fixup commit for tag 'ROGC_20020830_FREEZE' ROGC_20020830_FREEZE
authorcvs2hg
Fri, 30 Aug 2002 03:44:25 +0000
changeset 3515 9fd2a0132f63cd5d6a49f22a1f96835f8febd066
parent 3437 00b74c4874489c962d78d555780409a9cb32ba31
child 3516 fb48b7061f27ed6dfac936b3d96d85d261076e91
push idunknown
push userunknown
push dateunknown
fixup commit for tag 'ROGC_20020830_FREEZE'
dbm/makefile.win
dbm/src/hash.c
security/coreconf/AIX5.1.mk
security/coreconf/Darwin.mk
security/coreconf/HP-UXB.11.20.mk
security/coreconf/HP-UXB.11.mk
security/coreconf/OpenBSD.mk
security/coreconf/config.mk
security/coreconf/jdk.mk
security/coreconf/nsinstall/pathsub.c
security/coreconf/rules.mk
security/dbm/Makefile
security/dbm/config/config.mk
security/dbm/include/Makefile
security/dbm/include/manifest.mn
security/dbm/manifest.mn
security/dbm/src/Makefile
security/dbm/src/config.mk
security/dbm/src/dirent.c
security/dbm/src/dirent.h
security/dbm/src/manifest.mn
security/dbm/tests/Makefile
security/nss/cmd/modutil/README.TXT
security/nss/cmd/signtool/README.TXT
security/nss/cmd/tests/Makefile
security/nss/cmd/tests/manifest.mn
security/nss/cmd/vfyserv/Makefile
security/nss/cmd/vfyserv/makefile.win
security/nss/cmd/vfyserv/manifest.mn
security/nss/cmd/vfyserv/vfyserv.c
security/nss/cmd/vfyserv/vfyserv.h
security/nss/cmd/vfyserv/vfyutil.c
security/nss/lib/certhigh/certvfy.c
security/nss/lib/ckfw/builtins/certdata.c
security/nss/lib/ckfw/builtins/certdata.txt
security/nss/lib/ckfw/builtins/constants.c
security/nss/lib/ckfw/instance.c
security/nss/lib/dev/ckhelper.c
security/nss/lib/dev/dev.h
security/nss/lib/dev/devobject.c
security/nss/lib/pk11wrap/pk11cert.c
security/nss/lib/pki/certificate.c
security/nss/lib/pki/pkim.h
security/nss/lib/pki/trustdomain.c
security/nss/lib/softoken/pkcs11u.c
security/nss/lib/util/quickder.c
new file mode 100644
--- /dev/null
+++ b/dbm/makefile.win
@@ -0,0 +1,38 @@
+# The contents of this file are subject to the Netscape Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/NPL/
+#
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+#
+# The Original Code is mozilla.org code.
+#
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
+#
+# Contributor(s): 
+
+DEPTH=..
+
+#//------------------------------------------------------------------------
+#//
+#// Specify any "command" targets. (ie. DIRS, INSTALL_FILES, ...)
+#// (these must come before the common makefiles are included)
+#// 
+#// DIRS          - There are subdirectories to process
+#//
+#//------------------------------------------------------------------------
+DIRS = include src
+
+#//------------------------------------------------------------------------
+#//
+#// Include the common makefile rules
+#//
+#//------------------------------------------------------------------------
+include <$(DEPTH)\config\rules.mak>
+
--- a/dbm/src/hash.c
+++ b/dbm/src/hash.c
@@ -561,21 +561,19 @@ hdestroy(HTAB *hashp)
 
 	if(hashp->filename) {
 #if defined(_WIN32) || defined(_WINDOWS) || defined(XP_OS2)
 		if (hashp->is_temp)
 			(void)unlink(hashp->filename);
 #endif
 		free(hashp->filename);
 	}
-	if (hashp->tmp_buf)
-	    free(hashp->tmp_buf);
-	if (hashp->tmp_key)
-	    free(hashp->tmp_key);
+
 	free(hashp);
+
 	if (save_errno) {
 		errno = save_errno;
 		return (DBM_ERROR);
 	}
 	return (SUCCESS);
 }
 
 #if defined(_WIN32) || defined(_WINDOWS) 
@@ -897,17 +895,17 @@ hash_access(
             if(ovfl_loop_count > MAX_OVERFLOW_HASH_ACCESS_LOOPS)
     			return (DATABASE_CORRUPTED_ERROR);
 
 			/* FOR LOOP INIT */
 			bp = (uint16 *)rbufp->page;
 			n = *bp++;
 			ndx = 1;
 			off = hashp->BSIZE;
-		} else if (bp[1] < REAL_KEY) {
+		                } else if (bp[1] < REAL_KEY) {
 			if ((ndx =
 			    __find_bigpair(hashp, rbufp, ndx, kp, (int)size)) > 0)
 				goto found;
 			if (ndx == -2) {
 				bufp = rbufp;
 				if (!(pageno =
 				    __find_last_page(hashp, &bufp))) {
 					ndx = 0;
deleted file mode 100644
--- a/security/coreconf/AIX5.1.mk
+++ /dev/null
@@ -1,54 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for AIX5.1
-#
-
-include $(CORE_DEPTH)/coreconf/AIX.mk
-
-
-ifeq ($(USE_64), 1)
-# Next line replaced by generic name handling in arch.mk
-#	COMPILER_TAG    = _64
-	OS_CFLAGS	+= -DAIX_64BIT
-	OBJECT_MODE=64
-	export OBJECT_MODE
-endif
-DSO_LDOPTS	= -brtl -bM:SRE -bnoentry
-MKSHLIB		= $(LD) $(DSO_LDOPTS) -lsvld -L/usr/lpp/xlC/lib -lc -lm
-
-OS_LIBS		+= -L/usr/lpp/xlC/lib -lc -lm
-ifdef MAPFILE
-DSO_LDOPTS      += -bexport:$(MAPFILE)
-else
-DSO_LDOPTS      += -bexpall
-endif
--- a/security/coreconf/Darwin.mk
+++ b/security/coreconf/Darwin.mk
@@ -65,12 +65,10 @@ endif
 
 ARCH		= darwin
 
 # May override this with -bundle to create a loadable module.
 DSO_LDOPTS	= -dynamiclib -compatibility_version 1 -current_version 1 -install_name @executable_path/$(notdir $@)
 
 MKSHLIB		= $(CC) -arch $(CPU_ARCH) $(DSO_LDOPTS)
 DLL_SUFFIX	= dylib
-PROCESS_MAP_FILE = grep -v ';+' $(LIBRARY_NAME).def | grep -v ';-' | \
-                sed -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,,' -e 's,^,_,' > $@
 
 G++INCLUDES	= -I/usr/include/g++
deleted file mode 100644
--- a/security/coreconf/HP-UXB.11.20.mk
+++ /dev/null
@@ -1,55 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 2002 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# On HP-UX 10.30 and 11.x, the default implementation strategy is
-# pthreads.  Classic nspr and pthreads-user are also available.
-#
-
-ifeq ($(OS_RELEASE),B.11.20)
-OS_CFLAGS		+= -DHPUX10
-DEFAULT_IMPL_STRATEGY = _PTH
-endif
-
-#
-# To use the true pthread (kernel thread) library on 10.30 and
-# 11.x, we should define _POSIX_C_SOURCE to be 199506L.
-# The _REENTRANT macro is deprecated.
-#
-
-ifdef USE_PTHREADS
-	OS_CFLAGS	+= -D_POSIX_C_SOURCE=199506L
-endif
-
-#
-# Config stuff for HP-UXB.11.x.
-#
-include $(CORE_DEPTH)/coreconf/HP-UXB.11.mk
--- a/security/coreconf/HP-UXB.11.mk
+++ b/security/coreconf/HP-UXB.11.mk
@@ -36,32 +36,24 @@ include $(CORE_DEPTH)/coreconf/HP-UX.mk
 
 ifdef USE_LONG_LONGS
 USE_HYBRID = 1
 endif
 
 ifndef NS_USE_GCC
     CCC                 = /opt/aCC/bin/aCC -ext
     ifeq ($(USE_64), 1)
-	ifeq ($(OS_TEST), ia64)
-	    OS_CFLAGS	+= -Aa +e +p +DD64
-	else
-	    OS_CFLAGS	+= -Aa +e +DA2.0W +DS2.0 +DChpux
-	endif
+	OS_CFLAGS       +=  -Aa +e +DA2.0W +DS2.0 +DChpux
 # Next line replaced by generic name handling in arch.mk
 #	COMPILER_TAG    = _64
     else
-	ifeq ($(OS_TEST), ia64)
-	    OS_CFLAGS	+= -Aa +e +p +DD32
+	ifdef USE_HYBRID
+	    OS_CFLAGS 	+= -Aa +e +DA2.0 +DS2.0 
 	else
-	    ifdef USE_HYBRID
-		OS_CFLAGS += -Aa +e +DA2.0 +DS2.0 
-	    else
-		OS_CFLAGS += +DAportable +DS2.0
-	    endif
+	    OS_CFLAGS   += +DAportable +DS2.0
 	endif
     endif
 else
     CCC = aCC
 endif
 
 OS_CFLAGS += -DHPUX11 
 OS_LIBS   += -lpthread -lm -lrt
deleted file mode 100644
--- a/security/coreconf/OpenBSD.mk
+++ /dev/null
@@ -1,62 +0,0 @@
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above.  If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-# Config stuff for OpenBSD 
-#
-
-include $(CORE_DEPTH)/coreconf/UNIX.mk
-
-DEFAULT_COMPILER	= gcc
-CC			= gcc
-CCC			= g++
-RANLIB			= ranlib
-
-CPU_ARCH		:= $(shell uname -p)
-ifeq ($(CPU_ARCH),i386)
-OS_REL_CFLAGS		= -Di386
-CPU_ARCH		= x86
-endif
-
-DLL_SUFFIX		= so.1.0
-
-OS_CFLAGS		= $(DSO_CFLAGS) $(OS_REL_CFLAGS) -ansi -Wall -pipe -DOPENBSD
-
-OS_LIBS			= 
-
-ARCH			= openbsd
-
-DSO_CFLAGS		= -fPIC -DPIC
-DSO_LDOPTS		= -shared -Wl,-soname,lib$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
-DSO_LDFLAGS		=
-
-MKSHLIB			= $(CC) $(DSO_LDOPTS)
-
--- a/security/coreconf/config.mk
+++ b/security/coreconf/config.mk
@@ -53,17 +53,17 @@ endif
 # [3.0] Master "Core Components" <architecture>-specific macros       #
 #       (dependent upon <architecture> tags)                          #
 #                                                                     #
 #       We are moving towards just having a $(OS_TARGET).mk file      #
 #       as opposed to multiple $(OS_TARGET)$(OS_RELEASE).mk files,    #
 #       one for each OS release.                                      #
 #######################################################################
 
-TARGET_OSES = FreeBSD BSD_OS NetBSD OpenUNIX OS2 QNX Darwin BeOS OpenBSD
+TARGET_OSES = FreeBSD BSD_OS NetBSD OpenUNIX OS2 QNX Darwin BeOS
 
 ifeq (,$(filter-out $(TARGET_OSES),$(OS_TARGET)))
 include $(CORE_DEPTH)/coreconf/$(OS_TARGET).mk
 else
 include $(CORE_DEPTH)/coreconf/$(OS_TARGET)$(OS_RELEASE).mk
 endif
 
 #######################################################################
--- a/security/coreconf/jdk.mk
+++ b/security/coreconf/jdk.mk
@@ -113,17 +113,17 @@ ifeq ($(OS_ARCH), WINNT)
 
 	LDFLAGS += $(JAVA_LIBS)
 
 	#     currently, disable JIT option on this platform
 	JDK_JIT_OPT = -nojit
 endif
 
 # set [Sun Solaris] platforms
-ifeq ($(OS_ARCH), SunOS)
+ifeq ($(OS_TARGET), SunOS)
 	JAVA_CLASSES = $(JAVA_HOME)/lib/classes.zip
 
 	ifeq ($(JRE_HOME),)
 		JRE_HOME = $(JAVA_HOME)
 		JRE_CLASSES = $(JAVA_CLASSES)
 	else
 		ifeq ($(JRE_CLASSES),)
 			JRE_CLASSES = $(JRE_HOME)/lib/classes.zip
@@ -134,54 +134,46 @@ ifeq ($(OS_ARCH), SunOS)
 
 	# (2) specify "header" information
 	JAVA_ARCH = solaris
 
 	INCLUDES += -I$(JAVA_HOME)/include
 	INCLUDES += -I$(JAVA_HOME)/include/$(JAVA_ARCH)
 
 	# (3) specify "linker" information
-ifeq ($(USE_64), 1)
-	JAVA_CPU = $(shell uname -p)v9
-else
 	JAVA_CPU = $(shell uname -p)
-endif
 
 ifeq ($(JDK_VERSION), 1.1)
 	JAVA_LIBDIR = lib/$(JAVA_CPU)
 else
 	JAVA_LIBDIR = jre/lib/$(JAVA_CPU)
 endif
 
 	#     ** IMPORTANT ** having -lthread before -lnspr is critical on solaris
 	#     when linking with -ljava as nspr redefines symbols in libthread that
 	#     cause JNI executables to fail with assert of bad thread stack values.
 	JAVA_CLIBS = -lthread
 
 ifneq ($(JDK_VERSION), 1.1)
-ifeq ($(USE_64), 1)
-	JAVA_LIBS += -L$(JAVA_HOME)/$(JAVA_LIBDIR)/server
-else
 	JAVA_LIBS += -L$(JAVA_HOME)/$(JAVA_LIBDIR)/classic
-endif
 	JAVA_LIBS += -L$(JAVA_HOME)/$(JAVA_LIBDIR)
 	JAVA_LIBS += -ljvm -ljava
 else
 	JAVA_LIBS += -L$(JAVA_HOME)/$(JAVA_LIBDIR)/$(JDK_THREADING_MODEL) -ljava
 endif
 	JAVA_LIBS += $(JAVA_CLIBS)
 
 	LDFLAGS += $(JAVA_LIBS)
 
 	#     currently, disable JIT option on this platform
 	JDK_JIT_OPT =
 endif
 
 # set [Hewlett Packard HP-UX] platforms
-ifeq ($(OS_ARCH), HP-UX)
+ifeq ($(OS_TARGET), HP-UX)
 	JAVA_CLASSES = $(JAVA_HOME)/lib/classes.zip
 
 	ifeq ($(JRE_HOME),)
 		JRE_HOME = $(JAVA_HOME)
 		JRE_CLASSES = $(JAVA_CLASSES)
 	else
 		ifeq ($(JRE_CLASSES),)
 			JRE_CLASSES = $(JRE_HOME)/lib/classes.zip
@@ -210,17 +202,17 @@ ifeq ($(OS_ARCH), HP-UX)
 
 	LDFLAGS += $(JAVA_LIBS)
 
 	# no JIT option available on this platform
 	JDK_JIT_OPT =
 endif
 
 # set [Redhat Linux] platforms
-ifeq ($(OS_ARCH), Linux)
+ifeq ($(OS_TARGET), Linux)
 	JAVA_CLASSES = $(JAVA_HOME)/lib/classes.zip
 
 	ifeq ($(JRE_HOME),)
 		JRE_HOME = $(JAVA_HOME)
 		JRE_CLASSES = $(JAVA_CLASSES)
 	else
 		ifeq ($(JRE_CLASSES),)
 			JRE_CLASSES = $(JRE_HOME)/lib/classes.zip
@@ -237,32 +229,29 @@ ifeq ($(OS_ARCH), Linux)
 
 	# (3) specify "linker" information
 	JAVA_CPU = i386
 
 	JAVA_LIBDIR = jre/lib/$(JAVA_CPU)
 
 	JAVA_CLIBS =
 
-        ifeq ($(JDK_VERSION), 1.4)
-	    JAVA_LIBS += -L$(JAVA_HOME)/$(JAVA_LIBDIR)/server -ljvm
-        else
-	    JAVA_LIBS += -L$(JAVA_HOME)/$(JAVA_LIBDIR)/classic -ljvm
-	endif
+	JAVA_LIBS  = -L$(JAVA_HOME)/$(JAVA_LIBDIR)/$(JDK_THREADING_MODEL) -lhpi
+	JAVA_LIBS += -L$(JAVA_HOME)/$(JAVA_LIBDIR)/classic -ljvm
 	JAVA_LIBS += -L$(JAVA_HOME)/$(JAVA_LIBDIR) -ljava
 	JAVA_LIBS += $(JAVA_CLIBS)
 
 	LDFLAGS += $(JAVA_LIBS)
 
 	# no JIT option available on this platform
 	JDK_JIT_OPT =
 endif
 
 # set [IBM AIX] platforms
-ifeq ($(OS_ARCH), AIX)
+ifeq ($(OS_TARGET), AIX)
 	JAVA_CLASSES = $(JAVA_HOME)/lib/classes.zip
 
 	ifeq ($(JRE_HOME),)
 		JRE_HOME = $(JAVA_HOME)
 		JRE_CLASSES = $(JAVA_CLASSES)
 	else
 		ifeq ($(JRE_CLASSES),)
 			JRE_CLASSES = $(JRE_HOME)/lib/classes.zip
@@ -291,17 +280,17 @@ ifeq ($(OS_ARCH), AIX)
 
 	LDFLAGS += $(JAVA_LIBS)
 
 	# no JIT option available on this platform
 	JDK_JIT_OPT =
 endif
 
 # set [Digital UNIX] platforms
-ifeq ($(OS_ARCH), OSF1)
+ifeq ($(OS_TARGET), OSF1)
 	JAVA_CLASSES = $(JAVA_HOME)/lib/classes.zip
 
 	ifeq ($(JRE_HOME),)
 		JRE_HOME = $(JAVA_HOME)
 		JRE_CLASSES = $(JAVA_CLASSES)
 	else
 		ifeq ($(JRE_CLASSES),)
 			JRE_CLASSES = $(JRE_HOME)/lib/classes.zip
@@ -330,17 +319,17 @@ ifeq ($(OS_ARCH), OSF1)
 
 	LDFLAGS += $(JAVA_LIBS)
 
 	# no JIT option available on this platform
 	JDK_JIT_OPT =
 endif
 
 # set [Silicon Graphics IRIX] platforms
-ifeq ($(OS_ARCH), IRIX)
+ifeq ($(OS_TARGET), IRIX)
 	JAVA_CLASSES = $(JAVA_HOME)/lib/dev.jar:$(JAVA_HOME)/lib/rt.jar
 
 	ifeq ($(JRE_HOME),)
 		JRE_HOME = $(JAVA_HOME)
 		JRE_CLASSES = $(JAVA_CLASSES)
 	else
 		ifeq ($(JRE_CLASSES),)
 			JRE_CLASSES = $(JRE_HOME)/lib/dev.jar:$(JRE_HOME)/lib/rt.jar
@@ -402,19 +391,16 @@ ifeq ($(JDK_CLASSPATH),)
 	JDK_CLASSPATH = '$(JAVA_DESTPATH)$(PATH_SEPARATOR)$(JAVA_SOURCEPATH)$(PATH_SEPARATOR)$(JAVA_CLASSES)'
 endif
 
 # by default, override CLASSPATH environment variable using the JDK classpath option with $(JDK_CLASSPATH)
 ifeq ($(JDK_CLASSPATH_OPT),)
 	JDK_CLASSPATH_OPT = -classpath $(JDK_CLASSPATH)
 endif
 
-ifeq ($(USE_64), 1)
-	JDK_USE_64 = -d64
-endif
 
 endif
 
 
 #######################################################################
 # [5] Define JDK "Core Components" toolset;                           #
 #     (always allow a user to override these values)                  #
 #######################################################################
@@ -446,32 +432,30 @@ endif
 #
 
 ifeq ($(JAVA),)
 	JAVA_PROG   = $(JAVA_HOME)/bin/java$(PROG_SUFFIX)
 	JAVA_FLAGS  = $(JDK_THREADING_MODEL_OPT)
 	JAVA_FLAGS += $(JDK_DEBUG_OPT)
 	JAVA_FLAGS += $(JDK_CLASSPATH_OPT)
 	JAVA_FLAGS += $(JDK_JIT_OPT)
-	JAVA_FLAGS += $(JDK_USE_64)
 	JAVA        = $(JAVA_PROG) $(JAVA_FLAGS) 
 endif
 
 #
 # (4) javac
 #
 
 ifeq ($(JAVAC),)
 	JAVAC_PROG   = $(JAVA_HOME)/bin/javac$(PROG_SUFFIX)
 	JAVAC_FLAGS  = $(JDK_THREADING_MODEL_OPT)
 	JAVAC_FLAGS += $(JDK_OPTIMIZER_OPT)
 	JAVAC_FLAGS += $(JDK_DEBUG_OPT)
 	JAVAC_FLAGS += $(JDK_CLASSPATH_OPT)
 	JAVAC_FLAGS += $(JDK_CLASS_REPOSITORY_OPT)
-	JAVAC_FLAGS += $(JDK_USE_64)
 	JAVAC        = $(JAVAC_PROG) $(JAVAC_FLAGS)
 endif
 
 #
 # (5) javadoc
 #
 
 ifeq ($(JAVADOC),)
--- a/security/coreconf/nsinstall/pathsub.c
+++ b/security/coreconf/nsinstall/pathsub.c
@@ -64,26 +64,25 @@ fail(char *format, ...)
     R_STRERROR_INIT_R();
 #endif
 
     error = errno;
     fprintf(stderr, "%s: ", program);
     va_start(ap, format);
     vfprintf(stderr, format, ap);
     va_end(ap);
-    if (error) {
+    if (error)
 
