*
  * Add a CERTNameConstraint to the CERTNameConstraint list
  */
 extern CERTNameConstraint *
 CERT_AddNameConstraint(CERTNameConstraint *list, 
 		       CERTNameConstraint *constraint);
--- a/security/nss/lib/certdb/certi.h
+++ b/security/nss/lib/certdb/certi.h
@@ -31,17 +31,17 @@
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 /*
  * certi.h - private data structures for the certificate library
  *
- * $Id: certi.h,v 1.28 2009/03/17 07:30:11 nelson%bolyard.com Exp $
+ * $Id: certi.h,v 1.30 2009/04/18 05:15:45 alexei.volkov.bugs%sun.com Exp $
  */
 #ifndef _CERTI_H_
 #define _CERTI_H_
 
 #include "certt.h"
 #include "nssrwlkt.h"
 
 /*
@@ -53,16 +53,18 @@
 /* all definitions in this file are subject to change */
 
 typedef struct OpaqueCRLFieldsStr OpaqueCRLFields;
 typedef struct CRLEntryCacheStr CRLEntryCache;
 typedef struct CRLDPCacheStr CRLDPCache;
 typedef struct CRLIssuerCacheStr CRLIssuerCache;
 typedef struct CRLCacheStr CRLCache;
 typedef struct CachedCrlStr CachedCrl;
+typedef struct NamedCRLCacheStr NamedCRLCache;
+typedef struct NamedCRLCacheEntryStr NamedCRLCacheEntry;
 
 struct OpaqueCRLFieldsStr {
     PRBool partial;
     PRBool decodingError;
     PRBool badEntries;
     PRBool badDER;
     PRBool badExtensions;
     PRBool heapDER;
@@ -98,16 +100,27 @@ struct CRLEntryCacheStr {
 #define CRL_CACHE_OUT_OF_MEMORY             0x0004 /* this state will be set
         if we don't have enough memory to build the hash table of entries */
 
 typedef enum {
     CRL_OriginToken = 0,    /* CRL came from PKCS#11 token */
     CRL_OriginExplicit = 1  /* CRL was explicitly added to the cache, from RAM */
 } CRLOrigin;
 
+typedef enum {
+    dpcacheNoEntry = 0,             /* no entry found for this SN */
+    dpcacheFoundEntry = 1,          /* entry found for this SN */
+    dpcacheCallerError = 2,         /* invalid args */
+    dpcacheInvalidCacheError = 3,   /* CRL in cache may be bad DER */
+                                    /* or unverified */
+    dpcacheEmpty = 4,               /* no CRL in cache */
+    dpcacheLookupError = 5          /* internal error */
+} dpcacheStatus;
+
+
 struct CachedCrlStr {
     CERTSignedCrl* crl;
     CRLOrigin origin;
     /* hash table of entries. We use a PLHashTable and pre-allocate the
        required amount of memory in one shot, so that our allocator can
        simply pass offsets into it when hashing.
 
        This won't work anymore when we support delta CRLs and iCRLs, because
@@ -252,23 +265,23 @@ extern CERTAVA * CERT_CreateAVAFromRaw(P
 /* Make an AVA from binary input specified by SECItem */
 extern CERTAVA * CERT_CreateAVAFromSECItem(PRArenaPool *arena, SECOidTag kind, 
                                            int valueType, SECItem *value);
 
 /*
  * get a DPCache object for the given issuer subject and dp
  * Automatically creates the cache object if it doesn't exist yet.
  */
-SECStatus AcquireDPCache(CERTCertificate* issuer, SECItem* subject,
-                         SECItem* dp, int64 t, void* wincx,
+SECStatus AcquireDPCache(CERTCertificate* issuer, const SECItem* subject,
+                         const SECItem* dp, int64 t, void* wincx,
                          CRLDPCache** dpcache, PRBool* writeLocked);
 
 /* check if a particular SN is in the CRL cache and return its entry */
-SECStatus DPCache_Lookup(CRLDPCache* cache, SECItem* sn,
-                         CERTCrlEntry** returned);
+dpcacheStatus DPCache_Lookup(CRLDPCache* cache, SECItem* sn,
+                             CERTCrlEntry** returned);
 
 /* release a DPCache object that was previously acquired */
 void ReleaseDPCache(CRLDPCache* dpcache, PRBool writeLocked);
 
 /* this function assumes the caller holds a lock on the DPCache */
 SECStatus DPCache_GetAllCRLs(CRLDPCache* dpc, PRArenaPool* arena,
                              CERTSignedCrl*** crls, PRUint16* status);
 
@@ -310,10 +323,73 @@ extern SECStatus cert_GetCertType(CERTCe
  * update the CERTCertificate.
  */
 extern PRUint32 cert_ComputeCertType(CERTCertificate *cert);
 
 void cert_AddToVerifyLog(CERTVerifyLog *log,CERTCertificate *cert,
                          unsigned long errorCode, unsigned int depth,
                          void *arg);
 
+/* Insert a DER CRL into the CRL cache, and take ownership of it.
+ *
+ * cert_CacheCRLByGeneralName takes ownership of the memory in crl argument
+ * completely.  crl must be freeable by SECITEM_FreeItem. It will be freed
+ * immediately if it is rejected from the CRL cache, or later during cache
+ * updates when a new crl is available, or at shutdown time.
+ *
+ * canonicalizedName represents the source of the CRL, a GeneralName.
+ * The format of the encoding is not restricted, but all callers of
+ * cert_CacheCRLByGeneralName and cert_FindCRLByGeneralName must use
+ * the same encoding. To facilitate X.500 name matching, a canonicalized
+ * encoding of the GeneralName should be used, if available.
+ */
+ 
+SECStatus cert_CacheCRLByGeneralName(CERTCertDBHandle* dbhandle, SECItem* crl,
+                                     const SECItem* canonicalizedName);
+
+struct NamedCRLCacheStr {
+    PRLock* lock;
+    PLHashTable* entries;
+};
+
+/* NamedCRLCacheEntryStr is filled in by cert_CacheCRLByGeneralName,
+ * and read by cert_FindCRLByGeneralName */
+struct NamedCRLCacheEntryStr {
+    SECItem* canonicalizedName;
+    SECItem* crl;                   /* DER, kept only if CRL
+                                     * is successfully cached */
+    PRBool inCRLCache;
+    PRTime successfulInsertionTime; /* insertion time */
+    PRTime lastAttemptTime;         /* time of last call to
+                              cert_CacheCRLByGeneralName with this name */
+    PRBool badDER;      /* ASN.1 error */
+    PRBool dupe;        /* matching DER CRL already in CRL cache */
+    PRBool unsupported; /* IDP, delta, any other reason */
+};
+
+typedef enum {
+    certRevocationStatusRevoked = 0,
+    certRevocationStatusValid = 1,
+    certRevocationStatusUnknown = 2,
+} CERTRevocationStatus;
+
+/* Returns detailed status of the cert(revStatus variable). Tells if
+ * issuer cache has OriginFetchedWithTimeout crl in it. */
+SECStatus
+cert_CheckCertRevocationStatus(CERTCertificate* cert, CERTCertificate* issuer,
+                               const SECItem* dp, PRTime t, void *wincx,
+                               CERTRevocationStatus *revStatus,
+                               CERTCRLEntryReasonCode *revReason);
+
+
+SECStatus cert_AcquireNamedCRLCache(NamedCRLCache** returned);
+
+/* cert_FindCRLByGeneralName must be called only while the named cache is
+ * acquired, and the entry is only valid until cache is released.
+ */
+SECStatus cert_FindCRLByGeneralName(NamedCRLCache* ncc,
+                                    const SECItem* canonicalizedName,
+                                    NamedCRLCacheEntry** retEntry);
+
+SECStatus cert_ReleaseNamedCRLCache(NamedCRLCache* ncc);
+
 #endif /* _CERTI_H_ */
 
--- a/security/nss/lib/certdb/certt.h
+++ b/security/nss/lib/certdb/certt.h
@@ -31,17 +31,17 @@
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 /*
  * certt.h - public data structures for the certificate library
  *
- * $Id: certt.h,v 1.49 2009/03/21 01:40:34 nelson%bolyard.com Exp $
+ * $Id: certt.h,v 1.50 2009/04/24 19:18:32 nelson%bolyard.com Exp $
  */
 #ifndef _CERTT_H_
 #define _CERTT_H_
 
 #include "prclist.h"
 #include "pkcs11t.h"
 #include "seccomon.h"
 #include "secmodt.h"
@@ -1106,16 +1106,18 @@ typedef enum {
  * is available for at least one of the allowed methods, but it's
  * irrelevant which of the mechanisms succeeded.
  * NO_OVERALL_INFO_REQUIREMENT means:
  *     We strictly follow the requirements for each individual method.
  * REQUIRE_SOME_FRESH_INFO_AVAILABLE means:
  *     After the individual tests have been executed, we must have
  *     been able to find fresh information using at least one method.
  *     If we were unable to find fresh info, it's a failure.
+ *     This setting overrides the CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
+ *     flag on all methods.
  */
 #define CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT       0L
 #define CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 2L
 
 
 typedef struct {
     /*
      * The size of the array that cert_rev_flags_per_method points to,
--- a/security/nss/lib/certdb/crl.c
+++ b/security/nss/lib/certdb/crl.c
@@ -32,17 +32,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * Moved from secpkcs7.c
  *
- * $Id: crl.c,v 1.62 2009/02/05 20:31:26 nelson%bolyard.com Exp $
+ * $Id: crl.c,v 1.66 2009/04/21 22:53:58 julien.pierre.boogz%sun.com Exp $
  */
  
 #include "cert.h"
 #include "certi.h"
 #include "secder.h"
 #include "secasn1.h"
 #include "secoid.h"
 #include "certdb.h"
@@ -931,17 +931,17 @@ static SECStatus CachedCrl_Depopulate(Ca
 /* are these CRLs the same, as far as the cache is concerned ?
    Or are they the same token object, but with different DER ? */
 
 static SECStatus CachedCrl_Compare(CachedCrl* a, CachedCrl* b, PRBool* isDupe,
                                 PRBool* isUpdated);
 
 /* create a DPCache object */
 static SECStatus DPCache_Create(CRLDPCache** returned, CERTCertificate* issuer,
-                         SECItem* subject, SECItem* dp);
+                         const SECItem* subject, SECItem* dp);
 
 /* destructor for CRL DPCache object */
 static SECStatus DPCache_Destroy(CRLDPCache* cache);
 
 /* add a new CRL object to the dynamic array of CRLs of the DPCache, and
    returns the cached CRL object . Needs write access to DPCache. */
 static SECStatus DPCache_AddCRL(CRLDPCache* cache, CachedCrl* crl,
                                 PRBool* added);
@@ -962,28 +962,30 @@ static PRBool DPCache_HasTokenCRLs(CRLDP
 static SECStatus DPCache_RemoveCRL(CRLDPCache* cache, PRUint32 offset);
 
 /* Pick best CRL to use . needs write access */
 static SECStatus DPCache_SelectCRL(CRLDPCache* cache);
 
 /* create an issuer cache object (per CA subject ) */
 static SECStatus IssuerCache_Create(CRLIssuerCache** returned,
                              CERTCertificate* issuer,
-                             SECItem* subject, SECItem* dp);
+                             const SECItem* subject, const SECItem* dp);
 
 /* destructor for CRL IssuerCache object */
 SECStatus IssuerCache_Destroy(CRLIssuerCache* cache);
 
 /* add a DPCache to the issuer cache */
 static SECStatus IssuerCache_AddDP(CRLIssuerCache* cache,
-                                   CERTCertificate* issuer, SECItem* subject,
-                                   SECItem* dp, CRLDPCache** newdpc);
+                                   CERTCertificate* issuer,
+                                   const SECItem* subject,
+                                   const SECItem* dp, CRLDPCache** newdpc);
 
 /* get a particular DPCache object from an IssuerCache */
-static CRLDPCache* IssuerCache_GetDPCache(CRLIssuerCache* cache, SECItem* dp);
+static CRLDPCache* IssuerCache_GetDPCache(CRLIssuerCache* cache,
+                                          const SECItem* dp);
 
 /*
 ** Pre-allocator hash allocator ops.
 */
 
 /* allocate memory for hash table */
 static void * PR_CALLBACK
 PreAllocTable(void *pool, PRSize size)
@@ -1084,16 +1086,19 @@ PreAllocator* PreAllocator_Create(PRSize
     {
         PreAllocator_Destroy(&prebuffer);
         return NULL;
     }
     *prepointer = prebuffer;
     return prepointer;
 }
 
+/* global Named CRL cache object */
+static NamedCRLCache namedCRLCache = { NULL, NULL };
+
 /* global CRL cache object */
 static CRLCache crlcache = { NULL, NULL };
 
 /* initial state is off */
 static PRBool crlcache_initialized = PR_FALSE;
 
 PRTime CRLCache_Empty_TokenFetch_Interval = 60 * 1000000; /* how often
     to query the tokens for CRL objects, in order to discover new objects, if
@@ -1108,41 +1113,63 @@ PRTime CRLCache_ExistenceCheck_Interval 
 
 /* this function is called at NSS initialization time */
 SECStatus InitCRLCache(void)
 {
     if (PR_FALSE == crlcache_initialized)
     {
         PORT_Assert(NULL == crlcache.lock);
         PORT_Assert(NULL == crlcache.issuers);
-        if (crlcache.lock || crlcache.issuers)
+        PORT_Assert(NULL == namedCRLCache.lock);
+        PORT_Assert(NULL == namedCRLCache.entries);
+        if (crlcache.lock || crlcache.issuers || namedCRLCache.lock ||
+            namedCRLCache.entries)
         {
             /* CRL cache already partially initialized */
             PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
             return SECFailure;
         }
 #ifdef GLOBAL_RWLOCK
         crlcache.lock = NSSRWLock_New(NSS_RWLOCK_RANK_NONE, NULL);
 #else
         crlcache.lock = PR_NewLock();
 #endif
-        if (!crlcache.lock)
-        {
-            return SECFailure;
-        }
+        namedCRLCache.lock = PR_NewLock();
         crlcache.issuers = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare,
                                   PL_CompareValues, NULL, NULL);
-        if (!crlcache.issuers)
+        namedCRLCache.entries = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare,
+                                  PL_CompareValues, NULL, NULL);
+        if (!crlcache.lock || !namedCRLCache.lock || !crlcache.issuers ||
+            !namedCRLCache.entries)
         {
+            if (crlcache.lock)
+            {
 #ifdef GLOBAL_RWLOCK
-            NSSRWLock_Destroy(crlcache.lock);
+                NSSRWLock_Destroy(crlcache.lock);
 #else
-            PR_DestroyLock(crlcache.lock);
+                PR_DestroyLock(crlcache.lock);
 #endif
-            crlcache.lock = NULL;
+                crlcache.lock = NULL;
+            }
+            if (namedCRLCache.lock)
+            {
+                PR_DestroyLock(namedCRLCache.lock);
+                namedCRLCache.lock = NULL;
+            }
+            if (crlcache.issuers)
+            {
+                PL_HashTableDestroy(crlcache.issuers);
+                crlcache.issuers = NULL;
+            }
+            if (namedCRLCache.entries)
+            {
+                PL_HashTableDestroy(namedCRLCache.entries);
+                namedCRLCache.entries = NULL;
+            }
+
             return SECFailure;
         }
         crlcache_initialized = PR_TRUE;
         return SECSuccess;
     }
     else
     {
         PORT_Assert(crlcache.lock);
@@ -1252,16 +1279,58 @@ SECStatus IssuerCache_Destroy(CRLIssuerC
     {
         PORT_Assert(0);
         return SECFailure;
     }
     PORT_Free(cache);
     return SECSuccess;
 }
 
+/* create a named CRL entry object */
+static SECStatus NamedCRLCacheEntry_Create(NamedCRLCacheEntry** returned)
+{
+    NamedCRLCacheEntry* entry = NULL;
+    if (!returned)
+    {
+        PORT_Assert(0);
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+    *returned = NULL;
+    entry = (NamedCRLCacheEntry*) PORT_ZAlloc(sizeof(NamedCRLCacheEntry));
+    if (!entry)
+    {
+        return SECFailure;
+    }
+    *returned = entry;
+    return SECSuccess;
+}
+
+/* destroy a named CRL entry object */
+static SECStatus NamedCRLCacheEntry_Destroy(NamedCRLCacheEntry* entry)
+{
+    if (!entry)
+    {
+        PORT_Assert(0);
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+    if (entry->crl)
+    {
+        /* named CRL cache owns DER memory */
+        SECITEM_ZfreeItem(entry->crl, PR_TRUE);
+    }
+    if (entry->canonicalizedName)
+    {
+        SECITEM_FreeItem(entry->canonicalizedName, PR_TRUE);
+    }
+    PORT_Free(entry);
+    return SECSuccess;
+}
+
 /* callback function used in hash table destructor */
 static PRIntn PR_CALLBACK FreeIssuer(PLHashEntry *he, PRIntn i, void *arg)
 {
     CRLIssuerCache* issuer = NULL;
     SECStatus* rv = (SECStatus*) arg;
 
     PORT_Assert(he);
     if (!he)
@@ -1280,50 +1349,91 @@ static PRIntn PR_CALLBACK FreeIssuer(PLH
                 *rv = SECFailure;
             }
             return HT_ENUMERATE_NEXT;
         }
     }
     return HT_ENUMERATE_NEXT;
 }
 
+/* callback function used in hash table destructor */
+static PRIntn PR_CALLBACK FreeNamedEntries(PLHashEntry *he, PRIntn i, void *arg)
+{
+    NamedCRLCacheEntry* entry = NULL;
+    SECStatus* rv = (SECStatus*) arg;
+
+    PORT_Assert(he);
+    if (!he)
+    {
+        return HT_ENUMERATE_NEXT;
+    }
+    entry = (NamedCRLCacheEntry*) he->value;
+    PORT_Assert(entry);
+    if (entry)
+    {
+        if (SECSuccess != NamedCRLCacheEntry_Destroy(entry))
+        {
+            PORT_Assert(rv);
+            if (rv)
+            {
+                *rv = SECFailure;
+            }
+            return HT_ENUMERATE_NEXT;
+        }
+    }
+    return HT_ENUMERATE_NEXT;
+}
+
 /* needs to be called at NSS shutdown time
    This will destroy the global CRL cache, including 
    - the hash table of issuer cache objects
    - the issuer cache objects
    - DPCache objects in issuer cache objects */
 SECStatus ShutdownCRLCache(void)
 {
     SECStatus rv = SECSuccess;
     if (PR_FALSE == crlcache_initialized &&
         !crlcache.lock && !crlcache.issuers)
     {
         /* CRL cache has already been shut down */
         return SECSuccess;
     }
     if (PR_TRUE == crlcache_initialized &&
-        (!crlcache.lock || !crlcache.issuers))
+        (!crlcache.lock || !crlcache.issuers || !namedCRLCache.lock ||
+         !namedCRLCache.entries))
     {
         /* CRL cache has partially been shut down */
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return SECFailure;
     }
-    /* empty the cache */
+    /* empty the CRL cache */
     /* free the issuers */
     PL_HashTableEnumerateEntries(crlcache.issuers, &FreeIssuer, &rv);
     /* free the hash table of issuers */
     PL_HashTableDestroy(crlcache.issuers);
     crlcache.issuers = NULL;
     /* free the global lock */
 #ifdef GLOBAL_RWLOCK
     NSSRWLock_Destroy(crlcache.lock);
 #else
     PR_DestroyLock(crlcache.lock);
 #endif
     crlcache.lock = NULL;
+
+    /* empty the named CRL cache. This must be done after freeing the CRL
+     * cache, since some CRLs in this cache are in the memory for the other  */
+    /* free the entries */
+    PL_HashTableEnumerateEntries(namedCRLCache.entries, &FreeNamedEntries, &rv);
+    /* free the hash table of issuers */
+    PL_HashTableDestroy(namedCRLCache.entries);
+    namedCRLCache.entries = NULL;
+    /* free the global lock */
+    PR_DestroyLock(namedCRLCache.lock);
+    namedCRLCache.lock = NULL;
+
     crlcache_initialized = PR_FALSE;
     return rv;
 }
 
 /* add a new CRL object to the dynamic array of CRLs of the DPCache, and
    returns the cached CRL object . Needs write access to DPCache. */
 static SECStatus DPCache_AddCRL(CRLDPCache* cache, CachedCrl* newcrl,
                                 PRBool* added)
@@ -1708,39 +1818,56 @@ static SECStatus CachedCrl_GetEntry(Cach
     else
     {
         *returned = NULL;
     }
     return SECSuccess;
 }
 
 /* check if a particular SN is in the CRL cache and return its entry */
-SECStatus DPCache_Lookup(CRLDPCache* cache, SECItem* sn,
-                                CERTCrlEntry** returned)
+dpcacheStatus DPCache_Lookup(CRLDPCache* cache, SECItem* sn,
+                         CERTCrlEntry** returned)
 {
+    SECStatus rv;
     if (!cache || !sn || !returned)
     {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         /* no cache or SN to look up, or no way to return entry */
-        return SECFailure;
+        return dpcacheCallerError;
     }
+    *returned = NULL;
     if (0 != cache->invalid)
     {
         /* the cache contains a bad CRL, or there was a CRL fetching error.
            consider all certs revoked as a security measure */
         PORT_SetError(SEC_ERROR_CRL_INVALID);
-        return SECFailure;
+        return dpcacheInvalidCacheError;
     }
     if (!cache->selected)
     {
-        /* no CRL means no entry to return, but this is OK */
-        *returned = NULL;
-        return SECSuccess;
+        /* no CRL means no entry to return. This is OK, except for
+         * NIST policy */
+        return dpcacheEmpty;
+    }
+    rv = CachedCrl_GetEntry(cache->selected, sn, returned);
+    if (SECSuccess != rv)
+    {
+        return dpcacheLookupError;
     }
-    return CachedCrl_GetEntry(cache->selected, sn, returned);
+    else
+    {
+        if (*returned)
+        {
+            return dpcacheFoundEntry;
+        }
+        else
+        {
+            return dpcacheNoEntry;
+        }
+    }
 }
 
 #if defined(DPC_RWLOCK)
 
 #define DPCache_LockWrite() \
 { \
     if (readlocked) \
     { \
@@ -1786,16 +1913,17 @@ static SECStatus DPCache_GetUpToDate(CRL
     SECStatus rv = SECSuccess;
     PRUint32 i = 0;
     PRBool forcedrefresh = PR_FALSE;
     PRBool dirty = PR_FALSE; /* whether something was changed in the
                                 cache state during this update cycle */
     PRBool hastokenCRLs = PR_FALSE;
     PRTime now = 0;
     PRTime lastfetch = 0;
+    PRBool mustunlock = PR_FALSE;
 
     if (!cache)
     {
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return SECFailure;
     }
 
     /* first, make sure we have obtained all the CRLs we need.
@@ -1855,18 +1983,18 @@ static SECStatus DPCache_GetUpToDate(CRL
     if (( PR_TRUE != dirty) && (!now) )
     {
         now = PR_Now();
     }
     if ( (PR_TRUE == dirty) ||
          ( (now - cache->lastcheck > CRLCache_ExistenceCheck_Interval) ||
            (now < cache->lastcheck)) )
     {
-        PRBool mustunlock = PR_FALSE;
         PRTime lastcheck = cache->lastcheck;
+        mustunlock = PR_FALSE;
         /* check if all CRLs still exist */
         for (i = 0; (i < cache->ncrls) ; i++)
         {
             CachedCrl* savcrl = cache->crls[i];
             if ( (!savcrl) || (savcrl && CRL_OriginToken != savcrl->origin))
             {
                 /* we only want to check token CRLs */
                 continue;
@@ -1917,28 +2045,28 @@ static SECStatus DPCache_GetUpToDate(CRL
     /* verify CRLs that couldn't be checked when inserted into the cache
        because the issuer cert or a verification date was unavailable.
        These are CRLs that were inserted into the cache through
        SEC_FindCrlByName, or through manual insertion, rather than through a
        certificate verification (CERT_CheckCRL) */
 
     if (cache->issuer && vfdate )
     {
-        PRBool mustunlock = PR_FALSE;
+	mustunlock = PR_FALSE;
         /* re-process all unverified CRLs */
         for (i = 0; i < cache->ncrls ; i++)
         {
             CachedCrl* savcrl = cache->crls[i];
             if (!savcrl)
             {
                 continue;
             }
             if (PR_TRUE != savcrl->sigChecked)
             {
-                if (PR_TRUE != mustunlock)
+                if (!mustunlock)
                 {
                     DPCache_LockWrite();
                     mustunlock = PR_TRUE;
                 }
                 /* first, we need to check if another thread updated
                    it before we did, and abort if it has been modified since
                    we acquired the lock. Make sure first that the CRL is still
                    in the array at the same position */
@@ -1947,33 +2075,38 @@ static SECStatus DPCache_GetUpToDate(CRL
                 {
                     /* the CRL is still there, unverified. Do it */
                     CachedCrl_Verify(cache, savcrl, vfdate, wincx);
                     dirty = PR_TRUE;
                 }
                 /* stay locked here intentionally so we do all the other
                    updates in this thread for the remaining CRLs */
             }
-            if (PR_TRUE == mustunlock)
+            if (mustunlock && !dirty)
             {
                 DPCache_UnlockWrite();
                 mustunlock = PR_FALSE;
             }
         }
     }
 
     if (dirty || cache->mustchoose)
     {
         /* changes to the content of the CRL cache necessitate examining all
            CRLs for selection of the most appropriate one to cache */
-        DPCache_LockWrite();
+	if (!mustunlock)
+	{
+	    DPCache_LockWrite();
+	    mustunlock = PR_TRUE;
+	}
         DPCache_SelectCRL(cache);
         cache->mustchoose = PR_FALSE;
-        DPCache_UnlockWrite();
     }
+    if (mustunlock)
+	DPCache_UnlockWrite();
 
     return rv;
 }
 
 /* callback for qsort to sort by thisUpdate */
 static int SortCRLsByThisUpdate(const void* arg1, const void* arg2)
 {
     PRTime timea, timeb;
@@ -2138,17 +2271,17 @@ static SECStatus DPCache_SelectCRL(CRLDP
 
     cache->selected = selected;
 
     return SECSuccess;
 }
 
 /* initialize a DPCache object */
 static SECStatus DPCache_Create(CRLDPCache** returned, CERTCertificate* issuer,
-                         SECItem* subject, SECItem* dp)
+                         const SECItem* subject, SECItem* dp)
 {
     CRLDPCache* cache = NULL;
     PORT_Assert(returned);
     /* issuer and dp are allowed to be NULL */
     if (!returned || !subject)
     {
         PORT_Assert(0);
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
@@ -2180,17 +2313,17 @@ static SECStatus DPCache_Create(CRLDPCac
     cache->lastcheck = 0;
     *returned = cache;
     return SECSuccess;
 }
 
 /* create an issuer cache object (per CA subject ) */
 static SECStatus IssuerCache_Create(CRLIssuerCache** returned,
                              CERTCertificate* issuer,
-                             SECItem* subject, SECItem* dp)
+                             const SECItem* subject, const SECItem* dp)
 {
     SECStatus rv = SECSuccess;
     CRLIssuerCache* cache = NULL;
     PORT_Assert(returned);
     PORT_Assert(subject);
     /* issuer and dp are allowed to be NULL */
     if (!returned || !subject)
     {
@@ -2227,17 +2360,18 @@ static SECStatus IssuerCache_Create(CRLI
     }
     *returned = cache;
     return SECSuccess;
 }
 
 /* add a DPCache to the issuer cache */
 static SECStatus IssuerCache_AddDP(CRLIssuerCache* cache,
                                    CERTCertificate* issuer,
-                                   SECItem* subject, SECItem* dp,
+                                   const SECItem* subject,
+                                   const SECItem* dp,
                                    CRLDPCache** newdpc)
 {
     /* now create the required DP cache object */
     if (!cache || !subject || !newdpc)
     {
         PORT_Assert(0);
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return SECFailure;
@@ -2276,17 +2410,18 @@ static SECStatus CRLCache_AddIssuer(CRLI
                                 (void*) issuer))
     {
         return SECFailure;
     }
     return SECSuccess;
 }
 
 /* retrieve the issuer cache object for a given issuer subject */
-static SECStatus CRLCache_GetIssuerCache(CRLCache* cache, SECItem* subject,
+static SECStatus CRLCache_GetIssuerCache(CRLCache* cache,
+                                         const SECItem* subject,
                                          CRLIssuerCache** returned)
 {
     /* we need to look up the issuer in the hash table */
     SECStatus rv = SECSuccess;
     PORT_Assert(cache);
     PORT_Assert(subject);
     PORT_Assert(returned);
     PORT_Assert(crlcache.issuers);
@@ -2346,17 +2481,17 @@ static CERTSignedCrl* GetBestCRL(CRLDPCa
         }
     }
 
     PORT_SetError(SEC_ERROR_CRL_NOT_FOUND);
     return NULL;
 }
 
 /* get a particular DPCache object from an IssuerCache */
-static CRLDPCache* IssuerCache_GetDPCache(CRLIssuerCache* cache, SECItem* dp)
+static CRLDPCache* IssuerCache_GetDPCache(CRLIssuerCache* cache, const SECItem* dp)
 {
     CRLDPCache* dpp = NULL;
     PORT_Assert(cache);
     /* XCRL for now we only support the "default" DP, ie. the
        full CRL. So we can return the global one without locking. In
        the future we will have a lock */
     PORT_Assert(NULL == dp);
     if (!cache || dp)
@@ -2372,18 +2507,18 @@ static CRLDPCache* IssuerCache_GetDPCach
     NSSRWLock_UnlockRead(cache->lock);
 #endif
     return dpp;
 }
 
 /* get a DPCache object for the given issuer subject and dp
    Automatically creates the cache object if it doesn't exist yet.
    */
-SECStatus AcquireDPCache(CERTCertificate* issuer, SECItem* subject,
-                         SECItem* dp, PRTime t, void* wincx,
+SECStatus AcquireDPCache(CERTCertificate* issuer, const SECItem* subject,
+                         const SECItem* dp, PRTime t, void* wincx,
                          CRLDPCache** dpcache, PRBool* writeLocked)
 {
     SECStatus rv = SECSuccess;
     CRLIssuerCache* issuercache = NULL;
 #ifdef GLOBAL_RWLOCK
     PRBool globalwrite = PR_FALSE;
 #endif
     PORT_Assert(crlcache.lock);
@@ -2564,83 +2699,150 @@ void ReleaseDPCache(CRLDPCache* dpcache,
     {
         NSSRWLock_UnlockRead(dpcache->lock);
     }
 #else
     PR_Unlock(dpcache->lock);
 #endif
 }
 
-/* check CRL revocation status of given certificate and issuer */
 SECStatus
-CERT_CheckCRL(CERTCertificate* cert, CERTCertificate* issuer, SECItem* dp,
-              PRTime t, void* wincx)
+cert_CheckCertRevocationStatus(CERTCertificate* cert, CERTCertificate* issuer,
+                               const SECItem* dp, PRTime t, void *wincx,
+                               CERTRevocationStatus *revStatus,
+                               CERTCRLEntryReasonCode *revReason)
 {
     PRBool lockedwrite = PR_FALSE;
     SECStatus rv = SECSuccess;
     CRLDPCache* dpcache = NULL;
+    CERTRevocationStatus status = certRevocationStatusRevoked;
+    CERTCRLEntryReasonCode reason = crlEntryReasonUnspecified;
+    CERTCrlEntry* entry = NULL;
+    dpcacheStatus ds;
+
     if (!cert || !issuer)
     {
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return SECFailure;
     }
 
-    if (SECSuccess != CERT_CheckCertValidTimes(issuer, t, PR_FALSE))
+    if (revStatus)
+    {
+        *revStatus = status;
+    }
+    if (revReason)
+    {
+        *revReason = reason;
+    }
+
+    if (t && SECSuccess != CERT_CheckCertValidTimes(issuer, t, PR_FALSE))
     {
         /* we won't be able to check the CRL's signature if the issuer cert
            is expired as of the time we are verifying. This may cause a valid
            CRL to be cached as bad. short-circuit to avoid this case. */
         PORT_SetError(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE);
         return SECFailure;
     }
 
     rv = AcquireDPCache(issuer, &issuer->derSubject, dp, t, wincx, &dpcache,
                         &lockedwrite);
-    
-    if (SECSuccess == rv)
+    PORT_Assert(SECSuccess == rv);
+    if (SECSuccess != rv)
     {
-        /* now look up the certificate SN in the DP cache's CRL */
-        CERTCrlEntry* entry = NULL;
-        rv = DPCache_Lookup(dpcache, &cert->serialNumber, &entry);
-        if (SECSuccess == rv && entry)
-        {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+    /* now look up the certificate SN in the DP cache's CRL */
+    ds = DPCache_Lookup(dpcache, &cert->serialNumber, &entry);
+    switch (ds)
+    {
+        case dpcacheFoundEntry:
+            PORT_Assert(entry);
             /* check the time if we have one */
             if (entry->revocationDate.data && entry->revocationDate.len)
             {
                 PRTime revocationDate = 0;
                 if (SECSuccess == DER_DecodeTimeChoice(&revocationDate,
                                                &entry->revocationDate))
                 {
                     /* we got a good revocation date, only consider the
                        certificate revoked if the time we are inquiring about
                        is past the revocation date */
                     if (t>=revocationDate)
                     {
                         rv = SECFailure;
                     }
-                } else {
+                    else
+                    {
+                        status = certRevocationStatusValid;
+                    }
+                }
+                else
+                {
                     /* invalid revocation date, consider the certificate
                        permanently revoked */
                     rv = SECFailure;
                 }
-            } else {
+            }
+            else
+            {
                 /* no revocation date, certificate is permanently revoked */
                 rv = SECFailure;
             }
             if (SECFailure == rv)
             {
+                SECStatus rv2 = CERT_FindCRLEntryReasonExten(entry, &reason);
                 PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
             }
-        }
+            break;
+
+        case dpcacheEmpty:
+            /* useful for NIST policy */
+            status = certRevocationStatusUnknown;
+            break;
+
+        case dpcacheNoEntry:
+            status = certRevocationStatusValid;
+            break;
+
+        case dpcacheInvalidCacheError:
+            /* t of zero may have caused the CRL cache to fail to verify
+             * a CRL. treat it as unknown */
+            if (!t)
+            {
+                status = certRevocationStatusUnknown;
+            }
+            break;
+
+        default:
+            /* leave status as revoked */
+            break;
     }
 
     ReleaseDPCache(dpcache, lockedwrite);
+    if (revStatus)
+    {
+        *revStatus = status;
+    }
+    if (revReason)
+    {
+        *revReason = reason;
+    }
     return rv;
 }
 
+/* check CRL revocation status of given certificate and issuer */
+SECStatus
+CERT_CheckCRL(CERTCertificate* cert, CERTCertificate* issuer,
+              const SECItem* dp, PRTime t, void* wincx)
+{
+    return cert_CheckCertRevocationStatus(cert, issuer, dp, t, wincx,
+                                          NULL, NULL);
+}
+
 /* retrieve full CRL object that best matches the cache status */
 CERTSignedCrl *
 SEC_FindCrlByName(CERTCertDBHandle *handle, SECItem *crlKey, int type)
 {
     CERTSignedCrl* acrl = NULL;
     CRLDPCache* dpcache = NULL;
     SECStatus rv = SECSuccess;
     PRBool writeLocked = PR_FALSE;
@@ -2711,16 +2913,18 @@ SECStatus CERT_CacheCRL(CERTCertDBHandle
                                         CRL_DECODE_DONT_COPY_DER |
                                         CRL_DECODE_SKIP_ENTRIES);
 
     if (!newcrl)
     {
         return SECFailure;
     }
 
+    /* XXX check if it has IDP extension. If so, do not proceed and set error */
+
     rv = AcquireDPCache(NULL,
                         &newcrl->crl.derName,
                         NULL, 0, NULL, &cache, &writeLocked);
     if (SECSuccess == rv)
     {
         readlocked = (writeLocked == PR_TRUE? PR_FALSE : PR_TRUE);
     
         rv = CachedCrl_Create(&returned, newcrl, CRL_OriginExplicit);
@@ -2831,16 +3035,245 @@ SECStatus CERT_UncacheCRL(CERTCertDBHand
     }
     if (SECSuccess == rv && PR_TRUE != removed)
     {
         PORT_SetError(SEC_ERROR_CRL_NOT_FOUND);
     }
     return rv;
 }
 
