Bug 1041186, Part 2: Rename Input to Reader and InputBuffer to Input, r=keeler
authorBrian Smith <brian@briansmith.org>
Thu, 31 Jul 2014 12:17:31 -0700
changeset 211577 c989be71f8443b628a15cd0aab16f47de73d3582
parent 211576 c04d170a0bd9ad169065d5546a1149554a543422
child 211578 9c67ef1f95153de5ce249c7da2506066d6ac9c8a
push idunknown
push userunknown
push dateunknown
reviewerskeeler
bugs1041186
milestone34.0a1
Bug 1041186, Part 2: Rename Input to Reader and InputBuffer to Input, r=keeler
security/apps/AppSignatureVerification.cpp
security/apps/AppTrustDomain.cpp
security/apps/AppTrustDomain.h
security/certverifier/CertVerifier.cpp
security/certverifier/NSSCertDBTrustDomain.cpp
security/certverifier/NSSCertDBTrustDomain.h
security/certverifier/OCSPCache.cpp
security/manager/ssl/src/nsNSSCertificate.cpp
security/manager/ssl/tests/gtest/OCSPCacheTest.cpp
security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
security/pkix/include/pkix/Input.h
security/pkix/include/pkix/pkix.h
security/pkix/include/pkix/pkixnss.h
security/pkix/include/pkix/pkixtypes.h
security/pkix/lib/pkixbuild.cpp
security/pkix/lib/pkixcert.cpp
security/pkix/lib/pkixcheck.cpp
security/pkix/lib/pkixcheck.h
security/pkix/lib/pkixder.cpp
security/pkix/lib/pkixder.h
security/pkix/lib/pkixnss.cpp
security/pkix/lib/pkixocsp.cpp
security/pkix/lib/pkixutil.h
security/pkix/test/gtest/pkixbuild_tests.cpp
security/pkix/test/gtest/pkixcert_extension_tests.cpp
security/pkix/test/gtest/pkixcheck_CheckKeyUsage_tests.cpp
security/pkix/test/gtest/pkixcheck_CheckValidity_tests.cpp
security/pkix/test/gtest/pkixder_input_tests.cpp
security/pkix/test/gtest/pkixder_pki_types_tests.cpp
security/pkix/test/gtest/pkixder_universal_types_tests.cpp
security/pkix/test/gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp
security/pkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
security/pkix/test/lib/pkixtestutil.cpp
security/pkix/test/lib/pkixtestutil.h
--- a/security/apps/AppSignatureVerification.cpp
+++ b/security/apps/AppSignatureVerification.cpp
@@ -537,17 +537,17 @@ VerifyCertificate(CERTCertificate* signe
   }
   const VerifyCertificateContext& context =
     *reinterpret_cast<const VerifyCertificateContext*>(voidContext);
 
   AppTrustDomain trustDomain(context.builtChain, pinArg);
   if (trustDomain.SetTrustedRoot(context.trustedRoot) != SECSuccess) {
     return MapSECStatus(SECFailure);
   }
-  InputBuffer certDER;
+  Input certDER;
   Result rv = certDER.Init(signerCert->derCert.data, signerCert->derCert.len);
   if (rv != Success) {
     return mozilla::psm::GetXPCOMFromNSSError(MapResultToPRErrorCode(rv));
   }
   rv = BuildCertChain(trustDomain, certDER, PR_Now(),
                       EndEntityOrCA::MustBeEndEntity,
                       KeyUsage::digitalSignature,
                       KeyPurposeId::id_kp_codeSigning,
--- a/security/apps/AppTrustDomain.cpp
+++ b/security/apps/AppTrustDomain.cpp
@@ -89,43 +89,43 @@ AppTrustDomain::SetTrustedRoot(AppTruste
   if (!mTrustedRoot) {
     return SECFailure;
   }
 
   return SECSuccess;
 }
 
 Result
-AppTrustDomain::FindIssuer(InputBuffer encodedIssuerName,
-                           IssuerChecker& checker, PRTime time)
+AppTrustDomain::FindIssuer(Input encodedIssuerName, IssuerChecker& checker,
+                           PRTime time)
 
 {
   MOZ_ASSERT(mTrustedRoot);
   if (!mTrustedRoot) {
     return Result::FATAL_ERROR_INVALID_STATE;
   }
 
   // TODO(bug 1035418): If/when mozilla::pkix relaxes the restriction that
   // FindIssuer must only pass certificates with a matching subject name to
   // checker.Check, we can stop using CERT_CreateSubjectCertList and instead
   // use logic like this:
   //
   // 1. First, try the trusted trust anchor.
   // 2. Secondly, iterate through the certificates that were stored in the CMS
   //    message, passing each one to checker.Check.
   SECItem encodedIssuerNameSECItem =
-    UnsafeMapInputBufferToSECItem(encodedIssuerName);
+    UnsafeMapInputToSECItem(encodedIssuerName);
   ScopedCERTCertList
     candidates(CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(),
                                           &encodedIssuerNameSECItem, time,
                                           true));
   if (candidates) {
     for (CERTCertListNode* n = CERT_LIST_HEAD(candidates);
          !CERT_LIST_END(n, candidates); n = CERT_LIST_NEXT(n)) {
-      InputBuffer certDER;
+      Input certDER;
       Result rv = certDER.Init(n->cert->derCert.data, n->cert->derCert.len);
       if (rv != Success) {
         continue; // probably too big
       }
 
       bool keepGoing;
       rv = checker.Check(certDER, nullptr/*additionalNameConstraints*/,
                          keepGoing);
@@ -139,17 +139,17 @@ AppTrustDomain::FindIssuer(InputBuffer e
   }
 
   return Success;
 }
 
 Result
 AppTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
                              const CertPolicyId& policy,
-                             InputBuffer candidateCertDER,
+                             Input candidateCertDER,
                      /*out*/ TrustLevel& trustLevel)
 {
   MOZ_ASSERT(policy.IsAnyPolicy());
   MOZ_ASSERT(mTrustedRoot);
   if (!policy.IsAnyPolicy()) {
     return Result::FATAL_ERROR_INVALID_ARGS;
   }
   if (!mTrustedRoot) {
@@ -157,17 +157,17 @@ AppTrustDomain::GetCertTrust(EndEntityOr
   }
 
   // Handle active distrust of the certificate.
 
   // XXX: This would be cleaner and more efficient if we could get the trust
   // information without constructing a CERTCertificate here, but NSS doesn't
   // expose it in any other easy-to-use fashion.
   SECItem candidateCertDERSECItem =
-    UnsafeMapInputBufferToSECItem(candidateCertDER);
+    UnsafeMapInputToSECItem(candidateCertDER);
   ScopedCERTCertificate candidateCert(
     CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &candidateCertDERSECItem,
                             nullptr, false, true));
   if (!candidateCert) {
     return MapPRErrorCodeToResult(PR_GetError());
   }
 
   CERTCertTrust trust;
@@ -196,33 +196,33 @@ AppTrustDomain::GetCertTrust(EndEntityOr
   }
 
   trustLevel = TrustLevel::InheritsTrust;
   return Success;
 }
 
 Result
 AppTrustDomain::VerifySignedData(const SignedDataWithSignature& signedData,
-                                 InputBuffer subjectPublicKeyInfo)
+                                 Input subjectPublicKeyInfo)
 {
   return ::mozilla::pkix::VerifySignedData(signedData, subjectPublicKeyInfo,
                                            mPinArg);
 }
 
 Result
-AppTrustDomain::DigestBuf(InputBuffer item, /*out*/ uint8_t* digestBuf,
+AppTrustDomain::DigestBuf(Input item, /*out*/ uint8_t* digestBuf,
                           size_t digestBufLen)
 {
   return ::mozilla::pkix::DigestBuf(item, digestBuf, digestBufLen);
 }
 
 Result
 AppTrustDomain::CheckRevocation(EndEntityOrCA, const CertID&, PRTime time,
-                                /*optional*/ const InputBuffer*,
-                                /*optional*/ const InputBuffer*)
+                                /*optional*/ const Input*,
+                                /*optional*/ const Input*)
 {
   // We don't currently do revocation checking. If we need to distrust an Apps
   // certificate, we will use the active distrust mechanism.
   return Success;
 }
 
 Result
 AppTrustDomain::IsChainValid(const DERArray& certChain)
@@ -231,14 +231,14 @@ AppTrustDomain::IsChainValid(const DERAr
                                                             mCertChain);
   if (srv != SECSuccess) {
     return MapPRErrorCodeToResult(PR_GetError());
   }
   return Success;
 }
 
 Result
-AppTrustDomain::CheckPublicKey(InputBuffer subjectPublicKeyInfo)
+AppTrustDomain::CheckPublicKey(Input subjectPublicKeyInfo)
 {
   return ::mozilla::pkix::CheckPublicKey(subjectPublicKeyInfo);
 }
 
 } } // namespace mozilla::psm
--- a/security/apps/AppTrustDomain.h
+++ b/security/apps/AppTrustDomain.h
@@ -20,34 +20,34 @@ public:
   typedef mozilla::pkix::Result Result;
 
   AppTrustDomain(ScopedCERTCertList&, void* pinArg);
 
   SECStatus SetTrustedRoot(AppTrustedRoot trustedRoot);
 
   virtual Result GetCertTrust(mozilla::pkix::EndEntityOrCA endEntityOrCA,
                               const mozilla::pkix::CertPolicyId& policy,
-                              mozilla::pkix::InputBuffer candidateCertDER,
+                              mozilla::pkix::Input candidateCertDER,
                               /*out*/ mozilla::pkix::TrustLevel& trustLevel)
                               MOZ_OVERRIDE;
-  virtual Result FindIssuer(mozilla::pkix::InputBuffer encodedIssuerName,
+  virtual Result FindIssuer(mozilla::pkix::Input encodedIssuerName,
                             IssuerChecker& checker,
                             PRTime time) MOZ_OVERRIDE;
   virtual Result CheckRevocation(mozilla::pkix::EndEntityOrCA endEntityOrCA,
                                  const mozilla::pkix::CertID& certID, PRTime time,
-                    /*optional*/ const mozilla::pkix::InputBuffer* stapledOCSPresponse,
-                    /*optional*/ const mozilla::pkix::InputBuffer* aiaExtension);
+                    /*optional*/ const mozilla::pkix::Input* stapledOCSPresponse,
+                    /*optional*/ const mozilla::pkix::Input* aiaExtension);
   virtual Result IsChainValid(const mozilla::pkix::DERArray& certChain)
                               MOZ_OVERRIDE;
-  virtual Result CheckPublicKey(mozilla::pkix::InputBuffer subjectPublicKeyInfo)
+  virtual Result CheckPublicKey(mozilla::pkix::Input subjectPublicKeyInfo)
                                 MOZ_OVERRIDE;
   virtual Result VerifySignedData(
            const mozilla::pkix::SignedDataWithSignature& signedData,
-           mozilla::pkix::InputBuffer subjectPublicKeyInfo) MOZ_OVERRIDE;
-  virtual Result DigestBuf(mozilla::pkix::InputBuffer item,
+           mozilla::pkix::Input subjectPublicKeyInfo) MOZ_OVERRIDE;
+  virtual Result DigestBuf(mozilla::pkix::Input item,
                            /*out*/ uint8_t* digestBuf,
                            size_t digestBufLen) MOZ_OVERRIDE;
 
 private:
   /*out*/ ScopedCERTCertList& mCertChain;
   void* mPinArg; // non-owning!
   ScopedCERTCertificate mTrustedRoot;
 };
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -151,21 +151,21 @@ SECStatus chainValidationCallback(void* 
   *chainOK = PublicKeyPinningService::
     ChainHasValidPins(certList, callbackState->hostname, callbackState->time,
                       enforceTestMode);
 
   return SECSuccess;
 }
 
 static Result
-BuildCertChainForOneKeyUsage(TrustDomain& trustDomain, InputBuffer certDER,
+BuildCertChainForOneKeyUsage(TrustDomain& trustDomain, Input certDER,
                              PRTime time, KeyUsage ku1, KeyUsage ku2,
                              KeyUsage ku3, KeyPurposeId eku,
                              const CertPolicyId& requiredPolicy,
-                             const InputBuffer* stapledOCSPResponse)
+                             const Input* stapledOCSPResponse)
 {
   Result rv = BuildCertChain(trustDomain, certDER, time,
                              EndEntityOrCA::MustBeEndEntity, ku1,
                              eku, requiredPolicy, stapledOCSPResponse);
   if (rv == Result::ERROR_INADEQUATE_KEY_USAGE) {
     rv = BuildCertChain(trustDomain, certDER, time,
                         EndEntityOrCA::MustBeEndEntity, ku2,
                         eku, requiredPolicy, stapledOCSPResponse);
@@ -204,17 +204,17 @@ CertVerifier::VerifyCert(CERTCertificate
   if (!cert ||
       (usage != certificateUsageSSLServer && (flags & FLAG_MUST_BE_EV))) {
     PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
     return SECFailure;
   }
 
   Result rv;
 
-  InputBuffer certDER;
+  Input certDER;
   rv = certDER.Init(cert->derCert.data, cert->derCert.len);
   if (rv != Success) {
     PR_SetError(MapResultToPRErrorCode(rv), 0);
     return SECFailure;
   }
 
   ChainValidationCallbackState callbackState = {
     hostname, mPinningEnforcementLevel, usage, time
@@ -227,27 +227,27 @@ CertVerifier::VerifyCert(CERTCertificate
     = !mOCSPDownloadEnabled ||
       (flags & FLAG_LOCAL_ONLY) ? NSSCertDBTrustDomain::NeverFetchOCSP
     : !mOCSPStrict              ? NSSCertDBTrustDomain::FetchOCSPForDVSoftFail
                                 : NSSCertDBTrustDomain::FetchOCSPForDVHardFail;
 
   ocsp_get_config ocspGETConfig = mOCSPGETEnabled ? ocsp_get_enabled
                                                   : ocsp_get_disabled;
 
-  InputBuffer stapledOCSPResponseInputBuffer;
-  const InputBuffer* stapledOCSPResponse = nullptr;
+  Input stapledOCSPResponseInput;
+  const Input* stapledOCSPResponse = nullptr;
   if (stapledOCSPResponseSECItem) {
-    rv = stapledOCSPResponseInputBuffer.Init(stapledOCSPResponseSECItem->data,
-                                             stapledOCSPResponseSECItem->len);
+    rv = stapledOCSPResponseInput.Init(stapledOCSPResponseSECItem->data,
+                                       stapledOCSPResponseSECItem->len);
     if (rv != Success) {
       // The stapled OCSP response was too big.
       PR_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE, 0);
       return SECFailure;
     }
-    stapledOCSPResponse = &stapledOCSPResponseInputBuffer;
+    stapledOCSPResponse = &stapledOCSPResponseInput;
   }
 
   switch (usage) {
     case certificateUsageSSLClient: {
       // XXX: We don't really have a trust bit for SSL client authentication so
       // just use trustEmail as it is the closest alternative.
       NSSCertDBTrustDomain trustDomain(trustEmail, ocspFetching, mOCSPCache,
                                        pinArg, ocspGETConfig, nullptr,
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -91,46 +91,45 @@ static const uint8_t PERMIT_FRANCE_GOV_N
                        "\x30\x05\x82\x03" ".bl"
                        "\x30\x05\x82\x03" ".mf"
                        "\x30\x05\x82\x03" ".wf"
                        "\x30\x05\x82\x03" ".pf"
                        "\x30\x05\x82\x03" ".nc"
                        "\x30\x05\x82\x03" ".tf";
 
 Result
-NSSCertDBTrustDomain::FindIssuer(InputBuffer encodedIssuerName,
+NSSCertDBTrustDomain::FindIssuer(Input encodedIssuerName,
                                  IssuerChecker& checker, PRTime time)
 {
   // TODO: NSS seems to be ambiguous between "no potential issuers found" and
   // "there was an error trying to retrieve the potential issuers."
-  SECItem encodedIssuerNameSECItem =
-    UnsafeMapInputBufferToSECItem(encodedIssuerName);
+  SECItem encodedIssuerNameSECItem = UnsafeMapInputToSECItem(encodedIssuerName);
   ScopedCERTCertList
     candidates(CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(),
                                           &encodedIssuerNameSECItem, time,
                                           true));
   if (candidates) {
     for (CERTCertListNode* n = CERT_LIST_HEAD(candidates);
          !CERT_LIST_END(n, candidates); n = CERT_LIST_NEXT(n)) {
-      InputBuffer certDER;
+      Input certDER;
       Result rv = certDER.Init(n->cert->derCert.data, n->cert->derCert.len);
       if (rv != Success) {
         continue; // probably too big
       }
 
       bool keepGoing;
-      InputBuffer anssiSubject;
+      Input anssiSubject;
       rv = anssiSubject.Init(ANSSI_SUBJECT_DATA,
                              sizeof(ANSSI_SUBJECT_DATA) - 1);
       if (rv != Success) {
         return Result::FATAL_ERROR_LIBRARY_FAILURE;
       }
       // TODO: Use CERT_CompareName or equivalent
-      if (InputBuffersAreEqual(encodedIssuerName, anssiSubject)) {
-        InputBuffer anssiNameConstraints;
+      if (InputsAreEqual(encodedIssuerName, anssiSubject)) {
+        Input anssiNameConstraints;
         if (anssiNameConstraints.Init(
                 PERMIT_FRANCE_GOV_NAME_CONSTRAINTS_DATA,
                 sizeof(PERMIT_FRANCE_GOV_NAME_CONSTRAINTS_DATA) - 1)
               != Success) {
           return Result::FATAL_ERROR_LIBRARY_FAILURE;
         }
         rv = checker.Check(certDER, &anssiNameConstraints, keepGoing);
       } else {
@@ -146,33 +145,32 @@ NSSCertDBTrustDomain::FindIssuer(InputBu
   }
 
   return Success;
 }
 
 Result
 NSSCertDBTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
                                    const CertPolicyId& policy,
-                                   InputBuffer candidateCertDER,
+                                   Input candidateCertDER,
                                    /*out*/ TrustLevel& trustLevel)
 {
 #ifdef MOZ_NO_EV_CERTS
   if (!policy.IsAnyPolicy()) {
     return Result::ERROR_POLICY_VALIDATION_FAILED;
   }
 #endif
 
   // XXX: This would be cleaner and more efficient if we could get the trust
   // information without constructing a CERTCertificate here, but NSS doesn't
   // expose it in any other easy-to-use fashion. The use of
   // CERT_NewTempCertificate to get a CERTCertificate shouldn't be a
   // performance problem because NSS will just find the existing
   // CERTCertificate in its in-memory cache and return it.
-  SECItem candidateCertDERSECItem =
-    UnsafeMapInputBufferToSECItem(candidateCertDER);
+  SECItem candidateCertDERSECItem = UnsafeMapInputToSECItem(candidateCertDER);
   ScopedCERTCertificate candidateCert(
     CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &candidateCertDERSECItem,
                             nullptr, false, true));
   if (!candidateCert) {
     return MapPRErrorCodeToResult(PR_GetError());
   }
 
   // XXX: CERT_GetCertTrust seems to be abusing SECStatus as a boolean, where
@@ -216,24 +214,24 @@ NSSCertDBTrustDomain::GetCertTrust(EndEn
   }
 
   trustLevel = TrustLevel::InheritsTrust;
   return Success;
 }
 
 Result
 NSSCertDBTrustDomain::VerifySignedData(const SignedDataWithSignature& signedData,
-                                       InputBuffer subjectPublicKeyInfo)
+                                       Input subjectPublicKeyInfo)
 {
   return ::mozilla::pkix::VerifySignedData(signedData, subjectPublicKeyInfo,
                                            mPinArg);
 }
 
 Result
-NSSCertDBTrustDomain::DigestBuf(InputBuffer item,
+NSSCertDBTrustDomain::DigestBuf(Input item,
                                 /*out*/ uint8_t* digestBuf, size_t digestBufLen)
 {
   return ::mozilla::pkix::DigestBuf(item, digestBuf, digestBufLen);
 }
 
 
 static PRIntervalTime
 OCSPFetchingTypeToTimeoutTime(NSSCertDBTrustDomain::OCSPFetching ocspFetching)
@@ -257,21 +255,21 @@ OCSPFetchingTypeToTimeoutTime(NSSCertDBT
 
 // Copied and modified from CERT_GetOCSPAuthorityInfoAccessLocation and
 // CERT_GetGeneralNameByType. Returns SECFailure on error, SECSuccess
 // with url == nullptr when an OCSP URI was not found, and SECSuccess with
 // url != nullptr when an OCSP URI was found. The output url will be owned
 // by the arena.
 static Result
 GetOCSPAuthorityInfoAccessLocation(PLArenaPool* arena,
-                                   InputBuffer aiaExtension,
+                                   Input aiaExtension,
                                    /*out*/ char const*& url)
 {
   url = nullptr;
-  SECItem aiaExtensionSECItem = UnsafeMapInputBufferToSECItem(aiaExtension);
+  SECItem aiaExtensionSECItem = UnsafeMapInputToSECItem(aiaExtension);
   CERTAuthInfoAccess** aia =
     CERT_DecodeAuthInfoAccessExtension(arena, &aiaExtensionSECItem);
   if (!aia) {
     return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
   }
   for (size_t i = 0; aia[i]; ++i) {
     if (SECOID_FindOIDTag(&aia[i]->method) == SEC_OID_PKIX_OCSP) {
       // NSS chooses the **last** OCSP URL; we choose the **first**
@@ -305,18 +303,18 @@ GetOCSPAuthorityInfoAccessLocation(PLAre
   }
 
   return Success;
 }
 
 Result
 NSSCertDBTrustDomain::CheckRevocation(EndEntityOrCA endEntityOrCA,
                                       const CertID& certID, PRTime time,
-                         /*optional*/ const InputBuffer* stapledOCSPResponse,
-                         /*optional*/ const InputBuffer* aiaExtension)
+                         /*optional*/ const Input* stapledOCSPResponse,
+                         /*optional*/ const Input* aiaExtension)
 {
   // Actively distrusted certificates will have already been blocked by
   // GetCertTrust.
 
   // TODO: need to verify that IsRevoked isn't called for trust anchors AND
   // that that fact is documented in mozillapkix.
 
   PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
@@ -482,17 +480,17 @@ NSSCertDBTrustDomain::CheckRevocation(En
     // assume it is good. Note that this is the confusing, but intended,
     // interpretation of "strict" revocation checking in the face of a
     // certificate that lacks an OCSP responder URI.
     return Success;
   }
 
   // Only request a response if we didn't have a cached indication of failure
   // (don't keep requesting responses from a failing server).
-  InputBuffer response;
+  Input response;
   bool attemptedRequest;
   if (cachedResponseResult == Success ||
       cachedResponseResult == Result::ERROR_OCSP_UNKNOWN_CERT ||
       cachedResponseResult == Result::ERROR_OCSP_OLD_RESPONSE) {
     uint8_t ocspRequest[OCSP_REQUEST_MAX_LENGTH];
     size_t ocspRequestLength;
     rv = CreateEncodedOCSPRequest(*this, certID, ocspRequest,
                                   ocspRequestLength);
@@ -584,17 +582,17 @@ NSSCertDBTrustDomain::CheckRevocation(En
          ("NSSCertDBTrustDomain: end of CheckRevocation"));
 
   return Success; // Soft fail -> success :(
 }
 
 Result
 NSSCertDBTrustDomain::VerifyAndMaybeCacheEncodedOCSPResponse(
   const CertID& certID, PRTime time, uint16_t maxLifetimeInDays,
-  InputBuffer encodedResponse, EncodedResponseSource responseSource,
+  Input encodedResponse, EncodedResponseSource responseSource,
   /*out*/ bool& expired)
 {
   PRTime thisUpdate = 0;
   PRTime validThrough = 0;
   Result rv = VerifyEncodedOCSPResponse(*this, certID, time,
                                         maxLifetimeInDays, encodedResponse,
                                         expired, &thisUpdate, &validThrough);
   // If a response was stapled and expired, we don't want to cache it. Return
@@ -663,17 +661,17 @@ NSSCertDBTrustDomain::IsChainValid(const
   if (mBuiltChain) {
     *mBuiltChain = certList.forget();
   }
 
   return Success;
 }
 
 Result
-NSSCertDBTrustDomain::CheckPublicKey(InputBuffer subjectPublicKeyInfo)
+NSSCertDBTrustDomain::CheckPublicKey(Input subjectPublicKeyInfo)
 {
   return ::mozilla::pkix::CheckPublicKey(subjectPublicKeyInfo);
 }
 
 namespace {
 
 static char*
 nss_addEscape(const char* string, char quote)
--- a/security/certverifier/NSSCertDBTrustDomain.h
+++ b/security/certverifier/NSSCertDBTrustDomain.h
@@ -51,58 +51,58 @@ public:
     LocalOnlyOCSPForEV = 4,
   };
   NSSCertDBTrustDomain(SECTrustType certDBTrustType, OCSPFetching ocspFetching,
                        OCSPCache& ocspCache, void* pinArg,
                        CertVerifier::ocsp_get_config ocspGETConfig,
           /*optional*/ CERTChainVerifyCallback* checkChainCallback = nullptr,
           /*optional*/ ScopedCERTCertList* builtChain = nullptr);
 
-  virtual Result FindIssuer(mozilla::pkix::InputBuffer encodedIssuerName,
+  virtual Result FindIssuer(mozilla::pkix::Input encodedIssuerName,
                             IssuerChecker& checker,
                             PRTime time) MOZ_OVERRIDE;
 
   virtual Result GetCertTrust(mozilla::pkix::EndEntityOrCA endEntityOrCA,
                               const mozilla::pkix::CertPolicyId& policy,
-                              mozilla::pkix::InputBuffer candidateCertDER,
+                              mozilla::pkix::Input candidateCertDER,
                               /*out*/ mozilla::pkix::TrustLevel& trustLevel)
                               MOZ_OVERRIDE;
 
-  virtual Result CheckPublicKey(mozilla::pkix::InputBuffer subjectPublicKeyInfo)
+  virtual Result CheckPublicKey(mozilla::pkix::Input subjectPublicKeyInfo)
                                 MOZ_OVERRIDE;
 
   virtual Result VerifySignedData(
                    const mozilla::pkix::SignedDataWithSignature& signedData,
-                   mozilla::pkix::InputBuffer subjectPublicKeyInfo)
+                   mozilla::pkix::Input subjectPublicKeyInfo)
                    MOZ_OVERRIDE;
 
-  virtual Result DigestBuf(mozilla::pkix::InputBuffer item,
+  virtual Result DigestBuf(mozilla::pkix::Input item,
                            /*out*/ uint8_t* digestBuf,
                            size_t digestBufLen) MOZ_OVERRIDE;
 
   virtual Result CheckRevocation(
                    mozilla::pkix::EndEntityOrCA endEntityOrCA,
                    const mozilla::pkix::CertID& certID,
                    PRTime time,
-      /*optional*/ const mozilla::pkix::InputBuffer* stapledOCSPResponse,
-      /*optional*/ const mozilla::pkix::InputBuffer* aiaExtension)
+      /*optional*/ const mozilla::pkix::Input* stapledOCSPResponse,
+      /*optional*/ const mozilla::pkix::Input* aiaExtension)
                    MOZ_OVERRIDE;
 
   virtual Result IsChainValid(const mozilla::pkix::DERArray& certChain)
                               MOZ_OVERRIDE;
 
 private:
   enum EncodedResponseSource {
     ResponseIsFromNetwork = 1,
     ResponseWasStapled = 2
   };
   static const PRTime ServerFailureDelay = 5 * 60 * PR_USEC_PER_SEC;
   Result VerifyAndMaybeCacheEncodedOCSPResponse(
     const mozilla::pkix::CertID& certID, PRTime time,
-    uint16_t maxLifetimeInDays, mozilla::pkix::InputBuffer encodedResponse,
+    uint16_t maxLifetimeInDays, mozilla::pkix::Input encodedResponse,
     EncodedResponseSource responseSource, /*out*/ bool& expired);
 
   const SECTrustType mCertDBTrustType;
   const OCSPFetching mOCSPFetching;
   OCSPCache& mOCSPCache; // non-owning!
   void* mPinArg; // non-owning!
   const CertVerifier::ocsp_get_config mOCSPGetConfig;
   CERTChainVerifyCallback* mCheckChainCallback; // non-owning!
--- a/security/certverifier/OCSPCache.cpp
+++ b/security/certverifier/OCSPCache.cpp
@@ -57,30 +57,30 @@ CertIDHash(SHA384Buffer& buf, const Cert
   ScopedPK11Context context(PK11_CreateDigestContext(SEC_OID_SHA384));
   if (!context) {
     return SECFailure;
   }
   SECStatus rv = PK11_DigestBegin(context.get());
   if (rv != SECSuccess) {
     return rv;
   }
-  SECItem certIDIssuer = UnsafeMapInputBufferToSECItem(certID.issuer);
+  SECItem certIDIssuer = UnsafeMapInputToSECItem(certID.issuer);
   rv = PK11_DigestOp(context.get(), certIDIssuer.data, certIDIssuer.len);
   if (rv != SECSuccess) {
     return rv;
   }
   SECItem certIDIssuerSubjectPublicKeyInfo =
-    UnsafeMapInputBufferToSECItem(certID.issuerSubjectPublicKeyInfo);
+    UnsafeMapInputToSECItem(certID.issuerSubjectPublicKeyInfo);
   rv = PK11_DigestOp(context.get(), certIDIssuerSubjectPublicKeyInfo.data,
                      certIDIssuerSubjectPublicKeyInfo.len);
   if (rv != SECSuccess) {
     return rv;
   }
   SECItem certIDSerialNumber =
-    UnsafeMapInputBufferToSECItem(certID.serialNumber);
+    UnsafeMapInputToSECItem(certID.serialNumber);
   rv = PK11_DigestOp(context.get(), certIDSerialNumber.data,
                      certIDSerialNumber.len);
   if (rv != SECSuccess) {
     return rv;
   }
   uint32_t outLen = 0;
   rv = PK11_DigestFinal(context.get(), buf, &outLen, SHA384_LENGTH);
   if (outLen != SHA384_LENGTH) {
--- a/security/manager/ssl/src/nsNSSCertificate.cpp
+++ b/security/manager/ssl/src/nsNSSCertificate.cpp
@@ -1521,17 +1521,17 @@ ConstructCERTCertListFromReversedDERArra
   if (!certList) {
     return SECFailure;
   }
 
