bug 1391404 - fold nsIPKCS11 into nsIPKCS11ModuleDB r=Cykesiopka
authorDavid Keeler <dkeeler@mozilla.com>
Wed, 16 Aug 2017 17:06:59 -0700
changeset 376215 c76c0f1fadfe1f981f1fe1e9ddaafb5bf80ef602
parent 376214 cf3a6dfc75c2701b4a3ded74d2470e79fbae63d3
child 376216 a97cc606c12fe499368c0ef5c7ad8b1cefa4cd9d
push id32379
push userarchaeopteryx@coole-files.de
push dateWed, 23 Aug 2017 14:23:47 +0000
treeherdermozilla-central@76c7aa772dc4 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersCykesiopka
bugs1391404
milestone57.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
bug 1391404 - fold nsIPKCS11 into nsIPKCS11ModuleDB r=Cykesiopka This also moves the implementation of nsIPKCS11ModuleDB into its own file. MozReview-Commit-ID: LYXixzbx3Ia
security/manager/pki/resources/content/device_manager.js
security/manager/pki/resources/content/load_device.js
security/manager/ssl/PKCS11.cpp
security/manager/ssl/PKCS11.h
security/manager/ssl/PKCS11ModuleDB.cpp
security/manager/ssl/PKCS11ModuleDB.h
security/manager/ssl/moz.build
security/manager/ssl/nsIPKCS11.idl
security/manager/ssl/nsIPKCS11ModuleDB.idl
security/manager/ssl/nsNSSComponent.cpp
security/manager/ssl/nsNSSModule.cpp
security/manager/ssl/nsPKCS11Slot.cpp
security/manager/ssl/nsPKCS11Slot.h
security/manager/ssl/tests/mochitest/browser/browser_loadPKCS11Module_ui.js
security/manager/ssl/tests/unit/head_psm.js
security/manager/ssl/tests/unit/test_pkcs11_module.js
security/manager/ssl/tests/unit/test_pkcs11_no_events_after_removal.js
security/manager/ssl/tests/unit/test_pkcs11_safe_mode.js
--- a/security/manager/pki/resources/content/device_manager.js
+++ b/security/manager/pki/resources/content/device_manager.js
@@ -7,18 +7,16 @@ const nsIPKCS11Slot = Components.interfa
 const nsIPKCS11Module = Components.interfaces.nsIPKCS11Module;
 const nsPKCS11ModuleDB = "@mozilla.org/security/pkcs11moduledb;1";
 const nsIPKCS11ModuleDB = Components.interfaces.nsIPKCS11ModuleDB;
 const nsIPK11Token = Components.interfaces.nsIPK11Token;
 const nsPK11TokenDB = "@mozilla.org/security/pk11tokendb;1";
 const nsIPK11TokenDB = Components.interfaces.nsIPK11TokenDB;
 const nsIDialogParamBlock = Components.interfaces.nsIDialogParamBlock;
 const nsDialogParamBlock = "@mozilla.org/embedcomp/dialogparam;1";
-const nsIPKCS11 = Components.interfaces.nsIPKCS11;
-const nsPKCS11ContractID = "@mozilla.org/security/pkcs11;1";
 
 var { Services } = Components.utils.import("resource://gre/modules/Services.jsm", {});
 
 var bundle;
 var secmoddb;
 var skip_enable_buttons = false;
 
 var smartCardObserver = {
@@ -37,20 +35,16 @@ function LoadModules() {
   bundle = document.getElementById("pippki_bundle");
   secmoddb = Components.classes[nsPKCS11ModuleDB].getService(nsIPKCS11ModuleDB);
   Services.obs.addObserver(smartCardObserver, "smartcard-insert");
   Services.obs.addObserver(smartCardObserver, "smartcard-remove");
 
   RefreshDeviceList();
 }
 
-function getPKCS11() {
-  return Components.classes[nsPKCS11ContractID].getService(nsIPKCS11);
-}
-
 function getNSSString(name) {
   return document.getElementById("pipnss_bundle").getString(name);
 }
 
 function doPrompt(msg) {
   let prompts = Components.classes["@mozilla.org/embedcomp/prompt-service;1"].
     getService(Components.interfaces.nsIPromptService);
   prompts.alert(window, null, msg);
@@ -351,17 +345,17 @@ function doLoad() {
   RefreshDeviceList();
 }
 
 function deleteSelected() {
   getSelectedItem();
   if (selected_module &&
       doConfirm(getNSSString("DelModuleWarning"))) {
     try {
-      getPKCS11().deleteModule(selected_module.name);
+      secmoddb.deleteModule(selected_module.name);
     } catch (e) {
       doPrompt(getNSSString("DelModuleError"));
       return false;
     }
     selected_module = null;
     return true;
   }
   return false;
--- a/security/manager/pki/resources/content/load_device.js
+++ b/security/manager/pki/resources/content/load_device.js
@@ -34,19 +34,20 @@ function onBrowseBtnPress() {
  * ondialogaccept() handler.
  *
  * @returns {Boolean} true to make the dialog close, false otherwise.
  */
 function onDialogAccept() {
   let bundle = document.getElementById("pipnss_bundle");
   let nameBox = document.getElementById("device_name");
   let pathBox = document.getElementById("device_path");
-  let pkcs11 = Cc["@mozilla.org/security/pkcs11;1"].getService(Ci.nsIPKCS11);
+  let pkcs11ModuleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"]
+                         .getService(Ci.nsIPKCS11ModuleDB);
 
   try {
-    pkcs11.addModule(nameBox.value, pathBox.value, 0, 0);
+    pkcs11ModuleDB.addModule(nameBox.value, pathBox.value, 0, 0);
   } catch (e) {
     alertPromptService(null, bundle.getString("AddModuleFailure"));
     return false;
   }
 
   return true;
 }
rename from security/manager/ssl/PKCS11.cpp
rename to security/manager/ssl/PKCS11ModuleDB.cpp
--- a/security/manager/ssl/PKCS11.cpp
+++ b/security/manager/ssl/PKCS11ModuleDB.cpp
@@ -1,49 +1,45 @@
 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#include "PKCS11.h"
+#include "PKCS11ModuleDB.h"
 
