Bug 854729: Add const to many certificate-related NSS functions, r=ryan.sleevi
authorBrian Smith <bsmith@mozilla.com>
Fri, 22 Mar 2013 19:25:18 -0700
changeset 10705 9639e5f328c90e850b46817011d31ee7adf35f27
parent 10704 c3f285fed43ee0017fd7ee84353866d9e61467ac
child 10706 d9813f5c5b8929c9d7b7d4acfe0662d4b73abc76
push id18
push userbsmith@mozilla.com
push dateTue, 26 Mar 2013 00:25:02 +0000
reviewersryan.sleevi
bugs854729
Bug 854729: Add const to many certificate-related NSS functions, r=ryan.sleevi
cmd/lib/basicutil.c
cmd/lib/basicutil.h
cmd/lib/derprint.c
cmd/lib/secutil.c
cmd/lib/secutil.h
cmd/selfserv/selfserv.c
cmd/signtool/verify.c
coreconf/WIN32.mk
lib/certdb/alg1485.c
lib/certdb/cert.h
lib/certdb/certdb.c
lib/certdb/certi.h
lib/certdb/certv3.c
lib/certdb/crl.c
lib/certdb/genname.c
lib/certdb/genname.h
lib/certdb/polcyxtn.c
lib/certdb/secname.c
lib/certdb/stanpcertdb.c
lib/certdb/xauthkid.c
lib/certdb/xbsconst.c
lib/certdb/xconst.c
lib/certhigh/certvfy.c
lib/nss/utilwrap.c
lib/util/dersubr.c
lib/util/hasht.h
lib/util/secder.h
--- a/cmd/lib/basicutil.c
+++ b/cmd/lib/basicutil.c
@@ -21,17 +21,17 @@
 #include <errno.h>
 
 #ifdef XP_UNIX
 #include <unistd.h>
 #endif
 
 #include "secoid.h"
 
-extern long DER_GetInteger(SECItem *src);
+extern long DER_GetInteger(const SECItem *src);
 
 static PRBool wrapEnabled = PR_TRUE;
 
 void
 SECU_EnableWrap(PRBool enable)
 {
     wrapEnabled = enable;
 }
@@ -226,17 +226,17 @@ SECU_Indent(FILE *out, int level)
 }
 
 void SECU_Newline(FILE *out)
 {
     fprintf(out, "\n");
 }
 
 void
-SECU_PrintAsHex(FILE *out, SECItem *data, const char *m, int level)
+SECU_PrintAsHex(FILE *out, const SECItem *data, const char *m, int level)
 {
     unsigned i;
     int column;
     PRBool isString     = PR_TRUE;
     PRBool isWhiteSpace = PR_TRUE;
     PRBool printedHex   = PR_FALSE;
     unsigned int limit = 15;
 
@@ -372,17 +372,17 @@ SECU_PrintBuf(FILE *out, const char *msg
 }
 
 
 /* This expents i->data[0] to be the MSB of the integer.
 ** if you want to print a DER-encoded integer (with the tag and length)
 ** call SECU_PrintEncodedInteger();
 */
 void
-SECU_PrintInteger(FILE *out, SECItem *i, char *m, int level)
+SECU_PrintInteger(FILE *out, const SECItem *i, const char *m, int level)
 {
     int iv;
 
     if (!i || !i->len || !i->data) {
 	SECU_Indent(out, level); 
 	if (m) {
 	    fprintf(out, "%s: (null)\n", m);
 	} else {
--- a/cmd/lib/basicutil.h
+++ b/cmd/lib/basicutil.h
@@ -37,38 +37,41 @@ extern SECStatus SECU_TextFileToItem(SEC
 
 /* Indent based on "level" */
 extern void SECU_Indent(FILE *out, int level);
 
 /* Print a newline to out */
 extern void SECU_Newline(FILE *out);
 
 /* Print integer value and hex */
-extern void SECU_PrintInteger(FILE *out, SECItem *i, char *m, int level);
+extern void SECU_PrintInteger(FILE *out, const SECItem *i, const char *m,
+                              int level);
 
 /* Print SECItem as hex */
-extern void SECU_PrintAsHex(FILE *out, SECItem *i, const char *m, int level);
+extern void SECU_PrintAsHex(FILE *out, const SECItem *i, const char *m,
+                            int level);
 
 /* dump a buffer in hex and ASCII */
 extern void SECU_PrintBuf(FILE *out, const char *msg, const void *vp, int len);
 
 #ifdef HAVE_EPV_TEMPLATE
 /* Dump contents of private key */
 extern int SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level);
 #endif
 
 /* Init PKCS11 stuff */
 extern SECStatus SECU_PKCS11Init(PRBool readOnly);
 
 /* Dump contents of signed data */
 extern int SECU_PrintSignedData(FILE *out, SECItem *der, const char *m, 
                                 int level, SECU_PPFunc inner);
 
-extern void SECU_PrintString(FILE *out, SECItem *si, char *m, int level);
-extern void SECU_PrintAny(FILE *out, SECItem *i, char *m, int level);
+extern void SECU_PrintString(FILE *out, const SECItem *si, const char *m,
+                             int level);
+extern void SECU_PrintAny(FILE *out, const SECItem *i, const char *m, int level);
 
 extern void SECU_PrintPRandOSError(char *progName);
 
 /* Caller ensures that dst is at least item->len*2+1 bytes long */
 void
 SECU_SECItemToHex(const SECItem * item, char * dst);
 
 /* Requires 0x prefix. Case-insensitive. Will do in-place replacement if
--- a/cmd/lib/derprint.c
+++ b/cmd/lib/derprint.c
@@ -10,17 +10,17 @@ extern int fflush(FILE *stream);
 #endif
 
 #define RIGHT_MARGIN	24
 /*#define RAW_BYTES 1 */
 
 static int prettyColumn = 0;
 
 static int
-getInteger256(unsigned char *data, unsigned int nb)
+getInteger256(const unsigned char *data, unsigned int nb)
 {
     int val;
 
     switch (nb) {
       case 1:
 	val = data[0];
 	break;
       case 2:
@@ -95,32 +95,32 @@ prettyPrintByte(FILE *out, unsigned char
     if (prettyColumn >= RIGHT_MARGIN) {
 	return prettyNewline(out);
     }
 
     return 0;
 }
 
 static int
-prettyPrintLeaf(FILE *out, unsigned char *data,
+prettyPrintLeaf(FILE *out, const unsigned char *data,
 		unsigned int len, unsigned int lv)
 {
     unsigned int i;
     int rv;
 
     for (i = 0; i < len; i++) {
 	rv = prettyPrintByte(out, *data++, lv);
 	if (rv < 0)
 	    return rv;
     }
     return prettyNewline(out);
 }
 
 static int
-prettyPrintStringStart(FILE *out, unsigned char *str,
+prettyPrintStringStart(FILE *out, const unsigned char *str,
 		       unsigned int len, unsigned int level)
 {
 #define BUF_SIZE 100
     unsigned char buf[BUF_SIZE];
     int rv;
 
     if (len >= BUF_SIZE)
 	len = BUF_SIZE - 1;
@@ -142,17 +142,17 @@ prettyPrintStringStart(FILE *out, unsign
 	return rv;
     }
 
     return 0;
 #undef BUF_SIZE
 }
 
 static int
-prettyPrintString(FILE *out, unsigned char *str,
+prettyPrintString(FILE *out, const unsigned char *str,
 		  unsigned int len, unsigned int level, PRBool raw)
 {
     int rv;
 
     rv = prettyPrintStringStart(out, str, len, level);
     if (rv < 0)
 	return rv;
 
@@ -165,27 +165,27 @@ prettyPrintString(FILE *out, unsigned ch
 	if (rv < 0)
 	    return rv;
     }
 
     return 0;
 }
 
 static int
-prettyPrintTime(FILE *out, unsigned char *str,
+prettyPrintTime(FILE *out, const unsigned char *str,
 		unsigned int len, unsigned int level, PRBool raw, PRBool utc)
 {
     SECItem time_item;
     int rv;
 
     rv = prettyPrintStringStart(out, str, len, level);
     if (rv < 0)
 	return rv;
 
-    time_item.data = str;
+    time_item.data = (unsigned char *)str;
     time_item.len = len;
 
     rv = fprintf(out, " (");
     if (rv < 0) {
 	PORT_SetError(SEC_ERROR_IO);
 	return rv;
     }
 
@@ -209,17 +209,17 @@ prettyPrintTime(FILE *out, unsigned char
 	if (rv < 0)
 	    return rv;
     }
 
     return 0;
 }
 
 static int
-prettyPrintObjectID(FILE *out, unsigned char *data,
+prettyPrintObjectID(FILE *out, const unsigned char *data,
 		    unsigned int len, unsigned int level, PRBool raw)
 {
     SECOidData *oiddata;
     SECItem oiditem;
     unsigned int i;
     unsigned long val;
     int rv;
 
@@ -255,17 +255,17 @@ prettyPrintObjectID(FILE *out, unsigned 
 	    return rv;
 	}
 	val = 0;
     }
 