+SECStatus cert_AcquireNamedCRLCache(NamedCRLCache** returned)
+{
+    PORT_Assert(returned);
+    if (!namedCRLCache.lock)
+    {
+        PORT_Assert(0);
+        return SECFailure;
+    }
+    PR_Lock(namedCRLCache.lock);
+    *returned = &namedCRLCache;
+    return SECSuccess;
+}
+
+/* This must be called only while cache is acquired, and the entry is only
+ * valid until cache is released.
+ */
+SECStatus cert_FindCRLByGeneralName(NamedCRLCache* ncc,
+                                    const SECItem* canonicalizedName,
+                                    NamedCRLCacheEntry** retEntry)
+{
+    if (!ncc || !canonicalizedName || !retEntry)
+    {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    *retEntry = (NamedCRLCacheEntry*) PL_HashTableLookup(namedCRLCache.entries,
+                                         (void*) canonicalizedName);
+    return SECSuccess;
+}
+
+SECStatus cert_ReleaseNamedCRLCache(NamedCRLCache* ncc)
+{
+    if (!ncc)
+    {
+        return SECFailure;
+    }
+    if (!ncc->lock)
+    {
+        PORT_Assert(0);
+        return SECFailure;
+    }
+    PR_Unlock(namedCRLCache.lock);
+    return SECSuccess;
+}
+
+/* creates new named cache entry from CRL, and tries to add it to CRL cache */
+static SECStatus addCRLToCache(CERTCertDBHandle* dbhandle, SECItem* crl,
+                                    const SECItem* canonicalizedName,
+                                    NamedCRLCacheEntry** newEntry)
+{
+    SECStatus rv = SECSuccess;
+    NamedCRLCacheEntry* entry = NULL;
+
+    /* create new named entry */
+    if (SECSuccess != NamedCRLCacheEntry_Create(newEntry) || !*newEntry)
+    {
+        /* no need to keep unused CRL around */
+        SECITEM_ZfreeItem(crl, PR_TRUE);
+        return SECFailure;
+    }
+    entry = *newEntry;
+    entry->crl = crl; /* named CRL cache owns DER */
+    entry->lastAttemptTime = PR_Now();
+    entry->canonicalizedName = SECITEM_DupItem(canonicalizedName);
+    if (!entry->canonicalizedName)
+    {
+        rv = NamedCRLCacheEntry_Destroy(entry); /* destroys CRL too */
+        PORT_Assert(SECSuccess == rv);
+        return SECFailure;
+    }
+    /* now, attempt to insert CRL into CRL cache */
+    if (SECSuccess == CERT_CacheCRL(dbhandle, entry->crl))
+    {
+        entry->inCRLCache = PR_TRUE;
+        entry->successfulInsertionTime = entry->lastAttemptTime;
+    }
+    else
+    {
+        switch (PR_GetError())
+        {
+            case SEC_ERROR_CRL_ALREADY_EXISTS:
+                entry->dupe = PR_TRUE;
+                break;
+
+            case SEC_ERROR_BAD_DER:
+                entry->badDER = PR_TRUE;
+                break;
+
+            /* all other reasons */
+            default:
+                entry->unsupported = PR_TRUE;
+                break;
+        }
+        rv = SECFailure;
+        /* no need to keep unused CRL around */
+        SECITEM_ZfreeItem(entry->crl, PR_TRUE);
+    }
+    return rv;
+}
+
+/* take ownership of CRL, and insert it into the named CRL cache
+ * and indexed CRL cache
+ */
+SECStatus cert_CacheCRLByGeneralName(CERTCertDBHandle* dbhandle, SECItem* crl,
+                                     const SECItem* canonicalizedName)
+{
+    NamedCRLCacheEntry* oldEntry, * newEntry = NULL;
+    NamedCRLCache* ncc = NULL;
+    SECStatus rv = SECSuccess, rv2;
+
+    PORT_Assert(namedCRLCache.lock);
+    PORT_Assert(namedCRLCache.entries);
+
+    if (!crl || !canonicalizedName)
+    {
+        PORT_Assert(0);
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    rv = cert_AcquireNamedCRLCache(&ncc);
+    PORT_Assert(SECSuccess == rv);
+    if (SECSuccess != rv)
+    {
+        SECITEM_ZfreeItem(crl, PR_TRUE);
+        return SECFailure;
+    }
+    rv = cert_FindCRLByGeneralName(ncc, canonicalizedName, &oldEntry);
+    PORT_Assert(SECSuccess == rv);
+    if (SECSuccess != rv)
+    {
+        rv = cert_ReleaseNamedCRLCache(ncc);
+        SECITEM_ZfreeItem(crl, PR_TRUE);
+        return SECFailure;
+    }
+    if (SECSuccess == addCRLToCache(dbhandle, crl, canonicalizedName,
+                                    &newEntry) )
+    {
+        if (!oldEntry)
+        {
+            /* add new good entry to the hash table */
+            if (NULL == PL_HashTableAdd(namedCRLCache.entries,
+                                        (void*) newEntry->canonicalizedName,
+                                        (void*) newEntry))
+            {
+                PORT_Assert(0);
+                rv2 = NamedCRLCacheEntry_Destroy(newEntry);
+                PORT_Assert(SECSuccess == rv2);
+                rv = SECFailure;
+            }
+        }
+        else
+        {
+            PRBool removed;
+            /* remove the old CRL from the cache if needed */
+            if (oldEntry->inCRLCache)
+            {
+                rv = CERT_UncacheCRL(dbhandle, oldEntry->crl);
+                PORT_Assert(SECSuccess == rv);
+            }
+            removed = PL_HashTableRemove(namedCRLCache.entries,
+                                      (void*) oldEntry->canonicalizedName);
+            PORT_Assert(removed);
+            if (!removed)
+            {
+                rv = SECFailure;
+                rv2 = NamedCRLCacheEntry_Destroy(oldEntry);
+                PORT_Assert(SECSuccess == rv2);
+            }
+            if (NULL == PL_HashTableAdd(namedCRLCache.entries,
+                                      (void*) newEntry->canonicalizedName,
+                                      (void*) newEntry))
+            {
+                PORT_Assert(0);
+                rv = SECFailure;
+            }
+        }
+    } else
+    {
+        /* error adding new CRL to cache */
+        if (!oldEntry)
+        {
+            /* no old cache entry, use the new one even though it's bad */
+            if (NULL == PL_HashTableAdd(namedCRLCache.entries,
+                                        (void*) newEntry->canonicalizedName,
+                                        (void*) newEntry))
+            {
+                PORT_Assert(0);
+                rv = SECFailure;
+            }
+        }
+        else
+        {
+            if (oldEntry->inCRLCache)
+            {
+                /* previous cache entry was good, keep it and update time */
+                oldEntry-> lastAttemptTime = newEntry->lastAttemptTime;
+                /* throw away new bad entry */
+                rv = NamedCRLCacheEntry_Destroy(newEntry);
+                PORT_Assert(SECSuccess == rv);
+            }
+            else
+            {
+                /* previous cache entry was bad, just replace it */
+                PRBool removed = PL_HashTableRemove(namedCRLCache.entries,
+                                          (void*) oldEntry->canonicalizedName);
+                PORT_Assert(removed);
+                if (!removed)
+                {
+                    rv = SECFailure;
+                    rv2 = NamedCRLCacheEntry_Destroy(oldEntry);
+                    PORT_Assert(SECSuccess == rv2);
+                }
+                if (NULL == PL_HashTableAdd(namedCRLCache.entries,
+                                          (void*) newEntry->canonicalizedName,
+                                          (void*) newEntry))
+                {
+                    PORT_Assert(0);
+                    rv = SECFailure;
+                }
+            }
+        }
+    }
+    rv2 = cert_ReleaseNamedCRLCache(ncc);
+    PORT_Assert(SECSuccess == rv2);
+
+    return rv;
+}
+
 static SECStatus CachedCrl_Create(CachedCrl** returned, CERTSignedCrl* crl,
                                   CRLOrigin origin)
 {
     CachedCrl* newcrl = NULL;
     if (!returned)
     {
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return SECFailure;
--- a/security/nss/lib/certhigh/certvfypkix.c
+++ b/security/nss/lib/certhigh/certvfypkix.c
@@ -125,16 +125,17 @@ CERT_SetUsePKIXForValidation(PRBool enab
  *  Returns PR_TRUE if libpkix should be used. PR_FALSE otherwise.
  */
 PRBool
 CERT_GetUsePKIXForValidation()
 {
     return usePKIXValidationEngine;
 }
 
+#ifdef NOTDEF
 /*
  * FUNCTION: cert_NssKeyUsagesToPkix
  * DESCRIPTION:
  *
  * Converts nss key usage bit field(PRUint32) to pkix key usage
  * bit field.
  *
  * PARAMETERS:
@@ -332,98 +333,80 @@ cert_NssCertificateUsageToPkixKUAndEKU(
 cleanup:
     
     PKIX_DECREF(ekuOid);
     PKIX_DECREF(ekuOidsList);
 
     PKIX_RETURN(CERTVFYPKIX);
 }
 
+#endif
 
 /*
- * FUNCTION: cert_ProcessingParamsSetKuAndEku
+ * FUNCTION: cert_ProcessingParamsSetKeyAndCertUsage
  * DESCRIPTION:
  *
- * Converts cert usage to pkix KU and EKU types and sets
+ * Converts cert usage to pkix KU type and sets
  * converted data into PKIX_ProcessingParams object. It also sets
  * proper cert usage into nsscontext object.
  *
  * PARAMETERS:
  *  "procParams"
  *      Pointer to PKIX_ProcessingParams used during validation.
  *  "requiredCertUsage"
  *      Required certificate usages the certificate and chain is built and
  *      validated for.
  *  "requiredKeyUsage"
  *      Request additional key usages the certificate should be validated for.
- *  "isCA"
- *      Should the cert be verifyed as CA cert for the usages.
  *  "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds.
  *  Returns a Cert Verify Error if the function fails in an unrecoverable way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 static PKIX_Error*
-cert_ProcessingParamsSetKuAndEku(
+cert_ProcessingParamsSetKeyAndCertUsage(
     PKIX_ProcessingParams *procParams,
-    CERTCertificate       *cert,
-    PRBool                 isCA,
     SECCertUsage           requiredCertUsage,
     PRUint32               requiredKeyUsages,
     void                  *plContext)
 {
-    PKIX_List             *extKeyUsage = NULL;
     PKIX_CertSelector     *certSelector = NULL;
     PKIX_ComCertSelParams *certSelParams = NULL;
     PKIX_PL_NssContext    *nssContext = (PKIX_PL_NssContext*)plContext;
-    PKIX_UInt32            keyUsage = 0;
  
-    PKIX_ENTER(CERTVFYPKIX, "cert_ProcessingParamsSetKuAndEku");
+    PKIX_ENTER(CERTVFYPKIX, "cert_ProcessingParamsSetKeyAndCertUsage");
     PKIX_NULLCHECK_TWO(procParams, nssContext);
     
     PKIX_CHECK(
         pkix_pl_NssContext_SetCertUsage(
 	    ((SECCertificateUsage)1) << requiredCertUsage, nssContext),
 	    PKIX_NSSCONTEXTSETCERTUSAGEFAILED);
 
-    PKIX_CHECK(
-        cert_NssCertificateUsageToPkixKUAndEKU(cert, requiredCertUsage,
-                                               requiredKeyUsages, isCA, 
-                                               &extKeyUsage, &keyUsage,
-                                               plContext),
-        PKIX_CANNOTCONVERTCERTUSAGETOPKIXKEYANDEKUSAGES);
-
-    PKIX_CHECK(
-        PKIX_ProcessingParams_GetTargetCertConstraints(procParams,
-                                                       &certSelector, plContext),
-        PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED);
-
-    PKIX_CHECK(
-        PKIX_CertSelector_GetCommonCertSelectorParams(certSelector,
-                                                      &certSelParams, plContext),
-        PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMSFAILED);
-    
-
-    PKIX_CHECK(
-        PKIX_ComCertSelParams_SetKeyUsage(certSelParams, keyUsage,
-                                          plContext),
-        PKIX_COMCERTSELPARAMSSETKEYUSAGEFAILED);
-
-    PKIX_CHECK(
-        PKIX_ComCertSelParams_SetExtendedKeyUsage(certSelParams,
-                                                  extKeyUsage,
-                                                  plContext),
-        PKIX_COMCERTSELPARAMSSETEXTKEYUSAGEFAILED);
-
+    if (requiredKeyUsages) {
+        PKIX_CHECK(
+            PKIX_ProcessingParams_GetTargetCertConstraints(procParams,
+                                                           &certSelector, plContext),
+            PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED);
+        
+        PKIX_CHECK(
+            PKIX_CertSelector_GetCommonCertSelectorParams(certSelector,
+                                                          &certSelParams, plContext),
+            PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMSFAILED);
+        
+        
+        PKIX_CHECK(
+            PKIX_ComCertSelParams_SetKeyUsage(certSelParams, requiredKeyUsages,
+                                              plContext),
+            PKIX_COMCERTSELPARAMSSETKEYUSAGEFAILED);
+    }
 cleanup:
-    PKIX_DECREF(extKeyUsage);
     PKIX_DECREF(certSelector);
     PKIX_DECREF(certSelParams);
 
     PKIX_RETURN(CERTVFYPKIX);
 }
 
 /*
  * Unused parameters: 
@@ -1269,18 +1252,18 @@ do {
                                     PR_FALSE/*use arena*/,
                                     requiredUsage == certUsageStatusResponder,
                                     &procParams, &plContext);
     if (error) {
         goto cleanup;
     }
 
     error =
-        cert_ProcessingParamsSetKuAndEku(procParams, cert, PR_TRUE,
-                                         requiredUsage, 0, plContext);
+        cert_ProcessingParamsSetKeyAndCertUsage(procParams, requiredUsage, 0,
+                                                plContext);
     if (error) {
         goto cleanup;
     }
 
     error = 
         cert_BuildAndValidateChain(procParams, &result, &verifyNode, plContext);
     if (error) {
         goto cleanup;
--- a/security/nss/lib/ckfw/mechanism.c
+++ b/security/nss/lib/ckfw/mechanism.c
@@ -30,17 +30,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: mechanism.c,v $ $Revision: 1.6 $ $Date: 2009/02/09 07:55:52 $";
+static const char CVS_ID[] = "@(#) $RCSfile: mechanism.c,v $ $Revision: 1.7 $ $Date: 2009/04/29 00:25:32 $";
 #endif /* DEBUG */
 
 /*
  * mechanism.c
  *
  * This file implements the NSSCKFWMechanism type and methods.
  */
 
@@ -951,17 +951,17 @@ nssCKFWMechanism_GenerateKeyPair
 )
 {
   NSSCKMDSession *mdSession;
   NSSCKMDObject  *mdPublicKeyObject;
   NSSCKMDObject  *mdPrivateKeyObject;
   NSSArena       *arena;
   CK_RV         error = CKR_OK;
 
-  if (!fwMechanism->mdMechanism->GenerateKey) {
+  if (!fwMechanism->mdMechanism->GenerateKeyPair) {
     return CKR_FUNCTION_FAILED;
   }
 
   arena = nssCKFWToken_GetArena(fwMechanism->fwToken, &error);
   if (!arena) {
     if (CKR_OK == error) {
       error = CKR_GENERAL_ERROR;
     }
--- a/security/nss/lib/jar/config.mk
+++ b/security/nss/lib/jar/config.mk
@@ -40,8 +40,19 @@
 #  are specifed as dependencies within rules.mk.
 #
 
 TARGETS        = $(LIBRARY)
 SHARED_LIBRARY =
 IMPORT_LIBRARY =
 PROGRAM        =
 
+# NSS_X86 means the target is a 32-bits x86 CPU architecture
+# NSS_X64 means the target is a 64-bits x64 CPU architecture
+# NSS_X86_OR_X64 means the target is either x86 or x64
+ifeq (,$(filter-out x386 x86 x86_64,$(CPU_ARCH)))
+        DEFINES += -DNSS_X86_OR_X64
+ifdef USE_64
+        DEFINES += -DNSS_X64
+else
+        DEFINES += -DNSS_X86
+endif
+endif
--- a/security/nss/lib/jar/jar-ds.c
+++ b/security/nss/lib/jar/jar-ds.c
@@ -32,42 +32,37 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #include "jar.h"
 
 /* These are old DS_* routines renamed to ZZ_* */
-
-ZZList *ZZ_NewList()
-  {
-  ZZList *list;
-
-  list = (ZZList *) PORT_ZAlloc (sizeof (ZZList));
-
-  if (list)
-    ZZ_InitList (list);
-
-  return list;
-  }
-
-ZZLink *ZZ_NewLink (JAR_Item *thing)
-  {
-  ZZLink *link;
+ZZList *
+ZZ_NewList(void)
+{
+    ZZList *list = (ZZList *) PORT_ZAlloc (sizeof (ZZList));
+    if (list)
+	ZZ_InitList (list);
+    return list;
+}
 
-  link = (ZZLink *) PORT_ZAlloc (sizeof (ZZLink));
-
-  if (link)
-    link->thing = thing;
- 
-  return link;
-  }
+ZZLink *
+ZZ_NewLink(JAR_Item *thing)
+{
+    ZZLink *link = (ZZLink *) PORT_ZAlloc (sizeof (ZZLink));
+    if (link)
+	link->thing = thing;
+    return link;
+}
 
-void ZZ_DestroyLink (ZZLink *link)
-  {
-  PORT_Free (link);
-  }
+void 
+ZZ_DestroyLink(ZZLink *link)
+{
+    PORT_Free(link);
+}
 
-void ZZ_DestroyList (ZZList *list)
-  {
-  PORT_Free (list);
-  }
+void 
+ZZ_DestroyList (ZZList *list)
+{
+    PORT_Free(list);
+}
--- a/security/nss/lib/jar/jar-ds.h
+++ b/security/nss/lib/jar/jar-ds.h
@@ -39,71 +39,72 @@
 
 /* Typedefs */
 typedef struct ZZLinkStr ZZLink;
 typedef struct ZZListStr ZZList;
 
 /*
 ** Circular linked list. Each link contains a pointer to the object that
 ** is actually in the list.
-*/ 
-struct ZZLinkStr 
-{
+*/
+struct ZZLinkStr {
     ZZLink *next;
     ZZLink *prev;
     JAR_Item *thing;
 };
 
-struct ZZListStr 
-{
+struct ZZListStr {
     ZZLink link;
 };
 
-#define ZZ_InitList(lst)	     \
-{				     \
+#define ZZ_InitList(lst)	 \
+{ \
     (lst)->link.next = &(lst)->link; \
     (lst)->link.prev = &(lst)->link; \
-    (lst)->link.thing = 0;	     \
+    (lst)->link.thing = 0; \
 }
 
-#define ZZ_ListEmpty(lst) \
-    ((lst)->link.next == &(lst)->link)
+#define ZZ_ListEmpty(lst) ((lst)->link.next == &(lst)->link)
 
-#define ZZ_ListHead(lst) \
-    ((lst)->link.next)
+#define ZZ_ListHead(lst) ((lst)->link.next)
 
-#define ZZ_ListTail(lst) \
-    ((lst)->link.prev)
+#define ZZ_ListTail(lst) ((lst)->link.prev)
 
-#define ZZ_ListIterDone(lst,lnk) \
-    ((lnk) == &(lst)->link)
+#define ZZ_ListIterDone(lst,lnk) ((lnk) == &(lst)->link)
 
 #define ZZ_AppendLink(lst,lnk)	    \
-{				    \
-    (lnk)->next = &(lst)->link;	    \
+{ \
+    (lnk)->next = &(lst)->link; \
     (lnk)->prev = (lst)->link.prev; \
     (lst)->link.prev->next = (lnk); \
-    (lst)->link.prev = (lnk);	    \
+    (lst)->link.prev = (lnk); \
 }
 
 #define ZZ_InsertLink(lst,lnk)	    \
-{				    \
+{ \
     (lnk)->next = (lst)->link.next; \
-    (lnk)->prev = &(lst)->link;	    \
+    (lnk)->prev = &(lst)->link; \
     (lst)->link.next->prev = (lnk); \
-    (lst)->link.next = (lnk);	    \
+    (lst)->link.next = (lnk); \
 }
 
-#define ZZ_RemoveLink(lnk)	     \
-{				     \
+#define ZZ_RemoveLink(lnk)	 \
+{ \
     (lnk)->next->prev = (lnk)->prev; \
     (lnk)->prev->next = (lnk)->next; \
-    (lnk)->next = 0;		     \
-    (lnk)->prev = 0;		     \
+    (lnk)->next = 0; \
+    (lnk)->prev = 0; \
 }
 
-extern ZZLink *ZZ_NewLink (JAR_Item *thing);
-extern void ZZ_DestroyLink (ZZLink *link);
-extern ZZList *ZZ_NewList (void);
-extern void ZZ_DestroyList (ZZList *list);
+extern ZZLink *
+ZZ_NewLink(JAR_Item *thing);
+
+extern void 
+ZZ_DestroyLink(ZZLink *link);
+
+extern ZZList *
+ZZ_NewList(void);
+
+extern void 
+ZZ_DestroyList(ZZList *list);
 
 
 #endif /* __JAR_DS_h_ */
--- a/security/nss/lib/jar/jar.c
+++ b/security/nss/lib/jar/jar.c
@@ -40,795 +40,671 @@
  *  Jarnature.
  *  Routines common to signing and validating.
  *
  */
 
 #include "jar.h"
 #include "jarint.h"
 
-static void jar_destroy_list (ZZList *list);
+static void 
+jar_destroy_list (ZZList *list);
 
-static int jar_find_first_cert 
-    (JAR_Signer *signer, int type, JAR_Item **it);
+static int 
+jar_find_first_cert(JAR_Signer *signer, int type, JAR_Item **it);
 
 /*
- *  J A R _ n e w 
+ *  J A R _ n e w
  *
  *  Create a new instantiation of a manifest representation.
  *  Use this as a token to any calls to this API.
  *
  */
-
-JAR *JAR_new (void)
-  {
-  JAR *jar;
-
-  if ((jar = (JAR*)PORT_ZAlloc (sizeof (JAR))) == NULL)
-    goto loser;
-
-  if ((jar->manifest = ZZ_NewList()) == NULL)
-    goto loser;
+JAR *
+JAR_new(void)
+{
+    JAR *jar;
 
-  if ((jar->hashes = ZZ_NewList()) == NULL)
-    goto loser;
-
-  if ((jar->phy = ZZ_NewList()) == NULL)
-    goto loser;
-
-  if ((jar->metainfo = ZZ_NewList()) == NULL)
-    goto loser;
-
-  if ((jar->signers = ZZ_NewList()) == NULL)
-    goto loser;
-
-  return jar;
+    if ((jar = (JAR*)PORT_ZAlloc (sizeof (JAR))) == NULL)
+	goto loser;
+    if ((jar->manifest = ZZ_NewList()) == NULL)
+	goto loser;
+    if ((jar->hashes = ZZ_NewList()) == NULL)
+	goto loser;
+    if ((jar->phy = ZZ_NewList()) == NULL)
+	goto loser;
+    if ((jar->metainfo = ZZ_NewList()) == NULL)
+	goto loser;
+    if ((jar->signers = ZZ_NewList()) == NULL)
+	goto loser;
+    return jar;
 
 loser:
-
-  if (jar)
-    {
-    if (jar->manifest)
-      ZZ_DestroyList (jar->manifest);
-
-    if (jar->hashes)
-      ZZ_DestroyList (jar->hashes);
-
-    if (jar->phy)
-      ZZ_DestroyList (jar->phy);
-
-    if (jar->metainfo)
-      ZZ_DestroyList (jar->metainfo);
+    if (jar) {
+	if (jar->manifest)
+	    ZZ_DestroyList (jar->manifest);
+	if (jar->hashes)
+	    ZZ_DestroyList (jar->hashes);
+	if (jar->phy)
+	    ZZ_DestroyList (jar->phy);
+	if (jar->metainfo)
+	    ZZ_DestroyList (jar->metainfo);
+	if (jar->signers)
+	    ZZ_DestroyList (jar->signers);
+	PORT_Free (jar);
+    }
+    return NULL;
+}
 
-    if (jar->signers)
-      ZZ_DestroyList (jar->signers);
-
-    PORT_Free (jar);
-    }
-
-  return NULL;
-  }
+/*
+ *  J A R _ d e s t r o y
+ */
+void PR_CALLBACK 
+JAR_destroy(JAR *jar)
+{
+    PORT_Assert( jar != NULL );
 
-/* 
- *  J A R _ d e s t r o y
- *
- *  Godzilla.
- *
- */
-
-void PR_CALLBACK JAR_destroy (JAR *jar)
-  {
-  PORT_Assert( jar != NULL );
+    if (jar == NULL)
+	return;
 
-  if (jar == NULL)
-    return;
-
-  if (jar->fp) JAR_FCLOSE ((PRFileDesc*)jar->fp);
-
-  if (jar->url)      PORT_Free (jar->url);
-  if (jar->filename) PORT_Free (jar->filename);
-
-  /* Free the linked list elements */
-
-  jar_destroy_list (jar->manifest);
-  ZZ_DestroyList (jar->manifest);
-
-  jar_destroy_list (jar->hashes);
-  ZZ_DestroyList (jar->hashes);
-
-  jar_destroy_list (jar->phy);
-  ZZ_DestroyList (jar->phy);
+    if (jar->fp) 
+    	JAR_FCLOSE ((PRFileDesc*)jar->fp);
+    if (jar->url)      
+    	PORT_Free (jar->url);
+    if (jar->filename) 
+    	PORT_Free (jar->filename);
 
-  jar_destroy_list (jar->metainfo);
-  ZZ_DestroyList (jar->metainfo);
-
-  jar_destroy_list (jar->signers);
-  ZZ_DestroyList (jar->signers);
-
-  PORT_Free (jar);
-  }
+    /* Free the linked list elements */
+    jar_destroy_list (jar->manifest);
+    ZZ_DestroyList (jar->manifest);
+    jar_destroy_list (jar->hashes);
+    ZZ_DestroyList (jar->hashes);
+    jar_destroy_list (jar->phy);
+    ZZ_DestroyList (jar->phy);
+    jar_destroy_list (jar->metainfo);
+    ZZ_DestroyList (jar->metainfo);
+    jar_destroy_list (jar->signers);
+    ZZ_DestroyList (jar->signers);
+    PORT_Free (jar);
+}
 
-static void jar_destroy_list (ZZList *list)
-  {
-  ZZLink *link, *oldlink;
-
-  JAR_Item *it;
-
-  JAR_Physical *phy;
-  JAR_Digest *dig;
-  JAR_Cert *fing;
-  JAR_Metainfo *met;
-  JAR_Signer *signer;
+static void 
+jar_destroy_list(ZZList *list)
+{
+    ZZLink *link, *oldlink;
+    JAR_Item *it;
+    JAR_Physical *phy;
+    JAR_Digest *dig;
+    JAR_Cert *fing;
+    JAR_Metainfo *met;
+    JAR_Signer *signer;
 
-  if (list && !ZZ_ListEmpty (list))
-    {
-    link = ZZ_ListHead (list);
-
-    while (!ZZ_ListIterDone (list, link))
-      {
-      it = link->thing;
-      if (!it) goto next;
-
-      if (it->pathname) PORT_Free (it->pathname);
- 
-      switch (it->type)
-        {
-        case jarTypeMeta:
+    if (list && !ZZ_ListEmpty (list)) {
+	link = ZZ_ListHead (list);
+	while (!ZZ_ListIterDone (list, link)) {
+	    it = link->thing;
+	    if (!it) 
+	    	goto next;
+	    if (it->pathname) 
+	    	PORT_Free (it->pathname);
 
-          met = (JAR_Metainfo *) it->data;
-          if (met)
-            {
-            if (met->header) PORT_Free (met->header);
-            if (met->info) PORT_Free (met->info);
-            PORT_Free (met);
-            }
-          break;
+	    switch (it->type) {
+	    case jarTypeMeta:
+		met = (JAR_Metainfo *) it->data;
+		if (met) {
+		    if (met->header) 
+		    	PORT_Free (met->header);
+		    if (met->info) 
+		    	PORT_Free (met->info);
+		    PORT_Free (met);
+		}
+		break;
 
-	case jarTypePhy:
-
-          phy = (JAR_Physical *) it->data;
-          if (phy)
-            PORT_Free (phy);
-          break;
-
-        case jarTypeSign:
+	    case jarTypePhy:
+		phy = (JAR_Physical *) it->data;
+		if (phy)
+		    PORT_Free (phy);
+		break;
 
-          fing = (JAR_Cert *) it->data;
-          if (fing)
-            {
-            if (fing->cert)
-              CERT_DestroyCertificate (fing->cert);
-            if (fing->key)
-              PORT_Free (fing->key);
-            PORT_Free (fing);
-            }
-	  break;
+	    case jarTypeSign:
+		fing = (JAR_Cert *) it->data;
+		if (fing) {
+		    if (fing->cert)
+			CERT_DestroyCertificate (fing->cert);
+		    if (fing->key)
+			PORT_Free (fing->key);
+		    PORT_Free (fing);
+		}
+		break;
 
-        case jarTypeSect:
-        case jarTypeMF:
-        case jarTypeSF:
-
-          dig = (JAR_Digest *) it->data;
-          if (dig)
-            {
-            PORT_Free (dig);
-            }
-          break;
-
-        case jarTypeOwner:
+	    case jarTypeSect:
+	    case jarTypeMF:
+	    case jarTypeSF:
+		dig = (JAR_Digest *) it->data;
+		if (dig) {
+		    PORT_Free (dig);
+		}
+		break;
 
-          signer = (JAR_Signer *) it->data;
-
-          if (signer)
-            JAR_destroy_signer (signer);
-
-          break;
-
-        default:
+	    case jarTypeOwner:
+		signer = (JAR_Signer *) it->data;
+		if (signer)
+		    JAR_destroy_signer (signer);
+		break;
 
-          /* PORT_Assert( 1 != 2 ); */
-          break;
-        }
-
-      PORT_Free (it);
-
-    next:
+	    default:
+		/* PORT_Assert( 1 != 2 ); */
+		break;
+	    }
+	    PORT_Free (it);
 
-      oldlink = link;
-      link = link->next;
-
-      ZZ_DestroyLink (oldlink);
-      }
+next:
+	    oldlink = link;
+	    link = link->next;
+	    ZZ_DestroyLink (oldlink);
+	}
     }
-  }
+}
 
 /*
  *  J A R _ g e t _ m e t a i n f o
  *
  *  Retrieve meta information from the manifest file.
  *  It doesn't matter whether it's from .MF or .SF, does it?
  *
  */
 
-int JAR_get_metainfo
-    (JAR *jar, char *name, char *header, void **info, unsigned long *length)
-  {
-  JAR_Item *it;
-
-  ZZLink *link;
-  ZZList *list;
-
-  JAR_Metainfo *met;
+int 
+JAR_get_metainfo(JAR *jar, char *name, char *header, void **info, 
+                 unsigned long *length)
+{
+    JAR_Item *it;
+    ZZLink *link;
+    ZZList *list;
 
-  PORT_Assert( jar != NULL && header != NULL );
+    PORT_Assert( jar != NULL && header != NULL );
 
-  if (jar == NULL || header == NULL)
-    return JAR_ERR_PNF;
+    if (jar == NULL || header == NULL)
+	return JAR_ERR_PNF;
 
-  list = jar->metainfo;
+    list = jar->metainfo;
 
-  if (ZZ_ListEmpty (list))
-    return JAR_ERR_PNF;
+    if (ZZ_ListEmpty (list))
+	return JAR_ERR_PNF;
 
-  for (link = ZZ_ListHead (list); 
-       !ZZ_ListIterDone (list, link); 
-       link = link->next)
-    {
-    it = link->thing;
-    if (it->type == jarTypeMeta)
-      {
-      if ((name && !it->pathname) || (!name && it->pathname))
-        continue;
-
-      if (name && it->pathname && strcmp (it->pathname, name))
-        continue;
+    for (link = ZZ_ListHead (list);
+         !ZZ_ListIterDone (list, link);
+         link = link->next) {
+	it = link->thing;
+	if (it->type == jarTypeMeta) {
+	    JAR_Metainfo *met;
 
-      met = (JAR_Metainfo *) it->data;
-
-      if (!PORT_Strcasecmp (met->header, header))
-        {
-        *info = PORT_Strdup (met->info);
-        *length = PORT_Strlen (met->info);
-        return 0;
-        }
-      }
+	    if ((name && !it->pathname) || (!name && it->pathname))
+		continue;
+	    if (name && it->pathname && strcmp (it->pathname, name))
+		continue;
+	    met = (JAR_Metainfo *) it->data;
+	    if (!PORT_Strcasecmp (met->header, header)) {
+		*info = PORT_Strdup (met->info);
+		*length = PORT_Strlen (met->info);
+		return 0;
+	    }
+	}
     }
-
-  return JAR_ERR_PNF;
-  }
+    return JAR_ERR_PNF;
+}
 
 /*
  *  J A R _ f i n d
  *
  *  Establish the search pattern for use
  *  by JAR_find_next, to traverse the filenames
  *  or certificates in the JAR structure.
  *
  *  See jar.h for a description on how to use.
  *
  */
+JAR_Context *
+JAR_find (JAR *jar, char *pattern, jarType type)
+{
+    JAR_Context *ctx;
 
-JAR_Context *JAR_find (JAR *jar, char *pattern, jarType type)
-  {
-  JAR_Context *ctx;
-
-  PORT_Assert( jar != NULL );
+    PORT_Assert( jar != NULL );
 
-  if (!jar)
-    return NULL;
+    if (!jar)
+	return NULL;
 
-  ctx = (JAR_Context *) PORT_ZAlloc (sizeof (JAR_Context));
-
-  if (ctx == NULL)
-    return NULL;
+    ctx = (JAR_Context *) PORT_ZAlloc (sizeof (JAR_Context));
+    if (ctx == NULL)
+	return NULL;
 
-  ctx->jar = jar;
+    ctx->jar = jar;
+    if (pattern) {
+	if ((ctx->pattern = PORT_Strdup (pattern)) == NULL) {
+	    PORT_Free (ctx);
+	    return NULL;
+	}
+    }
+    ctx->finding = type;
 
-  if (pattern)
-    {
-    if ((ctx->pattern = PORT_Strdup (pattern)) == NULL)
-      {
-      PORT_Free (ctx);
-      return NULL;
-      }
-    }
-
-  ctx->finding = type;
-
-  switch (type)
-    {
-    case jarTypeMF:     ctx->next = ZZ_ListHead (jar->hashes);
-                        break;
+    switch (type) {
+    case jarTypeMF:
+	ctx->next = ZZ_ListHead (jar->hashes);
+	break;
 
     case jarTypeSF:
-    case jarTypeSign:   ctx->next = NULL;
-                        ctx->nextsign = ZZ_ListHead (jar->signers);
-                        break;
+    case jarTypeSign:
+	ctx->next = NULL;
+	ctx->nextsign = ZZ_ListHead (jar->signers);
+	break;
 
-    case jarTypeSect:   ctx->next = ZZ_ListHead (jar->manifest);
-                        break;
+    case jarTypeSect:
+	ctx->next = ZZ_ListHead (jar->manifest);
+	break;
 
-    case jarTypePhy:    ctx->next = ZZ_ListHead (jar->phy);
-                        break;
+    case jarTypePhy:
+	ctx->next = ZZ_ListHead (jar->phy);
+	break;
 
-    case jarTypeOwner:  if (jar->signers)
-                          ctx->next = ZZ_ListHead (jar->signers);
-                        else
-                          ctx->next = NULL;
-                        break;
+    case jarTypeOwner:
+	if (jar->signers)
+	    ctx->next = ZZ_ListHead (jar->signers);
+	else
+	    ctx->next = NULL;
+	break;
 
-    case jarTypeMeta:   ctx->next = ZZ_ListHead (jar->metainfo);
-                        break;
+    case jarTypeMeta:
+	ctx->next = ZZ_ListHead (jar->metainfo);
+	break;
 
-    default:            PORT_Assert( 1 != 2);
-                        break;
+    default:
+	PORT_Assert( 1 != 2);
+	break;
     }
-
-  return ctx;
-  }
+    return ctx;
+}
 
 /*
  *  J A R _ f i n d _ e n d
  *
  *  Destroy the find iterator context.
  *
  */
-
-void JAR_find_end (JAR_Context *ctx)
-  {
-  PORT_Assert( ctx != NULL );
-
-  if (ctx)
-    {
-    if (ctx->pattern) 
-      PORT_Free (ctx->pattern);
-    PORT_Free (ctx);
+void 
+JAR_find_end (JAR_Context *ctx)
+{
+    PORT_Assert( ctx != NULL );
+    if (ctx) {
+	if (ctx->pattern)
+	    PORT_Free (ctx->pattern);
+	PORT_Free (ctx);
     }
-  }
+}
 
 /*
  *  J A R _ f i n d _ n e x t
  *
  *  Return the next item of the given type
  *  from one of the JAR linked lists.
  *
  */
 
 int JAR_find_next (JAR_Context *ctx, JAR_Item **it)
-  {
-  JAR *jar;
-  ZZList *list = NULL;
-
-  int finding;
+{
+    JAR *jar;
+    ZZList *list = NULL;
+    int finding;
+    JAR_Signer *signer = NULL;
 
-  JAR_Signer *signer = NULL;
+    PORT_Assert( ctx != NULL );
+    PORT_Assert( ctx->jar != NULL );
 
-  PORT_Assert( ctx != NULL );
-  PORT_Assert( ctx->jar != NULL );
-
-  jar = ctx->jar;
+    jar = ctx->jar;
 
-  /* Internally, convert jarTypeSign to jarTypeSF, and return
-     the actual attached certificate later */
-
-  finding = (ctx->finding == jarTypeSign) ? jarTypeSF : ctx->finding;
-
-  if (ctx->nextsign)
-    {
-      if (ZZ_ListIterDone (jar->signers, ctx->nextsign))
-       {
-       *it = NULL;
-       return -1;
-       }
-    PORT_Assert (ctx->nextsign->thing != NULL);
-    signer = (JAR_Signer*)ctx->nextsign->thing->data;
+    /* Internally, convert jarTypeSign to jarTypeSF, and return
+       the actual attached certificate later */
+    finding = (ctx->finding == jarTypeSign) ? jarTypeSF : ctx->finding;
+    if (ctx->nextsign) {
+	if (ZZ_ListIterDone (jar->signers, ctx->nextsign)) {
+	    *it = NULL;
+	    return -1;
+	}
+	PORT_Assert (ctx->nextsign->thing != NULL);
+	signer = (JAR_Signer*)ctx->nextsign->thing->data;
     }
 
-
-  /* Find out which linked list to traverse. Then if
-     necessary, advance to the next linked list. */
-
-  while (1)
-    {
-    switch (finding)
-      {
-      case jarTypeSign:    /* not any more */
-                           PORT_Assert( finding != jarTypeSign );
-                           list = signer->certs;
-                           break;
-
-      case jarTypeSect:    list = jar->manifest;
-                           break;
+    /* Find out which linked list to traverse. Then if
+       necessary, advance to the next linked list. */
+    while (1) {
+	switch (finding) {
+	case jarTypeSign:    /* not any more */
+	    PORT_Assert( finding != jarTypeSign );
+	    list = signer->certs;
+	    break;
 
-      case jarTypePhy:     list = jar->phy;
-                           break;
-
-      case jarTypeSF:      /* signer, not jar */
-                           PORT_Assert( signer != NULL );
-                           list = signer->sf;
-                           break;
+	case jarTypeSect:
+	    list = jar->manifest;
+	    break;
 
-      case jarTypeMF:      list = jar->hashes;
-                           break;
-
-      case jarTypeOwner:   list = jar->signers;
-                           break;
-
-      case jarTypeMeta:    list = jar->metainfo;
-                           break;
+	case jarTypePhy:
+	    list = jar->phy;
+	    break;
 
-      default:             PORT_Assert( 1 != 2 );
-                           break;
-      }
-
-    if (list == NULL)
-      {
-      *it = NULL;
-      return -1;
-      }
-
-    /* When looping over lists of lists, advance
-       to the next signer. This is done when multiple
-       signers are possible. */
+	case jarTypeSF:      /* signer, not jar */
+	    PORT_Assert( signer != NULL );
+	    list = signer->sf;
+	    break;
 
-    if (ZZ_ListIterDone (list, ctx->next))
-      {
-      if (ctx->nextsign && jar->signers) 
-        {
-        ctx->nextsign = ctx->nextsign->next;
-        if (!ZZ_ListIterDone (jar->signers, ctx->nextsign)) 
-          {
-          PORT_Assert (ctx->nextsign->thing != NULL);
+	case jarTypeMF:
+	    list = jar->hashes;
+	    break;
 
-          signer = (JAR_Signer*)ctx->nextsign->thing->data;
-          PORT_Assert( signer != NULL );
+	case jarTypeOwner:
+	    list = jar->signers;
+	    break;
 
-          ctx->next = NULL;
-          continue;
-          }
-        }
-      *it = NULL;
-      return -1;
-      }
-
-    /* if the signer changed, still need to fill
-       in the "next" link */
+	case jarTypeMeta:
+	    list = jar->metainfo;
+	    break;
 
-    if (ctx->nextsign && ctx->next == NULL)
-      {
-      switch (finding)
-        {
-        case jarTypeSF:
-
-          ctx->next = ZZ_ListHead (signer->sf);
-          break;
-
-        case jarTypeSign:
-
-          ctx->next = ZZ_ListHead (signer->certs);
-          break;
-        }
-      }
-
-    PORT_Assert( ctx->next != NULL );
+	default:
+	    PORT_Assert( 1 != 2 );
+	    break;
+	}
+	if (list == NULL) {
+	    *it = NULL;
+	    return -1;
+	}
+	/* When looping over lists of lists, advance to the next signer. 
+	   This is done when multiple signers are possible. */
+	if (ZZ_ListIterDone (list, ctx->next)) {
+	    if (ctx->nextsign && jar->signers) {
+		ctx->nextsign = ctx->nextsign->next;
+		if (!ZZ_ListIterDone (jar->signers, ctx->nextsign)) {
+		    PORT_Assert (ctx->nextsign->thing != NULL);
+		    signer = (JAR_Signer*)ctx->nextsign->thing->data;
+		    PORT_Assert( signer != NULL );
+		    ctx->next = NULL;
+		    continue;
+		}
+	    }
+	    *it = NULL;
+	    return -1;
+	}
 