 #ifdef USE_REENTRANT_LIBC
     R_STRERROR_R(errno);
 	fprintf(stderr, ": %s", r_strerror_r);
 #else
 	fprintf(stderr, ": %s", strerror(errno));
 #endif
-    }
- 
+
     putc('\n', stderr);
     abort();
     exit(1);
 }
 
 char *
 getcomponent(char *path, char *name)
 {
--- a/security/coreconf/rules.mk
+++ b/security/coreconf/rules.mk
@@ -359,21 +359,16 @@ ifdef XP_OS2_VACPP
 	$(MKSHLIB) $(DLLFLAGS) $(LDFLAGS) $(OBJS) $(SUB_SHLOBJS) $(LD_LIBS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $@.def
 else
 	$(MKSHLIB) -o $@ $(OBJS) $(SUB_SHLOBJS) $(LD_LIBS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS)
 endif
 	chmod +x $@
 ifeq ($(OS_TARGET),OpenVMS)
 	@echo "`translate $@`" > $(@:$(DLL_SUFFIX)=vms)
 endif
-ifeq ($(OS_TARGET),Darwin)
-ifdef MAPFILE
-	nmedit -s $(MAPFILE) $@
-endif
-endif
 endif
 endif
 
 ifeq (,$(filter-out WIN%,$(OS_TARGET)))
 $(RES): $(RESNAME)
 	@$(MAKE_OBJDIR)
 # The resource compiler does not understand the -U option.
 	$(RC) $(filter-out -U%,$(DEFINES)) $(INCLUDES) -Fo$@ $<
deleted file mode 100644
--- a/security/dbm/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-coreconf_hack:
-	cd ../coreconf; gmake
-	gmake import
-
-RelEng_bld: coreconf_hack
-	gmake
deleted file mode 100644
--- a/security/dbm/config/config.mk
+++ /dev/null
@@ -1,67 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#
-# These macros are defined by mozilla's configure script.
-# We define them manually here.
-#
-
-DEFINES += -DSTDC_HEADERS -DHAVE_STRERROR
-
-#
-# Most platforms have snprintf, so it's simpler to list the exceptions.
-#
-HAVE_SNPRINTF = 1
-#
-# OSF1 V4.0D doesn't have snprintf but V5.0A does.
-#
-ifeq ($(OS_TARGET)$(OS_RELEASE),OSF1V4.0D)
-HAVE_SNPRINTF =
-endif
-ifdef HAVE_SNPRINTF
-DEFINES += -DHAVE_SNPRINTF
-endif
-
-ifeq (,$(filter-out IRIX Linux,$(OS_TARGET)))
-DEFINES += -DHAVE_SYS_CDEFS_H
-endif
-
-ifeq (,$(filter-out DGUX NCR ReliantUNIX SCO_SV SCOOS UNIXWARE,$(OS_TARGET)))
-DEFINES += -DHAVE_SYS_BYTEORDER_H
-endif
-
-#
-# None of the platforms that we are interested in need to
-# define HAVE_MEMORY_H.
-#
deleted file mode 100644
--- a/security/dbm/include/Makefile
+++ /dev/null
@@ -1,76 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-
deleted file mode 100644
--- a/security/dbm/include/manifest.mn
+++ /dev/null
@@ -1,57 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-CORE_DEPTH = ../..
-
-VPATH  = $(CORE_DEPTH)/../dbm/include
-
-MODULE = dbm
-
-EXPORTS =	nsres.h   \
-		cdefs.h   \
-		mcom_db.h \
-		ncompat.h \
-		winfile.h \
-		$(NULL)
-
-PRIVATE_EXPORTS =	hsearch.h \
-			page.h    \
-			extern.h  \
-			ndbm.h    \
-			queue.h   \
-			hash.h    \
-			mpool.h   \
-			search.h  \
-			$(NULL)
-
deleted file mode 100644
--- a/security/dbm/manifest.mn
+++ /dev/null
@@ -1,45 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-CORE_DEPTH = ..
-
-MODULE = dbm
-
-IMPORTS = nspr20/v4.1.2
-
-RELEASE = dbm
-
-DIRS =  include \
-        src     \
-	$(NULL)
deleted file mode 100644
--- a/security/dbm/src/Makefile
+++ /dev/null
@@ -1,76 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-include $(CORE_DEPTH)/dbm/config/config.mk
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-
deleted file mode 100644
--- a/security/dbm/src/config.mk
+++ /dev/null
@@ -1,63 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-DEFINES += -DMEMMOVE -D__DBINTERFACE_PRIVATE $(SECURITY_FLAG)
-
-INCLUDES += -I$(CORE_DEPTH)/../dbm/include
-
-#
-#  Currently, override TARGETS variable so that only static libraries
-#  are specifed as dependencies within rules.mk.
-#
-
-TARGETS        = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PURE_LIBRARY   =
-PROGRAM        =
-
-ifdef SHARED_LIBRARY
-	ifeq (,$(filter-out WINNT WIN95 WINCE,$(OS_TARGET))) # list omits WIN16
-		DLLBASE=/BASE:0x30000000
-		RES=$(OBJDIR)/dbm.res
-		RESNAME=../include/dbm.rc
-	endif
-	ifeq ($(DLL_SUFFIX),dll)
-		DEFINES += -D_DLL
-	endif
-endif
-
-ifeq ($(OS_TARGET),AIX)
-	OS_LIBS += -lc_r
-endif
deleted file mode 100644
--- a/security/dbm/src/dirent.c
+++ /dev/null
@@ -1,348 +0,0 @@
-#ifdef OS2
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-
-#include <dirent.h>
-#include <errno.h>
-
-/*#ifndef __EMX__ 
-#include <libx.h>
-#endif */
-
-#define INCL_DOSFILEMGR
-#define INCL_DOSERRORS
-#include <os2.h>
-
-#if OS2 >= 2
-# define FFBUF	FILEFINDBUF3
-# define Word	ULONG
-  /*
-   * LS20 recommends a request count of 100, but according to the
-   * APAR text it does not lead to missing files, just to funny
-   * numbers of returned entries.
-   *
-   * LS30 HPFS386 requires a count greater than 2, or some files
-   * are missing (those starting with a character less that '.').
-   *
-   * Novell looses entries which overflow the buffer. In previous
-   * versions of dirent2, this could have lead to missing files
-   * when the average length of 100 directory entries was 40 bytes
-   * or more (quite unlikely for files on a Novell server).
-   *
-   * Conclusion: Make sure that the entries all fit into the buffer
-   * and that the buffer is large enough for more than 2 entries
-   * (each entry is at most 300 bytes long). And ignore the LS20
-   * effect.
-   */
-# define Count	25
-# define BufSz	(25 * (sizeof(FILEFINDBUF3)+1))
-#else
-# define FFBUF	FILEFINDBUF
-# define Word	USHORT
-# define BufSz	1024
-# define Count	3
-#endif
-
-#if defined(__IBMC__) || defined(__IBMCPP__)
-  #define error(rc) _doserrno = rc, errno = EOS2ERR
-#elif defined(MICROSOFT)
-  #define error(rc) _doserrno = rc, errno = 255
-#else
-  #define error(rc) errno = 255
-#endif
-
-struct _dirdescr {
-	HDIR		handle;		/* DosFindFirst handle */
-	char		fstype;		/* filesystem type */
-	Word		count;		/* valid entries in <ffbuf> */
-	long		number;		/* absolute number of next entry */
-	int		index;		/* relative number of next entry */
-	FFBUF *		next;		/* pointer to next entry */
-	char		name[MAXPATHLEN+3]; /* directory name */
-	unsigned	attrmask;	/* attribute mask for seekdir */
-	struct dirent	entry;		/* buffer for directory entry */
-	BYTE		ffbuf[BufSz];
-};
-
-/*
- * Return first char of filesystem type, or 0 if unknown.
- */
-static char
-getFSType(const char *path)
-{
-	static char cache[1+26];
-	char drive[3], info[512];
-	Word unit, infolen;
-	char r;
-
-	if (isalpha(path[0]) && path[1] == ':') {
-		unit = toupper(path[0]) - '@';
-		path += 2;
-	} else {
-		ULONG driveMap;
-#if OS2 >= 2
-		if (DosQueryCurrentDisk(&unit, &driveMap))
-#else
-		if (DosQCurDisk(&unit, &driveMap))
-#endif
-			return 0;
-	}
-
-	if ((path[0] == '\\' || path[0] == '/')
-	 && (path[1] == '\\' || path[1] == '/'))
-		return 0;
-
-	if (cache [unit])
-		return cache [unit];
-
-	drive[0] = '@' + unit;
-	drive[1] = ':';
-	drive[2] = '\0';
-	infolen = sizeof info;
-#if OS2 >= 2
-	if (DosQueryFSAttach(drive, 0, FSAIL_QUERYNAME, (PVOID)info, &infolen))
-		return 0;
-	if (infolen >= sizeof(FSQBUFFER2)) {
-		FSQBUFFER2 *p = (FSQBUFFER2 *)info;
-		r = p->szFSDName[p->cbName];
-	} else
-#else
-	if (DosQFSAttach((PSZ)drive, 0, FSAIL_QUERYNAME, (PVOID)info, &infolen, 0))
-		return 0;
-	if (infolen >= 9) {
-		char *p = info + sizeof(USHORT);
-		p += sizeof(USHORT) + *(USHORT *)p + 1 + sizeof(USHORT);
-		r = *p;
-	} else
-#endif
-		r = 0;
-	return cache [unit] = r;
-}
-
-char *
-abs_path(const char *name, char *buffer, int len)
-{
-	char buf[4];
-	if (isalpha(name[0]) && name[1] == ':' && name[2] == '\0') {
-		buf[0] = name[0];
-		buf[1] = name[1];
-		buf[2] = '.';
-		buf[3] = '\0';
-		name = buf;
-	}
-#if OS2 >= 2
-	if (DosQueryPathInfo((PSZ)name, FIL_QUERYFULLNAME, buffer, len))
-#else
-	if (DosQPathInfo((PSZ)name, FIL_QUERYFULLNAME, (PBYTE)buffer, len, 0L))
-#endif
-		return NULL;
-	return buffer;
-}
-
-DIR *
-openxdir(const char *path, unsigned att_mask)
-{
-	DIR *dir;
-	char name[MAXPATHLEN+3];
-	Word rc;
-
-	dir = malloc(sizeof(DIR));
-	if (dir == NULL) {
-		errno = ENOMEM;
-		return NULL;
-	}
-
-	strncpy(name, path, MAXPATHLEN);
-	name[MAXPATHLEN] = '\0';
-	switch (name[strlen(name)-1]) {
-	default:
-		strcat(name, "\\");
-	case '\\':
-	case '/':
-	case ':':
-		;
-	}
-	strcat(name, ".");
-	if (!abs_path(name, dir->name, MAXPATHLEN+1))
-		strcpy(dir->name, name);
-	if (dir->name[strlen(dir->name)-1] == '\\')
-		strcat(dir->name, "*");
-	else
-		strcat(dir->name, "\\*");
-
-	dir->fstype = getFSType(dir->name);
-	dir->attrmask = att_mask | A_DIR;
-
-	dir->handle = HDIR_CREATE;
-	dir->count = 100;
-#if OS2 >= 2
-	rc = DosFindFirst(dir->name, &dir->handle, dir->attrmask,
-		dir->ffbuf, sizeof dir->ffbuf, &dir->count, FIL_STANDARD);
-#else
-	rc = DosFindFirst((PSZ)dir->name, &dir->handle, dir->attrmask,
-		(PFILEFINDBUF)dir->ffbuf, sizeof dir->ffbuf, &dir->count, 0);
-#endif
-	switch (rc) {
-	default:
-		free(dir);
-		error(rc);
-		return NULL;
-	case NO_ERROR:
-	case ERROR_NO_MORE_FILES:
-		;
-	}
-
-	dir->number = 0;
-	dir->index = 0;
-	dir->next = (FFBUF *)dir->ffbuf;
-
-	return (DIR *)dir;
-}
-
-DIR *
-opendir(const char *pathname)
-{
-	return openxdir(pathname, 0);
-}
-
-struct dirent *
-readdir(DIR *dir)
-{
-	static int dummy_ino = 2;
-
-	if (dir->index == dir->count) {
-		Word rc;
-		dir->count = 100;
-#if OS2 >= 2
-		rc = DosFindNext(dir->handle, dir->ffbuf,
-			sizeof dir->ffbuf, &dir->count);
-#else
-		rc = DosFindNext(dir->handle, (PFILEFINDBUF)dir->ffbuf,
-			sizeof dir->ffbuf, &dir->count);
-#endif
-		if (rc) {
-			error(rc);
-			return NULL;
-		}
-
-		dir->index = 0;
-		dir->next = (FFBUF *)dir->ffbuf;
-	}
-
-	if (dir->index == dir->count)
-		return NULL;
-
-	memcpy(dir->entry.d_name, dir->next->achName, dir->next->cchName);
-	dir->entry.d_name[dir->next->cchName] = '\0';
-	dir->entry.d_ino = dummy_ino++;
-	dir->entry.d_reclen = dir->next->cchName;
-	dir->entry.d_namlen = dir->next->cchName;
-	dir->entry.d_size = dir->next->cbFile;
-	dir->entry.d_attribute = dir->next->attrFile;
-	dir->entry.d_time = *(USHORT *)&dir->next->ftimeLastWrite;
-	dir->entry.d_date = *(USHORT *)&dir->next->fdateLastWrite;
-
-	switch (dir->fstype) {
-	case 'F': /* FAT */
-	case 'C': /* CDFS */
-		if (dir->next->attrFile & FILE_DIRECTORY)
-			strupr(dir->entry.d_name);
-		else
-			strlwr(dir->entry.d_name);
-	}
-
-#if OS2 >= 2
-	dir->next = (FFBUF *)((BYTE *)dir->next + dir->next->oNextEntryOffset);
-#else
-	dir->next = (FFBUF *)((BYTE *)dir->next->achName + dir->next->cchName + 1);
-#endif
-	++dir->number;
-	++dir->index;
-
-	return &dir->entry;
-}
-
-long
-telldir(DIR *dir)
-{
-	return dir->number;
-}
-
-void
-seekdir(DIR *dir, long off)
-{
-	if (dir->number > off) {
-		char name[MAXPATHLEN+2];
-		Word rc;
-
-		DosFindClose(dir->handle);
-
-		strcpy(name, dir->name);
-		strcat(name, "*");
-
-		dir->handle = HDIR_CREATE;
-		dir->count = 32767;
-#if OS2 >= 2
-		rc = DosFindFirst(name, &dir->handle, dir->attrmask,
-			dir->ffbuf, sizeof dir->ffbuf, &dir->count, FIL_STANDARD);
-#else
-		rc = DosFindFirst((PSZ)name, &dir->handle, dir->attrmask,
-			(PFILEFINDBUF)dir->ffbuf, sizeof dir->ffbuf, &dir->count, 0);
-#endif
-		switch (rc) {
-		default:
-			error(rc);
-			return;
-		case NO_ERROR:
-		case ERROR_NO_MORE_FILES:
-			;
-		}
-
-		dir->number = 0;
-		dir->index = 0;
-		dir->next = (FFBUF *)dir->ffbuf;
-	}
-
-	while (dir->number < off && readdir(dir))
-		;
-}
-
-void
-closedir(DIR *dir)
-{
-	DosFindClose(dir->handle);
-	free(dir);
-}
-
-/*****************************************************************************/
-
-#ifdef TEST
-
-main(int argc, char **argv)
-{
-	int i;
-	DIR *dir;
-	struct dirent *ep;
-
-	for (i = 1; i < argc; ++i) {
-		dir = opendir(argv[i]);
-		if (!dir)
-			continue;
-		while (ep = readdir(dir))
-			if (strchr("\\/:", argv[i] [strlen(argv[i]) - 1]))
-				printf("%s%s\n", argv[i], ep->d_name);
-			else
-				printf("%s/%s\n", argv[i], ep->d_name);
-		closedir(dir);
-	}
-
-	return 0;
-}
-
-#endif
-
-#endif /* OS2 */
-
deleted file mode 100644
--- a/security/dbm/src/dirent.h
+++ /dev/null
@@ -1,97 +0,0 @@
-#ifndef __DIRENT_H__
-#define __DIRENT_H__
-/*
- * @(#)msd_dir.h 1.4 87/11/06   Public Domain.
- *
- *  A public domain implementation of BSD directory routines for
- *  MS-DOS.  Written by Michael Rendell ({uunet,utai}michael@garfield),
- *  August 1897
- *
- *  Extended by Peter Lim (lim@mullian.oz) to overcome some MS DOS quirks
- *  and returns 2 more pieces of information - file size & attribute.
- *  Plus a little reshuffling of some #define's positions    December 1987
- *
- *  Some modifications by Martin Junius                      02-14-89
- *
- *	AK900712
- *	AK910410	abs_path - make absolute path
- *
- */
-
-#ifdef __EMX__
-#include <sys/param.h>
-#else
-#if defined(__IBMC__) || defined(__IBMCPP__) || defined(XP_W32_MSVC)
-#include <stdio.h>
-#ifdef MAXPATHLEN
-	#undef MAXPATHLEN
-#endif
-#define MAXPATHLEN (FILENAME_MAX*4)
-#define MAXNAMLEN FILENAME_MAX
-
-#else
-#include <param.h>
-#endif
-#endif
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* attribute stuff */
-#ifndef A_RONLY
-# define A_RONLY   0x01
-# define A_HIDDEN  0x02
-# define A_SYSTEM  0x04
-# define A_LABEL   0x08
-# define A_DIR     0x10
-# define A_ARCHIVE 0x20
-#endif
-
-struct dirent {
-#if defined(OS2) || defined(WIN32)        /* use the layout of EMX to avoid trouble */
-    int            d_ino;                 /* Dummy */
-    int            d_reclen;		  /* Dummy, same as d_namlen */
-    int            d_namlen;              /* length of name */
-    char           d_name[MAXNAMLEN + 1];
-    unsigned long  d_size;
-    unsigned short d_attribute;           /* attributes (see above) */
-    unsigned short d_time;                /* modification time */
-    unsigned short d_date;                /* modification date */
-#else
-    char	   d_name[MAXNAMLEN + 1]; /* garentee null termination */
-    char	   d_attribute;		  /* .. extension .. */
-    unsigned long  d_size;		  /* .. extension .. */
-#endif
-};
-
-typedef struct _dirdescr DIR;
-/* the structs do not have to be defined here */
-
-extern DIR		*opendir(const char *);
-extern DIR		*openxdir(const char *, unsigned);
-extern struct dirent	*readdir(DIR *);
-extern void		seekdir(DIR *, long);
-extern long		telldir(DIR *);
-extern void 		closedir(DIR *);
-#define			rewinddir(dirp) seekdir(dirp, 0L)
-
-extern char *		abs_path(const char *name, char *buffer, int len);
-
-#ifndef S_IFMT
-#define S_IFMT ( S_IFDIR | S_IFREG )
-#endif
-
-#ifndef S_ISDIR
-#define S_ISDIR( m )                    (((m) & S_IFMT) == S_IFDIR)
-#endif
-
-#ifndef S_ISREG
-#define S_ISREG( m )                    (((m) & S_IFMT) == S_IFREG)
-#endif
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
deleted file mode 100644
--- a/security/dbm/src/manifest.mn
+++ /dev/null
@@ -1,61 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-CORE_DEPTH = ../..
-
-VPATH  = $(CORE_DEPTH)/../dbm/src
-
-MODULE = dbm
-
-#
-# memmove.c, snprintf.c, and strerror.c are not in CSRCS because
-# the Standard C Library has memmove and strerror and DBM is not
-# using snprintf.
-#
-
-CSRCS = db.c	   \
-	h_bigkey.c \
-	h_func.c   \
-	h_log2.c   \
-	h_page.c   \
-	hash.c	   \
-	hash_buf.c \
-	hsearch.c  \
-	mktemp.c   \
-	ndbm.c	   \
-	nsres.c	   \
-	dirent.c	   \
-	$(NULL)
-
-LIBRARY_NAME = dbm
deleted file mode 100644
--- a/security/dbm/tests/Makefile
+++ /dev/null
@@ -1,69 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-DEPTH		= ../..
-CORE_DEPTH	= ../..
-
-VPATH		= $(CORE_DEPTH)/../dbm/tests
-
-MODULE		= dbm
-
-CSRCS		= lots.c
-
-PROGRAM		= lots
-
-include $(DEPTH)/coreconf/config.mk
-
-include $(DEPTH)/dbm/config/config.mk
-
-ifeq (,$(filter-out WIN%,$(OS_TARGET))) 
-LIBDBM		= ../src/$(PLATFORM)/dbm$(STATIC_LIB_SUFFIX)
-else
-LIBDBM		= ../src/$(PLATFORM)/libdbm$(STATIC_LIB_SUFFIX)
-endif
-
-INCLUDES	+= -I$(CORE_DEPTH)/../dbm/include
-
-LDFLAGS		= $(LDOPTS) $(LIBDBM)
-
-include $(DEPTH)/coreconf/rules.mk
-
-lots.pure: lots
-	purify $(CC) -o lots.pure $(CFLAGS) $(OBJS) $(MYLIBS)
-
-crash: crash.o $(MYLIBS)
-	$(CC) -o crash $(CFLAGS) $^
-
-crash.pure: crash.o $(MYLIBS)
-	purify $(CC) -o crash.pure $(CFLAGS) $^
-
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/modutil/README.TXT
@@ -0,0 +1,7 @@
+                    CRYPTOGRAPHIC MODULE UTILITY (modutil)
+                                VERSION 1.0
+              ===============================================
+
+The file specification.html documentats the software.
+
+The file pk11jar.html documents the PKCS #11 JAR format.
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/signtool/README.TXT
@@ -0,0 +1,119 @@
+                       Signing Tool (signtool)
+                         1.3 Release Notes
+               ========================================
+
+Documentation is provided online at mozilla.org
+
+Problems or questions not covered by the online documentation can be
+discussed in the DevEdge Security Newsgroup.
+
+=== New Features in 1.3
+=======================
+
+The security library components have been upgraded to utilize NSS_2_7_1_RTM.
+This means that the maximum RSA keysize now supported should be 4096 bits.
+
+=== Zigbert 0.6 Support
+=======================
+This program was previously named Zigbert.  The last version of zigbert
+was Zigbert 0.6.  Because all the functionality of Zigbert is maintained in
+signtool 1.2, Zigbert is no longer supported.  If you have problems
+using Zigbert, please upgrade to signtool 1.2.
+
+=== New Features in 1.2
+=======================
+
+Certificate Generation Improvements
+-----------------------------------
+Two new options have been added to control generation of self-signed object
+signing certificates with the -G option. The -s option takes the size (in bits)
+of the generated RSA private key.  The -t option takes the name of the PKCS #11
+token on which to generate the keypair and install the certificate.  Both
+options are optional.  By default, the private key is 1024 bits and is generated
+on the internal software token.
+
+
+=== New Features in 1.1
+=======================
+
+File I/O
+--------
+Signtool can now read its options from a command file specified with the -f
+option on the command line. The format for the file is described in the
+documentation.
+Error messages and informational output can be redirected to an output file
+by supplying the "--outfile" option on the command line or the "outfile="
+option in the command file.
+
+New Options
+-----------
+"--norecurse" tells Signtool not to recurse into subdirectories when signing
+directories or parsing HTML with the -J option.
+"--leavearc" tells Signtool not to delete the temporary .arc directories
+produced by the -J option.  This can aid debugging.
+"--verbosity" tells Signtool how much information to display. 0 is the
+default. -1 suppresses most messages, except for errors.
+
+=== Bug Fixes in 1.1
+====================
+
+-J option revamped
+------------------
+The -J option, which parses HTML files, extracts Java and Javascript code,
+and stores them in signed JAR files, has been re-implemented. Several bugs
+have been fixed:
+- CODEBASE attribute is no longer ignored
+- CLASS and SRC attributes can be be paths ("xxx/xxx/x.class") rather than
+  just filenames ("x.class").
+- LINK tags are handled correctly
+- various HTML parsing bugs fixed
+- error messages are more informative
+
+No Password on Key Database
+---------------------------
+If you had not yet set a Communicator password (which locks key3.db, the
+key database), signtool would fail with a cryptic error message whenever it
+attempted to verify the password.  Now this condition is detected at the
+beginning of the program, and a more informative message is displayed.
+
+-x and -e Options
+-----------------
+Previously, only one of each of these options could be specified on the command
+line. Now arbitrarily many can be specified.  For example, to sign only files
+with .class or .js extensions, the arguments "-eclass -ejs" could both be
+specified. To exclude the directories "subdir1" and "subdir2" from signing,
+the arguments "-x subdir1 -x subdir2" could both be specified.
+
+New Features in 1.0
+===================
+
+Creation of JAR files
+----------------------
+The -Z option causes signtool to output a JAR file formed by storing the
+signed archive in ZIP format.  This eliminates the need to use a separate ZIP
+utility.  The -c option specifies the compression level of the resulting