 #include "ScopedNSSTypes.h"
 #include "mozilla/Telemetry.h"
 #include "nsCRTGlue.h"
+#include "nsIMutableArray.h"
 #include "nsNSSComponent.h"
 #include "nsNativeCharsetUtils.h"
+#include "nsPKCS11Slot.h"
 #include "nsServiceManagerUtils.h"
 
 namespace mozilla { namespace psm {
 
-NS_INTERFACE_MAP_BEGIN(PKCS11)
-  NS_INTERFACE_MAP_ENTRY(nsIPKCS11)
-  NS_INTERFACE_MAP_ENTRY(nsISupports)
-NS_INTERFACE_MAP_END
+NS_IMPL_ISUPPORTS(PKCS11ModuleDB, nsIPKCS11ModuleDB)
 
-NS_IMPL_ADDREF(PKCS11)
-NS_IMPL_RELEASE(PKCS11)
-
-PKCS11::PKCS11()
+PKCS11ModuleDB::PKCS11ModuleDB()
 {
 }
 
-PKCS11::~PKCS11()
+PKCS11ModuleDB::~PKCS11ModuleDB()
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return;
   }
   shutdown(ShutdownCalledFrom::Object);
 }
 
 // Delete a PKCS11 module from the user's profile.
 NS_IMETHODIMP
-PKCS11::DeleteModule(const nsAString& aModuleName)
+PKCS11ModuleDB::DeleteModule(const nsAString& aModuleName)
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   if (aModuleName.IsEmpty()) {
     return NS_ERROR_INVALID_ARG;
@@ -99,20 +95,20 @@ GetModuleNameForTelemetry(/*in*/ const S
   }
   if (result.Length() >= 70) {
     result.Truncate(69);
   }
 }
 
 // Add a new PKCS11 module to the user's profile.
 NS_IMETHODIMP
-PKCS11::AddModule(const nsAString& aModuleName,
-                  const nsAString& aLibraryFullPath,
-                  int32_t aCryptoMechanismFlags,
-                  int32_t aCipherFlags)
+PKCS11ModuleDB::AddModule(const nsAString& aModuleName,
+                          const nsAString& aLibraryFullPath,
+                          int32_t aCryptoMechanismFlags,
+                          int32_t aCipherFlags)
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   if (aModuleName.IsEmpty()) {
     return NS_ERROR_INVALID_ARG;
@@ -150,9 +146,214 @@ PKCS11::AddModule(const nsAString& aModu
   // (it wouldn't give us anything useful anyway).
   if (scalarKey.Length() > 0) {
     Telemetry::ScalarSet(Telemetry::ScalarID::SECURITY_PKCS11_MODULES_LOADED,
                          scalarKey, true);
   }
   return NS_OK;
 }
 
+NS_IMETHODIMP
+PKCS11ModuleDB::GetInternal(nsIPKCS11Module** _retval)
+{
+  NS_ENSURE_ARG_POINTER(_retval);
+
+  nsNSSShutDownPreventionLock locker;
+  if (isAlreadyShutDown()) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+
+  UniqueSECMODModule nssMod(
+    SECMOD_CreateModule(nullptr, SECMOD_INT_NAME, nullptr, SECMOD_INT_FLAGS));
+  if (!nssMod) {
+    return NS_ERROR_FAILURE;
+  }
+
+  nsCOMPtr<nsIPKCS11Module> module = new nsPKCS11Module(nssMod.get());
+  module.forget(_retval);
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+PKCS11ModuleDB::GetInternalFIPS(nsIPKCS11Module** _retval)
+{
+  NS_ENSURE_ARG_POINTER(_retval);
+
+  nsNSSShutDownPreventionLock locker;
+  if (isAlreadyShutDown()) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+
+  UniqueSECMODModule nssMod(
+    SECMOD_CreateModule(nullptr, SECMOD_FIPS_NAME, nullptr, SECMOD_FIPS_FLAGS));
+  if (!nssMod) {
+    return NS_ERROR_FAILURE;
+  }
+
+  nsCOMPtr<nsIPKCS11Module> module = new nsPKCS11Module(nssMod.get());
+  module.forget(_retval);
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+PKCS11ModuleDB::FindModuleByName(const nsACString& name,
+                         /*out*/ nsIPKCS11Module** _retval)
+{
+  NS_ENSURE_ARG_POINTER(_retval);
+
+  nsNSSShutDownPreventionLock locker;
+  if (isAlreadyShutDown()) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+
+  nsresult rv = BlockUntilLoadableRootsLoaded();
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+
+  UniqueSECMODModule mod(SECMOD_FindModule(PromiseFlatCString(name).get()));
+  if (!mod) {
+    return NS_ERROR_FAILURE;
+  }
+
+  nsCOMPtr<nsIPKCS11Module> module = new nsPKCS11Module(mod.get());
+  module.forget(_retval);
+  return NS_OK;
+}
+
+/* This is essentially the same as nsIPK11Token::findTokenByName, except
+ * that it returns an nsIPKCS11Slot, which may be desired.
+ */
+NS_IMETHODIMP
+PKCS11ModuleDB::FindSlotByName(const nsACString& name,
+                       /*out*/ nsIPKCS11Slot** _retval)
+{
+  NS_ENSURE_ARG_POINTER(_retval);
+
+  nsNSSShutDownPreventionLock locker;
+  if (isAlreadyShutDown()) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+
+  nsresult rv = BlockUntilLoadableRootsLoaded();
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+
+  if (name.IsEmpty()) {
+    return NS_ERROR_ILLEGAL_VALUE;
+  }
+
+  UniquePK11SlotInfo slotInfo(
+    PK11_FindSlotByName(PromiseFlatCString(name).get()));
+  if (!slotInfo) {
+    return NS_ERROR_FAILURE;
+  }
+
+  nsCOMPtr<nsIPKCS11Slot> slot = new nsPKCS11Slot(slotInfo.get());
+  slot.forget(_retval);
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+PKCS11ModuleDB::ListModules(nsISimpleEnumerator** _retval)
+{
+  NS_ENSURE_ARG_POINTER(_retval);
+
+  nsNSSShutDownPreventionLock locker;
+  if (isAlreadyShutDown()) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+
+  nsresult rv = BlockUntilLoadableRootsLoaded();
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+
+  nsCOMPtr<nsIMutableArray> array = do_CreateInstance(NS_ARRAY_CONTRACTID);
+  if (!array) {
+    return NS_ERROR_FAILURE;
+  }
+
+  /* lock down the list for reading */
+  AutoSECMODListReadLock lock;
+  for (SECMODModuleList* list = SECMOD_GetDefaultModuleList(); list;
+       list = list->next) {
+    nsCOMPtr<nsIPKCS11Module> module = new nsPKCS11Module(list->module);
+    nsresult rv = array->AppendElement(module, false);
+    if (NS_FAILED(rv)) {
+      return rv;
+    }
+  }
+
+  /* Get the modules in the database that didn't load */
+  for (SECMODModuleList* list = SECMOD_GetDeadModuleList(); list;
+       list = list->next) {
+    nsCOMPtr<nsIPKCS11Module> module = new nsPKCS11Module(list->module);
+    nsresult rv = array->AppendElement(module, false);
+    if (NS_FAILED(rv)) {
+      return rv;
+    }
+  }
+
+  return array->Enumerate(_retval);
+}
+
+NS_IMETHODIMP
+PKCS11ModuleDB::GetCanToggleFIPS(bool* aCanToggleFIPS)
+{
+  NS_ENSURE_ARG_POINTER(aCanToggleFIPS);
+
+  nsNSSShutDownPreventionLock locker;
+  if (isAlreadyShutDown()) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+
+  *aCanToggleFIPS = SECMOD_CanDeleteInternalModule();
+  return NS_OK;
+}
+
+
+NS_IMETHODIMP
+PKCS11ModuleDB::ToggleFIPSMode()
+{
+  nsNSSShutDownPreventionLock locker;
+  if (isAlreadyShutDown()) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+
+  // The way to toggle FIPS mode in NSS is extremely obscure. Basically, we
+  // delete the internal module, and it gets replaced with the opposite module
+  // (i.e. if it was FIPS before, then it becomes non-FIPS next).
+  // SECMOD_GetInternalModule() returns a pointer to a local copy of the
+  // internal module stashed in NSS.  We don't want to delete it since it will
+  // cause much pain in NSS.
+  SECMODModule* internal = SECMOD_GetInternalModule();
+  if (!internal) {
+    return NS_ERROR_FAILURE;
+  }
+
+  if (SECMOD_DeleteInternalModule(internal->commonName) != SECSuccess) {
+    return NS_ERROR_FAILURE;
+  }
+
+  if (PK11_IsFIPS()) {
+    Telemetry::Accumulate(Telemetry::FIPS_ENABLED, true);
+  }
+
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+PKCS11ModuleDB::GetIsFIPSEnabled(bool* aIsFIPSEnabled)
+{
+  NS_ENSURE_ARG_POINTER(aIsFIPSEnabled);
+
+  nsNSSShutDownPreventionLock locker;
+  if (isAlreadyShutDown()) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+
+  *aIsFIPSEnabled = PK11_IsFIPS();
+  return NS_OK;
+}
+
 } } // namespace mozilla::psm
rename from security/manager/ssl/PKCS11.h
rename to security/manager/ssl/PKCS11ModuleDB.h
--- a/security/manager/ssl/PKCS11.h
+++ b/security/manager/ssl/PKCS11ModuleDB.h
@@ -1,40 +1,41 @@
 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-#ifndef PKCS11_h
-#define PKCS11_h
+#ifndef PKCS11ModuleDB_h
+#define PKCS11ModuleDB_h
 
