Bug 669061, Upgrade to NSS 3.13, starting with NSS_3_13_BETA1, r=wtc
authorKai Engert <kaie@kuix.de>
Fri, 19 Aug 2011 17:27:10 +0200
changeset 75563 33000157292b4cef2533a8769a49cd7d1e86d64d
parent 75562 79399ce1a1fbd1f10e22f9328d2af72b7cb0dcff
child 75564 be9c15f7dd336427a760a05a0d292f6b6646ba92
push id3
push userfelipc@gmail.com
push dateFri, 30 Sep 2011 20:09:13 +0000
reviewerswtc
bugs669061
milestone9.0a1
Bug 669061, Upgrade to NSS 3.13, starting with NSS_3_13_BETA1, r=wtc
security/coreconf/Darwin.mk
security/coreconf/Linux.mk
security/coreconf/WIN32.mk
security/coreconf/coreconf.dep
security/nss/TAG-INFO
security/nss/cmd/addbuiltin/addbuiltin.c
security/nss/cmd/bltest/blapitest.c
security/nss/cmd/bltest/tests/sha224/ciphertext0
security/nss/cmd/bltest/tests/sha224/ciphertext1
security/nss/cmd/bltest/tests/sha224/numtests
security/nss/cmd/bltest/tests/sha224/plaintext0
security/nss/cmd/bltest/tests/sha224/plaintext1
security/nss/cmd/certutil/certutil.c
security/nss/cmd/chktest/Makefile
security/nss/cmd/chktest/chktest.c
security/nss/cmd/chktest/manifest.mn
security/nss/cmd/lib/Makefile
security/nss/cmd/lib/NSPRerrs.h
security/nss/cmd/lib/SECerrs.h
security/nss/cmd/lib/SSLerrs.h
security/nss/cmd/lib/manifest.mn
security/nss/cmd/lib/pk11table.c
security/nss/cmd/lib/secerror.c
security/nss/cmd/lib/secutil.c
security/nss/cmd/lib/secutil.h
security/nss/cmd/manifest.mn
security/nss/cmd/modutil/install.c
security/nss/cmd/modutil/instsec.c
security/nss/cmd/pk11mode/pk11mode.c
security/nss/cmd/pk12util/pk12util.c
security/nss/cmd/pp/pp.c
security/nss/cmd/ppcertdata/Makefile
security/nss/cmd/ppcertdata/manifest.mn
security/nss/cmd/ppcertdata/ppcertdata.c
security/nss/cmd/selfserv/selfserv.c
security/nss/cmd/shlibsign/manifest.mn
security/nss/cmd/shlibsign/shlibsign.c
security/nss/cmd/signtool/sign.c
security/nss/cmd/signtool/util.c
security/nss/cmd/signtool/verify.c
security/nss/cmd/signver/signver.c
security/nss/cmd/strsclnt/strsclnt.c
security/nss/cmd/symkeyutil/symkey.man
security/nss/cmd/tests/encodeinttest.c
security/nss/cmd/tests/manifest.mn
security/nss/cmd/tstclnt/tstclnt.c
security/nss/cmd/vfychain/vfychain.c
security/nss/lib/certdb/alg1485.c
security/nss/lib/certdb/cert.h
security/nss/lib/certdb/certdb.c
security/nss/lib/certdb/certdb.h
security/nss/lib/certdb/certi.h
security/nss/lib/certdb/certt.h
security/nss/lib/certdb/crl.c
security/nss/lib/certdb/genname.c
security/nss/lib/certdb/manifest.mn
security/nss/lib/certhigh/certhtml.c
security/nss/lib/certhigh/certvfy.c
security/nss/lib/certhigh/manifest.mn
security/nss/lib/certhigh/ocsp.c
security/nss/lib/certhigh/ocsp.h
security/nss/lib/ckfw/builtins/certdata.c
security/nss/lib/ckfw/builtins/certdata.txt
security/nss/lib/ckfw/capi/cfind.c
security/nss/lib/ckfw/capi/ckcapi.h
security/nss/lib/ckfw/capi/cobject.c
security/nss/lib/ckfw/capi/crsa.c
security/nss/lib/ckfw/hash.c
security/nss/lib/ckfw/session.c
security/nss/lib/crmf/cmmf.h
security/nss/lib/crmf/crmf.h
security/nss/lib/crmf/crmffut.h
security/nss/lib/crmf/crmfi.h
security/nss/lib/cryptohi/cryptohi.h
security/nss/lib/cryptohi/keyhi.h
security/nss/lib/cryptohi/keythi.h
security/nss/lib/cryptohi/manifest.mn
security/nss/lib/cryptohi/sechash.c
security/nss/lib/cryptohi/seckey.c
security/nss/lib/cryptohi/secsign.c
security/nss/lib/dev/ckhelper.c
security/nss/lib/dev/devt.h
security/nss/lib/dev/devtoken.c
security/nss/lib/freebl/Makefile
security/nss/lib/freebl/blapi.h
security/nss/lib/freebl/blapii.h
security/nss/lib/freebl/blapit.h
security/nss/lib/freebl/camellia.c
security/nss/lib/freebl/des.c
security/nss/lib/freebl/dh.c
security/nss/lib/freebl/dsa.c
security/nss/lib/freebl/ec.c
security/nss/lib/freebl/ecl/ecp_mont.c
security/nss/lib/freebl/hasht.h
security/nss/lib/freebl/ldvector.c
security/nss/lib/freebl/loader.c
security/nss/lib/freebl/loader.h
security/nss/lib/freebl/manifest.mn
security/nss/lib/freebl/mgf1.c
security/nss/lib/freebl/mpi/Makefile
security/nss/lib/freebl/mpi/README
security/nss/lib/freebl/mpi/hpma512.s
security/nss/lib/freebl/mpi/hppa20.s
security/nss/lib/freebl/mpi/make-logtab
security/nss/lib/freebl/mpi/make-test-arrays
security/nss/lib/freebl/mpi/mpi-config.h
security/nss/lib/freebl/mpi/mpi-priv.h
security/nss/lib/freebl/mpi/mpi.c
security/nss/lib/freebl/mpi/mpi.h
security/nss/lib/freebl/mpi/mpi_arm.c
security/nss/lib/freebl/mpi/mpmontg.c
security/nss/lib/freebl/mpi/target.mk
security/nss/lib/freebl/mpi/utils/primegen.c
security/nss/lib/freebl/mpi/utils/ptab.pl
security/nss/lib/freebl/nsslowhash.c
security/nss/lib/freebl/rawhash.c
security/nss/lib/freebl/ret_cr16.s
security/nss/lib/freebl/rijndael.c
security/nss/lib/freebl/rsa.c
security/nss/lib/freebl/secmpi.h
security/nss/lib/freebl/sha512.c
security/nss/lib/freebl/sha_fast.h
security/nss/lib/freebl/shvfy.c
security/nss/lib/freebl/stubs.c
security/nss/lib/freebl/stubs.h
security/nss/lib/freebl/tlsprfalg.c
security/nss/lib/jar/config.mk
security/nss/lib/jar/jarver.c
security/nss/lib/jar/manifest.mn
security/nss/lib/libpkix/pkix/certsel/manifest.mn
security/nss/lib/libpkix/pkix/checker/manifest.mn
security/nss/lib/libpkix/pkix/crlsel/manifest.mn
security/nss/lib/libpkix/pkix/params/manifest.mn
security/nss/lib/libpkix/pkix/results/manifest.mn
security/nss/lib/libpkix/pkix/store/manifest.mn
security/nss/lib/libpkix/pkix/top/manifest.mn
security/nss/lib/libpkix/pkix/util/manifest.mn
security/nss/lib/libpkix/pkix_pl_nss/module/manifest.mn
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c
security/nss/lib/libpkix/pkix_pl_nss/pki/manifest.mn
security/nss/lib/libpkix/pkix_pl_nss/system/manifest.mn
security/nss/lib/nss/manifest.mn
security/nss/lib/nss/nss.def
security/nss/lib/nss/nss.h
security/nss/lib/nss/nssinit.c
security/nss/lib/pk11wrap/debug_module.c
security/nss/lib/pk11wrap/dev3hack.c
security/nss/lib/pk11wrap/manifest.mn
security/nss/lib/pk11wrap/pk11akey.c
security/nss/lib/pk11wrap/pk11cert.c
security/nss/lib/pk11wrap/pk11err.c
security/nss/lib/pk11wrap/pk11load.c
security/nss/lib/pk11wrap/pk11mech.c
security/nss/lib/pk11wrap/pk11merge.c
security/nss/lib/pk11wrap/pk11nobj.c
security/nss/lib/pk11wrap/pk11obj.c
security/nss/lib/pk11wrap/pk11pbe.c
security/nss/lib/pk11wrap/pk11pk12.c
security/nss/lib/pk11wrap/pk11pub.h
security/nss/lib/pk11wrap/pk11skey.c
security/nss/lib/pkcs12/manifest.mn
security/nss/lib/pkcs12/p12.h
security/nss/lib/pkcs12/p12d.c
security/nss/lib/pkcs7/manifest.mn
security/nss/lib/pki/certificate.c
security/nss/lib/pki/pki3hack.c
security/nss/lib/pki/pki3hack.h
security/nss/lib/pki/pkistore.c
security/nss/lib/smime/cms.h
security/nss/lib/smime/cmsasn1.c
security/nss/lib/smime/cmscinfo.c
security/nss/lib/smime/cmsdecode.c
security/nss/lib/smime/cmsdigdata.c
security/nss/lib/smime/cmsencdata.c
security/nss/lib/smime/cmsencode.c
security/nss/lib/smime/cmsenvdata.c
security/nss/lib/smime/cmslocal.h
security/nss/lib/smime/cmsmessage.c
security/nss/lib/smime/cmssigdata.c
security/nss/lib/smime/cmssiginfo.c
security/nss/lib/smime/cmst.h
security/nss/lib/smime/cmsudf.c
security/nss/lib/smime/cmsutil.c
security/nss/lib/smime/manifest.mn
security/nss/lib/smime/smime.def
security/nss/lib/smime/smime.h
security/nss/lib/smime/smimeutil.c
security/nss/lib/softoken/fipstest.c
security/nss/lib/softoken/legacydb/keydb.c
security/nss/lib/softoken/legacydb/lgattr.c
security/nss/lib/softoken/legacydb/lgcreate.c
security/nss/lib/softoken/legacydb/lgdb.h
security/nss/lib/softoken/legacydb/lgfind.c
security/nss/lib/softoken/legacydb/lginit.c
security/nss/lib/softoken/legacydb/lowcert.c
security/nss/lib/softoken/legacydb/lowkey.c
security/nss/lib/softoken/legacydb/lowkeyi.h
security/nss/lib/softoken/legacydb/lowkeyti.h
security/nss/lib/softoken/legacydb/manifest.mn
security/nss/lib/softoken/legacydb/pcertdb.c
security/nss/lib/softoken/legacydb/pcertt.h
security/nss/lib/softoken/legacydb/pk11db.c
security/nss/lib/softoken/lowpbe.c
security/nss/lib/softoken/manifest.mn
security/nss/lib/softoken/pk11pars.h
security/nss/lib/softoken/pkcs11.c
security/nss/lib/softoken/pkcs11c.c
security/nss/lib/softoken/pkcs11i.h
security/nss/lib/softoken/rsawrapr.c
security/nss/lib/softoken/sftkdb.c
security/nss/lib/softoken/sftkmod.c
security/nss/lib/softoken/sftkpwd.c
security/nss/lib/softoken/softkver.h
security/nss/lib/softoken/softoken.h
security/nss/lib/ssl/SSLerrs.h
security/nss/lib/ssl/derive.c
security/nss/lib/ssl/manifest.mn
security/nss/lib/ssl/notes.txt
security/nss/lib/ssl/ssl.def
security/nss/lib/ssl/ssl.h
security/nss/lib/ssl/ssl3con.c
security/nss/lib/ssl/ssl3ext.c
security/nss/lib/ssl/ssl3gthr.c
security/nss/lib/ssl/sslauth.c
security/nss/lib/ssl/sslcon.c
security/nss/lib/ssl/sslerr.h
security/nss/lib/ssl/sslerrstrs.c
security/nss/lib/ssl/sslerrstrs.h
security/nss/lib/ssl/sslimpl.h
security/nss/lib/ssl/sslinfo.c
security/nss/lib/ssl/sslinit.c
security/nss/lib/ssl/sslnonce.c
security/nss/lib/ssl/sslreveal.c
security/nss/lib/ssl/sslsecur.c
security/nss/lib/ssl/sslsnce.c
security/nss/lib/ssl/sslsock.c
security/nss/lib/ssl/sslutil.h
security/nss/lib/util/SECerrs.h
security/nss/lib/util/errstrs.c
security/nss/lib/util/errstrs.h
security/nss/lib/util/manifest.mn
security/nss/lib/util/nssb64d.c
security/nss/lib/util/nssutil.def
security/nss/lib/util/nssutil.h
security/nss/lib/util/pkcs11n.h
security/nss/lib/util/quickder.c
security/nss/lib/util/secasn1e.c
security/nss/lib/util/secdig.c
security/nss/lib/util/secitem.c
security/nss/lib/util/secoid.c
security/nss/lib/util/secoidt.h
security/nss/lib/zlib/Makefile
security/nss/lib/zlib/README
security/nss/lib/zlib/README.nss
security/nss/lib/zlib/adler32.c
security/nss/lib/zlib/compress.c
security/nss/lib/zlib/crc32.c
security/nss/lib/zlib/deflate.c
security/nss/lib/zlib/deflate.h
security/nss/lib/zlib/example.c
security/nss/lib/zlib/gzclose.c
security/nss/lib/zlib/gzguts.h
security/nss/lib/zlib/gzio.c
security/nss/lib/zlib/gzlib.c
security/nss/lib/zlib/gzread.c
security/nss/lib/zlib/gzwrite.c
security/nss/lib/zlib/infback.c
security/nss/lib/zlib/inffast.c
security/nss/lib/zlib/inffast.h
security/nss/lib/zlib/inflate.c
security/nss/lib/zlib/inflate.h
security/nss/lib/zlib/inftrees.c
security/nss/lib/zlib/inftrees.h
security/nss/lib/zlib/manifest.mn
security/nss/lib/zlib/minigzip.c
security/nss/lib/zlib/patches/msvc-vsnprintf.patch
security/nss/lib/zlib/patches/prune-zlib.sh
security/nss/lib/zlib/trees.c
security/nss/lib/zlib/trees.h
security/nss/lib/zlib/uncompr.c
security/nss/lib/zlib/zconf.h
security/nss/lib/zlib/zlib.h
security/nss/lib/zlib/zutil.c
security/nss/lib/zlib/zutil.h
security/nss/tests/cert/cert.sh
security/nss/tests/cipher/cipher.txt
security/nss/tests/pkcs11/netscape/suites/security/ssl/sslc.c
security/nss/tests/pkcs11/netscape/suites/security/ssl/sslt.c
--- a/security/coreconf/Darwin.mk
+++ b/security/coreconf/Darwin.mk
@@ -32,34 +32,36 @@
 # and other provisions required by the GPL or the LGPL. If you do not delete
 # the provisions above, a recipient may use your version of this file under
 # the terms of any one of the MPL, the GPL or the LGPL.
 #
 # ***** END LICENSE BLOCK *****
 
 include $(CORE_DEPTH)/coreconf/UNIX.mk
 
-DEFAULT_COMPILER = cc
+DEFAULT_COMPILER = gcc
 
-CC		= cc
-CCC		= c++
+CC		= gcc
+CCC		= g++
 RANLIB		= ranlib
 
 ifndef CPU_ARCH
 # When cross-compiling, CPU_ARCH should already be defined as the target
 # architecture, set to powerpc or i386.
 CPU_ARCH	:= $(shell uname -p)
 endif
 
 ifeq (,$(filter-out i%86,$(CPU_ARCH)))
 ifdef USE_64
 CC              += -arch x86_64
+override CPU_ARCH	= x86_64
 else
 OS_REL_CFLAGS	= -Di386
 CC              += -arch i386
+override CPU_ARCH	= x86
 endif
 else
 OS_REL_CFLAGS	= -Dppc
 CC              += -arch ppc
 endif
 
 ifneq (,$(MACOS_SDK_DIR))
     GCC_VERSION_FULL := $(shell $(CC) -dumpversion)
@@ -102,17 +104,17 @@ endif
 # The meaning of a common is ambiguous.  It may be a true definition:
 #     int x = 0;
 # or it may be a declaration of a symbol defined in another file:
 #     extern int x;
 # Use the -fno-common option to force all commons to become true
 # definitions so that the linker can catch multiply-defined symbols.
 # Also, common symbols are not allowed with Darwin dynamic libraries.
 
-OS_CFLAGS	= $(DSO_CFLAGS) $(OS_REL_CFLAGS) -Wmost -fpascal-strings -fno-common -pipe -DDARWIN -DHAVE_STRERROR -DHAVE_BSD_FLOCK $(DARWIN_SDK_CFLAGS)
+OS_CFLAGS	= $(DSO_CFLAGS) $(OS_REL_CFLAGS) -Wall -fno-common -pipe -DDARWIN -DHAVE_STRERROR -DHAVE_BSD_FLOCK $(DARWIN_SDK_CFLAGS)
 
 ifdef BUILD_OPT
 ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE))
 	OPTIMIZER       = -Oz
 else
 	OPTIMIZER	= -O2
 endif
 ifdef MOZ_DEBUG_SYMBOLS
--- a/security/coreconf/Linux.mk
+++ b/security/coreconf/Linux.mk
@@ -197,13 +197,10 @@ MKSHLIB         = $(CC) $(DSO_LDOPTS) -W
 
 ifdef MAPFILE
 	MKSHLIB += -Wl,--version-script,$(MAPFILE)
 endif
 PROCESS_MAP_FILE = grep -v ';-' $< | \
         sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
 
 ifeq ($(OS_RELEASE),2.4)
-# Softoken 3.13 uses NO_FORK_CHECK only.
-# Softoken 3.12 uses NO_FORK_CHECK and NO_CHECK_FORK.
-# Don't use NO_CHECK_FORK in new code.
-DEFINES += -DNO_FORK_CHECK -DNO_CHECK_FORK
+DEFINES += -DNO_FORK_CHECK
 endif
--- a/security/coreconf/WIN32.mk
+++ b/security/coreconf/WIN32.mk
@@ -138,17 +138,18 @@ ifdef NS_USE_GCC
 	OPTIMIZER  += -g
 	NULLSTRING :=
 	SPACE      := $(NULLSTRING) # end of the line
 	USERNAME   := $(subst $(SPACE),_,$(USERNAME))
 	USERNAME   := $(subst -,_,$(USERNAME))
 	DEFINES    += -DDEBUG -D_DEBUG -UNDEBUG -DDEBUG_$(USERNAME)
     endif
 else # !NS_USE_GCC
-    OS_CFLAGS += -W3 -nologo -D_CRT_SECURE_NO_WARNINGS
+    OS_CFLAGS += -W3 -nologo -D_CRT_SECURE_NO_WARNINGS \
+		 -D_CRT_NONSTDC_NO_WARNINGS
     OS_DLLFLAGS += -nologo -DLL -SUBSYSTEM:WINDOWS
     ifeq ($(_MSC_VER),$(_MSC_VER_6))
     ifndef MOZ_DEBUG_SYMBOLS
 	OS_DLLFLAGS += -PDB:NONE
     endif
     endif
     ifdef USE_DYNAMICBASE
 	OS_DLLFLAGS += -DYNAMICBASE
--- a/security/coreconf/coreconf.dep
+++ b/security/coreconf/coreconf.dep
@@ -38,8 +38,9 @@
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
 
+
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_12_11_RTM
+NSS_3_13_BETA1
--- a/security/nss/cmd/addbuiltin/addbuiltin.c
+++ b/security/nss/cmd/addbuiltin/addbuiltin.c
@@ -32,17 +32,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * Tool for converting builtin CA certs.
  *
- * $Id: addbuiltin.c,v 1.14.68.1 2011/03/23 20:07:57 kaie%kuix.de Exp $
+ * $Id: addbuiltin.c,v 1.16 2011/04/13 00:10:21 rrelyea%redhat.com Exp $
  */
 
 #include "nssrenam.h"
 #include "nss.h"
 #include "cert.h"
 #include "certdb.h"
 #include "secutil.h"
 #include "pk11func.h"
@@ -63,32 +63,32 @@ void dumpbytes(unsigned char *buf, int l
     }
     printf("\n");
 }
 
 char *getTrustString(unsigned int trust)
 {
     if (trust & CERTDB_TRUSTED) {
 	if (trust & CERTDB_TRUSTED_CA) {
-		return "CKT_NETSCAPE_TRUSTED_DELEGATOR|CKT_NETSCAPE_TRUSTED";
+		return "CKT_NSS_TRUSTED_DELEGATOR";
 	} else {
-		return "CKT_NETSCAPE_TRUSTED";
+		return "CKT_NSS_TRUSTED";
 	}
     } else {
 	if (trust & CERTDB_TRUSTED_CA) {
-		return "CKT_NETSCAPE_TRUSTED_DELEGATOR";
+		return "CKT_NSS_TRUSTED_DELEGATOR";
 	} else if (trust & CERTDB_VALID_CA) {
-		return "CKT_NETSCAPE_VALID_DELEGATOR";
-	} else if (trust & CERTDB_VALID_PEER) {
-		return "CKT_NETSCAPE_VALID";
+		return "CKT_NSS_VALID_DELEGATOR";
+	} else if (trust & CERTDB_TERMINAL_RECORD) {
+		return "CKT_NSS_NOT_TRUSTED";
 	} else {
-		return "CKT_NETSCAPE_TRUST_UNKNOWN";
+		return "CKT_NSS_MUST_VERIFY_TRUST";
 	}
     }
-    return "CKT_NETSCAPE_TRUST_UNKNOWN"; /* not reached */
+    return "CKT_NSS_TRUST_UNKNOWN"; /* not reached */
 }
 
 static const SEC_ASN1Template serialTemplate[] = {
     { SEC_ASN1_INTEGER, offsetof(CERTCertificate,serialNumber) },
     { 0 }
 };
 
 static SECStatus
@@ -128,17 +128,17 @@ ConvertCertificate(SECItem *sdder, char 
     printf("END\n");
     printf("CKA_VALUE MULTILINE_OCTAL\n");
     dumpbytes(sdder->data,sdder->len);
     printf("END\n");
 
     PK11_HashBuf(SEC_OID_SHA1, sha1_hash, sdder->data, sdder->len);
     PK11_HashBuf(SEC_OID_MD5, md5_hash, sdder->data, sdder->len);
     printf("\n# Trust for Certificate \"%s\"\n",nickname);
-    printf("CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST\n");
+    printf("CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n");
     printf("CKA_TOKEN CK_BBOOL CK_TRUE\n");
     printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n");
     printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n");
     printf("CKA_LABEL UTF8 \"%s\"\n",nickname);
     printf("CKA_CERT_SHA1_HASH MULTILINE_OCTAL\n");
     dumpbytes(sha1_hash,SHA1_LENGTH);
     printf("END\n");
     printf("CKA_CERT_MD5_HASH MULTILINE_OCTAL\n");
@@ -154,23 +154,23 @@ ConvertCertificate(SECItem *sdder, char 
     
     printf("CKA_TRUST_SERVER_AUTH CK_TRUST %s\n",
 				 getTrustString(trust->sslFlags));
     printf("CKA_TRUST_EMAIL_PROTECTION CK_TRUST %s\n",
 				 getTrustString(trust->emailFlags));
     printf("CKA_TRUST_CODE_SIGNING CK_TRUST %s\n",
 				 getTrustString(trust->objectSigningFlags));
 #ifdef notdef
-    printf("CKA_TRUST_CLIENT_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED\n");*/
-    printf("CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
-    printf("CKA_TRUST_NON_REPUDIATION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
-    printf("CKA_TRUST_KEY_ENCIPHERMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
-    printf("CKA_TRUST_DATA_ENCIPHERMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
-    printf("CKA_TRUST_KEY_AGREEMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
-    printf("CKA_TRUST_KEY_CERT_SIGN CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_CLIENT_AUTH CK_TRUST CKT_NSS_TRUSTED\n");
+    printf("CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_NON_REPUDIATION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_KEY_ENCIPHERMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_DATA_ENCIPHERMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_KEY_AGREEMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_KEY_CERT_SIGN CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
 #endif
     printf("CKA_TRUST_STEP_UP_APPROVED CK_BBOOL %s\n",
                 trust->sslFlags & CERTDB_GOVT_APPROVED_CA ? 
                 "CK_TRUE" : "CK_FALSE");
 
 
     PORT_Free(sdder->data);
     return(rv);
@@ -210,17 +210,17 @@ void printheader() {
 "# use your version of this file under the terms of the MPL, indicate your\n"
 "# decision by deleting the provisions above and replace them with the notice\n"
 "# and other provisions required by the GPL or the LGPL. If you do not delete\n"
 "# the provisions above, a recipient may use your version of this file under\n"
 "# the terms of any one of the MPL, the GPL or the LGPL.\n"
 "#\n"
 "# ***** END LICENSE BLOCK *****\n"
      "#\n"
-     "CVS_ID \"@(#) $RCSfile: addbuiltin.c,v $ $Revision: 1.14.68.1 $ $Date: 2011/03/23 20:07:57 $\"\n"
+     "CVS_ID \"@(#) $RCSfile: addbuiltin.c,v $ $Revision: 1.16 $ $Date: 2011/04/13 00:10:21 $\"\n"
      "\n"
      "#\n"
      "# certdata.txt\n"
      "#\n"
      "# This file contains the object definitions for the certs and other\n"
      "# information \"built into\" NSS.\n"
      "#\n"
      "# Object definitions:\n"
@@ -234,17 +234,17 @@ void printheader() {
      "#  CKA_MODIFIABLE           CK_BBOOL                CK_FALSE\n"
      "#  CKA_LABEL                UTF8                    (varies)\n"
      "#  CKA_CERTIFICATE_TYPE     CK_CERTIFICATE_TYPE     CKC_X_509\n"
      "#  CKA_SUBJECT              DER+base64              (varies)\n"
      "#  CKA_ID                   byte array              (varies)\n"
      "#  CKA_ISSUER               DER+base64              (varies)\n"
      "#  CKA_SERIAL_NUMBER        DER+base64              (varies)\n"
      "#  CKA_VALUE                DER+base64              (varies)\n"
-     "#  CKA_NETSCAPE_EMAIL       ASCII7                  (unused here)\n"
+     "#  CKA_NSS_EMAIL            ASCII7                  (unused here)\n"
      "#\n"
      "#    Trust\n"
      "#\n"
      "#  -- Attribute --              -- type --          -- value --\n"
      "#  CKA_CLASS                    CK_OBJECT_CLASS     CKO_TRUST\n"
      "#  CKA_TOKEN                    CK_BBOOL            CK_TRUE\n"
      "#  CKA_PRIVATE                  CK_BBOOL            CK_FALSE\n"
      "#  CKA_MODIFIABLE               CK_BBOOL            CK_FALSE\n"
@@ -271,17 +271,17 @@ void printheader() {
      "#  (other trust attributes can be defined)\n"
      "#\n"
      "\n"
      "#\n"
      "# The object to tell NSS that this is a root list and we don't\n"
      "# have to go looking for others.\n"
      "#\n"
      "BEGINDATA\n"
-     "CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_BUILTIN_ROOT_LIST\n"
+     "CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST\n"
      "CKA_TOKEN CK_BBOOL CK_TRUE\n"
      "CKA_PRIVATE CK_BBOOL CK_FALSE\n"
      "CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"
      "CKA_LABEL UTF8 \"Mozilla Builtin Roots\"\n");
 }
 
 static void Usage(char *progName)
 {
--- a/security/nss/cmd/bltest/blapitest.c
+++ b/security/nss/cmd/bltest/blapitest.c
@@ -45,17 +45,17 @@
 #include "prtime.h"
 #include "prsystem.h"
 #include "plstr.h"
 #include "nssb64.h"
 #include "secutil.h"
 #include "plgetopt.h"
 #include "softoken.h"
 #include "nspr.h"
-#include "nss.h"
+#include "nssutil.h"
 #include "secoid.h"
 
 #ifdef NSS_ENABLE_ECC
 #include "ecl-curve.h"
 SECStatus EC_DecodeParams(const SECItem *encodedParams, 
 	ECParams **ecparams);
 SECStatus EC_CopyParams(PRArenaPool *arena, ECParams *dstParams,
 	      const ECParams *srcParams);
@@ -73,17 +73,17 @@ char *testdir = NULL;
 #define BLTEST_DEFAULT_CHUNKSIZE 4096
 
 #define WORDSIZE sizeof(unsigned long)
 
 #define CHECKERROR(rv, ln) \
     if (rv) { \
 	PRErrorCode prerror = PR_GetError(); \
 	PR_fprintf(PR_STDERR, "%s: ERR %d (%s) at line %d.\n", progName, \
-                   prerror, SECU_Strerror(prerror), ln); \
+	prerror, NSS_Strerror(prerror,formatSimple), ln); \
 	exit(-1); \
     }
 
 /* Macros for performance timing. */
 #define TIMESTART() \
     time1 = PR_IntervalNow();
 
 #define TIMEFINISH(time, reps) \
@@ -687,16 +687,17 @@ typedef enum {
     bltestRSA,		  /* Public Key Ciphers	   */
 #ifdef NSS_ENABLE_ECC
     bltestECDSA,	  /* . (Public Key Sig.)   */
 #endif
     bltestDSA,		  /* .                     */
     bltestMD2,		  /* Hash algorithms	   */
     bltestMD5,		  /* .			   */
     bltestSHA1,           /* .			   */
+    bltestSHA224,         /* .			   */
     bltestSHA256,         /* .			   */
     bltestSHA384,         /* .			   */
     bltestSHA512,         /* .			   */
     NUMMODES
 } bltestCipherMode;
 
 static char *mode_strings[] =
 {
@@ -721,16 +722,17 @@ static char *mode_strings[] =
 #ifdef NSS_ENABLE_ECC
     "ecdsa",
 #endif
     /*"pqg",*/
     "dsa",
     "md2",
     "md5",
     "sha1",
+    "sha224",
     "sha256",
     "sha384",
     "sha512",
 };
 
 typedef struct
 {
     bltestIO key;
@@ -1761,16 +1763,56 @@ sha1_restart(unsigned char *dest, const 
     }
     SHA1_End(cx, dest, &len, MD5_LENGTH);
 finish:
     SHA1_DestroyContext(cx, PR_TRUE);
     return rv;
 }
 
 SECStatus
+SHA224_restart(unsigned char *dest, const unsigned char *src, uint32 src_length)
+{
+    SECStatus rv = SECSuccess;
+    SHA224Context *cx, *cx_cpy;
+    unsigned char *cxbytes;
+    unsigned int len;
+    unsigned int i, quarter;
+    cx = SHA224_NewContext();
+    SHA224_Begin(cx);
+    /* divide message by 4, restarting 3 times */
+    quarter = (src_length + 3) / 4;
+    for (i=0; i < 4 && src_length > 0; i++) {
+	SHA224_Update(cx, src + i*quarter, PR_MIN(quarter, src_length));
+	len = SHA224_FlattenSize(cx);
+	cxbytes = PORT_Alloc(len);
+	SHA224_Flatten(cx, cxbytes);
+	cx_cpy = SHA224_Resurrect(cxbytes, NULL);
+	if (!cx_cpy) {
+	    PR_fprintf(PR_STDERR, "%s: SHA224_Resurrect failed!\n", progName);
+	    rv = SECFailure;
+	    goto finish;
+	}
+	rv = PORT_Memcmp(cx, cx_cpy, len);
+	if (rv) {
+	    SHA224_DestroyContext(cx_cpy, PR_TRUE);
+	    PR_fprintf(PR_STDERR, "%s: SHA224_restart failed!\n", progName);
+	    goto finish;
+	}
+	
+	SHA224_DestroyContext(cx_cpy, PR_TRUE);
+	PORT_Free(cxbytes);
+	src_length -= quarter;
+    }
+    SHA224_End(cx, dest, &len, MD5_LENGTH);
+finish:
+    SHA224_DestroyContext(cx, PR_TRUE);
+    return rv;
+}
+
+SECStatus
 SHA256_restart(unsigned char *dest, const unsigned char *src, uint32 src_length)
 {
     SECStatus rv = SECSuccess;
     SHA256Context *cx, *cx_cpy;
     unsigned char *cxbytes;
     unsigned int len;
     unsigned int i, quarter;
     cx = SHA256_NewContext();
@@ -2052,16 +2094,24 @@ cipherInit(bltestCipherInfo *cipherInfo,
 	break;
     case bltestSHA1:
 	restart = cipherInfo->params.hash.restart;
 	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
 			  SHA1_LENGTH);
 	cipherInfo->cipher.hashCipher = (restart) ? sha1_restart : SHA1_HashBuf;
 	return SECSuccess;
 	break;
+    case bltestSHA224:
+	restart = cipherInfo->params.hash.restart;
+	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
+			  SHA224_LENGTH);
+	cipherInfo->cipher.hashCipher = (restart) ? SHA224_restart 
+	                                          : SHA224_HashBuf;
+	return SECSuccess;
+	break;
     case bltestSHA256:
 	restart = cipherInfo->params.hash.restart;
 	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
 			  SHA256_LENGTH);
 	cipherInfo->cipher.hashCipher = (restart) ? SHA256_restart 
 	                                          : SHA256_HashBuf;
 	return SECSuccess;
 	break;
@@ -2493,16 +2543,17 @@ cipherFinish(bltestCipherInfo *cipherInf
     case bltestRSA: /* keys are alloc'ed within cipherInfo's arena, */
     case bltestDSA: /* will be freed with it. */
 #ifdef NSS_ENABLE_ECC
     case bltestECDSA:
 #endif
     case bltestMD2: /* hash contexts are ephemeral */
     case bltestMD5:
     case bltestSHA1:
+    case bltestSHA224:
     case bltestSHA256:
     case bltestSHA384:
     case bltestSHA512:
 	return SECSuccess;
 	break;
     default:
 	return SECFailure;
     }
@@ -2846,16 +2897,17 @@ get_params(PRArenaPool *arena, bltestPar
 	               bltestBase64Encoded);
 	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "ciphertext",j);
 	load_file_data(arena, &params->ecdsa.sig, filename, bltestBase64Encoded);
 	break;
 #endif
     case bltestMD2:
     case bltestMD5:
     case bltestSHA1:
+    case bltestSHA224:
     case bltestSHA256:
     case bltestSHA384:
     case bltestSHA512:
 	/*params->hash.restart = PR_TRUE;*/
 	params->hash.restart = PR_FALSE;
 	break;
     default:
 	break;
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha224/ciphertext0
@@ -0,0 +1,2 @@
+Iwl9IjQF2CKGQqR3vaJVsyqtvOS9oLP342ydpw==
+
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha224/ciphertext1
@@ -0,0 +1,2 @@
+dTiLFlEndsxdul2h/YkBULDGRVy09YsZUlIlJQ==
+
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha224/numtests
@@ -0,0 +1,1 @@
+2
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha224/plaintext0
@@ -0,0 +1,1 @@
+abc
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha224/plaintext1
@@ -0,0 +1,1 @@
+abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -1101,18 +1101,18 @@ static void luE(enum usage_level ul, con
 static void luCommonDetailsAE()
 {
     FPS "%-20s Specify the nickname of the certificate to add\n",
         "   -n cert-name");
     FPS "%-20s Set the certificate trust attributes:\n",
         "   -t trustargs");
     FPS "%-25s trustargs is of the form x,y,z where x is for SSL, y is for S/MIME,\n", "");
     FPS "%-25s and z is for code signing. Use ,, for no explicit trust.\n", "");
-    FPS "%-25s p \t valid peer\n", "");
-    FPS "%-25s P \t trusted peer (implies p)\n", "");
+    FPS "%-25s p \t prohibited\n", "");
+    FPS "%-25s P \t trusted peer\n", "");
     FPS "%-25s c \t valid CA\n", "");
     FPS "%-25s T \t trusted CA to issue client certs (implies c)\n", "");
     FPS "%-25s C \t trusted CA to issue server certs (implies c)\n", "");
     FPS "%-25s u \t user cert\n", "");
     FPS "%-25s w \t send warning\n", "");
     FPS "%-25s g \t make step-up cert\n", "");
     FPS "%-20s Specify the password file\n",
         "   -f pwfile");
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/chktest/Makefile
@@ -0,0 +1,79 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include ../platrules.mk
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/chktest/chktest.c
@@ -0,0 +1,76 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Kai Engert <kengert@redhat.com>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "blapi.h"
+#include "secutil.h"
+
+static int Usage()
+{
+    fprintf(stderr, "Usage:  chktest <full-path-to-shared-library>\n");
+    fprintf(stderr, "        Will test for valid chk file.\n");
+    fprintf(stderr, "        Will print SUCCESS or FAILURE.\n");
+    exit(1);
+}
+
+int main(int argc, char **argv)
+{
+    SECStatus rv = SECFailure;
+    PRBool good_result = PR_FALSE;
+
+    if (argc != 2)
+      return Usage();
+    
+    rv = RNG_RNGInit();
+    if (rv != SECSuccess) {
+        SECU_PrintPRandOSError("");
+        return -1;
+    }
+    rv = BL_Init();
+    if (rv != SECSuccess) {
+        SECU_PrintPRandOSError("");
+        return -1;
+    }
+    RNG_SystemInfoForRNG();
+
+    good_result = BLAPI_SHVerifyFile(argv[1]);
+    printf("%s\n", 
+      (good_result ? "SUCCESS" : "FAILURE"));
+    return (good_result) ? SECSuccess : SECFailure;
+}
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/chktest/manifest.mn
@@ -0,0 +1,59 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../..
+
+MODULE = nss
+
+#REQUIRES = seccmd dbm softoken
+REQUIRES = seccmd dbm
+
+#INCLUDES += -I$(CORE_DEPTH)/nss/lib/softoken
+
+PROGRAM = chktest
+
+ USE_STATIC_LIBS = 1
+
+EXPORTS = \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	$(NULL)
+
+CSRCS = \
+	chktest.c \
+	$(NULL)
+
--- a/security/nss/cmd/lib/Makefile
+++ b/security/nss/cmd/lib/Makefile
@@ -73,10 +73,9 @@ include $(CORE_DEPTH)/coreconf/rules.mk
 