+JAR file.
+
+Generation of Object-Signing Certificates and Keys
+--------------------------------------------------
+The -G option will create a new, self-signed object-signing certificate
+which can be used for testing purposes.  The generated certificate and 
+associated public and private keys will be installed in the cert7.db and
+key3.db files in the directory specified with the -d option (unless the key
+is generated on an external token using the -t option). On Unix systems,
+if no directory is specified, the user's Netscape directory (~/.netscape)
+will be used. In addition, the certificate is output in X509 format to the
+files x509.raw and x509.cacert in the current directory.  x509.cacert can
+be published on a web page and imported into browsers that visit that page.
+
+Extraction and Signing of JavaScript from HTML
+----------------------------------------------
+The -J option activates the same functionality provided by the signpages
+Perl script.  It will parse a directory of html files, creating archives
+of the JavaScript called from the HTML. These archives are then signed and
+made into JAR files.
+
+Enhanced Smart Card Support
+---------------------------
+Certificates that reside on smart cards are displayed when using the -L and
+-l options.
deleted file mode 100644
--- a/security/nss/cmd/tests/Makefile
+++ /dev/null
@@ -1,73 +0,0 @@
-#! gmake
-# 
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-include ../platrules.mk
deleted file mode 100644
--- a/security/nss/cmd/tests/manifest.mn
+++ /dev/null
@@ -1,50 +0,0 @@
-# 
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-CORE_DEPTH = ../../..
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = security
-
-CSRCS = vercrt.c \
-	vercrtfps.c
-
-# The MODULE is always implicitly required.
-# Listing it here in REQUIRES makes it appear twice in the cc command line.
-REQUIRES = dbm seccmd
-
-PROGRAMS = $(CSRCS:.c=)
-
-TARGETS = $(PROGRAMS)
-
-NO_MD_RELEASE = 1
deleted file mode 100644
--- a/security/nss/cmd/vfyserv/Makefile
+++ /dev/null
@@ -1,82 +0,0 @@
-#! gmake
-# 
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-ifeq (,$(filter-out WINNT WIN95 WIN16,$(OS_TARGET)))  # omits WINCE
-ifndef BUILD_OPT
-LDFLAGS   +=  /subsystem:console /profile /debug /machine:I386 /incremental:no
-OS_CFLAGS += -D_CONSOLE
-endif
-endif
-
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-#include ../platlibs.mk
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include ../platrules.mk
-
deleted file mode 100644
--- a/security/nss/cmd/vfyserv/makefile.win
+++ /dev/null
@@ -1,130 +0,0 @@
-# 
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-VERBOSE	= 1
-include <manifest.mn>
-
-#cannot define PROGRAM in manifest compatibly with NT and UNIX
-PROGRAM = tstclnt
-PROGRAM	= ./$(OBJDIR)/$(PROGRAM).exe
-include <$(DEPTH)\config\config.mak>
-
-# let manifest generate C_OBJS, it will prepend ./$(OBJDIR)/
-# rules.mak will append C_OBJS onto OBJS.
-# OBJS	= $(CSRCS:.c=.obj)
-
-# include files are looked for in $LINCS and $INCS.
-# $LINCS is in manifest.mnw, computed from REQUIRES=
-INCS = $(INCS) \
- -I$(DEPTH)/security/lib/cert \
- -I../include \
- $(NULL)
-
-IGNORE_ME = \
- -I$(DEPTH)/security/lib/key \
- -I$(DEPTH)/security/lib/util  \
- $(NULL)
-
-
-WINFE	= $(DEPTH)/cmd/winfe/mkfiles$(MOZ_BITS)/x86Dbg
-
-# these files are the content of libdbm
-DBM_LIB	= \
- $(WINFE)/DB.obj \
- $(WINFE)/HASH.obj \
- $(WINFE)/H_BIGKEY.obj \
- $(WINFE)/H_PAGE.obj \
- $(WINFE)/H_LOG2.obj \
- $(WINFE)/H_FUNC.obj \
- $(WINFE)/HASH_BUF.obj \
- $(NULL)
-
-MOZ_LIBS = \
- $(WINFE)/ALLXPSTR.obj \
- $(WINFE)/XP_ERROR.obj \
- $(WINFE)/XPASSERT.obj \
- $(WINFE)/XP_REG.obj \
- $(WINFE)/XP_TRACE.obj \
- $(DBM_LIB) \
- $(WINFE)/XP_STR.obj \
- $(WINFE)/MKTEMP.obj \
- $(NULL)
-
-SEC_LIBS = \
- $(DIST)/lib/cert$(MOZ_BITS).lib \
- $(DIST)/lib/crypto$(MOZ_BITS).lib \
- $(DIST)/lib/hash$(MOZ_BITS).lib \
- $(DIST)/lib/key$(MOZ_BITS).lib \
- $(DIST)/lib/pkcs7$(MOZ_BITS).lib \
- $(DIST)/lib/secmod$(MOZ_BITS).lib \
- $(DIST)/lib/secutl$(MOZ_BITS).lib \
- $(DIST)/lib/ssl$(MOZ_BITS).lib \
- $(NULL)
-
-LLFLAGS	= $(LLFLAGS) \
- ../lib/$(OBJDIR)/sectool$(MOZ_BITS).lib \
- $(SEC_LIBS) \
- $(MOZ_LIBS) \
- $(DEPTH)/nspr/src/$(OBJDIR)/getopt.obj \
- $(LIBNSPR) \
- $(NULL)
-
-
-include <$(DEPTH)\config\rules.mak>
-
-INSTALL	= $(MAKE_INSTALL)
-
-objs:	$(OBJS)
-
-$(PROGRAM)::
-	$(INSTALL) $(DIST)/bin/pr3240.dll ./$(OBJDIR)
-
-programs: $(PROGRAM)
-
-install:: $(TARGETS)
-	$(INSTALL) $(TARGETS) $(DIST)/bin
-
-
-symbols:
-	@echo "CSRCS	= $(CSRCS)"
-	@echo "INCS	= $(INCS)"
-	@echo "OBJS	= $(OBJS)"
-	@echo "LIBRARY	= $(LIBRARY)"
-	@echo "PROGRAM	= $(PROGRAM)"
-	@echo "TARGETS	= $(TARGETS)"
-	@echo "DIST	= $(DIST)"
-	@echo "VERSION_NUMBER	= $(VERSION_NUMBER)"
-	@echo "WINFE	= $(WINFE)"
-	@echo "DBM_LIB	= $(DBM_LIB)"
-	@echo "INSTALL	= $(INSTALL)"
-
deleted file mode 100644
--- a/security/nss/cmd/vfyserv/manifest.mn
+++ /dev/null
@@ -1,51 +0,0 @@
-# 
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-CORE_DEPTH = ../../..
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = security
-
-# This next line is used by .mk files
-# and gets translated into $LINCS in manifest.mnw
-# The MODULE is always implicitly required.
-# Listing it here in REQUIRES makes it appear twice in the cc command line.
-REQUIRES = seccmd dbm 
-
-# DIRS = 
-
-CSRCS	= vfyserv.c  vfyutil.c
-DEFINES += -DDLL_PREFIX=\"$(DLL_PREFIX)\" -DDLL_SUFFIX=\"$(DLL_SUFFIX)\"
-
-PROGRAM	= vfyserv
-
deleted file mode 100644
--- a/security/nss/cmd/vfyserv/vfyserv.c
+++ /dev/null
@@ -1,450 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- * 
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- * 
- * The Original Code is the Netscape security libraries.
- * 
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation.  Portions created by Netscape are 
- * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
- * Rights Reserved.
- * 
- * Contributor(s):
- * 
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable 
- * instead of those above.  If you wish to allow use of your 
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL.  If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/****************************************************************************
- *  SSL client program that tests  a server for proper operation of SSL2,   *
- *  SSL3, and TLS. Test propder certificate installation.                   *
- *                                                                          *
- *  This code was modified from the SSLSample code also kept in the NSS     *
- *  directory.                                                              *
- ****************************************************************************/ 
-
-#include <stdio.h>
-#include <string.h>
-
-#if defined(XP_UNIX)
-#include <unistd.h>
-#endif
-
-#include "prerror.h"
-
-#include "pk11func.h"
-#include "secmod.h"
-#include "secitem.h"
-
-
-#include <stdlib.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <stdarg.h>
-
-#include "nspr.h"
-#include "plgetopt.h"
-#include "prio.h"
-#include "prnetdb.h"
-#include "nss.h"
-
-#include "vfyserv.h"
-
-#define RD_BUF_SIZE (60 * 1024)
-
-extern int ssl2CipherSuites[];
-extern int ssl3CipherSuites[];
-
-GlobalThreadMgr threadMGR;
-char *certNickname = NULL;
-char *hostName = NULL;
-char *password = NULL;
-unsigned short port = 0;
-
-static void
-Usage(const char *progName)
-{
-	fprintf(stderr, 
-	  "Usage: %s [-p port] [-c connections] [-C cipher(s)] hostname\n",
-	progName);
-	exit(1);
-}
-
-PRFileDesc *
-setupSSLSocket(PRNetAddr *addr)
-{
-	PRFileDesc         *tcpSocket;
-	PRFileDesc         *sslSocket;
-	PRSocketOptionData	socketOption;
-	PRStatus            prStatus;
-	SECStatus           secStatus;
-
-
-	tcpSocket = PR_NewTCPSocket();
-	if (tcpSocket == NULL) {
-		errWarn("PR_NewTCPSocket");
-	}
-
-	/* Make the socket blocking. */
-	socketOption.option	            = PR_SockOpt_Nonblocking;
-	socketOption.value.non_blocking = PR_FALSE;
-
-	prStatus = PR_SetSocketOption(tcpSocket, &socketOption);
-	if (prStatus != PR_SUCCESS) {
-		errWarn("PR_SetSocketOption");
-		goto loser;
-	} 
-
-
-	/* Import the socket into the SSL layer. */
-	sslSocket = SSL_ImportFD(NULL, tcpSocket);
-	if (!sslSocket) {
-		errWarn("SSL_ImportFD");
-		goto loser;
-	}
-
-	/* Set configuration options. */
-	secStatus = SSL_OptionSet(sslSocket, SSL_SECURITY, PR_TRUE);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_OptionSet:SSL_SECURITY");
-		goto loser;
-	}
-
-	secStatus = SSL_OptionSet(sslSocket, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_OptionSet:SSL_HANDSHAKE_AS_CLIENT");
-		goto loser;
-	}
-
-	/* Set SSL callback routines. */
-	secStatus = SSL_GetClientAuthDataHook(sslSocket,
-	                          (SSLGetClientAuthData)myGetClientAuthData,
-	                          (void *)certNickname);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_GetClientAuthDataHook");
-		goto loser;
-	}
-
-	secStatus = SSL_AuthCertificateHook(sslSocket,
-	                                   (SSLAuthCertificate)myAuthCertificate,
-                                       (void *)CERT_GetDefaultCertDB());
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_AuthCertificateHook");
-		goto loser;
-	}
-
-	secStatus = SSL_BadCertHook(sslSocket, 
-	                           (SSLBadCertHandler)myBadCertHandler, NULL);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_BadCertHook");
-		goto loser;
-	}
-
-	secStatus = SSL_HandshakeCallback(sslSocket, 
-	                                 (SSLHandshakeCallback)myHandshakeCallback,
-	                                 NULL);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_HandshakeCallback");
-		goto loser;
-	}
-
-	return sslSocket;
-
-loser:
-
-	PR_Close(tcpSocket);
-	return NULL;
-}
-
-
-const char requestString[] = {"GET /testfile HTTP/1.0\r\n\r\n" };
-
-SECStatus
-handle_connection(PRFileDesc *sslSocket, int connection)
-{
-	int	countRead = 0;
-	PRInt32  numBytes;
-	char    *readBuffer;
-
-	readBuffer = PORT_Alloc(RD_BUF_SIZE);
-	if (!readBuffer) {
-		exitErr("PORT_Alloc");
-	}
-
-	/* compose the http request here. */
-
-	numBytes = PR_Write(sslSocket, requestString, strlen(requestString));
-	if (numBytes <= 0) {
-		errWarn("PR_Write");
-		PR_Free(readBuffer);
-		readBuffer = NULL;
-		return SECFailure;
-	}
-
-	/* read until EOF */
-	while (PR_TRUE) {
-		numBytes = PR_Read(sslSocket, readBuffer, RD_BUF_SIZE);
-		if (numBytes == 0) {
-			break;	/* EOF */
-		}
-		if (numBytes < 0) {
-			errWarn("PR_Read");
-			break;
-		}
-		countRead += numBytes;
-	}
-
-	printSecurityInfo(stderr, sslSocket);
-	
-	PR_Free(readBuffer);
-	readBuffer = NULL;
-
-	/* Caller closes the socket. */
-
-	fprintf(stderr, 
-	        "***** Connection %d read %d bytes total.\n", 
-	        connection, countRead);
-
-	return SECSuccess;	/* success */
-}
-
-#define BYTE(n,i) (((i)>>((n)*8))&0xff)
-
-/* one copy of this function is launched in a separate thread for each
-** connection to be made.
-*/
-SECStatus
-do_connects(void *a, int connection)
-{
-	PRNetAddr  *addr = (PRNetAddr *)a;
-	PRFileDesc *sslSocket;
-	PRHostEnt   hostEntry;
-	char        buffer[PR_NETDB_BUF_SIZE];
-	PRStatus    prStatus;
-	PRIntn      hostenum;
-	PRInt32    ip;
-	SECStatus   secStatus;
-
-	/* Set up SSL secure socket. */
-	sslSocket = setupSSLSocket(addr);
-	if (sslSocket == NULL) {
-		errWarn("setupSSLSocket");
-		return SECFailure;
-	}
-
-	secStatus = SSL_SetPKCS11PinArg(sslSocket, password);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_SetPKCS11PinArg");
-		return secStatus;
-	}
-
-	secStatus = SSL_SetURL(sslSocket, hostName);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_SetURL");
-		return secStatus;
-	}
-
-	/* Prepare and setup network connection. */
-	prStatus = PR_GetHostByName(hostName, buffer, sizeof(buffer), &hostEntry);
-	if (prStatus != PR_SUCCESS) {
-		errWarn("PR_GetHostByName");
-		return SECFailure;
-	}
-
-	hostenum = PR_EnumerateHostEnt(0, &hostEntry, port, addr);
-	if (hostenum == -1) {
-		errWarn("PR_EnumerateHostEnt");
-		return SECFailure;
-	}
-
- 	ip = PR_ntohl(addr->inet.ip);
-	fprintf(stderr,
-	 	"Connecting to host %s (addr %d.%d.%d.%d) on port %d\n",
-			hostName, BYTE(3,ip), BYTE(2,ip), BYTE(1,ip), 
-			BYTE(0,ip), PR_ntohs(addr->inet.port)); 
-
-	prStatus = PR_Connect(sslSocket, addr, PR_INTERVAL_NO_TIMEOUT);
-	if (prStatus != PR_SUCCESS) {
-		errWarn("PR_Connect");
-		return SECFailure;
-	}
-
-	/* Established SSL connection, ready to send data. */
-#if 0
-	secStatus = SSL_ForceHandshake(sslSocket);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_ForceHandshake");
-		return secStatus;
-	}
-#endif
-
-	secStatus = SSL_ResetHandshake(sslSocket, /* asServer */ PR_FALSE);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_ResetHandshake");
-		prStatus = PR_Close(sslSocket);
-		if (prStatus != PR_SUCCESS) {
-			errWarn("PR_Close");
-		}
-		return secStatus;
-	}
-
-	secStatus = handle_connection(sslSocket, connection);
-	if (secStatus != SECSuccess) {
-		/* error already printed out in handle_connection */
-		/* errWarn("handle_connection"); */
-		return secStatus;
-	}
-
-	PR_Close(sslSocket);
-	return SECSuccess;
-}
-
-void
-client_main(unsigned short      port, 
-            int	                connections, 
-            const char *        hostName)
-{
-	int			i;
-	SECStatus	secStatus;
-	PRStatus    prStatus;
-	PRInt32     rv;
-	PRNetAddr	addr;
-	PRHostEnt   hostEntry;
-	char        buffer[256];
-
-	/* Setup network connection. */
-	prStatus = PR_GetHostByName(hostName, buffer, 256, &hostEntry);
-	if (prStatus != PR_SUCCESS) {
-		exitErr("PR_GetHostByName");
-	}
-
-	rv = PR_EnumerateHostEnt(0, &hostEntry, port, &addr);
-	if (rv < 0) {
-		exitErr("PR_EnumerateHostEnt");
-	}
-
-	secStatus = launch_thread(&threadMGR, do_connects, &addr, 1);
-	if (secStatus != SECSuccess) {
-		exitErr("launch_thread");
-	}
-
-	if (connections > 1) {
-		/* wait for the first connection to terminate, then launch the rest. */
-		reap_threads(&threadMGR);
-		/* Start up the connections */
-		for (i = 2; i <= connections; ++i) {
-			secStatus = launch_thread(&threadMGR, do_connects, &addr, i);
-			if (secStatus != SECSuccess) {
-				errWarn("launch_thread");
-			}
-		}
-	}
-
-	reap_threads(&threadMGR);
-	destroy_thread_data(&threadMGR);
-}
-
-int
-main(int argc, char **argv)
-{
-	char *               certDir = NULL;
-	char *               progName     = NULL;
-	int                  connections  = 1;
-	char *               cipherString = NULL;
-	SECStatus            secStatus;
-	PLOptState *         optstate;
-	PLOptStatus          status;
-
-	/* Call the NSPR initialization routines */
-	PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-
-	progName = PL_strdup(argv[0]);
-
-	hostName = NULL;
-	optstate = PL_CreateOptState(argc, argv, "C:c:d:n:p:w:");
-	while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-		switch(optstate->option) {
-		case 'C' : cipherString = PL_strdup(optstate->value); break;
-		case 'c' : connections = PORT_Atoi(optstate->value);  break;
-		case 'd' : certDir = PL_strdup(optstate->value);      break;
-		case 'p' : port = PORT_Atoi(optstate->value);         break;
-		case 'w' : password = PL_strdup(optstate->value);      break;
-		case '\0': hostName = PL_strdup(optstate->value);     break;
-		default  : Usage(progName);
-		}
-	}
-
-	if (port == 0) {
-		port = 443;
-	}
-
-	if (port == 0 || hostName == NULL)
-		Usage(progName);
-
-	/* Set our password function callback. */
-	PK11_SetPasswordFunc(myPasswd);
-
-	/* Initialize the NSS libraries. */
-	if (certDir) {
-	    secStatus = NSS_Init(certDir);
-	} else {
-	    secStatus = NSS_NoDB_Init(NULL);
-
-	    /* load the builtins */
-	    SECMOD_AddNewModule("Builtins",
-				DLL_PREFIX"nssckbi."DLL_SUFFIX, 0, 0);
-	}
-	if (secStatus != SECSuccess) {
-		exitErr("NSS_Init");
-	}
-
-	/* All cipher suites except RSA_NULL_MD5 are enabled by 
-	 * Domestic Policy. */
-	NSS_SetDomesticPolicy();
-	SSL_CipherPrefSetDefault(SSL_RSA_WITH_NULL_MD5, PR_TRUE);
-
-	/* all the SSL2 and SSL3 cipher suites are enabled by default. */
-	if (cipherString) {
-	    int ndx;
-
-	    /* disable all the ciphers, then enable the ones we want. */
-	    disableAllSSLCiphers();
-
-	    while (0 != (ndx = *cipherString++)) {
-		int *cptr;
-		int  cipher;
-
-		if (! isalpha(ndx))
-		    Usage(progName);
-		cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites;
-		for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; )
-		    /* do nothing */;
-		if (cipher) {
-		    SSL_CipherPrefSetDefault(cipher, PR_TRUE);
-		}
-	    }
-	}
-
-	client_main(port, connections, hostName);
-
-	NSS_Shutdown();
-	PR_Cleanup();
-	return 0;
-}
-
deleted file mode 100644
--- a/security/nss/cmd/vfyserv/vfyserv.h
+++ /dev/null
@@ -1,182 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- * 
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- * 
- * The Original Code is the Netscape security libraries.
- * 
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation.  Portions created by Netscape are 
- * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
- * Rights Reserved.
- * 
- * Contributor(s):
- * 
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable 
- * instead of those above.  If you wish to allow use of your 
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL.  If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifndef SSLSAMPLE_H
-#define SSLSAMPLE_H
-
-/* Generic header files */
-
-#include <stdio.h>
-#include <string.h>
-
-/* NSPR header files */
-
-#include "nspr.h"
-#include "prerror.h"
-#include "prnetdb.h"
-
-/* NSS header files */
-
-#include "pk11func.h"
-#include "secitem.h"
-#include "ssl.h"
-#include "certt.h"
-#include "nss.h"
-#include "secrng.h"
-#include "secder.h"
-#include "key.h"
-#include "sslproto.h"
-
-/* Custom header files */
-
-/*
-#include "sslerror.h"
-*/
-
-#define BUFFER_SIZE 10240
-
-/* Declare SSL cipher suites. */
-
-extern int cipherSuites[];
-extern int ssl2CipherSuites[];
-extern int ssl3CipherSuites[];
-
-/* Data buffer read from a socket. */
-typedef struct DataBufferStr {
-	char data[BUFFER_SIZE];
-	int  index;
-	int  remaining;
-	int  dataStart;
-	int  dataEnd;
-} DataBuffer;
-
-/* SSL callback routines. */
-
-char * myPasswd(PK11SlotInfo *info, PRBool retry, void *arg);
-
-SECStatus myAuthCertificate(void *arg, PRFileDesc *socket,
-                            PRBool checksig, PRBool isServer);
-
-SECStatus myBadCertHandler(void *arg, PRFileDesc *socket);
-
-SECStatus myHandshakeCallback(PRFileDesc *socket, void *arg);
-
-SECStatus myGetClientAuthData(void *arg, PRFileDesc *socket,
-                              struct CERTDistNamesStr *caNames,
-                              struct CERTCertificateStr **pRetCert,
-                              struct SECKEYPrivateKeyStr **pRetKey);
-
-/* Disable all v2/v3 SSL ciphers. */
-
-void disableAllSSLCiphers(void);
-
-
-/* Error and information utilities. */
-
-void errWarn(char *function);
-
-void exitErr(char *function);
-
-void printSecurityInfo(FILE *outfile, PRFileDesc *fd);
-
-void printCertProblems(FILE *outfile, CERTCertDBHandle *handle, 
-	CERTCertificate *cert, PRBool checksig, 
-	SECCertUsage certUsage, void *pinArg);
-
-/* Some simple thread management routines. */
-
-#define MAX_THREADS 32
-
-typedef SECStatus startFn(void *a, int b);
-
-typedef enum { rs_idle = 0, rs_running = 1, rs_zombie = 2 } runState;
-
-typedef struct perThreadStr {
-	PRFileDesc *a;
-	int         b;
-	int         rv;
-	startFn    *startFunc;
-	PRThread   *prThread;
-	PRBool      inUse;
-	runState    running;
-} perThread;
-
-typedef struct GlobalThreadMgrStr {
-	PRLock	  *threadLock;
-	PRCondVar *threadStartQ;
-	PRCondVar *threadEndQ;
-	perThread  threads[MAX_THREADS];
-	int        index;
-	int        numUsed;
-	int        numRunning;
-} GlobalThreadMgr;
-
-void thread_wrapper(void * arg);
-
-SECStatus launch_thread(GlobalThreadMgr *threadMGR, 
-                        startFn *startFunc, void *a, int b);
-
-SECStatus reap_threads(GlobalThreadMgr *threadMGR);
-
-void destroy_thread_data(GlobalThreadMgr *threadMGR);
-
-/* Management of locked variables. */
-
-struct lockedVarsStr {
-	PRLock *    lock;
-	int         count;
-	int         waiters;
-	PRCondVar * condVar;