-#include "nsIPKCS11.h"
+#include "nsIPKCS11ModuleDB.h"
 
 #include "nsNSSShutDown.h"
 #include "nsString.h"
 
 namespace mozilla { namespace psm {
 
-#define NS_PKCS11_CID \
-  {0x74b7a390, 0x3b41, 0x11d4, { 0x8a, 0x80, 0x00, 0x60, 0x08, 0xc8, 0x44, 0xc3} }
+#define NS_PKCS11MODULEDB_CID \
+{ 0xff9fbcd7, 0x9517, 0x4334, \
+  { 0xb9, 0x7a, 0xce, 0xed, 0x78, 0x90, 0x99, 0x74 }}
 
-class PKCS11 : public nsIPKCS11
-             , public nsNSSShutDownObject
+class PKCS11ModuleDB : public nsIPKCS11ModuleDB
+                     , public nsNSSShutDownObject
 {
 public:
-  PKCS11();
+  PKCS11ModuleDB();
 
   NS_DECL_ISUPPORTS
-  NS_DECL_NSIPKCS11
+  NS_DECL_NSIPKCS11MODULEDB
 
 protected:
-  virtual ~PKCS11();
+  virtual ~PKCS11ModuleDB();
 
 private:
   virtual void virtualDestroyNSSReference() override {}
 };
 
 void GetModuleNameForTelemetry(/*in*/ const SECMODModule* module,
                                /*out*/nsString& result);
 