   CERTCertDBHandle* certDB(CERT_GetDefaultCertDB()); // non-owning
 
   size_t numCerts = certArray.GetLength();
   for (size_t i = 0; i < numCerts; ++i) {
-    SECItem certDER(UnsafeMapInputBufferToSECItem(*certArray.GetDER(i)));
+    SECItem certDER(UnsafeMapInputToSECItem(*certArray.GetDER(i)));
     ScopedCERTCertificate cert(CERT_NewTempCertificate(certDB, &certDER,
                                                        nullptr, false, true));
     if (!cert) {
       return SECFailure;
     }
     // certArray is ordered with the root first, but we want the resulting
     // certList to have the root last.
     if (CERT_AddCertToListHead(certList, cert) != SECSuccess) {
--- a/security/manager/ssl/tests/gtest/OCSPCacheTest.cpp
+++ b/security/manager/ssl/tests/gtest/OCSPCacheTest.cpp
@@ -45,25 +45,25 @@ PutAndGet(OCSPCache& cache, const CertID
   ASSERT_TRUE(rv == Success);
   Result resultOut;
   PRTime timeOut;
   ASSERT_TRUE(cache.Get(certID, resultOut, timeOut));
   ASSERT_EQ(result, resultOut);
   ASSERT_EQ(time, timeOut);
 }
 
-TestInputBuffer fakeIssuer1("CN=issuer1");
-TestInputBuffer fakeKey000("key000");
-TestInputBuffer fakeKey001("key001");
-TestInputBuffer fakeSerial0000("0000");
+TestInput fakeIssuer1("CN=issuer1");
+TestInput fakeKey000("key000");
+TestInput fakeKey001("key001");
+TestInput fakeSerial0000("0000");
 
 TEST_F(OCSPCacheTest, TestPutAndGet)
 {
-  TestInputBuffer fakeSerial000("000");
-  TestInputBuffer fakeSerial001("001");
+  TestInput fakeSerial000("000");
+  TestInput fakeSerial001("001");
 
   SCOPED_TRACE("");
   PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial001),
             Success, PR_Now());
   Result resultOut;
   PRTime timeOut;
   ASSERT_FALSE(cache.Get(CertID(fakeIssuer1, fakeKey001, fakeSerial000),
                          resultOut, timeOut));
@@ -71,17 +71,17 @@ TEST_F(OCSPCacheTest, TestPutAndGet)
 
 TEST_F(OCSPCacheTest, TestVariousGets)
 {
   SCOPED_TRACE("");
   PRTime timeIn = PR_Now();
   for (int i = 0; i < MaxCacheEntries; i++) {
     uint8_t serialBuf[8];
     PR_snprintf(reinterpret_cast<char*>(serialBuf), sizeof(serialBuf), "%04d", i);
-    InputBuffer fakeSerial;
+    Input fakeSerial;
     ASSERT_EQ(Success, fakeSerial.Init(serialBuf, 4));
     PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial),
               Success, timeIn + i);
   }
 
   Result resultOut;
   PRTime timeOut;
 
@@ -91,42 +91,42 @@ TEST_F(OCSPCacheTest, TestVariousGets)
   ASSERT_EQ(Success, resultOut);
   ASSERT_EQ(timeIn, timeOut);
   // Once we access it, it goes to the front
   ASSERT_TRUE(cache.Get(cert0000, resultOut, timeOut));
   ASSERT_EQ(Success, resultOut);
   ASSERT_EQ(timeIn, timeOut);
 
   // This will be in the middle
-  static const TestInputBuffer fakeSerial0512("0512");
+  static const TestInput fakeSerial0512("0512");
   CertID cert0512(fakeIssuer1, fakeKey000, fakeSerial0512);
   ASSERT_TRUE(cache.Get(cert0512, resultOut, timeOut));
   ASSERT_EQ(Success, resultOut);
   ASSERT_EQ(timeIn + 512, timeOut);
   ASSERT_TRUE(cache.Get(cert0512, resultOut, timeOut));
   ASSERT_EQ(Success, resultOut);
   ASSERT_EQ(timeIn + 512, timeOut);
 
   // We've never seen this certificate
-  static const TestInputBuffer fakeSerial1111("1111");
+  static const TestInput fakeSerial1111("1111");
   ASSERT_FALSE(cache.Get(CertID(fakeIssuer1, fakeKey000, fakeSerial1111),
                          resultOut, timeOut));
 }
 
 TEST_F(OCSPCacheTest, TestEviction)
 {
   SCOPED_TRACE("");
   PRTime timeIn = PR_Now();
 
   // By putting more distinct entries in the cache than it can hold,
   // we cause the least recently used entry to be evicted.
   for (int i = 0; i < MaxCacheEntries + 1; i++) {
     uint8_t serialBuf[8];
     PR_snprintf(reinterpret_cast<char*>(serialBuf), sizeof(serialBuf), "%04d", i);
-    InputBuffer fakeSerial;
+    Input fakeSerial;
     ASSERT_EQ(Success, fakeSerial.Init(serialBuf, 4));
     PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial),
               Success, timeIn + i);
   }
 
   Result resultOut;
   PRTime timeOut;
   ASSERT_FALSE(cache.Get(CertID(fakeIssuer1, fakeKey001, fakeSerial0000),
@@ -139,68 +139,68 @@ TEST_F(OCSPCacheTest, TestNoEvictionForR
   PRTime timeIn = PR_Now();
   CertID notEvicted(fakeIssuer1, fakeKey000, fakeSerial0000);
   PutAndGet(cache, notEvicted, Result::ERROR_REVOKED_CERTIFICATE, timeIn);
   // By putting more distinct entries in the cache than it can hold,
   // we cause the least recently used entry that isn't revoked to be evicted.
   for (int i = 1; i < MaxCacheEntries + 1; i++) {
     uint8_t serialBuf[8];
     PR_snprintf(reinterpret_cast<char*>(serialBuf), sizeof(serialBuf), "%04d", i);
-    InputBuffer fakeSerial;
+    Input fakeSerial;
     ASSERT_EQ(Success, fakeSerial.Init(serialBuf, 4));
     PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial),
               Success, timeIn + i);
   }
   Result resultOut;
   PRTime timeOut;
   ASSERT_TRUE(cache.Get(notEvicted, resultOut, timeOut));
   ASSERT_EQ(Result::ERROR_REVOKED_CERTIFICATE, resultOut);
   ASSERT_EQ(timeIn, timeOut);
 
-  TestInputBuffer fakeSerial0001("0001");
+  TestInput fakeSerial0001("0001");
   CertID evicted(fakeIssuer1, fakeKey000, fakeSerial0001);
   ASSERT_FALSE(cache.Get(evicted, resultOut, timeOut));
 }
 
 TEST_F(OCSPCacheTest, TestEverythingIsRevoked)
 {
   SCOPED_TRACE("");
   PRTime timeIn = PR_Now();
   // Fill up the cache with revoked responses.
   for (int i = 0; i < MaxCacheEntries; i++) {
     uint8_t serialBuf[8];
     PR_snprintf(reinterpret_cast<char*>(serialBuf), sizeof(serialBuf), "%04d", i);
-    InputBuffer fakeSerial;
+    Input fakeSerial;
     ASSERT_EQ(Success, fakeSerial.Init(serialBuf, 4));
     PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial),
               Result::ERROR_REVOKED_CERTIFICATE, timeIn + i);
   }
-  static const TestInputBuffer fakeSerial1025("1025");
+  static const TestInput fakeSerial1025("1025");
   CertID good(fakeIssuer1, fakeKey000, fakeSerial1025);
   // This will "succeed", allowing verification to continue. However,
   // nothing was actually put in the cache.
   Result result = cache.Put(good, Success, timeIn + 1025 - 50, timeIn + 1025);
   ASSERT_EQ(Success, result);
   Result resultOut;
   PRTime timeOut;
   ASSERT_FALSE(cache.Get(good, resultOut, timeOut));
 
-  static const TestInputBuffer fakeSerial1026("1026");
+  static const TestInput fakeSerial1026("1026");
   CertID revoked(fakeIssuer1, fakeKey000, fakeSerial1026);
   // This will fail, causing verification to fail.
   result = cache.Put(revoked, Result::ERROR_REVOKED_CERTIFICATE,
                      timeIn + 1026 - 50, timeIn + 1026);
   ASSERT_EQ(Result::ERROR_REVOKED_CERTIFICATE, result);
 }
 
 TEST_F(OCSPCacheTest, VariousIssuers)
 {
   SCOPED_TRACE("");
-  static const TestInputBuffer fakeIssuer2("CN=issuer2");
-  static const TestInputBuffer fakeSerial001("001");
+  static const TestInput fakeIssuer2("CN=issuer2");
+  static const TestInput fakeSerial001("001");
   PRTime timeIn = PR_Now();
   CertID subject(fakeIssuer1, fakeKey000, fakeSerial001);
   PutAndGet(cache, subject, Success, timeIn);
   Result resultOut;
   PRTime timeOut;
   ASSERT_TRUE(cache.Get(subject, resultOut, timeOut));
   ASSERT_EQ(Success, resultOut);
   ASSERT_EQ(timeIn, timeOut);
--- a/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
@@ -51,26 +51,26 @@ GetOCSPResponseForType(OCSPResponseType 
   }
   // XXX CERT_FindCertIssuer uses the old, deprecated path-building logic
   mozilla::ScopedCERTCertificate
     issuerCert(CERT_FindCertIssuer(aCert, now, certUsageSSLCA));
   if (!issuerCert) {
     PrintPRError("CERT_FindCertIssuer failed");
     return nullptr;
   }
-  InputBuffer issuer;
+  Input issuer;
   if (issuer.Init(cert->derIssuer.data, cert->derIssuer.len) != Success) {
     return nullptr;
   }
-  InputBuffer issuerPublicKey;
+  Input issuerPublicKey;
   if (issuerPublicKey.Init(issuerCert->derPublicKey.data,
                            issuerCert->derPublicKey.len) != Success) {
     return nullptr;
   }
-  InputBuffer serialNumber;
+  Input serialNumber;
   if (serialNumber.Init(cert->serialNumber.data,
                         cert->serialNumber.len) != Success) {
     return nullptr;
   }
   CertID certID(issuer, issuerPublicKey, serialNumber);
   OCSPResponseContext context(aArena, certID, now);
 
   mozilla::ScopedCERTCertificate signerCert;
--- a/security/pkix/include/pkix/Input.h
+++ b/security/pkix/include/pkix/Input.h
@@ -29,63 +29,63 @@
 
 #include "pkix/nullptr.h"
 #include "pkix/Result.h"
 #include "prlog.h"
 #include "stdint.h"
 
 namespace mozilla { namespace pkix {
 
-class Input;
+class Reader;
 
-// An InputBuffer is a safety-oriented immutable weak reference to a array of
-// bytes of a known size. The data can only be legally accessed by constructing
-// an Input object, which guarantees all accesses to the data are memory safe.
-// Neither InputBuffer not Input provide any facilities for modifying the data
+// An Input is a safety-oriented immutable weak reference to a array of bytes
+// of a known size. The data can only be legally accessed by constructing a
+// Reader object, which guarantees all accesses to the data are memory safe.
+// Neither Input not Reader provide any facilities for modifying the data
 // they reference.
 //
-// InputBuffers are small and should usually be passed by value, not by
-// reference, though for inline functions the distinction doesn't matter.
+// Inputs are small and should usually be passed by value, not by reference,
+// though for inline functions the distinction doesn't matter:
 //
-//    Result GoodExample(InputBuffer input);
-//    Result BadExample(const InputBuffer& input);
+//    Result GoodExample(Input input);
+//    Result BadExample(const Input& input);
 //    Result WorseExample(const uint8_t* input, size_t len);
 //
 // Note that in the example, GoodExample has the same performance
 // characteristics as WorseExample, but with much better safety guarantees.
-class InputBuffer
+class Input
 {
 public:
-  // This constructor is useful for input buffers that are statically known to
-  // be of a fixed size, e.g.:
+  // This constructor is useful for inputs that are statically known to be of a
+  // fixed size, e.g.:
   //
   //   static const uint8_t EXPECTED_BYTES[] = { 0x00, 0x01, 0x02 };
-  //   const InputBuffer expected(EXPECTED_BYTES);
+  //   const Input expected(EXPECTED_BYTES);
   //
   // This is equivalent to (and preferred over):
   //
   //   static const uint8_t EXPECTED_BYTES[] = { 0x00, 0x01, 0x02 };
-  //   InputBuffer expected;
+  //   Input expected;
   //   Result rv = expected.Init(EXPECTED_BYTES, sizeof EXPECTED_BYTES);
   template <uint16_t N>
-  explicit InputBuffer(const uint8_t (&data)[N])
+  explicit Input(const uint8_t (&data)[N])
     : data(data)
     , len(N)
   {
   }
 
-  // Construct a valid, empty, Init-able InputBuffer.
-  InputBuffer()
+  // Construct a valid, empty, Init-able Input.
+  Input()
     : data(nullptr)
     , len(0u)
   {
   }
 
-  // Initialize the input buffer. data must be non-null and len must be less
-  // than 65536. Init may not be called more than once.
+  // Initialize the input. data must be non-null and len must be less than
+  // 65536. Init may not be called more than once.
   Result Init(const uint8_t* data, size_t len)
   {
     if (this->data) {
       // already initialized
       return Result::FATAL_ERROR_INVALID_ARGS;
     }
     if (!data || len > 0xffffu) {
       // input too large
@@ -93,71 +93,71 @@ public:
     }
 
     this->data = data;
     this->len = len;
 
     return Success;
   }
 
-  // Initialize the input buffer to be equivalent to the given input buffer.
-  // Init may not be called more than once.
+  // Initialize the input to be equivalent to the given input. Init may not be
+  // called more than once.
   //
   // This is basically operator=, but it wasn't given that name because
   // normally callers do not check the result of operator=, and normally
   // operator= can be used multiple times.
-  Result Init(InputBuffer other)
+  Result Init(Input other)
   {
     return Init(other.data, other.len);
   }
 
-  // Returns the length of the buffer.
+  // Returns the length of the input.
   //
   // Having the return type be uint16_t instead of size_t avoids the need for
   // callers to ensure that the result is small enough.
   uint16_t GetLength() const { return static_cast<uint16_t>(len); }
 
   // Don't use this. It is here because we have some "friend" functions that we
   // don't want to declare in this header file.
   const uint8_t* UnsafeGetData() const { return data; }
 
 private:
   const uint8_t* data;
   size_t len;
 
-  void operator=(const InputBuffer&) /* = delete */; // Use Init instead.
+  void operator=(const Input&) /* = delete */; // Use Init instead.
 };
 
 inline bool
-InputBuffersAreEqual(const InputBuffer& a, const InputBuffer& b)
+InputsAreEqual(const Input& a, const Input& b)
 {
   return a.GetLength() == b.GetLength() &&
          !std::memcmp(a.UnsafeGetData(), b.UnsafeGetData(), a.GetLength());
 }
 
-// An Input is a cursor/iterator through the contents of an InputBuffer,
-// designed to maximize safety during parsing while minimizing the performance
-// cost of that safety. In particular, all methods do strict bounds checking to
-// ensure buffer overflows are impossible, and they are all inline so that the
+// An Reader is a cursor/iterator through the contents of an Input, designed to
+// maximize safety during parsing while minimizing the performance cost of that
+// safety. In particular, all methods do strict bounds checking to ensure
+// buffer overflows are impossible, and they are all inline so that the
 // compiler can coalesce as many of those checks together as possible.
 //
-// In general, Input allows for one byte of lookahead and no backtracking.
+// In general, Reader allows for one byte of lookahead and no backtracking.
 // However, the Match* functions internally may have more lookahead.
-class Input
+class Reader
 {
 public:
-  Input()
+  Reader()
     : input(nullptr)
     , end(nullptr)
   {
   }
 
-  explicit Input(InputBuffer buffer)
-    : input(buffer.UnsafeGetData())
-    , end(buffer.UnsafeGetData() + buffer.GetLength())
+  explicit Reader(Input input)
+    : input(input.UnsafeGetData())
+    , end(input.UnsafeGetData() + input.GetLength())
   {
   }
 
   bool Peek(uint8_t expectedByte) const
   {
     return input < end && *input == expectedByte;
   }
 
@@ -229,37 +229,37 @@ public:
     Result rv = EnsureLength(len);
     if (rv != Success) {
       return rv;
     }
     input += len;
     return Success;
   }
 
-  Result Skip(uint16_t len, Input& skippedInput)
+  Result Skip(uint16_t len, Reader& skipped)
   {
     Result rv = EnsureLength(len);
     if (rv != Success) {
       return rv;
     }
-    rv = skippedInput.Init(input, len);
+    rv = skipped.Init(input, len);
     if (rv != Success) {
       return rv;
     }
     input += len;
     return Success;
   }
 
-  Result Skip(uint16_t len, InputBuffer& skippedItem)
+  Result Skip(uint16_t len, Input& skipped)
   {
     Result rv = EnsureLength(len);
     if (rv != Success) {
       return rv;
     }
-    rv = skippedItem.Init(input, len);
+    rv = skipped.Init(input, len);
     if (rv != Success) {
       return rv;
     }
     input += len;
     return Success;
   }
 
   void SkipToEnd()
@@ -275,26 +275,26 @@ public:
     return Success;
   }
 
   bool AtEnd() const { return input == end; }
 
   class Mark
   {
   private:
-    friend class Input;
-    Mark(const Input& input, const uint8_t* mark) : input(input), mark(mark) { }
-    const Input& input;
+    friend class Reader;
+    Mark(const Reader& input, const uint8_t* mark) : input(input), mark(mark) { }
+    const Reader& input;
     const uint8_t* const mark;
     void operator=(const Mark&) /* = delete */;
   };
 
   Mark GetMark() const { return Mark(*this, input); }
 
-  Result GetInputBuffer(const Mark& mark, /*out*/ InputBuffer& item)
+  Result GetInput(const Mark& mark, /*out*/ Input& item)
   {
     if (&mark.input != this || mark.mark > input) {
       PR_NOT_REACHED("invalid mark");
       return Result::FATAL_ERROR_INVALID_ARGS;
     }
     return item.Init(mark.mark, static_cast<uint16_t>(input - mark.mark));
   }
 
@@ -308,15 +308,15 @@ private:
     input = data;
     end = data + len;
     return Success;
   }
 
   const uint8_t* input;
   const uint8_t* end;
 
-  Input(const Input&) /* = delete */;
-  void operator=(const Input&) /* = delete */;
+  Reader(const Reader&) /* = delete */;
+  void operator=(const Reader&) /* = delete */;
 };
 
 } } // namespace mozilla::pkix
 
 #endif // mozilla_pkix__Input_h
--- a/security/pkix/include/pkix/pkix.h
+++ b/security/pkix/include/pkix/pkix.h
@@ -83,22 +83,22 @@ namespace mozilla { namespace pkix {
 // Meaning of specific error codes
 //
 // Result::ERROR_UNTRUSTED_CERT means that the end-entity certificate was
 //                              actively distrusted.
 // Result::SEC_ERROR_UNTRUSTED_ISSUER means that path building failed because
 //                                    of active distrust.
 // TODO(bug 968451): Document more of these.
 
-Result BuildCertChain(TrustDomain& trustDomain, InputBuffer cert,
+Result BuildCertChain(TrustDomain& trustDomain, Input cert,
                       PRTime time, EndEntityOrCA endEntityOrCA,
                       KeyUsage requiredKeyUsageIfPresent,
                       KeyPurposeId requiredEKUIfPresent,
                       const CertPolicyId& requiredPolicy,
-                      /*optional*/ const InputBuffer* stapledOCSPResponse);
+                      /*optional*/ const Input* stapledOCSPResponse);
 
 static const size_t OCSP_REQUEST_MAX_LENGTH = 127;
 Result CreateEncodedOCSPRequest(TrustDomain& trustDomain,
                                 const struct CertID& certID,
                                 /*out*/ uint8_t (&out)[OCSP_REQUEST_MAX_LENGTH],
                                 /*out*/ size_t& outLen);
 
 // The out parameter expired will be true if the response has expired. If the
@@ -111,16 +111,16 @@ Result CreateEncodedOCSPRequest(TrustDom
 // good, unknown, or revoked responses that verify correctly are considered
 // trustworthy. If the response is not trustworthy, thisUpdate will be 0.
 // Similarly, the optional parameter validThrough will be the time through
 // which the encoded response is considered trustworthy (that is, if a response had a
 // thisUpdate time of validThrough, it would be considered trustworthy).
 Result VerifyEncodedOCSPResponse(TrustDomain& trustDomain,
                                  const CertID& certID, PRTime time,
                                  uint16_t maxLifetimeInDays,
-                                 InputBuffer encodedResponse,
+                                 Input encodedResponse,
                        /* out */ bool& expired,
               /* optional out */ PRTime* thisUpdate = nullptr,
               /* optional out */ PRTime* validThrough = nullptr);
 
 } } // namespace mozilla::pkix
 
 #endif // mozilla_pkix__pkix_h
--- a/security/pkix/include/pkix/pkixnss.h
+++ b/security/pkix/include/pkix/pkixnss.h
@@ -28,35 +28,35 @@
 #include "pkixtypes.h"
 #include "prerror.h"
 #include "seccomon.h"
 
 namespace mozilla { namespace pkix {
 
 // Verify the given signed data using the given public key.
 Result VerifySignedData(const SignedDataWithSignature& sd,
-                        InputBuffer subjectPublicKeyInfo,
+                        Input subjectPublicKeyInfo,
                         void* pkcs11PinArg);
 
 // Computes the SHA-1 hash of the data in the current item.
 //
 // item contains the data to hash.
 // digestBuf must point to a buffer to where the SHA-1 hash will be written.
 // digestBufLen must be 20 (the length of a SHA-1 hash,
 //              TrustDomain::DIGEST_LENGTH).
 //
 // TODO(bug 966856): Add SHA-2 support
 // TODO: Taking the output buffer as (uint8_t*, size_t) is counter to our
 // other, extensive, memory safety efforts in mozilla::pkix, and we should find
 // a way to provide a more-obviously-safe interface.
-Result DigestBuf(InputBuffer item, /*out*/ uint8_t* digestBuf,
+Result DigestBuf(Input item, /*out*/ uint8_t* digestBuf,
                  size_t digestBufLen);
 
 // Checks, for RSA keys and DSA keys, that the modulus is at least 1024 bits.
-Result CheckPublicKey(InputBuffer subjectPublicKeyInfo);
+Result CheckPublicKey(Input subjectPublicKeyInfo);
 
 Result MapPRErrorCodeToResult(PRErrorCode errorCode);
 PRErrorCode MapResultToPRErrorCode(Result result);
 
 // Returns the stringified name of the given result, e.g. "Result::Success",
 // or nullptr if result is unknown (invalid).
 const char* MapResultToName(Result result);
 
@@ -71,17 +71,17 @@ static const PRErrorCode ERROR_BASE = -0
 static const PRErrorCode ERROR_LIMIT = ERROR_BASE + 1000;
 
 enum ErrorCode {
   MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = ERROR_BASE + 0
 };
 
 void RegisterErrorTable();
 
-inline SECItem UnsafeMapInputBufferToSECItem(InputBuffer ib)
+inline SECItem UnsafeMapInputToSECItem(Input ib)
 {
   SECItem result = {
     siBuffer,
     const_cast<uint8_t*>(ib.UnsafeGetData()),
     ib.GetLength()
   };
   return result;
 }
--- a/security/pkix/include/pkix/pkixtypes.h
+++ b/security/pkix/include/pkix/pkixtypes.h
@@ -74,19 +74,19 @@ MOZILLA_PKIX_ENUM_CLASS SignatureAlgorit
 
   // id-dsa-with-sha1 (OID 1.2.840.10040.4.3, RFC 3279 Section 2.2.2)
   dsa_with_sha1 = 18,
 };
 
 struct SignedDataWithSignature
 {
 public:
-  InputBuffer data;
+  Input data;
   SignatureAlgorithm algorithm;
-  InputBuffer signature;
+  Input signature;
 
 private:
   void operator=(const SignedDataWithSignature&) /*= delete*/;
 };
 
 MOZILLA_PKIX_ENUM_CLASS EndEntityOrCA { MustBeEndEntity = 0, MustBeCA = 1 };
 
 MOZILLA_PKIX_ENUM_CLASS KeyUsage : uint8_t {
@@ -137,40 +137,39 @@ MOZILLA_PKIX_ENUM_CLASS TrustLevel {
 // be encoded exactly the same, and the encoding matters for OCSP.)
 // issuerSubjectPublicKeyInfo is the entire DER-encoded subjectPublicKeyInfo
 // field from the issuer's certificate. serialNumber is the entire DER-encoded
 // serial number from the subject certificate (the certificate for which we are
 // checking the revocation status).
 struct CertID
 {
 public:
-  CertID(InputBuffer issuer, InputBuffer issuerSubjectPublicKeyInfo,
-         InputBuffer serialNumber)
+  CertID(Input issuer, Input issuerSubjectPublicKeyInfo, Input serialNumber)
     : issuer(issuer)
     , issuerSubjectPublicKeyInfo(issuerSubjectPublicKeyInfo)
     , serialNumber(serialNumber)
   {
   }
-  const InputBuffer issuer;
-  const InputBuffer issuerSubjectPublicKeyInfo;
-  const InputBuffer serialNumber;
+  const Input issuer;
+  const Input issuerSubjectPublicKeyInfo;
+  const Input serialNumber;
 private:
   void operator=(const CertID&) /*= delete*/;
 };
 
 class DERArray
 {
 public:
   // Returns the number of DER-encoded items in the array.
   virtual size_t GetLength() const = 0;
 
   // Returns a weak (non-owning) pointer the ith DER-encoded item in the array
   // (0-indexed). The result is guaranteed to be non-null if i < GetLength(),
   // and the result is guaranteed to be nullptr if i >= GetLength().
-  virtual const InputBuffer* GetDER(size_t i) const = 0;
+  virtual const Input* GetDER(size_t i) const = 0;
 protected:
   DERArray() { }
   virtual ~DERArray() { }
 };
 
 // Applications control the behavior of path building and verification by
 // implementing the TrustDomain interface. The TrustDomain is used for all
 // cryptography and for determining which certificates are trusted or
@@ -189,31 +188,31 @@ public:
   // trustLevel == TrustAnchor unless the given cert is considered a trust
   // anchor *for that policy*. In particular, if the user has marked an
   // intermediate certificate as trusted, but that intermediate isn't in the
   // list of EV roots, then GetCertTrust must result in
   // trustLevel == InheritsTrust instead of trustLevel == TrustAnchor
   // (assuming the candidate cert is not actively distrusted).
   virtual Result GetCertTrust(EndEntityOrCA endEntityOrCA,
                               const CertPolicyId& policy,
-                              InputBuffer candidateCertDER,
+                              Input candidateCertDER,
                               /*out*/ TrustLevel& trustLevel) = 0;
 
   class IssuerChecker
   {
   public:
     // potentialIssuerDER is the complete DER encoding of the certificate to
     // be checked as a potential issuer.
     //
     // If additionalNameConstraints is not nullptr then it must point to an
     // encoded NameConstraints extension value; in that case, those name
     // constraints will be checked in addition to any any name constraints
     // contained in potentialIssuerDER.
-    virtual Result Check(InputBuffer potentialIssuerDER,
-            /*optional*/ const InputBuffer* additionalNameConstraints,
+    virtual Result Check(Input potentialIssuerDER,
+            /*optional*/ const Input* additionalNameConstraints,
                  /*out*/ bool& keepGoing) = 0;
   protected:
     IssuerChecker();
     virtual ~IssuerChecker();
   private:
     IssuerChecker(const IssuerChecker&) /*= delete*/;
     void operator=(const IssuerChecker&) /*= delete*/;
   };
@@ -254,17 +253,17 @@ public:
   //              [...]
   //                TrustDomain::FindIssuer
   //                  [...]
   //                    IssuerChecker::Check
   //                      [...]
   //
   // checker.Check is responsible for limiting the recursion to a reasonable
   // limit.
-  virtual Result FindIssuer(InputBuffer encodedIssuerName,
+  virtual Result FindIssuer(Input encodedIssuerName,
                             IssuerChecker& checker, PRTime time) = 0;
 