-};
-
-typedef struct lockedVarsStr lockedVars;
-
-void lockedVars_Init(lockedVars *lv);
-
-void lockedVars_Destroy(lockedVars *lv);
-
-void lockedVars_WaitForDone(lockedVars *lv);
-
-int lockedVars_AddToCount(lockedVars *lv, int addend);
-
-/* Buffer stuff. */
-
-static const char stopCmd[] = { "GET /stop " };
-static const char defaultHeader[] = {
-	"HTTP/1.0 200 OK\r\n"
-	"Server: SSL sample server\r\n"
-	"Content-type: text/plain\r\n"
-	"\r\n"
-};
-
-#endif
deleted file mode 100644
--- a/security/nss/cmd/vfyserv/vfyutil.c
+++ /dev/null
@@ -1,700 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- * 
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- * 
- * The Original Code is the Netscape security libraries.
- * 
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation.  Portions created by Netscape are 
- * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
- * Rights Reserved.
- * 
- * Contributor(s):
- * 
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable 
- * instead of those above.  If you wish to allow use of your 
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL.  If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#include "vfyserv.h"
-#include "secerr.h"
-#include "sslerr.h"
-#include "nspr.h"
-#include "secutil.h"
-
-/* Declare SSL cipher suites. */
-
-int ssl2CipherSuites[] = {
-	SSL_EN_RC4_128_WITH_MD5,              /* A */
-	SSL_EN_RC4_128_EXPORT40_WITH_MD5,     /* B */
-	SSL_EN_RC2_128_CBC_WITH_MD5,          /* C */
-	SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, /* D */
-	SSL_EN_DES_64_CBC_WITH_MD5,           /* E */
-	SSL_EN_DES_192_EDE3_CBC_WITH_MD5,     /* F */
-	0
-};
-
-int ssl3CipherSuites[] = {
-	SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, /* a */
-	SSL_FORTEZZA_DMS_WITH_RC4_128_SHA,      /* b */
-	SSL_RSA_WITH_RC4_128_MD5,               /* c */
-	SSL_RSA_WITH_3DES_EDE_CBC_SHA,          /* d */
-	SSL_RSA_WITH_DES_CBC_SHA,               /* e */
-	SSL_RSA_EXPORT_WITH_RC4_40_MD5,         /* f */
-	SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,     /* g */
-	SSL_FORTEZZA_DMS_WITH_NULL_SHA,         /* h */
-	SSL_RSA_WITH_NULL_MD5,                  /* i */
-	SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,     /* j */
-	SSL_RSA_FIPS_WITH_DES_CBC_SHA,          /* k */
-	TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,    /* l */
-	TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,     /* m */
-	0
-};
-
-/**************************************************************************
-** 
-** SSL callback routines.
-**
-**************************************************************************/
-
-/* Function: char * myPasswd()
- * 
- * Purpose: This function is our custom password handler that is called by
- * SSL when retreiving private certs and keys from the database. Returns a
- * pointer to a string that with a password for the database. Password pointer
- * should point to dynamically allocated memory that will be freed later.
- */
-char *
-myPasswd(PK11SlotInfo *info, PRBool retry, void *arg)
-{
-	char * passwd = NULL;
-
-	if ( (!retry) && arg ) {
-		passwd = PORT_Strdup((char *)arg);
-	}
-
-	return passwd;
-}
-
-/* Function: SECStatus myAuthCertificate()
- *
- * Purpose: This function is our custom certificate authentication handler.
- * 
- * Note: This implementation is essentially the same as the default 
- *       SSL_AuthCertificate().
- */
-SECStatus 
-myAuthCertificate(void *arg, PRFileDesc *socket, 
-                  PRBool checksig, PRBool isServer) 
-{
-
-	SECCertUsage        certUsage;
-	CERTCertificate *   cert;
-	void *              pinArg;
-	char *              hostName;
-	SECStatus           secStatus;
-
-	if (!arg || !socket) {
-		errWarn("myAuthCertificate");
-		return SECFailure;
-	}
-
-	/* Define how the cert is being used based upon the isServer flag. */
-
-	certUsage = isServer ? certUsageSSLClient : certUsageSSLServer;
-
-	cert = SSL_PeerCertificate(socket);
-	
-	pinArg = SSL_RevealPinArg(socket);
-
-	secStatus = CERT_VerifyCertNow((CERTCertDBHandle *)arg,
-	                               cert,
-	                               checksig,
-	                               certUsage,
-	                               pinArg);
-
-	/* If this is a server, we're finished. */
-	if (isServer || secStatus != SECSuccess) {
-		printCertProblems(stderr, (CERTCertDBHandle *)arg, cert, 
-					checksig, certUsage, pinArg);
-		CERT_DestroyCertificate(cert);
-		return secStatus;
-	}
-
-	/* Certificate is OK.  Since this is the client side of an SSL
-	 * connection, we need to verify that the name field in the cert
-	 * matches the desired hostname.  This is our defense against
-	 * man-in-the-middle attacks.
-	 */
-
-	/* SSL_RevealURL returns a hostName, not an URL. */
-	hostName = SSL_RevealURL(socket);
-
-	if (hostName && hostName[0]) {
-		secStatus = CERT_VerifyCertName(cert, hostName);
-	} else {
-		PR_SetError(SSL_ERROR_BAD_CERT_DOMAIN, 0);
-		secStatus = SECFailure;
-	}
-
-	if (hostName)
-		PR_Free(hostName);
-
-	CERT_DestroyCertificate(cert);
-	return secStatus;
-}
-
-/* Function: SECStatus myBadCertHandler()
- *
- * Purpose: This callback is called when the incoming certificate is not
- * valid. We define a certain set of parameters that still cause the
- * certificate to be "valid" for this session, and return SECSuccess to cause
- * the server to continue processing the request when any of these conditions
- * are met. Otherwise, SECFailure is return and the server rejects the 
- * request.
- */
-SECStatus 
-myBadCertHandler(void *arg, PRFileDesc *socket) 
-{
-
-    SECStatus	secStatus = SECFailure;
-    PRErrorCode	err;
-
-    /* log invalid cert here */
-
-    if (!arg) {
-		return secStatus;
-    }
-
-    *(PRErrorCode *)arg = err = PORT_GetError();
-
-    /* If any of the cases in the switch are met, then we will proceed   */
-    /* with the processing of the request anyway. Otherwise, the default */	
-    /* case will be reached and we will reject the request.              */
-
-    switch (err) {
-    case SEC_ERROR_INVALID_AVA:
-    case SEC_ERROR_INVALID_TIME:
-    case SEC_ERROR_BAD_SIGNATURE:
-    case SEC_ERROR_EXPIRED_CERTIFICATE:
-    case SEC_ERROR_UNKNOWN_ISSUER:
-    case SEC_ERROR_UNTRUSTED_CERT:
-    case SEC_ERROR_CERT_VALID:
-    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
-    case SEC_ERROR_CRL_EXPIRED:
-    case SEC_ERROR_CRL_BAD_SIGNATURE:
-    case SEC_ERROR_EXTENSION_VALUE_INVALID:
-    case SEC_ERROR_CA_CERT_INVALID:
-    case SEC_ERROR_CERT_USAGES_INVALID:
-    case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION:
-		secStatus = SECSuccess;
-	break;
-    default:
-		secStatus = SECFailure;
-	break;
-    }
-
-    fprintf(stderr, "Bad certificate: %d, %s\n", err, SECU_Strerror(err));
-
-    return secStatus;
-}
-
-/* Function: SECStatus ownGetClientAuthData()
- *
- * Purpose: This callback is used by SSL to pull client certificate 
- * information upon server request.
- */
-SECStatus 
-myGetClientAuthData(void *arg,
-                    PRFileDesc *socket,
-                    struct CERTDistNamesStr *caNames,
-                    struct CERTCertificateStr **pRetCert,
-                    struct SECKEYPrivateKeyStr **pRetKey) 
-{
-
-    CERTCertificate *  cert;
-    SECKEYPrivateKey * privKey;
-    char *             chosenNickName = (char *)arg;
-    void *             proto_win      = NULL;
-    SECStatus          secStatus      = SECFailure;
-
-    proto_win = SSL_RevealPinArg(socket);
-
-    if (chosenNickName) {
-		cert = PK11_FindCertFromNickname(chosenNickName, proto_win);
-		if (cert) {
-		    privKey = PK11_FindKeyByAnyCert(cert, proto_win);
-		    if (privKey) {
-				secStatus = SECSuccess;
-		    } else {
-				CERT_DestroyCertificate(cert);
-		    }
-		}
-    } else { /* no nickname given, automatically find the right cert */
-	CERTCertNicknames *names;
-	int                i;
-
-	names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(), 
-				      SEC_CERT_NICKNAMES_USER, proto_win);
-
-	if (names != NULL) {
-	    for(i = 0; i < names->numnicknames; i++ ) {
-
-		cert = PK11_FindCertFromNickname(names->nicknames[i], 
-						 proto_win);
-		if (!cert) {
-		    continue;
-		}
-
-		/* Only check unexpired certs */
-		if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_FALSE)
-		      != secCertTimeValid ) {
-		    CERT_DestroyCertificate(cert);
-		    continue;
-		}
-
-		secStatus = NSS_CmpCertChainWCANames(cert, caNames);
-		if (secStatus == SECSuccess) {
-		    privKey = PK11_FindKeyByAnyCert(cert, proto_win);
-		    if (privKey) {
-			break;
-		    }
-		    secStatus = SECFailure;
-		    break;
-		}
-		CERT_FreeNicknames(names);
-	    } /* for loop */
-	}
-    }
-
-    if (secStatus == SECSuccess) {
-		*pRetCert = cert;
-		*pRetKey  = privKey;
-    }
-
-    return secStatus;
-}
-
-/* Function: SECStatus myHandshakeCallback()
- *
- * Purpose: Called by SSL to inform application that the handshake is
- * complete. This function is mostly used on the server side of an SSL
- * connection, although it is provided for a client as well.
- * Useful when a non-blocking SSL_ReHandshake or SSL_ResetHandshake 
- * is used to initiate a handshake.
- *
- * A typical scenario would be:
- *
- * 1. Server accepts an SSL connection from the client without client auth.
- * 2. Client sends a request.
- * 3. Server determines that to service request it needs to authenticate the
- * client and initiates another handshake requesting client auth.
- * 4. While handshake is in progress, server can do other work or spin waiting
- * for the handshake to complete.
- * 5. Server is notified that handshake has been successfully completed by
- * the custom handshake callback function and it can service the client's
- * request.
- *
- * Note: This function is not implemented in this sample, as we are using
- * blocking sockets.
- */
-SECStatus 
-myHandshakeCallback(PRFileDesc *socket, void *arg) 
-{
-    fprintf(stderr,"Handshake Complete: SERVER CONFIGURED CORRECTLY\n");
-    return SECSuccess;
-}
-
-
-/**************************************************************************
-** 
-** Routines for disabling SSL ciphers.
-**
-**************************************************************************/
-
-void
-disableAllSSLCiphers(void)
-{
-    const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
-    int             i            = SSL_NumImplementedCiphers;
-    SECStatus       rv;
-
-    /* disable all the SSL3 cipher suites */
-    while (--i >= 0) {
-	PRUint16 suite = cipherSuites[i];
-        rv = SSL_CipherPrefSetDefault(suite, PR_FALSE);
-	if (rv != SECSuccess) {
-	    fprintf(stderr,
-		"SSL_CipherPrefSetDefault didn't like value 0x%04x (i = %d)\n",
-	    	   suite, i);
-	    errWarn("SSL_CipherPrefSetDefault");
-	    exit(2);
-	}
-    }
-}
-
-/**************************************************************************
-** 
-** Error and information routines.
-**
-**************************************************************************/
-
-void
-errWarn(char *function)
-{
-	PRErrorCode  errorNumber = PR_GetError();
-	const char * errorString = SECU_Strerror(errorNumber);
-
-	fprintf(stderr, "Error in function %s: %d\n - %s\n",
-			function, errorNumber, errorString);
-}
-
-void
-exitErr(char *function)
-{
-	errWarn(function);
-	/* Exit gracefully. */
-	NSS_Shutdown();
-	PR_Cleanup();
-	exit(1);
-}
-
-void 
-printSecurityInfo(FILE *outfile, PRFileDesc *fd)
-{
-	char * cp;	/* bulk cipher name */
-	char * ip;	/* cert issuer DN */
-	char * sp;	/* cert subject DN */
-	int    op;	/* High, Low, Off */
-	int    kp0;	/* total key bits */
-	int    kp1;	/* secret key bits */
-	int    result;
-	SSL3Statistics * ssl3stats = SSL_GetStatistics();
-
-	if (!outfile) {
-	    outfile = stdout;
-	}
-
-	result = SSL_SecurityStatus(fd, &op, &cp, &kp0, &kp1, &ip, &sp);
-	if (result != SECSuccess)
-		return;
-	fprintf(outfile,
-	 "   bulk cipher %s, %d secret key bits, %d key bits, status: %d\n"
-	 "   subject DN:\n %s\n"
-	 "   issuer  DN:\n %s\n", cp, kp1, kp0, op, sp, ip);
-	PR_Free(cp);
-	PR_Free(ip);
-	PR_Free(sp);
-
-	fprintf(outfile,
-	  "   %ld cache hits; %ld cache misses, %ld cache not reusable\n",
-		ssl3stats->hch_sid_cache_hits, ssl3stats->hch_sid_cache_misses,
-	ssl3stats->hch_sid_cache_not_ok);
-
-}
-
-
-/**************************************************************************
-** Begin thread management routines and data.
-**************************************************************************/
-
-void
-thread_wrapper(void * arg)
-{
-	GlobalThreadMgr *threadMGR = (GlobalThreadMgr *)arg;
-	perThread *slot = &threadMGR->threads[threadMGR->index];
-
-	/* wait for parent to finish launching us before proceeding. */
-	PR_Lock(threadMGR->threadLock);
-	PR_Unlock(threadMGR->threadLock);
-
-	slot->rv = (* slot->startFunc)(slot->a, slot->b);
-
-	PR_Lock(threadMGR->threadLock);
-	slot->running = rs_zombie;
-
-	/* notify the thread exit handler. */
-	PR_NotifyCondVar(threadMGR->threadEndQ);
-
-	PR_Unlock(threadMGR->threadLock);
-}
-
-SECStatus
-launch_thread(GlobalThreadMgr *threadMGR,
-              startFn         *startFunc,
-              void            *a,
-              int              b)
-{
-	perThread *slot;
-	int        i;
-
-	if (!threadMGR->threadStartQ) {
-		threadMGR->threadLock   = PR_NewLock();
-		threadMGR->threadStartQ = PR_NewCondVar(threadMGR->threadLock);
-		threadMGR->threadEndQ   = PR_NewCondVar(threadMGR->threadLock);
-	}
-	PR_Lock(threadMGR->threadLock);
-	while (threadMGR->numRunning >= MAX_THREADS) {
-		PR_WaitCondVar(threadMGR->threadStartQ, PR_INTERVAL_NO_TIMEOUT);
-	}
-	for (i = 0; i < threadMGR->numUsed; ++i) {
-		slot = &threadMGR->threads[i];
-		if (slot->running == rs_idle) 
-			break;
-	}
-	if (i >= threadMGR->numUsed) {
-		if (i >= MAX_THREADS) {
-			/* something's really wrong here. */
-			PORT_Assert(i < MAX_THREADS);
-			PR_Unlock(threadMGR->threadLock);
-			return SECFailure;
-		}
-		++(threadMGR->numUsed);
-		PORT_Assert(threadMGR->numUsed == i + 1);
-		slot = &threadMGR->threads[i];
-	}
-
-	slot->a = a;
-	slot->b = b;
-	slot->startFunc = startFunc;
-
-	threadMGR->index = i;
-
-	slot->prThread = PR_CreateThread(PR_USER_THREAD,
-	                                 thread_wrapper, threadMGR,
-	                                 PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD,
-	                                 PR_JOINABLE_THREAD, 0);
-
-	if (slot->prThread == NULL) {
-		PR_Unlock(threadMGR->threadLock);
-		printf("Failed to launch thread!\n");
-		return SECFailure;
-	} 
-
-	slot->inUse   = 1;
-	slot->running = 1;
-	++(threadMGR->numRunning);
-	PR_Unlock(threadMGR->threadLock);
-
-	return SECSuccess;
-}
-
-SECStatus 
-reap_threads(GlobalThreadMgr *threadMGR)
-{
-	perThread * slot;
-	int			i;
-
-	if (!threadMGR->threadLock)
-		return 0;
-	PR_Lock(threadMGR->threadLock);
-	while (threadMGR->numRunning > 0) {
-	    PR_WaitCondVar(threadMGR->threadEndQ, PR_INTERVAL_NO_TIMEOUT);
-	    for (i = 0; i < threadMGR->numUsed; ++i) {
-		slot = &threadMGR->threads[i];
-		if (slot->running == rs_zombie)  {
-		    /* Handle cleanup of thread here. */
-
-		    /* Now make sure the thread has ended OK. */
-		    PR_JoinThread(slot->prThread);
-		    slot->running = rs_idle;
-		    --threadMGR->numRunning;
-
-		    /* notify the thread launcher. */
-		    PR_NotifyCondVar(threadMGR->threadStartQ);
-		}
-	    }
-	}
-
-	/* Safety Sam sez: make sure count is right. */
-	for (i = 0; i < threadMGR->numUsed; ++i) {
-		slot = &threadMGR->threads[i];
-		if (slot->running != rs_idle)  {
-			fprintf(stderr, "Thread in slot %d is in state %d!\n", 
-			                 i, slot->running);
-		}
-	}
-	PR_Unlock(threadMGR->threadLock);
-	return 0;
-}
-
-void
-destroy_thread_data(GlobalThreadMgr *threadMGR)
-{
-	PORT_Memset(threadMGR->threads, 0, sizeof(threadMGR->threads));
-
-	if (threadMGR->threadEndQ) {
-		PR_DestroyCondVar(threadMGR->threadEndQ);
-		threadMGR->threadEndQ = NULL;
-	}
-	if (threadMGR->threadStartQ) {
-		PR_DestroyCondVar(threadMGR->threadStartQ);
-		threadMGR->threadStartQ = NULL;
-	}
-	if (threadMGR->threadLock) {
-		PR_DestroyLock(threadMGR->threadLock);
-		threadMGR->threadLock = NULL;
-	}
-}
-
-/**************************************************************************
-** End	 thread management routines.
-**************************************************************************/
-
-void 
-lockedVars_Init( lockedVars * lv)
-{
-	lv->count	= 0;
-	lv->waiters = 0;
-	lv->lock	= PR_NewLock();
-	lv->condVar = PR_NewCondVar(lv->lock);
-}
-
-void
-lockedVars_Destroy( lockedVars * lv)
-{
-	PR_DestroyCondVar(lv->condVar);
-	lv->condVar = NULL;
-
-	PR_DestroyLock(lv->lock);
-	lv->lock = NULL;
-}
-
-void
-lockedVars_WaitForDone(lockedVars * lv)
-{
-	PR_Lock(lv->lock);
-	while (lv->count > 0) {
-		PR_WaitCondVar(lv->condVar, PR_INTERVAL_NO_TIMEOUT);
-	}
-	PR_Unlock(lv->lock);
-}
-
-int	/* returns count */
-lockedVars_AddToCount(lockedVars * lv, int addend)
-{
-	int rv;
-
-	PR_Lock(lv->lock);
-	rv = lv->count += addend;
-	if (rv <= 0) {
-	PR_NotifyCondVar(lv->condVar);
-	}
-	PR_Unlock(lv->lock);
-	return rv;
-}
-
-static char *
-bestCertName(CERTCertificate *cert) {
-    if (cert->nickname) {
-	return cert->nickname;
-    }
-    if (cert->emailAddr) {
-	return cert->emailAddr;
-    }
-    return cert->subjectName;
-}
-
-void
-printCertProblems(FILE *outfile, CERTCertDBHandle *handle, 
-	CERTCertificate *cert, PRBool checksig, 
-	SECCertUsage certUsage, void *pinArg)
-{
-    CERTVerifyLog log;
-    CERTVerifyLogNode *node = NULL;
-    unsigned int depth = (unsigned int)-1;
-    unsigned int flags = 0;
-    char *errstr = NULL;
-
-    log.arena = PORT_NewArena(512);
-    log.head = log.tail = NULL;
-    log.count = 0;
-    CERT_VerifyCert(handle, cert, checksig, certUsage,
-	PR_Now(), pinArg, &log);
-
-    if (log.count > 0) {
-	fprintf(outfile,"PROBLEM WITH THE CERT CHAIN:\n");
-	for (node = log.head; node; node = node->next) {
-	    if (depth != node->depth) {
-		depth = node->depth;
-		fprintf(outfile,"CERT %d. %s %s:\n", depth,
-				 bestCertName(node->cert), 
-			  	 depth ? "[Certificate Authority]": "");
-	    }
-	    fprintf(outfile,"  ERROR %d: %s\n", node->error,
-						SECU_Strerror(node->error));
-	    errstr = NULL;
-	    switch (node->error) {
-	    case SEC_ERROR_INADEQUATE_KEY_USAGE:
-		flags = (unsigned int)node->arg;
-		switch (flags) {
-		case KU_DIGITAL_SIGNATURE:
-		    errstr = "Cert cannot sign.";
-		    break;
-		case KU_KEY_ENCIPHERMENT:
-		    errstr = "Cert cannot encrypt.";
-		    break;
-		case KU_KEY_CERT_SIGN:
-		    errstr = "Cert cannot sign other certs.";
-		    break;
-		default:
-		    errstr = "[unknown usage].";
-		    break;
-		}
-	    case SEC_ERROR_INADEQUATE_CERT_TYPE:
-		flags = (unsigned int)node->arg;
-		switch (flags) {
-		case NS_CERT_TYPE_SSL_CLIENT:
-		case NS_CERT_TYPE_SSL_SERVER:
-		    errstr = "Cert cannot be used for SSL.";
-		    break;
-		case NS_CERT_TYPE_SSL_CA:
-		    errstr = "Cert cannot be used as an SSL CA.";
-		    break;
-		case NS_CERT_TYPE_EMAIL:
-		    errstr = "Cert cannot be used for SMIME.";
-		    break;
-		case NS_CERT_TYPE_EMAIL_CA:
-		    errstr = "Cert cannot be used as an SMIME CA.";
-		    break;
-		case NS_CERT_TYPE_OBJECT_SIGNING:
-		    errstr = "Cert cannot be used for object signing.";
-		    break;
-		case NS_CERT_TYPE_OBJECT_SIGNING_CA:
-		    errstr = "Cert cannot be used as an object signing CA.";
-		    break;
-		default:
-		    errstr = "[unknown usage].";
-		    break;
-		}
-	    case SEC_ERROR_UNKNOWN_ISSUER:
-	    case SEC_ERROR_UNTRUSTED_ISSUER:
-	    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
-		errstr = node->cert->issuerName;
-		break;
-	    default:
-		break;
-	    }
-	    if (errstr) {
-		fprintf(stderr,"    %s\n",errstr);
-	    }
-	    CERT_DestroyCertificate(node->cert);
-	}    
-    }
-    return ;
-}
--- a/security/nss/lib/certhigh/certvfy.c
+++ b/security/nss/lib/certhigh/certvfy.c
@@ -1011,16 +1011,17 @@ CERT_VerifyCACertForUsage(CERTCertDBHand
     PRBool isca;
     SECStatus rv;
     SECComparison rvCompare;
     SECStatus rvFinal = SECSuccess;
     int flags;
     unsigned int caCertType;
     unsigned int requiredCAKeyUsage;
     unsigned int requiredFlags;
+    CERTCertificate *issuerCert;
 