-
-    while (!ZZ_ListIterDone (list, ctx->next))
-      {
-      *it = ctx->next->thing;
-      ctx->next = ctx->next->next;
-
-      if (!*it || (*it)->type != finding)
-        continue;
-
-      if (ctx->pattern && *ctx->pattern)
-        {
-        if (PORT_Strcmp ((*it)->pathname, ctx->pattern))
-          continue;
-        }
-
-      /* We have a valid match. If this is a jarTypeSign
-         return the certificate instead.. */
+	/* if the signer changed, still need to fill in the "next" link */
+	if (ctx->nextsign && ctx->next == NULL) {
+	    switch (finding) {
+	    case jarTypeSF:
+		ctx->next = ZZ_ListHead (signer->sf);
+		break;
 
-      if (ctx->finding == jarTypeSign)
-        {
-        JAR_Item *itt;
+	    case jarTypeSign:
+		ctx->next = ZZ_ListHead (signer->certs);
+		break;
+	    }
+	}
+	PORT_Assert( ctx->next != NULL );
+	while (!ZZ_ListIterDone (list, ctx->next)) {
+	    *it = ctx->next->thing;
+	    ctx->next = ctx->next->next;
+	    if (!*it || (*it)->type != finding)
+		continue;
+	    if (ctx->pattern && *ctx->pattern) {
+		if (PORT_Strcmp ((*it)->pathname, ctx->pattern))
+		    continue;
+	    }
+	    /* We have a valid match. If this is a jarTypeSign
+	       return the certificate instead.. */
+	    if (ctx->finding == jarTypeSign) {
+		JAR_Item *itt;
 
-        /* just the first one for now */
-        if (jar_find_first_cert (signer, jarTypeSign, &itt) >= 0) 
-           {
-           *it = itt;
-           return 0;
-           }
-
-        continue;      
-        }
-
-      return 0;
-      }
-
+		/* just the first one for now */
+		if (jar_find_first_cert (signer, jarTypeSign, &itt) >= 0) {
+		    *it = itt;
+		    return 0;
+		}
+		continue;
+	    }
+	    return 0;
+	}
     } /* end while */
-  }
-
-static int jar_find_first_cert 
-    (JAR_Signer *signer, int type, JAR_Item **it)
-  {
-  ZZLink *link;
-  ZZList *list;
+}
 
-  int status = JAR_ERR_PNF;
-
-  list = signer->certs;
+static int 
+jar_find_first_cert (JAR_Signer *signer, int type, JAR_Item **it)
+{
+    ZZLink *link;
+    ZZList *list = signer->certs;
+    int status = JAR_ERR_PNF;
 
-  *it = NULL;
-
-  if (ZZ_ListEmpty (list))
-    {
-    /* empty list */
-    return JAR_ERR_PNF;
+    *it = NULL;
+    if (ZZ_ListEmpty (list)) {
+	/* empty list */
+	return JAR_ERR_PNF;
     }
 
-  for (link = ZZ_ListHead (list); 
-       !ZZ_ListIterDone (list, link); 
-       link = link->next)
-    {
-    if (link->thing->type == type)
-      {
-      *it = link->thing;
-      status = 0;
-      break;
-      }
+    for (link = ZZ_ListHead (list);
+	 !ZZ_ListIterDone (list, link);
+	 link = link->next) {
+	if (link->thing->type == type) {
+	    *it = link->thing;
+	    status = 0;
+	    break;
+	}
     }
-
-  return status;
-  }
-
-JAR_Signer *JAR_new_signer (void)
-  {
-  JAR_Signer *signer;
-
-  signer = (JAR_Signer *) PORT_ZAlloc (sizeof (JAR_Signer));
+    return status;
+}
 
-  if (signer == NULL)
-    goto loser;
-
-
-  /* certs */
-  signer->certs = ZZ_NewList();
-
-  if (signer->certs == NULL)
-    goto loser;
+JAR_Signer *
+JAR_new_signer (void) 
+{
+    JAR_Signer *signer = (JAR_Signer *) PORT_ZAlloc (sizeof (JAR_Signer));
+    if (signer == NULL)
+	goto loser;
 
-
-  /* sf */
-  signer->sf = ZZ_NewList();
+    /* certs */
+    signer->certs = ZZ_NewList();
+    if (signer->certs == NULL)
+	goto loser;
 
-  if (signer->sf == NULL)
-    goto loser;
-
-
-  return signer;
-
+    /* sf */
+    signer->sf = ZZ_NewList();
+    if (signer->sf == NULL)
+	goto loser;
+    return signer;
 
 loser:
-
-  if (signer)
-    {
-    if (signer->certs) 
-      ZZ_DestroyList (signer->certs);
-
-    if (signer->sf) 
-      ZZ_DestroyList (signer->sf);
-
-    PORT_Free (signer);
+    if (signer) {
+	if (signer->certs)
+	    ZZ_DestroyList (signer->certs);
+	if (signer->sf)
+	    ZZ_DestroyList (signer->sf);
+	PORT_Free (signer);
     }
-
-  return NULL;
-  }
+    return NULL;
+}
 
-void JAR_destroy_signer (JAR_Signer *signer)
-  {
-  if (signer)
-    {
-    if (signer->owner) PORT_Free (signer->owner);
-    if (signer->digest) PORT_Free (signer->digest);
-
-    jar_destroy_list (signer->sf);
-    ZZ_DestroyList (signer->sf);
-
-    jar_destroy_list (signer->certs);
-    ZZ_DestroyList (signer->certs);
-
-    PORT_Free (signer);
+void 
+JAR_destroy_signer(JAR_Signer *signer)
+{
+    if (signer) {
+	if (signer->owner) 
+	    PORT_Free (signer->owner);
+	if (signer->digest) 
+	    PORT_Free (signer->digest);
+	jar_destroy_list (signer->sf);
+	ZZ_DestroyList (signer->sf);
+	jar_destroy_list (signer->certs);
+	ZZ_DestroyList (signer->certs);
+	PORT_Free (signer);
     }
-  }
-
-JAR_Signer *jar_get_signer (JAR *jar, char *basename)
-  {
-  JAR_Item *it;
-  JAR_Context *ctx;
+}
 
-  JAR_Signer *candidate;
-  JAR_Signer *signer = NULL;
-
-  ctx = JAR_find (jar, NULL, jarTypeOwner);
-
-  if (ctx == NULL)
-    return NULL;
+JAR_Signer *
+jar_get_signer(JAR *jar, char *basename)
+{
+    JAR_Item *it;
+    JAR_Context *ctx = JAR_find (jar, NULL, jarTypeOwner);
+    JAR_Signer *candidate;
+    JAR_Signer *signer = NULL;
 
-  while (JAR_find_next (ctx, &it) >= 0)
-    {
-    candidate = (JAR_Signer *) it->data;
-    if (*basename == '*' || !PORT_Strcmp (candidate->owner, basename))
-      {
-      signer = candidate;
-      break;
-      }
+    if (ctx == NULL)
+	return NULL;
+
+    while (JAR_find_next (ctx, &it) >= 0) {
+	candidate = (JAR_Signer *) it->data;
+	if (*basename == '*' || !PORT_Strcmp (candidate->owner, basename)) {
+	    signer = candidate;
+	    break;
+	}
     }
-
-  JAR_find_end (ctx);
-
-  return signer;
-  }
+    JAR_find_end (ctx);
+    return signer;
+}
 
 /*
  *  J A R _ g e t _ f i l e n a m e
  *
  *  Returns the filename associated with
  *  a JAR structure.
  *
  */
-
-char *JAR_get_filename (JAR *jar)
-  {
-  return jar->filename;
-  }
+char *
+JAR_get_filename(JAR *jar)
+{
+    return jar->filename;
+}
 
 /*
  *  J A R _ g e t _ u r l
  *
  *  Returns the URL associated with
  *  a JAR structure. Nobody really uses this now.
  *
  */
-
-char *JAR_get_url (JAR *jar)
-  {
-  return jar->url;
-  }
+char *
+JAR_get_url(JAR *jar)
+{
+    return jar->url;
+}
 
 /*
  *  J A R _ s e t _ c a l l b a c k
  *
- *  Register some manner of callback function for this jar. 
+ *  Register some manner of callback function for this jar.
  *
  */
-
-int JAR_set_callback (int type, JAR *jar, 
-      int (*fn) (int status, JAR *jar, 
-         const char *metafile, char *pathname, char *errortext))
-  {
-  if (type == JAR_CB_SIGNAL)
-    {
-    jar->signal = fn;
-    return 0;
+int 
+JAR_set_callback(int type, JAR *jar, jar_settable_callback_fn *fn)
+{
+    if (type == JAR_CB_SIGNAL) {
+	jar->signal = fn;
+	return 0;
     }
-  else
     return -1;
-  }
+}
 
 /*
  *  Callbacks
  *
  */
 
 /* To return an error string */
 char *(*jar_fn_GetString) (int) = NULL;
 
 /* To return an MWContext for Java */
 void *(*jar_fn_FindSomeContext) (void) = NULL;
 
 /* To fabricate an MWContext for FE_GetPassword */
 void *(*jar_fn_GetInitContext) (void) = NULL;
 
 void
-JAR_init_callbacks
-     ( 
-     char *(*string_cb)(int), 
-     void *(*find_cx)(void), 
-     void *(*init_cx)(void) 
-     )
-  {
-  jar_fn_GetString = string_cb;
-  jar_fn_FindSomeContext = find_cx;
-  jar_fn_GetInitContext = init_cx;
-  }
+JAR_init_callbacks(char *(*string_cb)(int), 
+                   void *(*find_cx)(void),
+                   void *(*init_cx)(void))
+{
+    jar_fn_GetString = string_cb;
+    jar_fn_FindSomeContext = find_cx;
+    jar_fn_GetInitContext = init_cx;
+}
 
 /*
  *  J A R _ g e t _ e r r o r
  *
  *  This is provided to map internal JAR errors to strings for
  *  the Java console. Also, a DLL may call this function if it does
  *  not have access to the XP_GetString function.
  *
  *  These strings aren't UI, since they are Java console only.
  *
  */
-
-char *JAR_get_error (int status)
-  { 
-  char *errstring = NULL;
+char *
+JAR_get_error(int status)
+{
+    char *errstring = NULL;
 
-  switch (status)
-    {
+    switch (status) {
     case JAR_ERR_GENERAL:
-      errstring = "General JAR file error";
-      break;
+	errstring = "General JAR file error";
+	break;
 
     case JAR_ERR_FNF:
-      errstring = "JAR file not found";
-      break;
+	errstring = "JAR file not found";
+	break;
 
     case JAR_ERR_CORRUPT:
-      errstring = "Corrupt JAR file";
-      break;
+	errstring = "Corrupt JAR file";
+	break;
 
     case JAR_ERR_MEMORY:
-      errstring = "Out of memory";
-      break;
+	errstring = "Out of memory";
+	break;
 
     case JAR_ERR_DISK:
-      errstring = "Disk error (perhaps out of space)";
-      break;
+	errstring = "Disk error (perhaps out of space)";
+	break;
 
     case JAR_ERR_ORDER:
-      errstring = "Inconsistent files in META-INF directory";
-      break;
+	errstring = "Inconsistent files in META-INF directory";
+	break;
 
     case JAR_ERR_SIG:
-      errstring = "Invalid digital signature file";
-      break;
+	errstring = "Invalid digital signature file";
+	break;
 
     case JAR_ERR_METADATA:
-      errstring = "JAR metadata failed verification";
-      break;
+	errstring = "JAR metadata failed verification";
+	break;
 
     case JAR_ERR_ENTRY:
-      errstring = "No Manifest entry for this JAR entry";
-      break;
+	errstring = "No Manifest entry for this JAR entry";
+	break;
 
     case JAR_ERR_HASH:
-      errstring = "Invalid Hash of this JAR entry";
-      break;
+	errstring = "Invalid Hash of this JAR entry";
+	break;
 
     case JAR_ERR_PK7:
-      errstring = "Strange PKCS7 or RSA failure";
-      break;
+	errstring = "Strange PKCS7 or RSA failure";
+	break;
 
     case JAR_ERR_PNF:
-      errstring = "Path not found inside JAR file";
-      break;
+	errstring = "Path not found inside JAR file";
+	break;
 
     default:
-      if (jar_fn_GetString)
-        {
-        errstring = jar_fn_GetString (status);
-        }
-      else
-        {
-        /* this is not a normal situation, and would only be
-           called in cases of improper initialization */
-
-        char *err;
-
-        err = (char*)PORT_Alloc (40);
-        if (err)
-          PR_snprintf (err, 39,  "Error %d\n", status);
-        else
-          err = "Error! Bad! Out of memory!";
-
-        return err;
-        }
-      break;
+	if (jar_fn_GetString) {
+	    errstring = jar_fn_GetString (status);
+	} else {
+	    /* this is not a normal situation, and would only be
+	       called in cases of improper initialization */
+	    char *err = (char*)PORT_Alloc (40);
+	    if (err)
+		PR_snprintf (err, 39,  "Error %d\n", status); /* leak me! */
+	    else
+		err = "Error! Bad! Out of memory!";
+	    return err;
+	}
+	break;
     }
-
-  return errstring;
-  }
+    return errstring;
+}
--- a/security/nss/lib/jar/jar.h
+++ b/security/nss/lib/jar/jar.h
@@ -45,303 +45,253 @@
 
 /* security includes */
 #include "cert.h"
 #include "hasht.h"
 
 /* nspr 2.0 includes */
 #include "prio.h"
 
-#ifndef ZHUGEP
-#ifdef XP_WIN16
-#define ZHUGEP __huge
-#else
 #define ZHUGEP
-#endif
-#endif
 
 #include <stdio.h>
 
 /* various types */
 
-typedef enum
-  {
-  jarTypeMF = 2,
-  jarTypeSF = 3,
-  jarTypeMeta = 6,
-  jarTypePhy = 7,
-  jarTypeSign = 10,
-  jarTypeSect = 11,
-  jarTypeOwner = 13
-  }
-jarType;
+typedef enum {
+    jarTypeMF = 2,
+    jarTypeSF = 3,
+    jarTypeMeta = 6,
+    jarTypePhy = 7,
+    jarTypeSign = 10,
+    jarTypeSect = 11,
+    jarTypeOwner = 13
+} jarType;
 
 /* void data in ZZList's contain JAR_Item type */
-
-typedef struct JAR_Item_
-  {
-  char *pathname;        /* relative. inside zip file */
-  jarType type;          /* various types */
-  size_t size;           /* size of data below */
-  void *data;            /* totally opaque */
-  }
-JAR_Item;
-
+typedef struct JAR_Item_ {
+    char *pathname;	   /* relative. inside zip file */
+    jarType type;	   /* various types */
+    size_t size;	   /* size of data below */
+    void *data; 	   /* totally opaque */
+} JAR_Item;
 
 /* hashes */
-
-typedef enum
-  {
-  jarHashNone = 0,
-  jarHashBad = 1,
-  jarHashPresent = 2
-  }
-jarHash;
+typedef enum {
+    jarHashNone = 0,
+    jarHashBad = 1,
+    jarHashPresent = 2
+} jarHash;
 
-typedef struct JAR_Digest_
-  {
-  jarHash md5_status;
-  unsigned char md5 [MD5_LENGTH];
-  jarHash sha1_status;
-  unsigned char sha1 [SHA1_LENGTH];
-  }
-JAR_Digest;
-
+typedef struct JAR_Digest_ {
+    jarHash md5_status;
+    unsigned char md5 [MD5_LENGTH];
+    jarHash sha1_status;
+    unsigned char sha1 [SHA1_LENGTH];
+} JAR_Digest;
 
 /* physical archive formats */
-
-typedef enum
-  {
-  jarArchGuess = 0,
-  jarArchNone = 1,
-  jarArchZip = 2,
-  jarArchTar = 3
-  }
-jarArch;
-
+typedef enum {
+    jarArchGuess = 0,
+    jarArchNone = 1,
+    jarArchZip = 2,
+    jarArchTar = 3
+} jarArch;
 
 #include "jar-ds.h"
 
-/* jar object */
+struct JAR_;
 
-typedef struct JAR_
-  {
-  jarArch format;       /* physical archive format */ 
-  char *url;            /* Where it came from */
-  char *filename;       /* Disk location */
-  FILE *fp;             /* For multiple extractions */    /* JAR_FILE */
+typedef int jar_settable_callback_fn(int status, struct JAR_ *jar, 
+                                     const char *metafile, char *pathname, 
+				     char *errortext);
 
-  /* various linked lists */
+/* jar object */
+typedef struct JAR_ {
+    jarArch format;	  /* physical archive format */
 
-  ZZList *manifest;     /* Digests of MF sections */
-  ZZList *hashes;       /* Digests of actual signed files */
-  ZZList *phy;          /* Physical layout of JAR file */
-  ZZList *metainfo;     /* Global metainfo */
-
-  JAR_Digest *globalmeta;  /* digest of .MF global portion */
+    char *url;		  /* Where it came from */
+    char *filename;	  /* Disk location */
+    FILE *fp;		  /* For multiple extractions */
+    /* JAR_FILE */
 
-  /* Below will change to a linked list to support multiple sigs */
+    /* various linked lists */
+    ZZList *manifest;	  /* Digests of MF sections */
+    ZZList *hashes;	  /* Digests of actual signed files */
+    ZZList *phy;	  /* Physical layout of JAR file */
+    ZZList *metainfo;	  /* Global metainfo */
 
-  int pkcs7;            /* Enforced opaqueness */
-  int valid;            /* PKCS7 signature validated */
-
-  ZZList *signers;      /* the above, per signer */
-
-  /* Window context, very necessary for PKCS11 now */
+    JAR_Digest *globalmeta;  /* digest of .MF global portion */
 
-  void *mw;             /* MWContext window context */
+    /* Below will change to a linked list to support multiple sigs */
+    int pkcs7;		  /* Enforced opaqueness */
+    int valid;		  /* PKCS7 signature validated */
 
-  /* Signal callback function */
+    ZZList *signers;	  /* the above, per signer */
 
-  int (*signal) (int status, struct JAR_ *jar, 
-     const char *metafile, char *pathname, char *errorstring);
-  }
-JAR;
+    /* Window context, very necessary for PKCS11 now */
+    void *mw;		  /* MWContext window context */
 
+    /* Signal callback function */
+    jar_settable_callback_fn *signal;
+} JAR;
 
 /*
  *  Iterator
  *
  *  Context for iterative operations. Certain operations
  *  require iterating multiple linked lists because of
  *  multiple signers. "nextsign" is used for this purpose.
  *
  */
-
-typedef struct JAR_Context_
-  {
-  JAR *jar;             /* Jar we are searching */
-  char *pattern;        /* Regular expression */
-  jarType finding;      /* Type of item to find */
-  ZZLink *next;         /* Next item in find */
-  ZZLink *nextsign;     /* Next signer, sometimes */
-  }
-JAR_Context;
+typedef struct JAR_Context_ {
+    JAR *jar;		  /* Jar we are searching */
+    char *pattern;	  /* Regular expression */
+    jarType finding;	  /* Type of item to find */
+    ZZLink *next;	  /* Next item in find */
+    ZZLink *nextsign;	  /* Next signer, sometimes */
+} JAR_Context;
 
-typedef struct JAR_Signer_
-  {
-  int pkcs7;            /* Enforced opaqueness */
-  int valid;            /* PKCS7 signature validated */
-  char *owner;          /* name of .RSA file */
-  JAR_Digest *digest;   /* of .SF file */
-  ZZList *sf;           /* Linked list of .SF file contents */
-  ZZList *certs;        /* Signing information */
-  }
-JAR_Signer;
-
+typedef struct JAR_Signer_ {
+    int pkcs7;		  /* Enforced opaqueness */
+    int valid;		  /* PKCS7 signature validated */
+    char *owner;	  /* name of .RSA file */
+    JAR_Digest *digest;   /* of .SF file */
+    ZZList *sf; 	  /* Linked list of .SF file contents */
+    ZZList *certs;	  /* Signing information */
+} JAR_Signer;
 
 /* Meta informaton, or "policy", from the manifest file.
    Right now just one tuple per JAR_Item. */
-
-typedef struct JAR_Metainfo_
-  {
-  char *header;
-  char *info;
-  }
-JAR_Metainfo;
+typedef struct JAR_Metainfo_ {
+    char *header;
+    char *info;
+} JAR_Metainfo;
 
 /* This should not be global */
-
-typedef struct JAR_Physical_
-  {
-  unsigned char compression;
-  unsigned long offset;
-  unsigned long length;
-  unsigned long uncompressed_length;
+typedef struct JAR_Physical_ {
+    unsigned char compression;
+    unsigned long offset;
+    unsigned long length;
+    unsigned long uncompressed_length;
 #if defined(XP_UNIX) || defined(XP_BEOS)
-  uint16 mode;
+    uint16 mode;
 #endif
-  }
-JAR_Physical;
+} JAR_Physical;
 
-typedef struct JAR_Cert_
-  {
-  size_t length;
-  void *key;
-  CERTCertificate *cert;
-  }
-JAR_Cert;
+typedef struct JAR_Cert_ {
+    size_t length;
+    void *key;
+    CERTCertificate *cert;
+} JAR_Cert;
 
 
 /* certificate stuff */
-
-typedef enum
-  {
-  jarCertCompany = 1,
-  jarCertCA = 2,
-  jarCertSerial = 3,
-  jarCertExpires = 4,
-  jarCertNickname = 5,
-  jarCertFinger = 6,
-  jarCertJavaHack = 100
-  }
-jarCert;
+typedef enum {
+    jarCertCompany = 1,
+    jarCertCA = 2,
+    jarCertSerial = 3,
+    jarCertExpires = 4,
+    jarCertNickname = 5,
+    jarCertFinger = 6,
+    jarCertJavaHack = 100
+} jarCert;
 
 /* callback types */
-
 #define JAR_CB_SIGNAL	1
 
-
-/* 
+/*
  *  This is the base for the JAR error codes. It will
  *  change when these are incorporated into allxpstr.c,
  *  but right now they won't let me put them there.
  *
  */
+#ifndef SEC_ERR_BASE
+#define SEC_ERR_BASE	    (-0x2000)
+#endif
 
-#ifndef SEC_ERR_BASE
-#define SEC_ERR_BASE		(-0x2000)
-#endif
- 
-#define JAR_BASE		SEC_ERR_BASE + 300
+#define JAR_BASE	SEC_ERR_BASE + 300
 
 /* Jar specific error definitions */
 
-#define JAR_ERR_GENERAL         (JAR_BASE + 1)
+#define JAR_ERR_GENERAL 	(JAR_BASE + 1)
 #define JAR_ERR_FNF		(JAR_BASE + 2)
-#define JAR_ERR_CORRUPT		(JAR_BASE + 3)
-#define JAR_ERR_MEMORY		(JAR_BASE + 4)
-#define JAR_ERR_DISK		(JAR_BASE + 5)
-#define JAR_ERR_ORDER           (JAR_BASE + 6)
+#define JAR_ERR_CORRUPT     	(JAR_BASE + 3)
+#define JAR_ERR_MEMORY	    	(JAR_BASE + 4)
+#define JAR_ERR_DISK	    	(JAR_BASE + 5)
+#define JAR_ERR_ORDER		(JAR_BASE + 6)
 #define JAR_ERR_SIG		(JAR_BASE + 7)
-#define JAR_ERR_METADATA        (JAR_BASE + 8)
-#define JAR_ERR_ENTRY		(JAR_BASE + 9)
-#define JAR_ERR_HASH		(JAR_BASE + 10)
+#define JAR_ERR_METADATA	(JAR_BASE + 8)
+#define JAR_ERR_ENTRY	    	(JAR_BASE + 9)
+#define JAR_ERR_HASH	    	(JAR_BASE + 10)
 #define JAR_ERR_PK7		(JAR_BASE + 11)
 #define JAR_ERR_PNF		(JAR_BASE + 12)
 
-
-/*
- *  Birth and death 
- *
- */
+/* Function declarations */
 
 extern JAR *JAR_new (void);
 
 extern void PR_CALLBACK JAR_destroy (JAR *jar);
 
 extern char *JAR_get_error (int status);
 
-extern int JAR_set_callback (int type, JAR *jar, 
-  int (*fn) (int status, JAR *jar, 
-  const char *metafile, char *pathname, char *errortext));
+extern int JAR_set_callback(int type, JAR *jar, jar_settable_callback_fn *fn);
 
-extern void JAR_init_callbacks
-  ( char *(*string_cb)(int), void *(*find_cx)(void), void *(*init_cx)(void) );
+extern void 
+JAR_init_callbacks(char *(*string_cb)(int), 
+                   void *(*find_cx)(void), 
+		   void *(*init_cx)(void) );
 
 /*
  *  JAR_set_context
  *
  *  PKCS11 may require a password to be entered by the user
  *  before any crypto routines may be called. This will require
  *  a window context if used from inside Mozilla.
  *
- *  Call this routine with your context before calling 
+ *  Call this routine with your context before calling
  *  verifying or signing. If you have no context, call with NULL
  *  and one will be chosen for you.
  *
  */
-
 int JAR_set_context (JAR *jar, void /*MWContext*/ *mw);
 
 /*
  *  Iterative operations
  *
  *  JAR_find sets up for repeated calls with JAR_find_next.
  *  I never liked findfirst and findnext, this is nicer.
  *
  *  Pattern contains a relative pathname to match inside the
  *  archive. It is currently assumed to be "*".
  *
  *  To use:
  *
  *     JAR_Item *item;
  *     JAR_find (jar, "*.class", jarTypeMF);
- *     while (JAR_find_next (jar, &item) >= 0) 
- *       { do stuff }
+ *     while (JAR_find_next (jar, &item) >= 0)
+ *	 { do stuff }
  *
  */
 
-
 /* Replacement functions with an external context */
 
 extern JAR_Context *JAR_find (JAR *jar, char *pattern, jarType type);
 
 extern int JAR_find_next (JAR_Context *ctx, JAR_Item **it);
 
 extern void JAR_find_end (JAR_Context *ctx);
 
-
 /*
  *  Function to parse manifest file:
  *
  *  Many signatures may be attached to a single filename located
  *  inside the zip file. We only support one.
  *
- *  Several manifests may be included in the zip file. 
+ *  Several manifests may be included in the zip file.
  *
  *  You must pass the MANIFEST.MF file before any .SF files.
  *
  *  Right now this returns a big ole list, privately in the jar structure.
  *  If you need to traverse it, use JAR_find if possible.
  *
  *  The path is needed to determine what type of binary signature is
  *  being passed, though it is technically not needed for manifest files.
@@ -350,132 +300,119 @@ extern void JAR_find_end (JAR_Context *c
  *  prior to sending it, and indicate a length of 0. For binary digital
  *  signatures only, indicate the true length of the signature.
  *  (This is legacy behavior.)
  *
  *  You may free the manifest after parsing it.
  *
  */
 
-extern int JAR_parse_manifest 
-    (JAR *jar, char ZHUGEP *raw_manifest, 
-       long length, const char *path, const char *url);
+extern int 
+JAR_parse_manifest(JAR *jar, char *raw_manifest, long length, const char *path,
+                   const char *url);
 
 /*
  *  Verify data (nonstreaming). The signature is actually
  *  checked by JAR_parse_manifest or JAR_pass_archive.
  *
  */
 
-extern JAR_Digest * PR_CALLBACK JAR_calculate_digest 
-    (void ZHUGEP *data, long length);
+extern JAR_Digest * PR_CALLBACK 
+JAR_calculate_digest(void *data, long length);
 
-extern int PR_CALLBACK JAR_verify_digest
-    (JAR *jar, const char *name, JAR_Digest *dig);
+extern int PR_CALLBACK 
+JAR_verify_digest(JAR *jar, const char *name, JAR_Digest *dig);
 
-extern int JAR_digest_file (char *filename, JAR_Digest *dig);
+extern int 
+JAR_digest_file(char *filename, JAR_Digest *dig);
 
 /*
  *  Get attribute from certificate:
  *
  *  Returns any special signed attribute associated with this cert
  *  or signature (passed in "data"). Attributes jarCert*. Most of the time
  *  this will return a zero terminated string.
  *
  */
 
-extern int PR_CALLBACK JAR_cert_attribute
-    (JAR *jar, jarCert attrib, long keylen, void *key, 
-       void **result, unsigned long *length);
+extern int PR_CALLBACK 
+JAR_cert_attribute(JAR *jar, jarCert attrib, long keylen, void *key,
+                   void **result, unsigned long *length);
 
 /*
  *  Meta information
  *
  *  Currently, since this call does not support passing of an owner
  *  (certificate, or physical name of the .sf file), it is restricted to
- *  returning information located in the manifest.mf file. 
+ *  returning information located in the manifest.mf file.
  *
  *  Meta information is a name/value pair inside the archive file. Here,
  *  the name is passed in *header and value returned in **info.
  *
  *  Pass a NULL as the name to retrieve metainfo from the global section.
  *
  *  Data is returned in **info, of size *length. The return value
  *  will indicate if no data was found.
  *
  */
 
-extern int JAR_get_metainfo
-    (JAR *jar, char *name, char *header, void **info, unsigned long *length);
+extern int 
+JAR_get_metainfo(JAR *jar, char *name, char *header, void **info, 
+                 unsigned long *length);
 
 extern char *JAR_get_filename (JAR *jar);
 
 extern char *JAR_get_url (JAR *jar);
 
-/*
- *  Return an HTML mockup of a certificate or signature.
- *
- *  Returns a zero terminated ascii string
- *  in raw HTML format.
- *
- */
-
-extern char *JAR_cert_html
-    (JAR *jar, int style, long keylen, void *key, int *result);
-
 /* save the certificate with this fingerprint in persistent
-   storage, somewhere, for retrieval in a future session when there 
+   storage, somewhere, for retrieval in a future session when there
    is no corresponding JAR structure. */
-
-extern int PR_CALLBACK JAR_stash_cert
-        (JAR *jar, long keylen, void *key);
+extern int PR_CALLBACK 
+JAR_stash_cert(JAR *jar, long keylen, void *key);
 
 /* retrieve a certificate presumably stashed with the above
    function, but may be any certificate. Type is &CERTCertificate */
-
-void *JAR_fetch_cert (long length, void *key);
+CERTCertificate *
+JAR_fetch_cert(long length, void *key);
 
 /*
  *  New functions to handle archives alone
  *    (call JAR_new beforehand)
  *
  *  JAR_pass_archive acts much like parse_manifest. Certificates
- *  are returned in the JAR structure but as opaque data. When calling 
- *  JAR_verified_extract you still need to decide which of these 
- *  certificates to honor. 
+ *  are returned in the JAR structure but as opaque data. When calling
+ *  JAR_verified_extract you still need to decide which of these
+ *  certificates to honor.
  *
- *  Code to examine a JAR structure is in jarbert.c. You can obtain both 
+ *  Code to examine a JAR structure is in jarbert.c. You can obtain both
  *  a list of filenames and certificates from traversing the linked list.
  *
  */
-
-extern int JAR_pass_archive
-    (JAR *jar, jarArch format, char *filename, const char *url);
+extern int 
+JAR_pass_archive(JAR *jar, jarArch format, char *filename, const char *url);
 
 /*
  * Same thing, but don't check signatures
  */
-extern int JAR_pass_archive_unverified
-    (JAR *jar, jarArch format, char *filename, const char *url);
+extern int 
+JAR_pass_archive_unverified(JAR *jar, jarArch format, char *filename, 
+                            const char *url);
 
 /*
  *  Extracts a relative pathname from the archive and places it
- *  in the filename specified. 
- * 
+ *  in the filename specified.
+ *
  *  Call JAR_set_nailed if you want to keep the file descriptors
  *  open between multiple calls to JAR_verify_extract.
  *
  */
-
-extern int JAR_verified_extract
-    (JAR *jar, char *path, char *outpath);
+extern int 
+JAR_verified_extract(JAR *jar, char *path, char *outpath);
 
 /*
  *  JAR_extract does no crypto checking. This can be used if you
  *  need to extract a manifest file or signature, etc.
  *
  */
+extern int 
+JAR_extract(JAR *jar, char *path, char *outpath);
 
-extern int JAR_extract
-    (JAR *jar, char *path, char *outpath);
-
-
-#endif /* __JAR_h_ */ 
+#endif /* __JAR_h_ */
--- a/security/nss/lib/jar/jarfile.c
+++ b/security/nss/lib/jar/jarfile.c
@@ -34,1150 +34,965 @@
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  *  JARFILE
  *
  *  Parsing of a Jar file
  */
-
 #define JAR_SIZE 256
 
 #include "jar.h"
-
 #include "jarint.h"
 #include "jarfile.h"
 
 /* commercial compression */
 #include "jzlib.h"
 
 #if defined(XP_UNIX) || defined(XP_BEOS)
 #include "sys/stat.h"
 #endif
 
 #include "sechash.h"	/* for HASH_GetHashObject() */
 
-/* extracting */
-
-static int jar_guess_jar (char *filename, JAR_FILE fp);
+PR_STATIC_ASSERT(46 == sizeof(struct ZipCentral));
+PR_STATIC_ASSERT(30 == sizeof(struct ZipLocal));
+PR_STATIC_ASSERT(22 == sizeof(struct ZipEnd));
+PR_STATIC_ASSERT(512 == sizeof(union TarEntry));
 
-static int jar_inflate_memory 
-   (unsigned int method, long *length, long expected_out_len, char ZHUGEP **data);
+/* extracting */
+static int 
+jar_guess_jar(const char *filename, JAR_FILE fp);
 
-static int jar_physical_extraction 
-   (JAR_FILE fp, char *outpath, long offset, long length);
+static int 
+jar_inflate_memory(unsigned int method, long *length, long expected_out_len, 
+                   char **data);
+
+static int 
+jar_physical_extraction(JAR_FILE fp, char *outpath, long offset, long length);
 
-static int jar_physical_inflate
-   (JAR_FILE fp, char *outpath, long offset, 
-         long length, unsigned int method);
+static int 
+jar_physical_inflate(JAR_FILE fp, char *outpath, long offset, long length, 
+                     unsigned int method);
+
+static int 
+jar_verify_extract(JAR *jar, char *path, char *physical_path);
 
-static int jar_verify_extract 
-   (JAR *jar, char *path, char *physical_path);
+static JAR_Physical *
+jar_get_physical(JAR *jar, char *pathname);
 
-static JAR_Physical *jar_get_physical (JAR *jar, char *pathname);
+static int 
+jar_extract_manifests(JAR *jar, jarArch format, JAR_FILE fp);
 
-static int jar_extract_manifests (JAR *jar, jarArch format, JAR_FILE fp);
-
-static int jar_extract_mf (JAR *jar, jarArch format, JAR_FILE fp, char *ext);
+static int 
+jar_extract_mf(JAR *jar, jarArch format, JAR_FILE fp, char *ext);
 
 
 /* indexing */
-
-static int jar_gen_index (JAR *jar, jarArch format, JAR_FILE fp);
+static int 
+jar_gen_index(JAR *jar, jarArch format, JAR_FILE fp);
 
-static int jar_listtar (JAR *jar, JAR_FILE fp);
+static int 
+jar_listtar(JAR *jar, JAR_FILE fp);
 
-static int jar_listzip (JAR *jar, JAR_FILE fp);
+static int 
+jar_listzip(JAR *jar, JAR_FILE fp);
 
 
 /* conversions */
+static int 
+dosdate(char *date, const char *s);
 
-static int dosdate (char *date, char *s);
-
-static int dostime (char *time, char *s);
+static int 
+dostime(char *time, const char *s);
 
-static unsigned int xtoint (unsigned char *ii);
+#ifdef NSS_X86_OR_X64
+#define x86ShortToUint32(ii)   ((const PRUint32)*((const PRUint16 *)(ii)))
+#define x86LongToUint32(ii)    (*(const PRUint32 *)(ii))
+#else
+static PRUint32
+x86ShortToUint32(const void *ii);
 
-static unsigned long xtolong (unsigned char *ll);
+static PRUint32
+x86LongToUint32(const void *ll);
+#endif
 
-static long atoo (char *s);
+static long 
+octalToLong(const char *s);
 
 /*
  *  J A R _ p a s s _ a r c h i v e
  *
  *  For use by naive clients. Slam an entire archive file
  *  into this function. We extract manifests, parse, index
  *  the archive file, and do whatever nastiness.
  *
  */
-
-int JAR_pass_archive
-    (JAR *jar, jarArch format, char *filename, const char *url)
-  {
-  JAR_FILE fp;
-  int status = 0;
+int 
+JAR_pass_archive(JAR *jar, jarArch format, char *filename, const char *url)
+{
+    JAR_FILE fp;
+    int status = 0;
 
-  if (filename == NULL)
-    return JAR_ERR_GENERAL;
+    if (filename == NULL)
+	return JAR_ERR_GENERAL;
 
-  if ((fp = JAR_FOPEN (filename, "rb")) != NULL)
-    {
-    if (format == jarArchGuess)
-      format = (jarArch)jar_guess_jar (filename, fp);
+    if ((fp = JAR_FOPEN (filename, "rb")) != NULL) {
+	if (format == jarArchGuess)
+	    format = (jarArch)jar_guess_jar (filename, fp);
 
-    jar->format = format;
-    jar->url = url ? PORT_Strdup (url) : NULL;
-    jar->filename = PORT_Strdup (filename);
+	jar->format = format;
+	jar->url = url ? PORT_Strdup (url) : NULL;
+	jar->filename = PORT_Strdup (filename);
 
-    status = jar_gen_index (jar, format, fp);
-
-    if (status == 0)
-      status = jar_extract_manifests (jar, format, fp);
+	status = jar_gen_index (jar, format, fp);
+	if (status == 0)
+	    status = jar_extract_manifests (jar, format, fp);
 
-    JAR_FCLOSE (fp);
-
-    if (status < 0)
-      return status;
+	JAR_FCLOSE (fp);
+	if (status < 0)
+	    return status;
 
-    /* people were expecting it this way */
-    return jar->valid;
+	/* people were expecting it this way */
+	return jar->valid;
     }
-  else
-    {
     /* file not found */
     return JAR_ERR_FNF;
-    }
-  }
+}
 
 /*
  *  J A R _ p a s s _ a r c h i v e _ u n v e r i f i e d
  *
  * Same as JAR_pass_archive, but doesn't parse signatures.
  *
  */
-int JAR_pass_archive_unverified
-        (JAR *jar, jarArch format, char *filename, const char *url)
+int 
+JAR_pass_archive_unverified(JAR *jar, jarArch format, char *filename, 
+                            const char *url)
 {
-        JAR_FILE fp;
-        int status = 0;
+    JAR_FILE fp;
+    int status = 0;
 
-        if (filename == NULL) {
-                return JAR_ERR_GENERAL;
-        }
+    if (filename == NULL) {
+	return JAR_ERR_GENERAL;
+    }
 
-        if ((fp = JAR_FOPEN (filename, "rb")) != NULL) {
-                if (format == jarArchGuess) {
-                        format = (jarArch)jar_guess_jar (filename, fp);
-                }
-
-                jar->format = format;
-                jar->url = url ? PORT_Strdup (url) : NULL;
-                jar->filename = PORT_Strdup (filename);
+    if ((fp = JAR_FOPEN (filename, "rb")) != NULL) {
+	if (format == jarArchGuess) {
+	    format = (jarArch)jar_guess_jar (filename, fp);
+	}
 