   // Called as soon as we think we have a valid chain but before revocation
   // checks are done. This function can be used to compute additional checks,
   // especilaly checks that require the entire certificate chain. This callback
   // can also be used to save a copy of the built certificate chain for later
   // use.
   //
@@ -284,49 +283,49 @@ public:
   //
   // certChain.GetDER(0) is the trust anchor.
   virtual Result IsChainValid(const DERArray& certChain) = 0;
 
   // issuerCertToDup is only non-const so CERT_DupCertificate can be called on
   // it.
   virtual Result CheckRevocation(EndEntityOrCA endEntityOrCA,
                                  const CertID& certID, PRTime time,
-                    /*optional*/ const InputBuffer* stapledOCSPresponse,
-                    /*optional*/ const InputBuffer* aiaExtension) = 0;
+                    /*optional*/ const Input* stapledOCSPresponse,
+                    /*optional*/ const Input* aiaExtension) = 0;
 
   // Check that the key size, algorithm, and parameters of the given public key
   // are acceptable.
   //
   // VerifySignedData() should do the same checks that this function does, but
   // mainly for efficiency, some keys are not passed to VerifySignedData().
   // This function is called instead for those keys.
-  virtual Result CheckPublicKey(InputBuffer subjectPublicKeyInfo) = 0;
+  virtual Result CheckPublicKey(Input subjectPublicKeyInfo) = 0;
 
   // Verify the given signature using the given public key.
   //
   // Most implementations of this function should probably forward the call
   // directly to mozilla::pkix::VerifySignedData.
   //
   // In any case, the implementation must perform checks on the public key
   // similar to how mozilla::pkix::CheckPublicKey() does.
   virtual Result VerifySignedData(const SignedDataWithSignature& signedData,
-                                  InputBuffer subjectPublicKeyInfo) = 0;
+                                  Input subjectPublicKeyInfo) = 0;
 
   // Compute the SHA-1 hash of the data in the current item.
   //
   // item contains the data to hash.
   // digestBuf must point to a buffer to where the SHA-1 hash will be written.
   // digestBufLen must be DIGEST_LENGTH (20, the length of a SHA-1 hash).
   //
   // TODO(bug 966856): Add SHA-2 support
   // TODO: Taking the output buffer as (uint8_t*, size_t) is counter to our
   // other, extensive, memory safety efforts in mozilla::pkix, and we should
   // find a way to provide a more-obviously-safe interface.
   static const size_t DIGEST_LENGTH = 20; // length of SHA-1 digest
-  virtual Result DigestBuf(InputBuffer item, /*out*/ uint8_t* digestBuf,
+  virtual Result DigestBuf(Input item, /*out*/ uint8_t* digestBuf,
                            size_t digestBufLen) = 0;
 protected:
   TrustDomain() { }
 
 private:
   TrustDomain(const TrustDomain&) /* = delete */;
   void operator=(const TrustDomain&) /* = delete */;
 };
--- a/security/pkix/lib/pkixbuild.cpp
+++ b/security/pkix/lib/pkixbuild.cpp
@@ -32,57 +32,57 @@
 namespace mozilla { namespace pkix {
 
 static Result BuildForward(TrustDomain& trustDomain,
                            const BackCert& subject,
                            PRTime time,
                            KeyUsage requiredKeyUsageIfPresent,
                            KeyPurposeId requiredEKUIfPresent,
                            const CertPolicyId& requiredPolicy,
-                           /*optional*/ const InputBuffer* stapledOCSPResponse,
+                           /*optional*/ const Input* stapledOCSPResponse,
                            unsigned int subCACount);
 
 TrustDomain::IssuerChecker::IssuerChecker() { }
 TrustDomain::IssuerChecker::~IssuerChecker() { }
 
 // The implementation of TrustDomain::IssuerTracker is in a subclass only to
 // hide the implementation from external users.
 class PathBuildingStep : public TrustDomain::IssuerChecker
 {
 public:
   PathBuildingStep(TrustDomain& trustDomain, const BackCert& subject,
                    PRTime time, KeyPurposeId requiredEKUIfPresent,
                    const CertPolicyId& requiredPolicy,
-                   /*optional*/ const InputBuffer* stapledOCSPResponse,
+                   /*optional*/ const Input* stapledOCSPResponse,
                    unsigned int subCACount)
     : trustDomain(trustDomain)
     , subject(subject)
     , time(time)
     , requiredEKUIfPresent(requiredEKUIfPresent)
     , requiredPolicy(requiredPolicy)
     , stapledOCSPResponse(stapledOCSPResponse)
     , subCACount(subCACount)
     , result(Result::FATAL_ERROR_LIBRARY_FAILURE)
     , resultWasSet(false)
   {
   }
 
-  Result Check(InputBuffer potentialIssuerDER,
-               /*optional*/ const InputBuffer* additionalNameConstraints,
+  Result Check(Input potentialIssuerDER,
+               /*optional*/ const Input* additionalNameConstraints,
                /*out*/ bool& keepGoing);
 
   Result CheckResult() const;
 
 private:
   TrustDomain& trustDomain;
   const BackCert& subject;
   const PRTime time;
   const KeyPurposeId requiredEKUIfPresent;
   const CertPolicyId& requiredPolicy;
-  /*optional*/ InputBuffer const* const stapledOCSPResponse;
+  /*optional*/ Input const* const stapledOCSPResponse;
   const unsigned int subCACount;
 
   Result RecordResult(Result currentResult, /*out*/ bool& keepGoing);
   Result result;
   bool resultWasSet;
 
   PathBuildingStep(const PathBuildingStep&) /*= delete*/;
   void operator=(const PathBuildingStep&) /*= delete*/;
@@ -121,18 +121,18 @@ PathBuildingStep::CheckResult() const
   if (!resultWasSet) {
     return Result::ERROR_UNKNOWN_ISSUER;
   }
   return result;
 }
 
 // The code that executes in the inner loop of BuildForward
 Result
-PathBuildingStep::Check(InputBuffer potentialIssuerDER,
-           /*optional*/ const InputBuffer* additionalNameConstraints,
+PathBuildingStep::Check(Input potentialIssuerDER,
+           /*optional*/ const Input* additionalNameConstraints,
                 /*out*/ bool& keepGoing)
 {
   BackCert potentialIssuer(potentialIssuerDER, EndEntityOrCA::MustBeCA,
                            &subject);
   Result rv = potentialIssuer.Init();
   if (rv != Success) {
     return RecordResult(rv, keepGoing);
   }
@@ -141,20 +141,19 @@ PathBuildingStep::Check(InputBuffer pote
   // RFC5280 4.2.1.2. Subject Key Identifier
 
   // Loop prevention, done as recommended by RFC4158 Section 5.2
   // TODO: this doesn't account for subjectAltNames!
   // TODO(perf): This probably can and should be optimized in some way.
   bool loopDetected = false;
   for (const BackCert* prev = potentialIssuer.childCert;
        !loopDetected && prev != nullptr; prev = prev->childCert) {
-    if (InputBuffersAreEqual(potentialIssuer.GetSubjectPublicKeyInfo(),
-                             prev->GetSubjectPublicKeyInfo()) &&
-        InputBuffersAreEqual(potentialIssuer.GetSubject(),
-                             prev->GetSubject())) {
+    if (InputsAreEqual(potentialIssuer.GetSubjectPublicKeyInfo(),
+                       prev->GetSubjectPublicKeyInfo()) &&
+        InputsAreEqual(potentialIssuer.GetSubject(), prev->GetSubject())) {
       // XXX: error code
       return RecordResult(Result::ERROR_UNKNOWN_ISSUER, keepGoing);
     }
   }
 
   if (potentialIssuer.GetNameConstraints()) {
     rv = CheckNameConstraints(*potentialIssuer.GetNameConstraints(),
                               subject, requiredEKUIfPresent);
@@ -206,17 +205,17 @@ PathBuildingStep::Check(InputBuffer pote
 // pkix/pkix.h.
 static Result
 BuildForward(TrustDomain& trustDomain,
              const BackCert& subject,
              PRTime time,
              KeyUsage requiredKeyUsageIfPresent,
              KeyPurposeId requiredEKUIfPresent,
              const CertPolicyId& requiredPolicy,
-             /*optional*/ const InputBuffer* stapledOCSPResponse,
+             /*optional*/ const Input* stapledOCSPResponse,
              unsigned int subCACount)
 {
   Result rv;
 
   TrustLevel trustLevel;
   // If this is an end-entity and not a trust anchor, we defer reporting
   // any error found here until after attempting to find a valid chain.
   // See the explanation of error prioritization in pkix.h.
@@ -289,22 +288,22 @@ BuildForward(TrustDomain& trustDomain,
     return deferredEndEntityError;
   }
 
   // We've built a valid chain from the subject cert up to a trusted root.
   return Success;
 }
 
 Result
-BuildCertChain(TrustDomain& trustDomain, InputBuffer certDER,
+BuildCertChain(TrustDomain& trustDomain, Input certDER,
                PRTime time, EndEntityOrCA endEntityOrCA,
                KeyUsage requiredKeyUsageIfPresent,
                KeyPurposeId requiredEKUIfPresent,
                const CertPolicyId& requiredPolicy,
-               /*optional*/ const InputBuffer* stapledOCSPResponse)
+               /*optional*/ const Input* stapledOCSPResponse)
 {
   // XXX: Support the legacy use of the subject CN field for indicating the
   // domain name the certificate is valid for.
   BackCert cert(certDER, endEntityOrCA, nullptr);
   Result rv = cert.Init();
   if (rv != Success) {
     return rv;
   }
--- a/security/pkix/lib/pkixcert.cpp
+++ b/security/pkix/lib/pkixcert.cpp
@@ -32,23 +32,23 @@ BackCert::Init()
 {
   Result rv;
 
   // Certificate  ::=  SEQUENCE  {
   //         tbsCertificate       TBSCertificate,
   //         signatureAlgorithm   AlgorithmIdentifier,
   //         signatureValue       BIT STRING  }
 
-  Input tbsCertificate;
+  Reader tbsCertificate;
 
   // The scope of |input| and |certificate| are limited to this block so we
   // don't accidentally confuse them for tbsCertificate later.
   {
-    Input input(der);
-    Input certificate;
+    Reader input(der);
+    Reader certificate;
     rv = der::ExpectTagAndGetValue(input, der::SEQUENCE, certificate);
     if (rv != Success) {
       return rv;
     }
     rv = der::End(input);
     if (rv != Success) {
       return rv;
     }
@@ -153,20 +153,20 @@ BackCert::Init()
     if (rv != Success) {
       return rv;
     }
   }
 
   return der::End(tbsCertificate);
 }
 
-// XXX: The second value is of type |const InputBupkffer&| instead of type
-// |InputBuffer| due to limitations in our std::bind polyfill.
+// XXX: The second value is of type |const Input&| instead of type |Input| due
+// to limitations in our std::bind polyfill.
 Result
-BackCert::RememberExtension(Input& extnID, const InputBuffer& extnValue,
+BackCert::RememberExtension(Reader& extnID, const Input& extnValue,
                             /*out*/ bool& understood)
 {
   understood = false;
 
   // python DottedOIDToCode.py id-ce-keyUsage 2.5.29.15
   static const uint8_t id_ce_keyUsage[] = {
     0x55, 0x1d, 0x0f
   };
@@ -198,25 +198,25 @@ BackCert::RememberExtension(Input& extnI
   static const uint8_t id_ce_inhibitAnyPolicy[] = {
     0x55, 0x1d, 0x36
   };
   // python DottedOIDToCode.py id-pe-authorityInfoAccess 1.3.6.1.5.5.7.1.1
   static const uint8_t id_pe_authorityInfoAccess[] = {
     0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01
   };
 
-  InputBuffer* out = nullptr;
+  Input* out = nullptr;
 
   // We already enforce the maximum possible constraints for policies so we
   // can safely ignore even critical policy constraint extensions.
   //
   // XXX: Doing it this way won't allow us to detect duplicate
   // policyConstraints extensions, but that's OK because (and only because) we
   // ignore the extension.
-  InputBuffer dummyPolicyConstraints;
+  Input dummyPolicyConstraints;
 
   // RFC says "Conforming CAs MUST mark this extension as non-critical" for
   // both authorityKeyIdentifier and subjectKeyIdentifier, and we do not use
   // them for anything, so we totally ignore them here.
 
   if (extnID.MatchRest(id_ce_keyUsage)) {
     out = &keyUsage;
   } else if (extnID.MatchRest(id_ce_subjectAltName)) {
--- a/security/pkix/lib/pkixcheck.cpp
+++ b/security/pkix/lib/pkixcheck.cpp
@@ -30,19 +30,19 @@
 #include "pkix/ScopedPtr.h"
 #include "pkixder.h"
 #include "pkix/pkixnss.h"
 #include "pkixutil.h"
 
 namespace mozilla { namespace pkix {
 
 Result
-CheckValidity(InputBuffer encodedValidity, PRTime time)
+CheckValidity(Input encodedValidity, PRTime time)
 {
-  Input validity(encodedValidity);
+  Reader validity(encodedValidity);
   PRTime notBefore;
   if (der::TimeChoice(validity, notBefore) != Success) {
     return Result::ERROR_EXPIRED_CERTIFICATE;
   }
   if (time < notBefore) {
     return Result::ERROR_EXPIRED_CERTIFICATE;
   }
 
@@ -63,17 +63,17 @@ CheckValidity(InputBuffer encodedValidit
 // bit and bit 7 is the least significant bit.
 inline uint8_t KeyUsageToBitMask(KeyUsage keyUsage)
 {
   PR_ASSERT(keyUsage != KeyUsage::noParticularKeyUsageRequired);
   return 0x80u >> static_cast<uint8_t>(keyUsage);
 }
 
 Result
-CheckKeyUsage(EndEntityOrCA endEntityOrCA, const InputBuffer* encodedKeyUsage,
+CheckKeyUsage(EndEntityOrCA endEntityOrCA, const Input* encodedKeyUsage,
               KeyUsage requiredKeyUsageIfPresent)
 {
   if (!encodedKeyUsage) {
     // TODO(bug 970196): Reject certificates that are being used to verify
     // certificate signatures unless the certificate is a trust anchor, to
     // reduce the chances of an end-entity certificate being abused as a CA
     // certificate.
     // if (endEntityOrCA == EndEntityOrCA::MustBeCA && !isTrustAnchor) {
@@ -81,18 +81,18 @@ CheckKeyUsage(EndEntityOrCA endEntityOrC
     // }
     //
     // TODO: Users may configure arbitrary certificates as trust anchors, not
     // just roots. We should only allow a certificate without a key usage to be
     // used as a CA when it is self-issued and self-signed.
     return Success;
   }
 
-  Input input(*encodedKeyUsage);
-  Input value;
+  Reader input(*encodedKeyUsage);
+  Reader value;
   if (der::ExpectTagAndGetValue(input, der::BIT_STRING, value) != Success) {
     return Result::ERROR_INADEQUATE_KEY_USAGE;
   }
 
   uint8_t numberOfPaddingBits;
   if (value.Read(numberOfPaddingBits) != Success) {
     return Result::ERROR_INADEQUATE_KEY_USAGE;
   }
@@ -194,17 +194,17 @@ bool CertPolicyId::IsAnyPolicy() const
           !memcmp(bytes, anyPolicy.bytes, anyPolicy.numBytes));
 }
 
 // PolicyInformation ::= SEQUENCE {
 //         policyIdentifier   CertPolicyId,
 //         policyQualifiers   SEQUENCE SIZE (1..MAX) OF
 //                                 PolicyQualifierInfo OPTIONAL }
 inline Result
-CheckPolicyInformation(Input& input, EndEntityOrCA endEntityOrCA,
+CheckPolicyInformation(Reader& input, EndEntityOrCA endEntityOrCA,
                        const CertPolicyId& requiredPolicy,
                        /*in/out*/ bool& found)
 {
   if (input.MatchTLV(der::OIDTag, requiredPolicy.numBytes,
                      requiredPolicy.bytes)) {
     found = true;
   } else if (endEntityOrCA == EndEntityOrCA::MustBeCA &&
              input.MatchTLV(der::OIDTag, CertPolicyId::anyPolicy.numBytes,
@@ -223,18 +223,18 @@ CheckPolicyInformation(Input& input, End
   input.SkipToEnd();
 
   return Success;
 }
 
 // certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
 Result
 CheckCertificatePolicies(EndEntityOrCA endEntityOrCA,
-                         const InputBuffer* encodedCertificatePolicies,
-                         const InputBuffer* encodedInhibitAnyPolicy,
+                         const Input* encodedCertificatePolicies,
+                         const Input* encodedInhibitAnyPolicy,
                          TrustLevel trustLevel,
                          const CertPolicyId& requiredPolicy)
 {
   if (requiredPolicy.numBytes == 0 ||
       requiredPolicy.numBytes > sizeof requiredPolicy.bytes) {
     return Result::FATAL_ERROR_INVALID_ARGS;
   }
 
@@ -262,17 +262,17 @@ CheckCertificatePolicies(EndEntityOrCA e
   }
 
   if (!encodedCertificatePolicies) {
     return Result::ERROR_POLICY_VALIDATION_FAILED;
   }
 
   bool found = false;
 
-  Input input(*encodedCertificatePolicies);
+  Reader input(*encodedCertificatePolicies);
   if (der::NestedOf(input, der::SEQUENCE, der::SEQUENCE, der::EmptyAllowed::No,
                     bind(CheckPolicyInformation, _1, endEntityOrCA,
                          requiredPolicy, ref(found))) != Success) {
     return Result::ERROR_POLICY_VALIDATION_FAILED;
   }
   if (der::End(input) != Success) {
     return Result::ERROR_POLICY_VALIDATION_FAILED;
   }
@@ -284,17 +284,17 @@ CheckCertificatePolicies(EndEntityOrCA e
 }
 
 static const long UNLIMITED_PATH_LEN = -1; // must be less than zero
 
 //  BasicConstraints ::= SEQUENCE {
 //          cA                      BOOLEAN DEFAULT FALSE,
 //          pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
 static Result
-DecodeBasicConstraints(Input& input, /*out*/ bool& isCA,
+DecodeBasicConstraints(Reader& input, /*out*/ bool& isCA,
                        /*out*/ long& pathLenConstraint)
 {
   // TODO(bug 989518): cA is by default false. According to DER, default
   // values must not be explicitly encoded in a SEQUENCE. So, if this
   // value is present and false, it is an encoding error. However, Go Daddy
   // has issued many certificates with this improper encoding, so we can't
   // enforce this yet (hence passing true for allowInvalidExplicitEncoding
   // to der::OptionalBoolean).
@@ -311,25 +311,25 @@ DecodeBasicConstraints(Input& input, /*o
   }
 
   return Success;
 }
 
 // RFC5280 4.2.1.9. Basic Constraints (id-ce-basicConstraints)
 Result
 CheckBasicConstraints(EndEntityOrCA endEntityOrCA,
-                      const InputBuffer* encodedBasicConstraints,
+                      const Input* encodedBasicConstraints,
                       const der::Version version, TrustLevel trustLevel,
                       unsigned int subCACount)
 {
   bool isCA = false;
   long pathLenConstraint = UNLIMITED_PATH_LEN;
 
   if (encodedBasicConstraints) {
-    Input input(*encodedBasicConstraints);
+    Reader input(*encodedBasicConstraints);
     if (der::Nested(input, der::SEQUENCE,
                     bind(DecodeBasicConstraints, _1, ref(isCA),
                          ref(pathLenConstraint))) != Success) {
       return Result::ERROR_EXTENSION_VALUE_INVALID;
     }
     if (der::End(input) != Success) {
       return Result::ERROR_EXTENSION_VALUE_INVALID;
     }
@@ -392,39 +392,39 @@ PORT_FreeArena_false(PLArenaPool* arena)
   // memory, which doesn't work well with memory analysis tools
   return PORT_FreeArena(arena, PR_FALSE);
 }
 
 // TODO: Remove #include "pkix/pkixnss.h", #include "cert.h",
 // #include "ScopedPtr.h", etc. when this is rewritten to be independent of
 // NSS.
 Result
-CheckNameConstraints(InputBuffer encodedNameConstraints,
+CheckNameConstraints(Input encodedNameConstraints,
                      const BackCert& firstChild,
                      KeyPurposeId requiredEKUIfPresent)
 {
   ScopedPtr<PLArenaPool, PORT_FreeArena_false>
     arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
   if (!arena) {
     return Result::FATAL_ERROR_NO_MEMORY;
   }
 
   SECItem encodedNameConstraintsSECItem =
-    UnsafeMapInputBufferToSECItem(encodedNameConstraints);
+    UnsafeMapInputToSECItem(encodedNameConstraints);
 
   // Owned by arena
   const CERTNameConstraints* constraints =
     CERT_DecodeNameConstraintsExtension(arena.get(),
                                         &encodedNameConstraintsSECItem);
   if (!constraints) {
     return MapPRErrorCodeToResult(PR_GetError());
   }
 
   for (const BackCert* child = &firstChild; child; child = child->childCert) {
-    SECItem childCertDER = UnsafeMapInputBufferToSECItem(child->GetDER());
+    SECItem childCertDER = UnsafeMapInputToSECItem(child->GetDER());
     ScopedPtr<CERTCertificate, CERT_DestroyCertificate>
       nssCert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &childCertDER,
                                       nullptr, false, true));
     if (!nssCert) {
       return MapPRErrorCodeToResult(PR_GetError());
     }
 
     bool includeCN = child->endEntityOrCA == EndEntityOrCA::MustBeEndEntity &&
@@ -451,17 +451,17 @@ CheckNameConstraints(InputBuffer encoded
   }
 
   return Success;
 }
 
 // 4.2.1.12. Extended Key Usage (id-ce-extKeyUsage)
 
 static Result
-MatchEKU(Input& value, KeyPurposeId requiredEKU,
+MatchEKU(Reader& value, KeyPurposeId requiredEKU,
          EndEntityOrCA endEntityOrCA, /*in/out*/ bool& found,
          /*in/out*/ bool& foundOCSPSigning)
 {
   // See Section 5.9 of "A Layman's Guide to a Subset of ASN.1, BER, and DER"
   // for a description of ASN.1 DER encoding of OIDs.
 
   // id-pkix  OBJECT IDENTIFIER  ::=
   //            { iso(1) identified-organization(3) dod(6) internet(1)
@@ -535,30 +535,30 @@ MatchEKU(Input& value, KeyPurposeId requ
 
   value.SkipToEnd(); // ignore unmatched OIDs.
 
   return Success;
 }
 
 Result
 CheckExtendedKeyUsage(EndEntityOrCA endEntityOrCA,
-                      const InputBuffer* encodedExtendedKeyUsage,
+                      const Input* encodedExtendedKeyUsage,
                       KeyPurposeId requiredEKU)
 {
   // XXX: We're using Result::ERROR_INADEQUATE_CERT_TYPE here so that callers
   // can distinguish EKU mismatch from KU mismatch from basic constraints
   // mismatch. We should probably add a new error code that is more clear for
   // this type of problem.
 
   bool foundOCSPSigning = false;
 
   if (encodedExtendedKeyUsage) {
     bool found = requiredEKU == KeyPurposeId::anyExtendedKeyUsage;
 
-    Input input(*encodedExtendedKeyUsage);
+    Reader input(*encodedExtendedKeyUsage);
     if (der::NestedOf(input, der::SEQUENCE, der::OIDTag, der::EmptyAllowed::No,
                       bind(MatchEKU, _1, requiredEKU, endEntityOrCA,
                            ref(found), ref(foundOCSPSigning)))
           != Success) {
       return Result::ERROR_INADEQUATE_CERT_TYPE;
     }
     if (der::End(input) != Success) {
       return Result::ERROR_INADEQUATE_CERT_TYPE;
--- a/security/pkix/lib/pkixcheck.h
+++ b/security/pkix/lib/pkixcheck.h
@@ -36,15 +36,15 @@ Result CheckIssuerIndependentProperties(
           const BackCert& cert,
           PRTime time,
           KeyUsage requiredKeyUsageIfPresent,
           KeyPurposeId requiredEKUIfPresent,
           const CertPolicyId& requiredPolicy,
           unsigned int subCACount,
           /*out*/ TrustLevel& trustLevel);
 
-Result CheckNameConstraints(InputBuffer encodedNameConstraints,
+Result CheckNameConstraints(Input encodedNameConstraints,
                             const BackCert& firstChild,
                             KeyPurposeId requiredEKUIfPresent);
 
 } } // namespace mozilla::pkix
 
 #endif // mozilla_pkix__pkixcheck_h
--- a/security/pkix/lib/pkixder.cpp
+++ b/security/pkix/lib/pkixder.cpp
@@ -27,17 +27,17 @@
 #include "cert.h"
 
 namespace mozilla { namespace pkix { namespace der {
 
 namespace internal {
 
 // Too complicated to be inline
 Result
-ExpectTagAndGetLength(Input& input, uint8_t expectedTag, uint16_t& length)
+ExpectTagAndGetLength(Reader& input, uint8_t expectedTag, uint16_t& length)
 {
   PR_ASSERT((expectedTag & 0x1F) != 0x1F); // high tag number form not allowed
 
   uint8_t tag;
   Result rv;
   rv = input.Read(tag);
   if (rv != Success) {
     return rv;
@@ -85,28 +85,29 @@ ExpectTagAndGetLength(Input& input, uint
 
   // Ensure the input is long enough for the length it says it has.
   return input.EnsureLength(length);
 }
 
 } // namespace internal
 
 static Result
-OptionalNull(Input& input)
+OptionalNull(Reader& input)
 {
   if (input.Peek(NULLTag)) {
     return Null(input);
   }
   return Success;
 }
 
 namespace {
 
 Result
-DigestAlgorithmOIDValue(Input& algorithmID, /*out*/ DigestAlgorithm& algorithm)
+DigestAlgorithmOIDValue(Reader& algorithmID,
+                        /*out*/ DigestAlgorithm& algorithm)
 {
   // RFC 4055 Section 2.1
   // python DottedOIDToCode.py id-sha1 1.3.14.3.2.26
   static const uint8_t id_sha1[] = {
     0x2b, 0x0e, 0x03, 0x02, 0x1a
   };
   // python DottedOIDToCode.py id-sha256 2.16.840.1.101.3.4.2.1
   static const uint8_t id_sha256[] = {
@@ -134,17 +135,17 @@ DigestAlgorithmOIDValue(Input& algorithm
   } else {
     return Result::ERROR_INVALID_ALGORITHM;
   }
 
   return Success;
 }
 
 Result
-SignatureAlgorithmOIDValue(Input& algorithmID,
+SignatureAlgorithmOIDValue(Reader& algorithmID,
                            /*out*/ SignatureAlgorithm& algorithm)
 {
   // RFC 5758 Section 3.1 (id-dsa-with-sha224 is intentionally excluded)
   // python DottedOIDToCode.py id-dsa-with-sha256 2.16.840.1.101.3.4.3.2
   static const uint8_t id_dsa_with_sha256[] = {
     0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x02
   };
 
@@ -230,26 +231,26 @@ SignatureAlgorithmOIDValue(Input& algori
     return Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED;
   }
 
   return Success;
 }
 
 template <typename OidValueParser, typename Algorithm>
 Result
-AlgorithmIdentifier(OidValueParser oidValueParser, Input& input,
+AlgorithmIdentifier(OidValueParser oidValueParser, Reader& input,
                     /*out*/ Algorithm& algorithm)
 {
-  Input value;
+  Reader value;
   Result rv = ExpectTagAndGetValue(input, SEQUENCE, value);
   if (rv != Success) {
     return rv;
   }
 
-  Input algorithmID;
+  Reader algorithmID;
   rv = ExpectTagAndGetValue(value, der::OIDTag, algorithmID);
   if (rv != Success) {
     return rv;
   }
   rv = oidValueParser(algorithmID, algorithm);
   if (rv != Success) {
     return rv;
   }
@@ -260,41 +261,41 @@ AlgorithmIdentifier(OidValueParser oidVa
   }
 
   return End(value);
 }
 
 } // unnamed namespace
 
 Result
-SignatureAlgorithmIdentifier(Input& input,
+SignatureAlgorithmIdentifier(Reader& input,
                              /*out*/ SignatureAlgorithm& algorithm)
 {
   return AlgorithmIdentifier(SignatureAlgorithmOIDValue, input, algorithm);
 }
 
 Result
-DigestAlgorithmIdentifier(Input& input, /*out*/ DigestAlgorithm& algorithm)
+DigestAlgorithmIdentifier(Reader& input, /*out*/ DigestAlgorithm& algorithm)
 {
   return AlgorithmIdentifier(DigestAlgorithmOIDValue, input, algorithm);
 }
 
 Result
-SignedData(Input& input, /*out*/ Input& tbs,
+SignedData(Reader& input, /*out*/ Reader& tbs,
            /*out*/ SignedDataWithSignature& signedData)
 {
-  Input::Mark mark(input.GetMark());
+  Reader::Mark mark(input.GetMark());
 
   Result rv;
   rv = ExpectTagAndGetValue(input, SEQUENCE, tbs);
   if (rv != Success) {
     return rv;
   }
 
-  rv = input.GetInputBuffer(mark, signedData.data);
+  rv = input.GetInput(mark, signedData.data);
   if (rv != Success) {
     return rv;
   }
 
   rv = SignatureAlgorithmIdentifier(input, signedData.algorithm);
   if (rv != Success) {
     return rv;
   }
@@ -302,19 +303,19 @@ SignedData(Input& input, /*out*/ Input& 
   rv = BitStringWithNoUnusedBits(input, signedData.signature);
   if (rv == Result::ERROR_BAD_DER) {
     rv = Result::ERROR_BAD_SIGNATURE;
   }
   return rv;
 }
 