 
 #######################################################################
 # (7) Execute "local" rules. (OPTIONAL).                              #
 #######################################################################
 
 export:: private_export
 
-$(OBJDIR)/secerror$(OBJ_SUFFIX): NSPRerrs.h SECerrs.h SSLerrs.h 
 
deleted file mode 100644
--- a/security/nss/cmd/lib/NSPRerrs.h
+++ /dev/null
@@ -1,153 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* General NSPR 2.0 errors */
-/* Caller must #include "prerror.h" */
-
-ER2( PR_OUT_OF_MEMORY_ERROR, 	"Memory allocation attempt failed." )
-ER2( PR_BAD_DESCRIPTOR_ERROR, 	"Invalid file descriptor." )
-ER2( PR_WOULD_BLOCK_ERROR, 	"The operation would have blocked." )
-ER2( PR_ACCESS_FAULT_ERROR, 	"Invalid memory address argument." )
-ER2( PR_INVALID_METHOD_ERROR, 	"Invalid function for file type." )
-ER2( PR_ILLEGAL_ACCESS_ERROR, 	"Invalid memory address argument." )
-ER2( PR_UNKNOWN_ERROR, 		"Some unknown error has occurred." )
-ER2( PR_PENDING_INTERRUPT_ERROR,"Operation interrupted by another thread." )
-ER2( PR_NOT_IMPLEMENTED_ERROR, 	"function not implemented." )
-ER2( PR_IO_ERROR, 		"I/O function error." )
-ER2( PR_IO_TIMEOUT_ERROR, 	"I/O operation timed out." )
-ER2( PR_IO_PENDING_ERROR, 	"I/O operation on busy file descriptor." )
-ER2( PR_DIRECTORY_OPEN_ERROR, 	"The directory could not be opened." )
-ER2( PR_INVALID_ARGUMENT_ERROR, "Invalid function argument." )
-ER2( PR_ADDRESS_NOT_AVAILABLE_ERROR, "Network address not available (in use?)." )
-ER2( PR_ADDRESS_NOT_SUPPORTED_ERROR, "Network address type not supported." )
-ER2( PR_IS_CONNECTED_ERROR, 	"Already connected." )
-ER2( PR_BAD_ADDRESS_ERROR, 	"Network address is invalid." )
-ER2( PR_ADDRESS_IN_USE_ERROR, 	"Local Network address is in use." )
-ER2( PR_CONNECT_REFUSED_ERROR, 	"Connection refused by peer." )
-ER2( PR_NETWORK_UNREACHABLE_ERROR, "Network address is presently unreachable." )
-ER2( PR_CONNECT_TIMEOUT_ERROR, 	"Connection attempt timed out." )
-ER2( PR_NOT_CONNECTED_ERROR, 	"Network file descriptor is not connected." )
-ER2( PR_LOAD_LIBRARY_ERROR, 	"Failure to load dynamic library." )
-ER2( PR_UNLOAD_LIBRARY_ERROR, 	"Failure to unload dynamic library." )
-ER2( PR_FIND_SYMBOL_ERROR, 	
-"Symbol not found in any of the loaded dynamic libraries." )
-ER2( PR_INSUFFICIENT_RESOURCES_ERROR, "Insufficient system resources." )
-ER2( PR_DIRECTORY_LOOKUP_ERROR, 	
-"A directory lookup on a network address has failed." )
-ER2( PR_TPD_RANGE_ERROR, 		
-"Attempt to access a TPD key that is out of range." )
-ER2( PR_PROC_DESC_TABLE_FULL_ERROR, "Process open FD table is full." )
-ER2( PR_SYS_DESC_TABLE_FULL_ERROR, "System open FD table is full." )
-ER2( PR_NOT_SOCKET_ERROR, 	
-"Network operation attempted on non-network file descriptor." )
-ER2( PR_NOT_TCP_SOCKET_ERROR, 	
-"TCP-specific function attempted on a non-TCP file descriptor." )
-ER2( PR_SOCKET_ADDRESS_IS_BOUND_ERROR, "TCP file descriptor is already bound." )
-ER2( PR_NO_ACCESS_RIGHTS_ERROR, "Access Denied." )
-ER2( PR_OPERATION_NOT_SUPPORTED_ERROR, 
-"The requested operation is not supported by the platform." )
-ER2( PR_PROTOCOL_NOT_SUPPORTED_ERROR, 
-"The host operating system does not support the protocol requested." )
-ER2( PR_REMOTE_FILE_ERROR, 	"Access to the remote file has been severed." )
-ER2( PR_BUFFER_OVERFLOW_ERROR, 	
-"The value requested is too large to be stored in the data buffer provided." )
-ER2( PR_CONNECT_RESET_ERROR, 	"TCP connection reset by peer." )
-ER2( PR_RANGE_ERROR, 		"Unused." )
-ER2( PR_DEADLOCK_ERROR, 	"The operation would have deadlocked." )
-ER2( PR_FILE_IS_LOCKED_ERROR, 	"The file is already locked." )
-ER2( PR_FILE_TOO_BIG_ERROR, 	
-"Write would result in file larger than the system allows." )
-ER2( PR_NO_DEVICE_SPACE_ERROR, 	"The device for storing the file is full." )
-ER2( PR_PIPE_ERROR, 		"Unused." )
-ER2( PR_NO_SEEK_DEVICE_ERROR, 	"Unused." )
-ER2( PR_IS_DIRECTORY_ERROR, 	
-"Cannot perform a normal file operation on a directory." )
-ER2( PR_LOOP_ERROR, 		"Symbolic link loop." )
-ER2( PR_NAME_TOO_LONG_ERROR, 	"File name is too long." )
-ER2( PR_FILE_NOT_FOUND_ERROR, 	"File not found." )
-ER2( PR_NOT_DIRECTORY_ERROR, 	
-"Cannot perform directory operation on a normal file." )
-ER2( PR_READ_ONLY_FILESYSTEM_ERROR, 
-"Cannot write to a read-only file system." )
-ER2( PR_DIRECTORY_NOT_EMPTY_ERROR, 
-"Cannot delete a directory that is not empty." )
-ER2( PR_FILESYSTEM_MOUNTED_ERROR, 
-"Cannot delete or rename a file object while the file system is busy." )
-ER2( PR_NOT_SAME_DEVICE_ERROR, 	
-"Cannot rename a file to a file system on another device." )
-ER2( PR_DIRECTORY_CORRUPTED_ERROR, 
-"The directory object in the file system is corrupted." )
-ER2( PR_FILE_EXISTS_ERROR, 	
-"Cannot create or rename a filename that already exists." )
-ER2( PR_MAX_DIRECTORY_ENTRIES_ERROR, 
-"Directory is full.  No additional filenames may be added." )
-ER2( PR_INVALID_DEVICE_STATE_ERROR, 
-"The required device was in an invalid state." )
-ER2( PR_DEVICE_IS_LOCKED_ERROR, "The device is locked." )
-ER2( PR_NO_MORE_FILES_ERROR, 	"No more entries in the directory." )
-ER2( PR_END_OF_FILE_ERROR, 	"Encountered end of file." )
-ER2( PR_FILE_SEEK_ERROR, 	"Seek error." )
-ER2( PR_FILE_IS_BUSY_ERROR, 	"The file is busy." )
-ER2( PR_IN_PROGRESS_ERROR,
-"Operation is still in progress (probably a non-blocking connect)." )
-ER2( PR_ALREADY_INITIATED_ERROR,
-"Operation has already been initiated (probably a non-blocking connect)." )
-
-#ifdef PR_GROUP_EMPTY_ERROR
-ER2( PR_GROUP_EMPTY_ERROR, 	"The wait group is empty." )
-#endif
-
-#ifdef PR_INVALID_STATE_ERROR
-ER2( PR_INVALID_STATE_ERROR, 	"Object state improper for request." )
-#endif
-
-#ifdef PR_NETWORK_DOWN_ERROR
-ER2( PR_NETWORK_DOWN_ERROR,	"Network is down." )
-#endif
-
-#ifdef PR_SOCKET_SHUTDOWN_ERROR
-ER2( PR_SOCKET_SHUTDOWN_ERROR,	"The socket was previously shut down." )
-#endif
-
-#ifdef PR_CONNECT_ABORTED_ERROR
-ER2( PR_CONNECT_ABORTED_ERROR,	"TCP Connection aborted." )
-#endif
-
-#ifdef PR_HOST_UNREACHABLE_ERROR
-ER2( PR_HOST_UNREACHABLE_ERROR,	"Host is unreachable." )
-#endif
-
-/* always last */
-ER2( PR_MAX_ERROR, 		"Placeholder for the end of the list" )
--- a/security/nss/cmd/lib/manifest.mn
+++ b/security/nss/cmd/lib/manifest.mn
@@ -39,27 +39,22 @@ CORE_DEPTH	= ../../..
 LIBRARY_NAME	= sectool
 
 # MODULE public and private header  directories are implicitly REQUIRED.
 MODULE		= nss
 
 DEFINES		= -DNSPR20
 
 PRIVATE_EXPORTS	= secutil.h \
-		  NSPRerrs.h \
-		  SECerrs.h \
-		  SSLerrs.h \
 		  pk11table.h \
 		  $(NULL)
 
 CSRCS		= secutil.c \
 		secpwd.c    \
 		derprint.c \
 		moreoids.c \
 		pppolicy.c \
 		secerror.c \
 		ffs.c \
 		pk11table.c \
 		$(NULL)
 
-REQUIRES	= dbm
-
 NO_MD_RELEASE	= 1
--- a/security/nss/cmd/lib/pk11table.c
+++ b/security/nss/cmd/lib/pk11table.c
@@ -150,20 +150,20 @@ const Constant _consts[] = {
 	mkEntry(CKO_DATA, Object),
 	mkEntry(CKO_CERTIFICATE, Object),
 	mkEntry(CKO_PUBLIC_KEY, Object),
 	mkEntry(CKO_PRIVATE_KEY, Object),
 	mkEntry(CKO_SECRET_KEY, Object),
 	mkEntry(CKO_HW_FEATURE, Object),
 	mkEntry(CKO_DOMAIN_PARAMETERS, Object),
 	mkEntry(CKO_KG_PARAMETERS, Object),
-	mkEntry(CKO_NETSCAPE_CRL, Object),
-	mkEntry(CKO_NETSCAPE_SMIME, Object),
-	mkEntry(CKO_NETSCAPE_TRUST, Object),
-	mkEntry(CKO_NETSCAPE_BUILTIN_ROOT_LIST, Object),
+	mkEntry(CKO_NSS_CRL, Object),
+	mkEntry(CKO_NSS_SMIME, Object),
+	mkEntry(CKO_NSS_TRUST, Object),
+	mkEntry(CKO_NSS_BUILTIN_ROOT_LIST, Object),
 
 	mkEntry(CKH_MONOTONIC_COUNTER, Hardware),
 	mkEntry(CKH_CLOCK, Hardware),
 
 	mkEntry(CKK_RSA, KeyType),
 	mkEntry(CKK_DSA, KeyType),
 	mkEntry(CKK_DH, KeyType),
 	mkEntry(CKK_ECDSA, KeyType),
@@ -183,17 +183,17 @@ const Constant _consts[] = {
 	mkEntry(CKK_RC5, KeyType),
 	mkEntry(CKK_IDEA, KeyType),
 	mkEntry(CKK_SKIPJACK, KeyType),
 	mkEntry(CKK_BATON, KeyType),
 	mkEntry(CKK_JUNIPER, KeyType),
 	mkEntry(CKK_CDMF, KeyType),
 	mkEntry(CKK_AES, KeyType),
 	mkEntry(CKK_CAMELLIA, KeyType),
-	mkEntry(CKK_NETSCAPE_PKCS8, KeyType),
+	mkEntry(CKK_NSS_PKCS8, KeyType),
 
 	mkEntry(CKC_X_509, CertType),
 	mkEntry(CKC_X_509_ATTR_CERT, CertType),
 
 	mkEntry2(CKA_CLASS, Attribute, Object),
 	mkEntry2(CKA_TOKEN, Attribute, Bool),
 	mkEntry2(CKA_PRIVATE, Attribute, Bool),
 	mkEntry2(CKA_LABEL, Attribute, None),
@@ -247,28 +247,28 @@ const Constant _consts[] = {
 	mkEntry2(CKA_ECDSA_PARAMS, Attribute, None),
 	mkEntry2(CKA_EC_PARAMS, Attribute, None),
 	mkEntry2(CKA_EC_POINT, Attribute, None),
 	mkEntry2(CKA_SECONDARY_AUTH, Attribute, None),
 	mkEntry2(CKA_AUTH_PIN_FLAGS, Attribute, None),
 	mkEntry2(CKA_HW_FEATURE_TYPE, Attribute, Hardware),
 	mkEntry2(CKA_RESET_ON_INIT, Attribute, Bool),
 	mkEntry2(CKA_HAS_RESET, Attribute, Bool),
-	mkEntry2(CKA_NETSCAPE_URL, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_EMAIL, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_SMIME_INFO, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_SMIME_TIMESTAMP, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_PKCS8_SALT, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_PASSWORD_CHECK, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_EXPIRES, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_KRL, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_PQG_COUNTER, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_PQG_SEED, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_PQG_H, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_PQG_SEED_BITS, Attribute, None),
+	mkEntry2(CKA_NSS_URL, Attribute, None),
+	mkEntry2(CKA_NSS_EMAIL, Attribute, None),
+	mkEntry2(CKA_NSS_SMIME_INFO, Attribute, None),
+	mkEntry2(CKA_NSS_SMIME_TIMESTAMP, Attribute, None),
+	mkEntry2(CKA_NSS_PKCS8_SALT, Attribute, None),
+	mkEntry2(CKA_NSS_PASSWORD_CHECK, Attribute, None),
+	mkEntry2(CKA_NSS_EXPIRES, Attribute, None),
+	mkEntry2(CKA_NSS_KRL, Attribute, None),
+	mkEntry2(CKA_NSS_PQG_COUNTER, Attribute, None),
+	mkEntry2(CKA_NSS_PQG_SEED, Attribute, None),
+	mkEntry2(CKA_NSS_PQG_H, Attribute, None),
+	mkEntry2(CKA_NSS_PQG_SEED_BITS, Attribute, None),
 	mkEntry2(CKA_TRUST_DIGITAL_SIGNATURE, Attribute, Trust),
 	mkEntry2(CKA_TRUST_NON_REPUDIATION, Attribute, Trust),
 	mkEntry2(CKA_TRUST_KEY_ENCIPHERMENT, Attribute, Trust),
 	mkEntry2(CKA_TRUST_DATA_ENCIPHERMENT, Attribute, Trust),
 	mkEntry2(CKA_TRUST_KEY_AGREEMENT, Attribute, Trust),
 	mkEntry2(CKA_TRUST_KEY_CERT_SIGN, Attribute, Trust),
 	mkEntry2(CKA_TRUST_CRL_SIGN, Attribute, Trust),
 	mkEntry2(CKA_TRUST_SERVER_AUTH, Attribute, Trust),
@@ -487,18 +487,18 @@ const Constant _consts[] = {
 	mkEntry(CKM_SEED_CBC, Mechanism),
 	mkEntry(CKM_SEED_MAC, Mechanism),
 	mkEntry(CKM_SEED_MAC_GENERAL, Mechanism),
 	mkEntry(CKM_SEED_CBC_PAD, Mechanism),
 	mkEntry(CKM_SEED_ECB_ENCRYPT_DATA, Mechanism),
 	mkEntry(CKM_SEED_CBC_ENCRYPT_DATA, Mechanism),
 	mkEntry(CKM_DSA_PARAMETER_GEN, Mechanism),
 	mkEntry(CKM_DH_PKCS_PARAMETER_GEN, Mechanism),
-	mkEntry(CKM_NETSCAPE_AES_KEY_WRAP, Mechanism),
-	mkEntry(CKM_NETSCAPE_AES_KEY_WRAP_PAD, Mechanism),
+	mkEntry(CKM_NSS_AES_KEY_WRAP, Mechanism),
+	mkEntry(CKM_NSS_AES_KEY_WRAP_PAD, Mechanism),
 	mkEntry(CKM_NETSCAPE_PBE_SHA1_DES_CBC, Mechanism),
 	mkEntry(CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC, Mechanism),
 	mkEntry(CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC, Mechanism),
 	mkEntry(CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC, Mechanism),
 	mkEntry(CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4, Mechanism),
 	mkEntry(CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4, Mechanism),
 	mkEntry(CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC, Mechanism),
 	mkEntry(CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN, Mechanism),
@@ -588,23 +588,22 @@ const Constant _consts[] = {
 	mkEntry(CKR_INFORMATION_SENSITIVE, Result),
 	mkEntry(CKR_STATE_UNSAVEABLE, Result),
 	mkEntry(CKR_CRYPTOKI_NOT_INITIALIZED, Result),
 	mkEntry(CKR_CRYPTOKI_ALREADY_INITIALIZED, Result),
 	mkEntry(CKR_MUTEX_BAD, Result),
 	mkEntry(CKR_MUTEX_NOT_LOCKED, Result),
 	mkEntry(CKR_VENDOR_DEFINED, Result),
 
-	mkEntry(CKT_NETSCAPE_TRUSTED, Trust),
-	mkEntry(CKT_NETSCAPE_TRUSTED_DELEGATOR, Trust),
-	mkEntry(CKT_NETSCAPE_UNTRUSTED, Trust),
-	mkEntry(CKT_NETSCAPE_MUST_VERIFY, Trust),
-	mkEntry(CKT_NETSCAPE_TRUST_UNKNOWN, Trust),
-	mkEntry(CKT_NETSCAPE_VALID, Trust),
-	mkEntry(CKT_NETSCAPE_VALID_DELEGATOR, Trust),
+	mkEntry(CKT_NSS_TRUSTED, Trust),
+	mkEntry(CKT_NSS_TRUSTED_DELEGATOR, Trust),
+	mkEntry(CKT_NSS_NOT_TRUSTED, Trust),
+	mkEntry(CKT_NSS_MUST_VERIFY_TRUST, Trust),
+	mkEntry(CKT_NSS_TRUST_UNKNOWN, Trust),
+	mkEntry(CKT_NSS_VALID_DELEGATOR, Trust),
 
 	mkEntry(CK_EFFECTIVELY_INFINITE, AvailableSizes),
 	mkEntry(CK_UNAVAILABLE_INFORMATION, CurrentSize),
 };
 
 const Constant *consts = &_consts[0];
 const int constCount = sizeof(_consts)/sizeof(_consts[0]);
 
@@ -1247,17 +1246,17 @@ const Commands _commands[] = {
 "NewTemplate varName attributeList\n\n"
 "Create a new empty template and populate the attribute list\n"
 " varName        variable name of the new template\n"
 " attributeList  comma separated list of CKA_ATTRIBUTE types\n",
 	{ArgVar|ArgNew, ArgVar, ArgNone, ArgNone, ArgNone, 
 	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
     {"NewMechanism", F_NewMechanism,
 "NewMechanism varName mechanismType\n\n"
-"Create a new CK_MECHANISM object with type NULL paramters and specified type\n"
+"Create a new CK_MECHANISM object with type NULL parameters and specified type\n"
 " varName        variable name of the new mechansim\n"
 " mechanismType  CKM_ mechanism type value to set int the type field\n",
 	{ArgVar|ArgNew, ArgULong, ArgNone, ArgNone, ArgNone, 
 	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
     {"BuildTemplate", F_BuildTemplate,
 "BuildTemplate template\n\n"
 "Allocates space for the value in a template which has the sizes filled in,\n"
 "but no values allocated yet.\n"
--- a/security/nss/cmd/lib/secerror.c
+++ b/security/nss/cmd/lib/secerror.c
@@ -28,83 +28,18 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-#include "nspr.h"
-
-struct tuple_str {
-    PRErrorCode	 errNum;
-    const char * errString;
-};
-
-typedef struct tuple_str tuple_str;
-
-#define ER2(a,b)   {a, b},
-#define ER3(a,b,c) {a, c},
-
-#include "secerr.h"
-#include "sslerr.h"
-
-const tuple_str errStrings[] = {
-
-/* keep this list in asceding order of error numbers */
-#include "SSLerrs.h"
-#include "SECerrs.h"
-#include "NSPRerrs.h"
-
-};
-
-const PRInt32 numStrings = sizeof(errStrings) / sizeof(tuple_str);
+#include "prtypes.h"
+#include "nssutil.h"
 
 /* Returns a UTF-8 encoded constant error string for "errNum".
- * Returns NULL of errNum is unknown.
+ * Returns NULL if errNum is unknown.
  */
 const char *
 SECU_Strerror(PRErrorCode errNum) {
-    PRInt32 low  = 0;
-    PRInt32 high = numStrings - 1;
-    PRInt32 i;
-    PRErrorCode num;
-    static int initDone;
-
-    /* make sure table is in ascending order.
-     * binary search depends on it.
-     */
-    if (!initDone) {
-	PRErrorCode lastNum = ((PRInt32)0x80000000);
-    	for (i = low; i <= high; ++i) {
-	    num = errStrings[i].errNum;
-	    if (num <= lastNum) {
-	    	fprintf(stderr, 
-"sequence error in error strings at item %d\n"
-"error %d (%s)\n"
-"should come after \n"
-"error %d (%s)\n",
-		        i, lastNum, errStrings[i-1].errString, 
-			num, errStrings[i].errString);
-	    }
-	    lastNum = num;
-	}
-	initDone = 1;
-    }
-
-    /* Do binary search of table. */
-    while (low + 1 < high) {
-    	i = (low + high) / 2;
-	num = errStrings[i].errNum;
-	if (errNum == num) 
-	    return errStrings[i].errString;
-        if (errNum < num)
-	    high = i;
-	else 
-	    low = i;
-    }
-    if (errNum == errStrings[low].errNum)
-    	return errStrings[low].errString;
-    if (errNum == errStrings[high].errNum)
-    	return errStrings[high].errString;
-    return NULL;
+    return NSS_Strerror(errNum, formatSimple);
 }
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -78,25 +78,19 @@ static char consoleName[] =  {
 #ifdef XP_OS2
     "\\DEV\\CON"
 #else
     "CON:"
 #endif
 #endif
 };
 
-
-char *
-SECU_GetString(int16 error_number)
-{
-
-    static char errString[80];
-    sprintf(errString, "Unknown error string (%d)", error_number);
-    return errString;
-}
+#include "nssutil.h"
+#include "ssl.h"
+
 
 void 
 SECU_PrintErrMsg(FILE *out, int level, char *progName, char *msg, ...)
 {
     va_list args;
     PRErrorCode err = PORT_GetError();
     const char * errString = SECU_Strerror(err);
 
@@ -1511,16 +1505,80 @@ const SEC_ASN1Template secuPBEV2Params[]
     { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
         SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
     { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, cipherAlg),
         SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
     { 0 }
 };
 
 void
+secu_PrintRSAPSSParams(FILE *out, SECItem *value, char *m, int level)
+{
+    PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    SECStatus rv;
+    SECKEYRSAPSSParams param;
+    SECAlgorithmID maskHashAlg;
+
+    if (m) {
+	SECU_Indent(out, level);
+	fprintf (out, "%s:\n", m);
+    }
+
+    if (!pool) {
+	SECU_Indent(out, level);
+	fprintf(out, "Out of memory\n");
+	return;
+    }
+
+    PORT_Memset(&param, 0, sizeof param);
+
+    rv = SEC_QuickDERDecodeItem(pool, &param,
+				SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate),
+				value);
+    if (rv == SECSuccess) {
+	if (!param.hashAlg) {
+	    SECU_Indent(out, level+1);
+	    fprintf(out, "Hash algorithm: default, SHA-1\n");
+	} else {
+	    SECU_PrintObjectID(out, &param.hashAlg->algorithm,
+			       "Hash algorithm", level+1);
+	}
+	if (!param.maskAlg) {
+	    SECU_Indent(out, level+1);
+	    fprintf(out, "Mask algorithm: default, MGF1\n");
+	    SECU_Indent(out, level+1);
+	    fprintf(out, "Mask hash algorithm: default, SHA-1\n");
+	} else {
+	    SECU_PrintObjectID(out, &param.maskAlg->algorithm,
+			       "Mask algorithm", level+1);
+	    rv = SEC_QuickDERDecodeItem(pool, &maskHashAlg,
+		     SEC_ASN1_GET(SECOID_AlgorithmIDTemplate),
+		     &param.maskAlg->parameters);
+	    if (rv == SECSuccess) {
+		SECU_PrintObjectID(out, &maskHashAlg.algorithm,
+				   "Mask hash algorithm", level+1);
+	    } else {
+		SECU_Indent(out, level+1);
+		fprintf(out, "Invalid mask generation algorithm parameters\n");
+	    }
+	}
+	if (!param.saltLength.data) {
+	    SECU_Indent(out, level+1);
+	    fprintf(out, "Salt length: default, %i (0x%2X)\n", 20, 20);
+	} else {
+	    SECU_PrintInteger(out, &param.saltLength, "Salt Length", level+1);
+	}
+    } else {
+	SECU_Indent(out, level+1);
+	fprintf(out, "Invalid RSA-PSS parameters\n");
+    }
+    PORT_FreeArena(pool, PR_FALSE);
+}
+
+void
 secu_PrintKDF2Params(FILE *out, SECItem *value, char *m, int level)
 {
     PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     SECStatus rv;
     secuPBEParams param;
 
     if (m) {
 	SECU_Indent(out, level);
@@ -1620,17 +1678,21 @@ SECU_PrintAlgorithmID(FILE *out, SECAlgo
 	    secu_PrintPKCS5V2Params(out, &a->parameters, "MAC", level+1);
 	    break;
 	default:
 	    secu_PrintPBEParams(out, &a->parameters, "Parameters", level+1);
 	    break;
 	}
 	return;
     }
-	
+
+    if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
+	secu_PrintRSAPSSParams(out, &a->parameters, "Parameters", level+1);
+	return;
+    }
 
     if (a->parameters.len == 0
 	|| (a->parameters.len == 2
 	    && PORT_Memcmp(a->parameters.data, "\005\000", 2) == 0)) {
 	/* No arguments or NULL argument */
     } else {
 	/* Print args to algorithm */
 	SECU_PrintAsHex(out, &a->parameters, "Args", level+1);
@@ -2379,17 +2441,17 @@ SECU_PrintName(FILE *out, CERTName *name
 
 void
 printflags(char *trusts, unsigned int flags)
 {
     if (flags & CERTDB_VALID_CA)
 	if (!(flags & CERTDB_TRUSTED_CA) &&
 	    !(flags & CERTDB_TRUSTED_CLIENT_CA))
 	    PORT_Strcat(trusts, "c");
-    if (flags & CERTDB_VALID_PEER)
+    if (flags & CERTDB_TERMINAL_RECORD)
 	if (!(flags & CERTDB_TRUSTED))
 	    PORT_Strcat(trusts, "p");
     if (flags & CERTDB_TRUSTED_CA)
 	PORT_Strcat(trusts, "C");
     if (flags & CERTDB_TRUSTED_CLIENT_CA)
 	PORT_Strcat(trusts, "T");
     if (flags & CERTDB_TRUSTED)
 	PORT_Strcat(trusts, "P");
@@ -3204,18 +3266,18 @@ SECU_PrintPKCS7ContentInfo(FILE *out, SE
 
 /*
 ** End of PKCS7 functions
 */
 
 void
 printFlags(FILE *out, unsigned int flags, int level)
 {
-    if ( flags & CERTDB_VALID_PEER ) {
-	SECU_Indent(out, level); fprintf(out, "Valid Peer\n");
+    if ( flags & CERTDB_TERMINAL_RECORD ) {
+	SECU_Indent(out, level); fprintf(out, "Terminal Record\n");
     }
     if ( flags & CERTDB_TRUSTED ) {
 	SECU_Indent(out, level); fprintf(out, "Trusted\n");
     }
     if ( flags & CERTDB_SEND_WARN ) {
 	SECU_Indent(out, level); fprintf(out, "Warn When Sending\n");
     }
     if ( flags & CERTDB_VALID_CA ) {
@@ -3245,16 +3307,39 @@ SECU_PrintTrustFlags(FILE *out, CERTCert
     SECU_Indent(out, level+1); fprintf(out, "SSL Flags:\n");
     printFlags(out, trust->sslFlags, level+2);
     SECU_Indent(out, level+1); fprintf(out, "Email Flags:\n");
     printFlags(out, trust->emailFlags, level+2);
     SECU_Indent(out, level+1); fprintf(out, "Object Signing Flags:\n");
     printFlags(out, trust->objectSigningFlags, level+2);
 }
 
+int SECU_PrintDERName(FILE *out, SECItem *der, const char *m, int level)
+{
+    PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    CERTName *name;
+    int rv = SEC_ERROR_NO_MEMORY;
+
+    if (!arena)
+	return rv;
+
+    name = PORT_ArenaZNew(arena, CERTName);
+    if (!name)
+	goto loser;
+
+    rv = SEC_ASN1DecodeItem(arena, name, SEC_ASN1_GET(CERT_NameTemplate), der);
+    if (rv)
+	goto loser;
+
+    SECU_PrintName(out, name, m, level);
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return rv;
+}
+
 int SECU_PrintSignedData(FILE *out, SECItem *der, const char *m,
 			   int level, SECU_PPFunc inner)
 {
     PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     CERTSignedData *sd;
     int rv = SEC_ERROR_NO_MEMORY;
 
     if (!arena)
@@ -3276,17 +3361,16 @@ int SECU_PrintSignedData(FILE *out, SECI
     SECU_PrintAlgorithmID(out, &sd->signatureAlgorithm, "Signature Algorithm",
 			  level+1);
     DER_ConvertBitString(&sd->signature);
     SECU_PrintAsHex(out, &sd->signature, "Signature", level+1);
     SECU_PrintFingerprints(out, der, "Fingerprint", level+1);
 loser:
     PORT_FreeArena(arena, PR_FALSE);
     return rv;
-
 }
 
 SECStatus
 SEC_PrintCertificateAndTrust(CERTCertificate *cert,
                              const char *label,
                              CERTCertTrust *trust)
 {
     SECStatus rv;
@@ -3506,133 +3590,16 @@ SECU_GetOptionArg(const secuCommand *cmd
 	if (optionNum < 0 || optionNum >= cmd->numOptions)
 		return NULL;
 	if (cmd->options[optionNum].activated)
 		return PL_strdup(cmd->options[optionNum].arg);
 	else
 		return NULL;
 }
 