-                status = jar_gen_index (jar, format, fp);
+	jar->format = format;
+	jar->url = url ? PORT_Strdup (url) : NULL;
+	jar->filename = PORT_Strdup (filename);
 
-                if (status == 0) {
-                        status = jar_extract_mf(jar, format, fp, "mf");
-                }
-
-                JAR_FCLOSE (fp);
+	status = jar_gen_index (jar, format, fp);
+	if (status == 0) {
+	    status = jar_extract_mf(jar, format, fp, "mf");
+	}
 
-                if (status < 0) {
-                        return status;
-                }
+	JAR_FCLOSE (fp);
+	if (status < 0) {
+	    return status;
+	}
 
-                /* people were expecting it this way */
-                return jar->valid;
-        } else {
-                /* file not found */
-                return JAR_ERR_FNF;
-        }
+	/* people were expecting it this way */
+	return jar->valid;
+    }
+    /* file not found */
+    return JAR_ERR_FNF;
 }
 
 /*
  *  J A R _ v e r i f i e d _ e x t r a c t
  *
  *  Optimization: keep a file descriptor open
  *  inside the JAR structure, so we don't have to
- *  open the file 25 times to run java. 
+ *  open the file 25 times to run java.
  *
  */
 
-int JAR_verified_extract
-    (JAR *jar, char *path, char *outpath)
-  {
-  int status;
+int 
+JAR_verified_extract(JAR *jar, char *path, char *outpath)
+{
+    int status = JAR_extract (jar, path, outpath);
 
-  status = JAR_extract (jar, path, outpath);
-
-  if (status >= 0)
-    return jar_verify_extract (jar, path, outpath);
-  else
+    if (status >= 0)
+	return jar_verify_extract(jar, path, outpath);
     return status;
-  }
+}
 
-int JAR_extract
-    (JAR *jar, char *path, char *outpath)
-  {
-  int result;
-
-  JAR_Physical *phy;
+int 
+JAR_extract(JAR *jar, char *path, char *outpath)
+{
+    int result;
+    JAR_Physical *phy;
 
-  if (jar->fp == NULL && jar->filename)
-    {
-    jar->fp = (FILE*)JAR_FOPEN (jar->filename, "rb");
+    if (jar->fp == NULL && jar->filename) {
+	jar->fp = (FILE*)JAR_FOPEN (jar->filename, "rb");
     }
-
-  if (jar->fp == NULL)
-    {
-    /* file not found */
-    return JAR_ERR_FNF;
+    if (jar->fp == NULL) {
+	/* file not found */
+	return JAR_ERR_FNF;
     }
 
-  phy = jar_get_physical (jar, path);
-
-  if (phy)
-    {
-    if (phy->compression != 0 && phy->compression != 8)
-      {
-      /* unsupported compression method */
-      result = JAR_ERR_CORRUPT;
-      }
-
-    if (phy->compression == 0)
-      {
-      result = jar_physical_extraction 
-         ((PRFileDesc*)jar->fp, outpath, phy->offset, phy->length);
-      }
-    else
-      {
-      result = jar_physical_inflate 
-         ((PRFileDesc*)jar->fp, outpath, phy->offset, phy->length, 
-            (unsigned int) phy->compression);
-      }
+    phy = jar_get_physical (jar, path);
+    if (phy) {
+	if (phy->compression != 0 && phy->compression != 8) {
+	    /* unsupported compression method */
+	    result = JAR_ERR_CORRUPT;
+	}
+	if (phy->compression == 0) {
+	    result = jar_physical_extraction
+		((PRFileDesc*)jar->fp, outpath, phy->offset, phy->length);
+	} else {
+	    result = jar_physical_inflate((PRFileDesc*)jar->fp, outpath, 
+	                                  phy->offset, phy->length,
+	                                  (unsigned int) phy->compression);
+	}
 
 #if defined(XP_UNIX) || defined(XP_BEOS)
-    if (phy->mode)
-      chmod (outpath, 0400 | (mode_t) phy->mode);
+	if (phy->mode)
+	    chmod (outpath, 0400 | (mode_t) phy->mode);
 #endif
+    } else {
+	/* pathname not found in archive */
+	result = JAR_ERR_PNF;
     }
-  else
-    {
-    /* pathname not found in archive */
-    result = JAR_ERR_PNF;
-    }
+    return result;
+}
 
-  return result;
-  }
-
-/* 
+/*
  *  p h y s i c a l _ e x t r a c t i o n
  *
  *  This needs to be done in chunks of say 32k, instead of
  *  in one bulk calloc. (Necessary under Win16 platform.)
  *  This is done for uncompressed entries only.
  *
  */
 
 #define CHUNK 32768
 
-static int jar_physical_extraction 
-     (JAR_FILE fp, char *outpath, long offset, long length)
-  {
-  JAR_FILE out;
-
-  char *buffer;
-  long at, chunk;
-
-  int status = 0;
-
-  buffer = (char *) PORT_ZAlloc (CHUNK);
+static int 
+jar_physical_extraction(JAR_FILE fp, char *outpath, long offset, long length)
+{
+    JAR_FILE out;
+    char *buffer = (char *)PORT_ZAlloc(CHUNK);
+    int status = 0;
 
-  if (buffer == NULL)
-    return JAR_ERR_MEMORY;
+    if (buffer == NULL)
+	return JAR_ERR_MEMORY;
 
-  if ((out = JAR_FOPEN (outpath, "wb")) != NULL)
-    {
-    at = 0;
-
-    JAR_FSEEK (fp, offset, (PRSeekWhence)0);
-
-    while (at < length)
-      {
-      chunk = (at + CHUNK <= length) ? CHUNK : length - at;
+    if ((out = JAR_FOPEN (outpath, "wb")) != NULL) {
+	long at = 0;
 
-      if (JAR_FREAD (fp, buffer, chunk) != chunk)
-        {
-        status = JAR_ERR_DISK;
-        break;
-        }
-
-      at += chunk;
-
-      if (JAR_FWRITE (out, buffer, chunk) < chunk)
-        {
-        /* most likely a disk full error */
-        status = JAR_ERR_DISK;
-        break;
-        }
-      }
-    JAR_FCLOSE (out);
+	JAR_FSEEK (fp, offset, (PRSeekWhence)0);
+	while (at < length) {
+	    long chunk = (at + CHUNK <= length) ? CHUNK : length - at;
+	    if (JAR_FREAD (fp, buffer, chunk) != chunk) {
+		status = JAR_ERR_DISK;
+		break;
+	    }
+	    at += chunk;
+	    if (JAR_FWRITE (out, buffer, chunk) < chunk) {
+		/* most likely a disk full error */
+		status = JAR_ERR_DISK;
+		break;
+	    }
+	}
+	JAR_FCLOSE (out);
+    } else {
+	/* error opening output file */
+	status = JAR_ERR_DISK;
     }
-  else
-    {
-    /* error opening output file */
-    status = JAR_ERR_DISK;
-    }
-
-  PORT_Free (buffer);
-  return status;
-  }
+    PORT_Free (buffer);
+    return status;
+}
 
 /*
  *  j a r _ p h y s i c a l _ i n f l a t e
  *
  *  Inflate a range of bytes in a file, writing the inflated
  *  result to "outpath". Chunk based.
  *
  */
-
 /* input and output chunks differ, assume 4x compression */
 
 #define ICHUNK 8192
 #define OCHUNK 32768
 
-static int jar_physical_inflate
-     (JAR_FILE fp, char *outpath, long offset, 
-          long length, unsigned int method)
-  {
-  z_stream zs;
-
-  JAR_FILE out;
-
-  long at, chunk;
-  char *inbuf, *outbuf;
+static int 
+jar_physical_inflate(JAR_FILE fp, char *outpath, long offset, long length, 
+                     unsigned int method)
+{
+    char *inbuf, *outbuf;
+    int status = 0;
+    z_stream zs;
+    JAR_FILE out;
 
-  int status = 0;
-
-  unsigned long prev_total, ochunk, tin;
+    /* Raw inflate in zlib 1.1.4 needs an extra dummy byte at the end */
+    if ((inbuf = (char *)PORT_ZAlloc(ICHUNK + 1)) == NULL)
+	return JAR_ERR_MEMORY;
 
-  /* Raw inflate in zlib 1.1.4 needs an extra dummy byte at the end */
-  if ((inbuf = (char *) PORT_ZAlloc (ICHUNK + 1)) == NULL)
-    return JAR_ERR_MEMORY;
-
-  if ((outbuf = (char *) PORT_ZAlloc (OCHUNK)) == NULL)
-    {
-    PORT_Free (inbuf);
-    return JAR_ERR_MEMORY;
+    if ((outbuf = (char *)PORT_ZAlloc(OCHUNK)) == NULL) {
+	PORT_Free (inbuf);
+	return JAR_ERR_MEMORY;
     }
 
-  PORT_Memset (&zs, 0, sizeof (zs));
-  status = inflateInit2 (&zs, -MAX_WBITS);
-
-  if (status != Z_OK)
-    {
-    PORT_Free (inbuf);
-    PORT_Free (outbuf);
-    return JAR_ERR_GENERAL;
+    PORT_Memset (&zs, 0, sizeof (zs));
+    status = inflateInit2 (&zs, -MAX_WBITS);
+    if (status != Z_OK) {
+	PORT_Free (inbuf);
+	PORT_Free (outbuf);
+	return JAR_ERR_GENERAL;
     }
 
-  if ((out = JAR_FOPEN (outpath, "wb")) != NULL)
-    {
-    at = 0;
-
-    JAR_FSEEK (fp, offset, (PRSeekWhence)0);
+    if ((out = JAR_FOPEN (outpath, "wb")) != NULL) {
+	long at = 0;
 
-    while (at < length)
-      {
-      chunk = (at + ICHUNK <= length) ? ICHUNK : length - at;
-
-      if (JAR_FREAD (fp, inbuf, chunk) != chunk)
-        {
-        /* incomplete read */
-        JAR_FCLOSE (out);
-        PORT_Free (inbuf);
-        PORT_Free (outbuf);
-        return JAR_ERR_CORRUPT;
-        }
+	JAR_FSEEK (fp, offset, (PRSeekWhence)0);
+	while (at < length) {
+	    long chunk = (at + ICHUNK <= length) ? ICHUNK : length - at;
+	    unsigned long tin;
 
-      at += chunk;
-
-      if (at == length)
-        {
-        /* add an extra dummy byte at the end */
-        inbuf[chunk++] = 0xDD;
-        }
-
-      zs.next_in = (Bytef *) inbuf;
-      zs.avail_in = chunk;
-      zs.avail_out = OCHUNK;
-
-      tin = zs.total_in;
-
-      while ((zs.total_in - tin < chunk) || (zs.avail_out == 0))
-        {
-        prev_total = zs.total_out;
-
-        zs.next_out = (Bytef *) outbuf;
-        zs.avail_out = OCHUNK;
+	    if (JAR_FREAD (fp, inbuf, chunk) != chunk) {
+		/* incomplete read */
+		JAR_FCLOSE (out);
+		PORT_Free (inbuf);
+		PORT_Free (outbuf);
+		return JAR_ERR_CORRUPT;
+	    }
+	    at += chunk;
+	    if (at == length) {
+		/* add an extra dummy byte at the end */
+		inbuf[chunk++] = 0xDD;
+	    }
+	    zs.next_in = (Bytef *) inbuf;
+	    zs.avail_in = chunk;
+	    zs.avail_out = OCHUNK;
+	    tin = zs.total_in;
+	    while ((zs.total_in - tin < chunk) || (zs.avail_out == 0)) {
+		unsigned long prev_total = zs.total_out;
+		unsigned long ochunk;
 
-        status = inflate (&zs, Z_NO_FLUSH);
-
-        if (status != Z_OK && status != Z_STREAM_END)
-          {
-          /* error during decompression */
-          JAR_FCLOSE (out);
-          PORT_Free (inbuf);
-          PORT_Free (outbuf);
-          return JAR_ERR_CORRUPT;
-          }
-
-	ochunk = zs.total_out - prev_total;
-
-        if (JAR_FWRITE (out, outbuf, ochunk) < ochunk)
-          {
-          /* most likely a disk full error */
-          status = JAR_ERR_DISK;
-          break;
-          }
-
-        if (status == Z_STREAM_END)
-          break;
-        }
-      }
-
-    JAR_FCLOSE (out);
-    status = inflateEnd (&zs);
+		zs.next_out = (Bytef *) outbuf;
+		zs.avail_out = OCHUNK;
+		status = inflate (&zs, Z_NO_FLUSH);
+		if (status != Z_OK && status != Z_STREAM_END) {
+		    /* error during decompression */
+		    JAR_FCLOSE (out);
+		    PORT_Free (inbuf);
+		    PORT_Free (outbuf);
+		    return JAR_ERR_CORRUPT;
+		}
+		ochunk = zs.total_out - prev_total;
+		if (JAR_FWRITE (out, outbuf, ochunk) < ochunk) {
+		    /* most likely a disk full error */
+		    status = JAR_ERR_DISK;
+		    break;
+		}
+		if (status == Z_STREAM_END)
+		    break;
+	    }
+	}
+	JAR_FCLOSE (out);
+	status = inflateEnd (&zs);
+    } else {
+	/* error opening output file */
+	status = JAR_ERR_DISK;
     }
-  else
-    {
-    /* error opening output file */
-    status = JAR_ERR_DISK;
-    }
-
-  PORT_Free (inbuf);
-  PORT_Free (outbuf);
-
-  return status;
-  }
+    PORT_Free (inbuf);
+    PORT_Free (outbuf);
+    return status;
+}
 
 /*
  *  j a r _ i n f l a t e _ m e m o r y
  *
- *  Call zlib to inflate the given memory chunk. It is re-XP_ALLOC'd, 
+ *  Call zlib to inflate the given memory chunk. It is re-XP_ALLOC'd,
  *  and thus appears to operate inplace to the caller.
  *
  */
-
-static int jar_inflate_memory 
-     (unsigned int method, long *length, long expected_out_len, char ZHUGEP **data)
-  {
-  int status;
-  z_stream zs;
-
-  long insz, outsz;
-
-  char *inbuf, *outbuf;
-
-  inbuf =  *data;
-  insz = *length;
+static int 
+jar_inflate_memory(unsigned int method, long *length, long expected_out_len, 
+                   char **data)
+{
+    char *inbuf  = *data;
+    char *outbuf = (char*)PORT_ZAlloc(expected_out_len);
+    long insz    = *length;
+    int status;
+    z_stream zs;
 
-  outsz = expected_out_len;
-  outbuf = (char*)PORT_ZAlloc (outsz);
-
-  if (outbuf == NULL)
-    return JAR_ERR_MEMORY;
-
-  PORT_Memset (&zs, 0, sizeof (zs));
+    if (outbuf == NULL)
+	return JAR_ERR_MEMORY;
 
-  status = inflateInit2 (&zs, -MAX_WBITS);
-
-  if (status < 0)
-    {
-    /* error initializing zlib stream */
-    PORT_Free (outbuf);
-    return JAR_ERR_GENERAL;
+    PORT_Memset(&zs, 0, sizeof zs);
+    status = inflateInit2 (&zs, -MAX_WBITS);
+    if (status < 0) {
+	/* error initializing zlib stream */
+	PORT_Free (outbuf);
+	return JAR_ERR_GENERAL;
     }
 
-  zs.next_in = (Bytef *) inbuf;
-  zs.next_out = (Bytef *) outbuf;
-
-  zs.avail_in = insz;
-  zs.avail_out = outsz;
+    zs.next_in = (Bytef *) inbuf;
+    zs.next_out = (Bytef *) outbuf;
+    zs.avail_in = insz;
+    zs.avail_out = expected_out_len;
 
-  status = inflate (&zs, Z_FINISH);
-
-  if (status != Z_OK && status != Z_STREAM_END)
-    {
-    /* error during deflation */
-    PORT_Free (outbuf);
-    return JAR_ERR_GENERAL; 
+    status = inflate (&zs, Z_FINISH);
+    if (status != Z_OK && status != Z_STREAM_END) {
+	/* error during deflation */
+	PORT_Free (outbuf);
+	return JAR_ERR_GENERAL;
     }
 
-  status = inflateEnd (&zs);
-
-  if (status != Z_OK)
-    {
-    /* error during deflation */
-    PORT_Free (outbuf);
-    return JAR_ERR_GENERAL;
+    status = inflateEnd (&zs);
+    if (status != Z_OK) {
+	/* error during deflation */
+	PORT_Free (outbuf);
+	return JAR_ERR_GENERAL;
     }
-
-  PORT_Free (*data);
-
-  *data = outbuf;
-  *length = zs.total_out;
-
-  return 0;
-  }
+    PORT_Free(*data);
+    *data = outbuf;
+    *length = zs.total_out;
+    return 0;
+}
 
 /*
  *  v e r i f y _ e x t r a c t
  *
  *  Validate signature on the freshly extracted file.
  *
  */
-
-static int jar_verify_extract (JAR *jar, char *path, char *physical_path)
-  {
-  int status;
-  JAR_Digest dig;
+static int 
+jar_verify_extract(JAR *jar, char *path, char *physical_path)
+{
+    int status;
+    JAR_Digest dig;
 
-  PORT_Memset (&dig, 0, sizeof (JAR_Digest));
-  status = JAR_digest_file (physical_path, &dig);
-
-  if (!status)
-    status = JAR_verify_digest (jar, path, &dig);
-
-  return status;
-  }
+    PORT_Memset (&dig, 0, sizeof dig);
+    status = JAR_digest_file (physical_path, &dig);
+    if (!status)
+	status = JAR_verify_digest (jar, path, &dig);
+    return status;
+}
 
 /*
  *  g e t _ p h y s i c a l
  *
  *  Let's get physical.
  *  Obtains the offset and length of this file in the jar file.
  *
  */
-
-static JAR_Physical *jar_get_physical (JAR *jar, char *pathname)
-  {
-  JAR_Item *it;
-
-  JAR_Physical *phy;
+static JAR_Physical *
+jar_get_physical(JAR *jar, char *pathname)
+{
+    ZZLink *link;
+    ZZList *list = jar->phy;
 
-  ZZLink *link;
-  ZZList *list;
-
-  list = jar->phy;
-
-  if (ZZ_ListEmpty (list))
-    return NULL;
+    if (ZZ_ListEmpty (list))
+	return NULL;
 
-  for (link = ZZ_ListHead (list);
-       !ZZ_ListIterDone (list, link);
-       link = link->next)
-    {
-    it = link->thing;
-    if (it->type == jarTypePhy 
-          && it->pathname && !PORT_Strcmp (it->pathname, pathname))
-      {
-      phy = (JAR_Physical *) it->data;
-      return phy;
-      }
+    for (link = ZZ_ListHead (list);
+         !ZZ_ListIterDone (list, link);
+         link = link->next) {
+	JAR_Item *it = link->thing;
+
+	if (it->type == jarTypePhy && 
+	    it->pathname && !PORT_Strcmp (it->pathname, pathname)) {
+	    JAR_Physical *phy = (JAR_Physical *)it->data;
+	    return phy;
+	}
     }
-
-  return NULL;
-  }
+    return NULL;
+}
 
 /*
  *  j a r _ e x t r a c t _ m a n i f e s t s
  *
  *  Extract the manifest files and parse them,
  *  from an open archive file whose contents are known.
  *
  */
+static int 
+jar_extract_manifests(JAR *jar, jarArch format, JAR_FILE fp)
+{
+    int status, signatures;
 
-static int jar_extract_manifests (JAR *jar, jarArch format, JAR_FILE fp)
-  {
-  int status, signatures;
-
-  if (format != jarArchZip && format != jarArchTar)
-    return JAR_ERR_CORRUPT;
+    if (format != jarArchZip && format != jarArchTar)
+	return JAR_ERR_CORRUPT;
 
-  if ((status = jar_extract_mf (jar, format, fp, "mf")) < 0)
-    return status;
-  if (!status) 
-    return JAR_ERR_ORDER;
-  if ((status = jar_extract_mf (jar, format, fp, "sf")) < 0)
-    return status;
-  if (!status) 
-    return JAR_ERR_ORDER;
-  if ((status = jar_extract_mf (jar, format, fp, "rsa")) < 0)
-    return status;
-  signatures = status;
-  if ((status = jar_extract_mf (jar, format, fp, "dsa")) < 0)
-    return status;
-  if (!(signatures += status)) 
-    return JAR_ERR_SIG;
-  return 0;
-  }
+    if ((status = jar_extract_mf (jar, format, fp, "mf")) < 0)
+	return status;
+    if (!status)
+	return JAR_ERR_ORDER;
+    if ((status = jar_extract_mf (jar, format, fp, "sf")) < 0)
+	return status;
+    if (!status)
+	return JAR_ERR_ORDER;
+    if ((status = jar_extract_mf (jar, format, fp, "rsa")) < 0)
+	return status;
+    signatures = status;
+    if ((status = jar_extract_mf (jar, format, fp, "dsa")) < 0)
+	return status;
+    if (!(signatures += status))
+	return JAR_ERR_SIG;
+    return 0;
+}
 
 /*
  *  j a r _ e x t r a c t _ m f
  *
- *  Extracts manifest files based on an extension, which 
- *  should be .MF, .SF, .RSA, etc. Order of the files is now no 
+ *  Extracts manifest files based on an extension, which
+ *  should be .MF, .SF, .RSA, etc. Order of the files is now no
  *  longer important when zipping jar files.
  *
  */
-
-static int jar_extract_mf (JAR *jar, jarArch format, JAR_FILE fp, char *ext)
-  {
-  JAR_Item *it;
-
-  JAR_Physical *phy;
-
-  ZZLink *link;
-  ZZList *list;
+static int 
+jar_extract_mf(JAR *jar, jarArch format, JAR_FILE fp, char *ext)
+{
+    ZZLink *link;
+    ZZList *list = jar->phy;
+    int ret = 0;
 
-  char *fn, *e;
-  char ZHUGEP *manifest;
+    if (ZZ_ListEmpty (list))
+	return JAR_ERR_PNF;
 
-  long length;
-  int status, ret = 0, num;
-
-  list = jar->phy;
-
-  if (ZZ_ListEmpty (list))
-    return JAR_ERR_PNF;
+    for (link = ZZ_ListHead (list);
+         ret >= 0 && !ZZ_ListIterDone (list, link);
+         link = link->next) {
+	JAR_Item *it = link->thing;
 
-  for (link = ZZ_ListHead (list);
-       ret >= 0 && !ZZ_ListIterDone (list, link);
-       link = link->next)
-    {
-    it = link->thing;
-    if (it->type == jarTypePhy 
-          && !PORT_Strncmp (it->pathname, "META-INF", 8))
-      {
-      phy = (JAR_Physical *) it->data;
-
-      if (PORT_Strlen (it->pathname) < 8)
-        continue;
-
-      fn = it->pathname + 8;
-      if (*fn == '/' || *fn == '\\') fn++;
+	if (it->type == jarTypePhy && 
+	    !PORT_Strncmp (it->pathname, "META-INF", 8))
+	{
+	    JAR_Physical *phy = (JAR_Physical *) it->data;
+	    char *fn = it->pathname + 8;
+	    char *e;
+	    char *manifest;
+	    long length;
+	    int num, status;
 
-      if (*fn == 0)
-        {
-        /* just a directory entry */
-        continue;
-        }
+	    if (PORT_Strlen (it->pathname) < 8)
+		continue;
 
-      /* skip to extension */
-      for (e = fn; *e && *e != '.'; e++)
-        /* yip */ ;
+	    if (*fn == '/' || *fn == '\\') 
+	    	fn++;
+	    if (*fn == 0) {
+		/* just a directory entry */
+		continue;
+	    }
 
-      /* and skip dot */
-      if (*e == '.') e++;
-
-      if (PORT_Strcasecmp (ext, e))
-        {
-        /* not the right extension */
-        continue;
-        }
+	    /* skip to extension */
+	    for (e = fn; *e && *e != '.'; e++)
+		/* yip */ ;
 
-      if (phy->length == 0 || phy->length > 0xFFFF)
-        {
-        /* manifest files cannot be zero length or too big! */
-        /* the 0xFFFF limit is per J2SE SDK */
-        return JAR_ERR_CORRUPT;
-        }
-
-      /* Read in the manifest and parse it */
-      /* Raw inflate in zlib 1.1.4 needs an extra dummy byte at the end */
-      manifest = (char ZHUGEP *) PORT_ZAlloc (phy->length + 1);
-      if (manifest)
-        {
-        JAR_FSEEK (fp, phy->offset, (PRSeekWhence)0);
-        num = JAR_FREAD (fp, manifest, phy->length);
+	    /* and skip dot */
+	    if (*e == '.') 
+	    	e++;
+	    if (PORT_Strcasecmp (ext, e)) {
+		/* not the right extension */
+		continue;
+	    }
+	    if (phy->length == 0 || phy->length > 0xFFFF) {
+		/* manifest files cannot be zero length or too big! */
+		/* the 0xFFFF limit is per J2SE SDK */
+		return JAR_ERR_CORRUPT;
+	    }
 
-        if (num != phy->length)
-          {
-          /* corrupt archive file */
-          PORT_Free (manifest);
-          return JAR_ERR_CORRUPT;
-          }
+	    /* Read in the manifest and parse it */
+	    /* Raw inflate in zlib 1.1.4 needs an extra dummy byte at the end */
+	    manifest = (char *)PORT_ZAlloc(phy->length + 1);
+	    if (!manifest) 
+		return JAR_ERR_MEMORY;
 
-        if (phy->compression == 8)
-          {
-          length = phy->length;
-          /* add an extra dummy byte at the end */
-          manifest[length++] = 0xDD;
-
-          status = jar_inflate_memory ((unsigned int) phy->compression, &length,  phy->uncompressed_length, &manifest);
+	    JAR_FSEEK (fp, phy->offset, (PRSeekWhence)0);
+	    num = JAR_FREAD (fp, manifest, phy->length);
+	    if (num != phy->length) {
+		/* corrupt archive file */
+		PORT_Free (manifest);
+		return JAR_ERR_CORRUPT;
+	    }
 
-          if (status < 0)
-            {
-            PORT_Free (manifest);
-            return status;
-            }
-          }
-        else if (phy->compression)
-          {
-          /* unsupported compression method */
-          PORT_Free (manifest);
-          return JAR_ERR_CORRUPT;
-          }
-        else
-          length = phy->length;
-
-        status = JAR_parse_manifest 
-           (jar, manifest, length, it->pathname, "url");
+	    if (phy->compression == 8) {
+		length = phy->length;
+		/* add an extra dummy byte at the end */
+		manifest[length++] = 0xDD;
+		status = jar_inflate_memory((unsigned int)phy->compression, 
+					     &length,  
+					     phy->uncompressed_length, 
+					     &manifest);
+		if (status < 0) {
+		    PORT_Free (manifest);
+		    return status;
+		}
+	    } else if (phy->compression) {
+		/* unsupported compression method */
+		PORT_Free (manifest);
+		return JAR_ERR_CORRUPT;
+	    } else
+		length = phy->length;
 
-        PORT_Free (manifest);
-
-        if (status < 0) 
-	  ret = status;
-	else
-	  ++ret;
-        }
-      else
-        return JAR_ERR_MEMORY;
-      }
-    else if (it->type == jarTypePhy)
-      {
-      /* ordinary file */
-      }
+	    status = JAR_parse_manifest(jar, manifest, length, 
+					it->pathname, "url");
+	    PORT_Free (manifest);
+	    if (status < 0)
+		ret = status;
+	    else
+		++ret;
+	} else if (it->type == jarTypePhy) {
+	    /* ordinary file */
+	}
     }
-
-  return ret;
-  }
+    return ret;
+}
 
 /*
  *  j a r _ g e n _ i n d e x
  *
  *  Generate an index for the various types of
  *  known archive files. Right now .ZIP and .TAR
  *
  */
-
-static int jar_gen_index (JAR *jar, jarArch format, JAR_FILE fp)
-  {
-  int result = JAR_ERR_CORRUPT;
-  JAR_FSEEK (fp, 0, (PRSeekWhence)0);
+static int 
+jar_gen_index(JAR *jar, jarArch format, JAR_FILE fp)
+{
+    int result = JAR_ERR_CORRUPT;
 
-  switch (format)
-    {
+    JAR_FSEEK (fp, 0, (PRSeekWhence)0);
+    switch (format) {
     case jarArchZip:
-      result = jar_listzip (jar, fp);
-      break;
+	result = jar_listzip (jar, fp);
+	break;
 
     case jarArchTar:
-      result = jar_listtar (jar, fp);
-      break;
+	result = jar_listtar (jar, fp);
+	break;
 
     case jarArchGuess:
     case jarArchNone:
-      return JAR_ERR_GENERAL;
+	return JAR_ERR_GENERAL;
     }
-
-  JAR_FSEEK (fp, 0, (PRSeekWhence)0);
-  return result;
-  }
-
+    JAR_FSEEK (fp, 0, (PRSeekWhence)0);
+    return result;
+}
 
 /*
  *  j a r _ l i s t z i p
  *
- *  List the physical contents of a Phil Katz 
+ *  List the physical contents of a Phil Katz
  *  style .ZIP file into the JAR linked list.
  *
  */
-
-static int jar_listzip (JAR *jar, JAR_FILE fp)
-  {
-  int err = 0;
-
-  long pos = 0L;
-  char filename [JAR_SIZE];
-
-  char date [9], time [9];
-  char sig [4];
-
-  unsigned int compression;
-  unsigned int filename_len, extra_len;
+static int 
+jar_listzip(JAR *jar, JAR_FILE fp)
+{
+    ZZLink  *ent;
+    JAR_Item *it;
+    JAR_Physical *phy;
+    struct ZipLocal *Local     = PORT_ZNew(struct ZipLocal);
+    struct ZipCentral *Central = PORT_ZNew(struct ZipCentral);
+    struct ZipEnd *End         = PORT_ZNew(struct ZipEnd);
 
-  struct ZipLocal *Local;
-  struct ZipCentral *Central;
-  struct ZipEnd *End;
-
-  /* phy things */
-
-  ZZLink  *ent;
-  JAR_Item *it;
-  JAR_Physical *phy;
+    int err = 0;
+    long pos = 0L;
+    unsigned int compression;
+    unsigned int filename_len, extra_len;
 
-  Local = (struct ZipLocal *) PORT_ZAlloc (30);
-  Central = (struct ZipCentral *) PORT_ZAlloc (46);
-  End = (struct ZipEnd *) PORT_ZAlloc (22);
+    char filename[JAR_SIZE];
+    char date[9], time[9];
+    char sig[4];
 
-  if (!Local || !Central || !End)
-    {
-    /* out of memory */
-    err = JAR_ERR_MEMORY;
-    goto loser;
+    if (!Local || !Central || !End) {
+	/* out of memory */
+	err = JAR_ERR_MEMORY;
+	goto loser;
     }
 
-  while (1)
-    {
-    JAR_FSEEK (fp, pos, (PRSeekWhence)0);
+    while (1) {
+	PRUint32 sigVal;
+	JAR_FSEEK (fp, pos, (PRSeekWhence)0);
 
-    if (JAR_FREAD (fp, (char *) sig, 4) != 4)
-      {
-      /* zip file ends prematurely */
-      err = JAR_ERR_CORRUPT;
-      goto loser;
-      }
+	if (JAR_FREAD(fp, sig, sizeof sig) != sizeof sig) {
+	    /* zip file ends prematurely */
+	    err = JAR_ERR_CORRUPT;
+	    goto loser;
+	}
 
-    JAR_FSEEK (fp, pos, (PRSeekWhence)0);
-
-    if (xtolong ((unsigned char *)sig) == LSIG)
-      {
-      JAR_FREAD (fp, (char *) Local, 30);
-
-      filename_len = xtoint ((unsigned char *) Local->filename_len);
-      extra_len = xtoint ((unsigned char *) Local->extrafield_len);
+	JAR_FSEEK (fp, pos, (PRSeekWhence)0);
+	sigVal = x86LongToUint32(sig);
+	if (sigVal == LSIG) {
+	    JAR_FREAD (fp, Local, sizeof *Local);
 
-      if (filename_len >= JAR_SIZE)
-        {
-        /* corrupt zip file */
-        err = JAR_ERR_CORRUPT;
-        goto loser;
-        }
+	    filename_len = x86ShortToUint32(Local->filename_len);
+	    extra_len    = x86ShortToUint32(Local->extrafield_len);
+	    if (filename_len >= JAR_SIZE) {
+		/* corrupt zip file */
+		err = JAR_ERR_CORRUPT;
+		goto loser;
+	    }
 
-      if (JAR_FREAD (fp, filename, filename_len) != filename_len)
-        {
-        /* truncated archive file */
-        err = JAR_ERR_CORRUPT;
-        goto loser;
-        }
-
-      filename [filename_len] = 0;
-
-      /* Add this to our jar chain */
-
-      phy = (JAR_Physical *) PORT_ZAlloc (sizeof (JAR_Physical));
-
-      if (phy == NULL)
-        {
-        err = JAR_ERR_MEMORY;
-        goto loser;
-        }
+	    if (JAR_FREAD (fp, filename, filename_len) != filename_len) {
+		/* truncated archive file */
+		err = JAR_ERR_CORRUPT;
+		goto loser;
+	    }
+	    filename [filename_len] = 0;
+	    /* Add this to our jar chain */
+	    phy = PORT_ZNew(JAR_Physical);
+	    if (phy == NULL) {
+		err = JAR_ERR_MEMORY;
+		goto loser;
+	    }
 
-      /* We will index any file that comes our way, but when it comes
-         to actually extraction, compression must be 0 or 8 */
-
-      compression = xtoint ((unsigned char *) Local->method);
-      phy->compression = compression >= 0 && 
-              compression <= 255 ? compression : 222;
-
-      phy->offset = pos + 30 + filename_len + extra_len;
-      phy->length = xtolong ((unsigned char *) Local->size);
-      phy->uncompressed_length = xtolong((unsigned char *) Local->orglen);
+	    /* We will index any file that comes our way, but when it comes
+	       to actually extraction, compression must be 0 or 8 */
+	    compression = x86ShortToUint32(Local->method);
+	    phy->compression = 
+	    	(compression >= 0 && compression <= 255) ? compression : 222;
+		/* XXX 222 is bad magic. */
 
-      dosdate (date, Local->date);
-      dostime (time, Local->time);
+	    phy->offset = pos + (sizeof *Local) + filename_len + extra_len;
+	    phy->length = x86LongToUint32(Local->size);
+	    phy->uncompressed_length = x86LongToUint32(Local->orglen);
 
-      it = (JAR_Item*)PORT_ZAlloc (sizeof (JAR_Item));
-      if (it == NULL)
-        {
-        err = JAR_ERR_MEMORY;
-        goto loser;
-        }
+	    dosdate (date, Local->date);
+	    dostime (time, Local->time);
 
-      it->pathname = PORT_Strdup (filename);
+	    it = PORT_ZNew(JAR_Item);
+	    if (it == NULL) {
+		err = JAR_ERR_MEMORY;
+		goto loser;
+	    }
 
-      it->type = jarTypePhy;
-
-      it->data = (unsigned char *) phy;
-      it->size = sizeof (JAR_Physical);
-
-      ent = ZZ_NewLink (it);
-
-      if (ent == NULL)
-        {
-        err = JAR_ERR_MEMORY;
-        goto loser;
-        }
+	    it->pathname = PORT_Strdup(filename);
+	    it->type = jarTypePhy;
+	    it->data = (unsigned char *) phy;
+	    it->size = sizeof (JAR_Physical);
 
-      ZZ_AppendLink (jar->phy, ent);
- 
-      pos = phy->offset + phy->length;
-      }
-    else if (xtolong ( (unsigned char *)sig) == CSIG)
-      {
-      if (JAR_FREAD (fp, (char *) Central, 46) != 46)
-        {
-        /* apparently truncated archive */
-        err = JAR_ERR_CORRUPT;
-        goto loser;
-        }
+	    ent = ZZ_NewLink (it);
+	    if (ent == NULL) {
+		err = JAR_ERR_MEMORY;
+		goto loser;
+	    }
+
+	    ZZ_AppendLink (jar->phy, ent);
+	    pos = phy->offset + phy->length;
+	} else if (sigVal == CSIG) {
+	    unsigned int attr = 0;
+	    if (JAR_FREAD(fp, Central, sizeof *Central) != sizeof *Central) {
+		/* apparently truncated archive */
+		err = JAR_ERR_CORRUPT;
+		goto loser;
+	    }
 
 #if defined(XP_UNIX) || defined(XP_BEOS)
-      /* with unix we need to locate any bits from 
-         the protection mask in the external attributes. */
-        {
-        unsigned int attr;
-
-        /* determined empirically */
-        attr = Central->external_attributes [2];
-
-        if (attr)
-          {
-          /* we have to read the filename, again */
-
-          filename_len = xtoint ((unsigned char *) Central->filename_len);
+	    /* with unix we need to locate any bits from
+	       the protection mask in the external attributes. */
+	    attr = Central->external_attributes [2]; /* magic */
+	    if (attr) {
+		/* we have to read the filename, again */
+		filename_len = x86ShortToUint32(Central->filename_len);
+		if (filename_len >= JAR_SIZE) {
+		    /* corrupt in central directory */
+		    err = JAR_ERR_CORRUPT;
+		    goto loser;
+		}
 
-          if (filename_len >= JAR_SIZE)
-            {
-            /* corrupt in central directory */
-            err = JAR_ERR_CORRUPT;
-            goto loser;
-            }
-
-          if (JAR_FREAD (fp, filename, filename_len) != filename_len)
-            {
-            /* truncated in central directory */
-            err = JAR_ERR_CORRUPT;
-            goto loser;
-            }
-
-          filename [filename_len] = 0;
+		if (JAR_FREAD(fp, filename, filename_len) != filename_len) {
+		    /* truncated in central directory */
+		    err = JAR_ERR_CORRUPT;
+		    goto loser;
+		}
+		filename [filename_len] = 0;
 
-          /* look up this name again */
-          phy = jar_get_physical (jar, filename);
-
-          if (phy)
-            {
-            /* always allow access by self */
-            phy->mode = 0400 | attr;
-            }
-          }
-        }
+		/* look up this name again */
+		phy = jar_get_physical (jar, filename);
+		if (phy) {
+		    /* always allow access by self */
+		    phy->mode = 0400 | attr;
+		}
+	    }
 #endif
-
-      pos += 46 + xtoint ( (unsigned char *)Central->filename_len)
-                + xtoint ( (unsigned char *)Central->commentfield_len)
-                + xtoint ( (unsigned char *)Central->extrafield_len);
-      }
-    else if (xtolong ( (unsigned char *)sig) == ESIG)
-      {
-      if (JAR_FREAD (fp, (char *) End, 22) != 22)
-        {
-        err = JAR_ERR_CORRUPT;
-        goto loser;
-        }
-      else
-        break;
-      }
-    else
-      {
-      /* garbage in archive */
-      err = JAR_ERR_CORRUPT;
-      goto loser;
-      }
+	    pos += sizeof(struct ZipCentral) 
+	         + x86ShortToUint32(Central->filename_len)
+		 + x86ShortToUint32(Central->commentfield_len)
+		 + x86ShortToUint32(Central->extrafield_len);
+	} else if (sigVal == ESIG) {
+	    if (JAR_FREAD(fp, End, sizeof *End) != sizeof *End) {
+		err = JAR_ERR_CORRUPT;
+		goto loser;
+	    }
+	    break;
+	} else {
+	    /* garbage in archive */
+	    err = JAR_ERR_CORRUPT;
+	    goto loser;
+	}
     }
 
 loser:
-
-  if (Local) PORT_Free (Local);
-  if (Central) PORT_Free (Central);
-  if (End) PORT_Free (End);
-
-  return err;
-  }
+    if (Local) 
+    	PORT_Free(Local);
+    if (Central) 
+    	PORT_Free(Central);
+    if (End) 
+    	PORT_Free(End);
+    return err;
+}
 
