Bug 1227795 - Add NSS_DISABLE_LIBPKIX to allow compiling without libpkix, r=franziskus,wtc
authorEugen Sawin <esawin@mozilla.com>
Wed, 22 Jun 2016 11:45:00 +0200
changeset 12307 64a69537291a3dc7e6f46317f65b5b6c00ba1da8
parent 12306 6714cf361769d9734bed4540b45cc15556c7c45d
child 12308 7e4c251717d4903dad57ae54d9e92da5556040f2
push id1338
push userfranziskuskiefer@gmail.com
push dateMon, 27 Jun 2016 11:40:03 +0000
reviewersfranziskus, wtc
bugs1227795
Bug 1227795 - Add NSS_DISABLE_LIBPKIX to allow compiling without libpkix, r=franziskus,wtc
cmd/manifest.mn
cmd/platlibs.mk
coreconf/config.mk
lib/Makefile
lib/certhigh/certvfy.c
lib/certhigh/certvfypkix.c
lib/manifest.mn
lib/nss/config.mk
lib/nss/nssinit.c
--- a/cmd/manifest.mn
+++ b/cmd/manifest.mn
@@ -53,17 +53,16 @@ NSS_SRCDIRS = \
  p7content  \
  p7env  \
  p7sign  \
  p7verify  \
  pk12util \
  pk11gcmtest \
  pk11mode \
  pk1sign  \
- pkix-errcodes \
  pp  \
  pwdecrypt \
  rsaperf \
  sdrtest \
  selfserv  \
  signtool \
  signver \
  smimetools  \
@@ -71,16 +70,23 @@ NSS_SRCDIRS = \
  strsclnt \
  symkeyutil \
  tests \
  tstclnt  \
  vfychain \
  vfyserv \
  modutil \
  $(NULL)
+
+ifndef NSS_DISABLE_LIBPKIX
+NSS_SRCDIRS += \
+ pkix-errcodes \
+ $(NULL)
+endif
+
 endif
 endif
 
 DIRS = \
  $(LIB_SRCDIRS) \
  $(SOFTOKEN_SRCDIRS) \
  $(NSS_SRCDIRS)
 
--- a/cmd/platlibs.mk
+++ b/cmd/platlibs.mk
@@ -46,31 +46,33 @@ else
 CRYPTOLIB=$(FREEBL_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
 SOFTOKENLIB=
 EXTRA_SHARED_LIBS += \
 	-L$(SOFTOKEN_LIB_DIR) \
 	-lsoftokn3 \
 	$(NULL)
 endif
 
+ifndef NSS_DISABLE_LIBPKIX
 ifndef NSS_BUILD_SOFTOKEN_ONLY
 PKIXLIB = \
 	$(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixutil.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixsystem.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixcrlsel.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixmodule.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixstore.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixparams.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixchecker.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixpki.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixresults.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixcertsel.$(LIB_SUFFIX)
 endif
+endif
 
 NSS_LIBS_1=
 SECTOOL_LIB=
 NSS_LIBS_2=
 NSS_LIBS_3=
 NSS_LIBS_4=
 
 ifneq ($(NSS_BUILD_UTIL_ONLY),1)
--- a/coreconf/config.mk
+++ b/coreconf/config.mk
@@ -157,16 +157,20 @@ endif
 ifdef NSS_ALLOW_UNSUPPORTED_CRITICAL
 DEFINES += -DNSS_ALLOW_UNSUPPORTED_CRITICAL
 endif
 
 ifdef BUILD_LIBPKIX_TESTS
 DEFINES += -DBUILD_LIBPKIX_TESTS
 endif
 
+ifdef NSS_DISABLE_LIBPKIX
+DEFINES += -DNSS_DISABLE_LIBPKIX
+endif
+
 ifdef NSS_DISABLE_DBM
 DEFINES += -DNSS_DISABLE_DBM
 endif
 
 ifdef NSS_DISABLE_CHACHAPOLY
 DEFINES += -DNSS_DISABLE_CHACHAPOLY
 endif
 
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -45,16 +45,20 @@ endif
 ifndef NSS_DISABLE_DBM
 DBM_SRCDIR = dbm  # Add the dbm directory to DIRS.
 endif
 
 ifeq ($(NSS_BUILD_UTIL_ONLY),1)
 SYSINIT_SRCDIR=
 endif
 
+ifndef NSS_DISABLE_LIBPKIX
+LIBPKIX_SRCDIR = libpkix  # Add the libpkix directory to DIRS.
+endif
+
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
 
 include $(CORE_DEPTH)/coreconf/rules.mk
 
 #######################################################################
 # (6) Execute "component" rules. (OPTIONAL)                           #
--- a/lib/certhigh/certvfy.c
+++ b/lib/certhigh/certvfy.c
@@ -7,19 +7,23 @@
 #include "seccomon.h"
 #include "secoid.h"
 #include "genname.h"
 #include "keyhi.h"
 #include "cert.h"
 #include "certdb.h"
 #include "certi.h"
 #include "cryptohi.h"
+
+#ifndef NSS_DISABLE_LIBPKIX
 #include "pkix.h"
-/*#include "pkix_sample_modules.h" */
 #include "pkix_pl_cert.h"
+#else
+#include "nss.h"
+#endif /* NSS_DISABLE_LIBPKIX */
 
 #include "nsspki.h"
 #include "pkitm.h"
 #include "pkim.h"
 #include "pki3hack.h"
 #include "base.h"
 #include "keyhi.h"
 
--- a/lib/certhigh/certvfypkix.c
+++ b/lib/certhigh/certvfypkix.c
@@ -18,32 +18,34 @@
 #include "certdb.h"
 #include "cert.h"
 #include "secerr.h"
 #include "nssb64.h"
 #include "secasn1.h"
 #include "secder.h"
 #include "pkit.h"
 
+#ifndef NSS_DISABLE_LIBPKIX
 #include "pkix_pl_common.h"
 
 extern PRLogModuleInfo *pkixLog;
 
 #ifdef PKIX_OBJECT_LEAK_TEST
 
 extern PKIX_UInt32
 pkix_pl_lifecycle_ObjectLeakCheck(int *);
 
 extern SECStatus
 pkix_pl_lifecycle_ObjectTableUpdate(int *objCountTable);
 
 PRInt32 parallelFnInvocationCount;
 #endif /* PKIX_OBJECT_LEAK_TEST */
 
 static PRBool usePKIXValidationEngine = PR_FALSE;
+#endif /* NSS_DISABLE_LIBPKIX */
 
 /*
  * FUNCTION: CERT_SetUsePKIXForValidation
  * DESCRIPTION:
  *
  * Enables or disables use of libpkix for certificate validation
  *
  * PARAMETERS:
@@ -53,18 +55,23 @@ static PRBool usePKIXValidationEngine = 
  * THREAD SAFETY:
  *  NOT Thread Safe.
  * RETURNS:
  *  Returns SECSuccess if successfully enabled
  */
 SECStatus
 CERT_SetUsePKIXForValidation(PRBool enable)
 {
+#ifdef NSS_DISABLE_LIBPKIX
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return SECFailure;
+#else
     usePKIXValidationEngine = (enable > 0) ? PR_TRUE : PR_FALSE;
     return SECSuccess;
+#endif /* NSS_DISABLE_LIBPKIX */
 }
 
 /*
  * FUNCTION: CERT_GetUsePKIXForValidation
  * DESCRIPTION:
  *
  * Checks if libpkix building function should be use for certificate
  * chain building.
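Review bot: With NSS_DISABLE_LIBPKIX defined, CERT_SetUsePKIXForValidation returns SECFailure even when called with `enable == PR_FALSE`, although "libpkix off" is exactly the state that build provides. Consider failing only when the caller asks to turn it on: `if (enable) { PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); return SECFailure; }` followed by `return SECSuccess;`. The function's header comment still says only "Returns SECSuccess if successfully enabled". It should gain a line such as `Returns SECFailure with PR_NOT_IMPLEMENTED_ERROR when built with NSS_DISABLE_LIBPKIX.`, so callers know the setter can now fail.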
@@ -74,19 +81,24 @@ CERT_SetUsePKIXForValidation(PRBool enab
  * THREAD SAFETY:
  *  NOT Thread Safe
  * RETURNS:
  *  Returns PR_TRUE if libpkix should be used. PR_FALSE otherwise.
  */
 PRBool
 CERT_GetUsePKIXForValidation()
 {
+#ifdef NSS_DISABLE_LIBPKIX
+    return PR_FALSE;
+#else
     return usePKIXValidationEngine;
+#endif /* NSS_DISABLE_LIBPKIX */
 }
 
+#ifndef NSS_DISABLE_LIBPKIX
 #ifdef NOTDEF
 /*
  * FUNCTION: cert_NssKeyUsagesToPkix
  * DESCRIPTION:
  *
  * Converts nss key usage bit field(PRUint32) to pkix key usage
  * bit field.
  *
@@ -1057,16 +1069,17 @@ cleanup:
     PKIX_DECREF(pkixCertChain);
     PKIX_DECREF(validResult);
     PKIX_DECREF(error);
     PKIX_DECREF(verifyNode);
     PKIX_DECREF(buildResult);
 
     PKIX_RETURN(CERTVFYPKIX);
 }
+#endif /* NSS_DISABLE_LIBPKIX */
 
 /*
  * FUNCTION: cert_VerifyCertChainPkix
  * DESCRIPTION:
  *
  * The main wrapper function that is called from CERT_VerifyCert and
  * CERT_VerifyCACertForUsage functions to validate cert with libpkix.
  *
@@ -1103,16 +1116,20 @@ cert_VerifyCertChainPkix(
     PRBool checkSig,
     SECCertUsage requiredUsage,
     PRTime time,
     void *wincx,
     CERTVerifyLog *log,
     PRBool *pSigerror,
     PRBool *pRevoked)
 {
+#ifdef NSS_DISABLE_LIBPKIX
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return SECFailure;
+#else
     PKIX_ProcessingParams *procParams = NULL;
     PKIX_BuildResult *result = NULL;
     PKIX_VerifyNode *verifyNode = NULL;
     PKIX_Error *error = NULL;
 
     SECStatus rv = SECFailure;
     void *plContext = NULL;
 
@@ -1221,18 +1238,20 @@ cert_VerifyCertChainPkix(
     } while (errorGenerated);
 
     runningLeakTest = PKIX_FALSE;
     PR_ATOMIC_DECREMENT(&parallelFnInvocationCount);
     usePKIXValidationEngine = savedUsePkixEngFlag;
 #endif /* PKIX_OBJECT_LEAK_TEST */
 
     return rv;
+#endif /* NSS_DISABLE_LIBPKIX */
 }
 
+#ifndef NSS_DISABLE_LIBPKIX
 PKIX_CertSelector *
 cert_GetTargetCertConstraints(CERTCertificate *target, void *plContext)
 {
     PKIX_ComCertSelParams *certSelParams = NULL;
     PKIX_CertSelector *certSelector = NULL;
     PKIX_CertSelector *r = NULL;
     PKIX_PL_Cert *eeCert = NULL;
     PKIX_Error *error = NULL;
@@ -1751,23 +1770,30 @@ static const CERTRevocationFlags certRev
       0 },
     { /* chainTests */
       2,
       certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_ChainFlags,
       0,
       0,
       0 }
 };
+#endif /* NSS_DISABLE_LIBPKIX */
 
 extern const CERTRevocationFlags *
 CERT_GetClassicOCSPEnabledSoftFailurePolicy()
 {
+#ifdef NSS_DISABLE_LIBPKIX
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return NULL;
+#else
     return &certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy;
+#endif /* NSS_DISABLE_LIBPKIX */
 }
 
+#ifndef NSS_DISABLE_LIBPKIX
 static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_LeafFlags[2] = {
     /* crl */
     CERT_REV_M_TEST_USING_THIS_METHOD |
         CERT_REV_M_FORBID_NETWORK_FETCHING |
         CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
     /* ocsp */
     CERT_REV_M_TEST_USING_THIS_METHOD |
         CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
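Review bot: CERT_GetClassicOCSPEnabledSoftFailurePolicy now returns NULL in NSS_DISABLE_LIBPKIX builds, where the unguarded code always returned the address of a static table. Any caller that dereferences the result, or forwards it as revocation flags, needs a NULL check. The same applies to CERT_GetClassicOCSPEnabledHardFailurePolicy, CERT_GetClassicOCSPDisabledPolicy and CERT_GetPKIXVerifyNistRevocationPolicy in the following hunks. No callers are visible in this diff, so this is something to audit rather than a confirmed defect. I would add above each getter a comment such as `/* Returns NULL and sets PR_NOT_IMPLEMENTED_ERROR when built with NSS_DISABLE_LIBPKIX. */`.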
@@ -1796,23 +1822,30 @@ static const CERTRevocationFlags certRev
       0 },
     { /* chainTests */
       2,
       certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_ChainFlags,
       0,
       0,
       0 }
 };
+#endif /* NSS_DISABLE_LIBPKIX */
 
 extern const CERTRevocationFlags *
 CERT_GetClassicOCSPEnabledHardFailurePolicy()
 {
+#ifdef NSS_DISABLE_LIBPKIX
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return NULL;
+#else
     return &certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy;
+#endif /* NSS_DISABLE_LIBPKIX */
 }
 
+#ifndef NSS_DISABLE_LIBPKIX
 static PRUint64 certRev_NSS_3_11_Ocsp_Disabled_Policy_LeafFlags[2] = {
     /* crl */
     CERT_REV_M_TEST_USING_THIS_METHOD |
         CERT_REV_M_FORBID_NETWORK_FETCHING |
         CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
     /* ocsp */
     0
 };
@@ -1835,23 +1868,30 @@ static const CERTRevocationFlags certRev
       0 },
     { /* chainTests */
       2,
       certRev_NSS_3_11_Ocsp_Disabled_Policy_ChainFlags,
       0,
       0,
       0 }
 };
+#endif /* NSS_DISABLE_LIBPKIX */
 
 extern const CERTRevocationFlags *
 CERT_GetClassicOCSPDisabledPolicy()
 {
+#ifdef NSS_DISABLE_LIBPKIX
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return NULL;
+#else
     return &certRev_NSS_3_11_Ocsp_Disabled_Policy;
+#endif /* NSS_DISABLE_LIBPKIX */
 }
 
+#ifndef NSS_DISABLE_LIBPKIX
 static PRUint64 certRev_PKIX_Verify_Nist_Policy_LeafFlags[2] = {
     /* crl */
     CERT_REV_M_TEST_USING_THIS_METHOD |
         CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO |
         CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE,
     /* ocsp */
     0
 };
@@ -1874,28 +1914,38 @@ static const CERTRevocationFlags certRev
       0 },
     { /* chainTests */
       2,
       certRev_PKIX_Verify_Nist_Policy_ChainFlags,
       0,
       0,
       0 }
 };
+#endif /* NSS_DISABLE_LIBPKIX */
 
 extern const CERTRevocationFlags *
 CERT_GetPKIXVerifyNistRevocationPolicy()
 {
+#ifdef NSS_DISABLE_LIBPKIX
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return NULL;
+#else
     return &certRev_PKIX_Verify_Nist_Policy;
+#endif /* NSS_DISABLE_LIBPKIX */
 }
 
 CERTRevocationFlags *
 CERT_AllocCERTRevocationFlags(
     PRUint32 number_leaf_methods, PRUint32 number_leaf_pref_methods,
     PRUint32 number_chain_methods, PRUint32 number_chain_pref_methods)
 {
+#ifdef NSS_DISABLE_LIBPKIX
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return NULL;
+#else
     CERTRevocationFlags *flags;
 
     flags = PORT_New(CERTRevocationFlags);
     if (!flags)
         return (NULL);
 
     flags->leafTests.number_of_defined_methods = number_leaf_methods;
     flags->leafTests.cert_rev_flags_per_method =
@@ -1917,37 +1967,43 @@ CERT_AllocCERTRevocationFlags(
         !flags->leafTests.preferred_methods ||
         !flags->chainTests.cert_rev_flags_per_method ||
         !flags->chainTests.preferred_methods) {
         CERT_DestroyCERTRevocationFlags(flags);
         return (NULL);
     }
 
     return flags;
+#endif /* NSS_DISABLE_LIBPKIX */
 }
 
 void
 CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags)
 {
+#ifdef NSS_DISABLE_LIBPKIX
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return;
+#else
     if (!flags)
         return;
 
     if (flags->leafTests.cert_rev_flags_per_method)
         PORT_Free(flags->leafTests.cert_rev_flags_per_method);
 
     if (flags->leafTests.preferred_methods)
         PORT_Free(flags->leafTests.preferred_methods);
 
     if (flags->chainTests.cert_rev_flags_per_method)
         PORT_Free(flags->chainTests.cert_rev_flags_per_method);
 
     if (flags->chainTests.preferred_methods)
         PORT_Free(flags->chainTests.preferred_methods);
 
     PORT_Free(flags);
+#endif /* NSS_DISABLE_LIBPKIX */
 }
 
 /*
  * CERT_PKIXVerifyCert
  *
  * Verify a Certificate using the PKIX library.
  *
  * Parameters:
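Review bot: In NSS_DISABLE_LIBPKIX builds CERT_DestroyCERTRevocationFlags returns without freeing anything and sets PR_NOT_IMPLEMENTED_ERROR. A destructor that was silent, including for NULL, now overwrites the caller's pending error code on cleanup paths, and a non-NULL `flags` is leaked. The lines kept on the `#else` side use only PORT_Free, and the visible part of CERT_AllocCERTRevocationFlags in the previous hunk uses only PORT_New. Unless something outside these hunks needs libpkix, both functions could stay unconditional. If the stubs are kept, at least drop the `PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);` line from the destructor so the original error survives.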
@@ -1973,16 +2029,20 @@ CERT_DestroyCERTRevocationFlags(CERTRevo
 SECStatus
 CERT_PKIXVerifyCert(
     CERTCertificate *cert,
     SECCertificateUsage usages,
     CERTValInParam *paramsIn,
     CERTValOutParam *paramsOut,
     void *wincx)
 {
+#ifdef NSS_DISABLE_LIBPKIX
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return SECFailure;
+#else
     SECStatus r = SECFailure;
     PKIX_Error *error = NULL;
     PKIX_ProcessingParams *procParams = NULL;
     PKIX_BuildResult *buildResult = NULL;
     void *nbioContext = NULL; /* for non-blocking IO */
     void *buildState = NULL;  /* for non-blocking IO */
     PKIX_CertSelector *certSelector = NULL;
     PKIX_List *certStores = NULL;
@@ -2236,9 +2296,10 @@ CERT_PKIXVerifyCert(
     } while (errorGenerated);
 
     runningLeakTest = PKIX_FALSE;
     PR_ATOMIC_DECREMENT(&parallelFnInvocationCount);
     usePKIXValidationEngine = savedUsePkixEngFlag;
 #endif /* PKIX_OBJECT_LEAK_TEST */
 
     return r;
+#endif /* NSS_DISABLE_LIBPKIX */
 }
--- a/lib/manifest.mn
+++ b/lib/manifest.mn
@@ -22,17 +22,17 @@ SOFTOKEN_SRCDIRS = \
 	$(SQLITE_SRCDIR) \
 	$(DBM_SRCDIR) \
 	$(SOFTOKEN_SRCDIR) \
 	$(NULL)
 ifndef NSS_BUILD_SOFTOKEN_ONLY
 # the rest of nss
 NSS_SRCDIRS = \
 	base dev pki \
-	libpkix \
+	$(LIBPKIX_SRCDIR) \
 	certdb certhigh pk11wrap cryptohi nss \
 	$(ZLIB_SRCDIR) ssl \
 	pkcs7 pkcs12 smime \
 	crmf jar \
 	ckfw $(SYSINIT_SRCDIR) \
 	$(NULL)
 endif
 endif
--- a/lib/nss/config.mk
+++ b/lib/nss/config.mk
@@ -74,28 +74,33 @@ SHARED_LIBRARY_LIBS = \
 SHARED_LIBRARY_DIRS = \
 	../certhigh \
 	../cryptohi \
 	../pk11wrap \
 	../certdb \
 	../pki \
 	../dev \
 	../base \
+	$(NULL)
+
+ifndef NSS_DISABLE_LIBPKIX
+SHARED_LIBRARY_DIRS += \
 	../libpkix/pkix/certsel \
 	../libpkix/pkix/checker \
 	../libpkix/pkix/params \
 	../libpkix/pkix/results \
 	../libpkix/pkix/top \
 	../libpkix/pkix/util \
 	../libpkix/pkix/crlsel \
 	../libpkix/pkix/store \
 	../libpkix/pkix_pl_nss/pki \
 	../libpkix/pkix_pl_nss/system \
 	../libpkix/pkix_pl_nss/module \
 	$(NULL)
+endif
 
 ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))
 ifndef NS_USE_GCC
 # Export 'mktemp' to be backward compatible with NSS 3.2.x and 3.3.x
 # but do not put it in the import library.  See bug 142575.
 DEFINES += -DWIN32_NSS3_DLL_COMPAT
 DLLFLAGS += -EXPORT:mktemp=nss_mktemp,PRIVATE
 endif
--- a/lib/nss/nssinit.c
+++ b/lib/nss/nssinit.c
@@ -15,19 +15,22 @@
 #include "key.h"
 #include "secmod.h"
 #include "secoid.h"
 #include "nss.h"
 #include "pk11func.h"
 #include "secerr.h"
 #include "nssbase.h"
 #include "nssutil.h"
+
+#ifndef NSS_DISABLE_LIBPKIX
 #include "pkixt.h"
 #include "pkix.h"
 #include "pkix_tools.h"
+#endif /* NSS_DISABLE_LIBPKIX */
 
 #include "pki3hack.h"
 #include "certi.h"
 #include "secmodi.h"
 #include "ocspti.h"
 #include "ocspi.h"
 #include "utilpars.h"
 
@@ -476,17 +479,20 @@ loser:
  *           smart card tokens will not work).
  * allowAlreadyInitializedModules - if a module has already been loaded and
  *           initialize try to use it.
  * don'tFinalizeModules -  dont shutdown modules we may have loaded.
  */
 
 static PRBool          nssIsInitted = PR_FALSE;
 static NSSInitContext *nssInitContextList = NULL;
+
+#ifndef NSS_DISABLE_LIBPKIX
 static void*           plContext = NULL;
+#endif /* NSS_DISABLE_LIBPKIX */
 
 struct NSSInitContextStr {
     NSSInitContext *next;
     PRUint32 magic;
 };
 
 #define NSS_INIT_MAGIC 0x1413A91C
 static SECStatus nss_InitShutdownList(void);
@@ -521,18 +527,20 @@ nss_Init(const char *configdir, const ch
 		 NSSInitParameters *initParams,
 		 PRBool readOnly, PRBool noCertDB, 
 		 PRBool noModDB, PRBool forceOpen, PRBool noRootInit,
 		 PRBool optimizeSpace, PRBool noSingleThreadedModules,
 		 PRBool allowAlreadyInitializedModules,
 		 PRBool dontFinalizeModules)
 {
     SECStatus rv = SECFailure;
+#ifndef NSS_DISABLE_LIBPKIX
     PKIX_UInt32 actualMinorVersion = 0;
     PKIX_Error *pkixError = NULL;
+#endif /* NSS_DISABLE_LIBPKIX */
     PRBool isReallyInitted;
     char *configStrings = NULL;
     char *configName = NULL;
     PRBool passwordRequired = PR_FALSE;
 
     /* if we are trying to init with a traditional NSS_Init call, maintain
      * the traditional idempotent behavior. */
     if (!initContextPtr && nssIsInitted) {
@@ -679,30 +687,30 @@ nss_Init(const char *configdir, const ch
 		    nss_FindExternalRoot(dbpath, secmodName);
 		}
 	    }
 	}
 
 	pk11sdr_Init();
 	cert_CreateSubjectKeyIDHashTable();
 
+#ifndef NSS_DISABLE_LIBPKIX
 	pkixError = PKIX_Initialize
 	    (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
 	    PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
 
 	if (pkixError != NULL) {
 	    goto loser;
 	} else {
             char *ev = PR_GetEnvSecure("NSS_ENABLE_PKIX_VERIFY");
             if (ev && ev[0]) {
                 CERT_SetUsePKIXForValidation(PR_TRUE);
             }
         }
-
-
+#endif /* NSS_DISABLE_LIBPKIX */
     }
 
     /*
      * Now mark the appropriate init state. If initContextPtr was passed
      * in, then return the new context pointer and add it to the
      * nssInitContextList. Otherwise set the global nss_isInitted flag
      */
     PZ_Lock(nssInitLock);
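Review bot: With NSS_DISABLE_LIBPKIX the NSS_ENABLE_PKIX_VERIFY environment variable is no longer read, so a deployment that sets it to get libpkix-based validation silently falls back to the classic verifier. That changes certificate-validation behaviour with no diagnostic. I would document it at the guard with an `#else` branch holding `/* NSS_ENABLE_PKIX_VERIFY is ignored when built with NSS_DISABLE_LIBPKIX. */`, and mention it wherever the build flag is described. nss_Init begins and ends outside this hunk.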
@@ -1075,17 +1083,19 @@ nss_Shutdown(void)
 
     rv = nss_ShutdownShutdownList();
     if (rv != SECSuccess) {
 	shutdownRV = SECFailure;
     }
     cert_DestroyLocks();
     ShutdownCRLCache();
     OCSP_ShutdownGlobal();
+#ifndef NSS_DISABLE_LIBPKIX
     PKIX_Shutdown(plContext);
+#endif /* NSS_DISABLE_LIBPKIX */
     SECOID_Shutdown();
     status = STAN_Shutdown();
     cert_DestroySubjectKeyIDHashTable();
     pk11_SetInternalKeySlot(NULL);
     rv = SECMOD_Shutdown();
     if (rv != SECSuccess) {
 	shutdownRV = SECFailure;
     }