-static char SECUErrorBuf[64];
-
-char *
-SECU_ErrorStringRaw(int16 err)
-{
-    if (err == 0)
-	SECUErrorBuf[0] = '\0';
-    else if (err == SEC_ERROR_BAD_DATA)
-	sprintf(SECUErrorBuf, "Bad data");
-    else if (err == SEC_ERROR_BAD_DATABASE)
-	sprintf(SECUErrorBuf, "Problem with database");
-    else if (err == SEC_ERROR_BAD_DER)
-	sprintf(SECUErrorBuf, "Problem with DER");
-    else if (err == SEC_ERROR_BAD_KEY)
-	sprintf(SECUErrorBuf, "Problem with key");
-    else if (err == SEC_ERROR_BAD_PASSWORD)
-	sprintf(SECUErrorBuf, "Incorrect password");
-    else if (err == SEC_ERROR_BAD_SIGNATURE)
-	sprintf(SECUErrorBuf, "Bad signature");
-    else if (err == SEC_ERROR_EXPIRED_CERTIFICATE)
-	sprintf(SECUErrorBuf, "Expired certificate");
-    else if (err == SEC_ERROR_EXTENSION_VALUE_INVALID)
-	sprintf(SECUErrorBuf, "Invalid extension value");
-    else if (err == SEC_ERROR_INPUT_LEN)
-	sprintf(SECUErrorBuf, "Problem with input length");
-    else if (err == SEC_ERROR_INVALID_ALGORITHM)
-	sprintf(SECUErrorBuf, "Invalid algorithm");
-    else if (err == SEC_ERROR_INVALID_ARGS)
-	sprintf(SECUErrorBuf, "Invalid arguments");
-    else if (err == SEC_ERROR_INVALID_AVA)
-	sprintf(SECUErrorBuf, "Invalid AVA");
-    else if (err == SEC_ERROR_INVALID_TIME)
-	sprintf(SECUErrorBuf, "Invalid time");
-    else if (err == SEC_ERROR_IO)
-	sprintf(SECUErrorBuf, "Security I/O error");
-    else if (err == SEC_ERROR_LIBRARY_FAILURE)
-	sprintf(SECUErrorBuf, "Library failure");
-    else if (err == SEC_ERROR_NO_MEMORY)
-	sprintf(SECUErrorBuf, "Out of memory");
-    else if (err == SEC_ERROR_OLD_CRL)
-	sprintf(SECUErrorBuf, "CRL is older than the current one");
-    else if (err == SEC_ERROR_OUTPUT_LEN)
-	sprintf(SECUErrorBuf, "Problem with output length");
-    else if (err == SEC_ERROR_UNKNOWN_ISSUER)
-	sprintf(SECUErrorBuf, "Unknown issuer");
-    else if (err == SEC_ERROR_UNTRUSTED_CERT)
-	sprintf(SECUErrorBuf, "Untrusted certificate");
-    else if (err == SEC_ERROR_UNTRUSTED_ISSUER)
-	sprintf(SECUErrorBuf, "Untrusted issuer");
-    else if (err == SSL_ERROR_BAD_CERTIFICATE)
-	sprintf(SECUErrorBuf, "Bad certificate");
-    else if (err == SSL_ERROR_BAD_CLIENT)
-	sprintf(SECUErrorBuf, "Bad client");
-    else if (err == SSL_ERROR_BAD_SERVER)
-	sprintf(SECUErrorBuf, "Bad server");
-    else if (err == SSL_ERROR_EXPORT_ONLY_SERVER)
-	sprintf(SECUErrorBuf, "Export only server");
-    else if (err == SSL_ERROR_NO_CERTIFICATE)
-	sprintf(SECUErrorBuf, "No certificate");
-    else if (err == SSL_ERROR_NO_CYPHER_OVERLAP)
-	sprintf(SECUErrorBuf, "No cypher overlap");
-    else if (err == SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE)
-	sprintf(SECUErrorBuf, "Unsupported certificate type");
-    else if (err == SSL_ERROR_UNSUPPORTED_VERSION)
-	sprintf(SECUErrorBuf, "Unsupported version");
-    else if (err == SSL_ERROR_US_ONLY_SERVER)
-	sprintf(SECUErrorBuf, "U.S. only server");
-    else if (err == PR_IO_ERROR)
-	sprintf(SECUErrorBuf, "I/O error");
-
-    else if (err == SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE)
-        sprintf (SECUErrorBuf, "Expired Issuer Certificate");
-    else if (err == SEC_ERROR_REVOKED_CERTIFICATE)
-        sprintf (SECUErrorBuf, "Revoked certificate");
-    else if (err == SEC_ERROR_NO_KEY)
-        sprintf (SECUErrorBuf, "No private key in database for this cert");
-    else if (err == SEC_ERROR_CERT_NOT_VALID)
-        sprintf (SECUErrorBuf, "Certificate is not valid");
-    else if (err == SEC_ERROR_EXTENSION_NOT_FOUND)
-        sprintf (SECUErrorBuf, "Certificate extension was not found");
-    else if (err == SEC_ERROR_EXTENSION_VALUE_INVALID)
-        sprintf (SECUErrorBuf, "Certificate extension value invalid");
-    else if (err == SEC_ERROR_CA_CERT_INVALID)
-        sprintf (SECUErrorBuf, "Issuer certificate is invalid");
-    else if (err == SEC_ERROR_CERT_USAGES_INVALID)
-        sprintf (SECUErrorBuf, "Certificate usages is invalid");
-    else if (err == SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION)
-        sprintf (SECUErrorBuf, "Certificate has unknown critical extension");
-    else if (err == SEC_ERROR_PKCS7_BAD_SIGNATURE)
-        sprintf (SECUErrorBuf, "Bad PKCS7 signature");
-    else if (err == SEC_ERROR_INADEQUATE_KEY_USAGE)
-        sprintf (SECUErrorBuf, "Certificate not approved for this operation");
-    else if (err == SEC_ERROR_INADEQUATE_CERT_TYPE)
-        sprintf (SECUErrorBuf, "Certificate not approved for this operation");
-
-    return SECUErrorBuf;
-}
-
-char *
-SECU_ErrorString(int16 err)
-{
-    char *error_string;
-
-    *SECUErrorBuf = 0;
-    SECU_ErrorStringRaw (err);
-
-    if (*SECUErrorBuf == 0) { 
-	error_string = SECU_GetString(err);
-	if (error_string == NULL || *error_string == '\0') 
-	    sprintf(SECUErrorBuf, "No error string found for %d.",  err);
-	else
-	    return error_string;
-    }
-
-    return SECUErrorBuf;
-}
-
 
 void 
 SECU_PrintPRandOSError(char *progName) 
 {
     char buffer[513];
     PRInt32     errLen = PR_GetErrorTextLength();
     if (errLen > 0 && errLen < sizeof buffer) {
         PR_GetErrorText(buffer);
--- a/security/nss/cmd/lib/secutil.h
+++ b/security/nss/cmd/lib/secutil.h
@@ -47,16 +47,17 @@
 #include <stdio.h>
 
 #define SEC_CT_PRIVATE_KEY		"private-key"
 #define SEC_CT_PUBLIC_KEY		"public-key"
 #define SEC_CT_CERTIFICATE		"certificate"
 #define SEC_CT_CERTIFICATE_REQUEST	"certificate-request"
 #define SEC_CT_PKCS7			"pkcs7"
 #define SEC_CT_CRL			"crl"
+#define SEC_CT_NAME			"name"
 
 #define NS_CERTREQ_HEADER "-----BEGIN NEW CERTIFICATE REQUEST-----"
 #define NS_CERTREQ_TRAILER "-----END NEW CERTIFICATE REQUEST-----"
 
 #define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----"
 #define NS_CERT_TRAILER "-----END CERTIFICATE-----"
 
 #define NS_CRL_HEADER  "-----BEGIN CRL-----"
@@ -254,16 +255,19 @@ int SECU_CheckCertNameExists(CERTCertDBH
 
 /* Dump contents of cert req */
 extern int SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m,
 	int level);
 
 /* Dump contents of certificate */
 extern int SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level);
 
+/* Dump contents of a DER certificate name (issuer or subject) */
+extern int SECU_PrintDERName(FILE *out, SECItem *der, const char *m, int level);
+
 /* print trust flags on a cert */
 extern void SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m, 
                                  int level);
 
 /* Dump contents of an RSA public key */
 extern int SECU_PrintRSAPublicKey(FILE *out, SECItem *der, char *m, int level);
 
 extern int SECU_PrintSubjectPublicKeyInfo(FILE *out, SECItem *der, char *m, 
@@ -437,22 +441,16 @@ char *
 SECU_GetOptionArg(const secuCommand *cmd, int optionNum);
 
 /*
  *
  *  Error messaging
  *
  */
 
-/* Return informative error string */
-char *SECU_ErrorString(int16 err);
-
-/* Return informative error string. Does not call XP_GetString */
-char *SECU_ErrorStringRaw(int16 err);
-
 void printflags(char *trusts, unsigned int flags);
 
 #if !defined(XP_UNIX) && !defined(XP_OS2)
 extern int ffs(unsigned int i);
 #endif
 
 /* Finds certificate by searching it in the DB or by examinig file
  * in the local directory. */
--- a/security/nss/cmd/manifest.mn
+++ b/security/nss/cmd/manifest.mn
@@ -43,16 +43,17 @@ REQUIRES = nss nspr libdbm
 DIRS = lib  \
  addbuiltin \
  atob  \
  bltest \
  btoa  \
  certcgi \
  certutil  \
  checkcert  \
+ chktest  \
  crlutil  \
  crmftest \
  dbtest \
  derdump  \
  digest  \
  fipstest  \
  makepqg  \
  multinit \
--- a/security/nss/cmd/modutil/install.c
+++ b/security/nss/cmd/modutil/install.c
@@ -31,16 +31,17 @@
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #include "install.h"
 #include "install-ds.h"
+#include <prerror.h>
 #include <prlock.h>
 #include <prio.h>
 #include <prmem.h>
 #include <prprf.h>
 #include <prsystem.h>
 #include <prproces.h>
 
 #ifdef XP_UNIX
@@ -56,17 +57,17 @@
 extern /*"C"*/
 int Pk11Install_AddNewModule(char* moduleName, char* dllPath,
                               unsigned long defaultMechanismFlags,
                               unsigned long cipherEnableFlags);
 extern /*"C"*/
 short Pk11Install_UserVerifyJar(JAR *jar, PRFileDesc *out,
 	PRBool query);
 extern /*"C"*/
-const char* mySECU_ErrorString(int16);
+const char* mySECU_ErrorString(PRErrorCode errnum);
 extern 
 int Pk11Install_yyparse();
 
 #define INSTALL_METAINFO_TAG "Pkcs11_install_script"
 #define SCRIPT_TEMP_FILE "pkcs11inst.tmp"
 #define ROOT_MARKER "%root%"
 #define TEMP_MARKER "%temp%"
 #define PRINTF_ROOT_MARKER "%%root%%"
@@ -413,17 +414,17 @@ Pk11Install_DoInstall(char *jarFile, con
 	} else {
 		status = JAR_pass_archive(jar, jarArchGuess, jarFile, "url");
 	}
 	if( (status < 0) || (jar->valid < 0) ) {
 		if (status >= JAR_BASE && status <= JAR_BASE_END) {
 			error(PK11_INSTALL_JAR_ERROR, jarFile, JAR_get_error(status));
 		} else {
 			error(PK11_INSTALL_JAR_ERROR, jarFile,
-			  mySECU_ErrorString((int16) PORT_GetError()) );
+			  mySECU_ErrorString(PORT_GetError()));
 		}
 		ret=PK11_INSTALL_JAR_ERROR;
 		goto loser;
 	}
 	/*printf("passed the archive\n");*/
 
 	/*
 	 * Show the user security information, allow them to abort or continue
@@ -465,17 +466,17 @@ Pk11Install_DoInstall(char *jarFile, con
 	} else {
 		status = JAR_verified_extract(jar, installer, SCRIPT_TEMP_FILE);
 	}
 	if(status) {
 		if (status >= JAR_BASE && status <= JAR_BASE_END) {
 			error(PK11_INSTALL_JAR_EXTRACT, installer, JAR_get_error(status));
 		} else {
 			error(PK11_INSTALL_JAR_EXTRACT, installer,
-			  mySECU_ErrorString((int16) PORT_GetError()) );
+			  mySECU_ErrorString(PORT_GetError()));
 		}
 		ret = PK11_INSTALL_JAR_EXTRACT;
 		goto loser;
 	} else {
 		made_temp_file = PR_TRUE;
 	}
 
 	/*
@@ -687,17 +688,17 @@ DoInstall(JAR *jar, const char *installD
 			status = JAR_verified_extract(jar, (char*)file->jarPath, dest);
 		}
 		if(status) {
 			if (status >= JAR_BASE && status <= JAR_BASE_END) {
 				error(PK11_INSTALL_JAR_EXTRACT, file->jarPath,
                   JAR_get_error(status));
 			} else {
 				error(PK11_INSTALL_JAR_EXTRACT, file->jarPath,
-				  mySECU_ErrorString((int16) PORT_GetError()) );
+				  mySECU_ErrorString(PORT_GetError()));
 			}
 			ret=PK11_INSTALL_JAR_EXTRACT;
 			goto loser;
 		}
 		if(feedback) {
 			PR_fprintf(feedback, msgStrings[INSTALLED_FILE_MSG],
 				file->jarPath, dest);
 		}
--- a/security/nss/cmd/modutil/instsec.c
+++ b/security/nss/cmd/modutil/instsec.c
@@ -30,16 +30,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #include <plarena.h>
+#include <prerror.h>
 #include <prio.h>
 #include <prprf.h>
 #include <seccomon.h>
 #include <secmod.h>
 #include <jar.h>
 #include <secutil.h>
 
 /* These are installation functions that make calls to the security library.
@@ -170,12 +171,12 @@ PR_fgets(char *buf, int size, PRFileDesc
     return buf;
 }
 
 /**************************************************************************
  *
  * m y S E C U _ E r r o r S t r i n g
  *
  */
-const char* mySECU_ErrorString(int16 errnum)
+const char* mySECU_ErrorString(PRErrorCode errnum)
 {
 	return SECU_Strerror(errnum);
 }
--- a/security/nss/cmd/pk11mode/pk11mode.c
+++ b/security/nss/cmd/pk11mode/pk11mode.c
@@ -878,28 +878,31 @@ CK_RV PKM_KeyTests(CK_FUNCTION_LIST_PTR 
         CK_ULONG    mechanism;
         const char *mechanismStr;
     };
 
     typedef struct mech_str mech_str;
 
     mech_str digestMechs[] = {
         {CKM_SHA_1, "CKM_SHA_1 "},
+        {CKM_SHA224, "CKM_SHA224"},
         {CKM_SHA256, "CKM_SHA256"},
         {CKM_SHA384, "CKM_SHA384"},
         {CKM_SHA512, "CKM_SHA512"}
     };
     mech_str hmacMechs[] = {
         {CKM_SHA_1_HMAC, "CKM_SHA_1_HMAC"}, 
+        {CKM_SHA224_HMAC, "CKM_SHA224_HMAC"},
         {CKM_SHA256_HMAC, "CKM_SHA256_HMAC"},
         {CKM_SHA384_HMAC, "CKM_SHA384_HMAC"},
         {CKM_SHA512_HMAC, "CKM_SHA512_HMAC"}
     };
     mech_str sigRSAMechs[] = {
         {CKM_SHA1_RSA_PKCS, "CKM_SHA1_RSA_PKCS"}, 
+        {CKM_SHA224_RSA_PKCS, "CKM_SHA224_RSA_PKCS"},
         {CKM_SHA256_RSA_PKCS, "CKM_SHA256_RSA_PKCS"},
         {CKM_SHA384_RSA_PKCS, "CKM_SHA384_RSA_PKCS"},
         {CKM_SHA512_RSA_PKCS, "CKM_SHA512_RSA_PKCS"}
     };
 
     CK_ULONG digestMechsSZ = NUM_ELEM(digestMechs);
     CK_ULONG sigRSAMechsSZ = NUM_ELEM(sigRSAMechs);
     CK_ULONG hmacMechsSZ = NUM_ELEM(hmacMechs);
@@ -5118,17 +5121,17 @@ CK_RV PKM_Digest(CK_FUNCTION_LIST_PTR pF
                  CK_MECHANISM *digestMech, CK_OBJECT_HANDLE hSecretKey,
                  const CK_BYTE *  pData, CK_ULONG pDataLen) {
     CK_RV crv = CKR_OK;
     CK_BYTE digest1[MAX_DIGEST_SZ];
     CK_ULONG digest1Len = 0 ;
     CK_BYTE digest2[MAX_DIGEST_SZ];
     CK_ULONG digest2Len = 0;
 
-    /* Tested with CKM_SHA_1, CKM_SHA256, CKM_SHA384, CKM_SHA512 */
+    /* Tested with CKM_SHA_1, CKM_SHA224, CKM_SHA256, CKM_SHA384, CKM_SHA512 */
 
     memset(digest1, 0, sizeof(digest1));
     memset(digest2, 0, sizeof(digest2));
     
     NUMTESTS++; /* increment NUMTESTS */
 
     crv = pFunctionList->C_DigestInit(hSession, digestMech);
     if (crv != CKR_OK) {
--- a/security/nss/cmd/pk12util/pk12util.c
+++ b/security/nss/cmd/pk12util/pk12util.c
@@ -555,27 +555,27 @@ loser:
     }
     
     return rv;
 }
 
 static void
 p12u_DoPKCS12ExportErrors()
 {
-    int error_value;
+    PRErrorCode error_value;
 
     error_value = PORT_GetError();
     if ((error_value == SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY) ||
 	(error_value == SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME) ||
 	(error_value == SEC_ERROR_PKCS12_UNABLE_TO_WRITE)) {
-	fputs(SECU_ErrorStringRaw((int16)error_value), stderr);
+	fputs(SECU_Strerror(error_value), stderr);
     } else if(error_value == SEC_ERROR_USER_CANCELLED) {
 	;
     } else {
-	fputs(SECU_ErrorStringRaw(SEC_ERROR_EXPORTING_CERTIFICATES), stderr);
+	fputs(SECU_Strerror(SEC_ERROR_EXPORTING_CERTIFICATES), stderr);
     }
 }
 
 static void
 p12u_WriteToExportFile(void *arg, const char *buf, unsigned long len)
 {
     p12uContext *p12cxt = arg;
     int writeLen;
--- a/security/nss/cmd/pp/pp.c
+++ b/security/nss/cmd/pp/pp.c
@@ -33,17 +33,17 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * Pretty-print some well-known BER or DER encoded data (e.g. certificates,
  * keys, pkcs7)
  *
- * $Id: pp.c,v 1.9 2007/09/25 03:46:23 nelson%bolyard.com Exp $
+ * $Id: pp.c,v 1.10 2010/09/03 19:25:02 nelson%bolyard.com Exp $
  */
 
 #include "secutil.h"
 
 #if defined(__sun) && !defined(SVR4)
 extern int fprintf(FILE *, char *, ...);
 #endif
 
@@ -57,17 +57,18 @@ static void Usage(char *progName)
 {
     fprintf(stderr,
 	    "Usage:  %s -t type [-a] [-i input] [-o output]\n",
 	    progName);
     fprintf(stderr, "%-20s Specify the input type (must be one of %s,\n",
 	    "-t type", SEC_CT_PRIVATE_KEY);
     fprintf(stderr, "%-20s %s, %s, %s,\n", "", SEC_CT_PUBLIC_KEY,
 	    SEC_CT_CERTIFICATE, SEC_CT_CERTIFICATE_REQUEST);
-    fprintf(stderr, "%-20s %s or %s)\n", "", SEC_CT_PKCS7, SEC_CT_CRL);    
+    fprintf(stderr, "%-20s %s, %s or %s)\n", "", SEC_CT_PKCS7, SEC_CT_CRL,
+            SEC_CT_NAME);    
     fprintf(stderr, "%-20s Input is in ascii encoded form (RFC1113)\n",
 	    "-a");
     fprintf(stderr, "%-20s Define an input file to use (default is stdin)\n",
 	    "-i input");
     fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
 	    "-o output");
     exit(-1);
 }
@@ -161,16 +162,18 @@ int main(int argc, char **argv)
     } else if (PORT_Strcmp(typeTag, SEC_CT_PRIVATE_KEY) == 0) {
 	rv = SECU_PrintPrivateKey(outFile, &data, "Private Key", 0);
 #endif
     } else if (PORT_Strcmp(typeTag, SEC_CT_PUBLIC_KEY) == 0) {
 	rv = SECU_PrintSubjectPublicKeyInfo(outFile, &data, "Public Key", 0);
     } else if (PORT_Strcmp(typeTag, SEC_CT_PKCS7) == 0) {
 	rv = SECU_PrintPKCS7ContentInfo(outFile, &data,
 					"PKCS #7 Content Info", 0);
+    } else if (PORT_Strcmp(typeTag, SEC_CT_NAME) == 0) {
+	rv = SECU_PrintDERName(outFile, &data, "Name", 0);
     } else {
 	fprintf(stderr, "%s: don't know how to print out '%s' files\n",
 		progName, typeTag);
 	SECU_PrintAny(outFile, &data, "File contains", 0);
 	return -1;
     }
 
     if (inFile != PR_STDIN)
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/ppcertdata/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2010
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/ppcertdata/manifest.mn
@@ -0,0 +1,55 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2010
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#	Nelson Bolyard <nelson@bolyard.me>
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH	= ../../..
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss 
+
+# This next line is used by .mk files
+# and gets translated into $LINCS in manifest.mnw
+# The MODULE is always implicitly required.
+# Listing it here in REQUIRES makes it appear twice in the cc command line.
+REQUIRES = seccmd 
+
+#DEFINES = -DNSPR20
+
+CSRCS = ppcertdata.c
+
+PROGRAM	= ppcertdata
+
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/ppcertdata/ppcertdata.c
@@ -0,0 +1,132 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the CertData.txt review helper program.
+ *
+ * The Initial Developer of the Original Code is
+ * Nelson Bolyard
+ * Portions created by the Initial Developer are Copyright (C) 2009-2010
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include <stdio.h>
+#include <string.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include "secutil.h"
+#include "nss.h"
+
+unsigned char  binary_line[64 * 1024];
+
+int
+main(int argc, const char ** argv)
+{
+    int            skip_count = 0;
+    int            bytes_read;
+    char           line[133];
+
+    if (argc > 1) {
+    	skip_count = atoi(argv[1]);
+    }
+    if (argc > 2 || skip_count < 0) {
+        printf("Usage: %s [ skip_columns ] \n", argv[0]);
+	return 1;
+    }
+
+    NSS_NoDB_Init(NULL);
+
+    while (fgets(line, 132, stdin) && (bytes_read = strlen(line)) > 0 ) {
+	int    bytes_written;
+	char * found;
+	char * in          = line       + skip_count; 
+	int    left        = bytes_read - skip_count;
+	int    is_cert;
+	int    is_serial;
+	int    is_name;
+	int    is_hash;
+	int    use_pp      = 0;
+	int    out = 0;
+	SECItem der = {siBuffer, NULL, 0 };
+
+	line[bytes_read] = 0;
+	if (bytes_read <= skip_count) 
+	    continue;
+	fwrite(in, 1, left, stdout);
+	found = strstr(in, "MULTILINE_OCTAL");
+	if (!found) 
+	    continue;
+	fflush(stdout);
+
+	is_cert   = (NULL != strstr(in, "CKA_VALUE"));
+	is_serial = (NULL != strstr(in, "CKA_SERIAL_NUMBER"));
+	is_name   = (NULL != strstr(in, "CKA_ISSUER")) ||
+		    (NULL != strstr(in, "CKA_SUBJECT"));
+	is_hash   = (NULL != strstr(in, "_HASH"));
+	while (fgets(line, 132, stdin) && 
+	       (bytes_read = strlen(line)) > 0 ) {
+	    in   = line       + skip_count; 
+	    left = bytes_read - skip_count;
+
+	    if ((left >= 3) && !strncmp(in, "END", 3))
+		break;
+	    while (left >= 4) {
+		if (in[0] == '\\'  && isdigit(in[1]) && 
+		    isdigit(in[2]) && isdigit(in[3])) {
+		    left -= 4;
+		    binary_line[out++] = ((in[1] - '0') << 6) |
+					 ((in[2] - '0') << 3) | 
+					  (in[3] - '0');
+		    in += 4;
+		} else 
+		    break;
+	    }
+	}
+	der.data = binary_line;
+	der.len  = out;
+	if (is_cert)
+	    SECU_PrintSignedData(stdout, &der, "Certificate", 0,
+				 SECU_PrintCertificate);
+	else if (is_name)
+	    SECU_PrintDERName(stdout, &der, "Name", 0);
+	else if (is_serial) {
+	    if (out > 2 && binary_line[0] == 2 &&
+	        out == 2 + binary_line[1]) {
+		der.data += 2;
+		der.len  -= 2;
+		SECU_PrintInteger(stdout, &der, "DER Serial Number", 0);
+	    } else
+		SECU_PrintInteger(stdout, &der, "Raw Serial Number", 0);
+	} else if (is_hash) 
+	    SECU_PrintAsHex(stdout, &der, "Hash", 0);
+	else 
+	    SECU_PrintBuf(stdout, "Other", binary_line, out);
+    }
+    NSS_Shutdown();
+    return 0;
+}
+
--- a/security/nss/cmd/selfserv/selfserv.c
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -1486,28 +1486,24 @@ do_accepts(
 PRFileDesc *
 getBoundListenSocket(unsigned short port)
 {
     PRFileDesc *       listen_sock;
     int                listenQueueDepth = 5 + (2 * maxThreads);
     PRStatus	       prStatus;
     PRNetAddr          addr;
     PRSocketOptionData opt;
-    PRUint16           socketDomain = PR_AF_INET;
 
     addr.inet.family = PR_AF_INET;
     addr.inet.ip     = PR_INADDR_ANY;
     addr.inet.port   = PR_htons(port);
 
-    if (PR_GetEnv("NSS_USE_SDP")) {
-        socketDomain = PR_AF_INET_SDP;
-    }
-    listen_sock = PR_OpenTCPSocket(socketDomain);
+    listen_sock = PR_NewTCPSocket();
     if (listen_sock == NULL) {
-        errExit("PR_OpenTCPSocket error");
+	errExit("PR_NewTCPSocket");
     }
 
     opt.option = PR_SockOpt_Nonblocking;
     opt.value.non_blocking = PR_FALSE;
     prStatus = PR_SetSocketOption(listen_sock, &opt);
     if (prStatus < 0) {
         PR_Close(listen_sock);
 	errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
--- a/security/nss/cmd/shlibsign/manifest.mn
+++ b/security/nss/cmd/shlibsign/manifest.mn
@@ -41,19 +41,16 @@ CORE_DEPTH = ../../..
 MODULE = nss
 
 DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\"
 
 CSRCS = \
 	shlibsign.c \
 	$(NULL)
 
-# headers for the MODULE (defined above) are implicitly required.
-REQUIRES = dbm seccmd
-
 # WINNT uses EXTRA_LIBS as the list of libs to link in.
 # Unix uses     OS_LIBS for that purpose.
 # We can solve this via conditional makefile code, but 
 # can't do this in manifest.mn because OS_ARCH isn't defined there.
 # So, look in the local Makefile for the defines for the list of libs.
 
 PROGRAM = shlibsign
 
--- a/security/nss/cmd/shlibsign/shlibsign.c
+++ b/security/nss/cmd/shlibsign/shlibsign.c
@@ -41,17 +41,17 @@
  *
  * The generated .chk files must be put in the same directory as
  * the NSS libraries they were generated for.
  *
  * When in FIPS 140 mode, the NSS Internal FIPS PKCS #11 Module will
  * compute the checksum for the NSS cryptographic boundary libraries
  * and compare the checksum with the value in .chk file.
  *
- * $Id: shlibsign.c,v 1.18.20.1 2011/04/08 04:04:27 wtc%google.com Exp $
+ * $Id: shlibsign.c,v 1.19 2011/04/08 04:02:53 wtc%google.com Exp $
  */
 
 #ifdef XP_UNIX
 #define USES_LINKS 1
 #endif
 
 #include <assert.h>
 #include <stdio.h>
--- a/security/nss/cmd/signtool/sign.c
+++ b/security/nss/cmd/signtool/sign.c
@@ -301,17 +301,17 @@ create_pk7 (char *dir, char *keyName, in
     status = SignFile (out, in, cert);
 
     CERT_DestroyCertificate (cert);
     fclose (in);
     fclose (out);
 
     if (status) {
 	PR_fprintf(errorFD, "%s: PROBLEM signing data (%s)\n",
-	    PROGRAM_NAME, SECU_ErrorString ((int16) PORT_GetError()));
+	    PROGRAM_NAME, SECU_Strerror(PORT_GetError()));
 	errorCount++;
 	return - 1;
     }
 
     return 0;
 }
 
 
--- a/security/nss/cmd/signtool/util.c
+++ b/security/nss/cmd/signtool/util.c
@@ -45,17 +45,17 @@ static int	is_dir (char *filename);
  * Nasty hackish function definitions
  */
 
 long	*mozilla_event_queue = 0;
 
 #ifndef XP_WIN
 char	*XP_GetString (int i)
 {
-    return SECU_ErrorStringRaw ((int16) i);
+    return SECU_Strerror (i);
 }
 #endif
 
 void	FE_SetPasswordEnabled()
 {
 }
 
 
--- a/security/nss/cmd/signtool/verify.c
+++ b/security/nss/cmd/signtool/verify.c
@@ -79,17 +79,17 @@ VerifyJar(char *filename)
 	    "\nNOTE -- \"%s\" archive DID NOT PASS crypto verification.\n",
 	     filename);
 	if (status < 0) {
 	    char	*errtext;
 
 	    if (status >= JAR_BASE && status <= JAR_BASE_END) {
 		errtext = JAR_get_error (status);
 	    } else {
-		errtext = SECU_ErrorString ((int16) PORT_GetError());
+		errtext = SECU_Strerror(PORT_GetError());
 	    }
 
 	    PR_fprintf(outputFD, "  (reported reason: %s)\n\n",
 	         errtext);
 
 	    /* corrupt files should not have their contents listed */
 
 	    if (status == JAR_ERR_CORRUPT)
@@ -310,17 +310,17 @@ JarWho(char *filename)
 	     filename);
 	retval = -1;
 	if (jar->valid < 0 || status != -1) {
 	    char	*errtext;
 
 	    if (status >= JAR_BASE && status <= JAR_BASE_END) {
 		errtext = JAR_get_error (status);
 	    } else {
-		errtext = SECU_ErrorString ((int16) PORT_GetError());
+		errtext = SECU_Strerror(PORT_GetError());
 	    }
 
 	    PR_fprintf(outputFD, "  (reported reason: %s)\n\n", errtext);
 	}
     }
 
     PR_fprintf(outputFD, "\nSigner information:\n\n");
 
--- a/security/nss/cmd/signver/signver.c
+++ b/security/nss/cmd/signver/signver.c
@@ -315,17 +315,17 @@ int main(int argc, char **argv)
 	    PORT_SetError(0);
 	    if (SEC_PKCS7VerifyDetachedSignature (cinfo, usage,
 				   &digest, digestType, PR_FALSE)) {
 		fprintf(outFile, "yes");
 	    } else {
 		fprintf(outFile, "no");
 		if (verbose) {
 		    fprintf(outFile, ":%s",
-			    SECU_ErrorString((int16)PORT_GetError()));
+			    SECU_Strerror(PORT_GetError()));
 		}
 	    }
 	    fprintf(outFile, "\n");
 	    result = 0;
 	}
 done:
 	SEC_PKCS7DestroyContentInfo(cinfo);
     }
--- a/security/nss/cmd/strsclnt/strsclnt.c
+++ b/security/nss/cmd/strsclnt/strsclnt.c
@@ -275,17 +275,17 @@ mySSLAuthCertificate(void *arg, PRFileDe
     CERT_DestroyCertificate(peerCert);
     /* error, if any, will be displayed by the Bad Cert Handler. */
     return rv;  
 }
 
 static SECStatus
 myBadCertHandler( void *arg, PRFileDesc *fd)
 {
-    int err = PR_GetError();
+    PRErrorCode err = PR_GetError();
     if (!MakeCertOK)
 	fprintf(stderr, 
 	    "strsclnt: -- SSL: Server Certificate Invalid, err %d.\n%s\n", 
             err, SECU_Strerror(err));
     return (MakeCertOK ? SECSuccess : SECFailure);
 }
 
 void 
@@ -355,31 +355,30 @@ printSecurityInfo(PRFileDesc *fd)
 }
 
 /**************************************************************************
 ** Begin thread management routines and data.
 **************************************************************************/
 
 #define MAX_THREADS 128
 
-typedef int startFn(void *a, void *b, int c, int d);
+typedef int startFn(void *a, void *b, int c);
 
 
 static PRInt32     numConnected;
 static int         max_threads;    /* peak threads allowed */
 
 typedef struct perThreadStr {
     void *	a;
     void *	b;
     int         tid;
     int         rv;
     startFn  *  startFunc;
     PRThread *  prThread;
     PRBool	inUse;
-    PRInt32     socketDomain;
 } perThread;
 
 perThread threads[MAX_THREADS];
 
 void
 thread_wrapper(void * arg)
 {
     perThread * slot = (perThread *)arg;
@@ -425,34 +424,32 @@ thread_wrapper(void * arg)
             if (--remaining_connections >= 0) { /* protected by threadLock */
                 doop = PR_TRUE;
             } else {
                 done = PR_TRUE;
             }
         }
         PR_Unlock(threadLock);
         if (doop) {
-            slot->rv = (* slot->startFunc)(slot->a, slot->b, slot->tid,
-                                           slot->socketDomain);
+            slot->rv = (* slot->startFunc)(slot->a, slot->b, slot->tid);
             PRINTF("strsclnt: Thread in slot %d returned %d\n", 
                    slot->tid, slot->rv);
         }
         if (dosleep) {
             PR_Sleep(PR_SecondsToInterval(1));
         }
     } while (!done && (!failed_already || ignoreErrors));
 }
 
 SECStatus
 launch_thread(
     startFn *	startFunc,
     void *	a,
     void *	b,
-    int         tid,
-    int         sockDom)
+    int         tid)
 {
     PRUint32 i;
     perThread * slot;
 
     PR_Lock(threadLock);
 
     PORT_Assert(numUsed < MAX_THREADS);
     if (! (numUsed < MAX_THREADS)) {
@@ -460,18 +457,17 @@ launch_thread(
         return SECFailure;
     }
 
     i = numUsed++;
     slot = &threads[i];
     slot->a = a;
     slot->b = b;
     slot->tid = tid;
-    slot->socketDomain = sockDom;
-    
+
     slot->startFunc = startFunc;
 
     slot->prThread      = PR_CreateThread(PR_USER_THREAD,
                                       thread_wrapper, slot,
 				      PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD,
 				      PR_JOINABLE_THREAD, 0);
     if (slot->prThread == NULL) {
 	PR_Unlock(threadLock);
@@ -584,18 +580,17 @@ lockedVars_AddToCount(lockedVars * lv, i
     PR_Unlock(lv->lock);
     return rv;
 }
 
 int
 do_writes(
     void *       a,
     void *       b,
-    int          c,
-    int          d)
+    int          c)
 {
     PRFileDesc *	ssl_sock	= (PRFileDesc *)a;
     lockedVars *	lv 		= (lockedVars *)b;
     int			sent  		= 0;
     int 		count		= 0;
 
     while (sent < bigBuf.len) {
 
@@ -627,17 +622,17 @@ handle_fdx_connection( PRFileDesc * ssl_
     lockedVars         lv;
     char               *buf;
 
 
     lockedVars_Init(&lv);
     lockedVars_AddToCount(&lv, 1);
 
     /* Attempt to launch the writer thread. */
-    result = launch_thread(do_writes, ssl_sock, &lv, connection, -1 /*not used*/);
+    result = launch_thread(do_writes, ssl_sock, &lv, connection);
 
     if (result != SECSuccess) 
     	goto cleanup;
 
     buf = PR_Malloc(RD_BUF_SIZE);
 
     if (buf) {
 	do {
@@ -746,32 +741,31 @@ myHandshakeCallback(PRFileDesc *socket, 
 
 /* one copy of this function is launched in a separate thread for each
 ** connection to be made.
 */
 int
 do_connects(
     void *	a,
     void *	b,
-    int         tid,
-    PRInt32     socketDomain)
+    int         tid)
 {
     PRNetAddr  *        addr		= (PRNetAddr *)  a;
     PRFileDesc *        model_sock	= (PRFileDesc *) b;
     PRFileDesc *        ssl_sock	= 0;
     PRFileDesc *        tcp_sock	= 0;
     PRStatus	        prStatus;
     PRUint32            sleepInterval	= 50; /* milliseconds */
     SECStatus   	result;
     int                 rv 		= SECSuccess;
     PRSocketOptionData  opt;
 
 retry:
 
-    tcp_sock = PR_OpenTCPSocket(socketDomain);
+    tcp_sock = PR_OpenTCPSocket(addr->raw.family);
     if (tcp_sock == NULL) {
 	errExit("PR_OpenTCPSocket");
     }
 
     opt.option             = PR_SockOpt_Nonblocking;
     opt.value.non_blocking = PR_FALSE;
     prStatus = PR_SetSocketOption(tcp_sock, &opt);
     if (prStatus != PR_SUCCESS) {
@@ -1089,17 +1083,16 @@ client_main(
     const char *	hostName,
     const char *	sniHostName)
 {
     PRFileDesc *model_sock	= NULL;
     int         i;
     int         rv;
     PRStatus    status;
     PRNetAddr   addr;
-    PRInt32    socketDomain;
 
     status = PR_StringToNetAddr(hostName, &addr);
     if (status == PR_SUCCESS) {
     	addr.inet.port = PR_htons(port);
     } else {
 	/* Lookup host */
 	PRAddrInfo *addrInfo;
 	void       *enumPtr   = NULL;
@@ -1117,23 +1110,16 @@ client_main(
 		 addr.raw.family != PR_AF_INET6);
 	PR_FreeAddrInfo(addrInfo);
 	if (enumPtr == NULL) {
 	    SECU_PrintError(progName, "error looking up host address");
 	    return;
 	}
     }
 
-    /* check if SDP is going to be used */
-    if (!PR_GetEnv("NSS_USE_SDP")) {
-        socketDomain = addr.raw.family;
-    } else {
-        socketDomain = PR_AF_INET_SDP;
-    }
-
     /* all suites except RSA_NULL_MD5 are enabled by Domestic Policy */
     NSS_SetDomesticPolicy();
 
     /* all the SSL2 and SSL3 cipher suites are enabled by default. */
     if (cipherString) {
         int ndx;
 
         /* disable all the ciphers, then enable the ones we want. */
@@ -1180,18 +1166,18 @@ client_main(
 			cipher);
 		failed_already = 1;
 		return;
 	    }
         }
     }
 
     /* configure model SSL socket. */
-    
-    model_sock = PR_OpenTCPSocket(socketDomain);
+
+    model_sock = PR_OpenTCPSocket(addr.raw.family);
     if (model_sock == NULL) {
 	errExit("PR_OpenTCPSocket for model socket");
     }
 
     model_sock = SSL_ImportFD(NULL, model_sock);
     if (model_sock == NULL) {
 	errExit("SSL_ImportFD");
     }
@@ -1285,26 +1271,26 @@ client_main(
 
     remaining_connections = total_connections = connections;
     total_connections_modulo_100 = total_connections % 100;
     total_connections_rounded_down_to_hundreds =
         total_connections - total_connections_modulo_100;
 
     if (!NoReuse) {
         remaining_connections = 1;
-	rv = launch_thread(do_connects, &addr, model_sock, 0, socketDomain);
+	rv = launch_thread(do_connects, &addr, model_sock, 0);
 	/* wait for the first connection to terminate, then launch the rest. */
 	reap_threads();
         remaining_connections = total_connections - 1 ;
     }
     if (remaining_connections > 0) {
         active_threads  = PR_MIN(active_threads, remaining_connections);
 	/* Start up the threads */
 	for (i=0;i<active_threads;i++) {
-	    rv = launch_thread(do_connects, &addr, model_sock, i, socketDomain);
+	    rv = launch_thread(do_connects, &addr, model_sock, i);
 	}
 	reap_threads();
     }
     destroy_thread_data();
 
     PR_Close(model_sock);
 }
 
--- a/security/nss/cmd/symkeyutil/symkey.man
+++ b/security/nss/cmd/symkeyutil/symkey.man
@@ -22,17 +22,17 @@ DESCRIPTION
 
     As with certutil, symkeyutil takes two types of arguments, commands and
     options. Most commands fall into one of two catagories: commands which
     create keys and commands which extract or destroy keys. 
 