     /*
      * Now try to look it up and print a symbolic version.
      */
-    oiditem.data = data;
+    oiditem.data = (unsigned char *)data;
     oiditem.len = len;
     oiddata = SECOID_FindOID(&oiditem);
     if (oiddata != NULL) {
 	i = PORT_Strlen(oiddata->desc);
 	if ((prettyColumn + 1 + (i / 3)) > RIGHT_MARGIN) {
 	    rv = prettyNewline(out);
 	    if (rv < 0)
 		return rv;
@@ -333,17 +333,17 @@ static char *prettyTagType [32] = {
   "0x1B",
   "Universal String",
   "0x1D",
   "BMP String",
   "High-Tag-Number"
 };
 
 static int
-prettyPrintTag(FILE *out, unsigned char *src, unsigned char *end,
+prettyPrintTag(FILE *out, const unsigned char *src, const unsigned char *end,
 	       unsigned char *codep, unsigned int level, PRBool raw)
 {
     int rv;
     unsigned char code, tagnum;
 
     if (src >= end) {
 	PORT_SetError(SEC_ERROR_BAD_DER);
 	return -1;
@@ -397,17 +397,17 @@ prettyPrintTag(FILE *out, unsigned char 
     }
 
     *codep = code;
 
     return 1;
 }
 
 static int
-prettyPrintLength(FILE *out, unsigned char *data, unsigned char *end,
+prettyPrintLength(FILE *out, const unsigned char *data, const unsigned char *end,
 		  int *lenp, PRBool *indefinitep, unsigned int lv, PRBool raw)
 {
     unsigned char lbyte;
     int lenLen;
     int rv;
 
     if (data >= end) {
 	PORT_SetError(SEC_ERROR_BAD_DER);
@@ -475,22 +475,22 @@ prettyPrintLength(FILE *out, unsigned ch
 	return rv;
     }
 
     prettyColumn = -1;
     return lenLen;
 }
 
 static int
-prettyPrintItem(FILE *out, unsigned char *data, unsigned char *end,
+prettyPrintItem(FILE *out, const unsigned char *data, const unsigned char *end,
 		unsigned int lv, PRBool raw)
 {
     int slen;
     int lenLen;
-    unsigned char *orig = data;
+    const unsigned char *orig = data;
     int rv;
 
     while (data < end) {
         unsigned char code;
 	PRBool indefinite;
 
 	slen = prettyPrintTag(out, data, end, &code, lv, raw);
 	if (slen < 0)
@@ -572,17 +572,17 @@ prettyPrintItem(FILE *out, unsigned char
     rv = prettyNewline(out);
     if (rv < 0)
 	return rv;
 
     return data - orig;
 }
 
 SECStatus
-DER_PrettyPrint(FILE *out, SECItem *it, PRBool raw)
+DER_PrettyPrint(FILE *out, const SECItem *it, PRBool raw)
 {
     int rv;
 
     prettyColumn = -1;
 
     rv = prettyPrintItem(out, it->data, it->data + it->len, 0, raw);
     if (rv < 0)
 	return SECFailure;
--- a/cmd/lib/secutil.c
+++ b/cmd/lib/secutil.c
@@ -613,17 +613,17 @@ secu_PrintRawStringQuotesOptional(FILE *
 
 static void
 secu_PrintRawString(FILE *out, SECItem *si, const char *m, int level)
 {
     secu_PrintRawStringQuotesOptional(out, si, m, level, PR_TRUE);
 }
 
 void
-SECU_PrintString(FILE *out, SECItem *si, char *m, int level)
+SECU_PrintString(FILE *out, const SECItem *si, const char *m, int level)
 {
     SECItem my = *si;
 
     if (SECSuccess != SECU_StripTagAndLength(&my) || !my.len)
     	return;
     secu_PrintRawString(out, &my, m, level);
 }
 
@@ -645,17 +645,17 @@ secu_PrintBoolean(FILE *out, SECItem *i,
 }
 
 /*
  * Format and print "time".  If the tag message "m" is not NULL,
  * do indent formatting based on "level" and add a newline afterward;
  * otherwise just print the formatted time string only.
  */
 static void
-secu_PrintTime(FILE *out, int64 time, char *m, int level)
+secu_PrintTime(FILE *out, const PRTime time, const char *m, int level)
 {
     PRExplodedTime printableTime; 
     char *timeString;
 
     /* Convert to local time */
     PR_ExplodeTime(time, PR_GMTParameters, &printableTime);
 
     timeString = PORT_Alloc(256);
@@ -678,17 +678,17 @@ secu_PrintTime(FILE *out, int64 time, ch
 }
 
 /*
  * Format and print the UTC Time "t".  If the tag message "m" is not NULL,
  * do indent formatting based on "level" and add a newline afterward;
  * otherwise just print the formatted time string only.
  */
 void
-SECU_PrintUTCTime(FILE *out, SECItem *t, char *m, int level)
+SECU_PrintUTCTime(FILE *out, const SECItem *t, const char *m, int level)
 {
     int64 time;
     SECStatus rv;
 
     rv = DER_UTCTimeToTime(&time, t);
     if (rv != SECSuccess)
 	return;
 
@@ -696,17 +696,17 @@ SECU_PrintUTCTime(FILE *out, SECItem *t,
 }
 
 /*
  * Format and print the Generalized Time "t".  If the tag message "m"
  * is not NULL, * do indent formatting based on "level" and add a newline
  * afterward; otherwise just print the formatted time string only.
  */
 void
-SECU_PrintGeneralizedTime(FILE *out, SECItem *t, char *m, int level)
+SECU_PrintGeneralizedTime(FILE *out, const SECItem *t, const char *m, int level)
 {
     int64 time;
     SECStatus rv;
 
 
     rv = DER_GeneralizedTimeToTime(&time, t);
     if (rv != SECSuccess)
 	return;
@@ -715,17 +715,17 @@ SECU_PrintGeneralizedTime(FILE *out, SEC
 }
 
 /*
  * Format and print the UTC or Generalized Time "t".  If the tag message
  * "m" is not NULL, do indent formatting based on "level" and add a newline
  * afterward; otherwise just print the formatted time string only.
  */
 void
-SECU_PrintTimeChoice(FILE *out, SECItem *t, char *m, int level)
+SECU_PrintTimeChoice(FILE *out, const SECItem *t, const char *m, int level)
 {
     switch (t->type) {
         case siUTCTime:
             SECU_PrintUTCTime(out, t, m, level);
             break;
 
         case siGeneralizedTime:
             SECU_PrintGeneralizedTime(out, t, m, level);
@@ -734,18 +734,18 @@ SECU_PrintTimeChoice(FILE *out, SECItem 
         default:
             PORT_Assert(0);
             break;
     }
 }
 
 
 /* This prints a SET or SEQUENCE */
-void
-SECU_PrintSet(FILE *out, SECItem *t, char *m, int level)
+static void
+SECU_PrintSet(FILE *out, const SECItem *t, const char *m, int level)
 {
     int            type        = t->data[0] & SEC_ASN1_TAGNUM_MASK;
     int            constructed = t->data[0] & SEC_ASN1_CONSTRUCTED;
     const char *   label;
     SECItem        my          = *t;
 
     if (!constructed) {
 	SECU_PrintAsHex(out, t, m, level);
@@ -789,17 +789,17 @@ SECU_PrintSet(FILE *out, SECItem *t, cha
 	my.data += tmp.len;
 	my.len  -= tmp.len;
 	SECU_PrintAny(out, &tmp, NULL, level + 1);
     }
     SECU_Indent(out, level); fprintf(out, /* { */ "}\n");
 }
 
 static void
-secu_PrintContextSpecific(FILE *out, SECItem *i, char *m, int level)
+secu_PrintContextSpecific(FILE *out, const SECItem *i, const char *m, int level)
 {
     int type        = i->data[0] & SEC_ASN1_TAGNUM_MASK;
     int constructed = i->data[0] & SEC_ASN1_CONSTRUCTED;
     SECItem tmp;
 
     if (constructed) {
 	char * m2;
 	if (!m) 
@@ -820,25 +820,25 @@ secu_PrintContextSpecific(FILE *out, SEC
     fprintf(out,"[%d]\n", type);
 
     tmp = *i;
     if (SECSuccess == SECU_StripTagAndLength(&tmp))
 	SECU_PrintAsHex(out, &tmp, m, level+1);
 }
 
 static void
-secu_PrintOctetString(FILE *out, SECItem *i, char *m, int level)
+secu_PrintOctetString(FILE *out, const SECItem *i, const char *m, int level)
 {
     SECItem tmp = *i;
     if (SECSuccess == SECU_StripTagAndLength(&tmp))
 	SECU_PrintAsHex(out, &tmp, m, level);
 }
 
 static void
-secu_PrintBitString(FILE *out, SECItem *i, char *m, int level)
+secu_PrintBitString(FILE *out, const SECItem *i, const char *m, int level)
 {
     int unused_bits;
     SECItem tmp = *i;
 
     if (SECSuccess != SECU_StripTagAndLength(&tmp) || tmp.len < 2)
     	return;
 
     unused_bits = *tmp.data++;
@@ -848,17 +848,17 @@ secu_PrintBitString(FILE *out, SECItem *
     if (unused_bits) {
 	SECU_Indent(out, level + 1);
 	fprintf(out, "(%d least significant bits unused)\n", unused_bits);
     }
 }
 
 /* in a decoded bit string, the len member is a bit length. */
 static void
-secu_PrintDecodedBitString(FILE *out, SECItem *i, char *m, int level)
+secu_PrintDecodedBitString(FILE *out, const SECItem *i, const char *m, int level)
 {
     int unused_bits;
     SECItem tmp = *i;
 
 
     unused_bits = (tmp.len & 0x7) ? 8 - (tmp.len & 7) : 0;
     DER_ConvertBitString(&tmp); /* convert length to byte length */
 