 Result
-BitStringWithNoUnusedBits(Input& input, /*out*/ InputBuffer& value)
+BitStringWithNoUnusedBits(Reader& input, /*out*/ Input& value)
 {
-  Input valueWithUnusedBits;
+  Reader valueWithUnusedBits;
   Result rv = ExpectTagAndGetValue(input, BIT_STRING, valueWithUnusedBits);
   if (rv != Success) {
     return rv;
   }
 
   uint8_t unusedBitsAtEnd;
   if (valueWithUnusedBits.Read(unusedBitsAtEnd) != Success) {
     return Result::ERROR_BAD_DER;
@@ -323,37 +324,37 @@ BitStringWithNoUnusedBits(Input& input, 
   // than 7. But, we suspect there are no real-world values in OCSP responses
   // or certificates with non-zero unused bits. It seems like NSS assumes this
   // in various places, so we enforce it too in order to simplify this code. If
   // we find compatibility issues, we'll know we're wrong and we'll have to
   // figure out how to shift the bits around.
   if (unusedBitsAtEnd != 0) {
     return Result::ERROR_BAD_DER;
   }
-  Input::Mark mark(valueWithUnusedBits.GetMark());
+  Reader::Mark mark(valueWithUnusedBits.GetMark());
   valueWithUnusedBits.SkipToEnd();
-  return valueWithUnusedBits.GetInputBuffer(mark, value);
+  return valueWithUnusedBits.GetInput(mark, value);
 }
 
 static inline Result
-ReadDigit(Input& input, /*out*/ int& value)
+ReadDigit(Reader& input, /*out*/ int& value)
 {
   uint8_t b;
   if (input.Read(b) != Success) {
     return Result::ERROR_INVALID_TIME;
   }
   if (b < '0' || b > '9') {
     return Result::ERROR_INVALID_TIME;
   }
   value = b - '0';
   return Success;
 }
 
 static inline Result
-ReadTwoDigits(Input& input, int minValue, int maxValue, /*out*/ int& value)
+ReadTwoDigits(Reader& input, int minValue, int maxValue, /*out*/ int& value)
 {
   int hi;
   Result rv = ReadDigit(input, hi);
   if (rv != Success) {
     return rv;
   }
   int lo;
   rv = ReadDigit(input, lo);
@@ -379,21 +380,21 @@ daysBeforeYear(int year)
 namespace internal {
 
 // We parse GeneralizedTime and UTCTime according to RFC 5280 and we do not
 // accept all time formats allowed in the ASN.1 spec. That is,
 // GeneralizedTime must always be in the format YYYYMMDDHHMMSSZ and UTCTime
 // must always be in the format YYMMDDHHMMSSZ. Timezone formats of the form
 // +HH:MM or -HH:MM or NOT accepted.
 Result
-TimeChoice(Input& tagged, uint8_t expectedTag, /*out*/ PRTime& time)
+TimeChoice(Reader& tagged, uint8_t expectedTag, /*out*/ PRTime& time)
 {
   int days;
 
-  Input input;
+  Reader input;
   Result rv = ExpectTagAndGetValue(tagged, expectedTag, input);
   if (rv != Success) {
     return rv;
   }
 
   int yearHi;
   int yearLo;
   if (expectedTag == GENERALIZED_TIME) {
--- a/security/pkix/lib/pkixder.h
+++ b/security/pkix/lib/pkixder.h
@@ -68,17 +68,17 @@ enum Tag
   SEQUENCE = UNIVERSAL | CONSTRUCTED | 0x10, // 0x30
   UTCTime = UNIVERSAL | 0x17,
   GENERALIZED_TIME = UNIVERSAL | 0x18,
 };
 
 MOZILLA_PKIX_ENUM_CLASS EmptyAllowed { No = 0, Yes = 1 };
 
 inline Result
-ExpectTagAndLength(Input& input, uint8_t expectedTag, uint8_t expectedLength)
+ExpectTagAndLength(Reader& input, uint8_t expectedTag, uint8_t expectedLength)
 {
   PR_ASSERT((expectedTag & 0x1F) != 0x1F); // high tag number form not allowed
   PR_ASSERT(expectedLength < 128); // must be a single-byte length
 
   uint16_t tagAndLength;
   Result rv = input.Read(tagAndLength);
   if (rv != Success) {
     return rv;
@@ -92,105 +92,105 @@ ExpectTagAndLength(Input& input, uint8_t
   }
 
   return Success;
 }
 
 namespace internal {
 
 Result
-ExpectTagAndGetLength(Input& input, uint8_t expectedTag, uint16_t& length);
+ExpectTagAndGetLength(Reader& input, uint8_t expectedTag, uint16_t& length);
 
 } // namespace internal
 
 inline Result
-ExpectTagAndSkipValue(Input& input, uint8_t tag)
+ExpectTagAndSkipValue(Reader& input, uint8_t tag)
 {
   uint16_t length;
   Result rv = internal::ExpectTagAndGetLength(input, tag, length);
   if (rv != Success) {
     return rv;
   }
   return input.Skip(length);
 }
 
 inline Result
-ExpectTagAndGetValue(Input& input, uint8_t tag, /*out*/ InputBuffer& value)
+ExpectTagAndGetValue(Reader& input, uint8_t tag, /*out*/ Input& value)
 {
   uint16_t length;
   Result rv = internal::ExpectTagAndGetLength(input, tag, length);
   if (rv != Success) {
     return rv;
   }
   return input.Skip(length, value);
 }
 
 inline Result
-ExpectTagAndGetValue(Input& input, uint8_t tag, /*out*/ Input& value)
+ExpectTagAndGetValue(Reader& input, uint8_t tag, /*out*/ Reader& value)
 {
   uint16_t length;
   Result rv = internal::ExpectTagAndGetLength(input, tag, length);
   if (rv != Success) {
     return rv;
   }
   return input.Skip(length, value);
 }
 
-// Like ExpectTagAndGetValue, except the output InputBuffer will contain the
+// Like ExpectTagAndGetValue, except the output Input will contain the
 // encoded tag and length along with the value.
 inline Result
-ExpectTagAndGetTLV(Input& input, uint8_t tag, /*out*/ InputBuffer& tlv)
+ExpectTagAndGetTLV(Reader& input, uint8_t tag, /*out*/ Input& tlv)
 {
-  Input::Mark mark(input.GetMark());
+  Reader::Mark mark(input.GetMark());
   uint16_t length;
   Result rv = internal::ExpectTagAndGetLength(input, tag, length);
   if (rv != Success) {
     return rv;
   }
   rv = input.Skip(length);
   if (rv != Success) {
     return rv;
   }
-  return input.GetInputBuffer(mark, tlv);
+  return input.GetInput(mark, tlv);
 }
 
 inline Result
-End(Input& input)
+End(Reader& input)
 {
   if (!input.AtEnd()) {
     return Result::ERROR_BAD_DER;
   }
 
   return Success;
 }
 
 template <typename Decoder>
 inline Result
-Nested(Input& input, uint8_t tag, Decoder decoder)
+Nested(Reader& input, uint8_t tag, Decoder decoder)
 {
-  Input nested;
+  Reader nested;
   Result rv = ExpectTagAndGetValue(input, tag, nested);
   if (rv != Success) {
     return rv;
   }
   rv = decoder(nested);
   if (rv != Success) {
     return rv;
   }
   return End(nested);
 }
 
 template <typename Decoder>
 inline Result
-Nested(Input& input, uint8_t outerTag, uint8_t innerTag, Decoder decoder)
+Nested(Reader& input, uint8_t outerTag, uint8_t innerTag, Decoder decoder)
 {
   // XXX: This doesn't work (in VS2010):
   // return Nested(input, outerTag, bind(Nested, _1, innerTag, decoder));
 
-  Input nestedInput;
+  Reader nestedInput;
   Result rv = ExpectTagAndGetValue(input, outerTag, nestedInput);
   if (rv != Success) {
     return rv;
   }
   rv = Nested(nestedInput, innerTag, decoder);
   if (rv != Success) {
     return rv;
   }
@@ -204,27 +204,27 @@ Nested(Input& input, uint8_t outerTag, u
 //     ...
 //     Foo ::= SEQUENCE {
 //     }
 //
 // using a call like this:
 //
 //    rv = NestedOf(input, SEQEUENCE, SEQUENCE, bind(_1, Foo));
 //
-//    Result Foo(Input& input) {
+//    Result Foo(Reader& input) {
 //    }
 //
 // In this example, Foo will get called once for each element of foos.
 //
 template <typename Decoder>
 inline Result
-NestedOf(Input& input, uint8_t outerTag, uint8_t innerTag,
+NestedOf(Reader& input, uint8_t outerTag, uint8_t innerTag,
          EmptyAllowed mayBeEmpty, Decoder decoder)
 {
-  Input inner;
+  Reader inner;
   Result rv = ExpectTagAndGetValue(input, outerTag, inner);
   if (rv != Success) {
     return rv;
   }
 
   if (inner.AtEnd()) {
     if (mayBeEmpty != EmptyAllowed::Yes) {
       return Result::ERROR_BAD_DER;
@@ -244,17 +244,17 @@ NestedOf(Input& input, uint8_t outerTag,
 
 // Universal types
 
 namespace internal {
 
 // This parser will only parse values between 0..127. If this range is
 // increased then callers will need to be changed.
 template <typename T> inline Result
-IntegralValue(Input& input, uint8_t tag, T& value)
+IntegralValue(Reader& input, uint8_t tag, T& value)
 {
   // Conveniently, all the Integers that we actually have to be able to parse
   // are positive and very small. Consequently, this parser is *much* simpler
   // than a general Integer parser would need to be.
   Result rv = ExpectTagAndLength(input, tag, 1);
   if (rv != Success) {
     return rv;
   }
@@ -268,20 +268,20 @@ IntegralValue(Input& input, uint8_t tag,
   }
   value = valueByte;
   return Success;
 }
 
 } // namespace internal
 
 Result
-BitStringWithNoUnusedBits(Input& input, /*out*/ InputBuffer& value);
+BitStringWithNoUnusedBits(Reader& input, /*out*/ Input& value);
 
 inline Result
-Boolean(Input& input, /*out*/ bool& value)
+Boolean(Reader& input, /*out*/ bool& value)
 {
   Result rv = ExpectTagAndLength(input, BOOLEAN, 1);
   if (rv != Success) {
     return rv;
   }
 
   uint8_t intValue;
   rv = input.Read(intValue);
@@ -296,17 +296,17 @@ Boolean(Input& input, /*out*/ bool& valu
   }
 }
 
 // This is for any BOOLEAN DEFAULT FALSE.
 // (If it is present and false, this is a bad encoding.)
 // TODO(bug 989518): For compatibility reasons, in some places we allow
 // invalid encodings with the explicit default value.
 inline Result
-OptionalBoolean(Input& input, bool allowInvalidExplicitEncoding,
+OptionalBoolean(Reader& input, bool allowInvalidExplicitEncoding,
                 /*out*/ bool& value)
 {
   value = false;
   if (input.Peek(BOOLEAN)) {
     Result rv = Boolean(input, value);
     if (rv != Success) {
       return rv;
     }
@@ -315,66 +315,66 @@ OptionalBoolean(Input& input, bool allow
     }
   }
   return Success;
 }
 
 // This parser will only parse values between 0..127. If this range is
 // increased then callers will need to be changed.
 inline Result
-Enumerated(Input& input, uint8_t& value)
+Enumerated(Reader& input, uint8_t& value)
 {
   return internal::IntegralValue(input, ENUMERATED | 0, value);
 }
 
 namespace internal {
 
 // internal::TimeChoice implements the shared functionality of GeneralizedTime
 // and TimeChoice. tag must be either UTCTime or GENERALIZED_TIME.
 //
 // Only times from 1970-01-01-00:00:00 onward are accepted, in order to
 // eliminate the chance for complications in converting times to traditional
 // time formats that start at 1970.
-Result TimeChoice(Input& input, uint8_t tag, /*out*/ PRTime& time);
+Result TimeChoice(Reader& input, uint8_t tag, /*out*/ PRTime& time);
 
 } // namespace internal
 
 // Only times from 1970-01-01-00:00:00 onward are accepted, in order to
 // eliminate the chance for complications in converting times to traditional
 // time formats that start at 1970.
 inline Result
-GeneralizedTime(Input& input, /*out*/ PRTime& time)
+GeneralizedTime(Reader& input, /*out*/ PRTime& time)
 {
   return internal::TimeChoice(input, GENERALIZED_TIME, time);
 }
 
 // Only times from 1970-01-01-00:00:00 onward are accepted, in order to
 // eliminate the chance for complications in converting times to traditional
 // time formats that start at 1970.
 inline Result
-TimeChoice(Input& input, /*out*/ PRTime& time)
+TimeChoice(Reader& input, /*out*/ PRTime& time)
 {
   uint8_t expectedTag = input.Peek(UTCTime) ? UTCTime : GENERALIZED_TIME;
   return internal::TimeChoice(input, expectedTag, time);
 }
 
 // This parser will only parse values between 0..127. If this range is
 // increased then callers will need to be changed.
 inline Result
-Integer(Input& input, /*out*/ uint8_t& value)
+Integer(Reader& input, /*out*/ uint8_t& value)
 {
   return internal::IntegralValue(input, INTEGER, value);
 }
 
 // This parser will only parse values between 0..127. If this range is
 // increased then callers will need to be changed. The default value must be
 // -1; defaultValue is only a parameter to make it clear in the calling code
 // what the default value is.
 inline Result
-OptionalInteger(Input& input, long defaultValue, /*out*/ long& value)
+OptionalInteger(Reader& input, long defaultValue, /*out*/ long& value)
 {
   // If we need to support a different default value in the future, we need to
   // test that parsedValue != defaultValue.
   if (defaultValue != -1) {
     return Result::FATAL_ERROR_INVALID_ARGS;
   }
 
   if (!input.Peek(INTEGER)) {
@@ -387,40 +387,40 @@ OptionalInteger(Input& input, long defau
   if (rv != Success) {
     return rv;
   }
   value = parsedValue;
   return Success;
 }
 
 inline Result
-Null(Input& input)
+Null(Reader& input)
 {
   return ExpectTagAndLength(input, NULLTag, 0);
 }
 
 template <uint8_t Len>
 Result
-OID(Input& input, const uint8_t (&expectedOid)[Len])
+OID(Reader& input, const uint8_t (&expectedOid)[Len])
 {
-  Input value;
+  Reader value;
   Result rv = ExpectTagAndGetValue(input, OIDTag, value);
   if (rv != Success) {
     return rv;
   }
   if (!value.MatchRest(expectedOid)) {
     return Result::ERROR_BAD_DER;
   }
   return Success;
 }
 
 // PKI-specific types
 
 inline Result
-CertificateSerialNumber(Input& input, /*out*/ InputBuffer& value)
+CertificateSerialNumber(Reader& input, /*out*/ Input& value)
 {
   // http://tools.ietf.org/html/rfc5280#section-4.1.2.2:
   //
   // * "The serial number MUST be a positive integer assigned by the CA to
   //   each certificate."
   // * "Certificate users MUST be able to handle serialNumber values up to 20
   //   octets. Conforming CAs MUST NOT use serialNumber values longer than 20
   //   octets."
@@ -438,17 +438,17 @@ CertificateSerialNumber(Input& input, /*
   }
 
   // Check for overly-long encodings. If the first byte is 0x00 then the high
   // bit on the second byte must be 1; otherwise the same *positive* value
   // could be encoded without the leading 0x00 byte. If the first byte is 0xFF
   // then the second byte must NOT have its high bit set; otherwise the same
   // *negative* value could be encoded without the leading 0xFF byte.
   if (value.GetLength() > 1) {
-    Input valueInput(value);
+    Reader valueInput(value);
     uint8_t firstByte;
     rv = valueInput.Read(firstByte);
     if (rv != Success) {
       return rv;
     }
     uint8_t secondByte;
     rv = valueInput.Read(secondByte);
     if (rv != Success) {
@@ -466,24 +466,24 @@ CertificateSerialNumber(Input& input, /*
 // x.509 and OCSP both use this same version numbering scheme, though OCSP
 // only supports v1.
 MOZILLA_PKIX_ENUM_CLASS Version { v1 = 0, v2 = 1, v3 = 2 };
 
 // X.509 Certificate and OCSP ResponseData both use this
 // "[0] EXPLICIT Version DEFAULT <defaultVersion>" construct, but with
 // different default versions.
 inline Result
-OptionalVersion(Input& input, /*out*/ Version& version)
+OptionalVersion(Reader& input, /*out*/ Version& version)
 {
   static const uint8_t TAG = CONTEXT_SPECIFIC | CONSTRUCTED | 0;
   if (!input.Peek(TAG)) {
     version = Version::v1;
     return Success;
   }
-  Input value;
+  Reader value;
   Result rv = ExpectTagAndGetValue(input, TAG, value);
   if (rv != Success) {
     return rv;
   }
   uint8_t integerValue;
   rv = Integer(value, integerValue);
   if (rv != Success) {
     return rv;
@@ -501,27 +501,28 @@ OptionalVersion(Input& input, /*out*/ Ve
     default:
       return Result::ERROR_BAD_DER;
   }
   return Success;
 }
 
 template <typename ExtensionHandler>
 inline Result
-OptionalExtensions(Input& input, uint8_t tag, ExtensionHandler extensionHandler)
+OptionalExtensions(Reader& input, uint8_t tag,
+                   ExtensionHandler extensionHandler)
 {
   if (!input.Peek(tag)) {
     return Success;
   }
 
   Result rv;
 
-  Input extensions;
+  Reader extensions;
   {
-    Input tagged;
+    Reader tagged;
     rv = ExpectTagAndGetValue(input, tag, tagged);
     if (rv != Success) {
       return rv;
     }
     rv = ExpectTagAndGetValue(tagged, SEQUENCE, extensions);
     if (rv != Success) {
       return rv;
     }
@@ -532,38 +533,38 @@ OptionalExtensions(Input& input, uint8_t
   }
 
   // Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
   //
   // TODO(bug 997994): According to the specification, there should never be
   // an empty sequence of extensions but we've found OCSP responses that have
   // that (see bug 991898).
   while (!extensions.AtEnd()) {
-    Input extension;
+    Reader extension;
     rv = ExpectTagAndGetValue(extensions, SEQUENCE, extension);
     if (rv != Success) {
       return rv;
     }
 
     // Extension  ::=  SEQUENCE  {
     //      extnID      OBJECT IDENTIFIER,
     //      critical    BOOLEAN DEFAULT FALSE,
     //      extnValue   OCTET STRING
     //      }
-    Input extnID;
+    Reader extnID;
     rv = ExpectTagAndGetValue(extension, OIDTag, extnID);
     if (rv != Success) {
       return rv;
     }
     bool critical;
     rv = OptionalBoolean(extension, false, critical);
     if (rv != Success) {
       return rv;
     }
-    InputBuffer extnValue;
+    Input extnValue;
     rv = ExpectTagAndGetValue(extension, OCTET_STRING, extnValue);
     if (rv != Success) {
       return rv;
     }
     rv = End(extension);
     if (rv != Success) {
       return rv;
     }
@@ -576,20 +577,20 @@ OptionalExtensions(Input& input, uint8_t
     if (critical && !understood) {
       return Result::ERROR_UNKNOWN_CRITICAL_EXTENSION;
     }
   }
 
   return Success;
 }
 
-Result DigestAlgorithmIdentifier(Input& input,
+Result DigestAlgorithmIdentifier(Reader& input,
                                  /*out*/ DigestAlgorithm& algorithm);
 
-Result SignatureAlgorithmIdentifier(Input& input,
+Result SignatureAlgorithmIdentifier(Reader& input,
                                     /*out*/ SignatureAlgorithm& algorithm);
 
 // Parses a SEQUENCE into tbs and then parses an AlgorithmIdentifier followed
 // by a BIT STRING into signedData. This handles the commonality between
 // parsing the signed/signature fields of certificates and OCSP responses. In
 // the case of an OCSP response, the caller needs to parse the certs
 // separately.
 //
@@ -598,14 +599,14 @@ Result SignatureAlgorithmIdentifier(Inpu
 //        signatureAlgorithm   AlgorithmIdentifier,
 //        signatureValue       BIT STRING  }
 //
 // BasicOCSPResponse       ::= SEQUENCE {
 //    tbsResponseData      ResponseData,
 //    signatureAlgorithm   AlgorithmIdentifier,
 //    signature            BIT STRING,
 //    certs            [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
-Result SignedData(Input& input, /*out*/ Input& tbs,
+Result SignedData(Reader& input, /*out*/ Reader& tbs,
                   /*out*/ SignedDataWithSignature& signedDataWithSignature);
 
 } } } // namespace mozilla::pkix::der
 
 #endif // mozilla_pkix__pkixder_h
--- a/security/pkix/lib/pkixnss.cpp
+++ b/security/pkix/lib/pkixnss.cpp
@@ -34,21 +34,21 @@
 #include "pkix/ScopedPtr.h"
 #include "secerr.h"
 
 namespace mozilla { namespace pkix {
 
 typedef ScopedPtr<SECKEYPublicKey, SECKEY_DestroyPublicKey> ScopedSECKeyPublicKey;
 
 Result
-CheckPublicKeySize(InputBuffer subjectPublicKeyInfo,
+CheckPublicKeySize(Input subjectPublicKeyInfo,
                    /*out*/ ScopedSECKeyPublicKey& publicKey)
 {
   SECItem subjectPublicKeyInfoSECItem =
-    UnsafeMapInputBufferToSECItem(subjectPublicKeyInfo);
+    UnsafeMapInputToSECItem(subjectPublicKeyInfo);
   ScopedPtr<CERTSubjectPublicKeyInfo, SECKEY_DestroySubjectPublicKeyInfo>
     spki(SECKEY_DecodeDERSubjectPublicKeyInfo(&subjectPublicKeyInfoSECItem));
   if (!spki) {
     return MapPRErrorCodeToResult(PR_GetError());
   }
   publicKey = SECKEY_ExtractPublicKey(spki.get());
   if (!publicKey) {
     return MapPRErrorCodeToResult(PR_GetError());
@@ -77,25 +77,25 @@ CheckPublicKeySize(InputBuffer subjectPu
     default:
       return Result::ERROR_UNSUPPORTED_KEYALG;
   }
 
   return Success;
 }
 
 Result
-CheckPublicKey(InputBuffer subjectPublicKeyInfo)
+CheckPublicKey(Input subjectPublicKeyInfo)
 {
   ScopedSECKeyPublicKey unused;
   return CheckPublicKeySize(subjectPublicKeyInfo, unused);
 }
 
 Result
 VerifySignedData(const SignedDataWithSignature& sd,
-                 InputBuffer subjectPublicKeyInfo, void* pkcs11PinArg)
+                 Input subjectPublicKeyInfo, void* pkcs11PinArg)
 {
   // See bug 921585.
   if (sd.data.GetLength() >
         static_cast<unsigned int>(std::numeric_limits<int>::max())) {
     return Result::FATAL_ERROR_INVALID_ARGS;
   }
 
   SECOidTag pubKeyAlg;
@@ -150,40 +150,40 @@ VerifySignedData(const SignedDataWithSig
   ScopedSECKeyPublicKey pubKey;
   rv = CheckPublicKeySize(subjectPublicKeyInfo, pubKey);
   if (rv != Success) {
     return rv;
   }
 
   // The static_cast is safe according to the check above that references
   // bug 921585.
-  SECItem dataSECItem(UnsafeMapInputBufferToSECItem(sd.data));
-  SECItem signatureSECItem(UnsafeMapInputBufferToSECItem(sd.signature));
+  SECItem dataSECItem(UnsafeMapInputToSECItem(sd.data));
+  SECItem signatureSECItem(UnsafeMapInputToSECItem(sd.signature));
   SECStatus srv = VFY_VerifyDataDirect(dataSECItem.data,
                                        static_cast<int>(dataSECItem.len),
                                        pubKey.get(), &signatureSECItem,
                                        pubKeyAlg, digestAlg, nullptr,
                                        pkcs11PinArg);
   if (srv != SECSuccess) {
     return MapPRErrorCodeToResult(PR_GetError());
   }
 
   return Success;
 }
 
 Result
-DigestBuf(InputBuffer item, /*out*/ uint8_t* digestBuf, size_t digestBufLen)
+DigestBuf(Input item, /*out*/ uint8_t* digestBuf, size_t digestBufLen)
 {
   static_assert(TrustDomain::DIGEST_LENGTH == SHA1_LENGTH,
                 "TrustDomain::DIGEST_LENGTH must be 20 (SHA-1 digest length)");
   if (digestBufLen != TrustDomain::DIGEST_LENGTH) {
     PR_NOT_REACHED("invalid hash length");
     return Result::FATAL_ERROR_INVALID_ARGS;
   }
-  SECItem itemSECItem = UnsafeMapInputBufferToSECItem(item);
+  SECItem itemSECItem = UnsafeMapInputToSECItem(item);
   if (itemSECItem.len >
         static_cast<decltype(itemSECItem.len)>(
           std::numeric_limits<int32_t>::max())) {
     PR_NOT_REACHED("large items should not be possible here");
     return Result::FATAL_ERROR_INVALID_ARGS;
   }
   SECStatus srv = PK11_HashBuf(SEC_OID_SHA1, digestBuf, itemSECItem.data,
                                static_cast<int32_t>(itemSECItem.len));
--- a/security/pkix/lib/pkixocsp.cpp
+++ b/security/pkix/lib/pkixocsp.cpp
@@ -80,18 +80,18 @@ private:
   void operator=(const Context&); // delete
 };
 
 // Verify that potentialSigner is a valid delegated OCSP response signing cert
 // according to RFC 6960 section 4.2.2.2.
 static Result
 CheckOCSPResponseSignerCert(TrustDomain& trustDomain,
                             BackCert& potentialSigner,
-                            InputBuffer issuerSubject,
-                            InputBuffer issuerSubjectPublicKeyInfo,
+                            Input issuerSubject,
+                            Input issuerSubjectPublicKeyInfo,
                             PRTime time)
 {
   Result rv;
 
   // We don't need to do a complete verification of the signer (i.e. we don't
   // have to call BuildCertChain to verify the entire chain) because we
   // already know that the issuer is valid, since revocation checking is done
   // from the root to the parent after we've built a complete chain that we
@@ -124,17 +124,17 @@ CheckOCSPResponseSignerCert(TrustDomain&
     return rv;
   }
 
   // It is possible that there exists a certificate with the same key as the
   // issuer but with a different name, so we need to compare names
   // XXX(bug 926270) XXX(bug 1008133) XXX(bug 980163): Improve name
   // comparison.
   // TODO: needs test
-  if (!InputBuffersAreEqual(potentialSigner.GetIssuer(), issuerSubject)) {
+  if (!InputsAreEqual(potentialSigner.GetIssuer(), issuerSubject)) {
     return Result::ERROR_OCSP_RESPONDER_CERT_INVALID;
   }
 
   // TODO(bug 926260): check name constraints
   rv = trustDomain.VerifySignedData(potentialSigner.GetSignedData(),
                                     issuerSubjectPublicKeyInfo);
 
   // TODO: check for revocation of the OCSP responder certificate unless no-check
@@ -145,93 +145,93 @@ CheckOCSPResponseSignerCert(TrustDomain&
 }
 
 MOZILLA_PKIX_ENUM_CLASS ResponderIDType : uint8_t
 {
   byName = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 1,
   byKey = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 2
 };
 
-static inline Result OCSPResponse(Input&, Context&);
-static inline Result ResponseBytes(Input&, Context&);
-static inline Result BasicResponse(Input&, Context&);
+static inline Result OCSPResponse(Reader&, Context&);
+static inline Result ResponseBytes(Reader&, Context&);
+static inline Result BasicResponse(Reader&, Context&);
 static inline Result ResponseData(
-                       Input& tbsResponseData,
+                       Reader& tbsResponseData,
                        Context& context,
                        const SignedDataWithSignature& signedResponseData,
                        const DERArray& certs);
-static inline Result SingleResponse(Input& input, Context& context);
-static Result ExtensionNotUnderstood(Input& extnID, InputBuffer extnValue,
+static inline Result SingleResponse(Reader& input, Context& context);
+static Result ExtensionNotUnderstood(Reader& extnID, Input extnValue,
                                      /*out*/ bool& understood);
-static inline Result CertID(Input& input,
+static inline Result CertID(Reader& input,
                             const Context& context,
                             /*out*/ bool& match);
 static Result MatchKeyHash(TrustDomain& trustDomain,
-                           InputBuffer issuerKeyHash,
-                           InputBuffer issuerSubjectPublicKeyInfo,
+                           Input issuerKeyHash,
+                           Input issuerSubjectPublicKeyInfo,
                            /*out*/ bool& match);
 static Result KeyHash(TrustDomain& trustDomain,
-                      InputBuffer subjectPublicKeyInfo,
+                      Input subjectPublicKeyInfo,
                       /*out*/ uint8_t* hashBuf, size_t hashBufSize);
 
 static Result
 MatchResponderID(TrustDomain& trustDomain,
                  ResponderIDType responderIDType,
-                 InputBuffer responderID,
-                 InputBuffer potentialSignerSubject,
-                 InputBuffer potentialSignerSubjectPublicKeyInfo,
+                 Input responderID,
+                 Input potentialSignerSubject,
+                 Input potentialSignerSubjectPublicKeyInfo,
                  /*out*/ bool& match)
 {
   match = false;
 
   switch (responderIDType) {
     case ResponderIDType::byName:
       // XXX(bug 926270) XXX(bug 1008133) XXX(bug 980163): Improve name
       // comparison.
-      match = InputBuffersAreEqual(responderID, potentialSignerSubject);
+      match = InputsAreEqual(responderID, potentialSignerSubject);
       return Success;
 
     case ResponderIDType::byKey:
     {
-      Input input(responderID);
-      InputBuffer keyHash;
+      Reader input(responderID);
+      Input keyHash;
       Result rv = der::ExpectTagAndGetValue(input, der::OCTET_STRING, keyHash);
       if (rv != Success) {
         return rv;
       }
       return MatchKeyHash(trustDomain, keyHash,
                           potentialSignerSubjectPublicKeyInfo, match);
     }
 
     default:
       return Result::ERROR_OCSP_MALFORMED_RESPONSE;
   }
 }
 
 static Result
 VerifyOCSPSignedData(TrustDomain& trustDomain,
                      const SignedDataWithSignature& signedResponseData,
-                     InputBuffer spki)
+                     Input spki)
 {
   Result rv = trustDomain.VerifySignedData(signedResponseData, spki);
   if (rv == Result::ERROR_BAD_SIGNATURE) {
     rv = Result::ERROR_OCSP_BAD_SIGNATURE;
   }
   return rv;
 }
 