 } } // namespace mozilla::psm
 
-#endif // PKCS11_h
+#endif // PKCS11ModuleDB_h
--- a/security/manager/ssl/moz.build
+++ b/security/manager/ssl/moz.build
@@ -24,17 +24,16 @@ XPIDL_SOURCES += [
     'nsIKeygenThread.idl',
     'nsIKeyModule.idl',
     'nsILocalCertService.idl',
     'nsINSSErrorsService.idl',
     'nsINSSU2FToken.idl',
     'nsINSSVersion.idl',
     'nsIPK11Token.idl',
     'nsIPK11TokenDB.idl',
-    'nsIPKCS11.idl',
     'nsIPKCS11Module.idl',
     'nsIPKCS11ModuleDB.idl',
     'nsIPKCS11Slot.idl',
     'nsIProtectedAuthThread.idl',
     'nsISecretDecoderRing.idl',
     'nsISecurityUITelemetry.idl',
     'nsISiteSecurityService.idl',
     'nsISSLStatus.idl',
@@ -129,17 +128,17 @@ UNIFIED_SOURCES += [
     'nsRandomGenerator.cpp',
     'nsSecureBrowserUIImpl.cpp',
     'nsSecurityHeaderParser.cpp',
     'NSSErrorsService.cpp',
     'nsSiteSecurityService.cpp',
     'nsSSLSocketProvider.cpp',
     'nsSSLStatus.cpp',
     'nsTLSSocketProvider.cpp',
-    'PKCS11.cpp',
+    'PKCS11ModuleDB.cpp',
     'PSMContentListener.cpp',
     'PSMRunnable.cpp',
     'PublicKeyPinningService.cpp',
     'RootCertificateTelemetryUtils.cpp',
     'SecretDecoderRing.cpp',
     'SharedSSLState.cpp',
     'SSLServerCertVerification.cpp',
     'TransportSecurityInfo.cpp',
deleted file mode 100644
--- a/security/manager/ssl/nsIPKCS11.idl
+++ /dev/null
@@ -1,22 +0,0 @@
-/* -*- Mode: IDL; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "nsISupports.idl"
-
-%{C++
-#define NS_PKCS11_CONTRACTID "@mozilla.org/security/pkcs11;1"
-%}
-
-[scriptable, uuid(5743f870-958e-4f02-aef2-c0afeef67f05)]
-interface nsIPKCS11 : nsISupports
-{
-  [must_use]
-  void deleteModule(in AString moduleName);
-  [must_use]
-  void addModule(in AString moduleName,
-                 in AString libraryFullPath,
-                 in long cryptoMechanismFlags,
-                 in long cipherFlags);
-};
--- a/security/manager/ssl/nsIPKCS11ModuleDB.idl
+++ b/security/manager/ssl/nsIPKCS11ModuleDB.idl
@@ -13,16 +13,25 @@ interface nsISimpleEnumerator;
 %{C++
 #define NS_PKCS11MODULEDB_CONTRACTID "@mozilla.org/security/pkcs11moduledb;1"
 %}
 
 [scriptable, uuid(ff9fbcd7-9517-4334-b97a-ceed78909974)]
 interface nsIPKCS11ModuleDB : nsISupports
 {
   [must_use]
+  void deleteModule(in AString moduleName);
+
+  [must_use]
+  void addModule(in AString moduleName,
+                 in AString libraryFullPath,
+                 in long cryptoMechanismFlags,
+                 in long cipherFlags);
+
+  [must_use]
   nsIPKCS11Module getInternal();
 
   [must_use]
   nsIPKCS11Module getInternalFIPS();
 
   [must_use]
   nsIPKCS11Module findModuleByName(in AUTF8String name);
 
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -3,17 +3,17 @@
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsNSSComponent.h"
 
 #include "ExtendedValidation.h"
 #include "NSSCertDBTrustDomain.h"
-#include "PKCS11.h"
+#include "PKCS11ModuleDB.h"
 #include "ScopedNSSTypes.h"
 #include "SharedSSLState.h"
 #include "cert.h"
 #include "certdb.h"
 #include "mozStorageCID.h"
 #include "mozilla/ArrayUtils.h"
 #include "mozilla/Assertions.h"
 #include "mozilla/Casting.h"
--- a/security/manager/ssl/nsNSSModule.cpp
+++ b/security/manager/ssl/nsNSSModule.cpp
@@ -2,17 +2,17 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "CertBlocklist.h"
 #include "ContentSignatureVerifier.h"
 #include "NSSErrorsService.h"
-#include "PKCS11.h"
+#include "PKCS11ModuleDB.h"
 #include "PSMContentListener.h"
 #include "SecretDecoderRing.h"
 #include "TransportSecurityInfo.h"
 #include "mozilla/ModuleUtils.h"
 #include "nsCURILoader.h"
 #include "nsCertOverrideService.h"
 #include "nsCryptoHash.h"
 #include "nsDataSignatureVerifier.h"
@@ -141,17 +141,16 @@ NS_DEFINE_NAMED_CID(NS_PKCS11MODULEDB_CI
 NS_DEFINE_NAMED_CID(NS_PSMCONTENTLISTEN_CID);
 NS_DEFINE_NAMED_CID(NS_X509CERT_CID);
 NS_DEFINE_NAMED_CID(NS_X509CERTDB_CID);
 NS_DEFINE_NAMED_CID(NS_X509CERTLIST_CID);
 NS_DEFINE_NAMED_CID(NS_FORMPROCESSOR_CID);
 #ifdef MOZ_XUL
 NS_DEFINE_NAMED_CID(NS_CERTTREE_CID);
 #endif
-NS_DEFINE_NAMED_CID(NS_PKCS11_CID);
 NS_DEFINE_NAMED_CID(NS_CRYPTO_HASH_CID);
 NS_DEFINE_NAMED_CID(NS_CRYPTO_HMAC_CID);
 NS_DEFINE_NAMED_CID(NS_NTLMAUTHMODULE_CID);
 NS_DEFINE_NAMED_CID(NS_KEYMODULEOBJECT_CID);
 NS_DEFINE_NAMED_CID(NS_KEYMODULEOBJECTFACTORY_CID);
 NS_DEFINE_NAMED_CID(NS_DATASIGNATUREVERIFIER_CID);
 NS_DEFINE_NAMED_CID(NS_CONTENTSIGNATUREVERIFIER_CID);
 NS_DEFINE_NAMED_CID(NS_CERTOVERRIDE_CID);
@@ -169,28 +168,27 @@ static const mozilla::Module::CIDEntry k
   { &kNS_NSSCOMPONENT_CID, false, nullptr, nsNSSComponentConstructor },
   { &kNS_SSLSOCKETPROVIDER_CID, false, nullptr,
     Constructor<nsSSLSocketProvider> },
   { &kNS_STARTTLSSOCKETPROVIDER_CID, false, nullptr,
     Constructor<nsTLSSocketProvider> },
   { &kNS_SECRETDECODERRING_CID, false, nullptr,
     Constructor<SecretDecoderRing> },
   { &kNS_PK11TOKENDB_CID, false, nullptr, Constructor<nsPK11TokenDB> },
-  { &kNS_PKCS11MODULEDB_CID, false, nullptr, Constructor<nsPKCS11ModuleDB> },
+  { &kNS_PKCS11MODULEDB_CID, false, nullptr, Constructor<PKCS11ModuleDB> },
   { &kNS_PSMCONTENTLISTEN_CID, false, nullptr, PSMContentListenerConstructor },
   { &kNS_X509CERT_CID, false, nullptr,
     Constructor<nsNSSCertificate, nullptr, ProcessRestriction::AnyProcess> },
   { &kNS_X509CERTDB_CID, false, nullptr, Constructor<nsNSSCertificateDB> },
   { &kNS_X509CERTLIST_CID, false, nullptr,
     Constructor<nsNSSCertList, nullptr, ProcessRestriction::AnyProcess> },
   { &kNS_FORMPROCESSOR_CID, false, nullptr, nsKeygenFormProcessor::Create },
 #ifdef MOZ_XUL
   { &kNS_CERTTREE_CID, false, nullptr, Constructor<nsCertTree> },
 #endif
-  { &kNS_PKCS11_CID, false, nullptr, Constructor<PKCS11> },
   { &kNS_CRYPTO_HASH_CID, false, nullptr,
     Constructor<nsCryptoHash, nullptr, ProcessRestriction::AnyProcess> },
   { &kNS_CRYPTO_HMAC_CID, false, nullptr,
     Constructor<nsCryptoHMAC, nullptr, ProcessRestriction::AnyProcess> },
   { &kNS_NTLMAUTHMODULE_CID, false, nullptr,
     Constructor<nsNTLMAuthModule, &nsNTLMAuthModule::InitTest> },
   { &kNS_KEYMODULEOBJECT_CID, false, nullptr,
     Constructor<nsKeyObject, nullptr, ProcessRestriction::AnyProcess> },
@@ -238,17 +236,16 @@ static const mozilla::Module::ContractID
   { NS_PKCS11MODULEDB_CONTRACTID, &kNS_PKCS11MODULEDB_CID },
   { NS_PSMCONTENTLISTEN_CONTRACTID, &kNS_PSMCONTENTLISTEN_CID },
   { NS_X509CERTDB_CONTRACTID, &kNS_X509CERTDB_CID },
   { NS_X509CERTLIST_CONTRACTID, &kNS_X509CERTLIST_CID },
   { NS_FORMPROCESSOR_CONTRACTID, &kNS_FORMPROCESSOR_CID },
 #ifdef MOZ_XUL
   { NS_CERTTREE_CONTRACTID, &kNS_CERTTREE_CID },
 #endif
-  { NS_PKCS11_CONTRACTID, &kNS_PKCS11_CID },
   { NS_CRYPTO_HASH_CONTRACTID, &kNS_CRYPTO_HASH_CID },
   { NS_CRYPTO_HMAC_CONTRACTID, &kNS_CRYPTO_HMAC_CID },
   { "@mozilla.org/uriloader/psm-external-content-listener;1", &kNS_PSMCONTENTLISTEN_CID },
   { NS_NTLMAUTHMODULE_CONTRACTID, &kNS_NTLMAUTHMODULE_CID },
   { NS_KEYMODULEOBJECT_CONTRACTID, &kNS_KEYMODULEOBJECT_CID },
   { NS_KEYMODULEOBJECTFACTORY_CONTRACTID, &kNS_KEYMODULEOBJECTFACTORY_CID },
   { NS_DATASIGNATUREVERIFIER_CONTRACTID, &kNS_DATASIGNATUREVERIFIER_CID },
   { NS_CONTENTSIGNATUREVERIFIER_CONTRACTID, &kNS_CONTENTSIGNATUREVERIFIER_CID },
--- a/security/manager/ssl/nsPKCS11Slot.cpp
+++ b/security/manager/ssl/nsPKCS11Slot.cpp
@@ -355,229 +355,8 @@ nsPKCS11Module::ListSlots(nsISimpleEnume
       if (NS_FAILED(rv)) {
         return rv;
       }
     }
   }
 