@@ -867,43 +867,43 @@ secu_PrintDecodedBitString(FILE *out, SE
 	SECU_Indent(out, level + 1);
 	fprintf(out, "(%d least significant bits unused)\n", unused_bits);
     }
 }
 
 
 /* Print a DER encoded Boolean */
 void
-SECU_PrintEncodedBoolean(FILE *out, SECItem *i, char *m, int level)
+SECU_PrintEncodedBoolean(FILE *out, const SECItem *i, const char *m, int level)
 {
     SECItem my    = *i;
     if (SECSuccess == SECU_StripTagAndLength(&my))
 	secu_PrintBoolean(out, &my, m, level);
 }
 
 /* Print a DER encoded integer */
 void
-SECU_PrintEncodedInteger(FILE *out, SECItem *i, char *m, int level)
+SECU_PrintEncodedInteger(FILE *out, const SECItem *i, const char *m, int level)
 {
     SECItem my    = *i;
     if (SECSuccess == SECU_StripTagAndLength(&my))
 	SECU_PrintInteger(out, &my, m, level);
 }
 
 /* Print a DER encoded OID */
 void
-SECU_PrintEncodedObjectID(FILE *out, SECItem *i, char *m, int level)
+SECU_PrintEncodedObjectID(FILE *out, const SECItem *i, const char *m, int level)
 {
     SECItem my    = *i;
     if (SECSuccess == SECU_StripTagAndLength(&my))
 	SECU_PrintObjectID(out, &my, m, level);
 }
 
 static void
-secu_PrintBMPString(FILE *out, SECItem *i, char *m, int level)
+secu_PrintBMPString(FILE *out, const SECItem *i, const char *m, int level)
 {
     unsigned char * s;
     unsigned char * d;
     int      len;
     SECItem  tmp = {0, 0, 0};
     SECItem  my  = *i;
 
     if (SECSuccess != SECU_StripTagAndLength(&my))
@@ -927,17 +927,17 @@ secu_PrintBMPString(FILE *out, SECItem *
 
 loser:
     SECU_PrintAsHex(out, i, m, level);
     if (tmp.data)
 	PORT_Free(tmp.data);
 }
 
 static void
-secu_PrintUniversalString(FILE *out, SECItem *i, char *m, int level)
+secu_PrintUniversalString(FILE *out, const SECItem *i, const char *m, int level)
 {
     unsigned char * s;
     unsigned char * d;
     int      len;
     SECItem  tmp = {0, 0, 0};
     SECItem  my  = *i;
 
     if (SECSuccess != SECU_StripTagAndLength(&my))
@@ -962,17 +962,17 @@ secu_PrintUniversalString(FILE *out, SEC
 
 loser:
     SECU_PrintAsHex(out, i, m, level);
     if (tmp.data)
 	PORT_Free(tmp.data);
 }
 
 static void
-secu_PrintUniversal(FILE *out, SECItem *i, char *m, int level)
+secu_PrintUniversal(FILE *out, const SECItem *i, const char *m, int level)
 {
 	switch (i->data[0] & SEC_ASN1_TAGNUM_MASK) {
 	  case SEC_ASN1_ENUMERATED:
 	  case SEC_ASN1_INTEGER:
 	    SECU_PrintEncodedInteger(out, i, m, level);
 	    break;
 	  case SEC_ASN1_OBJECT_ID:
 	    SECU_PrintEncodedObjectID(out, i, m, level);
@@ -1018,17 +1018,17 @@ secu_PrintUniversal(FILE *out, SECItem *
 	    break;
 	  default:
 	    SECU_PrintAsHex(out, i, m, level);
 	    break;
 	}
 }
 
 void
-SECU_PrintAny(FILE *out, SECItem *i, char *m, int level)
+SECU_PrintAny(FILE *out, const SECItem *i, const char *m, int level)
 {
     if ( i && i->len && i->data ) {
 	switch (i->data[0] & SEC_ASN1_CLASS_MASK) {
 	case SEC_ASN1_CONTEXT_SPECIFIC:
 	    secu_PrintContextSpecific(out, i, m, level);
 	    break;
 	case SEC_ASN1_UNIVERSAL:
 	    secu_PrintUniversal(out, i, m, level);
@@ -1046,17 +1046,17 @@ secu_PrintValidity(FILE *out, CERTValidi
     SECU_Indent(out, level);  fprintf(out, "%s:\n", m);
     SECU_PrintTimeChoice(out, &v->notBefore, "Not Before", level+1);
     SECU_PrintTimeChoice(out, &v->notAfter,  "Not After ", level+1);
     return 0;
 }
 
 /* This function does NOT expect a DER type and length. */
 SECOidTag
-SECU_PrintObjectID(FILE *out, SECItem *oid, char *m, int level)
+SECU_PrintObjectID(FILE *out, const SECItem *oid, const char *m, int level)
 {
     SECOidData *oiddata;
     char *      oidString = NULL;
     
     oiddata = SECOID_FindOID(oid);
     if (oiddata != NULL) {
 	const char *name = oiddata->desc;
 	SECU_Indent(out, level);
@@ -2284,17 +2284,17 @@ SECU_PrintCertificateRequest(FILE *out, 
 	SECU_PrintCertAttributes(out, cr->attributes, "Attributes", level+1);
     rv = 0;
 loser:
     PORT_FreeArena(arena, PR_FALSE);
     return rv;
 }
 
 int
-SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level)
+SECU_PrintCertificate(FILE *out, const SECItem *der, const char *m, int level)
 {
     PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     CERTCertificate *c;
     int rv = SEC_ERROR_NO_MEMORY;
     int iv;
     
     if (!arena)
 	return rv;
--- a/cmd/lib/secutil.h
+++ b/cmd/lib/secutil.h
@@ -158,46 +158,50 @@ extern void
 SECU_displayVerifyLog(FILE *outfile, CERTVerifyLog *log,
                       PRBool verbose);
 
 /* Read in a DER from a file, may be ascii  */
 extern SECStatus 
 SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii);
 
 /* Print integer value and hex */
-extern void SECU_PrintInteger(FILE *out, SECItem *i, char *m, int level);
+extern void SECU_PrintInteger(FILE *out, const SECItem *i, const char *m,
+                              int level);
 
 /* Print ObjectIdentifier symbolically */
-extern SECOidTag SECU_PrintObjectID(FILE *out, SECItem *oid, char *m, int level);
+extern SECOidTag SECU_PrintObjectID(FILE *out, const SECItem *oid,
+                                    const char *m, int level);
 
 /* Print AlgorithmIdentifier symbolically */
 extern void SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m,
 				  int level);
 
 /*
  * Format and print the UTC Time "t".  If the tag message "m" is not NULL,
  * do indent formatting based on "level" and add a newline afterward;
  * otherwise just print the formatted time string only.
  */
-extern void SECU_PrintUTCTime(FILE *out, SECItem *t, char *m, int level);
+extern void SECU_PrintUTCTime(FILE *out, const SECItem *t, const char *m,
+                              int level);
 
 /*
  * Format and print the Generalized Time "t".  If the tag message "m"
  * is not NULL, * do indent formatting based on "level" and add a newline
  * afterward; otherwise just print the formatted time string only.
  */
-extern void SECU_PrintGeneralizedTime(FILE *out, SECItem *t, char *m,
-				      int level);
+extern void SECU_PrintGeneralizedTime(FILE *out, const SECItem *t,
+                                      const char *m, int level);
 
 /*
  * Format and print the UTC or Generalized Time "t".  If the tag message
  * "m" is not NULL, do indent formatting based on "level" and add a newline
  * afterward; otherwise just print the formatted time string only.
  */
-extern void SECU_PrintTimeChoice(FILE *out, SECItem *t, char *m, int level);
+extern void SECU_PrintTimeChoice(FILE *out, const SECItem *t, const char *m,
+                                 int level);
 
 /* callback for listing certs through pkcs11 */
 extern SECStatus SECU_PrintCertNickname(CERTCertListNode* cert, void *data);
 
 /* Dump all certificate nicknames in a database */
 extern SECStatus
 SECU_PrintCertificateNames(CERTCertDBHandle *handle, PRFileDesc* out, 
                            PRBool sortByName, PRBool sortByTrust);
@@ -205,17 +209,18 @@ SECU_PrintCertificateNames(CERTCertDBHan
 /* See if nickname already in database. Return 1 true, 0 false, -1 error */
 int SECU_CheckCertNameExists(CERTCertDBHandle *handle, char *nickname);
 
 /* Dump contents of cert req */
 extern int SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m,
 	int level);
 
 /* Dump contents of certificate */
-extern int SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level);
+extern int SECU_PrintCertificate(FILE *out, const SECItem *der, const char *m,
+                                 int level);
 
 extern int SECU_PrintDumpDerIssuerAndSerial(FILE *out, SECItem *der, char *m,
                                  int level);
 
 /* Dump contents of a DER certificate name (issuer or subject) */
 extern int SECU_PrintDERName(FILE *out, SECItem *der, const char *m, int level);
 
 /* print trust flags on a cert */
@@ -260,18 +265,19 @@ extern SECStatus SEC_PrintCertificateAnd
                                               const char *label,
                                               CERTCertTrust *trust);
 
 extern int SECU_PrintCrl(FILE *out, SECItem *der, char *m, int level);
 
 extern void
 SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m, int level);
 