 // RFC 6960 section 4.2.2.2: The OCSP responder must either be the issuer of
 // the cert or it must be a delegated OCSP response signing cert directly
 // issued by the issuer. If the OCSP responder is a delegated OCSP response
 // signer, then its certificate is (probably) embedded within the OCSP
 // response and we'll need to verify that it is a valid certificate that chains
 // *directly* to issuerCert.
 static Result
 VerifySignature(Context& context, ResponderIDType responderIDType,
-                InputBuffer responderID, const DERArray& certs,
+                Input responderID, const DERArray& certs,
                 const SignedDataWithSignature& signedResponseData)
 {
   bool match;
   Result rv = MatchResponderID(context.trustDomain, responderIDType,
                                responderID, context.certID.issuer,
                                context.certID.issuerSubjectPublicKeyInfo,
                                match);
   if (rv != Success) {
@@ -286,28 +286,28 @@ MapBadDERToMalformedOCSPResponse(Result 
     return Result::ERROR_OCSP_MALFORMED_RESPONSE;
   }
   return rv;
 }
 
 Result
 VerifyEncodedOCSPResponse(TrustDomain& trustDomain, const struct CertID& certID,
                           PRTime time, uint16_t maxOCSPLifetimeInDays,
-                          InputBuffer encodedResponse,
+                          Input encodedResponse,
                           /*out*/ bool& expired,
                           /*optional out*/ PRTime* thisUpdate,
                           /*optional out*/ PRTime* validThrough)
 {
   // Always initialize this to something reasonable.
   expired = false;
 
   Context context(trustDomain, certID, time, maxOCSPLifetimeInDays,
                   thisUpdate, validThrough);
 
-  Input input(encodedResponse);
+  Reader input(encodedResponse);
   Result rv = der::Nested(input, der::SEQUENCE,
                           bind(OCSPResponse, _1, ref(context)));
   if (rv != Success) {
     return MapBadDERToMalformedOCSPResponse(rv);
   }
   rv = der::End(input);
   if (rv != Success) {
     return MapBadDERToMalformedOCSPResponse(rv);
@@ -331,17 +331,17 @@ VerifyEncodedOCSPResponse(TrustDomain& t
   return Result::ERROR_OCSP_UNKNOWN_CERT;
 }
 
 // OCSPResponse ::= SEQUENCE {
 //       responseStatus         OCSPResponseStatus,
 //       responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }
 //
 static inline Result
-OCSPResponse(Input& input, Context& context)
+OCSPResponse(Reader& input, Context& context)
 {
   // OCSPResponseStatus ::= ENUMERATED {
   //     successful            (0),  -- Response has valid confirmations
   //     malformedRequest      (1),  -- Illegal confirmation request
   //     internalError         (2),  -- Internal error in issuer
   //     tryLater              (3),  -- Try again later
   //                                 -- (4) is not used
   //     sigRequired           (5),  -- Must sign the request
@@ -366,17 +366,17 @@ OCSPResponse(Input& input, Context& cont
   return der::Nested(input, der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0,
                      der::SEQUENCE, bind(ResponseBytes, _1, ref(context)));
 }
 
 // ResponseBytes ::=       SEQUENCE {
 //     responseType   OBJECT IDENTIFIER,
 //     response       OCTET STRING }
 static inline Result
-ResponseBytes(Input& input, Context& context)
+ResponseBytes(Reader& input, Context& context)
 {
   static const uint8_t id_pkix_ocsp_basic[] = {
     0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
   };
 
   Result rv = der::OID(input, id_pkix_ocsp_basic);
   if (rv != Success) {
     return rv;
@@ -387,19 +387,19 @@ ResponseBytes(Input& input, Context& con
 }
 
 // BasicOCSPResponse       ::= SEQUENCE {
 //    tbsResponseData      ResponseData,
 //    signatureAlgorithm   AlgorithmIdentifier,
 //    signature            BIT STRING,
 //    certs            [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
 Result
-BasicResponse(Input& input, Context& context)
+BasicResponse(Reader& input, Context& context)
 {
-  Input tbsResponseData;
+  Reader tbsResponseData;
   SignedDataWithSignature signedData;
   Result rv = der::SignedData(input, tbsResponseData, signedData);
   if (rv != Success) {
     if (rv == Result::ERROR_BAD_SIGNATURE) {
       return Result::ERROR_OCSP_BAD_SIGNATURE;
     }
     return rv;
   }
@@ -408,41 +408,41 @@ BasicResponse(Input& input, Context& con
 
   NonOwningDERArray certs;
   if (!input.AtEnd()) {
     // We ignore the lengths of the wrappers because we'll detect bad lengths
     // during parsing--too short and we'll run out of input for parsing a cert,
     // and too long and we'll have leftover data that won't parse as a cert.
 
     // [0] wrapper
-    Input wrapped;
+    Reader wrapped;
     rv = der::ExpectTagAndGetValue(
           input, der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0, wrapped);
     if (rv != Success) {
       return rv;
     }
     rv = der::End(input);
     if (rv != Success) {
       return rv;
     }
 
     // SEQUENCE wrapper
-    Input certsSequence;
+    Reader certsSequence;
     rv = der::ExpectTagAndGetValue(wrapped, der::SEQUENCE, certsSequence);
     if (rv != Success) {
       return rv;
     }
     rv = der::End(wrapped);
     if (rv != Success) {
       return rv;
     }
 
     // sequence of certificates
     while (!certsSequence.AtEnd()) {
-      InputBuffer cert;
+      Input cert;
       rv = der::ExpectTagAndGetTLV(certsSequence, der::SEQUENCE, cert);
       if (rv != Success) {
         return rv;
       }
       rv = certs.Append(cert);
       if (rv != Success) {
         return rv;
       }
@@ -454,34 +454,34 @@ BasicResponse(Input& input, Context& con
 
 // ResponseData ::= SEQUENCE {
 //    version             [0] EXPLICIT Version DEFAULT v1,
 //    responderID             ResponderID,
 //    producedAt              GeneralizedTime,
 //    responses               SEQUENCE OF SingleResponse,
 //    responseExtensions  [1] EXPLICIT Extensions OPTIONAL }
 static inline Result
-ResponseData(Input& input, Context& context,
+ResponseData(Reader& input, Context& context,
              const SignedDataWithSignature& signedResponseData,
              const DERArray& certs)
 {
   der::Version version;
   Result rv = der::OptionalVersion(input, version);
   if (rv != Success) {
     return rv;
   }
   if (version != der::Version::v1) {
     // TODO: more specific error code for bad version?
     return Result::ERROR_BAD_DER;
   }
 
   // ResponderID ::= CHOICE {
   //    byName              [1] Name,
   //    byKey               [2] KeyHash }
-  InputBuffer responderID;
+  Input responderID;
   ResponderIDType responderIDType
     = input.Peek(static_cast<uint8_t>(ResponderIDType::byName))
     ? ResponderIDType::byName
     : ResponderIDType::byKey;
   rv = der::ExpectTagAndGetValue(input, static_cast<uint8_t>(responderIDType),
                                  responderID);
   if (rv != Success) {
     return rv;
@@ -523,17 +523,17 @@ ResponseData(Input& input, Context& cont
 //    certStatus                   CertStatus,
 //    thisUpdate                   GeneralizedTime,
 //    nextUpdate           [0]     EXPLICIT GeneralizedTime OPTIONAL,
 //    singleExtensions     [1]     EXPLICIT Extensions{{re-ocsp-crl |
 //                                              re-ocsp-archive-cutoff |
 //                                              CrlEntryExtensions, ...}
 //                                              } OPTIONAL }
 static inline Result
-SingleResponse(Input& input, Context& context)
+SingleResponse(Reader& input, Context& context)
 {
   bool match = false;
   Result rv = der::Nested(input, der::SEQUENCE,
                           bind(CertID, _1, cref(context), ref(match)));
   if (rv != Success) {
     return rv;
   }
 
@@ -655,50 +655,50 @@ SingleResponse(Input& input, Context& co
 }
 
 // CertID          ::=     SEQUENCE {
 //        hashAlgorithm       AlgorithmIdentifier,
 //        issuerNameHash      OCTET STRING, -- Hash of issuer's DN
 //        issuerKeyHash       OCTET STRING, -- Hash of issuer's public key
 //        serialNumber        CertificateSerialNumber }
 static inline Result
-CertID(Input& input, const Context& context, /*out*/ bool& match)
+CertID(Reader& input, const Context& context, /*out*/ bool& match)
 {
   match = false;
 
   DigestAlgorithm hashAlgorithm;
   Result rv = der::DigestAlgorithmIdentifier(input, hashAlgorithm);
   if (rv != Success) {
     if (rv == Result::ERROR_INVALID_ALGORITHM) {
       // Skip entries that are hashed with algorithms we don't support.
       input.SkipToEnd();
       return Success;
     }
     return rv;
   }
 
-  InputBuffer issuerNameHash;
+  Input issuerNameHash;
   rv = der::ExpectTagAndGetValue(input, der::OCTET_STRING, issuerNameHash);
   if (rv != Success) {
     return rv;
   }
 
-  InputBuffer issuerKeyHash;
+  Input issuerKeyHash;
   rv = der::ExpectTagAndGetValue(input, der::OCTET_STRING, issuerKeyHash);
   if (rv != Success) {
     return rv;
   }
 
-  InputBuffer serialNumber;
+  Input serialNumber;
   rv = der::CertificateSerialNumber(input, serialNumber);
   if (rv != Success) {
     return rv;
   }
 
-  if (!InputBuffersAreEqual(serialNumber, context.certID.serialNumber)) {
+  if (!InputsAreEqual(serialNumber, context.certID.serialNumber)) {
     // This does not reference the certificate we're interested in.
     // Consume the rest of the input and return successfully to
     // potentially continue processing other responses.
     input.SkipToEnd();
     return Success;
   }
 
   // TODO: support SHA-2 hashes.
@@ -717,18 +717,18 @@ CertID(Input& input, const Context& cont
   // "The hash shall be calculated over the DER encoding of the
   // issuer's name field in the certificate being checked."
   uint8_t hashBuf[TrustDomain::DIGEST_LENGTH];
   rv = context.trustDomain.DigestBuf(context.certID.issuer, hashBuf,
                                      sizeof(hashBuf));
   if (rv != Success) {
     return rv;
   }
-  InputBuffer computed(hashBuf);
-  if (!InputBuffersAreEqual(computed, issuerNameHash)) {
+  Input computed(hashBuf);
+  if (!InputsAreEqual(computed, issuerNameHash)) {
     // Again, not interested in this response. Consume input, return success.
     input.SkipToEnd();
     return Success;
   }
 
   return MatchKeyHash(context.trustDomain, issuerKeyHash,
                       context.certID.issuerSubjectPublicKeyInfo, match);
 }
@@ -739,86 +739,86 @@ CertID(Input& input, const Context& cont
 //
 // From http://tools.ietf.org/html/rfc6960#appendix-B.1:
 // KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
 //                          -- (i.e., the SHA-1 hash of the value of the
 //                          -- BIT STRING subjectPublicKey [excluding
 //                          -- the tag, length, and number of unused
 //                          -- bits] in the responder's certificate)
 static Result
-MatchKeyHash(TrustDomain& trustDomain, InputBuffer keyHash,
-             const InputBuffer subjectPublicKeyInfo, /*out*/ bool& match)
+MatchKeyHash(TrustDomain& trustDomain, Input keyHash,
+             const Input subjectPublicKeyInfo, /*out*/ bool& match)
 {
   if (keyHash.GetLength() != TrustDomain::DIGEST_LENGTH)  {
     return Result::ERROR_OCSP_MALFORMED_RESPONSE;
   }
   static uint8_t hashBuf[TrustDomain::DIGEST_LENGTH];
   Result rv = KeyHash(trustDomain, subjectPublicKeyInfo, hashBuf,
                       sizeof hashBuf);
   if (rv != Success) {
     return rv;
   }
-  InputBuffer computed(hashBuf);
-  match = InputBuffersAreEqual(computed, keyHash);
+  Input computed(hashBuf);
+  match = InputsAreEqual(computed, keyHash);
   return Success;
 }
 
 // TODO(bug 966856): support SHA-2 hashes
 Result
-KeyHash(TrustDomain& trustDomain, const InputBuffer subjectPublicKeyInfo,
+KeyHash(TrustDomain& trustDomain, const Input subjectPublicKeyInfo,
         /*out*/ uint8_t* hashBuf, size_t hashBufSize)
 {
   if (!hashBuf || hashBufSize != TrustDomain::DIGEST_LENGTH) {
     return Result::FATAL_ERROR_LIBRARY_FAILURE;
   }
 
   // RFC 5280 Section 4.1
   //
   // SubjectPublicKeyInfo  ::=  SEQUENCE  {
   //    algorithm            AlgorithmIdentifier,
   //    subjectPublicKey     BIT STRING  }
 
-  Input spki;
+  Reader spki;
   Result rv;
 
   {
     // The scope of input is limited to reduce the possibility of confusing it
     // with spki in places we need to be using spki below.
-    Input input(subjectPublicKeyInfo);
+    Reader input(subjectPublicKeyInfo);
     rv = der::ExpectTagAndGetValue(input, der::SEQUENCE, spki);
     if (rv != Success) {
       return rv;
     }
     rv = der::End(input);
     if (rv != Success) {
       return rv;
     }
   }
 
   // Skip AlgorithmIdentifier
   rv = der::ExpectTagAndSkipValue(spki, der::SEQUENCE);
   if (rv != Success) {
     return rv;
   }
 
-  InputBuffer subjectPublicKey;
+  Input subjectPublicKey;
   rv = der::BitStringWithNoUnusedBits(spki, subjectPublicKey);
   if (rv != Success) {
     return rv;
   }
   rv = der::End(spki);
   if (rv != Success) {
     return rv;
   }
 
   return trustDomain.DigestBuf(subjectPublicKey, hashBuf, hashBufSize);
 }
 
 Result
-ExtensionNotUnderstood(Input& /*extnID*/, InputBuffer /*extnValue*/,
+ExtensionNotUnderstood(Reader& /*extnID*/, Input /*extnValue*/,
                        /*out*/ bool& understood)
 {
   understood = false;
   return Success;
 }
 
 //   1. The certificate identified in a received response corresponds to
 //      the certificate that was identified in the corresponding request;
@@ -927,17 +927,17 @@ CreateEncodedOCSPRequest(TrustDomain& tr
   if (rv != Success) {
     return rv;
   }
   d += hashLen;
 
   // reqCert.serialNumber (INTEGER)
   *d++ = 0x02; // INTEGER
   *d++ = static_cast<uint8_t>(certID.serialNumber.GetLength());
-  Input serialNumber(certID.serialNumber);
+  Reader serialNumber(certID.serialNumber);
   do {
     rv = serialNumber.Read(*d);
     if (rv != Success) {
       return rv;
     }
     ++d;
   } while (!serialNumber.AtEnd());
 
--- a/security/pkix/lib/pkixutil.h
+++ b/security/pkix/lib/pkixutil.h
@@ -37,110 +37,110 @@ namespace mozilla { namespace pkix {
 //
 // Each BackCert contains pointers to all the given certificate's extensions
 // so that we can parse the extension block once and then process the
 // extensions in an order that may be different than they appear in the cert.
 class BackCert
 {
 public:
   // certDER and childCert must be valid for the lifetime of BackCert.
-  BackCert(InputBuffer certDER, EndEntityOrCA endEntityOrCA,
+  BackCert(Input certDER, EndEntityOrCA endEntityOrCA,
            const BackCert* childCert)
     : der(certDER)
     , endEntityOrCA(endEntityOrCA)
     , childCert(childCert)
   {
   }
 
   Result Init();
 
-  const InputBuffer GetDER() const { return der; }
+  const Input GetDER() const { return der; }
   const der::Version GetVersion() const { return version; }
   const SignedDataWithSignature& GetSignedData() const { return signedData; }
-  const InputBuffer GetIssuer() const { return issuer; }
+  const Input GetIssuer() const { return issuer; }
   // XXX: "validity" is a horrible name for the structure that holds
   // notBefore & notAfter, but that is the name used in RFC 5280 and we use the
   // RFC 5280 names for everything.
-  const InputBuffer GetValidity() const { return validity; }
-  const InputBuffer GetSerialNumber() const { return serialNumber; }
-  const InputBuffer GetSubject() const { return subject; }
-  const InputBuffer GetSubjectPublicKeyInfo() const
+  const Input GetValidity() const { return validity; }
+  const Input GetSerialNumber() const { return serialNumber; }
+  const Input GetSubject() const { return subject; }
+  const Input GetSubjectPublicKeyInfo() const
   {
     return subjectPublicKeyInfo;
   }
-  const InputBuffer* GetAuthorityInfoAccess() const
+  const Input* GetAuthorityInfoAccess() const
   {
-    return MaybeInputBuffer(authorityInfoAccess);
+    return MaybeInput(authorityInfoAccess);
   }
-  const InputBuffer* GetBasicConstraints() const
+  const Input* GetBasicConstraints() const
   {
-    return MaybeInputBuffer(basicConstraints);
+    return MaybeInput(basicConstraints);
   }
-  const InputBuffer* GetCertificatePolicies() const
+  const Input* GetCertificatePolicies() const
   {
-    return MaybeInputBuffer(certificatePolicies);
+    return MaybeInput(certificatePolicies);
   }
-  const InputBuffer* GetExtKeyUsage() const
+  const Input* GetExtKeyUsage() const
   {
-    return MaybeInputBuffer(extKeyUsage);
+    return MaybeInput(extKeyUsage);
   }
-  const InputBuffer* GetKeyUsage() const
+  const Input* GetKeyUsage() const
   {
-    return MaybeInputBuffer(keyUsage);
+    return MaybeInput(keyUsage);
   }
-  const InputBuffer* GetInhibitAnyPolicy() const
+  const Input* GetInhibitAnyPolicy() const
   {
-    return MaybeInputBuffer(inhibitAnyPolicy);
+    return MaybeInput(inhibitAnyPolicy);
   }
-  const InputBuffer* GetNameConstraints() const
+  const Input* GetNameConstraints() const
   {
-    return MaybeInputBuffer(nameConstraints);
+    return MaybeInput(nameConstraints);
   }
 
 private:
-  const InputBuffer der;
+  const Input der;
 
 public:
   const EndEntityOrCA endEntityOrCA;
   BackCert const* const childCert;
 
 private:
   der::Version version;
 
   // When parsing certificates in BackCert::Init, we don't accept empty
   // extensions. Consequently, we don't have to store a distinction between
   // empty extensions and extensions that weren't included. However, when
   // *processing* extensions, we distinguish between whether an extension was
   // included or not based on whetehr the GetXXX function for the extension
   // returns nullptr.
-  static inline const InputBuffer* MaybeInputBuffer(const InputBuffer& item)
+  static inline const Input* MaybeInput(const Input& item)
   {
     return item.GetLength() > 0 ? &item : nullptr;
   }
 
   SignedDataWithSignature signedData;
-  InputBuffer issuer;
+  Input issuer;
   // XXX: "validity" is a horrible name for the structure that holds
   // notBefore & notAfter, but that is the name used in RFC 5280 and we use the
   // RFC 5280 names for everything.
-  InputBuffer validity;
-  InputBuffer serialNumber;
-  InputBuffer subject;
-  InputBuffer subjectPublicKeyInfo;
+  Input validity;
+  Input serialNumber;
+  Input subject;
+  Input subjectPublicKeyInfo;
 
-  InputBuffer authorityInfoAccess;
-  InputBuffer basicConstraints;
-  InputBuffer certificatePolicies;
-  InputBuffer extKeyUsage;
-  InputBuffer inhibitAnyPolicy;
-  InputBuffer keyUsage;
-  InputBuffer nameConstraints;
-  InputBuffer subjectAltName;
+  Input authorityInfoAccess;
+  Input basicConstraints;
+  Input certificatePolicies;
+  Input extKeyUsage;
+  Input inhibitAnyPolicy;
+  Input keyUsage;
+  Input nameConstraints;
+  Input subjectAltName;
 
-  Result RememberExtension(Input& extnID, const InputBuffer& extnValue,
+  Result RememberExtension(Reader& extnID, const Input& extnValue,
                            /*out*/ bool& understood);
 
   BackCert(const BackCert&) /* = delete */;
   void operator=(const BackCert&); /* = delete */;
 };
 
 class NonOwningDERArray : public DERArray
 {
@@ -149,38 +149,38 @@ public:
     : numItems(0)
   {
     // we don't need to initialize the items array because we always check
     // numItems before accessing i.
   }
 
   virtual size_t GetLength() const { return numItems; }
 
-  virtual const InputBuffer* GetDER(size_t i) const
+  virtual const Input* GetDER(size_t i) const
   {
     return i < numItems ? &items[i] : nullptr;
   }
 
-  Result Append(InputBuffer der)
+  Result Append(Input der)
   {
     if (numItems >= MAX_LENGTH) {
       return Result::FATAL_ERROR_INVALID_ARGS;
     }
     Result rv = items[numItems].Init(der); // structure assignment
     if (rv != Success) {
       return rv;
     }
     ++numItems;
     return Success;
   }
 
   // Public so we can static_assert on this. Keep in sync with MAX_SUBCA_COUNT.
   static const size_t MAX_LENGTH = 8;
 private:
-  InputBuffer items[MAX_LENGTH]; // avoids any heap allocations
+  Input items[MAX_LENGTH]; // avoids any heap allocations
   size_t numItems;
 
   NonOwningDERArray(const NonOwningDERArray&) /* = delete*/;
   void operator=(const NonOwningDERArray&) /* = delete*/;
 };
 
 } } // namespace mozilla::pkix
 
--- a/security/pkix/test/gtest/pkixbuild_tests.cpp
+++ b/security/pkix/test/gtest/pkixbuild_tests.cpp
@@ -29,17 +29,17 @@
 #include "pkixtestutil.h"
 #include "prinit.h"
 #include "secerr.h"
 
 using namespace mozilla::pkix;
 using namespace mozilla::pkix::test;
 
 // The result is owned by the arena
-static InputBuffer
+static Input
 CreateCert(PLArenaPool* arena, const char* issuerStr,
            const char* subjectStr, EndEntityOrCA endEntityOrCA,
            /*optional*/ SECKEYPrivateKey* issuerKey,
            /*out*/ ScopedSECKEYPrivateKey& subjectKey,
            /*out*/ ScopedCERTCertificate* subjectCert = nullptr)
 {
   static long serialNumberValue = 0;
   ++serialNumberValue;
@@ -66,17 +66,17 @@ CreateCert(PLArenaPool* arena, const cha
                      subjectDER, extensions, issuerKey, SEC_OID_SHA256,
                      subjectKey));
   EXPECT_TRUE(certDER);
   if (subjectCert) {
     *subjectCert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), certDER,
                                            nullptr, false, true);
     EXPECT_TRUE(*subjectCert);
   }
-  InputBuffer result;
+  Input result;
   EXPECT_EQ(Success, result.Init(certDER->data, certDER->len));
   return result;
 }
 
 class TestTrustDomain : public TrustDomain
 {
 public:
   // The "cert chain tail" is a longish chain of certificates that is used by
@@ -105,45 +105,45 @@ public:
                  &certChainTail[i]);
     }
 
     return true;
   }
 
 private:
   virtual Result GetCertTrust(EndEntityOrCA, const CertPolicyId&,
-                              InputBuffer candidateCert,
+                              Input candidateCert,
                               /*out*/ TrustLevel& trustLevel)
   {
-    InputBuffer rootDER;
+    Input rootDER;
     Result rv = rootDER.Init(certChainTail[0]->derCert.data,
                              certChainTail[0]->derCert.len);
     EXPECT_EQ(Success, rv);
-    if (InputBuffersAreEqual(candidateCert, rootDER)) {
+    if (InputsAreEqual(candidateCert, rootDER)) {
       trustLevel = TrustLevel::TrustAnchor;
     } else {
       trustLevel = TrustLevel::InheritsTrust;
     }
     return Success;
   }
 
-  virtual Result FindIssuer(InputBuffer encodedIssuerName,
+  virtual Result FindIssuer(Input encodedIssuerName,
                             IssuerChecker& checker, PRTime time)
   {
     SECItem encodedIssuerNameSECItem =
-      UnsafeMapInputBufferToSECItem(encodedIssuerName);
+      UnsafeMapInputToSECItem(encodedIssuerName);
     ScopedCERTCertList
       candidates(CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(),
                                             &encodedIssuerNameSECItem, time,
                                             true));
     if (candidates) {
       for (CERTCertListNode* n = CERT_LIST_HEAD(candidates);
            !CERT_LIST_END(n, candidates); n = CERT_LIST_NEXT(n)) {
         bool keepGoing;
-        InputBuffer derCert;
+        Input derCert;
         Result rv = derCert.Init(n->cert->derCert.data, n->cert->derCert.len);
         EXPECT_EQ(Success, rv);
         if (rv != Success) {
           return rv;
         }
         rv = checker.Check(derCert, nullptr/*additionalNameConstraints*/,
                            keepGoing);
         if (rv != Success) {
@@ -154,42 +154,42 @@ private:
         }
       }
     }
 
     return Success;
   }
 
   virtual Result CheckRevocation(EndEntityOrCA, const CertID&, PRTime,
-                                 /*optional*/ const InputBuffer*,
-                                 /*optional*/ const InputBuffer*)
+                                 /*optional*/ const Input*,
+                                 /*optional*/ const Input*)
   {
     return Success;
   }
 
   virtual Result IsChainValid(const DERArray&)
   {
     return Success;
   }
 
   virtual Result VerifySignedData(const SignedDataWithSignature& signedData,
-                                  InputBuffer subjectPublicKeyInfo)
+                                  Input subjectPublicKeyInfo)
   {
     return ::mozilla::pkix::VerifySignedData(signedData, subjectPublicKeyInfo,
                                              nullptr);
   }
 
-  virtual Result DigestBuf(InputBuffer item, /*out*/ uint8_t* digestBuf,
+  virtual Result DigestBuf(Input item, /*out*/ uint8_t *digestBuf,
                            size_t digestBufLen)
   {
     ADD_FAILURE();
     return Result::FATAL_ERROR_LIBRARY_FAILURE;
   }
 
-  virtual Result CheckPublicKey(InputBuffer subjectPublicKeyInfo)
+  virtual Result CheckPublicKey(Input subjectPublicKeyInfo)
   {
     return ::mozilla::pkix::CheckPublicKey(subjectPublicKeyInfo);
   }
 
   // We hold references to CERTCertificates in the cert chain tail so that we
   // CERT_CreateSubjectCertList can find them.
   ScopedCERTCertificate certChainTail[7];
 
@@ -218,36 +218,36 @@ protected:
   static TestTrustDomain trustDomain;
 };
 
 /*static*/ TestTrustDomain pkixbuild::trustDomain;
 
 TEST_F(pkixbuild, MaxAcceptableCertChainLength)
 {
   {
-    InputBuffer certDER;
+    Input certDER;
     ASSERT_EQ(Success, certDER.Init(trustDomain.GetLeafCACert()->derCert.data,
                                     trustDomain.GetLeafCACert()->derCert.len));
     ASSERT_EQ(Success,
               BuildCertChain(trustDomain, certDER, now,
                              EndEntityOrCA::MustBeCA,
                              KeyUsage::noParticularKeyUsageRequired,
                              KeyPurposeId::id_kp_serverAuth,
                              CertPolicyId::anyPolicy,
                              nullptr/*stapledOCSPResponse*/));
   }
 