   return array->Enumerate(_retval);
 }
-
-NS_IMPL_ISUPPORTS(nsPKCS11ModuleDB, nsIPKCS11ModuleDB)
-
-nsPKCS11ModuleDB::nsPKCS11ModuleDB()
-{
-}
-
-nsPKCS11ModuleDB::~nsPKCS11ModuleDB()
-{
-  nsNSSShutDownPreventionLock locker;
-  if (isAlreadyShutDown()) {
-    return;
-  }
-
-  shutdown(ShutdownCalledFrom::Object);
-}
-
-NS_IMETHODIMP
-nsPKCS11ModuleDB::GetInternal(nsIPKCS11Module** _retval)
-{
-  NS_ENSURE_ARG_POINTER(_retval);
-
-  nsNSSShutDownPreventionLock locker;
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
-  UniqueSECMODModule nssMod(
-    SECMOD_CreateModule(nullptr, SECMOD_INT_NAME, nullptr, SECMOD_INT_FLAGS));
-  if (!nssMod) {
-    return NS_ERROR_FAILURE;
-  }
-
-  nsCOMPtr<nsIPKCS11Module> module = new nsPKCS11Module(nssMod.get());
-  module.forget(_retval);
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsPKCS11ModuleDB::GetInternalFIPS(nsIPKCS11Module** _retval)
-{
-  NS_ENSURE_ARG_POINTER(_retval);
-
-  nsNSSShutDownPreventionLock locker;
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
-  UniqueSECMODModule nssMod(
-    SECMOD_CreateModule(nullptr, SECMOD_FIPS_NAME, nullptr, SECMOD_FIPS_FLAGS));
-  if (!nssMod) {
-    return NS_ERROR_FAILURE;
-  }
-
-  nsCOMPtr<nsIPKCS11Module> module = new nsPKCS11Module(nssMod.get());
-  module.forget(_retval);
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsPKCS11ModuleDB::FindModuleByName(const nsACString& name,
-                           /*out*/ nsIPKCS11Module** _retval)
-{
-  NS_ENSURE_ARG_POINTER(_retval);
-
-  nsNSSShutDownPreventionLock locker;
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
-  nsresult rv = BlockUntilLoadableRootsLoaded();
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-
-  UniqueSECMODModule mod(SECMOD_FindModule(PromiseFlatCString(name).get()));
-  if (!mod) {
-    return NS_ERROR_FAILURE;
-  }
-
-  nsCOMPtr<nsIPKCS11Module> module = new nsPKCS11Module(mod.get());
-  module.forget(_retval);
-  return NS_OK;
-}
-
-/* This is essentially the same as nsIPK11Token::findTokenByName, except
- * that it returns an nsIPKCS11Slot, which may be desired.
- */
-NS_IMETHODIMP
-nsPKCS11ModuleDB::FindSlotByName(const nsACString& name,
-                         /*out*/ nsIPKCS11Slot** _retval)
-{
-  NS_ENSURE_ARG_POINTER(_retval);
-
-  nsNSSShutDownPreventionLock locker;
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
-  nsresult rv = BlockUntilLoadableRootsLoaded();
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-
-  if (name.IsEmpty()) {
-    return NS_ERROR_ILLEGAL_VALUE;
-  }
-
-  UniquePK11SlotInfo slotInfo(
-    PK11_FindSlotByName(PromiseFlatCString(name).get()));
-  if (!slotInfo) {
-    return NS_ERROR_FAILURE;
-  }
-
-  nsCOMPtr<nsIPKCS11Slot> slot = new nsPKCS11Slot(slotInfo.get());
-  slot.forget(_retval);
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsPKCS11ModuleDB::ListModules(nsISimpleEnumerator** _retval)
-{
-  NS_ENSURE_ARG_POINTER(_retval);
-
-  nsNSSShutDownPreventionLock locker;
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
-  nsresult rv = BlockUntilLoadableRootsLoaded();
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-
-  nsCOMPtr<nsIMutableArray> array = do_CreateInstance(NS_ARRAY_CONTRACTID);
-  if (!array) {
-    return NS_ERROR_FAILURE;
-  }
-
-  /* lock down the list for reading */
-  AutoSECMODListReadLock lock;
-  for (SECMODModuleList* list = SECMOD_GetDefaultModuleList(); list;
-       list = list->next) {
-    nsCOMPtr<nsIPKCS11Module> module = new nsPKCS11Module(list->module);
-    nsresult rv = array->AppendElement(module, false);
-    if (NS_FAILED(rv)) {
-      return rv;
-    }
-  }
-
-  /* Get the modules in the database that didn't load */
-  for (SECMODModuleList* list = SECMOD_GetDeadModuleList(); list;
-       list = list->next) {
-    nsCOMPtr<nsIPKCS11Module> module = new nsPKCS11Module(list->module);
-    nsresult rv = array->AppendElement(module, false);
-    if (NS_FAILED(rv)) {
-      return rv;
-    }
-  }
-
-  return array->Enumerate(_retval);
-}
-
-NS_IMETHODIMP
-nsPKCS11ModuleDB::GetCanToggleFIPS(bool* aCanToggleFIPS)
-{
-  NS_ENSURE_ARG_POINTER(aCanToggleFIPS);
-
-  nsNSSShutDownPreventionLock locker;
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
-  *aCanToggleFIPS = SECMOD_CanDeleteInternalModule();
-  return NS_OK;
-}
-
-
-NS_IMETHODIMP
-nsPKCS11ModuleDB::ToggleFIPSMode()
-{
-  nsNSSShutDownPreventionLock locker;
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
-  // The way to toggle FIPS mode in NSS is extremely obscure. Basically, we
-  // delete the internal module, and it gets replaced with the opposite module
-  // (i.e. if it was FIPS before, then it becomes non-FIPS next).
-  // SECMOD_GetInternalModule() returns a pointer to a local copy of the
-  // internal module stashed in NSS.  We don't want to delete it since it will
-  // cause much pain in NSS.
-  SECMODModule* internal = SECMOD_GetInternalModule();
-  if (!internal) {
-    return NS_ERROR_FAILURE;
-  }
-
-  if (SECMOD_DeleteInternalModule(internal->commonName) != SECSuccess) {
-    return NS_ERROR_FAILURE;
-  }
-
-  if (PK11_IsFIPS()) {
-    Telemetry::Accumulate(Telemetry::FIPS_ENABLED, true);
-  }
-
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsPKCS11ModuleDB::GetIsFIPSEnabled(bool* aIsFIPSEnabled)
-{
-  NS_ENSURE_ARG_POINTER(aIsFIPSEnabled);
-
-  nsNSSShutDownPreventionLock locker;
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
-  *aIsFIPSEnabled = PK11_IsFIPS();
-  return NS_OK;
-}
--- a/security/manager/ssl/nsPKCS11Slot.h
+++ b/security/manager/ssl/nsPKCS11Slot.h
@@ -4,17 +4,16 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef nsPKCS11Slot_h
 #define nsPKCS11Slot_h
 
