Bug 839141: Update NSS to NSS 3.14.3 (NSS_3_14_3_RTM), a=akeybl, r=me
author: Brian Smith <bsmith@mozilla.com>
date: Thu, 11 Apr 2013 17:43:06 -0700
changeset: 118737 2b44e2c40cc12ee1f13d9f0c04b9f31a5694887f
parent: 118736 d887b7ef36401f44206895c0a6586965265e98bd
child: 118738 9ed6f3f4d013ae0b169edaedf9f09aaa18546d13
push id: 104
push user: bsmith@mozilla.com
push date: Sun, 14 Apr 2013 23:56:20 +0000
reviewers: akeybl, me
bugs: 839141
milestone: 18.0
configure.in
dbm/src/mktemp.c
security/coreconf/Android.mk
security/coreconf/Linux.mk
security/coreconf/SunOS5.10.mk
security/coreconf/SunOS5.10_i86pc.mk
security/coreconf/SunOS5.11.mk
security/coreconf/SunOS5.11_i86pc.mk
security/coreconf/SunOS5.3.mk
security/coreconf/SunOS5.4.mk
security/coreconf/SunOS5.4_i86pc.mk
security/coreconf/SunOS5.5.1.mk
security/coreconf/SunOS5.5.1_i86pc.mk
security/coreconf/SunOS5.5.mk
security/coreconf/SunOS5.6.mk
security/coreconf/SunOS5.6_i86pc.mk
security/coreconf/SunOS5.7.mk
security/coreconf/SunOS5.7_i86pc.mk
security/coreconf/SunOS5.8.mk
security/coreconf/SunOS5.8_i86pc.mk
security/coreconf/SunOS5.9.mk
security/coreconf/SunOS5.9_i86pc.mk
security/coreconf/SunOS5.mk
security/coreconf/arch.mk
security/coreconf/config.mk
security/coreconf/coreconf.dep
security/nss/Makefile
security/nss/TAG-INFO
security/nss/TAG-INFO-CKBI
security/nss/cmd/bltest/blapitest.c
security/nss/cmd/bltest/tests/aes_ctr/aes_ctr_0.txt
security/nss/cmd/bltest/tests/aes_ctr/aes_ctr_1.txt
security/nss/cmd/bltest/tests/aes_ctr/aes_ctr_2.txt
security/nss/cmd/bltest/tests/aes_ctr/aes_ctr_tests_source.txt
security/nss/cmd/bltest/tests/aes_ctr/ciphertext0
security/nss/cmd/bltest/tests/aes_ctr/ciphertext1
security/nss/cmd/bltest/tests/aes_ctr/ciphertext2
security/nss/cmd/bltest/tests/aes_ctr/iv0
security/nss/cmd/bltest/tests/aes_ctr/iv1
security/nss/cmd/bltest/tests/aes_ctr/iv2
security/nss/cmd/bltest/tests/aes_ctr/key0
security/nss/cmd/bltest/tests/aes_ctr/key1
security/nss/cmd/bltest/tests/aes_ctr/key2
security/nss/cmd/bltest/tests/aes_ctr/mktst.sh
security/nss/cmd/bltest/tests/aes_ctr/numtests
security/nss/cmd/bltest/tests/aes_ctr/plaintext0
security/nss/cmd/bltest/tests/aes_ctr/plaintext1
security/nss/cmd/bltest/tests/aes_ctr/plaintext2
security/nss/cmd/bltest/tests/aes_gcm/aad0
security/nss/cmd/bltest/tests/aes_gcm/aad1
security/nss/cmd/bltest/tests/aes_gcm/aad10
security/nss/cmd/bltest/tests/aes_gcm/aad11
security/nss/cmd/bltest/tests/aes_gcm/aad12
security/nss/cmd/bltest/tests/aes_gcm/aad13
security/nss/cmd/bltest/tests/aes_gcm/aad14
security/nss/cmd/bltest/tests/aes_gcm/aad2
security/nss/cmd/bltest/tests/aes_gcm/aad3
security/nss/cmd/bltest/tests/aes_gcm/aad4
security/nss/cmd/bltest/tests/aes_gcm/aad5
security/nss/cmd/bltest/tests/aes_gcm/aad6
security/nss/cmd/bltest/tests/aes_gcm/aad7
security/nss/cmd/bltest/tests/aes_gcm/aad8
security/nss/cmd/bltest/tests/aes_gcm/aad9
security/nss/cmd/bltest/tests/aes_gcm/ciphertext0
security/nss/cmd/bltest/tests/aes_gcm/ciphertext1
security/nss/cmd/bltest/tests/aes_gcm/ciphertext10
security/nss/cmd/bltest/tests/aes_gcm/ciphertext11
security/nss/cmd/bltest/tests/aes_gcm/ciphertext12
security/nss/cmd/bltest/tests/aes_gcm/ciphertext13
security/nss/cmd/bltest/tests/aes_gcm/ciphertext14
security/nss/cmd/bltest/tests/aes_gcm/ciphertext2
security/nss/cmd/bltest/tests/aes_gcm/ciphertext3
security/nss/cmd/bltest/tests/aes_gcm/ciphertext4
security/nss/cmd/bltest/tests/aes_gcm/ciphertext5
security/nss/cmd/bltest/tests/aes_gcm/ciphertext6
security/nss/cmd/bltest/tests/aes_gcm/ciphertext7
security/nss/cmd/bltest/tests/aes_gcm/ciphertext8
security/nss/cmd/bltest/tests/aes_gcm/ciphertext9
security/nss/cmd/bltest/tests/aes_gcm/iv0
security/nss/cmd/bltest/tests/aes_gcm/iv1
security/nss/cmd/bltest/tests/aes_gcm/iv10
security/nss/cmd/bltest/tests/aes_gcm/iv11
security/nss/cmd/bltest/tests/aes_gcm/iv12
security/nss/cmd/bltest/tests/aes_gcm/iv13
security/nss/cmd/bltest/tests/aes_gcm/iv14
security/nss/cmd/bltest/tests/aes_gcm/iv2
security/nss/cmd/bltest/tests/aes_gcm/iv3
security/nss/cmd/bltest/tests/aes_gcm/iv4
security/nss/cmd/bltest/tests/aes_gcm/iv5
security/nss/cmd/bltest/tests/aes_gcm/iv6
security/nss/cmd/bltest/tests/aes_gcm/iv7
security/nss/cmd/bltest/tests/aes_gcm/iv8
security/nss/cmd/bltest/tests/aes_gcm/iv9
security/nss/cmd/bltest/tests/aes_gcm/key0
security/nss/cmd/bltest/tests/aes_gcm/key1
security/nss/cmd/bltest/tests/aes_gcm/key10
security/nss/cmd/bltest/tests/aes_gcm/key11
security/nss/cmd/bltest/tests/aes_gcm/key12
security/nss/cmd/bltest/tests/aes_gcm/key13
security/nss/cmd/bltest/tests/aes_gcm/key14
security/nss/cmd/bltest/tests/aes_gcm/key2
security/nss/cmd/bltest/tests/aes_gcm/key3
security/nss/cmd/bltest/tests/aes_gcm/key4
security/nss/cmd/bltest/tests/aes_gcm/key5
security/nss/cmd/bltest/tests/aes_gcm/key6
security/nss/cmd/bltest/tests/aes_gcm/key7
security/nss/cmd/bltest/tests/aes_gcm/key8
security/nss/cmd/bltest/tests/aes_gcm/key9
security/nss/cmd/bltest/tests/aes_gcm/mktst.sh
security/nss/cmd/bltest/tests/aes_gcm/numtests
security/nss/cmd/bltest/tests/aes_gcm/plaintext0
security/nss/cmd/bltest/tests/aes_gcm/plaintext1
security/nss/cmd/bltest/tests/aes_gcm/plaintext10
security/nss/cmd/bltest/tests/aes_gcm/plaintext11
security/nss/cmd/bltest/tests/aes_gcm/plaintext12
security/nss/cmd/bltest/tests/aes_gcm/plaintext13
security/nss/cmd/bltest/tests/aes_gcm/plaintext14
security/nss/cmd/bltest/tests/aes_gcm/plaintext2
security/nss/cmd/bltest/tests/aes_gcm/plaintext3
security/nss/cmd/bltest/tests/aes_gcm/plaintext4
security/nss/cmd/bltest/tests/aes_gcm/plaintext5
security/nss/cmd/bltest/tests/aes_gcm/plaintext6
security/nss/cmd/bltest/tests/aes_gcm/plaintext7
security/nss/cmd/bltest/tests/aes_gcm/plaintext8
security/nss/cmd/bltest/tests/aes_gcm/plaintext9
security/nss/cmd/bltest/tests/aes_gcm/test0.txt
security/nss/cmd/bltest/tests/aes_gcm/test1.txt
security/nss/cmd/bltest/tests/aes_gcm/test10.txt
security/nss/cmd/bltest/tests/aes_gcm/test11.txt
security/nss/cmd/bltest/tests/aes_gcm/test12.txt
security/nss/cmd/bltest/tests/aes_gcm/test13.txt
security/nss/cmd/bltest/tests/aes_gcm/test14.txt
security/nss/cmd/bltest/tests/aes_gcm/test2.txt
security/nss/cmd/bltest/tests/aes_gcm/test3.txt
security/nss/cmd/bltest/tests/aes_gcm/test4.txt
security/nss/cmd/bltest/tests/aes_gcm/test5.txt
security/nss/cmd/bltest/tests/aes_gcm/test6.txt
security/nss/cmd/bltest/tests/aes_gcm/test7.txt
security/nss/cmd/bltest/tests/aes_gcm/test8.txt
security/nss/cmd/bltest/tests/aes_gcm/test9.txt
security/nss/cmd/bltest/tests/aes_gcm/test_source.txt
security/nss/cmd/certcgi/ca_form.html
security/nss/cmd/certcgi/certcgi.c
security/nss/cmd/certcgi/stnd_ext_form.html
security/nss/cmd/certutil/certext.c
security/nss/cmd/certutil/certutil.c
security/nss/cmd/lib/basicutil.c
security/nss/cmd/lib/moreoids.c
security/nss/cmd/lib/secutil.c
security/nss/cmd/lib/secutil.h
security/nss/cmd/lowhashtest/lowhashtest.c
security/nss/cmd/multinit/multinit.c
security/nss/cmd/ocspclnt/ocspclnt.c
security/nss/cmd/pwdecrypt/pwdecrypt.c
security/nss/cmd/shlibsign/Makefile
security/nss/cmd/shlibsign/sign.sh
security/nss/cmd/ssltap/ssltap.c
security/nss/cmd/vfychain/vfychain.c
security/nss/doc/Makefile
security/nss/doc/README
security/nss/doc/certutil.xml
security/nss/doc/cmsutil.xml
security/nss/doc/crlutil.xml
security/nss/doc/derdump.xml
security/nss/doc/modutil.xml
security/nss/doc/pk12util.xml
security/nss/doc/pp.xml
security/nss/doc/signtool.xml
security/nss/doc/signver.xml
security/nss/doc/ssltap.xml
security/nss/doc/vfychain.xml
security/nss/doc/vfyserv.xml
security/nss/lib/certdb/certdb.c
security/nss/lib/certdb/certt.h
security/nss/lib/certdb/stanpcertdb.c
security/nss/lib/certhigh/certhigh.c
security/nss/lib/certhigh/certvfy.c
security/nss/lib/certhigh/certvfypkix.c
security/nss/lib/certhigh/ocsp.c
security/nss/lib/certhigh/ocsp.h
security/nss/lib/certhigh/ocspi.h
security/nss/lib/certhigh/ocspt.h
security/nss/lib/certhigh/ocspti.h
security/nss/lib/freebl/Makefile
security/nss/lib/freebl/arcfour.c
security/nss/lib/freebl/blapi.h
security/nss/lib/freebl/desblapi.c
security/nss/lib/freebl/drbg.c
security/nss/lib/freebl/ecl/ecp_aff.c
security/nss/lib/freebl/hmacct.c
security/nss/lib/freebl/hmacct.h
security/nss/lib/freebl/intel-gcm-wrap.c
security/nss/lib/freebl/intel-gcm.h
security/nss/lib/freebl/intel-gcm.s
security/nss/lib/freebl/ldvector.c
security/nss/lib/freebl/loader.c
security/nss/lib/freebl/loader.h
security/nss/lib/freebl/manifest.mn
security/nss/lib/freebl/md5.c
security/nss/lib/freebl/pqg.c
security/nss/lib/freebl/rawhash.c
security/nss/lib/freebl/rijndael.c
security/nss/lib/freebl/sha512.c
security/nss/lib/freebl/sha_fast.c
security/nss/lib/freebl/sha_fast.h
security/nss/lib/freebl/unix_rand.c
security/nss/lib/libpkix/include/pkix_params.h
security/nss/lib/libpkix/pkix/params/pkix_procparams.c
security/nss/lib/libpkix/pkix/params/pkix_procparams.h
security/nss/lib/libpkix/pkix/top/pkix_build.c
security/nss/lib/libpkix/pkix/top/pkix_build.h
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c
security/nss/lib/nss/nss.def
security/nss/lib/nss/nss.h
security/nss/lib/pk11wrap/pk11cert.c
security/nss/lib/pk11wrap/pk11merge.c
security/nss/lib/pk11wrap/pk11obj.c
security/nss/lib/pk11wrap/pk11pub.h
security/nss/lib/pkcs7/certread.c
security/nss/lib/pkcs7/p7decode.c
security/nss/lib/pki/pki3hack.c
security/nss/lib/smime/cmsasn1.c
security/nss/lib/softoken/legacydb/pcertdb.c
security/nss/lib/softoken/manifest.mn
security/nss/lib/softoken/pkcs11.c
security/nss/lib/softoken/pkcs11c.c
security/nss/lib/softoken/pkcs11i.h
security/nss/lib/softoken/rsawrapr.c
security/nss/lib/softoken/sdb.c
security/nss/lib/softoken/sftkhmac.c
security/nss/lib/softoken/softkver.h
security/nss/lib/softoken/softoken.h
security/nss/lib/softoken/softoknt.h
security/nss/lib/sqlite/README
security/nss/lib/sqlite/config.mk
security/nss/lib/sqlite/sqlite.def
security/nss/lib/sqlite/sqlite3.c
security/nss/lib/sqlite/sqlite3.h
security/nss/lib/ssl/ssl3con.c
security/nss/lib/ssl/sslsock.c
security/nss/lib/util/hasht.h
security/nss/lib/util/nssutil.h
security/nss/lib/util/pkcs11n.h
security/nss/lib/util/secasn1t.h
security/nss/lib/util/secoid.c
security/nss/lib/util/secoidt.h
security/nss/tests/cert/cert.sh
security/nss/tests/chains/chains.sh
security/nss/tests/chains/scenarios/scenarios
security/nss/tests/chains/scenarios/trustanchors.cfg
security/nss/tests/common/init.sh
security/nss/tests/dummy/dummy.sh
security/nss/tests/lowhash/lowhash.sh
security/nss/tests/remote/Makefile
security/nss/tests/remote/manifest.mn
security/nss/tests/ssl/ssl.sh
--- a/configure.in
+++ b/configure.in
@@ -3997,17 +3997,17 @@ dnl = If NSS was not detected in the sys
 dnl = use the one in the source tree (mozilla/security/nss)
 dnl ========================================================
 
 MOZ_ARG_WITH_BOOL(system-nss,
 [  --with-system-nss       Use system installed NSS],
     _USE_SYSTEM_NSS=1 )
 
 if test -n "$_USE_SYSTEM_NSS"; then
-    AM_PATH_NSS(3.14.1, [MOZ_NATIVE_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
+    AM_PATH_NSS(3.14.3, [MOZ_NATIVE_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
 fi
 
 if test -n "$MOZ_NATIVE_NSS"; then
    NSS_LIBS="$NSS_LIBS -lcrmf"
 else
    NSS_CFLAGS='-I$(LIBXUL_DIST)/include/nss'
    NSS_DEP_LIBS="\
         \$(LIBXUL_DIST)/lib/\$(LIB_PREFIX)crmf.\$(LIB_SUFFIX) \
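Review bot: the error text in the AM_PATH_NSS call (`[you don't have NSS installed or your version is too old]`) does not say which version is required, so a packager building with --with-system-nss has to open configure.in to learn that 3.14.3 is now the minimum; include the version in the message when bumping it.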
--- a/dbm/src/mktemp.c
+++ b/dbm/src/mktemp.c
@@ -79,19 +79,16 @@ mkstempflags(char *path, int extraFlags)
 }
 
 /* NB: This routine modifies its input string, and does not always restore it.
 ** returns 1 on success, 0 on failure.
 */
 static int 
 _gettemp(char *path, register int *doopen, int extraFlags)
 {    
-#if !defined(_WINDOWS) || defined(_WIN32)
-	extern int errno;                    
-#endif
 	register char *start, *trv;
 	struct stat sbuf;
 	unsigned int pid;
 
 	pid = getpid();
 	for (trv = path; *trv; ++trv);		/* extra X's get set to 0's */
 	while (*--trv == 'X') {
 		*trv = (pid % 10) + '0';
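Review bot: dropping the hand-written `extern int errno;` is right, since errno is a macro supplied by <errno.h> on current platforms and a manual extern declaration can fail to compile, but the hunk does not show the include list of mktemp.c; confirm <errno.h> is included so that any use of errno in `_gettemp` still resolves on every target, including the `_WINDOWS` builds the removed #if guarded.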
new file mode 100644
--- /dev/null
+++ b/security/coreconf/Android.mk
@@ -0,0 +1,6 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+include $(CORE_DEPTH)/coreconf/Linux.mk
--- a/security/coreconf/Linux.mk
+++ b/security/coreconf/Linux.mk
@@ -3,28 +3,50 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 include $(CORE_DEPTH)/coreconf/UNIX.mk
 
 #
 # The default implementation strategy for Linux is now pthreads
 #
-USE_PTHREADS = 1
+ifneq ($(OS_TARGET),Android)
+	USE_PTHREADS = 1
+endif
 
 ifeq ($(USE_PTHREADS),1)
 	IMPL_STRATEGY = _PTH
 endif
 
 CC			= gcc
 CCC			= g++
 RANLIB			= ranlib
 
 DEFAULT_COMPILER = gcc
 
+ifeq ($(OS_TARGET),Android)
+ifndef ANDROID_NDK
+	$(error Must set ANDROID_NDK to the path to the android NDK first)
+endif
+	ANDROID_PREFIX=$(OS_TEST)-linux-androideabi
+	ANDROID_TARGET=$(ANDROID_PREFIX)-4.4.3
+	# should autodetect which linux we are on, currently android only
+	# supports linux-x86 prebuilts
+	ANDROID_TOOLCHAIN=$(ANDROID_NDK)/toolchains/$(ANDROID_TARGET)/prebuilt/linux-x86
+	ANDROID_SYSROOT=$(ANDROID_NDK)/platforms/android-$(OS_TARGET_RELEASE)/arch-$(OS_TEST)
+	ANDROID_CC=$(ANDROID_TOOLCHAIN)/bin/$(ANDROID_PREFIX)-gcc
+# internal tools need to be built with the native compiler
+ifndef INTERNAL_TOOLS
+	CC = $(ANDROID_CC) --sysroot=$(ANDROID_SYSROOT)
+	DEFAULT_COMPILER=$(ANDROID_PREFIX)-gcc
+	ARCHFLAG = --sysroot=$(ANDROID_SYSROOT)
+	DEFINES += -DNO_SYSINFO -DNO_FORK_CHECK -DANDROID
+	CROSS_COMPILE = 1
+endif
+endif
 ifeq ($(OS_TEST),ppc64)
 	CPU_ARCH	= ppc
 ifeq ($(USE_64),1)
 	ARCHFLAG	= -m64
 endif
 else
 ifeq ($(OS_TEST),alpha)
         OS_REL_CFLAGS   = -D_ALPHA_
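Review bot: the NDK layout is hard-coded in `ANDROID_TARGET=$(ANDROID_PREFIX)-4.4.3` and `.../prebuilt/linux-x86`, so a different NDK compiler release or a non-x86 Linux host fails deep inside the toolchain path rather than at the `$(error Must set ANDROID_NDK ...)` check; consider `?=` defaults for ANDROID_TARGET and the host tag so they can be overridden from the environment. The `-DNO_SYSINFO -DNO_FORK_CHECK -DANDROID` defines carry no comment explaining why Android needs them, and since they turn off checks elsewhere in the tree, a one-line justification belongs here. Note also that the ANDROID_NDK check sits outside `ifndef INTERNAL_TOOLS`, so it fires even for the host-compiler internal-tools pass that never uses the NDK.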
@@ -62,17 +84,19 @@ endif
 endif
 endif
 endif
 endif
 endif
 endif
 
 
+ifneq ($(OS_TARGET),Android)
 LIBC_TAG		= _glibc
+endif
 
 ifeq ($(OS_RELEASE),2.0)
 	OS_REL_CFLAGS	+= -DLINUX2_0
 	MKSHLIB		= $(CC) -shared -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so) $(RPATH)
 	ifdef MAPFILE
 		MKSHLIB += -Wl,--version-script,$(MAPFILE)
 	endif
 	PROCESS_MAP_FILE = grep -v ';-' $< | \
@@ -98,17 +122,17 @@ endif
 ifeq ($(USE_PTHREADS),1)
 OS_PTHREAD = -lpthread 
 endif
 
 # See bug 537829, in particular comment 23.
 # Place -ansi and *_SOURCE before $(DSO_CFLAGS) so DSO_CFLAGS can override
 # -ansi on platforms like Android where the system headers are C99 and do
 # not build with -ansi.
-STANDARDS_CFLAGS	= -ansi -D_POSIX_SOURCE -D_BSD_SOURCE -D_XOPEN_SOURCE
+STANDARDS_CFLAGS	= -D_POSIX_SOURCE -D_BSD_SOURCE -D_XOPEN_SOURCE
 OS_CFLAGS		= $(STANDARDS_CFLAGS) $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) -Wall -Werror-implicit-function-declaration -Wno-switch -pipe -DLINUX -Dlinux -DHAVE_STRERROR
 OS_LIBS			= $(OS_PTHREAD) -ldl -lc
 
 ifdef USE_PTHREADS
 	DEFINES		+= -D_REENTRANT
 endif
 
 ARCH			= linux
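Review bot: the comment directly above (`# Place -ansi and *_SOURCE before $(DSO_CFLAGS) so DSO_CFLAGS can override -ansi ...`) is now stale, because this hunk removes -ansi from STANDARDS_CFLAGS; rewrite the comment to describe only the *_SOURCE ordering, and state in it which C standard the tree now targets, since -ansi was the flag enforcing C89.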
@@ -136,22 +160,24 @@ G++INCLUDES		= -I/usr/include/g++
 #
 CPU_TAG = _$(CPU_ARCH)
 
 #
 # On Linux 2.6 or later, build libfreebl3.so with no NSPR and libnssutil3.so
 # dependencies by default.  Set FREEBL_NO_DEPEND to 0 in the environment to
 # override this.
 #
+ifneq ($(OS_TARGET),Android)
 ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))
 ifndef FREEBL_NO_DEPEND
 FREEBL_NO_DEPEND = 1
 FREEBL_LOWHASH = 1
 endif
 endif
+endif
 
 USE_SYSTEM_ZLIB = 1
 ZLIB_LIBS = -lz
 
 # The -rpath '$$ORIGIN' linker option instructs this library to search for its
 # dependencies in the same directory where it resides.
 ifeq ($(BUILD_SUN_PKG), 1)
 ifeq ($(USE_64), 1)
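Review bot: the comment block above the new `ifneq ($(OS_TARGET),Android)` still says "On Linux 2.6 or later, build libfreebl3.so with no NSPR and libnssutil3.so dependencies by default"; add that Android is excluded (FREEBL_NO_DEPEND and FREEBL_LOWHASH stay unset there) so a reader does not take the outer ifneq for an oversight.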
--- a/security/coreconf/SunOS5.10.mk
+++ b/security/coreconf/SunOS5.10.mk
@@ -1,14 +1,12 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-SOL_CFLAGS += -D_SVID_GETTOD
-
 include $(CORE_DEPTH)/coreconf/SunOS5.mk
 
 ifeq ($(OS_RELEASE),5.10)
 	OS_DEFINES += -DSOLARIS2_10
 endif
 
 OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc 
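Review bot: removing `SOL_CFLAGS += -D_SVID_GETTOD` here and in the other SunOS5.*.mk hunks changes which gettimeofday() prototype the Solaris headers expose (the SVID one-argument form versus the standard two-argument form); confirm every caller in the tree passes the second argument, otherwise the Solaris build now fails at compile time.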
--- a/security/coreconf/SunOS5.10_i86pc.mk
+++ b/security/coreconf/SunOS5.10_i86pc.mk
@@ -1,15 +1,13 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-SOL_CFLAGS	= -D_SVID_GETTOD
-
 include $(CORE_DEPTH)/coreconf/SunOS5.mk
 
 ifeq ($(USE_64),1)
     CPU_ARCH		= x86_64
 else
     CPU_ARCH		= x86
     OS_DEFINES		+= -Di386
 endif
--- a/security/coreconf/SunOS5.11.mk
+++ b/security/coreconf/SunOS5.11.mk
@@ -1,14 +1,12 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-SOL_CFLAGS += -D_SVID_GETTOD
-
 include $(CORE_DEPTH)/coreconf/SunOS5.mk
 
 ifeq ($(OS_RELEASE),5.11)
 	OS_DEFINES += -DSOLARIS2_11
 endif
 
 OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc 
--- a/security/coreconf/SunOS5.11_i86pc.mk
+++ b/security/coreconf/SunOS5.11_i86pc.mk
@@ -1,15 +1,13 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-SOL_CFLAGS	= -D_SVID_GETTOD
-
 include $(CORE_DEPTH)/coreconf/SunOS5.mk
 
 ifeq ($(USE_64),1)
     CPU_ARCH		= x86_64
 else
     CPU_ARCH		= x86
     OS_DEFINES		+= -Di386
 endif
deleted file mode 100644
--- a/security/coreconf/SunOS5.3.mk
+++ /dev/null
@@ -1,8 +0,0 @@
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-SOL_CFLAGS =
-
-include $(CORE_DEPTH)/coreconf/SunOS5.mk
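Review bot: with this and the SunOS5.4 through SunOS5.7 deletions that follow, config.mk still falls through to `include $(CORE_DEPTH)/coreconf/$(OS_TARGET)$(OS_RELEASE).mk` for releases outside TARGET_OSES, so a build on one of the dropped releases now dies with a missing-include error rather than an explicit unsupported-platform message; if the removal is intentional, an `$(error ...)` for OS_RELEASE older than 5.8 or a line in the release notes would make that clear.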
deleted file mode 100644
--- a/security/coreconf/SunOS5.4.mk
+++ /dev/null
@@ -1,8 +0,0 @@
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-SOL_CFLAGS =
-
-include $(CORE_DEPTH)/coreconf/SunOS5.mk
deleted file mode 100644
--- a/security/coreconf/SunOS5.4_i86pc.mk
+++ /dev/null
@@ -1,37 +0,0 @@
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-include $(CORE_DEPTH)/coreconf/UNIX.mk
-
-DEFAULT_COMPILER = cc
-
-ifdef NS_USE_GCC
-	CC		= gcc
-	OS_CFLAGS	+= -Wall -Wno-format -Wno-switch
-	CCC		= g++
-	CCC		+= -Wall -Wno-format
-	ASFLAGS		+= -x assembler-with-cpp
-	OS_CFLAGS	+= $(NOMD_OS_CFLAGS)
-	ifdef USE_MDUPDATE
-		OS_CFLAGS += -MDupdate $(DEPENDENCIES)
-	endif
-else
-	CC		= cc
-	CCC		= CC
-	ASFLAGS		+= -Wa,-P
-	OS_CFLAGS	+= $(NOMD_OS_CFLAGS)
-endif
-
-CPU_ARCH	= x86
-
-MKSHLIB		= $(LD)
-MKSHLIB		+= $(DSO_LDOPTS)
-NOSUCHFILE	= /solx86-rm-f-sucks
-RANLIB		= echo
-
-# for purify
-NOMD_OS_CFLAGS	+= -DSVR4 -DSYSV -D_REENTRANT -DSOLARIS -D__svr4__ -Di386
-
-DSO_LDOPTS	+= -G
deleted file mode 100644
--- a/security/coreconf/SunOS5.5.1.mk
+++ /dev/null
@@ -1,14 +0,0 @@
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-SOL_CFLAGS += -D_SVID_GETTOD
-
-include $(CORE_DEPTH)/coreconf/SunOS5.mk
-
-ifeq ($(OS_RELEASE),5.5.1)
-	OS_DEFINES += -DSOLARIS2_5
-endif
-
-OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc 
deleted file mode 100644
--- a/security/coreconf/SunOS5.5.1_i86pc.mk
+++ /dev/null
@@ -1,16 +0,0 @@
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-SOL_CFLAGS	= -D_SVID_GETTOD
-
-include $(CORE_DEPTH)/coreconf/SunOS5.mk
-
-CPU_ARCH		= x86
-ARCHFLAG		=
-OS_DEFINES		+= -Di386
-
-ifeq ($(OS_RELEASE),5.5.1_i86pc)
-	OS_DEFINES += -DSOLARIS2_5
-endif
deleted file mode 100644
--- a/security/coreconf/SunOS5.5.mk
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-SOL_CFLAGS += -D_SVID_GETTOD
-
-include $(CORE_DEPTH)/coreconf/SunOS5.mk
-
-ifeq ($(OS_RELEASE),5.5)
-	OS_DEFINES += -DSOLARIS2_5
-endif
deleted file mode 100644
--- a/security/coreconf/SunOS5.6.mk
+++ /dev/null
@@ -1,14 +0,0 @@
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-SOL_CFLAGS += -D_SVID_GETTOD
-
-include $(CORE_DEPTH)/coreconf/SunOS5.mk
-
-ifeq ($(OS_RELEASE),5.6)
-	OS_DEFINES += -DSOLARIS2_6
-endif
-
-OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc 
deleted file mode 100644
--- a/security/coreconf/SunOS5.6_i86pc.mk
+++ /dev/null
@@ -1,16 +0,0 @@
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-SOL_CFLAGS	= -D_SVID_GETTOD
-
-include $(CORE_DEPTH)/coreconf/SunOS5.mk
-
-CPU_ARCH		= x86
-ARCHFLAG		=
-OS_DEFINES		+= -Di386
-
-ifeq ($(OS_RELEASE),5.6_i86pc)
-	OS_DEFINES += -DSOLARIS2_6
-endif
deleted file mode 100644
--- a/security/coreconf/SunOS5.7.mk
+++ /dev/null
@@ -1,14 +0,0 @@
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-SOL_CFLAGS += -D_SVID_GETTOD
-
-include $(CORE_DEPTH)/coreconf/SunOS5.mk
-
-ifeq ($(OS_RELEASE),5.7)
-	OS_DEFINES += -DSOLARIS2_7
-endif
-
-OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc 
deleted file mode 100644
--- a/security/coreconf/SunOS5.7_i86pc.mk
+++ /dev/null
@@ -1,18 +0,0 @@
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-SOL_CFLAGS	= -D_SVID_GETTOD
-
-include $(CORE_DEPTH)/coreconf/SunOS5.mk
-
-CPU_ARCH		= x86
-ARCHFLAG		=
-OS_DEFINES		+= -Di386
-
-ifeq ($(OS_RELEASE),5.7_i86pc)
-	OS_DEFINES += -DSOLARIS2_7
-endif
-
-OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc
--- a/security/coreconf/SunOS5.8.mk
+++ b/security/coreconf/SunOS5.8.mk
@@ -1,14 +1,12 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-SOL_CFLAGS += -D_SVID_GETTOD
-
 include $(CORE_DEPTH)/coreconf/SunOS5.mk
 
 ifeq ($(OS_RELEASE),5.8)
 	OS_DEFINES += -DSOLARIS2_8
 endif
 
 OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc 
--- a/security/coreconf/SunOS5.8_i86pc.mk
+++ b/security/coreconf/SunOS5.8_i86pc.mk
@@ -1,15 +1,13 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-SOL_CFLAGS	= -D_SVID_GETTOD
-
 include $(CORE_DEPTH)/coreconf/SunOS5.mk
 
 CPU_ARCH		= x86
 ARCHFLAG		=
 OS_DEFINES		+= -Di386
 
 ifeq ($(OS_RELEASE),5.8_i86pc)
 	OS_DEFINES += -DSOLARIS2_8
--- a/security/coreconf/SunOS5.9.mk
+++ b/security/coreconf/SunOS5.9.mk
@@ -1,14 +1,12 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-SOL_CFLAGS += -D_SVID_GETTOD
-
 include $(CORE_DEPTH)/coreconf/SunOS5.mk
 
 ifeq ($(OS_RELEASE),5.9)
 	OS_DEFINES += -DSOLARIS2_9
 endif
 
 OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc 
--- a/security/coreconf/SunOS5.9_i86pc.mk
+++ b/security/coreconf/SunOS5.9_i86pc.mk
@@ -1,15 +1,13 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-SOL_CFLAGS	= -D_SVID_GETTOD
-
 include $(CORE_DEPTH)/coreconf/SunOS5.mk
 
 CPU_ARCH		= x86
 ARCHFLAG		=
 OS_DEFINES		+= -Di386
 
 ifeq ($(OS_RELEASE),5.9_i86pc)
 	OS_DEFINES += -DSOLARIS2_9
--- a/security/coreconf/SunOS5.mk
+++ b/security/coreconf/SunOS5.mk
@@ -58,18 +58,16 @@ else
 		OPTIMIZER = -xO4
 	endif
 	ifdef USE_TCOV
 		CC += -xprofile=tcov
 		CCC += -xprofile=tcov
 	endif
 endif
 
-INCLUDES   += -I/usr/dt/include -I/usr/openwin/include
-
 RANLIB      = echo
 CPU_ARCH    = sparc
 OS_DEFINES += -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS -D_REENTRANT
 
 # Purify doesn't like -MDupdate
 NOMD_OS_CFLAGS += $(DSO_CFLAGS) $(OS_DEFINES) $(SOL_CFLAGS)
 
 MKSHLIB  = $(CC) $(DSO_LDOPTS) $(RPATH)
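Review bot: the context line `NOMD_OS_CFLAGS += $(DSO_CFLAGS) $(OS_DEFINES) $(SOL_CFLAGS)` still references SOL_CFLAGS, yet every assignment to it is removed by the other SunOS5.*.mk hunks in this changeset, so it now always expands to nothing; drop the reference, or keep it as a documented `SOL_CFLAGS ?=` override hook, so the leftover does not mislead the next maintainer. Dropping `-I/usr/dt/include -I/usr/openwin/include` is fine provided nothing under security/ still includes CDE or OpenWindows headers.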
--- a/security/coreconf/arch.mk
+++ b/security/coreconf/arch.mk
@@ -244,16 +244,27 @@ ifeq (MINGW32_NT,$(findstring MINGW32_NT
 	# MSYS's uname -m returns "i686" on a Pentium Pro machine.
 	#
 	ifneq (,$(findstring 86,$(CPU_ARCH)))
 	    CPU_ARCH = x386
 	endif
     endif
 endif
 
+ifeq ($(OS_TARGET),Android)
+#
+# this should be  configurable from the user
+#
+   OS_TEST := arm
+   OS_ARCH = Android
+   ifndef OS_TARGET_RELEASE
+	OS_TARGET_RELEASE := 8
+   endif
+endif
+
 ifndef OS_TARGET
     OS_TARGET = $(OS_ARCH)
 endif
 
 ifeq ($(OS_TARGET), WIN95)
     OS_RELEASE = 4.0
 endif
 
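Review bot: `OS_TEST := arm` is hard-coded while the comment above it says it "should be configurable from the user"; because arch.mk already sets OS_TEST from uname earlier, a `?=` would not help, so either introduce a dedicated override variable or make the comment state that only ARM (the `$(OS_TEST)-linux-androideabi` prefix consumed by Linux.mk) is supported today. Fix the double space in `this should be  configurable`, and document that `OS_TARGET_RELEASE := 8` is the Android platform API level used to pick the sysroot.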
--- a/security/coreconf/config.mk
+++ b/security/coreconf/config.mk
@@ -26,17 +26,17 @@ endif
 #       (dependent upon <architecture> tags)                          #
 #                                                                     #
 #       We are moving towards just having a $(OS_TARGET).mk file      #
 #       as opposed to multiple $(OS_TARGET)$(OS_RELEASE).mk files,    #
 #       one for each OS release.                                      #
 #######################################################################
 
 TARGET_OSES = FreeBSD BSD_OS NetBSD OpenUNIX OS2 QNX Darwin BeOS OpenBSD \
-              AIX RISCOS WINNT WIN95 Linux
+              AIX RISCOS WINNT WIN95 Linux Android
 
 ifeq (,$(filter-out $(TARGET_OSES),$(OS_TARGET)))
 include $(CORE_DEPTH)/coreconf/$(OS_TARGET).mk
 else
 include $(CORE_DEPTH)/coreconf/$(OS_TARGET)$(OS_RELEASE).mk
 endif
 
 #######################################################################
--- a/security/coreconf/coreconf.dep
+++ b/security/coreconf/coreconf.dep
@@ -5,9 +5,8 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
-
--- a/security/nss/Makefile
+++ b/security/nss/Makefile
@@ -56,16 +56,19 @@ clobber_coreconf:
 
 NSPR_CONFIG_STATUS = $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME)/config.status
 NSPR_CONFIGURE = $(CORE_DEPTH)/../nsprpub/configure
 
 #
 # Translate coreconf build options to NSPR configure options.
 #
 
+ifeq ($(OS_TARGET),Android)
+NSPR_CONFIGURE_OPTS += --with-android-ndk=$(ANDROID_NDK) --target=arm-linux-androideabi --with-android-version=$(OS_TARGET_RELEASE)
+endif
 ifdef BUILD_OPT
 NSPR_CONFIGURE_OPTS += --disable-debug --enable-optimize
 endif
 ifdef USE_64
 NSPR_CONFIGURE_OPTS += --enable-64bit
 endif
 ifeq ($(OS_TARGET),WIN95)
 NSPR_CONFIGURE_OPTS += --enable-win32-target=WIN95
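Review bot: `--target=arm-linux-androideabi` duplicates the triple that Linux.mk composes as `$(OS_TEST)-linux-androideabi`; derive it from OS_TEST (or ANDROID_PREFIX) so the NSPR configure line and the NSS compiler selection cannot drift apart once the architecture becomes configurable, as arch.mk's comment intends.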
@@ -145,36 +148,8 @@ else
 endif
 endif
 
 nss_RelEng_bld: build_coreconf import build_dbm all
 
 package:
 	$(MAKE) -C pkg publish
 
-TESTPACKAGE="nss-$(OS_TARGET)$(CPU_TAG).tgz"
-package_for_testing:
-	echo "export OBJDIR=$(OBJDIR_NAME)"     > $(DIST)/platform.cfg
-	echo "export OS_ARCH=$(ANDROID)"       >> $(DIST)/platform.cfg
-	echo "export DLL_PREFIX=$(DLL_PREFIX)" >> $(DIST)/platform.cfg
-	echo "export DLL_SUFFIX=$(DLL_SUFFIX)" >> $(DIST)/platform.cfg
-ifeq ($(OS_TARGET),Android)
-	# Android doesn't support FIPS tests, so don't run them
-	echo "export NSS_TEST_DISABLE_FIPS=1"  >> $(DIST)/platform.cfg
-endif
-	echo 'echo "set HOST and DOMSUF if your system is not registered in DNS"; sleep 5' > $(DIST)/../../runtests.sh
-	echo 'export NSS_TESTS=$(NSS_TESTS)'         >> $(DIST)/../../runtests.sh
-	echo 'export NSS_SSL_TESTS=$(NSS_SSL_TESTS)' >> $(DIST)/../../runtests.sh
-	echo 'export NSS_SSL_RUN=$(NSS_SSL_RUN)'     >> $(DIST)/../../runtests.sh
-	echo 'export NSS_CYCLES=$(NSS_CYCLES)'       >> $(DIST)/../../runtests.sh
-	echo 'export OBJDIR=$(OBJDIR_NAME)'          >> $(DIST)/../../runtests.sh
-	echo 'export USE_64=$(USE_64)'               >> $(DIST)/../../runtests.sh
-	echo 'export BUILD_OPT=$(BUILD_OPT)'         >> $(DIST)/../../runtests.sh
-	echo 'rm -rf test_results'                   >> $(DIST)/../../runtests.sh
-	echo 'echo "running tests"'                  >> $(DIST)/../../runtests.sh
-	echo 'cd security/nss/tests; ./all.sh > ../../../logfile 2>&1 ; cd ../../../' >> $(DIST)/../../runtests.sh
-	echo 'tar czf tests_results.tgz tests_results' >> $(DIST)/../../runtests.sh
-	echo 'echo "created tests_results.tgz"' >> $(DIST)/../../runtests.sh
-	echo 'echo "results are in directory: "`ls -1d tests_results/security/*.1`' >> $(DIST)/../../runtests.sh
-	echo 'echo -n "number of PASSED tests: "; grep -cw PASSED logfile;'  >> $(DIST)/../../runtests.sh
-	echo 'echo -n "number of FAILED tests: "; grep -cw FAILED logfile;'  >> $(DIST)/../../runtests.sh
-	rm -f $(TESTPACKAGE)
-	(cd $(DIST)/../.. ; tar czhf dist/$(TESTPACKAGE) runtests.sh dist/$(OBJDIR_NAME) dist/public security/nss/tests security/nss/cmd/bltest/tests; echo "created "`pwd`"/dist/$(TESTPACKAGE)")
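Review bot: deleting package_for_testing also removes the only place that exported `NSS_TEST_DISABLE_FIPS=1` for Android; since the deleted comment says Android does not support the FIPS tests, confirm the test scripts (tests/common/init.sh is modified in this changeset) skip them for Android some other way. The removed `echo "export OS_ARCH=$(ANDROID)"` line referenced an undefined variable and always wrote an empty value, so nothing functional is lost there.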
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_14_1_RTM
+NSS_3_14_3_RTM
--- a/security/nss/TAG-INFO-CKBI
+++ b/security/nss/TAG-INFO-CKBI
@@ -1,1 +1,1 @@
-NSS_3_14_CKBI_1_93_RTM
+NSS_3_14_3_RTM
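Review bot: TAG-INFO-CKBI moves from the dedicated root-module tag `NSS_3_14_CKBI_1_93_RTM` to the general release tag `NSS_3_14_3_RTM`; confirm this is deliberate and that the built-in root certificate module at that tag is the version meant to ship, since the CKBI series was previously tracked independently of NSS releases.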
--- a/security/nss/cmd/bltest/blapitest.c
+++ b/security/nss/cmd/bltest/blapitest.c
@@ -14,16 +14,17 @@
 #include "plstr.h"
 #include "nssb64.h"
 #include "basicutil.h"
 #include "plgetopt.h"
 #include "softoken.h"
 #include "nspr.h"
 #include "secport.h"
 #include "secoid.h"
+#include "nssutil.h"
 
 #ifdef NSS_ENABLE_ECC
 #include "ecl-curve.h"
 SECStatus EC_DecodeParams(const SECItem *encodedParams, 
 	ECParams **ecparams);
 SECStatus EC_CopyParams(PRArenaPool *arena, ECParams *dstParams,
 	      const ECParams *srcParams);
 #endif
@@ -100,31 +101,33 @@ static void Usage()
     PRINTUSAGE("",	"-o", "file for output buffer");
     PRINTUSAGE("",	"-k", "file which contains key");
     PRINTUSAGE("",	"-v", "file which contains initialization vector");
     PRINTUSAGE("",	"-b", "size of input buffer");
     PRINTUSAGE("",	"-g", "key size (in bytes)");
     PRINTUSAGE("",	"-p", "do performance test");
     PRINTUSAGE("",	"-4", "run test in multithread mode. th_num number of parallel threads");
     PRINTUSAGE("",	"-5", "run test for specified time interval(in seconds)");
+    PRINTUSAGE("",	"--aad", "File with contains additional auth data");
     PRINTUSAGE("(rsa)", "-e", "rsa public exponent");
     PRINTUSAGE("(rc5)", "-r", "number of rounds");
     PRINTUSAGE("(rc5)", "-w", "wordsize (32 or 64)");
     fprintf(stderr, "\n");
     PRINTUSAGE(progName, "-D -m mode", "Decrypt a buffer");
     PRINTUSAGE("",	"", "[-i plaintext] [-o ciphertext] [-k key] [-v iv]");
     PRINTUSAGE("",	"", "[-p repetitions | -5 time_interval] [-4 th_num]");
     PRINTUSAGE("",	"-m", "cipher mode to use");
     PRINTUSAGE("",	"-i", "file which contains input buffer");
     PRINTUSAGE("",	"-o", "file for output buffer");
     PRINTUSAGE("",	"-k", "file which contains key");
     PRINTUSAGE("",	"-v", "file which contains initialization vector");
     PRINTUSAGE("",	"-p", "do performance test");
     PRINTUSAGE("",	"-4", "run test in multithread mode. th_num number of parallel threads");
     PRINTUSAGE("",	"-5", "run test for specified time interval(in seconds)");
+    PRINTUSAGE("",	"--aad", "File with contains additional auth data");
     fprintf(stderr, "\n");
     PRINTUSAGE(progName, "-H -m mode", "Hash a buffer");
     PRINTUSAGE("",	"", "[-i plaintext] [-o hash]");
     PRINTUSAGE("",	"", "[-b bufsize]");
     PRINTUSAGE("",	"", "[-p repetitions | -5 time_interval] [-4 th_num]");
     PRINTUSAGE("",	"-m", "cipher mode to use");
     PRINTUSAGE("",	"-i", "file which contains input buffer");
     PRINTUSAGE("",	"-o", "file for hash");
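Review bot: both new PRINTUSAGE lines for --aad read "File with contains additional auth data"; that should be "file which contains additional authenticated data", matching the wording of the -k and -v lines. Since the option is only meaningful for aes_gcm, tagging it the way the rsa and rc5 options are tagged, e.g. `PRINTUSAGE("(aes_gcm)", "--aad", ...)`, would tell the user when it applies.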
@@ -636,16 +639,19 @@ typedef enum {
     bltestRC2_CBC,	  /* .			   */
     bltestRC4,		  /* .			   */
 #ifdef NSS_SOFTOKEN_DOES_RC5
     bltestRC5_ECB,	  /* .			   */
     bltestRC5_CBC,	  /* .			   */
 #endif
     bltestAES_ECB,        /* .                     */
     bltestAES_CBC,        /* .                     */
+    bltestAES_CTS,        /* .                     */
+    bltestAES_CTR,        /* .                     */
+    bltestAES_GCM,        /* .                     */
     bltestCAMELLIA_ECB,   /* .                     */
     bltestCAMELLIA_CBC,   /* .                     */
     bltestSEED_ECB,       /* SEED algorithm	   */
     bltestSEED_CBC,       /* SEED algorithm	   */
     bltestRSA,		  /* Public Key Ciphers	   */
 #ifdef NSS_ENABLE_ECC
     bltestECDSA,	  /* . (Public Key Sig.)   */
 #endif
@@ -670,16 +676,19 @@ static char *mode_strings[] =
     "rc2_cbc",
     "rc4",
 #ifdef NSS_SOFTOKEN_DOES_RC5
     "rc5_ecb",
     "rc5_cbc",
 #endif
     "aes_ecb",
     "aes_cbc",
+    "aes_cts",
+    "aes_ctr",
+    "aes_gcm",
     "camellia_ecb",
     "camellia_cbc",
     "seed_ecb",
     "seed_cbc",
     "rsa",
 #ifdef NSS_ENABLE_ECC
     "ecdsa",
 #endif
@@ -697,16 +706,22 @@ static char *mode_strings[] =
 typedef struct
 {
     bltestIO key;
     bltestIO iv;
 } bltestSymmKeyParams;
 
 typedef struct
 {
+    bltestSymmKeyParams sk; /* must be first */
+    bltestIO aad;
+} bltestAuthSymmKeyParams;
+
+typedef struct
+{
     bltestIO key;
     bltestIO iv;
     int	     rounds;
     int	     wordsize;
 } bltestRC5Params;
 
 typedef struct
 {
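Review bot: the "must be first" comment on bltestAuthSymmKeyParams.sk should state why: params.sk and params.ask alias through the bltestParams union, so code that reads params.sk for a GCM cipher (key and iv) relies on bltestSymmKeyParams sitting at offset 0 of bltestAuthSymmKeyParams. Spelling out that dependency in the comment protects whoever reorders the struct later.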
@@ -743,16 +758,17 @@ typedef struct
     bltestIO   key; /* unused */
     PRBool     restart;
 } bltestHashParams;
 
 typedef union
 {
     bltestIO		key;
     bltestSymmKeyParams sk;
+    bltestAuthSymmKeyParams ask;
     bltestRC5Params	rc5;
     bltestRSAParams	rsa;
     bltestDSAParams	dsa;
 #ifdef NSS_ENABLE_ECC
     bltestECDSAParams	ecdsa;
 #endif
     bltestHashParams	hash;
 } bltestParams;
@@ -796,16 +812,37 @@ is_symmkeyCipher(bltestCipherMode mode)
 {
     /* change as needed! */
     if (mode >= bltestDES_ECB && mode <= bltestSEED_CBC)
 	return PR_TRUE;
     return PR_FALSE;
 }
 
 PRBool
+is_authCipher(bltestCipherMode mode)
+{
+    /* change as needed! */
+    if (mode == bltestAES_GCM)
+	return PR_TRUE;
+    return PR_FALSE;
+}
+
+
+PRBool
+is_singleShotCipher(bltestCipherMode mode)
+{
+    /* change as needed! */
+    if (mode == bltestAES_GCM)
+	return PR_TRUE;
+    if (mode == bltestAES_CTS)
+	return PR_TRUE;
+    return PR_FALSE;
+}
+
+PRBool
 is_pubkeyCipher(bltestCipherMode mode)
 {
     /* change as needed! */
     if (mode >= bltestRSA && mode <= bltestDSA)
 	return PR_TRUE;
     return PR_FALSE;
 }
 
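Review bot: there is a doubled blank line between is_authCipher and is_singleShotCipher, while the rest of the file separates functions with a single one. The "change as needed!" comments copied from the neighbouring predicates also say nothing about what makes AES-GCM and AES-CTS single-shot; a one-line comment on each would make the predicate self-explanatory to the next person adding a mode.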
@@ -833,20 +870,21 @@ is_sigCipher(bltestCipherMode mode)
 
 PRBool
 cipher_requires_IV(bltestCipherMode mode)
 {
     /* change as needed! */
     if (mode == bltestDES_CBC || mode == bltestDES_EDE_CBC ||
 	mode == bltestRC2_CBC || 
 #ifdef NSS_SOFTOKEN_DOES_RC5
-        mode == bltestRC5_CBC     ||
+	mode == bltestRC5_CBC ||
 #endif
-        mode == bltestAES_CBC || mode == bltestCAMELLIA_CBC||
-	mode == bltestSEED_CBC)
+	mode == bltestAES_CBC || mode == bltestAES_CTS || 
+	mode == bltestAES_CTR || mode == bltestAES_GCM ||
+	mode == bltestCAMELLIA_CBC || mode == bltestSEED_CBC)
 	return PR_TRUE;
     return PR_FALSE;
 }
 
 SECStatus finishIO(bltestIO *output, PRFileDesc *file);
 
 SECStatus
 setupIO(PRArenaPool *arena, bltestIO *input, PRFileDesc *file,
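Review bot: the new line `mode == bltestAES_CBC || mode == bltestAES_CTS || ` ends with trailing whitespace, and the RC5 line is reindented from spaces to a tab without any change in content. Dropping the trailing space and leaving the RC5 line untouched keeps the hunk to its functional change, adding CTS, CTR and GCM to the IV-requiring modes.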
@@ -877,19 +915,29 @@ setupIO(PRArenaPool *arena, bltestIO *in
 	RNG_GenerateGlobalRandomBytes(input->buf.data, numBytes);
 	return finishIO(input, file);
     } else {
 	return SECFailure;
     }
 
     switch (input->mode) {
     case bltestBase64Encoded:
+	if (in->len == 0) {
+	    input->buf.data = NULL;
+	    input->buf.len = 0;
+	    break;
+	}
 	rv = atob(in, &input->buf, arena);
 	break;
     case bltestBinary:
+	if (in->len == 0) {
+	    input->buf.data = NULL;
+	    input->buf.len = 0;
+	    break;
+	}
 	if (in->data[in->len-1] == '\n') --in->len;
 	if (in->data[in->len-1] == '\r') --in->len;
 	SECITEM_CopyItem(arena, &input->buf, in);
 	break;
     case bltestHexSpaceDelim:
 	SECITEM_AllocItem(arena, &input->buf, in->len/5);
 	for (i=0, j=0; i<in->len; i+=5, j++) {
 	    tok = &in->data[i];
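Review bot: the new `in->len == 0` guards in the bltestBase64Encoded and bltestBinary cases stop `in->data[in->len-1]` from indexing before the buffer on empty input, but the bltestBinary case can still reach length 0 one line later: a one-byte input of "\n" is trimmed to len 0 and the following `if (in->data[in->len-1] == '\r')` then reads data[-1]. Guarding both trims with `in->len > 0` closes that path. Setting buf.data to NULL for empty input also means every later consumer must tolerate a NULL pointer with len 0 (bltest_aes_init, for instance, passes it to PORT_Memcpy with a length of 0), which is worth a comment at the assignment.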
@@ -1289,39 +1337,63 @@ bltest_rc5_init(bltestCipherInfo *cipher
     return SECFailure;
 #endif
 }
 
 SECStatus
 bltest_aes_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
 {
     bltestSymmKeyParams *aesp = &cipherInfo->params.sk;
+    bltestAuthSymmKeyParams *gcmp = &cipherInfo->params.ask;
     int minorMode;
     int i;
     int keylen   = aesp->key.buf.len;
     int blocklen = AES_BLOCK_SIZE; 
     PRIntervalTime time1, time2;
-
+    unsigned char *params;
+    int len;
+    CK_AES_CTR_PARAMS ctrParams;
+    CK_GCM_PARAMS gcmParams;
+
+    params = aesp->iv.buf.data;
     switch (cipherInfo->mode) {
     case bltestAES_ECB:	    minorMode = NSS_AES;	  break;
     case bltestAES_CBC:	    minorMode = NSS_AES_CBC;	  break;
+    case bltestAES_CTS:	    minorMode = NSS_AES_CTS;	  break;
+    case bltestAES_CTR:	    
+	minorMode = NSS_AES_CTR;
+	ctrParams.ulCounterBits = 32;
+	len = PR_MIN(aesp->iv.buf.len, blocklen);
+	PORT_Memset(ctrParams.cb, 0, blocklen);
+	PORT_Memcpy(ctrParams.cb, aesp->iv.buf.data, len);
+	params = (unsigned char *)&ctrParams;
+	break;
+    case bltestAES_GCM:
+	minorMode = NSS_AES_GCM;
+	gcmParams.pIv = gcmp->sk.iv.buf.data;
+	gcmParams.ulIvLen = gcmp->sk.iv.buf.len;
+	gcmParams.pAAD = gcmp->aad.buf.data;
+	gcmParams.ulAADLen = gcmp->aad.buf.len;
+	gcmParams.ulTagBits = blocklen*8;
+	params = (unsigned char *)&gcmParams;
+	break;
     default:
 	return SECFailure;
     }
     cipherInfo->cx = (void*)AES_CreateContext(aesp->key.buf.data,
-					      aesp->iv.buf.data,
+					      params,
 					      minorMode, encrypt, 
                                               keylen, blocklen);
     if (cipherInfo->cxreps > 0) {
 	AESContext **dummycx;
 	dummycx = PORT_Alloc(cipherInfo->cxreps * sizeof(AESContext *));
 	TIMESTART();
 	for (i=0; i<cipherInfo->cxreps; i++) {
 	    dummycx[i] = (void*)AES_CreateContext(aesp->key.buf.data,
-					          aesp->iv.buf.data,
+					          params,
 					          minorMode, encrypt,
 	                                          keylen, blocklen);
 	}
 	TIMEFINISH(cipherInfo->cxtime, 1.0);
 	for (i=0; i<cipherInfo->cxreps; i++) {
 	    AES_DestroyContext(dummycx[i], PR_TRUE);
 	}
 	PORT_Free(dummycx);
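Review bot: ctrParams and gcmParams are stack locals in bltest_aes_init whose addresses are handed to AES_CreateContext through `params`, both for the real context and for every context in the cxreps timing loop; that is only safe if AES_CreateContext copies what it needs out of the params before returning, and a comment stating that assumption would help. Two smaller points: the CTR branch zero-fills ctrParams.cb and copies only PR_MIN(iv.len, blocklen) bytes, so a short IV is padded with zeros at the low-order end of cb, which is exactly where the 32-bit counter (ulCounterBits = 32) lives, and that behaviour deserves a note; and `gcmParams.ulTagBits = blocklen*8` has to agree with the literal 16 that cipherInit adds to the output length for GCM encryption, so the two should share one constant.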
@@ -1980,16 +2052,17 @@ pubkeyInitKey(bltestCipherInfo *cipherIn
     }
     return SECSuccess;
 }
 
 SECStatus
 cipherInit(bltestCipherInfo *cipherInfo, PRBool encrypt)
 {
     PRBool restart;
+    int outlen;
     switch (cipherInfo->mode) {
     case bltestDES_ECB:
     case bltestDES_CBC:
     case bltestDES_EDE_ECB:
     case bltestDES_EDE_CBC:
 	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
 			  cipherInfo->input.pBuf.len);
 	return bltest_des_init(cipherInfo, encrypt);
@@ -2010,18 +2083,24 @@ cipherInit(bltestCipherInfo *cipherInfo,
     case bltestRC5_CBC:
 	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
 			  cipherInfo->input.pBuf.len);
 #endif
 	return bltest_rc5_init(cipherInfo, encrypt);
 	break;
     case bltestAES_ECB:
     case bltestAES_CBC:
-	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
-			  cipherInfo->input.pBuf.len);
+    case bltestAES_CTS:
+    case bltestAES_CTR:
+    case bltestAES_GCM:
+	outlen = cipherInfo->input.pBuf.len;
+	if (cipherInfo->mode == bltestAES_GCM && encrypt) {
+	    outlen += 16;
+	}
+	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf, outlen);
 	return bltest_aes_init(cipherInfo, encrypt);
 	break;
     case bltestCAMELLIA_ECB:
     case bltestCAMELLIA_CBC:
 	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
 			  cipherInfo->input.pBuf.len);
 	return bltest_camellia_init(cipherInfo, encrypt);
 	break;
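Review bot: `outlen += 16` for `cipherInfo->mode == bltestAES_GCM && encrypt` is a magic number that must match `gcmParams.ulTagBits = blocklen*8` in bltest_aes_init; using AES_BLOCK_SIZE, or a shared tag-length define, keeps the two from drifting apart. A one-line comment that the buffer is over-allocated by the tag length on decryption would also help, since cipherDoOp now sets output.pBuf.len from the actual number of bytes produced rather than from the allocation.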
@@ -2362,34 +2441,40 @@ cipherDoOp(bltestCipherInfo *cipherInfo)
 	return dsaOp(cipherInfo);
 #ifdef NSS_ENABLE_ECC
     else if (cipherInfo->mode == bltestECDSA)
 	return ecdsaOp(cipherInfo);
 #endif
     dummyOut = PORT_Alloc(maxLen);
     if (is_symmkeyCipher(cipherInfo->mode)) {
         const unsigned char *input = cipherInfo->input.pBuf.data;
-        unsigned int inputLen = PR_MIN(cipherInfo->input.pBuf.len, 16);
+        unsigned int inputLen = is_singleShotCipher(cipherInfo->mode) ?
+                 cipherInfo->input.pBuf.len :
+                 PR_MIN(cipherInfo->input.pBuf.len, 16);
         unsigned char *output = cipherInfo->output.pBuf.data;
         unsigned int outputLen = maxLen;
+        unsigned int totalOutputLen = 0;
         TIMESTART();
         rv = (*cipherInfo->cipher.symmkeyCipher)(cipherInfo->cx,
                                                  output, &len, outputLen,
                                                  input, inputLen);
         CHECKERROR(rv, __LINE__);
+        totalOutputLen += len;
         if (cipherInfo->input.pBuf.len > inputLen) {
             input += inputLen;
             inputLen = cipherInfo->input.pBuf.len - inputLen;
             output += len;
             outputLen -= len;
             rv = (*cipherInfo->cipher.symmkeyCipher)(cipherInfo->cx,
                                                      output, &len, outputLen,
                                                      input, inputLen);
             CHECKERROR(rv, __LINE__);
+	    totalOutputLen += len;
         }
+	cipherInfo->output.pBuf.len = totalOutputLen;
         TIMEFINISH(cipherInfo->optime, 1.0);
         cipherInfo->repetitions = 0;
         if (cipherInfo->repetitionsToPerfom != 0) {
             TIMESTART();
             for (i=0; i<cipherInfo->repetitionsToPerfom; i++,
                      cipherInfo->repetitions++) {
                 (*cipherInfo->cipher.symmkeyCipher)(cipherInfo->cx, dummyOut,
                                                     &len, maxLen,
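Review bot: the second `totalOutputLen += len;` and the `cipherInfo->output.pBuf.len = totalOutputLen;` line are indented with tabs while the surrounding block uses spaces; please match the block. The single-shot handling itself reads correctly: is_singleShotCipher modes receive the whole input in one call, so the `if (cipherInfo->input.pBuf.len > inputLen)` second pass is skipped for them and totalOutputLen records the real output size, tag included for GCM encryption.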
@@ -2485,25 +2570,30 @@ cipherDoOp(bltestCipherInfo *cipherInfo)
     }
     PORT_Free(dummyOut);
     return rv;
 }
 
 SECStatus
 cipherFinish(bltestCipherInfo *cipherInfo)
 {
+    SECStatus rv = SECSuccess;
+
     switch (cipherInfo->mode) {
     case bltestDES_ECB:
     case bltestDES_CBC:
     case bltestDES_EDE_ECB:
     case bltestDES_EDE_CBC:
 	DES_DestroyContext((DESContext *)cipherInfo->cx, PR_TRUE);
 	break;
+    case bltestAES_GCM:
     case bltestAES_ECB:
     case bltestAES_CBC:
+    case bltestAES_CTS:
+    case bltestAES_CTR:
 	AES_DestroyContext((AESContext *)cipherInfo->cx, PR_TRUE);
 	break;
     case bltestCAMELLIA_ECB:
     case bltestCAMELLIA_CBC:
 	Camellia_DestroyContext((CamelliaContext *)cipherInfo->cx, PR_TRUE);
 	break;
     case bltestSEED_ECB:
     case bltestSEED_CBC:
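Review bot: `SECStatus rv = SECSuccess;` in cipherFinish is never assigned again in this patch, and the hash cases still return early, so the `return rv;` that replaces `return SECSuccess;` at the end of the function changes nothing; either drop rv or have the Destroy cases propagate a status into it. Also, the new `case bltestAES_GCM:` is placed above bltestAES_ECB while CTS and CTR are added below CBC; listing all four in enum order (ECB, CBC, CTS, CTR, GCM), as the other switches in this patch do, reads better.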
@@ -2534,17 +2624,17 @@ cipherFinish(bltestCipherInfo *cipherInf
     case bltestSHA256:
     case bltestSHA384:
     case bltestSHA512:
 	return SECSuccess;
 	break;
     default:
 	return SECFailure;
     }
-    return SECSuccess;
+    return rv;
 }
 
 void
 print_exponent(SECItem *exp)
 {
     int i;
     int e = 0;
     if (exp->len <= 4) {
@@ -2653,16 +2743,19 @@ dump_performance_info(bltestCipherInfo *
 print_td:
     switch (info->mode) {
       case bltestDES_ECB:
       case bltestDES_CBC:
       case bltestDES_EDE_ECB:
       case bltestDES_EDE_CBC:
       case bltestAES_ECB:
       case bltestAES_CBC:
+      case bltestAES_CTS:
+      case bltestAES_CTR:
+      case bltestAES_GCM:
       case bltestCAMELLIA_ECB:
       case bltestCAMELLIA_CBC:
       case bltestSEED_ECB:
       case bltestSEED_CBC:
       case bltestRC2_ECB:
       case bltestRC2_CBC:
       case bltestRC4:
           if (td)
@@ -2795,20 +2888,25 @@ get_params(PRArenaPool *arena, bltestPar
     char filename[256];
     char *modestr = mode_strings[mode];
 #ifdef NSS_SOFTOKEN_DOES_RC5
     FILE *file;
     char *mark, *param, *val;
     int index = 0;
 #endif
     switch (mode) {
+    case bltestAES_GCM:
+	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "aad", j);
+	load_file_data(arena, &params->ask.aad, filename, bltestBinary);
     case bltestDES_CBC:
     case bltestDES_EDE_CBC:
     case bltestRC2_CBC:
     case bltestAES_CBC:
+    case bltestAES_CTS:
+    case bltestAES_CTR:
     case bltestCAMELLIA_CBC:
     case bltestSEED_CBC: 
 	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "iv", j);
 	load_file_data(arena, &params->sk.iv, filename, bltestBinary);
     case bltestDES_ECB:
     case bltestDES_EDE_ECB:
     case bltestRC2_ECB:
     case bltestRC4:
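Review bot: the new `case bltestAES_GCM:` in get_params loads the aad file and then falls through into the IV-loading cases and from there into the ECB/key cases; that is evidently intended, but it is the first case in this switch that does real work before dropping through two levels, so it needs a `/* fall through */` comment. Since the hunk adds another sprintf into the fixed `char filename[256]`, writing the new line as `snprintf(filename, sizeof filename, ...)` would be a cheap hardening even though the existing calls use sprintf.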
@@ -3018,16 +3116,17 @@ blapi_selftest(bltestCipherMode *modes, 
 	                   ((mode == bltestDSA) || (mode == bltestECDSA))
 #else
 	                   (mode == bltestDSA)
 #endif
 	                   ? bltestBase64Encoded : bltestBinary);
 	    sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr,
 			      "ciphertext", j);
 	    load_file_data(arena, &ct, filename, bltestBase64Encoded);
+
 #ifdef TRACK_BLTEST_BUG
 	    if (mode == bltestRSA) {
 		fprintf(stderr, "[%s] Loaded data for  self-test #%d\n", __bltDBG, j);
 	    }
 #endif
 	    get_params(arena, params, mode, j);
 #ifdef TRACK_BLTEST_BUG
 	    if (mode == bltestRSA) {
@@ -3403,16 +3502,17 @@ enum {
     opt_Seed,
     opt_SigSeedFile,
     opt_CXReps,
     opt_IV,
     opt_WordSize,
     opt_UseSeed,
     opt_UseSigSeed,
     opt_SeedFile,
+    opt_AAD,
     opt_InputOffset,
     opt_OutputOffset,
     opt_MonteCarlo,
     opt_ThreadNum,
     opt_SecondsToRun,
     opt_CmdLine
 };
 
@@ -3455,16 +3555,17 @@ static secuCommandFlag bltest_options[] 
     { /* opt_Seed	  */ 's', PR_TRUE,  0, PR_FALSE },
     { /* opt_SigSeedFile  */ 't', PR_TRUE,  0, PR_FALSE },
     { /* opt_CXReps       */ 'u', PR_TRUE,  0, PR_FALSE },
     { /* opt_IV		  */ 'v', PR_TRUE,  0, PR_FALSE },
     { /* opt_WordSize	  */ 'w', PR_TRUE,  0, PR_FALSE },
     { /* opt_UseSeed	  */ 'x', PR_FALSE, 0, PR_FALSE },
     { /* opt_UseSigSeed	  */ 'y', PR_FALSE, 0, PR_FALSE },
     { /* opt_SeedFile	  */ 'z', PR_FALSE, 0, PR_FALSE },
+    { /* opt_AAD	  */  0 , PR_TRUE,  0, PR_FALSE, "aad" },
     { /* opt_InputOffset  */ '1', PR_TRUE,  0, PR_FALSE },
     { /* opt_OutputOffset */ '2', PR_TRUE,  0, PR_FALSE },
     { /* opt_MonteCarlo   */ '3', PR_FALSE, 0, PR_FALSE },
     { /* opt_ThreadNum    */ '4', PR_TRUE,  0, PR_FALSE },
     { /* opt_SecondsToRun */ '5', PR_TRUE,  0, PR_FALSE },
     { /* opt_CmdLine	  */ '-', PR_FALSE, 0, PR_FALSE }
 };
 
@@ -3492,32 +3593,38 @@ int main(int argc, char **argv)
     bltest.commands = bltest_commands;
     bltest.options = bltest_options;
 
     progName = strrchr(argv[0], '/');
     if (!progName) 
 	progName = strrchr(argv[0], '\\');
     progName = progName ? progName+1 : argv[0];
 
+    rv = NSS_InitializePRErrorTable();
+    if (rv != SECSuccess) {
+	SECU_PrintPRandOSError(progName);
+	return -1;
+    }
     rv = RNG_RNGInit();
     if (rv != SECSuccess) {
-    	SECU_PrintPRandOSError(progName);
+	SECU_PrintPRandOSError(progName);
 	return -1;
     }
     rv = BL_Init();
     if (rv != SECSuccess) {
-    	SECU_PrintPRandOSError(progName);
+	SECU_PrintPRandOSError(progName);
 	return -1;
     }
     RNG_SystemInfoForRNG();
 
+
     rv = SECU_ParseCommandLine(argc, argv, progName, &bltest);
     if (rv == SECFailure) {
-        fprintf(stderr, "%s: command line parsing error!\n", progName);
-        goto print_usage;
+	fprintf(stderr, "%s: command line parsing error!\n", progName);
+	goto print_usage;
     }
     rv = SECFailure;
 
     cipherInfo = PORT_ZNew(bltestCipherInfo);
     cipherInfoListHead = cipherInfo;
     /* set some defaults */
     infileName = outfileName = keyfileName = ivfileName = NULL;
 
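Review bot: the functional change in this hunk is the NSS_InitializePRErrorTable() call ahead of RNG_RNGInit(); the other changed lines (the two SECU_PrintPRandOSError lines and the fprintf/goto pair) are reindented from spaces to tabs with no change in content, and a second blank line is added after RNG_SystemInfoForRNG(). Keeping whitespace-only edits out of a functional hunk makes the history easier to read and blame.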
@@ -3827,16 +3934,40 @@ int main(int argc, char **argv)
             }
             memset(&skp->iv, 0, sizeof skp->iv);
             skp->iv.mode = ioMode;
             setupIO(cipherInfo->arena, &skp->iv, file, ivstr, keysize);
             if (file) {
                 PR_Close(file);
             }
         }
+
+        /* set up an initialization vector. */
+        if (is_authCipher(cipherInfo->mode)) {
+            char *aadstr = NULL;
+            bltestAuthSymmKeyParams *askp;
+            file = NULL;
+            askp = &params->ask;
+            if (bltest.options[opt_AAD].activated) {
+                if (bltest.options[opt_CmdLine].activated) {
+                    aadstr = bltest.options[opt_AAD].arg;
+                } else {
+                    file = PR_Open(bltest.options[opt_AAD].arg,
+                                   PR_RDONLY, 00660);
+                }
+            } else {
+                file = NULL;
+            }
+            memset(&askp->aad, 0, sizeof askp->aad);
+            askp->aad.mode = ioMode;
+            setupIO(cipherInfo->arena, &askp->aad, file, aadstr, 0);
+            if (file) {
+                PR_Close(file);
+            }
+        }
         
         if (bltest.commands[cmd_Verify].activated) {
             file = PR_Open(bltest.options[opt_SigFile].arg, PR_RDONLY, 00660);
             if (cipherInfo->mode == bltestDSA) {
                 memset(&cipherInfo->params.dsa.sig, 0, sizeof(bltestIO));
                 cipherInfo->params.dsa.sig.mode = ioMode;
                 setupIO(cipherInfo->arena, &cipherInfo->params.dsa.sig,
                         file, NULL, 0);
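Review bot: the comment `/* set up an initialization vector. */` above the is_authCipher block is copied from the IV block just before it; this block sets up the additional authenticated data, so the comment should say so. `file = NULL;` is also assigned twice, once before the `if (bltest.options[opt_AAD].activated)` and again in its else branch, so the else can go. Finally, the trailing 0 passed to setupIO plays the role the IV code gives keysize; a short comment on that argument would save the reader a lookup.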
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_ctr/aes_ctr_0.txt
@@ -0,0 +1,28 @@
+Test="F.5.1 CTR-AES128.Encrypt"
+Type=Encrypt
+Key=2b7e151628aed2a6abf7158809cf4f3c
+Init. Counter=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+Block #1={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+Output Block=ec8cdf7398607cb0f2d21675ea9ea1e4
+Plaintext=6bc1bee22e409f96e93d7e117393172a
+Ciphertext=874d6191b620e3261bef6864990db6ce
+}
+Block #2={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff00
+Output Block=362b7c3c6773516318a077d7fc5073ae
+Plaintext=ae2d8a571e03ac9c9eb76fac45af8e51
+Ciphertext=9806f66b7970fdff8617187bb9fffdff
+}
+Block #3={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff01
+Output Block=6a2cc3787889374fbeb4c81b17ba6c44
+Plaintext=30c81c46a35ce411e5fbc1191a0a52ef
+Ciphertext=5ae4df3edbd5d35e5b4f09020db03eab
+}
+Block #4={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff02
+Output Block=e89c399ff0f198c6d40a31db156cabfe
+Plaintext=f69f2445df4f9b17ad2b417be66c3710
+Ciphertext=1e031dda2fbe03d1792170a0f3009cee
+}
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_ctr/aes_ctr_1.txt
@@ -0,0 +1,28 @@
+Test="F.5.3 CTR-AES192.Encrypt"
+Type=Encrypt
+Key=8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b
+Init. Counter=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff 
+Block #1={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff 
+Output Block=717d2dc639128334a6167a488ded7921 
+Plaintext=6bc1bee22e409f96e93d7e117393172a 
+Ciphertext=1abc932417521ca24f2b0459fe7e6e0b
+}
+Block #2={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 
+Output Block=a72eb3bb14a556734b7bad6ab16100c5 
+Plaintext=ae2d8a571e03ac9c9eb76fac45af8e51 
+Ciphertext=090339ec0aa6faefd5ccc2c6f4ce8e94
+}
+Block #3={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 
+Output Block=2efeae2d72b722613446dc7f4c2af918 
+Plaintext=30c81c46a35ce411e5fbc1191a0a52ef 
+Ciphertext=1e36b26bd1ebc670d1bd1d665620abf7
+}
+Block #4={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff02 
+Output Block=b9e783b30dd7924ff7bc9b97beaa8740 
+Plaintext=f69f2445df4f9b17ad2b417be66c3710 
+Ciphertext=4f78a7f6d29809585a97daec58c6b050
+}
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_ctr/aes_ctr_2.txt
@@ -0,0 +1,28 @@
+Test="F.5.5 CTR-AES256.Encrypt"
+Type=Encrypt
+Key=603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4
+Init. Counter=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+Block #1={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+Output Block=0bdf7df1591716335e9a8b15c860c502
+Plaintext=6bc1bee22e409f96e93d7e117393172a
+Ciphertext=601ec313775789a5b7a7f504bbf3d228
+}
+Block #2={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff00
+Output Block=5a6e699d536119065433863c8f657b94
+Plaintext=ae2d8a571e03ac9c9eb76fac45af8e51
+Ciphertext=f443e3ca4d62b59aca84e990cacaf5c5
+}
+Block #3={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff01
+Output Block=1bc12c9c01610d5d0d8bd6a3378eca62
+Plaintext=30c81c46a35ce411e5fbc1191a0a52ef
+Ciphertext=2b0930daa23de94ce87017ba2d84988d
+}
+Block #4={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff02
+Output Block=2956e1c8693536b1bee99c73a31576b6
+Plaintext=f69f2445df4f9b17ad2b417be66c3710
+Ciphertext=dfc9c58db67aada613c2dd08457941a6
+}
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_ctr/aes_ctr_tests_source.txt
@@ -0,0 +1,199 @@
+#
+# From NIST Special Publication 800-38A; 2001 Edition ;
+# "Recommendation for Block Cipher Modes of Operation: Methods and Techniques"
+# Morris Dworkin
+# Appendix F Example Vectors for Modes of Operation of the AES
+#
+# In this appendix, three examples are provided for each of the modes in this recommendation with
+# the AES algorithm [2] as the underlying block cipher: one example is given for each of the
+# allowed key sizes (128, 192, and 256 bits). Some intermediate results are presented. For the five
+# confidentiality modes, examples are provided for both encryption and decryption. Examples are
+# provided for 1-bit, 8-bit, and 128 bit CFB. The plaintext for all but two of these examples is
+# equivalent to the following string of hexadecimal characters, formatted into four 128 bit blocks:
+#
+#     6bc1bee22e409f96e93d7e117393172a 
+#     ae2d8a571e03ac9c9eb76fac45af8e51 
+#     30c81c46a35ce411e5fbc1191a0a52ef 
+#     f69f2445df4f9b17ad2b417be66c3710. 
+#
+# For the example of 1-bit CFB, the plaintext is the first 16 bits in the above string; for the example
+# of 8-bit CFB, the plaintext is the first 18 octets in the above string. All strings are presented in
+# hexadecimal notation, except in the example of 1-bit CFB, where the plaintext and ciphertext
+# segments are single bits.
+#
+#
+#  F.5 CTR Example Vectors
+
+Test="F.5.1 CTR-AES128.Encrypt"
+Type=Encrypt
+Key=2b7e151628aed2a6abf7158809cf4f3c
+Init. Counter=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+Block #1={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+Output Block=ec8cdf7398607cb0f2d21675ea9ea1e4
+Plaintext=6bc1bee22e409f96e93d7e117393172a
+Ciphertext=874d6191b620e3261bef6864990db6ce
+}
+Block #2={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff00
+Output Block=362b7c3c6773516318a077d7fc5073ae
+Plaintext=ae2d8a571e03ac9c9eb76fac45af8e51
+Ciphertext=9806f66b7970fdff8617187bb9fffdff
+}
+Block #3={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff01
+Output Block=6a2cc3787889374fbeb4c81b17ba6c44
+Plaintext=30c81c46a35ce411e5fbc1191a0a52ef
+Ciphertext=5ae4df3edbd5d35e5b4f09020db03eab
+}
+Block #4={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff02
+Output Block=e89c399ff0f198c6d40a31db156cabfe
+Plaintext=f69f2445df4f9b17ad2b417be66c3710
+Ciphertext=1e031dda2fbe03d1792170a0f3009cee
+}
+
+Test="F.5.2 CTR-AES128.Decrypt"
+Type=Decrypt
+Key=2b7e151628aed2a6abf7158809cf4f3c
+Init. Counter=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+Block #1={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+Output Block=ec8cdf7398607cb0f2d21675ea9ea1e4
+Ciphertext=874d6191b620e3261bef6864990db6ce
+Plaintext=6bc1bee22e409f96e93d7e117393172a
+Block #2={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff00
+Output Block=362b7c3c6773516318a077d7fc5073ae
+Ciphertext=9806f66b7970fdff8617187bb9fffdff
+Plaintext=ae2d8a571e03ac9c9eb76fac45af8e51
+}
+Block #3={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff01
+Output Block=6a2cc3787889374fbeb4c81b17ba6c44
+Ciphertext=5ae4df3edbd5d35e5b4f09020db03eab
+Plaintext=30c81c46a35ce411e5fbc1191a0a52ef
+}
+Block #4={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff02
+Output Block=e89c399ff0f198c6d40a31db156cabfe
+Ciphertext=1e031dda2fbe03d1792170a0f3009cee
+Plaintext=f69f2445df4f9b17ad2b417be66c3710
+}
+
+Test="F.5.3 CTR-AES192.Encrypt"
+Type=Encrypt
+Key=8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b
+Init. Counter=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff 
+Block #1={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff 
+Output Block=717d2dc639128334a6167a488ded7921 
+Plaintext=6bc1bee22e409f96e93d7e117393172a 
+Ciphertext=1abc932417521ca24f2b0459fe7e6e0b
+}
+Block #2={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 
+Output Block=a72eb3bb14a556734b7bad6ab16100c5 
+Plaintext=ae2d8a571e03ac9c9eb76fac45af8e51 
+Ciphertext=090339ec0aa6faefd5ccc2c6f4ce8e94
+}
+Block #3={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 
+Output Block=2efeae2d72b722613446dc7f4c2af918 
+Plaintext=30c81c46a35ce411e5fbc1191a0a52ef 
+Ciphertext=1e36b26bd1ebc670d1bd1d665620abf7
+}
+Block #4={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff02 
+Output Block=b9e783b30dd7924ff7bc9b97beaa8740 
+Plaintext=f69f2445df4f9b17ad2b417be66c3710 
+Ciphertext=4f78a7f6d29809585a97daec58c6b050
+}
+
+Test="F.5.4 CTR-AES192.Decrypt"
+Type="Decrypt"
+Key=8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b
+Init. Counter=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff 
+Block #1={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff 
+Output Block=717d2dc639128334a6167a488ded7921 
+Ciphertext=1abc932417521ca24f2b0459fe7e6e0b
+Plaintext=6bc1bee22e409f96e93d7e117393172a
+} 
+Block #2={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 
+Output Block=a72eb3bb14a556734b7bad6ab16100c5 
+Ciphertext=090339ec0aa6faefd5ccc2c6f4ce8e94
+Plaintext=ae2d8a571e03ac9c9eb76fac45af8e51
+} 
+Block #3 
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 
+Output Block=2efeae2d72b722613446dc7f4c2af918 
+Ciphertext=1e36b26bd1ebc670d1bd1d665620abf7
+Plaintext=30c81c46a35ce411e5fbc1191a0a52ef
+}
+Block #4 
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff02 
+Output Block=b9e783b30dd7924ff7bc9b97beaa8740 
+Ciphertext=4f78a7f6d29809585a97daec58c6b050
+Plaintext=f69f2445df4f9b17ad2b417be66c3710 
+}
+
+Test="F.5.5 CTR-AES256.Encrypt"
+Type=Encrypt
+Key=603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4
+Init. Counter=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+Block #1={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+Output Block=0bdf7df1591716335e9a8b15c860c502
+Plaintext=6bc1bee22e409f96e93d7e117393172a
+Ciphertext=601ec313775789a5b7a7f504bbf3d228
+}
+Block #2={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff00
+Output Block=5a6e699d536119065433863c8f657b94
+Plaintext=ae2d8a571e03ac9c9eb76fac45af8e51
+Ciphertext=f443e3ca4d62b59aca84e990cacaf5c5
+}
+Block #3={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff01
+Output Block=1bc12c9c01610d5d0d8bd6a3378eca62
+Plaintext=30c81c46a35ce411e5fbc1191a0a52ef
+Ciphertext=2b0930daa23de94ce87017ba2d84988d
+}
+Block #4={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff02
+Output Block=2956e1c8693536b1bee99c73a31576b6
+Plaintext=f69f2445df4f9b17ad2b417be66c3710
+Ciphertext=dfc9c58db67aada613c2dd08457941a6
+}
+
+Test="F.5.6 CTR-AES256.Decrypt"
+Type=Decrypt
+Key=603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4
+Init. Counter=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff 
+Block #1={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff 
+OutputBlock=0bdf7df1591716335e9a8b15c860c502 
+Ciphertext=601ec313775789a5b7a7f504bbf3d228
+Plaintext=6bc1bee22e409f96e93d7e117393172a 
+}
+Block #2={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 
+OutputBlock=5a6e699d536119065433863c8f657b94 
+Ciphertext=f443e3ca4d62b59aca84e990cacaf5c5 
+Plaintext=ae2d8a571e03ac9c9eb76fac45af8e51 
+}
+Block #3={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 
+OutputBlock=1bc12c9c01610d5d0d8bd6a3378eca62 
+Ciphertext=2b0930daa23de94ce87017ba2d84988d 
+Plaintext=30c81c46a35ce411e5fbc1191a0a52ef 
+}
+Block #4={
+Input Block=f0f1f2f3f4f5f6f7f8f9fafbfcfdff02 
+OutputBlock=2956e1c8693536b1bee99c73a31576b6 
+Ciphertext=dfc9c58db67aada613c2dd08457941a6 
+Plaintext=f69f2445df4f9b17ad2b417be66c3710
+}
+
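Review bot: aes_ctr_tests_source.txt is transcribed inconsistently: F.5.2 Block #1 has no closing `}` before Block #2, F.5.4 writes `Type="Decrypt"` in quotes and `Block #3` / `Block #4` without the `={` opener, and F.5.6 uses `OutputBlock=` without the space used everywhere else. The mktst.sh added below only reads the three per-test Encrypt files, so the generated vectors are unaffected, but since this file is checked in as the reference copy its formatting should be made uniform so that a future script can parse it directly.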
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_ctr/ciphertext0
@@ -0,0 +1,2 @@
+h01hkbYg4yYb72hkmQ22zpgG9mt5cP3/hhcYe7n//f9a5N8+29XTXltPCQINsD6r
+HgMd2i++A9F5IXCg8wCc7g==
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_ctr/ciphertext1
@@ -0,0 +1,2 @@
+GryTJBdSHKJPKwRZ/n5uCwkDOewKpvrv1czCxvTOjpQeNrJr0evGcNG9HWZWIKv3
+T3in9tKYCVhal9rsWMawUA==
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_ctr/ciphertext2
@@ -0,0 +1,2 @@
+YB7DE3dXiaW3p/UEu/PSKPRD48pNYrWayoTpkMrK9cUrCTDaoj3pTOhwF7othJiN
+38nFjbZ6raYTwt0IRXlBpg==
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_ctr/iv0
@@ -0,0 +1,1 @@
+
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_ctr/iv1
@@ -0,0 +1,1 @@
+
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_ctr/iv2
@@ -0,0 +1,1 @@
+
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_ctr/key0
@@ -0,0 +1,1 @@
++~(Ҧ	O<
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_ctr/key1
@@ -0,0 +1,1 @@
+sdR+ybR,k{
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_ctr/key2
@@ -0,0 +1,1 @@
+`=q+s}w5,;a-	
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_ctr/mktst.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+for i in 0 1 2
+do
+    file="aes_ctr_$i.txt"
+    grep Key $file | sed -e 's;Key=;;' | hex > key$i
+    grep "Init. Counter"  $file | sed -e 's;Init. Counter=;;' | hex > iv$i
+    grep "Ciphertext"  $file | sed -e 's;Ciphertext=;;' | hex | btoa > ciphertext$i
+    grep "Plaintext"  $file | sed -e 's;Plaintext=;;' | hex  > plaintext$i
+done
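Review bot: mktst.sh pipes through `hex` and `btoa`, neither of which is named or provided in the patch; `btoa` presumably means NSS's own cmd/btoa base64 encoder rather than the unrelated system btoa, and `hex` is not an NSS tool, so either add a comment naming the expected helpers or replace `hex` with a portable equivalent such as `xxd -r -p`. The output formats do line up with the loaders in blapitest.c, where ciphertext is read as bltestBase64Encoded and key, iv and plaintext as bltestBinary, and stating that in the script header would make the asymmetry (only ciphertext$i passes through btoa) look deliberate.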
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_ctr/numtests
@@ -0,0 +1,1 @@
+3
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_ctr/plaintext0
@@ -0,0 +1,2 @@
+k.@=~s*-WoEQ0F\
+R$EO+A{l7
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_ctr/plaintext1
@@ -0,0 +1,2 @@
+k.@=~s*-WoEQ0F\
+R$EO+A{l7
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_ctr/plaintext2
@@ -0,0 +1,2 @@
+k.@=~s*-WoEQ0F\
+R$EO+A{l7
\ No newline at end of file
new file mode 100644
new file mode 100644
new file mode 100644
new file mode 100644
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/aad12
@@ -0,0 +1,1 @@
+ޭޭ﫭
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/aad13
@@ -0,0 +1,1 @@
+ޭޭ﫭
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/aad14
@@ -0,0 +1,1 @@
+ޭޭ﫭
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/aad2
@@ -0,0 +1,1 @@
+ޭޭ﫭
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/aad3
@@ -0,0 +1,1 @@
+ޭޭ﫭
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/aad4
@@ -0,0 +1,1 @@
+ޭޭ﫭
\ No newline at end of file
new file mode 100644
new file mode 100644
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/aad7
@@ -0,0 +1,1 @@
+ޭޭ﫭
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/aad8
@@ -0,0 +1,1 @@
+ޭޭ﫭
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/aad9
@@ -0,0 +1,1 @@
+ޭޭ﫭
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/ciphertext0
@@ -0,0 +1,1 @@
+A4jazmC2o5LzKMK5cbL+eKtuR9Qs7BO99TpnshJXvd8=
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/ciphertext1
@@ -0,0 +1,2 @@
+QoMewiF3dCRLciG3hNDUnOOqIS8sAqTgNcF+IymsoS4h1RSyVGaTHH2PalqshKoF
+G6MLOWoKrJc9WOCRRz9ZhU1cKvMnzWSmLPNavSum+rQ=
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/ciphertext10
@@ -0,0 +1,1 @@
+zqdAPU1ga24HTsXTuvOdGNDRyKeZmWvwJluYtdSKuRk=
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/ciphertext11
@@ -0,0 +1,2 @@
+Ui3B8JlWfQf0fzejKoRCfWQ6jNy/5cDJdZiivSVV0aqMsI5IWQ27PaewixBWgog4
+xfYeY5O6egq8yfZiiYAVrbCU2sXZNHG97BpQInDjzGw=
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/ciphertext12
@@ -0,0 +1,2 @@
+Ui3B8JlWfQf0fzejKoRCfWQ6jNy/5cDJdZiivSVV0aqMsI5IWQ27PaewixBWgog4
+xfYeY5O6egq8yfZidvxuzg9OF2jN34hTuy1VGw==
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/ciphertext13
@@ -0,0 +1,2 @@
+w3Yt8cp4fTKuR8E78ZhEy68a4U0Ll2r6xS/315u6neD+tYLTOTSk8JVMwjY7xz94
+YqxDDmSr5Jn0fJsfOjN9v0anksReRUkT/i6o8g==
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/ciphertext14
@@ -0,0 +1,2 @@
+Wo3vLwyeU/H3XXhTZZ4qIO6ysiqv3mQZoFirT290a/QPwMO3gPJERS2j6/HF2Cze
+okGJlyAO+C5Ern4/pEqCZu4cjrDItdTPWunxmg==
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/ciphertext2
@@ -0,0 +1,2 @@
+QoMewiF3dCRLciG3hNDUnOOqIS8sAqTgNcF+IymsoS4h1RSyVGaTHH2PalqshKoF
+G6MLOWoKrJc9WOCRW8lPvDIhpduU+ula5xIaRw==
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/ciphertext3
@@ -0,0 +1,2 @@
+YTU7TCgGk0p3f/UfoipHVWmbKnFPzcb4N2bl+XtsdCNzgGkA5J8ksisJdUTUiWtC
+SYm14eusDwfCP0WYNhLS5547B4VWG+FKrKL8yw==
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/ciphertext4
@@ -0,0 +1,2 @@
+jOJJmGJWFbYDoDOsoT+4lL6REqXDohGouiYqPMp+LKcB5Kmk+6Q8kMzcsoHUjHxv
+1ih10qykFwNMNK7lYZzFrv/+C/pGKvQ8FpnQUA==
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/ciphertext5
@@ -0,0 +1,1 @@
+mOckfAfw/kEcJn5DhLD2AC/1jYADOSerjvTUWHUU8Ps=
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/ciphertext6
@@ -0,0 +1,2 @@
+OYDKCzwA6EHrBvrEhyonV4WeHOqm79mEYoWTtAyh4Zx9dz0AwUTFJaxhnRjISj9H
+GOJEiy/jJNnM2icQrK3iVpkkp8hYcza/sRgCTbhnShQ=
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/ciphertext7
@@ -0,0 +1,2 @@
+OYDKCzwA6EHrBvrEhyonV4WeHOqm79mEYoWTtAyh4Zx9dz0AwUTFJaxhnRjISj9H
+GOJEiy/jJNnM2icQJRlJjoDxR483ulW9bSdhjA==
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/ciphertext8
@@ -0,0 +1,2 @@
+DxD1ma4UoVTtJLNuJTJNuMVmYy7yu7NPg0coD8RQcFf93CnfmkcfdcZlQdTU2tHJ
+6ToZpY6LRz+g8GL3ZdzFf89iOiQJT8ykDTUz+A==
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/ciphertext9
@@ -0,0 +1,2 @@
+0n6IaBzjJDxIMBZaj9z5/x3podjmtEfvbve3mChmbkWB55ASrzTd2eLwN1ibKS2z
+5nwDZ0X6Iufptzc73PVm/ykcJbu4Vo/D03am2Q==
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..ce58bc9f84b9623e708de4eb8427a57d9f9a160f
GIT binary patch
literal 12
Kc${NkKmY&$3;+QD
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/iv1
@@ -0,0 +1,1 @@

\ No newline at end of file
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..ce58bc9f84b9623e708de4eb8427a57d9f9a160f
GIT binary patch
literal 12
Kc${NkKmY&$3;+QD
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/iv11
@@ -0,0 +1,1 @@

\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/iv12
@@ -0,0 +1,1 @@

\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/iv13
@@ -0,0 +1,1 @@

\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/iv14
@@ -0,0 +1,1 @@
+"]UZRijz8SO}ң(QV9BkRTjW7
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/iv2
@@ -0,0 +1,1 @@

\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/iv3
@@ -0,0 +1,1 @@

\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/iv4
@@ -0,0 +1,1 @@
+"]UZRijz8SO}ң(QV9BkRTjW7
\ No newline at end of file
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..ce58bc9f84b9623e708de4eb8427a57d9f9a160f
GIT binary patch
literal 12
Kc${NkKmY&$3;+QD
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/iv6
@@ -0,0 +1,1 @@

\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/iv7
@@ -0,0 +1,1 @@

\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/iv8
@@ -0,0 +1,1 @@

\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/iv9
@@ -0,0 +1,1 @@
+"]UZRijz8SO}ң(QV9BkRTjW7
\ No newline at end of file
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..01d633b27e8ea9b17084fc911d0c8cc43a4170a9
GIT binary patch
literal 16
Kc${NkKm`B*5C8!H
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/key1
@@ -0,0 +1,1 @@
+钆esmjg0
\ No newline at end of file
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..4e4e4935707a596987ec1cc32e3d0d587dbe4f04
GIT binary patch
literal 32
Kc${Nkzz+ZbAOHaX
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/key11
@@ -0,0 +1,1 @@
+钆esmjg0钆esmjg0
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/key12
@@ -0,0 +1,1 @@
+钆esmjg0钆esmjg0
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/key13
@@ -0,0 +1,1 @@
+钆esmjg0钆esmjg0
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/key14
@@ -0,0 +1,1 @@
+钆esmjg0钆esmjg0
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/key2
@@ -0,0 +1,1 @@
+钆esmjg0
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/key3
@@ -0,0 +1,1 @@
+钆esmjg0
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/key4
@@ -0,0 +1,1 @@
+钆esmjg0
\ No newline at end of file
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..4ac5fc6cf890b46738523c4d4d9d964e312f368f
GIT binary patch
literal 24
Kc${NkzzzTa7ytnP
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/key6
@@ -0,0 +1,1 @@
+钆esmjg0钆es
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/key7
@@ -0,0 +1,1 @@
+钆esmjg0钆es
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/key8
@@ -0,0 +1,1 @@
+钆esmjg0钆es
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/key9
@@ -0,0 +1,1 @@
+钆esmjg0钆es
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/mktst.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+for i in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14
+do
+    file="test$i.txt"
+    grep K= $file | sed -e 's;K=;;' | hex > key$i
+    grep IV=  $file | sed -e 's;IV=;;' | hex > iv$i
+    grep "C="  $file | sed -e 's;C=;;' | hex > ciphertext$i.bin
+    grep "P="  $file | sed -e 's;P=;;' | hex  > plaintext$i
+    grep "A="  $file | sed -e 's;A=;;' | hex  > aad$i
+    grep "T="  $file | sed -e 's;T=;;' | hex  >> ciphertext$i.bin
+    btoa < ciphertext$i.bin > ciphertext$i
+    rm ciphertext$i.bin
+done
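Review bot: the `grep "C="`, `grep "P="` and `grep "A="` patterns are unanchored, and they only work today because no other line in the test files contains those exact substrings (`GHASH(H,A,C)=` and `len(A)||len(C)=` contain `C)=`, not `C=`); anchoring them as `^C=`, `^P=`, `^A=` and so on makes that robustness explicit rather than accidental. Two behaviours also deserve a comment: for the cases without an `A=` line the empty `aad$i` file comes from `grep` matching nothing and `hex` being fed empty input, and the `ciphertext$i` file is base64 of `C || T`, so any consumer must treat the trailing 16 bytes as the tag. Finally, the loop covers test0..test14, which are Test Cases 2-6, 8-12 and 14-18 of the spec; Test Cases 1, 7 and 13 (Test Case 1, with empty `P=` and `C=`, is visible in test_source.txt) are skipped, and a one-line note in the script or in `numtests` explaining why the empty-plaintext cases are excluded would save the next maintainer from re-deriving it. As with the aes_ctr script, `set -e` and a note on where `hex`/`btoa` come from would help.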
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/numtests
@@ -0,0 +1,1 @@
+15
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..01d633b27e8ea9b17084fc911d0c8cc43a4170a9
GIT binary patch
literal 16
Kc${NkKm`B*5C8!H
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/plaintext1
@@ -0,0 +1,1 @@
+12%Y	ů&S4.L0=1r<h	S/$I%j
Wc{9U
\ No newline at end of file
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..01d633b27e8ea9b17084fc911d0c8cc43a4170a9
GIT binary patch
literal 16
Kc${NkKm`B*5C8!H
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/plaintext11
@@ -0,0 +1,1 @@
+12%Y	ů&S4.L0=1r<h	S/$I%j
Wc{9U
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/plaintext12
@@ -0,0 +1,1 @@
+12%Y	ů&S4.L0=1r<h	S/$I%j
Wc{9
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/plaintext13
@@ -0,0 +1,1 @@
+12%Y	ů&S4.L0=1r<h	S/$I%j
Wc{9
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/plaintext14
@@ -0,0 +1,1 @@
+12%Y	ů&S4.L0=1r<h	S/$I%j
Wc{9
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/plaintext2
@@ -0,0 +1,1 @@
+12%Y	ů&S4.L0=1r<h	S/$I%j
Wc{9
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/plaintext3
@@ -0,0 +1,1 @@
+12%Y	ů&S4.L0=1r<h	S/$I%j
Wc{9
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/plaintext4
@@ -0,0 +1,1 @@
+12%Y	ů&S4.L0=1r<h	S/$I%j
Wc{9
\ No newline at end of file
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..01d633b27e8ea9b17084fc911d0c8cc43a4170a9
GIT binary patch
literal 16
Kc${NkKm`B*5C8!H
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/plaintext6
@@ -0,0 +1,1 @@
+12%Y	ů&S4.L0=1r<h	S/$I%j
Wc{9U
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/plaintext7
@@ -0,0 +1,1 @@
+12%Y	ů&S4.L0=1r<h	S/$I%j
Wc{9
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/plaintext8
@@ -0,0 +1,1 @@
+12%Y	ů&S4.L0=1r<h	S/$I%j
Wc{9
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/plaintext9
@@ -0,0 +1,1 @@
+12%Y	ů&S4.L0=1r<h	S/$I%j
Wc{9
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/test0.txt
@@ -0,0 +1,14 @@
+test="Test Case 2"
+K=00000000000000000000000000000000
+P=00000000000000000000000000000000
+IV=000000000000000000000000
+H=66e94bd4ef8a2c3b884cfa59ca342b2e
+Y0=00000000000000000000000000000001
+E(K,Y0)=58e2fccefa7e3061367f1d57a4e7455a
+Y1=00000000000000000000000000000002
+E(K,Y1)=0388dace60b6a392f328c2b971b2fe78
+X1 5e2ec746917062882c85b0685353deb7
+len(A)||len(C)=00000000000000000000000000000080
+GHASH(H,A,C)=f38cbb1ad69223dcc3457ae5b6b0f885
+C=0388dace60b6a392f328c2b971b2fe78
+T=ab6e47d42cec13bdf53a67b21257bddf
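Review bot: the line `X1 5e2ec746917062882c85b0685353deb7` is missing the `=` that every other intermediate value in these files uses (`X1=...` in test1.txt and the rest). mktst.sh only extracts the `K=`, `IV=`, `C=`, `P=`, `A=` and `T=` lines, so the generated key/iv/ciphertext files are unaffected, but the same unlabelled line is carried in test_source.txt under Test Case 2, and both copies should be fixed so the files parse uniformly as `name=value` records.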
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/test1.txt
@@ -0,0 +1,23 @@
+test="Test Case 3"
+K=feffe9928665731c6d6a8f9467308308
+P=d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255
+IV=cafebabefacedbaddecaf888
+H=b83b533708bf535d0aa6e52980d53b78
+Y0=cafebabefacedbaddecaf88800000001
+E(K,Y0)=3247184b3c4f69a44dbcd22887bbb418
+Y1=cafebabefacedbaddecaf88800000002
+E(K,Y1)=9bb22ce7d9f372c1ee2b28722b25f206
+Y2=cafebabefacedbaddecaf88800000003
+E(K,Y2)=650d887c3936533a1b8d4e1ea39d2b5c
+Y3=cafebabefacedbaddecaf88800000004
+E(K,Y3)=3de91827c10e9a4f5240647ee5221f20
+Y4=cafebabefacedbaddecaf88800000005
+E(K,Y4)=aac9e6ccc0074ac0873b9ba85d908bd0
+X1=59ed3f2bb1a0aaa07c9f56c6a504647b
+X2=b714c9048389afd9f9bc5c1d4378e052
+X3=47400c6577b1ee8d8f40b2721e86ff10
+X4=4796cf49464704b5dd91f159bb1b7f95
+len(A)||len(C)=00000000000000000000000000000200
+GHASH(H,A,C)=7f1b32b81b820d02614f8895ac1d4eac
+C=42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091473f5985
+T=4d5c2af327cd64a62cf35abd2ba6fab4
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/test10.txt
@@ -0,0 +1,14 @@
+test="Test Case 14"
+K=0000000000000000000000000000000000000000000000000000000000000000
+P=00000000000000000000000000000000
+IV=000000000000000000000000
+H=dc95c078a2408989ad48a21492842087
+Y0=00000000000000000000000000000001
+E(K,Y0)=530f8afbc74536b9a963b4f1c4cb738b
+Y1=00000000000000000000000000000002
+E(K,Y1)=cea7403d4d606b6e074ec5d3baf39d18
+X1=fd6ab7586e556dba06d69cfe6223b262
+len(A)||len(C)=00000000000000000000000000000080
+GHASH(H,A,C)=83de425c5edc5d498f382c441041ca92
+C=cea7403d4d606b6e074ec5d3baf39d18
+T=d0d1c8a799996bf0265b98b5d48ab919
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/test11.txt
@@ -0,0 +1,23 @@
+test="Test Case 15"
+K=feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308
+P=d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255
+IV=cafebabefacedbaddecaf888
+H=acbef20579b4b8ebce889bac8732dad7
+Y0=cafebabefacedbaddecaf88800000001
+E(K,Y0)=fd2caa16a5832e76aa132c1453eeda7e
+Y1=cafebabefacedbaddecaf88800000002
+E(K,Y1)=8b1cf3d561d27be251263e66857164e7
+Y2=cafebabefacedbaddecaf88800000003
+E(K,Y2)=e29d258faad137135bd49280af645bd8
+Y3=cafebabefacedbaddecaf88800000004
+E(K,Y3)=908c82ddcc65b26e887f85341f243d1d
+Y4=cafebabefacedbaddecaf88800000005
+E(K,Y4)=749cf39639b79c5d06aa8d5b932fc7f8
+X1=fcbefb78635d598eddaf982310670f35
+X2=29de812309d3116a6eff7ec844484f3e
+X3=45fad9deeda9ea561b8f199c3613845b
+X4=ed95f8e164bf3213febc740f0bd9c6af
+len(A)||len(C)=00000000000000000000000000000200
+GHASH(H,A,C)=4db870d37cb75fcb46097c36230d1612
+C=522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662898015ad
+T=b094dac5d93471bdec1a502270e3cc6c
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/test12.txt
@@ -0,0 +1,26 @@
+test="Test Case 16"
+K=feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308
+P=d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+A=feedfacedeadbeeffeedfacedeadbeefabaddad2
+IV=cafebabefacedbaddecaf888
+H=acbef20579b4b8ebce889bac8732dad7
+Y0=cafebabefacedbaddecaf88800000001
+E(K,Y0)=fd2caa16a5832e76aa132c1453eeda7e
+X1=5165d242c2592c0a6375e2622cf925d2
+X2=8efa30ce83298b85fe71abefc0cdd01d
+Y1=cafebabefacedbaddecaf88800000002
+E(K,Y1)=8b1cf3d561d27be251263e66857164e7
+Y2=cafebabefacedbaddecaf88800000003
+E(K,Y2)=e29d258faad137135bd49280af645bd8
+Y3=cafebabefacedbaddecaf88800000004
+E(K,Y3)=908c82ddcc65b26e887f85341f243d1d
+Y4=cafebabefacedbaddecaf88800000005
+E(K,Y4)=749cf39639b79c5d06aa8d5b932fc7f8
+X3=abe07e0bb62354177480b550f9f6cdcc
+X4=3978e4f141b95f3b4699756b1c3c2082
+X5=8abf3c48901debe76837d8a05c7d6e87
+X6=9249beaf520c48b912fa120bbf391dc8
+len(A)||len(C)=00000000000000a000000000000001e0
+GHASH(H,A,C)=8bd0c4d8aacd391e67cca447e8c38f65
+C=522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662
+T=76fc6ece0f4e1768cddf8853bb2d551b
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/test13.txt
@@ -0,0 +1,28 @@
+test="Test Case 17"
+K=feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308
+P=d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+A=feedfacedeadbeeffeedfacedeadbeefabaddad2
+IV=cafebabefacedbad
+H=acbef20579b4b8ebce889bac8732dad7
+N1=90c22e3d2aca34b971e8bd09708fae5c
+len({})||len(IV)=00000000000000000000000000000040
+Y0=0095df49dd90abe3e4d252475748f5d4
+E(K,Y0)=4f903f37fe611d454217fbfa5cd7d791
+X1=5165d242c2592c0a6375e2622cf925d2
+X2=8efa30ce83298b85fe71abefc0cdd01d
+Y1=0095df49dd90abe3e4d252475748f5d5
+E(K,Y1)=1a471fd432fc7bd70b1ec8fe5e6d6251
+Y2=0095df49dd90abe3e4d252475748f5d6
+E(K,Y2)=29bd481e1ea39d20eb63c7ea118b1792
+Y3=0095df49dd90abe3e4d252475748f5d7
+E(K,Y3)=e2898e46ac5cada3ba83cc1272618a5d
+Y4=0095df49dd90abe3e4d252475748f5d8
+E(K,Y4)=d3c6aefbcea602ce4e1fe026065447bf
+X3=55e1ff68f9249e64b95223858e5cb936
+X4=cef1c034383dc96f733aaa4c99bd3e61
+X5=68588d004fd468f5854515039b08165d
+X6=2378943c034697f72a80fce5059bf3f3
+len(A)||len(C)=00000000000000a000000000000001e0
+GHASH(H,A,C)=75a34288b8c68f811c52b2e9a2f97f63
+C=c3762df1ca787d32ae47c13bf19844cbaf1ae14d0b976afac52ff7d79bba9de0feb582d33934a4f0954cc2363bc73f7862ac430e64abe499f47c9b1f
+T=3a337dbf46a792c45e454913fe2ea8f2
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/test14.txt
@@ -0,0 +1,31 @@
+test="Test Case 18"
+K=feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308
+P=d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+A=feedfacedeadbeeffeedfacedeadbeefabaddad2
+IV=9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b
+H=acbef20579b4b8ebce889bac8732dad7
+N1=0bfe66e2032f195516379f5fb710f987
+N2=f0631554d11409915feec8f9f5102aba
+N3=749b90dda19a1557fd9e9fd31fed1d14
+N4=7a6a833f260d848793b327cb07d1b190
+len({})||len(IV)=000000000000000000000000000001e0
+Y0=0cd953e2140a5976079f8e2406bc8eb4
+E(K,Y0)=71b54d092bb0c3d9ba94538d4096e691
+X1=5165d242c2592c0a6375e2622cf925d2
+X2=8efa30ce83298b85fe71abefc0cdd01d
+Y1=0cd953e2140a5976079f8e2406bc8eb5
+E(K,Y1)=83bcdd0af41a551452047196ca6b0cba
+Y2=0cd953e2140a5976079f8e2406bc8eb6
+E(K,Y2)=68151b79baea93c38e149b72e545e186
+Y3=0cd953e2140a5976079f8e2406bc8eb7
+E(K,Y3)=13fccf22159a4d16026ce5d58c7e99fb
+Y4=0cd953e2140a5976079f8e2406bc8eb8
+E(K,Y4)=132b64628a031e79fecd050675a64f07
+X3=e963941cfa8c417bdaa3b3d94ab4e905
+X4=2178d7f836e5fa105ce0fdf0fc8f0654
+X5=bac14eeba3216f966b3e7e011475b832
+X6=cc9ae9175729a649936e890bd971a8bf
+len(A)||len(C)=00000000000000a000000000000001e0
+GHASH(H,A,C)=d5ffcf6fc5ac4d69722187421a7f170b
+C=5a8def2f0c9e53f1f75d7853659e2a20eeb2b22aafde6419a058ab4f6f746bf40fc0c3b780f244452da3ebf1c5d82cdea2418997200ef82e44ae7e3f
+T=a44a8266ee1c8eb0c8b5d4cf5ae9f19a
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/test2.txt
@@ -0,0 +1,26 @@
+test="Test Case 4"
+K=feffe9928665731c6d6a8f9467308308
+P=d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+A=feedfacedeadbeeffeedfacedeadbeefabaddad2
+IV=cafebabefacedbaddecaf888
+H=b83b533708bf535d0aa6e52980d53b78
+Y0=cafebabefacedbaddecaf88800000001
+E(K,Y0)=3247184b3c4f69a44dbcd22887bbb418
+X1=ed56aaf8a72d67049fdb9228edba1322
+X2=cd47221ccef0554ee4bb044c88150352
+Y1=cafebabefacedbaddecaf88800000002
+E(K,Y1)=9bb22ce7d9f372c1ee2b28722b25f206
+Y2=cafebabefacedbaddecaf88800000003
+E(K,Y2)=650d887c3936533a1b8d4e1ea39d2b5c
+Y3=cafebabefacedbaddecaf88800000004
+E(K,Y3)=3de91827c10e9a4f5240647ee5221f20
+Y4=cafebabefacedbaddecaf88800000005
+E(K,Y4)=aac9e6ccc0074ac0873b9ba85d908bd0
+X3=54f5e1b2b5a8f9525c23924751a3ca51
+X4=324f585c6ffc1359ab371565d6c45f93
+X5=ca7dd446af4aa70cc3c0cd5abba6aa1c
+X6=1590df9b2eb6768289e57d56274c8570
+len(A)||len(C)=00000000000000a000000000000001e0
+GHASH(H,A,C)=698e57f70e6ecc7fd9463b7260a9ae5f
+C=42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091
+T=5bc94fbc3221a5db94fae95ae7121a47
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/test3.txt
@@ -0,0 +1,28 @@
+test="Test Case 5"
+K=feffe9928665731c6d6a8f9467308308
+P=d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+A=feedfacedeadbeeffeedfacedeadbeefabaddad2
+IV=cafebabefacedbad
+H=b83b533708bf535d0aa6e52980d53b78
+N1=6f288b846e5fed9a18376829c86a6a16
+len({})||len(C)=00000000000000000000000000000040
+Y0=c43a83c4c4badec4354ca984db252f7d
+E(K,Y0)=e94ab9535c72bea9e089c93d48e62fb0
+X1=ed56aaf8a72d67049fdb9228edba1322
+X2=cd47221ccef0554ee4bb044c88150352
+Y1=c43a83c4c4badec4354ca984db252f7e
+E(K,Y1)=b8040969d08295afd226fcda0ddf61cf
+Y2=c43a83c4c4badec4354ca984db252f7f
+E(K,Y2)=ef3c83225af93122192ad5c4f15dfe51
+Y3=c43a83c4c4badec4354ca984db252f80
+E(K,Y3)=6fbc659571f72de104c67b609d2fde67
+Y4=c43a83c4c4badec4354ca984db252f81
+E(K,Y4)=f8e3581441a1e950785c3ea1430c6fa6
+X3=9379e2feae14649c86cf2250e3a81916
+X4=65dde904c92a6b3db877c4817b50a5f4
+X5=48c53cf863b49a1b0bbfc48c3baaa89d
+X6=08c873f1c8cec3effc209a07468caab1
+len(A)||len(C)=00000000000000a000000000000001e0
+GHASH(H,A,C)=df586bb4c249b92cb6922877e444d37b
+C=61353b4c2806934a777ff51fa22a4755699b2a714fcdc6f83766e5f97b6c742373806900e49f24b22b097544d4896b424989b5e1ebac0f07c23f4598
+T=3612d2e79e3b0785561be14aaca2fccb
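Review bot: the label on `len({})||len(C)=00000000000000000000000000000040` should be `len({})||len(IV)=`, as in test8.txt and test13.txt for the other 64-bit-IV cases; the value (0x40 = 64 bits) is the IV length fed to GHASH to derive Y0, not a ciphertext length. test_source.txt carries the same mislabelled line for Test Case 5. No effect on the extracted test files, since mktst.sh does not read this line, but it is misleading for anyone checking the Y0 derivation by hand.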
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/test4.txt
@@ -0,0 +1,31 @@
+test="Test Case 6"
+K=feffe9928665731c6d6a8f9467308308
+P=d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+A=feedfacedeadbeeffeedfacedeadbeefabaddad2
+IV=9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b
+H=b83b533708bf535d0aa6e52980d53b78
+N1=004d6599d7fb1634756e1e299d81630f
+N2=88ffe8a3c8033df4b54d732f7f88408e
+N3=24e694cfab657beabba8055aad495e23
+N4=d8349a5eda24943c8fbb2ef5168b20cb
+len({})||len(IV)=000000000000000000000000000001e0
+Y0=3bab75780a31c059f83d2a44752f9864
+7dc63b399f2d98d57ab073b6baa4138e
+X1=ed56aaf8a72d67049fdb9228edba1322
+X2=cd47221ccef0554ee4bb044c88150352
+Y1=3bab75780a31c059f83d2a44752f9865
+E(K,Y1)=55d37bbd9ad21353a6f93a690eca9e0e
+Y2=3bab75780a31c059f83d2a44752f9866
+E(K,Y2)=3836bbf6d696e672946a1a01404fa6d5
+Y3=3bab75780a31c059f83d2a44752f9867
+E(K,Y3)=1dd8a5316ecc35c3e313bca59d2ac94a
+Y4=3bab75780a31c059f83d2a44752f9868
+E(K,Y4)=6742982706a9f154f657d5dc94b746db
+X3=31727669c63c6f078b5d22adbbbca384
+X4=480c00db2679065a7ed2f771a53acacd
+X5=1c1ae3c355e2214466a9923d2ba6ab35
+X6=0694c6f16bb0275a48891d06590344b0
+len(A)||len(C)=00000000000000a000000000000001e0
+GHASH(H,A,C)=1c5afe9760d3932f3c9a878aac3dc3de
+C=8ce24998625615b603a033aca13fb894be9112a5c3a211a8ba262a3cca7e2ca701e4a9a4fba43c90ccdcb281d48c7c6fd62875d2aca417034c34aee5
+T=619cc5aefffe0bfa462af43c1699d050
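Review bot: the bare line `7dc63b399f2d98d57ab073b6baa4138e` directly after `Y0=` has lost its `E(K,Y0)=` label; test9.txt and test14.txt, the other two long-IV cases, keep the label. Harmless for mktst.sh, which does not extract this value, but a bare hex line breaks any tool that parses these files as `name=value` records, so please restore the prefix.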
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/test5.txt
@@ -0,0 +1,14 @@
+test="Test Case 8"
+K=000000000000000000000000000000000000000000000000
+P=00000000000000000000000000000000
+IV=000000000000000000000000
+H=aae06992acbf52a3e8f4a96ec9300bd7
+Y0=00000000000000000000000000000001
+E(K,Y0)=cd33b28ac773f74ba00ed1f312572435
+Y1=00000000000000000000000000000002
+E(K,Y1)=98e7247c07f0fe411c267e4384b0f600
+X1=90e87315fb7d4e1b4092ec0cbfda5d7d
+len(A)||len(C)=00000000000000000000000000000080
+GHASH(H,A,C)=e2c63f0ac44ad0e02efa05ab6743d4ce
+C=98e7247c07f0fe411c267e4384b0f600
+T=2ff58d80033927ab8ef4d4587514f0fb
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/test6.txt
@@ -0,0 +1,23 @@
+test="Test Case 9"
+K=feffe9928665731c6d6a8f9467308308feffe9928665731c
+P=d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255
+IV=cafebabefacedbaddecaf888
+H=466923ec9ae682214f2c082badb39249
+Y0=cafebabefacedbaddecaf88800000001
+E(K,Y0)=c835aa88aebbc94f5a02e179fdcfc3e4
+Y1=cafebabefacedbaddecaf88800000002
+E(K,Y1)=e0b1f82ec484eea44e5ff30128df01cd
+Y2=cafebabefacedbaddecaf88800000003
+E(K,Y2)=0339b5b9b3db2e5e4cc9a38986906bee
+Y3=cafebabefacedbaddecaf88800000004
+E(K,Y3)=614b3195542ccc7683ae933c81ec8a62
+Y4=cafebabefacedbaddecaf88800000005
+E(K,Y4)=a988a97e85eec28e76b95c29b6023003
+X1=dddca3f91c17821ffac4a6d0fed176f7
+X2=a4e84ac60e2730f4a7e0e1eef708b198
+X3=e67592048dd7153973a0dbbb8804bee2
+X4=503e86628536625fb746ce3cecea433f
+len(A)||len(C)=00000000000000000000000000000200
+GHASH(H,A,C)=51110d40f6c8fff0eb1ae33445a889f0
+C=3980ca0b3c00e841eb06fac4872a2757859e1ceaa6efd984628593b40ca1e19c7d773d00c144c525ac619d18c84a3f4718e2448b2fe324d9ccda2710acade256
+T=9924a7c8587336bfb118024db8674a14
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/test7.txt
@@ -0,0 +1,26 @@
+test="Test Case 10"
+K=feffe9928665731c6d6a8f9467308308feffe9928665731c
+P=d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+A=feedfacedeadbeeffeedfacedeadbeefabaddad2
+IV=cafebabefacedbaddecaf888
+H=466923ec9ae682214f2c082badb39249
+Y0=cafebabefacedbaddecaf88800000001
+E(K,Y0)=c835aa88aebbc94f5a02e179fdcfc3e4
+X1=f3bf7ba3e305aeb05ed0d2e4fe076666
+X2=20a51fa2302e9c01b87c48f2c3d91a56
+Y1=cafebabefacedbaddecaf88800000002
+E(K,Y1)=e0b1f82ec484eea44e5ff30128df01cd
+Y2=cafebabefacedbaddecaf88800000003
+E(K,Y2)=0339b5b9b3db2e5e4cc9a38986906bee
+Y3=cafebabefacedbaddecaf88800000004
+E(K,Y3)=614b3195542ccc7683ae933c81ec8a62
+Y4=cafebabefacedbaddecaf88800000005
+E(K,Y4)=a988a97e85eec28e76b95c29b6023003
+X3=714f9700ddf520f20695f6180c6e669d
+X4=e858680b7b240d2ecf7e06bbad4524e2
+X5=3f4865abd6bb3fb9f5c4a816f0a9b778
+X6=4256f67fe87b4f49422ba11af857c973
+len(A)||len(C)=00000000000000a000000000000001e0
+GHASH(H,A,C)=ed2ce3062e4a8ec06db8b4c490e8a268
+C=3980ca0b3c00e841eb06fac4872a2757859e1ceaa6efd984628593b40ca1e19c7d773d00c144c525ac619d18c84a3f4718e2448b2fe324d9ccda2710
+T=2519498e80f1478f37ba55bd6d27618c
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/test8.txt
@@ -0,0 +1,28 @@
+test="Test Case 11"
+K=feffe9928665731c6d6a8f9467308308feffe9928665731c
+P=d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+A=feedfacedeadbeeffeedfacedeadbeefabaddad2
+IV=cafebabefacedbad
+H=466923ec9ae682214f2c082badb39249
+N1=9473c07b02544299cf007c42c5778218
+len({})||len(IV)=00000000000000000000000000000040
+Y0=a14378078d27258a6292737e1802ada5
+E(K,Y0)=7bb6d647c902427ce7cf26563a337371
+X1=f3bf7ba3e305aeb05ed0d2e4fe076666
+X2=20a51fa2302e9c01b87c48f2c3d91a56
+Y1=a14378078d27258a6292737e1802ada6
+E(K,Y1)=d621c7bc5690a7b1487dbaab8ac76b22
+Y2=a14378078d27258a6292737e1802ada7
+E(K,Y2)=43c1ca7de78f4495ad0b18324e61fa25
+Y3=a14378078d27258a6292737e1802ada8
+E(K,Y3)=e1e0254a0f2f1626e9aa4ff09d7c64ec
+Y4=a14378078d27258a6292737e1802ada9
+E(K,Y4)=5850f4502486a1681a9319ce7d0afa59
+X3=8bdedafd6ee8e529689de3a269b8240d
+X4=6607feb377b49c9ecdbc696344fe22d8
+X5=8a19570a06500ba9405fcece4a73fb48
+X6=8532826e63ce4a5b89b70fa28f8070fe
+len(A)||len(C)=00000000000000a000000000000001e0
+GHASH(H,A,C)=1e6a133806607858ee80eaf237064089
+C=0f10f599ae14a154ed24b36e25324db8c566632ef2bbb34f8347280fc4507057fddc29df9a471f75c66541d4d4dad1c9e93a19a58e8b473fa0f062f7
+T=65dcc57fcf623a24094fcca40d3533f8
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/test9.txt
@@ -0,0 +1,31 @@
+test="Test Case 12"
+K=feffe9928665731c6d6a8f9467308308feffe9928665731c
+P=d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+A=feedfacedeadbeeffeedfacedeadbeefabaddad2
+IV=9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b
+H=466923ec9ae682214f2c082badb39249
+N1=19aef0f04763b0c87903c5a217d5314f
+N2=62120253f79efc978625d1feb03b5b5b
+N3=b6ce2a84e366de900fa78a1653df77fb
+N4=374ecad90487f0bb261ba817447e022c
+len({})||len(IV)=000000000000000000000000000001e0
+Y0=4505cdc367a054c5002820e96aebef27
+E(K,Y0)=5ea3194f9dd012a3b9bc5103d6e0284d
+X1=f3bf7ba3e305aeb05ed0d2e4fe076666
+X2=20a51fa2302e9c01b87c48f2c3d91a56
+Y1=4505cdc367a054c5002820e96aebef28
+E(K,Y1)=0b4fba4de46722d9ed691f9f2029df65
+Y2=4505cdc367a054c5002820e96aebef29
+E(K,Y2)=9b4e088bf380b03540bb87a5a257e437
+Y3=4505cdc367a054c5002820e96aebef2a
+E(K,Y3)=9ddb9c873a5cd48acd3f397cd28f9896
+Y4=4505cdc367a054c5002820e96aebef2b
+E(K,Y4)=5716ee92eff7c4b053d44c0294ea88cd
+X3=f70d61693ea7f53f08c866d6eedb1e4b
+X4=dc40bc9a181b35aed66488071ef282ae
+X5=85ffa424b87b35cac7be9c450f0d7aee
+X6=65233cbe5251f7d246bfc967a8678647
+len(A)||len(C)=00000000000000a000000000000001e0
+GHASH(H,A,C)=82567fb0b4cc371801eadec005968e94
+C=d27e88681ce3243c4830165a8fdcf9ff1de9a1d8e6b447ef6ef7b79828666e4581e79012af34ddd9e2f037589b292db3e67c036745fa22e7e9b7373b
+T=dcf566ff291c25bbb8568fc3d376a6d9
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_gcm/test_source.txt
@@ -0,0 +1,438 @@
+#  AppendixB AES Test Vectors
+#  From "The Galois/Counter Mode of Operation (GCM)", David A McGree & John Viega,
+#   http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf
+#
+# This appendix contains test cases for AES GCM, with AES key sizes of 128, 192, and 256 bits. These
+# cases use the same notation as in Equations 1 and 2, with the exception that Ni is used in place of
+# Xi when GHASH is used to compute Y0 , in order to distinguish that case from the later invocation
+# of GHASH. All values are in hexadecimal, and a zero-length variable is indicated by the absence
+# of any hex digits. Each line consists of 128 bits of data, and variables whose lengths exceed that
+# value are continued on successive lines. The leftmost hex digit corresponds to the leftmost four
+# bits of the variable. For example, the lowest 128 bits of the field polynomial are represented as
+# e100000000000000000000000000000000.
+#
+
+test="Test Case 1"
+K=00000000000000000000000000000000
+P= 
+IV=000000000000000000000000
+H=66e94bd4ef8a2c3b884cfa59ca342b2e
+Y0=00000000000000000000000000000001
+E(K,Y0)=58e2fccefa7e3061367f1d57a4e7455a
+len(A)||len(C)=00000000000000000000000000000000 
+GHASH(H,A,C)=00000000000000000000000000000000
+C=
+T=58e2fccefa7e3061367f1d57a4e7455a
+
+
+test="Test Case 2"
+K=00000000000000000000000000000000
+P=00000000000000000000000000000000
+IV=000000000000000000000000
+H=66e94bd4ef8a2c3b884cfa59ca342b2e
+Y0=00000000000000000000000000000001
+E(K,Y0)=58e2fccefa7e3061367f1d57a4e7455a
+Y1=00000000000000000000000000000002
+E(K,Y1)=0388dace60b6a392f328c2b971b2fe78
+X1 5e2ec746917062882c85b0685353deb7
+len(A)||len(C)=00000000000000000000000000000080
+GHASH(H,A,C)=f38cbb1ad69223dcc3457ae5b6b0f885
+C=0388dace60b6a392f328c2b971b2fe78
+T=ab6e47d42cec13bdf53a67b21257bddf
+
+test="Test Case 3"
+K=feffe9928665731c6d6a8f9467308308
+P=d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255
+IV=cafebabefacedbaddecaf888
+H=b83b533708bf535d0aa6e52980d53b78
+Y0=cafebabefacedbaddecaf88800000001
+E(K,Y0)=3247184b3c4f69a44dbcd22887bbb418
+Y1=cafebabefacedbaddecaf88800000002
+E(K,Y1)=9bb22ce7d9f372c1ee2b28722b25f206
+Y2=cafebabefacedbaddecaf88800000003
+E(K,Y2)=650d887c3936533a1b8d4e1ea39d2b5c
+Y3=cafebabefacedbaddecaf88800000004
+E(K,Y3)=3de91827c10e9a4f5240647ee5221f20
+Y4=cafebabefacedbaddecaf88800000005
+E(K,Y4)=aac9e6ccc0074ac0873b9ba85d908bd0
+X1=59ed3f2bb1a0aaa07c9f56c6a504647b
+X2=b714c9048389afd9f9bc5c1d4378e052
+X3=47400c6577b1ee8d8f40b2721e86ff10
+X4=4796cf49464704b5dd91f159bb1b7f95
+len(A)||len(C)=00000000000000000000000000000200
+GHASH(H,A,C)=7f1b32b81b820d02614f8895ac1d4eac
+C=42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091473f5985
+T=4d5c2af327cd64a62cf35abd2ba6fab4
+
+test="Test Case 4"
+K=feffe9928665731c6d6a8f9467308308
+P=d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+A=feedfacedeadbeeffeedfacedeadbeefabaddad2
+IV=cafebabefacedbaddecaf888
+H=b83b533708bf535d0aa6e52980d53b78
+Y0=cafebabefacedbaddecaf88800000001
+E(K,Y0)=3247184b3c4f69a44dbcd22887bbb418
+X1=ed56aaf8a72d67049fdb9228edba1322
+X2=cd47221ccef0554ee4bb044c88150352
+Y1=cafebabefacedbaddecaf88800000002
+E(K,Y1)=9bb22ce7d9f372c1ee2b28722b25f206
+Y2=cafebabefacedbaddecaf88800000003
+E(K,Y2)=650d887c3936533a1b8d4e1ea39d2b5c
+Y3=cafebabefacedbaddecaf88800000004
+E(K,Y3)=3de91827c10e9a4f5240647ee5221f20
+Y4=cafebabefacedbaddecaf88800000005
+E(K,Y4)=aac9e6ccc0074ac0873b9ba85d908bd0
+X3=54f5e1b2b5a8f9525c23924751a3ca51
+X4=324f585c6ffc1359ab371565d6c45f93
+X5=ca7dd446af4aa70cc3c0cd5abba6aa1c
+X6=1590df9b2eb6768289e57d56274c8570
+len(A)||len(C)=00000000000000a000000000000001e0
+GHASH(H,A,C)=698e57f70e6ecc7fd9463b7260a9ae5f
+C=42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091
+T=5bc94fbc3221a5db94fae95ae7121a47
+
+test="Test Case 5"
+K=feffe9928665731c6d6a8f9467308308
+P=d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+A=feedfacedeadbeeffeedfacedeadbeefabaddad2
+IV=cafebabefacedbad
+H=b83b533708bf535d0aa6e52980d53b78
+N1=6f288b846e5fed9a18376829c86a6a16
+len({})||len(C)=00000000000000000000000000000040
+Y0=c43a83c4c4badec4354ca984db252f7d
+E(K,Y0)=e94ab9535c72bea9e089c93d48e62fb0
+X1=ed56aaf8a72d67049fdb9228edba1322
+X2=cd47221ccef0554ee4bb044c88150352
+Y1=c43a83c4c4badec4354ca984db252f7e
+E(K,Y1)=b8040969d08295afd226fcda0ddf61cf
+Y2=c43a83c4c4badec4354ca984db252f7f
+E(K,Y2)=ef3c83225af93122192ad5c4f15dfe51
+Y3=c43a83c4c4badec4354ca984db252f80
+E(K,Y3)=6fbc659571f72de104c67b609d2fde67
+Y4=c43a83c4c4badec4354ca984db252f81
+E(K,Y4)=f8e3581441a1e950785c3ea1430c6fa6
+X3=9379e2feae14649c86cf2250e3a81916
+X4=65dde904c92a6b3db877c4817b50a5f4
+X5=48c53cf863b49a1b0bbfc48c3baaa89d
+X6=08c873f1c8cec3effc209a07468caab1
+len(A)||len(C)=00000000000000a000000000000001e0
+GHASH(H,A,C)=df586bb4c249b92cb6922877e444d37b
+C=61353b4c2806934a777ff51fa22a4755699b2a714fcdc6f83766e5f97b6c742373806900e49f24b22b097544d4896b424989b5e1ebac0f07c23f4598
+T=3612d2e79e3b0785561be14aaca2fccb
+
+test="Test Case 6"
+K=feffe9928665731c6d6a8f9467308308
+P=d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+A=feedfacedeadbeeffeedfacedeadbeefabaddad2
+IV=9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b
+H=b83b533708bf535d0aa6e52980d53b78
+N1=004d6599d7fb1634756e1e299d81630f
+N2=88ffe8a3c8033df4b54d732f7f88408e
+N3=24e694cfab657beabba8055aad495e23
+N4=d8349a5eda24943c8fbb2ef5168b20cb
+len({})||len(IV)=000000000000000000000000000001e0
+Y0=3bab75780a31c059f83d2a44752f9864
+7dc63b399f2d98d57ab073b6baa4138e
+X1=ed56aaf8a72d67049fdb9228edba1322
+X2=cd47221ccef0554ee4bb044c88150352
+Y1=3bab75780a31c059f83d2a44752f9865
+E(K,Y1)=55d37bbd9ad21353a6f93a690eca9e0e
+Y2=3bab75780a31c059f83d2a44752f9866
+E(K,Y2)=3836bbf6d696e672946a1a01404fa6d5
+Y3=3bab75780a31c059f83d2a44752f9867
+E(K,Y3)=1dd8a5316ecc35c3e313bca59d2ac94a
+Y4=3bab75780a31c059f83d2a44752f9868
+E(K,Y4)=6742982706a9f154f657d5dc94b746db
+X3=31727669c63c6f078b5d22adbbbca384
+X4=480c00db2679065a7ed2f771a53acacd
+X5=1c1ae3c355e2214466a9923d2ba6ab35
+X6=0694c6f16bb0275a48891d06590344b0
+len(A)||len(C)=00000000000000a000000000000001e0
+GHASH(H,A,C)=1c5afe9760d3932f3c9a878aac3dc3de
+C=8ce24998625615b603a033aca13fb894be9112a5c3a211a8ba262a3cca7e2ca701e4a9a4fba43c90ccdcb281d48c7c6fd62875d2aca417034c34aee5
+T=619cc5aefffe0bfa462af43c1699d050
+
+test="Test Case 7"
+K=000000000000000000000000000000000000000000000000000000000000000000000000
+P=
+IV=aae06992acbf52a3e8f4a96ec9300bd7
+H=00000000000000000000000000000001
+Y0=cd33b28ac773f74ba00ed1f312572435
+E(K,Y0)=00000000000000000000000000000000
+GHASH(H,A,C)=00000000000000000000000000000000
+C=
+T=cd33b28ac773f74ba00ed1f31257243
+
+test="Test Case 8"
+K=000000000000000000000000000000000000000000000000
+P=00000000000000000000000000000000
+IV=000000000000000000000000
+H=aae06992acbf52a3e8f4a96ec9300bd7
+Y0=00000000000000000000000000000001
+E(K,Y0)=cd33b28ac773f74ba00ed1f312572435
+Y1=00000000000000000000000000000002
+E(K,Y1)=98e7247c07f0fe411c267e4384b0f600
+X1=90e87315fb7d4e1b4092ec0cbfda5d7d
+len(A)||len(C)=00000000000000000000000000000080
+GHASH(H,A,C)=e2c63f0ac44ad0e02efa05ab6743d4ce
+C=98e7247c07f0fe411c267e4384b0f600
+T=2ff58d80033927ab8ef4d4587514f0fb
+
+
+test="Test Case 9"
+K=feffe9928665731c6d6a8f9467308308feffe9928665731c
+P=d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255
+IV=cafebabefacedbaddecaf888
+H=466923ec9ae682214f2c082badb39249
+Y0=cafebabefacedbaddecaf88800000001
+E(K,Y0)=c835aa88aebbc94f5a02e179fdcfc3e4
+Y1=cafebabefacedbaddecaf88800000002
+E(K,Y1)=e0b1f82ec484eea44e5ff30128df01cd
+Y2=cafebabefacedbaddecaf88800000003
+E(K,Y2)=0339b5b9b3db2e5e4cc9a38986906bee
+Y3=cafebabefacedbaddecaf88800000004
+E(K,Y3)=614b3195542ccc7683ae933c81ec8a62
+Y4=cafebabefacedbaddecaf88800000005
+E(K,Y4)=a988a97e85eec28e76b95c29b6023003
+X1=dddca3f91c17821ffac4a6d0fed176f7
+X2=a4e84ac60e2730f4a7e0e1eef708b198
+X3=e67592048dd7153973a0dbbb8804bee2
+X4=503e86628536625fb746ce3cecea433f
+len(A)||len(C)=00000000000000000000000000000200
+GHASH(H,A,C)=51110d40f6c8fff0eb1ae33445a889f0
+C=3980ca0b3c00e841eb06fac4872a2757859e1ceaa6efd984628593b40ca1e19c7d773d00c144c525ac619d18c84a3f4718e2448b2fe324d9ccda2710acade256
+T=9924a7c8587336bfb118024db8674a14
+
+test="Test Case 10"
+K=feffe9928665731c6d6a8f9467308308feffe9928665731c
+P=d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+A=feedfacedeadbeeffeedfacedeadbeefabaddad2
+IV=cafebabefacedbaddecaf888
+H=466923ec9ae682214f2c082badb39249
+Y0=cafebabefacedbaddecaf88800000001
+E(K,Y0)=c835aa88aebbc94f5a02e179fdcfc3e4
+X1=f3bf7ba3e305aeb05ed0d2e4fe076666
+X2=20a51fa2302e9c01b87c48f2c3d91a56
+Y1=cafebabefacedbaddecaf88800000002
+E(K,Y1)=e0b1f82ec484eea44e5ff30128df01cd
+Y2=cafebabefacedbaddecaf88800000003
+E(K,Y2)=0339b5b9b3db2e5e4cc9a38986906bee
+Y3=cafebabefacedbaddecaf88800000004
+E(K,Y3)=614b3195542ccc7683ae933c81ec8a62
+Y4=cafebabefacedbaddecaf88800000005
+E(K,Y4)=a988a97e85eec28e76b95c29b6023003
+X3=714f9700ddf520f20695f6180c6e669d
+X4=e858680b7b240d2ecf7e06bbad4524e2
+X5=3f4865abd6bb3fb9f5c4a816f0a9b778
+X6=4256f67fe87b4f49422ba11af857c973
+len(A)||len(C)=00000000000000a000000000000001e0
+GHASH(H,A,C)=ed2ce3062e4a8ec06db8b4c490e8a268
+C=3980ca0b3c00e841eb06fac4872a2757859e1ceaa6efd984628593b40ca1e19c7d773d00c144c525ac619d18c84a3f4718e2448b2fe324d9ccda2710
+T=2519498e80f1478f37ba55bd6d27618c
+
+test="Test Case 11"
+K=feffe9928665731c6d6a8f9467308308feffe9928665731c
+P=d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+A=feedfacedeadbeeffeedfacedeadbeefabaddad2
+IV=cafebabefacedbad
+H=466923ec9ae682214f2c082badb39249
+N1=9473c07b02544299cf007c42c5778218
+len({})||len(IV)=00000000000000000000000000000040
+Y0=a14378078d27258a6292737e1802ada5
+E(K,Y0)=7bb6d647c902427ce7cf26563a337371
+X1=f3bf7ba3e305aeb05ed0d2e4fe076666
+X2=20a51fa2302e9c01b87c48f2c3d91a56
+Y1=a14378078d27258a6292737e1802ada6
+E(K,Y1)=d621c7bc5690a7b1487dbaab8ac76b22
+Y2=a14378078d27258a6292737e1802ada7
+E(K,Y2)=43c1ca7de78f4495ad0b18324e61fa25
+Y3=a14378078d27258a6292737e1802ada8
+E(K,Y3)=e1e0254a0f2f1626e9aa4ff09d7c64ec
+Y4=a14378078d27258a6292737e1802ada9
+E(K,Y4)=5850f4502486a1681a9319ce7d0afa59
+X3=8bdedafd6ee8e529689de3a269b8240d
+X4=6607feb377b49c9ecdbc696344fe22d8
+X5=8a19570a06500ba9405fcece4a73fb48
+X6=8532826e63ce4a5b89b70fa28f8070fe
+len(A)||len(C)=00000000000000a000000000000001e0
+GHASH(H,A,C)=1e6a133806607858ee80eaf237064089
+C=0f10f599ae14a154ed24b36e25324db8c566632ef2bbb34f8347280fc4507057fddc29df9a471f75c66541d4d4dad1c9e93a19a58e8b473fa0f062f7
+T=65dcc57fcf623a24094fcca40d3533f8
+
+test="Test Case 12"
+K=feffe9928665731c6d6a8f9467308308feffe9928665731c
+P=d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+A=feedfacedeadbeeffeedfacedeadbeefabaddad2
+IV=9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b
+H=466923ec9ae682214f2c082badb39249
+N1=19aef0f04763b0c87903c5a217d5314f
+N2=62120253f79efc978625d1feb03b5b5b
+N3=b6ce2a84e366de900fa78a1653df77fb
+N4=374ecad90487f0bb261ba817447e022c
+len({})||len(IV)=000000000000000000000000000001e0
+Y0=4505cdc367a054c5002820e96aebef27
+E(K,Y0)=5ea3194f9dd012a3b9bc5103d6e0284d
+X1=f3bf7ba3e305aeb05ed0d2e4fe076666
+X2=20a51fa2302e9c01b87c48f2c3d91a56
+Y1=4505cdc367a054c5002820e96aebef28
+E(K,Y1)=0b4fba4de46722d9ed691f9f2029df65
+Y2=4505cdc367a054c5002820e96aebef29
+E(K,Y2)=9b4e088bf380b03540bb87a5a257e437
+Y3=4505cdc367a054c5002820e96aebef2a
+E(K,Y3)=9ddb9c873a5cd48acd3f397cd28f9896
+Y4=4505cdc367a054c5002820e96aebef2b
+E(K,Y4)=5716ee92eff7c4b053d44c0294ea88cd
+X3=f70d61693ea7f53f08c866d6eedb1e4b
+X4=dc40bc9a181b35aed66488071ef282ae
+X5=85ffa424b87b35cac7be9c450f0d7aee
+X6=65233cbe5251f7d246bfc967a8678647
+len(A)||len(C)=00000000000000a000000000000001e0
+GHASH(H,A,C)=82567fb0b4cc371801eadec005968e94
+C=d27e88681ce3243c4830165a8fdcf9ff1de9a1d8e6b447ef6ef7b79828666e4581e79012af34ddd9e2f037589b292db3e67c036745fa22e7e9b7373b
+T=dcf566ff291c25bbb8568fc3d376a6d9
+
+test="Test Case 13"
+K=0000000000000000000000000000000000000000000000000000000000000000
+P=
+IV=000000000000000000000000
+H=dc95c078a2408989ad48a21492842087
+Y0=00000000000000000000000000000001
+E(K,Y0)=530f8afbc74536b9a963b4f1c4cb738b
+len(A)||len(C)=00000000000000000000000000000000
+GHASH(H,A,C)=00000000000000000000000000000000
+C=
+T=530f8afbc74536b9a963b4f1c4cb738b
+
+
+test="Test Case 14"
+K=0000000000000000000000000000000000000000000000000000000000000000
+P=00000000000000000000000000000000
+IV=000000000000000000000000
+H=dc95c078a2408989ad48a21492842087
+Y0=00000000000000000000000000000001
+E(K,Y0)=530f8afbc74536b9a963b4f1c4cb738b
+Y1=00000000000000000000000000000002
+E(K,Y1)=cea7403d4d606b6e074ec5d3baf39d18
+X1=fd6ab7586e556dba06d69cfe6223b262
+len(A)||len(C)=00000000000000000000000000000080
+GHASH(H,A,C)=83de425c5edc5d498f382c441041ca92
+C=cea7403d4d606b6e074ec5d3baf39d18
+T=d0d1c8a799996bf0265b98b5d48ab919
+
+test="Test Case 15"
+K=feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308
+P=d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255
+IV=cafebabefacedbaddecaf888
+H=acbef20579b4b8ebce889bac8732dad7
+Y0=cafebabefacedbaddecaf88800000001
+E(K,Y0)=fd2caa16a5832e76aa132c1453eeda7e
+Y1=cafebabefacedbaddecaf88800000002
+E(K,Y1)=8b1cf3d561d27be251263e66857164e7
+Y2=cafebabefacedbaddecaf88800000003
+E(K,Y2)=e29d258faad137135bd49280af645bd8
+Y3=cafebabefacedbaddecaf88800000004
+E(K,Y3)=908c82ddcc65b26e887f85341f243d1d
+Y4=cafebabefacedbaddecaf88800000005
+E(K,Y4)=749cf39639b79c5d06aa8d5b932fc7f8
+X1=fcbefb78635d598eddaf982310670f35
+X2=29de812309d3116a6eff7ec844484f3e
+X3=45fad9deeda9ea561b8f199c3613845b
+X4=ed95f8e164bf3213febc740f0bd9c6af
+len(A)||len(C)=00000000000000000000000000000200
+GHASH(H,A,C)=4db870d37cb75fcb46097c36230d1612
+C=522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662898015ad
+T=b094dac5d93471bdec1a502270e3cc6c
+
+test="Test Case 16"
+K=feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308
+P=d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+A=feedfacedeadbeeffeedfacedeadbeefabaddad2
+IV=cafebabefacedbaddecaf888
+H=acbef20579b4b8ebce889bac8732dad7
+Y0=cafebabefacedbaddecaf88800000001
+E(K,Y0)=fd2caa16a5832e76aa132c1453eeda7e
+X1=5165d242c2592c0a6375e2622cf925d2
+X2=8efa30ce83298b85fe71abefc0cdd01d
+Y1=cafebabefacedbaddecaf88800000002
+E(K,Y1)=8b1cf3d561d27be251263e66857164e7
+Y2=cafebabefacedbaddecaf88800000003
+E(K,Y2)=e29d258faad137135bd49280af645bd8
+Y3=cafebabefacedbaddecaf88800000004
+E(K,Y3)=908c82ddcc65b26e887f85341f243d1d
+Y4=cafebabefacedbaddecaf88800000005
+E(K,Y4)=749cf39639b79c5d06aa8d5b932fc7f8
+X3=abe07e0bb62354177480b550f9f6cdcc
+X4=3978e4f141b95f3b4699756b1c3c2082
+X5=8abf3c48901debe76837d8a05c7d6e87
+X6=9249beaf520c48b912fa120bbf391dc8
+len(A)||len(C)=00000000000000a000000000000001e0
+GHASH(H,A,C)=8bd0c4d8aacd391e67cca447e8c38f65
+C=522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662
+T=76fc6ece0f4e1768cddf8853bb2d551b
+
+
+test="Test Case 17"
+K=feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308
+P=d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+A=feedfacedeadbeeffeedfacedeadbeefabaddad2
+IV=cafebabefacedbad
+H=acbef20579b4b8ebce889bac8732dad7
+N1=90c22e3d2aca34b971e8bd09708fae5c
+len({})||len(IV)=00000000000000000000000000000040
+Y0=0095df49dd90abe3e4d252475748f5d4
+E(K,Y0)=4f903f37fe611d454217fbfa5cd7d791
+X1=5165d242c2592c0a6375e2622cf925d2
+X2=8efa30ce83298b85fe71abefc0cdd01d
+Y1=0095df49dd90abe3e4d252475748f5d5
+E(K,Y1)=1a471fd432fc7bd70b1ec8fe5e6d6251
+Y2=0095df49dd90abe3e4d252475748f5d6
+E(K,Y2)=29bd481e1ea39d20eb63c7ea118b1792
+Y3=0095df49dd90abe3e4d252475748f5d7
+E(K,Y3)=e2898e46ac5cada3ba83cc1272618a5d
+Y4=0095df49dd90abe3e4d252475748f5d8
+E(K,Y4)=d3c6aefbcea602ce4e1fe026065447bf
+X3=55e1ff68f9249e64b95223858e5cb936
+X4=cef1c034383dc96f733aaa4c99bd3e61
+X5=68588d004fd468f5854515039b08165d
+X6=2378943c034697f72a80fce5059bf3f3
+len(A)||len(C)=00000000000000a000000000000001e0
+GHASH(H,A,C)=75a34288b8c68f811c52b2e9a2f97f63
+C=c3762df1ca787d32ae47c13bf19844cbaf1ae14d0b976afac52ff7d79bba9de0feb582d33934a4f0954cc2363bc73f7862ac430e64abe499f47c9b1f
+T=3a337dbf46a792c45e454913fe2ea8f2
+
+test="Test Case 18"
+K=feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308
+P=d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+A=feedfacedeadbeeffeedfacedeadbeefabaddad2
+IV=9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b
+H=acbef20579b4b8ebce889bac8732dad7
+N1=0bfe66e2032f195516379f5fb710f987
+N2=f0631554d11409915feec8f9f5102aba
+N3=749b90dda19a1557fd9e9fd31fed1d14
+N4=7a6a833f260d848793b327cb07d1b190
+len({})||len(IV)=000000000000000000000000000001e0
+Y0=0cd953e2140a5976079f8e2406bc8eb4
+E(K,Y0)=71b54d092bb0c3d9ba94538d4096e691
+X1=5165d242c2592c0a6375e2622cf925d2
+X2=8efa30ce83298b85fe71abefc0cdd01d
+Y1=0cd953e2140a5976079f8e2406bc8eb5
+E(K,Y1)=83bcdd0af41a551452047196ca6b0cba
+Y2=0cd953e2140a5976079f8e2406bc8eb6
+E(K,Y2)=68151b79baea93c38e149b72e545e186
+Y3=0cd953e2140a5976079f8e2406bc8eb7
+E(K,Y3)=13fccf22159a4d16026ce5d58c7e99fb
+Y4=0cd953e2140a5976079f8e2406bc8eb8
+E(K,Y4)=132b64628a031e79fecd050675a64f07
+X3=e963941cfa8c417bdaa3b3d94ab4e905
+X4=2178d7f836e5fa105ce0fdf0fc8f0654
+X5=bac14eeba3216f966b3e7e011475b832
+X6=cc9ae9175729a649936e890bd971a8bf
+len(A)||len(C)=00000000000000a000000000000001e0
+GHASH(H,A,C)=d5ffcf6fc5ac4d69722187421a7f170b
+C=5a8def2f0c9e53f1f75d7853659e2a20eeb2b22aafde6419a058ab4f6f746bf40fc0c3b780f244452da3ebf1c5d82cdea2418997200ef82e44ae7e3f
+T=a44a8266ee1c8eb0c8b5d4cf5ae9f19a
+
+
+
+
+
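Review bot: four vector lines in this hunk do not follow the `name=hex` shape used by every other line, so if bltest parses them rather than treating them as commentary they will be misread: in Test Case 2 the line `X1 5e2ec746917062882c85b0685353deb7` is missing its `=`; in Test Case 6 the line `7dc63b399f2d98d57ab073b6baa4138e` after `Y0=` carries no `E(K,Y0)=` label, unlike every other case; in Test Case 7 `T=cd33b28ac773f74ba00ed1f31257243` has 31 hex digits (not a whole number of bytes) and `K=` has 72 hex digits (36 bytes), which is not an AES key size, while Test Case 8, the other all-zero-key case, uses 48. Re-check those lines against the document the vectors were transcribed from, and drop the five empty `+` lines at the end of the file.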
--- a/security/nss/cmd/certcgi/ca_form.html
+++ b/security/nss/cmd/certcgi/ca_form.html
@@ -162,16 +162,17 @@
     <td>
     <input type="checkbox" name="extKeyUsage-serverAuth"> Server Auth</P>
     <input type="checkbox" name="extKeyUsage-clientAuth"> Client Auth</P>
     <input type="checkbox" name="extKeyUsage-codeSign"> Code Signing</P>
     <input type="checkbox" name="extKeyUsage-emailProtect"> Email Protection</P>
     <input type="checkbox" name="extKeyUsage-timeStamp"> Timestamp</P>
     <input type="checkbox" name="extKeyUsage-ocspResponder"> OCSP Responder</P>
     <input type="checkbox" name="extKeyUsage-NS-govtApproved"> Step-up</P>
+    <input type="checkbox" name="extKeyUsage-msTrustListSign"> Microsoft Trust List Signing</P>
     </tr>
     <tr>
     <td>
     <b>Basic Constraints:</b></p>
     Activate extension: <input type="checkbox" name="basicConstraints"></P>
     Critical: <input type="checkbox" name="basicConstraints-crit">
     <td>
     CA:</p>
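Review bot: style nit, the new `<input>` line ends with a `</P>` that has no opening `<P>`, exactly like the seven lines above it; keeping the existing markup style is fine for this change, but note that this list is duplicated verbatim in stnd_ext_form.html, and both copies plus the `find_field_bool` string in certcgi.c must stay in sync with the `extKeyUsage-msTrustListSign` field name.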
--- a/security/nss/cmd/certcgi/certcgi.c
+++ b/security/nss/cmd/certcgi/certcgi.c
@@ -814,16 +814,21 @@ AddExtKeyUsage(void *extHandle, Pair *da
     return SECFailure;
   }
 
   if( find_field_bool(data, "extKeyUsage-serverAuth", PR_TRUE) ) {
     rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_SERVER_AUTH);
     if( SECSuccess != rv ) goto loser;
   }
 
+  if( find_field_bool(data, "extKeyUsage-msTrustListSign", PR_TRUE) ) {
+    rv = AddOidToSequence(os, SEC_OID_MS_EXT_KEY_USAGE_CTL_SIGNING);
+    if( SECSuccess != rv ) goto loser;
+  }
+
   if( find_field_bool(data, "extKeyUsage-clientAuth", PR_TRUE) ) {
     rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH);
     if( SECSuccess != rv ) goto loser;
   }
 
   if( find_field_bool(data, "extKeyUsage-codeSign", PR_TRUE) ) {
     rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_CODE_SIGN);
     if( SECSuccess != rv ) goto loser;
--- a/security/nss/cmd/certcgi/stnd_ext_form.html
+++ b/security/nss/cmd/certcgi/stnd_ext_form.html
@@ -29,16 +29,17 @@
     <td>
     <input type="checkbox" name="extKeyUsage-serverAuth"> Server Auth</P>
     <input type="checkbox" name="extKeyUsage-clientAuth"> Client Auth</P>
     <input type="checkbox" name="extKeyUsage-codeSign"> Code Signing</P>
     <input type="checkbox" name="extKeyUsage-emailProtect"> Email Protection</P>
     <input type="checkbox" name="extKeyUsage-timeStamp"> Timestamp</P>
     <input type="checkbox" name="extKeyUsage-ocspResponder"> OCSP Responder</P>
     <input type="checkbox" name="extKeyUsage-NS-govtApproved"> Step-up</P>
+    <input type="checkbox" name="extKeyUsage-msTrustListSign"> Microsoft Trust List Signing</P>
     </tr>
     <tr>
     <td>
     <b>Basic Constraints:</b></p>
     Activate extension: <input type="checkbox" name="basicConstraints"></P>
     Critical: <input type="checkbox" name="basicConstraints-crit">
     <td>
     CA:</p>
--- a/security/nss/cmd/certutil/certext.c
+++ b/security/nss/cmd/certutil/certext.c
@@ -478,16 +478,17 @@ loser:
 static const char * const 
 extKeyUsageKeyWordArray[] = { "serverAuth",
                               "clientAuth",
                               "codeSigning",
                               "emailProtection",
                               "timeStamp",
                               "ocspResponder",
                               "stepUp",
+                              "msTrustListSigning",
                               NULL};
 
 static SECStatus 
 AddExtKeyUsage (void *extHandle, const char *userSuppliedValue)
 {
     char buffer[5];
     int value;
     CERTOidSequence *os;
@@ -506,16 +507,17 @@ AddExtKeyUsage (void *extHandle, const c
             if (PrintChoicesAndGetAnswer(
                     "\t\t0 - Server Auth\n"
                     "\t\t1 - Client Auth\n"
                     "\t\t2 - Code Signing\n"
                     "\t\t3 - Email Protection\n"
                     "\t\t4 - Timestamp\n"
                     "\t\t5 - OCSP Responder\n"
                     "\t\t6 - Step-up\n"
+                    "\t\t7 - Microsoft Trust List Signing\n"
                     "\t\tOther to finish\n",
                     buffer, sizeof(buffer)) == SECFailure) {
                 GEN_BREAK(SECFailure);
             }
             value = PORT_Atoi(buffer);
             
             if (value == 0) {
                 /* Checking that zero value of variable 'value'
@@ -549,16 +551,19 @@ AddExtKeyUsage (void *extHandle, const c
             rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_TIME_STAMP);
             break;
         case 5:
             rv = AddOidToSequence(os, SEC_OID_OCSP_RESPONDER);
             break;
         case 6:
             rv = AddOidToSequence(os, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED);
             break;
+        case 7:
+            rv = AddOidToSequence(os, SEC_OID_MS_EXT_KEY_USAGE_CTL_SIGNING);
+            break;
         default:
             goto endloop;
         }
 
         if (userSuppliedValue && !nextPos)
             break;
         if( SECSuccess != rv )
             goto loser;
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -42,97 +42,78 @@
 #define MAX_KEY_BITS		8192
 #define DEFAULT_KEY_BITS	1024
 
 #define GEN_BREAK(e) rv=e; break;
 
 char *progName;
 
 static CERTCertificateRequest *
-GetCertRequest(PRFileDesc *inFile, PRBool ascii)
+GetCertRequest(const SECItem *reqDER)
 {
     CERTCertificateRequest *certReq = NULL;
     CERTSignedData signedData;
     PRArenaPool *arena = NULL;
-    SECItem reqDER;
     SECStatus rv;
 
-    reqDER.data = NULL;
     do {
 	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
 	if (arena == NULL) {
 	    GEN_BREAK (SECFailure);
 	}
 	
- 	rv = SECU_ReadDERFromFile(&reqDER, inFile, ascii);
-	if (rv) {
-	    break;
-	}
         certReq = (CERTCertificateRequest*) PORT_ArenaZAlloc
 		  (arena, sizeof(CERTCertificateRequest));
         if (!certReq) { 
 	    GEN_BREAK(SECFailure);
 	}
 	certReq->arena = arena;
 
 	/* Since cert request is a signed data, must decode to get the inner
 	   data
 	 */
 	PORT_Memset(&signedData, 0, sizeof(signedData));
 	rv = SEC_ASN1DecodeItem(arena, &signedData, 
-		SEC_ASN1_GET(CERT_SignedDataTemplate), &reqDER);
+		SEC_ASN1_GET(CERT_SignedDataTemplate), reqDER);
 	if (rv) {
 	    break;
 	}
 	rv = SEC_ASN1DecodeItem(arena, certReq, 
 		SEC_ASN1_GET(CERT_CertificateRequestTemplate), &signedData.data);
 	if (rv) {
 	    break;
 	}
    	rv = CERT_VerifySignedDataWithPublicKeyInfo(&signedData, 
 		&certReq->subjectPublicKeyInfo, NULL /* wincx */);
    } while (0);
 
-   if (reqDER.data) {
-   	SECITEM_FreeItem(&reqDER, PR_FALSE);
-   }
-
    if (rv) {
    	SECU_PrintError(progName, "bad certificate request\n");
    	if (arena) {
    	    PORT_FreeArena(arena, PR_FALSE);
    	}
    	certReq = NULL;
    }
 
    return certReq;
 }
 
 static SECStatus
 AddCert(PK11SlotInfo *slot, CERTCertDBHandle *handle, char *name, char *trusts, 
-        PRFileDesc *inFile, PRBool ascii, PRBool emailcert, void *pwdata)
+        const SECItem *certDER, PRBool emailcert, void *pwdata)
 {
     CERTCertTrust *trust = NULL;
     CERTCertificate *cert = NULL;
-    SECItem certDER;
     SECStatus rv;
 
-    certDER.data = NULL;
     do {
-	/* Read in the entire file specified with the -i argument */
-	rv = SECU_ReadDERFromFile(&certDER, inFile, ascii);
-	if (rv != SECSuccess) {
-	    SECU_PrintError(progName, "unable to read input file");
-	    break;
-	}
-
 	/* Read in an ASCII cert and return a CERTCertificate */
-	cert = CERT_DecodeCertFromPackage((char *)certDER.data, certDER.len);
+	cert = CERT_DecodeCertFromPackage((char *)certDER->data, certDER->len);
 	if (!cert) {
-	    SECU_PrintError(progName, "could not obtain certificate from file"); 
+	    SECU_PrintError(progName, "could not decode certificate");
 	    GEN_BREAK(SECFailure);
 	}
 
 	/* Create a cert trust */
 	trust = (CERTCertTrust *)PORT_ZAlloc(sizeof(CERTCertTrust));
 	if (!trust) {
 	    SECU_PrintError(progName, "unable to allocate cert trust");
 	    GEN_BREAK(SECFailure);
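Review bot: the context comment `/* Read in an ASCII cert and return a CERTCertificate */` above the changed `CERT_DecodeCertFromPackage` call is now misleading: AddCert no longer reads anything, the caller hands in the already-loaded `certDER`, and the package need not be ASCII. Reword it to something like `/* Decode the certificate package supplied by the caller */`, and likewise the `could not decode certificate` message now matches the new behaviour, so that part is good.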
@@ -188,37 +169,35 @@ AddCert(PK11SlotInfo *slot, CERTCertDBHa
 	if ( emailcert ) {
 	    CERT_SaveSMimeProfile(cert, NULL, pwdata);
 	}
 
     } while (0);
 
     CERT_DestroyCertificate (cert);
     PORT_Free(trust);
-    PORT_Free(certDER.data);
 
     return rv;
 }
 
 static SECStatus
 CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType,
         SECOidTag hashAlgTag, CERTName *subject, char *phone, int ascii, 
 	const char *emailAddrs, const char *dnsNames,
         certutilExtnList extnList,
-        PRFileDesc *outFile)
+        /*out*/ SECItem *result)
 {
     CERTSubjectPublicKeyInfo *spki;
     CERTCertificateRequest *cr;
     SECItem *encoding;
     SECOidTag signAlgTag;
-    SECItem result;
     SECStatus rv;
     PRArenaPool *arena;
-    PRInt32 numBytes;
     void *extHandle;
+    SECItem signedReq = { siBuffer, NULL, 0 };
 
     /* Create info about public key */
     spki = SECKEY_CreateSubjectPublicKeyInfo(pubk);
     if (!spki) {
 	SECU_PrintError(progName, "unable to create subject public key");
 	return SECFailure;
     }
     
@@ -261,35 +240,34 @@ CertReq(SECKEYPrivateKey *privk, SECKEYP
 
     /* Sign the request */
     signAlgTag = SEC_GetSignatureAlgorithmOidTag(keyType, hashAlgTag);
     if (signAlgTag == SEC_OID_UNKNOWN) {
 	PORT_FreeArena (arena, PR_FALSE);
 	SECU_PrintError(progName, "unknown Key or Hash type");
 	return SECFailure;
     }
-    rv = SEC_DerSignData(arena, &result, encoding->data, encoding->len, 
-			 privk, signAlgTag);
+
+    rv = SEC_DerSignData(arena, &signedReq, encoding->data, encoding->len,
+			  privk, signAlgTag);
     if (rv) {
 	PORT_FreeArena (arena, PR_FALSE);
 	SECU_PrintError(progName, "signing of data failed");
 	return SECFailure;
     }
 
     /* Encode request in specified format */
     if (ascii) {
 	char *obuf;
-	char *name, *email, *org, *state, *country;
-	SECItem *it;
-	int total;
+	char *header, *name, *email, *org, *state, *country;
 
-	it = &result;
-
-	obuf = BTOA_ConvertItemToAscii(it);
-	total = PL_strlen(obuf);
+	obuf = BTOA_ConvertItemToAscii(&signedReq);
+	if (!obuf) {
+	    goto oom;
+	}
 
 	name = CERT_GetCommonName(subject);
 	if (!name) {
 	    name = PORT_Strdup("(not specified)");
 	}
 
 	if (!phone)
 	    phone = strdup("(not specified)");
@@ -305,50 +283,63 @@ CertReq(SECKEYPrivateKey *privk, SECKEYP
 	state = CERT_GetStateName(subject);
 	if (!state)
 	    state = PORT_Strdup("(not specified)");
 
 	country = CERT_GetCountryName(subject);
 	if (!country)
 	    country = PORT_Strdup("(not specified)");
 
-	PR_fprintf(outFile, 
-	           "\nCertificate request generated by Netscape certutil\n");
-	PR_fprintf(outFile, "Phone: %s\n\n", phone);
-	PR_fprintf(outFile, "Common Name: %s\n", name);
-	PR_fprintf(outFile, "Email: %s\n", email);
-	PR_fprintf(outFile, "Organization: %s\n", org);
-	PR_fprintf(outFile, "State: %s\n", state);
-	PR_fprintf(outFile, "Country: %s\n\n", country);
+	header = PR_smprintf(
+	    "\nCertificate request generated by Netscape certutil\n"
+	    "Phone: %s\n\n"
+	    "Common Name: %s\n"
+	    "Email: %s\n"
+	    "Organization: %s\n"
+	    "State: %s\n"
+	    "Country: %s\n\n"
+	    "%s\n",
+	    phone, name, email, org, state, country, NS_CERTREQ_HEADER);
 
 	PORT_Free(name);
 	PORT_Free(email);
 	PORT_Free(org);
 	PORT_Free(state);
 	PORT_Free(country);
 
-	PR_fprintf(outFile, "%s\n", NS_CERTREQ_HEADER);
-	numBytes = PR_Write(outFile, obuf, total);
-	PORT_Free(obuf);
-	if (numBytes != total) {
-	    PORT_FreeArena (arena, PR_FALSE);
-	    SECU_PrintError(progName, "write error");
-	    return SECFailure;
+	if (header) {
+	    char * trailer = PR_smprintf("\n%s\n", NS_CERTREQ_TRAILER);
+	    if (trailer) {
+		PRUint32 headerLen = PL_strlen(header);
+		PRUint32 obufLen = PL_strlen(obuf);
+		PRUint32 trailerLen = PL_strlen(trailer);
+		SECITEM_AllocItem(NULL, result,
+				  headerLen + obufLen + trailerLen);
+		if (result->data) {
+		    PORT_Memcpy(result->data, header, headerLen);
+		    PORT_Memcpy(result->data + headerLen, obuf, obufLen);
+		    PORT_Memcpy(result->data + headerLen + obufLen,
+				trailer, trailerLen);
+		}
+		PR_smprintf_free(trailer);
+	    }
+	    PR_smprintf_free(header);
 	}
-	PR_fprintf(outFile, "\n%s\n", NS_CERTREQ_TRAILER);
     } else {
-	numBytes = PR_Write(outFile, result.data, result.len);
-	if (numBytes != (int)result.len) {
-	    PORT_FreeArena (arena, PR_FALSE);
-	    SECU_PrintSystemError(progName, "write error");
-	    return SECFailure;
-	}
+	(void) SECITEM_CopyItem(NULL, result, &signedReq);
     }
+
+    if (!result->data) {
+oom:    SECU_PrintError(progName, "out of memory");
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	rv = SECFailure;
+    }
+
     PORT_FreeArena (arena, PR_FALSE);
-    return SECSuccess;
+    return rv;
 }
 
 static SECStatus 
 ChangeTrustAttributes(CERTCertDBHandle *handle, PK11SlotInfo *slot,
 			char *name, char *trusts, void *pwdata)
 {
     SECStatus rv;
     CERTCertificate *cert;
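Review bot: `obuf` is leaked on the ASCII path: the old `PORT_Free(obuf);` goes away with the PR_Write block, and nothing in the new code frees the `BTOA_ConvertItemToAscii` result after it has been copied into `result->data`; add `PORT_Free(obuf);` after the `if (header) { ... }` block (the `goto oom` path is fine since `obuf` is NULL there). Also, the final `if (!result->data)` check assumes the caller passed in a zeroed SECItem: when `PR_smprintf` fails for `header` or `trailer`, neither `SECITEM_AllocItem` nor `SECITEM_CopyItem` is reached and `result->data` is whatever it was on entry, so either set `result->data = NULL; result->len = 0;` at the top of CertReq or document that precondition next to the `/*out*/` annotation.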
@@ -481,18 +472,17 @@ listCerts(CERTCertDBHandle *handle, char
 	    } else if (raw) {
 		numBytes = PR_Write(outfile, data.data, data.len);
 		if (numBytes != (PRInt32) data.len) {
 		   SECU_PrintSystemError(progName, "error writing raw cert");
 		    rv = SECFailure;
 		}
 		rv = SECSuccess;
 	    } else {
-		rv = SEC_PrintCertificateAndTrust(the_cert, "Certificate",
-                                                  the_cert->trust);
+		rv = SEC_PrintCertificateAndTrust(the_cert, "Certificate", NULL);
 		if (rv != SECSuccess) {
 		    SECU_PrintError(progName, "problem printing certificate");
 		}
 
 	    }
 	    if (rv != SECSuccess) {
 		break;
 	    }
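Review bot: in the context lines of this hunk the raw branch sets `rv = SECFailure;` on a short write and then unconditionally `rv = SECSuccess;` on the very next line, so the write error is swallowed; the second copy of this branch in the next hunk has the two statements in the correct order (`rv = SECSuccess;` before the length check). Since this function is being touched anyway, move the `rv = SECSuccess;` above the `if (numBytes != (PRInt32) data.len)` here to match.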
@@ -520,18 +510,17 @@ listCerts(CERTCertDBHandle *handle, char
 	    } else if (raw) {
 		numBytes = PR_Write(outfile, data.data, data.len);
 		rv = SECSuccess;
 		if (numBytes != (PRInt32) data.len) {
 		    SECU_PrintSystemError(progName, "error writing raw cert");
 		    rv = SECFailure;
 		}
 	    } else {
-		rv = SEC_PrintCertificateAndTrust(the_cert, "Certificate",
-                                                  the_cert->trust);
+		rv = SEC_PrintCertificateAndTrust(the_cert, "Certificate", NULL);
 		if (rv != SECSuccess) {
 		    SECU_PrintError(progName, "problem printing certificate");
 		}
 	    }
 	    if (rv != SECSuccess) {
 		break;
 	    }
 	}
@@ -1138,17 +1127,17 @@ static void luC(enum usage_level ul, con
               "%-20s Create netscape cert type extension. Possible keywords:\n"
               "%-20s \"sslClient\", \"sslServer\", \"smime\", \"objectSigning\",\n"
               "%-20s \"sslCA\", \"smimeCA\", \"objectSigningCA\", \"critical\".\n",
         "   -5 | --nsCertType keyword,keyword,... ", "", "", "");
     FPS "%-20s \n"
               "%-20s Create extended key usage extension. Possible keywords:\n"
               "%-20s \"serverAuth\", \"clientAuth\",\"codeSigning\",\n"
               "%-20s \"emailProtection\", \"timeStamp\",\"ocspResponder\",\n"
-              "%-20s \"stepUp\", \"critical\"\n",
+              "%-20s \"stepUp\", \"msTrustListSign\", \"critical\"\n",
         "   -6 | --extKeyUsage keyword,keyword,...", "", "", "", "");
     FPS "%-20s Create an email subject alt name extension\n",
         "   -7 emailAddrs");
     FPS "%-20s Create an dns subject alt name extension\n",
         "   -8 dnsNames");
     FPS "%-20s The input certificate request is encoded in ASCII (RFC1113)\n",
         "   -a");
     FPS "\n");
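Review bot: the keyword advertised in the `-6` help text, `"msTrustListSign"`, does not match the entry `"msTrustListSigning"` added to `extKeyUsageKeyWordArray` in certext.c, so a user who follows the help text will get an unrecognized keyword. Pick one spelling (the array is what is matched against the command line) and use it in both places.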
@@ -1695,50 +1684,50 @@ MakeV1Cert(	CERTCertDBHandle *	handle,
     }
     if ( issuerCert ) {
 	CERT_DestroyCertificate (issuerCert);
     }
     
     return(cert);
 }
 
-static SECItem *
+static SECStatus
 SignCert(CERTCertDBHandle *handle, CERTCertificate *cert, PRBool selfsign, 
          SECOidTag hashAlgTag,
          SECKEYPrivateKey *privKey, char *issuerNickName, void *pwarg)
 {
     SECItem der;
-    SECItem *result = NULL;
     SECKEYPrivateKey *caPrivateKey = NULL;    
     SECStatus rv;
     PRArenaPool *arena;
     SECOidTag algID;
     void *dummy;
 
     if( !selfsign ) {
       CERTCertificate *issuer = PK11_FindCertFromNickname(issuerNickName, pwarg);
       if( (CERTCertificate *)NULL == issuer ) {
         SECU_PrintError(progName, "unable to find issuer with nickname %s", 
 	                issuerNickName);
-        return (SECItem *)NULL;
+        return SECFailure;
       }
 
       privKey = caPrivateKey = PK11_FindKeyByAnyCert(issuer, pwarg);
       CERT_DestroyCertificate(issuer);
       if (caPrivateKey == NULL) {
 	SECU_PrintError(progName, "unable to retrieve key %s", issuerNickName);
-	return NULL;
+	return SECFailure;
       }
     }
 	
     arena = cert->arena;
 
     algID = SEC_GetSignatureAlgorithmOidTag(privKey->keyType, hashAlgTag);
     if (algID == SEC_OID_UNKNOWN) {
 	fprintf(stderr, "Unknown key or hash type for issuer.");
+	rv = SECFailure;
 	goto done;
     }
 
     rv = SECOID_SetAlgorithmID(arena, &cert->signature, algID, 0);
     if (rv != SECSuccess) {
 	fprintf(stderr, "Could not set signature algorithm id.");
 	goto done;
     }
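Review bot: the `rv = SECFailure;` added before `goto done` in the SEC_OID_UNKNOWN path closes a real gap: with the new SECStatus return, `done:` returns `rv`, which would otherwise be uninitialized on that path. The two messages at this spot ("Unknown key or hash type for issuer." and "Could not set signature algorithm id.") lack the trailing `\n` that the other stderr messages in SignCert carry; worth adding while the function is being reworked.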
@@ -1748,72 +1737,62 @@ SignCert(CERTCertDBHandle *handle, CERTC
     cert->version.len = 1;
 
     der.len = 0;
     der.data = NULL;
     dummy = SEC_ASN1EncodeItem (arena, &der, cert,
 			 	SEC_ASN1_GET(CERT_CertificateTemplate));
     if (!dummy) {
 	fprintf (stderr, "Could not encode certificate.\n");
+	rv = SECFailure;
 	goto done;
     }
 
-    result = (SECItem *) PORT_ArenaZAlloc (arena, sizeof (SECItem));
-    if (result == NULL) {
-	fprintf (stderr, "Could not allocate item for certificate data.\n");
-	goto done;
-    }
-
-    rv = SEC_DerSignData(arena, result, der.data, der.len, privKey, algID);
+    rv = SEC_DerSignData(arena, &cert->derCert, der.data, der.len, privKey, algID);
     if (rv != SECSuccess) {
 	fprintf (stderr, "Could not sign encoded certificate data.\n");
 	/* result allocated out of the arena, it will be freed
 	 * when the arena is freed */
-	result = NULL;
 	goto done;
     }
-    cert->derCert = *result;
 done:
     if (caPrivateKey) {
 	SECKEY_DestroyPrivateKey(caPrivateKey);
     }
-    return result;
+    return rv;
 }
 
 static SECStatus
 CreateCert(
 	CERTCertDBHandle *handle, 
 	PK11SlotInfo *slot,
 	char *  issuerNickName, 
-	PRFileDesc *inFile,
-	PRFileDesc *outFile, 
+	const SECItem * certReqDER,
 	SECKEYPrivateKey **selfsignprivkey,
 	void 	*pwarg,
 	SECOidTag hashAlgTag,
 	unsigned int serialNumber, 
 	int     warpmonths,
 	int     validityMonths,
 	const char *emailAddrs,
 	const char *dnsNames,
-	PRBool  ascii,
+	PRBool ascii,
 	PRBool  selfsign,
-	certutilExtnList extnList)
+	certutilExtnList extnList,
+	SECItem * certDER)
 {
     void *	extHandle;
-    SECItem *	certDER;
     CERTCertificate *subjectCert 	= NULL;
     CERTCertificateRequest *certReq	= NULL;
     SECStatus 	rv 			= SECSuccess;
-    SECItem 	reqDER;
     CERTCertExtension **CRexts;
 
-    reqDER.data = NULL;
     do {
 	/* Create a certrequest object from the input cert request der */
-	certReq = GetCertRequest(inFile, ascii);
+	certReq = GetCertRequest(certReqDER);
 	if (certReq == NULL) {
 	    GEN_BREAK (SECFailure)
 	}
 
 	subjectCert = MakeV1Cert (handle, certReq, issuerNickName, selfsign,
 				  serialNumber, warpmonths, validityMonths);
 	if (subjectCert == NULL) {
 	    GEN_BREAK (SECFailure)
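Review bot: the comment `/* result allocated out of the arena, it will be freed when the arena is freed */` is now stale: `result` is gone and SEC_DerSignData writes straight into `cert->derCert`, which lives in the same arena. Either reword it to name `cert->derCert` or drop it together with the removed `result = NULL;` line, so the next reader does not look for a variable that no longer exists.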
@@ -1851,29 +1830,43 @@ CreateCert(
 	    *selfsignprivkey = PK11_FindKeyByDERCert(slot, subjectCert, pwarg);
 	    if (!*selfsignprivkey) {
 		fprintf(stderr, "Failed to locate private key.\n");
 		rv = SECFailure;
 		break;
 	    }
 	}
 
-	certDER = SignCert(handle, subjectCert, selfsign, hashAlgTag,
-	                   *selfsignprivkey, issuerNickName,pwarg);
+	rv = SignCert(handle, subjectCert, selfsign, hashAlgTag,
+		      *selfsignprivkey, issuerNickName, pwarg);
+	if (rv != SECSuccess)
+	    break;
 
-	if (certDER) {
-	   if (ascii) {
-		PR_fprintf(outFile, "%s\n%s\n%s\n", NS_CERT_HEADER, 
-		           BTOA_DataToAscii(certDER->data, certDER->len), 
-			   NS_CERT_TRAILER);
-	   } else {
-		PR_Write(outFile, certDER->data, certDER->len);
-	   }
+	rv = SECFailure;
+	if (ascii) {
+	    char * asciiDER = BTOA_DataToAscii(subjectCert->derCert.data,
+					       subjectCert->derCert.len);
+	    if (asciiDER) {
+	        char * wrapped = PR_smprintf("%s\n%s\n%s\n",
+					     NS_CERT_HEADER,
+					     asciiDER,
+					     NS_CERT_TRAILER);
+	        if (wrapped) {
+		    PRUint32 wrappedLen = PL_strlen(wrapped);
+		    if (SECITEM_AllocItem(NULL, certDER, wrappedLen)) {
+		        PORT_Memcpy(certDER->data, wrapped, wrappedLen);
+		        rv = SECSuccess;
+		    }
+		    PR_smprintf_free(wrapped);
+	        }
+		PORT_Free(asciiDER);
+	    }
+	} else {
+	    rv = SECITEM_CopyItem(NULL, certDER, &subjectCert->derCert);
 	}
-
     } while (0);
     CERT_DestroyCertificateRequest (certReq);
     CERT_DestroyCertificate (subjectCert);
     if (rv != SECSuccess) {
 	PRErrorCode  perr = PR_GetError();
         fprintf(stderr, "%s: unable to create cert (%s)\n", progName,
                SECU_Strerror(perr));
     }
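Review bot: in the ASCII branch the failure paths where BTOA_DataToAscii, PR_smprintf or SECITEM_AllocItem return NULL leave `rv = SECFailure` without calling PORT_SetError, so the `unable to create cert (%s)` message after the loop reports whatever error code happened to be set last, possibly none. Suggest `PORT_SetError(SEC_ERROR_NO_MEMORY);` before the `rv = SECFailure;` that opens the block, or on each NULL path, so the diagnostic matches the cause.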
@@ -2174,19 +2167,19 @@ static certutilExtnList certutil_extns;
 
 static int 
 certutil_main(int argc, char **argv, PRBool initialize)
 {
     CERTCertDBHandle *certHandle;
     PK11SlotInfo *slot = NULL;
     CERTName *  subject         = 0;
     PRFileDesc *inFile          = PR_STDIN;
-    PRFileDesc *outFile         = NULL;
-    char *      certfile        = "tempcert";
-    char *      certreqfile     = "tempcertreq";
+    PRFileDesc *outFile         = PR_STDOUT;
+    SECItem     certReqDER      = { siBuffer, NULL, 0 };
+    SECItem     certDER         = { siBuffer, NULL, 0 };
     char *      slotname        = "internal";
     char *      certPrefix      = "";
     char *      sourceDir       = "";
     char *      srcCertPrefix   = "";
     char *      upgradeID        = "";
     char *      upgradeTokenName     = "";
     KeyType     keytype         = rsaKey;
     char *      name            = NULL;
@@ -2568,43 +2561,30 @@ certutil_main(int argc, char **argv, PRB
     /*  Using keytype == nullKey for list all key types, but only that.  */
     if (!certutil.commands[cmd_ListKeys].activated && keytype == nullKey) {
 	PR_fprintf(PR_STDERR,
 	           "%s -%c: cannot use \"-k all\" for this command.\n",
 	           progName, commandToRun);
 	return 255;
     }
 
-    /*  -S  open outFile, temporary file for cert request.  */
-    if (certutil.commands[cmd_CreateAndAddCert].activated) {
-	outFile = PR_Open(certreqfile,
-                          PR_RDWR | PR_CREATE_FILE | PR_TRUNCATE, 00660);
-	if (!outFile) {
-	    PR_fprintf(PR_STDERR, 
-		       "%s -o: unable to open \"%s\" for writing (%ld, %ld)\n",
-		       progName, certreqfile,
-		       PR_GetError(), PR_GetOSError());
-	    return 255;
-	}
-    }
-
     /*  Open the input file.  */
     if (certutil.options[opt_InputFile].activated) {
 	inFile = PR_Open(certutil.options[opt_InputFile].arg, PR_RDONLY, 0);
 	if (!inFile) {
 	    PR_fprintf(PR_STDERR,
 	               "%s:  unable to open \"%s\" for reading (%ld, %ld).\n",
 	               progName, certutil.options[opt_InputFile].arg,
 	               PR_GetError(), PR_GetOSError());
 	    return 255;
 	}
     }
 
     /*  Open the output file.  */
-    if (certutil.options[opt_OutputFile].activated && !outFile) {
+    if (certutil.options[opt_OutputFile].activated) {
 	outFile = PR_Open(certutil.options[opt_OutputFile].arg, 
                           PR_CREATE_FILE | PR_RDWR | PR_TRUNCATE, 00660);
 	if (!outFile) {
 	    PR_fprintf(PR_STDERR,
 	               "%s:  unable to open \"%s\" for writing (%ld, %ld).\n",
 	               progName, certutil.options[opt_OutputFile].arg,
 	               PR_GetError(), PR_GetOSError());
 	    return 255;
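Review bot: removing the `tempcert` / `tempcertreq` handling is a real improvement: -S used to write the request and the freshly signed certificate to fixed, predictable filenames in the current directory (mode 00660) and read them back, which invites tampering in a shared directory and left residue behind on error. One side effect to confirm: with `outFile` now defaulting to PR_STDOUT and the `!outFile` guard dropped, the `-o` file is opened with PR_TRUNCATE for every command, including ones such as -S that write nothing to it, so an existing file named with -o is truncated even when no output follows.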
@@ -2644,19 +2624,16 @@ certutil_main(int argc, char **argv, PRB
 	printf("Certificate database content version: command not implemented.\n");
     }
 
     if (PL_strcmp(slotname, "internal") == 0)
 	slot = PK11_GetInternalKeySlot();
     else if (slotname != NULL)
 	slot = PK11_FindSlotByName(slotname);
 
-    
-
-   
     if ( !slot && (certutil.commands[cmd_NewDBs].activated ||
          certutil.commands[cmd_ModifyCertTrust].activated  || 
          certutil.commands[cmd_ChangePassword].activated   ||
          certutil.commands[cmd_TokenReset].activated       ||
          certutil.commands[cmd_CreateAndAddCert].activated ||
          certutil.commands[cmd_AddCert].activated          ||
          certutil.commands[cmd_Merge].activated          ||
          certutil.commands[cmd_UpgradeMerge].activated          ||
@@ -2801,17 +2778,17 @@ merge_fail:
 
     /* The following 8 options are mutually exclusive with all others. */
 
     /*  List certs (-L)  */
     if (certutil.commands[cmd_ListCerts].activated) {
 	rv = ListCerts(certHandle, name, email, slot,
 	               certutil.options[opt_BinaryDER].activated,
 	               certutil.options[opt_ASCIIForIO].activated, 
-                       (outFile) ? outFile : PR_STDOUT, &pwdata);
+		       outFile, &pwdata);
 	goto shutdown;
     }
     if (certutil.commands[cmd_DumpChain].activated) {
 	rv = DumpChain(certHandle, name,
                        certutil.options[opt_ASCIIForIO].activated);
 	goto shutdown;
     }
     /*  XXX needs work  */
@@ -3001,125 +2978,110 @@ merge_fail:
 				certutil.options[opt_AddCertPoliciesExt].activated;
         certutil_extns[ext_policyMappings].activated =
 				certutil.options[opt_AddPolicyMapExt].activated;
         certutil_extns[ext_policyConstr].activated =
 				certutil.options[opt_AddPolicyConstrExt].activated;
         certutil_extns[ext_inhibitAnyPolicy].activated =
 				certutil.options[opt_AddInhibAnyExt].activated;
     }
+
+    /* -A -C or -E    Read inFile */
+    if (certutil.commands[cmd_CreateNewCert].activated ||
+	certutil.commands[cmd_AddCert].activated ||
+	certutil.commands[cmd_AddEmailCert].activated) {
+	PRBool isCreate = certutil.commands[cmd_CreateNewCert].activated;
+	rv = SECU_ReadDERFromFile(isCreate ? &certReqDER : &certDER, inFile,
+				  certutil.options[opt_ASCIIForIO].activated);
+	if (rv)
+	    goto shutdown;
+    }
+
     /*
      *  Certificate request
      */
 
     /*  Make a cert request (-R).  */
     if (certutil.commands[cmd_CertReq].activated) {
 	rv = CertReq(privkey, pubkey, keytype, hashAlgTag, subject,
 	             certutil.options[opt_PhoneNumber].arg,
 	             certutil.options[opt_ASCIIForIO].activated,
 		     certutil.options[opt_ExtendedEmailAddrs].arg,
 		     certutil.options[opt_ExtendedDNSNames].arg,
                      certutil_extns,
-                     outFile ? outFile : PR_STDOUT);
-	if (rv) 
+                     &certReqDER);
+	if (rv)
 	    goto shutdown;
 	privkey->wincx = &pwdata;
     }
 
     /*
      *  Certificate creation
      */
 
     /*  If making and adding a cert, create a cert request file first without
      *  any extensions, then load it with the command line extensions
      *  and output the cert to another file.
      */
     if (certutil.commands[cmd_CreateAndAddCert].activated) {
 	static certutilExtnList nullextnlist = {{PR_FALSE, NULL}};
 	rv = CertReq(privkey, pubkey, keytype, hashAlgTag, subject,
 	             certutil.options[opt_PhoneNumber].arg,
-	             certutil.options[opt_ASCIIForIO].activated,
+		     PR_FALSE, /* do not BASE64-encode regardless of -a option */
 		     NULL,
 		     NULL,
                      nullextnlist,
-                     outFile ? outFile : PR_STDOUT);
+		     &certReqDER);
 	if (rv) 
 	    goto shutdown;
 	privkey->wincx = &pwdata;
-	PR_Close(outFile);
-	outFile = NULL;
-	inFile  = PR_Open(certreqfile, PR_RDONLY, 0);
-	if (!inFile) {
-	    PR_fprintf(PR_STDERR, "Failed to open file \"%s\" (%ld, %ld).\n",
-                       certreqfile, PR_GetError(), PR_GetOSError());
-	    rv = SECFailure;
-	    goto shutdown;
-	}
-	outFile = PR_Open(certfile,
-                          PR_RDWR | PR_CREATE_FILE | PR_TRUNCATE, 00660);
-	if (!outFile) {
-	    PR_fprintf(PR_STDERR, "Failed to open file \"%s\" (%ld, %ld).\n",
-                       certfile, PR_GetError(), PR_GetOSError());
-	    rv = SECFailure;
-	    goto shutdown;
-	}
     }
 
     /*  Create a certificate (-C or -S).  */
     if (certutil.commands[cmd_CreateAndAddCert].activated ||
          certutil.commands[cmd_CreateNewCert].activated) {
 	rv = CreateCert(certHandle, slot,
 	                certutil.options[opt_IssuerName].arg,
-	                inFile, outFile, &privkey, &pwdata, hashAlgTag,
+			&certReqDER, &privkey, &pwdata, hashAlgTag,
 	                serialNumber, warpmonths, validityMonths,
 		        certutil.options[opt_ExtendedEmailAddrs].arg,
 		        certutil.options[opt_ExtendedDNSNames].arg,
-	                certutil.options[opt_ASCIIForIO].activated,
+		        certutil.options[opt_ASCIIForIO].activated &&
+			    certutil.commands[cmd_CreateNewCert].activated,
 	                certutil.options[opt_SelfSign].activated,
-	                certutil_extns);
+	                certutil_extns,
+			&certDER);
 	if (rv) 
 	    goto shutdown;
     }
 
     /* 
      * Adding a cert to the database (or slot)
      */
- 
-    if (certutil.commands[cmd_CreateAndAddCert].activated) { 
-	PORT_Assert(inFile != PR_STDIN);
-	PR_Close(inFile);
-	PR_Close(outFile);
-	outFile = NULL;
-	inFile = PR_Open(certfile, PR_RDONLY, 0);
-	if (!inFile) {
-	    PR_fprintf(PR_STDERR, "Failed to open file \"%s\" (%ld, %ld).\n",
-                       certfile, PR_GetError(), PR_GetOSError());
-	    rv = SECFailure;
-	    goto shutdown;
-	}
-    }
 
     /* -A -E or -S    Add the cert to the DB */
     if (certutil.commands[cmd_CreateAndAddCert].activated ||
          certutil.commands[cmd_AddCert].activated ||
 	 certutil.commands[cmd_AddEmailCert].activated) {
 	rv = AddCert(slot, certHandle, name, 
 	             certutil.options[opt_Trust].arg,
-	             inFile, 
-	             certutil.options[opt_ASCIIForIO].activated,
+	             &certDER,
 	             certutil.commands[cmd_AddEmailCert].activated,&pwdata);
 	if (rv) 
 	    goto shutdown;
     }
 
-    if (certutil.commands[cmd_CreateAndAddCert].activated) {
-	PORT_Assert(inFile != PR_STDIN);
-	PR_Close(inFile);
-	PR_Delete(certfile);
-	PR_Delete(certreqfile);
+    if (certutil.commands[cmd_CertReq].activated ||
+	certutil.commands[cmd_CreateNewCert].activated) {
+	SECItem * item = certutil.commands[cmd_CertReq].activated ? &certReqDER
+								  : &certDER;
+	PRInt32 written = PR_Write(outFile, item->data, item->len);
+	if (written < 0 || (PRUint32) written != item->len) {
+	    rv = SECFailure;
+	}
     }
 
 shutdown:
     if (slot) {
 	PK11_FreeSlot(slot);
     }
     if (privkey) {
 	SECKEY_DestroyPrivateKey(privkey);
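Review bot: the new write-out block for -R and -C (`PRInt32 written = PR_Write(outFile, item->data, item->len);`) sets `rv = SECFailure` on a failed or short write but prints nothing, unlike every other failure path in certutil_main, so the user gets a non-zero exit with no explanation. Suggest a `PR_fprintf(PR_STDERR, ...)` carrying PR_GetError() and PR_GetOSError(), in the style of the open-failure messages above. The `if (rv) goto shutdown;` after SECU_ReadDERFromFile follows the file's existing idiom (SECFailure is non-zero), so that part is fine.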
@@ -3128,19 +3090,24 @@ shutdown:
 	SECKEY_DestroyPublicKey(pubkey);
     }
     if (subject) {
 	CERT_DestroyName(subject);
     }
     if (name) {
 	PL_strfree(name);
     }
-    if (outFile) {
+    if (inFile && inFile != PR_STDIN) {
+	PR_Close(inFile);
+    }
+    if (outFile && outFile != PR_STDOUT) {
 	PR_Close(outFile);
     }
+    SECITEM_FreeItem(&certReqDER, PR_FALSE);
+    SECITEM_FreeItem(&certDER, PR_FALSE);
     if (pwdata.data && pwdata.source == PW_PLAINTEXT) {
 	/* Allocated by a PL_strdup call in SECU_GetModulePassword. */
 	PL_strfree(pwdata.data);
     }
 
     /* Open the batch command file.
      *
      * - If -B <command line> option is specified, the contents in the
--- a/security/nss/cmd/lib/basicutil.c
+++ b/security/nss/cmd/lib/basicutil.c
@@ -32,17 +32,17 @@ static PRBool wrapEnabled = PR_TRUE;
 
 void
 SECU_EnableWrap(PRBool enable)
 {
     wrapEnabled = enable;
 }
 
 PRBool
-SECU_GetWrapEnabled()
+SECU_GetWrapEnabled(void)
 {
     return wrapEnabled;
 }
 
 void 
 SECU_PrintErrMsg(FILE *out, int level, char *progName, char *msg, ...)
 {
     va_list args;
--- a/security/nss/cmd/lib/moreoids.c
+++ b/security/nss/cmd/lib/moreoids.c
@@ -122,16 +122,27 @@ static const SECOidData oids[] = {
     ODN( vcp2,		"Verisign Class 2 Certificate Policy"),
     ODN( vcp3,		"Verisign Class 3 Certificate Policy"),
     ODN( vcp4,		"Verisign Class 4 Certificate Policy"),
 
 };
 
 static const unsigned int numOids = (sizeof oids) / (sizeof oids[0]);
 
+/* Fetch and register an oid if it hasn't been done already */
+void
+SECU_cert_fetchOID(SECOidTag *data, const SECOidData *src)
+{
+    if (*data == SEC_OID_UNKNOWN) {
+        /* AddEntry does the right thing if someone else has already
+         * added the oid. (that is return that oid tag) */
+        *data = SECOID_AddEntry(src);
+    }
+}
+
 SECStatus
 SECU_RegisterDynamicOids(void)
 {
     unsigned int i;
     SECStatus rv = SECSuccess;
 
     for (i = 0; i < numOids; ++i) {
 	SECOidTag tag = SECOID_AddEntry(&oids[i]);
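Review bot: SECU_cert_fetchOID returns void and leaves `*data` equal to SEC_OID_UNKNOWN when SECOID_AddEntry fails (SECOID_AddEntry returns SEC_OID_UNKNOWN on error), so a caller cannot distinguish a failed registration from a tag that was never fetched. Either return the resulting SECOidTag (or a SECStatus), or extend the comment here and in secutil.h to say callers must check for SEC_OID_UNKNOWN afterwards before using the tag.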
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -1081,17 +1081,17 @@ SECU_PrintObjectID(FILE *out, SECItem *o
 typedef struct secuPBEParamsStr {
     SECItem salt;
     SECItem iterationCount;
     SECItem keyLength;
     SECAlgorithmID cipherAlg;
     SECAlgorithmID kdfAlg;
 } secuPBEParams;
 
-SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate);
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
 
 /* SECOID_PKCS5_PBKDF2 */
 const SEC_ASN1Template secuKDF2Params[] =
 {
     { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
     { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
     { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
     { SEC_ASN1_INTEGER, offsetof(secuPBEParams, keyLength) },
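Review bot: dropping the semicolon after `SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)` is correct; the macro already expands to a complete declaration, and the trailing `;` was an empty declaration at file scope that pedantic compilers warn about.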
@@ -2138,17 +2138,17 @@ printflags(char *trusts, unsigned int fl
 	PORT_Strcat(trusts, "G");
     return;
 }
 
 /* callback for listing certs through pkcs11 */
 SECStatus
 SECU_PrintCertNickname(CERTCertListNode *node, void *data)
 {
-    CERTCertTrust *trust;
+    CERTCertTrust trust;
     CERTCertificate* cert;
     FILE *out;
     char trusts[30];
     char *name;
 
     cert = node->cert;
 
     PORT_Memset (trusts, 0, sizeof (trusts));
@@ -2160,23 +2160,22 @@ SECU_PrintCertNickname(CERTCertListNode 
     }
     if (!name || !name[0]) {
         name = cert->emailAddr;
     }
     if (!name || !name[0]) {
         name = "(NULL)";
     }
 
-    trust = cert->trust;
-    if (trust) {
-        printflags(trusts, trust->sslFlags);
+    if (CERT_GetCertTrust(cert, &trust) == SECSuccess) {
+        printflags(trusts, trust.sslFlags);
         PORT_Strcat(trusts, ",");
-        printflags(trusts, trust->emailFlags);
+        printflags(trusts, trust.emailFlags);
         PORT_Strcat(trusts, ",");
-        printflags(trusts, trust->objectSigningFlags);
+        printflags(trusts, trust.objectSigningFlags);
     } else {
         PORT_Memcpy(trusts,",,",3);
     }
     fprintf(out, "%-60s %-5s\n", name, trusts);
 
     return (SECSuccess);
 }
 
@@ -3063,30 +3062,31 @@ int SECU_PrintSignedContent(FILE *out, S
 
 SECStatus
 SEC_PrintCertificateAndTrust(CERTCertificate *cert,
                              const char *label,
                              CERTCertTrust *trust)
 {
     SECStatus rv;
     SECItem data;
+    CERTCertTrust certTrust;
     
     data.data = cert->derCert.data;
     data.len = cert->derCert.len;
 
     rv = SECU_PrintSignedData(stdout, &data, label, 0,
 			      SECU_PrintCertificate);
     if (rv) {
 	return(SECFailure);
     }
     if (trust) {
 	SECU_PrintTrustFlags(stdout, trust,
 	                     "Certificate Trust Flags", 1);
-    } else if (cert->trust) {
-	SECU_PrintTrustFlags(stdout, cert->trust,
+    } else if (CERT_GetCertTrust(cert, &certTrust) == SECSuccess) {
+	SECU_PrintTrustFlags(stdout, &certTrust,
 	                     "Certificate Trust Flags", 1);
     }
 
     printf("\n");
 
     return(SECSuccess);
 }
 
@@ -3458,16 +3458,17 @@ SECU_FindCRLAuthKeyIDExten (PRArenaPool 
  * Find the issuer of a Crl.  Use the authorityKeyID if it exists.
  */
 CERTCertificate *
 SECU_FindCrlIssuer(CERTCertDBHandle *dbhandle, SECItem* subject,
                    CERTAuthKeyID* authorityKeyID, PRTime validTime)
 {
     CERTCertificate *issuerCert = NULL;
     CERTCertList *certList = NULL;
+    CERTCertTrust trust;
 
     if (!subject) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return NULL;
     }
 
     certList =
         CERT_CreateSubjectCertList(NULL, dbhandle, subject,
@@ -3476,17 +3477,17 @@ SECU_FindCrlIssuer(CERTCertDBHandle *dbh
         CERTCertListNode *node = CERT_LIST_HEAD(certList);
     
         /* XXX and authoritykeyid in the future */
         while ( ! CERT_LIST_END(node, certList) ) {
             CERTCertificate *cert = node->cert;
             /* check cert CERTCertTrust data is allocated, check cert
                usage extension, check that cert has pkey in db. Select
                the first (newest) user cert */
-            if (cert->trust &&
+            if (CERT_GetCertTrust(cert, &trust) == SECSuccess &&
                 CERT_CheckCertUsage(cert, KU_CRL_SIGN) == SECSuccess &&
                 CERT_IsUserCert(cert)) {
                 
                 issuerCert = CERT_DupCertificate(cert);
                 break;
             }
             node = CERT_LIST_NEXT(node);   
         }
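Review bot: `trust` is filled by CERT_GetCertTrust but never read, and the comment above (`check cert CERTCertTrust data is allocated`) still describes the old `cert->trust` pointer test. Update the comment to say the cert must have trust settings recorded in the database, and consider whether the intent was to check the CRL-signing trust flags themselves rather than merely their presence, since the old test also only checked presence.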
@@ -3609,18 +3610,18 @@ SECU_ParseSSLVersionRangeString(const ch
         /* special value, use default */
         *enableSSL2 = defaultEnableSSL2;
         *vrange = defaultVersionRange;
         return SECSuccess;
     }
 
     colonPos = strchr(input, ':');
     if (!colonPos) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
     }
 
     colonIndex = colonPos - input;
     maxStr = colonPos + 1;
 
     if (!colonIndex) {
         /* colon was first character, min version is empty */
         *enableSSL2 = defaultEnableSSL2;
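Review bot: good catch: `PORT_SetError(SEC_ERROR_INVALID_ARGS)` placed after `return SECFailure` was unreachable, so callers hitting a missing `:` got SECFailure with a stale error code. Swapping the two lines fixes it; an unreachable-code warning would have flagged this, so enabling one for the cmd tools may be worthwhile.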
--- a/security/nss/cmd/lib/secutil.h
+++ b/security/nss/cmd/lib/secutil.h
@@ -131,17 +131,17 @@ extern char *SECU_ConfigDirectory(const 
 ** Basic callback function for SSL_GetClientAuthDataHook
 */
 extern int
 SECU_GetClientAuthData(void *arg, PRFileDesc *fd,
 		       struct CERTDistNamesStr *caNames,
 		       struct CERTCertificateStr **pRetCert,
 		       struct SECKEYPrivateKeyStr **pRetKey);
 
-extern PRBool SECU_GetWrapEnabled();
+extern PRBool SECU_GetWrapEnabled(void);
 extern void SECU_EnableWrap(PRBool enable);
 
 /* revalidate the cert and print information about cert verification
  * failure at time == now */
 extern void
 SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle, 
 	CERTCertificate *cert, PRBool checksig, 
 	SECCertificateUsage certUsage, void *pinArg, PRBool verbose);
@@ -288,16 +288,19 @@ extern SECKEYLowPublicKey *SECU_ConvHigh
 #endif
 
 extern char *SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg);
 
 extern SECStatus DER_PrettyPrint(FILE *out, SECItem *it, PRBool raw);
 
 extern char *SECU_SECModDBName(void);
 
+/* Fetch and register an oid if it hasn't been done already */
+extern void SECU_cert_fetchOID(SECOidTag *data, const SECOidData *src);
+
 extern SECStatus SECU_RegisterDynamicOids(void);
 
 /* Identifies hash algorithm tag by its string representation. */
 extern SECOidTag SECU_StringToSignatureAlgTag(const char *alg);
 
 /* Store CRL in output file or pk11 db. Also
  * encodes with base64 and exports to file if ascii flag is set
  * and file is not NULL. */
--- a/security/nss/cmd/lowhashtest/lowhashtest.c
+++ b/security/nss/cmd/lowhashtest/lowhashtest.c
@@ -393,18 +393,16 @@ Usage(char *progName)
     fprintf(stderr, "algorithm must be one of %s\n",
 	    "{ MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512 }");
     fprintf(stderr, "default is to test all\n");
     exit(-1);
 }
 
 int main(int argc, char **argv)
 {
-    PLOptState *optstate;
-    PLOptStatus status;
     NSSLOWInitContext *initCtx;
     int rv = 0; /* counts the number of failures */
 
     progName = strrchr(argv[0], '/');
     progName = progName ? progName+1 : argv[0];
 
     initCtx = NSSLOW_Init();
     if (initCtx == NULL) {
--- a/security/nss/cmd/multinit/multinit.c
+++ b/security/nss/cmd/multinit/multinit.c
@@ -487,16 +487,17 @@ sort_CN(CERTCertificate *certa, CERTCert
  * list all the certs
  */
 void
 do_list_certs(const char *progName, int log)
 {
    CERTCertList *list;
    CERTCertList *sorted;
    CERTCertListNode *node;
+   CERTCertTrust trust;
    int i;
 
    list = PK11_ListCerts(PK11CertListUnique, NULL);
    if (list == NULL) {
 	fprintf(stderr,"ERROR: no certs found %s\n", 
 		SECU_Strerror(PORT_GetError()));
 	appendLabel('C');
 	appendString("none");
@@ -538,20 +539,20 @@ do_list_certs(const char *progName, int 
 		fprintf(stderr, "%02x",cert->serialNumber.data[0]);
 	    }
 	    fprintf(stderr," *\n");
 	}
 	appendLabel('C');
 	commonName = CERT_GetCommonName(&cert->subject);
 	appendString(commonName?commonName:"*NoName*");
 	PORT_Free(commonName);
-	if (cert->trust) {
-	    appendFlags(cert->trust->sslFlags);
-	    appendFlags(cert->trust->emailFlags);
-	    appendFlags(cert->trust->objectSigningFlags);
+	if (CERT_GetCertTrust(cert, &trust) == SECSuccess) {
+	    appendFlags(trust.sslFlags);
+	    appendFlags(trust.emailFlags);
+	    appendFlags(trust.objectSigningFlags);
 	}
    }
    CERT_DestroyCertList(list);
 
 }
 
 /*
  * need to implement yet... try to add a new certificate
--- a/security/nss/cmd/ocspclnt/ocspclnt.c
+++ b/security/nss/cmd/ocspclnt/ocspclnt.c
@@ -1,16 +1,16 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * Test program for client-side OCSP.
  *
- * $Id: ocspclnt.c,v 1.13 2012/03/20 14:47:10 gerv%gerv.net Exp $
+ * $Id: ocspclnt.c,v 1.14 2013/01/23 23:05:50 kaie%kuix.de Exp $
  */
 
 #include "secutil.h"
 #include "nspr.h"
 #include "plgetopt.h"
 #include "nss.h"
 #include "cert.h"
 #include "ocsp.h"
@@ -823,18 +823,17 @@ print_basic_response (FILE *out_file, oc
  */
 static char *responseStatusNames[] = {
     "successful (Response has valid confirmations)",
     "malformedRequest (Illegal confirmation request)",
     "internalError (Internal error in issuer)",
     "tryLater (Try again later)",
     "unused ((4) is not used)",
     "sigRequired (Must sign the request)",
-    "unauthorized (Request unauthorized)",
-    "other (Status value out of defined range)"
+    "unauthorized (Request unauthorized)"
 };
 
 /*
  * Decode the DER/BER-encoded item "data" as an OCSP response
  * and pretty-print the subfields.
  */
 static SECStatus
 print_response (FILE *out_file, SECItem *data, CERTCertDBHandle *handle)
@@ -848,19 +847,25 @@ print_response (FILE *out_file, SECItem 
 	PORT_SetError (SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
 
     response = CERT_DecodeOCSPResponse (data);
     if (response == NULL)
 	return SECFailure;
 
-    PORT_Assert (response->statusValue <= ocspResponse_other);
-    fprintf (out_file, "Response Status: %s\n",
-	     responseStatusNames[response->statusValue]);
+    if (response->statusValue >= ocspResponse_min &&
+	response->statusValue <= ocspResponse_max) {
+	fprintf (out_file, "Response Status: %s\n",
+		 responseStatusNames[response->statusValue]);
+    } else {
+	fprintf (out_file,
+		 "Response Status: other (Status value %d out of defined range)\n",
+		 (int)response->statusValue);
+    }
 
     if (response->statusValue == ocspResponse_successful) {
 	ocspResponseBytes *responseBytes = response->responseBytes;
 	SECStatus sigStatus;
 	CERTCertificate *signerCert = NULL;
 
 	PORT_Assert (responseBytes != NULL);
 
--- a/security/nss/cmd/pwdecrypt/pwdecrypt.c
+++ b/security/nss/cmd/pwdecrypt/pwdecrypt.c
@@ -1,16 +1,16 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * Test program for SDR (Secret Decoder Ring) functions.
  *
- * $Id: pwdecrypt.c,v 1.8 2012/03/20 14:47:16 gerv%gerv.net Exp $
+ * $Id: pwdecrypt.c,v 1.9 2012/12/12 19:25:36 wtc%google.com Exp $
  */
 
 #include "nspr.h"
 #include "string.h"
 #include "nss.h"
 #include "secutil.h"
 #include "cert.h"
 #include "pk11func.h"
@@ -132,17 +132,16 @@ isBase64(char *inString)
 
 void
 doDecrypt(char * dataString, FILE *outFile, FILE *logFile, secuPWData *pwdata)
 {
     int        strLen = strlen(dataString);
     SECItem   *decoded = NSSBase64_DecodeBuffer(NULL, NULL, dataString, strLen);
     SECStatus  rv;
     int        err;
-    unsigned int i;
     SECItem    result = { siBuffer, NULL, 0 };
 
     if ((decoded == NULL) || (decoded->len == 0)) {
 	if (logFile) {
 	    err = PORT_GetError();
 	    fprintf(logFile,"Base 64 decode failed on <%s>\n", dataString);
 	    fprintf(logFile," Error %d: %s\n", err, SECU_Strerror(err));
 	}
--- a/security/nss/cmd/shlibsign/Makefile
+++ b/security/nss/cmd/shlibsign/Makefile
@@ -78,15 +78,19 @@ include ../platrules.mk
 SRCDIR = $(call core_abspath,.)
 
 %.chk: %.$(DLL_SUFFIX) 
 ifeq ($(OS_TARGET), OS2)
 	cd $(OBJDIR) ; cmd.exe /c $(SRCDIR)/sign.cmd $(DIST) \
 	$(call core_abspath,$(OBJDIR)) $(OS_TARGET) \
 	$(call core_abspath,$(NSPR_LIB_DIR)) $(call core_abspath,$<)
 else
+    ifeq ($(CROSS_COMPILE),1)
+	# do nothing
+    else
 	cd $(OBJDIR) ; sh $(SRCDIR)/sign.sh $(call core_abspath,$(DIST)) \
 	$(call core_abspath,$(OBJDIR)) $(OS_TARGET) \
 	$(call core_abspath,$(NSPR_LIB_DIR)) $(call core_abspath,$<)
+    endif
 endif
 
 libs install :: $(CHECKLOC)
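Review bot: under CROSS_COMPILE the `%.chk` rule now has a comment-only recipe, so no `.chk` file is produced and `libs install :: $(CHECKLOC)` will re-run the rule on every build without ever satisfying it. The `# do nothing` comment should state that the checksum has to be generated on the target (shlibsign loads the library to compute it, which a cross host cannot do) and point to where that happens, otherwise a missing `.chk` looks like a build bug rather than an expected state.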
 
--- a/security/nss/cmd/shlibsign/sign.sh
+++ b/security/nss/cmd/shlibsign/sign.sh
@@ -1,13 +1,20 @@
 #!/bin/sh
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
+# arguments:
+# 1: full path to DIST/OBJDIR (parent dir of "lib")
+# 2: full path to shlibsign executable (DIST/OBJDIR/bin)
+# 3: OS_TARGET
+# 4: full path to DIST/OBJDIR/lib
+# 5: full path to library that is to be signed
+
 case "${3}" in
 WIN*)
     if echo "${PATH}" | grep -c \; >/dev/null; then
         PATH=${1}/lib\;${1}/bin\;${4}\;${PATH}
     else
         # ARG1 is ${1} with the drive letter escaped.
         if echo "${1}" | grep -c : >/dev/null; then
             ARG1=`(cd ${1}; pwd)`
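Review bot: the new argument comment does not match what the Makefile hunk above passes: argument 4 there is `$(call core_abspath,$(NSPR_LIB_DIR))`, whereas the comment describes it as `full path to DIST/OBJDIR/lib`, and argument 2 is `$(call core_abspath,$(OBJDIR))` rather than a path to the shlibsign executable. Align the comment with the actual call (or the call with the comment) so future edits to sign.sh do not rely on the wrong directory.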
--- a/security/nss/cmd/ssltap/ssltap.c
+++ b/security/nss/cmd/ssltap/ssltap.c
@@ -29,17 +29,17 @@
 #include <string.h>
 #include <time.h>
 
 #include "plgetopt.h"
 #include "nss.h"
 #include "cert.h"
 #include "sslproto.h"
 
-#define VERSIONSTRING "$Revision: 1.22 $ ($Date: 2012/06/14 18:16:05 $) $Author: wtc%google.com $"
+#define VERSIONSTRING "$Revision: 1.23 $ ($Date: 2013/01/23 20:53:58 $) $Author: wtc%google.com $"
 
 
 struct _DataBufferList;
 struct _DataBuffer;
 
 typedef struct _DataBufferList {
   struct _DataBuffer *first,*last;
   int size;
@@ -328,18 +328,21 @@ const char * V2CipherString(int cs_int)
 
   case 0x000035:    cs_str = "TLS/RSA/AES256-CBC/SHA";  	break;
   case 0x000036:    cs_str = "TLS/DH-DSS/AES256-CBC/SHA";	break;
   case 0x000037:    cs_str = "TLS/DH-RSA/AES256-CBC/SHA";	break;
   case 0x000038:    cs_str = "TLS/DHE-DSS/AES256-CBC/SHA";	break;
   case 0x000039:    cs_str = "TLS/DHE-RSA/AES256-CBC/SHA";	break;
   case 0x00003A:    cs_str = "TLS/DH-ANON/AES256-CBC/SHA";	break;
 
+  case 0x00003B:    cs_str = "TLS/RSA/NULL/SHA256";		break;
   case 0x00003C:    cs_str = "TLS/RSA/AES128-CBC/SHA256";  	break;
   case 0x00003D:    cs_str = "TLS/RSA/AES256-CBC/SHA256";  	break;
+  case 0x00003E:    cs_str = "TLS/DH-DSS/AES128-CBC/SHA256";  	break;
+  case 0x00003F:    cs_str = "TLS/DH-RSA/AES128-CBC/SHA256";  	break;
   case 0x000040:    cs_str = "TLS/DHE-DSS/AES128-CBC/SHA256";	break;
 
   case 0x000041:    cs_str = "TLS/RSA/CAMELLIA128-CBC/SHA";	break;
   case 0x000042:    cs_str = "TLS/DH-DSS/CAMELLIA128-CBC/SHA";	break;
   case 0x000043:    cs_str = "TLS/DH-RSA/CAMELLIA128-CBC/SHA";	break;
   case 0x000044:    cs_str = "TLS/DHE-DSS/CAMELLIA128-CBC/SHA";	break;
   case 0x000045:    cs_str = "TLS/DHE-RSA/CAMELLIA128-CBC/SHA";	break;
   case 0x000046:    cs_str = "TLS/DH-ANON/CAMELLIA128-CBC/SHA";	break;
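Review bot: the three added suite names match the RFC 5246 assignments (0x003B TLS_RSA_WITH_NULL_SHA256, 0x003E TLS_DH_DSS_WITH_AES_128_CBC_SHA256, 0x003F TLS_DH_RSA_WITH_AES_128_CBC_SHA256), so the decoder no longer falls through to its unknown-suite path for them. Worth remembering when reading ssltap output that 0x003B is a NULL cipher: integrity only, no confidentiality.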
--- a/security/nss/cmd/vfychain/vfychain.c
+++ b/security/nss/cmd/vfychain/vfychain.c
@@ -61,16 +61,19 @@ Usage(const char *progName)
 	"\t-p \t\t Use PKIX Library to validate certificate by calling:\n"
 	"\t\t\t   * CERT_VerifyCertificate if specified once,\n"
 	"\t\t\t   * CERT_PKIXVerifyCert if specified twice and more.\n"
 	"\t-r\t\t Following certfile is raw binary DER (default)\n"
         "\t-t\t\t Following cert is explicitly trusted (overrides db trust).\n"
 	"\t-u usage \t 0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA,\n"
 	"\t\t\t 4=Email signer, 5=Email recipient, 6=Object signer,\n"
 	"\t\t\t 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA\n"
+	"\t-T\t\t Trust both explicit trust anchors (-t) and the database.\n"
+	"\t\t\t (Default is to only trust certificates marked -t, if there are any,\n"
+	"\t\t\t or to trust the database if there are certificates marked -t.)\n"
 	"\t-v\t\t Verbose mode. Prints root cert subject(double the\n"
 	"\t\t\t argument for whole root cert info)\n"
 	"\t-w password\t Database password.\n"
 	"\t-W pwfile\t Password file.\n\n"
         "\tRevocation options for PKIX API(invoked with -pp options) is a\n"
         "\tcollection of the following flags:\n"
         "\t\t[-g type [-h flags] [-m type [-s flags]] ...] ...\n"
         "\tWhere:\n"
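Review bot: the last added usage line inverts its condition: `or to trust the database if there are certificates marked -t.)` should read `if there are no certificates marked -t`, otherwise the two clauses of the parenthetical describe the same case and the reader cannot tell what the default actually does. Suggest also stating on the `-T` line that the option is only honoured together with `-pp`, as `-t` already is.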
@@ -418,23 +421,24 @@ main(int argc, char *argv[], char *envp[
     int                  rv           = 1;
     int                  usage;
     CERTVerifyLog        log;
     CERTCertList        *builtChain = NULL;
     PRBool               certFetching = PR_FALSE;
     int                  revDataIndex = 0;
     PRBool               ocsp_fetchingFailureIsAFailure = PR_TRUE;
     PRBool               useDefaultRevFlags = PR_TRUE;
+    PRBool               onlyTrustAnchors = PR_TRUE;
     int                  vfyCounts = 1;
 
     PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
 
     progName = PL_strdup(argv[0]);
 
-    optstate = PL_CreateOptState(argc, argv, "ab:c:d:efg:h:i:m:o:prs:tu:vw:W:");
+    optstate = PL_CreateOptState(argc, argv, "ab:c:d:efg:h:i:m:o:prs:tTu:vw:W:");
     while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
 	switch(optstate->option) {
 	case  0  : /* positional parameter */  goto breakout;
 	case 'a' : isAscii  = PR_TRUE;                        break;
 	case 'b' : secStatus = DER_AsciiToTime(&time, optstate->value);
 	           if (secStatus != SECSuccess) Usage(progName); break;
 	case 'd' : certDir  = PL_strdup(optstate->value);     break;
 	case 'e' : ocsp_fetchingFailureIsAFailure = PR_FALSE;  break;
@@ -473,16 +477,17 @@ main(int argc, char *argv[], char *envp[
                        methodTypeStr = PL_strdup(optstate->value); break;
 	case 'o' : oidStr = PL_strdup(optstate->value);       break;
 	case 'p' : usePkix += 1;                              break;
 	case 'r' : isAscii  = PR_FALSE;                       break;
 	case 's' : 
                    revMethodsData[revDataIndex].
                        methodFlagsStr = PL_strdup(optstate->value); break;
 	case 't' : trusted  = PR_TRUE;                        break;
+	case 'T' : onlyTrustAnchors = PR_FALSE;               break;
 	case 'u' : usage    = PORT_Atoi(optstate->value);
 	           if (usage < 0 || usage > 62) Usage(progName);
 		   certUsage = ((SECCertificateUsage)1) << usage; 
 		   if (certUsage > certificateUsageHighest) Usage(progName);
 		   break;
         case 'w':
                   pwdata.source = PW_PLAINTEXT;
                   pwdata.data = PORT_Strdup(optstate->value);
@@ -506,16 +511,21 @@ breakout:
                     " CERT_PKIXVerifyCert(-pp) function.\n");
             Usage(progName);
         }
         if (trusted) {
             fprintf(stderr, "Cert trust flag can be used only with"
                     " CERT_PKIXVerifyCert(-pp) function.\n");
             Usage(progName);
         }
+        if (!onlyTrustAnchors) {
+            fprintf(stderr, "Cert trust anchor exclusiveness can be"
+                    " used only with CERT_PKIXVerifyCert(-pp)"
+                    " function.\n");
+        }
     }
 
     if (!useDefaultRevFlags && parseRevMethodsAndFlags()) {
         fprintf(stderr, "Invalid revocation configuration specified.\n");
         goto punt;
     }
 
     /* Set our password function callback. */
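Review bot: the new `if (!onlyTrustAnchors)` block prints an error but, unlike the `trusted` check directly above it, does not call `Usage(progName)`, so `-T` without `-pp` emits the message and then continues down the non-PKIX path where the flag has no effect. If that is meant to be fatal, add `Usage(progName);` after the `fprintf`; if it is meant as a warning, reword the message so it does not read like the fatal ones around it (for example "Warning: -T is ignored unless -pp is given").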
@@ -588,17 +598,17 @@ breakout:
                                                PR_TRUE /* check sig */,
                                                certUsage, 
                                                time,
                                                &pwdata, /* wincx  */
                                                &log, /* error log */
                                            NULL);/* returned usages */
         } else do {
                 static CERTValOutParam cvout[4];
-                static CERTValInParam cvin[6];
+                static CERTValInParam cvin[7];
                 SECOidTag oidTag;
                 int inParamIndex = 0;
                 static PRUint64 revFlagsLeaf[2];
                 static PRUint64 revFlagsChain[2];
                 static CERTRevocationFlags rev;
                 
                 if (oidStr) {
                     PRArenaPool *arena;
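Review bot: `static CERTValInParam cvin[7];` is sized by hand to fit one more optional entry plus the `cert_pi_end` terminator, and nothing documents that count. A comment on the declaration listing which entries can occupy the array, or a compile-time assertion that `inParamIndex` stays below the array size before the `cert_pi_end` write, would keep the next optional parameter from silently overrunning it.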
@@ -662,16 +672,22 @@ breakout:
                 cvin[inParamIndex].value.pointer.revocation = &rev;
                 inParamIndex++;
                 
                 if (time) {
                     cvin[inParamIndex].type = cert_pi_date;
                     cvin[inParamIndex].value.scalar.time = time;
                     inParamIndex++;
                 }
+
+                if (!onlyTrustAnchors) {
+                    cvin[inParamIndex].type = cert_pi_useOnlyTrustAnchors;
+                    cvin[inParamIndex].value.scalar.b = onlyTrustAnchors;
+                    inParamIndex++;
+                }
                 
                 cvin[inParamIndex].type = cert_pi_end;
                 
                 cvout[0].type = cert_po_trustAnchor;
                 cvout[0].value.pointer.cert = NULL;
                 cvout[1].type = cert_po_certList;
                 cvout[1].value.pointer.chain = NULL;
                 
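Review bot: the parameter is only pushed when `onlyTrustAnchors` is already `PR_FALSE`, so `cvin[inParamIndex].value.scalar.b = onlyTrustAnchors;` always stores `PR_FALSE`; writing `PR_FALSE` explicitly would say what the code means. The block also relies on the library treating an omitted `cert_pi_useOnlyTrustAnchors` as "trust anchors only", which is the behaviour the usage text calls the default; a one-line comment naming that dependency would make the default visible at the call site.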
new file mode 100644
--- /dev/null
+++ b/security/nss/doc/Makefile
@@ -0,0 +1,82 @@
+#! gmake
+#
+# Creates man pages for the NSS security tools
+#
+# pk12util, certutil, modutil, ssltap, 
+# signtool, signver, cmsutil, crlutil,  
+# derdump, pp, vfychain, vfyserv
+#
+
+.SUFFIXES: .html .txt .1 .xml
+
+COMPILE.1 = xmlto -o nroff man
+COMPILE.html = xmlto -o html html
+
+# the name of the tar ball
+name = nss-man
+date = `date +"%Y%m%d"`
+
+all: prepare all-man all-html
+
+prepare: date-and-version
+	mkdir -p html
+	mkdir -p nroff
+	
+clean:
+	rm -f date.xml version.xml *.tar.bz2
+	rm -fr $(name) ascii html nroff
+
+date-and-version: date.xml version.xml
+
+date.xml:
+	date +"%e %B %Y" | tr -d '\n' > $@
+
+version.xml:
+	echo -n ${VERSION} > $@
+
+.PHONY : $(MANPAGES)
+.PHONY : $(HTMLPAGES)
+.PHONY : $(TXTPAGES)
+
+#------------------------------------------
+# Package a tar ball for building in fedora
+# Include the makefile and .xml files only
+# man pages will be created at build time
+#------------------------------------------
+
+tarball:
+	rm -rf $(name); \
+	mkdir -p $(name)/nroff; \
+	cp Makefile $(name); \
+	cp *.xml $(name); \
+	tar cvjf $(name)-$(date).tar.bz2 $(name)
+
+#--------------------------------------------------------
+# manpages
+#--------------------------------------------------------
+
+%.1 : %.xml prepare
+	$(COMPILE.1) $<
+	
+MANPAGES = \
+certutil.1 cmsutil.1 crlutil.1 pk12util.1 \
+modutil.1 ssltap.1 derdump.1 signtool.1 signver.1 \
+pp.1 vfychain.1 vfyserv.1
+
+all-man: prepare $(MANPAGES)
+
+#--------------------------------------------------------
+# html pages
+#--------------------------------------------------------
+
+%.html : %.xml
+	$(COMPILE.html) $<
+	mv html/index.html html/$@
+
+HTMLPAGES = \
+certutil.html cmsutil.html crlutil.html pk12util.html  modutil.html \
+ssltap.html derdump.html signtool.html signver.html pp.html \
+vfychain.html vfyserv.html
+
+all-html: prepare $(HTMLPAGES)
+
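Review bot: `.PHONY : $(MANPAGES)` and `.PHONY : $(HTMLPAGES)` appear before `MANPAGES` and `HTMLPAGES` are assigned; make expands target and prerequisite lists when it reads the rule, so both lines expand to nothing and the pages are not actually phony (`$(TXTPAGES)` is never defined at all). Move the `.PHONY` lines below the assignments or drop them. Two smaller points: `echo -n ${VERSION} > $@` is not portable across `/bin/sh` implementations (`printf '%s' "$(VERSION)" > $@` is), and the `%.html` recipe's `mv html/index.html html/$@` races under `make -j` because every page is first written to the same `html/index.html`.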
new file mode 100644
--- /dev/null
+++ b/security/nss/doc/README
@@ -0,0 +1,7 @@
+A convenient tool to edit these files is
+  https://sourceforge.net/projects/xml-copy-editor/
+
+Assuming the documentation text will remain plain US-ASCII,
+please disable the option
+  "Save UTF-8 byte order mark".
+
new file mode 100644
--- /dev/null
+++ b/security/nss/doc/certutil.xml
@@ -0,0 +1,1128 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="certutil">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>NSS Security Tools</title>
+    <productname>nss-tools</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>CERTUTIL</refentrytitle>
+    <manvolnum>1</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>certutil</refname>
+    <refpurpose>Manage keys and certificate in the the NSS database.</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>certutil</command>
+      <arg><replaceable>options</replaceable></arg>
+      <arg>[<replaceable>arguments</replaceable>]</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection>
+    <title>STATUS</title>
+    <para>This documentation is still work in progress. Please contribute to the initial review in <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=836477">Mozilla NSS bug 836477</ulink>
+    </para>
+  </refsection>
+
+<refsection id="description">
+    <title>Description</title>
+
+    <para>The Certificate Database Tool, <command>certutil</command>, is a command-line utility that manages certs and keys in both NSS databases and other NSS tokens (such as smart cards). It can specifically list, generate, modify, or delete certificates within the database, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</para>
+    <para>The key and certificate management process generally includes certificate issuance once keys and certificates have been created in the key database. This document discusses certificate and key database management. For information security module database management, see the <command>modutil</command> manpage.</para>
+
+  </refsection>
+  
+  <refsection id="options">
+    <title>Options and Arguments</title>
+	<para>Running <command>certutil</command> always requires one and only one option to specify the type of certificate operation. Each option may take arguments, anywhere from none to multiple arguments. Run the command option and <option>-H</option> to see the arguments available for each command option.</para>
+   	<para><command>Command Options</command></para> 
+   	<para>Command options are typically upper case. </para>
+    <variablelist>
+
+      <varlistentry>
+        <term>-A </term>
+        <listitem><para>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default. </para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-B</term>
+        <listitem><para>Run a series of commands from the specified batch file. This requires the <option>-i</option> argument.</para></listitem>
+      </varlistentry>
+    
+      <varlistentry>
+        <term>-C </term>
+        <listitem><para>Create a new binary certificate file from a binary certificate request file. Use the <option>-i</option> argument to specify the certificate request file. If this argument is not used, <command>certutil</command> prompts for a filename. </para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-D </term>
+        <listitem><para>Delete a certificate from the certificate database.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-E </term>
+        <listitem><para>Add an email certificate to the certificate database.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-F</term>
+        <listitem><para>Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the 
+<option>-d</option> argument. Use the <option>-k</option> argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the <option>-k</option> argument, the option looks for an RSA key matching the specified nickname. 
+</para>
+<para>
+When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using -D. Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair. You can display the public key with the command certutil -K -h tokenname. </para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-G </term>
+        <listitem><para>Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-H </term>
+        <listitem><para>Display a list of the command options and arguments used by the Certificate Database Tool.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-K </term>
+        <listitem><para>List the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-L </term>
+        <listitem><para>List all the certificates, or display information about a named certificate, in a certificate database.
+Use the -h tokenname argument to specify the certificate database on a particular hardware or software token.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-M </term>
+        <listitem><para>Modify a certificate's trust attributes using the values of the -t argument.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-N</term>
+        <listitem><para>Create new certificate and key databases.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-O </term>
+        <listitem><para>Print the certificate chain.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-R</term>
+        <listitem><para>Create a certificate request file  that can be submitted to a Certificate Authority (CA) for processing into a finished certificate. Output defaults to standard out unless you use -o output-file argument.
+
+Use the -a argument to specify ASCII output.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-S </term>
+        <listitem><para>Create an individual certificate and add it to a certificate database.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-T </term>
+        <listitem><para>Reset the key database or token.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-U </term>
+        <listitem><para>List all available modules or print a single named module.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-V </term>
+        <listitem><para>Check the validity of a certificate and its attributes.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-W </term>
+        <listitem><para>Change the password to a key database.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>--merge</term>
+        <listitem><para>Merge a source database into the target database. This is used to merge legacy NSS databases (<filename>cert8.db</filename> and <filename>key3.db</filename>) into the newer SQLite databases (<filename>cert9.db</filename> and <filename>key4.db</filename>).</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>--upgrade-merge</term>
+        <listitem><para>Upgrade an old database and merge it into a new database. This is used to migrate legacy NSS databases (<filename>cert8.db</filename> and <filename>key3.db</filename>) into the newer SQLite databases (<filename>cert9.db</filename> and <filename>key4.db</filename>).</para></listitem>
+      </varlistentry>
+	</variablelist>
+
+	<para><command>Arguments</command></para>
+	<para>Arguments modify a command option and are usually lower case, numbers, or symbols.</para>
+	<variablelist>
+      <varlistentry>
+        <term>-a</term>
+        <listitem><para>Use ASCII format or allow the use of ASCII format for input or output. This formatting follows RFC 1113. 
+For certificate requests, ASCII output defaults to standard output unless redirected.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-b validity-time</term>
+        <listitem><para>Specify a time at which a certificate is required to be valid. Use when checking certificate validity with the <option>-V</option> option. The format of the <emphasis>validity-time</emphasis> argument is <emphasis>YYMMDDHHMMSS[+HHMM|-HHMM|Z]</emphasis>, which allows offsets to be set relative to the validity end time. Specifying seconds (<emphasis>SS</emphasis>) is optional. When specifying an explicit time, use a Z at the end of the term, <emphasis>YYMMDDHHMMSSZ</emphasis>, to close it. When specifying an offset time, use <emphasis>YYMMDDHHMMSS+HHMM</emphasis> or <emphasis>YYMMDDHHMMSS-HHMM</emphasis> for adding or subtracting time, respectively.
+</para>
+<para>
+If this option is not used, the validity check defaults to the current system time.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-c issuer</term>
+        <listitem><para>Identify the certificate of the CA from which a new certificate will derive its authenticity. 
+ Use the exact nickname or alias of the CA certificate, or use the CA's email address. Bracket the issuer string 
+ with quotation marks if it contains spaces. </para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-d [prefix]directory</term>
+        <listitem>
+          <para>Specify the database directory containing the certificate and key database files.</para>
+          <para><command>certutil</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>sql:</command> is not used, then the tool assumes that the given databases are in the old format.</para>
+          <para>NSS recognizes the following prefixes:</para>
+          <itemizedlist>
+            <listitem><para><command>sql: explicitly requests the newer database</command></para></listitem>
+	        <listitem><para><command>dbm: explicitly requests the older database</command></para></listitem>
+	        <listitem><para><command>extern: explicitly reserved for future use</command></para></listitem>
+          </itemizedlist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-e </term>
+        <listitem><para>Check a certificate's signature during the process of validating a certificate.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-f password-file</term>
+        <listitem><para>Specify a file that will automatically supply the password to include in a certificate 
+ or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent 
+ unauthorized access to this file.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-g keysize</term>
+        <listitem><para>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 8192 bits. The default is 1024 bits. Any size between the minimum and maximum is allowed.</para></listitem>
+      </varlistentry>
+
+
+      <varlistentry>
+        <term>-h tokenname</term>
+        <listitem><para>Specify the name of a token to use or act on. Unless specified otherwise the default token is an internal slot.</para></listitem>
+      </varlistentry>
+
+     <varlistentry>
+        <term>-i input_file</term>
+        <listitem><para>Pass an input file to the command. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-k rsa|dsa|ec|all</term>
+        <listitem><para>Specify the type of a key. The valid options are RSA, DSA, ECC, or all. The default value is rsa. Specifying the type of key can avoid mistakes caused by duplicate nicknames.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-k key-type-or-id</term>
+        <listitem>
+          <para>Specify the type or specific ID of a key. </para>
+          <para>
+           The valid key type options are RSA, DSA, ECC, or all. The default 
+           value is rsa. Specifying the type of key can avoid mistakes caused by
+           duplicate nicknames. Giving a key type generates a new key pair; 
+           giving the ID of an existing key reuses that key pair (which is 
+           required to renew certificates).
+          </para>
+          <para>
+           The valid key type options are RSA, DSA, ECC, or all. The default 
+           value is rsa. Specifying the type of key can avoid mistakes caused by
+           duplicate nicknames. Giving a key type generates a new key pair; 
+           giving the ID of an existing key reuses that key pair (which is 
+           required to renew certificates).
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-l </term>
+        <listitem><para>Display detailed information when validating a certificate with the -V option.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-m serial-number</term>
+        <listitem><para>Assign a unique serial number to a certificate being created. This operation should be performed by a CA. If no serial number is 
+           provided a default serial number is made from the current time. Serial numbers are limited to integers </para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-n nickname</term>
+        <listitem><para>Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-o output-file</term>
+        <listitem><para>Specify the output file name for new certificates or binary certificate requests. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-P dbPrefix</term>
+        <listitem><para>Specify the prefix used on the certificate and key database file. This argument is provided to support legacy servers. Most applications do not use a database prefix.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-p phone</term>
+        <listitem><para>Specify a contact telephone number to include in new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-q pqgfile or curve-name</term>
+        <listitem>
+        <para>Read an alternate PQG value from the specified file when generating DSA key pairs. If this argument is not used, <command>certutil</command> generates its own PQG value. PQG files are created with a separate DSA utility.</para>
+        <para>Elliptic curve name is one of the ones from SUITE B: nistp256, nistp384, nistp521</para>
+        <para>
+           If NSS has been compiled with support curves outside of SUITE B:
+              sect163k1, nistk163, sect163r1, sect163r2,            
+              nistb163,  sect193r1, sect193r2, sect233k1, nistk233,            
+              sect233r1, nistb233, sect239k1, sect283k1, nistk283,            
+              sect283r1, nistb283, sect409k1, nistk409, sect409r1,            
+              nistb409,  sect571k1, nistk571, sect571r1, nistb571,            
+              secp160k1, secp160r1, secp160r2, secp192k1, secp192r1,            
+              nistp192,  secp224k1, secp224r1, nistp224, secp256k1,            
+              secp256r1, secp384r1, secp521r1,       
+              prime192v1, prime192v2, prime192v3,          
+              prime239v1, prime239v2, prime239v3, c2pnb163v1,             
+              c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1,             
+              c2tnb191v2, c2tnb191v3,              
+              c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3,             
+              c2pnb272w1, c2pnb304w1,             
+              c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1,             
+              secp112r2, secp128r1, secp128r2, sect113r1, sect113r2            
+              sect131r1, sect131r2    
+        </para>
+
+        </listitem>
+        
+      </varlistentry>
+
+      <varlistentry>
+        <term>-r </term>
+        <listitem><para>Display a certificate's binary DER encoding when listing information about that certificate with the -L option.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-s subject</term>
+        <listitem><para>Identify a particular certificate owner for new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces. The subject identification format follows RFC #1485.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-t trustargs</term>
+        <listitem><para>Specify the trust attributes to modify in an existing certificate or to apply to a certificate when creating it or adding it to a database. There are three available trust categories for each certificate, expressed in the order <emphasis>SSL, email, object signing</emphasis> for each trust setting. In each category position, use none, any, or all
+of the attribute codes: 
+	</para>
+	<itemizedlist>
+	<listitem>
+	<para>
+		<command>p</command> - Valid peer
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		<command>P</command> - Trusted peer (implies p)
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		<command>c</command> - Valid CA
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		<command>T</command> - Trusted CA (implies c)
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		<command>C</command> - rusted CA for client authentication (ssl server only)
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		<command>u</command> - user
+	</para>
+	</listitem>
+	</itemizedlist>
+	<para>
+		The attribute codes for the categories are separated by commas, and the entire set of attributes enclosed by quotation marks. For example:
+	</para>
+<para><command>-t "TCu,Cu,Tuw"</command></para>
+	<para>
+	Use the -L option to see a list of the current certificates and trust attributes in a certificate database. </para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-u certusage</term>
+        <listitem><para>Specify a usage context to apply when validating a certificate with the -V option.</para><para>The contexts are the following:</para>
+	<itemizedlist>
+	<listitem>
+<para><command>C</command> (as an SSL client)</para>
+	</listitem>
+	<listitem>
+<para><command>V</command> (as an SSL server)</para>
+	</listitem>
+	<listitem>
+<para><command>S</command> (as an email signer)</para>
+	</listitem>
+	<listitem>
+<para><command>R</command> (as an email recipient)</para>
+	</listitem>
+	<listitem>
+<para><command>O</command> (as an OCSP status responder)</para>
+	</listitem>
+	<listitem>
+<para><command>J</command> (as an object signer)</para>
+	</listitem>
+	</itemizedlist></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-v valid-months</term>
+        <listitem><para>Set the number of months a new certificate will be valid. The validity period begins at the current system time unless an offset is added or subtracted with the <option>-w</option> option. If this argument is not used, the default validity period is three months. </para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-w offset-months</term>
+        <listitem><para>Set an offset from the current system time, in months, 
+ for the beginning of a certificate's validity period. Use when creating 
+ the certificate or adding it to a database. Express the offset in integers, 
+ using a minus sign (-) to indicate a negative offset. If this argument is 
+ not used, the validity period begins at the current system time. The length 
+ of the validity period is set with the -v argument. </para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-X </term>
+        <listitem><para>Force the key and certificate database to open in read-write mode. This is used with the <option>-U</option> and <option>-L</option> command options.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-x </term>
+        <listitem><para>Use <command>certutil</command> to generate the signature for a certificate being created or added to a database, rather than obtaining a signature from a separate CA.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-y exp</term>
+        <listitem><para>Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537. The available alternate values are 3 and 17.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-z noise-file</term>
+        <listitem><para>Read a seed value from the specified file to generate a new private and public key pair. This argument makes it possible to use hardware-generated seed values or manually create a value from the keyboard. The minimum file size is 20 bytes.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-0 SSO_password</term>
+        <listitem><para>Set a site security officer password on a token.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-1 | --keyUsage keyword,keyword</term>
+        <listitem><para>Set a Netscape Certificate Type Extension in the certificate. There are several available keywords:</para>
+	<itemizedlist>
+	<listitem>
+	<para>
+		digital signature
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		nonRepudiation
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		keyEncipherment
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		dataEncipherment
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		keyAgreement
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		certSigning
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		crlSigning
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		critical
+	</para>
+	</listitem>
+	</itemizedlist>
+</listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-2 </term>
+        <listitem><para>Add a basic constraint extension to a certificate that is being created or added to a database. This extension supports the certificate chain verification process. <command>certutil</command> prompts for the certificate constraint extension to select.</para>
+<para>X.509 certificate extensions are described in RFC 5280.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-3 </term>
+        <listitem><para>Add an authority key ID extension to a certificate that is being created or added to a database. This extension supports the identification of a particular certificate, from among multiple certificates associated with one subject name, as the correct issuer of a certificate. The Certificate Database Tool will prompt you to select the authority key ID extension.</para>
+<para>X.509 certificate extensions are described in RFC 5280.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-4 </term>
+        <listitem><para>Add a CRL distribution point extension to a certificate that is being created or added to a database. This extension identifies the URL of a certificate's associated certificate revocation list (CRL). <command>certutil</command> prompts for the URL.</para>
+<para>X.509 certificate extensions are described in RFC 5280.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-5 | --nsCertType keyword,keyword</term>
+        <listitem><para>Add a Netscape certificate type extension to a certificate that is being created or added to the database. There are several available keywords:</para>
+	<itemizedlist>
+	<listitem>
+	<para>
+		sslClient
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		sslServer
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		smime
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		objectSigning
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		sslCA
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		smimeCA
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		objectSigningCA
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		critical
+	</para>
+	</listitem>
+	</itemizedlist>
+
+<para>X.509 certificate extensions are described in RFC 5280.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-6 | --extKeyUsage keyword,keyword</term>
+        <listitem><para>Add an extended key usage extension to a certificate that is being created or added to the database. Several keywords are available:</para>
+	<itemizedlist>
+	<listitem>
+	<para>
+		serverAuth
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		clientAuth
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		codeSigning
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		emailProtection
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		timeStamp
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		ocspResponder
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		stepUp
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		msTrustListSign
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		critical
+	</para>
+	</listitem>
+	</itemizedlist>
+<para>X.509 certificate extensions are described in RFC 5280.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-7 emailAddrs</term>
+        <listitem><para>Add a comma-separated list of email addresses to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-8 dns-names</term>
+        <listitem><para>Add a comma-separated list of DNS names to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>--extAIA</term>
+        <listitem><para>Add the Authority Information Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>--extSIA</term>
+        <listitem><para>Add the Subject Information Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>--extCP</term>
+        <listitem><para>Add the Certificate Policies extension to the certificate. X.509 certificate extensions are described in RFC 5280.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>--extPM</term>
+        <listitem><para>Add the Policy Mappings extension to the certificate. X.509 certificate extensions are described in RFC 5280.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>--extPC</term>
+        <listitem><para>Add the Policy Constraints extension to the certificate. X.509 certificate extensions are described in RFC 5280.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>--extIA</term>
+        <listitem><para>Add the Inhibit Any Policy Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>--extSKID</term>
+        <listitem><para>Add the Subject Key ID extension to the certificate. X.509 certificate extensions are described in RFC 5280.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>--source-dir certdir</term>
+        <listitem><para>Identify the certificate database directory to upgrade.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>--source-prefix certdir</term>
+        <listitem><para>Give the prefix of the certificate and key databases to upgrade.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>--upgrade-id uniqueID</term>
+        <listitem><para>Give the unique ID of the database to upgrade.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>--upgrade-token-name name</term>
+        <listitem><para>Set the name of the token to use while it is being upgraded.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-@ pwfile</term>
+        <listitem><para>Give the name of a password file to use for the database being upgraded.</para></listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsection>
+
+  <refsection id="basic-usage">
+    <title>Usage and Examples</title>
+	<para>
+		Most of the command options in the examples listed here have more arguments available. The arguments included in these examples are the most common ones or are used to illustrate a specific scenario. Use the <option>-H</option> option to show the complete list of arguments for each command option.
+	</para>
+	<para><command>Creating New Security Databases</command></para>
+	<para>
+		Certificates, keys, and security modules related to managing certificates are stored in three related databases:
+	</para>
+	<itemizedlist>
+	<listitem>
+	<para>
+		cert8.db or cert9.db
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		key3.db or key4.db
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		secmod.db or pkcs11.txt
+	</para>
+	</listitem>
+	</itemizedlist>
+	<para>
+		These databases must be created before certificates or keys can be generated.
+	</para>
+<programlisting>certutil -N -d [sql:]directory</programlisting>
+
+	<para><command>Creating a Certificate Request</command></para>
+	<para>
+		A certificate request contains most or all of the information that is used to generate the final certificate. This request is submitted separately to a certificate authority and is then approved by some mechanism (automatically or by human review). Once the request is approved, then the certificate is generated.
+	</para>
+<programlisting>$ certutil -R -k key-type-or-id [-q pqgfile|curve-name] -g key-size -s subject [-h tokenname] -d [sql:]directory [-p phone] [-o output-file] [-a]</programlisting>
+	<para>
+		The <option>-R</option> command options requires four arguments:
+	</para>
+	<itemizedlist>
+	<listitem>
+	<para>
+		<option>-k</option> to specify either the key type to generate or, when renewing a certificate, the existing key pair to use
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		<option>-g</option> to set the keysize of the key to generate
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		<option>-s</option> to set the subject name of the certificate
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		<option>-d</option> to give the security database directory
+	</para>
+	</listitem>
+	</itemizedlist>
+	<para>
+		The new certificate request can be output in ASCII format (<option>-a</option>) or can be written to a specified file (<option>-o</option>).
+	</para>
+	<para>
+		For example:
+	</para>
+<programlisting>$ certutil -R -k ec -q nistb409 -g 512 -s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" -d sql:/home/my/sharednssdb -p 650-555-0123 -a -o cert.cer
+
+Generating key.  This may take a few moments...
+
+
+Certificate request generated by Netscape 
+Phone: 650-555-0123
+Common Name: John Smith
+Email: (not ed)
+Organization: Example Corp
+State: California
+Country: US
+
+-----BEGIN NEW CERTIFICATE REQUEST-----
+MIIBIDCBywIBADBmMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEW
+MBQGA1UEBxMNTW91bnRhaW4gVmlldzEVMBMGA1UEChMMRXhhbXBsZSBDb3JwMRMw
+EQYDVQQDEwpKb2huIFNtaXRoMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMVUpDOZ
+KmHnOx7reP8Cc0Lk+fFWEuYIDX9W5K/BioQOKvEjXyQZhit9aThzBVMoSf1Y1S8J
+CzdUbCg1+IbnXaECAwEAAaAAMA0GCSqGSIb3DQEBBQUAA0EAryqZvpYrUtQ486Ny
+qmtyQNjIi1F8c1Z+TL4uFYlMg8z6LG/J/u1E5t1QqB5e9Q4+BhRbrQjRR1JZx3tB
+1hP9Gg==
+-----END NEW CERTIFICATE REQUEST-----</programlisting>
+
+	<para><command>Creating a Certificate</command></para>
+	<para>
+		A valid certificate must be issued by a trusted CA. This can be done by specifying a CA certificate (<option>-c</option>) that is stored in the certificate database. If a CA key pair is not available, you can create a self-signed certificate using the <option>-x</option> argument with the <option>-S</option> command option.
+	</para>
+<programlisting>$ certutil -S -k rsa|dsa|ec -n certname -s subject [-c issuer |-x] -t trustargs -d [sql:]directory [-m serial-number] [-v valid-months] [-w offset-months] [-p phone] [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names] [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA] [--extSKID]</programlisting>
+	<para>
+		The series of numbers and <option>--ext*</option> options set certificate extensions that can be added to the certificate when it is generated by the CA.
+	</para>
+	<para>
+		For example, this creates a self-signed certificate:
+	</para>
+<programlisting>$ certutil -S -s "CN=Example CA" -n my-ca-cert -x -t "C,C,C" -1 -2 -5 -m 3650</programlisting>
+	<para>
+		From there, new certificates can reference the self-signed certificate:
+	</para>
+<programlisting>$ certutil -S -s "CN=My Server Cert" -n my-server-cert -c "my-ca-cert" -t "u,u,u" -1 -5 -6 -8 -m 730</programlisting>
+
+	<para><command>Generating a Certificate from a Certificate Request</command></para>
+	<para>
+		When a certificate request is created, a certificate can be generated by using the request and then referencing a certificate authority signing certificate (the <emphasis>issuer</emphasis> specified in the <option>-c</option> argument). The issuing certificate must be in the certificate database in the specified directory.
+	</para>
+<programlisting>certutil -C -c issuer -i cert-request-file -o output-file [-m serial-number] [-v valid-months] [-w offset-months] -d [sql:]directory [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names]</programlisting>
+	<para>
+		For example:
+	</para>
+<programlisting>$ certutil -C -c "my-ca-cert" -i /home/certs/cert.req -o cert.cer -m 010 -v 12 -w 1 -d sql:/home/my/sharednssdb -1 nonRepudiation,dataEncipherment -5 sslClient -6 clientAuth -7 jsmith@example.com</programlisting>
+
+
+	<para><command>Generating Key Pairs</command></para>
+	<para>
+		Key pairs are generated automatically with a certificate request or certificate, but they can also be generated independently using the <option>-G</option> command option. 
+	</para>
+<programlisting>certutil -G -d [sql:]directory | -h tokenname -k key-type -g key-size [-y exponent-value] -q pqgfile|curve-name</programlisting>
+	<para>
+		For example:
+	</para>
+<programlisting>$ certutil -G -h lunasa -k ec -g 256 -q sect193r2</programlisting>
+
+	<para><command>Listing Certificates</command></para>
+	<para>
+		The <option>-L</option> command option lists all of the certificates listed in the certificate database. The path to the directory (<option>-d</option>) is required.
+	</para>
+<programlisting>$ certutil -L -d sql:/home/my/sharednssdb
+
+Certificate Nickname                                         Trust Attributes
+                                                             SSL,S/MIME,JAR/XPI
+
+CA Administrator of Instance pki-ca1's Example Domain ID     u,u,u
+TPS Administrator's Example Domain ID                        u,u,u
+Google Internet Authority                                    ,,   
+Certificate Authority - Example Domain                       CT,C,C</programlisting>
+	<para>
+		Using additional arguments with <option>-L</option> can return and print the information for a single, specific certificate. For example, the <option>-n</option> argument passes the certificate name, while the <option>-a</option> argument prints the certificate in ASCII format:
+	</para>
+<programlisting>$ certutil -L -d sql:/home/my/sharednssdb -a -n "Certificate Authority - Example Domain"
+
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----</programlisting>
+
+	<para><command>Listing Keys</command></para>
+	<para>
+		Keys are the original material used to encrypt certificate data. The keys generated for certificates are stored separately, in the key database. 
+	</para>
+	<para>
+		To list all keys in the database, use the <option>-K</option> command option and the (required) <option>-d</option> argument to give the path to the directory.
+	</para>
+<programlisting>$ certutil -K -d sql:/home/my/sharednssdb
+certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services                  "
+&lt; 0> rsa      455a6673bde9375c2887ec8bf8016b3f9f35861d   Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
+&lt; 1> rsa      40defeeb522ade11090eacebaaf1196a172127df   Example Domain Administrator Cert
+&lt; 2> rsa      1d0b06f44f6c03842f7d4f4a1dc78b3bcd1b85a5   John Smith user cert</programlisting>
+	<para>
+		There are ways to narrow the keys listed in the search results:
+	</para>
+	<itemizedlist>
+	<listitem>
+	<para>
+		To return a specific key, use the <option>-n</option> <emphasis>name</emphasis> argument with the name of the key.
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		If there are multiple security devices loaded, then the <option>-h</option> <emphasis>tokenname</emphasis> argument can search a specific token or all tokens.
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		If there are multiple key types available, then the <option>-k</option> <emphasis>key-type</emphasis> argument can search a specific type of key, like RSA, DSA, or ECC. 
+	</para>
+	</listitem>
+	</itemizedlist>
+
+	<para><command>Listing Security Modules</command></para>
+	<para>
+		The devices that can be used to store certificates -- both internal databases and external devices like smart cards -- are recognized and used by loading security modules. The <option>-U</option> command option lists all of the security modules listed in the <filename>secmod.db</filename> database. The path to the directory (<option>-d</option>) is required.
+	</para>
+<programlisting>$ certutil -U -d sql:/home/my/sharednssdb
+
+    slot: NSS User Private Key and Certificate Services                  
+   token: NSS Certificate DB
+
+    slot: NSS Internal Cryptographic Services                            
+   token: NSS Generic Crypto Services</programlisting>
+
+	<para><command>Adding Certificates to the Database</command></para>
+	<para>
+		Existing certificates or certificate requests can be added manually to the certificate database, even if they were generated elsewhere. This uses the <option>-A</option> command option.
+	</para>
+<programlisting>certutil -A -n certname -t trustargs -d [sql:]directory [-a] [-i input-file]</programlisting>
+	<para>
+		For example:
+	</para>
+<programlisting>$ certutil -A -n "CN=My SSL Certificate" -t "u,u,u" -d sql:/home/my/sharednssdb -i /home/example-certs/cert.cer</programlisting>
+	<para>
+		A related command option, <option>-E</option>, is used specifically to add email certificates to the certificate database. The <option>-E</option> command has the same arguments as the <option>-A</option> command. The trust arguments for certificates have the format <emphasis>SSL,S/MIME,Code-signing</emphasis>, so the middle trust settings relate most to email certificates (though the others can be set). For example:
+	</para>
+<programlisting>$ certutil -E -n "CN=John Smith Email Cert" -t ",Pu," -d sql:/home/my/sharednssdb -i /home/example-certs/email.cer</programlisting>
+
+	<para><command>Deleting Certificates to the Database</command></para>
+	<para>
+		Certificates can be deleted from a database using the <option>-D</option> option. The only required options are to give the security database directory and to identify the certificate nickname.
+	</para>
+<programlisting>certutil -D -d [sql:]directory -n "nickname"</programlisting>
+	<para>
+		For example:
+	</para>
+<programlisting>$ certutil -D -d sql:/home/my/sharednssdb -n "my-ssl-cert"</programlisting>
+
+	<para><command>Validating Certificates</command></para>
+	<para>
+		A certificate contains an expiration date in itself, and expired certificates are easily rejected. However, certificates can also be revoked before they hit their expiration date. Checking whether a certificate has been revoked requires validating the certificate. Validation can also be used to ensure that the certificate is only used for the purposes it was initially issued for. Validation is carried out by the <option>-V</option> command option.
+	</para>
+<programlisting>certutil -V -n certificate-name [-b time] [-e] [-u cert-usage] -d [sql:]directory</programlisting>
+	<para>
+		For example, to validate an email certificate:
+	</para>
+<programlisting>$ certutil -V -n "John Smith's Email Cert" -e -u S,R -d sql:/home/my/sharednssdb</programlisting>
+
+	<para><command>Modifying Certificate Trust Settings</command></para>
+	<para>
+		The trust settings (which relate to the operations that a certificate is allowed to be used for) can be changed after a certificate is created or added to the database. This is especially useful for CA certificates, but it can be performed for any type of certificate.
+	</para>
+<programlisting>certutil -M -n certificate-name -t trust-args -d [sql:]directory</programlisting>
+	<para>
+		For example:
+	</para>
+<programlisting>$ certutil -M -n "My CA Certificate" -d sql:/home/my/sharednssdb -t "CTu,CTu,CTu"</programlisting>
+
+	<para><command>Printing the Certificate Chain</command></para>
+	<para>
+		Certificates can be issued in <emphasis>chains</emphasis> because every certificate authority itself has a certificate; when a CA issues a certificate, it essentially stamps that certificate with its own fingerprint. The <option>-O</option> prints the full chain of a certificate, going from the initial CA (the root CA) through ever intermediary CA to the actual certificate. For example, for an email certificate with two CAs in the chain:
+	</para>
+<programlisting>$ certutil -d sql:/home/my/sharednssdb -O -n "jsmith@example.com"
+"Builtin Object Token:Thawte Personal Freemail CA" [E=personal-freemail@thawte.com,CN=Thawte Personal Freemail CA,OU=Certification Services Division,O=Thawte Consulting,L=Cape Town,ST=Western Cape,C=ZA]
+
+  "Thawte Personal Freemail Issuing CA - Thawte Consulting" [CN=Thawte Personal Freemail Issuing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA]
+
+    "(null)" [E=jsmith@example.com,CN=Thawte Freemail Member]</programlisting>
+
+	<para><command>Resetting a Token</command></para>
+	<para>
+		The device which stores certificates -- both external hardware devices and internal software databases -- can be blanked and reused. This operation is performed on the device which stores the data, not directly on the security databases, so the location must be referenced through the token name (<option>-h</option>) as well as any directory path. If there is no external token used, the default value is internal.
+	</para>
+<programlisting>certutil -T -d [sql:]directory -h token-name -0 security-officer-password</programlisting>
+	<para>
+		Many networks have dedicated personnel who handle changes to security tokens (the security officer). This person must supply the password to access the specified token. For example:
+	</para>
+<programlisting>$ certutil -T -d sql:/home/my/sharednssdb -h nethsm -0 secret</programlisting>
+
+	<para><command>Upgrading or Merging the Security Databases</command></para>
+	<para>
+		Many networks or applications may be using older BerkeleyDB versions of the certificate database (<filename>cert8.db</filename>). Databases can be upgraded to the new SQLite version of the database (<filename>cert9.db</filename>) using the <option>--upgrade-merge</option> command option or existing databases can be merged with the new <filename>cert9.db</filename> databases using the <option>---merge</option> command.
+	</para>
+	<para>
+		The <option>--upgrade-merge</option> command must give information about the original database and then use the standard arguments (like <option>-d</option>) to give the information about the new databases. The command also requires information that the tool uses for the process to upgrade and write over the original database.
+	</para>
+<programlisting>certutil --upgrade-merge -d [sql:]directory [-P dbprefix] --source-dir directory --source-prefix dbprefix --upgrade-id id --upgrade-token-name name [-@ password-file]</programlisting>
+	<para>
+		For example:
+	</para>
+<programlisting>$ certutil --upgrade-merge -d sql:/home/my/sharednssdb --source-dir /opt/my-app/alias/ --source-prefix serverapp- --upgrade-id 1 --upgrade-token-name internal</programlisting>
+	<para>
+		The <option>--merge</option> command only requires information about the location of the original database; since it doesn't change the format of the database, it can write over information without performing interim step.
+	</para>
+<programlisting>certutil --merge -d [sql:]directory [-P dbprefix] --source-dir directory --source-prefix dbprefix [-@ password-file]</programlisting>
+	<para>
+		For example:
+	</para>
+<programlisting>$ certutil --merge -d sql:/home/my/sharednssdb --source-dir /opt/my-app/alias/ --source-prefix serverapp-</programlisting>
+
+	<para><command>Running certutil Commands from a Batch File</command></para>
+	<para>
+		A series of commands can be run sequentially from a text file with the <option>-B</option> command option. The only argument for this specifies the input file.
+	</para>
+<programlisting>$ certutil -B -i /path/to/batch-file</programlisting>
+  </refsection>
+
+<refsection id="databases"><title>NSS Database Types</title>
+<para>NSS originally used BerkeleyDB databases to store security information. 
+The last versions of these <emphasis>legacy</emphasis> databases are:</para>
+<itemizedlist>
+	<listitem>
+		<para>
+			cert8.db for certificates
+		</para>
+	</listitem>
+	<listitem>
+		<para>
+			key3.db for keys
+		</para>
+	</listitem>
+	<listitem>
+		<para>
+			secmod.db for PKCS #11 module information
+		</para>
+	</listitem>
+</itemizedlist>
+
+<para>BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously. NSS has 
+some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues. Still, NSS
+requires more flexibility to provide a truly shared security database.</para>
+
+<para>In 2009, NSS introduced a new set of databases that are SQLite databases rather than 
+BerkleyDB. These new databases provide more accessibility and performance:</para>
+<itemizedlist>
+	<listitem>
+		<para>
+			cert9.db for certificates
+		</para>
+	</listitem>
+	<listitem>
+		<para>
+			key4.db for keys
+		</para>
+	</listitem>
+	<listitem>
+		<para>
+			pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory
+		</para>
+	</listitem>
+</itemizedlist>
+
+<para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para>
+
+<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases follow the more common legacy type. 
+Using the SQLite databases must be manually specified by using the <command>sql:</command> prefix with the given security directory. For example:</para>
+
+<programlisting>$ certutil -L -d sql:/home/my/sharednssdb</programlisting>
+
+<para>To set the shared database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>sql</envar>:</para>
+<programlisting>export NSS_DEFAULT_DB_TYPE="sql"</programlisting>
+
+<para>This line can be set added to the <filename>~/.bashrc</filename> file to make the change permanent.</para>
+
+<para>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</para>
+<itemizedlist>
+	<listitem>
+		<para>
+			https://wiki.mozilla.org/NSS_Shared_DB_Howto</para>
+	</listitem>
+</itemizedlist>
+<para>For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:</para>
+<itemizedlist>
+	<listitem>
+		<para>
+			https://wiki.mozilla.org/NSS_Shared_DB
+		</para>
+	</listitem>
+</itemizedlist>
+</refsection>
+
+
+  <refsection id="seealso">
+    <title>See Also</title>
+    <para>pk12util (1)</para>
+    <para>modutil (1)</para>
+    <para><command>certutil</command> has arguments or operations that use features defined in several IETF RFCs.</para>
+	<itemizedlist>
+	<listitem>
+	<para>
+		http://tools.ietf.org/html/rfc5280
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		http://tools.ietf.org/html/rfc1113
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		http://tools.ietf.org/html/rfc1485
+	</para>
+	</listitem>
+	</itemizedlist>
+
+	<para>The NSS wiki has information on the new database design and how to configure applications to use it.</para>
+        <itemizedlist>
+	<listitem>
+		<para>
+			https://wiki.mozilla.org/NSS_Shared_DB_Howto</para>
+	</listitem>
+	<listitem>
+		<para>
+			https://wiki.mozilla.org/NSS_Shared_DB
+		</para>
+	</listitem>
+        </itemizedlist>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="resources">
+    <title>Additional Resources</title>
+	<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
+	<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
+	<para>IRC: Freenode at #dogtag-pki</para>
+  </refsection>
+
+<!-- fill in your name first; keep the other names for reference -->
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
+    <para>
+	Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
+    </para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, version 1.1,
+        and/or the GNU General Public License, version 2 or later,
+        and/or the GNU Lesser General Public License, version 2.1 or later.
+    </para>
+  </refsection>
+
+</refentry>
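Review bot: The worked examples under "Creating a Certificate" contradict the synopsis they sit below. In `$ certutil -S -s "CN=Example CA" -n my-ca-cert -x -t "C,C,C" -1 -2 -5 -m 3650` and the `-S ... -1 -5 -6 -8 -m 730` example that follows, `-5`, `-6` and `-8` are documented with a required argument (`-5 | --nsCertType keyword,keyword`, `-8 dns-names`), so as written the trailing `-m` would be consumed as that argument; and `-m` is the serial number per the synopsis (`[-m serial-number] [-v valid-months]`), while 3650 and 730 read like validity periods, which would be `-v`. Suggest giving each option its keyword list and using `-v` for validity. In the `-R` example the command requests an EC key (`-k ec -q nistb409`) but the pasted request is an RSA one: the base64 body carries the rsaEncryption algorithm identifier with a 512-bit modulus, and `-g 512` is an RSA key size rather than an EC parameter; regenerate the sample so command and output agree, and repair the garbled `Email: (not ed)` line. In the `-T` example, `-0 secret` puts the security officer password on the command line, where it is visible in process listings and shell history; a sentence next to it pointing at a file-based alternative (the `-@ pwfile` form is already documented for upgrades) would help. Smaller fixes: `<option>---merge</option>` has three dashes; "Deleting Certificates to the Database" should read "from"; "Inhibit Any Policy Access extension" should be "Inhibit Any Policy" (RFC 5280 has no "Access" in that name); the `-7` and `-8` entries cite RFC 3280 Section 4.2.1.7 while every other entry cites RFC 5280, where Subject Alternative Name is Section 4.2.1.6; "command options requires", "through ever intermediary", "without performing interim step", "BerkleyDB", "which is listing of" and "can be set added" are typos.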
new file mode 100644
--- /dev/null
+++ b/security/nss/doc/cmsutil.xml
@@ -0,0 +1,278 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="cmsutil">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>NSS Security Tools</title>
+    <productname>nss-tools</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>CMSUTIL</refentrytitle>
+    <manvolnum>1</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>cmsutil</refname>
+    <refpurpose>Performs basic cryptograpic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages.</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>cmsutil</command>
+      <arg><replaceable>options</replaceable></arg>
+      <arg>[<replaceable>arguments</replaceable>]</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection>
+    <title>STATUS</title>
+    <para>This documentation is still work in progress. Please contribute to the initial review in <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=836477">Mozilla NSS bug 836477</ulink>
+    </para>
+  </refsection>
+
+  <refsection id="description">
+    <title>Description</title>
+
+    <para>The <command>cmsutil</command> command-line uses the S/MIME Toolkit to perform basic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages.
+	</para>
+	<para>
+To run cmsutil, type the command cmsutil option [arguments] where option and arguments are combinations of the options and arguments listed in the following section. 
+Each command takes one option. Each option may take zero or more arguments. 
+To see a usage string, issue the command without options. 
+	</para>
+
+  </refsection>
+
+  <refsection id="options">
+    <title>Options and Arguments</title>
+	<para>
+	</para>
+   	<para><command>Options</command></para> 
+   	<para>
+Options specify an action. Option arguments modify an action. 
+The options and arguments for the cmsutil command are defined as follows:
+    </para>
+    <variablelist>
+      <varlistentry>
+        <term>-D </term>
+        <listitem><para>Decode a message.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-C</term>
+        <listitem><para>Encrypt a message.</para></listitem>
+      </varlistentry>
+    
+      <varlistentry>
+        <term>-E </term>
+        <listitem><para>Envelope a message.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-O </term>
+        <listitem><para>Create a certificates-only message.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-S </term>
+        <listitem><para>Sign a message.</para></listitem>
+      </varlistentry>
+
+    </variablelist>
+
+	<para><command>Arguments</command></para>
+	<para>Option arguments modify an action and are lowercase.</para>
+	<variablelist>
+      <varlistentry>
+        <term>-c content </term>
+        <listitem>
+          <para>Use this detached content (decode only).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-d dbdir</term>
+        <listitem>
+          <para>Specify the key/certificate database directory (default is ".")</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-e envfile</term>
+        <listitem>
+          <para>Specify a file containing an enveloped message for a set of recipients to which you would like to send an encrypted message. If this is the first encrypted message for that set of recipients, a new enveloped message will be created that you can then use for future messages (encrypt only).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-G</term>
+        <listitem>
+          <para>Include a signing time attribute (sign only).</para>
+        </listitem>
+      </varlistentry>
+	
+      <varlistentry>
+        <term>-h num</term>
+        <listitem>
+          <para>Generate email headers with info about CMS message (decode only).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-i infile</term>
+        <listitem>
+          <para>Use infile as a source of data (default is stdin).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-N nickname</term>
+        <listitem>
+          <para>Specify nickname of certificate to sign with (sign only).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-n </term>
+        <listitem>
+          <para>Suppress output of contents (decode only).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-o outfile</term>
+        <listitem>
+          <para>Use outfile as a destination of data (default is stdout).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-P</term>
+        <listitem>
+          <para>Include an S/MIME capabilities attribute.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-p password</term>
+        <listitem>
+          <para>Use password as key database password.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-r recipient1,recipient2, ...</term>
+        <listitem>
+          <para>
+Specify list of recipients (email addresses) for an encrypted or enveloped message. 
+For certificates-only message, list of certificates to send.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-T</term>
+        <listitem>
+          <para>Suppress content in CMS message (sign only).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-u certusage</term>
+        <listitem>
+          <para>Set type of cert usage (default is certUsageEmailSigner).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-Y ekprefnick</term>
+        <listitem>
+          <para>Specify an encryption key preference by nickname.</para>
+        </listitem>
+      </varlistentry>
+
+    </variablelist>
+
+  </refsection>
+
+  <refsection id="usage">
+    <title>Usage</title>
+    <para>Encrypt Example</para>
+      <programlisting>
+cmsutil -C [-i infile] [-o outfile] [-d dbdir] [-p password] -r "recipient1,recipient2, . . ." -e envfile
+      </programlisting>
+
+    <para>Decode Example</para>
+      <programlisting>
+cmsutil -D [-i infile] [-o outfile] [-d dbdir] [-p password] [-c content] [-n] [-h num]
+      </programlisting>
+
+    <para>Envelope Example</para>
+      <programlisting>
+cmsutil -E [-i infile] [-o outfile] [-d dbdir] [-p password] -r "recipient1,recipient2, ..."
+      </programlisting>
+
+    <para>Certificate-only Example</para>
+      <programlisting>
+cmsutil -O [-i infile] [-o outfile] [-d dbdir] [-p password] -r "cert1,cert2, . . ."
+      </programlisting>
+
+    <para>Sign Message Example</para>
+      <programlisting>
+cmsutil -S [-i infile] [-o outfile] [-d dbdir] [-p password] -N nickname[-TGP] [-Y ekprefnick]
+      </programlisting>
+
+  </refsection>
+
+  <refsection>
+    <title>See also</title>
+    <para>certutil(1)</para>
+  </refsection>
+
+
+  <refsection id="seealso">
+    <title>See Also</title>
+    <para></para>
+	<para>
+	</para>
+	<para>
+	</para>
+	<para>
+	</para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="resources">
+    <title>Additional Resources</title>
+	<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
+	<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
+	<para>IRC: Freenode at #dogtag-pki</para>
+  </refsection>
+
+<!-- fill in your name first; keep the other names for reference -->
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
+    <para>
+	Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
+    </para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, version 1.1,
+        and/or the GNU General Public License, version 2 or later,
+        and/or the GNU Lesser General Public License, version 2.1 or later.
+    </para>
+  </refsection>
+
+</refentry>
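Review bot: the Arguments preamble states that option arguments "are lowercase", but the list that follows includes the uppercase arguments -G, -N, -P, -T and -Y, so either drop that sentence or rephrase it to say that the single-letter actions are the uppercase letters listed under Options and everything else is an argument. Two structural points in the same region: the "See also" section (certutil(1)) is immediately followed by a second, empty "See Also" section with id="seealso" that contains only blank paras and should be merged into the first, and the empty `<para></para>` under "Options and Arguments" can go. In the Usage section the sign example reads `-N nickname[-TGP]` and needs a space before `[-TGP]`, and the recipient placeholder is written ". . ." in the encrypt and certificate-only examples but "..." in the envelope example. For `-p password`, consider adding that a password given as a command-line argument is visible to other local users in process listings; unlike crlutil, this page documents no file-based way to supply it.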
new file mode 100644
--- /dev/null
+++ b/security/nss/doc/crlutil.xml
@@ -0,0 +1,536 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="crlutil">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>NSS Security Tools</title>
+    <productname>nss-tools</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>CRLUTIL</refentrytitle>
+    <manvolnum>1</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>crlutil</refname>
+    <refpurpose>
+List, generate, modify, or delete CRLs within the NSS security database file(s) and list, create, modify or delete certificates entries in a particular CRL.
+    </refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>crlutil</command>
+      <arg><replaceable>options</replaceable></arg>
+      <arg>[<replaceable>arguments</replaceable>]</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection>
+    <title>STATUS</title>
+    <para>This documentation is still work in progress. Please contribute to the initial review in <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=836477">Mozilla NSS bug 836477</ulink>
+    </para>
+  </refsection>
+
+  <refsection id="description">
+    <title>Description</title>
+
+    <para>The Certificate Revocation List (CRL) Management Tool, <command>crlutil</command>, is a command-line utility that can list, generate, modify, or delete CRLs within the NSS security database file(s) and list, create, modify or delete certificates entries in a particular CRL.
+    </para>
+    <para>
+The key and certificate management process generally begins with creating keys in the key database, then generating and managing certificates in the certificate database(see certutil tool) and continues with certificates expiration or revocation.
+    </para>
+    <para>
+This document discusses certificate revocation list management. For information on security module database management, see Using the Security Module Database Tool. For information on certificate and key database management, see Using the Certificate Database Tool.
+    </para>
+
+    <para>
+To run the Certificate Revocation List Management Tool, type the command
+    </para>
+    <para>
+crlutil option [arguments]
+    </para>
+    <para>
+where options and arguments are combinations of the options and arguments listed in the following section. Each command takes one option. Each option may take zero or more arguments. To see a usage string, issue the command without options, or with the -H option.
+    </para>
+
+  </refsection>
+  
+  <refsection id="options">
+    <title>Options and Arguments</title>
+	<para>
+	</para>
+   	<para><command>Options</command></para> 
+   	<para>
+Options specify an action. Option arguments modify an action. 
+The options and arguments for the crlutil command are defined as follows:
+    </para>
+
+  <variablelist>
+    <varlistentry>
+      <term>-G </term>
+        <listitem>
+          <para>
+Create new Certificate Revocation List(CRL).
+          </para>
+        </listitem>
+      </varlistentry>
+
+    <varlistentry>
+      <term>-D </term>
+        <listitem>
+          <para>
+Delete Certificate Revocation List from cert database.
+          </para>
+        </listitem>
+      </varlistentry>
+
+
+    <varlistentry>
+      <term>-I </term>
+        <listitem>
+          <para>
+Import a CRL to the cert database
+          </para>
+        </listitem>
+      </varlistentry>
+
+    <varlistentry>
+      <term>-E </term>
+        <listitem>
+          <para>
+Erase all CRLs of specified type from the cert database
+          </para>
+        </listitem>
+      </varlistentry>
+
+
+    <varlistentry>
+      <term>-L </term>
+        <listitem>
+          <para>
+List existing CRL located in cert database file.
+          </para>
+        </listitem>
+      </varlistentry>
+
+    <varlistentry>
+      <term>-S </term>
+        <listitem>
+          <para>
+Show contents of a CRL file which isn't stored in the database.
+          </para>
+        </listitem>
+      </varlistentry>
+
+    <varlistentry>
+      <term>-M </term>
+        <listitem>
+          <para>
+Modify existing CRL which can be located in cert db or in arbitrary file. If located in file it should be encoded in ASN.1 encode format.
+          </para>
+        </listitem>
+      </varlistentry>
+
+    <varlistentry>
+      <term>-G </term>
+        <listitem>
+          <para>
+
+          </para>
+        </listitem>
+      </varlistentry>
+  </variablelist>
+
+  <para><command>Arguments</command></para>
+  <para>Option arguments modify an action and are lowercase.</para>
+
+  <variablelist>
+
+      <varlistentry>
+        <term>-B </term>
+        <listitem>
+          <para>
+Bypass CA signature checks.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-P dbprefix </term>
+        <listitem>
+          <para>
+Specify the prefix used on the NSS security database files (for example, my_cert8.db and my_key3.db). This option is provided as a special case. Changing the names of the certificate and key databases is not recommended.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-a </term>
+        <listitem>
+          <para>
+Use ASCII format or allow the use of ASCII format for input and output. This formatting follows RFC #1113.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-c crl-gen-file </term>
+        <listitem>
+          <para>
+Specify script file that will be used to control crl generation/modification. See crl-cript-file format below. If options -M|-G is used and -c crl-script-file is not specified, crlutil will read script data from standard input.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-d directory </term>
+        <listitem>
+          <para>
+Specify the database directory containing the certificate and key database files. On Unix the Certificate Database Tool defaults to $HOME/.netscape (that is, ~/.netscape). On Windows NT the default is the current directory.
+          </para>
+          <para>
+The NSS database files must reside in the same directory.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-i crl-file </term>
+        <listitem>
+          <para>
+Specify the file which contains the CRL to import or show.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-f password-file </term>
+        <listitem>
+          <para>
+Specify a file that will automatically supply the password to include in a certificate or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent unauthorized access to this file.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-l algorithm-name </term>
+        <listitem>
+          <para>
+Specify a specific signature algorithm. List of possible algorithms: MD2 | MD4 | MD5 | SHA1 | SHA256 | SHA384 | SHA512
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-n nickname </term>
+        <listitem>
+          <para>
+Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-o output-file </term>
+        <listitem>
+          <para>
+Specify the output file name for new CRL. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-t crl-type </term>
+        <listitem>
+          <para>
+Specify type of CRL. possible types are: 0 - SEC_KRL_TYPE, 1 - SEC_CRL_TYPE. This option is obsolete
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-u url </term>
+        <listitem>
+          <para>
+Specify the url.
+          </para>
+        </listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsection>
+
+  <refsection id="syntax">
+    <title>CRL Generation script syntax</title>
+    <para>CRL generation script file has the following syntax:</para>
+    <para>
+    * Line with comments should have # as a first symbol of a line</para>
+    <para>
+    * Set "this update" or "next update" CRL fields:
+    </para>
+    <para>           
+             update=YYYYMMDDhhmmssZ
+             nextupdate=YYYYMMDDhhmmssZ
+     </para>
+    <para>
+      Field "next update" is optional. Time should be in GeneralizedTime format (YYYYMMDDhhmmssZ).
+      For example: 20050204153000Z
+    </para>
+
+    <para>* Add an extension to a CRL or a crl certificate entry:</para>
+    <para>addext extension-name critical/non-critical [arg1[arg2 ...]]</para>
+    <para>Where:</para>
+    <para>
+          extension-name: string value of a name of known extensions.
+          critical/non-critical: is 1 when extension is critical and 0 otherwise.
+          arg1, arg2: specific to extension type extension parameters
+    </para>
+    <para>
+      addext uses the range that was set earlier by addcert and will install an extension to every cert entries within the range.
+    </para>
+    <para>
+    * Add certificate entries(s) to CRL:
+    </para>
+    <para>
+          addcert range date
+    </para>
+    <para>
+          range: two integer values separated by dash: range of certificates that will be added by this command. dash is used as a delimiter. Only one cert will be added if there is no delimiter.
+          date: revocation date of a cert. Date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ).
+    </para>
+    <para>
+    * Remove certificate entry(s) from CRL
+    </para>
+    <para>
+          rmcert range
+    </para>
+    <para>
+      Where:
+    </para>
+    <para>
+          range: two integer values separated by dash: range of certificates that will be added by this command. dash is used as a delimiter. Only one cert will be added if there is no delimiter.
+    </para>
+    <para>
+    * Change range of certificate entry(s) in CRL
+    </para>
+    <para>
+          range new-range
+    </para>
+    <para>
+      Where:
+    </para>
+    <para>
+          new-range: two integer values separated by dash: range of certificates that will be added by this command. dash is used as a delimiter. Only one cert will be added if there is no delimiter.
+    </para>
+    <para>
+Implemented Extensions
+     </para>
+     <para>
+      The extensions defined for CRL provide methods for associating additional attributes with CRLs of theirs entries. For more information see RFC #3280
+     </para>
+     <para>
+    * Add The Authority Key Identifier extension:
+     </para>
+     <para>
+      The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a CRL.
+     </para>
+     <para>
+          authKeyId critical [key-id | dn cert-serial]
+     </para>
+     <para>
+      Where:
+     </para>
+     <para>
+          authKeyIdent: identifies the name of an extension
+          critical: value of 1 of 0. Should be set to 1 if this extension is critical or 0 otherwise.
+          key-id: key identifier represented in octet string. dn:: is a CA distinguished name cert-serial: authority certificate serial number. 
+     </para>
+     <para>
+    * Add Issuer Alternative Name extension:
+     </para>
+     <para>
+      The issuer alternative names extension allows additional identities to be associated with the issuer of the CRL. Defined options include an rfc822 name (electronic mail address), a DNS name, an IP address, and a URI.
+     </para>
+     <para>
+          issuerAltNames non-critical name-list
+     </para>
+     <para>
+      Where:
+     </para>
+     <para>
+          subjAltNames: identifies the name of an extension
+          should be set to 0 since this is non-critical extension
+          name-list: comma separated list of names
+     </para>
+     <para>
+    * Add CRL Number extension:
+     </para>
+     <para>
+      The CRL number is a non-critical CRL extension which conveys a monotonically increasing sequence number for a given CRL scope and CRL issuer. This extension allows users to easily determine when a particular CRL supersedes another CRL
+     </para>
+     <para>
+          crlNumber non-critical number
+     </para>
+     <para>
+      Where:
+     </para>
+     <para>
+          crlNumber: identifies the name of an extension
+          critical: should be set to 0 since this is non-critical extension
+          number: value of long which identifies the sequential number of a CRL.
+     </para>
+     <para>
+    * Add Revocation Reason Code extension:
+     </para>
+     <para>
+      The reasonCode is a non-critical CRL entry extension that identifies the reason for the certificate revocation.
+     </para>
+     <para>
+          reasonCode non-critical code
+     </para>
+     <para>
+      Where:
+     </para>
+     <para>
+          reasonCode: identifies the name of an extension
+          non-critical: should be set to 0 since this is non-critical extension
+          code: the following codes are available:
+     </para>
+     <para>
+              unspecified (0),
+              keyCompromise (1),
+              cACompromise (2),
+              affiliationChanged (3),
+              superseded (4),
+              cessationOfOperation (5),
+              certificateHold (6),
+              removeFromCRL (8),
+              privilegeWithdrawn (9),
+              aACompromise (10)
+     </para>
+     <para>
+    * Add Invalidity Date extension:
+     </para>
+     <para>
+      The invalidity date is a non-critical CRL entry extension that provides the date on which it is known or suspected that the private key was compromised or that the certificate otherwise became invalid.
+     </para>
+     <para>
+          invalidityDate non-critical date
+     </para>
+     <para>
+      Where:
+     </para>
+     <para>
+          crlNumber: identifies the name of an extension
+          non-critical: should be set to 0 since this is non-critical extension date: invalidity date of a cert. Date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ).
+     </para>
+  </refsection>
+
+  <refsection id="usage">
+    <title>Usage</title>
+    <para>
+The Certificate Revocation List Management Tool's capabilities are grouped as follows, using these combinations of options and arguments. Options and arguments in square brackets are optional, those without square brackets are required.
+    </para>
+    <para>See "Implemented extensions" for more information regarding extensions and their parameters.</para>
+    <para>
+    * Creating or modifying a CRL:
+    </para>
+      <programlisting>
+crlutil -G|-M -c crl-gen-file -n nickname [-i crl] [-u url] [-d keydir] [-P dbprefix] [-l alg] [-a] [-B] 
+      </programlisting>
+    <para>
+    * Listing all CRls or a named CRL:
+    </para>
+      <programlisting>
+	crlutil -L [-n crl-name] [-d krydir] 
+      </programlisting>
+
+    <para>
+    * Deleting CRL from db:
+    </para>
+      <programlisting>
+	crlutil -D -n nickname [-d keydir] [-P dbprefix] 
+      </programlisting>
+
+    <para>
+    * Erasing CRLs from db:
+    </para>
+      <programlisting>
+	crlutil -E [-d keydir] [-P dbprefix] 
+      </programlisting>
+
+    <para>
+    * Deleting CRL from db: 
+    </para>
+    <programlisting>
+          crlutil -D -n nickname [-d keydir] [-P dbprefix]
+    </programlisting>
+
+    <para>
+    * Erasing CRLs from db:
+    </para>
+    <programlisting>
+          crlutil -E [-d keydir] [-P dbprefix] 
+    </programlisting>
+
+    <para>
+    * Import CRL from file:
+    </para>
+    <programlisting>
+          crlutil -I -i crl [-t crlType] [-u url] [-d keydir] [-P dbprefix] [-B] 
+    </programlisting>
+  </refsection>
+
+  <refsection>
+    <title>See also</title>
+    <para>certutil(1)</para>
+  </refsection>
+
+
+  <refsection id="seealso">
+    <title>See Also</title>
+    <para></para>
+	<para>
+	</para>
+	<para>
+	</para>
+	<para>
+	</para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="resources">
+    <title>Additional Resources</title>
+	<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
+	<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
+	<para>IRC: Freenode at #dogtag-pki</para>
+  </refsection>
+
+<!-- fill in your name first; keep the other names for reference -->
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
+    <para>
+	Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
+    </para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, version 1.1,
+        and/or the GNU General Public License, version 2 or later,
+        and/or the GNU Lesser General Public License, version 2.1 or later.
+    </para>
+  </refsection>
+
+</refentry>
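Review bot: `-G` appears twice in the Options list; the second entry, after `-M`, has an empty description and should be removed or filled in if another letter was intended. The extension keyword names do not agree between the syntax line and the "Where:" explanation: `authKeyId` is explained as `authKeyIdent`, `issuerAltNames` as `subjAltNames`, and `invalidityDate` under the name `crlNumber`; "value of 1 of 0" in the authKeyId entry should read "1 or 0". Several argument descriptions are copied from certutil and do not fit this tool: `-d directory` says "the Certificate Database Tool defaults to $HOME/.netscape", `-f password-file` talks about a password "to include in a certificate", and `-n nickname` says "list, create, add to a database, modify, or validate". Likewise the `rmcert` and `range` explanations say the certificates "will be added by this command" (should be removed, respectively renumbered), and the `-c` entry refers to "crl-cript-file" while its term says `crl-gen-file`. In Usage, "Deleting CRL from db" and "Erasing CRLs from db" are listed twice, "CRls" and "krydir" are typos, and the "See also" section is again followed by an empty "See Also" section, as in cmsutil.xml. Finally, for `-l algorithm-name` the list offers MD2, MD4 and MD5 beside the SHA family; these are deprecated digests, and a CRL signed with one will be rejected or distrusted by relying parties, so mark them as legacy and name SHA256 or stronger as the recommended choice. The `-B` "Bypass CA signature checks" argument deserves a sentence on its effect (the imported or generated CRL is accepted without verifying the issuer signature) so readers do not use it routinely.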
new file mode 100644
--- /dev/null
+++ b/security/nss/doc/derdump.xml
@@ -0,0 +1,98 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="derdump">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>NSS Security Tools</title>
+    <productname>nss-tools</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>DERDUMP</refentrytitle>
+    <manvolnum>1</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>derdump </refname>
+    <refpurpose>Dumps C-sequence strings from a DER encoded certificate file</refpurpose>
+  </refnamediv>
+
+ <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>derdump</command>
+      <arg><option>-r</option></arg>
+      <arg><option>-i <replaceable>input-file</replaceable></option></arg>
+      <arg><option>-o <replaceable>output-file</replaceable></option></arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection>
+    <title>STATUS</title>
+    <para>This documentation is still work in progress. Please contribute to the initial review in <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=836477">Mozilla NSS bug 836477</ulink>
+    </para>
+  </refsection>
+
+  <refsection>
+    <title>Description</title>
+
+    <para><command>derdump </command>dumps C-sequence strings from a DER encode certificate file </para>
+
+  </refsection>
+
+<refsection>
+    <title>Options</title>
+    
+    <variablelist>
+    
+    <varlistentry>
+        <term><option>-r </option></term>
+        <listitem><simpara>For formatted items, dump raw bytes as well</simpara></listitem>
+      </varlistentry>
+      
+      <varlistentry>
+        <term><option>-i </option> <replaceable>DER encoded file</replaceable></term>
+        <listitem><simpara>Define an input file to use (default is stdin)</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>-o </option> <replaceable>output file</replaceable></term>
+        <listitem><simpara>Define an output file to use (default is stdout).</simpara></listitem>
+      </varlistentry>
+    
+        </variablelist>
+  </refsection>
+  
+  <refsection id="resources">
+    <title>Additional Resources</title>
+    <para>NSS is maintained in conjunction with PKI and security-related projects through Mozilla dn Fedora. The most closely-related project is Dogtag PKI, with a project wiki at <ulink url="http://pki.fedoraproject.org/wiki/">PKI Wiki</ulink>. </para>
+	<para>For information specifically about NSS, the NSS project wiki is located at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">Mozilla NSS site</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
+	<para>Mailing lists: pki-devel@redhat.com and pki-users@redhat.com</para>
+	<para>IRC: Freenode at #dogtag-pki</para>
+  </refsection>
+
+<!-- fill in your name first; keep the other names for reference -->
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The NSS tools were written and maintained by developers with Netscape and now with Red Hat.</para>
+    <para>
+	Authors: Gerhardus Geldenhuis &lt;gerhardus.geldenhuis@gmail.com>. Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com&gt;
+    </para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, version 1.1,
+        and/or the GNU General Public License, version 2 or later,
+        and/or the GNU Lesser General Public License, version 2.1 or later.
+    </para>
+  </refsection>
+
+</refentry>
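Review bot: the refpurpose and Description say derdump "dumps C-sequence strings", which does not tell the reader what output to expect; the options imply that the tool decodes a DER-encoded input and prints its structure, with `-r` adding the raw bytes of formatted items, so reword the purpose along those lines and fix "DER encode certificate file" (encoded). The `-i` term calls the input a "DER encoded file" rather than a certificate file, so the purpose line should not restrict the input to certificates unless that is intended. Smaller points: "Mozilla dn Fedora" should read "and"; the Resources text and mailing lists (pki-devel@redhat.com, pki-users@redhat.com) differ from the dev-tech-crypto list and NSS wiki text used in the other man pages added by this patch; the Authors line uses a period instead of a comma after the first name and mixes a raw `>` with `&gt;`; the `<refsynopsisdiv>` is indented one column short of its siblings; and this page has no "See also" section while the others do.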
new file mode 100644
--- /dev/null
+++ b/security/nss/doc/modutil.xml
@@ -0,0 +1,761 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="modutil">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>NSS Security Tools</title>
+    <productname>nss-tools</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>MODUTIL</refentrytitle>
+    <manvolnum>1</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>modutil</refname>
+    <refpurpose>Manage PKCS #11 module information within the security module database.</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>modutil</command>
+      <arg><replaceable>options</replaceable></arg>
+      <arg>[<replaceable>arguments</replaceable>]</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection>
+    <title>STATUS</title>
+    <para>This documentation is still work in progress. Please contribute to the initial review in <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=836477">Mozilla NSS bug 836477</ulink>
+    </para>
+  </refsection>
+
+  <refsection id="description">
+    <title>Description</title>
+    <para>The Security Module Database Tool, <command>modutil</command>, is a command-line utility for managing PKCS #11 module information both within <filename>secmod.db</filename> files and within hardware tokens. <command>modutil</command> can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files.</para>
+
+	<para>The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.</para>
+  </refsection>
+  
+  <refsection id="options">
+    <title>Options</title>
+	<para>
+		Running <command>modutil</command> always requires one (and only one) option to specify the type of module operation. Each option may take arguments, anywhere from none to multiple arguments.
+	</para>
+   	<para><command>Options</command></para> 
+
+	<variablelist>
+
+      <varlistentry>
+        <term>-add modulename</term>
+	  <listitem><para>Add the named PKCS #11 module to the database. Use this option with the <option>-libfile</option>, <option>-ciphers</option>, and <option>-mechanisms</option> arguments.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-changepw tokenname</term>
+	  <listitem><para>Change the password on the named token. If the token has not been initialized, this option initializes the password. Use this option with the <option>-pwfile</option> and <option>-newpwfile</option> arguments. A <emphasis>password</emphasis> is equivalent to a personal identification number (PIN).</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-chkfips</term>
+	  <listitem><para>Verify whether the module is in the given FIPS mode. <command>true</command> means to verify that the module is in FIPS mode, while <command>false</command> means to verify that the module is not in FIPS mode.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-create</term>
+	<listitem><para>Create new certificate, key, and module databases. Use the <option>-dbdir</option> directory argument to specify a directory. If any of these databases already exist in a specified directory, <command>modutil</command> returns an error message.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-default modulename</term>
+	  <listitem><para>Specify the security mechanisms for which the named module will be a default provider. The security mechanisms are specified with the <option>-mechanisms</option> argument.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-delete modulename</term>
+	  <listitem><para>Delete the named module. The default NSS PKCS #11 module cannot be deleted.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-disable modulename</term>
+	  <listitem><para>Disable all slots on the named module. Use the <option>-slot</option> argument to disable a specific slot.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-enable modulename</term>
+	  <listitem><para>Enable all slots on the named module. Use the <option>-slot</option> argument to enable a specific slot.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-fips [true | false]</term>
+	  <listitem><para>Enable (true) or disable (false) FIPS 140-2 compliance for the default NSS module.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-force</term>
+	  <listitem><para>Disable <command>modutil</command>'s interactive prompts so it can be run from a script. Use this option only after manually testing each planned operation to check for warnings and to ensure that bypassing the prompts will cause no security lapses or loss of database integrity.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-jar JAR-file</term>
+	  <listitem><para>Add a new PKCS #11 module to the database using the named JAR file. Use this command with the <option>-installdir</option> and <option>-tempdir</option> arguments. The JAR file uses the NSS PKCS #11 JAR format to identify all the files to be installed, the module's name, the mechanism flags, and the cipher flags, as well as any files to be installed on the target machine, including the PKCS #11 module library file and other files such as documentation. This is covered in the JAR installation file section in the man page, which details the special script needed to perform an installation through a server or with <command>modutil</command>. </para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+          <term>-list [modulename]</term>
+	  <listitem><para>Display basic information about the contents of the <filename>secmod.db</filename> file. Specifying a <emphasis>modulename</emphasis> displays detailed information about a particular module and its slots and tokens.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-rawadd</term>
+	  <listitem><para>Add the module spec string to the <filename>secmod.db</filename> database.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-rawlist</term>
+	  <listitem><para>Display the module specs for a specified module or for all loadable modules.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-undefault modulename</term>
+	  <listitem><para>Specify the security mechanisms for which the named module will not be a default provider. The security mechanisms are specified with the <option>-mechanisms</option> argument.</para></listitem>
+      </varlistentry>
+	</variablelist>
+
+	<para><command>Arguments</command></para>
+    <variablelist>
+
+      <varlistentry>
+        <term>MODULE</term>
+	  <listitem><para>Give the security module to access.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>MODULESPEC</term>
+	  <listitem><para>Give the security module spec to load into the security database.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-ciphers cipher-enable-list</term>
+	  <listitem><para>Enable specific ciphers in a module that is being added to the database. The <emphasis>cipher-enable-list</emphasis> is a colon-delimited list of cipher names. Enclose this list in quotation marks if it contains spaces.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-dbdir [sql:]directory</term>
+	  <listitem><para>Specify the database directory in which to access or create security module database files.</para>
+	<para><command>modutil</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>sql:</command> is not used, then the tool assumes that the given databases are in the old format.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>--dbprefix prefix</term>
+	  <listitem><para>Specify the prefix used on the database files, such as <filename>my_</filename> for <filename>my_cert8.db</filename>. This option is provided as a special case. Changing the names of the certificate and key databases is not recommended.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-installdir root-installation-directory</term>
+	  <listitem><para>Specify the root installation directory relative to which files will be installed by the <option>-jar</option> option. This directory should be one below which it is appropriate to store dynamic library files, such as a server's root directory.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-libfile library-file</term>
+	  <listitem><para>Specify a path to a library file containing the implementation of the PKCS #11 interface module that is being added to the database.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-mechanisms mechanism-list</term>
+	  <listitem><para>Specify the security mechanisms for which a particular module will be flagged as a default provider. The <emphasis>mechanism-list</emphasis> is a colon-delimited list of mechanism names. Enclose this list in quotation marks if it contains spaces.</para>
+	<para>The module becomes a default provider for the listed mechanisms when those mechanisms are enabled. If more than one module claims to be a particular mechanism's default provider, that mechanism's default provider is undefined.</para>
+	<para><command>modutil</command> supports several mechanisms: RSA, DSA, RC2, RC4, RC5, AES, DES, DH, SHA1, SHA256, SHA512, SSL, TLS, MD5, MD2, RANDOM (for random number generation), and FRIENDLY (meaning certificates are publicly readable).</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-newpwfile new-password-file</term>
+	  <listitem><para>Specify a text file containing a token's new or replacement password so that a password can be entered automatically with the <option>-changepw</option> option.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-nocertdb</term>
+	  <listitem><para>Do not open the certificate or key databases. This has several effects:</para>
+		<itemizedlist>
+		<listitem>
+          <para>With the <option>-create</option> command, only a module security file is created; certificate and key databases are not created.</para>
+		</listitem>
+		<listitem>
+          <para>With the <option>-jar</option> command, signatures on the JAR file are not checked.</para>
+		</listitem>
+		<listitem>
+          <para>With the <option>-changepw</option> command, the password on the NSS internal module cannot be set or changed, since this password is stored in the key database.</para></listitem>
+		</itemizedlist>
+		</listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-pwfile old-password-file</term>
+	  <listitem><para>Specify a text file containing a token's existing password so that a password can be entered automatically when the <option>-changepw</option> option is used to change passwords.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-secmod secmodname</term>
+	  <listitem><para>Give the name of the security module database (like <filename>secmod.db</filename>) to load.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-slot slotname</term>
+	  <listitem><para>Specify a particular slot to be enabled or disabled with the <option>-enable</option> or <option>-disable</option> options.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-string CONFIG_STRING</term>
+	  <listitem><para>Pass a configuration string for the module being added to the database.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-tempdir temporary-directory</term>
+	  <listitem><para>Give a directory location where temporary files are created during the installation by the <option>-jar</option> option. If no temporary directory is specified, the current directory is used.</para></listitem>
+      </varlistentry>
+    </variablelist>
+  </refsection>
+
+  <refsection id="usage-and-examples">
+    <title>Usage and Examples</title>
+
+    <para><command>Creating Database Files</command></para>
+    <para>Before any operations can be performed, there must be a set of security databases available. <command>modutil</command> can be used to create these files. The only required argument is the database that where the databases will be located.</para>
+<programlisting>modutil -create -dbdir [sql:]directory</programlisting>
+
+	<para><command>Adding a Cryptographic Module</command></para>
+	<para>Adding a PKCS #11 module means submitting a supporting library file, enabling its ciphers, and setting default provider status for various security mechanisms. This can be done by supplying all of the information through <command>modutil</command> directly or by running a JAR file and install script. For the most basic case, simply upload the library:</para>
+<programlisting>modutil -add modulename -libfile library-file [-ciphers cipher-enable-list] [-mechanisms mechanism-list] </programlisting>
+	<para>For example:
+<programlisting>modutil -dbdir sql:/home/my/sharednssdb -add "Example PKCS #11 Module" -libfile "/tmp/crypto.so" -mechanisms RSA:DSA:RC2:RANDOM 
+
+Using database directory ... 
+Module "Example PKCS #11 Module" added to database.</programlisting>
+        </para>
+
+
+	<para><command>Installing a Cryptographic Module from a JAR File</command></para>
+	<para>PKCS #11 modules can also be loaded using a JAR file, which contains all of the required libraries and an installation script that describes how to install the module. The JAR install script is described in more detail in <xref linkend="jar-install-file" />.</para>
+	<para>The JAR installation script defines the setup information for each platform that the module can be installed on. For example:</para>
+<programlisting>Platforms { 
+   Linux:5.4.08:x86 { 
+      ModuleName { "Example PKCS #11 Module" } 
+      ModuleFile { crypto.so } 
+      DefaultMechanismFlags{0x0000} 
+      CipherEnableFlags{0x0000} 
+      Files { 
+         crypto.so { 
+            Path{ /tmp/crypto.so } 
+         } 
+         setup.sh { 
+            Executable 
+            Path{ /tmp/setup.sh } 
+         } 
+      } 
+   } 
+   Linux:6.0.0:x86 { 
+      EquivalentPlatform { Linux:5.4.08:x86 } 
+   } 
+} </programlisting>
+	<para>Both the install script and the required libraries must be bundled in a JAR file, which is specified with the <option>-jar</option> argument.</para>
+
+<programlisting>modutil -dbdir sql:/home/mt"jar-install-filey/sharednssdb -jar install.jar -installdir sql:/home/my/sharednssdb
+
+This installation JAR file was signed by: 
+---------------------------------------------- 
+
+**SUBJECT NAME** 
+
+C=US, ST=California, L=Mountain View, CN=Cryptorific Inc., OU=Digital ID
+Class 3 - Netscape Object Signing, OU="www.verisign.com/repository/CPS
+Incorp. by Ref.,LIAB.LTD(c)9 6", OU=www.verisign.com/CPS Incorp.by Ref
+. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign Object Signing CA - Class 3
+Organization, OU="VeriSign, Inc.", O=VeriSign Trust Network **ISSUER
+NAME**, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
+VeriSign, OU=VeriSign Object Signing CA - Class 3 Organization,
+OU="VeriSign, Inc.", O=VeriSign Trust Network 
+---------------------------------------------- 
+
+Do you wish to continue this installation? (y/n) y 
+Using installer script "installer_script" 
+Successfully parsed installation script 
+Current platform is Linux:5.4.08:x86 
+Using installation parameters for platform Linux:5.4.08:x86 
+Installed file crypto.so to /tmp/crypto.so
+Installed file setup.sh to ./pk11inst.dir/setup.sh 
+Executing "./pk11inst.dir/setup.sh"... 
+"./pk11inst.dir/setup.sh" executed successfully 
+Installed module "Example PKCS #11 Module" into module database 
+
+Installation completed successfully </programlisting>
+
+	<para><command>Adding Module Spec</command></para>
+	<para>Each module has information stored in the security database about its configuration and parameters. These can be added or edited using the <option>-rawadd</option> command. For the current settings or to see the format of the module spec in the database, use the <option>-rawlist</option> option.</para>
+<programlisting>modutil -rawadd modulespec</programlisting>
+
+
+	<para><command>Deleting a Module</command></para>
+    <para>A specific PKCS #11 module can be deleted from the <filename>secmod.db</filename> database:</para>
+<programlisting>modutil -delete modulename -dbdir [sql:]directory </programlisting>
+
+	<para><command>Displaying Module Information</command></para>
+	<para>The <filename>secmod.db</filename> database contains information about the PKCS #11 modules that are available to an application or server to use. The list of all modules, information about specific modules, and database configuration specs for modules can all be viewed. </para>
+    <para>To simply get a list of modules in the database, use the <option>-list</option> command.</para>
+<programlisting>modutil -list [modulename] -dbdir [sql:]directory </programlisting>
+	<para>Listing the modules shows the module name, their status, and other associated security databases for certificates and keys. For example:</para>
+   
+<programlisting>modutil -list -dbdir sql:/home/my/sharednssdb 
+
+Listing of PKCS #11 Modules
+-----------------------------------------------------------
+  1. NSS Internal PKCS #11 Module
+         slots: 2 slots attached
+        status: loaded
+
+         slot: NSS Internal Cryptographic Services                            
+        token: NSS Generic Crypto Services
+
+         slot: NSS User Private Key and Certificate Services                  
+        token: NSS Certificate DB
+-----------------------------------------------------------</programlisting>
+	<para>Passing a specific module name with the <option>-list</option> returns details information about the module itself, like supported cipher mechanisms, version numbers, serial numbers, and other information about the module and the token it is loaded on. For example:</para>
+<programlisting> modutil -list "NSS Internal PKCS #11 Module" -dbdir sql:/home/my/sharednssdb
+
+-----------------------------------------------------------
+Name: NSS Internal PKCS #11 Module
+Library file: **Internal ONLY module**
+Manufacturer: Mozilla Foundation              
+Description: NSS Internal Crypto Services    
+PKCS #11 Version 2.20
+Library Version: 3.11
+Cipher Enable Flags: None
+Default Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES
+
+  Slot: NSS Internal Cryptographic Services                            
+  Slot Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES
+  Manufacturer: Mozilla Foundation              
+  Type: Software
+  Version Number: 3.11
+  Firmware Version: 0.0
+  Status: Enabled
+  Token Name: NSS Generic Crypto Services     
+  Token Manufacturer: Mozilla Foundation              
+  Token Model: NSS 3           
+  Token Serial Number: 0000000000000000
+  Token Version: 4.0
+  Token Firmware Version: 0.0
+  Access: Write Protected
+  Login Type: Public (no login required)
+  User Pin: NOT Initialized
+
+  Slot: NSS User Private Key and Certificate Services                  
+  Slot Mechanism Flags: None
+  Manufacturer: Mozilla Foundation              
+  Type: Software
+  Version Number: 3.11
+  Firmware Version: 0.0
+  Status: Enabled
+  Token Name: NSS Certificate DB              
+  Token Manufacturer: Mozilla Foundation              
+  Token Model: NSS 3           
+  Token Serial Number: 0000000000000000
+  Token Version: 8.3
+  Token Firmware Version: 0.0
+  Access: NOT Write Protected
+  Login Type: Login required
+  User Pin: Initialized</programlisting>
+	<para>A related command, <option>-rawlist</option> returns information about the database configuration for the modules. (This information can be edited by loading new specs using the <option>-rawadd</option> command.)</para>
+<programlisting> modutil -rawlist -dbdir sql:/home/my/sharednssdb
+ name="NSS Internal PKCS #11 Module" parameters="configdir=. certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " NSS="trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] }  Flags=internal,critical"</programlisting>
+
+	<para><command>Setting a Default Provider for Security Mechanisms</command></para>
+	<para>Multiple security modules may provide support for the same security mechanisms. It is possible to set a specific security module as the default provider for a specific security mechanism (or, conversely, to prohibit a provider from supplying those mechanisms).</para>
+<programlisting>modutil -default modulename -mechanisms mechanism-list </programlisting>
+	<para>To set a module as the default provider for mechanisms, use the <option>-default</option> command with a colon-separated list of mechanisms. The available mechanisms depend on the module; NSS supplies almost all common mechanisms. For example:</para>
+<programlisting>modutil -default "NSS Internal PKCS #11 Module" -dbdir -mechanisms RSA:DSA:RC2 
+
+Using database directory c:\databases...
+
+Successfully changed defaults.</programlisting>
+
+    <para>Clearing the default provider has the same format:</para>
+<programlisting>modutil -undefault "NSS Internal PKCS #11 Module" -dbdir -mechanisms MD2:MD5</programlisting>
+
+	<para><command>Enabling and Disabling Modules and Slots</command></para>
+	<para>Modules, and specific slots on modules, can be selectively enabled or disabled using <command>modutil</command>. Both commands have the same format:</para>
+<programlisting>modutil -enable|-disable modulename [-slot slotname] </programlisting>
+
+    <para>For example:</para>
+<programlisting>modutil -enable "NSS Internal PKCS #11 Module" -slot "NSS Internal Cryptographic Services                            " -dbdir .
+
+Slot "NSS Internal Cryptographic Services                            " enabled.</programlisting>
+	<para>Be sure that the appropriate amount of trailing whitespace is after the slot name. Some slot names have a significant amount of whitespace that must be included, or the operation will fail.</para>
+
+	<para><command>Enabling and Verifying FIPS Compliance</command></para>
+	<para>The NSS modules can have FIPS 140-2 compliance enabled or disabled using <command>modutil</command> with the <option>-fips</option> option. For example:</para>
+<programlisting>modutil -fips true -dbdir sql:/home/my/sharednssdb/
+
+FIPS mode enabled.</programlisting>
+	<para>To verify that status of FIPS mode, run the <option>-chkfips</option> command with either a true or false flag (it doesn't matter which). The tool returns the current FIPS setting.</para>
+<programlisting>modutil -chkfips false -dbdir sql:/home/my/sharednssdb/
+
+FIPS mode enabled.</programlisting>
+
+	<para><command>Changing the Password on a Token</command></para>
+
+    <para>Initializing or changing a token's password:</para>
+<programlisting>modutil -changepw tokenname [-pwfile old-password-file] [-newpwfile new-password-file] </programlisting>
+<programlisting>modutil -dbdir sql:/home/my/sharednssdb -changepw "NSS Certificate DB" 
+
+Enter old password: 
+Incorrect password, try again... 
+Enter old password: 
+Enter new password: 
+Re-enter new password: 
+Token "Communicator Certificate DB" password changed successfully.</programlisting>
+  </refsection>
+
+  <refsection id="jar-install-file"><title>JAR Installation File Format</title>
+     <para>When a JAR file is run by a server, by <command>modutil</command>, or by any program that does not interpret JavaScript, a special information file must be included to install the libraries. There are several things to keep in mind with this file:</para>
+	<itemizedlist>
+		<listitem>
+			<para>
+				It must be declared in the JAR archive's manifest file. 
+			</para>
+		</listitem>
+		<listitem>
+			<para>
+				The script can have any name. 
+			</para>
+		</listitem>
+		<listitem>
+			<para>
+				The metainfo tag for this is <command>Pkcs11_install_script</command>. To declare meta-information in the manifest file, put it in a file that is passed to <command>signtool</command>.</para>
+		</listitem>
+	</itemizedlist>
+
+	<para><command>Sample Script</command></para>
+	<para>For example, the PKCS #11 installer script could be in the file pk11install. If so, the metainfo file for <command>signtool</command> includes a line such as this:</para>
+<programlisting>+ Pkcs11_install_script: pk11install</programlisting>
+
+	<para>The script must define the platform and version number, the module name and file, and any optional information like supported ciphers and mechanisms. Multiple platforms can be defined in a single install file.</para>
+<programlisting>ForwardCompatible { IRIX:6.2:mips SUNOS:5.5.1:sparc }
+Platforms {
+   WINNT::x86 {
+      ModuleName { "Example Module" }
+      ModuleFile { win32/fort32.dll }
+      DefaultMechanismFlags{0x0001}
+      DefaultCipherFlags{0x0001}
+      Files {
+         win32/setup.exe {
+            Executable
+            RelativePath { %temp%/setup.exe }
+         }
+         win32/setup.hlp {
+            RelativePath { %temp%/setup.hlp }
+         }
+         win32/setup.cab {
+            RelativePath { %temp%/setup.cab }
+         }
+      }
+   }
+   WIN95::x86 {
+      EquivalentPlatform {WINNT::x86}
+   }
+   SUNOS:5.5.1:sparc {
+      ModuleName { "Example UNIX Module" }
+      ModuleFile { unix/fort.so }
+      DefaultMechanismFlags{0x0001}
+      CipherEnableFlags{0x0001}
+      Files {
+         unix/fort.so {
+            RelativePath{%root%/lib/fort.so}
+            AbsolutePath{/usr/local/netscape/lib/fort.so}
+            FilePermissions{555}
+         }
+         xplat/instr.html {
+            RelativePath{%root%/docs/inst.html}
+            AbsolutePath{/usr/local/netscape/docs/inst.html}
+            FilePermissions{555}
+         }
+      }
+   }
+   IRIX:6.2:mips {
+      EquivalentPlatform { SUNOS:5.5.1:sparc }
+   }
+}</programlisting>
+
+	<para><command>Script Grammar</command></para>
+	<para>The script is basic Java, allowing lists, key-value pairs, strings, and combinations of all of them.</para>
+<programlisting>--> valuelist
+
+valuelist --> value valuelist
+               &lt;null>
+
+value ---> key_value_pair
+            string
+
+key_value_pair --> key { valuelist }
+
+key --> string
+
+string --> simple_string
+            "complex_string"
+
+simple_string --> [^ \t\n\""{""}"]+ 
+
+complex_string --> ([^\"\\\r\n]|(\\\")|(\\\\))+ </programlisting>
+
+	<para>Quotes and backslashes must be escaped with a backslash. A complex string must not include newlines or carriage returns.Outside of complex strings, all white space (for example, spaces, tabs, and carriage returns) is considered equal and is used only to delimit tokens.</para>
+
+	<para><command>Keys</command></para>
+	<para>The Java install file uses keys to define the platform and module information.</para>
+	<para><command>ForwardCompatible</command> gives a list of platforms that are forward compatible. If the current platform cannot be found in the list of supported platforms, then the <command>ForwardCompatible</command> list is checked for any platforms that have the same OS and architecture in an earlier version. If one is found, its attributes are used for the current platform. </para>
+	<para><command>Platforms</command> (required) Gives a list of platforms. Each entry in the list is itself a key-value pair: the key is the name of the platform and the value list contains various attributes of the platform. The platform string is in the format <emphasis>system name:OS release:architecture</emphasis>. The installer obtains these values from NSPR. OS release is an empty string on non-Unix operating systems. NSPR supports these platforms:</para>
+	<itemizedlist>
+	<listitem>
+	<para>AIX (rs6000)</para>
+	</listitem>
+	<listitem>
+	<para>BSDI (x86)</para>
+	</listitem>
+	<listitem>
+	<para>FREEBSD (x86)</para>
+	</listitem>
+	<listitem>
+	<para>HPUX (hppa1.1)</para>
+	</listitem>
+	<listitem>
+	<para>IRIX (mips)</para>
+	</listitem>
+	<listitem>
+	<para>LINUX (ppc, alpha, x86)</para>
+	</listitem>
+	<listitem>
+	<para>MacOS (PowerPC)</para>
+	</listitem>
+	<listitem>
+	<para>NCR (x86)</para>
+	</listitem>
+	<listitem>
+	<para>NEC (mips)</para>
+	</listitem>
+	<listitem>
+	<para>OS2 (x86)</para>
+	</listitem>
+	<listitem>
+	<para>OSF (alpha)</para>
+	</listitem>
+	<listitem>
+	<para>ReliantUNIX (mips)</para>
+	</listitem>
+	<listitem>
+	<para>SCO (x86)</para>
+	</listitem>
+	<listitem>
+	<para>SOLARIS (sparc)</para>
+	</listitem>
+	<listitem>
+	<para>SONY (mips)</para>
+	</listitem>
+	<listitem>
+	<para>SUNOS (sparc)</para>
+	</listitem>
+	<listitem>
+	<para>UnixWare (x86)</para>
+	</listitem>
+	<listitem>
+	<para>WIN16 (x86)</para>
+	</listitem>
+	<listitem>
+	<para>WIN95 (x86)</para>
+	</listitem>
+	<listitem>
+	<para>WINNT (x86)</para>
+	</listitem>
+	</itemizedlist>
+
+	<para>For example:</para>
+<programlisting>IRIX:6.2:mips
+SUNOS:5.5.1:sparc
+Linux:2.0.32:x86
+WIN95::x86</programlisting>
+	<para>The module information is defined independently for each platform in the <command>ModuleName</command>, <command>ModuleFile</command>, and <command>Files</command> attributes. These attributes must be given unless an <command>EquivalentPlatform</command> attribute is specified. </para>
+
+	<para><command>Per-Platform Keys</command></para>
+	<para>Per-platform keys have meaning only within the value list of an entry in the <command>Platforms</command> list.</para>
+	<para><command>ModuleName</command> (required) gives the common name for the module. This name is used to reference the module by servers and by the <command>modutil</command> tool. </para>
+	<para><command>ModuleFile</command> (required) names the PKCS #11 module file for this platform. The name is given as the relative path of the file within the JAR archive. </para>
+	<para><command>Files</command> (required) lists the files that need to be installed for this module. Each entry in the file list is a key-value pair. The key is the path of the file in the JAR archive, and the value list contains attributes of the file. At least <command>RelativePath</command> or <command>AbsolutePath</command> must be specified for each file.</para>
+	<para><command>DefaultMechanismFlags</command> specifies mechanisms for which this module is the default provider; this is equivalent to the <option>-mechanism</option> option with the <option>-add</option> command. This key-value pair is a bitstring specified in hexadecimal (0x) format. It is constructed as a bitwise OR. If the DefaultMechanismFlags entry is omitted, the value defaults to 0x0.</para>
+
+<programlisting>RSA:                   0x00000001
+DSA:                   0x00000002
+RC2:                   0x00000004
+RC4:                   0x00000008
+DES:                   0x00000010
+DH:                    0x00000020
+FORTEZZA:              0x00000040
+RC5:                   0x00000080
+SHA1:                  0x00000100
+MD5:                   0x00000200
+MD2:                   0x00000400
+RANDOM:                0x08000000
+FRIENDLY:              0x10000000
+OWN_PW_DEFAULTS:       0x20000000
+DISABLE:               0x40000000</programlisting>
+
+	<para><command>CipherEnableFlags</command> specifies ciphers that this module provides that NSS does not provide (so that the module enables those ciphers for NSS). This is equivalent to the <option>-cipher</option> argument with the <option>-add</option> command. This key is a bitstring specified in hexadecimal (0x) format. It is constructed as a bitwise OR. If the <command>CipherEnableFlags</command> entry is omitted, the value defaults to 0x0.</para>
+
+	<para><command>EquivalentPlatform</command> specifies that the attributes of the named platform should also be used for the current platform. This makes it easier when more than one platform uses the same settings.</para>
+
+	<para><command>Per-File Keys</command></para>
+	<para>Some keys have meaning only within the value list of an entry in a <command>Files</command> list.</para>
+	<para>Each file requires a path key the identifies where the file is. Either <command>RelativePath</command> or <command>AbsolutePath</command> must be specified. If both are specified, the relative path is tried first, and the absolute path is used only if no relative root directory is provided by the installer program.</para>
+	<para><command>RelativePath</command> specifies the destination directory of the file, relative to some directory decided at install time. Two variables can be used in the relative path: <command>%root%</command> and <command>%temp%</command>. <command>%root%</command> is replaced at run time with the directory relative to which files should be installed; for example, it may be the server's root directory. The <command>%temp%</command> directory is created at the beginning of the installation and destroyed at the end. The purpose of <command>%temp%</command> is to hold executable files (such as setup programs) or files that are used by these programs. Files destined for the temporary directory are guaranteed to be in place before any executable file is run; they are not deleted until all executable files have finished.</para>
+	<para><command>AbsolutePath</command> specifies the destination directory of the file as an absolute path. </para>
+	<para><command>Executable</command> specifies that the file is to be executed during the course of the installation. Typically, this string is used for a setup program provided by a module vendor, such as a self-extracting setup executable. More than one file can be specified as executable, in which case the files are run in the order in which they are specified in the script file.</para>
+	<para><command>FilePermissions</command> sets permissions on any referenced files in a string of octal digits, according to the standard Unix format. This string is a bitwise OR.</para>
+
+<programlisting>user read:                0400
+user write:               0200
+user execute:             0100
+group read:               0040
+group write:              0020
+group execute:            0010
+other read:               0004
+other write:              0002
+other execute:       0001</programlisting>
+
+<para>Some platforms may not understand these permissions. They are applied only insofar as they make sense for the current platform. If this attribute is omitted, a default of 777 is assumed.</para>
+  </refsection>
+
+<refsection id="databases"><title>NSS Database Types</title>
+<para>NSS originally used BerkeleyDB databases to store security information. 
+The last versions of these <emphasis>legacy</emphasis> databases are:</para>
+<itemizedlist>
+	<listitem>
+		<para>
+			cert8.db for certificates
+		</para>
+	</listitem>
+	<listitem>
+		<para>
+			key3.db for keys
+		</para>
+	</listitem>
+	<listitem>
+		<para>
+			secmod.db for PKCS #11 module information
+		</para>
+	</listitem>
+</itemizedlist>
+
+<para>BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously. NSS has 
+some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues. Still, NSS
+requires more flexibility to provide a truly shared security database.</para>
+
+<para>In 2009, NSS introduced a new set of databases that are SQLite databases rather than 
+BerkleyDB. These new databases provide more accessibility and performance:</para>
+<itemizedlist>
+	<listitem>
+		<para>
+			cert9.db for certificates
+		</para>
+	</listitem>
+	<listitem>
+		<para>
+			key4.db for keys
+		</para>
+	</listitem>
+	<listitem>
+		<para>
+			pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory
+		</para>
+	</listitem>
+</itemizedlist>
+
+<para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para>
+
+<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases follow the more common legacy type. 
+Using the SQLite databases must be manually specified by using the <command>sql:</command> prefix with the given security directory. For example:</para>
+
+<programlisting>modutil -create -dbdir sql:/home/my/sharednssdb</programlisting>
+
+<para>To set the shared database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>sql</envar>:</para>
+<programlisting>export NSS_DEFAULT_DB_TYPE="sql"</programlisting>
+
+<para>This line can be set added to the <filename>~/.bashrc</filename> file to make the change permanent.</para>
+
+<para>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</para>
+<itemizedlist>
+	<listitem>
+		<para>
+			https://wiki.mozilla.org/NSS_Shared_DB_Howto</para>
+	</listitem>
+</itemizedlist>
+<para>For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:</para>
+<itemizedlist>
+	<listitem>
+		<para>
+			https://wiki.mozilla.org/NSS_Shared_DB
+		</para>
+	</listitem>
+</itemizedlist>
+</refsection>
+
+  <refsection id="seealso">
+    <title>See Also</title>
+    <para>certutil (1)</para>
+    <para>pk12util (1)</para>
+    <para>signtool (1)</para>
+
+	<para>The NSS wiki has information on the new database design and how to configure applications to use it.</para>
+<itemizedlist>
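Review bot: the FilePermissions paragraph closes with "If this attribute is omitted, a default of 777 is assumed." but does not say that 777 leaves every installed file world-writable, which for a PKCS #11 module means any local user could replace the library the security database later loads; suggest adding a sentence recommending that install scripts always set FilePermissions explicitly (for example 0755 for shared libraries and 0644 for data files) rather than relying on the default. Smaller points in the same block: the last row of the permissions listing, "other execute:       0001", is not column-aligned with the rows above it; "BerkleyDB" in the SQLite paragraph is spelled "BerkeleyDB" elsewhere in this file; "pkcs11.txt, which is listing of all of the PKCS #11 modules" should read "which is a listing of all"; "This line can be set added to the ~/.bashrc file" has a stray "set"; and `<envar>sql</envar>` marks up a value rather than a variable name, so `<literal>sql</literal>` is the usual DocBook choice there. The first list item under the how-to paragraph also puts `</para>` on the same line as the URL, while the sibling item below it closes the element on its own line.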