Bug 1479787 - build mozpkix as part of NSS, r=mt,keeler
authorFranziskus Kiefer <franziskuskiefer@gmail.com>
Fri, 03 Aug 2018 10:35:44 +0200
changeset 14907 403437c461fdd08f7a3a9dc7eba3c66e8c0c5ab9
parent 14906 1dc240df02b1789a0f5b260c3fb6c7192c768434
child 14908 94bcc2706b98a04d7ca0b3e5ad12dc54b424fcaf
push id3202
push userfranziskuskiefer@gmail.com
push dateMon, 01 Oct 2018 08:30:12 +0000
reviewersmt, keeler
bugs1479787
Bug 1479787 - build mozpkix as part of NSS, r=mt,keeler Differential Revision: https://phabricator.services.mozilla.com/D2719 Differential Revision: https://phabricator.services.mozilla.com/D2720 Differential Revision: https://phabricator.services.mozilla.com/D2861
build.sh
coreconf/config.gypi
cpputil/dummy_io.h
cpputil/nss_scoped_ptrs.h
cpputil/scoped_ptrs.h
cpputil/scoped_ptrs_ssl.h
exports.gyp
fuzz/tls_server_certs.cc
gtests/certdb_gtest/alg1485_unittest.cc
gtests/cryptohi_gtest/cryptohi_unittest.cc
gtests/der_gtest/der_private_key_import_unittest.cc
gtests/der_gtest/p12_import_unittest.cc
gtests/freebl_gtest/ecl_unittest.cc
gtests/mozpkix_gtest/README.txt
gtests/mozpkix_gtest/mozpkix_gtest.gyp
gtests/mozpkix_gtest/pkixbuild_tests.cpp
gtests/mozpkix_gtest/pkixcert_extension_tests.cpp
gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp
gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp
gtests/mozpkix_gtest/pkixcheck_CheckIssuer_tests.cpp
gtests/mozpkix_gtest/pkixcheck_CheckKeyUsage_tests.cpp
gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp
gtests/mozpkix_gtest/pkixcheck_CheckValidity_tests.cpp
gtests/mozpkix_gtest/pkixcheck_ParseValidity_tests.cpp
gtests/mozpkix_gtest/pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp
gtests/mozpkix_gtest/pkixder_input_tests.cpp
gtests/mozpkix_gtest/pkixder_pki_types_tests.cpp
gtests/mozpkix_gtest/pkixder_universal_types_tests.cpp
gtests/mozpkix_gtest/pkixgtest.cpp
gtests/mozpkix_gtest/pkixgtest.h
gtests/mozpkix_gtest/pkixnames_tests.cpp
gtests/mozpkix_gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp
gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
gtests/nss_bogo_shim/nss_bogo_shim.cc
gtests/pk11_gtest/pk11_aes_gcm_unittest.cc
gtests/pk11_gtest/pk11_aeskeywrap_unittest.cc
gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
gtests/pk11_gtest/pk11_curve25519_unittest.cc
gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc
gtests/pk11_gtest/pk11_ecdsa_unittest.cc
gtests/pk11_gtest/pk11_encrypt_derive_unittest.cc
gtests/pk11_gtest/pk11_export_unittest.cc
gtests/pk11_gtest/pk11_pbkdf2_unittest.cc
gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc
gtests/pk11_gtest/pk11_rsapss_unittest.cc
gtests/pk11_gtest/pk11_signature_test.h
gtests/softoken_gtest/softoken_gtest.cc
gtests/ssl_gtest/selfencrypt_unittest.cc
gtests/ssl_gtest/ssl_0rtt_unittest.cc
gtests/ssl_gtest/ssl_auth_unittest.cc
gtests/ssl_gtest/ssl_damage_unittest.cc
gtests/ssl_gtest/ssl_dhe_unittest.cc
gtests/ssl_gtest/ssl_drop_unittest.cc
gtests/ssl_gtest/ssl_ecdh_unittest.cc
gtests/ssl_gtest/ssl_ems_unittest.cc
gtests/ssl_gtest/ssl_fragment_unittest.cc
gtests/ssl_gtest/ssl_hrr_unittest.cc
gtests/ssl_gtest/ssl_keyupdate_unittest.cc
gtests/ssl_gtest/ssl_loopback_unittest.cc
gtests/ssl_gtest/ssl_recordsize_unittest.cc
gtests/ssl_gtest/ssl_resumption_unittest.cc
gtests/ssl_gtest/ssl_staticrsa_unittest.cc
gtests/ssl_gtest/ssl_version_unittest.cc
gtests/ssl_gtest/ssl_versionpolicy_unittest.cc
gtests/ssl_gtest/test_io.h
gtests/ssl_gtest/tls_agent.cc
gtests/ssl_gtest/tls_agent.h
gtests/ssl_gtest/tls_connect.cc
gtests/ssl_gtest/tls_hkdf_unittest.cc
help.txt
lib/mozpkix/.clang-format
lib/mozpkix/exports.gyp
lib/mozpkix/include/pkix-test/pkixtestnss.h
lib/mozpkix/include/pkix-test/pkixtestutil.h
lib/mozpkix/include/pkix/Input.h
lib/mozpkix/include/pkix/Time.h
lib/mozpkix/include/pkix/pkix.h
lib/mozpkix/include/pkix/pkixcheck.h
lib/mozpkix/include/pkix/pkixder.h
lib/mozpkix/include/pkix/pkixnss.h
lib/mozpkix/include/pkix/pkixtypes.h
lib/mozpkix/include/pkix/pkixutil.h
lib/mozpkix/lib/ScopedPtr.h
lib/mozpkix/lib/pkixbuild.cpp
lib/mozpkix/lib/pkixcert.cpp
lib/mozpkix/lib/pkixcheck.cpp
lib/mozpkix/lib/pkixcheck.h
lib/mozpkix/lib/pkixder.cpp
lib/mozpkix/lib/pkixder.h
lib/mozpkix/lib/pkixnames.cpp
lib/mozpkix/lib/pkixnss.cpp
lib/mozpkix/lib/pkixocsp.cpp
lib/mozpkix/lib/pkixresult.cpp
lib/mozpkix/lib/pkixtime.cpp
lib/mozpkix/lib/pkixutil.h
lib/mozpkix/lib/pkixverify.cpp
lib/mozpkix/moz.build
lib/mozpkix/mozpkix.gyp
lib/mozpkix/test-lib/pkixtestalg.cpp
lib/mozpkix/test-lib/pkixtestnss.cpp
lib/mozpkix/test-lib/pkixtestutil.cpp
lib/mozpkix/test/gtest/README.txt
lib/mozpkix/test/gtest/moz.build
lib/mozpkix/test/gtest/pkixbuild_tests.cpp
lib/mozpkix/test/gtest/pkixcert_extension_tests.cpp
lib/mozpkix/test/gtest/pkixcert_signature_algorithm_tests.cpp
lib/mozpkix/test/gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp
lib/mozpkix/test/gtest/pkixcheck_CheckIssuer_tests.cpp
lib/mozpkix/test/gtest/pkixcheck_CheckKeyUsage_tests.cpp
lib/mozpkix/test/gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp
lib/mozpkix/test/gtest/pkixcheck_CheckValidity_tests.cpp
lib/mozpkix/test/gtest/pkixcheck_ParseValidity_tests.cpp
lib/mozpkix/test/gtest/pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp
lib/mozpkix/test/gtest/pkixder_input_tests.cpp
lib/mozpkix/test/gtest/pkixder_pki_types_tests.cpp
lib/mozpkix/test/gtest/pkixder_universal_types_tests.cpp
lib/mozpkix/test/gtest/pkixgtest.cpp
lib/mozpkix/test/gtest/pkixgtest.h
lib/mozpkix/test/gtest/pkixnames_tests.cpp
lib/mozpkix/test/gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp
lib/mozpkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
lib/mozpkix/test/lib/moz.build
lib/mozpkix/test/lib/pkixtestalg.cpp
lib/mozpkix/test/lib/pkixtestnss.cpp
lib/mozpkix/test/lib/pkixtestnss.h
lib/mozpkix/test/lib/pkixtestutil.cpp
lib/mozpkix/test/lib/pkixtestutil.h
lib/mozpkix/warnings.mozbuild
nss-tool/common/util.h
nss-tool/db/dbtool.cc
nss-tool/digest/digesttool.cc
nss-tool/enc/enctool.h
nss.gyp
--- a/build.sh
+++ b/build.sh
@@ -94,16 +94,17 @@ while [ $# -gt 0 ]; do
         --emit-llvm) gyp_params+=(-Demit_llvm=1 -Dsign_libs=0) ;;
         --disable-tests) gyp_params+=(-Ddisable_tests=1) ;;
         --no-zdefs) gyp_params+=(-Dno_zdefs=1) ;;
         --system-sqlite) gyp_params+=(-Duse_system_sqlite=1) ;;
         --with-nspr=?*) set_nspr_path "${1#*=}"; no_local_nspr=1 ;;
         --system-nspr) set_nspr_path "/usr/include/nspr/:"; no_local_nspr=1 ;;
         --enable-libpkix) gyp_params+=(-Ddisable_libpkix=0) ;;
         --enable-fips) gyp_params+=(-Ddisable_fips=0) ;;
+        --mozpkix-only) gyp_params+=(-Dmozpkix_only=1 -Ddisable_tests=1 -Dsign_libs=0) ;;
         *) show_help; exit 2 ;;
     esac
     shift
 done
 
 if [ "$opt_build" = 1 ]; then
     target=Release
 else
--- a/coreconf/config.gypi
+++ b/coreconf/config.gypi
@@ -103,34 +103,43 @@
     'fuzz_tls%': 0,
     'fuzz_oss%': 0,
     'sign_libs%': 1,
     'use_pprof%': 0,
     'ct_verif%': 0,
     'emit_llvm%': 0,
     'nss_public_dist_dir%': '<(nss_dist_dir)/public',
     'nss_private_dist_dir%': '<(nss_dist_dir)/private',
+    # This is only needed when building with --mozpkix-only and might not work
+    # on all machines.
+    'nss_include_dir%': '/usr/include/nss',
     'only_dev_random%': 1,
     'disable_fips%': 1,
+    'mozpkix_only%': 0,
   },
   'target_defaults': {
     # Settings specific to targets should go here.
     # This is mostly for linking to libraries.
     'variables': {
       'mapfile%': '',
       'test_build%': 0,
       'debug_optimization_level%': '0',
       'release_optimization_level%': '2',
     },
     'standalone_static_library': 0,
     'include_dirs': [
       '<(nspr_include_dir)',
       '<(nss_dist_dir)/private/<(module)',
     ],
     'conditions': [
+      [ 'mozpkix_only==1 and OS=="linux"', {
+        'include_dirs': [
+          '<(nss_include_dir)',
+        ],
+      }],
       [ 'disable_fips==1', {
         'defines': [
           'NSS_FIPS_DISABLED',
           'NSS_NO_INIT_SUPPORT',
         ],
       }],
       [ 'OS!="android" and OS!="mac" and OS!="win"', {
         'libraries': [
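Review bot: The new `nss_include_dir%` default hard-codes `/usr/include/nss`, and the `mozpkix_only==1 and OS=="linux"` condition adds it to `include_dirs` on Linux only, so a mozpkix-only build on any other OS gets no NSS header path and will presumably fail later on missing headers rather than with a clear message. It also means mozpkix, which performs certificate path validation, is compiled against whatever NSS headers the host has installed, and nothing visible here checks that they match the NSS it is later linked and run against. I would extend the comment to record that, e.g. `# Headers of the system NSS that mozpkix is compiled against with --mozpkix-only; they must match the NSS it links to. Linux only; override the nss_include_dir gyp variable if they live elsewhere.` Both the `variables` block and the `conditions` list continue outside the hunk.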
--- a/cpputil/dummy_io.h
+++ b/cpputil/dummy_io.h
@@ -3,17 +3,17 @@
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef dummy_io_h__
 #define dummy_io_h__
 
 #include "prerror.h"
 #include "prio.h"
 
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 class DummyIOLayerMethods {
  public:
   static ScopedPRFileDesc CreateFD(PRDescIdentity id,
                                    DummyIOLayerMethods *methods);
 
   virtual PRStatus Close(PRFileDesc *f);
   virtual int32_t Read(PRFileDesc *f, void *buf, int32_t length);
rename from cpputil/scoped_ptrs.h
rename to cpputil/nss_scoped_ptrs.h
--- a/cpputil/scoped_ptrs.h
+++ b/cpputil/nss_scoped_ptrs.h
@@ -1,52 +1,51 @@
 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* vim: set ts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#ifndef scoped_ptrs_h__
-#define scoped_ptrs_h__
+#ifndef nss_scoped_ptrs_h__
+#define nss_scoped_ptrs_h__
 
 #include <memory>
 #include "cert.h"
 #include "keyhi.h"
 #include "p12.h"
 #include "pk11pub.h"
 #include "pkcs11uri.h"
-#include "sslexp.h"
 
 struct ScopedDelete {
   void operator()(CERTCertificate* cert) { CERT_DestroyCertificate(cert); }
   void operator()(CERTCertificateList* list) {
     CERT_DestroyCertificateList(list);
   }
   void operator()(CERTName* name) { CERT_DestroyName(name); }
   void operator()(CERTCertList* list) { CERT_DestroyCertList(list); }
   void operator()(CERTSubjectPublicKeyInfo* spki) {
     SECKEY_DestroySubjectPublicKeyInfo(spki);
   }
   void operator()(PK11SlotInfo* slot) { PK11_FreeSlot(slot); }
   void operator()(PK11SymKey* key) { PK11_FreeSymKey(key); }
   void operator()(PRFileDesc* fd) { PR_Close(fd); }
   void operator()(SECAlgorithmID* id) { SECOID_DestroyAlgorithmID(id, true); }
+  void operator()(SECKEYEncryptedPrivateKeyInfo* e) {
+    SECKEY_DestroyEncryptedPrivateKeyInfo(e, true);
+  }
   void operator()(SECItem* item) { SECITEM_FreeItem(item, true); }
   void operator()(SECKEYPublicKey* key) { SECKEY_DestroyPublicKey(key); }
   void operator()(SECKEYPrivateKey* key) { SECKEY_DestroyPrivateKey(key); }
   void operator()(SECKEYPrivateKeyList* list) {
     SECKEY_DestroyPrivateKeyList(list);
   }
   void operator()(PK11URI* uri) { PK11URI_DestroyURI(uri); }
   void operator()(PLArenaPool* arena) { PORT_FreeArena(arena, PR_FALSE); }
   void operator()(PK11Context* context) { PK11_DestroyContext(context, true); }
   void operator()(PK11GenericObject* obj) { PK11_DestroyGenericObject(obj); }
-  void operator()(SSLResumptionTokenInfo* token) {
-    SSL_DestroyResumptionTokenInfo(token);
-  }
   void operator()(SEC_PKCS12DecoderContext* dcx) {
     SEC_PKCS12DecoderFinish(dcx);
   }
   void operator()(CERTDistNames* names) { CERT_FreeDistNames(names); }
 };
 
 template <class T>
 struct ScopedMaybeDelete {
@@ -64,23 +63,23 @@ SCOPED(CERTCertificate);
 SCOPED(CERTCertificateList);
 SCOPED(CERTCertList);
 SCOPED(CERTName);
 SCOPED(CERTSubjectPublicKeyInfo);
 SCOPED(PK11SlotInfo);
 SCOPED(PK11SymKey);
 SCOPED(PRFileDesc);
 SCOPED(SECAlgorithmID);
+SCOPED(SECKEYEncryptedPrivateKeyInfo);
 SCOPED(SECItem);
 SCOPED(SECKEYPublicKey);
 SCOPED(SECKEYPrivateKey);
 SCOPED(SECKEYPrivateKeyList);
 SCOPED(PK11URI);
 SCOPED(PLArenaPool);
 SCOPED(PK11Context);
 SCOPED(PK11GenericObject);
-SCOPED(SSLResumptionTokenInfo);
 SCOPED(SEC_PKCS12DecoderContext);
 SCOPED(CERTDistNames);
 
 #undef SCOPED
 
-#endif  // scoped_ptrs_h__
+#endif  // nss_scoped_ptrs_h__
new file mode 100644
--- /dev/null
+++ b/cpputil/scoped_ptrs_ssl.h
@@ -0,0 +1,35 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef scoped_ptrs_ssl_h__
+#define scoped_ptrs_ssl_h__
+
+#include <memory>
+#include "sslexp.h"
+
+struct ScopedDeleteSSL {
+  void operator()(SSLResumptionTokenInfo* token) {
+    SSL_DestroyResumptionTokenInfo(token);
+  }
+};
+
+template <class T>
+struct ScopedMaybeDeleteSSL {
+  void operator()(T* ptr) {
+    if (ptr) {
+      ScopedDeleteSSL del;
+      del(ptr);
+    }
+  }
+};
+
+#define SCOPED(x) typedef std::unique_ptr<x, ScopedMaybeDeleteSSL<x> > Scoped##x
+
+SCOPED(SSLResumptionTokenInfo);
+
+#undef SCOPED
+
+#endif  // scoped_ptrs_ssl_h__
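Review bot: `ScopedDeleteSSL` has no comment saying what its `operator()` releases, and that matters for `SSLResumptionTokenInfo`. As far as I know, `SSL_DestroyResumptionTokenInfo` frees the members of the struct but not the struct itself, so `ScopedSSLResumptionTokenInfo` would be safe only around storage owned elsewhere (for example a stack object), and wrapping a heap allocation would leak it. Please confirm against sslexp.h and add something like `// Releases the contents of the token info; the struct's own storage is not freed and must stay valid until the scoped pointer is destroyed.` above the `operator()`. A one-line header comment saying this type lives here so that nss_scoped_ptrs.h no longer needs sslexp.h would also help readers who wonder why there are two headers.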
--- a/exports.gyp
+++ b/exports.gyp
@@ -1,77 +1,96 @@
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 {
   'includes': [
     'coreconf/config.gypi'
   ],
+  'conditions': [
+    [ 'mozpkix_only==0', {
+      'targets': [
+        {
+          'target_name': 'nss_exports',
+          'type': 'none',
+          'direct_dependent_settings': {
+            'include_dirs': [
+              '<(nss_public_dist_dir)/nss',
+            ]
+          },
+          'dependencies': [
+            'cmd/lib/exports.gyp:cmd_lib_exports',
+            'lib/base/exports.gyp:lib_base_exports',
+            'lib/certdb/exports.gyp:lib_certdb_exports',
+            'lib/certhigh/exports.gyp:lib_certhigh_exports',
+            'lib/ckfw/builtins/exports.gyp:lib_ckfw_builtins_exports',
+            'lib/ckfw/exports.gyp:lib_ckfw_exports',
+            'lib/crmf/exports.gyp:lib_crmf_exports',
+            'lib/cryptohi/exports.gyp:lib_cryptohi_exports',
+            'lib/dev/exports.gyp:lib_dev_exports',
+            'lib/freebl/exports.gyp:lib_freebl_exports',
+            'lib/jar/exports.gyp:lib_jar_exports',
+            'lib/nss/exports.gyp:lib_nss_exports',
+            'lib/pk11wrap/exports.gyp:lib_pk11wrap_exports',
+            'lib/pkcs12/exports.gyp:lib_pkcs12_exports',
+            'lib/pkcs7/exports.gyp:lib_pkcs7_exports',
+            'lib/pki/exports.gyp:lib_pki_exports',
+            'lib/smime/exports.gyp:lib_smime_exports',
+            'lib/softoken/exports.gyp:lib_softoken_exports',
+            'lib/sqlite/exports.gyp:lib_sqlite_exports',
+            'lib/ssl/exports.gyp:lib_ssl_exports',
+            'lib/util/exports.gyp:lib_util_exports',
+            'lib/zlib/exports.gyp:lib_zlib_exports',
+          ],
+          'conditions': [
+            [ 'disable_libpkix==0', {
+              'dependencies': [
+                'lib/libpkix/include/exports.gyp:lib_libpkix_include_exports',
+                'lib/libpkix/pkix/certsel/exports.gyp:lib_libpkix_pkix_certsel_exports',
+                'lib/libpkix/pkix/checker/exports.gyp:lib_libpkix_pkix_checker_exports',
+                'lib/libpkix/pkix/crlsel/exports.gyp:lib_libpkix_pkix_crlsel_exports',
+                'lib/libpkix/pkix/params/exports.gyp:lib_libpkix_pkix_params_exports',
+                'lib/libpkix/pkix/results/exports.gyp:lib_libpkix_pkix_results_exports',
+                'lib/libpkix/pkix/store/exports.gyp:lib_libpkix_pkix_store_exports',
+                'lib/libpkix/pkix/top/exports.gyp:lib_libpkix_pkix_top_exports',
+                'lib/libpkix/pkix/util/exports.gyp:lib_libpkix_pkix_util_exports',
+                'lib/libpkix/pkix_pl_nss/module/exports.gyp:lib_libpkix_pkix_pl_nss_module_exports',
+                'lib/libpkix/pkix_pl_nss/pki/exports.gyp:lib_libpkix_pkix_pl_nss_pki_exports',
+                'lib/libpkix/pkix_pl_nss/system/exports.gyp:lib_libpkix_pkix_pl_nss_system_exports',
+              ],
+            }],
+          ],
+        },
+        {
+          'target_name': 'dbm_exports',
+          'type': 'none',
+          'conditions': [
+            ['disable_dbm==0', {
+              'direct_dependent_settings': {
+                'include_dirs': [
+                  '<(nss_public_dist_dir)/dbm'
+                ]
+              },
+              'dependencies': [
+                'lib/dbm/include/exports.gyp:lib_dbm_include_exports'
+              ],
+            }],
+          ],
+        }
+      ],
+    }],
+  ],
   'targets': [
     {
-      'target_name': 'nss_exports',
+      'target_name': 'nss_mozpkix_exports',
       'type': 'none',
       'direct_dependent_settings': {
         'include_dirs': [
           '<(nss_public_dist_dir)/nss'
         ]
       },
       'dependencies': [
-        'cmd/lib/exports.gyp:cmd_lib_exports',
-        'lib/base/exports.gyp:lib_base_exports',
-        'lib/certdb/exports.gyp:lib_certdb_exports',
-        'lib/certhigh/exports.gyp:lib_certhigh_exports',
-        'lib/ckfw/builtins/exports.gyp:lib_ckfw_builtins_exports',
-        'lib/ckfw/exports.gyp:lib_ckfw_exports',
-        'lib/crmf/exports.gyp:lib_crmf_exports',
-        'lib/cryptohi/exports.gyp:lib_cryptohi_exports',
-        'lib/dev/exports.gyp:lib_dev_exports',
-        'lib/freebl/exports.gyp:lib_freebl_exports',
-        'lib/jar/exports.gyp:lib_jar_exports',
-        'lib/nss/exports.gyp:lib_nss_exports',
-        'lib/pk11wrap/exports.gyp:lib_pk11wrap_exports',
-        'lib/pkcs12/exports.gyp:lib_pkcs12_exports',
-        'lib/pkcs7/exports.gyp:lib_pkcs7_exports',
-        'lib/pki/exports.gyp:lib_pki_exports',
-        'lib/smime/exports.gyp:lib_smime_exports',
-        'lib/softoken/exports.gyp:lib_softoken_exports',
-        'lib/sqlite/exports.gyp:lib_sqlite_exports',
-        'lib/ssl/exports.gyp:lib_ssl_exports',
-        'lib/util/exports.gyp:lib_util_exports',
-        'lib/zlib/exports.gyp:lib_zlib_exports'
-      ],
-      'conditions': [
-        [ 'disable_libpkix==0', {
-          'dependencies': [
-            'lib/libpkix/include/exports.gyp:lib_libpkix_include_exports',
-            'lib/libpkix/pkix/certsel/exports.gyp:lib_libpkix_pkix_certsel_exports',
-            'lib/libpkix/pkix/checker/exports.gyp:lib_libpkix_pkix_checker_exports',
-            'lib/libpkix/pkix/crlsel/exports.gyp:lib_libpkix_pkix_crlsel_exports',
-            'lib/libpkix/pkix/params/exports.gyp:lib_libpkix_pkix_params_exports',
-            'lib/libpkix/pkix/results/exports.gyp:lib_libpkix_pkix_results_exports',
-            'lib/libpkix/pkix/store/exports.gyp:lib_libpkix_pkix_store_exports',
-            'lib/libpkix/pkix/top/exports.gyp:lib_libpkix_pkix_top_exports',
-            'lib/libpkix/pkix/util/exports.gyp:lib_libpkix_pkix_util_exports',
-            'lib/libpkix/pkix_pl_nss/module/exports.gyp:lib_libpkix_pkix_pl_nss_module_exports',
-            'lib/libpkix/pkix_pl_nss/pki/exports.gyp:lib_libpkix_pkix_pl_nss_pki_exports',
-            'lib/libpkix/pkix_pl_nss/system/exports.gyp:lib_libpkix_pkix_pl_nss_system_exports',
-          ],
-        }],
+        'lib/mozpkix/exports.gyp:lib_mozpkix_exports',
+        'lib/mozpkix/exports.gyp:lib_mozpkix_test_exports',
       ],
     },
-    {
-      'target_name': 'dbm_exports',
-      'type': 'none',
-      'conditions': [
-        ['disable_dbm==0', {
-          'direct_dependent_settings': {
-            'include_dirs': [
-              '<(nss_public_dist_dir)/dbm'
-            ]
-          },
-          'dependencies': [
-            'lib/dbm/include/exports.gyp:lib_dbm_include_exports'
-          ],
-        }],
-      ],
-    }
-  ]
+  ],
 }
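Review bot: Wrapping `nss_exports` and `dbm_exports` in the `mozpkix_only==0` condition removes them from the target graph without any comment, while the new gtests/mozpkix_gtest/mozpkix_gtest.gyp in this same commit still lists `<(DEPTH)/exports.gyp:nss_exports` as a dependency. That resolves only while test targets are never loaded in a mozpkix-only build. build.sh pairs `-Dmozpkix_only=1` with `-Ddisable_tests=1`, but someone setting the gyp variable directly would likely hit an unresolved-target error (nss.gyp is not shown here, so how tests are gated is inferred). A comment above the condition would record the coupling, for example `# nss_exports and dbm_exports do not exist when mozpkix_only==1; any target that depends on them must be excluded in that mode as well.`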
--- a/fuzz/tls_server_certs.cc
+++ b/fuzz/tls_server_certs.cc
@@ -3,17 +3,17 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include <assert.h>
 #include <stdint.h>
 
 #include "ssl.h"
 
 #include "cpputil.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_server_certs.h"
 
 const uint8_t kP256ServerCert[] = {
     0x30, 0x82, 0x01, 0xcf, 0x30, 0x82, 0x01, 0x76, 0xa0, 0x03, 0x02, 0x01,
     0x02, 0x02, 0x09, 0x00, 0xd9, 0x4c, 0x04, 0xda, 0x49, 0x7d, 0xbf, 0xeb,
     0x30, 0x09, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x01, 0x30,
     0x45, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
     0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c,
--- a/gtests/certdb_gtest/alg1485_unittest.cc
+++ b/gtests/certdb_gtest/alg1485_unittest.cc
@@ -4,17 +4,17 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include <stdint.h>
 
 #include "gtest/gtest.h"
 
 #include "nss.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "prprf.h"
 
 namespace nss_test {
 
 typedef struct AVATestValuesStr {
   std::string avaString;
   bool expectedResult;
 } AVATestValues;
--- a/gtests/cryptohi_gtest/cryptohi_unittest.cc
+++ b/gtests/cryptohi_gtest/cryptohi_unittest.cc
@@ -3,17 +3,17 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include <string>
 
 #include "gtest/gtest.h"
 
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "cryptohi.h"
 #include "secitem.h"
 #include "secerr.h"
 
 namespace nss_test {
 
 class SignParamsTestF : public ::testing::Test {
  protected:
--- a/gtests/der_gtest/der_private_key_import_unittest.cc
+++ b/gtests/der_gtest/der_private_key_import_unittest.cc
@@ -6,17 +6,17 @@
 
 #include <climits>
 #include <memory>
 #include "nss.h"
 #include "pk11pub.h"
 #include "secutil.h"
 
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 namespace nss_test {
 
 const std::vector<uint8_t> kValidRSAKey = {
     // 512-bit RSA private key (PKCS#8)
     0x30, 0x82, 0x01, 0x54, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a,
     0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82,
     0x01, 0x3e, 0x30, 0x82, 0x01, 0x3a, 0x02, 0x01, 0x00, 0x02, 0x41, 0x00,
--- a/gtests/der_gtest/p12_import_unittest.cc
+++ b/gtests/der_gtest/p12_import_unittest.cc
@@ -3,17 +3,17 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nss.h"
 #include "p12.h"
 
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 namespace nss_test {
 
 static const uint8_t cert_p12[] = {
     0x30, 0x82, 0x0a, 0x1f, 0x02, 0x01, 0x03, 0x30, 0x82, 0x09, 0xe5, 0x06,
     0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x82,
     0x09, 0xd6, 0x04, 0x82, 0x09, 0xd2, 0x30, 0x82, 0x09, 0xce, 0x30, 0x82,
     0x04, 0x42, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07,
--- a/gtests/freebl_gtest/ecl_unittest.cc
+++ b/gtests/freebl_gtest/ecl_unittest.cc
@@ -2,17 +2,17 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this file,
 // You can obtain one at http://mozilla.org/MPL/2.0/.
 
 #include "gtest/gtest.h"
 
 #include <stdint.h>
 
 #include "blapi.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "secerr.h"
 
 namespace nss_test {
 
 class ECLTest : public ::testing::Test {
  protected:
   const ECCurveName GetCurveName(std::string name) {
     if (name == "P256") return ECCurve_NIST_P256;
rename from lib/mozpkix/test/gtest/README.txt
rename to gtests/mozpkix_gtest/README.txt
new file mode 100644
--- /dev/null
+++ b/gtests/mozpkix_gtest/mozpkix_gtest.gyp
@@ -0,0 +1,71 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+  'includes': [
+    '../../coreconf/config.gypi',
+    '../common/gtest.gypi',
+  ],
+  'targets': [
+    {
+      'target_name': 'mozpkix_gtest',
+      'type': 'executable',
+      'sources': [
+        '<(DEPTH)/gtests/common/gtests.cc',
+        'pkixbuild_tests.cpp',
+        'pkixcert_extension_tests.cpp',
+        'pkixcert_signature_algorithm_tests.cpp',
+        'pkixcheck_CheckExtendedKeyUsage_tests.cpp',
+        'pkixcheck_CheckIssuer_tests.cpp',
+        'pkixcheck_CheckKeyUsage_tests.cpp',
+        'pkixcheck_CheckSignatureAlgorithm_tests.cpp',
+        'pkixcheck_CheckValidity_tests.cpp',
+        'pkixcheck_ParseValidity_tests.cpp',
+        'pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp',
+        'pkixder_input_tests.cpp',
+        'pkixder_pki_types_tests.cpp',
+        'pkixder_universal_types_tests.cpp',
+        'pkixgtest.cpp',
+        'pkixnames_tests.cpp',
+        'pkixocsp_CreateEncodedOCSPRequest_tests.cpp',
+        'pkixocsp_VerifyEncodedOCSPResponse.cpp',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        '<(DEPTH)/gtests/google_test/google_test.gyp:gtest',
+        '<(DEPTH)/lib/util/util.gyp:nssutil',
+        '<(DEPTH)/lib/ssl/ssl.gyp:ssl',
+        '<(DEPTH)/lib/nss/nss.gyp:nss_static',
+        '<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap_static',
+        '<(DEPTH)/lib/cryptohi/cryptohi.gyp:cryptohi',
+        '<(DEPTH)/lib/certhigh/certhigh.gyp:certhi',
+        '<(DEPTH)/lib/certdb/certdb.gyp:certdb',
+        '<(DEPTH)/lib/base/base.gyp:nssb',
+        '<(DEPTH)/lib/dev/dev.gyp:nssdev',
+        '<(DEPTH)/lib/pki/pki.gyp:nsspki',
+        '<(DEPTH)/lib/mozpkix/mozpkix.gyp:mozpkix',
+        '<(DEPTH)/lib/mozpkix/mozpkix.gyp:mozpkix-testlib',
+      ],
+      'include_dirs': [
+        '<(DEPTH)/lib/mozpkix/',
+        '<(DEPTH)/lib/mozpkix/lib',
+        '<(DEPTH)/lib/mozpkix/include/',
+        '<(DEPTH)/lib/mozpkix/include/pkix-test/',
+      ],
+      'conditions': [
+        [ 'OS=="win"', {
+          'libraries': [
+            'advapi32.lib',
+          ],
+        }],
+      ],
+      'defines': [
+        'NSS_USE_STATIC_LIBS'
+      ],
+    }
+  ],
+  'variables': {
+    'module': 'nss',
+    'use_static_libs': 1,
+  }
+}
rename from lib/mozpkix/test/gtest/pkixbuild_tests.cpp
rename to gtests/mozpkix_gtest/pkixbuild_tests.cpp
--- a/lib/mozpkix/test/gtest/pkixbuild_tests.cpp
+++ b/gtests/mozpkix_gtest/pkixbuild_tests.cpp
@@ -32,19 +32,20 @@
 
 #include <map>
 #include <vector>
 
 #if defined(_MSC_VER) && _MSC_VER < 1900
 #pragma warning(pop)
 #endif
 
-#include "pkixder.h"
 #include "pkixgtest.h"
 
+#include "mozpkix/pkixder.h"
+
 using namespace mozilla::pkix;
 using namespace mozilla::pkix::test;
 
 static ByteString
 CreateCert(const char* issuerCN, // null means "empty name"
            const char* subjectCN, // null means "empty name"
            EndEntityOrCA endEntityOrCA,
            /*optional modified*/ std::map<ByteString, ByteString>*
@@ -678,18 +679,18 @@ private:
 
   std::map<ByteString, ByteString> subjectDERToCertDER;
   ByteString rootCACertDER;
   ByteString intermediateSignedByUntrustedRootCertDER;
 };
 
 TEST_F(pkixbuild, BadEmbeddedSCTWithMultiplePaths)
 {
-  MultiplePathTrustDomain trustDomain;
-  trustDomain.SetUpCerts();
+  MultiplePathTrustDomain localTrustDomain;
+  localTrustDomain.SetUpCerts();
 
   // python security/pkix/tools/DottedOIDToCode.py --tlv
   //   id-embeddedSctList 1.3.6.1.4.1.11129.2.4.2
   static const uint8_t tlv_id_embeddedSctList[] = {
     0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x04, 0x02
   };
   static const uint8_t dummySctList[] = {
     0x01, 0x02, 0x03, 0x04, 0x05
@@ -704,17 +705,17 @@ TEST_F(pkixbuild, BadEmbeddedSCTWithMult
   ByteString certDER(CreateCert("Intermediate", "Cert with bogus SCT list",
                                 EndEntityOrCA::MustBeEndEntity,
                                 nullptr, /*subjectDERToCertDER*/
                                 &ctExtension));
   ASSERT_FALSE(ENCODING_FAILED(certDER));
   Input certDERInput;
   ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
   ASSERT_EQ(Result::ERROR_BAD_DER,
-            BuildCertChain(trustDomain, certDERInput, Now(),
+            BuildCertChain(localTrustDomain, certDERInput, Now(),
                            EndEntityOrCA::MustBeEndEntity,
                            KeyUsage::noParticularKeyUsageRequired,
                            KeyPurposeId::id_kp_serverAuth,
                            CertPolicyId::anyPolicy,
                            nullptr/*stapledOCSPResponse*/));
 }
 
 // Same as a MultiplePathTrustDomain, but the end-entity is revoked.
@@ -729,25 +730,25 @@ public:
       return Result::ERROR_REVOKED_CERTIFICATE;
     }
     return Success;
   }
 };
 
 TEST_F(pkixbuild, RevokedEndEntityWithMultiplePaths)
 {
-  RevokedEndEntityTrustDomain trustDomain;
-  trustDomain.SetUpCerts();
+  RevokedEndEntityTrustDomain localTrustDomain;
+  localTrustDomain.SetUpCerts();
   ByteString certDER(CreateCert("Intermediate", "RevokedEndEntity",
                                 EndEntityOrCA::MustBeEndEntity));
   ASSERT_FALSE(ENCODING_FAILED(certDER));
   Input certDERInput;
   ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
   ASSERT_EQ(Result::ERROR_REVOKED_CERTIFICATE,
-            BuildCertChain(trustDomain, certDERInput, Now(),
+            BuildCertChain(localTrustDomain, certDERInput, Now(),
                            EndEntityOrCA::MustBeEndEntity,
                            KeyUsage::noParticularKeyUsageRequired,
                            KeyPurposeId::id_kp_serverAuth,
                            CertPolicyId::anyPolicy,
                            nullptr/*stapledOCSPResponse*/));
 }
 
 // This represents a collection of different certificates that all have the same
@@ -841,53 +842,53 @@ private:
 
   std::vector<ByteString> certs;
   ByteString rootCACertDER;
   ScopedTestKeyPair firstIssuerKey;
 };
 
 TEST_F(pkixbuild, AvoidUnboundedPathSearchingFailure)
 {
-  SelfIssuedCertificatesTrustDomain trustDomain;
+  SelfIssuedCertificatesTrustDomain localTrustDomain;
   // This creates a few hundred million potential paths of length 8 (end entity
   // + 6 sub-CAs + root). It would be prohibitively expensive to enumerate all
   // of these, so we give mozilla::pkix a budget that is spent when searching
   // paths. If the budget is exhausted, it simply returns an unknown issuer
   // error. In the future it might be nice to return a specific error that would
   // give the front-end a hint that maybe it shouldn't have so many certificates
   // that all have the same subject and issuer DN but different SPKIs.
-  trustDomain.SetUpCerts(18);
+  localTrustDomain.SetUpCerts(18);
   ByteString certDER(CreateCert("DN", "DN", EndEntityOrCA::MustBeEndEntity,
                                 nullptr, nullptr,
-                                trustDomain.GetFirstIssuerKey()));
+                                localTrustDomain.GetFirstIssuerKey()));
   ASSERT_FALSE(ENCODING_FAILED(certDER));
   Input certDERInput;
   ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
   ASSERT_EQ(Result::ERROR_UNKNOWN_ISSUER,
-            BuildCertChain(trustDomain, certDERInput, Now(),
+            BuildCertChain(localTrustDomain, certDERInput, Now(),
                            EndEntityOrCA::MustBeEndEntity,
                            KeyUsage::noParticularKeyUsageRequired,
                            KeyPurposeId::id_kp_serverAuth,
                            CertPolicyId::anyPolicy,
                            nullptr/*stapledOCSPResponse*/));
 }
 
 TEST_F(pkixbuild, AvoidUnboundedPathSearchingSuccess)
 {
-  SelfIssuedCertificatesTrustDomain trustDomain;
+  SelfIssuedCertificatesTrustDomain localTrustDomain;
   // This creates a few hundred thousand possible potential paths of length 8
   // (end entity + 6 sub-CAs + root). This will nearly exhaust mozilla::pkix's
   // search budget, so this should succeed.
-  trustDomain.SetUpCerts(10);
+  localTrustDomain.SetUpCerts(10);
   ByteString certDER(CreateCert("DN", "DN", EndEntityOrCA::MustBeEndEntity,
                                 nullptr, nullptr,
-                                trustDomain.GetFirstIssuerKey()));
+                                localTrustDomain.GetFirstIssuerKey()));
   ASSERT_FALSE(ENCODING_FAILED(certDER));
   Input certDERInput;
   ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
   ASSERT_EQ(Success,
-            BuildCertChain(trustDomain, certDERInput, Now(),
+            BuildCertChain(localTrustDomain, certDERInput, Now(),
                            EndEntityOrCA::MustBeEndEntity,
                            KeyUsage::noParticularKeyUsageRequired,
                            KeyPurposeId::id_kp_serverAuth,
                            CertPolicyId::anyPolicy,
                            nullptr/*stapledOCSPResponse*/));
 }
rename from lib/mozpkix/test/gtest/pkixcert_extension_tests.cpp
rename to gtests/mozpkix_gtest/pkixcert_extension_tests.cpp
--- a/lib/mozpkix/test/gtest/pkixcert_extension_tests.cpp
+++ b/gtests/mozpkix_gtest/pkixcert_extension_tests.cpp
@@ -17,19 +17,20 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#include "pkixder.h"
 #include "pkixgtest.h"
-#include "pkixtestutil.h"
+
+#include "mozpkix/pkixder.h"
+#include "mozpkix/test/pkixtestutil.h"
 
 using namespace mozilla::pkix;
 using namespace mozilla::pkix::test;
 
 // Creates a self-signed certificate with the given extension.
 static ByteString
 CreateCertWithExtensions(const char* subjectCN,
                          const ByteString* extensions)
rename from lib/mozpkix/test/gtest/pkixcert_signature_algorithm_tests.cpp
rename to gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp
--- a/lib/mozpkix/test/gtest/pkixcert_signature_algorithm_tests.cpp
+++ b/gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp
@@ -1,16 +1,17 @@
 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
 /* Any copyright is dedicated to the Public Domain.
  * http://creativecommons.org/publicdomain/zero/1.0/ */
 
-#include "pkixder.h"
 #include "pkixgtest.h"
 
+#include "mozpkix/pkixder.h"
+
 using namespace mozilla::pkix;
 using namespace mozilla::pkix::test;
 
 static ByteString
 CreateCert(const char* issuerCN,
            const char* subjectCN,
            EndEntityOrCA endEntityOrCA,
            const TestSignatureAlgorithm& signatureAlgorithm,
rename from lib/mozpkix/test/gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp
rename to gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp
--- a/lib/mozpkix/test/gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp
+++ b/gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp
@@ -17,19 +17,20 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#include "pkixder.h"
 #include "pkixgtest.h"
-#include "pkixutil.h"
+
+#include "mozpkix/pkixder.h"
+#include "mozpkix/pkixutil.h"
 
 using namespace mozilla::pkix;
 using namespace mozilla::pkix::test;
 
 namespace mozilla { namespace pkix {
 
 extern Result CheckExtendedKeyUsage(EndEntityOrCA endEntityOrCA,
                                     const Input* encodedExtendedKeyUsage,
rename from lib/mozpkix/test/gtest/pkixcheck_CheckIssuer_tests.cpp
rename to gtests/mozpkix_gtest/pkixcheck_CheckIssuer_tests.cpp
--- a/lib/mozpkix/test/gtest/pkixcheck_CheckIssuer_tests.cpp
+++ b/gtests/mozpkix_gtest/pkixcheck_CheckIssuer_tests.cpp
@@ -17,19 +17,20 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#include "pkixcheck.h"
 #include "pkixgtest.h"
 
+#include "mozpkix/pkixcheck.h"
+
 using namespace mozilla::pkix;
 using namespace mozilla::pkix::test;
 
 class pkixcheck_CheckIssuer : public ::testing::Test { };
 
 static const uint8_t EMPTY_NAME_DATA[] = {
   0x30, 0x00 /* tag, length */
 };
rename from lib/mozpkix/test/gtest/pkixcheck_CheckKeyUsage_tests.cpp
rename to gtests/mozpkix_gtest/pkixcheck_CheckKeyUsage_tests.cpp
rename from lib/mozpkix/test/gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp
rename to gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp
--- a/lib/mozpkix/test/gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp
+++ b/gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp
@@ -17,19 +17,20 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#include "pkixder.h"
 #include "pkixgtest.h"
 
+#include "mozpkix/pkixder.h"
+
 using namespace mozilla::pkix;
 using namespace mozilla::pkix::test;
 
 namespace mozilla { namespace pkix {
 
 extern Result CheckSignatureAlgorithm(
                 TrustDomain& trustDomain, EndEntityOrCA endEntityOrCA,
                 Time notBefore,
rename from lib/mozpkix/test/gtest/pkixcheck_CheckValidity_tests.cpp
rename to gtests/mozpkix_gtest/pkixcheck_CheckValidity_tests.cpp
--- a/lib/mozpkix/test/gtest/pkixcheck_CheckValidity_tests.cpp
+++ b/gtests/mozpkix_gtest/pkixcheck_CheckValidity_tests.cpp
@@ -17,19 +17,20 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#include "pkixcheck.h"
 #include "pkixgtest.h"
 
+#include "mozpkix/pkixcheck.h"
+
 using namespace mozilla::pkix;
 using namespace mozilla::pkix::test;
 
 static const Time PAST_TIME(YMDHMS(1998, 12, 31, 12, 23, 56));
 
 #define OLDER_GENERALIZEDTIME \
   0x18, 15,                               /* tag, length */ \
   '1', '9', '9', '9', '0', '1', '0', '1', /* 1999-01-01 */ \
rename from lib/mozpkix/test/gtest/pkixcheck_ParseValidity_tests.cpp
rename to gtests/mozpkix_gtest/pkixcheck_ParseValidity_tests.cpp
--- a/lib/mozpkix/test/gtest/pkixcheck_ParseValidity_tests.cpp
+++ b/gtests/mozpkix_gtest/pkixcheck_ParseValidity_tests.cpp
@@ -17,19 +17,20 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#include "pkixcheck.h"
 #include "pkixgtest.h"
 
+#include "mozpkix/pkixcheck.h"
+
 using namespace mozilla::pkix;
 using namespace mozilla::pkix::test;
 
 #define OLDER_UTCTIME \
   0x17, 13,                               /* tag, length */ \
   '9', '9', '0', '1', '0', '1',           /* (19)99-01-01 */ \
   '0', '0', '0', '0', '0', '0', 'Z'       /* 00:00:00Z */
 
rename from lib/mozpkix/test/gtest/pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp
rename to gtests/mozpkix_gtest/pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp
--- a/lib/mozpkix/test/gtest/pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp
+++ b/gtests/mozpkix_gtest/pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp
@@ -17,19 +17,20 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#include "pkixder.h"
 #include "pkixgtest.h"
 
+#include "mozpkix/pkixder.h"
+
 using namespace mozilla::pkix;
 using namespace mozilla::pkix::test;
 
 namespace mozilla { namespace pkix {
   extern Result TLSFeaturesSatisfiedInternal(const Input* requiredTLSFeatures,
                                              const Input* stapledOCSPResponse);
 } } // namespace mozilla::pkix
 
rename from lib/mozpkix/test/gtest/pkixder_input_tests.cpp
rename to gtests/mozpkix_gtest/pkixder_input_tests.cpp
--- a/lib/mozpkix/test/gtest/pkixder_input_tests.cpp
+++ b/gtests/mozpkix_gtest/pkixder_input_tests.cpp
@@ -21,17 +21,17 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
 #include <functional>
 #include <vector>
 #include "pkixgtest.h"
 
-#include "pkixder.h"
+#include "mozpkix/pkixder.h"
 
 using namespace mozilla::pkix;
 using namespace mozilla::pkix::der;
 
 namespace {
 
 class pkixder_input_tests : public ::testing::Test { };
 
rename from lib/mozpkix/test/gtest/pkixder_pki_types_tests.cpp
rename to gtests/mozpkix_gtest/pkixder_pki_types_tests.cpp
--- a/lib/mozpkix/test/gtest/pkixder_pki_types_tests.cpp
+++ b/gtests/mozpkix_gtest/pkixder_pki_types_tests.cpp
@@ -21,18 +21,19 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
 #include <functional>
 #include <vector>
 
 #include "pkixgtest.h"
-#include "pkix/pkixtypes.h"
-#include "pkixder.h"
+
+#include "mozpkix/pkixtypes.h"
+#include "mozpkix/pkixder.h"
 
 using namespace mozilla::pkix;
 using namespace mozilla::pkix::der;
 
 class pkixder_pki_types_tests : public ::testing::Test { };
 
 TEST_F(pkixder_pki_types_tests, CertificateSerialNumber)
 {
rename from lib/mozpkix/test/gtest/pkixder_universal_types_tests.cpp
rename to gtests/mozpkix_gtest/pkixder_universal_types_tests.cpp
--- a/lib/mozpkix/test/gtest/pkixder_universal_types_tests.cpp
+++ b/gtests/mozpkix_gtest/pkixder_universal_types_tests.cpp
@@ -21,19 +21,20 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
 #include <limits>
 #include <stdint.h>
 #include <vector>
 
-#include "pkixder.h"
 #include "pkixgtest.h"
 
+#include "mozpkix/pkixder.h"
+
 using namespace mozilla::pkix;
 using namespace mozilla::pkix::der;
 using namespace mozilla::pkix::test;
 using namespace std;
 
 class pkixder_universal_types_tests : public ::testing::Test { };
 
 TEST_F(pkixder_universal_types_tests, BooleanTrue01)
rename from lib/mozpkix/test/gtest/pkixgtest.cpp
rename to gtests/mozpkix_gtest/pkixgtest.cpp
--- a/lib/mozpkix/test/gtest/pkixgtest.cpp
+++ b/gtests/mozpkix_gtest/pkixgtest.cpp
@@ -21,17 +21,17 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
 #include "pkixgtest.h"
 
 #include <ctime>
 
-#include "pkix/Time.h"
+#include "mozpkix/Time.h"
 
 namespace mozilla { namespace pkix { namespace test {
 
 static const std::time_t ONE_DAY_IN_SECONDS_AS_TIME_T =
   static_cast<std::time_t>(Time::ONE_DAY_IN_SECONDS);
 
 // This assumes that time/time_t are POSIX-compliant in that time() returns
 // the number of seconds since the Unix epoch.
rename from lib/mozpkix/test/gtest/pkixgtest.h
rename to gtests/mozpkix_gtest/pkixgtest.h
--- a/lib/mozpkix/test/gtest/pkixgtest.h
+++ b/gtests/mozpkix_gtest/pkixgtest.h
@@ -51,18 +51,18 @@
 #if defined(__clang__)
 #pragma clang diagnostic pop
 #elif defined(__GNUC__)
 #pragma GCC diagnostic pop
 #elif defined(_MSC_VER)
 #pragma warning(pop)
 #endif
 
-#include "pkix/pkix.h"
-#include "pkixtestutil.h"
+#include "mozpkix/pkix.h"
+#include "mozpkix/test/pkixtestutil.h"
 
 // PrintTo must be in the same namespace as the type we're overloading it for.
 namespace mozilla { namespace pkix {
 
 inline void
 PrintTo(const Result& result, ::std::ostream* os)
 {
   const char* stringified = MapResultToName(result);
rename from lib/mozpkix/test/gtest/pkixnames_tests.cpp
rename to gtests/mozpkix_gtest/pkixnames_tests.cpp
--- a/lib/mozpkix/test/gtest/pkixnames_tests.cpp
+++ b/gtests/mozpkix_gtest/pkixnames_tests.cpp
@@ -16,20 +16,21 @@
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-#include "pkixcheck.h"
-#include "pkixder.h"
 #include "pkixgtest.h"
-#include "pkixutil.h"
+
+#include "mozpkix/pkixcheck.h"
+#include "mozpkix/pkixder.h"
+#include "mozpkix/pkixutil.h"
 
 namespace mozilla { namespace pkix {
 
 Result MatchPresentedDNSIDWithReferenceDNSID(Input presentedDNSID,
                                              Input referenceDNSID,
                                              /*out*/ bool& matches);
 
 bool IsValidReferenceDNSID(Input hostname);
rename from lib/mozpkix/test/gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp
rename to gtests/mozpkix_gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp
--- a/lib/mozpkix/test/gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp
+++ b/gtests/mozpkix_gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp
@@ -18,17 +18,18 @@
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
 #include "pkixgtest.h"
-#include "pkixder.h"
+
+#include "mozpkix/pkixder.h"
 
 using namespace mozilla::pkix;
 using namespace mozilla::pkix::test;
 
 class CreateEncodedOCSPRequestTrustDomain final
   : public EverythingFailsByDefaultTrustDomain
 {
 private:
rename from lib/mozpkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
rename to gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
--- a/lib/mozpkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
+++ b/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
@@ -17,19 +17,20 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#include "pkixder.h"
 #include "pkixgtest.h"
 
+#include "mozpkix/pkixder.h"
+
 using namespace mozilla::pkix;
 using namespace mozilla::pkix::test;
 
 const uint16_t END_ENTITY_MAX_LIFETIME_IN_DAYS = 10;
 
 // Note that CheckRevocation is never called for OCSP signing certificates.
 class OCSPTestTrustDomain : public DefaultCryptoTrustDomain
 {
@@ -56,17 +57,16 @@ public:
     }
   }
 
   ByteString signedCertificateTimestamps;
 };
 
 namespace {
 char const* const rootName = "Test CA 1";
-void deleteCertID(CertID* certID) { delete certID; }
 } // namespace
 
 class pkixocsp_VerifyEncodedResponse : public ::testing::Test
 {
 public:
   static void SetUpTestCase()
   {
     rootKeyPair.reset(GenerateKeyPair());
@@ -114,17 +114,17 @@ public:
   static ScopedTestKeyPair rootKeyPair;
   static uint32_t rootIssuedCount;
   OCSPTestTrustDomain trustDomain;
 
   // endEntityCertID references rootKeyPair, rootNameDER, and serialNumberDER.
   ByteString rootNameDER;
   ByteString serialNumberDER;
   // endEntityCertID references rootKeyPair, rootNameDER, and serialNumberDER.
-  ScopedPtr<CertID, deleteCertID> endEntityCertID;
+  ScopedCertID endEntityCertID;
 };
 
 /*static*/ ScopedTestKeyPair pkixocsp_VerifyEncodedResponse::rootKeyPair;
 /*static*/ uint32_t pkixocsp_VerifyEncodedResponse::rootIssuedCount = 0;
 
 ///////////////////////////////////////////////////////////////////////////////
 // responseStatus
 
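Review bot: The comment `// endEntityCertID references rootKeyPair, rootNameDER, and serialNumberDER.` appears twice in this class, once above `rootNameDER` and again directly above the changed `ScopedCertID endEntityCertID;` line. Since that line is being touched anyway, the first copy could be dropped and the second extended to state the lifetime constraint, e.g. `// Declared after rootNameDER and serialNumberDER so it is destroyed before the buffers it references.` The definition of `ScopedCertID` is not visible in this hunk, so it is worth confirming that its deleter is still a plain `delete`, matching the `deleteCertID` helper removed in the previous hunk. The class body starts outside the hunk.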
--- a/gtests/nss_bogo_shim/nss_bogo_shim.cc
+++ b/gtests/nss_bogo_shim/nss_bogo_shim.cc
@@ -13,17 +13,17 @@
 #include "nss.h"
 #include "prio.h"
 #include "prnetdb.h"
 #include "secerr.h"
 #include "ssl.h"
 #include "ssl3prot.h"
 #include "sslerr.h"
 #include "sslproto.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 #include "nsskeys.h"
 
 static const char* kVersionDisableFlags[] = {"no-ssl3", "no-tls1", "no-tls11",
                                              "no-tls12", "no-tls13"};
 
 bool exitCodeUnimplemented = false;
 
--- a/gtests/pk11_gtest/pk11_aes_gcm_unittest.cc
+++ b/gtests/pk11_gtest/pk11_aes_gcm_unittest.cc
@@ -5,17 +5,17 @@
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include <memory>
 #include "nss.h"
 #include "pk11pub.h"
 #include "secerr.h"
 #include "sechash.h"
 
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 #include "gcm-vectors.h"
 #include "gtest/gtest.h"
 #include "util.h"
 
 namespace nss_test {
 
 class Pkcs11AesGcmTest : public ::testing::TestWithParam<gcm_kat_value> {
--- a/gtests/pk11_gtest/pk11_aeskeywrap_unittest.cc
+++ b/gtests/pk11_gtest/pk11_aeskeywrap_unittest.cc
@@ -4,17 +4,17 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include <memory>
 #include "nss.h"
 #include "pk11pub.h"
 
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 namespace nss_test {
 
 // Test vectors from https://tools.ietf.org/html/rfc3394#section-4.1 to 4.6
 unsigned char kKEK1[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
                          0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F};
 
 unsigned char kKD1[] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
@@ -124,9 +124,9 @@ TEST_F(Pkcs11AESKeyWrapTest, WrapUnwrepT
 TEST_F(Pkcs11AESKeyWrapTest, WrapUnwrepTest5) {
   WrapUnwrap(kKEK3, sizeof(kKEK3), kKD4, sizeof(kKD4), kC5);
 }
 
 TEST_F(Pkcs11AESKeyWrapTest, WrapUnwrepTest6) {
   WrapUnwrap(kKEK3, sizeof(kKEK3), kKD6, sizeof(kKD6), kC6);
 }
 
-} /* nss_test */
\ No newline at end of file
+} /* nss_test */
--- a/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
+++ b/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
@@ -5,17 +5,17 @@
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include <memory>
 #include "nss.h"
 #include "pk11pub.h"
 #include "sechash.h"
 
 #include "cpputil.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 #include "gtest/gtest.h"
 
 namespace nss_test {
 
 // ChaCha20/Poly1305 Test Vector 1, RFC 7539
 // <http://tools.ietf.org/html/rfc7539#section-2.8.2>
 const uint8_t kTestVector1Data[] = {
--- a/gtests/pk11_gtest/pk11_curve25519_unittest.cc
+++ b/gtests/pk11_gtest/pk11_curve25519_unittest.cc
@@ -2,17 +2,17 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include <memory>
 #include "nss.h"
 #include "pk11pub.h"
 
 #include "cpputil.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 #include "gtest/gtest.h"
 
 namespace nss_test {
 
 // <https://tools.ietf.org/html/rfc7748#section-6.1>
 const uint8_t kPkcs8[] = {
     0x30, 0x67, 0x02, 0x01, 0x00, 0x30, 0x14, 0x06, 0x07, 0x2a, 0x86, 0x48,
--- a/gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc
+++ b/gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc
@@ -6,17 +6,17 @@
 
 #include <climits>
 #include <memory>
 #include "nss.h"
 #include "pk11pub.h"
 #include "secutil.h"
 
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 namespace nss_test {
 
 const std::vector<uint8_t> kValidRSAKey = {
     // 512-bit RSA private key (PKCS#8)
     0x30, 0x82, 0x01, 0x54, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a,
     0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82,
     0x01, 0x3e, 0x30, 0x82, 0x01, 0x3a, 0x02, 0x01, 0x00, 0x02, 0x41, 0x00,
--- a/gtests/pk11_gtest/pk11_ecdsa_unittest.cc
+++ b/gtests/pk11_gtest/pk11_ecdsa_unittest.cc
@@ -3,17 +3,17 @@
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include <memory>
 #include "nss.h"
 #include "pk11pub.h"
 #include "sechash.h"
 
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 #include "pk11_ecdsa_vectors.h"
 #include "pk11_signature_test.h"
 
 namespace nss_test {
 
 class Pkcs11EcdsaTestBase : public Pk11SignatureTest {
  protected:
--- a/gtests/pk11_gtest/pk11_encrypt_derive_unittest.cc
+++ b/gtests/pk11_gtest/pk11_encrypt_derive_unittest.cc
@@ -3,17 +3,17 @@
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "pk11pub.h"
 #include "nssutil.h"
 #include <stdio.h>
 #include "prerror.h"
 #include "nss.h"
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "cpputil.h"
 #include "databuffer.h"
 #include "util.h"
 
 #define MAX_KEY_SIZE 24
 
 namespace nss_test {
 
--- a/gtests/pk11_gtest/pk11_export_unittest.cc
+++ b/gtests/pk11_gtest/pk11_export_unittest.cc
@@ -4,17 +4,17 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include <memory>
 #include "nss.h"
 #include "pk11pub.h"
 
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 namespace nss_test {
 
 class Pkcs11ExportTest : public ::testing::Test {
  public:
   void Derive(bool is_export) {
     ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
     EXPECT_TRUE(slot.get());
--- a/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc
+++ b/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc
@@ -4,17 +4,17 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include <memory>
 #include "nss.h"
 #include "pk11pub.h"
 
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 namespace nss_test {
 
 static unsigned char* ToUcharPtr(std::string& str) {
   return const_cast<unsigned char*>(
       reinterpret_cast<const unsigned char*>(str.c_str()));
 }
 
--- a/gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc
+++ b/gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc
@@ -5,17 +5,17 @@
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include <stdint.h>
 #include "cryptohi.h"
 #include "nss.h"
 #include "pk11pub.h"
 
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "cpputil.h"
 
 namespace nss_test {
 
 // Test that the RSASSA-PKCS1-v1_5 implementation enforces the missing NULL
 // parameter.
 TEST(RsaPkcs1Test, RequireNullParameter) {
   // kSpki is an RSA public key in an X.509 SubjectPublicKeyInfo.
--- a/gtests/pk11_gtest/pk11_rsapss_unittest.cc
+++ b/gtests/pk11_gtest/pk11_rsapss_unittest.cc
@@ -5,17 +5,17 @@
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include <memory>
 #include "nss.h"
 #include "pk11pub.h"
 #include "sechash.h"
 
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 #include "pk11_signature_test.h"
 #include "pk11_rsapss_vectors.h"
 
 namespace nss_test {
 
 class Pkcs11RsaPssTest : public Pk11SignatureTest {
  public:
--- a/gtests/pk11_gtest/pk11_signature_test.h
+++ b/gtests/pk11_gtest/pk11_signature_test.h
@@ -3,17 +3,17 @@
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include <memory>
 #include "nss.h"
 #include "pk11pub.h"
 #include "sechash.h"
 
 #include "cpputil.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "databuffer.h"
 
 #include "gtest/gtest.h"
 
 namespace nss_test {
 
 // For test vectors.
 struct Pkcs11SignatureTestParams {
--- a/gtests/softoken_gtest/softoken_gtest.cc
+++ b/gtests/softoken_gtest/softoken_gtest.cc
@@ -6,17 +6,17 @@
 
 #include "cert.h"
 #include "certdb.h"
 #include "nspr.h"
 #include "nss.h"
 #include "pk11pub.h"
 #include "secerr.h"
 
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 #define GTEST_HAS_RTTI 0
 #include "gtest/gtest.h"
 
 namespace nss_test {
 
 // Given a prefix, attempts to create a unique directory that the user can do
 // work in without impacting other tests. For example, if given the prefix
--- a/gtests/ssl_gtest/selfencrypt_unittest.cc
+++ b/gtests/ssl_gtest/selfencrypt_unittest.cc
@@ -14,17 +14,17 @@
 #include "sslerr.h"
 extern "C" {
 #include "sslimpl.h"
 #include "selfencrypt.h"
 }
 
 #include "databuffer.h"
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 namespace nss_test {
 
 static const uint8_t kAesKey1Buf[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05,
                                       0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
                                       0x0c, 0x0d, 0x0e, 0x0f};
 static const DataBuffer kAesKey1(kAesKey1Buf, sizeof(kAesKey1Buf));
 
--- a/gtests/ssl_gtest/ssl_0rtt_unittest.cc
+++ b/gtests/ssl_gtest/ssl_0rtt_unittest.cc
@@ -11,17 +11,17 @@
 #include "sslproto.h"
 
 extern "C" {
 // This is not something that should make you happy.
 #include "libssl_internals.h"
 }
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
 
 namespace nss_test {
 
 TEST_P(TlsConnectTls13, ZeroRtt) {
   SetupForZeroRtt();
--- a/gtests/ssl_gtest/ssl_auth_unittest.cc
+++ b/gtests/ssl_gtest/ssl_auth_unittest.cc
@@ -10,17 +10,17 @@
 #include "sslproto.h"
 
 extern "C" {
 // This is not something that should make you happy.
 #include "libssl_internals.h"
 }
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
 
 namespace nss_test {
 
 TEST_P(TlsConnectGeneric, ServerAuthBigRsa) {
   Reset(TlsAgent::kRsa2048);
--- a/gtests/ssl_gtest/ssl_damage_unittest.cc
+++ b/gtests/ssl_gtest/ssl_damage_unittest.cc
@@ -12,17 +12,17 @@
 #include "sslproto.h"
 
 extern "C" {
 // This is not something that should make you happy.
 #include "libssl_internals.h"
 }
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
 
 namespace nss_test {
 
 TEST_F(TlsConnectTest, DamageSecretHandleClientFinished) {
   client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
--- a/gtests/ssl_gtest/ssl_dhe_unittest.cc
+++ b/gtests/ssl_gtest/ssl_dhe_unittest.cc
@@ -8,17 +8,17 @@
 #include <memory>
 #include <set>
 #include "secerr.h"
 #include "ssl.h"
 #include "sslerr.h"
 #include "sslproto.h"
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
 
 namespace nss_test {
 
 TEST_P(TlsConnectGeneric, ConnectDhe) {
   EnableOnlyDheCiphers();
--- a/gtests/ssl_gtest/ssl_drop_unittest.cc
+++ b/gtests/ssl_gtest/ssl_drop_unittest.cc
@@ -9,17 +9,17 @@
 #include "sslexp.h"
 
 extern "C" {
 // This is not something that should make you happy.
 #include "libssl_internals.h"
 }
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
 
 namespace nss_test {
 
 TEST_P(TlsConnectDatagramPre13, DropClientFirstFlightOnce) {
   client_->SetFilter(std::make_shared<SelectiveDropFilter>(0x1));
--- a/gtests/ssl_gtest/ssl_ecdh_unittest.cc
+++ b/gtests/ssl_gtest/ssl_ecdh_unittest.cc
@@ -12,17 +12,17 @@
 #include "sslproto.h"
 
 extern "C" {
 // This is not something that should make you happy.
 #include "libssl_internals.h"
 }
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
 
 namespace nss_test {
 
 TEST_P(TlsConnectGenericPre13, ConnectEcdh) {
   SetExpectedVersion(std::get<1>(GetParam()));
--- a/gtests/ssl_gtest/ssl_ems_unittest.cc
+++ b/gtests/ssl_gtest/ssl_ems_unittest.cc
@@ -5,17 +5,17 @@
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "secerr.h"
 #include "ssl.h"
 #include "sslerr.h"
 #include "sslproto.h"
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
 
 namespace nss_test {
 
 TEST_P(TlsConnectGenericPre13, ConnectExtendedMasterSecret) {
   EnableExtendedMasterSecret();
--- a/gtests/ssl_gtest/ssl_fragment_unittest.cc
+++ b/gtests/ssl_gtest/ssl_fragment_unittest.cc
@@ -5,17 +5,17 @@
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "secerr.h"
 #include "ssl.h"
 #include "sslerr.h"
 #include "sslproto.h"
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
 
 namespace nss_test {
 
 // This class cuts every unencrypted handshake record into two parts.
 class RecordFragmenter : public PacketFilter {
--- a/gtests/ssl_gtest/ssl_hrr_unittest.cc
+++ b/gtests/ssl_gtest/ssl_hrr_unittest.cc
@@ -8,17 +8,17 @@
 #include "ssl.h"
 #include "sslerr.h"
 #include "sslproto.h"
 
 // This is internal, just to get DTLS_1_3_DRAFT_VERSION.
 #include "ssl3prot.h"
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
 
 namespace nss_test {
 
 TEST_P(TlsConnectTls13, HelloRetryRequestAbortsZeroRtt) {
   const char* k0RttData = "Such is life";
--- a/gtests/ssl_gtest/ssl_keyupdate_unittest.cc
+++ b/gtests/ssl_gtest/ssl_keyupdate_unittest.cc
@@ -10,17 +10,17 @@
 #include "sslproto.h"
 
 extern "C" {
 // This is not something that should make you happy.
 #include "libssl_internals.h"
 }
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
 
 namespace nss_test {
 
 // All stream only tests; DTLS isn't supported yet.
 
--- a/gtests/ssl_gtest/ssl_loopback_unittest.cc
+++ b/gtests/ssl_gtest/ssl_loopback_unittest.cc
@@ -13,17 +13,17 @@
 #include "sslproto.h"
 
 extern "C" {
 // This is not something that should make you happy.
 #include "libssl_internals.h"
 }
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
 
 namespace nss_test {
 
 TEST_P(TlsConnectGeneric, SetupOnly) {}
 
--- a/gtests/ssl_gtest/ssl_recordsize_unittest.cc
+++ b/gtests/ssl_gtest/ssl_recordsize_unittest.cc
@@ -5,17 +5,17 @@
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "secerr.h"
 #include "ssl.h"
 #include "sslerr.h"
 #include "sslproto.h"
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
 
 namespace nss_test {
 
 // This class tracks the maximum size of record that was sent, both cleartext
 // and plain.  It only tracks records that have an outer type of
--- a/gtests/ssl_gtest/ssl_resumption_unittest.cc
+++ b/gtests/ssl_gtest/ssl_resumption_unittest.cc
@@ -13,17 +13,18 @@
 #include "sslproto.h"
 
 extern "C" {
 // This is not something that should make you happy.
 #include "libssl_internals.h"
 }
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
+#include "scoped_ptrs_ssl.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
 #include "tls_protect.h"
 
 namespace nss_test {
 
 class TlsServerKeyExchangeEcdhe {
--- a/gtests/ssl_gtest/ssl_staticrsa_unittest.cc
+++ b/gtests/ssl_gtest/ssl_staticrsa_unittest.cc
@@ -12,17 +12,17 @@
 #include "sslproto.h"
 
 extern "C" {
 // This is not something that should make you happy.
 #include "libssl_internals.h"
 }
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
 #include "rsa8193.h"
 
 namespace nss_test {
 
 const uint8_t kBogusClientKeyExchange[] = {
--- a/gtests/ssl_gtest/ssl_version_unittest.cc
+++ b/gtests/ssl_gtest/ssl_version_unittest.cc
@@ -6,17 +6,17 @@
 
 #include "secerr.h"
 #include "ssl.h"
 #include "ssl3prot.h"
 #include "sslerr.h"
 #include "sslproto.h"
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
 
 namespace nss_test {
 
 TEST_P(TlsConnectStream, ServerNegotiateTls10) {
   uint16_t minver, maxver;
--- a/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc
+++ b/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc
@@ -7,17 +7,17 @@
 #include "nss.h"
 #include "secerr.h"
 #include "ssl.h"
 #include "ssl3prot.h"
 #include "sslerr.h"
 #include "sslproto.h"
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
 
 #include <iostream>
 
 namespace nss_test {
 
--- a/gtests/ssl_gtest/test_io.h
+++ b/gtests/ssl_gtest/test_io.h
@@ -12,17 +12,17 @@
 #include <memory>
 #include <ostream>
 #include <queue>
 #include <string>
 
 #include "databuffer.h"
 #include "dummy_io.h"
 #include "prio.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "sslt.h"
 
 namespace nss_test {
 
 class DataBuffer;
 class DummyPrSocket;  // Fwd decl.
 
 // Allow us to inspect a packet before it is written.
--- a/gtests/ssl_gtest/tls_agent.cc
+++ b/gtests/ssl_gtest/tls_agent.cc
@@ -21,17 +21,17 @@
 extern "C" {
 // This is not something that should make you happy.
 #include "libssl_internals.h"
 }
 
 #define GTEST_HAS_RTTI 0
 #include "gtest/gtest.h"
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 extern std::string g_working_dir_path;
 
 namespace nss_test {
 
 const char* TlsAgent::states[] = {"INIT", "CONNECTING", "CONNECTED", "ERROR"};
 
 const std::string TlsAgent::kClient = "client";    // both sign and encrypt
--- a/gtests/ssl_gtest/tls_agent.h
+++ b/gtests/ssl_gtest/tls_agent.h
@@ -12,17 +12,18 @@
 
 #include <functional>
 #include <iostream>
 
 #include "test_io.h"
 
 #define GTEST_HAS_RTTI 0
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
+#include "scoped_ptrs_ssl.h"
 
 extern bool g_ssl_gtest_verbose;
 
 namespace nss_test {
 
 #define LOG(msg) std::cerr << role_str() << ": " << msg << std::endl
 #define LOGV(msg)                      \
   do {                                 \
--- a/gtests/ssl_gtest/tls_connect.cc
+++ b/gtests/ssl_gtest/tls_connect.cc
@@ -9,17 +9,17 @@
 extern "C" {
 #include "libssl_internals.h"
 }
 
 #include <iostream>
 
 #include "databuffer.h"
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "sslproto.h"
 
 extern std::string g_working_dir_path;
 
 namespace nss_test {
 
 static const SSLProtocolVariant kTlsVariantsStreamArr[] = {ssl_variant_stream};
 ::testing::internal::ParamGenerator<SSLProtocolVariant>
--- a/gtests/ssl_gtest/tls_hkdf_unittest.cc
+++ b/gtests/ssl_gtest/tls_hkdf_unittest.cc
@@ -6,17 +6,17 @@
 
 #include <memory>
 #include "nss.h"
 #include "pk11pub.h"
 #include "tls13hkdf.h"
 
 #include "databuffer.h"
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 namespace nss_test {
 
 const uint8_t kKey1Data[] = {
     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
     0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
     0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
     0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f};
--- a/help.txt
+++ b/help.txt
@@ -1,14 +1,14 @@
 Usage: build.sh [-hcv] [-cc] [-j <n>] [--nspr] [--gyp|-g] [--opt|-o] [-m32]
                 [--test] [--pprof] [--scan-build[=output]] [--ct-verif]
                 [--asan] [--ubsan] [--msan] [--sancov[=edge|bb|func|...]]
                 [--disable-tests] [--fuzz[=tls|oss]] [--system-sqlite]
                 [--no-zdefs] [--with-nspr] [--system-nspr] [--enable-libpkix]
-                [--enable-fips]
+                [--enable-fips] [--mozpkix-only]
 
 This script builds NSS with gyp and ninja.
 
 This build system is still under development.  It does not yet support all
 the features or platforms that NSS supports.
 
 NSS build tool options:
 
@@ -43,8 +43,10 @@ NSS build tool options:
     --system-sqlite  use system sqlite
     --no-zdefs       don't set -Wl,-z,defs
     --with-nspr      don't build NSPR but use the one at the given location, e.g.
                      --with-nspr=/path/to/nspr/include:/path/to/nspr/lib
     --system-nspr    use system nspr. This requires an installation of NSPR and
                      might not work on all systems.
     --enable-libpkix make libpkix part of the build.
     --enable-fips    don't disable FIPS checks.
+    --mozpkix-only   build only static mozpkix and mozpkix-test libraries.
+                     Note that support for this build option is limited.
new file mode 100644
--- /dev/null
+++ b/lib/mozpkix/.clang-format
@@ -0,0 +1,4 @@
+---
+Language: Cpp
+BasedOnStyle: Google
+...
new file mode 100644
--- /dev/null
+++ b/lib/mozpkix/exports.gyp
@@ -0,0 +1,47 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+  'includes': [
+    '../../coreconf/config.gypi'
+  ],
+  'targets': [
+    {
+      'target_name': 'lib_mozpkix_exports',
+      'type': 'none',
+      'copies': [
+        {
+          'files': [
+            '<(DEPTH)/cpputil/nss_scoped_ptrs.h',
+            'include/pkix/Input.h',
+            'include/pkix/Time.h',
+            'include/pkix/Result.h',
+            'include/pkix/pkix.h',
+            'include/pkix/pkixnss.h',
+            'include/pkix/pkixtypes.h',
+            'include/pkix/pkixutil.h',
+            'include/pkix/pkixcheck.h',
+            'include/pkix/pkixder.h',
+          ],
+          'destination': '<(nss_public_dist_dir)/<(module)/mozpkix'
+        },
+      ],
+    },
+    {
+      'target_name': 'lib_mozpkix_test_exports',
+      'type': 'none',
+      'copies': [
+        {
+          'files': [
+            'include/pkix-test/pkixtestutil.h',
+            'include/pkix-test/pkixtestnss.h',
+          ],
+          'destination': '<(nss_public_dist_dir)/<(module)/mozpkix/test'
+        },
+      ],
+    }
+  ],
+  'variables': {
+    'module': 'nss'
+  }
+}
\ No newline at end of file
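Review bot: The `lib_mozpkix_test_exports` target copies `pkixtestutil.h` and `pkixtestnss.h` under `<(nss_public_dist_dir)`, so test-only helpers are installed alongside the supported mozpkix headers with nothing marking them as such. If they must stay there for external test suites, a comment above the target would make the intent explicit, for example `# Test-only helpers, exported for external test suites; not part of the supported mozpkix API.` Otherwise a destination outside the public dist tree would keep them out of consumers' include paths. The file also ends without a trailing newline.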
rename from lib/mozpkix/test/lib/pkixtestnss.h
rename to lib/mozpkix/include/pkix-test/pkixtestnss.h
--- a/lib/mozpkix/test/lib/pkixtestnss.h
+++ b/lib/mozpkix/include/pkix-test/pkixtestnss.h
@@ -24,26 +24,22 @@
 
 // This file provides some implementation-specific test utilities. This is only
 // necessary because some PSM xpcshell test utilities overlap in functionality
 // with these test utilities, so the underlying implementation is shared.
 
 #ifndef mozilla_pkix_test_pkixtestnss_h
 #define mozilla_pkix_test_pkixtestnss_h
 
-#include "keyhi.h"
-#include "keythi.h"
-#include "pkixtestutil.h"
+#include <keyhi.h>
+#include <keythi.h>
+#include "mozpkix/test/pkixtestutil.h"
+#include "mozpkix/nss_scoped_ptrs.h"
 
 namespace mozilla { namespace pkix { namespace test {
 
-typedef ScopedPtr<SECKEYPublicKey, SECKEY_DestroyPublicKey>
-  ScopedSECKEYPublicKey;
-typedef ScopedPtr<SECKEYPrivateKey, SECKEY_DestroyPrivateKey>
-  ScopedSECKEYPrivateKey;
-
 TestKeyPair* CreateTestKeyPair(const TestPublicKeyAlgorithm publicKeyAlg,
                                const ScopedSECKEYPublicKey& publicKey,
                                const ScopedSECKEYPrivateKey& privateKey);
 
 } } } // namespace mozilla::pkix::test
 
 #endif // mozilla_pkix_test_pkixtestnss_h
rename from lib/mozpkix/test/lib/pkixtestutil.h
rename to lib/mozpkix/include/pkix-test/pkixtestutil.h
--- a/lib/mozpkix/test/lib/pkixtestutil.h
+++ b/lib/mozpkix/include/pkix-test/pkixtestutil.h
@@ -21,22 +21,21 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
 #ifndef mozilla_pkix_test_pkixtestutil_h
 #define mozilla_pkix_test_pkixtestutil_h
 
 #include <ctime>
-#include <stdint.h> // Some Mozilla-supported compilers lack <cstdint>
+#include <cstdint>
 #include <string>
 #include <cstring>
 
-#include "pkix/pkixtypes.h"
-#include "../../lib/ScopedPtr.h"
+#include "mozpkix/pkixtypes.h"
 
 namespace mozilla { namespace pkix { namespace test {
 
 typedef std::basic_string<uint8_t> ByteString;
 
 inline bool ENCODING_FAILED(const ByteString& bs) { return bs.empty(); }
 
 template <size_t L>
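Review bot: The include block does not add `#include <memory>`, although a later hunk in this header changes `ScopedTestKeyPair` to `std::unique_ptr<TestKeyPair>`. The header compiles only because `mozpkix/pkixtypes.h` gains `<memory>` in this same commit; adding `#include <memory>` next to `<cstdint>` keeps it self-contained. Separately, `<cstdint>` only guarantees the `std::` names while the context line `std::basic_string<uint8_t>` uses the unqualified one, and `Input.h` and `pkixtypes.h` still include `stdint.h`, so the headers are now inconsistent on this.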
@@ -308,17 +307,17 @@ protected:
   TestKeyPair(const TestKeyPair&) = delete;
   void operator=(const TestKeyPair&) = delete;
 };
 
 TestKeyPair* CloneReusedKeyPair();
 TestKeyPair* GenerateKeyPair();
 TestKeyPair* GenerateDSSKeyPair();
 inline void DeleteTestKeyPair(TestKeyPair* keyPair) { delete keyPair; }
-typedef ScopedPtr<TestKeyPair, DeleteTestKeyPair> ScopedTestKeyPair;
+typedef std::unique_ptr<TestKeyPair> ScopedTestKeyPair;
 
 Result TestVerifyECDSASignedDigest(const SignedDigest& signedDigest,
                                    Input subjectPublicKeyInfo);
 Result TestVerifyRSAPKCS1SignedDigest(const SignedDigest& signedDigest,
                                       Input subjectPublicKeyInfo);
 Result TestDigestBuf(Input item, DigestAlgorithm digestAlg,
                      /*out*/ uint8_t* digestBuf, size_t digestBufLen);
 
--- a/lib/mozpkix/include/pkix/Input.h
+++ b/lib/mozpkix/include/pkix/Input.h
@@ -22,17 +22,17 @@
  * limitations under the License.
  */
 
 #ifndef mozilla_pkix_Input_h
 #define mozilla_pkix_Input_h
 
 #include <algorithm>
 
-#include "pkix/Result.h"
+#include "mozpkix/Result.h"
 #include "stdint.h"
 
 namespace mozilla { namespace pkix {
 
 class Reader;
 
 // An Input is a safety-oriented immutable weak reference to a array of bytes
 // of a known size. The data can only be legally accessed by constructing a
--- a/lib/mozpkix/include/pkix/Time.h
+++ b/lib/mozpkix/include/pkix/Time.h
@@ -24,17 +24,17 @@
 
 #ifndef mozilla_pkix_Time_h
 #define mozilla_pkix_Time_h
 
 #include <ctime>
 #include <limits>
 #include <stdint.h>
 
-#include "pkix/Result.h"
+#include "mozpkix/Result.h"
 
 namespace mozilla { namespace pkix {
 
 // Time with a range from the first second of year 0 (AD) through at least the
 // last second of year 9999, which is the range of legal times in X.509 and
 // OCSP. This type has second-level precision. The time zone is always UTC.
 //
 // Pass by value, not by reference.
--- a/lib/mozpkix/include/pkix/pkix.h
+++ b/lib/mozpkix/include/pkix/pkix.h
@@ -20,17 +20,17 @@
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
 #ifndef mozilla_pkix_pkix_h
 #define mozilla_pkix_pkix_h
 
-#include "pkixtypes.h"
+#include "mozpkix/pkixtypes.h"
 
 namespace mozilla { namespace pkix {
 
 // ----------------------------------------------------------------------------
 // LIMITED SUPPORT FOR CERTIFICATE POLICIES
 //
 // If SEC_OID_X509_ANY_POLICY is passed as the value of the requiredPolicy
 // parameter then all policy validation will be skipped. Otherwise, path
rename from lib/mozpkix/lib/pkixcheck.h
rename to lib/mozpkix/include/pkix/pkixcheck.h
--- a/lib/mozpkix/lib/pkixcheck.h
+++ b/lib/mozpkix/include/pkix/pkixcheck.h
@@ -20,17 +20,17 @@
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
 #ifndef mozilla_pkix_pkixcheck_h
 #define mozilla_pkix_pkixcheck_h
 
-#include "pkix/pkixtypes.h"
+#include "mozpkix/pkixtypes.h"
 
 namespace mozilla { namespace pkix {
 
 class BackCert;
 
 Result CheckIssuerIndependentProperties(
           TrustDomain& trustDomain,
           const BackCert& cert,
rename from lib/mozpkix/lib/pkixder.h
rename to lib/mozpkix/include/pkix/pkixder.h
--- a/lib/mozpkix/lib/pkixder.h
+++ b/lib/mozpkix/include/pkix/pkixder.h
@@ -32,18 +32,18 @@
 // Match* functions advance the input mark and return true if the input matches
 // the given criteria; they return false without changing the input mark if the
 // input does not match the criteria.
 //
 // Skip* functions unconditionally advance the input mark and return Success if
 // they are able to do so; otherwise they fail with the input mark in an
 // undefined state.
 
-#include "pkix/Input.h"
-#include "pkix/pkixtypes.h"
+#include "mozpkix/Input.h"
+#include "mozpkix/pkixtypes.h"
 
 namespace mozilla { namespace pkix { namespace der {
 
 enum Class : uint8_t
 {
    UNIVERSAL = 0 << 6,
 // APPLICATION = 1 << 6, // unused
    CONTEXT_SPECIFIC = 2 << 6,
--- a/lib/mozpkix/include/pkix/pkixnss.h
+++ b/lib/mozpkix/include/pkix/pkixnss.h
@@ -20,19 +20,19 @@
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
 #ifndef mozilla_pkix_pkixnss_h
 #define mozilla_pkix_pkixnss_h
 
-#include "pkixtypes.h"
+#include <seccomon.h>
+#include "mozpkix/pkixtypes.h"
 #include "prerror.h"
-#include "seccomon.h"
 
 namespace mozilla { namespace pkix {
 
 // Verifies the PKCS#1.5 signature on the given data using the given RSA public
 // key.
 Result VerifyRSAPKCS1SignedDigestNSS(const SignedDigest& sd,
                                      Input subjectPublicKeyInfo,
                                      void* pkcs11PinArg);
--- a/lib/mozpkix/include/pkix/pkixtypes.h
+++ b/lib/mozpkix/include/pkix/pkixtypes.h
@@ -20,18 +20,20 @@
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
 #ifndef mozilla_pkix_pkixtypes_h
 #define mozilla_pkix_pkixtypes_h
 
-#include "pkix/Input.h"
-#include "pkix/Time.h"
+#include <memory>
+
+#include "mozpkix/Input.h"
+#include "mozpkix/Time.h"
 #include "stdint.h"
 
 namespace mozilla { namespace pkix {
 
 enum class DigestAlgorithm
 {
   sha512 = 1,
   sha384 = 2,
@@ -142,16 +144,17 @@ public:
   {
   }
   const Input issuer;
   const Input issuerSubjectPublicKeyInfo;
   const Input serialNumber;
 
   void operator=(const CertID&) = delete;
 };
+typedef std::unique_ptr<CertID> ScopedCertID;
 
 class DERArray
 {
 public:
   // Returns the number of DER-encoded items in the array.
   virtual size_t GetLength() const = 0;
 
   // Returns a weak (non-owning) pointer the ith DER-encoded item in the array
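Review bot: The new `ScopedCertID` typedef has no comment, and the name suggests more ownership than it gives. The `CertID` members in the context lines are `const Input`, which `Input.h` describes as a weak reference to an array of bytes, so owning the `CertID` through `std::unique_ptr` does not keep the issuer, key or serial-number buffers alive. I would add above the typedef `// Owns the CertID object only; its Input members still refer to caller-owned bytes that must outlive it.` The `CertID` class begins outside this hunk.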
rename from lib/mozpkix/lib/pkixutil.h
rename to lib/mozpkix/include/pkix/pkixutil.h
--- a/lib/mozpkix/lib/pkixutil.h
+++ b/lib/mozpkix/include/pkix/pkixutil.h
@@ -20,17 +20,17 @@
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
 #ifndef mozilla_pkix_pkixutil_h
 #define mozilla_pkix_pkixutil_h
 
-#include "pkixder.h"
+#include "mozpkix/pkixder.h"
 
 namespace mozilla { namespace pkix {
 
 // During path building and verification, we build a linked list of BackCerts
 // from the current cert toward the end-entity certificate. The linked list
 // is used to verify properties that aren't local to the current certificate
 // and/or the direct link between the current certificate and its issuer,
 // such as name constraints.
deleted file mode 100644
--- a/lib/mozpkix/lib/ScopedPtr.h
+++ /dev/null
@@ -1,83 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This code is made available to you under your choice of the following sets
- * of licensing terms:
- */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- */
-/* Copyright 2013 Mozilla Contributors
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef mozilla_pkix_ScopedPtr_h
-#define mozilla_pkix_ScopedPtr_h
-
-namespace mozilla { namespace pkix {
-
-// A subset polyfill of std::unique_ptr that does not support move construction
-// or move assignment. This is used instead of std::unique_ptr because some
-// important toolchains still don't provide std::unique_ptr, including in
-// particular Android NDK projects with APP_STL=stlport_static or
-// ALL_STL=stlport_shared.
-template <typename T, void (&Destroyer)(T*)>
-class ScopedPtr final
-{
-public:
-  explicit ScopedPtr(T* value = nullptr) : mValue(value) { }
-
-  ScopedPtr(const ScopedPtr&) = delete;
-
-  ~ScopedPtr()
-  {
-    if (mValue) {
-      Destroyer(mValue);
-    }
-  }
-
-  void operator=(const ScopedPtr&) = delete;
-
-  T& operator*() const { return *mValue; }
-  T* operator->() const { return mValue; }
-
-  explicit operator bool() const { return mValue; }
-
-  T* get() const { return mValue; }
-
-  T* release()
-  {
-    T* result = mValue;
-    mValue = nullptr;
-    return result;
-  }
-
-  void reset(T* newValue = nullptr)
-  {
-    // The C++ standard requires std::unique_ptr to destroy the old value
-    // pointed to by mValue, if any, *after* assigning the new value to mValue.
-    T* oldValue = mValue;
-    mValue = newValue;
-    if (oldValue) {
-      Destroyer(oldValue);
-    }
-  }
-
-private:
-  T* mValue;
-};
-
-} } // namespace mozilla::pkix
-
-#endif // mozilla_pkix_ScopedPtr_h
--- a/lib/mozpkix/lib/pkixbuild.cpp
+++ b/lib/mozpkix/lib/pkixbuild.cpp
@@ -17,20 +17,20 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#include "pkix/pkix.h"
+#include "mozpkix/pkix.h"
 
-#include "pkixcheck.h"
-#include "pkixutil.h"
+#include "mozpkix/pkixcheck.h"
+#include "mozpkix/pkixutil.h"
 
 namespace mozilla { namespace pkix {
 
 static Result BuildForward(TrustDomain& trustDomain,
                            const BackCert& subject,
                            Time time,
                            KeyUsage requiredKeyUsageIfPresent,
                            KeyPurposeId requiredEKUIfPresent,
--- a/lib/mozpkix/lib/pkixcert.cpp
+++ b/lib/mozpkix/lib/pkixcert.cpp
@@ -17,17 +17,17 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#include "pkixutil.h"
+#include "mozpkix/pkixutil.h"
 
 namespace mozilla { namespace pkix {
 
 Result
 BackCert::Init()
 {
   Result rv;
 
--- a/lib/mozpkix/lib/pkixcheck.cpp
+++ b/lib/mozpkix/lib/pkixcheck.cpp
@@ -17,20 +17,20 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#include "pkixcheck.h"
+#include "mozpkix/pkixcheck.h"
 
-#include "pkixder.h"
-#include "pkixutil.h"
+#include "mozpkix/pkixder.h"
+#include "mozpkix/pkixutil.h"
 
 namespace mozilla { namespace pkix {
 
 // 4.1.1.2 signatureAlgorithm
 // 4.1.2.3 signature
 
 Result
 CheckSignatureAlgorithm(TrustDomain& trustDomain,
--- a/lib/mozpkix/lib/pkixder.cpp
+++ b/lib/mozpkix/lib/pkixder.cpp
@@ -17,19 +17,19 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#include "pkixder.h"
+#include "mozpkix/pkixder.h"
 
-#include "pkixutil.h"
+#include "mozpkix/pkixutil.h"
 
 namespace mozilla { namespace pkix { namespace der {
 
 // Too complicated to be inline
 Result
 ReadTagAndGetValue(Reader& input, /*out*/ uint8_t& tag, /*out*/ Input& value)
 {
   Result rv;
--- a/lib/mozpkix/lib/pkixnames.cpp
+++ b/lib/mozpkix/lib/pkixnames.cpp
@@ -31,18 +31,18 @@
 // one in the subjectAltName of the certificate, or sometimes within a CN of
 // the certificate's subject. The "reference identifier" is the one we are
 // being asked to match the certificate against. When checking name
 // constraints, the reference identifier is the entire encoded name constraint
 // extension value.
 
 #include <algorithm>
 
-#include "pkixcheck.h"
-#include "pkixutil.h"
+#include "mozpkix/pkixcheck.h"
+#include "mozpkix/pkixutil.h"
 
 namespace mozilla { namespace pkix {
 
 namespace {
 
 // GeneralName ::= CHOICE {
 //      otherName                       [0]     OtherName,
 //      rfc822Name                      [1]     IA5String,
--- a/lib/mozpkix/lib/pkixnss.cpp
+++ b/lib/mozpkix/lib/pkixnss.cpp
@@ -17,26 +17,26 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#include "pkix/pkixnss.h"
+#include "mozpkix/pkixnss.h"
 
 #include <limits>
 
 #include "cryptohi.h"
 #include "keyhi.h"
 #include "pk11pub.h"
-#include "pkix/pkix.h"
-#include "pkixutil.h"
-#include "ScopedPtr.h"
+#include "mozpkix/nss_scoped_ptrs.h"
+#include "mozpkix/pkix.h"
+#include "mozpkix/pkixutil.h"
 #include "secerr.h"
 #include "sslerr.h"
 
 namespace mozilla { namespace pkix {
 
 namespace {
 
 Result
@@ -51,22 +51,22 @@ VerifySignedDigest(const SignedDigest& s
     case DigestAlgorithm::sha384: digestAlg = SEC_OID_SHA384; break;
     case DigestAlgorithm::sha256: digestAlg = SEC_OID_SHA256; break;
     case DigestAlgorithm::sha1: digestAlg = SEC_OID_SHA1; break;
     MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
   }
 
   SECItem subjectPublicKeyInfoSECItem =
     UnsafeMapInputToSECItem(subjectPublicKeyInfo);
-  ScopedPtr<CERTSubjectPublicKeyInfo, SECKEY_DestroySubjectPublicKeyInfo>
+  ScopedCERTSubjectPublicKeyInfo
     spki(SECKEY_DecodeDERSubjectPublicKeyInfo(&subjectPublicKeyInfoSECItem));
   if (!spki) {
     return MapPRErrorCodeToResult(PR_GetError());
   }
-  ScopedPtr<SECKEYPublicKey, SECKEY_DestroyPublicKey>
+  ScopedSECKEYPublicKey
     pubKey(SECKEY_ExtractPublicKey(spki.get()));
   if (!pubKey) {
     return MapPRErrorCodeToResult(PR_GetError());
   }
 
   SECItem digestSECItem(UnsafeMapInputToSECItem(sd.digest));
   SECItem signatureSECItem(UnsafeMapInputToSECItem(sd.signature));
   SECStatus srv = VFY_VerifyDigestDirect(&digestSECItem, pubKey.get(),
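Review bot: With the shorter alias the `pubKey` declaration no longer needs its line break and reads better as `ScopedSECKEYPublicKey pubKey(SECKEY_ExtractPublicKey(spki.get()));`. The destroy functions for `spki` and `pubKey` were previously named at the declaration and are now chosen in `nss_scoped_ptrs.h`, which is outside this hunk. It is worth confirming that those aliases still map to `SECKEY_DestroySubjectPublicKeyInfo` and `SECKEY_DestroyPublicKey`. `VerifySignedDigest` starts and ends outside the hunk.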
--- a/lib/mozpkix/lib/pkixocsp.cpp
+++ b/lib/mozpkix/lib/pkixocsp.cpp
@@ -19,19 +19,19 @@
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
 #include <limits>
 
-#include "pkix/pkix.h"
-#include "pkixcheck.h"
-#include "pkixutil.h"
+#include "mozpkix/pkix.h"
+#include "mozpkix/pkixcheck.h"
+#include "mozpkix/pkixutil.h"
 
 namespace {
 
 const size_t SHA1_DIGEST_LENGTH = 160 / 8;
 
 } // namespace
 
 namespace mozilla { namespace pkix {
--- a/lib/mozpkix/lib/pkixresult.cpp
+++ b/lib/mozpkix/lib/pkixresult.cpp
@@ -17,18 +17,18 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#include "pkix/Result.h"
-#include "pkixutil.h"
+#include "mozpkix/Result.h"
+#include "mozpkix/pkixutil.h"
 
 namespace mozilla { namespace pkix {
 
 const char*
 MapResultToName(Result result)
 {
   switch (result)
   {
--- a/lib/mozpkix/lib/pkixtime.cpp
+++ b/lib/mozpkix/lib/pkixtime.cpp
@@ -17,20 +17,20 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#include "pkix/Time.h"
-#include "pkixutil.h"
+#include "mozpkix/Time.h"
+#include "mozpkix/pkixutil.h"
 
-#ifdef WIN32
+#ifdef _WINDOWS
 #ifdef _MSC_VER
 #pragma warning(push, 3)
 #endif
 #include "windows.h"
 #ifdef _MSC_VER
 #pragma warning(pop)
 #endif
 #else
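Review bot: The guard `#ifdef _WINDOWS` (here, and again in the next hunk inside `Now()`) depends on a macro that, as far as I know, compilers do not predefine. It has to be supplied by the build configuration, whereas `_WIN32` is predefined by Windows toolchains. A Windows build that compiles this file without that define would select the `#else` branch, whose contents are outside the hunk. I would write both guards as `#if defined(_WIN32) || defined(_WINDOWS)`, or add a comment naming where `_WINDOWS` is set.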
@@ -39,17 +39,17 @@
 
 namespace mozilla { namespace pkix {
 
 Time
 Now()
 {
   uint64_t seconds;
 
-#ifdef WIN32
+#ifdef _WINDOWS
   // "Contains a 64-bit value representing the number of 100-nanosecond
   // intervals since January 1, 1601 (UTC)."
   //   - http://msdn.microsoft.com/en-us/library/windows/desktop/ms724284(v=vs.85).aspx
   FILETIME ft;
   GetSystemTimeAsFileTime(&ft);
   uint64_t ft64 = (static_cast<uint64_t>(ft.dwHighDateTime) << 32) |
                   ft.dwLowDateTime;
   seconds = (DaysBeforeYear(1601) * Time::ONE_DAY_IN_SECONDS) +
--- a/lib/mozpkix/lib/pkixverify.cpp
+++ b/lib/mozpkix/lib/pkixverify.cpp
@@ -17,17 +17,17 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#include "pkixutil.h"
+#include "mozpkix/pkixutil.h"
 
 namespace mozilla { namespace pkix {
 
 Result
 DigestSignedData(TrustDomain& trustDomain,
                  const der::SignedDataWithSignature& signedData,
                  /*out*/ uint8_t(&digestBuf)[MAX_DIGEST_SIZE_IN_BYTES],
                  /*out*/ der::PublicKeyAlgorithm& publicKeyAlg,
deleted file mode 100644
--- a/lib/mozpkix/moz.build
+++ /dev/null
@@ -1,36 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-with Files("**"):
-    BUG_COMPONENT = ("Core", "Security: PSM")
-
-SOURCES += [
-    'lib/pkixbuild.cpp',
-    'lib/pkixcert.cpp',
-    'lib/pkixcheck.cpp',
-    'lib/pkixder.cpp',
-    'lib/pkixnames.cpp',
-    'lib/pkixnss.cpp',
-    'lib/pkixocsp.cpp',
-    'lib/pkixresult.cpp',
-    'lib/pkixtime.cpp',
-    'lib/pkixverify.cpp',
-]
-
-LOCAL_INCLUDES += [
-    'include',
-]
-
-TEST_DIRS += [
-    'test/gtest',
-    'test/lib',
-]
-
-include('warnings.mozbuild')
-
-Library('mozillapkix')
-
-FINAL_LIBRARY = 'xul'
new file mode 100644
--- /dev/null
+++ b/lib/mozpkix/mozpkix.gyp
@@ -0,0 +1,60 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+  'includes': [
+    '../../coreconf/config.gypi'
+  ],
+  'targets': [
+    {
+      'target_name': 'mozpkix',
+      'type': 'static_library',
+      'standalone_static_library': 1,
+      'sources': [
+        'lib/pkixbuild.cpp',
+        'lib/pkixcert.cpp',
+        'lib/pkixcheck.cpp',
+        'lib/pkixder.cpp',
+        'lib/pkixnames.cpp',
+        'lib/pkixnss.cpp',
+        'lib/pkixocsp.cpp',
+        'lib/pkixresult.cpp',
+        'lib/pkixtime.cpp',
+        'lib/pkixverify.cpp',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_mozpkix_exports',
+      ],
+      'conditions': [
+        [ 'mozpkix_only==0', {
+          'dependencies': [
+            '<(DEPTH)/exports.gyp:nss_exports'
+          ],
+        }],
+      ],
+    },
+    {
+      'target_name': 'mozpkix-testlib',
+      'type': 'static_library',
+      'standalone_static_library': 1,
+      'sources': [
+        'test-lib/pkixtestalg.cpp',
+        'test-lib/pkixtestnss.cpp',
+        'test-lib/pkixtestutil.cpp',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_mozpkix_exports',
+      ],
+      'conditions': [
+        [ 'mozpkix_only==0', {
+          'dependencies': [
+            '<(DEPTH)/exports.gyp:nss_exports'
+          ],
+        }],
+      ],
+    },
+  ],
+  'variables': {
+    'module': 'nss',
+  }
+}
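Review bot: Neither target sets any warning flags, while the `moz.build` deleted in this commit ended with `include('warnings.mozbuild')`. Unless `coreconf/config.gypi` supplies an equivalent set (not visible here), the certificate-verification sources lose that compiler checking in the NSS build. I would at least record the decision in the file, e.g. `# TODO: confirm the warnings formerly enabled via warnings.mozbuild are covered by config.gypi`. The `dependencies` and `conditions` entries are also repeated verbatim in both targets and could be shared.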
rename from lib/mozpkix/test/lib/pkixtestalg.cpp
rename to lib/mozpkix/test-lib/pkixtestalg.cpp
--- a/lib/mozpkix/test/lib/pkixtestalg.cpp
+++ b/lib/mozpkix/test-lib/pkixtestalg.cpp
@@ -17,19 +17,20 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#include "pkixtestutil.h"
+#include "mozpkix/test/pkixtestutil.h"
 
-#include "pkixder.h"
+#include "mozpkix/pkixder.h"
+#include "mozpkix/nss_scoped_ptrs.h"
 
 // python DottedOIDToCode.py --prefixdefine PREFIX_1_2_840_10040 1.2.840.10040
 #define PREFIX_1_2_840_10040 0x2a, 0x86, 0x48, 0xce, 0x38
 
 // python DottedOIDToCode.py --prefixdefine PREFIX_1_2_840_10045 1.2.840.10045
 #define PREFIX_1_2_840_10045 0x2a, 0x86, 0x48, 0xce, 0x3d
 
 // python DottedOIDToCode.py --prefixdefine PREFIX_1_2_840_113549 1.2.840.113549
rename from lib/mozpkix/test/lib/pkixtestnss.cpp
rename to lib/mozpkix/test-lib/pkixtestnss.cpp
--- a/lib/mozpkix/test/lib/pkixtestnss.cpp
+++ b/lib/mozpkix/test-lib/pkixtestnss.cpp
@@ -17,51 +17,38 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#include "pkixtestutil.h"
-#include "pkixtestnss.h"
+#include "mozpkix/test/pkixtestutil.h"
+#include "mozpkix/test/pkixtestnss.h"
 
 #include <limits>
 
 #include "cryptohi.h"
 #include "keyhi.h"
 #include "nss.h"
 #include "pk11pqg.h"
 #include "pk11pub.h"
-#include "pkix/pkixnss.h"
-#include "pkixder.h"
-#include "pkixutil.h"
+#include "mozpkix/nss_scoped_ptrs.h"
+#include "mozpkix/pkixnss.h"
+#include "mozpkix/pkixder.h"
+#include "mozpkix/pkixutil.h"
 #include "prinit.h"
 #include "secerr.h"
 #include "secitem.h"
 
 namespace mozilla { namespace pkix { namespace test {
 
 namespace {
 
-inline void
-SECITEM_FreeItem_true(SECItem* item)
-{
-  SECITEM_FreeItem(item, true);
-}
-
-inline void
-SECKEY_DestroyEncryptedPrivateKeyInfo_true(SECKEYEncryptedPrivateKeyInfo* e)
-{
-  SECKEY_DestroyEncryptedPrivateKeyInfo(e, true);
-}
-
-typedef mozilla::pkix::ScopedPtr<SECItem, SECITEM_FreeItem_true> ScopedSECItem;
-
 TestKeyPair* GenerateKeyPairInner();
 
 void
 InitNSSIfNeeded()
 {
   if (NSS_NoDB_Init(nullptr) != SECSuccess) {
     abort();
   }
@@ -121,17 +108,17 @@ public:
           oidTag = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;
           break;
         MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
       }
     } else {
       abort();
     }
 
-    ScopedPtr<PK11SlotInfo, PK11_FreeSlot> slot(PK11_GetInternalSlot());
+    ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
     if (!slot) {
       return MapPRErrorCodeToResult(PR_GetError());
     }
     SECItem encryptedPrivateKeyInfoItem = {
       siBuffer,
       const_cast<uint8_t*>(encryptedPrivateKey.data()),
       static_cast<unsigned int>(encryptedPrivateKey.length())
     };
@@ -195,37 +182,36 @@ private:
 } // namespace
 
 // This private function is also used by Gecko's PSM test framework
 // (OCSPCommon.cpp).
 TestKeyPair* CreateTestKeyPair(const TestPublicKeyAlgorithm publicKeyAlg,
                                const ScopedSECKEYPublicKey& publicKey,
                                const ScopedSECKEYPrivateKey& privateKey)
 {
-  ScopedPtr<CERTSubjectPublicKeyInfo, SECKEY_DestroySubjectPublicKeyInfo>
+  ScopedCERTSubjectPublicKeyInfo
     spki(SECKEY_CreateSubjectPublicKeyInfo(publicKey.get()));
   if (!spki) {
     return nullptr;
   }
   SECItem spkDER = spki->subjectPublicKey;
   DER_ConvertBitString(&spkDER); // bits to bytes
-  ScopedPtr<PK11SlotInfo, PK11_FreeSlot> slot(PK11_GetInternalSlot());
+  ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
   if (!slot) {
     return nullptr;
   }
   // Because NSSTestKeyPair isn't tracked by XPCOM and won't otherwise be aware
   // of shutdown, we don't have a way to release NSS resources at the
   // appropriate time. To work around this, NSSTestKeyPair doesn't hold on to
   // NSS resources. Instead, we export the generated private key part as an
   // encrypted blob (with an empty password and fairly lame encryption). When we
   // need to use it (e.g. to sign something), we decrypt it and create a
   // temporary key object.
   SECItem passwordItem = { siBuffer, nullptr, 0 };
-  ScopedPtr<SECKEYEncryptedPrivateKeyInfo,
-            SECKEY_DestroyEncryptedPrivateKeyInfo_true> encryptedPrivateKey(
+  ScopedSECKEYEncryptedPrivateKeyInfo encryptedPrivateKey(
     PK11_ExportEncryptedPrivKeyInfo(
       slot.get(), SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC,
       &passwordItem, privateKey.get(), 1, nullptr));
   if (!encryptedPrivateKey) {
     return nullptr;
   }
 
   return new (std::nothrow) NSSTestKeyPair(
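Review bot: The block comment above `passwordItem` still justifies the export-and-reimport design by XPCOM shutdown, which reads as Gecko-specific now that this file is built inside NSS. It also never says the weak wrapping is acceptable only because the key is throwaway test material. I would open that comment with `// Test-only: the private key is wrapped with an empty password and 3DES/SHA-1 PBE; never reuse this path for real keys.` and keep the XPCOM rationale as a note for the Gecko consumer. The `return new (std::nothrow) NSSTestKeyPair(` statement continues past the end of the hunk.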
@@ -239,17 +225,17 @@ TestKeyPair* CreateTestKeyPair(const Tes
                encryptedPrivateKey->algorithm.parameters.len));
 }
 
 namespace {
 
 TestKeyPair*
 GenerateKeyPairInner()
 {
-  ScopedPtr<PK11SlotInfo, PK11_FreeSlot> slot(PK11_GetInternalSlot());
+  ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
   if (!slot) {
     abort();
   }
 
   // Bug 1012786: PK11_GenerateKeyPair can fail if there is insufficient
   // entropy to generate a random key. Attempting to add some entropy and
   // retrying appears to solve this issue.
   for (uint32_t retries = 0; retries < 10; retries++) {
@@ -305,17 +291,17 @@ CloneReusedKeyPair()
   return reusedKeyPair->Clone();
 }
 
 TestKeyPair*
 GenerateDSSKeyPair()
 {
   InitNSSIfNeeded();
 
-  ScopedPtr<PK11SlotInfo, PK11_FreeSlot> slot(PK11_GetInternalSlot());
+  ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
   if (!slot) {
     return nullptr;
   }
 
   ByteString p(DSS_P());
   ByteString q(DSS_Q());
   ByteString g(DSS_G());
 
rename from lib/mozpkix/test/lib/pkixtestutil.cpp
rename to lib/mozpkix/test-lib/pkixtestutil.cpp
--- a/lib/mozpkix/test/lib/pkixtestutil.cpp
+++ b/lib/mozpkix/test-lib/pkixtestutil.cpp
@@ -17,42 +17,42 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#include "pkixtestutil.h"
+#include "mozpkix/test/pkixtestutil.h"
 
 #include <cerrno>
 #include <cstdio>
 #include <limits>
 #include <new>
 #include <sstream>
 #include <cstdlib>
 
-#include "pkixder.h"
-#include "pkixutil.h"
-
-#include "mozilla/Unused.h"
+#include "mozpkix/pkixder.h"
+#include "mozpkix/pkixutil.h"
 
 using namespace std;
 
 namespace mozilla { namespace pkix { namespace test {
 
 namespace {
 
-inline void
-fclose_void(FILE* file) {
-  (void) fclose(file);
-}
-
-typedef mozilla::pkix::ScopedPtr<FILE, fclose_void> ScopedFILE;
+struct ScopedMaybeDeleteFile {
+  void operator()(FILE* f) {
+    if (f) {
+      (void)fclose(f);
+    }
+  }
+};
+typedef std::unique_ptr<FILE, ScopedMaybeDeleteFile> ScopedFILE;
 
 FILE*
 OpenFile(const string& dir, const string& filename, const string& mode)
 {
   string path = dir + '/' + filename;
 
   ScopedFILE file;
 #ifdef _MSC_VER
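Review bot: `ScopedFILE` is now a `std::unique_ptr`, but the include list in this hunk has no `<memory>`, so the typedef compiles only if one of the mozpkix headers happens to pull it in; add `#include <memory>` next to `<limits>`. The deleter name `ScopedMaybeDeleteFile` is also misleading, because it closes the stream and deletes nothing; `struct FileCloser` would read better. The `if (f)` guard can be dropped, since `unique_ptr` never calls its deleter on a null pointer. `OpenFile` continues past the end of the hunk.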
@@ -246,17 +246,17 @@ Integer(long value)
   ByteString encodedValue;
   encodedValue.push_back(static_cast<uint8_t>(value));
   return TLV(der::INTEGER, encodedValue);
 }
 
 enum TimeEncoding { UTCTime = 0, GeneralizedTime = 1 };
 
 // Windows doesn't provide gmtime_r, but it provides something very similar.
-#if defined(WIN32) && (!defined(_POSIX_C_SOURCE) || !defined(_POSIX_THREAD_SAFE_FUNCTIONS))
+#if defined(_WINDOWS) && (!defined(_POSIX_C_SOURCE) || !defined(_POSIX_THREAD_SAFE_FUNCTIONS))
 static tm*
 gmtime_r(const time_t* t, /*out*/ tm* exploded)
 {
   if (gmtime_s(exploded, t) != 0) {
     return nullptr;
   }
   return exploded;
 }
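Review bot: The guard on the `gmtime_r` shim now tests `_WINDOWS`, which the compiler does not predefine (`_WIN32` is predefined); it exists only when the build system passes it. The build flags are not visible in this hunk, so if any consumer compiles this file on Windows without that define, the shim disappears and any code relying on `gmtime_r` would stop compiling there. Testing both is safer: `#if (defined(_WIN32) || defined(_WINDOWS)) && (!defined(_POSIX_C_SOURCE) || !defined(_POSIX_THREAD_SAFE_FUNCTIONS))`.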
@@ -506,17 +506,17 @@ MaybeLogOutput(const ByteString& result,
       assert(false);
       return;
     }
     string filename = counterStream.str() + '-' + suffix + ".der";
 
     ++counter;
     ScopedFILE file(OpenFile(logPath, filename, "wb"));
     if (file) {
-      Unused << fwrite(result.data(), result.length(), 1, file.get());
+      (void) fwrite(result.data(), result.length(), 1, file.get());
     }
   }
 }
 
 ///////////////////////////////////////////////////////////////////////////////
 // Certificates
 
 static ByteString TBSCertificate(long version, const ByteString& serialNumber,
deleted file mode 100644
--- a/lib/mozpkix/test/gtest/moz.build
+++ /dev/null
@@ -1,72 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-SOURCES += [
-    'pkixbuild_tests.cpp',
-    'pkixcert_extension_tests.cpp',
-    'pkixcert_signature_algorithm_tests.cpp',
-    'pkixcheck_CheckExtendedKeyUsage_tests.cpp',
-    'pkixcheck_CheckIssuer_tests.cpp',
-    'pkixcheck_CheckKeyUsage_tests.cpp',
-    'pkixcheck_CheckSignatureAlgorithm_tests.cpp',
-    'pkixcheck_CheckValidity_tests.cpp',
-    'pkixcheck_ParseValidity_tests.cpp',
-    'pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp',
-
-    # The naming conventions are described in ./README.txt.
-
-    'pkixder_input_tests.cpp',
-    'pkixder_pki_types_tests.cpp',
-    'pkixder_universal_types_tests.cpp',
-    'pkixgtest.cpp',
-    'pkixnames_tests.cpp',
-    'pkixocsp_CreateEncodedOCSPRequest_tests.cpp',
-    'pkixocsp_VerifyEncodedOCSPResponse.cpp',
-]
-
-LOCAL_INCLUDES += [
-    '../../include',
-    '../../lib',
-    '../lib',
-]
-
-FINAL_LIBRARY = 'xul-gtest'
-
-include('../../warnings.mozbuild')
-
-# GTest uses a variadic macro in a questionable way and it doesn't seem to be
-# possible to selectively disable just that error when -pedantic-errors is set.
-if CONFIG['CC_TYPE'] == 'gcc':
-  CXXFLAGS.remove('-pedantic-errors')
-
-# These warnings are disabled in order to minimize the amount of boilerplate
-# required to implement tests, and/or because they originate in the GTest
-# framework in a way we cannot otherwise work around.
-if CONFIG['CC_TYPE'] in ('clang', 'clang-cl', 'gcc'):
-  CXXFLAGS += [
-    '-Wno-old-style-cast',
-  ]
-  if CONFIG['CC_TYPE'] in ('clang', 'clang-cl'):
-    CXXFLAGS += [
-      '-Wno-exit-time-destructors',
-      '-Wno-global-constructors',
-      '-Wno-thread-safety',
-      '-Wno-used-but-marked-unused',
-      '-Wno-zero-as-null-pointer-constant',
-    ]
-elif CONFIG['CC_TYPE'] == 'msvc':
-  CXXFLAGS += [
-    '-wd4350', # behavior change: 'std::_Wrap_alloc<std::allocator<_Ty>>::...
-    '-wd4275', # non dll-interface class used as base for dll-interface class
-    '-wd4548', # Expression before comma has no effect
-    '-wd4625', # copy constructor could not be generated.
-    '-wd4626', # assugment operator could not be generated.
-    '-wd4640', # construction of local static object is not thread safe.
-
-    # This is intended as a temporary hack to support building with VS2015.
-    # declaration of '*' hides class member
-    '-wd4458',
-  ]
deleted file mode 100644
--- a/lib/mozpkix/test/lib/moz.build
+++ /dev/null
@@ -1,39 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# This code is made available to you under your choice of the following sets
-# of licensing terms:
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# Copyright 2013 Mozilla Contributors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-SOURCES += [
-    'pkixtestalg.cpp',
-    'pkixtestnss.cpp',
-    'pkixtestutil.cpp',
-]
-
-Library('pkixtestutil')
-
-LOCAL_INCLUDES += [
-    '../../include',
-    '../../lib',
-]
-
-FINAL_LIBRARY = 'xul-gtest'
-
-if CONFIG['CC_TYPE'] in ('clang', 'gcc'):
-    CXXFLAGS += ['-Wno-error=shadow']
deleted file mode 100644
--- a/lib/mozpkix/warnings.mozbuild
+++ /dev/null
@@ -1,52 +0,0 @@
-if CONFIG['CC_TYPE'] in ('clang', 'clang-cl'):
-  CXXFLAGS += [
-    '-Weverything',
-
-    '-Wno-c++98-compat',
-    '-Wno-c++98-compat-pedantic',
-    '-Wno-missing-prototypes',
-    '-Wno-missing-variable-declarations',
-    '-Wno-padded',
-    '-Wno-reserved-id-macro', # NSPR and NSS use reserved IDs in their include guards.
-    '-Wno-weak-vtables', # We rely on the linker to merge the duplicate vtables.
-  ]
-elif CONFIG['CC_TYPE'] == 'msvc':
-  CXXFLAGS += [
-    '-sdl', # Enable additional security checks based on Microsoft's SDL.
-
-    '-Wall',
-
-    '-wd4464', # relative include path contains '..'
-    '-wd4514', # 'function': unreferenced inline function has been removed
-    '-wd4668', # warning C4668: 'X' is not defined as a preprocessor macro,
-               # replacing with '0' for '#if/#elif'.
-    '-wd4710', # 'function': function not inlined
-    '-wd4711', # function 'function' selected for inline expansion
-    '-wd4800', # forcing value to bool 'true' or 'false'
-    '-wd4820', # 'bytes' bytes padding added after construct 'member_name'
-
-    # The following warnings are disabled because MSVC 2017 headers aren't
-    # warning free at the -Wall level.
-    '-wd4365', # 'action' : conversion from 'type_1' to 'type_2',
-               # signed/unsigned mismatch
-    '-wd4619', # #pragma warning : there is no warning number 'number'
-    '-wd4623', # 'derived class' : default constructor was implicitly defined as
-               # deleted because a base class default constructor is
-               # inaccessible or deleted
-    '-wd4774', # '<function>' : format string expected in argument <position> is
-               # not a string literal
-    '-wd4987', # nonstandard extension used: 'throw (...)'
-
-    # XXX: We cannot use /Za (Disable Microsoft Extensions) because windows.h
-    # won't copmile with it.
-    '-Zc:forScope', # Standard C++ rules for variable scope in for loops.
-    '-Zc:inline', # Standard C++ rules requiring definition inline functions.
-    '-Zc:rvalueCast', # Standard C++ rules for result of cast being an rvalue.
-    '-Zc:strictStrings', # Standard C++ rule that string literals are const.
-  ]
-else:
-  CXXFLAGS += [
-    '-Wall',
-    '-Wextra',
-    '-pedantic-errors',
-  ]
--- a/nss-tool/common/util.h
+++ b/nss-tool/common/util.h
@@ -1,17 +1,17 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef util_h__
 #define util_h__
 
 #include "nspr.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 #include <secmodt.h>
 #include <string>
 #include <vector>
 
 #ifndef PORT_Malloc
 #define PORT_Malloc PR_Malloc
 #endif
--- a/nss-tool/db/dbtool.cc
+++ b/nss-tool/db/dbtool.cc
@@ -1,15 +1,15 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "dbtool.h"
 #include "argparse.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "util.h"
 
 #include <iomanip>
 #include <iostream>
 #include <regex>
 #include <sstream>
 
 #include <cert.h>
--- a/nss-tool/digest/digesttool.cc
+++ b/nss-tool/digest/digesttool.cc
@@ -1,15 +1,15 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "digesttool.h"
 #include "argparse.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "util.h"
 
 #include <algorithm>
 #include <fstream>
 #include <iomanip>
 #include <iostream>
 
 #include <hasht.h>  // contains supported digest types
--- a/nss-tool/enc/enctool.h
+++ b/nss-tool/enc/enctool.h
@@ -4,17 +4,17 @@
 
 #ifndef enctool_h__
 #define enctool_h__
 
 #include <string>
 #include <vector>
 #include "argparse.h"
 #include "prerror.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tool.h"
 
 class EncTool : public Tool {
  public:
   bool Run(const std::vector<std::string>& arguments) override;
   void Usage() override;
 
  private:
--- a/nss.gyp
+++ b/nss.gyp
@@ -1,124 +1,142 @@
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 {
   'includes': [
     'coreconf/config.gypi'
   ],
-  'targets': [
-    {
-      'target_name': 'nss_libs',
-      'type': 'none',
-      'dependencies': [
-        'lib/ckfw/builtins/builtins.gyp:nssckbi',
-        'lib/freebl/freebl.gyp:freebl3',
-        'lib/softoken/softoken.gyp:softokn3',
-      ],
-      'conditions': [
-        [ 'moz_fold_libs==0', {
+  'conditions': [
+    [ 'mozpkix_only==0', {
+      'targets': [
+        {
+          'target_name': 'nss_libs',
+          'type': 'none',
+          'dependencies': [
+            'lib/ckfw/builtins/builtins.gyp:nssckbi',
+            'lib/freebl/freebl.gyp:freebl3',
+            'lib/softoken/softoken.gyp:softokn3',
+          ],
+          'conditions': [
+            [ 'moz_fold_libs==0', {
+              'dependencies': [
+                'lib/nss/nss.gyp:nss3',
+                'lib/smime/smime.gyp:smime3',
+                'lib/sqlite/sqlite.gyp:sqlite3',
+                'lib/ssl/ssl.gyp:ssl3',
+                'lib/util/util.gyp:nssutil3',
+              ],
+            }],
+            [ 'OS=="linux"', {
+              'dependencies': [
+                'lib/freebl/freebl.gyp:freeblpriv3',
+                'lib/sysinit/sysinit.gyp:nsssysinit',
+              ],
+            }],
+            [ 'disable_dbm==0', {
+              'dependencies': [
+                'lib/softoken/legacydb/legacydb.gyp:nssdbm3',
+              ],
+            }],
+          ],
+        },
+        {
+          'target_name': 'nss_static_libs',
+          'type': 'none',
           'dependencies': [
-            'lib/nss/nss.gyp:nss3',
-            'lib/smime/smime.gyp:smime3',
-            'lib/sqlite/sqlite.gyp:sqlite3',
-            'lib/ssl/ssl.gyp:ssl3',
-            'lib/util/util.gyp:nssutil3',
+            'cmd/lib/lib.gyp:sectool',
+            'lib/base/base.gyp:nssb',
+            'lib/certdb/certdb.gyp:certdb',
+            'lib/certhigh/certhigh.gyp:certhi',
+            'lib/ckfw/ckfw.gyp:nssckfw',
+            'lib/crmf/crmf.gyp:crmf',
+            'lib/cryptohi/cryptohi.gyp:cryptohi',
+            'lib/dev/dev.gyp:nssdev',
+            'lib/freebl/freebl.gyp:freebl',
+            'lib/jar/jar.gyp:jar',
+            'lib/libpkix/libpkix.gyp:libpkix',
+            # mozpkix and mozpkix-testlib are static C++ libs
+            'lib/mozpkix/mozpkix.gyp:mozpkix',
+            'lib/mozpkix/mozpkix.gyp:mozpkix-testlib',
+            'lib/nss/nss.gyp:nss_static',
+            'lib/pk11wrap/pk11wrap.gyp:pk11wrap',
+            'lib/pkcs12/pkcs12.gyp:pkcs12',
+            'lib/pkcs7/pkcs7.gyp:pkcs7',
+            'lib/pki/pki.gyp:nsspki',
+            'lib/smime/smime.gyp:smime',
+            'lib/softoken/softoken.gyp:softokn',
+            'lib/ssl/ssl.gyp:ssl',
+            'lib/util/util.gyp:nssutil',
           ],
-        }],
-        [ 'OS=="linux"', {
+          'conditions': [
+            [ 'OS=="linux"', {
+              'dependencies': [
+                'lib/sysinit/sysinit.gyp:nsssysinit_static',
+              ],
+            }],
+            [ 'disable_dbm==0', {
+              'dependencies': [
+                'lib/dbm/src/src.gyp:dbm',
+                'lib/softoken/legacydb/legacydb.gyp:nssdbm',
+              ],
+            }],
+            [ 'use_system_sqlite==0', {
+              'dependencies': [
+                'lib/sqlite/sqlite.gyp:sqlite',
+              ],
+            }],
+            [ 'moz_fold_libs==1', {
+              'dependencies': [
+                'lib/nss/nss.gyp:nss3_static',
+                'lib/smime/smime.gyp:smime3_static',
+              ],
+            }],
+          ],
+        },
+        {
+          'target_name': 'nss_cmds',
+          'type': 'none',
           'dependencies': [
-            'lib/freebl/freebl.gyp:freeblpriv3',
-            'lib/sysinit/sysinit.gyp:nsssysinit',
+            'cmd/certutil/certutil.gyp:certutil',
+            'cmd/modutil/modutil.gyp:modutil',
+            'cmd/pk12util/pk12util.gyp:pk12util',
+            'cmd/shlibsign/shlibsign.gyp:shlibsign',
           ],
-        }],
-        [ 'disable_dbm==0', {
-          'dependencies': [
-            'lib/softoken/legacydb/legacydb.gyp:nssdbm3',
+          'conditions': [
+            [ 'mozilla_client==0', {
+              'dependencies': [
+                'cmd/crlutil/crlutil.gyp:crlutil',
+                'cmd/pwdecrypt/pwdecrypt.gyp:pwdecrypt',
+                'cmd/signtool/signtool.gyp:signtool',
+                'cmd/signver/signver.gyp:signver',
+                'cmd/smimetools/smimetools.gyp:cmsutil',
+                'cmd/ssltap/ssltap.gyp:ssltap',
+                'cmd/symkeyutil/symkeyutil.gyp:symkeyutil',
+                'nss-tool/nss_tool.gyp:nss',
+                'nss-tool/nss_tool.gyp:hw-support',
+              ],
+            }],
           ],
-        }],
+        },
       ],
-    },
-    {
-      'target_name': 'nss_static_libs',
-      'type': 'none',
-      'dependencies': [
-        'cmd/lib/lib.gyp:sectool',
-        'lib/base/base.gyp:nssb',
-        'lib/certdb/certdb.gyp:certdb',
-        'lib/certhigh/certhigh.gyp:certhi',
-        'lib/ckfw/ckfw.gyp:nssckfw',
-        'lib/crmf/crmf.gyp:crmf',
-        'lib/cryptohi/cryptohi.gyp:cryptohi',
-        'lib/dev/dev.gyp:nssdev',
-        'lib/freebl/freebl.gyp:freebl',
-        'lib/jar/jar.gyp:jar',
-        'lib/nss/nss.gyp:nss_static',
-        'lib/pk11wrap/pk11wrap.gyp:pk11wrap',
-        'lib/pkcs12/pkcs12.gyp:pkcs12',
-        'lib/pkcs7/pkcs7.gyp:pkcs7',
-        'lib/pki/pki.gyp:nsspki',
-        'lib/smime/smime.gyp:smime',
-        'lib/softoken/softoken.gyp:softokn',
-        'lib/ssl/ssl.gyp:ssl',
-        'lib/util/util.gyp:nssutil',
-        'lib/libpkix/libpkix.gyp:libpkix',
-      ],
-      'conditions': [
-        [ 'OS=="linux"', {
+    }, { # else, i.e. mozpkix_only==1
+      # Build only mozpkix.
+      'targets': [
+        {
+          'target_name': 'nss_mozpkix_libs',
+          'type': 'none',
           'dependencies': [
-            'lib/sysinit/sysinit.gyp:nsssysinit_static',
-          ],
-        }],
-        [ 'disable_dbm==0', {
-          'dependencies': [
-            'lib/dbm/src/src.gyp:dbm',
-            'lib/softoken/legacydb/legacydb.gyp:nssdbm',
+            # mozpkix and mozpkix-testlib are static C++ libs
+            'lib/mozpkix/mozpkix.gyp:mozpkix',
+            'lib/mozpkix/mozpkix.gyp:mozpkix-testlib',
           ],
-        }],
-        [ 'use_system_sqlite==0', {
-          'dependencies': [
-            'lib/sqlite/sqlite.gyp:sqlite',
-          ],
-        }],
-        [ 'moz_fold_libs==1', {
-          'dependencies': [
-            'lib/nss/nss.gyp:nss3_static',
-            'lib/smime/smime.gyp:smime3_static',
-          ],
-        }],
+        },
       ],
-    },
-    {
-      'target_name': 'nss_cmds',
-      'type': 'none',
-      'dependencies': [
-        'cmd/certutil/certutil.gyp:certutil',
-        'cmd/modutil/modutil.gyp:modutil',
-        'cmd/pk12util/pk12util.gyp:pk12util',
-        'cmd/shlibsign/shlibsign.gyp:shlibsign',
-      ],
-      'conditions': [
-        [ 'mozilla_client==0', {
-          'dependencies': [
-            'cmd/crlutil/crlutil.gyp:crlutil',
-            'cmd/pwdecrypt/pwdecrypt.gyp:pwdecrypt',
-            'cmd/signtool/signtool.gyp:signtool',
-            'cmd/signver/signver.gyp:signver',
-            'cmd/smimetools/smimetools.gyp:cmsutil',
-            'cmd/ssltap/ssltap.gyp:ssltap',
-            'cmd/symkeyutil/symkeyutil.gyp:symkeyutil',
-            'nss-tool/nss_tool.gyp:nss',
-            'nss-tool/nss_tool.gyp:hw-support',
-          ],
-        }],
-      ],
-    },
-  ],
-  'conditions': [
+    }],
     [ 'disable_tests==0', {
       'targets': [
         {
           'target_name': 'nss_tests',
           'type': 'none',
           'dependencies': [
             'cmd/addbuiltin/addbuiltin.gyp:addbuiltin',
             'cmd/atob/atob.gyp:atob',
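Review bot: `lib/mozpkix/mozpkix.gyp:mozpkix-testlib` is added to the `nss_static_libs` dependencies and to `nss_mozpkix_libs`, both outside the `disable_tests==0` condition, so the test helper library is built even when tests are disabled. That library holds test-only key handling (`CreateTestKeyPair` in `lib/mozpkix/test-lib/pkixtestnss.cpp` exports a private key under an empty password), and it is cleaner to keep it out of non-test builds. Unless a consumer needs it from these targets, which this hunk does not show, move the line into the `nss_tests` dependency list or wrap it as `[ 'disable_tests==0', { 'dependencies': [ 'lib/mozpkix/mozpkix.gyp:mozpkix-testlib' ] }]`. The `nss_tests` target continues past the end of the hunk.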
@@ -165,21 +183,22 @@
             'cmd/vfychain/vfychain.gyp:vfychain',
             'cmd/vfyserv/vfyserv.gyp:vfyserv',
             'gtests/certhigh_gtest/certhigh_gtest.gyp:certhigh_gtest',
             'gtests/cryptohi_gtest/cryptohi_gtest.gyp:cryptohi_gtest',
             'gtests/der_gtest/der_gtest.gyp:der_gtest',
             'gtests/certdb_gtest/certdb_gtest.gyp:certdb_gtest',
             'gtests/freebl_gtest/freebl_gtest.gyp:prng_gtest',
             'gtests/freebl_gtest/freebl_gtest.gyp:blake2b_gtest',
+            'gtests/mozpkix_gtest/mozpkix_gtest.gyp:mozpkix_gtest',
+            'gtests/nss_bogo_shim/nss_bogo_shim.gyp:nss_bogo_shim',
             'gtests/pk11_gtest/pk11_gtest.gyp:pk11_gtest',
             'gtests/softoken_gtest/softoken_gtest.gyp:softoken_gtest',
             'gtests/ssl_gtest/ssl_gtest.gyp:ssl_gtest',
             'gtests/util_gtest/util_gtest.gyp:util_gtest',
-            'gtests/nss_bogo_shim/nss_bogo_shim.gyp:nss_bogo_shim',
           ],
           'conditions': [
             [ 'OS=="linux"', {
               'dependencies': [
                 'cmd/lowhashtest/lowhashtest.gyp:lowhashtest',
               ],
             }],
             [ 'disable_libpkix==0', {