   {
     ScopedSECKEYPrivateKey privateKey;
     ScopedCERTCertificate cert;
-    InputBuffer certDER(CreateCert(arena.get(),
-                                   trustDomain.GetLeafCACert()->subjectName,
-                                   "CN=Direct End-Entity",
-                                   EndEntityOrCA::MustBeEndEntity,
-                                   trustDomain.leafCAKey.get(), privateKey));
+    Input certDER(CreateCert(arena.get(),
+                             trustDomain.GetLeafCACert()->subjectName,
+                             "CN=Direct End-Entity",
+                             EndEntityOrCA::MustBeEndEntity,
+                             trustDomain.leafCAKey.get(), privateKey));
     ASSERT_EQ(Success,
               BuildCertChain(trustDomain, certDER, now,
                              EndEntityOrCA::MustBeEndEntity,
                              KeyUsage::noParticularKeyUsageRequired,
                              KeyPurposeId::id_kp_serverAuth,
                              CertPolicyId::anyPolicy,
                              nullptr/*stapledOCSPResponse*/));
   }
@@ -258,36 +258,36 @@ TEST_F(pkixbuild, BeyondMaxAcceptableCer
   static char const* const caCertName = "CN=CA Too Far";
   ScopedSECKEYPrivateKey caPrivateKey;
 
   // We need a CERTCertificate for caCert so that the trustdomain's FindIssuer
   // method can find it through the NSS cert DB.
   ScopedCERTCertificate caCert;
 
   {
-    InputBuffer cert(CreateCert(arena.get(),
-                                trustDomain.GetLeafCACert()->subjectName,
-                                caCertName, EndEntityOrCA::MustBeCA,
-                                trustDomain.leafCAKey.get(), caPrivateKey,
-                                &caCert));
+    Input cert(CreateCert(arena.get(),
+                          trustDomain.GetLeafCACert()->subjectName,
+                          caCertName, EndEntityOrCA::MustBeCA,
+                          trustDomain.leafCAKey.get(), caPrivateKey,
+                          &caCert));
     ASSERT_EQ(Result::ERROR_UNKNOWN_ISSUER,
               BuildCertChain(trustDomain, cert, now,
                              EndEntityOrCA::MustBeCA,
                              KeyUsage::noParticularKeyUsageRequired,
                              KeyPurposeId::id_kp_serverAuth,
                              CertPolicyId::anyPolicy,
                              nullptr/*stapledOCSPResponse*/));
   }
 
   {
     ScopedSECKEYPrivateKey privateKey;
-    InputBuffer cert(CreateCert(arena.get(), caCertName,
-                                "CN=End-Entity Too Far",
-                                EndEntityOrCA::MustBeEndEntity,
-                                caPrivateKey.get(), privateKey));
+    Input cert(CreateCert(arena.get(), caCertName,
+                          "CN=End-Entity Too Far",
+                          EndEntityOrCA::MustBeEndEntity,
+                          caPrivateKey.get(), privateKey));
     ASSERT_EQ(Result::ERROR_UNKNOWN_ISSUER,
               BuildCertChain(trustDomain, cert, now,
                              EndEntityOrCA::MustBeEndEntity,
                              KeyUsage::noParticularKeyUsageRequired,
                              KeyPurposeId::id_kp_serverAuth,
                              CertPolicyId::anyPolicy,
                              nullptr/*stapledOCSPResponse*/));
   }
--- a/security/pkix/test/gtest/pkixcert_extension_tests.cpp
+++ b/security/pkix/test/gtest/pkixcert_extension_tests.cpp
@@ -27,17 +27,17 @@
 #include "pkix/pkixnss.h"
 #include "pkixtestutil.h"
 #include "secerr.h"
 
 using namespace mozilla::pkix;
 using namespace mozilla::pkix::test;
 
 // Creates a self-signed certificate with the given extension.
-static InputBuffer
+static Input
 CreateCert(PLArenaPool* arena, const char* subjectStr,
            SECItem const* const* extensions, // null-terminated array
            /*out*/ ScopedSECKEYPrivateKey& subjectKey)
 {
   static long serialNumberValue = 0;
   ++serialNumberValue;
   const SECItem* serialNumber(CreateEncodedSerialNumber(arena,
                                                         serialNumberValue));
@@ -50,75 +50,75 @@ CreateCert(PLArenaPool* arena, const cha
                                   arena, v3,
                                   SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION,
                                   serialNumber, issuerDER,
                                   PR_Now() - ONE_DAY,
                                   PR_Now() + ONE_DAY,
                                   subjectDER, extensions,
                                   nullptr, SEC_OID_SHA256, subjectKey);
   EXPECT_TRUE(cert);
-  InputBuffer result;
+  Input result;
   EXPECT_EQ(Success, result.Init(cert->data, cert->len));
   return result;
 }
 
 // Creates a self-signed certificate with the given extension.
-static InputBuffer
+static Input
 CreateCert(PLArenaPool* arena, const char* subjectStr,
            const SECItem* extension,
            /*out*/ ScopedSECKEYPrivateKey& subjectKey)
 {
   const SECItem * extensions[] = { extension, nullptr };
   return CreateCert(arena, subjectStr, extensions, subjectKey);
 }
 
 class TrustEverythingTrustDomain : public TrustDomain
 {
 private:
   virtual Result GetCertTrust(EndEntityOrCA, const CertPolicyId&,
-                              InputBuffer candidateCert,
+                              Input candidateCert,
                               /*out*/ TrustLevel& trustLevel)
   {
     trustLevel = TrustLevel::TrustAnchor;
     return Success;
   }
 
-  virtual Result FindIssuer(InputBuffer /*encodedIssuerName*/,
+  virtual Result FindIssuer(Input /*encodedIssuerName*/,
                             IssuerChecker& /*checker*/, PRTime /*time*/)
   {
     ADD_FAILURE();
     return Result::FATAL_ERROR_LIBRARY_FAILURE;
   }
 
   virtual Result CheckRevocation(EndEntityOrCA, const CertID&, PRTime,
-                                 /*optional*/ const InputBuffer*,
-                                 /*optional*/ const InputBuffer*)
+                                 /*optional*/ const Input*,
+                                 /*optional*/ const Input*)
   {
     return Success;
   }
 
   virtual Result IsChainValid(const DERArray&)
   {
     return Success;
   }
 
   virtual Result VerifySignedData(const SignedDataWithSignature& signedData,
-                                  InputBuffer subjectPublicKeyInfo)
+                                  Input subjectPublicKeyInfo)
   {
     return ::mozilla::pkix::VerifySignedData(signedData, subjectPublicKeyInfo,
                                              nullptr);
   }
 
-  virtual Result DigestBuf(InputBuffer, /*out*/ uint8_t*, size_t)
+  virtual Result DigestBuf(Input, /*out*/ uint8_t*, size_t)
   {
     ADD_FAILURE();
     return Result::FATAL_ERROR_LIBRARY_FAILURE;
   }
 
-  virtual Result CheckPublicKey(InputBuffer subjectPublicKeyInfo)
+  virtual Result CheckPublicKey(Input subjectPublicKeyInfo)
   {
     return ::mozilla::pkix::CheckPublicKey(subjectPublicKeyInfo);
   }
 };
 
 class pkixcert_extension: public NSSTest
 {
 public:
@@ -150,17 +150,17 @@ TEST_F(pkixcert_extension, UnknownCritic
   static const SECItem unknownCriticalExtension = {
     siBuffer,
     const_cast<unsigned char*>(unknownCriticalExtensionBytes),
     sizeof(unknownCriticalExtensionBytes)
   };
   const char* certCN = "CN=Cert With Unknown Critical Extension";
   ScopedSECKEYPrivateKey key;
   // cert is owned by the arena
-  InputBuffer cert(CreateCert(arena.get(), certCN,
+  Input cert(CreateCert(arena.get(), certCN,
                               &unknownCriticalExtension, key));
   ASSERT_EQ(Result::ERROR_UNKNOWN_CRITICAL_EXTENSION,
             BuildCertChain(trustDomain, cert, now,
                            EndEntityOrCA::MustBeEndEntity,
                            KeyUsage::noParticularKeyUsageRequired,
                            KeyPurposeId::anyExtendedKeyUsage,
                            CertPolicyId::anyPolicy,
                            nullptr/*stapledOCSPResponse*/));
@@ -181,17 +181,17 @@ TEST_F(pkixcert_extension, UnknownNonCri
   static const SECItem unknownNonCriticalExtension = {
     siBuffer,
     const_cast<unsigned char*>(unknownNonCriticalExtensionBytes),
     sizeof(unknownNonCriticalExtensionBytes)
   };
   const char* certCN = "CN=Cert With Unknown NonCritical Extension";
   ScopedSECKEYPrivateKey key;
   // cert is owned by the arena
-  InputBuffer cert(CreateCert(arena.get(), certCN,
+  Input cert(CreateCert(arena.get(), certCN,
                               &unknownNonCriticalExtension, key));
   ASSERT_EQ(Success,
             BuildCertChain(trustDomain, cert, now,
                            EndEntityOrCA::MustBeEndEntity,
                            KeyUsage::noParticularKeyUsageRequired,
                            KeyPurposeId::anyExtendedKeyUsage,
                            CertPolicyId::anyPolicy,
                            nullptr/*stapledOCSPResponse*/));
@@ -213,17 +213,17 @@ TEST_F(pkixcert_extension, WrongOIDCriti
   static const SECItem wrongOIDCriticalExtension = {
     siBuffer,
     const_cast<unsigned char*>(wrongOIDCriticalExtensionBytes),
     sizeof(wrongOIDCriticalExtensionBytes)
   };
   const char* certCN = "CN=Cert With Critical Wrong OID Extension";
   ScopedSECKEYPrivateKey key;
   // cert is owned by the arena
-  InputBuffer cert(CreateCert(arena.get(), certCN,
+  Input cert(CreateCert(arena.get(), certCN,
                               &wrongOIDCriticalExtension, key));
   ASSERT_EQ(Result::ERROR_UNKNOWN_CRITICAL_EXTENSION,
             BuildCertChain(trustDomain, cert, now,
                            EndEntityOrCA::MustBeEndEntity,
                            KeyUsage::noParticularKeyUsageRequired,
                            KeyPurposeId::anyExtendedKeyUsage,
                            CertPolicyId::anyPolicy,
                            nullptr/*stapledOCSPResponse*/));
@@ -247,17 +247,17 @@ TEST_F(pkixcert_extension, CriticalAIAEx
   static const SECItem criticalAIAExtension = {
     siBuffer,
     const_cast<unsigned char*>(criticalAIAExtensionBytes),
     sizeof(criticalAIAExtensionBytes)
   };
   const char* certCN = "CN=Cert With Critical AIA Extension";
   ScopedSECKEYPrivateKey key;
   // cert is owned by the arena
-  InputBuffer cert(CreateCert(arena.get(), certCN, &criticalAIAExtension, key));
+  Input cert(CreateCert(arena.get(), certCN, &criticalAIAExtension, key));
   ASSERT_EQ(Success,
             BuildCertChain(trustDomain, cert, now,
                            EndEntityOrCA::MustBeEndEntity,
                            KeyUsage::noParticularKeyUsageRequired,
                            KeyPurposeId::anyExtendedKeyUsage,
                            CertPolicyId::anyPolicy,
                            nullptr/*stapledOCSPResponse*/));
 }
@@ -277,17 +277,17 @@ TEST_F(pkixcert_extension, UnknownCritic
   static const SECItem unknownCriticalCEExtension = {
     siBuffer,
     const_cast<unsigned char*>(unknownCriticalCEExtensionBytes),
     sizeof(unknownCriticalCEExtensionBytes)
   };
   const char* certCN = "CN=Cert With Unknown Critical id-ce Extension";
   ScopedSECKEYPrivateKey key;
   // cert is owned by the arena
-  InputBuffer cert(CreateCert(arena.get(), certCN,
+  Input cert(CreateCert(arena.get(), certCN,
                               &unknownCriticalCEExtension, key));
   ASSERT_EQ(Result::ERROR_UNKNOWN_CRITICAL_EXTENSION,
             BuildCertChain(trustDomain, cert, now,
                            EndEntityOrCA::MustBeEndEntity,
                            KeyUsage::noParticularKeyUsageRequired,
                            KeyPurposeId::anyExtendedKeyUsage,
                            CertPolicyId::anyPolicy,
                            nullptr/*stapledOCSPResponse*/));
@@ -308,17 +308,17 @@ TEST_F(pkixcert_extension, KnownCritical
   static const SECItem criticalCEExtension = {
     siBuffer,
     const_cast<unsigned char*>(criticalCEExtensionBytes),
     sizeof(criticalCEExtensionBytes)
   };
   const char* certCN = "CN=Cert With Known Critical id-ce Extension";
   ScopedSECKEYPrivateKey key;
   // cert is owned by the arena
-  InputBuffer cert(CreateCert(arena.get(), certCN, &criticalCEExtension, key));
+  Input cert(CreateCert(arena.get(), certCN, &criticalCEExtension, key));
   ASSERT_EQ(Success,
             BuildCertChain(trustDomain, cert, now,
                            EndEntityOrCA::MustBeEndEntity,
                            KeyUsage::noParticularKeyUsageRequired,
                            KeyPurposeId::anyExtendedKeyUsage,
                            CertPolicyId::anyPolicy,
                            nullptr/*stapledOCSPResponse*/));
 }
@@ -339,17 +339,17 @@ TEST_F(pkixcert_extension, DuplicateSubj
     siBuffer,
     const_cast<unsigned char*>(DER_BYTES),
     sizeof(DER_BYTES)
   };
   static SECItem const* const extensions[] = { &DER, &DER, nullptr };
   static const char* certCN = "CN=Cert With Duplicate subjectAltName";
   ScopedSECKEYPrivateKey key;
   // cert is owned by the arena
-  InputBuffer cert(CreateCert(arena.get(), certCN, extensions, key));
+  Input cert(CreateCert(arena.get(), certCN, extensions, key));
   ASSERT_EQ(Result::ERROR_EXTENSION_VALUE_INVALID,
             BuildCertChain(trustDomain, cert, now,
                            EndEntityOrCA::MustBeEndEntity,
                            KeyUsage::noParticularKeyUsageRequired,
                            KeyPurposeId::anyExtendedKeyUsage,
                            CertPolicyId::anyPolicy,
                            nullptr/*stapledOCSPResponse*/));
 }
--- a/security/pkix/test/gtest/pkixcheck_CheckKeyUsage_tests.cpp
+++ b/security/pkix/test/gtest/pkixcheck_CheckKeyUsage_tests.cpp
@@ -27,40 +27,40 @@
 #include "pkixtestutil.h"
 
 using namespace mozilla::pkix;
 using namespace mozilla::pkix::test;
 
 namespace mozilla { namespace pkix {
 
 extern Result CheckKeyUsage(EndEntityOrCA endEntityOrCA,
-                            const InputBuffer* encodedKeyUsage,
+                            const Input* encodedKeyUsage,
                             KeyUsage requiredKeyUsageIfPresent);
 
 } } // namespace mozilla::pkix
 
 class pkixcheck_CheckKeyUsage : public ::testing::Test { };
 
 #define ASSERT_BAD(x) ASSERT_EQ(Result::ERROR_INADEQUATE_KEY_USAGE, x)
 
 // Make it easy to define test data for the common, simplest cases.
 #define NAMED_SIMPLE_KU(name, unusedBits, bits) \
   const uint8_t name##_bytes[4] = { \
     0x03/*BIT STRING*/, 0x02/*LENGTH=2*/, unusedBits, bits \
   }; \
-  const InputBuffer name(name##_bytes);
+  const Input name(name##_bytes);
 
-static const InputBuffer empty_null;
+static const Input empty_null;
 
 // Note that keyCertSign is really the only interesting case for CA
 // certificates since we don't support cRLSign.
 
 TEST_F(pkixcheck_CheckKeyUsage, EE_none)
 {
-  // The input InputBuffer is nullptr. This means the cert had no keyUsage
+  // The input Input is nullptr. This means the cert had no keyUsage
   // extension. This is always valid because no key usage in an end-entity
   // means that there are no key usage restrictions.
 
   ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, nullptr,
                                    KeyUsage::noParticularKeyUsageRequired));
   ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, nullptr,
                                    KeyUsage::digitalSignature));
   ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, nullptr,
@@ -70,22 +70,22 @@ TEST_F(pkixcheck_CheckKeyUsage, EE_none)
   ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, nullptr,
                                    KeyUsage::dataEncipherment));
   ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, nullptr,
                                    KeyUsage::keyAgreement));
 }
 
 TEST_F(pkixcheck_CheckKeyUsage, EE_empty)
 {
-  // The input InputBuffer is empty. The cert had an empty keyUsage extension,
+  // The input Input is empty. The cert had an empty keyUsage extension,
   // which is syntactically invalid.
   ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &empty_null,
                            KeyUsage::digitalSignature));
   static const uint8_t dummy = 0x00;
-  InputBuffer empty_nonnull;
+  Input empty_nonnull;
   ASSERT_EQ(Success, empty_nonnull.Init(&dummy, 0));
   ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &empty_nonnull,
                            KeyUsage::digitalSignature));
 }
 
 TEST_F(pkixcheck_CheckKeyUsage, CA_none)
 {
   // A CA certificate does not have a KU extension.
@@ -94,17 +94,17 @@ TEST_F(pkixcheck_CheckKeyUsage, CA_none)
 }
 
 TEST_F(pkixcheck_CheckKeyUsage, CA_empty)
 {
   // A CA certificate has an empty KU extension.
   ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &empty_null,
                            KeyUsage::keyCertSign));
   static const uint8_t dummy = 0x00;
-  InputBuffer empty_nonnull;
+  Input empty_nonnull;
   ASSERT_EQ(Success, empty_nonnull.Init(&dummy, 0));
   ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &empty_nonnull,
                            KeyUsage::keyCertSign));
 }
 
 TEST_F(pkixcheck_CheckKeyUsage, maxUnusedBits)
 {
   NAMED_SIMPLE_KU(encoded, 7, 0x80);
@@ -112,46 +112,46 @@ TEST_F(pkixcheck_CheckKeyUsage, maxUnuse
                                    KeyUsage::digitalSignature));
 }
 
 TEST_F(pkixcheck_CheckKeyUsage, tooManyUnusedBits)
 {
   static uint8_t oneValueByteData[] = {
     0x03/*BIT STRING*/, 0x02/*LENGTH=2*/, 8/*unused bits*/, 0x80
   };
-  static const InputBuffer oneValueByte(oneValueByteData);
+  static const Input oneValueByte(oneValueByteData);
   ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &oneValueByte,
                            KeyUsage::digitalSignature));
 
   static uint8_t twoValueBytesData[] = {
     0x03/*BIT STRING*/, 0x03/*LENGTH=3*/, 8/*unused bits*/, 0x01, 0x00
   };
-  static const InputBuffer twoValueBytes(twoValueBytesData);
+  static const Input twoValueBytes(twoValueBytesData);
   ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &twoValueBytes,
                            KeyUsage::digitalSignature));
 }
 
 TEST_F(pkixcheck_CheckKeyUsage, NoValueBytes_NoPaddingBits)
 {
   static const uint8_t DER_BYTES[] = {
     0x03/*BIT STRING*/, 0x01/*LENGTH=1*/, 0/*unused bits*/
   };
-  static const InputBuffer DER(DER_BYTES);
+  static const Input DER(DER_BYTES);
   ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &DER,
                            KeyUsage::digitalSignature));
   ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &DER,
                            KeyUsage::keyCertSign));
 }
 
 TEST_F(pkixcheck_CheckKeyUsage, NoValueBytes_7PaddingBits)
 {
   static const uint8_t DER_BYTES[] = {
     0x03/*BIT STRING*/, 0x01/*LENGTH=1*/, 7/*unused bits*/
   };
-  static const InputBuffer DER(DER_BYTES);
+  static const Input DER(DER_BYTES);
   ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &DER,
                            KeyUsage::digitalSignature));
   ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &DER,
                            KeyUsage::keyCertSign));
 }
 
 void ASSERT_SimpleCase(uint8_t unusedBits, uint8_t bits, KeyUsage usage)
 {
@@ -175,17 +175,17 @@ void ASSERT_SimpleCase(uint8_t unusedBit
 
   // Test that none of the other non-padding bits are mistaken for the given
   // key usage in the two-byte value case.
   const uint8_t twoByteNotGoodData[] = {
     0x03/*BIT STRING*/, 0x03/*LENGTH=3*/, unusedBits,
     static_cast<uint8_t>(~bits),
     static_cast<uint8_t>((0xFFu >> unusedBits) << unusedBits)
   };
-  InputBuffer twoByteNotGood(twoByteNotGoodData);
+  Input twoByteNotGood(twoByteNotGoodData);
   ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &twoByteNotGood,
                            usage));
   ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &twoByteNotGood, usage));
 }
 
 TEST_F(pkixcheck_CheckKeyUsage, simpleCases)
 {
   ASSERT_SimpleCase(7, 0x80, KeyUsage::digitalSignature);
@@ -212,63 +212,63 @@ TEST_F(pkixcheck_CheckKeyUsage, keyCertS
   ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &notGood,
                            KeyUsage::keyCertSign));
 
   // Test that none of the other non-padding bits are mistaken for the given
   // key usage in the two-byte value case.
   static uint8_t twoByteNotGoodData[] = {
     0x03/*BIT STRING*/, 0x03/*LENGTH=3*/, 2/*unused bits*/, 0xFBu, 0xFCu
   };
-  static const InputBuffer twoByteNotGood(twoByteNotGoodData);
+  static const Input twoByteNotGood(twoByteNotGoodData);
   ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &twoByteNotGood,
                            KeyUsage::keyCertSign));
   ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &twoByteNotGood,
                            KeyUsage::keyCertSign));
 }
 
 TEST_F(pkixcheck_CheckKeyUsage, unusedBitNotZero)
 {
   // single byte control case
   static uint8_t controlOneValueByteData[] = {
     0x03/*BIT STRING*/, 0x02/*LENGTH=2*/, 7/*unused bits*/, 0x80
   };
-  static const InputBuffer controlOneValueByte(controlOneValueByteData);
+  static const Input controlOneValueByte(controlOneValueByteData);
   ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity,
                                    &controlOneValueByte,
                                    KeyUsage::digitalSignature));
   ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeCA,
                                    &controlOneValueByte,
                                    KeyUsage::digitalSignature));
 
   // single-byte test case
   static uint8_t oneValueByteData[] = {
     0x03/*BIT STRING*/, 0x02/*LENGTH=2*/, 7/*unused bits*/, 0x80 | 0x01
   };
-  static const InputBuffer oneValueByte(oneValueByteData);
+  static const Input oneValueByte(oneValueByteData);
   ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &oneValueByte,
                            KeyUsage::digitalSignature));
   ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &oneValueByte,
                            KeyUsage::digitalSignature));
 
   // two-byte control case
   static uint8_t controlTwoValueBytesData[] = {
     0x03/*BIT STRING*/, 0x03/*LENGTH=3*/, 7/*unused bits*/,
     0x80 | 0x01, 0x80
   };
-  static const InputBuffer controlTwoValueBytes(controlTwoValueBytesData);
+  static const Input controlTwoValueBytes(controlTwoValueBytesData);
   ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity,
                                    &controlTwoValueBytes,
                                    KeyUsage::digitalSignature));
   ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeCA,
                                    &controlTwoValueBytes,
                                    KeyUsage::digitalSignature));
 
   // two-byte test case
   static uint8_t twoValueBytesData[] = {
     0x03/*BIT STRING*/, 0x03/*LENGTH=3*/, 7/*unused bits*/,
     0x80 | 0x01, 0x80 | 0x01
   };
-  static const InputBuffer twoValueBytes(twoValueBytesData);
+  static const Input twoValueBytes(twoValueBytesData);
   ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &twoValueBytes,
                            KeyUsage::digitalSignature));
   ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &twoValueBytes,
                            KeyUsage::digitalSignature));
 }
--- a/security/pkix/test/gtest/pkixcheck_CheckValidity_tests.cpp
+++ b/security/pkix/test/gtest/pkixcheck_CheckValidity_tests.cpp
@@ -26,17 +26,17 @@
 #include "pkix/pkixtypes.h"
 #include "pkixtestutil.h"
 
 using namespace mozilla::pkix;
 using namespace mozilla::pkix::test;
 
 namespace mozilla { namespace pkix {
 
-Result CheckValidity(const InputBuffer encodedValidity, PRTime time);
+Result CheckValidity(const Input encodedValidity, PRTime time);
 
 } } // namespace mozilla::pkix
 
 static const PRTime PAST_TIME(YMDHMS(1998, 12, 31, 12, 23, 56));
 
 #define OLDER_GENERALIZEDTIME \
   0x18, 15,                               /* tag, length */ \
   '1', '9', '9', '9', '0', '1', '0', '1', /* 1999-01-01 */ \
@@ -64,79 +64,79 @@ static const PRTime FUTURE_TIME(YMDHMS(2
 class pkixcheck_CheckValidity : public ::testing::Test { };
 
 TEST_F(pkixcheck_CheckValidity, BothEmptyNull)
 {
   static const uint8_t DER[] = {
     0x17/*UTCTime*/, 0/*length*/,
     0x17/*UTCTime*/, 0/*length*/,
   };
-  static const InputBuffer validity(DER);
+  static const Input validity(DER);
   ASSERT_EQ(Result::ERROR_EXPIRED_CERTIFICATE, CheckValidity(validity, NOW));
 }
 
 TEST_F(pkixcheck_CheckValidity, NotBeforeEmptyNull)
 {
   static const uint8_t DER[] = {
     0x17/*UTCTime*/, 0x00/*length*/,
     NEWER_UTCTIME
   };
-  static const InputBuffer validity(DER);
+  static const Input validity(DER);
   ASSERT_EQ(Result::ERROR_EXPIRED_CERTIFICATE, CheckValidity(validity, NOW));
 }
 
 TEST_F(pkixcheck_CheckValidity, NotAfterEmptyNull)
 {
   static const uint8_t DER[] = {
     NEWER_UTCTIME,
     0x17/*UTCTime*/, 0x00/*length*/,
   };
-  static const InputBuffer validity(DER);
+  static const Input validity(DER);
   ASSERT_EQ(Result::ERROR_EXPIRED_CERTIFICATE, CheckValidity(validity, NOW));
 }
 
 static const uint8_t OLDER_UTCTIME_NEWER_UTCTIME_DATA[] = {
   OLDER_UTCTIME,
   NEWER_UTCTIME,
 };
-static const InputBuffer
+static const Input
 OLDER_UTCTIME_NEWER_UTCTIME(OLDER_UTCTIME_NEWER_UTCTIME_DATA);
 
 TEST_F(pkixcheck_CheckValidity, Valid_UTCTIME_UTCTIME)
 {
   ASSERT_EQ(Success, CheckValidity(OLDER_UTCTIME_NEWER_UTCTIME, NOW));
 }
 
 TEST_F(pkixcheck_CheckValidity, Valid_GENERALIZEDTIME_GENERALIZEDTIME)
 {
   static const uint8_t DER[] = {
     OLDER_GENERALIZEDTIME,
     NEWER_GENERALIZEDTIME,
   };
-  static const InputBuffer validity(DER);
+  static const Input validity(DER);
   ASSERT_EQ(Success, CheckValidity(validity, NOW));
 }
 
 TEST_F(pkixcheck_CheckValidity, Valid_GENERALIZEDTIME_UTCTIME)
 {
   static const uint8_t DER[] = {
     OLDER_GENERALIZEDTIME,
     NEWER_UTCTIME,
   };
-  static const InputBuffer validity(DER);
+  static const Input validity(DER);
   ASSERT_EQ(Success, CheckValidity(validity, NOW));
 }
 
 TEST_F(pkixcheck_CheckValidity, Valid_UTCTIME_GENERALIZEDTIME)
 {
   static const uint8_t DER[] = {
     OLDER_UTCTIME,
     NEWER_GENERALIZEDTIME,
   };
-  static const InputBuffer validity(DER);
+  static const Input validity(DER);
   ASSERT_EQ(Success, CheckValidity(validity, NOW));
 }
 
 TEST_F(pkixcheck_CheckValidity, InvalidBeforeNotBefore)
 {
   ASSERT_EQ(Result::ERROR_EXPIRED_CERTIFICATE,
             CheckValidity(OLDER_UTCTIME_NEWER_UTCTIME, PAST_TIME));
 }
@@ -148,11 +148,11 @@ TEST_F(pkixcheck_CheckValidity, InvalidA
 }
 
 TEST_F(pkixcheck_CheckValidity, InvalidNotAfterBeforeNotBefore)
 {
   static const uint8_t DER[] = {
     NEWER_UTCTIME,
     OLDER_UTCTIME,
   };
-  static const InputBuffer validity(DER);
+  static const Input validity(DER);
   ASSERT_EQ(Result::ERROR_EXPIRED_CERTIFICATE, CheckValidity(validity, NOW));
 }
--- a/security/pkix/test/gtest/pkixder_input_tests.cpp
+++ b/security/pkix/test/gtest/pkixder_input_tests.cpp
@@ -81,102 +81,102 @@ const uint8_t DER_OVERRUN_SEQUENCE_OF_IN
 };
 
 const uint8_t DER_INT16[] = {
   0x02,                       // INTEGER
   0x02,                       // length
   0x12, 0x34                  // 0x1234
 };
 
-TEST_F(pkixder_input_tests, InputBufferInit)
+TEST_F(pkixder_input_tests, InputInit)
 {
-  InputBuffer buf;
+  Input buf;
   ASSERT_EQ(Success,
             buf.Init(DER_SEQUENCE_OF_INT8, sizeof DER_SEQUENCE_OF_INT8));
 }
 
-TEST_F(pkixder_input_tests, InputBufferInitWithNullPointerOrZeroLength)
+TEST_F(pkixder_input_tests, InputInitWithNullPointerOrZeroLength)
 {
-  InputBuffer buf;
+  Input buf;
   ASSERT_EQ(Result::ERROR_BAD_DER, buf.Init(nullptr, 0));
 