     Exceptions to these catagories are listed first:
 
     -H    takes no additional options. It lists a more detailed help message.
-    -L    takes the standard set of options. It lists all the keys in a the 
+    -L    takes the standard set of options. It lists all the keys in the 
           specified token (NSS Internal DB Token is the default).  Only the 
           -L option accepts the all option for tokens to list all the fixed 
           keys.
 
     Key Creation commands:
     For these commands, the key type (-t) option is always required. 
     In addition, the -s option may be required for certain key types.
     The standard set of options may be specified.
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/tests/encodeinttest.c
@@ -0,0 +1,93 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2011
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include <stdio.h>
+
+#include "secasn1.h"
+
+struct TestCase {
+    long value;
+    unsigned char data[5];
+    unsigned int len;
+};
+
+static struct TestCase testCase[] = {
+    /* XXX NSS doesn't generate the shortest encoding for negative values. */
+#if 0
+    { -128, { 0x80 }, 1 },
+    { -129, { 0xFF, 0x7F }, 2 },
+#endif
+
+    { 0, { 0x00 }, 1 },
+    { 127, { 0x7F }, 1 },
+    { 128, { 0x00, 0x80 }, 2 },
+    { 256, { 0x01, 0x00 }, 2 },
+    { 32768, { 0x00, 0x80, 0x00 }, 3 }
+};
+
+int main()
+{
+    PRBool failed = PR_FALSE;
+    unsigned int i;
+    unsigned int j;
+
+    for (i = 0; i < sizeof(testCase)/sizeof(testCase[0]); i++) {
+        SECItem encoded;
+        if (SEC_ASN1EncodeInteger(NULL, &encoded, testCase[i].value) == NULL) {
+            fprintf(stderr, "SEC_ASN1EncodeInteger failed\n");
+            failed = PR_TRUE;
+            continue;
+        }
+        if (encoded.len != testCase[i].len ||
+            memcmp(encoded.data, testCase[i].data, encoded.len) != 0) {
+            fprintf(stderr, "Encoding of %ld is incorrect:",
+                    testCase[i].value);
+            for (j = 0; j < encoded.len; j++) {
+                fprintf(stderr, " 0x%02X", (unsigned int)encoded.data[j]);
+            } 
+            fputs("\n", stderr);
+            failed = PR_TRUE;
+        }
+        PORT_Free(encoded.data);
+    }
+
+    if (failed) {
+        fprintf(stderr, "FAIL\n");
+        return 1;
+    }
+    printf("PASS\n");
+    return 0;
+}
--- a/security/nss/cmd/tests/manifest.mn
+++ b/security/nss/cmd/tests/manifest.mn
@@ -39,16 +39,17 @@ CORE_DEPTH = ../../..
 
 # MODULE public and private header  directories are implicitly REQUIRED.
 MODULE = nss
 
 CSRCS = \
 	baddbdir.c \
 	conflict.c \
 	dertimetest.c \
+	encodeinttest.c \
 	nonspr10.c \
 	remtest.c \
 	$(NULL)
 
 # The MODULE is always implicitly required.
 # Listing it here in REQUIRES makes it appear twice in the cc command line.
 REQUIRES = seccmd dbm
 
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -533,17 +533,16 @@ int main(int argc, char **argv)
     int                headerSeparatorPtrnId = 0;
     int                error = 0;
     PRUint16           portno = 443;
     char *             hs1SniHostName = NULL;
     char *             hs2SniHostName = NULL;
     PLOptState *optstate;
     PLOptStatus optstatus;
     PRStatus prStatus;
-    PRUint16           socketDomain;
 
     progName = strrchr(argv[0], '/');
     if (!progName)
 	progName = strrchr(argv[0], '\\');
     progName = progName ? progName+1 : argv[0];
 
     tmp = PR_GetEnv("NSS_DEBUG_TIMEOUT");
     if (tmp && tmp[0]) {
@@ -695,27 +694,21 @@ int main(int argc, char **argv)
 	if (enumPtr == NULL) {
 	    SECU_PrintError(progName, "error looking up host address");
 	    return 1;
 	}
     }
 
     printHostNameAndAddr(host, &addr);
 
-    /* check if SDP is going to be used */
-    if (!PR_GetEnv("NSS_USE_SDP")) {
-        socketDomain = addr.raw.family;
-    } else {
-        socketDomain = PR_AF_INET_SDP;
-    }
     if (pingServerFirst) {
 	int iter = 0;
 	PRErrorCode err;
 	do {
-	    s = PR_OpenTCPSocket(socketDomain);
+	    s = PR_OpenTCPSocket(addr.raw.family);
 	    if (s == NULL) {
 		SECU_PrintError(progName, "Failed to create a TCP socket");
 	    }
 	    opt.option             = PR_SockOpt_Nonblocking;
 	    opt.value.non_blocking = PR_FALSE;
 	    prStatus = PR_SetSocketOption(s, &opt);
 	    if (prStatus != PR_SUCCESS) {
 		PR_Close(s);
@@ -743,17 +736,17 @@ int main(int argc, char **argv)
 	    PR_Sleep(PR_MillisecondsToInterval(WAIT_INTERVAL));
 	} while (++iter < MAX_WAIT_FOR_SERVER);
 	SECU_PrintError(progName, 
                      "Client timed out while waiting for connection to server");
 	return 1;
     }
 
     /* Create socket */
-    s = PR_OpenTCPSocket(socketDomain);
+    s = PR_OpenTCPSocket(addr.raw.family);
     if (s == NULL) {
 	SECU_PrintError(progName, "error creating socket");
 	return 1;
     }
 
     opt.option = PR_SockOpt_Nonblocking;
     opt.value.non_blocking = PR_TRUE;
     PR_SetSocketOption(s, &opt);
--- a/security/nss/cmd/vfychain/vfychain.c
+++ b/security/nss/cmd/vfychain/vfychain.c
@@ -124,21 +124,18 @@ Usage(const char *progName)
 ** 
 ** Error and information routines.
 **
 **************************************************************************/
 
 void
 errWarn(char *function)
 {
-    PRErrorCode  errorNumber = PR_GetError();
-    const char * errorString = SECU_Strerror(errorNumber);
-
-    fprintf(stderr, "Error in function %s: %d\n - %s\n",
-		    function, errorNumber, errorString);
+    fprintf(stderr, "Error in function %s: %s\n",
+		    function, SECU_Strerror(PR_GetError()));
 }
 
 void
 exitErr(char *function)
 {
     errWarn(function);
     /* Exit gracefully. */
     /* ignoring return value of NSS_Shutdown as code exits with 1 anyway*/
@@ -205,17 +202,17 @@ getCert(const char *name, PRBool isAscii
     if (cert) {
         return cert;
     }
 
     /* Don't have a cert with name "name" in the DB. Try to
      * open a file with such name and get the cert from there.*/
     fd = PR_Open(name, PR_RDONLY, 0777); 
     if (!fd) {
-	PRIntn err = PR_GetError();
+	PRErrorCode err = PR_GetError();
     	fprintf(stderr, "open of %s failed, %d = %s\n", 
 	        name, err, SECU_Strerror(err));
 	return cert;
     }
 
     rv = SECU_ReadDERFromFile(&item, fd, isAscii);
     PR_Close(fd);
     if (rv != SECSuccess) {
@@ -228,17 +225,17 @@ getCert(const char *name, PRBool isAscii
 	return cert;
     }
 
     cert = CERT_NewTempCertificate(defaultDB, &item, 
                                    NULL     /* nickname */, 
                                    PR_FALSE /* isPerm */, 
 				   PR_TRUE  /* copyDER */);
     if (!cert) {
-	PRIntn err = PR_GetError();
+	PRErrorCode err = PR_GetError();
 	fprintf(stderr, "couldn't import %s, %d = %s\n",
 	        name, err, SECU_Strerror(err));
     }
     PORT_Free(item.data);
     return cert;
 }
 
 
@@ -533,22 +530,22 @@ main(int argc, char *argv[], char *envp[
     }
 breakout:
     if (status != PL_OPT_OK)
 	Usage(progName);
 
     if (usePkix < 2) {
         if (oidStr) {
             fprintf(stderr, "Policy oid(-o) can be used only with"
-                    " CERT_PKIXVerifyChain(-pp) function.\n");
+                    " CERT_PKIXVerifyCert(-pp) function.\n");
             Usage(progName);
         }
         if (trusted) {
             fprintf(stderr, "Cert trust flag can be used only with"
-                    " CERT_PKIXVerifyChain(-pp) function.\n");
+                    " CERT_PKIXVerifyCert(-pp) function.\n");
             Usage(progName);
         }
     }
 
     if (!useDefaultRevFlags && parseRevMethodsAndFlags()) {
         fprintf(stderr, "Invalid revocation configuration specified.\n");
         goto punt;
     }
@@ -581,17 +578,17 @@ breakout:
 	switch(optstate->option) {
 	default  : Usage(progName);                           break;
 	case 'a' : isAscii  = PR_TRUE;                        break;
 	case 'r' : isAscii  = PR_FALSE;                       break;
 	case 't' : trusted  = PR_TRUE;                       break;
 	case  0  : /* positional parameter */
             if (usePkix < 2 && trusted) {
                 fprintf(stderr, "Cert trust flag can be used only with"
-                        " CERT_PKIXVerifyChain(-pp) function.\n");
+                        " CERT_PKIXVerifyCert(-pp) function.\n");
                 Usage(progName);
             }
 	    cert = getCert(optstate->value, isAscii, progName);
 	    if (!cert) 
 	        goto punt;
 	    rememberCert(cert, trusted);
 	    if (!firstCert)
 	        firstCert = cert;
@@ -783,11 +780,12 @@ punt:
     }
     PORT_Free(progName);
     PORT_Free(certDir);
     PORT_Free(oidStr);
     freeRevocationMethodData();
     if (pwdata.data) {
         PORT_Free(pwdata.data);
     }
+    PL_ArenaFinish();
     PR_Cleanup();
     return rv;
 }
--- a/security/nss/lib/certdb/alg1485.c
+++ b/security/nss/lib/certdb/alg1485.c
@@ -98,22 +98,29 @@ static const NameToKind name2kinds[] = {
     { "postalAddress", 128, SEC_OID_AVA_POSTAL_ADDRESS, SEC_ASN1_DS},
     { "postalCode",     40, SEC_OID_AVA_POSTAL_CODE,    SEC_ASN1_DS},
     { "postOfficeBox",  40, SEC_OID_AVA_POST_OFFICE_BOX,SEC_ASN1_DS},
     { "houseIdentifier",64, SEC_OID_AVA_HOUSE_IDENTIFIER,SEC_ASN1_DS},
 /* end of IANA registered type names */
 
 /* legacy keywords */
     { "E",             128, SEC_OID_PKCS9_EMAIL_ADDRESS,SEC_ASN1_IA5_STRING},
-
-#if 0 /* removed.  Not yet in any IETF draft or RFC. */
+    { "STREET",        128, SEC_OID_AVA_STREET_ADDRESS, SEC_ASN1_DS},
     { "pseudonym",      64, SEC_OID_AVA_PSEUDONYM,      SEC_ASN1_DS},
-#endif
 
-    { 0,           256, SEC_OID_UNKNOWN                      , 0},
+/* values defined by the CAB Forum for EV */
+    { "incorporationLocality", 128, SEC_OID_EV_INCORPORATION_LOCALITY,
+                                                        SEC_ASN1_DS},
+    { "incorporationState",    128, SEC_OID_EV_INCORPORATION_STATE,
+                                                        SEC_ASN1_DS},
+    { "incorporationCountry",    2, SEC_OID_EV_INCORPORATION_COUNTRY,
+                                                    SEC_ASN1_PRINTABLE_STRING},
+    { "businessCategory",       64, SEC_OID_BUSINESS_CATEGORY, SEC_ASN1_DS},
+
+    { 0,               256, SEC_OID_UNKNOWN,            0},
 };
 
 /* Table facilitates conversion of ASCII hex to binary. */
 static const PRInt16 x2b[256] = {
 /* #0x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
 /* #1x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
 /* #2x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
 /* #3x */  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, -1, -1, -1, -1, -1, -1, 
--- a/security/nss/lib/certdb/cert.h
+++ b/security/nss/lib/certdb/cert.h
@@ -32,17 +32,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * cert.h - public data structures and prototypes for the certificate library
  *
- * $Id: cert.h,v 1.80.2.3 2011/04/08 22:54:34 kaie%kuix.de Exp $
+ * $Id: cert.h,v 1.86 2011/07/24 13:48:09 wtc%google.com Exp $
  */
 
 #ifndef _CERT_H_
 #define _CERT_H_
 
 #include "utilrename.h"
 #include "plarena.h"
 #include "plhash.h"
@@ -293,23 +293,16 @@ CERT_GetCertificateRequestExtensions(CER
                                      CERTCertExtension ***exts);
 
 /*
 ** Extract a public key object from a certificate
 */
 extern SECKEYPublicKey *CERT_ExtractPublicKey(CERTCertificate *cert);
 
 /*
- * used to get a public key with Key Material ID. Only used for fortezza V1
- * certificates.
- */
-extern SECKEYPublicKey *CERT_KMIDPublicKey(CERTCertificate *cert);
-
-
-/*
 ** Retrieve the Key Type associated with the cert we're dealing with
 */
 
 extern KeyType CERT_GetCertKeyType (CERTSubjectPublicKeyInfo *spki);
 
 /*
 ** Initialize the certificate database.  This is called to create
 **  the initial list of certificates in the database.
@@ -445,22 +438,22 @@ extern SECStatus CERT_AddOKDomainName(CE
 **	"copyDER" is true if the DER should be copied, false if the
 **		existing copy should be referenced
 **	"nickname" is the nickname to use in the database.  If it is NULL
 **		then a temporary nickname is generated.
 */
 extern CERTCertificate *
 CERT_DecodeDERCertificate (SECItem *derSignedCert, PRBool copyDER, char *nickname);
 /*
-** Decode a DER encoded CRL/KRL into an CERTSignedCrl structure
-**	"derSignedCrl" is the DER encoded signed crl/krl.
-**	"type" is this a CRL or KRL.
+** Decode a DER encoded CRL into a CERTSignedCrl structure
+**	"derSignedCrl" is the DER encoded signed CRL.
+**	"type" must be SEC_CRL_TYPE.
 */
 #define SEC_CRL_TYPE	1
-#define SEC_KRL_TYPE	0
+#define SEC_KRL_TYPE	0 /* deprecated */
 
 extern CERTSignedCrl *
 CERT_DecodeDERCrl (PLArenaPool *arena, SECItem *derSignedCrl,int type);
 
 /*
  * same as CERT_DecodeDERCrl, plus allow options to be passed in
  */
 
@@ -517,22 +510,16 @@ void CERT_CRLCacheRefreshIssuer(CERTCert
 SECStatus CERT_CacheCRL(CERTCertDBHandle* dbhandle, SECItem* newcrl);
 
 /* remove a previously added CRL object from the CRL cache. It is OK
    for the application to free the memory after a successful removal
 */
 SECStatus CERT_UncacheCRL(CERTCertDBHandle* dbhandle, SECItem* oldcrl);
 
 /*
-** Decode a certificate and put it into the temporary certificate database
-*/
-extern CERTCertificate *
-CERT_DecodeCertificate (SECItem *derCert, char *nickname,PRBool copyDER);
-
-/*
 ** Find a certificate in the database
 **	"key" is the database key to look for
 */
 extern CERTCertificate *CERT_FindCertByKey(CERTCertDBHandle *handle, SECItem *key);
 
 /*
 ** Find a certificate in the database by name
 **	"name" is the distinguished name to look up
@@ -1301,19 +1288,16 @@ CERT_CheckForEvilCert(CERTCertificate *c
 
 CERTGeneralName *
 CERT_GetCertificateNames(CERTCertificate *cert, PLArenaPool *arena);
 
 CERTGeneralName *
 CERT_GetConstrainedCertificateNames(CERTCertificate *cert, PLArenaPool *arena,
                                     PRBool includeSubjectCommonName);
 
-char *
-CERT_GetNickName(CERTCertificate   *cert, CERTCertDBHandle *handle, PLArenaPool *nicknameArena);
-
 /*
  * Creates or adds to a list of all certs with a give subject name, sorted by
  * validity time, newest first.  Invalid certs are considered older than
  * valid certs. If validOnly is set, do not include invalid certs on list.
  */
 CERTCertList *
 CERT_CreateSubjectCertList(CERTCertList *certList, CERTCertDBHandle *handle,
 			   SECItem *name, PRTime sorttime, PRBool validOnly);
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -34,17 +34,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * Certificate handling code
  *
- * $Id: certdb.c,v 1.104.2.5 2011/08/05 01:16:27 wtc%google.com Exp $
+ * $Id: certdb.c,v 1.116 2011/08/05 01:13:14 wtc%google.com Exp $
  */
 
 #include "nssilock.h"
 #include "prmon.h"
 #include "prtime.h"
 #include "cert.h"
 #include "certi.h"
 #include "secder.h"
@@ -476,67 +476,16 @@ GetKeyUsage(CERTCertificate *cert)
 	cert->keyUsage |= KU_NS_GOVT_APPROVED;
 	cert->rawKeyUsage |= KU_NS_GOVT_APPROVED;
     }
     
     return(SECSuccess);
 }
 
 
-/*
- * determine if a fortezza V1 Cert is a CA or not.
- */
-static PRBool
-fortezzaIsCA( CERTCertificate *cert) {
-    PRBool isCA = PR_FALSE;
-    CERTSubjectPublicKeyInfo *spki = &cert->subjectPublicKeyInfo;
-    int tag;
-
-    tag = SECOID_GetAlgorithmTag(&spki->algorithm);
-    if ((tag == SEC_OID_MISSI_KEA_DSS_OLD) ||
-       (tag == SEC_OID_MISSI_KEA_DSS) ||
-       (tag == SEC_OID_MISSI_DSS_OLD) ||
-       (tag == SEC_OID_MISSI_DSS) ) {
-	SECItem rawkey;
-	unsigned char *rawptr;
-	unsigned char *end;
-	int len;
-
-	rawkey = spki->subjectPublicKey;
-	DER_ConvertBitString(&rawkey);
-	rawptr = rawkey.data;
-	end = rawkey.data + rawkey.len;
-
-	/* version */	
-	rawptr += sizeof(((SECKEYPublicKey*)0)->u.fortezza.KMID)+2;
-
-	/* clearance (the string up to the first byte with the hi-bit on */
-	while ((rawptr < end) && (*rawptr++ & 0x80));
-	if (rawptr >= end) { return PR_FALSE; }
-
-	/* KEAPrivilege (the string up to the first byte with the hi-bit on */
-	while ((rawptr < end) && (*rawptr++ & 0x80));
-	if (rawptr >= end) { return PR_FALSE; }
-
-	/* skip the key */
-	len = (*rawptr << 8) | rawptr[1];
-	rawptr += 2 + len;
-
-	/* shared key */
-	if (rawptr >= end) { return PR_FALSE; }
-	/* DSS Version is next */
-	rawptr += 2;
-
-	/* DSSPrivilege (the string up to the first byte with the hi-bit on */
-	if (*rawptr & 0x30) isCA = PR_TRUE;
-	
-   }
-   return isCA;
-}
-
 static SECStatus
 findOIDinOIDSeqByTagNum(CERTOidSequence *seq, SECOidTag tagnum)
 {
     SECItem **oids;
     SECItem *oid;
     SECStatus rv = SECFailure;
     
     if (seq != NULL) {
@@ -698,22 +647,16 @@ cert_ComputeCertType(CERTCertificate *ce
 	if (basicConstraintPresent && basicConstraint.isCA ) {
 	    nsCertType |= (NS_CERT_TYPE_SSL_CA   |
 		           NS_CERT_TYPE_EMAIL_CA |
 		           EXT_KEY_USAGE_STATUS_RESPONDER);
 	}
 	/* allow any ssl or email (no ca or object signing. */
 	nsCertType |= NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER |
 	              NS_CERT_TYPE_EMAIL;
-
-	/* if the cert is a fortezza CA cert, then allow SSL CA and EMAIL CA */
-	if (fortezzaIsCA(cert)) {
-		nsCertType |= NS_CERT_TYPE_SSL_CA;
-		nsCertType |= NS_CERT_TYPE_EMAIL_CA;
-	}
     }
 
     if (encodedExtKeyUsage.data != NULL) {
 	PORT_Free(encodedExtKeyUsage.data);
     }
     if (extKeyUsage != NULL) {
 	CERT_DestroyOidSequence(extKeyUsage);
     }
@@ -723,53 +666,32 @@ cert_ComputeCertType(CERTCertificate *ce
 /*
  * cert_GetKeyID() - extract or generate the subjectKeyID from a certificate
  */
 SECStatus
 cert_GetKeyID(CERTCertificate *cert)
 {
     SECItem tmpitem;
     SECStatus rv;
-    SECKEYPublicKey *key;
     
     cert->subjectKeyID.len = 0;
 
     /* see of the cert has a key identifier extension */
     rv = CERT_FindSubjectKeyIDExtension(cert, &tmpitem);
     if ( rv == SECSuccess ) {
 	cert->subjectKeyID.data = (unsigned char*) PORT_ArenaAlloc(cert->arena, tmpitem.len);
 	if ( cert->subjectKeyID.data != NULL ) {
 	    PORT_Memcpy(cert->subjectKeyID.data, tmpitem.data, tmpitem.len);
 	    cert->subjectKeyID.len = tmpitem.len;
 	    cert->keyIDGenerated = PR_FALSE;
 	}
 	
 	PORT_Free(tmpitem.data);
     }
     
-    /* if the cert doesn't have a key identifier extension and the cert is
-     * a V1 fortezza certificate, use the cert's 8 byte KMID as the
-     * key identifier.  */
-    key = CERT_KMIDPublicKey(cert);
-
-    if (key != NULL) {
-	
-	if (key->keyType == fortezzaKey) {
-
-	    cert->subjectKeyID.data = (unsigned char *)PORT_ArenaAlloc(cert->arena, 8);
-	    if ( cert->subjectKeyID.data != NULL ) {
-		PORT_Memcpy(cert->subjectKeyID.data, key->u.fortezza.KMID, 8);
-		cert->subjectKeyID.len = 8;
-		cert->keyIDGenerated = PR_FALSE;
-	    }
-	}
-		
-	SECKEY_DestroyPublicKey(key);
-    }
-
     /* if the cert doesn't have a key identifier extension, then generate one*/
     if ( cert->subjectKeyID.len == 0 ) {
 	/*
 	 * pkix says that if the subjectKeyID is not present, then we should
 	 * use the SHA-1 hash of the DER-encoded publicKeyInfo from the cert
 	 */
 	cert->subjectKeyID.data = (unsigned char *)PORT_ArenaAlloc(cert->arena, SHA1_LENGTH);
 	if ( cert->subjectKeyID.data != NULL ) {
@@ -1341,18 +1263,16 @@ CERT_CheckKeyUsage(CERTCertificate *cert
 
 	switch (keyType) {
 	case rsaKey:
 	    requiredUsage |= KU_KEY_ENCIPHERMENT;
 	    break;
 	case dsaKey:
 	    requiredUsage |= KU_DIGITAL_SIGNATURE;
 	    break;
-	case fortezzaKey:
-	case keaKey:
 	case dhKey:
 	    requiredUsage |= KU_KEY_AGREEMENT;
 	    break;
 	case ecKey:
 	    /* Accept either signature or agreement. */
 	    if (!(cert->keyUsage & (KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT)))
 		 goto loser;
 	    break;
@@ -1659,18 +1579,17 @@ finish:
 /*
  * If found:
  *   - subAltName contains the extension (caller must free)
  *   - return value is the decoded namelist (allocated off arena)
  * if not found, or if failure to decode:
  *   - return value is NULL
  */
 CERTGeneralName *
-cert_GetSubjectAltNameList(CERTCertificate *cert,
-                           PRArenaPool *arena)
+cert_GetSubjectAltNameList(CERTCertificate *cert, PRArenaPool *arena)
 {
     CERTGeneralName * nameList       = NULL;
     SECStatus         rv             = SECFailure;
     SECItem           subAltName;
 
     if (!cert || !arena)
       return NULL;
 
@@ -2062,90 +1981,78 @@ CERT_GetCertIssuerAndSN(PRArenaPool *are
 char *
 CERT_MakeCANickname(CERTCertificate *cert)
 {
     char *firstname = NULL;
     char *org = NULL;
     char *nickname = NULL;
     int count;
     CERTCertificate *dummycert;
-    CERTCertDBHandle *handle;
     
-    handle = cert->dbhandle;
-    
-    nickname = CERT_GetNickName(cert, handle, cert->arena);
-    if (nickname == NULL) {
-	firstname = CERT_GetCommonName(&cert->subject);
-	if ( firstname == NULL ) {
-	    firstname = CERT_GetOrgUnitName(&cert->subject);
-	}
-
-	org = CERT_GetOrgName(&cert->issuer);
+    firstname = CERT_GetCommonName(&cert->subject);
+    if ( firstname == NULL ) {
+	firstname = CERT_GetOrgUnitName(&cert->subject);
+    }
+
+    org = CERT_GetOrgName(&cert->issuer);
+    if (org == NULL) {
+	org = CERT_GetDomainComponentName(&cert->issuer);
 	if (org == NULL) {
-	    org = CERT_GetDomainComponentName(&cert->issuer);
-	    if (org == NULL) {
-		if (firstname) {
-		    org = firstname;
-		    firstname = NULL;
-		} else {
-		    org = PORT_Strdup("Unknown CA");
-		}
+	    if (firstname) {
+		org = firstname;
+		firstname = NULL;
+	    } else {
+		org = PORT_Strdup("Unknown CA");
 	    }
 	}
-
-	/* can only fail if PORT_Strdup fails, in which case
-	 * we're having memory problems. */
-	if (org == NULL) {
-	    goto loser;
-	}
+    }
+
+    /* can only fail if PORT_Strdup fails, in which case
+     * we're having memory problems. */
+    if (org == NULL) {
+	goto done;
+    }
 
     
-	count = 1;
-	while ( 1 ) {
-
-	    if ( firstname ) {
-		if ( count == 1 ) {
-		    nickname = PR_smprintf("%s - %s", firstname, org);
-		} else {
-		    nickname = PR_smprintf("%s - %s #%d", firstname, org, count);
-		}
+    count = 1;
+    while ( 1 ) {
+
+	if ( firstname ) {
+	    if ( count == 1 ) {
+		nickname = PR_smprintf("%s - %s", firstname, org);
 	    } else {
-		if ( count == 1 ) {
-		    nickname = PR_smprintf("%s", org);
-		} else {
-		    nickname = PR_smprintf("%s #%d", org, count);
-		}
+		nickname = PR_smprintf("%s - %s #%d", firstname, org, count);
 	    }
-	    if ( nickname == NULL ) {
-		goto loser;
+	} else {
+	    if ( count == 1 ) {
+		nickname = PR_smprintf("%s", org);
+	    } else {
+		nickname = PR_smprintf("%s #%d", org, count);
 	    }
-
-	    /* look up the nickname to make sure it isn't in use already */
-	    dummycert = CERT_FindCertByNickname(handle, nickname);
-
-	    if ( dummycert == NULL ) {
-		goto done;
-	    }
+	}
+	if ( nickname == NULL ) {
+	    goto done;
+	}
+
+	/* look up the nickname to make sure it isn't in use already */
+	dummycert = CERT_FindCertByNickname(cert->dbhandle, nickname);
+
+	if ( dummycert == NULL ) {
+	    goto done;
+	}
 	
-	    /* found a cert, destroy it and loop */
-	    CERT_DestroyCertificate(dummycert);
-
-	    /* free the nickname */
-	    PORT_Free(nickname);
-
-	    count++;
-	}
+	/* found a cert, destroy it and loop */
+	CERT_DestroyCertificate(dummycert);
+
+	/* free the nickname */
+	PORT_Free(nickname);
+
+	count++;
     }
-loser:
-    if ( nickname ) {
-	PORT_Free(nickname);
-    }
-
-    nickname = NULL;
-    
+
 done:
     if ( firstname ) {
 	PORT_Free(firstname);
     }
     if ( org ) {
 	PORT_Free(org);
     }
     
@@ -2176,34 +2083,34 @@ static unsigned int
 cert_ComputeTrustOverrides(CERTCertificate *cert, unsigned int cType)
 {
     CERTCertTrust *trust = cert->trust;
 
     if (trust && (trust->sslFlags |
 		  trust->emailFlags |
 		  trust->objectSigningFlags)) {
 
-	if (trust->sslFlags & (CERTDB_VALID_PEER|CERTDB_TRUSTED)) 
+	if (trust->sslFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED)) 
 	    cType |= NS_CERT_TYPE_SSL_SERVER|NS_CERT_TYPE_SSL_CLIENT;
 	if (trust->sslFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA)) 
 	    cType |= NS_CERT_TYPE_SSL_CA;
 #if defined(CERTDB_NOT_TRUSTED)
 	if (trust->sslFlags & CERTDB_NOT_TRUSTED) 
 	    cType &= ~(NS_CERT_TYPE_SSL_SERVER|NS_CERT_TYPE_SSL_CLIENT|
 	               NS_CERT_TYPE_SSL_CA);
 #endif
-	if (trust->emailFlags & (CERTDB_VALID_PEER|CERTDB_TRUSTED)) 
+	if (trust->emailFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED)) 
 	    cType |= NS_CERT_TYPE_EMAIL;
 	if (trust->emailFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA)) 
 	    cType |= NS_CERT_TYPE_EMAIL_CA;
 #if defined(CERTDB_NOT_TRUSTED)
 	if (trust->emailFlags & CERTDB_NOT_TRUSTED) 
 	    cType &= ~(NS_CERT_TYPE_EMAIL|NS_CERT_TYPE_EMAIL_CA);
 #endif
-	if (trust->objectSigningFlags & (CERTDB_VALID_PEER|CERTDB_TRUSTED)) 
+	if (trust->objectSigningFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED)) 
 	    cType |= NS_CERT_TYPE_OBJECT_SIGNING;
 	if (trust->objectSigningFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA)) 
 	    cType |= NS_CERT_TYPE_OBJECT_SIGNING_CA;
 #if defined(CERTDB_NOT_TRUSTED)
 	if (trust->objectSigningFlags & CERTDB_NOT_TRUSTED) 
 	    cType &= ~(NS_CERT_TYPE_OBJECT_SIGNING|
 	               NS_CERT_TYPE_OBJECT_SIGNING_CA);
 #endif
@@ -2230,20 +2137,19 @@ CERT_IsCACert(CERTCertificate *cert, uns
 
 	rv = CERT_FindBasicConstraintExten(cert, &constraints);
 	if (rv == SECSuccess && constraints.isCA) {
 	    ret = PR_TRUE;
 	    cType |= (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA);
 	} 
     }
 
-    /* finally check if it's an X.509 v1 root or FORTEZZA V1 CA */
+    /* finally check if it's an X.509 v1 root CA */
     if (!ret && 
-        ((cert->isRoot && cert_Version(cert) < SEC_CERTIFICATE_VERSION_3) ||
-    	 fortezzaIsCA(cert) )) {
+        (cert->isRoot && cert_Version(cert) < SEC_CERTIFICATE_VERSION_3)) {
 	ret = PR_TRUE;
 	cType |= (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA);
     }
     /* Now apply trust overrides, if any */
     cType = cert_ComputeTrustOverrides(cert, cType);
     ret = (cType & (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA |
                     NS_CERT_TYPE_OBJECT_SIGNING_CA)) ? PR_TRUE : PR_FALSE;
 