-extern void SECU_PrintString(FILE *out, SECItem *si, char *m, int level);
-extern void SECU_PrintAny(FILE *out, SECItem *i, char *m, int level);
+extern void SECU_PrintString(FILE *out, const SECItem *si, const char *m,
+                             int level);
+extern void SECU_PrintAny(FILE *out, const SECItem *i, const char *m, int level);
 
 extern void SECU_PrintPolicy(FILE *out, SECItem *value, char *msg, int level);
 extern void SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value,
                                  char *msg, int level);
 
 extern void SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions,
 				 char *msg, int level);
 
@@ -284,17 +290,17 @@ extern void SECU_PrintRDN(FILE *out, CER
 
 #ifdef SECU_GetPassword
 /* Convert a High public Key to a Low public Key */
 extern SECKEYLowPublicKey *SECU_ConvHighToLow(SECKEYPublicKey *pubHighKey);
 #endif
 
 extern char *SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg);
 
-extern SECStatus DER_PrettyPrint(FILE *out, SECItem *it, PRBool raw);
+extern SECStatus DER_PrettyPrint(FILE *out, const SECItem *it, PRBool raw);
 
 extern char *SECU_SECModDBName(void);
 
 /* Fetch and register an oid if it hasn't been done already */
 extern void SECU_cert_fetchOID(SECOidTag *data, const SECOidData *src);
 
 extern SECStatus SECU_RegisterDynamicOids(void);
 
--- a/cmd/selfserv/selfserv.c
+++ b/cmd/selfserv/selfserv.c
@@ -470,17 +470,17 @@ myBadCertHandler( void *arg, PRFileDesc 
  * Only uses one server name but verifies that the names match. */
 PRInt32 
 mySSLSNISocketConfig(PRFileDesc *fd, const SECItem *sniNameArr,
                      PRUint32 sniNameArrSize, void *arg)
 {
     PRInt32        i = 0;
     const SECItem *current = sniNameArr;
     const char    **nameArr = (const char**)arg;
-    const secuPWData *pwdata;
+    secuPWData *pwdata;
     CERTCertificate *    cert = NULL;
     SECKEYPrivateKey *   privKey = NULL;
 
     PORT_Assert(fd && sniNameArr);
     if (!fd || !sniNameArr) {
 	return SSL_SNI_SEND_ALERT;
     }
 
@@ -1113,17 +1113,17 @@ makeSignedOCSPResponse(PRArenaPool *aren
     SECItemArray *result = NULL;
     SECItem *ocspResponse = NULL;
     CERTOCSPSingleResponse **singleResponses;
     CERTOCSPSingleResponse *sr;
     CERTOCSPCertID *cid = NULL;
     CERTCertificate *ca;
     PRTime now = PR_Now();
     PRTime nextUpdate;
-    const secuPWData *pwdata;
+    secuPWData *pwdata;
 
     PORT_Assert(model_sock != NULL && cert != NULL);
 
     ca = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), ocspStaplingCA);
     if (!ca)
 	errExit("cannot find CA");
 
     cid = CERT_CreateOCSPCertID(cert, now);
--- a/cmd/signtool/verify.c
+++ b/cmd/signtool/verify.c
@@ -42,17 +42,17 @@ VerifyJar(char *filename)
     status = JAR_pass_archive (jar, jarArchGuess, filename, "some-url");
 
     if (status < 0 || jar->valid < 0) {
 	failed = 1;
 	PR_fprintf(outputFD, 
 	    "\nNOTE -- \"%s\" archive DID NOT PASS crypto verification.\n",
 	     filename);
 	if (status < 0) {
-	    char	*errtext;
+	    const char	*errtext;
 
 	    if (status >= JAR_BASE && status <= JAR_BASE_END) {
 		errtext = JAR_get_error (status);
 	    } else {
 		errtext = SECU_Strerror(PORT_GetError());
 	    }
 
 	    PR_fprintf(outputFD, "  (reported reason: %s)\n\n",
@@ -273,17 +273,17 @@ JarWho(char *filename)
     status = JAR_pass_archive (jar, jarArchGuess, filename, "some-url");
 
     if (status < 0 || jar->valid < 0) {
 	PR_fprintf(outputFD,
 	    "NOTE -- \"%s\" archive DID NOT PASS crypto verification.\n",
 	     filename);
 	retval = -1;
 	if (jar->valid < 0 || status != -1) {
-	    char	*errtext;
+	    const char	*errtext;
 
 	    if (status >= JAR_BASE && status <= JAR_BASE_END) {
 		errtext = JAR_get_error (status);
 	    } else {
 		errtext = SECU_Strerror(PORT_GetError());
 	    }
 
 	    PR_fprintf(outputFD, "  (reported reason: %s)\n\n", errtext);
--- a/coreconf/WIN32.mk
+++ b/coreconf/WIN32.mk
@@ -165,17 +165,17 @@ endif
 endif
 	# Purify requires /FIXED:NO when linking EXEs.
 	LDFLAGS    += /FIXED:NO
     endif
 ifneq ($(_MSC_VER),$(_MSC_VER_6))
     # Convert certain deadly warnings to errors (see list at end of file)
     OS_CFLAGS += -we4002 -we4003 -we4004 -we4006 -we4009 -we4013 \
      -we4015 -we4028 -we4033 -we4035 -we4045 -we4047 -we4053 -we4054 -we4063 \
-     -we4064 -we4078 -we4087 -we4098 -we4390 -we4551 -we4553 -we4715
+     -we4064 -we4078 -we4087 -we4090 -we4098 -we4390 -we4551 -we4553 -we4715
 endif # !MSVC6
 endif # NS_USE_GCC
 
 ifdef USE_64
 DEFINES += -DWIN64
 else
 DEFINES += -DWIN32
 endif
@@ -343,16 +343,17 @@ endif
 # 4047: 'function' : 'type 1' differs in levels of indirection from 'type 2'
 # 4053: one void operand for '?:'
 # 4054: 'conversion' : from function pointer 'type1' to data pointer 'type2'
 # 4059: pascal string too big, length byte is length % 256
 # 4063: case 'identifier' is not a valid value for switch of enum 'identifier'
 # 4064: switch of incomplete enum 'identifier'
 # 4078: case constant 'value' too big for the type of the switch expression
 # 4087: 'function' : declared with 'void' parameter list
+# 4090: 'function' : different 'const' qualifiers
 # 4098: 'function' : void function returning a value
 # 4390: ';' : empty controlled statement found; is this the intent?
 # 4541: RTTI train wreck
 # 4715: not all control paths return a value
 # 4013: function undefined; assuming extern returning int
 # 4553: '==' : operator has no effect; did you intend '='?
 # 4551: function call missing argument list
 
--- a/lib/certdb/alg1485.c
+++ b/lib/certdb/alg1485.c
@@ -1214,17 +1214,17 @@ CERT_GetNameElement(PRArenaPool *arena, 
     return ava ? avaToString(arena, ava) : NULL;
 }
 
 /* RDNs are sorted from most general to most specific.
  * This code returns the LAST one found, the most specific one found.
  * This is particularly appropriate for Common Name.  See RFC 2818.
  */
 static char *
-CERT_GetLastNameElement(PRArenaPool *arena, CERTName *name, int wantedTag)
+CERT_GetLastNameElement(PRArenaPool *arena, const CERTName *name, int wantedTag)
 {
     CERTRDN** rdns    = name->rdns;
     CERTRDN*  rdn;
     CERTAVA*  lastAva = NULL;
     
     while (rdns && (rdn = *rdns++) != 0) {
 	CERTAVA** avas = rdn->avas;
 	CERTAVA*  ava;
@@ -1495,17 +1495,17 @@ CERT_GetCertEmailAddress(CERTName *name)
     if ( rawEmailAddr ) {
 	PORT_Free(rawEmailAddr);
     }
     return(emailAddr);
 }
 
 /* The return value must be freed with PORT_Free. */
 char *
-CERT_GetCommonName(CERTName *name)
+CERT_GetCommonName(const CERTName *name)
 {
     return(CERT_GetLastNameElement(NULL, name, SEC_OID_AVA_COMMON_NAME));
 }
 
 char *
 CERT_GetCountryName(CERTName *name)
 {
     return(CERT_GetNameElement(NULL, name, SEC_OID_AVA_COUNTRY_NAME));
--- a/lib/certdb/cert.h
+++ b/lib/certdb/cert.h
@@ -105,17 +105,18 @@ extern SECComparison CERT_CompareRDN(con
 extern CERTName *CERT_CreateName(CERTRDN *rdn, ...);
 
 /*
 ** Make a copy of "src" storing it in "dest". Memory is allocated in
 ** "dest" for each of the appropriate sub objects. Memory is not freed in
 ** "dest" before allocation is done (use CERT_DestroyName(dest, PR_FALSE) to
 ** do that).
 */
-extern SECStatus CERT_CopyName(PLArenaPool *arena, CERTName *dest, CERTName *src);
+extern SECStatus CERT_CopyName(PLArenaPool *arena, CERTName *dest,
+                               const CERTName *src);
 
 /*
 ** Destroy a Name object.
 **	"name" the CERTName to destroy
 **	"freeit" if PR_TRUE then free the object as well as its sub-objects
 */
 extern void CERT_DestroyName(CERTName *name);
 
@@ -387,17 +388,18 @@ extern SECStatus CERT_OpenVolatileCertDB
 */
 extern CERTCertNicknames *
   CERT_GetValidDNSPatternsFromCert(CERTCertificate *cert);
 