 
     if (CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_TRUE,
 					 &requiredCAKeyUsage,
 					 &caCertType) != SECSuccess ) {
 	PORT_Assert(0);
 	EXIT_IF_NOT_LOGGING(log);
 	requiredCAKeyUsage = 0;
@@ -1095,16 +1096,28 @@ CERT_VerifyCACertForUsage(CERTCertDBHand
 	 */
 	flags = SEC_GET_TRUST_FLAGS(cert->trust, trustType);
 	    
 	if ( (flags & CERTDB_VALID_CA) ||
 		 (certUsage == certUsageStatusResponder)) {
 	    if ( ( flags & requiredFlags ) == requiredFlags ||
 		     certUsage == certUsageStatusResponder ) {
 		    /* we found a trusted one, so return */
+        /* Check  the special case of certUsageStatusResponder */
+        if(certUsage == certUsageStatusResponder) {
+           issuerCert = CERT_FindCertIssuer(cert, t, certUsage);
+	         if (issuerCert) {
+              if(SEC_CheckCRL(handle, cert, issuerCert, t, wincx) != SECSuccess) {
+                 PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
+                 CERT_DestroyCertificate(issuerCert);
+                 goto loser;
+              }
+              CERT_DestroyCertificate(issuerCert);
+           }
+        }
 		    rv = rvFinal; 
 		    goto done;
 	    }
 	}
     }
 
     /*
      * Make sure that if this is an intermediate CA in the chain that
--- a/security/nss/lib/ckfw/builtins/certdata.c
+++ b/security/nss/lib/ckfw/builtins/certdata.c
@@ -385,83 +385,83 @@ static const CK_ATTRIBUTE_TYPE nss_built
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_111 [] = {
  CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_112 [] = {
  CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_113 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_114 [] = {
  CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_115 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_116 [] = {
  CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_117 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_118 [] = {
  CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_119 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_120 [] = {
  CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_121 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_122 [] = {
  CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_123 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_124 [] = {
  CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_125 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_126 [] = {
  CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_127 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_128 [] = {
  CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_129 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_130 [] = {
  CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_131 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_132 [] = {
  CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_133 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_134 [] = {
  CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_135 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
 };
 #ifdef DEBUG
 static const NSSItem nss_builtins_items_0 [] = {
   { (void *)&cko_data, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"CVS ID", (PRUint32)7 },
@@ -7020,16 +7020,28 @@ static const NSSItem nss_builtins_items_
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"AOL Time Warner Root Certification Authority 1", (PRUint32)47 },
   { (void *)"\164\124\123\134\044\243\247\130\040\176\076\076\323\044\370\026"
 "\373\041\026\111"
 , (PRUint32)20 },
   { (void *)"\347\172\334\261\037\156\006\037\164\154\131\026\047\303\113\300"
 , (PRUint32)16 },
+  { (void *)"\060\201\203\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\035\060\033\006\003\125\004\012\023\024\101\117\114\040\124"
+"\151\155\145\040\127\141\162\156\145\162\040\111\156\143\056\061"
+"\034\060\032\006\003\125\004\013\023\023\101\155\145\162\151\143"
+"\141\040\117\156\154\151\156\145\040\111\156\143\056\061\067\060"
+"\065\006\003\125\004\003\023\056\101\117\114\040\124\151\155\145"
+"\040\127\141\162\156\145\162\040\122\157\157\164\040\103\145\162"
+"\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157"
+"\162\151\164\171\040\061"
+, (PRUint32)134 },
+  { (void *)"\001"
+, (PRUint32)1 },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
 };
 static const NSSItem nss_builtins_items_114 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7162,16 +7174,28 @@ static const NSSItem nss_builtins_items_
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"AOL Time Warner Root Certification Authority 2", (PRUint32)47 },
   { (void *)"\374\041\232\166\021\057\166\301\305\010\203\074\232\057\242\272"
 "\204\254\010\172"
 , (PRUint32)20 },
   { (void *)"\001\132\231\303\326\117\251\113\074\073\261\243\253\047\114\277"
 , (PRUint32)16 },
+  { (void *)"\060\201\203\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\035\060\033\006\003\125\004\012\023\024\101\117\114\040\124"
+"\151\155\145\040\127\141\162\156\145\162\040\111\156\143\056\061"
+"\034\060\032\006\003\125\004\013\023\023\101\155\145\162\151\143"
+"\141\040\117\156\154\151\156\145\040\111\156\143\056\061\067\060"
+"\065\006\003\125\004\003\023\056\101\117\114\040\124\151\155\145"
+"\040\127\141\162\156\145\162\040\122\157\157\164\040\103\145\162"
+"\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157"
+"\162\151\164\171\040\062"
+, (PRUint32)134 },
+  { (void *)"\001"
+, (PRUint32)1 },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
 };
 static const NSSItem nss_builtins_items_116 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7292,16 +7316,26 @@ static const NSSItem nss_builtins_items_
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"beTRUSTed Root CA-Baltimore Implementation", (PRUint32)43 },
   { (void *)"\334\273\236\267\031\113\304\162\005\301\021\165\051\206\203\133"
 "\123\312\344\370"
 , (PRUint32)20 },
   { (void *)"\201\065\271\373\373\022\312\030\151\066\353\256\151\170\241\361"
 , (PRUint32)16 },
+  { (void *)"\060\146\061\022\060\020\006\003\125\004\012\023\011\142\145\124"
+"\122\125\123\124\145\144\061\033\060\031\006\003\125\004\013\023"
+"\022\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040"
+"\103\101\163\061\063\060\061\006\003\125\004\003\023\052\142\145"
+"\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\055"
+"\102\141\154\164\151\155\157\162\145\040\111\155\160\154\145\155"
+"\145\156\164\141\164\151\157\156"
+, (PRUint32)104 },
+  { (void *)"\074\265\075\106"
+, (PRUint32)4 },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
 };
 static const NSSItem nss_builtins_items_118 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7437,16 +7471,26 @@ static const NSSItem nss_builtins_items_
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"beTRUSTed Root CA - Entrust Implementation", (PRUint32)43 },
   { (void *)"\162\231\171\023\354\233\015\256\145\321\266\327\262\112\166\243"
 "\256\302\356\026"
 , (PRUint32)20 },
   { (void *)"\175\206\220\217\133\361\362\100\300\367\075\142\265\244\251\073"
 , (PRUint32)16 },
+  { (void *)"\060\146\061\022\060\020\006\003\125\004\012\023\011\142\145\124"
+"\122\125\123\124\145\144\061\033\060\031\006\003\125\004\013\023"
+"\022\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040"
+"\103\101\163\061\063\060\061\006\003\125\004\003\023\052\142\145"
+"\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\040"
+"\055\040\105\156\164\162\165\163\164\040\111\155\160\154\145\155"
+"\145\156\164\141\164\151\157\156"
+, (PRUint32)104 },
+  { (void *)"\074\265\117\100"
+, (PRUint32)4 },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
 };
 static const NSSItem nss_builtins_items_120 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7567,16 +7611,26 @@ static const NSSItem nss_builtins_items_
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"beTRUSTed Root CA - RSA Implementation", (PRUint32)39 },
   { (void *)"\035\202\131\312\041\047\303\313\301\154\331\062\366\054\145\051"
 "\214\250\207\022"
 , (PRUint32)20 },
   { (void *)"\206\102\005\011\274\247\235\354\035\363\056\016\272\330\035\320"
 , (PRUint32)16 },
+  { (void *)"\060\142\061\022\060\020\006\003\125\004\012\023\011\142\145\124"
+"\122\125\123\124\145\144\061\033\060\031\006\003\125\004\013\023"
+"\022\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040"
+"\103\101\163\061\057\060\055\006\003\125\004\003\023\046\142\145"
+"\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\040"
+"\055\040\122\123\101\040\111\155\160\154\145\155\145\156\164\141"
+"\164\151\157\156"
+, (PRUint32)100 },
+  { (void *)"\073\131\307\173\315\133\127\236\275\067\122\254\166\264\252\032"
+, (PRUint32)16 },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
 };
 static const NSSItem nss_builtins_items_122 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7659,16 +7713,23 @@ static const NSSItem nss_builtins_items_
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"RSA Security 2048 v3", (PRUint32)21 },
   { (void *)"\045\001\220\031\317\373\331\231\034\267\150\045\164\215\224\137"
 "\060\223\225\102"
 , (PRUint32)20 },
   { (void *)"\167\015\031\261\041\375\000\102\234\076\014\245\335\013\002\216"
 , (PRUint32)16 },
+  { (void *)"\060\072\061\031\060\027\006\003\125\004\012\023\020\122\123\101"
+"\040\123\145\143\165\162\151\164\171\040\111\156\143\061\035\060"
+"\033\006\003\125\004\013\023\024\122\123\101\040\123\145\143\165"
+"\162\151\164\171\040\062\060\064\070\040\126\063"
+, (PRUint32)60 },
+  { (void *)"\012\001\001\001\000\000\002\174\000\000\000\012\000\000\000\002"
+, (PRUint32)16 },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
 };
 static const NSSItem nss_builtins_items_124 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7734,16 +7795,23 @@ static const NSSItem nss_builtins_items_
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"RSA Security 1024 v3", (PRUint32)21 },
   { (void *)"\074\273\135\340\374\326\071\174\005\210\345\146\227\275\106\052"
 "\275\371\134\166"
 , (PRUint32)20 },
   { (void *)"\072\345\120\260\071\276\307\106\066\063\241\376\202\076\215\224"
 , (PRUint32)16 },
+  { (void *)"\060\072\061\031\060\027\006\003\125\004\012\023\020\122\123\101"
+"\040\123\145\143\165\162\151\164\171\040\111\156\143\061\035\060"
+"\033\006\003\125\004\013\023\024\122\123\101\040\123\145\143\165"
+"\162\151\164\171\040\061\060\062\064\040\126\063"
+, (PRUint32)60 },
+  { (void *)"\012\001\001\001\000\000\002\174\000\000\000\013\000\000\000\002"
+, (PRUint32)16 },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
 };
 static const NSSItem nss_builtins_items_126 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7827,16 +7895,24 @@ static const NSSItem nss_builtins_items_
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"GeoTrust Global CA", (PRUint32)19 },
   { (void *)"\336\050\364\244\377\345\271\057\243\305\003\321\243\111\247\371"
 "\226\052\202\022"
 , (PRUint32)20 },
   { (void *)"\367\165\253\051\373\121\116\267\167\136\377\005\074\231\216\365"
 , (PRUint32)16 },
+  { (void *)"\060\102\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\026\060\024\006\003\125\004\012\023\015\107\145\157\124\162\165"
+"\163\164\040\111\156\143\056\061\033\060\031\006\003\125\004\003"
+"\023\022\107\145\157\124\162\165\163\164\040\107\154\157\142\141"
+"\154\040\103\101"
+, (PRUint32)68 },
+  { (void *)"\002\064\126"
+, (PRUint32)3 },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
 };
 static const NSSItem nss_builtins_items_128 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7949,16 +8025,30 @@ static const NSSItem nss_builtins_items_
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"UTN-USER First-Network Applications", (PRUint32)36 },
   { (void *)"\135\230\234\333\025\226\021\066\121\145\144\033\126\017\333\352"
 "\052\302\076\361"
 , (PRUint32)20 },
   { (void *)"\277\140\131\243\133\272\366\247\166\102\332\157\032\173\120\317"
 , (PRUint32)16 },
+  { (void *)"\060\201\243\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060"
+"\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153"
+"\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023"
+"\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116"
+"\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023"
+"\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162"
+"\164\162\165\163\164\056\143\157\155\061\053\060\051\006\003\125"
+"\004\003\023\042\125\124\116\055\125\123\105\122\106\151\162\163"
+"\164\055\116\145\164\167\157\162\153\040\101\160\160\154\151\143"
+"\141\164\151\157\156\163"
+, (PRUint32)166 },
+  { (void *)"\104\276\014\213\120\000\044\264\021\323\066\060\113\300\063\167"
+, (PRUint32)16 },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
 };
 static const NSSItem nss_builtins_items_130 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -8051,16 +8141,26 @@ static const NSSItem nss_builtins_items_
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"America Online Root Certification Authority 1", (PRUint32)46 },
   { (void *)"\071\041\301\025\301\135\016\312\134\313\133\304\360\175\041\330"
 "\005\013\126\152"
 , (PRUint32)20 },
   { (void *)"\024\361\010\255\235\372\144\342\211\347\034\317\250\255\175\136"
 , (PRUint32)16 },
+  { (void *)"\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\034\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143"
+"\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060"
+"\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040"
+"\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164"
+"\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162"
+"\151\164\171\040\061"
+, (PRUint32)101 },
+  { (void *)"\001"
+, (PRUint32)1 },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
 };
 static const NSSItem nss_builtins_items_132 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -8185,16 +8285,26 @@ static const NSSItem nss_builtins_items_
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"America Online Root Certification Authority 2", (PRUint32)46 },
   { (void *)"\205\265\377\147\233\014\171\226\037\310\156\104\042\000\106\023"
 "\333\027\222\204"
 , (PRUint32)20 },
   { (void *)"\326\355\074\312\342\146\017\257\020\103\015\167\233\004\011\277"
 , (PRUint32)16 },
+  { (void *)"\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\034\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143"
+"\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060"
+"\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040"
+"\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164"
+"\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162"
+"\151\164\171\040\062"
+, (PRUint32)101 },
+  { (void *)"\001"
+, (PRUint32)1 },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
 };
 static const NSSItem nss_builtins_items_134 [] = {
   { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -8287,16 +8397,26 @@ static const NSSItem nss_builtins_items_
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"Visa eCommerce Root", (PRUint32)20 },
   { (void *)"\160\027\233\206\214\000\244\372\140\221\122\042\077\237\076\062"
 "\275\340\005\142"
 , (PRUint32)20 },
   { (void *)"\374\021\270\330\010\223\060\000\155\043\371\176\353\122\036\002"
 , (PRUint32)16 },
+  { (void *)"\060\153\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057"
+"\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156"
+"\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
+"\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061"
+"\034\060\032\006\003\125\004\003\023\023\126\151\163\141\040\145"
+"\103\157\155\155\145\162\143\145\040\122\157\157\164"
+, (PRUint32)109 },
+  { (void *)"\023\206\065\115\035\077\006\362\301\371\145\005\325\220\034\142"
+, (PRUint32)16 },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
 };
 