 /*
  *  j a r _ l i s t t a r
  *
- *  List the physical contents of a Unix 
+ *  List the physical contents of a Unix
  *  .tar file into the JAR linked list.
  *
  */
-
-static int jar_listtar (JAR *jar, JAR_FILE fp)
-  {
-  long pos = 0L;
-
-  long sz, mode;
-  time_t when;
-  union TarEntry tarball;
-
-  char *s;
-
-  /* phy things */
+static int 
+jar_listtar(JAR *jar, JAR_FILE fp)
+{
+    char *s;
+    JAR_Physical *phy;
+    long pos = 0L;
+    long sz, mode;
+    time_t when;
+    union TarEntry tarball;
 
-  JAR_Physical *phy;
-
-  while (1)
-    {
-    JAR_FSEEK (fp, pos, (PRSeekWhence)0);
+    while (1) {
+	JAR_FSEEK (fp, pos, (PRSeekWhence)0);
 
-    if (JAR_FREAD (fp, (char *) &tarball, 512) < 512)
-      break;
+	if (JAR_FREAD (fp, &tarball, sizeof tarball) < sizeof tarball)
+	    break;
 
-    if (!*tarball.val.filename)
-      break;
-
-    when = atoo (tarball.val.time);
-    sz = atoo (tarball.val.size);
-    mode = atoo (tarball.val.mode);
+	if (!*tarball.val.filename)
+	    break;
 
-
-    /* Tag the end of filename */
-
-    s = tarball.val.filename;
-    while (*s && *s != ' ') s++;
-    *s = 0;
+	when = octalToLong (tarball.val.time);
+	sz   = octalToLong (tarball.val.size);
+	mode = octalToLong (tarball.val.mode);
 
-
-    /* Add to our linked list */
-
-    phy = (JAR_Physical *) PORT_ZAlloc (sizeof (JAR_Physical));
-
-    if (phy == NULL)
-      return JAR_ERR_MEMORY;
+	/* Tag the end of filename */
+	s = tarball.val.filename;
+	while (*s && *s != ' ') 
+	    s++;
+	*s = 0;
 
-    phy->compression = 0;
-    phy->offset = pos + 512;
-    phy->length = sz;
-
-    ADDITEM (jar->phy, jarTypePhy, 
-       tarball.val.filename, phy, sizeof (JAR_Physical));
+	/* Add to our linked list */
+	phy = PORT_ZNew(JAR_Physical);
+	if (phy == NULL)
+	    return JAR_ERR_MEMORY;
 
-
-    /* Advance to next file entry */
+	phy->compression = 0;
+	phy->offset = pos + sizeof tarball;
+	phy->length = sz;
 
-    sz += 511;
-    sz = (sz / 512) * 512;
+	ADDITEM(jar->phy, jarTypePhy, tarball.val.filename, phy, 
+	        sizeof *phy);
 
-    pos += sz + 512;
+	/* Advance to next file entry */
+	sz = PR_ROUNDUP(sz,sizeof tarball);
+	pos += sz + sizeof tarball;
     }
 
-  return 0;
-  }
+    return 0;
+}
 
 /*
  *  d o s d a t e
  *
  *  Not used right now, but keep it in here because
- *  it will be needed. 
+ *  it will be needed.
  *
  */
-
-static int dosdate (char *date, char *s)
-  {
-  int num = xtoint ( (unsigned char *)s);
+static int 
+dosdate(char *date, const char *s)
+{
+    PRUint32 num = x86ShortToUint32(s);
 
-  PR_snprintf (date, 9, "%02d-%02d-%02d",
-     ((num >> 5) & 0x0F), (num & 0x1F), ((num >> 9) + 80));
-
-  return 0;
-  }
+    PR_snprintf(date, 9, "%02d-%02d-%02d", ((num >> 5) & 0x0F), (num & 0x1F), 
+                                           ((num >> 9) + 80));
+    return 0;
+}
 
 /*
  *  d o s t i m e
  *
  *  Not used right now, but keep it in here because
- *  it will be needed. 
- *
- */
-
-static int dostime (char *time, char *s)
-  {
-  int num = xtoint ( (unsigned char *)s);
-
-  PR_snprintf (time, 6, "%02d:%02d",
-     ((num >> 11) & 0x1F), ((num >> 5) & 0x3F));
-
-  return 0;
-  }
-
-/*
- *  x t o i n t
- *
- *  Converts a two byte ugly endianed integer
- *  to our platform's integer.
+ *  it will be needed.
  *
  */
+static int 
+dostime (char *time, const char *s)
+{
+    PRUint32 num = x86ShortToUint32(s);
 
-static unsigned int xtoint (unsigned char *ii)
-  {
-  return (int) (ii [0]) | ((int) ii [1] << 8);
-  }
+    PR_snprintf (time, 6, "%02d:%02d", ((num >> 11) & 0x1F), 
+                                       ((num >>  5) & 0x3F));
+    return 0;
+}
+
+#ifndef NSS_X86_OR_X64
+/*
+ *  Simulates an x86 (little endian, unaligned) ushort fetch from any address.
+ */
+static PRUint32
+x86ShortToUint32(const void * v)
+{
+    const unsigned char *ii = (const unsigned char *)v;
+    PRUint32 ret = (PRUint32)(ii[0]) | ((PRUint32)(ii[1]) << 8);
+    return ret;
+}
 
 /*
- *  x t o l o n g
- *
- *  Converts a four byte ugly endianed integer
- *  to our platform's integer.
- *
+ *  Simulates an x86 (little endian, unaligned) uint fetch from any address.
  */
+static PRUint32
+x86LongToUint32(const void *v)
+{
+    const unsigned char *ll = (const unsigned char *)v;
+    PRUint32 ret;
 
-static unsigned long xtolong (unsigned char *ll)
-  {
-  unsigned long ret;
-
-  ret =  (
-         (((unsigned long) ll [0]) <<  0) |
-         (((unsigned long) ll [1]) <<  8) |
-         (((unsigned long) ll [2]) << 16) |
-         (((unsigned long) ll [3]) << 24)
-         );
-
-  return ret;
-  }
+    ret = ((((PRUint32)(ll[0])) <<  0) |
+	   (((PRUint32)(ll[1])) <<  8) |
+	   (((PRUint32)(ll[2])) << 16) |
+	   (((PRUint32)(ll[3])) << 24));
+    return ret;
+}
+#endif
 
 /*
- *  a t o o
- *
- *  Ascii octal to decimal.
+ *  ASCII octal to binary long.
  *  Used for integer encoding inside tar files.
  *
  */
-
-static long atoo (char *s)
-  {
-  long num = 0L;
-
-  while (*s == ' ') s++;
+static long 
+octalToLong(const char *s)
+{
+    long num = 0L;
 
-  while (*s >= '0' && *s <= '7')
-    {
-    num <<= 3;
-    num += *s++ - '0';
+    while (*s == ' ') 
+    	s++;
+    while (*s >= '0' && *s <= '7') {
+	num <<= 3;
+	num += *s++ - '0';
     }
-
-  return num;
-  }
+    return num;
+}
 
 /*
  *  g u e s s _ j a r
  *
  *  Try to guess what kind of JAR file this is.
  *  Maybe tar, maybe zip. Look in the file for magic
  *  or at its filename.
  *
  */
-
-static int jar_guess_jar (char *filename, JAR_FILE fp)
-  {
-  char *ext;
+static int 
+jar_guess_jar(const char *filename, JAR_FILE fp)
+{
+    PRInt32 len = PORT_Strlen(filename);
+    const char *ext = filename + len - 4; /* 4 for ".tar" */
 
-  ext = filename + PORT_Strlen (filename) - 4;
-
-  if (!PORT_Strcmp (ext, ".tar"))
-    return jarArchTar;
-
-  return jarArchZip;
-  }
+    if (len >= 4 && !PL_strcasecmp(ext, ".tar"))
+	return jarArchTar;
+    return jarArchZip;
+}
--- a/security/nss/lib/jar/jarfile.h
+++ b/security/nss/lib/jar/jarfile.h
@@ -31,87 +31,78 @@
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  *  JARFILE.H
- * 
+ *
  *  Certain constants and structures for the archive format.
  *
  */
 
 /* ZIP */
-
-struct ZipLocal
-  {
-  char signature [4];
-  char word [2];
-  char bitflag [2];
-  char method [2];
-  char time [2];
-  char date [2];
-  char crc32 [4];
-  char size [4];
-  char orglen [4];
-  char filename_len [2];
-  char extrafield_len [2];
-  };
+struct ZipLocal {		/* 30 bytes */
+    char signature [4];
+    char word [2];
+    char bitflag [2];
+    char method [2];
+    char time [2];
+    char date [2];
+    char crc32 [4];
+    char size [4];
+    char orglen [4];
+    char filename_len [2];
+    char extrafield_len [2];
+};
 
-struct ZipCentral
-  {
-  char signature [4];
-  char version_made_by [2];
-  char version [2];
-  char bitflag [2];
-  char method [2];
-  char time [2];
-  char date [2];
-  char crc32 [4];
-  char size [4];
-  char orglen [4];
-  char filename_len [2];
-  char extrafield_len [2];
-  char commentfield_len [2];
-  char diskstart_number [2];
-  char internal_attributes [2];
-  char external_attributes [4];
-  char localhdr_offset [4];
-  };
+struct ZipCentral {		/* 46 bytes */
+    char signature [4];
+    char version_made_by [2];
+    char version [2];
+    char bitflag [2];
+    char method [2];
+    char time [2];
+    char date [2];
+    char crc32 [4];
+    char size [4];
+    char orglen [4];
+    char filename_len [2];
+    char extrafield_len [2];
+    char commentfield_len [2];
+    char diskstart_number [2];
+    char internal_attributes [2];
+    char external_attributes [4];
+    char localhdr_offset [4];
+};
 
-struct ZipEnd
-  {
-  char signature [4];
-  char disk_nr [2];
-  char start_central_dir [2];
-  char total_entries_disk [2];
-  char total_entries_archive [2];
-  char central_dir_size [4];
-  char offset_central_dir [4];
-  char commentfield_len [2];
-  };
+struct ZipEnd {			/* 22 bytes */
+    char signature [4];
+    char disk_nr [2];
+    char start_central_dir [2];
+    char total_entries_disk [2];
+    char total_entries_archive [2];
+    char central_dir_size [4];
+    char offset_central_dir [4];
+    char commentfield_len [2];
+};
 
 #define LSIG 0x04034B50l
 #define CSIG 0x02014B50l
 #define ESIG 0x06054B50l
 
 /* TAR */
-
-union TarEntry
-  {
-  struct header
-    {
-    char filename [100];
-    char mode [8];
-    char uid [8];
-    char gid [8];
-    char size [12];
-    char time [12];
-    char checksum [8];
-    char linkflag;
-    char linkname [100];
-    }
-  val;
-
-  char buffer [512];
-  };
+union TarEntry {		/* 512 bytes */
+    struct header {		/* 257 bytes */
+	char filename [100];
+	char mode [8];
+	char uid [8];
+	char gid [8];
+	char size [12];
+	char time [12];
+	char checksum [8];
+	char linkflag;
+	char linkname [100];
+    } val;
+    char buffer [512];
+};
--- a/security/nss/lib/jar/jarint.c
+++ b/security/nss/lib/jar/jarint.c
@@ -44,41 +44,41 @@
 /*-----------------------------------------------------------------------
  * JAR_FOPEN_to_PR_Open
  * Translate JAR_FOPEN arguments to PR_Open arguments
  */
 PRFileDesc*
 JAR_FOPEN_to_PR_Open(const char* name, const char *mode)
 {
 
-	PRIntn	prflags=0, prmode=0;
+    PRIntn  prflags=0, prmode=0;
 
-	/* Get read/write flags */
-	if(strchr(mode, 'r') && !strchr(mode, '+')) {
-		prflags |= PR_RDONLY;
-	} else if( (strchr(mode, 'w') || strchr(mode, 'a')) &&
-			!strchr(mode,'+') ) {
-		prflags |= PR_WRONLY;
-	} else {
-		prflags |= PR_RDWR;
-	}
+    /* Get read/write flags */
+    if (strchr(mode, 'r') && !strchr(mode, '+')) {
+	prflags |= PR_RDONLY;
+    } else if( (strchr(mode, 'w') || strchr(mode, 'a')) &&
+	!strchr(mode,'+') ) {
+	prflags |= PR_WRONLY;
+    } else {
+	prflags |= PR_RDWR;
+    }
 
-	/* Create a new file? */
-	if(strchr(mode, 'w') || strchr(mode, 'a')) {
-		prflags |= PR_CREATE_FILE;
-	}
+    /* Create a new file? */
+    if (strchr(mode, 'w') || strchr(mode, 'a')) {
+	prflags |= PR_CREATE_FILE;
+    }
 
-	/* Append? */
-	if(strchr(mode, 'a')) {
-		prflags |= PR_APPEND;
-	}
+    /* Append? */
+    if (strchr(mode, 'a')) {
+	prflags |= PR_APPEND;
+    }
 
-	/* Truncate? */
-	if(strchr(mode, 'w')) {
-		prflags |= PR_TRUNCATE;
-	}
+    /* Truncate? */
+    if (strchr(mode, 'w')) {
+	prflags |= PR_TRUNCATE;
+    }
 
-	/* We can't do umask because it isn't XP.  Choose some default
+    /* We can't do umask because it isn't XP.  Choose some default
 	   mode for created files */
-	prmode = 0755;
+    prmode = 0755;
 
-	return PR_Open(name, prflags, prmode);
+    return PR_Open(name, prflags, prmode);
 }
--- a/security/nss/lib/jar/jarint.h
+++ b/security/nss/lib/jar/jarint.h
@@ -32,19 +32,16 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /* JAR internal routines */
 
 #include "nspr.h"
-
-/* definitely required */
-/*#include "certdb.h" */
 #include "key.h"
 #include "base64.h"
 
 extern CERTCertDBHandle *JAR_open_database (void);
 
 extern int JAR_close_database (CERTCertDBHandle *certdb);
 
 extern int jar_close_key_database (void *keydb);
@@ -52,38 +49,39 @@ extern int jar_close_key_database (void 
 extern void *jar_open_key_database (void);
 
 extern JAR_Signer *JAR_new_signer (void);
 
 extern void JAR_destroy_signer (JAR_Signer *signer);
 
 extern JAR_Signer *jar_get_signer (JAR *jar, char *basename);
 
-extern int jar_append (ZZList *list, int type,
-   char *pathname, void *data, size_t size);
+extern int 
+jar_append(ZZList *list, int type, char *pathname, void *data, size_t size);
 
 /* Translate fopen mode arg to PR_Open flags and mode */
 PRFileDesc*
 JAR_FOPEN_to_PR_Open(const char *name, const char *mode);
 
-
 #define ADDITEM(list,type,pathname,data,size) \
-  { int err; err = jar_append (list, type, pathname, data, size); \
-    if (err < 0) return err; }
+{ \
+    int err = jar_append (list, type, pathname, data, size); \
+    if (err < 0) \
+    	return err; \
+}
 
 /* Here is some ugliness in the event it is necessary to link
-   with NSPR 1.0 libraries, which do not include an FSEEK. It is 
+   with NSPR 1.0 libraries, which do not include an FSEEK. It is
    difficult to fudge an FSEEK into 1.0 so we use stdio. */
 
 /* nspr 2.0 suite */
 #define JAR_FILE PRFileDesc *
-/* #define JAR_FOPEN(fn,mode) PR_Open(fn,0,0) */
 #define JAR_FOPEN(fn,mode) JAR_FOPEN_to_PR_Open(fn,mode)
 #define JAR_FCLOSE PR_Close
 #define JAR_FSEEK PR_Seek
 #define JAR_FREAD PR_Read
 #define JAR_FWRITE PR_Write
 
-int jar_create_pk7
-   (CERTCertDBHandle *certdb, void *keydb,
-       CERTCertificate *cert, char *password, JAR_FILE infp, 
-       JAR_FILE outfp);
+int 
+jar_create_pk7(CERTCertDBHandle *certdb, void *keydb,
+               CERTCertificate *cert, char *password, JAR_FILE infp,
+               JAR_FILE outfp);
 
deleted file mode 100644
--- a/security/nss/lib/jar/jarjart.c
+++ /dev/null
@@ -1,361 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- *  JARJART
- *
- *  JAR functions used by Jartool
- */
-
-/* This allows manifest files above 64k to be
-   processed on non-win16 platforms */
-
-#include "jar.h"
-#include "jarint.h"
-#include "jarjart.h"
-#include "blapi.h"	/* JAR is supposed to be above the line!! */
-#include "pk11func.h"	/* PK11 wrapper funcs are all above the line. */
-#include "certdb.h"
-
-/* from certdb.h */
-#define CERTDB_USER (1<<6)
-
-/*
- *  S O B _ l i s t _ c e r t s
- *
- *  Return a list of newline separated certificate nicknames
- *  (this function used by the Jartool)
- * 
- */
-
-static SECStatus jar_list_cert_callback 
-     (CERTCertificate *cert, SECItem *k, void *data)
-  {
-  char *name;
-  char **ugly_list;
-
-  int trusted;
-
-  ugly_list = (char **) data;
-
-  if (cert)
-    {
-    name = cert->nickname;
-
-    trusted = cert->trust->objectSigningFlags & CERTDB_USER;
-
-    /* Add this name or email to list */
-
-    if (name && trusted)
-      {
-      *ugly_list = (char*)PORT_Realloc
-           (*ugly_list, PORT_Strlen (*ugly_list) + PORT_Strlen (name) + 2);
-
-      if (*ugly_list)
-        {
-        if (**ugly_list)
-          PORT_Strcat (*ugly_list, "\n");
-
-        PORT_Strcat (*ugly_list, name);
-        }
-      }
-    }
-
-  return (SECSuccess);
-  }
-
-/*
- *  S O B _ J A R _ l i s t _ c e r t s
- *
- *  Return a linfeed separated ascii list of certificate
- *  nicknames for the Jartool.
- *
- */
-
-char *JAR_JAR_list_certs (void)
-  {
-  SECStatus status = SECFailure;
-  CERTCertDBHandle *certdb;
-  CERTCertList *certs;
-  CERTCertListNode *node;
-
-  char *ugly_list;
-
-  certdb = JAR_open_database();
-
-  /* a little something */
-  ugly_list = (char*)PORT_ZAlloc (16);
-
-  if (ugly_list)
-    {
-    *ugly_list = 0;
-
-    certs = PK11_ListCerts(PK11CertListUnique, NULL/* pwarg*/);
-    if (certs)
-      {
-	for (node = CERT_LIST_HEAD(certs); !CERT_LIST_END(node,certs);
-				node = CERT_LIST_NEXT(node))
-           {
-	    jar_list_cert_callback(node->cert, NULL, (void *)&ugly_list);
-	   }
-	CERT_DestroyCertList(certs);
-	status = SECSuccess;
-       }
-    }
-
-  JAR_close_database (certdb);
-
-  return (status != SECSuccess) ? NULL : ugly_list;
-  }
-
-int JAR_JAR_validate_archive (char *filename)
-  {
-  JAR *jar;
-  int status = -1;
-
-  jar = JAR_new();
-
-  if (jar)
-    {
-    status = JAR_pass_archive (jar, jarArchGuess, filename, "");
-
-    if (status == 0)
-      status = jar->valid;
-
-    JAR_destroy (jar);
-    }
-
-  return status;
-  }
-
-char *JAR_JAR_get_error (int status)
-  {
-  return JAR_get_error (status);
-  }
-
-/*
- *  S O B _ J A R _  h a s h
- *
- *  Hash algorithm interface for use by the Jartool. Since we really
- *  don't know the private sizes of the context, and Java does need to
- *  know this number, allocate 512 bytes for it.
- *
- *  In april 1997 hashes in this file were changed to call PKCS11,
- *  as FIPS requires that when a smartcard has failed validation, 
- *  hashes are not to be performed. But because of the difficulty of
- *  preserving pointer context between calls to the JAR_JAR hashing
- *  functions, the hash routines are called directly, though after
- *  checking to see if hashing is allowed.
- *
- */
-
-void *JAR_JAR_new_hash (int alg)
-  {
-  void *context;
-
-  MD5Context *md5;
-  SHA1Context *sha1;
-
-  /* this is a hack because this whole PORT_ZAlloc stuff looks scary */
-
-  if (!PK11_HashOK (alg == 1 ? SEC_OID_MD5 : SEC_OID_SHA1))
-    return NULL;
-
-  context = PORT_ZAlloc (512);
-
-  if (context)
-    {
-    switch (alg)
-      {
-      case 1:  /* MD5 */
-               md5 = (MD5Context *) context;
-               MD5_Begin (md5);
-               break;
-
-      case 2:  /* SHA1 */
-               sha1 = (SHA1Context *) context;
-               SHA1_Begin (sha1);
-               break;
-      }
-    }
-
-  return context;
-  }
-
-void *JAR_JAR_hash (int alg, void *cookie, int length, void *data)
-  {
-  MD5Context *md5;
-  SHA1Context *sha1;
-
-  /* this is a hack because this whole PORT_ZAlloc stuff looks scary */
-
-  if (!PK11_HashOK (alg == 1 ? SEC_OID_MD5 : SEC_OID_SHA1))
-    return NULL;
-
-  if (length > 0)
-    {
-    switch (alg)
-      {
-      case 1:  /* MD5 */
-               md5 = (MD5Context *) cookie;
-               MD5_Update (md5, (unsigned char*)data, length);
-               break;
-
-      case 2:  /* SHA1 */
-               sha1 = (SHA1Context *) cookie;
-               SHA1_Update (sha1, (unsigned char*)data, length);
-               break;
-      }
-    }
-
-  return cookie;
-  }
-
-void *JAR_JAR_end_hash (int alg, void *cookie)
-  {
-  int length;
-  unsigned char *data;
-  char *ascii; 
-
-  MD5Context *md5;
-  SHA1Context *sha1;
-
-  unsigned int md5_length;
-  unsigned char md5_digest [MD5_LENGTH];
-
-  unsigned int sha1_length;
-  unsigned char sha1_digest [SHA1_LENGTH];
-
-  /* this is a hack because this whole PORT_ZAlloc stuff looks scary */
-
-  if (!PK11_HashOK (alg == 1 ? SEC_OID_MD5 : SEC_OID_SHA1)) 
-    return NULL;
-
-  switch (alg)
-    {
-    case 1:  /* MD5 */
-
-             md5 = (MD5Context *) cookie;
-
-             MD5_End (md5, md5_digest, &md5_length, MD5_LENGTH);
-             /* MD5_DestroyContext (md5, PR_TRUE); */
-
-             data = md5_digest;
-             length = md5_length;
-
-             break;
-
-    case 2:  /* SHA1 */
-
-             sha1 = (SHA1Context *) cookie;
-
-             SHA1_End (sha1, sha1_digest, &sha1_length, SHA1_LENGTH);
-             /* SHA1_DestroyContext (sha1, PR_TRUE); */
-
-             data = sha1_digest;
-             length = sha1_length;
-
-             break;
-
-    default: return NULL;
-    }
-
-  /* Instead of destroy context, since we created it */
-  /* PORT_Free (cookie); */
-
-  ascii = BTOA_DataToAscii(data, length);
-
-  return ascii ? PORT_Strdup (ascii) : NULL;
-  }
-
-/*
- *  S O B _ J A R _ s i g n _ a r c h i v e
- *
- *  A simple API to sign a JAR archive.
- *
- */
-
-int JAR_JAR_sign_archive 
-      (char *nickname, char *password, char *sf, char *outsig)
-  {
-  int status = JAR_ERR_GENERAL;
-  JAR_FILE sf_fp; 
-  JAR_FILE out_fp;
-
-  CERTCertDBHandle *certdb;
-  void *keydb;
-
-  CERTCertificate *cert;
-
-  if (PORT_Strlen (sf) < 5)
-    {
-    return JAR_ERR_GENERAL;
-    }
-
-  /* open cert and key databases */
-
-  certdb = JAR_open_database();
-  if (certdb == NULL)
-    return JAR_ERR_GENERAL;
-
-  keydb = jar_open_key_database();
-  if (keydb == NULL)
-    {
-    JAR_close_database(certdb);
-    return JAR_ERR_GENERAL;
-    }
-
-  sf_fp = JAR_FOPEN (sf, "rb");
-  out_fp = JAR_FOPEN (outsig, "wb");
-
-  cert = CERT_FindCertByNickname (certdb, nickname);
-
-  if (cert && sf_fp && out_fp)
-    {
-    status = jar_create_pk7 (certdb, keydb, cert, password, sf_fp, out_fp);
-    }
-
-  /* remove password from prying eyes */
-  PORT_Memset (password, 0, PORT_Strlen (password));
-
-  JAR_FCLOSE (sf_fp);
-  JAR_FCLOSE (out_fp);
-
-  JAR_close_database (certdb);
-  jar_close_key_database (keydb);
-
-  return status;
-  }
deleted file mode 100644
--- a/security/nss/lib/jar/jarjart.h
+++ /dev/null
@@ -1,75 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- *  jarjart.h
- *
- *  Functions for the Jartool, which is written in Java and
- *  requires wrappers located elsewhere in the client.
- *
- *  Do not call these unless you are the Jartool, no matter
- *  how convenient they may appear.
- *
- */
-
-#ifndef _JARJART_H_
-#define _JARJART_H_
-
-/* return a list of certificate nicknames, separated by \n's */
-extern char *JAR_JAR_list_certs (void);
-
-/* validate archive, simple api */
-extern int JAR_JAR_validate_archive (char *filename);
-
-/* begin hash */
-extern void *JAR_JAR_new_hash (int alg);
-
-/* hash a streaming pile */
-extern void *JAR_JAR_hash (int alg, void *cookie, int length, void *data);
-
-/* end hash */
-extern void *JAR_JAR_end_hash (int alg, void *cookie);
-
-/* sign the archive (given an .SF file) with the given cert.
-   The password argument is a relic, PKCS11 now handles that. */
-
-extern int JAR_JAR_sign_archive 
-   (char *nickname, char *password, char *sf, char *outsig);
-
-/* convert status to text */
-extern char *JAR_JAR_get_error (int status);
-
-#endif
--- a/security/nss/lib/jar/jarnav.c
+++ b/security/nss/lib/jar/jarnav.c
@@ -40,71 +40,55 @@
  *  JAR stuff needed for client only.
  *
  */
 
 #include "jar.h"
 #include "jarint.h"
 
 /* from proto.h */
-#ifdef MOZILLA_CLIENT_OLD
-extern MWContext *XP_FindSomeContext(void);
-#endif
-
-/* sigh */
 extern MWContext *FE_GetInitContext(void);
 
 /* To return an MWContext for Java */
 static MWContext *(*jar_fn_FindSomeContext) (void) = NULL;
 
 /* To fabricate an MWContext for FE_GetPassword */
 static MWContext *(*jar_fn_GetInitContext) (void) = NULL;
 
 /*
  *  J A R _ i n i t
  *
  *  Initialize the JAR functions.
- * 
+ *
  */
 
 void JAR_init (void)
-  {
-#ifdef MOZILLA_CLIENT_OLD
-  JAR_init_callbacks (XP_GetString, XP_FindSomeContext, FE_GetInitContext);
-#else
-  JAR_init_callbacks (XP_GetString, NULL, NULL);
-#endif
-  }
+{
+    JAR_init_callbacks (XP_GetString, NULL, NULL);
+}
 
 /*
  *  J A R _ s e t _ c o n t e x t
  *
  *  Set the jar window context for use by PKCS11, since
  *  it may be needed to prompt the user for a password.
  *
  */
-
-int JAR_set_context (JAR *jar, MWContext *mw)
-  {
-  if (mw)
-    {
-    jar->mw = mw;
+int 
+JAR_set_context(JAR *jar, MWContext *mw)
+{
+    if (mw) {
+	jar->mw = mw;
+    } else {
+	/* jar->mw = XP_FindSomeContext(); */
+	jar->mw = NULL;
+	/*
+	 * We can't find a context because we're in startup state and none
+	 * exist yet. go get an FE_InitContext that only works at 
+	 * initialization time.
+	 */
+	/* Turn on the mac when we get the FE_ function */
+	if (jar->mw == NULL) {
+	    jar->mw = jar_fn_GetInitContext();
+	}
     }
-  else
-    {
-    /* jar->mw = XP_FindSomeContext(); */
-    jar->mw = NULL;
-
-    /*
-     * We can't find a context because we're in startup state and none
-     * exist yet. go get an FE_InitContext that only works at initialization
-     * time.
-     */
-
-    /* Turn on the mac when we get the FE_ function */
-    if (jar->mw == NULL)
-      {
-      jar->mw = jar_fn_GetInitContext();
-      }
-   }
-
-  return 0;
-  }
+    return 0;
+}
--- a/security/nss/lib/jar/jarsign.c
+++ b/security/nss/lib/jar/jarsign.c
@@ -45,309 +45,226 @@
 #include "jarint.h"
 #include "secpkcs7.h"
 #include "pk11func.h"
 #include "sechash.h"
 
 /* from libevent.h */
 typedef void (*ETVoidPtrFunc) (void * data);
 
-#ifdef MOZILLA_CLIENT_OLD
-
-extern void ET_moz_CallFunction (ETVoidPtrFunc fn, void *data);
-
-/* from proto.h */
-/* extern MWContext *XP_FindSomeContext(void); */
-extern void *XP_FindSomeContext(void);
-
-#endif
-
 /* key database wrapper */
-
 /* static SECKEYKeyDBHandle *jar_open_key_database (void); */
-
 /* CHUNQ is our bite size */
 
 #define CHUNQ 64000
 #define FILECHUNQ 32768
 
 /*
- *  J A R _ c a l c u l a t e _ d i g e s t 
+ *  J A R _ c a l c u l a t e _ d i g e s t
  *
  *  Quick calculation of a digest for
  *  the specified block of memory. Will calculate
  *  for all supported algorithms, now MD5.
  *
  *  This version supports huge pointers for WIN16.
- * 
+ *
  */
-
-JAR_Digest * PR_CALLBACK JAR_calculate_digest (void ZHUGEP *data, long length)
-  {
-  long chunq;
-  JAR_Digest *dig;
-
-  unsigned int md5_length, sha1_length;
+JAR_Digest * PR_CALLBACK 
+JAR_calculate_digest(void *data, long length)
+{
+    PK11Context *md5  = 0;
+    PK11Context *sha1 = 0;
+    JAR_Digest *dig   = PORT_ZNew(JAR_Digest);
+    long chunq;
+    unsigned int md5_length, sha1_length;
 
-  PK11Context *md5  = 0;
-  PK11Context *sha1 = 0;
-
-  dig = (JAR_Digest *) PORT_ZAlloc (sizeof (JAR_Digest));
-
-  if (dig == NULL) 
-    {
-    /* out of memory allocating digest */
-    return NULL;
+    if (dig == NULL) {
+	/* out of memory allocating digest */
+	return NULL;
     }
 
-#if defined(XP_WIN16)
-  PORT_Assert ( !IsBadHugeReadPtr(data, length) );
-#endif
-
-  md5  = PK11_CreateDigestContext (SEC_OID_MD5);
-  sha1 = PK11_CreateDigestContext (SEC_OID_SHA1);
+    md5  = PK11_CreateDigestContext(SEC_OID_MD5);
+    sha1 = PK11_CreateDigestContext(SEC_OID_SHA1);
 
-  if (length >= 0) 
-    {
-    PK11_DigestBegin (md5);
-    PK11_DigestBegin (sha1);
+    if (length >= 0) {
+	PK11_DigestBegin (md5);
+	PK11_DigestBegin (sha1);
 
-    do {
-       chunq = length;
-
-#ifdef XP_WIN16
-       if (length > CHUNQ) chunq = CHUNQ;
+	do {
+	    chunq = length;
 
-       /*
-        *  If the block of data crosses one or more segment 
-        *  boundaries then only pass the chunk of data in the 
-        *  first segment.
-        * 
-        *  This allows the data to be treated as FAR by the
-        *  PK11_DigestOp(...) routine.
-        *
-        */
-
-       if (OFFSETOF(data) + chunq >= 0x10000) 
-         chunq = 0x10000 - OFFSETOF(data);
-#endif
+	    PK11_DigestOp(md5,  (unsigned char*)data, chunq);
+	    PK11_DigestOp(sha1, (unsigned char*)data, chunq);
+	    length -= chunq;
+	    data = ((char *) data + chunq);
+	}
+	while (length > 0);
 
-       PK11_DigestOp (md5,  (unsigned char*)data, chunq);
-       PK11_DigestOp (sha1, (unsigned char*)data, chunq);
-
-       length -= chunq;
-       data = ((char ZHUGEP *) data + chunq);
-       } 
-    while (length > 0);
+	PK11_DigestFinal (md5,	dig->md5,  &md5_length,  MD5_LENGTH);
+	PK11_DigestFinal (sha1, dig->sha1, &sha1_length, SHA1_LENGTH);
 
-    PK11_DigestFinal (md5,  dig->md5,  &md5_length,  MD5_LENGTH);
-    PK11_DigestFinal (sha1, dig->sha1, &sha1_length, SHA1_LENGTH);
-
-    PK11_DestroyContext (md5,  PR_TRUE);
-    PK11_DestroyContext (sha1, PR_TRUE);
+	PK11_DestroyContext (md5,  PR_TRUE);
+	PK11_DestroyContext (sha1, PR_TRUE);
     }
-
-  return dig;
-  }
+    return dig;
+}
 
 /*
  *  J A R _ d i g e s t _ f i l e
  *
- *  Calculates the MD5 and SHA1 digests for a file 
+ *  Calculates the MD5 and SHA1 digests for a file
  *  present on disk, and returns these in JAR_Digest struct.
  *
  */
-
-int JAR_digest_file (char *filename, JAR_Digest *dig)
-    {
+int 
+JAR_digest_file (char *filename, JAR_Digest *dig)
+{
     JAR_FILE fp;
-
-    int num;
-    unsigned char *buf;
-
     PK11Context *md5 = 0;
     PK11Context *sha1 = 0;
-
+    unsigned char *buf = (unsigned char *) PORT_ZAlloc (FILECHUNQ);
+    int num;
     unsigned int md5_length, sha1_length;
 
-    buf = (unsigned char *) PORT_ZAlloc (FILECHUNQ);
-    if (buf == NULL)
-      {
-      /* out of memory */
-      return JAR_ERR_MEMORY;
-      }
- 
-    if ((fp = JAR_FOPEN (filename, "rb")) == 0)
-      {
-      /* perror (filename); FIX XXX XXX XXX XXX XXX XXX */
-      PORT_Free (buf);
-      return JAR_ERR_FNF;
-      }
+    if (buf == NULL) {
+	/* out of memory */
+	return JAR_ERR_MEMORY;
+    }
+
+    if ((fp = JAR_FOPEN (filename, "rb")) == 0) {
+	/* perror (filename); FIX XXX XXX XXX XXX XXX XXX */
+	PORT_Free (buf);
+	return JAR_ERR_FNF;
+    }
 
     md5 = PK11_CreateDigestContext (SEC_OID_MD5);
     sha1 = PK11_CreateDigestContext (SEC_OID_SHA1);
 
-    if (md5 == NULL || sha1 == NULL) 
-      {
-      /* can't generate digest contexts */
-      PORT_Free (buf);
-      JAR_FCLOSE (fp);
-      return JAR_ERR_GENERAL;
-      }
+    if (md5 == NULL || sha1 == NULL) {
+	/* can't generate digest contexts */
+	PORT_Free (buf);
+	JAR_FCLOSE (fp);
+	return JAR_ERR_GENERAL;
+    }
 
     PK11_DigestBegin (md5);
     PK11_DigestBegin (sha1);
 
-    while (1)
-      {
-      if ((num = JAR_FREAD (fp, buf, FILECHUNQ)) == 0)
-        break;
+    while (1) {
+	if ((num = JAR_FREAD (fp, buf, FILECHUNQ)) == 0)
+	    break;
 
-      PK11_DigestOp (md5, buf, num);
-      PK11_DigestOp (sha1, buf, num);
-      }
+	PK11_DigestOp (md5, buf, num);
+	PK11_DigestOp (sha1, buf, num);
+    }
 
     PK11_DigestFinal (md5, dig->md5, &md5_length, MD5_LENGTH);
     PK11_DigestFinal (sha1, dig->sha1, &sha1_length, SHA1_LENGTH);
 
     PK11_DestroyContext (md5, PR_TRUE);
     PK11_DestroyContext (sha1, PR_TRUE);
 
     PORT_Free (buf);
     JAR_FCLOSE (fp);
 
     return 0;
-    }
+}
 
 /*
  *  J A R _ o p e n _ k e y _ d a t a b a s e
  *
  */
 
-void* jar_open_key_database (void)
-  {
+void* 
+jar_open_key_database(void)
+{
     return NULL;
-  }
+}
 
-int jar_close_key_database (void *keydb)
-  {
-  /* We never do close it */
-  return 0;
-  }
+int 
+jar_close_key_database(void *keydb)
+{
+    /* We never do close it */
+    return 0;
+}
 
 
 /*
  *  j a r _ c r e a t e _ p k 7
  *
  */
 
 static void jar_pk7_out (void *arg, const char *buf, unsigned long len)
-  {
-  JAR_FWRITE ((JAR_FILE) arg, buf, len);
-  }
+{
+    JAR_FWRITE ((JAR_FILE) arg, buf, len);
+}
 
-int jar_create_pk7 
-   (CERTCertDBHandle *certdb, void *keydb, 
-       CERTCertificate *cert, char *password, JAR_FILE infp, JAR_FILE outfp)
-  {
-  int nb;
-  unsigned char buffer [4096], digestdata[32];
-  const SECHashObject *hashObj;
-  void *hashcx;
-  unsigned int len;
+int 
+jar_create_pk7(CERTCertDBHandle *certdb, void *keydb, CERTCertificate *cert, 
+               char *password, JAR_FILE infp, JAR_FILE outfp)
+{
+    SEC_PKCS7ContentInfo *cinfo;
+    const SECHashObject *hashObj;
+    char *errstring;
+    void *mw = NULL;
+    void *hashcx;
+    unsigned int len;
+    int status = 0;
+    SECStatus rv;
+    SECItem digest;
+    unsigned char digestdata[32];
+    unsigned char buffer[4096];
 
-  int status = 0;
-  char *errstring;
+    if (outfp == NULL || infp == NULL || cert == NULL)
+	return JAR_ERR_GENERAL;
 
-  SECItem digest;
-  SEC_PKCS7ContentInfo *cinfo;
-  SECStatus rv;
-
-  void /*MWContext*/ *mw;
+    /* we sign with SHA */
+    hashObj = HASH_GetHashObject(HASH_AlgSHA1);
 