@@ -2444,21 +2350,21 @@ CERT_DecodeTrustString(CERTCertTrust *tr
 	return SECFailure;
     }
 
     pflags = &trust->sslFlags;
     
     for (i=0; i < PORT_Strlen(trusts); i++) {
 	switch (trusts[i]) {
 	  case 'p':
-	      *pflags = *pflags | CERTDB_VALID_PEER;
+	      *pflags = *pflags | CERTDB_TERMINAL_RECORD;
 	      break;
 
 	  case 'P':
-	      *pflags = *pflags | CERTDB_TRUSTED | CERTDB_VALID_PEER;
+	      *pflags = *pflags | CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD;
 	      break;
 
 	  case 'w':
 	      *pflags = *pflags | CERTDB_SEND_WARN;
 	      break;
 
 	  case 'c':
 	      *pflags = *pflags | CERTDB_VALID_CA;
@@ -2500,17 +2406,17 @@ CERT_DecodeTrustString(CERTCertTrust *tr
 
 static void
 EncodeFlags(char *trusts, unsigned int flags)
 {
     if (flags & CERTDB_VALID_CA)
 	if (!(flags & CERTDB_TRUSTED_CA) &&
 	    !(flags & CERTDB_TRUSTED_CLIENT_CA))
 	    PORT_Strcat(trusts, "c");
-    if (flags & CERTDB_VALID_PEER)
+    if (flags & CERTDB_TERMINAL_RECORD)
 	if (!(flags & CERTDB_TRUSTED))
 	    PORT_Strcat(trusts, "p");
     if (flags & CERTDB_TRUSTED_CA)
 	PORT_Strcat(trusts, "C");
     if (flags & CERTDB_TRUSTED_CLIENT_CA)
 	PORT_Strcat(trusts, "T");
     if (flags & CERTDB_TRUSTED)
 	PORT_Strcat(trusts, "P");
@@ -2584,43 +2490,39 @@ CERT_ImportCerts(CERTCertDBHandle *certd
 		}
 		fcerts++;
 	    }
 	}
 
 	if ( keepCerts ) {
 	    for ( i = 0; i < fcerts; i++ ) {
                 char* canickname = NULL;
-                PRBool freeNickname = PR_FALSE;
+                PRBool isCA;
 
 		SECKEY_UpdateCertPQG(certs[i]);
                 
-                if ( CERT_IsCACert(certs[i], NULL) ) {
+                isCA = CERT_IsCACert(certs[i], NULL);
+                if ( isCA ) {
                     canickname = CERT_MakeCANickname(certs[i]);
-                    if ( canickname != NULL ) {
-                        freeNickname = PR_TRUE;
-                    }
                 }
 
-		if(CERT_IsCACert(certs[i], NULL) && (fcerts > 1)) {
+		if(isCA && (fcerts > 1)) {
 		    /* if we are importing only a single cert and specifying
 		     * a nickname, we want to use that nickname if it a CA,
 		     * otherwise if there are more than one cert, we don't
 		     * know which cert it belongs to. But we still may try
                      * the individual canickname from the cert itself.
 		     */
 		    rv = CERT_AddTempCertToPerm(certs[i], canickname, NULL);
 		} else {
 		    rv = CERT_AddTempCertToPerm(certs[i],
                                                 nickname?nickname:canickname, NULL);
 		}
 
-                if (PR_TRUE == freeNickname) {
-                    PORT_Free(canickname);
-                }
+                PORT_Free(canickname);
 		/* don't care if it fails - keep going */
 	    }
 	}
     }
 
     if ( retCerts ) {
 	*retCerts = certs;
     } else {
@@ -3119,16 +3021,18 @@ CERT_SetStatusConfig(CERTCertDBHandle *h
 }
 
 /*
  * Code for dealing with subjKeyID to cert mappings.
  */
 
 static PLHashTable *gSubjKeyIDHash = NULL;
 static PRLock      *gSubjKeyIDLock = NULL;
+static PLHashTable *gSubjKeyIDSlotCheckHash = NULL;
+static PRLock      *gSubjKeyIDSlotCheckLock = NULL;
 
 static void *cert_AllocTable(void *pool, PRSize size)
 {
     return PORT_Alloc(size);
 }
 
 static void cert_FreeTable(void *pool, void *item)
 {
@@ -3149,34 +3053,63 @@ static void cert_FreeEntry(void *pool, P
     }
 }
 
 static PLHashAllocOps cert_AllocOps = {
     cert_AllocTable, cert_FreeTable, cert_AllocEntry, cert_FreeEntry
 };
 
 SECStatus
+cert_CreateSubjectKeyIDSlotCheckHash(void)
+{
+    /*
+     * This hash is used to remember the series of a slot
+     * when we last checked for user certs
+     */
+    gSubjKeyIDSlotCheckHash = PL_NewHashTable(0, SECITEM_Hash,
+                                             SECITEM_HashCompare,
+                                             SECITEM_HashCompare,
+                                             &cert_AllocOps, NULL);
+    if (!gSubjKeyIDSlotCheckHash) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return SECFailure;
+    }
+    gSubjKeyIDSlotCheckLock = PR_NewLock();
+    if (!gSubjKeyIDSlotCheckLock) {
+        PL_HashTableDestroy(gSubjKeyIDSlotCheckHash);
+        gSubjKeyIDSlotCheckHash = NULL;
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return SECFailure;
+    }
+    return SECSuccess;
+}
+
+SECStatus
 cert_CreateSubjectKeyIDHashTable(void)
 {
     gSubjKeyIDHash = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare,
                                     SECITEM_HashCompare,
                                     &cert_AllocOps, NULL);
     if (!gSubjKeyIDHash) {
         PORT_SetError(SEC_ERROR_NO_MEMORY);
         return SECFailure;
     }
     gSubjKeyIDLock = PR_NewLock();
     if (!gSubjKeyIDLock) {
         PL_HashTableDestroy(gSubjKeyIDHash);
         gSubjKeyIDHash = NULL;
         PORT_SetError(SEC_ERROR_NO_MEMORY);
         return SECFailure;
     }
+    /* initialize the companion hash (for remembering slot series) */
+    if (cert_CreateSubjectKeyIDSlotCheckHash() != SECSuccess) {
+	cert_DestroySubjectKeyIDHashTable();
+	return SECFailure;
+    }
     return SECSuccess;
-
 }
 
 SECStatus
 cert_AddSubjectKeyIDMapping(SECItem *subjKeyID, CERTCertificate *cert)
 {
     SECItem *newKeyID, *oldVal, *newVal;
     SECStatus rv = SECFailure;
 
@@ -3225,26 +3158,114 @@ cert_RemoveSubjectKeyIDMapping(SECItem *
     PR_Lock(gSubjKeyIDLock);
     rv = (PL_HashTableRemove(gSubjKeyIDHash, subjKeyID)) ? SECSuccess :
                                                            SECFailure;
     PR_Unlock(gSubjKeyIDLock);
     return rv;
 }
 
 SECStatus
+cert_UpdateSubjectKeyIDSlotCheck(SECItem *slotid, int series)
+{
+    SECItem *oldSeries, *newSlotid, *newSeries;
+    SECStatus rv = SECFailure;
+
+    if (!gSubjKeyIDSlotCheckLock) {
+	return rv;
+    }
+
+    newSlotid = SECITEM_DupItem(slotid);
+    newSeries = SECITEM_AllocItem(NULL, NULL, sizeof(int));
+    if (!newSlotid || !newSeries ) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        goto loser;
+    }
+    PORT_Memcpy(newSeries->data, &series, sizeof(int));
+
+    PR_Lock(gSubjKeyIDSlotCheckLock);
+    oldSeries = (SECItem *)PL_HashTableLookup(gSubjKeyIDSlotCheckHash, slotid);
+    if (oldSeries) {
+	/* 
+	 * make sure we don't leak the key of an existing entry
+	 * (similar to cert_AddSubjectKeyIDMapping, see comment there)
+	 */
+        PL_HashTableRemove(gSubjKeyIDSlotCheckHash, slotid);
+    }
+    rv = (PL_HashTableAdd(gSubjKeyIDSlotCheckHash, newSlotid, newSeries)) ?
+         SECSuccess : SECFailure;
+    PR_Unlock(gSubjKeyIDSlotCheckLock);
+    if (rv == SECSuccess) {
+	return rv;
+    }
+
+loser:
+    if (newSlotid) {
+        SECITEM_FreeItem(newSlotid, PR_TRUE);
+    }
+    if (newSeries) {
+        SECITEM_FreeItem(newSeries, PR_TRUE);
+    }
+    return rv;
+}
+
+int
+cert_SubjectKeyIDSlotCheckSeries(SECItem *slotid)
+{
+    SECItem *seriesItem = NULL;
+    int series;
+
+    if (!gSubjKeyIDSlotCheckLock) {
+	PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+	return -1;
+    }
+
+    PR_Lock(gSubjKeyIDSlotCheckLock);
+    seriesItem = (SECItem *)PL_HashTableLookup(gSubjKeyIDSlotCheckHash, slotid);
+    PR_Unlock(gSubjKeyIDSlotCheckLock);
+     /* getting a null series just means we haven't registered one yet, 
+      * just return 0 */
+    if (seriesItem == NULL) {
+	return 0;
+    }
+    /* if we got a series back, assert if it's not the proper length. */
+    PORT_Assert(seriesItem->len == sizeof(int));
+    if (seriesItem->len != sizeof(int)) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return -1;
+    }
+    PORT_Memcpy(&series, seriesItem->data, sizeof(int));
+    return series;
+}
+
+SECStatus
+cert_DestroySubjectKeyIDSlotCheckHash(void)
+{
+    if (gSubjKeyIDSlotCheckHash) {
+        PR_Lock(gSubjKeyIDSlotCheckLock);
+        PL_HashTableDestroy(gSubjKeyIDSlotCheckHash);
+        gSubjKeyIDSlotCheckHash = NULL;
+        PR_Unlock(gSubjKeyIDSlotCheckLock);
+        PR_DestroyLock(gSubjKeyIDSlotCheckLock);
+        gSubjKeyIDSlotCheckLock = NULL;
+    }
+    return SECSuccess;
+}
+
+SECStatus
 cert_DestroySubjectKeyIDHashTable(void)
 {
     if (gSubjKeyIDHash) {
         PR_Lock(gSubjKeyIDLock);
         PL_HashTableDestroy(gSubjKeyIDHash);
         gSubjKeyIDHash = NULL;
         PR_Unlock(gSubjKeyIDLock);
         PR_DestroyLock(gSubjKeyIDLock);
         gSubjKeyIDLock = NULL;
     }
+    cert_DestroySubjectKeyIDSlotCheckHash();
     return SECSuccess;
 }
 
 SECItem*
 cert_FindDERCertBySubjectKeyID(SECItem *subjKeyID)
 {
     SECItem   *val;
  
--- a/security/nss/lib/certdb/certdb.h
+++ b/security/nss/lib/certdb/certdb.h
@@ -34,27 +34,45 @@
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifndef _CERTDB_H_
 #define _CERTDB_H_
 
 
 /* common flags for all types of certificates */
-#define CERTDB_VALID_PEER	(1<<0)
+#define CERTDB_TERMINAL_RECORD	(1<<0)
 #define CERTDB_TRUSTED		(1<<1)
 #define CERTDB_SEND_WARN	(1<<2)
 #define CERTDB_VALID_CA		(1<<3)
 #define CERTDB_TRUSTED_CA	(1<<4) /* trusted for issuing server certs */
 #define CERTDB_NS_TRUSTED_CA	(1<<5)
 #define CERTDB_USER		(1<<6)
 #define CERTDB_TRUSTED_CLIENT_CA (1<<7) /* trusted for issuing client certs */
 #define CERTDB_INVISIBLE_CA	(1<<8) /* don't show in UI */
 #define CERTDB_GOVT_APPROVED_CA	(1<<9) /* can do strong crypto in export ver */
 
+/* old usage, to keep old programs compiling */
+/* On Windows, Mac, and Linux (and other gcc platforms), we can give compile
+ * time deprecation warnings when applications use the old CERTDB_VALID_PEER
+ * define */
+#if __GNUC__ > 3
+#if (__GNUC__ == 4) && (__GNUC_MINOR__ < 5)
+typedef unsigned int __CERTDB_VALID_PEER __attribute__((deprecated));
+#else
+typedef unsigned int __CERTDB_VALID_PEER __attribute__((deprecated
+    ("CERTDB_VALID_PEER is now CERTDB_TERMINAL_RECORD")));
+#endif
+#define CERTDB_VALID_PEER  ((__CERTDB_VALID_PEER) CERTDB_TERMINAL_RECORD)
+#else
+#ifdef _WIN32
+#pragma deprecated(CERTDB_VALID_PEER)
+#endif
+#define CERTDB_VALID_PEER  CERTDB_TERMINAL_RECORD 
+#endif
 
 SEC_BEGIN_PROTOS
 
 CERTSignedCrl *
 SEC_FindCrlByKey(CERTCertDBHandle *handle, SECItem *crlKey, int type);
 
 CERTSignedCrl *
 SEC_FindCrlByName(CERTCertDBHandle *handle, SECItem *crlKey, int type);
--- a/security/nss/lib/certdb/certi.h
+++ b/security/nss/lib/certdb/certi.h
@@ -31,17 +31,17 @@
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 /*
  * certi.h - private data structures for the certificate library
  *
- * $Id: certi.h,v 1.34 2010/05/21 00:43:51 wtc%google.com Exp $
+ * $Id: certi.h,v 1.35 2011/01/29 22:17:20 nelson%bolyard.com Exp $
  */
 #ifndef _CERTI_H_
 #define _CERTI_H_
 
 #include "certt.h"
 #include "nssrwlkt.h"
 
 /*
@@ -230,24 +230,31 @@ SECStatus ShutdownCRLCache(void);
 
 /* Returns a pointer to an environment-like string, a series of
 ** null-terminated strings, terminated by a zero-length string.
 ** This function is intended to be internal to NSS.
 */
 extern char * cert_GetCertificateEmailAddresses(CERTCertificate *cert);
 
 /*
- * These functions are used to map subjectKeyID extension values to certs.
+ * These functions are used to map subjectKeyID extension values to certs
+ * and to keep track of the checks for user certificates in each slot
  */
 SECStatus
 cert_CreateSubjectKeyIDHashTable(void);
 
 SECStatus
 cert_AddSubjectKeyIDMapping(SECItem *subjKeyID, CERTCertificate *cert);
 
+SECStatus
+cert_UpdateSubjectKeyIDSlotCheck(SECItem *slotid, int series);
+
+int
+cert_SubjectKeyIDSlotCheckSeries(SECItem *slotid);
+
 /*
  * Call this function to remove an entry from the mapping table.
  */
 SECStatus
 cert_RemoveSubjectKeyIDMapping(SECItem *subjKeyID);
 
 SECStatus
 cert_DestroySubjectKeyIDHashTable(void);
--- a/security/nss/lib/certdb/certt.h
+++ b/security/nss/lib/certdb/certt.h
@@ -31,17 +31,17 @@
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 /*
  * certt.h - public data structures for the certificate library
  *
- * $Id: certt.h,v 1.54.2.1 2011/07/28 22:19:57 wtc%google.com Exp $
+ * $Id: certt.h,v 1.55 2011/07/28 21:38:14 wtc%google.com Exp $
  */
 #ifndef _CERTT_H_
 #define _CERTT_H_
 
 #include "prclist.h"
 #include "pkcs11t.h"
 #include "seccomon.h"
 #include "secmodt.h"
--- a/security/nss/lib/certdb/crl.c
+++ b/security/nss/lib/certdb/crl.c
@@ -32,17 +32,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * Moved from secpkcs7.c
  *
- * $Id: crl.c,v 1.71 2010/05/21 00:43:51 wtc%google.com Exp $
+ * $Id: crl.c,v 1.72 2011/07/24 13:48:10 wtc%google.com Exp $
  */
  
 #include "cert.h"
 #include "certi.h"
 #include "secder.h"
 #include "secasn1.h"
 #include "secoid.h"
 #include "certdb.h"
@@ -70,84 +70,36 @@ const SEC_ASN1Template SEC_CERTExtension
     { 0, }
 };
 
 static const SEC_ASN1Template SEC_CERTExtensionsTemplate[] = {
     { SEC_ASN1_SEQUENCE_OF, 0,  SEC_CERTExtensionTemplate}
 };
 
 /*
- * XXX Also, these templates, especially the Krl/FORTEZZA ones, need to
- * be tested; Lisa did the obvious translation but they still should be
- * verified.
+ * XXX Also, these templates need to be tested; Lisa did the obvious
+ * translation but they still should be verified.
  */
 
 const SEC_ASN1Template CERT_IssuerAndSNTemplate[] = {
     { SEC_ASN1_SEQUENCE,
 	  0, NULL, sizeof(CERTIssuerAndSN) },
     { SEC_ASN1_SAVE,
 	  offsetof(CERTIssuerAndSN,derIssuer) },
     { SEC_ASN1_INLINE,
 	  offsetof(CERTIssuerAndSN,issuer),
 	  CERT_NameTemplate },
     { SEC_ASN1_INTEGER,
 	  offsetof(CERTIssuerAndSN,serialNumber) },
     { 0 }
 };
 
-static const SEC_ASN1Template cert_KrlEntryTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTCrlEntry) },
-    { SEC_ASN1_OCTET_STRING,
-	  offsetof(CERTCrlEntry,serialNumber) },
-    { SEC_ASN1_UTC_TIME,
-	  offsetof(CERTCrlEntry,revocationDate) },
-    { 0 }
-};
-
 SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
 SEC_ASN1_MKSUB(CERT_TimeChoiceTemplate)
 
-static const SEC_ASN1Template cert_KrlTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTCrl) },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
-	  offsetof(CERTCrl,signatureAlg),
-	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { SEC_ASN1_SAVE,
-	  offsetof(CERTCrl,derName) },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTCrl,name),
-	  CERT_NameTemplate },
-    { SEC_ASN1_UTC_TIME,
-	  offsetof(CERTCrl,lastUpdate) },
-    { SEC_ASN1_UTC_TIME,
-	  offsetof(CERTCrl,nextUpdate) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
-	  offsetof(CERTCrl,entries),
-	  cert_KrlEntryTemplate },
-    { 0 }
-};
-
-static const SEC_ASN1Template cert_SignedKrlTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTSignedCrl) },
-    { SEC_ASN1_SAVE,
-	  offsetof(CERTSignedCrl,signatureWrap.data) },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTSignedCrl,crl),
-	  cert_KrlTemplate },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
-	  offsetof(CERTSignedCrl,signatureWrap.signatureAlgorithm),
-	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { SEC_ASN1_BIT_STRING,
-	  offsetof(CERTSignedCrl,signatureWrap.signature) },
-    { 0 }
-};
-
 static const SEC_ASN1Template cert_CrlKeyTemplate[] = {
     { SEC_ASN1_SEQUENCE,
 	  0, NULL, sizeof(CERTCrlKey) },
     { SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, offsetof(CERTCrlKey,dummy) },
     { SEC_ASN1_SKIP },
     { SEC_ASN1_ANY, offsetof(CERTCrlKey,derName) },
     { SEC_ASN1_SKIP_REST },
     { 0 }
@@ -465,17 +417,17 @@ SECStatus CERT_CompleteCRLDecodeEntries(
         if (rv != SECSuccess) {
             extended->badExtensions = PR_TRUE;
         }
     }
     return rv;
 }
 
 /*
- * take a DER CRL or KRL  and decode it into a CRL structure
+ * take a DER CRL and decode it into a CRL structure
  * allow reusing the input DER without making a copy
  */
 CERTSignedCrl *
 CERT_DecodeDERCrlWithFlags(PRArenaPool *narena, SECItem *derSignedCrl,
                           int type, PRInt32 options)
 {
     PRArenaPool *arena;
     CERTSignedCrl *crl;
@@ -573,21 +525,18 @@ CERT_DecodeDERCrlWithFlags(PRArenaPool *
 
         rv = cert_check_crl_entries(&crl->crl);
         if (rv != SECSuccess) {
             extended->badExtensions = PR_TRUE;
         }
 
         break;
 
-    case SEC_KRL_TYPE:
-	rv = SEC_QuickDERDecodeItem
-	     (arena, crl, cert_SignedKrlTemplate, derSignedCrl);
-	break;
     default:
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	rv = SECFailure;
 	break;
     }
 
     if (rv != SECSuccess) {
 	goto loser;
     }
 
@@ -609,17 +558,17 @@ loser:
     if ((narena == NULL) && arena ) {
 	PORT_FreeArena(arena, PR_FALSE);
     }
     
     return(0);
 }
 
 /*
- * take a DER CRL or KRL  and decode it into a CRL structure
+ * take a DER CRL and decode it into a CRL structure
  */
 CERTSignedCrl *
 CERT_DecodeDERCrl(PRArenaPool *narena, SECItem *derSignedCrl, int type)
 {
     return CERT_DecodeDERCrlWithFlags(narena, derSignedCrl, type,
                                       CRL_DECODE_DEFAULT_OPTIONS);
 }
 
@@ -711,16 +660,22 @@ crl_storeCRL (PK11SlotInfo *slot,char *u
 {
     CERTSignedCrl *oldCrl = NULL, *crl = NULL;
     PRBool deleteOldCrl = PR_FALSE;
     CK_OBJECT_HANDLE crlHandle = CK_INVALID_HANDLE;
     SECStatus rv;
 
     PORT_Assert(newCrl);
     PORT_Assert(derCrl);
+    PORT_Assert(type == SEC_CRL_TYPE);
+
+    if (type != SEC_CRL_TYPE) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
 
     /* we can't use the cache here because we must look in the same
        token */
     rv = SEC_FindCrlByKeyOnSlot(slot, &newCrl->crl.derName, type,
                                 &oldCrl, CRL_DECODE_SKIP_ENTRIES);
     /* if there is an old crl on the token, make sure the one we are
        installing is newer. If not, exit out, otherwise delete the
        old crl.
@@ -734,31 +689,17 @@ crl_storeCRL (PK11SlotInfo *slot,char *u
 	    crl->pkcs11ID = oldCrl->pkcs11ID;
 	    if (oldCrl->url && !url)
 	        url = oldCrl->url;
 	    if (url)
 		crl->url = PORT_ArenaStrdup(crl->arena, url);
 	    goto done;
 	}
         if (!SEC_CrlIsNewer(&newCrl->crl,&oldCrl->crl)) {
-
-            if (type == SEC_CRL_TYPE) {
-                PORT_SetError(SEC_ERROR_OLD_CRL);
-            } else {
-                PORT_SetError(SEC_ERROR_OLD_KRL);
-            }
-
-            goto done;
-        }
-
-        if ((SECITEM_CompareItem(&newCrl->crl.derName,
-                &oldCrl->crl.derName) != SECEqual) &&
-            (type == SEC_KRL_TYPE) ) {
-
-            PORT_SetError(SEC_ERROR_CKL_CONFLICT);
+            PORT_SetError(SEC_ERROR_OLD_CRL);
             goto done;
         }
 
         /* if we have a url in the database, use that one */
         if (oldCrl->url && !url) {
 	    url = oldCrl->url;
         }
 
--- a/security/nss/lib/certdb/genname.c
+++ b/security/nss/lib/certdb/genname.c
@@ -1680,121 +1680,16 @@ done:
 	badCert = (count >= 0) ? certsList[count] : cert;
     }
     if (pBadCert)
 	*pBadCert = badCert;
 
     return rv;
 }
 
-/* Search the cert for an X509_SUBJECT_ALT_NAME extension.
-** ASN1 Decode it into a list of alternate names.
-** Search the list of alternate names for one with the NETSCAPE_NICKNAME OID.
-** ASN1 Decode that name.  Turn the result into a zString.  
-** Look for duplicate nickname already in the certdb. 
-** If one is found, create a nickname string that is not a duplicate.
-*/
-char *
-CERT_GetNickName(CERTCertificate   *cert,
- 		 CERTCertDBHandle  *handle,
-		 PRArenaPool      *nicknameArena)
-{ 
-    CERTGeneralName  *current;
-    CERTGeneralName  *names;
-    char             *nickname   = NULL;
-    char             *returnName = NULL;
-    char             *basename   = NULL;
-    PRArenaPool      *arena      = NULL;
-    CERTCertificate  *tmpcert;
-    SECStatus        rv;
-    int              count;
-    int              found = 0;
-    SECItem          altNameExtension;
-    SECItem          nick;
-
-    if (handle == NULL) {
-	handle = CERT_GetDefaultCertDB();
-    }
-    altNameExtension.data = NULL;
-    rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, 
-				&altNameExtension);
-    if (rv != SECSuccess) { 
-	goto loser; 
-    }
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) {
-	goto loser;
-    }
-    names = CERT_DecodeAltNameExtension(arena, &altNameExtension);
-    if (names == NULL) {
-	goto loser;
-    } 
-    current = names;
-    do {
-	if (current->type == certOtherName && 
-	    SECOID_FindOIDTag(&current->name.OthName.oid) == 
-	      SEC_OID_NETSCAPE_NICKNAME) {
-	    found = 1;
-	    break;
-	}
-	current = CERT_GetNextGeneralName(current);
-    } while (current != names);
-    if (!found)
-    	goto loser;
-
-    rv = SEC_QuickDERDecodeItem(arena, &nick,
-                            SEC_ASN1_GET(SEC_IA5StringTemplate),
-			    &current->name.OthName.name);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-
-    /* make a null terminated string out of nick, with room enough at
-    ** the end to add on a number of up to 21 digits in length, (a signed
-    ** 64-bit number in decimal) plus a space and a "#". 
-    */
-    nickname = (char*)PORT_ZAlloc(nick.len + 24);
-    if (!nickname) 
-	goto loser;
-    PORT_Strncpy(nickname, (char *)nick.data, nick.len);
-
-    /* Don't let this cert's nickname duplicate one already in the DB.
-    ** If it does, create a variant of the nickname that doesn't.
-    */
-    count = 0;
-    while ((tmpcert = CERT_FindCertByNickname(handle, nickname)) != NULL) {
-	CERT_DestroyCertificate(tmpcert);
-	if (!basename) {
-	    basename = PORT_Strdup(nickname);
-	    if (!basename)
-		goto loser;
-	}
-	count++;
-	sprintf(nickname, "%s #%d", basename, count);
-    }
-
-    /* success */
-    if (nicknameArena) {
-	returnName =  PORT_ArenaStrdup(nicknameArena, nickname);
-    } else {
-	returnName = nickname;
-	nickname = NULL;
-    }
-loser:
-    if (arena != NULL) 
-	PORT_FreeArena(arena, PR_FALSE);
-    if (nickname)
-	PORT_Free(nickname);
-    if (basename)
-	PORT_Free(basename);
-    if (altNameExtension.data)
-    	PORT_Free(altNameExtension.data);
-    return returnName;
-}
-
 #if 0
 /* not exported from shared libs, not used.  Turn on if we ever need it. */
 SECStatus
 CERT_CompareGeneralName(CERTGeneralName *a, CERTGeneralName *b)
 {
     CERTGeneralName *currentA;
     CERTGeneralName *currentB;
     PRBool found;
--- a/security/nss/lib/certdb/manifest.mn
+++ b/security/nss/lib/certdb/manifest.mn
@@ -61,14 +61,12 @@ CSRCS = \
 	stanpcertdb.c \
 	polcyxtn.c \
 	secname.c \
 	xauthkid.c \
 	xbsconst.c \
 	xconst.c \
 	$(NULL)
 
-REQUIRES = dbm
-
 LIBRARY_NAME = certdb
 
 # This part of the code, including all sub-dirs, can be optimized for size
 export ALLOW_OPT_CODE_SIZE = 1
--- a/security/nss/lib/certhigh/certhtml.c
+++ b/security/nss/lib/certhigh/certhtml.c
@@ -32,17 +32,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * certhtml.c --- convert a cert to html
  *
- * $Id: certhtml.c,v 1.8.66.1 2010/08/28 19:49:28 nelson%bolyard.com Exp $
+ * $Id: certhtml.c,v 1.10 2010/08/28 18:00:28 nelson%bolyard.com Exp $
  */
 
 #include "seccomon.h"
 #include "secitem.h"
 #include "sechash.h"
 #include "cert.h"
 #include "keyhi.h"
 #include "secder.h"
--- a/security/nss/lib/certhigh/certvfy.c
+++ b/security/nss/lib/certhigh/certvfy.c
@@ -574,29 +574,53 @@ cert_VerifyCertChainOld(CERTCertDBHandle
 	        if (( flags & requiredFlags ) == requiredFlags) {
 	            /* we found a trusted one, so return */
 	            rv = rvFinal; 
 	            goto done;
 	        }
 	        if (flags & CERTDB_VALID_CA) {
 	            validCAOverride = PR_TRUE;
 	        }
+		/* is it explicitly distrusted? */
+		if ((flags & CERTDB_TERMINAL_RECORD) && 
+			((flags & (CERTDB_VALID_CA|CERTDB_TRUSTED)) == 0)) {
+		    /* untrusted -- the cert is explicitly untrusted, not
+		     * just that it doesn't chain to a trusted cert */
+		    PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
+		    LOG_ERROR_OR_EXIT(log,issuerCert,count+1,flags);
+		}
 	    } else {
                 /* Check if we have any valid trust when cheching for
                  * certUsageAnyCA or certUsageStatusResponder. */
                 for (trustType = trustSSL; trustType < trustTypeNone;
                      trustType++) {
                     flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
                     if ((flags & requiredFlags) == requiredFlags) {
 	                rv = rvFinal; 
 	                goto done;
                     }
                     if (flags & CERTDB_VALID_CA)
                         validCAOverride = PR_TRUE;
                 }
+		/* We have 2 separate loops because we want any single trust
+		 * bit to allow this usage to return trusted. Only if none of
+		 * the trust bits are on do we check to see if the cert is 
+		 * untrusted */
+                for (trustType = trustSSL; trustType < trustTypeNone;
+                     trustType++) {
+                    flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
+		    /* is it explicitly distrusted? */
+		    if ((flags & CERTDB_TERMINAL_RECORD) && 
+			((flags & (CERTDB_VALID_CA|CERTDB_TRUSTED)) == 0)) {
+			/* untrusted -- the cert is explicitly untrusted, not
+			 * just that it doesn't chain to a trusted cert */
+			PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
+			LOG_ERROR_OR_EXIT(log,issuerCert,count+1,flags);
+		    }
+                }
             }
         }
 
 	if (!validCAOverride) {
 	    /*
 	     * Make sure that if this is an intermediate CA in the chain that
 	     * it was given permission by its signer to be a CA.
 	     */
@@ -821,16 +845,24 @@ CERT_VerifyCACertForUsage(CERTCertDBHand
 	if ( ( flags & requiredFlags ) == requiredFlags) {
 	    /* we found a trusted one, so return */
 	    rv = rvFinal; 
 	    goto done;
 	}
 	if (flags & CERTDB_VALID_CA) {
 	    validCAOverride = PR_TRUE;
 	}
+	/* is it explicitly distrusted? */
+	if ((flags & CERTDB_TERMINAL_RECORD) && 
+		((flags & (CERTDB_VALID_CA|CERTDB_TRUSTED)) == 0)) {
+	    /* untrusted -- the cert is explicitly untrusted, not
+	     * just that it doesn't chain to a trusted cert */
+	    PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
+	    LOG_ERROR_OR_EXIT(log,cert,0,flags);
+	}
     }
     if (!validCAOverride) {
 	/*
 	 * Make sure that if this is an intermediate CA in the chain that
 	 * it was given permission by its signer to be a CA.
 	 */
 	/*
 	 * if basicConstraints says it is a ca, then we check the
@@ -885,16 +917,164 @@ done:
     } \
     if (PR_TRUE == requiredUsage) { \
         valid = SECFailure; \
     } \
     NEXT_USAGE(); \
 }
 
 /*
+ * check the leaf cert against trust and usage. 
+ *   returns success if the cert is not distrusted. If the cert is
+ *       trusted, then the trusted bool will be true.
+ *   returns failure if the cert is distrusted. If failure, flags
+ *       will return the flag bits that indicated distrust.
+ */
+SECStatus
+cert_CheckLeafTrust(CERTCertificate *cert, SECCertUsage certUsage,
+	            unsigned int *failedFlags, PRBool *trusted)
+{
+    unsigned int flags;
+
+    *failedFlags = 0;
+    *trusted = PR_FALSE;
+			
+    /* check trust flags to see if this cert is directly trusted */
+    if ( cert->trust ) { 
+	switch ( certUsage ) {
+	  case certUsageSSLClient:
+	  case certUsageSSLServer:
+	    flags = cert->trust->sslFlags;
+	    
+	    /* is the cert directly trusted or not trusted ? */
+	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
+						    * authoritative */
+		if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
+		    *trusted = PR_TRUE;
+		    return SECSuccess;
+		} else { /* don't trust this cert */
+		    *failedFlags = flags;
+		    return SECFailure;
+		}
+	    }
+	    break;
+	  case certUsageSSLServerWithStepUp:
+	    /* XXX - step up certs can't be directly trusted, only distrust */
+	    flags = cert->trust->sslFlags;
+	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
+						    * authoritative */
+		if (( flags & CERTDB_TRUSTED ) == 0) {	
+		    /* don't trust this cert */
+		    *failedFlags = flags;
+		    return SECFailure;
+		}
+	    }
+	    break;
+	  case certUsageSSLCA:
+	    flags = cert->trust->sslFlags;
+	    /* we probably should also not explicitly fail the cert 
+	     * if only the trusted DELEGATOR flag is set */
+	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
+						    * authoritative */
+		if (( flags & CERTDB_TRUSTED_CA ) == 0) {	
+		    /* don't trust this cert */
+		    *failedFlags = flags;
+		    return SECFailure;
+		}
+	    }
+	    break;
+	  case certUsageEmailSigner:
+	  case certUsageEmailRecipient:
+	    flags = cert->trust->emailFlags;
+	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
+						    * authoritative */
+		if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
+		    *trusted = PR_TRUE;
+		    return SECSuccess;
+		} 
+		else { /* don't trust this cert */
+		    *failedFlags = flags;
+		    return SECFailure;
+		}
+	    }
+	    
+	    break;
+	  case certUsageObjectSigner:
+	    flags = cert->trust->objectSigningFlags;
+
+	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
+						    * authoritative */
+		if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
+		    *trusted = PR_TRUE;
+		    return SECSuccess;
+		} else { /* don't trust this cert */
+		    *failedFlags = flags;
+		    return SECFailure;
+		}
+	    }
+	    break;
+	  case certUsageVerifyCA:
+	  case certUsageStatusResponder:
+	    flags = cert->trust->sslFlags;
+	    /* is the cert directly trusted or not trusted ? */
+	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
+		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
+		*trusted = PR_TRUE;
+		return SECSuccess;
+	    }
+	    flags = cert->trust->emailFlags;
+	    /* is the cert directly trusted or not trusted ? */
+	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
+		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
+		*trusted = PR_TRUE;
+		return SECSuccess;
+	    }
+	    flags = cert->trust->objectSigningFlags;
+	    /* is the cert directly trusted or not trusted ? */
+	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
+		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
+		*trusted = PR_TRUE;
+		return SECSuccess;
+	    }
+	    /* fall through to test distrust */
+	  case certUsageAnyCA:
+	  case certUsageUserCertImport:
+	    /* do we distrust these certs explicitly */
+	    flags = cert->trust->sslFlags;
+	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
+						    * authoritative */
+		if ((flags & CERTDB_TRUSTED_CA) == 0) {
+		    *failedFlags = flags;
+		    return SECFailure;
+		}
+	    }
+	    flags = cert->trust->emailFlags;
+	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
+						    * authoritative */
+		if ((flags & CERTDB_TRUSTED_CA) == 0) {
+		    *failedFlags = flags;
+		    return SECFailure;
+		}
+	    }
+	  case certUsageProtectedObjectSigner:
+	    flags = cert->trust->objectSigningFlags;
+	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
+						    * authoritative */
+		if ((flags & CERTDB_TRUSTED_CA) == 0) {
+		    *failedFlags = flags;
+		    return SECFailure;
+		}
+	    }
+	    break;
+	}
+    }
+    return SECSuccess;
+}
+
+/*
  * verify a certificate by checking if it's valid and that we
  * trust the issuer.
  *
  * certificateUsage contains a bitfield of all cert usages that are
  * required for verification to succeed
  *
  * a bitfield of cert usages is returned in *returnedUsages
  * if requiredUsages is non-zero, the returned bitmap is only
@@ -916,16 +1096,17 @@ CERT_VerifyCertificate(CERTCertDBHandle 
     SECCertTimeValidity validity;
     CERTStatusConfig *statusConfig;
     PRInt32 i;
     SECCertUsage certUsage = 0;
     PRBool checkedOCSP = PR_FALSE;
     PRBool checkAllUsages = PR_FALSE;
     PRBool revoked = PR_FALSE;
     PRBool sigerror = PR_FALSE;
+    PRBool trusted = PR_FALSE;
 
     if (!requiredUsages) {
         /* there are no required usages, so the user probably wants to
            get status for all usages */
         checkAllUsages = PR_TRUE;
     }
 
     if (returnedUsages) {
@@ -1003,101 +1184,31 @@ CERT_VerifyCertificate(CERTCertDBHandle 
         if ( !( certType & requiredCertType ) ) {
             if (PR_TRUE == requiredUsage) {
                 PORT_SetError(SEC_ERROR_INADEQUATE_CERT_TYPE);
             }
             LOG_ERROR(log,cert,0,requiredCertType);
             INVALID_USAGE();
         }
 