 #include "ScopedNSSTypes.h"
 #include "nsIPKCS11Module.h"
-#include "nsIPKCS11ModuleDB.h"
 #include "nsIPKCS11Slot.h"
 #include "nsISupports.h"
 #include "nsNSSShutDown.h"
 #include "nsString.h"
 #include "pk11func.h"
 
 class nsPKCS11Slot : public nsIPKCS11Slot,
                      public nsNSSShutDownObject
@@ -57,29 +56,9 @@ protected:
 
 private:
   mozilla::UniqueSECMODModule mModule;
 
   virtual void virtualDestroyNSSReference() override;
   void destructorSafeDestroyNSSReference();
 };
 
-class nsPKCS11ModuleDB : public nsIPKCS11ModuleDB
-                       , public nsNSSShutDownObject
-{
-public:
-  NS_DECL_ISUPPORTS
-  NS_DECL_NSIPKCS11MODULEDB
-
-  nsPKCS11ModuleDB();
-
-protected:
-  virtual ~nsPKCS11ModuleDB();
-
-  // Nothing to release.
-  virtual void virtualDestroyNSSReference() override {}
-};
-
-#define NS_PKCS11MODULEDB_CID \
-{ 0xff9fbcd7, 0x9517, 0x4334, \
-  { 0xb9, 0x7a, 0xce, 0xed, 0x78, 0x90, 0x99, 0x74 }}
-
 #endif // nsPKCS11Slot_h
--- a/security/manager/ssl/tests/mochitest/browser/browser_loadPKCS11Module_ui.js
+++ b/security/manager/ssl/tests/mochitest/browser/browser_loadPKCS11Module_ui.js
@@ -2,17 +2,17 @@
 // http://creativecommons.org/publicdomain/zero/1.0/
 "use strict";
 
 // Tests the dialog used for loading PKCS #11 modules.
 