 PR_IMPLEMENT_DATA(builtinsInternalObject)
 nss_builtins_data[] = {
 #ifdef DEBUG
@@ -8409,38 +8529,38 @@ nss_builtins_data[] = {
   { 12, nss_builtins_types_105, nss_builtins_items_105, {NULL} },
   { 11, nss_builtins_types_106, nss_builtins_items_106, {NULL} },
   { 12, nss_builtins_types_107, nss_builtins_items_107, {NULL} },
   { 11, nss_builtins_types_108, nss_builtins_items_108, {NULL} },
   { 12, nss_builtins_types_109, nss_builtins_items_109, {NULL} },
   { 11, nss_builtins_types_110, nss_builtins_items_110, {NULL} },
   { 12, nss_builtins_types_111, nss_builtins_items_111, {NULL} },
   { 11, nss_builtins_types_112, nss_builtins_items_112, {NULL} },
-  { 10, nss_builtins_types_113, nss_builtins_items_113, {NULL} },
+  { 12, nss_builtins_types_113, nss_builtins_items_113, {NULL} },
   { 11, nss_builtins_types_114, nss_builtins_items_114, {NULL} },
-  { 10, nss_builtins_types_115, nss_builtins_items_115, {NULL} },
+  { 12, nss_builtins_types_115, nss_builtins_items_115, {NULL} },
   { 11, nss_builtins_types_116, nss_builtins_items_116, {NULL} },
-  { 10, nss_builtins_types_117, nss_builtins_items_117, {NULL} },
+  { 12, nss_builtins_types_117, nss_builtins_items_117, {NULL} },
   { 11, nss_builtins_types_118, nss_builtins_items_118, {NULL} },
-  { 10, nss_builtins_types_119, nss_builtins_items_119, {NULL} },
+  { 12, nss_builtins_types_119, nss_builtins_items_119, {NULL} },
   { 11, nss_builtins_types_120, nss_builtins_items_120, {NULL} },
-  { 10, nss_builtins_types_121, nss_builtins_items_121, {NULL} },
+  { 12, nss_builtins_types_121, nss_builtins_items_121, {NULL} },
   { 11, nss_builtins_types_122, nss_builtins_items_122, {NULL} },
-  { 10, nss_builtins_types_123, nss_builtins_items_123, {NULL} },
+  { 12, nss_builtins_types_123, nss_builtins_items_123, {NULL} },
   { 11, nss_builtins_types_124, nss_builtins_items_124, {NULL} },
-  { 10, nss_builtins_types_125, nss_builtins_items_125, {NULL} },
+  { 12, nss_builtins_types_125, nss_builtins_items_125, {NULL} },
   { 11, nss_builtins_types_126, nss_builtins_items_126, {NULL} },
-  { 10, nss_builtins_types_127, nss_builtins_items_127, {NULL} },
+  { 12, nss_builtins_types_127, nss_builtins_items_127, {NULL} },
   { 11, nss_builtins_types_128, nss_builtins_items_128, {NULL} },
-  { 10, nss_builtins_types_129, nss_builtins_items_129, {NULL} },
+  { 12, nss_builtins_types_129, nss_builtins_items_129, {NULL} },
   { 11, nss_builtins_types_130, nss_builtins_items_130, {NULL} },
-  { 10, nss_builtins_types_131, nss_builtins_items_131, {NULL} },
+  { 12, nss_builtins_types_131, nss_builtins_items_131, {NULL} },
   { 11, nss_builtins_types_132, nss_builtins_items_132, {NULL} },
-  { 10, nss_builtins_types_133, nss_builtins_items_133, {NULL} },
+  { 12, nss_builtins_types_133, nss_builtins_items_133, {NULL} },
   { 11, nss_builtins_types_134, nss_builtins_items_134, {NULL} },
-  { 10, nss_builtins_types_135, nss_builtins_items_135, {NULL} }
+  { 12, nss_builtins_types_135, nss_builtins_items_135, {NULL} }
 };
 PR_IMPLEMENT_DATA(const PRUint32)
 #ifdef DEBUG
   nss_builtins_nObjects = 135+1;
 #else
   nss_builtins_nObjects = 135;
 #endif /* DEBUG */
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -7199,16 +7199,30 @@ CKA_MODIFIABLE CK_BBOOL CK_FALSE
 CKA_LABEL UTF8 "AOL Time Warner Root Certification Authority 1"
 CKA_CERT_SHA1_HASH MULTILINE_OCTAL
 \164\124\123\134\044\243\247\130\040\176\076\076\323\044\370\026
 \373\041\026\111
 END
 CKA_CERT_MD5_HASH MULTILINE_OCTAL
 \347\172\334\261\037\156\006\037\164\154\131\026\047\303\113\300
 END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\203\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\035\060\033\006\003\125\004\012\023\024\101\117\114\040\124
+\151\155\145\040\127\141\162\156\145\162\040\111\156\143\056\061
+\034\060\032\006\003\125\004\013\023\023\101\155\145\162\151\143
+\141\040\117\156\154\151\156\145\040\111\156\143\056\061\067\060
+\065\006\003\125\004\003\023\056\101\117\114\040\124\151\155\145
+\040\127\141\162\156\145\162\040\122\157\157\164\040\103\145\162
+\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157
+\162\151\164\171\040\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 
 #
 # Certificate "AOL Time Warner Root Certification Authority 2"
 #
 CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
@@ -7349,16 +7363,30 @@ CKA_MODIFIABLE CK_BBOOL CK_FALSE
 CKA_LABEL UTF8 "AOL Time Warner Root Certification Authority 2"
 CKA_CERT_SHA1_HASH MULTILINE_OCTAL
 \374\041\232\166\021\057\166\301\305\010\203\074\232\057\242\272
 \204\254\010\172
 END
 CKA_CERT_MD5_HASH MULTILINE_OCTAL
 \001\132\231\303\326\117\251\113\074\073\261\243\253\047\114\277
 END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\203\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\035\060\033\006\003\125\004\012\023\024\101\117\114\040\124
+\151\155\145\040\127\141\162\156\145\162\040\111\156\143\056\061
+\034\060\032\006\003\125\004\013\023\023\101\155\145\162\151\143
+\141\040\117\156\154\151\156\145\040\111\156\143\056\061\067\060
+\065\006\003\125\004\003\023\056\101\117\114\040\124\151\155\145
+\040\127\141\162\156\145\162\040\122\157\157\164\040\103\145\162
+\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157
+\162\151\164\171\040\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 
 #
 # Certificate "beTRUSTed Root CA-Baltimore Implementation"
 #
 CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
@@ -7487,16 +7515,28 @@ CKA_MODIFIABLE CK_BBOOL CK_FALSE
 CKA_LABEL UTF8 "beTRUSTed Root CA-Baltimore Implementation"
 CKA_CERT_SHA1_HASH MULTILINE_OCTAL
 \334\273\236\267\031\113\304\162\005\301\021\165\051\206\203\133
 \123\312\344\370
 END
 CKA_CERT_MD5_HASH MULTILINE_OCTAL
 \201\065\271\373\373\022\312\030\151\066\353\256\151\170\241\361
 END
+CKA_ISSUER MULTILINE_OCTAL
+\060\146\061\022\060\020\006\003\125\004\012\023\011\142\145\124
+\122\125\123\124\145\144\061\033\060\031\006\003\125\004\013\023
+\022\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040
+\103\101\163\061\063\060\061\006\003\125\004\003\023\052\142\145
+\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\055
+\102\141\154\164\151\155\157\162\145\040\111\155\160\154\145\155
+\145\156\164\141\164\151\157\156
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\074\265\075\106
+END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 
 #
 # Certificate "beTRUSTed Root CA - Entrust Implementation"
 #
 CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
@@ -7640,16 +7680,28 @@ CKA_MODIFIABLE CK_BBOOL CK_FALSE
 CKA_LABEL UTF8 "beTRUSTed Root CA - Entrust Implementation"
 CKA_CERT_SHA1_HASH MULTILINE_OCTAL
 \162\231\171\023\354\233\015\256\145\321\266\327\262\112\166\243
 \256\302\356\026
 END
 CKA_CERT_MD5_HASH MULTILINE_OCTAL
 \175\206\220\217\133\361\362\100\300\367\075\142\265\244\251\073
 END
+CKA_ISSUER MULTILINE_OCTAL
+\060\146\061\022\060\020\006\003\125\004\012\023\011\142\145\124
+\122\125\123\124\145\144\061\033\060\031\006\003\125\004\013\023
+\022\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040
+\103\101\163\061\063\060\061\006\003\125\004\003\023\052\142\145
+\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\040
+\055\040\105\156\164\162\165\163\164\040\111\155\160\154\145\155
+\145\156\164\141\164\151\157\156
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\074\265\117\100
+END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 
 #
 # Certificate "beTRUSTed Root CA - RSA Implementation"
 #
 CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
@@ -7778,16 +7830,28 @@ CKA_MODIFIABLE CK_BBOOL CK_FALSE
 CKA_LABEL UTF8 "beTRUSTed Root CA - RSA Implementation"
 CKA_CERT_SHA1_HASH MULTILINE_OCTAL
 \035\202\131\312\041\047\303\313\301\154\331\062\366\054\145\051
 \214\250\207\022
 END
 CKA_CERT_MD5_HASH MULTILINE_OCTAL
 \206\102\005\011\274\247\235\354\035\363\056\016\272\330\035\320
 END
+CKA_ISSUER MULTILINE_OCTAL
+\060\142\061\022\060\020\006\003\125\004\012\023\011\142\145\124
+\122\125\123\124\145\144\061\033\060\031\006\003\125\004\013\023
+\022\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040
+\103\101\163\061\057\060\055\006\003\125\004\003\023\046\142\145
+\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\040
+\055\040\122\123\101\040\111\155\160\154\145\155\145\156\164\141
+\164\151\157\156
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\073\131\307\173\315\133\127\236\275\067\122\254\166\264\252\032
+END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 
 #
 # Certificate "RSA Security 2048 v3"
 #
 CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
@@ -7878,16 +7942,25 @@ CKA_MODIFIABLE CK_BBOOL CK_FALSE
 CKA_LABEL UTF8 "RSA Security 2048 v3"
 CKA_CERT_SHA1_HASH MULTILINE_OCTAL
 \045\001\220\031\317\373\331\231\034\267\150\045\164\215\224\137
 \060\223\225\102
 END
 CKA_CERT_MD5_HASH MULTILINE_OCTAL
 \167\015\031\261\041\375\000\102\234\076\014\245\335\013\002\216
 END
+CKA_ISSUER MULTILINE_OCTAL
+\060\072\061\031\060\027\006\003\125\004\012\023\020\122\123\101
+\040\123\145\143\165\162\151\164\171\040\111\156\143\061\035\060
+\033\006\003\125\004\013\023\024\122\123\101\040\123\145\143\165
+\162\151\164\171\040\062\060\064\070\040\126\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\012\001\001\001\000\000\002\174\000\000\000\012\000\000\000\002
+END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 
 #
 # Certificate "RSA Security 1024 v3"
 #
 CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
@@ -7961,16 +8034,25 @@ CKA_MODIFIABLE CK_BBOOL CK_FALSE
 CKA_LABEL UTF8 "RSA Security 1024 v3"
 CKA_CERT_SHA1_HASH MULTILINE_OCTAL
 \074\273\135\340\374\326\071\174\005\210\345\146\227\275\106\052
 \275\371\134\166
 END
 CKA_CERT_MD5_HASH MULTILINE_OCTAL
 \072\345\120\260\071\276\307\106\066\063\241\376\202\076\215\224
 END
+CKA_ISSUER MULTILINE_OCTAL
+\060\072\061\031\060\027\006\003\125\004\012\023\020\122\123\101
+\040\123\145\143\165\162\151\164\171\040\111\156\143\061\035\060
+\033\006\003\125\004\013\023\024\122\123\101\040\123\145\143\165
+\162\151\164\171\040\061\060\062\064\040\126\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\012\001\001\001\000\000\002\174\000\000\000\013\000\000\000\002
+END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 
 #
 # Certificate "GeoTrust Global CA"
 #
 CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
@@ -8062,16 +8144,26 @@ CKA_MODIFIABLE CK_BBOOL CK_FALSE
 CKA_LABEL UTF8 "GeoTrust Global CA"
 CKA_CERT_SHA1_HASH MULTILINE_OCTAL
 \336\050\364\244\377\345\271\057\243\305\003\321\243\111\247\371
 \226\052\202\022
 END
 CKA_CERT_MD5_HASH MULTILINE_OCTAL
 \367\165\253\051\373\121\116\267\167\136\377\005\074\231\216\365
 END
+CKA_ISSUER MULTILINE_OCTAL
+\060\102\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\026\060\024\006\003\125\004\012\023\015\107\145\157\124\162\165
+\163\164\040\111\156\143\056\061\033\060\031\006\003\125\004\003
+\023\022\107\145\157\124\162\165\163\164\040\107\154\157\142\141
+\154\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\064\126
+END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 
 #
 # Certificate "UTN-USER First-Network Applications"
 #
 CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
@@ -8192,16 +8284,32 @@ CKA_MODIFIABLE CK_BBOOL CK_FALSE
 CKA_LABEL UTF8 "UTN-USER First-Network Applications"
 CKA_CERT_SHA1_HASH MULTILINE_OCTAL
 \135\230\234\333\025\226\021\066\121\145\144\033\126\017\333\352
 \052\302\076\361
 END
 CKA_CERT_MD5_HASH MULTILINE_OCTAL
 \277\140\131\243\133\272\366\247\166\102\332\157\032\173\120\317
 END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\243\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060
+\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
+\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
+\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
+\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023
+\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162
+\164\162\165\163\164\056\143\157\155\061\053\060\051\006\003\125
+\004\003\023\042\125\124\116\055\125\123\105\122\106\151\162\163
+\164\055\116\145\164\167\157\162\153\040\101\160\160\154\151\143
+\141\164\151\157\156\163
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\104\276\014\213\120\000\044\264\021\323\066\060\113\300\063\167
+END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 
 #
 # Certificate "America Online Root Certification Authority 1"
 #
 CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
@@ -8302,16 +8410,28 @@ CKA_MODIFIABLE CK_BBOOL CK_FALSE
 CKA_LABEL UTF8 "America Online Root Certification Authority 1"
 CKA_CERT_SHA1_HASH MULTILINE_OCTAL
 \071\041\301\025\301\135\016\312\134\313\133\304\360\175\041\330
 \005\013\126\152
 END
 CKA_CERT_MD5_HASH MULTILINE_OCTAL
 \024\361\010\255\235\372\144\342\211\347\034\317\250\255\175\136
 END
+CKA_ISSUER MULTILINE_OCTAL
+\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\034\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143
+\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060
+\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040
+\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164
+\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
+\151\164\171\040\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 
 #
 # Certificate "America Online Root Certification Authority 2"
 #
 CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
@@ -8444,16 +8564,28 @@ CKA_MODIFIABLE CK_BBOOL CK_FALSE
 CKA_LABEL UTF8 "America Online Root Certification Authority 2"
 CKA_CERT_SHA1_HASH MULTILINE_OCTAL
 \205\265\377\147\233\014\171\226\037\310\156\104\042\000\106\023
 \333\027\222\204
 END
 CKA_CERT_MD5_HASH MULTILINE_OCTAL
 \326\355\074\312\342\146\017\257\020\103\015\167\233\004\011\277
 END
+CKA_ISSUER MULTILINE_OCTAL
+\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\034\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143
+\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060
+\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040
+\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164
+\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
+\151\164\171\040\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 
 #
 # Certificate "Visa eCommerce Root"
 #
 CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
@@ -8554,11 +8686,23 @@ CKA_MODIFIABLE CK_BBOOL CK_FALSE
 CKA_LABEL UTF8 "Visa eCommerce Root"
 CKA_CERT_SHA1_HASH MULTILINE_OCTAL
 \160\027\233\206\214\000\244\372\140\221\122\042\077\237\076\062
 \275\340\005\142
 END
 CKA_CERT_MD5_HASH MULTILINE_OCTAL
 \374\021\270\330\010\223\060\000\155\043\371\176\353\122\036\002
 END
+CKA_ISSUER MULTILINE_OCTAL
+\060\153\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
+\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
+\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
+\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
+\034\060\032\006\003\125\004\003\023\023\126\151\163\141\040\145
+\103\157\155\155\145\162\143\145\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\023\206\065\115\035\077\006\362\301\371\145\005\325\220\034\142
+END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
--- a/security/nss/lib/ckfw/builtins/constants.c
+++ b/security/nss/lib/ckfw/builtins/constants.c
@@ -54,17 +54,17 @@ nss_builtins_CryptokiVersion = { 2, 1 };
 
 NSS_IMPLEMENT_DATA const NSSUTF8 *
 nss_builtins_ManufacturerID = (NSSUTF8 *) "Netscape Communications Corp.";
 
 NSS_IMPLEMENT_DATA const NSSUTF8 *
 nss_builtins_LibraryDescription = (NSSUTF8 *) "NSS Builtin Object Cryptoki Module";
 
 NSS_IMPLEMENT_DATA const CK_VERSION
-nss_builtins_LibraryVersion = { 1, 1 };
+nss_builtins_LibraryVersion = { 1, 2 };
 
 NSS_IMPLEMENT_DATA const NSSUTF8 *
 nss_builtins_SlotDescription = (NSSUTF8 *) "";
 
 NSS_IMPLEMENT_DATA const CK_VERSION
 nss_builtins_HardwareVersion = { 1, 0 };
 
 NSS_IMPLEMENT_DATA const CK_VERSION
--- a/security/nss/lib/ckfw/instance.c
+++ b/security/nss/lib/ckfw/instance.c
@@ -1087,17 +1087,17 @@ nssCKFWInstance_GetLibraryVersion
     goto done;
   }
 
   if( (void *)NULL != (void *)fwInstance->mdInstance->GetLibraryVersion ) {
     fwInstance->libraryVersion = fwInstance->mdInstance->GetLibraryVersion(
       fwInstance->mdInstance, fwInstance);
   } else {
     fwInstance->libraryVersion.major = 0;
-    fwInstance->libraryVersion.minor = 1;
+    fwInstance->libraryVersion.minor = 3;
   }
 
   rv = fwInstance->libraryVersion;
  done:
   (void)nssCKFWMutex_Unlock(fwInstance->mutex);
   return rv;
 }
 
--- a/security/nss/lib/dev/ckhelper.c
+++ b/security/nss/lib/dev/ckhelper.c
@@ -547,38 +547,40 @@ get_nss_trust
     return t;
 }
 
 NSS_IMPLEMENT PRStatus
 nssCryptokiTrust_GetAttributes
 (
   nssCryptokiObject *trustObject,
   nssSession *sessionOpt,
+  NSSItem *sha1_hash,
   nssTrustLevel *serverAuth,
   nssTrustLevel *clientAuth,
   nssTrustLevel *codeSigning,
   nssTrustLevel *emailProtection
 )
 {
     PRStatus status;
     NSSSlot *slot;
     nssSession *session;
     CK_BBOOL isToken;
     CK_TRUST saTrust, caTrust, epTrust, csTrust;
     CK_ATTRIBUTE_PTR attr;
-    CK_ATTRIBUTE trust_template[5];
+    CK_ATTRIBUTE trust_template[6];
     CK_ULONG trust_size;
 
     /* Use the trust object to find the trust settings */
     NSS_CK_TEMPLATE_START(trust_template, attr, trust_size);
     NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TOKEN,                  isToken);
     NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_SERVER_AUTH,      saTrust);
     NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_CLIENT_AUTH,      caTrust);
     NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_EMAIL_PROTECTION, epTrust);
     NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_CODE_SIGNING,     csTrust);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CERT_SHA1_HASH,     sha1_hash);
     NSS_CK_TEMPLATE_FINISH(trust_template, attr, trust_size);
 
     status = nssToken_GetCachedObjectAttributes(trustObject->token, NULL,
                                                 trustObject, 
                                                 CKO_NETSCAPE_TRUST,
                                                 trust_template, trust_size);
     if (status != PR_SUCCESS) {
 	session = sessionOpt ? 
--- a/security/nss/lib/dev/dev.h
+++ b/security/nss/lib/dev/dev.h
@@ -736,16 +736,17 @@ nssCryptokiCertificate_GetAttributes
   NSSASCII7 **emailOpt
 );
 
 NSS_EXTERN PRStatus
 nssCryptokiTrust_GetAttributes
 (
   nssCryptokiObject *trustObject,
   nssSession *sessionOpt,
+  NSSItem *sha1_hash,
   nssTrustLevel *serverAuth,
   nssTrustLevel *clientAuth,
   nssTrustLevel *codeSigning,
   nssTrustLevel *emailProtection
 );
 