-  if (outfp == NULL || infp == NULL || cert == NULL)
-    return JAR_ERR_GENERAL;
-
-  /* we sign with SHA */
-  hashObj = HASH_GetHashObject(HASH_AlgSHA1);
+    hashcx = (* hashObj->create)();
+    if (hashcx == NULL)
+	return JAR_ERR_GENERAL;
 
-  hashcx = (* hashObj->create)();
-  if (hashcx == NULL)
-    return JAR_ERR_GENERAL;
-
-  (* hashObj->begin)(hashcx);
+    (* hashObj->begin)(hashcx);
+    while (1) {
+	int nb = JAR_FREAD(infp, buffer, sizeof buffer);
+	if (nb == 0) { /* eof */
+	    break;
+	}
+	(* hashObj->update) (hashcx, buffer, nb);
+    }
+    (* hashObj->end)(hashcx, digestdata, &len, 32);
+    (* hashObj->destroy)(hashcx, PR_TRUE);
 
-  while (1)
-    {
-    /* nspr2.0 doesn't support feof 
-       if (feof (infp)) break; */
+    digest.data = digestdata;
+    digest.len = len;
 
-    nb = JAR_FREAD (infp, buffer, sizeof (buffer));
-    if (nb == 0) 
-      {
-      /* eof */
-      break;
-      }
-    (* hashObj->update) (hashcx, buffer, nb);
+    /* signtool must use any old context it can find since it's
+	 calling from inside javaland. */
+    PORT_SetError (0);
+    cinfo = SEC_PKCS7CreateSignedData(cert, certUsageObjectSigner, NULL,
+                                      SEC_OID_SHA1, &digest, NULL, mw);
+    if (cinfo == NULL)
+	return JAR_ERR_PK7;
+
+    rv = SEC_PKCS7IncludeCertChain(cinfo, NULL);
+    if (rv != SECSuccess) {
+	status = PORT_GetError();
+	SEC_PKCS7DestroyContentInfo(cinfo);
+	return status;
     }
 
-  (* hashObj->end) (hashcx, digestdata, &len, 32);
-  (* hashObj->destroy) (hashcx, PR_TRUE);
-
-  digest.data = digestdata;
-  digest.len = len;
-
-  /* signtool must use any old context it can find since it's
-     calling from inside javaland. */
-
-#ifdef MOZILLA_CLIENT_OLD
-  mw = XP_FindSomeContext();
-#else
-  mw = NULL;
-#endif
+    /* Having this here forces signtool to always include signing time. */
+    rv = SEC_PKCS7AddSigningTime(cinfo);
+    /* don't check error */
+    PORT_SetError(0);
 
-  PORT_SetError (0);
-
-  cinfo = SEC_PKCS7CreateSignedData 
-             (cert, certUsageObjectSigner, NULL, 
-                SEC_OID_SHA1, &digest, NULL, (void *) mw);
-
-  if (cinfo == NULL)
-    return JAR_ERR_PK7;
-
-  rv = SEC_PKCS7IncludeCertChain (cinfo, NULL);
-  if (rv != SECSuccess) 
-    {
-    status = PORT_GetError();
+    /* if calling from mozilla thread*/
+    rv = SEC_PKCS7Encode(cinfo, jar_pk7_out, outfp, NULL, NULL, mw);
+    if (rv != SECSuccess)
+	status = PORT_GetError();
     SEC_PKCS7DestroyContentInfo (cinfo);
-    return status;
+    if (rv != SECSuccess) {
+	errstring = JAR_get_error (status);
+	return ((status < 0) ? status : JAR_ERR_GENERAL);
     }
-
-  /* Having this here forces signtool to always include
-     signing time. */
-
-  rv = SEC_PKCS7AddSigningTime (cinfo);
-  if (rv != SECSuccess)
-    {
-    /* don't check error */
-    }
-
-  PORT_SetError (0);
-
-  /* if calling from mozilla thread*/
-  rv = SEC_PKCS7Encode 
-             (cinfo, jar_pk7_out, outfp, 
-                 NULL,  /* pwfn */ NULL,  /* pwarg */ (void *) mw);
-
-  if (rv != SECSuccess)
-    status = PORT_GetError();
-
-  SEC_PKCS7DestroyContentInfo (cinfo);
-
-  if (rv != SECSuccess)
-    {
-    errstring = JAR_get_error (status);
-    /*XP_TRACE (("Jar signing failed (reason %d = %s)", status, errstring));*/
-    return status < 0 ? status : JAR_ERR_GENERAL;
-    }
-
-  return 0;
-  }
+    return 0;
+}
--- a/security/nss/lib/jar/jarver.c
+++ b/security/nss/lib/jar/jarver.c
@@ -45,1840 +45,1566 @@
 #include "jarint.h"
 #include "certdb.h"
 #include "certt.h"
 #include "secpkcs7.h"
 
 /*#include "cdbhdl.h" */
 #include "secder.h"
 
-/* to use huge pointers in win16 */
-
-#define xp_HUGE_MEMCPY PORT_Memcpy
-#define xp_HUGE_STRCPY PORT_Strcpy
-#define xp_HUGE_STRLEN PORT_Strlen
-#define xp_HUGE_STRNCASECMP PORT_Strncasecmp
-
 /* from certdb.h */
 #define CERTDB_USER (1<<6)
 
 #define SZ 512
 
-static int jar_validate_pkcs7 
-     (JAR *jar, JAR_Signer *signer, char *data, long length);
+static int
+jar_validate_pkcs7(JAR *jar, JAR_Signer *signer, char *data, long length);
 
-static void jar_catch_bytes
-     (void *arg, const char *buf, unsigned long len);
+static void
+jar_catch_bytes(void *arg, const char *buf, unsigned long len);
 
-static int jar_gather_signers
-     (JAR *jar, JAR_Signer *signer, SEC_PKCS7ContentInfo *cinfo);
+static int
+jar_gather_signers(JAR *jar, JAR_Signer *signer, SEC_PKCS7ContentInfo *cinfo);
 
-static char ZHUGEP *jar_eat_line 
-     (int lines, int eating, char ZHUGEP *data, long *len);
+static char *
+jar_eat_line(int lines, int eating, char *data, long *len);
 
-static JAR_Digest *jar_digest_section 
-     (char ZHUGEP *manifest, long length);
+static JAR_Digest *
+jar_digest_section(char *manifest, long length);
 
-static JAR_Digest *jar_get_mf_digest (JAR *jar, char *path);
+static JAR_Digest *jar_get_mf_digest(JAR *jar, char *path);
 
-static int jar_parse_digital_signature 
-     (char *raw_manifest, JAR_Signer *signer, long length, JAR *jar);
+static int
+jar_parse_digital_signature(char *raw_manifest, JAR_Signer *signer,
+			    long length, JAR *jar);
 
-static int jar_add_cert
-     (JAR *jar, JAR_Signer *signer, int type, CERTCertificate *cert);
-
-static CERTCertificate *jar_get_certificate
-            (JAR *jar, long keylen, void *key, int *result);
+static int
+jar_add_cert(JAR *jar, JAR_Signer *signer, int type, CERTCertificate *cert);
 
-static char *jar_cert_element (char *name, char *tag, int occ);
+static CERTCertificate *
+jar_get_certificate(JAR *jar, long keylen, void *key, int *result);
 
-static char *jar_choose_nickname (CERTCertificate *cert);
+static char * jar_cert_element(char *name, char *tag, int occ);
 
-static char *jar_basename (const char *path);
+static char *jar_choose_nickname(CERTCertificate *cert);
 
-static int jar_signal 
-     (int status, JAR *jar, const char *metafile, char *pathname);
+static char *jar_basename(const char *path);
+
+static int
+jar_signal(int status, JAR *jar, const char *metafile, char *pathname);
 
 #ifdef DEBUG
-static int jar_insanity_check (char ZHUGEP *data, long length);
+static int jar_insanity_check(char *data, long length);
 #endif
 
-int jar_parse_mf
-    (JAR *jar, char ZHUGEP *raw_manifest, 
-        long length, const char *path, const char *url);
+int
+jar_parse_mf(JAR *jar, char *raw_manifest, long length,
+	     const char *path, const char *url);
 
-int jar_parse_sf
-    (JAR *jar, char ZHUGEP *raw_manifest, 
-        long length, const char *path, const char *url);
+int
+jar_parse_sf(JAR *jar, char *raw_manifest, long length,
+	     const char *path, const char *url);
 
-int jar_parse_sig
-    (JAR *jar, const char *path, char ZHUGEP *raw_manifest, long length);
+int
+jar_parse_sig(JAR *jar, const char *path, char *raw_manifest,
+	      long length);
 
-int jar_parse_any
-    (JAR *jar, int type, JAR_Signer *signer, char ZHUGEP *raw_manifest, 
-        long length, const char *path, const char *url);
+int
+jar_parse_any(JAR *jar, int type, JAR_Signer *signer,
+	      char *raw_manifest, long length, const char *path,
+	  const char *url);
 
-static int jar_internal_digest 
-     (JAR *jar, const char *path, char *x_name, JAR_Digest *dig);
+static int
+jar_internal_digest(JAR *jar, const char *path, char *x_name, JAR_Digest *dig);
 
 /*
  *  J A R _ p a r s e _ m a n i f e s t
- * 
+ *
  *  Pass manifest files to this function. They are
  *  decoded and placed into internal representations.
- * 
+ *
  *  Accepts both signature and manifest files. Use
- *  the same "jar" for both. 
+ *  the same "jar" for both.
  *
  */
-
-int JAR_parse_manifest 
-    (JAR *jar, char ZHUGEP *raw_manifest, 
-        long length, const char *path, const char *url)
+int
+JAR_parse_manifest(JAR *jar, char *raw_manifest, long length,
+		   const char *path, const char *url)
 {
-  int filename_free = 0;
+    int filename_free = 0;
 
-  /* fill in the path, if supplied. This is a the location
-     of the jar file on disk, if known */
+    /* fill in the path, if supplied. This is a the location
+	 of the jar file on disk, if known */
 
-  if (jar->filename == NULL && path)
-    {
-    jar->filename = PORT_Strdup (path);
-    if (jar->filename == NULL)
-      return JAR_ERR_MEMORY;
-    filename_free = 1;
+    if (jar->filename == NULL && path) {
+	jar->filename = PORT_Strdup(path);
+	if (jar->filename == NULL)
+	    return JAR_ERR_MEMORY;
+	filename_free = 1;
     }
 
-  /* fill in the URL, if supplied. This is the place
-     from which the jar file was retrieved. */
+    /* fill in the URL, if supplied. This is the place
+	 from which the jar file was retrieved. */
 
-  if (jar->url == NULL && url)
-    {
-    jar->url = PORT_Strdup (url);
-    if (jar->url == NULL)
-      {
-      if (filename_free)
-        {
-        PORT_Free (jar->filename);
-        }
-      return JAR_ERR_MEMORY;
-      }
+    if (jar->url == NULL && url) {
+	jar->url = PORT_Strdup(url);
+	if (jar->url == NULL) {
+	    if (filename_free) {
+		PORT_Free(jar->filename);
+	    }
+	    return JAR_ERR_MEMORY;
+	}
     }
 
-  /* Determine what kind of file this is from the META-INF 
-     directory. It could be MF, SF, or a binary RSA/DSA file */
+    /* Determine what kind of file this is from the META-INF
+	 directory. It could be MF, SF, or a binary RSA/DSA file */
 
-  if (!xp_HUGE_STRNCASECMP (raw_manifest, "Manifest-Version:", 17))
-    {
-    return jar_parse_mf (jar, raw_manifest, length, path, url);
+    if (!PORT_Strncasecmp (raw_manifest, "Manifest-Version:", 17)) {
+	return jar_parse_mf(jar, raw_manifest, length, path, url);
     }
-  else if (!xp_HUGE_STRNCASECMP (raw_manifest, "Signature-Version:", 18))
+    else if (!PORT_Strncasecmp (raw_manifest, "Signature-Version:", 18))
     {
-    return jar_parse_sf (jar, raw_manifest, length, path, url);
+	return jar_parse_sf(jar, raw_manifest, length, path, url);
+    } else {
+	/* This is probably a binary signature */
+	return jar_parse_sig(jar, path, raw_manifest, length);
     }
-  else
-    {
-    /* This is probably a binary signature */
-    return jar_parse_sig (jar, path, raw_manifest, length);
-    }
-  }
+}
 
 /*
  *  j a r _ p a r s e _ s i g
  *
  *  Pass some manner of RSA or DSA digital signature
  *  on, after checking to see if it comes at an appropriate state.
  *
  */
- 
-int jar_parse_sig
-    (JAR *jar, const char *path, char ZHUGEP *raw_manifest, long length)
+int
+jar_parse_sig(JAR *jar, const char *path, char *raw_manifest,
+	      long length)
 {
-  JAR_Signer *signer;
-  int status = JAR_ERR_ORDER;
+    JAR_Signer *signer;
+    int status = JAR_ERR_ORDER;
 
-  if (length <= 128) 
-    {
-    /* signature is way too small */
-    return JAR_ERR_SIG;
+    if (length <= 128) {
+	/* signature is way too small */
+	return JAR_ERR_SIG;
     }
 
-  /* make sure that MF and SF have already been processed */
-
-  if (jar->globalmeta == NULL)
-    return JAR_ERR_ORDER;
+    /* make sure that MF and SF have already been processed */
 
-  /* Determine whether or not this RSA file has
-     has an associated SF file */
+    if (jar->globalmeta == NULL)
+	return JAR_ERR_ORDER;
 
-  if (path)
-    {
-    char *owner;
-    owner = jar_basename (path);
+    /* Determine whether or not this RSA file has
+	 has an associated SF file */
 
-    if (owner == NULL)
-      return JAR_ERR_MEMORY;
+    if (path) {
+	char *owner;
+	owner = jar_basename(path);
 
-    signer = jar_get_signer (jar, owner);
+	if (owner == NULL)
+	    return JAR_ERR_MEMORY;
 
-    PORT_Free (owner);
-    }
-  else
-    signer = jar_get_signer (jar, "*");
+	signer = jar_get_signer(jar, owner);
+	PORT_Free(owner);
+    } else
+	signer = jar_get_signer(jar, "*");
 
-  if (signer == NULL)
-    return JAR_ERR_ORDER;
+    if (signer == NULL)
+	return JAR_ERR_ORDER;
 
 
-  /* Do not pass a huge pointer to this function,
-     since the underlying security code is unaware. We will
-     never pass >64k through here. */
+    /* Do not pass a huge pointer to this function,
+	 since the underlying security code is unaware. We will
+	 never pass >64k through here. */
 
-  if (length > 64000)
-    {
-    /* this digital signature is way too big */
-    return JAR_ERR_SIG;
+    if (length > 64000) {
+	/* this digital signature is way too big */
+	return JAR_ERR_SIG;
     }
 
-  /* don't expense unneeded calloc overhead on non-win16 */
-  status = jar_parse_digital_signature 
-                (raw_manifest, signer, length, jar);
+    /* don't expense unneeded calloc overhead on non-win16 */
+    status = jar_parse_digital_signature(raw_manifest, signer, length, jar);
 
-  return status;
-  }
+    return status;
+}
 
 /*
  *  j a r _ p a r s e _ m f
  *
  *  Parse the META-INF/manifest.mf file, whose
  *  information applies to all signers.
  *
  */
-
-int jar_parse_mf
-    (JAR *jar, char ZHUGEP *raw_manifest, 
-        long length, const char *path, const char *url)
-  {
-  if (jar->globalmeta)
-    {
-    /* refuse a second manifest file, if passed for some reason */
-    return JAR_ERR_ORDER;
+int
+jar_parse_mf(JAR *jar, char *raw_manifest, long length,
+	     const char *path, const char *url)
+{
+    if (jar->globalmeta) {
+	/* refuse a second manifest file, if passed for some reason */
+	return JAR_ERR_ORDER;
     }
 
-
-  /* remember a digest for the global section */
-
-  jar->globalmeta = jar_digest_section (raw_manifest, length);
-
-  if (jar->globalmeta == NULL)
-    return JAR_ERR_MEMORY;
-
-
-  return jar_parse_any 
-    (jar, jarTypeMF, NULL, raw_manifest, length, path, url);
-  }
+    /* remember a digest for the global section */
+    jar->globalmeta = jar_digest_section(raw_manifest, length);
+    if (jar->globalmeta == NULL)
+	return JAR_ERR_MEMORY;
+    return jar_parse_any(jar, jarTypeMF, NULL, raw_manifest, length,
+			 path, url);
+}
 
 /*
  *  j a r _ p a r s e _ s f
  *
  *  Parse META-INF/xxx.sf, a digitally signed file
- *  pointing to a subset of MF sections. 
+ *  pointing to a subset of MF sections.
  *
  */
+int
+jar_parse_sf(JAR *jar, char *raw_manifest, long length,
+	     const char *path, const char *url)
+{
+    JAR_Signer *signer = NULL;
+    int status = JAR_ERR_MEMORY;
 
-int jar_parse_sf
-    (JAR *jar, char ZHUGEP *raw_manifest, 
-        long length, const char *path, const char *url)
-  {
-  JAR_Signer *signer = NULL;
-  int status = JAR_ERR_MEMORY;
-
-  if (jar->globalmeta == NULL)
-    {
-    /* It is a requirement that the MF file be passed before the SF file */
-    return JAR_ERR_ORDER;
+    if (jar->globalmeta == NULL) {
+	/* It is a requirement that the MF file be passed before the SF file */
+	return JAR_ERR_ORDER;
     }
 
-  signer = JAR_new_signer();
-
-  if (signer == NULL)
-    goto loser;
+    signer = JAR_new_signer();
+    if (signer == NULL)
+	goto loser;
 
-  if (path)
-    {
-    signer->owner = jar_basename (path);
-    if (signer->owner == NULL)
-      goto loser;
+    if (path) {
+	signer->owner = jar_basename(path);
+	if (signer->owner == NULL)
+	    goto loser;
     }
 
-
-  /* check for priors. When someone doctors a jar file
-     to contain identical path entries, prevent the second
-     one from affecting JAR functions */
-
-  if (jar_get_signer (jar, signer->owner))
-    {
-    /* someone is trying to spoof us */
-    status = JAR_ERR_ORDER;
-    goto loser;
+    /* check for priors. When someone doctors a jar file
+	 to contain identical path entries, prevent the second
+	 one from affecting JAR functions */
+    if (jar_get_signer(jar, signer->owner)) {
+	/* someone is trying to spoof us */
+	status = JAR_ERR_ORDER;
+	goto loser;
     }
 
-
-  /* remember its digest */
-
-  signer->digest = JAR_calculate_digest (raw_manifest, length);
-
-  if (signer->digest == NULL)
-    goto loser;
+    /* remember its digest */
+    signer->digest = JAR_calculate_digest (raw_manifest, length);
+    if (signer->digest == NULL)
+	goto loser;
 
-  /* Add this signer to the jar */
+    /* Add this signer to the jar */
+    ADDITEM(jar->signers, jarTypeOwner, signer->owner, signer,
+	    sizeof (JAR_Signer));
 
-  ADDITEM (jar->signers, jarTypeOwner, 
-     signer->owner, signer, sizeof (JAR_Signer));
-
-
-  return jar_parse_any 
-    (jar, jarTypeSF, signer, raw_manifest, length, path, url);
+    return jar_parse_any(jar, jarTypeSF, signer, raw_manifest, length,
+			 path, url);
 
 loser:
-
-  if (signer)
-    JAR_destroy_signer (signer);
+    if (signer)
+	JAR_destroy_signer (signer);
+    return status;
+}
 
-  return status;
-  }
-
-/* 
+/*
  *  j a r _ p a r s e _ a n y
  *
- *  Parse a MF or SF manifest file. 
+ *  Parse a MF or SF manifest file.
  *
  */
- 
-int jar_parse_any
-    (JAR *jar, int type, JAR_Signer *signer, char ZHUGEP *raw_manifest, 
-        long length, const char *path, const char *url)
-  {
-  int status;
-
-  long raw_len;
-
-  JAR_Digest *dig, *mfdig = NULL;
+int 
+jar_parse_any(JAR *jar, int type, JAR_Signer *signer, 
+              char *raw_manifest, long length, const char *path, 
+	      const char *url)
+{
+    int status;
+    long raw_len;
+    JAR_Digest *dig, *mfdig = NULL;
+    char line [SZ];
+    char x_name [SZ], x_md5 [SZ], x_sha [SZ];
+    char *x_info;
+    char *sf_md5 = NULL, *sf_sha1 = NULL;
 
-  char line [SZ];
-  char x_name [SZ], x_md5 [SZ], x_sha [SZ];
-
-  char *x_info;
-
-  char *sf_md5 = NULL, *sf_sha1 = NULL;
+    *x_name = 0;
+    *x_md5 = 0;
+    *x_sha = 0;
 
-  *x_name = 0;
-  *x_md5 = 0;
-  *x_sha = 0;
-
-  PORT_Assert( length > 0 );
-  raw_len = length;
+    PORT_Assert( length > 0 );
+    raw_len = length;
 
 #ifdef DEBUG
-  if ((status = jar_insanity_check (raw_manifest, raw_len)) < 0)
-    return status;
+    if ((status = jar_insanity_check(raw_manifest, raw_len)) < 0)
+	return status;
 #endif
 
-
-  /* null terminate the first line */
-  raw_manifest = jar_eat_line (0, PR_TRUE, raw_manifest, &raw_len);
-
+    /* null terminate the first line */
+    raw_manifest = jar_eat_line(0, PR_TRUE, raw_manifest, &raw_len);
 
-  /* skip over the preliminary section */
-  /* This is one section at the top of the file with global metainfo */
+    /* skip over the preliminary section */
+    /* This is one section at the top of the file with global metainfo */
+    while (raw_len) {
+	JAR_Metainfo *met;
 
-  while (raw_len)
-    {
-    JAR_Metainfo *met;
-
-    raw_manifest = jar_eat_line (1, PR_TRUE, raw_manifest, &raw_len);
-    if (!*raw_manifest) break;
+	raw_manifest = jar_eat_line(1, PR_TRUE, raw_manifest, &raw_len);
+	if (!*raw_manifest)
+	    break;
 
-    met = (JAR_Metainfo*)PORT_ZAlloc (sizeof (JAR_Metainfo));
-    if (met == NULL)
-      return JAR_ERR_MEMORY;
-
-    /* Parse out the header & info */
+	met = PORT_ZNew(JAR_Metainfo);
+	if (met == NULL)
+	    return JAR_ERR_MEMORY;
 
-    if (xp_HUGE_STRLEN (raw_manifest) >= SZ)
-      {
-      /* almost certainly nonsense */
-      PORT_Free (met);
-      continue;
-      }
+	/* Parse out the header & info */
+	if (PORT_Strlen (raw_manifest) >= SZ) {
+	    /* almost certainly nonsense */
+	    PORT_Free(met);
+	    continue;
+	}
 
-    xp_HUGE_STRCPY (line, raw_manifest);
-    x_info = line;
+	PORT_Strcpy (line, raw_manifest);
+	x_info = line;
 
-    while (*x_info && *x_info != ' ' && *x_info != '\t' && *x_info != ':')
-      x_info++;
-
-    if (*x_info) *x_info++ = 0;
+	while (*x_info && *x_info != ' ' && *x_info != '\t' && *x_info != ':')
+	    x_info++;
 
-    while (*x_info == ' ' || *x_info == '\t')
-      x_info++;
+	if (*x_info)
+	    *x_info++ = 0;
 
-    /* metainfo (name, value) pair is now (line, x_info) */
-
-    met->header = PORT_Strdup (line);
-    met->info = PORT_Strdup (x_info);
+	while (*x_info == ' ' || *x_info == '\t')
+	    x_info++;
 
-    if (type == jarTypeMF)
-      {
-      ADDITEM (jar->metainfo, jarTypeMeta, 
-         /* pathname */ NULL, met, sizeof (JAR_Metainfo));
-      }
+	/* metainfo (name, value) pair is now (line, x_info) */
+	met->header = PORT_Strdup(line);
+	met->info = PORT_Strdup(x_info);
 
-    /* For SF files, this metadata may be the digests
-       of the MF file, still in the "met" structure. */
+	if (type == jarTypeMF) {
+	    ADDITEM (jar->metainfo, jarTypeMeta,
+	    /* pathname */ NULL, met, sizeof (JAR_Metainfo));
+	}
 
-    if (type == jarTypeSF)
-      {
-      if (!PORT_Strcasecmp (line, "MD5-Digest"))
-        sf_md5 = (char *) met->info;
+	/* For SF files, this metadata may be the digests
+	       of the MF file, still in the "met" structure. */
 
-      if (!PORT_Strcasecmp (line, "SHA1-Digest") || !PORT_Strcasecmp (line, "SHA-Digest"))
-        sf_sha1 = (char *) met->info;
-      }
+	if (type == jarTypeSF) {
+	    if (!PORT_Strcasecmp(line, "MD5-Digest"))
+		sf_md5 = (char *) met->info;
 
-    if (type != jarTypeMF)
-      {
-      PORT_Free (met->header);
-      if (type != jarTypeSF)
-        {
-        PORT_Free (met->info);
-        }
-      PORT_Free (met);
-      }
+	    if (!PORT_Strcasecmp(line, "SHA1-Digest") || !PORT_Strcasecmp (line, "SHA-Digest"))
+		sf_sha1 = (char *) met->info;
+	}
+
+	if (type != jarTypeMF) {
+	    PORT_Free(met->header);
+	    if (type != jarTypeSF) {
+		PORT_Free(met->info);
+	    }
+	    PORT_Free(met);
+	}
     }
 
-  if (type == jarTypeSF && jar->globalmeta)
-    {
-    /* this is a SF file which may contain a digest of the manifest.mf's 
-       global metainfo. */
+    if (type == jarTypeSF && jar->globalmeta) {
+	/* this is a SF file which may contain a digest of the manifest.mf's
+	       global metainfo. */
 
-    int match = 0;
-    JAR_Digest *glob = jar->globalmeta;
+	int match = 0;
+	JAR_Digest *glob = jar->globalmeta;
 
-    if (sf_md5)
-      {
-      unsigned int md5_length;
-      unsigned char *md5_digest;
+	if (sf_md5) {
+	    unsigned int md5_length;
+	    unsigned char *md5_digest;
 
-      md5_digest = ATOB_AsciiToData (sf_md5, &md5_length);
-      PORT_Assert( md5_length == MD5_LENGTH );
+	    md5_digest = ATOB_AsciiToData (sf_md5, &md5_length);
+	    PORT_Assert( md5_length == MD5_LENGTH );
 
-      if (md5_length != MD5_LENGTH)
-        return JAR_ERR_CORRUPT;
+	    if (md5_length != MD5_LENGTH)
+		return JAR_ERR_CORRUPT;
 
-      match = PORT_Memcmp (md5_digest, glob->md5, MD5_LENGTH);
-      }
+	    match = PORT_Memcmp(md5_digest, glob->md5, MD5_LENGTH);
+	}
 
-    if (sf_sha1 && match == 0)
-      {
-      unsigned int sha1_length;
-      unsigned char *sha1_digest;
+	if (sf_sha1 && match == 0) {
+	    unsigned int sha1_length;
+	    unsigned char *sha1_digest;
 
-      sha1_digest = ATOB_AsciiToData (sf_sha1, &sha1_length);
-      PORT_Assert( sha1_length == SHA1_LENGTH );
+	    sha1_digest = ATOB_AsciiToData (sf_sha1, &sha1_length);
+	    PORT_Assert( sha1_length == SHA1_LENGTH );
 
-      if (sha1_length != SHA1_LENGTH)
-        return JAR_ERR_CORRUPT;
+	    if (sha1_length != SHA1_LENGTH)
+		return JAR_ERR_CORRUPT;
 
-      match = PORT_Memcmp (sha1_digest, glob->sha1, SHA1_LENGTH);
-      }
+	    match = PORT_Memcmp(sha1_digest, glob->sha1, SHA1_LENGTH);
+	}
 
-    if (match != 0)
-      {
-      /* global digest doesn't match, SF file therefore invalid */
-      jar->valid = JAR_ERR_METADATA;
-      return JAR_ERR_METADATA;
-      }
+	if (match != 0) {
+	    /* global digest doesn't match, SF file therefore invalid */
+	    jar->valid = JAR_ERR_METADATA;
+	    return JAR_ERR_METADATA;
+	}
     }
 
-  /* done with top section of global data */
+    /* done with top section of global data */
+    while (raw_len) {
+	*x_md5 = 0;
+	*x_sha = 0;
+	*x_name = 0;
 
+	/* If this is a manifest file, attempt to get a digest of the following
+	   section, without damaging it. This digest will be saved later. */
+
+	if (type == jarTypeMF) {
+	    char *sec;
+	    long sec_len = raw_len;
 
-  while (raw_len)
-    {
-    *x_md5 = 0;
-    *x_sha = 0;
-    *x_name = 0;
+	    if (!*raw_manifest || *raw_manifest == '\n') {
+		/* skip the blank line */
+		sec = jar_eat_line(1, PR_FALSE, raw_manifest, &sec_len);
+	    } else
+		sec = raw_manifest;
+
+	    if (!PORT_Strncasecmp(sec, "Name:", 5)) {
+		if (type == jarTypeMF)
+		    mfdig = jar_digest_section(sec, sec_len);
+		else
+		    mfdig = NULL;
+	    }
+	}
 
 
-    /* If this is a manifest file, attempt to get a digest of the following section, 
-       without damaging it. This digest will be saved later. */
+	while (raw_len) {
+	    raw_manifest = jar_eat_line(1, PR_TRUE, raw_manifest, &raw_len);
+	    if (!*raw_manifest)
+		break; /* blank line, done with this entry */
 
-    if (type == jarTypeMF)
-      {
-      char ZHUGEP *sec;
-      long sec_len = raw_len;
+	    if (PORT_Strlen(raw_manifest) >= SZ) {
+		/* almost certainly nonsense */
+		continue;
+	    }
 
-      if (!*raw_manifest || *raw_manifest == '\n')
-        {     
-        /* skip the blank line */ 
-        sec = jar_eat_line (1, PR_FALSE, raw_manifest, &sec_len);
-        }
-      else
-        sec = raw_manifest;
+	    /* Parse out the name/value pair */
+	    PORT_Strcpy(line, raw_manifest);
+	    x_info = line;
 
-      if (!xp_HUGE_STRNCASECMP (sec, "Name:", 5))
-        {
-        if (type == jarTypeMF)
-          mfdig = jar_digest_section (sec, sec_len);
-        else
-          mfdig = NULL;
-        }
-      }
+	    while (*x_info && *x_info != ' ' && *x_info != '\t' && 
+	           *x_info != ':')
+		x_info++;
 
+	    if (*x_info)
+		*x_info++ = 0;
 
-    while (raw_len)
-      {
-      raw_manifest = jar_eat_line (1, PR_TRUE, raw_manifest, &raw_len);
-      if (!*raw_manifest) break; /* blank line, done with this entry */
+	    while (*x_info == ' ' || *x_info == '\t')
+		x_info++;
 
-      if (xp_HUGE_STRLEN (raw_manifest) >= SZ)
-        {
-        /* almost certainly nonsense */
-        continue;
-        }
-
-
-      /* Parse out the name/value pair */
+	    if (!PORT_Strcasecmp(line, "Name"))
+		PORT_Strcpy(x_name, x_info);
+	    else if (!PORT_Strcasecmp(line, "MD5-Digest"))
+		PORT_Strcpy(x_md5, x_info);
+	    else if (!PORT_Strcasecmp(line, "SHA1-Digest")
+		  || !PORT_Strcasecmp(line, "SHA-Digest"))
+		PORT_Strcpy(x_sha, x_info);
 
-      xp_HUGE_STRCPY (line, raw_manifest);
-      x_info = line;
-
-      while (*x_info && *x_info != ' ' && *x_info != '\t' && *x_info != ':')
-        x_info++;
+	    /* Algorithm list is meta info we don't care about; keeping it out
+		 of metadata saves significant space for large jar files */
+	    else if (!PORT_Strcasecmp(line, "Digest-Algorithms")
+		  || !PORT_Strcasecmp(line, "Hash-Algorithms"))
+		continue;
 
-      if (*x_info) *x_info++ = 0;
-
-      while (*x_info == ' ' || *x_info == '\t') 
-        x_info++;
-
-
-      if (!PORT_Strcasecmp (line, "Name"))
-        PORT_Strcpy (x_name, x_info);
+	    /* Meta info is only collected for the manifest.mf file,
+		 since the JAR_get_metainfo call does not support identity */
+	    else if (type == jarTypeMF) {
+		JAR_Metainfo *met;
 
-      else if (!PORT_Strcasecmp (line, "MD5-Digest"))
-        PORT_Strcpy (x_md5, x_info);
+		/* this is meta-data */
+		met = PORT_ZNew(JAR_Metainfo);
+		if (met == NULL)
+		    return JAR_ERR_MEMORY;
 
-      else if (!PORT_Strcasecmp (line, "SHA1-Digest") 
-                  || !PORT_Strcasecmp (line, "SHA-Digest"))
-        {
-        PORT_Strcpy (x_sha, x_info);
-        }
-
-      /* Algorithm list is meta info we don't care about; keeping it out
-         of metadata saves significant space for large jar files */
+		/* metainfo (name, value) pair is now (line, x_info) */
+		if ((met->header = PORT_Strdup(line)) == NULL) {
+		    PORT_Free(met);
+		    return JAR_ERR_MEMORY;
+		}
 
-      else if (!PORT_Strcasecmp (line, "Digest-Algorithms")
-                    || !PORT_Strcasecmp (line, "Hash-Algorithms"))
-        {
-        continue;
-        }
+		if ((met->info = PORT_Strdup(x_info)) == NULL) {
+		    PORT_Free(met->header);
+		    PORT_Free(met);
+		    return JAR_ERR_MEMORY;
+		}
 
-      /* Meta info is only collected for the manifest.mf file,
-         since the JAR_get_metainfo call does not support identity */
-
-      else if (type == jarTypeMF)
-        {
-        JAR_Metainfo *met;
-
-        /* this is meta-data */
+		ADDITEM (jar->metainfo, jarTypeMeta,
+		x_name, met, sizeof (JAR_Metainfo));
+	    }
+	}
 
-        met = (JAR_Metainfo*)PORT_ZAlloc (sizeof (JAR_Metainfo));
-
-        if (met == NULL)
-          return JAR_ERR_MEMORY;
+	if (!x_name || !*x_name) {
+	    /* Whatever that was, it wasn't an entry, because we didn't get a 
+	       name. We don't really have anything, so don't record this. */
+	    continue;
+	}
 
-        /* metainfo (name, value) pair is now (line, x_info) */
-
-        if ((met->header = PORT_Strdup (line)) == NULL)
-          {
-          PORT_Free (met);
-          return JAR_ERR_MEMORY;
-          }
+	dig = PORT_ZNew(JAR_Digest);
+	if (dig == NULL)
+	    return JAR_ERR_MEMORY;
 
-        if ((met->info = PORT_Strdup (x_info)) == NULL)
-          {
-          PORT_Free (met->header);
-          PORT_Free (met);
-          return JAR_ERR_MEMORY;
-          }
+	if (*x_md5) {
+	    unsigned int binary_length;
+	    unsigned char *binary_digest;
 
-        ADDITEM (jar->metainfo, jarTypeMeta, 
-           x_name, met, sizeof (JAR_Metainfo));
-        }
-      }
-
-	if(!x_name || !*x_name) {
-		/* Whatever that was, it wasn't an entry, because we didn't get a name.
-		 * We don't really have anything, so don't record this. */
-		continue;
+	    binary_digest = ATOB_AsciiToData (x_md5, &binary_length);
+	    PORT_Assert( binary_length == MD5_LENGTH );
+	    if (binary_length != MD5_LENGTH) {
+		PORT_Free(dig);
+		return JAR_ERR_CORRUPT;
+	    }
+	    memcpy (dig->md5, binary_digest, MD5_LENGTH);
+	    dig->md5_status = jarHashPresent;
 	}
 
-    dig = (JAR_Digest*)PORT_ZAlloc (sizeof (JAR_Digest));
-    if (dig == NULL)
-      return JAR_ERR_MEMORY;
-
-    if (*x_md5 ) 
-      {
-      unsigned int binary_length;
-      unsigned char *binary_digest;
-
-      binary_digest = ATOB_AsciiToData (x_md5, &binary_length);
-      PORT_Assert( binary_length == MD5_LENGTH );
-
-      if (binary_length != MD5_LENGTH)
-        {
-        PORT_Free (dig);
-        return JAR_ERR_CORRUPT;
-        }
+	if (*x_sha ) {
+	    unsigned int binary_length;
+	    unsigned char *binary_digest;
 
-      memcpy (dig->md5, binary_digest, MD5_LENGTH);
-      dig->md5_status = jarHashPresent;
-      }
-
-    if (*x_sha ) 
-      {
-      unsigned int binary_length;
-      unsigned char *binary_digest;
-
-      binary_digest = ATOB_AsciiToData (x_sha, &binary_length);
-      PORT_Assert( binary_length == SHA1_LENGTH );
-
-      if (binary_length != SHA1_LENGTH)
-        {
-        PORT_Free (dig);
-        return JAR_ERR_CORRUPT;
-        }
+	    binary_digest = ATOB_AsciiToData (x_sha, &binary_length);
+	    PORT_Assert( binary_length == SHA1_LENGTH );
+	    if (binary_length != SHA1_LENGTH) {
+		PORT_Free(dig);
+		return JAR_ERR_CORRUPT;
+	    }
+	    memcpy (dig->sha1, binary_digest, SHA1_LENGTH);
+	    dig->sha1_status = jarHashPresent;
+	}
 
-      memcpy (dig->sha1, binary_digest, SHA1_LENGTH);
-      dig->sha1_status = jarHashPresent;
-      }
-
-    PORT_Assert( type == jarTypeMF || type == jarTypeSF );
-
-
-    if (type == jarTypeMF)
-      {
-      ADDITEM (jar->hashes, jarTypeMF, x_name, dig, sizeof (JAR_Digest));
-      }
-    else if (type == jarTypeSF)
-      {
-      ADDITEM (signer->sf, jarTypeSF, x_name, dig, sizeof (JAR_Digest));
-      }
-    else
-      {
-      PORT_Free (dig);
-      return JAR_ERR_ORDER;
-      }
+	PORT_Assert( type == jarTypeMF || type == jarTypeSF );
+	if (type == jarTypeMF) {
+	    ADDITEM (jar->hashes, jarTypeMF, x_name, dig, sizeof (JAR_Digest));
+	} else if (type == jarTypeSF) {
+	    ADDITEM (signer->sf, jarTypeSF, x_name, dig, sizeof (JAR_Digest));
+	} else {
+	    PORT_Free(dig);
+	    return JAR_ERR_ORDER;
+	}
 
-    /* we're placing these calculated digests of manifest.mf 
-       sections in a list where they can subsequently be forgotten */
-
-    if (type == jarTypeMF && mfdig)
-      {
-      ADDITEM (jar->manifest, jarTypeSect, 
-         x_name, mfdig, sizeof (JAR_Digest));
-
-      mfdig = NULL;
-      }
+	/* we're placing these calculated digests of manifest.mf
+	   sections in a list where they can subsequently be forgotten */
+	if (type == jarTypeMF && mfdig) {
+	    ADDITEM (jar->manifest, jarTypeSect,
+	    x_name, mfdig, sizeof (JAR_Digest));
+	    mfdig = NULL;
+	}
 