-        /* check trust flags to see if this cert is directly trusted */
-        if ( cert->trust ) { /* the cert is in the DB */
-            switch ( certUsage ) {
-              case certUsageSSLClient:
-              case certUsageSSLServer:
-                flags = cert->trust->sslFlags;
-
-                /* is the cert directly trusted or not trusted ? */
-                if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/
-                    if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
-                        VALID_USAGE();
-                    } else { /* don't trust this cert */
-                        if (PR_TRUE == requiredUsage) {
-                            PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
-                        }
-                        LOG_ERROR(log,cert,0,flags);
-                        INVALID_USAGE();
-                    }
-                }
-                break;
-              case certUsageSSLServerWithStepUp:
-                /* XXX - step up certs can't be directly trusted */
-                break;
-              case certUsageSSLCA:
-                break;
-              case certUsageEmailSigner:
-              case certUsageEmailRecipient:
-                flags = cert->trust->emailFlags;
-
-                /* is the cert directly trusted or not trusted ? */
-                if ( ( flags & ( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) ==
-                    ( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) {
-                    VALID_USAGE();
-                }
-                break;
-              case certUsageObjectSigner:
-                flags = cert->trust->objectSigningFlags;
+	rv = cert_CheckLeafTrust(cert, certUsage, &flags, &trusted);
+	if (rv == SECFailure) {
+	    if (PR_TRUE == requiredUsage) {
+		PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
+	    }
+	    LOG_ERROR(log, cert, 0, flags);
+	    INVALID_USAGE();
+	}
+	if (trusted) {
+	    VALID_USAGE();
+	}
 
-                /* is the cert directly trusted or not trusted ? */
-                if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/
-                    if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
-                        VALID_USAGE();
-                    } else { /* don't trust this cert */
-                        if (PR_TRUE == requiredUsage) {
-                            PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
-                        }
-                        LOG_ERROR(log,cert,0,flags);
-                        INVALID_USAGE();
-                    }
-                }
-                break;
-              case certUsageVerifyCA:
-              case certUsageStatusResponder:
-                flags = cert->trust->sslFlags;
-                /* is the cert directly trusted or not trusted ? */
-                if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
-                    ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
-                    VALID_USAGE();
-                }
-                flags = cert->trust->emailFlags;
-                /* is the cert directly trusted or not trusted ? */
-                if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
-                    ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
-                    VALID_USAGE();
-                }
-                flags = cert->trust->objectSigningFlags;
-                /* is the cert directly trusted or not trusted ? */
-                if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
-                    ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
-                    VALID_USAGE();
-                }
-                break;
-              case certUsageAnyCA:
-              case certUsageProtectedObjectSigner:
-              case certUsageUserCertImport:
-                /* XXX to make the compiler happy.  Should these be
-                 * explicitly handled?
-                 */
-                break;
-            }
-        }
-
-        if (PR_TRUE == revoked || PR_TRUE == sigerror) {
-            INVALID_USAGE();
-        }
+	if (PR_TRUE == revoked || PR_TRUE == sigerror) {
+	    INVALID_USAGE();
+	}
 
         rv = cert_VerifyCertChain(handle, cert,
             checkSig, &sigerror,
             certUsage, t, wincx, log,
             &revoked);
 
         if (rv != SECSuccess) {
             /* EXIT_IF_NOT_LOGGING(log); XXX ???? */
@@ -1141,16 +1252,17 @@ CERT_VerifyCert(CERTCertDBHandle *handle
 		PRBool checkSig, SECCertUsage certUsage, int64 t,
 		void *wincx, CERTVerifyLog *log)
 {
     SECStatus rv;
     unsigned int requiredKeyUsage;
     unsigned int requiredCertType;
     unsigned int flags;
     unsigned int certType;
+    PRBool       trusted;
     PRBool       allowOverride;
     SECCertTimeValidity validity;
     CERTStatusConfig *statusConfig;
    
 #ifdef notdef 
     /* check if this cert is in the Evil list */
     rv = CERT_CheckForEvilCert(cert);
     if ( rv != SECSuccess ) {
@@ -1207,91 +1319,25 @@ CERT_VerifyCert(CERTCertDBHandle *handle
 	PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
 	LOG_ERROR_OR_EXIT(log,cert,0,requiredKeyUsage);
     }
     if ( !( certType & requiredCertType ) ) {
 	PORT_SetError(SEC_ERROR_INADEQUATE_CERT_TYPE);
 	LOG_ERROR_OR_EXIT(log,cert,0,requiredCertType);
     }
 
-    /* check trust flags to see if this cert is directly trusted */
-    if ( cert->trust ) { /* the cert is in the DB */
-	switch ( certUsage ) {
-	  case certUsageSSLClient:
-	  case certUsageSSLServer:
-	    flags = cert->trust->sslFlags;
-	    
-	    /* is the cert directly trusted or not trusted ? */
-	    if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/
-		if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
-		    goto winner;
-		} else { /* don't trust this cert */
-		    PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
-		    LOG_ERROR_OR_EXIT(log,cert,0,flags);
-		}
-	    }
-	    break;
-	  case certUsageSSLServerWithStepUp:
-	    /* XXX - step up certs can't be directly trusted */
-	    break;
-	  case certUsageSSLCA:
-	    break;
-	  case certUsageEmailSigner:
-	  case certUsageEmailRecipient:
-	    flags = cert->trust->emailFlags;
-	    
-	    /* is the cert directly trusted or not trusted ? */
-	    if ( ( flags & ( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) ==
-		( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) {
-		goto winner;
-	    }
-	    break;
-	  case certUsageObjectSigner:
-	    flags = cert->trust->objectSigningFlags;
+    rv = cert_CheckLeafTrust(cert,certUsage, &flags, &trusted);
+    if (rv  == SECFailure) {
+	PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
+	LOG_ERROR_OR_EXIT(log,cert,0,flags);
+    }
+    if (trusted) {
+	goto winner;
+    }
 
-	    /* is the cert directly trusted or not trusted ? */
-	    if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/
-		if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
-		    goto winner;
-		} else { /* don't trust this cert */
-		    PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
-		    LOG_ERROR_OR_EXIT(log,cert,0,flags);
-		}
-	    }
-	    break;
-	  case certUsageVerifyCA:
-	  case certUsageStatusResponder:
-	    flags = cert->trust->sslFlags;
-	    /* is the cert directly trusted or not trusted ? */
-	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
-		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
-		goto winner;
-	    }
-	    flags = cert->trust->emailFlags;
-	    /* is the cert directly trusted or not trusted ? */
-	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
-		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
-		goto winner;
-	    }
-	    flags = cert->trust->objectSigningFlags;
-	    /* is the cert directly trusted or not trusted ? */
-	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
-		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
-		goto winner;
-	    }
-	    break;
-	  case certUsageAnyCA:
-	  case certUsageProtectedObjectSigner:
-	  case certUsageUserCertImport:
-	    /* XXX to make the compiler happy.  Should these be
-	     * explicitly handled?
-	     */
-	    break;
-	}
-    }
 
     rv = CERT_VerifyCertChain(handle, cert, checkSig, certUsage,
 			      t, wincx, log);
     if (rv != SECSuccess) {
 	EXIT_IF_NOT_LOGGING(log);
     }
 
     /*
--- a/security/nss/lib/certhigh/manifest.mn
+++ b/security/nss/lib/certhigh/manifest.mn
@@ -55,14 +55,12 @@ CSRCS = \
 	ocsp.c \
 	certhigh.c \
  	certvfy.c \
  	certvfypkix.c \
  	certvfypkixprint.c \
  	xcrldist.c \
 	$(NULL)
 
-REQUIRES = dbm
-
 LIBRARY_NAME = certhi
 
 # This part of the code, including all sub-dirs, can be optimized for size
 export ALLOW_OPT_CODE_SIZE = 1
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -34,17 +34,17 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * Implementation of OCSP services, for both client and server.
  * (XXX, really, mostly just for client right now, but intended to do both.)
  *
- * $Id: ocsp.c,v 1.65.2.1 2011/07/13 11:13:55 kaie%kuix.de Exp $
+ * $Id: ocsp.c,v 1.67 2011/08/10 12:31:52 kaie%kuix.de Exp $
  */
 
 #include "prerror.h"
 #include "prprf.h"
 #include "plarena.h"
 #include "prnetdb.h"
 
 #include "seccomon.h"
@@ -2945,36 +2945,42 @@ ocsp_SendEncodedRequest(char *location, 
 {
     char *hostname = NULL;
     char *path = NULL;
     PRUint16 port;
     SECStatus rv;
     PRFileDesc *sock = NULL;
     PRFileDesc *returnSock = NULL;
     char *header = NULL;
+    char portstr[16];
 
     /*
      * Take apart the location, getting the hostname, port, and path.
      */
     rv = ocsp_ParseURL(location, &hostname, &port, &path);
     if (rv != SECSuccess)
 	goto loser;
 
     PORT_Assert(hostname != NULL);
     PORT_Assert(path != NULL);
 
     sock = ocsp_ConnectToHost(hostname, port);
     if (sock == NULL)
 	goto loser;
 
+    portstr[0] = '\0';
+    if (port != 80) {
+        PR_snprintf(portstr, sizeof(portstr), ":%d", port);
+    }
+
     header = PR_smprintf("POST %s HTTP/1.0\r\n"
-			 "Host: %s:%d\r\n"
+			 "Host: %s%s\r\n"
 			 "Content-Type: application/ocsp-request\r\n"
 			 "Content-Length: %u\r\n\r\n",
-			 path, hostname, port, encodedRequest->len);
+			 path, hostname, portstr, encodedRequest->len);
     if (header == NULL)
 	goto loser;
 
     /*
      * The NSPR documentation promises that if it can, it will write the full
      * amount; this will not return a partial value expecting us to loop.
      */
     if (PR_Write(sock, header, (PRInt32) PORT_Strlen(header)) < 0)
--- a/security/nss/lib/certhigh/ocsp.h
+++ b/security/nss/lib/certhigh/ocsp.h
@@ -32,17 +32,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * Interface to the OCSP implementation.
  *
- * $Id: ocsp.h,v 1.17.2.1 2010/09/27 21:22:20 wtc%google.com Exp $
+ * $Id: ocsp.h,v 1.19 2011/01/15 19:47:11 nelson%bolyard.com Exp $
  */
 
 #ifndef _OCSP_H_
 #define _OCSP_H_
 
 
 #include "plarena.h"
 #include "seccomon.h"
@@ -583,17 +583,17 @@ extern SECStatus
 CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle,
 				      CERTCertificate *cert,
 				      PRTime time,
 				      SECItem *encodedResponse,
 				      void *pwArg);
 
 /*
  * FUNCTION: CERT_GetOCSPStatusForCertID
- *  Returns the OCSP status contained in the passed in paramter response
+ *  Returns the OCSP status contained in the passed in parameter response
  *  that corresponds to the certID passed in.
  * INPUTS:
  *  CERTCertDBHandle *handle
  *    certificate DB of the cert that is being checked
  *  CERTOCSPResponse *response
  *    the OCSP response we want to retrieve status from.
  *  CERTOCSPCertID *certID
  *    the ID we want to look for from the response.
--- a/security/nss/lib/ckfw/builtins/certdata.c
+++ b/security/nss/lib/ckfw/builtins/certdata.c
@@ -30,34 +30,34 @@
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: certdata.c,v $ $Revision: 1.67.2.10 $ $Date: 2011/08/01 06:40:03 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.67.2.10 $ $Date: 2011/08/01 06:40:03 $";
+static const char CVS_ID[] = "@(#) $RCSfile: certdata.c,v $ $Revision: 1.78 $ $Date: 2011/08/01 06:33:46 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.78 $ $Date: 2011/08/01 06:33:46 $";
 #endif /* DEBUG */
 