 NSS_EXTERN PRStatus
 nssCryptokiCRL_GetAttributes
new file mode 100644
--- /dev/null
+++ b/security/nss/lib/dev/devobject.c
@@ -0,0 +1,1139 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef DEV_H
+#include "dev.h"
+#endif /* DEV_H */
+
+#ifndef DEVM_H
+#include "devm.h"
+#endif /* DEVM_H */
+
+#ifndef NSSCKEPV_H
+#include "nssckepv.h"
+#endif /* NSSCKEPV_H */
+
+#ifndef CKHELPER_H
+#include "ckhelper.h"
+#endif /* CKHELPER_H */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+/* XXX */
+#ifndef PKI_H
+#include "pki.h"
+#endif /* PKI_H */
+
+/* XXX */
+#ifndef NSSPKI_H
+#include "nsspki.h"
+#endif /* NSSPKI_H */
+
+#ifdef NSS_3_4_CODE
+#include "pkim.h" /* for cert decoding */
+#include "pk11func.h" /* for PK11_HasRootCerts */
+#include "pki3hack.h" /* for STAN_ForceCERTCertificateUpdate */
+#endif
+
+/* The number of object handles to grab during each call to C_FindObjects */
+#define OBJECT_STACK_SIZE 16
+
+NSS_IMPLEMENT PRStatus
+nssToken_DeleteStoredObject
+(
+  nssCryptokiInstance *instance
+)
+{
+    CK_RV ckrv;
+    PRStatus nssrv;
+    PRBool createdSession = PR_FALSE;
+    NSSToken *token = instance->token;
+    void *epv = token->epv;
+    nssSession *session = NULL;
+    if (nssCKObject_IsAttributeTrue(instance->handle, CKA_TOKEN, 
+                                    token->defaultSession,
+	                            token->slot, &nssrv)) {
+       if (nssSession_IsReadWrite(token->defaultSession)) {
+	   session = token->defaultSession;
+       } else {
+	   session = nssSlot_CreateSession(token->slot, NULL, PR_TRUE);
+	   createdSession = PR_TRUE;
+       }
+    }
+    if (session == NULL) {
+	return PR_FAILURE;
+    }
+    nssSession_EnterMonitor(session);
+    ckrv = CKAPI(epv)->C_DestroyObject(session->handle, instance->handle);
+    nssSession_ExitMonitor(session);
+    if (createdSession) {
+	nssSession_Destroy(session);
+    }
+    if (ckrv != CKR_OK) {
+	return PR_FAILURE;
+    }
+    return PR_SUCCESS;
+}
+
+static CK_OBJECT_HANDLE
+import_object
+(
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  CK_ATTRIBUTE_PTR objectTemplate,
+  CK_ULONG otsize
+)
+{
+    nssSession *session = NULL;
+    PRBool createdSession = PR_FALSE;
+    void *epv = tok->epv;
+    CK_OBJECT_HANDLE object;
+    CK_RV ckrv;
+    if (nssCKObject_IsTokenObjectTemplate(objectTemplate, otsize)) {
+	if (sessionOpt) {
+	    if (!nssSession_IsReadWrite(sessionOpt)) {
+		return CK_INVALID_HANDLE;
+	    } else {
+		session = sessionOpt;
+	    }
+	} else if (nssSession_IsReadWrite(tok->defaultSession)) {
+	    session = tok->defaultSession;
+	} else {
+	    session = nssSlot_CreateSession(tok->slot, NULL, PR_TRUE);
+	    createdSession = PR_TRUE;
+	}
+    } else {
+	session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+    }
+    if (session == NULL) {
+	return CK_INVALID_HANDLE;
+    }
+    nssSession_EnterMonitor(session);
+    ckrv = CKAPI(epv)->C_CreateObject(session->handle, 
+                                            objectTemplate, otsize,
+                                            &object);
+    nssSession_ExitMonitor(session);
+    if (createdSession) {
+	nssSession_Destroy(session);
+    }
+    if (ckrv != CKR_OK) {
+	return CK_INVALID_HANDLE;
+    }
+    return object;
+}
+
+static CK_OBJECT_HANDLE
+find_object_by_template
+(
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  CK_ATTRIBUTE_PTR cktemplate,
+  CK_ULONG ctsize
+)
+{
+    CK_SESSION_HANDLE hSession;
+    CK_OBJECT_HANDLE rvObject = CK_INVALID_HANDLE;
+    CK_ULONG count = 0;
+    CK_RV ckrv;
+    void *epv = tok->epv;
+    nssSession *session;
+    session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+    hSession = session->handle;
+    nssSession_EnterMonitor(session);
+    ckrv = CKAPI(epv)->C_FindObjectsInit(hSession, cktemplate, ctsize);
+    if (ckrv != CKR_OK) {
+	nssSession_ExitMonitor(session);
+	return CK_INVALID_HANDLE;
+    }
+    ckrv = CKAPI(epv)->C_FindObjects(hSession, &rvObject, 1, &count);
+    if (ckrv != CKR_OK) {
+	nssSession_ExitMonitor(session);
+	return CK_INVALID_HANDLE;
+    }
+    ckrv = CKAPI(epv)->C_FindObjectsFinal(hSession);
+    nssSession_ExitMonitor(session);
+    if (ckrv != CKR_OK) {
+	return CK_INVALID_HANDLE;
+    }
+    return rvObject;
+}
+
+static PRStatus 
+traverse_objects_by_template
+(
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  CK_ATTRIBUTE_PTR obj_template,
+  CK_ULONG otsize,
+  PRStatus (*callback)(NSSToken *t, nssSession *session,
+                       CK_OBJECT_HANDLE h, void *arg),
+  void *arg
+)
+{
+    NSSSlot *slot;
+    PRStatus cbrv;
+    PRUint32 i;
+    CK_RV ckrv;
+    CK_ULONG count;
+    CK_OBJECT_HANDLE *objectStack;
+    CK_OBJECT_HANDLE startOS[OBJECT_STACK_SIZE];
+    CK_SESSION_HANDLE hSession;
+    NSSArena *objectArena = NULL;
+    nssSession *session;
+    nssList *objectList = NULL;
+    int objectStackSize = OBJECT_STACK_SIZE;
+    void *epv = tok->epv;
+    slot = tok->slot;
+    objectStack = startOS;
+    session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+    hSession = session->handle;
+    nssSession_EnterMonitor(session);
+    ckrv = CKAPI(epv)->C_FindObjectsInit(hSession, obj_template, otsize);
+    if (ckrv != CKR_OK) {
+	nssSession_ExitMonitor(session);
+	goto loser;
+    }
+    while (PR_TRUE) {
+	ckrv = CKAPI(epv)->C_FindObjects(hSession, objectStack, 
+	                                  objectStackSize, &count);
+	if (ckrv != CKR_OK) {
+	    nssSession_ExitMonitor(session);
+	    goto loser;
+	}
+	if (count == objectStackSize) {
+	    if (!objectList) {
+		objectArena = NSSArena_Create();
+		objectList = nssList_Create(objectArena, PR_FALSE);
+	    }
+	    nssList_Add(objectList, objectStack);
+	    objectStackSize = objectStackSize * 2;
+	    objectStack = nss_ZNEWARRAY(objectArena, CK_OBJECT_HANDLE, 
+	                                objectStackSize);
+	    if (objectStack == NULL) {
+		count =0;
+		break;
+		/* return what we can */
+	    }
+	} else {
+	    break;
+	}
+    }
+    ckrv = CKAPI(epv)->C_FindObjectsFinal(hSession);
+    nssSession_ExitMonitor(session);
+    if (ckrv != CKR_OK) {
+	goto loser;
+    }
+    if (objectList) {
+	nssListIterator *objects;
+	CK_OBJECT_HANDLE *localStack;
+	objects = nssList_CreateIterator(objectList);
+	objectStackSize = OBJECT_STACK_SIZE;
+	for (localStack = (CK_OBJECT_HANDLE *)nssListIterator_Start(objects);
+	     localStack != NULL;
+	     localStack = (CK_OBJECT_HANDLE *)nssListIterator_Next(objects)) {
+	    for (i=0; i< objectStackSize; i++) {
+		cbrv = (*callback)(tok, session, localStack[i], arg);
+	    }
+	    objectStackSize = objectStackSize * 2;
+	}
+	nssListIterator_Finish(objects);
+	nssListIterator_Destroy(objects);
+    }
+    for (i=0; i<count; i++) {
+	cbrv = (*callback)(tok, session, objectStack[i], arg);
+    }
+    if (objectArena)
+	NSSArena_Destroy(objectArena);
+    return PR_SUCCESS;
+loser:
+    if (objectArena)
+	NSSArena_Destroy(objectArena);
+    return PR_FAILURE;
+}
+
+static nssCryptokiInstance *
+create_cryptoki_instance
+(
+  NSSArena *arena,
+  NSSToken *t, 
+  CK_OBJECT_HANDLE h,
+  PRBool isTokenObject
+)
+{
+    PRStatus nssrv;
+    nssCryptokiInstance *instance;
+    CK_ATTRIBUTE cert_template = { CKA_LABEL, NULL, 0 };
+    nssrv = nssCKObject_GetAttributes(h, &cert_template, 1,
+                                      arena, t->defaultSession, t->slot);
+    if (nssrv != PR_SUCCESS) {
+	/* a failure here indicates a device error */
+	return NULL;
+    }
+    instance = nss_ZNEW(arena, nssCryptokiInstance);
+    if (!instance) {
+	return NULL;
+    }
+    instance->handle = h;
+    instance->token = t;
+    instance->isTokenObject = isTokenObject;
+    NSS_CK_ATTRIBUTE_TO_UTF8(&cert_template, instance->label);
+    return instance;
+}
+
+#ifdef NSS_3_4_CODE
+/* exposing this for the smart card cache code */
+NSS_IMPLEMENT nssCryptokiInstance *
+nssCryptokiInstance_Create
+(
+  NSSArena *arena,
+  NSSToken *t, 
+  CK_OBJECT_HANDLE h,
+  PRBool isTokenObject
+)
+{
+    return create_cryptoki_instance(arena, t, h, isTokenObject);
+}
+#endif
+
+static NSSCertificateType
+nss_cert_type_from_ck_attrib(CK_ATTRIBUTE_PTR attrib)
+{
+    CK_CERTIFICATE_TYPE ckCertType;
+    if (!attrib->pValue) {
+	/* default to PKIX */
+	return NSSCertificateType_PKIX;
+    }
+    ckCertType = *((CK_ULONG *)attrib->pValue);
+    switch (ckCertType) {
+    case CKC_X_509:
+	return NSSCertificateType_PKIX;
+    default:
+	break;
+    }
+    return NSSCertificateType_Unknown;
+}
+
+/* Create a certificate from an object handle. */
+static NSSCertificate *
+get_token_cert
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  CK_OBJECT_HANDLE handle
+)
+{
+    NSSCertificate *rvCert;
+    NSSArena *arena;
+    nssSession *session;
+    PRStatus nssrv;
+    CK_ULONG template_size;
+    CK_ATTRIBUTE cert_template[] = {
+	{ CKA_CERTIFICATE_TYPE, NULL, 0 },
+	{ CKA_ID,               NULL, 0 },
+	{ CKA_VALUE,            NULL, 0 },
+	{ CKA_ISSUER,           NULL, 0 },
+	{ CKA_SERIAL_NUMBER,    NULL, 0 },
+	{ CKA_SUBJECT,          NULL, 0 },
+	{ CKA_NETSCAPE_EMAIL,   NULL, 0 }
+    };
+    template_size = sizeof(cert_template) / sizeof(cert_template[0]);
+    session = (sessionOpt) ? sessionOpt : token->defaultSession;
+    arena = nssArena_Create();
+    if (!arena) {
+	return NULL;
+    }
+    rvCert = nss_ZNEW(arena, NSSCertificate);
+    if (!rvCert) {
+	NSSArena_Destroy(arena);
+	return NULL;
+    }
+    nssrv = nssPKIObject_Initialize(&rvCert->object, arena, 
+                                    token->trustDomain, NULL);
+    if (nssrv != PR_SUCCESS) {
+	goto loser;
+    }
+    nssrv = nssCKObject_GetAttributes(handle, 
+                                      cert_template, template_size,
+                                      arena, session, token->slot);
+    if (nssrv != PR_SUCCESS) {
+	goto loser;
+    }
+    rvCert->type = nss_cert_type_from_ck_attrib(&cert_template[0]);
+    NSS_CK_ATTRIBUTE_TO_ITEM(&cert_template[1], &rvCert->id);
+    NSS_CK_ATTRIBUTE_TO_ITEM(&cert_template[2], &rvCert->encoding);
+    NSS_CK_ATTRIBUTE_TO_ITEM(&cert_template[3], &rvCert->issuer);
+    NSS_CK_ATTRIBUTE_TO_ITEM(&cert_template[4], &rvCert->serial);
+    NSS_CK_ATTRIBUTE_TO_ITEM(&cert_template[5], &rvCert->subject);
+    NSS_CK_ATTRIBUTE_TO_UTF8(&cert_template[6],  rvCert->email);
+    /* XXX this would be better accomplished by dividing attributes to
+     * retrieve into "required" and "optional"
+     */
+    if (rvCert->encoding.size == 0 ||
+        rvCert->issuer.size == 0 ||
+        rvCert->serial.size == 0 ||
+        rvCert->subject.size == 0) 
+    {
+	/* received a bum object from the token */
+	goto loser;
+    }
+#ifdef NSS_3_4_CODE
+    /* nss 3.4 database doesn't associate email address with cert */
+    if (!rvCert->email) {
+	nssDecodedCert *dc;
+	NSSASCII7 *email;
+	dc = nssCertificate_GetDecoding(rvCert);
+	if (dc) {
+	    email = dc->getEmailAddress(dc);
+	    if (email) 
+	    	rvCert->email = nssUTF8_Duplicate(email, arena);
+	} else {
+	    goto loser;
+	}
+    }
+    /* nss 3.4 must deal with tokens that do not follow the PKCS#11
+     * standard and return decoded serial numbers.  The easiest way to
+     * work around this is just to grab the serial # from the full encoding
+     */
+    if (PR_TRUE) {
+	nssDecodedCert *dc;
+	dc = nssCertificate_GetDecoding(rvCert);
+	if (dc) {
+	    PRStatus sn_stat;
+	    sn_stat = dc->getDERSerialNumber(dc, &rvCert->serial, arena);
+	    if (sn_stat != PR_SUCCESS) {
+		goto loser;
+	    }
+	} else {
+	    goto loser;
+	}
+    }
+#endif
+    return rvCert;
+loser:
+    nssPKIObject_Destroy(&rvCert->object);
+    return (NSSCertificate *)NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+nssToken_ImportCertificate
+(
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  NSSCertificate *cert,
+  NSSUTF8 *nickname,
+  PRBool asTokenObject
+)
+{
+    nssCryptokiInstance *instance;
+    CK_CERTIFICATE_TYPE cert_type = CKC_X_509;
+    CK_OBJECT_HANDLE handle;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE cert_tmpl[9];
+    CK_ULONG ctsize;
+    NSS_CK_TEMPLATE_START(cert_tmpl, attr, ctsize);
+    if (asTokenObject) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    } else {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    }
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS,            &g_ck_class_cert);
+    NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CERTIFICATE_TYPE,  cert_type);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ID,               &cert->id);
+    NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_LABEL,             nickname);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_VALUE,            &cert->encoding);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ISSUER,           &cert->issuer);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT,          &cert->subject);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER,    &cert->serial);
+    NSS_CK_TEMPLATE_FINISH(cert_tmpl, attr, ctsize);
+    /* Import the certificate onto the token */
+    handle = import_object(tok, sessionOpt, cert_tmpl, ctsize);
+    if (handle == CK_INVALID_HANDLE) {
+	return PR_FAILURE;
+    }
+    instance = create_cryptoki_instance(cert->object.arena, 
+                                        tok, handle, asTokenObject);
+    if (!instance) {
+	/* XXX destroy object */
+	return PR_FAILURE;
+    }
+    nssList_Add(cert->object.instanceList, instance);
+    /* XXX Fix this! */
+    nssListIterator_Destroy(cert->object.instances);
+    cert->object.instances = nssList_CreateIterator(cert->object.instanceList);
+    return PR_SUCCESS;
+}
+
+static PRBool 
+compare_cert_by_encoding(void *a, void *b)
+{
+    NSSCertificate *c1 = (NSSCertificate *)a;
+    NSSCertificate *c2 = (NSSCertificate *)b;
+    return  (nssItem_Equal(&c1->encoding, &c2->encoding, NULL));
+}
+
+static PRStatus
+retrieve_cert(NSSToken *t, nssSession *session, CK_OBJECT_HANDLE h, void *arg)
+{
+    PRStatus nssrv;
+    PRBool found, inCache;
+    nssTokenCertSearch *search = (nssTokenCertSearch *)arg;
+    NSSCertificate *cert = NULL;
+    nssListIterator *instances;
+    nssCryptokiInstance *ci;
+    CK_ATTRIBUTE derValue = { CKA_VALUE, NULL, 0 };
+    inCache = PR_FALSE;
+    if (search->cached) {
+	NSSCertificate csi; /* a fake cert for indexing */
+	nssrv = nssCKObject_GetAttributes(h, &derValue, 1,
+	                                  NULL, session, t->slot);
+	NSS_CK_ATTRIBUTE_TO_ITEM(&derValue, &csi.encoding);
+	cert = (NSSCertificate *)nssList_Get(search->cached, &csi);
+	nss_ZFreeIf(csi.encoding.data);
+    }
+    found = PR_FALSE;
+    if (cert) {
+	inCache = PR_TRUE;
+	nssCertificate_AddRef(cert);
+	instances = cert->object.instances;
+	for (ci  = (nssCryptokiInstance *)nssListIterator_Start(instances);
+	     ci != (nssCryptokiInstance *)NULL;
+	     ci  = (nssCryptokiInstance *)nssListIterator_Next(instances))
+	{
+	    /* The builtins token will not return the same handle for objects
+	     * during the lifetime of the token.  Thus, assuming the found
+	     * object is the same as the cached object if there is already an
+	     * instance for the token.
+	     */
+	    if (ci->token == t) {
+		found = PR_TRUE;
+		break;
+	    }
+	}
+	nssListIterator_Finish(instances);
+    } else {
+	cert = get_token_cert(t, session, h);
+	if (!cert) return PR_FAILURE;
+    }
+    if (!found) {
+	PRBool isTokenObject;
+	/* XXX this is incorrect if the search is over both types */
+	isTokenObject = (search->searchType == nssTokenSearchType_TokenOnly) ?
+	                PR_TRUE : PR_FALSE;
+	ci = create_cryptoki_instance(cert->object.arena, t, h, isTokenObject);
+	if (!ci) {
+	    NSSCertificate_Destroy(cert);
+	    return PR_FAILURE;
+	}
+	nssList_Add(cert->object.instanceList, ci);
+	/* XXX Fix this! */
+	nssListIterator_Destroy(cert->object.instances);
+	cert->object.instances = nssList_CreateIterator(cert->object.instanceList);
+	/* The cert was already discovered.  If it was made into a 
+	 * CERTCertificate, we need to update it here, because we have found
+	 * another instance of it.  This new instance may cause the slot
+	 * and nickname fields of the cert to change.
+	 */
+	if (cert->decoding && inCache) {
+	    (void)STAN_ForceCERTCertificateUpdate(cert);
+	}
+    }
+    if (!inCache) {
+	nssrv = (*search->callback)(cert, search->cbarg);
+    } else {
+	nssrv = PR_SUCCESS; /* cached entries already handled */
+    }
+#ifdef NSS_3_4_CODE
+     CERT_DestroyCertificate(STAN_GetCERTCertificate(cert));
+#else
+     NSSCertificate_Destroy(cert);
+#endif
+
+    return nssrv;
+}
+
+/* traverse all certificates - this should only happen if the token
+ * has been marked as "traversable"
+ */
+NSS_IMPLEMENT PRStatus 
+nssToken_TraverseCertificates
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  nssTokenCertSearch *search
+)
+{
+    PRStatus nssrv;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE cert_template[2];
+    CK_ULONG ctsize;
+    NSS_CK_TEMPLATE_START(cert_template, attr, ctsize);
+    /* Set the search to token/session only if provided */
+    if (search->searchType == nssTokenSearchType_SessionOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    } else if (search->searchType == nssTokenSearchType_TokenOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    }
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
+    NSS_CK_TEMPLATE_FINISH(cert_template, attr, ctsize);
+    if (search->cached) {
+	nssList_SetCompareFunction(search->cached, compare_cert_by_encoding);
+    }
+    nssrv = traverse_objects_by_template(token, sessionOpt,
+                                         cert_template, ctsize,
+                                         retrieve_cert, search);
+    return nssrv;
+}
+
+NSS_IMPLEMENT PRStatus
+nssToken_TraverseCertificatesBySubject
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSDER *subject,
+  nssTokenCertSearch *search
+)
+{
+    PRStatus nssrv;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE subj_template[3];
+    CK_ULONG stsize;
+    NSS_CK_TEMPLATE_START(subj_template, attr, stsize);
+    /* Set the search to token/session only if provided */
+    if (search->searchType == nssTokenSearchType_SessionOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    } else if (search->searchType == nssTokenSearchType_TokenOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    }
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT, subject);
+    NSS_CK_TEMPLATE_FINISH(subj_template, attr, stsize);
+    if (search->cached) {
+	nssList_SetCompareFunction(search->cached, compare_cert_by_encoding);
+    }
+    /* now traverse the token certs matching this template */
+    nssrv = traverse_objects_by_template(token, sessionOpt,
+	                                 subj_template, stsize,
+                                         retrieve_cert, search);
+    return nssrv;
+}
+
+NSS_IMPLEMENT PRStatus
+nssToken_TraverseCertificatesByNickname
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSUTF8 *name,
+  nssTokenCertSearch *search
+)
+{
+    PRStatus nssrv;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE nick_template[3];
+    CK_ULONG ntsize;
+    NSS_CK_TEMPLATE_START(nick_template, attr, ntsize);
+    NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_LABEL, name);
+    /* Set the search to token/session only if provided */
+    if (search->searchType == nssTokenSearchType_SessionOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    } else if (search->searchType == nssTokenSearchType_TokenOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    }
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
+    NSS_CK_TEMPLATE_FINISH(nick_template, attr, ntsize);
+    if (search->cached) {
+	nssList_SetCompareFunction(search->cached, compare_cert_by_encoding);
+    }
+    /* now traverse the token certs matching this template */
+    nssrv = traverse_objects_by_template(token, sessionOpt,
+	                                 nick_template, ntsize, 
+                                         retrieve_cert, search);
+    if (nssrv != PR_SUCCESS) {
+	return nssrv;
+    }
+    /* This is to workaround the fact that PKCS#11 doesn't specify
+     * whether the '\0' should be included.  XXX Is that still true?
+     * im - this is not needed by the current softoken.  However, I'm 
+     * leaving it in until I have surveyed more tokens to see if it needed.
+     * well, its needed by the builtin token...
+     */
+    nick_template[0].ulValueLen++;
+    nssrv = traverse_objects_by_template(token, sessionOpt,
+	                                 nick_template, ntsize,
+                                         retrieve_cert, search);
+    return nssrv;
+}
+
+NSS_IMPLEMENT PRStatus
+nssToken_TraverseCertificatesByEmail
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSASCII7 *email,
+  nssTokenCertSearch *search
+)
+{
+    PRStatus nssrv;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE email_template[3];
+    CK_ULONG etsize;
+    NSS_CK_TEMPLATE_START(email_template, attr, etsize);
+    NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NETSCAPE_EMAIL, email);
+    /* Set the search to token/session only if provided */
+    if (search->searchType == nssTokenSearchType_SessionOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    } else if (search->searchType == nssTokenSearchType_TokenOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    }
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
+    NSS_CK_TEMPLATE_FINISH(email_template, attr, etsize);
+    if (search->cached) {
+	nssList_SetCompareFunction(search->cached, compare_cert_by_encoding);
+    }
+    /* now traverse the token certs matching this template */
+    nssrv = traverse_objects_by_template(token, sessionOpt,
+	                                 email_template, etsize,
+                                         retrieve_cert, search);
+    if (nssrv != PR_SUCCESS) {
+	return nssrv;
+    }
+#if 0
+    /* This is to workaround the fact that PKCS#11 doesn't specify
+     * whether the '\0' should be included.  XXX Is that still true?
+     */
+    email_tmpl[0].ulValueLen--;
+    nssrv = traverse_objects_by_template(token, sessionOpt,
+	                                 email_tmpl, etsize,
+                                         retrieve_cert, search);
+#endif
+    return nssrv;
+}
+
+/* XXX these next two need to create instances as needed */
+
+NSS_IMPLEMENT NSSCertificate *
+nssToken_FindCertificateByIssuerAndSerialNumber
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSDER *issuer,
+  NSSDER *serial,
+  nssTokenSearchType searchType
+)
+{
+    NSSCertificate *rvCert = NULL;
+    nssSession *session;
+    PRStatus nssrv;
+    CK_OBJECT_HANDLE object;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE cert_template[4];
+    CK_ULONG ctsize;
+    NSS_CK_TEMPLATE_START(cert_template, attr, ctsize);
+    /* Set the search to token/session only if provided */
+    if (searchType == nssTokenSearchType_SessionOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    } else if (searchType == nssTokenSearchType_TokenOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    }
+    /* Set the unique id */
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS,         &g_ck_class_cert);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ISSUER,         issuer);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER,  serial);
+    NSS_CK_TEMPLATE_FINISH(cert_template, attr, ctsize);
+    /* get the object handle */
+    object = find_object_by_template(token, sessionOpt, cert_template, ctsize);
+    if (object == CK_INVALID_HANDLE) {
+	return NULL;
+    }
+    session = (sessionOpt) ? sessionOpt : token->defaultSession;
+    rvCert = get_token_cert(token, sessionOpt, object);
+    if (rvCert) {
+	PRBool isTokenObject;
+	nssCryptokiInstance *instance;
+	isTokenObject = nssCKObject_IsAttributeTrue(object, CKA_TOKEN,
+	                                            session, token->slot, 
+	                                            &nssrv);
+	instance = create_cryptoki_instance(rvCert->object.arena,
+	                                    token, object, isTokenObject);
+	if (!instance) {
+	    NSSCertificate_Destroy(rvCert);
+	    return NULL;
+	}
+	nssList_Add(rvCert->object.instanceList, instance);
+	/* XXX Fix this! */
+	nssListIterator_Destroy(rvCert->object.instances);
+	rvCert->object.instances = nssList_CreateIterator(rvCert->object.instanceList);
+    }
+    return rvCert;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+nssToken_FindCertificateByEncodedCertificate
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSBER *encodedCertificate,
+  nssTokenSearchType searchType
+)
+{
+    NSSCertificate *rvCert = NULL;
+    nssSession *session;
+    PRStatus nssrv;
+    CK_OBJECT_HANDLE object;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE cert_template[3];
+    CK_ULONG ctsize;
+    NSS_CK_TEMPLATE_START(cert_template, attr, ctsize);
+    /* Set the search to token/session only if provided */
+    if (searchType == nssTokenSearchType_SessionOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    } else if (searchType == nssTokenSearchType_TokenOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    }
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_VALUE, encodedCertificate);
+    NSS_CK_TEMPLATE_FINISH(cert_template, attr, ctsize);
+    /* get the object handle */
+    object = find_object_by_template(token, sessionOpt, cert_template, ctsize);
+    if (object == CK_INVALID_HANDLE) {
+	return NULL;
+    }
+    session = (sessionOpt) ? sessionOpt : token->defaultSession;
+    rvCert = get_token_cert(token, sessionOpt, object);
+    if (rvCert) {
+	PRBool isTokenObject;
+	nssCryptokiInstance *instance;
+	isTokenObject = nssCKObject_IsAttributeTrue(object, CKA_TOKEN,
+	                                            session, token->slot, 
+	                                            &nssrv);
+	instance = create_cryptoki_instance(rvCert->object.arena,
+	                                    token, object, isTokenObject);
+	if (!instance) {
+	    NSSCertificate_Destroy(rvCert);
+	    return NULL;
+	}
+	nssList_Add(rvCert->object.instanceList, instance);
+	/* XXX Fix this! */
+	nssListIterator_Destroy(rvCert->object.instances);
+	rvCert->object.instances = nssList_CreateIterator(rvCert->object.instanceList);
+    }
+    return rvCert;
+}
+
+static void
+sha1_hash(NSSItem *input, NSSItem *output)
+{
+    NSSAlgorithmAndParameters *ap;
+    NSSToken *token = STAN_GetDefaultCryptoToken();
+    ap = NSSAlgorithmAndParameters_CreateSHA1Digest(NULL);
+    (void)nssToken_Digest(token, NULL, ap, input, output, NULL);
+#ifdef NSS_3_4_CODE
+    PK11_FreeSlot(token->pk11slot);
+#endif
+    nss_ZFreeIf(ap);
+}
+
+static void
+md5_hash(NSSItem *input, NSSItem *output)
+{
+    NSSAlgorithmAndParameters *ap;
+    NSSToken *token = STAN_GetDefaultCryptoToken();
+    ap = NSSAlgorithmAndParameters_CreateMD5Digest(NULL);
+    (void)nssToken_Digest(token, NULL, ap, input, output, NULL);
+#ifdef NSS_3_4_CODE
+    PK11_FreeSlot(token->pk11slot);
+#endif
+    nss_ZFreeIf(ap);
+}
+ 
+NSS_IMPLEMENT PRStatus
+nssToken_ImportTrust
+(
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  NSSTrust *trust,
+  PRBool asTokenObject
+)
+{
+    CK_OBJECT_HANDLE handle;
+    CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE trust_tmpl[10];
+    CK_ULONG tsize;
+    PRUint8 sha1[20]; /* this is cheating... */
+    PRUint8 md5[16];
+    NSSItem sha1_result, md5_result;
+    NSSCertificate *c = trust->certificate;
+    sha1_result.data = sha1; sha1_result.size = sizeof sha1;
+    md5_result.data = md5; md5_result.size = sizeof md5;
+    sha1_hash(&c->encoding, &sha1_result);
+    md5_hash(&c->encoding, &md5_result);
+    NSS_CK_TEMPLATE_START(trust_tmpl, attr, tsize);
+    if (asTokenObject) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    } else {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    }
+    NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS,           tobjc);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ISSUER,         &c->issuer);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER,  &c->serial);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CERT_SHA1_HASH, &sha1_result);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CERT_MD5_HASH,  &md5_result);
+    /* now set the trust values */
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_SERVER_AUTH,  trust->serverAuth);
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_CLIENT_AUTH,  trust->clientAuth);
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_CODE_SIGNING, trust->codeSigning);
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_EMAIL_PROTECTION, 
+                                                       trust->emailProtection);
+    NSS_CK_TEMPLATE_FINISH(trust_tmpl, attr, tsize);
+    /* import the trust object onto the token */
+    handle = import_object(tok, NULL, trust_tmpl, tsize);
+    if (handle != CK_INVALID_HANDLE) {
+	nssCryptokiInstance *instance;
+	instance = create_cryptoki_instance(trust->object.arena,
+	                                    tok, handle, asTokenObject);
+	if (!instance) {
+	    return PR_FAILURE;
+	}
+	nssList_Add(trust->object.instanceList, instance);
+	/* XXX Fix this! */
+	nssListIterator_Destroy(trust->object.instances);
+	trust->object.instances = nssList_CreateIterator(trust->object.instanceList);
+	tok->hasNoTrust = PR_FALSE;
+	return PR_SUCCESS;
+    } 
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+nssToken_SetTrustCache
+(
+  NSSToken *token
+)
+{
+    CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE tobj_template[2];
+    CK_ULONG tobj_size;
+    CK_OBJECT_HANDLE obj;
+    nssSession *session = token->defaultSession;
+
+    NSS_CK_TEMPLATE_START(tobj_template, attr, tobj_size);
+    NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS, tobjc);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    NSS_CK_TEMPLATE_FINISH(tobj_template, attr, tobj_size);
+
+    obj = find_object_by_template(token, session,
+                                   tobj_template, tobj_size);
+    token->hasNoTrust = PR_FALSE;
+    if (obj == CK_INVALID_HANDLE) {
+	token->hasNoTrust = PR_TRUE;
+    } 
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRStatus
+nssToken_SetCrlCache
+(
+  NSSToken *token
+)
+{
+    CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_CRL;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE tobj_template[2];
+    CK_ULONG tobj_size;
+    CK_OBJECT_HANDLE obj;
+    nssSession *session = token->defaultSession;
+
+    NSS_CK_TEMPLATE_START(tobj_template, attr, tobj_size);
+    NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS, tobjc);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    NSS_CK_TEMPLATE_FINISH(tobj_template, attr, tobj_size);
+
+    obj = find_object_by_template(token, session,
+                                   tobj_template, tobj_size);
+    token->hasNoCrls = PR_TRUE;
+    if (obj == CK_INVALID_HANDLE) {
+	token->hasNoCrls = PR_TRUE;
+    }
+    return PR_SUCCESS;
+}
+
+static CK_OBJECT_HANDLE
+get_cert_trust_handle
+(
+  NSSToken *token,
+  nssSession *session,
+  NSSCertificate *c,
+  nssTokenSearchType searchType
+)
+{
+    CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE tobj_template[5];
+    CK_ULONG tobj_size;
+    PRUint8 sha1[20]; /* this is cheating... */
+    NSSItem sha1_result;
+
+    if (token->hasNoTrust) {
+	return CK_INVALID_HANDLE;
+    }
+    sha1_result.data = sha1; sha1_result.size = sizeof sha1;
+    sha1_hash(&c->encoding, &sha1_result);
+    NSS_CK_TEMPLATE_START(tobj_template, attr, tobj_size);
+    if (searchType == nssTokenSearchType_SessionOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    } else if (searchType == nssTokenSearchType_TokenOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    }
+    NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS,          tobjc);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CERT_SHA1_HASH, &sha1_result);
+#ifdef NSS_3_4_CODE
+    if (!PK11_HasRootCerts(token->pk11slot)) {
+#endif
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ISSUER,         &c->issuer);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER , &c->serial);
+#ifdef NSS_3_4_CODE
+    }
+    /*
+     * we need to arrange for the built-in token to lose the bottom 2 
+     * attributes so that old built-in tokens will continue to work.
+     */
+#endif
+    NSS_CK_TEMPLATE_FINISH(tobj_template, attr, tobj_size);
+    return find_object_by_template(token, session,
+                                   tobj_template, tobj_size);
+}
+
+NSS_IMPLEMENT NSSTrust *
+nssToken_FindTrustForCert
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSCertificate *c,
+  nssTokenSearchType searchType
+)
+{
+    PRStatus nssrv;
+    NSSTrust *rvTrust;
+    nssSession *session;
+    NSSArena *arena;
+    nssCryptokiInstance *instance;
+    PRBool isTokenObject;
+    CK_BBOOL isToken;
+    CK_TRUST saTrust, caTrust, epTrust, csTrust;
+    CK_OBJECT_HANDLE tobjID;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE trust_template[5];
+    CK_ULONG trust_size;
+    session = (sessionOpt) ? sessionOpt : token->defaultSession;
+    tobjID = get_cert_trust_handle(token, session, c, searchType);
+    if (tobjID == CK_INVALID_HANDLE) {
+	return NULL;
+    }
+    /* Then use the trust object to find the trust settings */
+    NSS_CK_TEMPLATE_START(trust_template, attr, trust_size);
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TOKEN,                  isToken);
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_SERVER_AUTH,      saTrust);
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_CLIENT_AUTH,      caTrust);
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_EMAIL_PROTECTION, epTrust);
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_CODE_SIGNING,     csTrust);
+    NSS_CK_TEMPLATE_FINISH(trust_template, attr, trust_size);
+    nssrv = nssCKObject_GetAttributes(tobjID,
+                                      trust_template, trust_size,
+                                      NULL, session, token->slot);
+    if (nssrv != PR_SUCCESS) {
+	return NULL;
+    }
+    arena = nssArena_Create();
+    if (!arena) {
+	return NULL;
+    }
+    rvTrust = nss_ZNEW(arena, NSSTrust);
+    if (!rvTrust) {
+	nssArena_Destroy(arena);
+	return NULL;
+    }
+    nssrv = nssPKIObject_Initialize(&rvTrust->object, arena, 
+                                    token->trustDomain, NULL);
+    if (nssrv != PR_SUCCESS) {
+	goto loser;
+    }
+    isTokenObject = (isToken == CK_TRUE) ? PR_TRUE : PR_FALSE;
+    instance = create_cryptoki_instance(arena, token, tobjID, isTokenObject);
+    if (!instance) {
+	goto loser;
+    }
+    rvTrust->serverAuth = saTrust;
+    rvTrust->clientAuth = caTrust;
+    rvTrust->emailProtection = epTrust;
+    rvTrust->codeSigning = csTrust;
+    return rvTrust;
+loser:
+    nssPKIObject_Destroy(&rvTrust->object);
+    return (NSSTrust *)NULL;
+}
+
+NSS_IMPLEMENT PRBool
+nssToken_HasCrls
+(
+    NSSToken *tok
+)
+{
+    return !tok->hasNoCrls;
+}
+
+NSS_IMPLEMENT PRStatus
+nssToken_SetHasCrls
+(
+    NSSToken *tok
+)
+{
+    tok->hasNoCrls = PR_FALSE;
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRBool
+nssToken_IsPresent
+(
+  NSSToken *token
+)
+{
+    return nssSlot_IsTokenPresent(token->slot);
+}
+
--- a/security/nss/lib/pk11wrap/pk11cert.c
+++ b/security/nss/lib/pk11wrap/pk11cert.c
@@ -2110,16 +2110,21 @@ pk11_FindCertObjectByRecipientNew(PK11Sl
     for (i=0; (ri = recipientlist[i]) != NULL; i++) {
 	CERTCertificate *cert = NULL;
 	/* XXXXX fixme - not yet implemented! */
 	if (ri->kind == RLSubjKeyID)
 	    continue;
 	cert = PK11_FindCertByIssuerAndSNOnToken(slot, ri->id.issuerAndSN, 
 								pwarg);
 	if (cert) {
+	    if ((cert->trust == NULL) ||
+		((cert->trust->emailFlags & CERTDB_USER) != CERTDB_USER)) {
+		CERT_DestroyCertificate(cert);
+		continue;
+	    }
 	    ri->slot = PK11_ReferenceSlot(slot);
 	    *rlIndex = i;
 	    return cert;
 	}
 