-
-    /* Retrieve our saved SHA1 digest from saved copy and check digests.
-       This is just comparing the digest of the MF section as indicated in
-       the SF file with the one we remembered from parsing the MF file */
+	/* Retrieve our saved SHA1 digest from saved copy and check digests.
+	   This is just comparing the digest of the MF section as indicated in
+	   the SF file with the one we remembered from parsing the MF file */
 
-    if (type == jarTypeSF)
-      {
-      if ((status = jar_internal_digest (jar, path, x_name, dig)) < 0)
-        return status;
-      }
+	if (type == jarTypeSF) {
+	    if ((status = jar_internal_digest(jar, path, x_name, dig)) < 0)
+		return status;
+	}
     }
 
-  return 0;
-  }
+    return 0;
+}
 
-static int jar_internal_digest 
-     (JAR *jar, const char *path, char *x_name, JAR_Digest *dig)
-  {
-  int cv;
-  int status;
-
-  JAR_Digest *savdig;
+static int
+jar_internal_digest(JAR *jar, const char *path, char *x_name, JAR_Digest *dig)
+{
+    int cv;
+    int status;
 
-  savdig = jar_get_mf_digest (jar, x_name);
+    JAR_Digest *savdig;
 
-  if (savdig == NULL)
-    {
-    /* no .mf digest for this pathname */
-    status = jar_signal (JAR_ERR_ENTRY, jar, path, x_name);
-    if (status < 0) 
-      return 0; /* was continue; */
-    else 
-      return status;
+    savdig = jar_get_mf_digest(jar, x_name);
+    if (savdig == NULL) {
+	/* no .mf digest for this pathname */
+	status = jar_signal(JAR_ERR_ENTRY, jar, path, x_name);
+	if (status < 0)
+	    return 0; /* was continue; */
+	return status;
     }
 
-  /* check for md5 consistency */
-  if (dig->md5_status)
-    {
-    cv = PORT_Memcmp (savdig->md5, dig->md5, MD5_LENGTH);
-    /* md5 hash of .mf file is not what expected */
-    if (cv) 
-      {
-      status = jar_signal (JAR_ERR_HASH, jar, path, x_name);
+    /* check for md5 consistency */
+    if (dig->md5_status) {
+	cv = PORT_Memcmp(savdig->md5, dig->md5, MD5_LENGTH);
+	/* md5 hash of .mf file is not what expected */
+	if (cv) {
+	    status = jar_signal(JAR_ERR_HASH, jar, path, x_name);
 
-      /* bad hash, man */
-
-      dig->md5_status = jarHashBad;
-      savdig->md5_status = jarHashBad;
+	    /* bad hash, man */
+	    dig->md5_status = jarHashBad;
+	    savdig->md5_status = jarHashBad;
 
-      if (status < 0) 
-        return 0; /* was continue; */
-      else 
-        return status;
-      }
+	    if (status < 0)
+		return 0; /* was continue; */
+	    return status;
+	}
     }
 
-  /* check for sha1 consistency */
-  if (dig->sha1_status)
-    {
-    cv = PORT_Memcmp (savdig->sha1, dig->sha1, SHA1_LENGTH);
-    /* sha1 hash of .mf file is not what expected */
-    if (cv) 
-      {
-      status = jar_signal (JAR_ERR_HASH, jar, path, x_name);
-
-      /* bad hash, man */
+    /* check for sha1 consistency */
+    if (dig->sha1_status) {
+	cv = PORT_Memcmp(savdig->sha1, dig->sha1, SHA1_LENGTH);
+	/* sha1 hash of .mf file is not what expected */
+	if (cv) {
+	    status = jar_signal(JAR_ERR_HASH, jar, path, x_name);
 
-      dig->sha1_status = jarHashBad;
-      savdig->sha1_status = jarHashBad;
+	    /* bad hash, man */
+	    dig->sha1_status = jarHashBad;
+	    savdig->sha1_status = jarHashBad;
 
-      if (status < 0)
-        return 0; /* was continue; */
-      else
-        return status;
-      }
+	    if (status < 0)
+		return 0; /* was continue; */
+	    return status;
+	}
     }
-	return 0;
-  }
+    return 0;
+}
 
 #ifdef DEBUG
 /*
  *  j a r _ i n s a n i t y _ c h e c k
  *
  *  Check for illegal characters (or possibly so)
  *  in the manifest files, to detect potential memory
  *  corruption by our neighbors. Debug only, since
  *  not I18N safe.
- * 
+ *
  */
-
-static int jar_insanity_check (char ZHUGEP *data, long length)
-  {
-  int c;
-  long off;
+static int
+jar_insanity_check(char *data, long length)
+{
+    int c;
+    long off;
 
-  for (off = 0; off < length; off++)
-    {
-    c = data [off];
-
-    if (c == '\n' || c == '\r' || (c >= ' ' && c <= 128))
-      continue;
-
-    return JAR_ERR_CORRUPT;
+    for (off = 0; off < length; off++) {
+	c = data [off];
+	if (c == '\n' || c == '\r' || (c >= ' ' && c <= 128))
+	    continue;
+	return JAR_ERR_CORRUPT;
     }
-
-  return 0;
-  }
+    return 0;
+}
 #endif
 
 /*
  *  j a r _ p a r s e _ d i g i t a l _ s i g n a t u r e
  *
  *  Parse an RSA or DSA (or perhaps other) digital signature.
  *  Right now everything is PKCS7.
  *
  */
-
-static int jar_parse_digital_signature 
-     (char *raw_manifest, JAR_Signer *signer, long length, JAR *jar)
-  {
-  return jar_validate_pkcs7 (jar, signer, raw_manifest, length);
-  }
+static int
+jar_parse_digital_signature(char *raw_manifest, JAR_Signer *signer,
+			    long length, JAR *jar)
+{
+    return jar_validate_pkcs7 (jar, signer, raw_manifest, length);
+}
 
 /*
  *  j a r _ a d d _ c e r t
- * 
+ *
  *  Add information for the given certificate
  *  (or whatever) to the JAR linked list. A pointer
  *  is passed for some relevant reference, say
  *  for example the original certificate.
  *
  */
-
-static int jar_add_cert
-     (JAR *jar, JAR_Signer *signer, int type, CERTCertificate *cert)
-  {
-  JAR_Cert *fing;
-  unsigned char *keyData;
+static int
+jar_add_cert(JAR *jar, JAR_Signer *signer, int type, CERTCertificate *cert)
+{
+    JAR_Cert *fing;
+    unsigned char *keyData;
 
-  if (cert == NULL)
-    return JAR_ERR_ORDER;
-
-  fing = (JAR_Cert*)PORT_ZAlloc (sizeof (JAR_Cert));
+    if (cert == NULL)
+	return JAR_ERR_ORDER;
 
-  if (fing == NULL)
-    goto loser;
-
-  fing->cert = CERT_DupCertificate (cert);
+    fing = PORT_ZNew(JAR_Cert);
+    if (fing == NULL)
+	goto loser;
 
-  /* get the certkey */
-
-  fing->length = cert->derIssuer.len + 2 + cert->serialNumber.len;
-
-  keyData = (unsigned char *) PORT_ZAlloc (fing->length);
-  fing->key = keyData;
+    fing->cert = CERT_DupCertificate (cert);
 
-  if (fing->key == NULL)
-    goto loser;
-  keyData[0] = ((cert->derIssuer.len) >> 8) & 0xff;
-  keyData[1] = ((cert->derIssuer.len) & 0xff);
-  PORT_Memcpy (&keyData[2], cert->derIssuer.data, cert->derIssuer.len);
-  PORT_Memcpy (&keyData[2+cert->derIssuer.len], cert->serialNumber.data,
-						 cert->serialNumber.len);
+    /* get the certkey */
+    fing->length = cert->derIssuer.len + 2 + cert->serialNumber.len;
+    fing->key = keyData = (unsigned char *) PORT_ZAlloc(fing->length);
+    if (fing->key == NULL)
+	goto loser;
+    keyData[0] = ((cert->derIssuer.len) >> 8) & 0xff;
+    keyData[1] = ((cert->derIssuer.len) & 0xff);
+    PORT_Memcpy(&keyData[2], cert->derIssuer.data, cert->derIssuer.len);
+    PORT_Memcpy(&keyData[2+cert->derIssuer.len], cert->serialNumber.data,
+		cert->serialNumber.len);
 
-  ADDITEM (signer->certs, type, 
-    /* pathname */ NULL, fing, sizeof (JAR_Cert));
-
-  return 0;
+    ADDITEM (signer->certs, type, NULL, fing, sizeof (JAR_Cert));
+    return 0;
 
 loser:
-
-  if (fing)
-    {
-    if (fing->cert) 
-      CERT_DestroyCertificate (fing->cert);
-
-    PORT_Free (fing);
+    if (fing) {
+	if (fing->cert)
+	    CERT_DestroyCertificate (fing->cert);
+	PORT_Free(fing);
     }
-
-  return JAR_ERR_MEMORY;
-  }
+    return JAR_ERR_MEMORY;
+}
 
 /*
- *  e a t _ l i n e 
+ *  e a t _ l i n e
  *
- *  Consume an ascii line from the top of a file kept
- *  in memory. This destroys the file in place. This function
- *  handles PC, Mac, and Unix style text files.
- *
+ *  Consume an ASCII line from the top of a file kept in memory. 
+ *  This destroys the file in place. 
+ *  This function handles PC, Mac, and Unix style text files.
  */
+static char *
+jar_eat_line(int lines, int eating, char *data, long *len)
+{
+    char *ret;
 
-static char ZHUGEP *jar_eat_line 
-    (int lines, int eating, char ZHUGEP *data, long *len)
-  {
-  char ZHUGEP *ret;
-
-  ret = data;
-  if (!*len) return ret;
+    ret = data;
+    if (!*len)
+	return ret;
 
-  /* Eat the requisite number of lines, if any; 
-     prior to terminating the current line with a 0. */
+    /* Eat the requisite number of lines, if any;
+	 prior to terminating the current line with a 0. */
 
-  for (/* yip */ ; lines; lines--)
-    {
-    while (*data && *data != '\n')
-      data++;
+    for (/* yip */ ; lines; lines--) {
+	while (*data && *data != '\n')
+	    data++;
 
-    /* After the CR, ok to eat one LF */
-
-    if (*data == '\n')
-      data++;
+	/* After the CR, ok to eat one LF */
+	if (*data == '\n')
+	    data++;
 
-    /* If there are zeros, we put them there */
-
-    while (*data == 0 && data - ret < *len)
-      data++;
+	/* If there are zeros, we put them there */
+	while (*data == 0 && data - ret < *len)
+	    data++;
     }
 
-  *len -= data - ret;
-  ret = data;
+    *len -= data - ret;
+    ret = data;
 
-  if (eating)
-    {
-    /* Terminate this line with a 0 */ 
-
-    while (*data && *data != '\n' && *data != '\r')
-      data++;
-
-    /* In any case we are allowed to eat CR */
+    if (eating) {
+	/* Terminate this line with a 0 */
+	while (*data && *data != '\n' && *data != '\r')
+	    data++;
 
-    if (*data == '\r')
-      *data++ = 0;
-
-    /* After the CR, ok to eat one LF */
+	/* In any case we are allowed to eat CR */
+	if (*data == '\r')
+	    *data++ = 0;
 
-    if (*data == '\n')
-      *data++ = 0;
+	/* After the CR, ok to eat one LF */
+	if (*data == '\n')
+	    *data++ = 0;
     }
-
-  return ret;
-  }
+    return ret;
+}
 
 /*
  *  j a r _ d i g e s t _ s e c t i o n
  *
  *  Return the digests of the next section of the manifest file.
  *  Does not damage the manifest file, unlike parse_manifest.
- * 
+ *
  */
-
-static JAR_Digest *jar_digest_section 
-    (char ZHUGEP *manifest, long length)
-  {
-  long global_len;
-  char ZHUGEP *global_end;
+static JAR_Digest *
+jar_digest_section(char *manifest, long length)
+{
+    long global_len;
+    char *global_end;
 
-  global_end = manifest;
-  global_len = length;
+    global_end = manifest;
+    global_len = length;
 
-  while (global_len)
-    {
-    global_end = jar_eat_line (1, PR_FALSE, global_end, &global_len);
-    if (*global_end == 0 || *global_end == '\n')
-      break;
+    while (global_len) {
+	global_end = jar_eat_line(1, PR_FALSE, global_end, &global_len);
+	if (*global_end == 0 || *global_end == '\n')
+	    break;
     }
-
-  return JAR_calculate_digest (manifest, global_end - manifest);
-  }
+    return JAR_calculate_digest (manifest, global_end - manifest);
+}
 
 /*
  *  J A R _ v e r i f y _ d i g e s t
  *
  *  Verifies that a precalculated digest matches the
  *  expected value in the manifest.
  *
  */
-
-int PR_CALLBACK JAR_verify_digest
-    (JAR *jar, const char *name, JAR_Digest *dig)
-  {
-  JAR_Item *it;
-
-  JAR_Digest *shindig;
-
-  ZZLink *link;
-  ZZList *list;
-
-  int result1, result2;
+int PR_CALLBACK
+JAR_verify_digest(JAR *jar, const char *name, JAR_Digest *dig)
+{
+    JAR_Item *it;
+    JAR_Digest *shindig;
+    ZZLink *link;
+    ZZList *list = jar->hashes;
+    int result1 = 0;
+    int result2 = 0;
 
-  list = jar->hashes;
 
-  result1 = result2 = 0;
-
-  if (jar->valid < 0)
-    {
-    /* signature not valid */
-    return JAR_ERR_SIG;
+    if (jar->valid < 0) {
+	/* signature not valid */
+	return JAR_ERR_SIG;
     }
-
-  if (ZZ_ListEmpty (list))
-    {
-    /* empty list */
-    return JAR_ERR_PNF;
+    if (ZZ_ListEmpty (list)) {
+	/* empty list */
+	return JAR_ERR_PNF;
     }
 
-  for (link = ZZ_ListHead (list); 
-       !ZZ_ListIterDone (list, link); 
-       link = link->next)
-    {
-    it = link->thing;
-    if (it->type == jarTypeMF 
-           && it->pathname && !PORT_Strcmp (it->pathname, name))
-      {
-      shindig = (JAR_Digest *) it->data;
+    for (link = ZZ_ListHead (list);
+	     !ZZ_ListIterDone (list, link);
+	     link = link->next) {
+	it = link->thing;
+	if (it->type == jarTypeMF
+	    && it->pathname && !PORT_Strcmp(it->pathname, name)) {
+	    shindig = (JAR_Digest *) it->data;
+	    if (shindig->md5_status) {
+		if (shindig->md5_status == jarHashBad)
+		    return JAR_ERR_HASH;
+		result1 = memcmp (dig->md5, shindig->md5, MD5_LENGTH);
+	    }
+	    if (shindig->sha1_status) {
+		if (shindig->sha1_status == jarHashBad)
+		    return JAR_ERR_HASH;
+		result2 = memcmp (dig->sha1, shindig->sha1, SHA1_LENGTH);
+	    }
+	    return (result1 == 0 && result2 == 0) ? 0 : JAR_ERR_HASH;
+	}
+    }
+    return JAR_ERR_PNF;
+}
 
-      if (shindig->md5_status)
-        {
-        if (shindig->md5_status == jarHashBad)
-          return JAR_ERR_HASH;
-        else
-          result1 = memcmp (dig->md5, shindig->md5, MD5_LENGTH);
-        }
-
-      if (shindig->sha1_status)
-        {
-        if (shindig->sha1_status == jarHashBad)
-          return JAR_ERR_HASH;
-        else
-          result2 = memcmp (dig->sha1, shindig->sha1, SHA1_LENGTH);
-        }
-
-      return (result1 == 0 && result2 == 0) ? 0 : JAR_ERR_HASH;
-      }
-    }
-
-  return JAR_ERR_PNF;
-  }
-
-/* 
+/*
  *  J A R _ c e r t _ a t t r i b u t e
  *
  *  Return the named certificate attribute from the
  *  certificate specified by the given key.
  *
  */
-
-int PR_CALLBACK JAR_cert_attribute
-    (JAR *jar, jarCert attrib, long keylen, void *key, 
-        void **result, unsigned long *length)
-  {
-  int status = 0;
-  char *ret = NULL;
-
-  CERTCertificate *cert;
+int PR_CALLBACK
+JAR_cert_attribute(JAR *jar, jarCert attrib, long keylen, void *key,
+		   void **result, unsigned long *length)
+{
+    int status = 0;
+    char *ret = NULL;
+    CERTCertificate *cert;
+    CERTCertDBHandle *certdb;
+    JAR_Digest *dig;
+    SECItem hexme;
 
-  CERTCertDBHandle *certdb;
-
-  JAR_Digest *dig;
-  SECItem hexme;
+    *length = 0;
 
-  *length = 0;
-
-  if (attrib == 0 || key == 0)
-    return JAR_ERR_GENERAL;
+    if (attrib == 0 || key == 0)
+	return JAR_ERR_GENERAL;
 
-  if (attrib == jarCertJavaHack)
-    {
-    cert = (CERTCertificate *) NULL;
-    certdb = JAR_open_database();
-
-    if (certdb)
-      {
-      cert = CERT_FindCertByNickname (certdb, key);
-
-      if (cert)
-        {
-        *length = cert->certKey.len;
+    if (attrib == jarCertJavaHack) {
+	cert = (CERTCertificate *) NULL;
+	certdb = JAR_open_database();
 
-        *result = (void *) PORT_ZAlloc (*length);
-
-        if (*result)
-          PORT_Memcpy (*result, cert->certKey.data, *length);
-        else
-          {
-          JAR_close_database (certdb);
-          return JAR_ERR_MEMORY;
-          }
-        }
-      JAR_close_database (certdb);
-      }
-
-    return cert ? 0 : JAR_ERR_GENERAL;
+	if (certdb) {
+	    cert = CERT_FindCertByNickname (certdb, key);
+	    if (cert) {
+		*length = cert->certKey.len;
+		*result = (void *) PORT_ZAlloc(*length);
+		if (*result)
+		    PORT_Memcpy(*result, cert->certKey.data, *length);
+		else {
+		    JAR_close_database (certdb);
+		    return JAR_ERR_MEMORY;
+		}
+	    }
+	    JAR_close_database (certdb);
+	}
+	return cert ? 0 : JAR_ERR_GENERAL;
     }
 
-  if (jar && jar->pkcs7 == 0)
-    return JAR_ERR_GENERAL;
+    if (jar && jar->pkcs7 == 0)
+	return JAR_ERR_GENERAL;
 
-  cert = jar_get_certificate (jar, keylen, key, &status);
-
-  if (cert == NULL || status < 0)
-    return JAR_ERR_GENERAL;
+    cert = jar_get_certificate(jar, keylen, key, &status);
+    if (cert == NULL || status < 0)
+	return JAR_ERR_GENERAL;
 
 #define SEP " <br> "
 #define SEPLEN (PORT_Strlen(SEP))
 
-  switch (attrib)
-    {
+    switch (attrib) {
     case jarCertCompany:
+	ret = cert->subjectName;
 
-      ret = cert->subjectName;
+	/* This is pretty ugly looking but only used
+		 here for this one purpose. */
+	if (ret) {
+	    int retlen = 0;
 
-      /* This is pretty ugly looking but only used
-         here for this one purpose. */
+	    char *cer_ou1, *cer_ou2, *cer_ou3;
+	    char *cer_cn, *cer_e, *cer_o, *cer_l;
 
-      if (ret)
-        {
-        int retlen = 0;
-
-        char *cer_ou1, *cer_ou2, *cer_ou3;
-	char *cer_cn, *cer_e, *cer_o, *cer_l;
+	    cer_cn  = CERT_GetCommonName (&cert->subject);
+	    cer_e   = CERT_GetCertEmailAddress (&cert->subject);
+	    cer_ou3 = jar_cert_element(ret, "OU=", 3);
+	    cer_ou2 = jar_cert_element(ret, "OU=", 2);
+	    cer_ou1 = jar_cert_element(ret, "OU=", 1);
+	    cer_o   = CERT_GetOrgName (&cert->subject);
+	    cer_l   = CERT_GetCountryName (&cert->subject);
 
-	cer_cn  = CERT_GetCommonName (&cert->subject);
-        cer_e   = CERT_GetCertEmailAddress (&cert->subject);
-        cer_ou3 = jar_cert_element (ret, "OU=", 3);
-        cer_ou2 = jar_cert_element (ret, "OU=", 2);
-        cer_ou1 = jar_cert_element (ret, "OU=", 1);
-        cer_o   = CERT_GetOrgName (&cert->subject);
-        cer_l   = CERT_GetCountryName (&cert->subject);
+	    if (cer_cn)
+		retlen += SEPLEN + PORT_Strlen(cer_cn);
+	    if (cer_e)
+		retlen += SEPLEN + PORT_Strlen(cer_e);
+	    if (cer_ou1)
+		retlen += SEPLEN + PORT_Strlen(cer_ou1);
+	    if (cer_ou2)
+		retlen += SEPLEN + PORT_Strlen(cer_ou2);
+	    if (cer_ou3)
+		retlen += SEPLEN + PORT_Strlen(cer_ou3);
+	    if (cer_o)
+		retlen += SEPLEN + PORT_Strlen(cer_o);
+	    if (cer_l)
+		retlen += SEPLEN + PORT_Strlen(cer_l);
 
-        if (cer_cn)  retlen += SEPLEN + PORT_Strlen (cer_cn);
-        if (cer_e)   retlen += SEPLEN + PORT_Strlen (cer_e);
-        if (cer_ou1) retlen += SEPLEN + PORT_Strlen (cer_ou1);
-        if (cer_ou2) retlen += SEPLEN + PORT_Strlen (cer_ou2);
-        if (cer_ou3) retlen += SEPLEN + PORT_Strlen (cer_ou3);
-        if (cer_o)   retlen += SEPLEN + PORT_Strlen (cer_o);
-        if (cer_l)   retlen += SEPLEN + PORT_Strlen (cer_l);
-
-        ret = (char *) PORT_ZAlloc (1 + retlen);
+	    ret = (char *) PORT_ZAlloc(1 + retlen);
 
-        if (cer_cn)  { PORT_Strcpy (ret, cer_cn);  PORT_Strcat (ret, SEP); }
-        if (cer_e)   { PORT_Strcat (ret, cer_e);   PORT_Strcat (ret, SEP); }
-        if (cer_ou1) { PORT_Strcat (ret, cer_ou1); PORT_Strcat (ret, SEP); }
-        if (cer_ou2) { PORT_Strcat (ret, cer_ou2); PORT_Strcat (ret, SEP); }
-        if (cer_ou3) { PORT_Strcat (ret, cer_ou3); PORT_Strcat (ret, SEP); }
-        if (cer_o)   { PORT_Strcat (ret, cer_o);   PORT_Strcat (ret, SEP); }
-        if (cer_l)     PORT_Strcat (ret, cer_l);
+	    if (cer_cn)  {
+		PORT_Strcpy(ret, cer_cn);
+		PORT_Strcat(ret, SEP);
+	    }
+	    if (cer_e)	 {
+		PORT_Strcat(ret, cer_e);
+		PORT_Strcat(ret, SEP);
+	    }
+	    if (cer_ou1) {
+		PORT_Strcat(ret, cer_ou1);
+		PORT_Strcat(ret, SEP);
+	    }
+	    if (cer_ou2) {
+		PORT_Strcat(ret, cer_ou2);
+		PORT_Strcat(ret, SEP);
+	    }
+	    if (cer_ou3) {
+		PORT_Strcat(ret, cer_ou3);
+		PORT_Strcat(ret, SEP);
+	    }
+	    if (cer_o)	 {
+		PORT_Strcat(ret, cer_o);
+		PORT_Strcat(ret, SEP);
+	    }
+	    if (cer_l)
+		PORT_Strcat(ret, cer_l);
 
-	/* return here to avoid unsightly memory leak */
-
-        *result = ret;
-        *length = PORT_Strlen (ret);
-
-        return 0;
-        }
-      break;
+	    /* return here to avoid unsightly memory leak */
+	    *result = ret;
+	    *length = PORT_Strlen(ret);
+	    CERT_DestroyCertificate(cert);
+	    return 0;
+	}
+	break;
 
     case jarCertCA:
-
-      ret = cert->issuerName;
+	ret = cert->issuerName;
+	if (ret) {
+	    int retlen = 0;
 
-      if (ret)
-        {
-        int retlen = 0;
+	    char *cer_ou1, *cer_ou2, *cer_ou3;
+	    char *cer_cn, *cer_e, *cer_o, *cer_l;
 
-        char *cer_ou1, *cer_ou2, *cer_ou3;
-	char *cer_cn, *cer_e, *cer_o, *cer_l;
+	    /* This is pretty ugly looking but only used
+		       here for this one purpose. */
 
-        /* This is pretty ugly looking but only used
-           here for this one purpose. */
+	    cer_cn  = CERT_GetCommonName (&cert->issuer);
+	    cer_e   = CERT_GetCertEmailAddress (&cert->issuer);
+	    cer_ou3 = jar_cert_element(ret, "OU=", 3);
+	    cer_ou2 = jar_cert_element(ret, "OU=", 2);
+	    cer_ou1 = jar_cert_element(ret, "OU=", 1);
+	    cer_o   = CERT_GetOrgName (&cert->issuer);
+	    cer_l   = CERT_GetCountryName (&cert->issuer);
 
-	cer_cn  = CERT_GetCommonName (&cert->issuer);
-        cer_e   = CERT_GetCertEmailAddress (&cert->issuer);
-        cer_ou3 = jar_cert_element (ret, "OU=", 3);
-        cer_ou2 = jar_cert_element (ret, "OU=", 2);
-        cer_ou1 = jar_cert_element (ret, "OU=", 1);
-        cer_o   = CERT_GetOrgName (&cert->issuer);
-        cer_l   = CERT_GetCountryName (&cert->issuer);
+	    if (cer_cn)
+		retlen += SEPLEN + PORT_Strlen(cer_cn);
+	    if (cer_e)
+		retlen += SEPLEN + PORT_Strlen(cer_e);
+	    if (cer_ou1)
+		retlen += SEPLEN + PORT_Strlen(cer_ou1);
+	    if (cer_ou2)
+		retlen += SEPLEN + PORT_Strlen(cer_ou2);
+	    if (cer_ou3)
+		retlen += SEPLEN + PORT_Strlen(cer_ou3);
+	    if (cer_o)
+		retlen += SEPLEN + PORT_Strlen(cer_o);
+	    if (cer_l)
+		retlen += SEPLEN + PORT_Strlen(cer_l);
+
+	    ret = (char *) PORT_ZAlloc(1 + retlen);
 
-        if (cer_cn)  retlen += SEPLEN + PORT_Strlen (cer_cn);
-        if (cer_e)   retlen += SEPLEN + PORT_Strlen (cer_e);
-        if (cer_ou1) retlen += SEPLEN + PORT_Strlen (cer_ou1);
-        if (cer_ou2) retlen += SEPLEN + PORT_Strlen (cer_ou2);
-        if (cer_ou3) retlen += SEPLEN + PORT_Strlen (cer_ou3);
-        if (cer_o)   retlen += SEPLEN + PORT_Strlen (cer_o);
-        if (cer_l)   retlen += SEPLEN + PORT_Strlen (cer_l);
-
-        ret = (char *) PORT_ZAlloc (1 + retlen);
+	    if (cer_cn)  {
+		PORT_Strcpy(ret, cer_cn);
+		PORT_Strcat(ret, SEP);
+	    }
+	    if (cer_e)	 {
+		PORT_Strcat(ret, cer_e);
+		PORT_Strcat(ret, SEP);
+	    }
+	    if (cer_ou1) {
+		PORT_Strcat(ret, cer_ou1);
+		PORT_Strcat(ret, SEP);
+	    }
+	    if (cer_ou2) {
+		PORT_Strcat(ret, cer_ou2);
+		PORT_Strcat(ret, SEP);
+	    }
+	    if (cer_ou3) {
+		PORT_Strcat(ret, cer_ou3);
+		PORT_Strcat(ret, SEP);
+	    }
+	    if (cer_o)	 {
+		PORT_Strcat(ret, cer_o);
+		PORT_Strcat(ret, SEP);
+	    }
+	    if (cer_l)
+		PORT_Strcat(ret, cer_l);
 
-        if (cer_cn)  { PORT_Strcpy (ret, cer_cn);  PORT_Strcat (ret, SEP); }
-        if (cer_e)   { PORT_Strcat (ret, cer_e);   PORT_Strcat (ret, SEP); }
-        if (cer_ou1) { PORT_Strcat (ret, cer_ou1); PORT_Strcat (ret, SEP); }
-        if (cer_ou2) { PORT_Strcat (ret, cer_ou2); PORT_Strcat (ret, SEP); }
-        if (cer_ou3) { PORT_Strcat (ret, cer_ou3); PORT_Strcat (ret, SEP); }
-        if (cer_o)   { PORT_Strcat (ret, cer_o);   PORT_Strcat (ret, SEP); }
-        if (cer_l)     PORT_Strcat (ret, cer_l);
-
-	/* return here to avoid unsightly memory leak */
-
-        *result = ret;
-        *length = PORT_Strlen (ret);
-
-        return 0;
-        }
-
-      break;
+	    /* return here to avoid unsightly memory leak */
+	    *result = ret;
+	    *length = PORT_Strlen(ret);
+	    CERT_DestroyCertificate(cert);
+	    return 0;
+	}
+	break;
 
     case jarCertSerial:
-
-      ret = CERT_Hexify (&cert->serialNumber, 1);
-      break;
+	ret = CERT_Hexify (&cert->serialNumber, 1);
+	break;
 
     case jarCertExpires:
-
-      ret = DER_UTCDayToAscii (&cert->validity.notAfter);
-      break;
+	ret = DER_UTCDayToAscii (&cert->validity.notAfter);
+	break;
 
     case jarCertNickname:
-
-      ret = jar_choose_nickname (cert);
-      break;
+	ret = jar_choose_nickname(cert);
+	break;
 
     case jarCertFinger:
-
-      dig = JAR_calculate_digest 
-         ((char *) cert->derCert.data, cert->derCert.len);
-
-      if (dig)
-        {
-        hexme.len = sizeof (dig->md5);
-        hexme.data = dig->md5;
-        ret = CERT_Hexify (&hexme, 1);
-        }
-      break;
+	dig = JAR_calculate_digest((char *) cert->derCert.data,
+				   cert->derCert.len);
+	if (dig) {
+	    hexme.len = sizeof (dig->md5);
+	    hexme.data = dig->md5;
+	    ret = CERT_Hexify (&hexme, 1);
+	}
+	break;
 
     default:
-
-      return JAR_ERR_GENERAL;
+	CERT_DestroyCertificate(cert);
+	return JAR_ERR_GENERAL;
     }
 
-  *result = ret ? PORT_Strdup (ret) : NULL;
-  *length = ret ? PORT_Strlen (ret) : 0;
+    *result = ret ? PORT_Strdup(ret) : NULL;
+    *length = ret ? PORT_Strlen(ret) : 0;
+    CERT_DestroyCertificate(cert);
+    return 0;
+}
 
-  return 0;
-  }
-
-/* 
+/*
  *  j a r  _ c e r t _ e l e m e n t
  *
  *  Retrieve an element from an x400ish ascii
  *  designator, in a hackish sort of way. The right
  *  thing would probably be to sort AVATags.
  *
  */
-
-static char *jar_cert_element (char *name, char *tag, int occ)
-  {
-  if (name && tag)
-    {
-    char *s;
-    int found = 0;
+static char *
+jar_cert_element(char *name, char *tag, int occ)
+{
+    if (name && tag) {
+	char *s;
+	int found = 0;
+	while (occ--) {
+	    if (PORT_Strstr(name, tag)) {
+		name = PORT_Strstr(name, tag) + PORT_Strlen (tag);
+		found = 1;
+	    } else {
+		name = PORT_Strstr(name, "=");
+		if (name == NULL) return NULL;
+		found = 0;
+	    }
+	}
+	if (!found)
+	    return NULL;
 
-    while (occ--)
-      {
-      if (PORT_Strstr (name, tag))
-        {
-        name = PORT_Strstr (name, tag) + PORT_Strlen (tag);
-        found = 1;
-        }
-      else
-        {
-        name = PORT_Strstr (name, "=");
-        if (name == NULL) return NULL;
-        found = 0;
-        }
-      }
+	/* must mangle only the copy */
+	name = PORT_Strdup(name);
 
-    if (!found) return NULL;
+	/* advance to next equal */
+	for (s = name; *s && *s != '='; s++)
+	    /* yip */ ;
 
-    /* must mangle only the copy */
-    name = PORT_Strdup (name);
-
-    /* advance to next equal */
-    for (s = name; *s && *s != '='; s++)
-      /* yip */ ;
+	/* back up to previous comma */
+	while (s > name && *s != ',')
+	    s--;
 
-    /* back up to previous comma */
-    while (s > name && *s != ',') s--;
-
-    /* zap the whitespace and return */
-    *s = 0;
+	/* zap the whitespace and return */
+	*s = 0;
     }
+    return name;
+}
 
-  return name;
-  }
-
-/* 
+/*
  *  j a r _ c h o o s e _ n i c k n a m e
  *
  *  Attempt to determine a suitable nickname for
- *  a certificate with a computer-generated "tmpcertxxx" 
+ *  a certificate with a computer-generated "tmpcertxxx"
  *  nickname. It needs to be something a user can
  *  understand, so try a few things.
  *
  */
-
-static char *jar_choose_nickname (CERTCertificate *cert)
-  {
-  char *cert_cn;
-  char *cert_o;
-  char *cert_cn_o;
-
-  int cn_o_length;
+static char *
+jar_choose_nickname(CERTCertificate *cert)
+{
+    char *cert_cn;
+    char *cert_o;
+    char *cert_cn_o;
+    int cn_o_length;
 
-  /* is the existing name ok */
-
-  if (cert->nickname && PORT_Strncmp (cert->nickname, "tmpcert", 7))
-    return PORT_Strdup (cert->nickname);
-
-  /* we have an ugly name here people */
-
-  /* Try the CN */
-  cert_cn = CERT_GetCommonName (&cert->subject);
+    /* is the existing name ok */
+    if (cert->nickname && PORT_Strncmp(cert->nickname, "tmpcert", 7))
+	return PORT_Strdup(cert->nickname);
 
-  if (cert_cn)
-    {
-    /* check for duplicate nickname */
-
-    if (CERT_FindCertByNickname (CERT_GetDefaultCertDB(), cert_cn) == NULL)
-      return cert_cn;
-
-    /* Try the CN plus O */
-    cert_o = CERT_GetOrgName (&cert->subject);
+    /* Try the CN */
+    cert_cn = CERT_GetCommonName(&cert->subject);
+    if (cert_cn) {
+	CERTCertificate *cert1;
+	/* check for duplicate nickname */
+	cert1 = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), cert_cn);
+	if (cert1 == NULL)
+	    return cert_cn;
+        CERT_DestroyCertificate(cert1); cert1 = NULL;
 
-    cn_o_length = PORT_Strlen (cert_cn) + 3 + PORT_Strlen (cert_o) + 20;
-    cert_cn_o = (char*)PORT_ZAlloc (cn_o_length);
-
-    PR_snprintf (cert_cn_o, cn_o_length, 
-           "%s's %s Certificate", cert_cn, cert_o);
+	/* Try the CN plus O */
+	cert_o = CERT_GetOrgName (&cert->subject);
+	/* XXX: Get Yer Magic Numbers here! */
+	cn_o_length = PORT_Strlen(cert_cn) + 3 + PORT_Strlen (cert_o) + 20;
+	cert_cn_o = (char*)PORT_ZAlloc(cn_o_length);
+	PR_snprintf(cert_cn_o, cn_o_length, "%s's %s Certificate",
+		    cert_cn, cert_o);
 
-    if (CERT_FindCertByNickname (CERT_GetDefaultCertDB(), cert_cn_o) == NULL)
-      {
-      PORT_Free (cert_cn_o);
-      return cert_cn;
-      }
-    PORT_Free (cert_cn_o);
+	cert1 = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), cert_cn_o);
+	if (cert1 == NULL) {
+	    PORT_Free(cert_cn_o);
+	    return cert_cn;
+	}
+	CERT_DestroyCertificate(cert1); cert1 = NULL;
+	PORT_Free(cert_cn_o);
     }
 
-  /* If all that failed, use the ugly nickname */
-  return cert->nickname ? PORT_Strdup (cert->nickname) : NULL;
-  }
-
-/*
- *  J A R _ c e r t _ h t m l 
- *
- *  Return an HTML representation of the certificate
- *  designated by the given fingerprint, in specified style.
- *
- *  JAR is optional, but supply it if you can in order
- *  to optimize.
- *
- */
-
-char *JAR_cert_html
-    (JAR *jar, int style, long keylen, void *key, int *result)
-  {
-  CERTCertificate *cert;
-
-  *result = -1;
-
-  if (style != 0)
-    return NULL;
-
-  cert = jar_get_certificate (jar, keylen, key, result);
-
-  if (cert == NULL || *result < 0)
-    return NULL;
-
-  *result = -1;
-
-   return NULL;
-  }
+    /* If all that failed, use the ugly nickname */
+    return cert->nickname ? PORT_Strdup(cert->nickname) : NULL;
+}
 
 /*
  *  J A R _ s t a s h _ c e r t
  *
  *  Stash the certificate pointed to by this
  *  fingerprint, in persistent storage somewhere.
  *
  */
-
-extern int PR_CALLBACK JAR_stash_cert
-    (JAR *jar, long keylen, void *key)
-  {
-  int result = 0;
-
-  char *nickname;
-  CERTCertTrust trust;
-
-  CERTCertDBHandle *certdb;
-  CERTCertificate *cert, *newcert;
-
-  cert = jar_get_certificate (jar, keylen, key, &result);
+int PR_CALLBACK
+JAR_stash_cert(JAR *jar, long keylen, void *key)
+{
+    int result = 0;
+    char *nickname;
+    CERTCertTrust trust;
+    CERTCertDBHandle *certdb;
+    CERTCertificate *cert, *newcert;
 
-  if (result < 0)
-    return result;
-
-  if (cert == NULL)
-    return JAR_ERR_GENERAL;
+    cert = jar_get_certificate(jar, keylen, key, &result);
+    if (cert == NULL)
+	return JAR_ERR_GENERAL;
 
-  if ((certdb = JAR_open_database()) == NULL)
-    return JAR_ERR_GENERAL;
-
-  /* Attempt to give a name to the newish certificate */
-  nickname = jar_choose_nickname (cert);
-
-  newcert = CERT_FindCertByNickname (certdb, nickname);
+    if ((certdb = JAR_open_database()) == NULL)
+	return JAR_ERR_GENERAL;
 