 /*
 ** Check the hostname to make sure that it matches the shexp that
 ** is given in the common name of the certificate.
 */
-extern SECStatus CERT_VerifyCertName(CERTCertificate *cert, const char *hostname);
+extern SECStatus CERT_VerifyCertName(const CERTCertificate *cert,
+                                     const char *hostname);
 
 /*
 ** Add a domain name to the list of names that the user has explicitly
 ** allowed (despite cert name mismatches) for use with a server cert.
 */
 extern SECStatus CERT_AddOKDomainName(CERTCertificate *cert, const char *hostname);
 
 /*
@@ -587,17 +589,17 @@ CERT_FindCertIssuer(CERTCertificate *cer
 /*
 ** Check the validity times of a certificate vs. time 't', allowing
 ** some slop for broken clocks and stuff.
 **	"cert" is the certificate to be checked
 **	"t" is the time to check against
 **	"allowOverride" if true then check to see if the invalidity has
 **		been overridden by the user.
 */
-extern SECCertTimeValidity CERT_CheckCertValidTimes(CERTCertificate *cert,
+extern SECCertTimeValidity CERT_CheckCertValidTimes(const CERTCertificate *cert,
 						    PRTime t,
 						    PRBool allowOverride);
 
 /*
 ** WARNING - this function is deprecated, and will either go away or have
 **		a new API in the near future.
 **
 ** Check the validity times of a certificate vs. the current time, allowing
@@ -608,17 +610,18 @@ extern SECStatus CERT_CertTimesValid(CER
 
 /*
 ** Extract the validity times from a certificate
 **	"c" is the certificate
 **	"notBefore" is the start of the validity period
 **	"notAfter" is the end of the validity period
 */
 extern SECStatus
-CERT_GetCertTimes (CERTCertificate *c, PRTime *notBefore, PRTime *notAfter);
+CERT_GetCertTimes (const CERTCertificate *c, PRTime *notBefore,
+		   PRTime *notAfter);
 
 /*
 ** Extract the issuer and serial number from a certificate
 */
 extern CERTIssuerAndSN *CERT_GetCertIssuerAndSN(PLArenaPool *, 
 							CERTCertificate *);
 
 /*
@@ -637,17 +640,17 @@ extern SECStatus
 CERT_VerifySignedDataWithPublicKeyInfo(CERTSignedData *sd,
                                        CERTSubjectPublicKeyInfo *pubKeyInfo,
                                        void *wincx);
 
 /*
 ** verify the signature of a signed data object with a SECKEYPublicKey.
 */
 extern SECStatus
-CERT_VerifySignedDataWithPublicKey(CERTSignedData *sd,
+CERT_VerifySignedDataWithPublicKey(const CERTSignedData *sd,
                                    SECKEYPublicKey *pubKey, void *wincx);
 
 /*
 ** NEW FUNCTIONS with new bit-field-FIELD SECCertificateUsage - please use
 ** verify a certificate by checking validity times against a certain time,
 ** that we trust the issuer, and that the signature on the certificate is
 ** valid.
 **	"cert" the certificate to verify
@@ -758,17 +761,17 @@ extern char *CERT_GetCertificateEmailAdd
 extern char *CERT_GetCertEmailAddress(CERTName *name);
 
 extern const char * CERT_GetFirstEmailAddress(CERTCertificate * cert);
 
 extern const char * CERT_GetNextEmailAddress(CERTCertificate * cert, 
                                              const char * prev);
 
 /* The return value must be freed with PORT_Free. */
-extern char *CERT_GetCommonName(CERTName *name);
+extern char *CERT_GetCommonName(const CERTName *name);
 
 extern char *CERT_GetCountryName(CERTName *name);
 
 extern char *CERT_GetLocalityName(CERTName *name);
 
 extern char *CERT_GetStateName(CERTName *name);
 
 extern char *CERT_GetOrgName(CERTName *name);
@@ -776,17 +779,18 @@ extern char *CERT_GetOrgName(CERTName *n
 extern char *CERT_GetOrgUnitName(CERTName *name);
 
 extern char *CERT_GetDomainComponentName(CERTName *name);
 
 extern char *CERT_GetCertUid(CERTName *name);
 
 /* manipulate the trust parameters of a certificate */
 
-extern SECStatus CERT_GetCertTrust(CERTCertificate *cert, CERTCertTrust *trust);
+extern SECStatus CERT_GetCertTrust(const CERTCertificate *cert,
+                                   CERTCertTrust *trust);
 
 extern SECStatus
 CERT_ChangeCertTrust (CERTCertDBHandle *handle, CERTCertificate *cert,
 		      CERTCertTrust *trust);
 
 extern SECStatus
 CERT_ChangeCertTrustByUsage(CERTCertDBHandle *certdb, CERTCertificate *cert,
 			    SECCertUsage usage);
@@ -883,27 +887,26 @@ extern SECStatus CERT_EncodeCRLDistribut
    (PLArenaPool *arena, CERTCrlDistributionPoints *value,SECItem *derValue);
 
 /*
 ** Decodes a DER encoded basicConstaint extension value into a readable format
 **	value - decoded value
 **	encodedValue - value to decoded
 */
 extern SECStatus CERT_DecodeBasicConstraintValue
-   (CERTBasicConstraints *value, SECItem *encodedValue);
+   (CERTBasicConstraints *value, const SECItem *encodedValue);
 
 /* Decodes a DER encoded authorityKeyIdentifier extension value into a
 ** readable format.
 **	arena - where to allocate memory for the decoded value
 **	encodedValue - value to be decoded
 **	Returns a CERTAuthKeyID structure which contains the decoded value
 */
 extern CERTAuthKeyID *CERT_DecodeAuthKeyID 
-			(PLArenaPool *arena, SECItem *encodedValue);
-
+			(PLArenaPool *arena, const SECItem *encodedValue);
 
 /* Decodes a DER encoded crlDistributionPoints extension value into a 
 ** readable format.
 **	arena - where to allocate memory for the decoded value
 **	der - value to be decoded
 **	Returns a CERTCrlDistributionPoints structure which contains the 
 **          decoded value
 */
@@ -911,29 +914,29 @@ extern CERTCrlDistributionPoints * CERT_
    (PLArenaPool *arena, SECItem *der);
 
 /* Extract certain name type from a generalName */
 extern void *CERT_GetGeneralNameByType
    (CERTGeneralName *genNames, CERTGeneralNameType type, PRBool derFormat);
 
 
 extern CERTOidSequence *
-CERT_DecodeOidSequence(SECItem *seqItem);
+CERT_DecodeOidSequence(const SECItem *seqItem);
 
 
 
 
 /****************************************************************************
  *
  * Find extension values of a certificate 
  *
  ***************************************************************************/
 
 extern SECStatus CERT_FindCertExtension
-   (CERTCertificate *cert, int tag, SECItem *value);
+   (const CERTCertificate *cert, int tag, SECItem *value);
 
 extern SECStatus CERT_FindNSCertTypeExtension
    (CERTCertificate *cert, SECItem *value);
 
 extern char * CERT_FindNSStringExtension (CERTCertificate *cert, int oidtag);
 
 extern SECStatus CERT_FindIssuerCertExtension
    (CERTCertificate *cert, int tag, SECItem *value);
@@ -1024,17 +1027,18 @@ extern CERTCertNicknames *CERT_GetCertNi
 extern SECStatus CERT_FindCRLNumberExten (PLArenaPool *arena, CERTCrl *crl,
                                           SECItem *value);
 
 extern SECStatus CERT_FindCRLEntryReasonExten (CERTCrlEntry *crlEntry,
 					       CERTCRLEntryReasonCode *value);
 
 extern void CERT_FreeNicknames(CERTCertNicknames *nicknames);
 
-extern PRBool CERT_CompareCerts(CERTCertificate *c1, CERTCertificate *c2);
+extern PRBool CERT_CompareCerts(const CERTCertificate *c1,
+                                const CERTCertificate *c2);
 
 extern PRBool CERT_CompareCertsForRedirection(CERTCertificate *c1,
 							 CERTCertificate *c2);
 
 /*
 ** Generate an array of the Distinguished Names that the given cert database
 ** "trusts"
 */
@@ -1135,43 +1139,44 @@ CERT_SaveSMimeProfile(CERTCertificate *c
  */
 SECItem *
 CERT_FindSMimeProfile(CERTCertificate *cert);
 
 SECStatus
 CERT_AddNewCerts(CERTCertDBHandle *handle);
 
 CERTCertificatePolicies *
-CERT_DecodeCertificatePoliciesExtension(SECItem *extnValue);
+CERT_DecodeCertificatePoliciesExtension(const SECItem *extnValue);
 
 void
 CERT_DestroyCertificatePoliciesExtension(CERTCertificatePolicies *policies);
 
 CERTCertificatePolicyMappings *
 CERT_DecodePolicyMappingsExtension(SECItem *encodedCertPolicyMaps);
 
 SECStatus
 CERT_DestroyPolicyMappingsExtension(CERTCertificatePolicyMappings *mappings);
 
 SECStatus
 CERT_DecodePolicyConstraintsExtension(
-    CERTCertificatePolicyConstraints *decodedValue, SECItem *encodedValue);
+    CERTCertificatePolicyConstraints *decodedValue,
+    const SECItem *encodedValue);
 
 SECStatus CERT_DecodeInhibitAnyExtension
     (CERTCertificateInhibitAny *decodedValue, SECItem *extnValue);
 