   ASSERT_EQ(Result::ERROR_BAD_DER, buf.Init(nullptr, 100));
 
   // Though it seems odd to initialize with zero-length and non-null ptr, this
-  // is working as intended. The Input class was intended to protect against
+  // is working as intended. The Reader class was intended to protect against
   // buffer overflows, and there's no risk with the current behavior. See bug
   // 1000354.
   ASSERT_EQ(Success, buf.Init((const uint8_t*) "hello", 0));
   ASSERT_TRUE(buf.GetLength() == 0);
 }
 
-TEST_F(pkixder_input_tests, InputBufferInitWithLargeData)
+TEST_F(pkixder_input_tests, InputInitWithLargeData)
 {
-  InputBuffer buf;
+  Input buf;
   // Data argument length does not matter, it is not touched, just
   // needs to be non-null
   ASSERT_EQ(Result::ERROR_BAD_DER, buf.Init((const uint8_t*) "", 0xffff+1));
 
   ASSERT_EQ(Success, buf.Init((const uint8_t*) "", 0xffff));
 }
 
-TEST_F(pkixder_input_tests, InputBufferInitMultipleTimes)
+TEST_F(pkixder_input_tests, InputInitMultipleTimes)
 {
-  InputBuffer buf;
+  Input buf;
 
   ASSERT_EQ(Success,
             buf.Init(DER_SEQUENCE_OF_INT8, sizeof DER_SEQUENCE_OF_INT8));
 
   ASSERT_EQ(Result::FATAL_ERROR_INVALID_ARGS,
             buf.Init(DER_SEQUENCE_OF_INT8, sizeof DER_SEQUENCE_OF_INT8));
 }
 
 TEST_F(pkixder_input_tests, PeekWithinBounds)
 {
   const uint8_t der[] = { 0x11, 0x11 };
-  InputBuffer buf(der);
-  Input input(buf);
+  Input buf(der);
+  Reader input(buf);
   ASSERT_TRUE(input.Peek(0x11));
   ASSERT_FALSE(input.Peek(0x22));
 }
 
 TEST_F(pkixder_input_tests, PeekPastBounds)
 {
   const uint8_t der[] = { 0x11, 0x22 };
-  InputBuffer buf;
+  Input buf;
   ASSERT_EQ(Success, buf.Init(der, 1));
-  Input input(buf);
+  Reader input(buf);
 
   uint8_t readByte;
   ASSERT_EQ(Success, input.Read(readByte));
   ASSERT_EQ(0x11, readByte);
   ASSERT_FALSE(input.Peek(0x22));
 }
 
 TEST_F(pkixder_input_tests, ReadByte)
 {
   const uint8_t der[] = { 0x11, 0x22 };
-  InputBuffer buf(der);
-  Input input(buf);
+  Input buf(der);
+  Reader input(buf);
 
   uint8_t readByte1;
   ASSERT_EQ(Success, input.Read(readByte1));
   ASSERT_EQ(0x11, readByte1);
 
   uint8_t readByte2;
   ASSERT_EQ(Success, input.Read(readByte2));
   ASSERT_EQ(0x22, readByte2);
 }
 
 TEST_F(pkixder_input_tests, ReadBytePastEnd)
 {
   const uint8_t der[] = { 0x11, 0x22 };
-  InputBuffer buf;
+  Input buf;
   ASSERT_EQ(Success, buf.Init(der, 1));
-  Input input(buf);
+  Reader input(buf);
 
   uint8_t readByte1 = 0;
   ASSERT_EQ(Success, input.Read(readByte1));
   ASSERT_EQ(0x11, readByte1);
 
   uint8_t readByte2 = 0;
   ASSERT_EQ(Result::ERROR_BAD_DER, input.Read(readByte2));
   ASSERT_NE(0x22, readByte2);
@@ -187,89 +187,89 @@ TEST_F(pkixder_input_tests, ReadByteWrap
   // The original implementation of our buffer read overflow checks was
   // susceptible to integer overflows which could make the checks ineffective.
   // This attempts to verify that we've fixed that. Unfortunately, decrementing
   // a null pointer is undefined behavior according to the C++ language spec.,
   // but this should catch the problem on at least some compilers, if not all of
   // them.
   const uint8_t* der = nullptr;
   --der;
-  InputBuffer buf;
+  Input buf;
   ASSERT_EQ(Success, buf.Init(der, 0));
-  Input input(buf);
+  Reader input(buf);
 
   uint8_t b;
   ASSERT_EQ(Result::ERROR_BAD_DER, input.Read(b));
 }
 
 TEST_F(pkixder_input_tests, ReadWord)
 {
   const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
-  InputBuffer buf(der);
-  Input input(buf);
+  Input buf(der);
+  Reader input(buf);
 
   uint16_t readWord1 = 0;
   ASSERT_EQ(Success, input.Read(readWord1));
   ASSERT_EQ(0x1122, readWord1);
 
   uint16_t readWord2 = 0;
   ASSERT_EQ(Success, input.Read(readWord2));
   ASSERT_EQ(0x3344, readWord2);
 }
 
 TEST_F(pkixder_input_tests, ReadWordPastEnd)
 {
   const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
-  InputBuffer buf;
+  Input buf;
   ASSERT_EQ(Success, buf.Init(der, 2)); // Initialize with too-short length
-  Input input(buf);
+  Reader input(buf);
 
   uint16_t readWord1 = 0;
   ASSERT_EQ(Success, input.Read(readWord1));
   ASSERT_EQ(0x1122, readWord1);
 
   uint16_t readWord2 = 0;
   ASSERT_EQ(Result::ERROR_BAD_DER, input.Read(readWord2));
   ASSERT_NE(0x3344, readWord2);
 }
 
 TEST_F(pkixder_input_tests, ReadWordWithInsufficentData)
 {
   const uint8_t der[] = { 0x11, 0x22 };
-  InputBuffer buf;
+  Input buf;
   ASSERT_EQ(Success, buf.Init(der, 1));
-  Input input(buf);
+  Reader input(buf);
 
   uint16_t readWord1 = 0;
   ASSERT_EQ(Result::ERROR_BAD_DER, input.Read(readWord1));
   ASSERT_NE(0x1122, readWord1);
 }
 
 TEST_F(pkixder_input_tests, ReadWordWrapAroundPointer)
 {
   // The original implementation of our buffer read overflow checks was
   // susceptible to integer overflows which could make the checks ineffective.
   // This attempts to verify that we've fixed that. Unfortunately, decrementing
   // a null pointer is undefined behavior according to the C++ language spec.,
   // but this should catch the problem on at least some compilers, if not all of
   // them.
   const uint8_t* der = nullptr;
   --der;
-  InputBuffer buf;
+  Input buf;
   ASSERT_EQ(Success, buf.Init(der, 0));
-  Input input(buf);
+  Reader input(buf);
   uint16_t b;
   ASSERT_EQ(Result::ERROR_BAD_DER, input.Read(b));
 }
 
 TEST_F(pkixder_input_tests, InputSkip)
 {
   const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
-  InputBuffer buf(der);
-  Input input(buf);
+  Input buf(der);
+  Reader input(buf);
 
   ASSERT_EQ(Success, input.Skip(1));
 
   uint8_t readByte1 = 0;
   ASSERT_EQ(Success, input.Read(readByte1));
   ASSERT_EQ(0x22, readByte1);
 
   ASSERT_EQ(Success, input.Skip(1));
@@ -277,507 +277,506 @@ TEST_F(pkixder_input_tests, InputSkip)
   uint8_t readByte2 = 0;
   ASSERT_EQ(Success, input.Read(readByte2));
   ASSERT_EQ(0x44, readByte2);
 }
 
 TEST_F(pkixder_input_tests, InputSkipToEnd)
 {
   const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
-  InputBuffer buf(der);
-  Input input(buf);
+  Input buf(der);
+  Reader input(buf);
   ASSERT_EQ(Success, input.Skip(sizeof der));
   ASSERT_TRUE(input.AtEnd());
 }
 
 TEST_F(pkixder_input_tests, InputSkipPastEnd)
 {
   const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
-  InputBuffer buf(der);
-  Input input(buf);
+  Input buf(der);
+  Reader input(buf);
 
   ASSERT_EQ(Result::ERROR_BAD_DER, input.Skip(sizeof der + 1));
 }
 
 TEST_F(pkixder_input_tests, InputSkipToNewInput)
 {
   const uint8_t der[] = { 0x01, 0x02, 0x03, 0x04 };
-  InputBuffer buf(der);
-  Input input(buf);
+  Input buf(der);
+  Reader input(buf);
 
-  Input skippedInput;
+  Reader skippedInput;
   ASSERT_EQ(Success, input.Skip(3, skippedInput));
 
   uint8_t readByte1 = 0;
   ASSERT_EQ(Success, input.Read(readByte1));
   ASSERT_EQ(0x04, readByte1);
 
   ASSERT_TRUE(input.AtEnd());
 
-  // Input has no Remaining() or Length() so we simply read the bytes
+  // Reader has no Remaining() or Length() so we simply read the bytes
   // and then expect to be at the end.
 
   for (uint8_t i = 1; i <= 3; ++i) {
     uint8_t readByte = 0;
     ASSERT_EQ(Success, skippedInput.Read(readByte));
     ASSERT_EQ(i, readByte);
   }
 
   ASSERT_TRUE(skippedInput.AtEnd());
 }
 
 TEST_F(pkixder_input_tests, InputSkipToNewInputPastEnd)
 {
   const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
-  InputBuffer buf(der);
-  Input input(buf);
+  Input buf(der);
+  Reader input(buf);
 
-  Input skippedInput;
+  Reader skippedInput;
   ASSERT_EQ(Result::ERROR_BAD_DER, input.Skip(sizeof der * 2, skippedInput));
 }
 
-TEST_F(pkixder_input_tests, InputSkipToInputBuffer)
+TEST_F(pkixder_input_tests, InputSkipToInput)
 {
   const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
-  InputBuffer buf(der);
-  Input input(buf);
+  Input buf(der);
+  Reader input(buf);
 
   const uint8_t expectedItemData[] = { 0x11, 0x22, 0x33 };
 
-  InputBuffer item;
+  Input item;
   ASSERT_EQ(Success, input.Skip(sizeof expectedItemData, item));
 
-  InputBuffer expected(expectedItemData);
-  ASSERT_TRUE(InputBuffersAreEqual(expected, item));
+  Input expected(expectedItemData);
+  ASSERT_TRUE(InputsAreEqual(expected, item));
 }
 
 TEST_F(pkixder_input_tests, SkipWrapAroundPointer)
 {
   // The original implementation of our buffer read overflow checks was
   // susceptible to integer overflows which could make the checks ineffective.
   // This attempts to verify that we've fixed that. Unfortunately, decrementing
   // a null pointer is undefined behavior according to the C++ language spec.,
   // but this should catch the problem on at least some compilers, if not all of
   // them.
   const uint8_t* der = nullptr;
   --der;
-  InputBuffer buf;
+  Input buf;
   ASSERT_EQ(Success, buf.Init(der, 0));
-  Input input(buf);
+  Reader input(buf);
   ASSERT_EQ(Result::ERROR_BAD_DER, input.Skip(1));
 }
 
-TEST_F(pkixder_input_tests, SkipToInputBufferPastEnd)
+TEST_F(pkixder_input_tests, SkipToInputPastEnd)
 {
   const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
-  InputBuffer buf(der);
-  Input input(buf);
+  Input buf(der);
+  Reader input(buf);
 
-  InputBuffer skipped;
+  Input skipped;
   ASSERT_EQ(Result::ERROR_BAD_DER, input.Skip(sizeof der + 1, skipped));
 }
 
 TEST_F(pkixder_input_tests, ExpectTagAndSkipValue)
 {
-  InputBuffer buf(DER_SEQUENCE_OF_INT8);
-  Input input(buf);
+  Input buf(DER_SEQUENCE_OF_INT8);
+  Reader input(buf);
 
   ASSERT_EQ(Success, ExpectTagAndSkipValue(input, SEQUENCE));
   ASSERT_EQ(Success, End(input));
 }
 
 TEST_F(pkixder_input_tests, ExpectTagAndSkipValueWithTruncatedData)
 {
-  InputBuffer buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
-  Input input(buf);
+  Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
+  Reader input(buf);
 
   ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndSkipValue(input, SEQUENCE));
 }
 
 TEST_F(pkixder_input_tests, ExpectTagAndSkipValueWithOverrunData)
 {
-  InputBuffer buf(DER_OVERRUN_SEQUENCE_OF_INT8);
-  Input input(buf);
+  Input buf(DER_OVERRUN_SEQUENCE_OF_INT8);
+  Reader input(buf);
   ASSERT_EQ(Success, ExpectTagAndSkipValue(input, SEQUENCE));
   ASSERT_EQ(Result::ERROR_BAD_DER, End(input));
 }
 
 TEST_F(pkixder_input_tests, AtEndOnUnInitializedInput)
 {
-  Input input;
+  Reader input;
   ASSERT_TRUE(input.AtEnd());
 }
 
 TEST_F(pkixder_input_tests, AtEndAtBeginning)
 {
   const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
-  InputBuffer buf(der);
-  Input input(buf);
+  Input buf(der);
+  Reader input(buf);
   ASSERT_FALSE(input.AtEnd());
 }
 
 TEST_F(pkixder_input_tests, AtEndAtEnd)
 {
   const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
-  InputBuffer buf(der);
-  Input input(buf);
+  Input buf(der);
+  Reader input(buf);
   ASSERT_EQ(Success, input.Skip(sizeof der));
   ASSERT_TRUE(input.AtEnd());
 }
 
-TEST_F(pkixder_input_tests, MarkAndGetInputBuffer)
+TEST_F(pkixder_input_tests, MarkAndGetInput)
 {
   const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
-  InputBuffer buf(der);
-  Input input(buf);
+  Input buf(der);
+  Reader input(buf);
 
-  Input::Mark mark = input.GetMark();
+  Reader::Mark mark = input.GetMark();
 
   const uint8_t expectedItemData[] = { 0x11, 0x22, 0x33 };
 
   ASSERT_EQ(Success, input.Skip(sizeof expectedItemData));
 
-  InputBuffer item;
-  ASSERT_EQ(Success, input.GetInputBuffer(mark, item));
-  InputBuffer expected(expectedItemData);
-  ASSERT_TRUE(InputBuffersAreEqual(expected, item));
+  Input item;
+  ASSERT_EQ(Success, input.GetInput(mark, item));
+  Input expected(expectedItemData);
+  ASSERT_TRUE(InputsAreEqual(expected, item));
 }
 
 // Cannot run this test on debug builds because of the PR_NOT_REACHED
 #ifndef DEBUG
-TEST_F(pkixder_input_tests, MarkAndGetInputBufferDifferentInput)
+TEST_F(pkixder_input_tests, MarkAndGetInputDifferentInput)
 {
   const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
-  InputBuffer buf(der);
-  Input input(buf);
+  Input buf(der);
+  Reader input(buf);
 
-  Input another;
-  Input::Mark mark = another.GetMark();
+  Reader another;
+  Reader::Mark mark = another.GetMark();
 
   ASSERT_EQ(Success, input.Skip(3));
 
-  InputBuffer item;
-  ASSERT_EQ(Result::FATAL_ERROR_INVALID_ARGS,
-            input.GetInputBuffer(mark, item));
+  Input item;
+  ASSERT_EQ(Result::FATAL_ERROR_INVALID_ARGS, input.GetInput(mark, item));
 }
 #endif
 
 TEST_F(pkixder_input_tests, ExpectTagAndLength)
 {
-  InputBuffer buf(DER_SEQUENCE_OF_INT8);
-  Input input(buf);
+  Input buf(DER_SEQUENCE_OF_INT8);
+  Reader input(buf);
 
   ASSERT_EQ(Success, ExpectTagAndLength(input, SEQUENCE,
                                         sizeof DER_SEQUENCE_OF_INT8 - 2));
 }
 
 TEST_F(pkixder_input_tests, ExpectTagAndLengthWithWrongLength)
 {
-  InputBuffer buf(DER_INT16);
-  Input input(buf);
+  Input buf(DER_INT16);
+  Reader input(buf);
 
   // Wrong length
   ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndLength(input, INTEGER, 4));
 }
 
 TEST_F(pkixder_input_tests, ExpectTagAndLengthWithWrongTag)
 {
-  InputBuffer buf(DER_INT16);
-  Input input(buf);
+  Input buf(DER_INT16);
+  Reader input(buf);
 
   // Wrong type
   ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndLength(input, OCTET_STRING, 2));
 }
 
 TEST_F(pkixder_input_tests, ExpectTagAndGetLength)
 {
-  InputBuffer buf(DER_SEQUENCE_OF_INT8);
-  Input input(buf);
+  Input buf(DER_SEQUENCE_OF_INT8);
+  Reader input(buf);
 
   uint16_t length = 0;
   ASSERT_EQ(Success,
             der::internal::ExpectTagAndGetLength(input, SEQUENCE, length));
   ASSERT_EQ(sizeof DER_SEQUENCE_OF_INT8 - 2, length);
   ASSERT_EQ(Success, input.Skip(length));
   ASSERT_TRUE(input.AtEnd());
 }
 
 TEST_F(pkixder_input_tests, ExpectTagAndGetLengthWithWrongTag)
 {
-  InputBuffer buf(DER_SEQUENCE_OF_INT8);
-  Input input(buf);
+  Input buf(DER_SEQUENCE_OF_INT8);
+  Reader input(buf);
 
   uint16_t length = 0;
   ASSERT_EQ(Result::ERROR_BAD_DER,
             der::internal::ExpectTagAndGetLength(input, INTEGER, length));
 }
 
 TEST_F(pkixder_input_tests, ExpectTagAndGetLengthWithWrongLength)
 {
-  InputBuffer buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
-  Input input(buf);
+  Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
+  Reader input(buf);
 
   uint16_t length = 0;
   ASSERT_EQ(Result::ERROR_BAD_DER,
             der::internal::ExpectTagAndGetLength(input, SEQUENCE, length));
 }
 
-TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Input_ValidEmpty)
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Reader_ValidEmpty)
 {
-  InputBuffer buf(DER_SEQUENCE_EMPTY);
-  Input input(buf);
-  Input value;
+  Input buf(DER_SEQUENCE_EMPTY);
+  Reader input(buf);
+  Reader value;
   ASSERT_EQ(Success, ExpectTagAndGetValue(input, SEQUENCE, value));
   ASSERT_TRUE(value.AtEnd());
   ASSERT_TRUE(input.AtEnd());
 }
 
-TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Input_ValidNotEmpty)
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Reader_ValidNotEmpty)
 {
-  InputBuffer buf(DER_SEQUENCE_NOT_EMPTY);
-  Input input(buf);
-  Input value;
+  Input buf(DER_SEQUENCE_NOT_EMPTY);
+  Reader input(buf);
+  Reader value;
   ASSERT_EQ(Success, ExpectTagAndGetValue(input, SEQUENCE, value));
   ASSERT_TRUE(value.MatchRest(DER_SEQUENCE_NOT_EMPTY_VALUE));
   ASSERT_TRUE(input.AtEnd());
 }
 
 TEST_F(pkixder_input_tests,
+       ExpectTagAndGetValue_Reader_InvalidNotEmptyValueTruncated)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED);
+  Reader input(buf);
+  Reader value;
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            ExpectTagAndGetValue(input, SEQUENCE, value));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Reader_InvalidWrongLength)
+{
+  Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
+  Reader input(buf);
+  Reader value;
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            ExpectTagAndGetValue(input, SEQUENCE, value));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetLength_Reader_InvalidWrongTag)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY);
+  Reader input(buf);
+  Reader value;
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            ExpectTagAndGetValue(input, INTEGER, value));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Input_ValidEmpty)
+{
+  Input buf(DER_SEQUENCE_EMPTY);
+  Reader input(buf);
+  Input value;
+  ASSERT_EQ(Success, ExpectTagAndGetValue(input, SEQUENCE, value));
+  ASSERT_EQ(0u, value.GetLength());
+  ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Input_ValidNotEmpty)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY);
+  Reader input(buf);
+  Input value;
+  ASSERT_EQ(Success, ExpectTagAndGetValue(input, SEQUENCE, value));
+  Input expected(DER_SEQUENCE_NOT_EMPTY_VALUE);
+  ASSERT_TRUE(InputsAreEqual(expected, value));
+  ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests,
        ExpectTagAndGetValue_Input_InvalidNotEmptyValueTruncated)
 {
-  InputBuffer buf(DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED);
-  Input input(buf);
+  Input buf(DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED);
+  Reader input(buf);
   Input value;
   ASSERT_EQ(Result::ERROR_BAD_DER,
             ExpectTagAndGetValue(input, SEQUENCE, value));
 }
 
 TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Input_InvalidWrongLength)
 {
-  InputBuffer buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
-  Input input(buf);
+  Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
+  Reader input(buf);
   Input value;
   ASSERT_EQ(Result::ERROR_BAD_DER,
             ExpectTagAndGetValue(input, SEQUENCE, value));
 }
 
 TEST_F(pkixder_input_tests, ExpectTagAndGetLength_Input_InvalidWrongTag)
 {
-  InputBuffer buf(DER_SEQUENCE_NOT_EMPTY);
-  Input input(buf);
+  Input buf(DER_SEQUENCE_NOT_EMPTY);
+  Reader input(buf);
   Input value;
   ASSERT_EQ(Result::ERROR_BAD_DER,
             ExpectTagAndGetValue(input, INTEGER, value));
 }
 
-TEST_F(pkixder_input_tests, ExpectTagAndGetValue_InputBuffer_ValidEmpty)
+TEST_F(pkixder_input_tests, ExpectTagAndGetTLV_Input_ValidEmpty)
 {
-  InputBuffer buf(DER_SEQUENCE_EMPTY);
-  Input input(buf);
-  InputBuffer value;
-  ASSERT_EQ(Success, ExpectTagAndGetValue(input, SEQUENCE, value));
-  ASSERT_EQ(0u, value.GetLength());
+  Input buf(DER_SEQUENCE_EMPTY);
+  Reader input(buf);
+  Input tlv;
+  ASSERT_EQ(Success, ExpectTagAndGetTLV(input, SEQUENCE, tlv));
+  Input expected(DER_SEQUENCE_EMPTY);
+  ASSERT_TRUE(InputsAreEqual(expected, tlv));
   ASSERT_TRUE(input.AtEnd());
 }
 
-TEST_F(pkixder_input_tests, ExpectTagAndGetValue_InputBuffer_ValidNotEmpty)
+TEST_F(pkixder_input_tests, ExpectTagAndGetTLV_Input_ValidNotEmpty)
 {
-  InputBuffer buf(DER_SEQUENCE_NOT_EMPTY);
-  Input input(buf);
-  InputBuffer value;
-  ASSERT_EQ(Success, ExpectTagAndGetValue(input, SEQUENCE, value));
-  InputBuffer expected(DER_SEQUENCE_NOT_EMPTY_VALUE);
-  ASSERT_TRUE(InputBuffersAreEqual(expected, value));
+  Input buf(DER_SEQUENCE_NOT_EMPTY);
+  Reader input(buf);
+  Input tlv;
+  ASSERT_EQ(Success, ExpectTagAndGetTLV(input, SEQUENCE, tlv));
+  Input expected(DER_SEQUENCE_NOT_EMPTY);
+  ASSERT_TRUE(InputsAreEqual(expected, tlv));
   ASSERT_TRUE(input.AtEnd());
 }
 
 TEST_F(pkixder_input_tests,
-       ExpectTagAndGetValue_InputBuffer_InvalidNotEmptyValueTruncated)
-{
-  InputBuffer buf(DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED);
-  Input input(buf);
-  InputBuffer value;
-  ASSERT_EQ(Result::ERROR_BAD_DER,
-            ExpectTagAndGetValue(input, SEQUENCE, value));
-}
-
-TEST_F(pkixder_input_tests, ExpectTagAndGetValue_InputBuffer_InvalidWrongLength)
-{
-  InputBuffer buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
-  Input input(buf);
-  InputBuffer value;
-  ASSERT_EQ(Result::ERROR_BAD_DER,
-            ExpectTagAndGetValue(input, SEQUENCE, value));
-}
-
-TEST_F(pkixder_input_tests, ExpectTagAndGetLength_InputBuffer_InvalidWrongTag)
+       ExpectTagAndGetTLV_Input_InvalidNotEmptyValueTruncated)
 {
-  InputBuffer buf(DER_SEQUENCE_NOT_EMPTY);
-  Input input(buf);
-  InputBuffer value;
-  ASSERT_EQ(Result::ERROR_BAD_DER,
-            ExpectTagAndGetValue(input, INTEGER, value));
-}
-
-TEST_F(pkixder_input_tests, ExpectTagAndGetTLV_InputBuffer_ValidEmpty)
-{
-  InputBuffer buf(DER_SEQUENCE_EMPTY);
-  Input input(buf);
-  InputBuffer tlv;
-  ASSERT_EQ(Success, ExpectTagAndGetTLV(input, SEQUENCE, tlv));
-  InputBuffer expected(DER_SEQUENCE_EMPTY);
-  ASSERT_TRUE(InputBuffersAreEqual(expected, tlv));
-  ASSERT_TRUE(input.AtEnd());
-}
-
-TEST_F(pkixder_input_tests, ExpectTagAndGetTLV_InputBuffer_ValidNotEmpty)
-{
-  InputBuffer buf(DER_SEQUENCE_NOT_EMPTY);
-  Input input(buf);
-  InputBuffer tlv;
-  ASSERT_EQ(Success, ExpectTagAndGetTLV(input, SEQUENCE, tlv));
-  InputBuffer expected(DER_SEQUENCE_NOT_EMPTY);
-  ASSERT_TRUE(InputBuffersAreEqual(expected, tlv));
-  ASSERT_TRUE(input.AtEnd());
-}
-
-TEST_F(pkixder_input_tests,
-       ExpectTagAndGetTLV_InputBuffer_InvalidNotEmptyValueTruncated)
-{
-  InputBuffer buf(DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED);
-  Input input(buf);
-  InputBuffer tlv;
+  Input buf(DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED);
+  Reader input(buf);
+  Input tlv;
   ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndGetTLV(input, SEQUENCE, tlv));
 }
 
-TEST_F(pkixder_input_tests, ExpectTagAndGetTLV_InputBuffer_InvalidWrongLength)
+TEST_F(pkixder_input_tests, ExpectTagAndGetTLV_Input_InvalidWrongLength)
 {
-  InputBuffer buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
-  Input input(buf);
-  InputBuffer tlv;
+  Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
+  Reader input(buf);
+  Input tlv;
   ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndGetTLV(input, SEQUENCE, tlv));
 }
 
-TEST_F(pkixder_input_tests, ExpectTagAndGetTLV_InputBuffer_InvalidWrongTag)
+TEST_F(pkixder_input_tests, ExpectTagAndGetTLV_Input_InvalidWrongTag)
 {
-  InputBuffer buf(DER_SEQUENCE_NOT_EMPTY);
-  Input input(buf);
-  InputBuffer tlv;
+  Input buf(DER_SEQUENCE_NOT_EMPTY);
+  Reader input(buf);
+  Input tlv;
   ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndGetTLV(input, INTEGER, tlv));
 }
 
 TEST_F(pkixder_input_tests, EndAtEnd)
 {
-  InputBuffer buf(DER_INT16);
-  Input input(buf);
+  Input buf(DER_INT16);
+  Reader input(buf);
   ASSERT_EQ(Success, input.Skip(4));
   ASSERT_EQ(Success, End(input));
 }
 
 TEST_F(pkixder_input_tests, EndBeforeEnd)
 {
-  InputBuffer buf(DER_INT16);
-  Input input(buf);
+  Input buf(DER_INT16);
+  Reader input(buf);
   ASSERT_EQ(Success, input.Skip(2));
   ASSERT_EQ(Result::ERROR_BAD_DER, End(input));
 }
 
 TEST_F(pkixder_input_tests, EndAtBeginning)
 {
-  InputBuffer buf(DER_INT16);
-  Input input(buf);
+  Input buf(DER_INT16);
+  Reader input(buf);
   ASSERT_EQ(Result::ERROR_BAD_DER, End(input));
 }
 
 // TODO: Need tests for Nested too?
 