-  if (newcert && newcert->isperm) 
-    {
-    /* already in permanant database */
-    JAR_close_database (certdb);
-    return 0;
+    /* Attempt to give a name to the newish certificate */
+    nickname = jar_choose_nickname(cert);
+    newcert = CERT_FindCertByNickname(certdb, nickname);
+    if (newcert && newcert->isperm) {
+	/* already in permanent database */
+	CERT_DestroyCertificate(newcert);
+	JAR_close_database (certdb);
+	return 0;
     }
-
-  if (newcert) cert = newcert;
-
-  /* FIX, since FindCert returns a bogus dbhandle
-     set it ourselves */
-
-  cert->dbhandle = certdb;
-
-  if (nickname != NULL)
-    {
-    PORT_Memset ((void *) &trust, 0, sizeof(trust));
-
-    if (CERT_AddTempCertToPerm (cert, nickname, &trust) != SECSuccess) 
-      {
-      /* XXX might want to call PORT_GetError here */
-      result = JAR_ERR_GENERAL;
-      }
+    if (newcert) {
+	CERT_DestroyCertificate(cert);
+	cert = newcert;
     }
-
-  JAR_close_database (certdb);
-
-  return result;
-  }
+    if (nickname != NULL) {
+	PORT_Memset((void *) &trust, 0, sizeof(trust));
+	if (CERT_AddTempCertToPerm (cert, nickname, &trust) != SECSuccess) {
+	    /* XXX might want to call PORT_GetError here */
+	    result = JAR_ERR_GENERAL;
+	}
+    }
+    CERT_DestroyCertificate(cert);
+    JAR_close_database(certdb);
+    return result;
+}
 
 /*
  *  J A R _ f e t c h _ c e r t
  *
- *  Given an opaque identifier of a certificate, 
+ *  Given an opaque identifier of a certificate,
  *  return the full certificate.
  *
  * The new function, which retrieves by key.
  *
  */
-
-void *JAR_fetch_cert (long length, void *key)
-  {
-  CERTIssuerAndSN issuerSN;
-  CERTCertificate *cert = NULL;
-
-  CERTCertDBHandle *certdb;
-
-  certdb = JAR_open_database();
+CERTCertificate *
+JAR_fetch_cert(long length, void *key)
+{
+    CERTIssuerAndSN issuerSN;
+    CERTCertificate *cert = NULL;
+    CERTCertDBHandle *certdb;
 
-  if (certdb)
-    {
-    unsigned char *keyData = (unsigned char *)key;
-    issuerSN.derIssuer.len = (keyData[0] << 8) + keyData[0];
-    issuerSN.derIssuer.data = &keyData[2];
-    issuerSN.serialNumber.len = length - (2 + issuerSN.derIssuer.len);
-    issuerSN.serialNumber.data = &keyData[2+issuerSN.derIssuer.len];
-
-    cert = CERT_FindCertByIssuerAndSN (certdb, &issuerSN);
-
-    JAR_close_database (certdb);
+    certdb = JAR_open_database();
+    if (certdb) {
+	unsigned char *keyData = (unsigned char *)key;
+	issuerSN.derIssuer.len = (keyData[0] << 8) + keyData[0];
+	issuerSN.derIssuer.data = &keyData[2];
+	issuerSN.serialNumber.len = length - (2 + issuerSN.derIssuer.len);
+	issuerSN.serialNumber.data = &keyData[2+issuerSN.derIssuer.len];
+	cert = CERT_FindCertByIssuerAndSN (certdb, &issuerSN);
+	JAR_close_database (certdb);
     }
-
-  return (void *) cert;
-  }
+    return cert;
+}
 
 /*
  *  j a r _ g e t _ m f _ d i g e s t
  *
  *  Retrieve a corresponding saved digest over a section
- *  of the main manifest file. 
+ *  of the main manifest file.
  *
  */
-
-static JAR_Digest *jar_get_mf_digest (JAR *jar, char *pathname)
-  {
-  JAR_Item *it;
-
-  JAR_Digest *dig;
+static JAR_Digest *
+jar_get_mf_digest(JAR *jar, char *pathname)
+{
+    JAR_Item *it;
+    JAR_Digest *dig;
+    ZZLink *link;
+    ZZList *list = jar->manifest;
 
-  ZZLink *link;
-  ZZList *list;
-
-  list = jar->manifest;
-
-  if (ZZ_ListEmpty (list))
-    return NULL;
+    if (ZZ_ListEmpty (list))
+	return NULL;
 
-  for (link = ZZ_ListHead (list);
-       !ZZ_ListIterDone (list, link);
-       link = link->next)
-    {
-    it = link->thing;
-    if (it->type == jarTypeSect 
-          && it->pathname && !PORT_Strcmp (it->pathname, pathname))
-      {
-      dig = (JAR_Digest *) it->data;
-      return dig;
-      }
+    for (link = ZZ_ListHead (list);
+	 !ZZ_ListIterDone (list, link);
+	 link = link->next) {
+	it = link->thing;
+	if (it->type == jarTypeSect
+	    && it->pathname && !PORT_Strcmp(it->pathname, pathname)) {
+	    dig = (JAR_Digest *) it->data;
+	    return dig;
+	}
     }
-
-  return NULL;
-  }
+    return NULL;
+}
 
 /*
  *  j a r _ b a s e n a m e
  *
  *  Return the basename -- leading components of path stripped off,
  *  extension ripped off -- of a path.
  *
  */
-
-static char *jar_basename (const char *path)
-  {
-  char *pith, *e, *basename, *ext;
+static char *
+jar_basename(const char *path)
+{
+    char *pith, *e, *basename, *ext;
 
-  if (path == NULL)
-    return PORT_Strdup ("");
-
-  pith = PORT_Strdup (path);
+    if (path == NULL)
+	return PORT_Strdup("");
 
-  basename = pith;
-
-  while (1)
-    {
-    for (e = basename; *e && *e != '/' && *e != '\\'; e++)
-      /* yip */ ;
-    if (*e) 
-      basename = ++e; 
-    else
-      break;
+    pith = PORT_Strdup(path);
+    basename = pith;
+    while (1) {
+	for (e = basename; *e && *e != '/' && *e != '\\'; e++)
+	    /* yip */ ;
+	if (*e)
+	    basename = ++e;
+	else
+	    break;
     }
 
-  if ((ext = PORT_Strrchr (basename, '.')) != NULL)
-    *ext = 0;
+    if ((ext = PORT_Strrchr(basename, '.')) != NULL)
+	*ext = 0;
 
-  /* We already have the space allocated */
-  PORT_Strcpy (pith, basename);
-
-  return pith;
-  }
+    /* We already have the space allocated */
+    PORT_Strcpy(pith, basename);
+    return pith;
+}
 
 /*
  *  + + + + + + + + + + + + + + +
  *
  *  CRYPTO ROUTINES FOR JAR
  *
- *  The following functions are the cryptographic 
+ *  The following functions are the cryptographic
  *  interface to PKCS7 for Jarnatures.
  *
  *  + + + + + + + + + + + + + + +
  *
  */
 
 /*
  *  j a r _ c a t c h _ b y t e s
  *
  *  In the event signatures contain enveloped data, it will show up here.
  *  But note that the lib/pkcs7 routines aren't ready for it.
  *
  */
-
-static void jar_catch_bytes
-     (void *arg, const char *buf, unsigned long len)
-  {
-  /* Actually this should never be called, since there is
-     presumably no data in the signature itself. */
-  }
+static void
+jar_catch_bytes(void *arg, const char *buf, unsigned long len)
+{
+    /* Actually this should never be called, since there is
+	 presumably no data in the signature itself. */
+}
 
 /*
  *  j a r _ v a l i d a t e _ p k c s 7
  *
  *  Validate (and decode, if necessary) a binary pkcs7
  *  signature in DER format.
  *
  */
-
-static int jar_validate_pkcs7 
-     (JAR *jar, JAR_Signer *signer, char *data, long length)
+static int 
+jar_validate_pkcs7(JAR *jar, JAR_Signer *signer, char *data, long length)
 {
 
-  SEC_PKCS7ContentInfo *cinfo = NULL;
-  SEC_PKCS7DecoderContext *dcx;
-  PRBool goodSig;
-  int status = 0;
-  SECItem detdig;
+    SEC_PKCS7ContentInfo *cinfo = NULL;
+    SEC_PKCS7DecoderContext *dcx;
+    PRBool goodSig;
+    int status = 0;
+    SECItem detdig;
 
-  PORT_Assert( jar != NULL && signer != NULL );
-
-  if (jar == NULL || signer == NULL)
-    return JAR_ERR_ORDER;
-
-  signer->valid = JAR_ERR_SIG;
-
-  /* We need a context if we can get one */
+    PORT_Assert( jar != NULL && signer != NULL );
 
-#ifdef MOZILLA_CLIENT_OLD
-  if (jar->mw == NULL) {
-    JAR_set_context (jar, NULL);
-  }
-#endif
+    if (jar == NULL || signer == NULL)
+	return JAR_ERR_ORDER;
 
+    signer->valid = JAR_ERR_SIG;
 
-  dcx = SEC_PKCS7DecoderStart
-           (jar_catch_bytes, NULL /*cb_arg*/, NULL /*getpassword*/, jar->mw,
-            NULL, NULL, NULL);
-
-  if (dcx == NULL) 
-    {
-    /* strange pkcs7 failure */
-    return JAR_ERR_PK7;
+    /* We need a context if we can get one */
+    dcx = SEC_PKCS7DecoderStart(jar_catch_bytes, NULL /*cb_arg*/,
+				NULL /*getpassword*/, jar->mw,
+				NULL, NULL, NULL);
+    if (dcx == NULL) {
+	/* strange pkcs7 failure */
+	return JAR_ERR_PK7;
     }
 
-  SEC_PKCS7DecoderUpdate (dcx, data, length);
-  cinfo = SEC_PKCS7DecoderFinish (dcx);
-
-  if (cinfo == NULL)
-    {
-    /* strange pkcs7 failure */
-    return JAR_ERR_PK7;
+    SEC_PKCS7DecoderUpdate (dcx, data, length);
+    cinfo = SEC_PKCS7DecoderFinish (dcx);
+    if (cinfo == NULL) {
+	/* strange pkcs7 failure */
+	return JAR_ERR_PK7;
     }
-
-  if (SEC_PKCS7ContentIsEncrypted (cinfo))
-    {
-    /* content was encrypted, fail */
-    return JAR_ERR_PK7;
+    if (SEC_PKCS7ContentIsEncrypted (cinfo)) {
+	/* content was encrypted, fail */
+	return JAR_ERR_PK7;
     }
-
-  if (SEC_PKCS7ContentIsSigned (cinfo) == PR_FALSE)
-    {
-    /* content was not signed, fail */
-    return JAR_ERR_PK7;
+    if (SEC_PKCS7ContentIsSigned (cinfo) == PR_FALSE) {
+	/* content was not signed, fail */
+	return JAR_ERR_PK7;
     }
 
-  PORT_SetError (0);
-
-  /* use SHA1 only */
-
-  detdig.len = SHA1_LENGTH;
-  detdig.data = signer->digest->sha1;
+    PORT_SetError(0);
 
-  goodSig = SEC_PKCS7VerifyDetachedSignature(cinfo, certUsageObjectSigner, 
-                                             &detdig, HASH_AlgSHA1, PR_FALSE);
-  jar_gather_signers (jar, signer, cinfo);
-  if (goodSig == PR_TRUE)
-    {
-    /* signature is valid */
-    signer->valid = 0;
+    /* use SHA1 only */
+    detdig.len = SHA1_LENGTH;
+    detdig.data = signer->digest->sha1;
+    goodSig = SEC_PKCS7VerifyDetachedSignature(cinfo,
+					       certUsageObjectSigner,
+					       &detdig, HASH_AlgSHA1,
+					       PR_FALSE);
+    jar_gather_signers(jar, signer, cinfo);
+    if (goodSig == PR_TRUE) {
+	/* signature is valid */
+	signer->valid = 0;
+    } else {
+	status = PORT_GetError();
+	PORT_Assert( status < 0 );
+	if (status >= 0)
+	    status = JAR_ERR_SIG;
+	jar->valid = status;
+	signer->valid = status;
     }
-  else
-    {
-    status = PORT_GetError();
-
-    PORT_Assert( status < 0 );
-    if (status >= 0) status = JAR_ERR_SIG;
-
-    jar->valid = status;
-    signer->valid = status;
-    }
-
-  jar->pkcs7 = PR_TRUE;
-  signer->pkcs7 = PR_TRUE;
-
-  SEC_PKCS7DestroyContentInfo (cinfo);
-
-  return status;
+    jar->pkcs7 = PR_TRUE;
+    signer->pkcs7 = PR_TRUE;
+    SEC_PKCS7DestroyContentInfo(cinfo);
+    return status;
 }
 
 /*
  *  j a r _ g a t h e r _ s i g n e r s
  *
  *  Add the single signer of this signature to the
  *  certificate linked list.
  *
  */
-
-static int jar_gather_signers
-     (JAR *jar, JAR_Signer *signer, SEC_PKCS7ContentInfo *cinfo)
-  {
-  int result;
-
-  CERTCertificate *cert;
-  CERTCertDBHandle *certdb;
+static int
+jar_gather_signers(JAR *jar, JAR_Signer *signer, SEC_PKCS7ContentInfo *cinfo)
+{
+    int result;
+    CERTCertificate *cert;
+    CERTCertDBHandle *certdb;
+    SEC_PKCS7SignedData *sdp = cinfo->content.signedData;
+    SEC_PKCS7SignerInfo **pksigners, *pksigner;
 
-  SEC_PKCS7SignedData *sdp;
-  SEC_PKCS7SignerInfo **pksigners, *pksigner;
-
-  sdp = cinfo->content.signedData;
-
-  if (sdp == NULL)
-    return JAR_ERR_PK7;
-
-  pksigners = sdp->signerInfos;
-
-  /* permit exactly one signer */
+    if (sdp == NULL)
+	return JAR_ERR_PK7;
 
-  if (pksigners == NULL || pksigners [0] == NULL || pksigners [1] != NULL)
-    return JAR_ERR_PK7;
+    pksigners = sdp->signerInfos;
+    /* permit exactly one signer */
+    if (pksigners == NULL || pksigners [0] == NULL || pksigners [1] != NULL)
+	return JAR_ERR_PK7;
 
-  pksigner = *pksigners;
-  cert = pksigner->cert;
-
-  if (cert == NULL)
-    return JAR_ERR_PK7;
+    pksigner = *pksigners;
+    cert = pksigner->cert;
 
-  certdb = JAR_open_database();
-
-  if (certdb == NULL)
-    return JAR_ERR_GENERAL;
+    if (cert == NULL)
+	return JAR_ERR_PK7;
 
-  result = jar_add_cert (jar, signer, jarTypeSign, cert);
+    certdb = JAR_open_database();
+    if (certdb == NULL)
+	return JAR_ERR_GENERAL;
 
-  JAR_close_database (certdb);
-
-  return result;
-  }
+    result = jar_add_cert(jar, signer, jarTypeSign, cert);
+    JAR_close_database (certdb);
+    return result;
+}
 
 /*
  *  j a r _ o p e n _ d a t a b a s e
  *
  *  Open the certificate database,
  *  for use by JAR functions.
  *
  */
-
-CERTCertDBHandle *JAR_open_database (void)
-  {
-  CERTCertDBHandle *certdb;
-
-  certdb = CERT_GetDefaultCertDB();
-
-  return certdb;
-  }
+CERTCertDBHandle *
+JAR_open_database(void)
+{
+    return CERT_GetDefaultCertDB();
+}
 
 /*
  *  j a r _ c l o s e _ d a t a b a s e
  *
  *  Close the certificate database.
  *  For use by JAR functions.
  *
  */
-
-int JAR_close_database (CERTCertDBHandle *certdb)
-  {
-  return 0;
-  }
+int 
+JAR_close_database(CERTCertDBHandle *certdb)
+{
+    return 0;
+}
 
 /*
  *  j a r _ g e t _ c e r t i f i c a t e
  *
- *  Return the certificate referenced
+ *  Return a new reference to the certificate indicated
  *  by a given fingerprint, or NULL if not found.
  *  Error code is returned in result.
- *
+ *  Caller must destroy this reference, if it is non-NULL!
  */
-
-static CERTCertificate *jar_get_certificate
-      (JAR *jar, long keylen, void *key, int *result)
-  {
-  int found = 0;
+static CERTCertificate *
+jar_get_certificate(JAR *jar, long keylen, void *key, int *result)
+{
+    int found = 0;
+    JAR_Item *it;
+    JAR_Cert *fing = NULL;
+    JAR_Context *ctx;
 
-  JAR_Item *it;
-  JAR_Cert *fing = NULL;
-
-  JAR_Context *ctx;
-
-  if (jar == NULL) 
-    {
-    void *cert;
-    cert = JAR_fetch_cert (keylen, key);
-    *result = (cert == NULL) ? JAR_ERR_GENERAL : 0;
-    return (CERTCertificate *) cert;
+    if (jar == NULL) {
+	CERTCertificate * cert = JAR_fetch_cert(keylen, key);
+	*result = (cert == NULL) ? JAR_ERR_GENERAL : 0;
+	return cert;
     }
 
-  ctx = JAR_find (jar, NULL, jarTypeSign);
-
-  while (JAR_find_next (ctx, &it) >= 0)
-    {
-    fing = (JAR_Cert *) it->data;
+    ctx = JAR_find (jar, NULL, jarTypeSign);
+    while (JAR_find_next (ctx, &it) >= 0) {
+	fing = (JAR_Cert *) it->data;
+	if (keylen != fing->length)
+	    continue;
 
-    if (keylen != fing->length)
-      continue;
-
-    PORT_Assert( keylen < 0xFFFF );
-    if (!PORT_Memcmp (fing->key, key, keylen))
-      {
-      found = 1;
-      break;
-      }
+	PORT_Assert( keylen < 0xFFFF );
+	if (!PORT_Memcmp(fing->key, key, keylen)) {
+	    found = 1;
+	    break;
+	}
     }
 
-  JAR_find_end (ctx);
-
-  if (found == 0)
-    {
-    *result = JAR_ERR_GENERAL;
-    return NULL;
+    JAR_find_end (ctx);
+    if (found == 0) {
+	*result = JAR_ERR_GENERAL;
+	return NULL;
     }
 
-  PORT_Assert(fing != NULL);
-  *result = 0;
-  return fing->cert;
-  }
+    PORT_Assert(fing != NULL);
+    *result = 0;
+    /* XXX: is this a new reference or not?  
+     * If not, then this needs to be changed to call CERT_DupCertificate! 
+     */
+    return fing->cert;
+}
 
 /*
  *  j a r _ s i g n a l
  *
  *  Nonfatal errors come here to callback Java.
- *  
+ *
  */
-
-static int jar_signal 
-     (int status, JAR *jar, const char *metafile, char *pathname)
-  {
-  char *errstring;
-
-  errstring = JAR_get_error (status);
-
-  if (jar->signal)
-    {
-    (*jar->signal) (status, jar, metafile, pathname, errstring);
-    return 0;
+static int
+jar_signal(int status, JAR *jar, const char *metafile, char *pathname)
+{
+    char *errstring = JAR_get_error (status);
+    if (jar->signal) {
+	(*jar->signal) (status, jar, metafile, pathname, errstring);
+	return 0;
     }
-
-  return status;
-  }
+    return status;
+}
 
 /*
  *  j a r _ a p p e n d
  *
  *  Tack on an element to one of a JAR's linked
  *  lists, with rudimentary error handling.
  *
  */
-
-int jar_append (ZZList *list, int type, 
-        char *pathname, void *data, size_t size)
-  {
-  JAR_Item *it;
-  ZZLink *entity;
-
-  it = (JAR_Item*)PORT_ZAlloc (sizeof (JAR_Item));
+int
+jar_append(ZZList *list, int type, char *pathname, void *data, size_t size)
+{
+    JAR_Item *it = PORT_ZNew(JAR_Item);
+    ZZLink *entity;
 
-  if (it == NULL)
-    goto loser;
+    if (it == NULL)
+	goto loser;
 
-  if (pathname)
-    {
-    it->pathname = PORT_Strdup (pathname);
-    if (it->pathname == NULL)
-      goto loser;
+    if (pathname) {
+	it->pathname = PORT_Strdup(pathname);
+	if (it->pathname == NULL)
+	    goto loser;
     }
 
-  it->type = (jarType)type;
-  it->data = (unsigned char *) data;
-  it->size = size;
-
-  entity = ZZ_NewLink (it);
-
-  if (entity)
-    {
-    ZZ_AppendLink (list, entity);
-    return 0;
+    it->type = (jarType)type;
+    it->data = (unsigned char *) data;
+    it->size = size;
+    entity = ZZ_NewLink (it);
+    if (entity) {
+	ZZ_AppendLink (list, entity);
+	return 0;
     }
 
 loser:
-
-  if (it)
-    {
-    if (it->pathname) PORT_Free (it->pathname);
-    PORT_Free (it);
+    if (it) {
+	if (it->pathname) 
+	    PORT_Free(it->pathname);
+	PORT_Free(it);
     }
-
-  return JAR_ERR_MEMORY;
-  }
-
+    return JAR_ERR_MEMORY;
+}
--- a/security/nss/lib/jar/jzconf.h
+++ b/security/nss/lib/jar/jzconf.h
@@ -1,14 +1,14 @@
 /* zconf.h -- configuration of the zlib compression library
  * Copyright (C) 1995-1996 Jean-loup Gailly.
  * For conditions of distribution and use, see copyright notice in zlib.h 
  */
 /* This file was modified since it was taken from the zlib distribution */
-/* $Id: jzconf.h,v 1.1 2000/03/31 20:01:15 relyea%netscape.com Exp $ */
+/* $Id: jzconf.h,v 1.2 2009/04/28 04:25:03 nelson%bolyard.com Exp $ */
 
 #ifndef _ZCONF_H
 #define _ZCONF_H
 
 /*
  * If you *really* need a unique prefix for all types and library functions,
  * compile with -DZ_PREFIX. The "standard" zlib should be compiled without it.
  */
--- a/security/nss/lib/jar/manifest.mn
+++ b/security/nss/lib/jar/manifest.mn
@@ -41,17 +41,16 @@ LIBRARY_NAME = jar
 CORE_DEPTH = ../../..
 
 CSRCS =	\
 	jarver.c \
 	jarsign.c \
 	jar.c \
 	jar-ds.c \
 	jarfile.c \
-	jarjart.c \
 	jarint.c \
 	$(NULL)
 
 REQUIRES = dbm
 
 EXPORTS	 = jar.h jar-ds.h jarfile.h
 
 DEFINES = -DMOZILLA_CLIENT=1
--- a/security/nss/lib/libpkix/include/pkix_certstore.h
+++ b/security/nss/lib/libpkix/include/pkix_certstore.h
@@ -287,16 +287,18 @@ typedef PKIX_Error *
  *
  * The function imports crl list into a cert store. Stores that
  * have local cache may only have that function defined.
  *
  * PARAMETERS:
  *  "store"
  *      Address of CertStore from which CRLs are to be retrieved.
  *      Must be non-NULL.
+ *  "issuerName"
+ *      Name of the issuer that will be used to track bad der crls.
  *  "crlList"
  *      Address on the importing crl list.
  *  "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Thread Safe
  *
  *  Multiple threads must be able to safely call this function without
@@ -304,16 +306,17 @@ typedef PKIX_Error *
  * RETURNS:
  *  Returns NULL if the function succeeds.
  *  Returns a CertStore Error if the function fails in a non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 typedef PKIX_Error *
 (*PKIX_CertStore_ImportCrlCallback)(
         PKIX_CertStore *store,
+        PKIX_PL_X500Name *issuerName,
         PKIX_List *crlList,
         void *plContext);
 
 /*
  * FUNCTION: PKIX_CertStore_CheckRevokationByCrlCallback
  * DESCRIPTION:
  *
  * The function checks revocation status of a cert with specified
@@ -325,16 +328,19 @@ typedef PKIX_Error *
  *      Address of CertStore from which CRLs are to be retrieved.
  *      Must be non-NULL.
  *  "cert"
  *      Certificate which revocation status will be checked.
  *  "issuer"
  *      Issuer certificate of the "crl".
  *  "date"
  *      Date of the revocation check.
+ *  "crlDownloadDone"
+ *      Indicates, that all needed crl downloads are done by the time of
+ *      the revocation check.
  *  "reasonCode"
  *      If cert is revoked, returned reason code for  which a cert was revoked.
  *  "revStatus"
  *      Returned revocation status of the cert. See PKIX_RevocationStatus
  *      for more details
  *  "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
@@ -348,17 +354,17 @@ typedef PKIX_Error *
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 typedef PKIX_Error *
 (*PKIX_CertStore_CheckRevokationByCrlCallback)(
         PKIX_CertStore *store,
         PKIX_PL_Cert *cert,
         PKIX_PL_Cert *issuer,
         PKIX_PL_Date *date,
-        PKIX_Boolean delayCrlSigCheck,
+        PKIX_Boolean  crlDownloadDone,
         PKIX_UInt32 *reasonCode,
         PKIX_RevocationStatus *revStatus,
         void *plContext);
 
 /*
  * FUNCTION: PKIX_CertStore_CrlContinue
  * DESCRIPTION:
  *
--- a/security/nss/lib/libpkix/include/pkix_crlsel.h
+++ b/security/nss/lib/libpkix/include/pkix_crlsel.h
@@ -153,32 +153,35 @@ typedef PKIX_Error *
  *  implementation provided by libpkix, which understands how to process
  *  ComCRLSelParams. This is overridden if the MatchCallback pointed to by
  *  "callback" is not NULL, in which case the parameters are specified using
  *  the Object pointed to by "crlSelectorContext".
  *
  * PARAMETERS:
  *  "issue"
  *      crl issuer.
+ *  "crlDpList"
+ *      distribution points list
  *  "callback"
  *      The MatchCallback function to be used.
  *  "pSelector"
  *      Address where object pointer will be stored. Must be non-NULL.
  *  "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds.
  *  Returns a CRLSelector Error if the function fails in a non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 PKIX_Error *
 PKIX_CRLSelector_Create(
         PKIX_PL_Cert *issuer,
+        PKIX_List *crlDpList,
         PKIX_PL_Date *date,
         PKIX_CRLSelector **pSelector,
         void *plContext);
 
 /*
  * FUNCTION: PKIX_CRLSelector_GetMatchCallback
  * DESCRIPTION:
  *
@@ -749,13 +752,41 @@ PKIX_ComCRLSelParams_GetMinCRLNumber(
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 PKIX_Error *
 PKIX_ComCRLSelParams_SetMinCRLNumber(
         PKIX_ComCRLSelParams *params,
         PKIX_PL_BigInt *number,
         void *plContext);
 
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_SetCrlDp
+ * DESCRIPTION:
+ *
+ * Sets crldp list that can be used to download a crls.
+ * 
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCRLSelParamsParams whose minCRLNumber criterion is to be
+ *      set. Must be non-NULL.
+ *  "crldpList"
+ *      A list of CRLDPs. Can be an emptry list.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error*
+PKIX_ComCRLSelParams_SetCrlDp(
+         PKIX_ComCRLSelParams *params,
+         PKIX_List *crldpList,
+         void *plContext);
+
 #ifdef __cplusplus
 }
 #endif
 
 #endif /* _PKIX_CRLSEL_H */
--- a/security/nss/lib/libpkix/include/pkix_errorstrings.h
+++ b/security/nss/lib/libpkix/include/pkix_errorstrings.h
@@ -108,16 +108,17 @@ PKIX_ERRORENTRY(BYTEARRAYTOHEXSTRINGFAIL
 PKIX_ERRORENTRY(BYTEARRAYTOSTRINGFAILED,PKIX_PL_ByteArray_ToString failed,0),
 PKIX_ERRORENTRY(CACHECERTADDFAILED,pkix_CacheCert_Add failed,0),
 PKIX_ERRORENTRY(CACHECERTCHAINADDFAILED,pkix_CacheCertChain_Add failed,0),
 PKIX_ERRORENTRY(CACHECERTCHAINLOOKUPFAILED,pkix_CacheCertChain_Lookup failed,0),
 PKIX_ERRORENTRY(CACHECERTCHAINREMOVEFAILED,pkix_CacheCertChain_Remove failed,0),
 PKIX_ERRORENTRY(CACHECRLENTRYADDFAILED,pkix_CacheCrlEntry_Add failed,0),
 PKIX_ERRORENTRY(CACHECRLENTRYLOOKUPFAILED,pkix_CacheCrlEntry_Lookup failed,0),
 PKIX_ERRORENTRY(CALLOCFAILED,PKIX_PL_Calloc failed,0),
+PKIX_ERRORENTRY(CANNOTAQUIRECRLDER,PKIX_PL_CRL_AquireDerCrl failed,0),
 PKIX_ERRORENTRY(CANNOTCONVERTCERTUSAGETOPKIXKEYANDEKUSAGES, Fail to convert certificate usage to pkix KU and EKU,0),
 PKIX_ERRORENTRY(CANNOTOPENCOLLECTIONCERTSTORECONTEXTDIRECTORY,Cannot open CollectionCertStoreContext directory,0),
 PKIX_ERRORENTRY(CANTCREATESTRING,Cannot create PKIX_PL_String,0),
 PKIX_ERRORENTRY(CANTDECODEBINDRESPONSEFROMSERVER,Cannot decode BIND response from server,SEC_ERROR_BAD_LDAP_RESPONSE),
 PKIX_ERRORENTRY(CANTDECODESEARCHRESPONSEFROMSERVER,Cannot decode SEARCH response from server,SEC_ERROR_BAD_LDAP_RESPONSE),
 PKIX_ERRORENTRY(CANTENABLEREVOCATIONWITHOUTCERTSTORE,Cannot enable Revocation without CertStore,SEC_ERROR_INVALID_ARGS),
 PKIX_ERRORENTRY(CANTLOADLIBSMIME,Cannot load smime3 library,0),
 PKIX_ERRORENTRY(CANTREREGISTERSYSTEMTYPE,Cannot reregister system type,0),
@@ -130,20 +131,21 @@ PKIX_ERRORENTRY(CERTCHAINCHECKERCREATEFA
 PKIX_ERRORENTRY(CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED,PKIX_CertChainChecker_GetCertChainCheckerState failed,0),
 PKIX_ERRORENTRY(CERTCHAINCHECKERGETCHECKCALLBACKFAILED,PKIX_CertChainChecker_GetCheckCallback failed,0),
 PKIX_ERRORENTRY(CERTCHAINCHECKERGETSUPPORTEDEXTENSIONSFAILED,PKIX_CertChainChecker_GetSupportedExtensions failed,0),
 PKIX_ERRORENTRY(CERTCHAINCHECKERISFORWARDCHECKINGSUPPORTEDFAILED,PKIX_CertChainChecker_IsForwardCheckingSupported failed,0),
 PKIX_ERRORENTRY(CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED,PKIX_CertChainChecker_SetCertChainCheckerState failed,0),
 PKIX_ERRORENTRY(CERTCHAINFAILSCERTIFICATEPOLICYVALIDATION,CertChain fails Certificate Policy validation,SEC_ERROR_POLICY_VALIDATION_FAILED),
 PKIX_ERRORENTRY(CERTCHAINTONSSCHAINFAILED,Fail to convert pkix cert chain to nss cert chain,0),
 PKIX_ERRORENTRY(CERTCHAINTOPKIXCERTLISTFAILED,Failed to convert nss cert chain to pkix cert chain,0),
+PKIX_ERRORENTRY(CERTCHECKCERTTYPEFAILED,Check cert type failed,SEC_ERROR_INADEQUATE_CERT_TYPE),
 PKIX_ERRORENTRY(CERTCHECKCERTVALIDTIMESFAILED,CERT_CheckCertValidTimes failed,SEC_ERROR_EXPIRED_CERTIFICATE),
 PKIX_ERRORENTRY(CERTCHECKCRLFAILED,Fail to get crl cache issued by cert,0),
 PKIX_ERRORENTRY(CERTCHECKEXTENDEDKEYUSAGEFAILED,pkix_pl_Cert_CheckExtendedKeyUsage failed,0),
-PKIX_ERRORENTRY(CERTCHECKKEYUSAGEFAILED,CERT_CheckKeyUsage failed,0),
+PKIX_ERRORENTRY(CERTCHECKKEYUSAGEFAILED,CERT_CheckKeyUsage failed,SEC_ERROR_INADEQUATE_KEY_USAGE),
 PKIX_ERRORENTRY(CERTCHECKNAMECONSTRAINTSFAILED,PKIX_PL_Cert_CheckNameConstraints failed,0),
 PKIX_ERRORENTRY(CERTCHECKVALIDITYFAILED,PKIX_PL_Cert_CheckValidity failed,SEC_ERROR_CERT_NOT_VALID),
 PKIX_ERRORENTRY(CERTCOMPLETECRLDECODEDENTRIESFAILED,CERT_CompleteCRLDecodedEntries failed,0),
 PKIX_ERRORENTRY(CERTCOPYNAMECONSTRAINTFAILED,CERT_CopyNameConstraint failed,0),
 PKIX_ERRORENTRY(CERTCOPYNAMEFAILED,CERT_CopyName failed,0),
 PKIX_ERRORENTRY(CERTCREATEFAILED,PKIX_PL_Cert_Create failed,0),
 PKIX_ERRORENTRY(CERTCREATEGENERALNAMELISTFAILED,CERT_CreateGeneralNameList failed,0),
 PKIX_ERRORENTRY(CERTCREATETOLISTFAILED,pkix_pl_Cert_CreateToList failed,0),
@@ -165,16 +167,17 @@ PKIX_ERRORENTRY(CERTFAILEDNAMECONSTRAINT
 PKIX_ERRORENTRY(CERTGETALLSUBJECTNAMESFAILED,PKIX_PL_Cert_GetAllSubjectNames failed,0),
 PKIX_ERRORENTRY(CERTGETAUTHORITYINFOACCESSFAILED,PKIX_PL_Cert_GetAuthorityInfoAccess failed,0),
 PKIX_ERRORENTRY(CERTGETAUTHORITYKEYIDENTIFIERFAILED,PKIX_PL_Cert_GetAuthorityKeyIdentifier failed,0),
 PKIX_ERRORENTRY(CERTGETBASICCONSTRAINTFAILED,PKIX_PL_Cert_GetBasicConstraint failed,0),
 PKIX_ERRORENTRY(CERTGETBASICCONSTRAINTSFAILED,PKIX_PL_Cert_GetBasicConstraints failed,0),
 PKIX_ERRORENTRY(CERTGETCACHEFLAGFAILED,PKIX_Cert_GetCacheFlag failed,0),
 PKIX_ERRORENTRY(CERTGETCERTCERTIFICATEFAILED,PKIX_PL_Cert_GetCERTCertificate failed,0),
 PKIX_ERRORENTRY(CERTGETCRITICALEXTENSIONOIDSFAILED,PKIX_PL_Cert_GetCriticalExtensionOIDs failed,0),
+PKIX_ERRORENTRY(CERTGETCRLDPFAILED,Failed to get cert crldp extension, 0),
 PKIX_ERRORENTRY(CERTGETEXTENDEDKEYUSAGEFAILED,PKIX_PL_Cert_GetExtendedKeyUsage failed,0),
 PKIX_ERRORENTRY(CERTGETINHIBITANYPOLICYFAILED,PKIX_PL_Cert_GetInhibitAnyPolicy failed,0),
 PKIX_ERRORENTRY(CERTGETISSUERFAILED,PKIX_PL_Cert_GetIssuer failed,0),
 PKIX_ERRORENTRY(CERTGETNAMECONSTRAINTSFAILED,PKIX_PL_CertGetNameConstraints failed,0),
 PKIX_ERRORENTRY(CERTGETNSSSUBJECTALTNAMESFAILED,pkix_pl_Cert_GetNssSubjectAltNames failed,0),
 PKIX_ERRORENTRY(CERTGETPOLICYINFORMATIONFAILED,PKIX_PL_Cert_GetPolicyInformation failed,0),
 PKIX_ERRORENTRY(CERTGETPOLICYMAPPINGINHIBITEDFAILED,PKIX_PL_Cert_GetPolicyMappingInhibited failed,0),
 PKIX_ERRORENTRY(CERTGETPOLICYMAPPINGSFAILED,PKIX_PL_Cert_GetPolicyMappings failed,0),
@@ -260,16 +263,17 @@ PKIX_ERRORENTRY(CERTSTOREGETCERTCALLBACK
 PKIX_ERRORENTRY(CERTSTOREGETCERTSTORECACHEFLAGFAILED,PKIX_CertStore_GetCertStoreCacheFlag failed,0),
 PKIX_ERRORENTRY(CERTSTOREGETCERTSTORECONTEXTFAILED,PKIX_CertStore_GetCertStoreContext failed,0),
 PKIX_ERRORENTRY(CERTSTOREGETCRLCALLBACKFAILED,PKIX_CertStore_GetCRLCallback failed,0),
 PKIX_ERRORENTRY(CERTSTOREGETLOCALFLAGFAILED,PKIX_CertStore_GetLocalFlag failed,0),
 PKIX_ERRORENTRY(CERTSTOREGETTRUSTCALLBACKFAILED,PKIX_CertStore_GetTrustCallback failed,0),
 PKIX_ERRORENTRY(CERTSTOREHASHCODEFAILED,pkix_CertStore_Hashcode failed,0),
 PKIX_ERRORENTRY(CERTTOSTRINGFAILED,PKIX_PL_Cert_ToString failed,0),
 PKIX_ERRORENTRY(CERTTOSTRINGHELPERFAILED,pkix_pl_Cert_ToString_Helper failed,0),
+PKIX_ERRORENTRY(CERTVERIFYCERTTYPEFAILED,PKIX_PL_Cert_VerifyCertAndKeyType failed,0),
 PKIX_ERRORENTRY(CERTVERIFYKEYUSAGEFAILED,PKIX_PL_Cert_VerifyKeyUsage failed,0),
 PKIX_ERRORENTRY(CERTVERIFYSIGNATUREFAILED,PKIX_PL_Cert_VerifySignature failed,0),
 PKIX_ERRORENTRY(CHAINREJECTEDBYREVOCATIONCHECKER,Chain rejected by Revocation Checker,0),
 PKIX_ERRORENTRY(CHECKCERTAGAINSTANCHORFAILED,pkix_CheckCertAgainstAnchor failed,0),
 PKIX_ERRORENTRY(CHECKCERTFAILED,pkix_CheckCert failed,0),
 PKIX_ERRORENTRY(CHECKCHAINFAILED,pkix_CheckChain failed,0),
 PKIX_ERRORENTRY(CHECKTRUSTCALLBACKFAILED,CheckTrustCallback failed,0),
 PKIX_ERRORENTRY(COLLECTIONCERTSTOREPOPULATECERTFAILED,pkix_pl_CollectionCertStoreContext_PopulateCert failed,0),
@@ -312,16 +316,17 @@ PKIX_ERRORENTRY(COMCERTSELPARAMSSETSUBJE
 PKIX_ERRORENTRY(COMCRLSELPARAMSADDISSUERNAMEFAILED,PKIX_ComCRLSelParams_AddIssuerName failed,0),
 PKIX_ERRORENTRY(COMCRLSELPARAMSCREATEFAILED,PKIX_ComCRLSelParams_Create failed,0),
 PKIX_ERRORENTRY(COMCRLSELPARAMSEQUALSFAILED,pkix_ComCRLSelParams_Equals failed,0),
 PKIX_ERRORENTRY(COMCRLSELPARAMSGETDATEANDTIMEFAILED,PKIX_ComCRLSelParams_GetDateAndTime failed,0),
 PKIX_ERRORENTRY(COMCRLSELPARAMSGETISSUERNAMESFAILED,PKIX_ComCRLSelParams_GetIssuerNames failed,0),