 CERTUserNotice *
 CERT_DecodeUserNotice(SECItem *noticeItem);
 
 extern CERTGeneralName *
 CERT_DecodeAltNameExtension(PLArenaPool *reqArena, SECItem *EncodedAltName);
 
 extern CERTNameConstraints *
 CERT_DecodeNameConstraintsExtension(PLArenaPool *arena, 
-                                    SECItem *encodedConstraints);
+                                    const SECItem *encodedConstraints);
 
 /* returns addr of a NULL termainated array of pointers to CERTAuthInfoAccess */
 extern CERTAuthInfoAccess **
 CERT_DecodeAuthInfoAccessExtension(PLArenaPool *reqArena,
 				   SECItem     *encodedExtension);
 
 extern CERTPrivKeyUsagePeriod *
 CERT_DecodePrivKeyUsagePeriodExtension(PLArenaPool *arena, SECItem *extnValue);
@@ -1253,27 +1258,29 @@ CERT_SortCBValidity(CERTCertificate *cer
 
 SECStatus
 CERT_CheckForEvilCert(CERTCertificate *cert);
 
 CERTGeneralName *
 CERT_GetCertificateNames(CERTCertificate *cert, PLArenaPool *arena);
 
 CERTGeneralName *
-CERT_GetConstrainedCertificateNames(CERTCertificate *cert, PLArenaPool *arena,
+CERT_GetConstrainedCertificateNames(const CERTCertificate *cert,
+                                    PLArenaPool *arena,
                                     PRBool includeSubjectCommonName);
 
 /*
  * Creates or adds to a list of all certs with a give subject name, sorted by
  * validity time, newest first.  Invalid certs are considered older than
  * valid certs. If validOnly is set, do not include invalid certs on list.
  */
 CERTCertList *
 CERT_CreateSubjectCertList(CERTCertList *certList, CERTCertDBHandle *handle,
-			   SECItem *name, PRTime sorttime, PRBool validOnly);
+			   const SECItem *name, PRTime sorttime,
+			   PRBool validOnly);
 
 /*
  * remove certs from a list that don't have keyUsage and certType
  * that match the given usage.
  */
 SECStatus
 CERT_FilterCertListByUsage(CERTCertList *certList, SECCertUsage usage,
 			   PRBool ca);
@@ -1473,23 +1480,23 @@ CERT_UnlockCertRefCount(CERTCertificate 
 
 /*
  * Acquire the cert trust lock
  * There is currently one global lock for all certs, but I'm putting a cert
  * arg here so that it will be easy to make it per-cert in the future if
  * that turns out to be necessary.
  */
 void
-CERT_LockCertTrust(CERTCertificate *cert);
+CERT_LockCertTrust(const CERTCertificate *cert);
 
 /*
  * Free the cert trust lock
  */
 void
-CERT_UnlockCertTrust(CERTCertificate *cert);
+CERT_UnlockCertTrust(const CERTCertificate *cert);
 
 /*
  * Digest the cert's subject public key using the specified algorithm.
  * The necessary storage for the digest data is allocated.  If "fill" is
  * non-null, the data is put there, otherwise a SECItem is allocated.
  * Allocation from "arena" if it is non-null, heap otherwise.  Any problem
  * results in a NULL being returned (and an appropriate error set).
  */ 
@@ -1520,18 +1527,18 @@ CERT_CopyNameConstraint(PLArenaPool     
 			CERTNameConstraint  *src);
 
 /*
  * Verify name against all the constraints relevant to that type of
  * the name.
  */
 extern SECStatus
 CERT_CheckNameSpace(PLArenaPool          *arena,
-		    CERTNameConstraints  *constraints,
-		    CERTGeneralName      *currentName);
+		    const CERTNameConstraints *constraints,
+		    const CERTGeneralName *currentName);
 
 /*
  * Extract and allocate the name constraints extension from the CA cert.
  */
 extern SECStatus
 CERT_FindNameConstraintsExten(PLArenaPool      *arena,
 			      CERTCertificate  *cert,
 			      CERTNameConstraints **constraints);
--- a/lib/certdb/certdb.c
+++ b/lib/certdb/certdb.c
@@ -950,17 +950,17 @@ CERT_SetSlopTime(PRInt32 slop)		/* secon
 {
     if (slop < 0)
 	return SECFailure;
     pendingSlop = slop;
     return SECSuccess;
 }
 
 SECStatus
-CERT_GetCertTimes(CERTCertificate *c, PRTime *notBefore, PRTime *notAfter)
+CERT_GetCertTimes(const CERTCertificate *c, PRTime *notBefore, PRTime *notAfter)
 {
     SECStatus rv;
 
     if (!c || !notBefore || !notAfter) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     
@@ -978,17 +978,18 @@ CERT_GetCertTimes(CERTCertificate *c, PR
 
     return(SECSuccess);
 }
 
 /*
  * Check the validity times of a certificate
  */
 SECCertTimeValidity
-CERT_CheckCertValidTimes(CERTCertificate *c, PRTime t, PRBool allowOverride)
+CERT_CheckCertValidTimes(const CERTCertificate *c, PRTime t,
+                         PRBool allowOverride)
 {
     PRTime notBefore, notAfter, llPendingSlop, tmp1;
     SECStatus rv;
 
     if (!c) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return(secCertTimeUndetermined);
     }
@@ -1411,17 +1412,17 @@ cert_TestHostName(char * cn, const char 
     }
 
     PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
     return SECFailure;
 }
 
 
 SECStatus
-cert_VerifySubjectAltName(CERTCertificate *cert, const char *hn)
+cert_VerifySubjectAltName(const CERTCertificate *cert, const char *hn)
 {
     PRArenaPool *     arena          = NULL;
     CERTGeneralName * nameList       = NULL;
     CERTGeneralName * current;
     char *            cn;
     int               cnBufLen;
     unsigned int      hnLen;
     int               DNSextCount    = 0;
@@ -1548,17 +1549,17 @@ finish:
 /*
  * If found:
  *   - subAltName contains the extension (caller must free)
  *   - return value is the decoded namelist (allocated off arena)
  * if not found, or if failure to decode:
  *   - return value is NULL
  */
 CERTGeneralName *
-cert_GetSubjectAltNameList(CERTCertificate *cert, PRArenaPool *arena)
+cert_GetSubjectAltNameList(const CERTCertificate *cert, PRArenaPool *arena)
 {
     CERTGeneralName * nameList       = NULL;
     SECStatus         rv             = SECFailure;
     SECItem           subAltName;
 
     if (!cert || !arena)
       return NULL;
 
@@ -1755,17 +1756,17 @@ CERT_GetValidDNSPatternsFromCert(CERTCer
     return NULL;
 }
 
 /* Make sure that the name of the host we are connecting to matches the
  * name that is incoded in the common-name component of the certificate
  * that they are using.
  */
 SECStatus
-CERT_VerifyCertName(CERTCertificate *cert, const char *hn)
+CERT_VerifyCertName(const CERTCertificate *cert, const char *hn)
 {
     char *    cn;
     SECStatus rv;
     CERTOKDomainName *domainOK;
 
     if (!hn || !strlen(hn)) {
     	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
@@ -1800,17 +1801,17 @@ CERT_VerifyCertName(CERTCertificate *cer
         }
 	PORT_Free(cn);
     } else 
 	PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
     return rv;
 }
 
 PRBool
-CERT_CompareCerts(CERTCertificate *c1, CERTCertificate *c2)
+CERT_CompareCerts(const CERTCertificate *c1, const CERTCertificate *c2)
 {
     SECComparison comp;
     
     comp = SECITEM_CompareItem(&c1->derCert, &c2->derCert);
     if ( comp == SECEqual ) { /* certs are the same */
 	return(PR_TRUE);
     } else {
 	return(PR_FALSE);
@@ -2900,17 +2901,17 @@ static PZLock *certTrustLock = NULL;
 
 /*
  * Acquire the cert trust lock
  * There is currently one global lock for all certs, but I'm putting a cert
  * arg here so that it will be easy to make it per-cert in the future if
  * that turns out to be necessary.
  */
 void
-CERT_LockCertTrust(CERTCertificate *cert)
+CERT_LockCertTrust(const CERTCertificate *cert)
 {
     PORT_Assert(certTrustLock != NULL);
     PZ_Lock(certTrustLock);
     return;
 }
 
 SECStatus
 cert_InitLocks(void)
@@ -2958,17 +2959,17 @@ cert_DestroyLocks(void)
     }
     return rv;
 }
 
 /*
  * Free the cert trust lock
  */
 void
-CERT_UnlockCertTrust(CERTCertificate *cert)
+CERT_UnlockCertTrust(const CERTCertificate *cert)
 {
     PRStatus prstat;
 
     PORT_Assert(certTrustLock != NULL);
     
     prstat = PZ_Unlock(certTrustLock);
     
     PORT_Assert(prstat == PR_SUCCESS);
--- a/lib/certdb/certi.h
+++ b/lib/certdb/certi.h
@@ -245,17 +245,17 @@ extern CERTAVA * CERT_CreateAVAFromSECIt
  * get a DPCache object for the given issuer subject and dp
  * Automatically creates the cache object if it doesn't exist yet.
  */
 SECStatus AcquireDPCache(CERTCertificate* issuer, const SECItem* subject,
                          const SECItem* dp, int64 t, void* wincx,
                          CRLDPCache** dpcache, PRBool* writeLocked);
 
 /* check if a particular SN is in the CRL cache and return its entry */
-dpcacheStatus DPCache_Lookup(CRLDPCache* cache, SECItem* sn,
+dpcacheStatus DPCache_Lookup(CRLDPCache* cache, const SECItem* sn,
                              CERTCrlEntry** returned);
 