 const { MockRegistrar } =
   Cu.import("resource://testing-common/MockRegistrar.jsm", {});
 
-const gMockPKCS11 = {
+const gMockPKCS11ModuleDB = {
   addModuleCallCount: 0,
   expectedLibPath: "",
   expectedModuleName: "",
   throwOnAddModule: false,
 
   addModule(moduleName, libraryFullPath, cryptoMechanismFlags, cipherFlags) {
     this.addModuleCallCount++;
     Assert.equal(moduleName, this.expectedModuleName,
@@ -28,17 +28,49 @@ const gMockPKCS11 = {
       throw new Error(`addModule: Throwing exception`);
     }
   },
 
   deleteModule(moduleName) {
     Assert.ok(false, `deleteModule: should not be called`);
   },
 
-  QueryInterface: XPCOMUtils.generateQI([Ci.nsIPKCS11])
+  getInternal() {
+    throw new Error("not expecting getInternal() to be called");
+  },
+
+  getInternalFIPS() {
+    throw new Error("not expecting getInternalFIPS() to be called");
+  },
+
+  findModuleByName() {
+    throw new Error("not expecting findModuleByName() to be called");
+  },
+
+  findSlotByName() {
+    throw new Error("not expecting findSlotByName() to be called");
+  },
+
+  listModules() {
+    throw new Error("not expecting listModules() to be called");
+  },
+
+  get canToggleFIPS() {
+    throw new Error("not expecting get canToggleFIPS() to be called");
+  },
+
+  toggleFIPSMode() {
+    throw new Error("not expecting toggleFIPSMode() to be called");
+  },
+
+  get isFIPSEnabled() {
+    throw new Error("not expecting get isFIPSEnabled() to be called");
+  },
+
+  QueryInterface: XPCOMUtils.generateQI([Ci.nsIPKCS11ModuleDB])
 };
 
 const gMockPromptService = {
   alertCallCount: 0,
   expectedText: "",
   expectedWindow: null,
 
   alert(parent, dialogTitle, text) {
@@ -49,18 +81,18 @@ const gMockPromptService = {
     Assert.equal(text, this.expectedText,
                  "alert: Actual and expected text should match");
   },
 
   QueryInterface: XPCOMUtils.generateQI([Ci.nsIPromptService])
 };
 
 var gMockPKCS11CID =
-  MockRegistrar.register("@mozilla.org/security/pkcs11;1",
-                         gMockPKCS11);
+  MockRegistrar.register("@mozilla.org/security/pkcs11moduledb;1",
+                         gMockPKCS11ModuleDB);
 var gMockPromptServiceCID =
   MockRegistrar.register("@mozilla.org/embedcomp/prompt-service;1",
                          gMockPromptService);
 
 var gMockFilePicker = SpecialPowers.MockFilePicker;
 gMockFilePicker.init(window);
 
 var gTempFile = Cc["@mozilla.org/file/directory_service;1"]
@@ -70,17 +102,17 @@ gTempFile.append("browser_loadPKCS11Modu
 
 registerCleanupFunction(() => {
   gMockFilePicker.cleanup();
   MockRegistrar.unregister(gMockPKCS11CID);
   MockRegistrar.unregister(gMockPromptServiceCID);
 });
 
 function resetCallCounts() {
-  gMockPKCS11.addModuleCallCount = 0;
+  gMockPKCS11ModuleDB.addModuleCallCount = 0;
   gMockPromptService.alertCallCount = 0;
 }
 
 /**
  * Opens the dialog shown to load a PKCS #11 module.
  *
  * @returns {Promise}
  *          A promise that resolves when the dialog has finished loading, with
@@ -139,63 +171,63 @@ add_task(async function testBrowseButton
   Assert.equal(pathBox.value, gTempFile.path,
                "Path shown should be same as the one chosen in the file picker");
 
   await BrowserTestUtils.closeWindow(win);
 });
 
 function testAddModuleHelper(win, throwOnAddModule) {
   resetCallCounts();
-  gMockPKCS11.expectedLibPath = gTempFile.path;
-  gMockPKCS11.expectedModuleName = "test module";
-  gMockPKCS11.throwOnAddModule = throwOnAddModule;
+  gMockPKCS11ModuleDB.expectedLibPath = gTempFile.path;
+  gMockPKCS11ModuleDB.expectedModuleName = "test module";
+  gMockPKCS11ModuleDB.throwOnAddModule = throwOnAddModule;
 
   win.document.getElementById("device_name").value =
-    gMockPKCS11.expectedModuleName;
+    gMockPKCS11ModuleDB.expectedModuleName;
   win.document.getElementById("device_path").value =
-    gMockPKCS11.expectedLibPath;
+    gMockPKCS11ModuleDB.expectedLibPath;
 
   info("Accepting dialog");
   win.document.getElementById("loaddevice").acceptDialog();
 }
 
 add_task(async function testAddModuleSuccess() {
   let win = await openLoadModuleDialog();
 
   testAddModuleHelper(win, false);
   await BrowserTestUtils.windowClosed(win);
 
-  Assert.equal(gMockPKCS11.addModuleCallCount, 1,
+  Assert.equal(gMockPKCS11ModuleDB.addModuleCallCount, 1,
                "addModule() should have been called once");
   Assert.equal(gMockPromptService.alertCallCount, 0,
                "alert() should never have been called");
 });
 
 add_task(async function testAddModuleFailure() {
   let win = await openLoadModuleDialog();
   gMockPromptService.expectedText = "Unable to add module";
   gMockPromptService.expectedWindow = win;
 
   testAddModuleHelper(win, true);
   // If adding a module fails, the dialog will not close. As such, we have to
   // close the window ourselves.
   await BrowserTestUtils.closeWindow(win);
 
-  Assert.equal(gMockPKCS11.addModuleCallCount, 1,
+  Assert.equal(gMockPKCS11ModuleDB.addModuleCallCount, 1,
                "addModule() should have been called once");
   Assert.equal(gMockPromptService.alertCallCount, 1,
                "alert() should have been called once");
 });
 
 add_task(async function testCancel() {
   let win = await openLoadModuleDialog();
   resetCallCounts();
 
   info("Canceling dialog");
   win.document.getElementById("loaddevice").cancelDialog();
 