     }
     *rlIndex = -1;
     return NULL;
@@ -2177,16 +2182,21 @@ pk11_FindCertObjectByRecipient(PK11SlotI
     int i;
 
     for (i=0; (ri = recipientArray[i]) != NULL; i++) {
 	CERTCertificate *cert;
 
 	cert = PK11_FindCertByIssuerAndSNOnToken(slot, ri->issuerAndSN, 
 								pwarg);
         if (cert) {
+	    if ((cert->trust == NULL) ||
+		((cert->trust->emailFlags & CERTDB_USER) != CERTDB_USER)) {
+		CERT_DestroyCertificate(cert);
+		continue;
+	    }
 	    *rip = ri;
 	    return cert;
 	}
 
     }
     *rip = NULL;
     return NULL;
 }
--- a/security/nss/lib/pki/certificate.c
+++ b/security/nss/lib/pki/certificate.c
@@ -48,16 +48,18 @@ static const char CVS_ID[] = "@(#) $RCSf
 #endif /* PKIM_H */
 
 #ifndef DEV_H
 #include "dev.h"
 #endif /* DEV_H */
 
 #ifdef NSS_3_4_CODE
 #include "pki3hack.h"
+#include "pk11func.h"
+#include "hasht.h"
 #endif
 
 #ifndef BASE_H
 #include "base.h"
 #endif /* BASE_H */
 
 extern const NSSError NSS_ERROR_NOT_FOUND;
 
@@ -945,46 +947,64 @@ nssCertificateList_AddReferences
 )
 {
     (void)nssCertificateList_DoCallback(certList, add_ref_callback, NULL);
 }
 
 NSS_IMPLEMENT NSSTrust *
 nssTrust_Create
 (
-  nssPKIObject *object
+  nssPKIObject *object,
+  NSSItem *certData
 )
 {
     PRStatus status;
     PRUint32 i;
     PRUint32 lastTrustOrder, myTrustOrder;
+    unsigned char sha1_hashcmp[SHA1_LENGTH];
+    unsigned char sha1_hashin[SHA1_LENGTH];
+    NSSItem sha1_hash;
     NSSTrust *rvt;
     nssCryptokiObject *instance;
     nssTrustLevel serverAuth, clientAuth, codeSigning, emailProtection;
+    SECStatus rv; /* Should be stan flavor */
     lastTrustOrder = 1<<16; /* just make it big */
     PR_ASSERT(object->instances != NULL && object->numInstances > 0);
     rvt = nss_ZNEW(object->arena, NSSTrust);
     if (!rvt) {
 	return (NSSTrust *)NULL;
     }
     rvt->object = *object;
+
+    /* should be stan flavor of Hashbuf */
+    rv = PK11_HashBuf(SEC_OID_SHA1,sha1_hashcmp,certData->data,certData->size);
+    if (rv != SECSuccess) {
+	return (NSSTrust *)NULL;
+    }
+    sha1_hash.data = sha1_hashin;
+    sha1_hash.size = sizeof (sha1_hashin);
     /* trust has to peek into the base object members */
     PZ_Lock(object->lock);
     for (i=0; i<object->numInstances; i++) {
 	instance = object->instances[i];
 	myTrustOrder = nssToken_GetTrustOrder(instance->token);
 	status = nssCryptokiTrust_GetAttributes(instance, NULL,
+						&sha1_hash,
 	                                        &serverAuth,
 	                                        &clientAuth,
 	                                        &codeSigning,
 	                                        &emailProtection);
 	if (status != PR_SUCCESS) {
 	    PZ_Unlock(object->lock);
 	    return (NSSTrust *)NULL;
 	}
+	if (PORT_Memcmp(sha1_hashin,sha1_hashcmp,SHA1_LENGTH) != 0) {
+	    PZ_Unlock(object->lock);
+	    return (NSSTrust *)NULL;
+	}
 	if (rvt->serverAuth == nssTrustLevel_Unknown ||
 	    myTrustOrder < lastTrustOrder) 
 	{
 	    rvt->serverAuth = serverAuth;
 	}
 	if (rvt->clientAuth == nssTrustLevel_Unknown ||
 	    myTrustOrder < lastTrustOrder) 
 	{
--- a/security/nss/lib/pki/pkim.h
+++ b/security/nss/lib/pki/pkim.h
@@ -242,17 +242,18 @@ NSS_EXTERN PRStatus
 nssDecodedCert_Destroy
 (
   nssDecodedCert *dc
 );
 
 NSS_EXTERN NSSTrust *
 nssTrust_Create
 (
-  nssPKIObject *object
+  nssPKIObject *object,
+  NSSCertificate *nssCert
 );
 
 NSS_EXTERN NSSCRL *
 nssCRL_Create
 (
   nssPKIObject *object
 );
 
--- a/security/nss/lib/pki/trustdomain.c
+++ b/security/nss/lib/pki/trustdomain.c
@@ -1256,17 +1256,17 @@ nssTrustDomain_FindTrustForCertificate
 			goto loser;
 		    }
 		}
 	    }
 	    nssToken_Destroy(token);
 	}
     }
     if (pkio) {
-	rvt = nssTrust_Create(pkio);
+	rvt = nssTrust_Create(pkio, &c->encoding);
 	if (!rvt) {
 	    goto loser;
 	}
     }
     nssSlotArray_Destroy(slots);
     return rvt;
 loser:
     nssSlotArray_Destroy(slots);
--- a/security/nss/lib/softoken/pkcs11u.c
+++ b/security/nss/lib/softoken/pkcs11u.c
@@ -964,17 +964,16 @@ trust:
 #endif
     return NULL;
 }
 
 static PK11Attribute *
 pk11_FindCrlAttribute(PK11TokenObject *object, CK_ATTRIBUTE_TYPE type)
 {
     certDBEntryRevocation *crl;
-    char *url;
 
     switch (type) {
     case CKA_PRIVATE:
     case CKA_MODIFIABLE:
 	return (PK11Attribute *) &pk11_StaticFalseAttr;
     case CKA_NETSCAPE_KRL:
 	return (PK11Attribute *) ((object->obj.handle == PK11_TOKEN_KRL_HANDLE) 
 			? &pk11_StaticTrueAttr : &pk11_StaticFalseAttr);
@@ -982,17 +981,17 @@ pk11_FindCrlAttribute(PK11TokenObject *o
 	return pk11_NewTokenAttribute(type,object->dbKey.data,
 						object->dbKey.len, PR_FALSE);	
     default:
 	break;
     }
     crl =  pk11_getCrl(object);
     switch (type) {
     case CKA_NETSCAPE_URL:
-	if (url == NULL) {
+	if (crl->url == NULL) {
 	    return (PK11Attribute *) &pk11_StaticNullAttr;
 	}
 	return pk11_NewTokenAttribute(type, crl->url, 
 					PORT_Strlen(crl->url)+1, PR_TRUE);
     case CKA_VALUE:
 	return pk11_NewTokenAttribute(type, crl->derCrl.data, 
 						crl->derCrl.len, PR_FALSE);
     default:
--- a/security/nss/lib/util/quickder.c
+++ b/security/nss/lib/util/quickder.c
@@ -33,16 +33,17 @@
 
 /*
     Optimized ASN.1 DER decoder
     
 */
 
 #include "secerr.h"
 #include "secasn1.h" /* for SEC_ASN1GetSubtemplate */
+#include "secitem.h"
 
 /*
  * simple definite-length ASN.1 decoder
  */
 
 static unsigned char* definite_length_decoder(const unsigned char *buf,
                                               const unsigned int length,
                                               unsigned int *data_length,
@@ -881,17 +882,27 @@ SECStatus SEC_QuickDERDecodeItem(PRArena
     SECItem newsrc;
 
     if (!arena || !templateEntry || !src)
     {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         rv = SECFailure;
     }
 
+    /* temporarily copy the item until bug a new patch for 160805 is made */
+    if (SECSuccess != SECITEM_CopyItem(arena, &newsrc, src))
+    {
+        rv = SECFailure;
+    }
+#if 0
+    /*
+        we don't really want to copy the item. 
+    */
     newsrc = *src;
+#endif
 
     if (SECSuccess == rv)
     {
         rv = DecodeItem(dest, templateEntry, &newsrc, arena, PR_TRUE);
     }
 
     return rv;
 }