 #ifndef BUILTINS_H
 #include "builtins.h"
 #endif /* BUILTINS_H */
 
 static const CK_BBOOL ck_false = CK_FALSE;
 static const CK_BBOOL ck_true = CK_TRUE;
 static const CK_CERTIFICATE_TYPE ckc_x_509 = CKC_X_509;
 static const CK_OBJECT_CLASS cko_certificate = CKO_CERTIFICATE;
 static const CK_OBJECT_CLASS cko_data = CKO_DATA;
-static const CK_OBJECT_CLASS cko_netscape_builtin_root_list = CKO_NETSCAPE_BUILTIN_ROOT_LIST;
-static const CK_OBJECT_CLASS cko_netscape_trust = CKO_NETSCAPE_TRUST;
-static const CK_TRUST ckt_netscape_trust_unknown = CKT_NETSCAPE_TRUST_UNKNOWN;
-static const CK_TRUST ckt_netscape_trusted_delegator = CKT_NETSCAPE_TRUSTED_DELEGATOR;
-static const CK_TRUST ckt_netscape_untrusted = CKT_NETSCAPE_UNTRUSTED;
-static const CK_TRUST ckt_netscape_valid = CKT_NETSCAPE_VALID;
+static const CK_OBJECT_CLASS cko_nss_builtin_root_list = CKO_NSS_BUILTIN_ROOT_LIST;
+static const CK_OBJECT_CLASS cko_nss_trust = CKO_NSS_TRUST;
+static const CK_TRUST ckt_nss_must_verify_trust = CKT_NSS_MUST_VERIFY_TRUST;
+static const CK_TRUST ckt_nss_not_trusted = CKT_NSS_NOT_TRUSTED;
+static const CK_TRUST ckt_nss_trust_unknown = CKT_NSS_TRUST_UNKNOWN;
+static const CK_TRUST ckt_nss_trusted_delegator = CKT_NSS_TRUSTED_DELEGATOR;
 #ifdef DEBUG
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_0 [] = {
  CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_APPLICATION,  CKA_VALUE
 };
 #endif /* DEBUG */
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_1 [] = {
  CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL
 };
@@ -1048,21 +1048,21 @@ static const CK_ATTRIBUTE_TYPE nss_built
 #ifdef DEBUG
 static const NSSItem nss_builtins_items_0 [] = {
   { (void *)&cko_data, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"CVS ID", (PRUint32)7 },
   { (void *)"NSS", (PRUint32)4 },
-  { (void *)"@(#) $RCSfile: certdata.c,v $ $Revision: 1.67.2.10 $ $Date: 2011/08/01 06:40:03 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.67.2.10 $ $Date: 2011/08/01 06:40:03 $", (PRUint32)164 }
+  { (void *)"@(#) $RCSfile: certdata.c,v $ $Revision: 1.78 $ $Date: 2011/08/01 06:33:46 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.78 $ $Date: 2011/08/01 06:33:46 $", (PRUint32)160 }
 };
 #endif /* DEBUG */
 static const NSSItem nss_builtins_items_1 [] = {
-  { (void *)&cko_netscape_builtin_root_list, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_builtin_root_list, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Mozilla Builtin Roots", (PRUint32)22 }
 };
 static const NSSItem nss_builtins_items_2 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
@@ -1127,17 +1127,17 @@ static const NSSItem nss_builtins_items_
 "\334\364\166\125\175\233\143\124\030\351\360\352\363\134\261\331"
 "\213\102\036\271\300\225\116\272\372\325\342\174\365\150\141\277"
 "\216\354\005\227\137\133\260\327\243\205\064\304\044\247\015\017"
 "\225\223\357\313\224\330\236\037\235\134\205\155\307\252\256\117"
 "\037\042\265\315\225\255\272\247\314\371\253\013\172\177"
 , (PRUint32)606 }
 };
 static const NSSItem nss_builtins_items_3 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"GTE CyberTrust Global Root", (PRUint32)27 },
   { (void *)"\227\201\171\120\330\034\226\160\314\064\330\011\317\171\104\061"
 "\066\176\364\164"
 , (PRUint32)20 },
   { (void *)"\312\075\323\150\361\003\134\320\062\372\270\053\131\350\132\333"
@@ -1148,19 +1148,19 @@ static const NSSItem nss_builtins_items_
 "\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165"
 "\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156"
 "\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105"
 "\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142"
 "\141\154\040\122\157\157\164"
 , (PRUint32)119 },
   { (void *)"\002\002\001\245"
 , (PRUint32)4 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_4 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Thawte Server CA", (PRUint32)17 },
@@ -1244,17 +1244,17 @@ static const NSSItem nss_builtins_items_
 "\100\333\250\314\062\164\271\157\015\306\343\263\104\013\331\212"
 "\157\232\051\233\231\030\050\073\321\343\100\050\232\132\074\325"
 "\265\347\040\033\213\312\244\253\215\351\121\331\342\114\054\131"
 "\251\332\271\262\165\033\366\102\362\357\307\362\030\371\211\274"
 "\243\377\212\043\056\160\107"
 , (PRUint32)791 }
 };
 static const NSSItem nss_builtins_items_5 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Thawte Server CA", (PRUint32)17 },
   { (void *)"\043\345\224\224\121\225\362\101\110\003\264\325\144\322\243\243"
 "\365\330\213\214"
 , (PRUint32)20 },
   { (void *)"\305\160\304\242\355\123\170\014\310\020\123\201\144\313\320\035"
@@ -1270,19 +1270,19 @@ static const NSSItem nss_builtins_items_
 "\163\151\157\156\061\031\060\027\006\003\125\004\003\023\020\124"
 "\150\141\167\164\145\040\123\145\162\166\145\162\040\103\101\061"
 "\046\060\044\006\011\052\206\110\206\367\015\001\011\001\026\027"
 "\163\145\162\166\145\162\055\143\145\162\164\163\100\164\150\141"
 "\167\164\145\056\143\157\155"
 , (PRUint32)199 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_6 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Thawte Premium Server CA", (PRUint32)25 },
@@ -1369,17 +1369,17 @@ static const NSSItem nss_builtins_items_
 "\373\301\306\021\037\361\112\260\050\106\311\303\304\102\175\274"
 "\372\253\131\156\325\267\121\210\021\343\244\205\031\153\202\114"
 "\244\014\022\255\351\244\256\077\361\303\111\145\232\214\305\310"
 "\076\045\267\224\231\273\222\062\161\007\360\206\136\355\120\047"
 "\246\015\246\043\371\273\313\246\007\024\102"
 , (PRUint32)811 }
 };
 static const NSSItem nss_builtins_items_7 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Thawte Premium Server CA", (PRUint32)25 },
   { (void *)"\142\177\215\170\047\145\143\231\322\175\177\220\104\311\376\263"
 "\363\076\372\232"
 , (PRUint32)20 },
   { (void *)"\006\237\151\171\026\146\220\002\033\214\214\242\303\007\157\072"
@@ -1396,19 +1396,19 @@ static const NSSItem nss_builtins_items_
 "\150\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145"
 "\162\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110"
 "\206\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055"
 "\163\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157"
 "\155"
 , (PRUint32)209 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_8 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Equifax Secure CA", (PRUint32)18 },
@@ -1477,17 +1477,17 @@ static const NSSItem nss_builtins_items_
 "\052\247\043\111\001\004\206\102\173\374\356\177\242\026\122\265"
 "\147\147\323\100\333\073\046\130\262\050\167\075\256\024\167\141"
 "\326\372\052\146\047\240\015\372\247\163\134\352\160\361\224\041"
 "\145\104\137\372\374\357\051\150\251\242\207\171\357\171\357\117"
 "\254\007\167\070"
 , (PRUint32)804 }
 };
 static const NSSItem nss_builtins_items_9 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Equifax Secure CA", (PRUint32)18 },
   { (void *)"\322\062\011\255\043\323\024\043\041\164\344\015\177\235\142\023"
 "\227\206\143\072"
 , (PRUint32)20 },
   { (void *)"\147\313\235\300\023\044\212\202\233\262\027\036\321\033\354\324"
@@ -1495,19 +1495,19 @@ static const NSSItem nss_builtins_items_
   { (void *)"\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
 "\020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141"
 "\170\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151"
 "\146\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151"
 "\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171"
 , (PRUint32)80 },
   { (void *)"\002\004\065\336\364\317"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_10 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Digital Signature Trust Co. Global CA 1", (PRUint32)40 },
@@ -1576,17 +1576,17 @@ static const NSSItem nss_builtins_items_
 "\356\202\213\061\052\223\066\205\043\210\212\074\003\150\323\311"
 "\011\017\115\374\154\244\332\050\162\223\016\211\200\260\175\376"
 "\200\157\145\155\030\063\227\213\302\153\211\356\140\075\310\233"
 "\357\177\053\062\142\163\223\313\074\343\173\342\166\170\105\274"
 "\241\223\004\273\206\237\072\133\103\172\303\212\145"
 , (PRUint32)813 }
 };
 static const NSSItem nss_builtins_items_11 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Digital Signature Trust Co. Global CA 1", (PRUint32)40 },
   { (void *)"\201\226\213\072\357\034\334\160\365\372\062\151\302\222\243\143"
 "\133\321\043\323"
 , (PRUint32)20 },
   { (void *)"\045\172\272\203\056\266\242\013\332\376\365\002\017\010\327\255"
@@ -1594,19 +1594,19 @@ static const NSSItem nss_builtins_items_
   { (void *)"\060\106\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
 "\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141"
 "\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163"
 "\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010"
 "\104\123\124\103\101\040\105\061"
 , (PRUint32)72 },
   { (void *)"\002\004\066\160\025\226"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_12 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Digital Signature Trust Co. Global CA 3", (PRUint32)40 },
@@ -1675,17 +1675,17 @@ static const NSSItem nss_builtins_items_
 "\143\335\136\247\342\272\237\365\367\115\245\061\173\234\051\055"
 "\114\376\144\076\354\266\123\376\352\233\355\202\333\164\165\113"
 "\007\171\156\036\330\031\203\163\336\365\076\320\265\336\347\113"
 "\150\175\103\056\052\040\341\176\240\170\104\236\010\365\230\371"
 "\307\177\033\033\326\006\040\002\130\241\303\242\003"
 , (PRUint32)813 }
 };
 static const NSSItem nss_builtins_items_13 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Digital Signature Trust Co. Global CA 3", (PRUint32)40 },
   { (void *)"\253\110\363\063\333\004\253\271\300\162\332\133\014\301\320\127"
 "\360\066\233\106"
 , (PRUint32)20 },
   { (void *)"\223\302\216\021\173\324\363\003\031\275\050\165\023\112\105\112"
@@ -1693,19 +1693,19 @@ static const NSSItem nss_builtins_items_
   { (void *)"\060\106\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
 "\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141"
 "\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163"
 "\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010"
 "\104\123\124\103\101\040\105\062"
 , (PRUint32)72 },
   { (void *)"\002\004\066\156\323\316"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_14 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 1 Public Primary Certification Authority", (PRUint32)56 },
@@ -1765,17 +1765,17 @@ static const NSSItem nss_builtins_items_
 "\361\202\042\135\270\261\335\201\043\243\173\045\025\106\060\171"
 "\026\370\352\005\113\224\177\035\302\034\310\343\267\364\020\100"
 "\074\023\303\137\037\123\350\110\344\206\264\173\241\065\260\173"
 "\045\272\270\323\216\253\077\070\235\000\064\000\230\363\321\161"
 "\224"
 , (PRUint32)577 }
 };
 static const NSSItem nss_builtins_items_15 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 1 Public Primary Certification Authority", (PRUint32)56 },
   { (void *)"\220\256\242\151\205\377\024\200\114\103\111\122\354\351\140\204"
 "\167\257\125\157"
 , (PRUint32)20 },
   { (void *)"\227\140\350\127\137\323\120\107\345\103\014\224\066\212\260\142"
@@ -1786,19 +1786,19 @@ static const NSSItem nss_builtins_items_
 "\013\023\056\103\154\141\163\163\040\061\040\120\165\142\154\151"
 "\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
 "\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
 "\171"
 , (PRUint32)97 },
   { (void *)"\002\021\000\315\272\177\126\360\337\344\274\124\376\042\254\263"
 "\162\252\125"
 , (PRUint32)19 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_16 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 2 Public Primary Certification Authority", (PRUint32)56 },
@@ -1857,17 +1857,17 @@ static const NSSItem nss_builtins_items_
 "\025\021\151\257\235\142\215\243\003\124\153\246\276\345\356\005"
 "\030\140\004\277\102\200\375\320\250\250\036\001\073\367\243\134"
 "\257\243\334\346\046\200\043\074\270\104\164\367\012\256\111\213"
 "\141\170\314\044\277\210\212\247\016\352\163\031\101\375\115\003"
 "\360\210\321\345\170\215\245\052\117\366\227\015\027\167\312\330"
 , (PRUint32)576 }
 };
 static const NSSItem nss_builtins_items_17 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 2 Public Primary Certification Authority", (PRUint32)56 },
   { (void *)"\147\202\252\340\355\356\342\032\130\071\323\300\315\024\150\012"
 "\117\140\024\052"
 , (PRUint32)20 },
   { (void *)"\263\234\045\261\303\056\062\123\200\025\060\235\115\002\167\076"
@@ -1878,19 +1878,19 @@ static const NSSItem nss_builtins_items_
 "\013\023\056\103\154\141\163\163\040\062\040\120\165\142\154\151"
 "\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
 "\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
 "\171"
 , (PRUint32)97 },
   { (void *)"\002\020\055\033\374\112\027\215\243\221\353\347\377\365\213\105"
 "\276\013"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_18 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 3 Public Primary Certification Authority", (PRUint32)56 },
@@ -1949,17 +1949,17 @@ static const NSSItem nss_builtins_items_
 "\326\046\300\166\001\127\201\222\136\041\361\321\261\377\347\320"
 "\041\130\315\151\027\343\104\034\234\031\104\071\211\134\334\234"
 "\000\017\126\215\002\231\355\242\220\105\114\344\273\020\244\075"
 "\360\062\003\016\361\316\370\350\311\121\214\346\142\237\346\237"
 "\300\175\267\162\234\311\066\072\153\237\116\250\377\144\015\144"
 , (PRUint32)576 }
 };
 static const NSSItem nss_builtins_items_19 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 3 Public Primary Certification Authority", (PRUint32)56 },
   { (void *)"\164\054\061\222\346\007\344\044\353\105\111\124\053\341\273\305"
 "\076\141\164\342"
 , (PRUint32)20 },
   { (void *)"\020\374\143\135\366\046\076\015\363\045\276\137\171\315\147\147"
@@ -1970,19 +1970,19 @@ static const NSSItem nss_builtins_items_
 "\013\023\056\103\154\141\163\163\040\063\040\120\165\142\154\151"
 "\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
 "\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
 "\171"
 , (PRUint32)97 },
   { (void *)"\002\020\160\272\344\035\020\331\051\064\266\070\312\173\003\314"
 "\272\277"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_20 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 1 Public Primary Certification Authority - G2", (PRUint32)61 },
@@ -2066,17 +2066,17 @@ static const NSSItem nss_builtins_items_
 "\212\265\335\117\303\233\023\165\270\001\300\346\311\133\153\245"
 "\270\211\334\254\244\335\162\355\116\241\367\117\274\006\323\352"
 "\310\144\164\173\302\225\101\234\145\163\130\361\220\232\074\152"
 "\261\230\311\304\207\274\317\105\155\105\342\156\042\077\376\274"
 "\017\061\134\350\362\331"
 , (PRUint32)774 }
 };
 static const NSSItem nss_builtins_items_21 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 1 Public Primary Certification Authority - G2", (PRUint32)61 },
   { (void *)"\047\076\341\044\127\375\304\371\014\125\350\053\126\026\177\142"
 "\365\062\345\107"
 , (PRUint32)20 },
   { (void *)"\333\043\075\371\151\372\113\271\225\200\104\163\136\175\101\203"
@@ -2093,19 +2093,19 @@ static const NSSItem nss_builtins_items_
 "\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
 "\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
 "\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
 "\167\157\162\153"
 , (PRUint32)196 },
   { (void *)"\002\020\114\307\352\252\230\076\161\323\223\020\370\075\072\211"
 "\221\222"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_22 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 2 Public Primary Certification Authority - G2", (PRUint32)61 },
@@ -2189,17 +2189,17 @@ static const NSSItem nss_builtins_items_
 "\151\157\162\332\154\256\010\360\143\222\067\346\273\304\060\027"
 "\255\167\314\111\065\252\317\330\217\321\276\267\030\226\107\163"
 "\152\124\042\064\144\055\266\026\233\131\133\264\121\131\072\263"
 "\013\024\364\022\337\147\240\364\255\062\144\136\261\106\162\047"
 "\214\022\173\305\104\264\256"
 , (PRUint32)775 }
 };
 static const NSSItem nss_builtins_items_23 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 2 Public Primary Certification Authority - G2", (PRUint32)61 },
   { (void *)"\263\352\304\107\166\311\310\034\352\362\235\225\266\314\240\010"
 "\033\147\354\235"
 , (PRUint32)20 },
   { (void *)"\055\273\345\045\323\321\145\202\072\267\016\372\346\353\342\341"
@@ -2216,19 +2216,19 @@ static const NSSItem nss_builtins_items_
 "\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
 "\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
 "\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
 "\167\157\162\153"
 , (PRUint32)196 },
   { (void *)"\002\021\000\271\057\140\314\210\237\241\172\106\011\270\133\160"
 "\154\212\257"
 , (PRUint32)19 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_24 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 3 Public Primary Certification Authority - G2", (PRUint32)61 },
@@ -2312,17 +2312,17 @@ static const NSSItem nss_builtins_items_
 "\271\021\144\164\314\265\163\237\034\110\251\274\141\001\356\342"
 "\027\246\014\343\100\010\073\016\347\353\104\163\052\232\361\151"
 "\222\357\161\024\303\071\254\161\247\221\011\157\344\161\006\263"
 "\272\131\127\046\171\000\366\370\015\242\063\060\050\324\252\130"
 "\240\235\235\151\221\375"
 , (PRUint32)774 }
 };
 static const NSSItem nss_builtins_items_25 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 3 Public Primary Certification Authority - G2", (PRUint32)61 },
   { (void *)"\205\067\034\246\345\120\024\075\316\050\003\107\033\336\072\011"
 "\350\370\167\017"
 , (PRUint32)20 },
   { (void *)"\242\063\233\114\164\170\163\324\154\347\301\363\215\313\134\351"
@@ -2339,19 +2339,19 @@ static const NSSItem nss_builtins_items_
 "\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
 "\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
 "\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
 "\167\157\162\153"
 , (PRUint32)196 },
   { (void *)"\002\020\175\331\376\007\317\250\036\267\020\171\147\373\247\211"
 "\064\306"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_26 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 4 Public Primary Certification Authority - G2", (PRUint32)61 },
@@ -2435,17 +2435,17 @@ static const NSSItem nss_builtins_items_
 "\166\065\226\011\250\131\235\271\316\043\253\164\326\203\375\062"
 "\163\047\330\151\076\103\164\366\256\305\211\232\347\123\174\351"
 "\173\366\113\363\301\145\203\336\215\212\234\074\210\215\071\131"
 "\374\252\077\042\215\241\301\146\120\201\162\114\355\042\144\117"
 "\117\312\200\221\266\051"
 , (PRUint32)774 }
 };
 static const NSSItem nss_builtins_items_27 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 4 Public Primary Certification Authority - G2", (PRUint32)61 },
   { (void *)"\013\167\276\273\313\172\242\107\005\336\314\017\275\152\002\374"
 "\172\275\233\122"
 , (PRUint32)20 },
   { (void *)"\046\155\054\031\230\266\160\150\070\120\124\031\354\220\064\140"
@@ -2462,19 +2462,19 @@ static const NSSItem nss_builtins_items_
 "\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
 "\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
 "\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
 "\167\157\162\153"
 , (PRUint32)196 },
   { (void *)"\002\020\062\210\216\232\322\365\353\023\107\370\177\304\040\067"
 "\045\370"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_28 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"GlobalSign Root CA", (PRUint32)19 },
@@ -2550,17 +2550,17 @@ static const NSSItem nss_builtins_items_
 "\014\252\202\344\231\121\335\160\267\333\126\075\141\344\152\341"
 "\134\326\366\376\075\336\101\314\007\256\143\122\277\123\123\364"
 "\053\351\307\375\266\367\202\137\205\322\101\030\333\201\263\004"
 "\034\305\037\244\200\157\025\040\311\336\014\210\012\035\326\146"
 "\125\342\374\110\311\051\046\151\340"
 , (PRUint32)889 }
 };
 static const NSSItem nss_builtins_items_29 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"GlobalSign Root CA", (PRUint32)19 },
   { (void *)"\261\274\226\213\324\364\235\142\052\250\232\201\362\025\001\122"
 "\244\035\202\234"
 , (PRUint32)20 },
   { (void *)"\076\105\122\025\011\121\222\341\267\135\067\237\261\207\051\212"
@@ -2569,19 +2569,19 @@ static const NSSItem nss_builtins_items_
 "\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154"
 "\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003"
 "\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031"
 "\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147"
 "\156\040\122\157\157\164\040\103\101"
 , (PRUint32)89 },
   { (void *)"\002\013\004\000\000\000\000\001\025\113\132\303\224"
 , (PRUint32)13 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_30 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"GlobalSign Root CA - R2", (PRUint32)24 },
@@ -2659,17 +2659,17 @@ static const NSSItem nss_builtins_items_
 "\301\377\357\253\156\040\304\120\311\137\235\115\233\027\214\014"
 "\345\001\311\240\101\152\163\123\372\245\120\264\156\045\017\373"
 "\114\030\364\375\122\331\216\151\261\350\021\017\336\210\330\373"
 "\035\111\367\252\336\225\317\040\170\302\140\022\333\045\100\214"
 "\152\374\176\102\070\100\144\022\367\236\201\341\223\056"
 , (PRUint32)958 }
 };
 static const NSSItem nss_builtins_items_31 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"GlobalSign Root CA - R2", (PRUint32)24 },
   { (void *)"\165\340\253\266\023\205\022\047\034\004\370\137\335\336\070\344"
 "\267\044\056\376"
 , (PRUint32)20 },
   { (void *)"\224\024\167\176\076\136\375\217\060\275\101\260\317\347\320\060"
@@ -2677,19 +2677,19 @@ static const NSSItem nss_builtins_items_
   { (void *)"\060\114\061\040\060\036\006\003\125\004\013\023\027\107\154\157"
 "\142\141\154\123\151\147\156\040\122\157\157\164\040\103\101\040"
 "\055\040\122\062\061\023\060\021\006\003\125\004\012\023\012\107"
 "\154\157\142\141\154\123\151\147\156\061\023\060\021\006\003\125"
 "\004\003\023\012\107\154\157\142\141\154\123\151\147\156"
 , (PRUint32)78 },
   { (void *)"\002\013\004\000\000\000\000\001\017\206\046\346\015"
 , (PRUint32)13 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_32 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"ValiCert Class 1 VA", (PRUint32)20 },
@@ -2768,17 +2768,17 @@ static const NSSItem nss_builtins_items_
 "\043\313\050\201\062\303\000\171\030\354\131\027\211\311\306\152"
 "\036\161\311\375\267\164\245\045\105\151\305\110\253\031\341\105"
 "\212\045\153\031\356\345\273\022\365\177\367\246\215\121\303\360"
 "\235\164\267\251\076\240\245\377\266\111\003\023\332\042\314\355"
 "\161\202\053\231\317\072\267\365\055\162\310"
 , (PRUint32)747 }
 };
 static const NSSItem nss_builtins_items_33 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"ValiCert Class 1 VA", (PRUint32)20 },
   { (void *)"\345\337\164\074\266\001\304\233\230\103\334\253\214\350\152\201"
 "\020\237\344\216"
 , (PRUint32)20 },
   { (void *)"\145\130\253\025\255\127\154\036\250\247\265\151\254\277\377\353"
@@ -2793,19 +2793,19 @@ static const NSSItem nss_builtins_items_
 "\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125"
 "\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166"
 "\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036"
 "\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146"
 "\157\100\166\141\154\151\143\145\162\164\056\143\157\155"
 , (PRUint32)190 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_34 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"ValiCert Class 2 VA", (PRUint32)20 },
@@ -2884,17 +2884,17 @@ static const NSSItem nss_builtins_items_
 "\041\201\031\240\062\111\050\364\304\216\126\325\122\063\375\120"
 "\325\176\231\154\003\344\311\114\374\313\154\253\146\263\112\041"
 "\214\345\265\014\062\076\020\262\314\154\241\334\232\230\114\002"
 "\133\363\316\271\236\245\162\016\112\267\077\074\346\026\150\370"
 "\276\355\164\114\274\133\325\142\037\103\335"
 , (PRUint32)747 }
 };
 static const NSSItem nss_builtins_items_35 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"ValiCert Class 2 VA", (PRUint32)20 },
   { (void *)"\061\172\052\320\177\053\063\136\365\241\303\116\113\127\350\267"
 "\330\361\374\246"
 , (PRUint32)20 },
   { (void *)"\251\043\165\233\272\111\066\156\061\302\333\362\347\146\272\207"
@@ -2909,19 +2909,19 @@ static const NSSItem nss_builtins_items_
 "\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125"
 "\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166"
 "\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036"
 "\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146"
 "\157\100\166\141\154\151\143\145\162\164\056\143\157\155"
 , (PRUint32)190 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_36 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"RSA Root Certificate 1", (PRUint32)23 },
@@ -3000,17 +3000,17 @@ static const NSSItem nss_builtins_items_
 "\237\105\256\074\212\251\260\161\063\135\310\305\127\337\257\250"
 "\065\263\177\211\207\351\350\045\222\270\177\205\172\256\326\274"
 "\036\067\130\052\147\311\221\317\052\201\076\355\306\071\337\300"
 "\076\031\234\031\314\023\115\202\101\265\214\336\340\075\140\010"
 "\040\017\105\176\153\242\177\243\214\025\356"
 , (PRUint32)747 }
 };
 static const NSSItem nss_builtins_items_37 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"RSA Root Certificate 1", (PRUint32)23 },
   { (void *)"\151\275\214\364\234\323\000\373\131\056\027\223\312\125\152\363"
 "\354\252\065\373"
 , (PRUint32)20 },
   { (void *)"\242\157\123\267\356\100\333\112\150\347\372\030\331\020\113\162"
@@ -3025,19 +3025,19 @@ static const NSSItem nss_builtins_items_
 "\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125"
 "\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166"
 "\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036"
 "\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146"
 "\157\100\166\141\154\151\143\145\162\164\056\143\157\155"
 , (PRUint32)190 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_38 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 1 Public Primary Certification Authority - G3", (PRUint32)61 },
@@ -3138,17 +3138,17 @@ static const NSSItem nss_builtins_items_
 "\274\070\335\260\056\021\261\153\262\102\314\232\274\371\110\042"
 "\171\112\031\017\262\034\076\040\164\331\152\303\276\362\050\170"
 "\023\126\171\117\155\120\352\033\260\265\127\261\067\146\130\043"
 "\363\334\017\337\012\207\304\357\206\005\325\070\024\140\231\243"
 "\113\336\006\226\161\054\362\333\266\037\244\357\077\356"
 , (PRUint32)1054 }
 };
 static const NSSItem nss_builtins_items_39 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 1 Public Primary Certification Authority - G3", (PRUint32)61 },
   { (void *)"\040\102\205\334\367\353\166\101\225\127\216\023\153\324\267\321"
 "\351\216\106\245"
 , (PRUint32)20 },
   { (void *)"\261\107\274\030\127\321\030\240\170\055\354\161\350\052\225\163"
@@ -3165,19 +3165,19 @@ static const NSSItem nss_builtins_items_
 "\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
 "\061\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
 "\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
 "\165\164\150\157\162\151\164\171\040\055\040\107\063"
 , (PRUint32)205 },
   { (void *)"\002\021\000\213\133\165\126\204\124\205\013\000\317\257\070\110"
 "\316\261\244"
 , (PRUint32)19 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_40 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 2 Public Primary Certification Authority - G3", (PRUint32)61 },
@@ -3278,17 +3278,17 @@ static const NSSItem nss_builtins_items_
 "\106\043\071\124\365\216\142\011\004\035\224\220\246\233\346\045"
 "\342\102\105\252\270\220\255\276\010\217\251\013\102\030\224\317"
 "\162\071\341\261\103\340\050\317\267\347\132\154\023\153\111\263"
 "\377\343\030\174\211\213\063\135\254\063\327\247\371\332\072\125"
 "\311\130\020\371\252\357\132\266\317\113\113\337\052"
 , (PRUint32)1053 }
 };
 static const NSSItem nss_builtins_items_41 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 2 Public Primary Certification Authority - G3", (PRUint32)61 },
   { (void *)"\141\357\103\327\177\312\324\141\121\274\230\340\303\131\022\257"
 "\237\353\143\021"
 , (PRUint32)20 },
   { (void *)"\370\276\304\143\042\311\250\106\164\213\270\035\036\112\053\366"
@@ -3305,19 +3305,19 @@ static const NSSItem nss_builtins_items_
 "\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
 "\062\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
 "\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
 "\165\164\150\157\162\151\164\171\040\055\040\107\063"
 , (PRUint32)205 },
   { (void *)"\002\020\141\160\313\111\214\137\230\105\051\347\260\246\331\120"
 "\133\172"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_42 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 3 Public Primary Certification Authority - G3", (PRUint32)61 },
@@ -3418,17 +3418,17 @@ static const NSSItem nss_builtins_items_
 "\124\000\317\360\361\301\307\230\060\032\073\066\026\333\243\156"
 "\352\375\255\262\302\332\357\002\107\023\212\300\361\263\061\255"
 "\117\034\341\117\234\257\017\014\235\367\170\015\330\364\065\126"
 "\200\332\267\155\027\217\235\036\201\144\341\376\305\105\272\255"
 "\153\271\012\172\116\117\113\204\356\113\361\175\335\021"
 , (PRUint32)1054 }
 };
 static const NSSItem nss_builtins_items_43 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 3 Public Primary Certification Authority - G3", (PRUint32)61 },
   { (void *)"\023\055\015\105\123\113\151\227\315\262\325\303\071\342\125\166"
 "\140\233\134\306"
 , (PRUint32)20 },
   { (void *)"\315\150\266\247\307\304\316\165\340\035\117\127\104\141\222\011"
@@ -3445,19 +3445,19 @@ static const NSSItem nss_builtins_items_
 "\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
 "\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
 "\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
 "\165\164\150\157\162\151\164\171\040\055\040\107\063"
 , (PRUint32)205 },
   { (void *)"\002\021\000\233\176\006\111\243\076\142\271\325\356\220\110\161"
 "\051\357\127"
 , (PRUint32)19 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_44 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 4 Public Primary Certification Authority - G3", (PRUint32)61 },
@@ -3558,17 +3558,17 @@ static const NSSItem nss_builtins_items_
 "\056\203\106\110\262\327\040\137\222\066\217\347\171\017\230\136"
 "\231\350\360\320\244\273\365\123\275\052\316\131\260\257\156\177"
 "\154\273\322\036\000\260\041\355\370\101\142\202\271\330\262\304"
 "\273\106\120\363\061\305\217\001\250\164\353\365\170\047\332\347"
 "\367\146\103\363\236\203\076\040\252\303\065\140\221\316"
 , (PRUint32)1054 }
 };
 static const NSSItem nss_builtins_items_45 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Verisign Class 4 Public Primary Certification Authority - G3", (PRUint32)61 },
   { (void *)"\310\354\214\207\222\151\313\113\253\071\351\215\176\127\147\363"
 "\024\225\163\235"
 , (PRUint32)20 },
   { (void *)"\333\310\362\047\056\261\352\152\051\043\135\376\126\076\063\337"
@@ -3585,19 +3585,19 @@ static const NSSItem nss_builtins_items_
 "\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
 "\064\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
 "\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
 "\165\164\150\157\162\151\164\171\040\055\040\107\063"
 , (PRUint32)205 },
   { (void *)"\002\021\000\354\240\247\213\156\165\152\001\317\304\174\314\057"
 "\224\136\327"
 , (PRUint32)19 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_46 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Entrust.net Secure Server CA", (PRUint32)29 },
@@ -3709,17 +3709,17 @@ static const NSSItem nss_builtins_items_
 "\310\061\306\347\356\077\343\127\165\204\172\021\357\106\117\030"
 "\364\323\230\273\250\207\062\272\162\366\074\342\075\237\327\035"
 "\331\303\140\103\214\130\016\042\226\057\142\243\054\037\272\255"
 "\005\357\253\062\170\207\240\124\163\031\265\134\005\371\122\076"
 "\155\055\105\013\367\012\223\352\355\006\371\262"
 , (PRUint32)1244 }
 };
 static const NSSItem nss_builtins_items_47 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Entrust.net Secure Server CA", (PRUint32)29 },
   { (void *)"\231\246\233\346\032\376\210\153\115\053\202\000\174\270\124\374"
 "\061\176\025\071"
 , (PRUint32)20 },
   { (void *)"\337\362\200\163\314\361\346\141\163\374\365\102\351\305\174\356"
@@ -3735,19 +3735,19 @@ static const NSSItem nss_builtins_items_
 "\145\164\040\114\151\155\151\164\145\144\061\072\060\070\006\003"
 "\125\004\003\023\061\105\156\164\162\165\163\164\056\156\145\164"
 "\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103"
 "\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164"
 "\150\157\162\151\164\171"
 , (PRUint32)198 },
   { (void *)"\002\004\067\112\322\103"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_48 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Entrust.net Premium 2048 Secure Server CA", (PRUint32)42 },
@@ -3849,17 +3849,17 @@ static const NSSItem nss_builtins_items_
 "\017\025\316\030\260\205\170\041\117\153\117\016\372\066\147\315"
 "\007\362\377\010\320\342\336\331\277\052\257\270\207\206\041\074"
 "\004\312\267\224\150\177\317\074\351\230\327\070\377\354\300\331"
 "\120\360\056\113\130\256\106\157\320\056\303\140\332\162\125\162"
 "\275\114\105\236\141\272\277\204\201\222\003\321\322\151\174\305"
 , (PRUint32)1120 }
 };
 static const NSSItem nss_builtins_items_49 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Entrust.net Premium 2048 Secure Server CA", (PRUint32)42 },
   { (void *)"\200\035\142\320\173\104\235\134\134\003\134\230\352\141\372\104"
 "\074\052\130\376"
 , (PRUint32)20 },
   { (void *)"\272\041\352\040\326\335\333\217\301\127\213\100\255\241\374\374"
@@ -3874,19 +3874,19 @@ static const NSSItem nss_builtins_items_
 "\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164"
 "\145\144\061\063\060\061\006\003\125\004\003\023\052\105\156\164"
 "\162\165\163\164\056\156\145\164\040\103\145\162\164\151\146\151"
 "\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171"
 "\040\050\062\060\064\070\051"
 , (PRUint32)183 },
   { (void *)"\002\004\070\143\271\146"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_50 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Baltimore CyberTrust Root", (PRUint32)26 },
@@ -3962,17 +3962,17 @@ static const NSSItem nss_builtins_items_
 "\222\302\342\343\026\215\232\062\002\253\216\030\335\351\020\021"
 "\356\176\065\253\220\257\076\060\224\172\320\063\075\247\145\017"
 "\365\374\216\236\142\317\107\104\054\001\135\273\035\265\062\322"
 "\107\322\070\056\320\376\201\334\062\152\036\265\356\074\325\374"
 "\347\201\035\031\303\044\102\352\143\071\251"
 , (PRUint32)891 }
 };
 static const NSSItem nss_builtins_items_51 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Baltimore CyberTrust Root", (PRUint32)26 },
   { (void *)"\324\336\040\320\136\146\374\123\376\032\120\210\054\170\333\050"
 "\122\312\344\164"
 , (PRUint32)20 },
   { (void *)"\254\266\224\245\234\027\340\327\221\122\233\261\227\006\246\344"
@@ -3981,19 +3981,19 @@ static const NSSItem nss_builtins_items_
 "\022\060\020\006\003\125\004\012\023\011\102\141\154\164\151\155"
 "\157\162\145\061\023\060\021\006\003\125\004\013\023\012\103\171"
 "\142\145\162\124\162\165\163\164\061\042\060\040\006\003\125\004"
 "\003\023\031\102\141\154\164\151\155\157\162\145\040\103\171\142"
 "\145\162\124\162\165\163\164\040\122\157\157\164"
 , (PRUint32)92 },
   { (void *)"\002\004\002\000\000\271"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_52 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Equifax Secure Global eBusiness CA", (PRUint32)35 },
@@ -4055,17 +4055,17 @@ static const NSSItem nss_builtins_items_
 "\243\100\342\001\212\357\047\007\361\145\001\212\104\055\006\145"
 "\165\122\300\206\020\040\041\137\154\153\017\154\256\011\034\257"
 "\362\242\030\064\304\165\244\163\034\361\215\334\357\255\371\263"
 "\166\264\222\277\334\225\020\036\276\313\310\073\132\204\140\031"
 "\126\224\251\125"
 , (PRUint32)660 }
 };
 static const NSSItem nss_builtins_items_53 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Equifax Secure Global eBusiness CA", (PRUint32)35 },
   { (void *)"\176\170\112\020\034\202\145\314\055\341\361\155\107\264\100\312"
 "\331\012\031\105"
 , (PRUint32)20 },
   { (void *)"\217\135\167\006\047\304\230\074\133\223\170\347\327\175\233\314"
@@ -4074,19 +4074,19 @@ static const NSSItem nss_builtins_items_
 "\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141"
 "\170\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060"
 "\053\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040"
 "\123\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102"
 "\165\163\151\156\145\163\163\040\103\101\055\061"
 , (PRUint32)92 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_54 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Equifax Secure eBusiness CA 1", (PRUint32)30 },
@@ -4147,17 +4147,17 @@ static const NSSItem nss_builtins_items_
 "\130\036\107\207\124\076\130\241\265\265\370\052\357\161\347\274"
 "\303\366\261\111\106\342\327\240\153\345\126\172\232\047\230\174"
 "\106\142\024\347\311\374\156\003\022\171\200\070\035\110\202\215"
 "\374\027\376\052\226\053\265\142\246\246\075\275\177\222\131\315"
 "\132\052\202\262\067\171"
 , (PRUint32)646 }
 };
 static const NSSItem nss_builtins_items_55 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Equifax Secure eBusiness CA 1", (PRUint32)30 },
   { (void *)"\332\100\030\213\221\211\243\355\356\256\332\227\376\057\235\365"
 "\267\321\212\101"
 , (PRUint32)20 },
   { (void *)"\144\234\357\056\104\374\306\217\122\007\320\121\163\217\313\075"
@@ -4166,19 +4166,19 @@ static const NSSItem nss_builtins_items_
 "\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141"
 "\170\040\123\145\143\165\162\145\040\111\156\143\056\061\046\060"
 "\044\006\003\125\004\003\023\035\105\161\165\151\146\141\170\040"
 "\123\145\143\165\162\145\040\145\102\165\163\151\156\145\163\163"
 "\040\103\101\055\061"
 , (PRUint32)85 },
   { (void *)"\002\001\004"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_56 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Equifax Secure eBusiness CA 2", (PRUint32)30 },
@@ -4247,17 +4247,17 @@ static const NSSItem nss_builtins_items_
 "\342\261\344\270\232\357\303\275\316\336\013\062\064\331\336\050"
 "\355\063\153\304\324\327\075\022\130\253\175\011\055\313\160\365"
 "\023\212\224\241\047\244\326\160\305\155\224\265\311\175\235\240"
 "\322\306\010\111\331\146\233\246\323\364\013\334\305\046\127\341"
 "\221\060\352\315"
 , (PRUint32)804 }
 };
 static const NSSItem nss_builtins_items_57 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Equifax Secure eBusiness CA 2", (PRUint32)30 },
   { (void *)"\071\117\366\205\013\006\276\122\345\030\126\314\020\341\200\350"
 "\202\263\205\314"
 , (PRUint32)20 },
   { (void *)"\252\277\277\144\227\332\230\035\157\306\010\072\225\160\063\312"
@@ -4265,19 +4265,19 @@ static const NSSItem nss_builtins_items_
   { (void *)"\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
 "\027\060\025\006\003\125\004\012\023\016\105\161\165\151\146\141"
 "\170\040\123\145\143\165\162\145\061\046\060\044\006\003\125\004"
 "\013\023\035\105\161\165\151\146\141\170\040\123\145\143\165\162"
 "\145\040\145\102\165\163\151\156\145\163\163\040\103\101\055\062"
 , (PRUint32)80 },
   { (void *)"\002\004\067\160\317\265"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_58 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"AddTrust Low-Value Services Root", (PRUint32)33 },
@@ -4365,17 +4365,17 @@ static const NSSItem nss_builtins_items_
 "\062\312\173\306\343\253\144\106\225\370\046\151\331\125\203\173"
 "\054\226\007\377\131\054\104\243\306\345\351\251\334\241\143\200"
 "\132\041\136\041\317\123\124\360\272\157\211\333\250\252\225\317"
 "\213\343\161\314\036\033\040\104\010\300\172\266\100\375\304\344"
 "\065\341\035\026\034\320\274\053\216\326\161\331"
 , (PRUint32)1052 }
 };
 static const NSSItem nss_builtins_items_59 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"AddTrust Low-Value Services Root", (PRUint32)33 },
   { (void *)"\314\253\016\240\114\043\001\326\151\173\335\067\237\315\022\353"
 "\044\343\224\235"
 , (PRUint32)20 },
   { (void *)"\036\102\225\002\063\222\153\271\137\300\177\332\326\262\113\374"
@@ -4385,19 +4385,19 @@ static const NSSItem nss_builtins_items_
 "\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024"
 "\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164"
 "\167\157\162\153\061\041\060\037\006\003\125\004\003\023\030\101"
 "\144\144\124\162\165\163\164\040\103\154\141\163\163\040\061\040"
 "\103\101\040\122\157\157\164"
 , (PRUint32)103 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_60 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"AddTrust External Root", (PRUint32)23 },
@@ -4489,17 +4489,17 @@ static const NSSItem nss_builtins_items_
 "\163\210\077\126\033\061\070\030\264\161\017\232\315\310\016\236"
 "\216\056\033\341\214\230\203\313\037\061\361\104\114\306\004\163"
 "\111\166\140\017\307\370\275\027\200\153\056\351\314\114\016\132"
 "\232\171\017\040\012\056\325\236\143\046\036\125\222\224\330\202"
 "\027\132\173\320\274\307\217\116\206\004"
 , (PRUint32)1082 }
 };
 static const NSSItem nss_builtins_items_61 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"AddTrust External Root", (PRUint32)23 },
   { (void *)"\002\372\363\342\221\103\124\150\140\170\127\151\115\365\344\133"
 "\150\205\030\150"
 , (PRUint32)20 },
   { (void *)"\035\065\124\004\205\170\260\077\102\102\115\277\040\163\012\077"
@@ -4510,19 +4510,19 @@ static const NSSItem nss_builtins_items_
 "\101\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141"
 "\154\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060"
 "\040\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164"
 "\040\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157"
 "\164"
 , (PRUint32)113 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_62 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"AddTrust Public Services Root", (PRUint32)30 },
@@ -4610,17 +4610,17 @@ static const NSSItem nss_builtins_items_
 "\200\045\022\141\001\250\044\023\160\000\021\046\137\372\065\120"
 "\305\110\314\006\107\350\047\330\160\215\137\144\346\241\104\046"
 "\136\042\354\222\315\377\102\232\104\041\155\134\305\343\042\035"
 "\137\107\022\347\316\137\135\372\330\252\261\063\055\331\166\362"
 "\116\072\063\014\053\263\055\220\006"
 , (PRUint32)1049 }
 };
 static const NSSItem nss_builtins_items_63 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"AddTrust Public Services Root", (PRUint32)30 },
   { (void *)"\052\266\050\110\136\170\373\363\255\236\171\020\335\153\337\231"
 "\162\054\226\345"
 , (PRUint32)20 },
   { (void *)"\301\142\076\043\305\202\163\234\003\131\113\053\351\167\111\177"
@@ -4630,19 +4630,19 @@ static const NSSItem nss_builtins_items_
 "\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024"
 "\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164"
 "\167\157\162\153\061\040\060\036\006\003\125\004\003\023\027\101"
 "\144\144\124\162\165\163\164\040\120\165\142\154\151\143\040\103"
 "\101\040\122\157\157\164"
 , (PRUint32)102 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_64 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"AddTrust Qualified Certificates Root", (PRUint32)37 },
@@ -4731,17 +4731,17 @@ static const NSSItem nss_builtins_items_
 "\365\160\105\260\334\135\372\366\162\132\167\322\143\315\317\130"
 "\211\000\102\143\077\171\071\320\104\260\202\156\101\031\350\335"
 "\340\301\210\132\321\036\161\223\037\044\060\164\345\036\250\336"