-  Assert.equal(gMockPKCS11.addModuleCallCount, 0,
+  Assert.equal(gMockPKCS11ModuleDB.addModuleCallCount, 0,
                "addModule() should never have been called");
   Assert.equal(gMockPromptService.alertCallCount, 0,
                "alert() should never have been called");
 
   await BrowserTestUtils.windowClosed(win);
 });
--- a/security/manager/ssl/tests/unit/head_psm.js
+++ b/security/manager/ssl/tests/unit/head_psm.js
@@ -843,26 +843,27 @@ function asyncTestCertificateUsages(cert
  *                  module gets reported.
  */
 function loadPKCS11TestModule(expectModuleUnloadToFail) {
   let libraryFile = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
   libraryFile.append("pkcs11testmodule");
   libraryFile.append(ctypes.libraryName("pkcs11testmodule"));
   ok(libraryFile.exists(), "The pkcs11testmodule file should exist");
 
-  let pkcs11 = Cc["@mozilla.org/security/pkcs11;1"].getService(Ci.nsIPKCS11);
+  let pkcs11ModuleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"]
+                         .getService(Ci.nsIPKCS11ModuleDB);
   do_register_cleanup(() => {
     try {
-      pkcs11.deleteModule("PKCS11 Test Module");
+      pkcs11ModuleDB.deleteModule("PKCS11 Test Module");
     } catch (e) {
       Assert.ok(expectModuleUnloadToFail,
                 `Module unload should suceed only when expected: ${e}`);
     }
   });
-  pkcs11.addModule("PKCS11 Test Module", libraryFile.path, 0, 0);
+  pkcs11ModuleDB.addModule("PKCS11 Test Module", libraryFile.path, 0, 0);
 }
 
 /**
  * @param {String} data
  * @returns {String}
  */
 function hexify(data) {
   // |slice(-2)| chomps off the last two characters of a string.
--- a/security/manager/ssl/tests/unit/test_pkcs11_module.js
+++ b/security/manager/ssl/tests/unit/test_pkcs11_module.js
@@ -134,18 +134,19 @@ function run_test() {
         bundle.GetStringFromName("PrivateSlotDescription"),
         "Spot check: actual and expected internal 'slot' names should be equal");
   throws(() => gModuleDB.findSlotByName("Not Present"), /NS_ERROR_FAILURE/,
          "Non-present 'slot' should not be findable by name via the module DB");
   throws(() => gModuleDB.findSlotByName(""), /NS_ERROR_ILLEGAL_VALUE/,
          "nsIPKCS11ModuleDB.findSlotByName should throw given an empty name");
 
   // Check that deleting the test module makes it disappear from the module list.
-  let pkcs11 = Cc["@mozilla.org/security/pkcs11;1"].getService(Ci.nsIPKCS11);
-  pkcs11.deleteModule("PKCS11 Test Module");
+  let pkcs11ModuleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"]
+                         .getService(Ci.nsIPKCS11ModuleDB);
+  pkcs11ModuleDB.deleteModule("PKCS11 Test Module");
   checkTestModuleNotPresent();
 
   // Check miscellaneous module DB methods and attributes.
   notEqual(gModuleDB.getInternal(), null,
            "The internal module should be present");
   notEqual(gModuleDB.getInternalFIPS(), null,
            "The internal FIPS module should be present");
   ok(gModuleDB.canToggleFIPS, "It should be possible to toggle FIPS");
--- a/security/manager/ssl/tests/unit/test_pkcs11_no_events_after_removal.js
+++ b/security/manager/ssl/tests/unit/test_pkcs11_no_events_after_removal.js
@@ -10,19 +10,20 @@
 // "smartcard-remove", respectively. This test ensures that these events
 // are no longer emitted once the module has been unloaded.
 
 // Ensure that the appropriate initialization has happened.
 do_get_profile();
 Cc["@mozilla.org/psm;1"].getService(Ci.nsISupports);
 
 function run_test() {
-  let pkcs11 = Cc["@mozilla.org/security/pkcs11;1"].getService(Ci.nsIPKCS11);
+  let pkcs11ModuleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"]
+                         .getService(Ci.nsIPKCS11ModuleDB);
   loadPKCS11TestModule(true);
-  pkcs11.deleteModule("PKCS11 Test Module");
+  pkcs11ModuleDB.deleteModule("PKCS11 Test Module");
   Services.obs.addObserver(function() {
     ok(false, "smartcard-insert event should not have been emitted");
   }, "smartcard-insert");
   Services.obs.addObserver(function() {
     ok(false, "smartcard-remove event should not have been emitted");
   }, "smartcard-remove");
   do_timeout(500, do_test_finished);
   do_test_pending();
--- a/security/manager/ssl/tests/unit/test_pkcs11_safe_mode.js
+++ b/security/manager/ssl/tests/unit/test_pkcs11_safe_mode.js
@@ -33,17 +33,19 @@ function run_test() {
 
   let registrar = Components.manager.QueryInterface(Ci.nsIComponentRegistrar);
   const XULRUNTIME_CONTRACTID = "@mozilla.org/xre/runtime;1";
   const XULRUNTIME_CID = Components.ID("{f0f0b230-5525-4127-98dc-7bca39059e70}");
   registrar.registerFactory(XULRUNTIME_CID, "XULRuntime", XULRUNTIME_CONTRACTID,
                             xulRuntimeFactory);
 
   // When starting in safe mode, the test module should fail to load.
-  let pkcs11 = Cc["@mozilla.org/security/pkcs11;1"].getService(Ci.nsIPKCS11);
+  let pkcs11ModuleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"]
+                         .getService(Ci.nsIPKCS11ModuleDB);
   let libraryName = ctypes.libraryName("pkcs11testmodule");
   let libraryFile = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
   libraryFile.append("pkcs11testmodule");
   libraryFile.append(libraryName);
   ok(libraryFile.exists(), "The pkcs11testmodule file should exist");
-  throws(() => pkcs11.addModule("PKCS11 Test Module", libraryFile.path, 0, 0),
+  throws(() => pkcs11ModuleDB.addModule("PKCS11 Test Module", libraryFile.path,
+                                        0, 0),
          /NS_ERROR_FAILURE/, "addModule should throw when in safe mode");
 }