 /* release a DPCache object that was previously acquired */
 void ReleaseDPCache(CRLDPCache* dpcache, PRBool writeLocked);
 
 /*
  * map Stan errors into NSS errors
  * This function examines the stan error stack and automatically sets
@@ -354,17 +354,17 @@ SECStatus cert_AcquireNamedCRLCache(Name
 SECStatus cert_FindCRLByGeneralName(NamedCRLCache* ncc,
                                     const SECItem* canonicalizedName,
                                     NamedCRLCacheEntry** retEntry);
 
 SECStatus cert_ReleaseNamedCRLCache(NamedCRLCache* ncc);
 
 /* This is private for now.  Maybe shoule be public. */
 CERTGeneralName *
-cert_GetSubjectAltNameList(CERTCertificate *cert, PRArenaPool *arena);
+cert_GetSubjectAltNameList(const CERTCertificate *cert, PRArenaPool *arena);
 
 /* Count DNS names and IP addresses in a list of GeneralNames */
 PRUint32
 cert_CountDNSPatterns(CERTGeneralName *firstName);
 
 /*
  * returns the trust status of the leaf certificate based on usage.
  * If the leaf is explicitly untrusted, this function will fail and 
--- a/lib/certdb/certv3.c
+++ b/lib/certdb/certv3.c
@@ -20,17 +20,17 @@ SECStatus
 CERT_FindCertExtensionByOID(CERTCertificate *cert, SECItem *oid,
 			    SECItem *value)
 {
     return (cert_FindExtensionByOID (cert->extensions, oid, value));
 }
     
 
 SECStatus
-CERT_FindCertExtension(CERTCertificate *cert, int tag, SECItem *value)
+CERT_FindCertExtension(const CERTCertificate *cert, int tag, SECItem *value)
 {
     return (cert_FindExtension (cert->extensions, tag, value));
 }
 
 static void
 SetExts(void *object, CERTCertExtension **exts)
 {
     CERTCertificate *cert = (CERTCertificate *)object;
--- a/lib/certdb/crl.c
+++ b/lib/certdb/crl.c
@@ -1690,17 +1690,17 @@ static SECStatus DPCache_FetchFromTokens
             }
         }
         PORT_FreeArena(head.arena, PR_FALSE); /* destroy CRL list */
     }
 
     return rv;
 }
 
-static SECStatus CachedCrl_GetEntry(CachedCrl* crl, SECItem* sn,
+static SECStatus CachedCrl_GetEntry(CachedCrl* crl, const SECItem* sn,
                                     CERTCrlEntry** returned)
 {
     CERTCrlEntry* acrlEntry;
      
     PORT_Assert(crl);
     PORT_Assert(crl->entries);
     PORT_Assert(sn);
     PORT_Assert(returned);
@@ -1717,17 +1717,17 @@ static SECStatus CachedCrl_GetEntry(Cach
     else
     {
         *returned = NULL;
     }
     return SECSuccess;
 }
 
 /* check if a particular SN is in the CRL cache and return its entry */
-dpcacheStatus DPCache_Lookup(CRLDPCache* cache, SECItem* sn,
+dpcacheStatus DPCache_Lookup(CRLDPCache* cache, const SECItem* sn,
                          CERTCrlEntry** returned)
 {
     SECStatus rv;
     if (!cache || !sn || !returned)
     {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         /* no cache or SN to look up, or no way to return entry */
         return dpcacheCallerError;
--- a/lib/certdb/genname.c
+++ b/lib/certdb/genname.c
@@ -681,17 +681,17 @@ cert_DecodeNameConstraintSubTree(PRArena
     return first;
 loser:
     /* TODO: release arena back to mark */
     return NULL;
 }
 
 CERTNameConstraints *
 cert_DecodeNameConstraints(PRArenaPool   *reqArena,
-			   SECItem       *encodedConstraints)
+			   const SECItem *encodedConstraints)
 {
     CERTNameConstraints   *constraints;
     SECStatus             rv;
     SECItem*              newEncodedConstraints;
 
     if (!reqArena) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return NULL;
@@ -1059,17 +1059,18 @@ CERT_GetCertificateNames(CERTCertificate
 {
     return CERT_GetConstrainedCertificateNames(cert, arena, PR_FALSE);
 }
 
 /* This function is called by CERT_VerifyCertChain to extract all
 ** names from a cert in preparation for a name constraints test.
 */
 CERTGeneralName *
-CERT_GetConstrainedCertificateNames(CERTCertificate *cert, PRArenaPool *arena,
+CERT_GetConstrainedCertificateNames(const CERTCertificate *cert,
+                                    PRArenaPool *arena,
                                     PRBool includeSubjectCommonName)
 {
     CERTGeneralName  *DN;
     CERTGeneralName  *SAN;
     PRUint32         numDNSNames = 0;
     SECStatus        rv;
 
     if (!arena) {
@@ -1335,23 +1336,23 @@ parseUriHostname(SECItem * item)
 ** It searches the constraints looking for a match.
 ** It returns SECSuccess if the name satisfies the constraints, i.e.,
 ** if excluded, then the name does not match any constraint, 
 ** if permitted, then the name matches at least one constraint.
 ** It returns SECFailure if the name fails to satisfy the constraints,
 ** or if some code fails (e.g. out of memory, or invalid constraint)
 */
 SECStatus
-cert_CompareNameWithConstraints(CERTGeneralName     *name, 
-				CERTNameConstraint  *constraints,
+cert_CompareNameWithConstraints(const CERTGeneralName     *name,
+				const CERTNameConstraint  *constraints,
 				PRBool              excluded)
 {
     SECStatus           rv     = SECSuccess;
     SECStatus           matched = SECFailure;
-    CERTNameConstraint  *current;
+    const CERTNameConstraint *current;
 
     PORT_Assert(constraints);  /* caller should not call with NULL */
     if (!constraints) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
 
     current = constraints;
@@ -1459,17 +1460,17 @@ cert_CompareNameWithConstraints(CERTGene
 	    break;
 
 	default: /* non-standard types are not supported */
 	    rv = SECFailure;
 	    break;
 	}
 	if (matched == SECSuccess || rv != SECSuccess)
 	    break;
-	current = CERT_GetNextNameConstraint(current);
+	current = CERT_GetNextNameConstraint((CERTNameConstraint*)current);
     } while (current != constraints);
     if (rv == SECSuccess) {
         if (matched == SECSuccess) 
 	    rv = excluded ? SECFailure : SECSuccess;
 	else
 	    rv = excluded ? SECSuccess : SECFailure;
 	return rv;
     }
@@ -1560,18 +1561,18 @@ CERT_FindNameConstraintsExten(PRArenaPoo
     return rv;
 }
 
 /* Verify name against all the constraints relevant to that type of
 ** the name.
 */
 SECStatus
 CERT_CheckNameSpace(PRArenaPool          *arena,
-                    CERTNameConstraints  *constraints,
-                    CERTGeneralName      *currentName)
+                    const CERTNameConstraints *constraints,
+                    const CERTGeneralName     *currentName)
 {
     CERTNameConstraint  *matchingConstraints;
     SECStatus            rv = SECSuccess;
     
     if (constraints->excluded != NULL) {
         rv = CERT_GetNameConstraintByType(constraints->excluded, 
                                           currentName->type, 
                                           &matchingConstraints, arena);
--- a/lib/certdb/genname.h
+++ b/lib/certdb/genname.h
@@ -26,17 +26,17 @@ cert_DecodeGeneralNames(PRArenaPool *are
 extern SECStatus
 cert_DestroyGeneralNames(CERTGeneralName *name);
 
 extern SECStatus 
 cert_EncodeNameConstraints(CERTNameConstraints *constraints, PRArenaPool *arena,
 			   SECItem *dest);
 
 extern CERTNameConstraints *
-cert_DecodeNameConstraints(PRArenaPool *arena, SECItem *encodedConstraints);
+cert_DecodeNameConstraints(PRArenaPool *arena, const SECItem *encodedConstraints);
 
 extern CERTGeneralName *
 cert_CombineNamesLists(CERTGeneralName *list1, CERTGeneralName *list2);
 
 extern CERTNameConstraint *
 cert_CombineConstraintsLists(CERTNameConstraint *list1, CERTNameConstraint *list2);
 
 /*********************************************************************/
--- a/lib/certdb/polcyxtn.c
+++ b/lib/certdb/polcyxtn.c
@@ -143,17 +143,17 @@ breakLines(char *string)
 	curlen++;
 	tmpstr++;
     }
     
     return;
 }
 
 CERTCertificatePolicies *
-CERT_DecodeCertificatePoliciesExtension(SECItem *extnValue)
+CERT_DecodeCertificatePoliciesExtension(const SECItem *extnValue)
 {
     PRArenaPool *arena = NULL;
     SECStatus rv;
     CERTCertificatePolicies *policies;
     CERTPolicyInfo **policyInfos, *policyInfo;
     CERTPolicyQualifier **policyQualifiers, *policyQualifier;
     SECItem newExtnValue;
     
@@ -276,17 +276,17 @@ CERT_DestroyPolicyMappingsExtension(CERT
         PORT_FreeArena(mappings->arena, PR_FALSE);
     }
     return SECSuccess;
 }
 