 "\074\047\067\177\203\256\236\167\317\360\060\261\377\113\231\350"
 "\306\241"
 , (PRUint32)1058 }
 };
 static const NSSItem nss_builtins_items_65 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"AddTrust Qualified Certificates Root", (PRUint32)37 },
   { (void *)"\115\043\170\354\221\225\071\265\000\177\165\217\003\073\041\036"
 "\305\115\213\317"
 , (PRUint32)20 },
   { (void *)"\047\354\071\107\315\332\132\257\342\232\001\145\041\251\114\273"
@@ -4751,19 +4751,19 @@ static const NSSItem nss_builtins_items_
 "\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024"
 "\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164"
 "\167\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101"
 "\144\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145"
 "\144\040\103\101\040\122\157\157\164"
 , (PRUint32)105 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_66 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Entrust Root Certification Authority", (PRUint32)37 },
@@ -4869,17 +4869,17 @@ static const NSSItem nss_builtins_items_
 "\172\356\205\112\247\120\200\360\247\134\112\224\056\137\005\231"
 "\074\122\101\340\315\264\143\317\001\103\272\234\203\334\217\140"
 "\073\363\132\264\264\173\256\332\013\220\070\165\357\201\035\146"
 "\322\367\127\160\066\263\277\374\050\257\161\045\205\133\023\376"
 "\036\177\132\264\074"
 , (PRUint32)1173 }
 };
 static const NSSItem nss_builtins_items_67 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Entrust Root Certification Authority", (PRUint32)37 },
   { (void *)"\263\036\261\267\100\343\154\204\002\332\334\067\324\115\365\324"
 "\147\111\122\371"
 , (PRUint32)20 },
   { (void *)"\326\245\303\355\135\335\076\000\301\075\207\222\037\035\077\344"
@@ -4894,19 +4894,19 @@ static const NSSItem nss_builtins_items_
 "\051\040\062\060\060\066\040\105\156\164\162\165\163\164\054\040"
 "\111\156\143\056\061\055\060\053\006\003\125\004\003\023\044\105"
 "\156\164\162\165\163\164\040\122\157\157\164\040\103\145\162\164"
 "\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162"
 "\151\164\171"
 , (PRUint32)179 },
   { (void *)"\002\004\105\153\120\124"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_68 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"RSA Security 2048 v3", (PRUint32)21 },
@@ -4978,17 +4978,17 @@ static const NSSItem nss_builtins_items_
 "\045\102\164\005\200\050\277\275\301\044\226\130\025\261\027\041"
 "\351\211\113\333\007\210\147\364\025\255\160\076\057\115\205\073"
 "\302\267\333\376\230\150\043\211\341\164\017\336\364\305\204\143"
 "\051\033\314\313\007\311\000\244\251\327\302\042\117\147\327\167"
 "\354\040\005\141\336"
 , (PRUint32)869 }
 };
 static const NSSItem nss_builtins_items_69 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"RSA Security 2048 v3", (PRUint32)21 },
   { (void *)"\045\001\220\031\317\373\331\231\034\267\150\045\164\215\224\137"
 "\060\223\225\102"
 , (PRUint32)20 },
   { (void *)"\167\015\031\261\041\375\000\102\234\076\014\245\335\013\002\216"
@@ -4996,19 +4996,19 @@ static const NSSItem nss_builtins_items_
   { (void *)"\060\072\061\031\060\027\006\003\125\004\012\023\020\122\123\101"
 "\040\123\145\143\165\162\151\164\171\040\111\156\143\061\035\060"
 "\033\006\003\125\004\013\023\024\122\123\101\040\123\145\143\165"
 "\162\151\164\171\040\062\060\064\070\040\126\063"
 , (PRUint32)60 },
   { (void *)"\002\020\012\001\001\001\000\000\002\174\000\000\000\012\000\000"
 "\000\002"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_70 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"GeoTrust Global CA", (PRUint32)19 },
@@ -5080,17 +5080,17 @@ static const NSSItem nss_builtins_items_
 "\256\071\246\152\164\351\332\304\347\274\115\064\036\251\134\115"
 "\063\137\222\011\057\210\146\135\167\227\307\035\166\023\251\325"
 "\345\361\026\011\021\065\325\254\333\044\161\160\054\230\126\013"
 "\331\027\264\321\343\121\053\136\165\350\325\320\334\117\064\355"
 "\302\005\146\200\241\313\346\063"
 , (PRUint32)856 }
 };
 static const NSSItem nss_builtins_items_71 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"GeoTrust Global CA", (PRUint32)19 },
   { (void *)"\336\050\364\244\377\345\271\057\243\305\003\321\243\111\247\371"
 "\226\052\202\022"
 , (PRUint32)20 },
   { (void *)"\367\165\253\051\373\121\116\267\167\136\377\005\074\231\216\365"
@@ -5098,19 +5098,19 @@ static const NSSItem nss_builtins_items_
   { (void *)"\060\102\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
 "\026\060\024\006\003\125\004\012\023\015\107\145\157\124\162\165"
 "\163\164\040\111\156\143\056\061\033\060\031\006\003\125\004\003"
 "\023\022\107\145\157\124\162\165\163\164\040\107\154\157\142\141"
 "\154\040\103\101"
 , (PRUint32)68 },
   { (void *)"\002\003\002\064\126"
 , (PRUint32)5 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_72 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"GeoTrust Global CA 2", (PRUint32)21 },
@@ -5183,17 +5183,17 @@ static const NSSItem nss_builtins_items_
 "\000\315\111\271\263\154\173\123\004\032\342\250\311\252\022\005"
 "\043\302\316\347\273\004\002\314\300\107\242\344\304\051\057\133"
 "\105\127\211\121\356\074\353\122\010\377\007\065\036\237\065\152"
 "\107\112\126\230\321\132\205\037\214\365\042\277\253\316\203\363"
 "\342\042\051\256\175\203\100\250\272\154"
 , (PRUint32)874 }
 };
 static const NSSItem nss_builtins_items_73 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"GeoTrust Global CA 2", (PRUint32)21 },
   { (void *)"\251\351\170\010\024\067\130\210\362\005\031\260\155\053\015\053"
 "\140\026\220\175"
 , (PRUint32)20 },
   { (void *)"\016\100\247\154\336\003\135\217\321\017\344\321\215\371\154\251"
@@ -5201,19 +5201,19 @@ static const NSSItem nss_builtins_items_
   { (void *)"\060\104\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
 "\026\060\024\006\003\125\004\012\023\015\107\145\157\124\162\165"
 "\163\164\040\111\156\143\056\061\035\060\033\006\003\125\004\003"
 "\023\024\107\145\157\124\162\165\163\164\040\107\154\157\142\141"
 "\154\040\103\101\040\062"
 , (PRUint32)70 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_74 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"GeoTrust Universal CA", (PRUint32)22 },
@@ -5318,17 +5318,17 @@ static const NSSItem nss_builtins_items_
 "\317\265\135\353\333\333\034\304\166\337\210\271\275\105\005\225"
 "\033\256\374\106\152\114\257\110\343\316\256\017\322\176\353\346"
 "\154\234\117\201\152\172\144\254\273\076\325\347\313\166\056\305"
 "\247\110\301\134\220\017\313\310\077\372\346\062\341\215\033\157"
 "\244\346\216\330\371\051\110\212\316\163\376\054"
 , (PRUint32)1388 }
 };
 static const NSSItem nss_builtins_items_75 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"GeoTrust Universal CA", (PRUint32)22 },
   { (void *)"\346\041\363\065\103\171\005\232\113\150\060\235\212\057\164\042"
 "\025\207\354\171"
 , (PRUint32)20 },
   { (void *)"\222\145\130\213\242\032\061\162\163\150\134\264\245\172\007\110"
@@ -5336,19 +5336,19 @@ static const NSSItem nss_builtins_items_
   { (void *)"\060\105\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
 "\026\060\024\006\003\125\004\012\023\015\107\145\157\124\162\165"
 "\163\164\040\111\156\143\056\061\036\060\034\006\003\125\004\003"
 "\023\025\107\145\157\124\162\165\163\164\040\125\156\151\166\145"
 "\162\163\141\154\040\103\101"
 , (PRUint32)71 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_76 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"GeoTrust Universal CA 2", (PRUint32)24 },
@@ -5453,17 +5453,17 @@ static const NSSItem nss_builtins_items_
 "\175\231\364\061\366\161\251\317\054\001\047\245\005\271\252\262"
 "\110\116\052\357\237\223\122\121\225\074\122\163\216\126\114\027"
 "\100\300\011\050\344\213\152\110\123\333\354\315\125\125\361\306"
 "\370\351\242\054\114\246\321\046\137\176\257\132\114\332\037\246"
 "\362\034\054\176\256\002\026\322\126\320\057\127\123\107\350\222"
 , (PRUint32)1392 }
 };
 static const NSSItem nss_builtins_items_77 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"GeoTrust Universal CA 2", (PRUint32)24 },
   { (void *)"\067\232\031\173\101\205\105\065\014\246\003\151\363\074\056\257"
 "\107\117\040\171"
 , (PRUint32)20 },
   { (void *)"\064\374\270\320\066\333\236\024\263\302\362\333\217\344\224\307"
@@ -5471,19 +5471,19 @@ static const NSSItem nss_builtins_items_
   { (void *)"\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
 "\026\060\024\006\003\125\004\012\023\015\107\145\157\124\162\165"
 "\163\164\040\111\156\143\056\061\040\060\036\006\003\125\004\003"
 "\023\027\107\145\157\124\162\165\163\164\040\125\156\151\166\145"
 "\162\163\141\154\040\103\101\040\062"
 , (PRUint32)73 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_78 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"UTN-USER First-Network Applications", (PRUint32)36 },
@@ -5585,17 +5585,17 @@ static const NSSItem nss_builtins_items_
 "\140\105\235\361\043\232\260\000\234\150\265\230\120\323\357\216"
 "\056\222\145\261\110\076\041\276\025\060\052\015\265\014\243\153"
 "\077\256\177\127\365\037\226\174\337\157\335\202\060\054\145\033"
 "\100\112\315\150\271\162\354\161\166\354\124\216\037\205\014\001"
 "\152\372\246\070\254\037\304\204"
 , (PRUint32)1128 }
 };
 static const NSSItem nss_builtins_items_79 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"UTN-USER First-Network Applications", (PRUint32)36 },
   { (void *)"\135\230\234\333\025\226\021\066\121\145\144\033\126\017\333\352"
 "\052\302\076\361"
 , (PRUint32)20 },
   { (void *)"\277\140\131\243\133\272\366\247\166\102\332\157\032\173\120\317"
@@ -5610,19 +5610,19 @@ static const NSSItem nss_builtins_items_
 "\164\162\165\163\164\056\143\157\155\061\053\060\051\006\003\125"
 "\004\003\023\042\125\124\116\055\125\123\105\122\106\151\162\163"
 "\164\055\116\145\164\167\157\162\153\040\101\160\160\154\151\143"
 "\141\164\151\157\156\163"
 , (PRUint32)166 },
   { (void *)"\002\020\104\276\014\213\120\000\044\264\021\323\066\060\113\300"
 "\063\167"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_80 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"America Online Root Certification Authority 1", (PRUint32)46 },
@@ -5703,17 +5703,17 @@ static const NSSItem nss_builtins_items_
 "\060\306\307\065\206\263\371\226\137\106\333\014\105\375\363\120"
 "\303\157\306\303\110\255\106\246\341\047\107\012\035\016\233\266"
 "\302\167\177\143\362\340\175\032\276\374\340\337\327\307\247\154"
 "\260\371\256\272\074\375\164\264\021\350\130\015\200\274\323\250"
 "\200\072\231\355\165\314\106\173"
 , (PRUint32)936 }
 };
 static const NSSItem nss_builtins_items_81 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"America Online Root Certification Authority 1", (PRUint32)46 },
   { (void *)"\071\041\301\025\301\135\016\312\134\313\133\304\360\175\041\330"
 "\005\013\126\152"
 , (PRUint32)20 },
   { (void *)"\024\361\010\255\235\372\144\342\211\347\034\317\250\255\175\136"
@@ -5723,19 +5723,19 @@ static const NSSItem nss_builtins_items_
 "\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060"
 "\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040"
 "\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164"
 "\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162"
 "\151\164\171\040\061"
 , (PRUint32)101 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_82 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"America Online Root Certification Authority 2", (PRUint32)46 },
@@ -5848,17 +5848,17 @@ static const NSSItem nss_builtins_items_
 "\377\023\312\057\135\203\274\207\223\154\334\044\121\026\004\045"
 "\146\372\263\331\302\272\051\276\232\110\070\202\231\364\277\073"
 "\112\061\031\371\277\216\041\063\024\312\117\124\137\373\316\373"
 "\217\161\177\375\136\031\240\017\113\221\270\304\124\274\006\260"
 "\105\217\046\221\242\216\376\251"
 , (PRUint32)1448 }
 };
 static const NSSItem nss_builtins_items_83 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"America Online Root Certification Authority 2", (PRUint32)46 },
   { (void *)"\205\265\377\147\233\014\171\226\037\310\156\104\042\000\106\023"
 "\333\027\222\204"
 , (PRUint32)20 },
   { (void *)"\326\355\074\312\342\146\017\257\020\103\015\167\233\004\011\277"
@@ -5868,19 +5868,19 @@ static const NSSItem nss_builtins_items_
 "\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060"
 "\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040"
 "\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164"
 "\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162"
 "\151\164\171\040\062"
 , (PRUint32)101 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_84 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Visa eCommerce Root", (PRUint32)20 },
@@ -5962,17 +5962,17 @@ static const NSSItem nss_builtins_items_
 "\373\340\333\146\243\000\001\275\346\054\332\221\137\240\106\213"
 "\115\152\234\075\075\335\005\106\376\166\277\240\012\074\344\000"
 "\346\047\267\377\204\055\336\272\042\047\226\020\161\353\042\355"
 "\337\337\063\234\317\343\255\256\216\324\216\346\117\121\257\026"
 "\222\340\134\366\007\017"
 , (PRUint32)934 }
 };
 static const NSSItem nss_builtins_items_85 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Visa eCommerce Root", (PRUint32)20 },
   { (void *)"\160\027\233\206\214\000\244\372\140\221\122\042\077\237\076\062"
 "\275\340\005\142"
 , (PRUint32)20 },
   { (void *)"\374\021\270\330\010\223\060\000\155\043\371\176\353\122\036\002"
@@ -5983,19 +5983,19 @@ static const NSSItem nss_builtins_items_
 "\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
 "\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061"
 "\034\060\032\006\003\125\004\003\023\023\126\151\163\141\040\145"
 "\103\157\155\155\145\162\143\145\040\122\157\157\164"
 , (PRUint32)109 },
   { (void *)"\002\020\023\206\065\115\035\077\006\362\301\371\145\005\325\220"
 "\034\142"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_86 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"TC TrustCenter, Germany, Class 2 CA", (PRUint32)36 },
@@ -6081,17 +6081,17 @@ static const NSSItem nss_builtins_items_
 "\312\332\203\214\006\254\353\066\155\205\221\064\004\066\364\102"
 "\360\370\171\056\012\110\134\253\314\121\117\170\166\240\331\254"
 "\031\275\052\321\151\004\050\221\312\066\020\047\200\127\133\322"
 "\134\365\302\133\253\144\201\143\164\121\364\227\277\315\022\050"
 "\367\115\146\177\247\360\034\001\046\170\262\146\107\160\121\144"
 , (PRUint32)864 }
 };
 static const NSSItem nss_builtins_items_87 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"TC TrustCenter, Germany, Class 2 CA", (PRUint32)36 },
   { (void *)"\203\216\060\367\177\335\024\252\070\136\321\105\000\234\016\042"
 "\066\111\117\252"
 , (PRUint32)20 },
   { (void *)"\270\026\063\114\114\114\362\330\323\115\006\264\246\133\100\003"
@@ -6106,19 +6106,19 @@ static const NSSItem nss_builtins_items_
 "\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162"
 "\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040"
 "\062\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015"
 "\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145"
 "\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145"
 , (PRUint32)191 },
   { (void *)"\002\002\003\352"
 , (PRUint32)4 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_88 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"TC TrustCenter, Germany, Class 3 CA", (PRUint32)36 },
@@ -6204,17 +6204,17 @@ static const NSSItem nss_builtins_items_
 "\273\306\253\136\013\335\075\226\304\313\251\324\371\046\346\006"
 "\116\236\014\245\172\272\156\303\174\202\031\321\307\261\261\303"
 "\333\015\216\233\100\174\067\013\361\135\350\375\037\220\210\245"
 "\016\116\067\144\041\250\116\215\264\237\361\336\110\255\325\126"
 "\030\122\051\213\107\064\022\011\324\273\222\065\357\017\333\064"
 , (PRUint32)864 }
 };
 static const NSSItem nss_builtins_items_89 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"TC TrustCenter, Germany, Class 3 CA", (PRUint32)36 },
   { (void *)"\237\307\226\350\370\122\117\206\072\341\111\155\070\022\102\020"
 "\137\033\170\365"
 , (PRUint32)20 },
   { (void *)"\137\224\112\163\042\270\367\321\061\354\131\071\367\216\376\156"
@@ -6229,19 +6229,19 @@ static const NSSItem nss_builtins_items_
 "\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162"
 "\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040"
 "\063\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015"
 "\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145"
 "\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145"
 , (PRUint32)191 },
   { (void *)"\002\002\003\353"
 , (PRUint32)4 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_90 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Certum Root CA", (PRUint32)15 },
@@ -6306,36 +6306,36 @@ static const NSSItem nss_builtins_items_
 "\362\274\156\144\365\132\126\220\250\307\016\114\164\017\056\161"
 "\073\367\310\107\364\151\157\025\362\021\136\203\036\234\174\122"
 "\256\375\002\332\022\250\131\147\030\333\274\160\335\233\261\151"
 "\355\200\316\211\100\110\152\016\065\312\051\146\025\041\224\054"
 "\350\140\052\233\205\112\100\363\153\212\044\354\006\026\054\163"
 , (PRUint32)784 }
 };
 static const NSSItem nss_builtins_items_91 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Certum Root CA", (PRUint32)15 },
   { (void *)"\142\122\334\100\367\021\103\242\057\336\236\367\064\216\006\102"
 "\121\261\201\030"
 , (PRUint32)20 },
   { (void *)"\054\217\237\146\035\030\220\261\107\046\235\216\206\202\214\251"
 , (PRUint32)16 },
   { (void *)"\060\076\061\013\060\011\006\003\125\004\006\023\002\120\114\061"
 "\033\060\031\006\003\125\004\012\023\022\125\156\151\172\145\164"
 "\157\040\123\160\056\040\172\040\157\056\157\056\061\022\060\020"
 "\006\003\125\004\003\023\011\103\145\162\164\165\155\040\103\101"
 , (PRUint32)64 },
   { (void *)"\002\003\001\000\040"
 , (PRUint32)5 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_92 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Comodo AAA Services root", (PRUint32)25 },
@@ -6427,17 +6427,17 @@ static const NSSItem nss_builtins_items_
 "\227\140\370\220\136\164\324\242\232\123\275\362\251\150\340\242"
 "\156\302\327\154\261\243\017\236\277\353\150\347\126\362\256\362"
 "\343\053\070\072\011\201\265\153\205\327\276\055\355\077\032\267"
 "\262\143\342\365\142\054\202\324\152\000\101\120\361\071\203\237"
 "\225\351\066\226\230\156"
 , (PRUint32)1078 }
 };
 static const NSSItem nss_builtins_items_93 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Comodo AAA Services root", (PRUint32)25 },
   { (void *)"\321\353\043\244\155\027\326\217\331\045\144\302\361\361\140\027"
 "\144\330\343\111"
 , (PRUint32)20 },
   { (void *)"\111\171\004\260\353\207\031\254\107\260\274\021\121\233\164\320"
@@ -6448,19 +6448,19 @@ static const NSSItem nss_builtins_items_
 "\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032"
 "\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040"
 "\103\101\040\114\151\155\151\164\145\144\061\041\060\037\006\003"
 "\125\004\003\014\030\101\101\101\040\103\145\162\164\151\146\151"
 "\143\141\164\145\040\123\145\162\166\151\143\145\163"
 , (PRUint32)125 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_94 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Comodo Secure Services root", (PRUint32)28 },
@@ -6553,17 +6553,17 @@ static const NSSItem nss_builtins_items_
 "\243\360\244\050\244\025\304\205\364\047\324\153\277\345\134\344"
 "\145\002\166\124\264\343\067\146\044\323\031\141\310\122\020\345"
 "\213\067\232\271\251\371\035\277\352\231\222\141\226\377\001\315"
 "\241\137\015\274\161\274\016\254\013\035\107\105\035\301\354\174"
 "\354\375\051"
 , (PRUint32)1091 }
 };
 static const NSSItem nss_builtins_items_95 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Comodo Secure Services root", (PRUint32)28 },
   { (void *)"\112\145\325\364\035\357\071\270\270\220\112\112\323\144\201\063"
 "\317\307\241\321"
 , (PRUint32)20 },
   { (void *)"\323\331\275\256\237\254\147\044\263\310\033\122\341\271\251\275"
@@ -6574,19 +6574,19 @@ static const NSSItem nss_builtins_items_
 "\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032"
 "\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040"
 "\103\101\040\114\151\155\151\164\145\144\061\044\060\042\006\003"
 "\125\004\003\014\033\123\145\143\165\162\145\040\103\145\162\164"
 "\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163"
 , (PRUint32)128 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_96 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Comodo Trusted Services root", (PRUint32)29 },
@@ -6681,17 +6681,17 @@ static const NSSItem nss_builtins_items_
 "\115\045\107\356\057\210\310\265\341\005\105\300\276\024\161\336"
 "\172\375\216\173\175\115\010\226\245\022\163\360\055\312\067\047"
 "\164\022\047\114\313\266\227\351\331\256\010\155\132\071\100\335"
 "\005\107\165\152\132\041\263\243\030\317\116\367\056\127\267\230"
 "\160\136\310\304\170\260\142"
 , (PRUint32)1095 }
 };
 static const NSSItem nss_builtins_items_97 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Comodo Trusted Services root", (PRUint32)29 },
   { (void *)"\341\237\343\016\213\204\140\236\200\233\027\015\162\250\305\272"
 "\156\024\011\275"
 , (PRUint32)20 },
   { (void *)"\221\033\077\156\315\236\253\356\007\376\037\161\322\263\141\047"
@@ -6703,19 +6703,19 @@ static const NSSItem nss_builtins_items_
 "\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040"
 "\103\101\040\114\151\155\151\164\145\144\061\045\060\043\006\003"
 "\125\004\003\014\034\124\162\165\163\164\145\144\040\103\145\162"
 "\164\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145"
 "\163"
 , (PRUint32)129 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_98 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"QuoVadis Root CA", (PRUint32)17 },
@@ -6835,17 +6835,17 @@ static const NSSItem nss_builtins_items_
 "\242\346\352\131\042\207\370\227\365\016\375\352\314\222\244\026"
 "\304\122\030\352\041\316\261\361\346\204\201\345\272\251\206\050"
 "\362\103\132\135\022\235\254\036\331\250\345\012\152\247\177\240"
 "\207\051\317\362\211\115\324\354\305\342\346\172\320\066\043\212"
 "\112\164\066\371"
 , (PRUint32)1492 }
 };
 static const NSSItem nss_builtins_items_99 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"QuoVadis Root CA", (PRUint32)17 },
   { (void *)"\336\077\100\275\120\223\323\233\154\140\366\332\274\007\142\001"
 "\000\211\166\311"
 , (PRUint32)20 },
   { (void *)"\047\336\066\376\162\267\000\003\000\235\364\360\036\154\004\044"
@@ -6857,19 +6857,19 @@ static const NSSItem nss_builtins_items_
 "\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
 "\171\061\056\060\054\006\003\125\004\003\023\045\121\165\157\126"
 "\141\144\151\163\040\122\157\157\164\040\103\145\162\164\151\146"
 "\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
 "\171"
 , (PRUint32)129 },
   { (void *)"\002\004\072\266\120\213"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_100 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"QuoVadis Root CA 2", (PRUint32)19 },
@@ -6979,17 +6979,17 @@ static const NSSItem nss_builtins_items_
 "\341\243\223\035\314\212\046\132\011\070\320\316\327\015\200\026"
 "\264\170\245\072\207\114\215\212\245\325\106\227\362\054\020\271"
 "\274\124\042\300\001\120\151\103\236\364\262\357\155\370\354\332"
 "\361\343\261\357\337\221\217\124\052\013\045\301\046\031\304\122"
 "\020\005\145\325\202\020\352\302\061\315\056"
 , (PRUint32)1467 }
 };
 static const NSSItem nss_builtins_items_101 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"QuoVadis Root CA 2", (PRUint32)19 },
   { (void *)"\312\072\373\317\022\100\066\113\104\262\026\040\210\200\110\071"
 "\031\223\174\367"
 , (PRUint32)20 },
   { (void *)"\136\071\173\335\370\272\354\202\351\254\142\272\014\124\000\053"
@@ -6997,19 +6997,19 @@ static const NSSItem nss_builtins_items_
   { (void *)"\060\105\061\013\060\011\006\003\125\004\006\023\002\102\115\061"
 "\031\060\027\006\003\125\004\012\023\020\121\165\157\126\141\144"
 "\151\163\040\114\151\155\151\164\145\144\061\033\060\031\006\003"
 "\125\004\003\023\022\121\165\157\126\141\144\151\163\040\122\157"
 "\157\164\040\103\101\040\062"
 , (PRUint32)71 },
   { (void *)"\002\002\005\011"
 , (PRUint32)4 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_102 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"QuoVadis Root CA 3", (PRUint32)19 },
@@ -7134,17 +7134,17 @@ static const NSSItem nss_builtins_items_
 "\230\231\140\224\134\043\317\132\047\227\136\013\005\006\223\067"
 "\036\073\151\066\353\251\236\141\035\217\062\332\216\014\326\164"
 "\076\173\011\044\332\001\167\107\304\073\315\064\214\231\365\312"
 "\341\045\141\063\262\131\033\342\156\327\067\127\266\015\251\022"
 "\332"
 , (PRUint32)1697 }
 };
 static const NSSItem nss_builtins_items_103 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"QuoVadis Root CA 3", (PRUint32)19 },
   { (void *)"\037\111\024\367\330\164\225\035\335\256\002\300\276\375\072\055"
 "\202\165\121\205"
 , (PRUint32)20 },
   { (void *)"\061\205\074\142\224\227\143\271\252\375\211\116\257\157\340\317"
@@ -7152,19 +7152,19 @@ static const NSSItem nss_builtins_items_
   { (void *)"\060\105\061\013\060\011\006\003\125\004\006\023\002\102\115\061"
 "\031\060\027\006\003\125\004\012\023\020\121\165\157\126\141\144"
 "\151\163\040\114\151\155\151\164\145\144\061\033\060\031\006\003"
 "\125\004\003\023\022\121\165\157\126\141\144\151\163\040\122\157"
 "\157\164\040\103\101\040\063"
 , (PRUint32)71 },
   { (void *)"\002\002\005\306"
 , (PRUint32)4 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_104 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Security Communication Root CA", (PRUint32)31 },
@@ -7238,17 +7238,17 @@ static const NSSItem nss_builtins_items_
 "\065\303\340\210\141\311\210\307\337\066\020\042\230\131\352\260"
 "\112\373\126\026\163\156\254\115\367\042\241\117\255\035\172\055"
 "\105\047\345\060\301\136\362\332\023\313\045\102\121\225\107\003"
 "\214\154\041\314\164\102\355\123\377\063\213\217\017\127\001\026"
 "\057\317\246\356\311\160\042\024\275\375\276\154\013\003"
 , (PRUint32)862 }
 };
 static const NSSItem nss_builtins_items_105 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Security Communication Root CA", (PRUint32)31 },
   { (void *)"\066\261\053\111\371\201\236\327\114\236\274\070\017\306\126\217"
 "\135\254\262\367"
 , (PRUint32)20 },
   { (void *)"\361\274\143\152\124\340\265\047\365\315\347\032\343\115\156\112"
@@ -7257,19 +7257,19 @@ static const NSSItem nss_builtins_items_
 "\030\060\026\006\003\125\004\012\023\017\123\105\103\117\115\040"
 "\124\162\165\163\164\056\156\145\164\061\047\060\045\006\003\125"
 "\004\013\023\036\123\145\143\165\162\151\164\171\040\103\157\155"
 "\155\165\156\151\143\141\164\151\157\156\040\122\157\157\164\103"
 "\101\061"
 , (PRUint32)82 },
   { (void *)"\002\001\000"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_106 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Sonera Class 1 Root CA", (PRUint32)23 },
@@ -7336,36 +7336,36 @@ static const NSSItem nss_builtins_items_
 "\032\270\273\075\217\251\212\070\025\367\163\320\132\140\321\200"
 "\260\360\334\325\120\315\116\356\222\110\151\355\262\043\036\060"
 "\314\310\224\310\266\365\073\206\177\077\246\056\237\366\076\054"
 "\265\222\226\076\337\054\223\212\377\201\214\017\017\131\041\031"
 "\127\275\125\232"
 , (PRUint32)804 }
 };
 static const NSSItem nss_builtins_items_107 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Sonera Class 1 Root CA", (PRUint32)23 },
   { (void *)"\007\107\042\001\231\316\164\271\174\260\075\171\262\144\242\310"
 "\125\351\063\377"
 , (PRUint32)20 },
   { (void *)"\063\267\204\365\137\047\327\150\047\336\024\336\022\052\355\157"
 , (PRUint32)16 },
   { (void *)"\060\071\061\013\060\011\006\003\125\004\006\023\002\106\111\061"
 "\017\060\015\006\003\125\004\012\023\006\123\157\156\145\162\141"
 "\061\031\060\027\006\003\125\004\003\023\020\123\157\156\145\162"
 "\141\040\103\154\141\163\163\061\040\103\101"
 , (PRUint32)59 },
   { (void *)"\002\001\044"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_108 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Sonera Class 2 Root CA", (PRUint32)23 },
@@ -7432,36 +7432,36 @@ static const NSSItem nss_builtins_items_
 "\256\364\135\304\261\022\334\312\073\250\056\235\024\132\005\165"
 "\267\354\327\143\342\272\065\266\004\010\221\350\332\235\234\366"
 "\146\265\030\254\012\246\124\046\064\063\322\033\301\324\177\032"
 "\072\216\013\252\062\156\333\374\117\045\237\331\062\307\226\132"
 "\160\254\337\114"
 , (PRUint32)804 }
 };
 static const NSSItem nss_builtins_items_109 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Sonera Class 2 Root CA", (PRUint32)23 },
   { (void *)"\067\367\155\346\007\174\220\305\261\076\223\032\267\101\020\264"
 "\362\344\232\047"
 , (PRUint32)20 },
   { (void *)"\243\354\165\017\056\210\337\372\110\001\116\013\134\110\157\373"
 , (PRUint32)16 },
   { (void *)"\060\071\061\013\060\011\006\003\125\004\006\023\002\106\111\061"
 "\017\060\015\006\003\125\004\012\023\006\123\157\156\145\162\141"
 "\061\031\060\027\006\003\125\004\003\023\020\123\157\156\145\162"
 "\141\040\103\154\141\163\163\062\040\103\101"
 , (PRUint32)59 },
   { (void *)"\002\001\035"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_110 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Staat der Nederlanden Root CA", (PRUint32)30 },
@@ -7541,17 +7541,17 @@ static const NSSItem nss_builtins_items_
 "\135\026\027\054\021\151\347\176\376\305\203\010\337\274\334\042"
 "\072\056\040\151\043\071\126\140\147\220\213\056\166\071\373\021"
 "\210\227\366\174\275\113\270\040\026\147\005\215\342\073\301\162"
 "\077\224\225\067\307\135\271\236\330\223\241\027\217\377\014\146"
 "\025\301\044\174\062\174\003\035\073\241\130\105\062\223"
 , (PRUint32)958 }
 };
 static const NSSItem nss_builtins_items_111 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Staat der Nederlanden Root CA", (PRUint32)30 },
   { (void *)"\020\035\372\077\325\013\313\273\233\265\140\014\031\125\244\032"
 "\364\163\072\004"
 , (PRUint32)20 },
   { (void *)"\140\204\174\132\316\333\014\324\313\247\351\376\002\306\251\300"
@@ -7560,19 +7560,19 @@ static const NSSItem nss_builtins_items_
 "\036\060\034\006\003\125\004\012\023\025\123\164\141\141\164\040"
 "\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\061"
 "\046\060\044\006\003\125\004\003\023\035\123\164\141\141\164\040"
 "\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\040"
 "\122\157\157\164\040\103\101"
 , (PRUint32)87 },
   { (void *)"\002\004\000\230\226\212"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_112 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"TDC Internet Root CA", (PRUint32)21 },
@@ -7657,17 +7657,17 @@ static const NSSItem nss_builtins_items_
 "\304\011\137\164\213\331\021\373\302\126\261\074\370\160\312\064"
 "\215\103\100\023\214\375\231\003\124\171\306\056\352\206\241\366"
 "\072\324\011\274\364\274\146\314\075\130\320\127\111\012\356\045"
 "\342\101\356\023\371\233\070\064\321\000\365\176\347\224\035\374"
 "\151\003\142\270\231\005\005\075\153\170\022\275\260\157\145"
 , (PRUint32)1071 }
 };
 static const NSSItem nss_builtins_items_113 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"TDC Internet Root CA", (PRUint32)21 },
   { (void *)"\041\374\275\216\177\154\257\005\033\321\263\103\354\250\347\141"
 "\107\362\017\212"
 , (PRUint32)20 },
   { (void *)"\221\364\003\125\040\241\370\143\054\142\336\254\373\141\034\216"
@@ -7675,19 +7675,19 @@ static const NSSItem nss_builtins_items_
   { (void *)"\060\103\061\013\060\011\006\003\125\004\006\023\002\104\113\061"
 "\025\060\023\006\003\125\004\012\023\014\124\104\103\040\111\156"
 "\164\145\162\156\145\164\061\035\060\033\006\003\125\004\013\023"
 "\024\124\104\103\040\111\156\164\145\162\156\145\164\040\122\157"
 "\157\164\040\103\101"
 , (PRUint32)69 },
   { (void *)"\002\004\072\314\245\114"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_114 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"TDC OCES Root CA", (PRUint32)17 },
@@ -7785,36 +7785,36 @@ static const NSSItem nss_builtins_items_
 "\071\334\342\074\306\330\125\365\025\116\310\005\016\333\306\320"
 "\142\246\354\025\264\265\002\202\333\254\214\242\201\360\233\231"
 "\061\365\040\040\250\210\141\012\007\237\224\374\320\327\033\314"
 "\056\027\363\004\047\166\147\353\124\203\375\244\220\176\006\075"
 "\004\243\103\055\332\374\013\142\352\057\137\142\123"
 , (PRUint32)1309 }
 };
 static const NSSItem nss_builtins_items_115 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"TDC OCES Root CA", (PRUint32)17 },
   { (void *)"\207\201\302\132\226\275\302\373\114\145\006\117\371\071\013\046"
 "\004\212\016\001"
 , (PRUint32)20 },
   { (void *)"\223\177\220\034\355\204\147\027\244\145\137\233\313\060\002\227"
 , (PRUint32)16 },
   { (void *)"\060\061\061\013\060\011\006\003\125\004\006\023\002\104\113\061"
 "\014\060\012\006\003\125\004\012\023\003\124\104\103\061\024\060"
 "\022\006\003\125\004\003\023\013\124\104\103\040\117\103\105\123"
 "\040\103\101"
 , (PRUint32)51 },
   { (void *)"\002\004\076\110\275\304"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_116 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"UTN DATACorp SGC Root CA", (PRUint32)25 },
@@ -7914,17 +7914,17 @@ static const NSSItem nss_builtins_items_
 "\330\300\215\355\221\172\114\000\217\162\177\135\332\335\033\213"
 "\105\153\347\335\151\227\250\305\126\114\017\014\366\237\172\221"
 "\067\366\227\202\340\335\161\151\377\166\077\140\115\074\317\367"
 "\231\371\306\127\364\311\125\071\170\272\054\171\311\246\210\053"
 "\364\010"
 , (PRUint32)1122 }
 };
 static const NSSItem nss_builtins_items_117 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"UTN DATACorp SGC Root CA", (PRUint32)25 },
   { (void *)"\130\021\237\016\022\202\207\352\120\375\331\207\105\157\117\170"
 "\334\372\326\324"
 , (PRUint32)20 },
   { (void *)"\263\245\076\167\041\155\254\112\300\311\373\325\101\075\312\006"
@@ -7938,19 +7938,19 @@ static const NSSItem nss_builtins_items_
 "\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162"
 "\164\162\165\163\164\056\143\157\155\061\033\060\031\006\003\125"
 "\004\003\023\022\125\124\116\040\055\040\104\101\124\101\103\157"
 "\162\160\040\123\107\103"
 , (PRUint32)150 },
   { (void *)"\002\020\104\276\014\213\120\000\041\264\021\323\052\150\006\251"
 "\255\151"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_118 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"UTN USERFirst Email Root CA", (PRUint32)28 },
@@ -8058,17 +8058,17 @@ static const NSSItem nss_builtins_items_
 "\176\161\315\274\237\351\003\033\314\373\351\254\061\301\257\174"
 "\025\164\002\231\303\262\107\246\302\062\141\327\307\157\110\044"
 "\121\047\241\325\207\125\362\173\217\230\075\026\236\356\165\266"
 "\370\320\216\362\363\306\256\050\133\247\360\363\066\027\374\303"
 "\005\323\312\003\112\124"
 , (PRUint32)1190 }
 };
 static const NSSItem nss_builtins_items_119 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"UTN USERFirst Email Root CA", (PRUint32)28 },
   { (void *)"\261\162\261\245\155\225\371\037\345\002\207\341\115\067\352\152"
 "\104\143\166\212"
 , (PRUint32)20 },
   { (void *)"\327\064\075\357\035\047\011\050\341\061\002\133\023\053\335\367"
@@ -8084,19 +8084,19 @@ static const NSSItem nss_builtins_items_
 "\004\003\023\055\125\124\116\055\125\123\105\122\106\151\162\163"
 "\164\055\103\154\151\145\156\164\040\101\165\164\150\145\156\164"
 "\151\143\141\164\151\157\156\040\141\156\144\040\105\155\141\151"
 "\154"
 , (PRUint32)177 },
   { (void *)"\002\020\104\276\014\213\120\000\044\264\021\323\066\045\045\147"
 "\311\211"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_120 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"UTN USERFirst Hardware Root CA", (PRUint32)31 },
@@ -8197,17 +8197,17 @@ static const NSSItem nss_builtins_items_
 "\176\307\150\345\202\201\310\152\047\371\047\210\052\325\130\120"
 "\225\037\360\073\034\127\273\175\024\071\142\053\232\311\224\222"
 "\052\243\042\014\377\211\046\175\137\043\053\107\327\025\035\251"
 "\152\236\121\015\052\121\236\201\371\324\073\136\160\022\177\020"
 "\062\234\036\273\235\370\146\250"
 , (PRUint32)1144 }
 };
 static const NSSItem nss_builtins_items_121 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"UTN USERFirst Hardware Root CA", (PRUint32)31 },
   { (void *)"\004\203\355\063\231\254\066\010\005\207\042\355\274\136\106\000"
 "\343\276\371\327"
 , (PRUint32)20 },
   { (void *)"\114\126\101\345\015\273\053\350\312\243\355\030\010\255\103\071"
@@ -8221,19 +8221,19 @@ static const NSSItem nss_builtins_items_
 "\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162"
 "\164\162\165\163\164\056\143\157\155\061\037\060\035\006\003\125"
 "\004\003\023\026\125\124\116\055\125\123\105\122\106\151\162\163"
 "\164\055\110\141\162\144\167\141\162\145"
 , (PRUint32)154 },
   { (void *)"\002\020\104\276\014\213\120\000\044\264\021\323\066\052\376\145"
 "\012\375"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_122 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"UTN USERFirst Object Root CA", (PRUint32)29 },
@@ -8333,17 +8333,17 @@ static const NSSItem nss_builtins_items_
 "\363\123\255\154\265\053\242\022\252\031\117\011\332\136\347\223"
 "\306\216\024\010\376\360\060\200\030\240\206\205\115\310\175\327"
 "\213\003\376\156\325\367\235\026\254\222\054\240\043\345\234\221"
 "\122\037\224\337\027\224\163\303\263\301\301\161\005\040\000\170"
 "\275\023\122\035\250\076\315\000\037\310"
 , (PRUint32)1130 }
 };
 static const NSSItem nss_builtins_items_123 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"UTN USERFirst Object Root CA", (PRUint32)29 },
   { (void *)"\341\055\373\113\101\327\331\303\053\060\121\113\254\035\201\330"
 "\070\136\055\106"
 , (PRUint32)20 },
   { (void *)"\247\362\344\026\006\101\021\120\060\153\234\343\264\234\260\311"
@@ -8357,19 +8357,19 @@ static const NSSItem nss_builtins_items_
 "\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162"
 "\164\162\165\163\164\056\143\157\155\061\035\060\033\006\003\125"
 "\004\003\023\024\125\124\116\055\125\123\105\122\106\151\162\163"
 "\164\055\117\142\152\145\143\164"
 , (PRUint32)152 },
   { (void *)"\002\020\104\276\014\213\120\000\044\264\021\323\066\055\340\263"
 "\137\033"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_124 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Camerfirma Chambers of Commerce Root", (PRUint32)37 },
@@ -8472,17 +8472,17 @@ static const NSSItem nss_builtins_items_
 "\170\064\074\224\233\046\355\117\161\306\031\172\275\040\042\110"
 "\132\376\113\175\003\267\347\130\276\306\062\116\164\036\150\335"
 "\250\150\133\263\076\356\142\175\331\200\350\012\165\172\267\356"
 "\264\145\232\041\220\340\252\320\230\274\070\265\163\074\213\370"
 "\334"
 , (PRUint32)1217 }
 };
 static const NSSItem nss_builtins_items_125 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Camerfirma Chambers of Commerce Root", (PRUint32)37 },
   { (void *)"\156\072\125\244\031\014\031\134\223\204\074\300\333\162\056\061"
 "\060\141\360\261"
 , (PRUint32)20 },
   { (void *)"\260\001\356\024\331\257\051\030\224\166\216\361\151\063\052\204"
@@ -8494,19 +8494,19 @@ static const NSSItem nss_builtins_items_
 "\013\023\032\150\164\164\160\072\057\057\167\167\167\056\143\150"
 "\141\155\142\145\162\163\151\147\156\056\157\162\147\061\042\060"
 "\040\006\003\125\004\003\023\031\103\150\141\155\142\145\162\163"
 "\040\157\146\040\103\157\155\155\145\162\143\145\040\122\157\157"
 "\164"
 , (PRUint32)129 },
   { (void *)"\002\001\000"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_126 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Camerfirma Global Chambersign Root", (PRUint32)35 },
@@ -8607,17 +8607,17 @@ static const NSSItem nss_builtins_items_
 "\171\304\060\237\353\216\270\125\265\327\210\134\305\152\044\075"
 "\262\323\005\003\121\306\007\357\314\024\162\164\075\156\162\316"
 "\030\050\214\112\240\167\345\011\053\105\104\107\254\267\147\177"
 "\001\212\005\132\223\276\241\301\377\370\347\016\147\244\107\111"
 "\166\135\165\220\032\365\046\217\360"
 , (PRUint32)1225 }
 };
 static const NSSItem nss_builtins_items_127 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Camerfirma Global Chambersign Root", (PRUint32)35 },
   { (void *)"\063\233\153\024\120\044\233\125\172\001\207\162\204\331\340\057"
 "\303\322\330\351"
 , (PRUint32)20 },
   { (void *)"\305\346\173\277\006\320\117\103\355\304\172\145\212\373\153\031"
@@ -8628,19 +8628,19 @@ static const NSSItem nss_builtins_items_
 "\070\062\067\064\063\062\070\067\061\043\060\041\006\003\125\004"
 "\013\023\032\150\164\164\160\072\057\057\167\167\167\056\143\150"
 "\141\155\142\145\162\163\151\147\156\056\157\162\147\061\040\060"
 "\036\006\003\125\004\003\023\027\107\154\157\142\141\154\040\103"
 "\150\141\155\142\145\162\163\151\147\156\040\122\157\157\164"
 , (PRUint32)127 },
   { (void *)"\002\001\000"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_128 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"NetLock Qualified (Class QA) Root", (PRUint32)34 },
@@ -8784,17 +8784,17 @@ static const NSSItem nss_builtins_items_
 "\363\166\146\211\124\244\246\076\304\120\134\272\211\030\202\165"
 "\110\041\322\117\023\350\140\176\007\166\333\020\265\121\346\252"
 "\271\150\252\315\366\235\220\165\022\352\070\032\312\104\350\267"
 "\231\247\052\150\225\146\225\253\255\357\211\313\140\251\006\022"
 "\306\224\107\351\050"
 , (PRUint32)1749 }
 };
 static const NSSItem nss_builtins_items_129 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"NetLock Qualified (Class QA) Root", (PRUint32)34 },
   { (void *)"\001\150\227\341\240\270\362\303\261\064\146\134\040\247\047\267"
 "\241\130\342\217"
 , (PRUint32)20 },
   { (void *)"\324\200\145\150\044\371\211\042\050\333\365\244\232\027\217\024"
@@ -8810,19 +8810,19 @@ static const NSSItem nss_builtins_items_
 "\151\164\145\164\164\040\113\157\172\152\145\147\171\172\157\151"
 "\040\050\103\154\141\163\163\040\121\101\051\040\124\141\156\165"
 "\163\151\164\166\141\156\171\153\151\141\144\157\061\036\060\034"
 "\006\011\052\206\110\206\367\015\001\011\001\026\017\151\156\146"
 "\157\100\156\145\164\154\157\143\153\056\150\165"
 , (PRUint32)204 },
   { (void *)"\002\001\173"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_130 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"NetLock Notary (Class A) Root", (PRUint32)30 },
@@ -8959,17 +8959,17 @@ static const NSSItem nss_builtins_items_
 "\277\134\240\012\033\341\016\172\351\342\200\303\351\351\366\375"
 "\154\021\236\320\345\050\047\053\124\062\102\024\202\165\346\112"
 "\360\053\146\165\143\214\242\373\004\076\203\016\233\066\360\030"
 "\344\046\040\303\214\360\050\007\255\074\027\146\210\265\375\266"
 "\210"
 , (PRUint32)1665 }
 };
 static const NSSItem nss_builtins_items_131 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"NetLock Notary (Class A) Root", (PRUint32)30 },
   { (void *)"\254\355\137\145\123\375\045\316\001\137\037\172\110\073\152\164"
 "\237\141\170\306"
 , (PRUint32)20 },
   { (void *)"\206\070\155\136\111\143\154\205\134\333\155\334\224\267\320\367"
@@ -8984,19 +8984,19 @@ static const NSSItem nss_builtins_items_
 "\166\141\156\171\153\151\141\144\157\153\061\066\060\064\006\003"
 "\125\004\003\023\055\116\145\164\114\157\143\153\040\113\157\172"
 "\152\145\147\171\172\157\151\040\050\103\154\141\163\163\040\101"
 "\051\040\124\141\156\165\163\151\164\166\141\156\171\153\151\141"
 "\144\157"
 , (PRUint32)178 },
   { (void *)"\002\002\001\003"
 , (PRUint32)4 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_132 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BB