 SECStatus
 CERT_DecodePolicyConstraintsExtension
                              (CERTCertificatePolicyConstraints *decodedValue,
-                              SECItem *encodedValue)
+                              const SECItem *encodedValue)
 {
     CERTCertificatePolicyConstraints decodeContext;
     PRArenaPool *arena = NULL;
     SECStatus rv = SECSuccess;
 
     /* initialize so we can tell when an optional component is omitted */
     PORT_Memset(&decodeContext, 0, sizeof(decodeContext));
 
@@ -599,17 +599,17 @@ nopolicy:
 
 const SEC_ASN1Template CERT_OidSeqTemplate[] = {
     { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN,
 	  offsetof(CERTOidSequence, oids),
 	  SEC_ASN1_SUB(SEC_ObjectIDTemplate) }
 };
 
 CERTOidSequence *
-CERT_DecodeOidSequence(SECItem *seqItem)
+CERT_DecodeOidSequence(const SECItem *seqItem)
 {
     PRArenaPool *arena = NULL;
     SECStatus rv;
     CERTOidSequence *oidSeq;
     SECItem newSeqItem;
     
     /* make a new arena */
     arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
--- a/lib/certdb/secname.c
+++ b/lib/certdb/secname.c
@@ -405,17 +405,17 @@ CERT_DestroyName(CERTName *name)
 SECStatus
 CERT_AddRDN(CERTName *name, CERTRDN *rdn)
 {
     name->rdns = (CERTRDN**) AddToArray(name->arena, (void**) name->rdns, rdn);
     return name->rdns ? SECSuccess : SECFailure;
 }
 
 SECStatus
-CERT_CopyName(PRArenaPool *arena, CERTName *to, CERTName *from)
+CERT_CopyName(PRArenaPool *arena, CERTName *to, const CERTName *from)
 {
     CERTRDN **rdns, *frdn, *trdn;
     SECStatus rv = SECSuccess;
 
     if (!to || !from) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
--- a/lib/certdb/stanpcertdb.c
+++ b/lib/certdb/stanpcertdb.c
@@ -82,17 +82,17 @@ SEC_DeletePermCertificate(CERTCertificat
     nssTrustDomain_LockCertCache(td);
     nssTrustDomain_RemoveCertFromCacheLOCKED(td, c);
     nssTrustDomain_UnlockCertCache(td);
 
     return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
 }
 
 SECStatus
-CERT_GetCertTrust(CERTCertificate *cert, CERTCertTrust *trust)
+CERT_GetCertTrust(const CERTCertificate *cert, CERTCertTrust *trust)
 {
     SECStatus rv;
     CERT_LockCertTrust(cert);
     if ( cert->trust == NULL ) {
 	rv = SECFailure;
     } else {
 	*trust = *cert->trust;
 	rv = SECSuccess;
@@ -707,17 +707,18 @@ add_to_subject_list(CERTCertList *certLi
 	    }
     } else {
 	CERT_DestroyCertificate(cert);
     }
 }
 
 CERTCertList *
 CERT_CreateSubjectCertList(CERTCertList *certList, CERTCertDBHandle *handle,
-			   SECItem *name, int64 sorttime, PRBool validOnly)
+			   const SECItem *name, PRTime sorttime,
+			   PRBool validOnly)
 {
     NSSCryptoContext *cc;
     NSSCertificate **tSubjectCerts, **pSubjectCerts;
     NSSCertificate **ci;
     CERTCertificate *cert;
     NSSDER subject;
     PRBool myList = PR_FALSE;
     cc = STAN_GetDefaultCryptoContext();
--- a/lib/certdb/xauthkid.c
+++ b/lib/certdb/xauthkid.c
@@ -73,17 +73,17 @@ SECStatus CERT_EncodeAuthKeyID (PRArenaP
 	    break;
 	rv = SECSuccess;
 
     } while (0);
      return(rv);
 }
 
 CERTAuthKeyID *
-CERT_DecodeAuthKeyID (PRArenaPool *arena, SECItem *encodedValue)
+CERT_DecodeAuthKeyID (PRArenaPool *arena, const SECItem *encodedValue)
 {
     CERTAuthKeyID * value = NULL;
     SECStatus       rv    = SECFailure;
     void *          mark;
     SECItem         newEncodedValue;
 
     PORT_Assert (arena);
    
--- a/lib/certdb/xbsconst.c
+++ b/lib/certdb/xbsconst.c
@@ -83,17 +83,17 @@ SECStatus CERT_EncodeBasicConstraintValu
     } while (0);
     if (our_pool)
 	PORT_FreeArena (our_pool, PR_FALSE);
     return(rv);
 
 }
 
 SECStatus CERT_DecodeBasicConstraintValue
-   (CERTBasicConstraints *value, SECItem *encodedValue)
+   (CERTBasicConstraints *value, const SECItem *encodedValue)
 {
     EncodedContext decodeContext;
     PRArenaPool *our_pool;
     SECStatus rv = SECSuccess;
 
     do {
 	PORT_Memset (&decodeContext, 0, sizeof (decodeContext));
 	/* initialize the value just in case we got "0x30 00", or when the
--- a/lib/certdb/xconst.c
+++ b/lib/certdb/xconst.c
@@ -213,17 +213,17 @@ CERT_EncodeNameConstraintsExtension(PRAr
     
     rv = cert_EncodeNameConstraints(value, arena, encodedValue);
     return rv;
 }
 
 
 CERTNameConstraints *
 CERT_DecodeNameConstraintsExtension(PRArenaPool          *arena,
-				    SECItem              *encodedConstraints)
+				    const SECItem        *encodedConstraints)
 {
     return cert_DecodeNameConstraints(arena, encodedConstraints);
 }
 
 
 CERTAuthInfoAccess **
 CERT_DecodeAuthInfoAccessExtension(PRArenaPool *reqArena,
 				   SECItem     *encodedExtension)
--- a/lib/certhigh/certvfy.c
+++ b/lib/certhigh/certvfy.c
@@ -33,17 +33,17 @@ CERT_CertTimesValid(CERTCertificate *c)
     SECCertTimeValidity valid = CERT_CheckCertValidTimes(c, PR_Now(), PR_TRUE);
     return (valid == secCertTimeValid) ? SECSuccess : SECFailure;
 }
 
 /*
  * verify the signature of a signed data object with the given DER publickey
  */
 SECStatus
-CERT_VerifySignedDataWithPublicKey(CERTSignedData *sd, 
+CERT_VerifySignedDataWithPublicKey(const CERTSignedData *sd,
                                    SECKEYPublicKey *pubKey,
 		                   void *wincx)
 {
     SECStatus        rv;
     SECItem          sig;
     SECOidTag        hashAlg = SEC_OID_UNKNOWN;
 
     if ( !pubKey || !sd ) {
--- a/lib/nss/utilwrap.c
+++ b/lib/nss/utilwrap.c
@@ -397,17 +397,17 @@ SECStatus DER_Encode(PRArenaPool *arena,
 }
 
 SECStatus DER_Lengths(SECItem *item, int *header_len_p,
                              PRUint32 *contents_len_p)
 {
     return DER_Lengths_Util(item, header_len_p, contents_len_p);
 }
 
-long DER_GetInteger(SECItem *src)
+long DER_GetInteger(const SECItem *src)
 {
     return DER_GetInteger_Util(src);
 }
 
 SECStatus DER_TimeToUTCTime(SECItem *result, int64 time)
 {
     return DER_TimeToUTCTime_Util(result, time);
 }
--- a/lib/util/dersubr.c
+++ b/lib/util/dersubr.c
@@ -171,17 +171,17 @@ DER_SetUInteger(PRArenaPool *arena, SECI
     return SECSuccess;
 }
 
 /*
 ** Convert a der encoded *signed* integer into a machine integral value.
 ** If an underflow/overflow occurs, sets error code and returns min/max.
 */
 long
-DER_GetInteger(SECItem *it)
+DER_GetInteger(const SECItem *it)
 {
     long ival = 0;
     unsigned len = it->len;
     unsigned char *cp = it->data;
     unsigned long overflow = 0x1ffUL << (((sizeof(ival) - 1) * 8) - 1);
     unsigned long ofloinit;
 
     PORT_Assert(len);
--- a/lib/util/hasht.h
+++ b/lib/util/hasht.h
@@ -1,16 +1,18 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /* $Id$ */
 
 #ifndef _HASHT_H_
 #define _HASHT_H_
 
+#include "prtypes.h"
+
 /* Opaque objects */
 typedef struct SECHashObjectStr SECHashObject;
 typedef struct HASHContextStr HASHContext;
 
 /*
  * The hash functions the security library supports
  * NOTE the order must match the definition of SECHashObjects[]!
  */
--- a/lib/util/secder.h
+++ b/lib/util/secder.h
@@ -68,17 +68,17 @@ extern SECStatus DER_SetInteger(PLArenaP
 */
 extern SECStatus DER_SetUInteger(PLArenaPool *arena, SECItem *dst, PRUint32 src);
 
 /*
 ** Decode a der encoded *signed* integer that is stored in "src".
 ** If "-1" is returned, then the caller should check the error in
 ** XP_GetError() to see if an overflow occurred (SEC_ERROR_BAD_DER).
 */
-extern long DER_GetInteger(SECItem *src);
+extern long DER_GetInteger(const SECItem *src);
 
 /*
 ** Decode a der encoded *unsigned* integer that is stored in "src".
 ** If the ULONG_MAX is returned, then the caller should check the error
 ** in XP_GetError() to see if an overflow occurred (SEC_ERROR_BAD_DER).
 */
 extern unsigned long DER_GetUInteger(SECItem *src);