-Result NestedOfHelper(Input& input, std::vector<uint8_t>& readValues)
+Result NestedOfHelper(Reader& input, std::vector<uint8_t>& readValues)
 {
   uint8_t value = 0;
   Result rv = input.Read(value);
   EXPECT_EQ(Success, rv);
   if (rv != Success) {
     return rv;
   }
   readValues.push_back(value);
   return Success;
 }
 
 TEST_F(pkixder_input_tests, NestedOf)
 {
-  InputBuffer buf(DER_SEQUENCE_OF_INT8);
-  Input input(buf);
+  Input buf(DER_SEQUENCE_OF_INT8);
+  Reader input(buf);
 
   std::vector<uint8_t> readValues;
   ASSERT_EQ(Success,
     NestedOf(input, SEQUENCE, INTEGER, EmptyAllowed::No,
              mozilla::pkix::bind(NestedOfHelper, mozilla::pkix::_1,
                                  mozilla::pkix::ref(readValues))));
   ASSERT_EQ((size_t) 3, readValues.size());
   ASSERT_EQ(0x01, readValues[0]);
   ASSERT_EQ(0x02, readValues[1]);
   ASSERT_EQ(0x03, readValues[2]);
   ASSERT_EQ(Success, End(input));
 }
 
 TEST_F(pkixder_input_tests, NestedOfWithTruncatedData)
 {
-  InputBuffer buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
-  Input input(buf);
+  Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
+  Reader input(buf);
 
   std::vector<uint8_t> readValues;
   ASSERT_EQ(Result::ERROR_BAD_DER,
             NestedOf(input, SEQUENCE, INTEGER, EmptyAllowed::No,
                      mozilla::pkix::bind(NestedOfHelper, mozilla::pkix::_1,
                                          mozilla::pkix::ref(readValues))));
   ASSERT_EQ((size_t) 0, readValues.size());
 }
 
 TEST_F(pkixder_input_tests, MatchRestAtEnd)
 {
   static const uint8_t der[1] = { };
-  InputBuffer buf;
+  Input buf;
   ASSERT_EQ(Success, buf.Init(der, 0));
-  Input input(buf);
+  Reader input(buf);
   ASSERT_TRUE(input.AtEnd());
   static const uint8_t toMatch[] = { 1 };
   ASSERT_FALSE(input.MatchRest(toMatch));
 }
 
 TEST_F(pkixder_input_tests, MatchRest1Match)
 {
   static const uint8_t der[] = { 1 };
-  InputBuffer buf(der);
-  Input input(buf);
+  Input buf(der);
+  Reader input(buf);
   ASSERT_FALSE(input.AtEnd());
   ASSERT_TRUE(input.MatchRest(der));
 }
 
 TEST_F(pkixder_input_tests, MatchRest1Mismatch)
 {
   static const uint8_t der[] = { 1 };
-  InputBuffer buf(der);
-  Input input(buf);
+  Input buf(der);
+  Reader input(buf);
   static const uint8_t toMatch[] = { 2 };
   ASSERT_FALSE(input.MatchRest(toMatch));
   ASSERT_FALSE(input.AtEnd());
 }
 
 TEST_F(pkixder_input_tests, MatchRest2WithTrailingByte)
 {
   static const uint8_t der[] = { 1, 2, 3 };
-  InputBuffer buf(der);
-  Input input(buf);
+  Input buf(der);
+  Reader input(buf);
   static const uint8_t toMatch[] = { 1, 2 };
   ASSERT_FALSE(input.MatchRest(toMatch));
 }
 
 TEST_F(pkixder_input_tests, MatchRest2Mismatch)
 {
   static const uint8_t der[] = { 1, 2, 3 };
-  InputBuffer buf(der);
-  Input input(buf);
+  Input buf(der);
+  Reader input(buf);
   static const uint8_t toMatchMismatch[] = { 1, 3 };
   ASSERT_FALSE(input.MatchRest(toMatchMismatch));
   ASSERT_TRUE(input.MatchRest(der));
 }
 
 } // unnamed namespace
--- a/security/pkix/test/gtest/pkixder_pki_types_tests.cpp
+++ b/security/pkix/test/gtest/pkixder_pki_types_tests.cpp
@@ -39,158 +39,158 @@ class pkixder_pki_types_tests : public :
 
 TEST_F(pkixder_pki_types_tests, CertificateSerialNumber)
 {
   const uint8_t DER_CERT_SERIAL[] = {
     0x02,                       // INTEGER
     8,                          // length
     0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
   };
-  InputBuffer buf(DER_CERT_SERIAL);
-  Input input(buf);
+  Input input(DER_CERT_SERIAL);
+  Reader reader(input);
 
-  InputBuffer item;
-  ASSERT_EQ(Success, CertificateSerialNumber(input, item));
+  Input item;
+  ASSERT_EQ(Success, CertificateSerialNumber(reader, item));
 
-  InputBuffer expected;
+  Input expected;
   ASSERT_EQ(Success,
             expected.Init(DER_CERT_SERIAL + 2, sizeof DER_CERT_SERIAL - 2));
-  ASSERT_TRUE(InputBuffersAreEqual(expected, item));
+  ASSERT_TRUE(InputsAreEqual(expected, item));
 }
 
 TEST_F(pkixder_pki_types_tests, CertificateSerialNumberLongest)
 {
   const uint8_t DER_CERT_SERIAL_LONGEST[] = {
     0x02,                       // INTEGER
     20,                         // length
     1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
   };
-  InputBuffer buf(DER_CERT_SERIAL_LONGEST);
-  Input input(buf);
+  Input input(DER_CERT_SERIAL_LONGEST);
+  Reader reader(input);
 
-  InputBuffer item;
-  ASSERT_EQ(Success, CertificateSerialNumber(input, item));
+  Input item;
+  ASSERT_EQ(Success, CertificateSerialNumber(reader, item));
 
-  InputBuffer expected;
+  Input expected;
   ASSERT_EQ(Success,
             expected.Init(DER_CERT_SERIAL_LONGEST + 2,
                           sizeof DER_CERT_SERIAL_LONGEST - 2));
-  ASSERT_TRUE(InputBuffersAreEqual(expected, item));
+  ASSERT_TRUE(InputsAreEqual(expected, item));
 }
 
 TEST_F(pkixder_pki_types_tests, CertificateSerialNumberCrazyLong)
 {
   const uint8_t DER_CERT_SERIAL_CRAZY_LONG[] = {
     0x02,                       // INTEGER
     32,                         // length
     1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
     17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32
   };
-  InputBuffer buf(DER_CERT_SERIAL_CRAZY_LONG);
-  Input input(buf);
+  Input input(DER_CERT_SERIAL_CRAZY_LONG);
+  Reader reader(input);
 
-  InputBuffer item;
-  ASSERT_EQ(Success, CertificateSerialNumber(input, item));
+  Input item;
+  ASSERT_EQ(Success, CertificateSerialNumber(reader, item));
 }
 
 TEST_F(pkixder_pki_types_tests, CertificateSerialNumberZeroLength)
 {
   const uint8_t DER_CERT_SERIAL_ZERO_LENGTH[] = {
     0x02,                       // INTEGER
     0x00                        // length
   };
-  InputBuffer buf(DER_CERT_SERIAL_ZERO_LENGTH);
-  Input input(buf);
+  Input input(DER_CERT_SERIAL_ZERO_LENGTH);
+  Reader reader(input);
 
-  InputBuffer item;
-  ASSERT_EQ(Result::ERROR_BAD_DER, CertificateSerialNumber(input, item));
+  Input item;
+  ASSERT_EQ(Result::ERROR_BAD_DER, CertificateSerialNumber(reader, item));
 }
 
 TEST_F(pkixder_pki_types_tests, OptionalVersionV1ExplicitEncodingAllowed)
 {
   const uint8_t DER_OPTIONAL_VERSION_V1[] = {
     0xa0, 0x03,                   // context specific 0
     0x02, 0x01, 0x00              // INTEGER(0)
   };
-  InputBuffer buf(DER_OPTIONAL_VERSION_V1);
-  Input input(buf);
+  Input input(DER_OPTIONAL_VERSION_V1);
+  Reader reader(input);
 
   // XXX(bug 1031093): We shouldn't accept an explicit encoding of v1, but we
   // do here for compatibility reasons.
   // Version version;
-  // ASSERT_EQ(Result::ERROR_BAD_DER, OptionalVersion(input, version));
+  // ASSERT_EQ(Result::ERROR_BAD_DER, OptionalVersion(reader, version));
   der::Version version = der::Version::v3;
-  ASSERT_EQ(Success, OptionalVersion(input, version));
+  ASSERT_EQ(Success, OptionalVersion(reader, version));
   ASSERT_EQ(der::Version::v1, version);
 }
 
 TEST_F(pkixder_pki_types_tests, OptionalVersionV2)
 {
   const uint8_t DER_OPTIONAL_VERSION_V2[] = {
     0xa0, 0x03,                   // context specific 0
     0x02, 0x01, 0x01              // INTEGER(1)
   };
-  InputBuffer buf(DER_OPTIONAL_VERSION_V2);
-  Input input(buf);
+  Input input(DER_OPTIONAL_VERSION_V2);
+  Reader reader(input);
 
   der::Version version = der::Version::v1;
-  ASSERT_EQ(Success, OptionalVersion(input, version));
+  ASSERT_EQ(Success, OptionalVersion(reader, version));
   ASSERT_EQ(der::Version::v2, version);
 }
 
 TEST_F(pkixder_pki_types_tests, OptionalVersionV3)
 {
   const uint8_t DER_OPTIONAL_VERSION_V3[] = {
     0xa0, 0x03,                   // context specific 0
     0x02, 0x01, 0x02              // INTEGER(2)
   };
-  InputBuffer buf(DER_OPTIONAL_VERSION_V3);
-  Input input(buf);
+  Input input(DER_OPTIONAL_VERSION_V3);
+  Reader reader(input);
 
   der::Version version = der::Version::v1;
-  ASSERT_EQ(Success, OptionalVersion(input, version));
+  ASSERT_EQ(Success, OptionalVersion(reader, version));
   ASSERT_EQ(der::Version::v3, version);
 }
 
 TEST_F(pkixder_pki_types_tests, OptionalVersionUnknown)
 {
   const uint8_t DER_OPTIONAL_VERSION_INVALID[] = {
     0xa0, 0x03,                   // context specific 0
     0x02, 0x01, 0x42              // INTEGER(0x42)
   };
-  InputBuffer buf(DER_OPTIONAL_VERSION_INVALID);
-  Input input(buf);
+  Input input(DER_OPTIONAL_VERSION_INVALID);
+  Reader reader(input);
 
   der::Version version = der::Version::v1;
-  ASSERT_EQ(Result::ERROR_BAD_DER, OptionalVersion(input, version));
+  ASSERT_EQ(Result::ERROR_BAD_DER, OptionalVersion(reader, version));
 }
 
 TEST_F(pkixder_pki_types_tests, OptionalVersionInvalidTooLong)
 {
   const uint8_t DER_OPTIONAL_VERSION_INVALID_TOO_LONG[] = {
     0xa0, 0x03,                   // context specific 0
     0x02, 0x02, 0x12, 0x34        // INTEGER(0x1234)
   };
-  InputBuffer buf(DER_OPTIONAL_VERSION_INVALID_TOO_LONG);
-  Input input(buf);
+  Input input(DER_OPTIONAL_VERSION_INVALID_TOO_LONG);
+  Reader reader(input);
 
   der::Version version;
-  ASSERT_EQ(Result::ERROR_BAD_DER, OptionalVersion(input, version));
+  ASSERT_EQ(Result::ERROR_BAD_DER, OptionalVersion(reader, version));
 }
 
 TEST_F(pkixder_pki_types_tests, OptionalVersionMissing)
 {
   const uint8_t DER_OPTIONAL_VERSION_MISSING[] = {
     0x02, 0x11, 0x22              // INTEGER
   };
-  InputBuffer buf(DER_OPTIONAL_VERSION_MISSING);
-  Input input(buf);
+  Input input(DER_OPTIONAL_VERSION_MISSING);
+  Reader reader(input);
 
   der::Version version = der::Version::v3;
-  ASSERT_EQ(Success, OptionalVersion(input, version));
+  ASSERT_EQ(Success, OptionalVersion(reader, version));
   ASSERT_EQ(der::Version::v1, version);
 }
 
 static const size_t MAX_ALGORITHM_OID_DER_LENGTH = 13;
 
 template <typename T>
 struct AlgorithmIdentifierTestInfo
 {
@@ -230,76 +230,76 @@ DIGEST_ALGORITHM_TEST_INFO[] = {
   },
 };
 
 TEST_P(pkixder_DigestAlgorithmIdentifier, Valid)
 {
   const AlgorithmIdentifierTestInfo<DigestAlgorithm>& param(GetParam());
 
   {
-    InputBuffer buf;
-    ASSERT_EQ(Success, buf.Init(param.der, param.derLength));
-    Input input(buf);
+    Input input;
+    ASSERT_EQ(Success, input.Init(param.der, param.derLength));
+    Reader reader(input);
     DigestAlgorithm alg;
-    ASSERT_EQ(Success, DigestAlgorithmIdentifier(input, alg));
+    ASSERT_EQ(Success, DigestAlgorithmIdentifier(reader, alg));
     ASSERT_EQ(param.algorithm, alg);
-    ASSERT_EQ(Success, End(input));
+    ASSERT_EQ(Success, End(reader));
   }
 
   {
     uint8_t derWithNullParam[MAX_ALGORITHM_OID_DER_LENGTH + 2];
     memcpy(derWithNullParam, param.der, param.derLength);
     derWithNullParam[1] += 2; // we're going to expand the value by 2 bytes
     derWithNullParam[param.derLength] = 0x05; // NULL tag
     derWithNullParam[param.derLength + 1] = 0x00; // length zero
 
-    InputBuffer buf;
-    ASSERT_EQ(Success, buf.Init(derWithNullParam, param.derLength + 2));
-    Input input(buf);
+    Input input;
+    ASSERT_EQ(Success, input.Init(derWithNullParam, param.derLength + 2));
+    Reader reader(input);
     DigestAlgorithm alg;
-    ASSERT_EQ(Success, DigestAlgorithmIdentifier(input, alg));
+    ASSERT_EQ(Success, DigestAlgorithmIdentifier(reader, alg));
     ASSERT_EQ(param.algorithm, alg);
-    ASSERT_EQ(Success, End(input));
+    ASSERT_EQ(Success, End(reader));
   }
 }
 
 INSTANTIATE_TEST_CASE_P(pkixder_DigestAlgorithmIdentifier,
                         pkixder_DigestAlgorithmIdentifier,
                         testing::ValuesIn(DIGEST_ALGORITHM_TEST_INFO));
 
 TEST_F(pkixder_DigestAlgorithmIdentifier, Invalid_MD5)
 {
   // The OID identifies MD5 (1.2.840.113549.2.5). It is invalid because we
   // don't accept MD5 as a hash algorithm.
   static const uint8_t DER[] = {
     0x30, 0x0a, 0x06, 0x08,
     0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05
   };
-  InputBuffer buf(DER);
-  Input input(buf);
+  Input input(DER);
+  Reader reader(input);
 
   DigestAlgorithm alg;
   ASSERT_EQ(Result::ERROR_INVALID_ALGORITHM,
-            DigestAlgorithmIdentifier(input, alg));
+            DigestAlgorithmIdentifier(reader, alg));
 }
 
 TEST_F(pkixder_DigestAlgorithmIdentifier, Invalid_Digest_ECDSA_WITH_SHA256)
 {
   // The OID identifies ecdsa-with-SHA256 (1.2.840.10045.4.3.2). It is invalid
   // because ECDSA-with-SHA256 is not a hash algorithm.
   static const uint8_t DER[] = {
     0x30, 0x0a, 0x06, 0x08,
     0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, //
   };
-  InputBuffer buf(DER);
-  Input input(buf);
+  Input input(DER);
+  Reader reader(input);
 
   DigestAlgorithm alg;
   ASSERT_EQ(Result::ERROR_INVALID_ALGORITHM,
-            DigestAlgorithmIdentifier(input, alg));
+            DigestAlgorithmIdentifier(reader, alg));
 }
 
 static const AlgorithmIdentifierTestInfo<SignatureAlgorithm>
   SIGNATURE_ALGORITHM_TEST_INFO[] =
 {
   { SignatureAlgorithm::ecdsa_with_sha512,
     { 0x30, 0x0a, 0x06, 0x08,
       0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04 },
@@ -363,71 +363,71 @@ class pkixder_SignatureAlgorithmIdentifi
 {
 };
 
 TEST_P(pkixder_SignatureAlgorithmIdentifier, Valid)
 {
   const AlgorithmIdentifierTestInfo<SignatureAlgorithm>& param(GetParam());
 
   {
-    InputBuffer buf;
-    ASSERT_EQ(Success, buf.Init(param.der, param.derLength));
-    Input input(buf);
+    Input input;
+    ASSERT_EQ(Success, input.Init(param.der, param.derLength));
+    Reader reader(input);
     SignatureAlgorithm alg;
-    ASSERT_EQ(Success, SignatureAlgorithmIdentifier(input, alg));
+    ASSERT_EQ(Success, SignatureAlgorithmIdentifier(reader, alg));
     ASSERT_EQ(param.algorithm, alg);
-    ASSERT_EQ(Success, End(input));
+    ASSERT_EQ(Success, End(reader));
   }
 
   {
     uint8_t derWithNullParam[MAX_ALGORITHM_OID_DER_LENGTH + 2];
     memcpy(derWithNullParam, param.der, param.derLength);
     derWithNullParam[1] += 2; // we're going to expand the value by 2 bytes
     derWithNullParam[param.derLength] = 0x05; // NULL tag
     derWithNullParam[param.derLength + 1] = 0x00; // length zero
 
-    InputBuffer buf;
-    ASSERT_EQ(Success, buf.Init(derWithNullParam, param.derLength + 2));
-    Input input(buf);
+    Input input;
+    ASSERT_EQ(Success, input.Init(derWithNullParam, param.derLength + 2));
+    Reader reader(input);
     SignatureAlgorithm alg;
-    ASSERT_EQ(Success, SignatureAlgorithmIdentifier(input, alg));
+    ASSERT_EQ(Success, SignatureAlgorithmIdentifier(reader, alg));
     ASSERT_EQ(param.algorithm, alg);
-    ASSERT_EQ(Success, End(input));
+    ASSERT_EQ(Success, End(reader));
   }
 }
 
 INSTANTIATE_TEST_CASE_P(pkixder_SignatureAlgorithmIdentifier,
                         pkixder_SignatureAlgorithmIdentifier,
                         testing::ValuesIn(SIGNATURE_ALGORITHM_TEST_INFO));
 
 TEST_F(pkixder_SignatureAlgorithmIdentifier, Invalid_RSA_With_MD5)
 {
   // The OID identifies RSA-with-MD5 (1.2.840.113549.1.1.4). It is invalid
   // because no MD5-based signatures algorithms are supported by the parser.
   static const uint8_t DER[] = {
     0x30, 0x0b, 0x06, 0x09,
     0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x04
   };
-  InputBuffer buf(DER);
-  Input input(buf);
+  Input input(DER);
+  Reader reader(input);
 
   SignatureAlgorithm alg;
   ASSERT_EQ(Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED,
-            SignatureAlgorithmIdentifier(input, alg));
+            SignatureAlgorithmIdentifier(reader, alg));
 }
 
 TEST_F(pkixder_SignatureAlgorithmIdentifier, Invalid_SignatureAlgorithm_SHA256)
 {
   // The OID identifies id-sha256 (2.16.840.1.101.3.4.2.1). It is invalid
   // because SHA-256 is not a signature algorithm.
   static const uint8_t DER[] = {
     0x30, 0x0b, 0x06, 0x09,
     0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01
   };
-  InputBuffer buf(DER);
-  Input input(buf);
+  Input input(DER);
+  Reader reader(input);
 
   SignatureAlgorithm alg;
   ASSERT_EQ(Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED,
-            SignatureAlgorithmIdentifier(input, alg));
+            SignatureAlgorithmIdentifier(reader, alg));
 }
 
 } // unnamed namespace
--- a/security/pkix/test/gtest/pkixder_universal_types_tests.cpp
+++ b/security/pkix/test/gtest/pkixder_universal_types_tests.cpp
@@ -42,238 +42,253 @@ class pkixder_universal_types_tests : pu
 
 TEST_F(pkixder_universal_types_tests, BooleanTrue01)
 {
   const uint8_t DER_BOOLEAN_TRUE_01[] = {
     0x01,                       // BOOLEAN
     0x01,                       // length
     0x01                        // invalid
   };
-  InputBuffer buf(DER_BOOLEAN_TRUE_01);
-  Input input(buf);
+  Input input(DER_BOOLEAN_TRUE_01);
+  Reader reader(input);
   bool value = false;
-  ASSERT_EQ(Result::ERROR_BAD_DER, Boolean(input, value));
+  ASSERT_EQ(Result::ERROR_BAD_DER, Boolean(reader, value));
 }
 
 TEST_F(pkixder_universal_types_tests, BooleanTrue42)
 {
   const uint8_t DER_BOOLEAN_TRUE_42[] = {
     0x01,                       // BOOLEAN
     0x01,                       // length
     0x42                        // invalid
   };
-  InputBuffer buf(DER_BOOLEAN_TRUE_42);
-  Input input(buf);
+  Input input(DER_BOOLEAN_TRUE_42);
+  Reader reader(input);
   bool value = false;
-  ASSERT_EQ(Result::ERROR_BAD_DER, Boolean(input, value));
+  ASSERT_EQ(Result::ERROR_BAD_DER, Boolean(reader, value));
 }
 
 static const uint8_t DER_BOOLEAN_TRUE[] = {
   0x01,                       // BOOLEAN
   0x01,                       // length
   0xff                        // true
 };
 
 TEST_F(pkixder_universal_types_tests, BooleanTrueFF)
 {
-  InputBuffer buf(DER_BOOLEAN_TRUE);
-  Input input(buf);
+  Input input(DER_BOOLEAN_TRUE);
+  Reader reader(input);
   bool value = false;
-  ASSERT_EQ(Success, Boolean(input, value));
+  ASSERT_EQ(Success, Boolean(reader, value));
   ASSERT_TRUE(value);
 }
 
 TEST_F(pkixder_universal_types_tests, BooleanFalse)
 {
   const uint8_t DER_BOOLEAN_FALSE[] = {
     0x01,                       // BOOLEAN
     0x01,                       // length
     0x00                        // false
   };
-  InputBuffer buf(DER_BOOLEAN_FALSE);
-  Input input(buf);
+  Input input(DER_BOOLEAN_FALSE);
+  Reader reader(input);
 
   bool value = true;
-  ASSERT_EQ(Success, Boolean(input, value));
+  ASSERT_EQ(Success, Boolean(reader, value));
   ASSERT_FALSE(value);
 }
 
 TEST_F(pkixder_universal_types_tests, BooleanInvalidLength)
 {
   const uint8_t DER_BOOLEAN_INVALID_LENGTH[] = {
     0x01,                       // BOOLEAN
     0x02,                       // length
     0x42, 0x42                  // invalid
   };
-  InputBuffer buf(DER_BOOLEAN_INVALID_LENGTH);
-  Input input(buf);
+  Input input(DER_BOOLEAN_INVALID_LENGTH);
+  Reader reader(input);
 
   bool value = true;
-  ASSERT_EQ(Result::ERROR_BAD_DER, Boolean(input, value));
+  ASSERT_EQ(Result::ERROR_BAD_DER, Boolean(reader, value));
 }
 
 TEST_F(pkixder_universal_types_tests, BooleanInvalidZeroLength)
 {
   const uint8_t DER_BOOLEAN_INVALID_ZERO_LENGTH[] = {
     0x01,                       // BOOLEAN
     0x00                        // length
   };
-  InputBuffer buf(DER_BOOLEAN_INVALID_ZERO_LENGTH);
-  Input input(buf);
+  Input input(DER_BOOLEAN_INVALID_ZERO_LENGTH);
+  Reader reader(input);
 
   bool value = true;
-  ASSERT_EQ(Result::ERROR_BAD_DER, Boolean(input, value));
+  ASSERT_EQ(Result::ERROR_BAD_DER, Boolean(reader, value));
 }
 
 // OptionalBoolean implements decoding of OPTIONAL BOOLEAN DEFAULT FALSE.
 // If the field is present, it must be a valid encoding of a BOOLEAN with
 // value TRUE. If the field is not present, it defaults to FALSE. For
 // compatibility reasons, OptionalBoolean can be told to accept an encoding
 // where the field is present with value FALSE (this is technically not a
 // valid DER encoding).
 TEST_F(pkixder_universal_types_tests, OptionalBooleanValidEncodings)
 {
-  const uint8_t DER_OPTIONAL_BOOLEAN_PRESENT_TRUE[] = {
-    0x01,                       // BOOLEAN
-    0x01,                       // length
-    0xff                        // true
-  };
-  InputBuffer buf1(DER_OPTIONAL_BOOLEAN_PRESENT_TRUE);
-  Input input1(buf1);
-  bool value = false;
-  ASSERT_EQ(Success, OptionalBoolean(input1, false, value)) <<
-    "Should accept the only valid encoding of a present OPTIONAL BOOLEAN";
-  ASSERT_TRUE(value);
-  ASSERT_TRUE(input1.AtEnd());
+  {
+    const uint8_t DER_OPTIONAL_BOOLEAN_PRESENT_TRUE[] = {
+      0x01,                       // BOOLEAN
+      0x01,                       // length
+      0xff                        // true
+    };
+    Input input(DER_OPTIONAL_BOOLEAN_PRESENT_TRUE);
+    Reader reader(input);
+    bool value = false;
+    ASSERT_EQ(Success, OptionalBoolean(reader, false, value)) <<
+      "Should accept the only valid encoding of a present OPTIONAL BOOLEAN";
+    ASSERT_TRUE(value);
+    ASSERT_TRUE(reader.AtEnd());
+  }
 
-  // The OPTIONAL BOOLEAN is omitted in this data.
-  const uint8_t DER_INTEGER_05[] = {
-    0x02,                       // INTEGER
-    0x01,                       // length
-    0x05
-  };
-  InputBuffer buf2(DER_INTEGER_05);
-  Input input2(buf2);
-  value = true;
-  ASSERT_EQ(Success, OptionalBoolean(input2, false, value)) <<
-    "Should accept a valid encoding of an omitted OPTIONAL BOOLEAN";
-  ASSERT_FALSE(value);
-  ASSERT_FALSE(input2.AtEnd());
+  {
+    // The OPTIONAL BOOLEAN is omitted in this data.
+    const uint8_t DER_INTEGER_05[] = {
+      0x02,                       // INTEGER
+      0x01,                       // length
+      0x05
+    };
+    Input input(DER_INTEGER_05);
+    Reader reader(input);
+    bool value = true;
+    ASSERT_EQ(Success, OptionalBoolean(reader, false, value)) <<
+      "Should accept a valid encoding of an omitted OPTIONAL BOOLEAN";
+    ASSERT_FALSE(value);
+    ASSERT_FALSE(reader.AtEnd());
+  }
 
-  InputBuffer buf3;
-  ASSERT_EQ(Success, buf3.Init(reinterpret_cast<const uint8_t*>(""), 0));
-  Input input3(buf3);
-  value = true;
-  ASSERT_EQ(Success, OptionalBoolean(input3, false, value)) <<
-    "Should accept another valid encoding of an omitted OPTIONAL BOOLEAN";
-  ASSERT_FALSE(value);
-  ASSERT_TRUE(input3.AtEnd());
+  {
+    Input input;
+    ASSERT_EQ(Success, input.Init(reinterpret_cast<const uint8_t*>(""), 0));
+    Reader reader(input);
+    bool value = true;
+    ASSERT_EQ(Success, OptionalBoolean(reader, false, value)) <<
+      "Should accept another valid encoding of an omitted OPTIONAL BOOLEAN";
+    ASSERT_FALSE(value);
+    ASSERT_TRUE(reader.AtEnd());
+  }
 }
 
 TEST_F(pkixder_universal_types_tests, OptionalBooleanInvalidEncodings)
 {
   const uint8_t DER_OPTIONAL_BOOLEAN_PRESENT_FALSE[] = {
     0x01,                       // BOOLEAN
     0x01,                       // length
     0x00                        // false
   };
 
-  InputBuffer buf1(DER_OPTIONAL_BOOLEAN_PRESENT_FALSE);
-  Input input1(buf1);
-  bool value;
-  // If the second parameter to OptionalBoolean is false, invalid encodings
-  // that include the field even when it is the DEFAULT FALSE are rejected.
-  bool allowInvalidEncodings = false;
-  ASSERT_EQ(Result::ERROR_BAD_DER,
-            OptionalBoolean(input1, allowInvalidEncodings, value)) <<
-    "Should reject an invalid encoding of present OPTIONAL BOOLEAN";
+  {
+    Input input(DER_OPTIONAL_BOOLEAN_PRESENT_FALSE);
+    Reader reader(input);
+    bool value;
+    // If the second parameter to OptionalBoolean is false, invalid encodings
+    // that include the field even when it is the DEFAULT FALSE are rejected.
+    bool allowInvalidEncodings = false;
+    ASSERT_EQ(Result::ERROR_BAD_DER,
+              OptionalBoolean(reader, allowInvalidEncodings, value)) <<
+      "Should reject an invalid encoding of present OPTIONAL BOOLEAN";
+  }
 
-  InputBuffer buf2(DER_OPTIONAL_BOOLEAN_PRESENT_FALSE);
-  Input input2(buf2);
-  value = true;
-  // If the second parameter to OptionalBoolean is true, invalid encodings
-  // that include the field even when it is the DEFAULT FALSE are accepted.
-  allowInvalidEncodings = true;
-  ASSERT_EQ(Success, OptionalBoolean(input2, allowInvalidEncodings, value)) <<
-    "Should now accept an invalid encoding of present OPTIONAL BOOLEAN";
-  ASSERT_FALSE(value);
-  ASSERT_TRUE(input2.AtEnd());
+  {
+    Input input(DER_OPTIONAL_BOOLEAN_PRESENT_FALSE);
+    Reader reader(input);
+    bool value = true;
+    // If the second parameter to OptionalBoolean is true, invalid encodings
+    // that include the field even when it is the DEFAULT FALSE are accepted.
+    bool allowInvalidEncodings = true;
+    ASSERT_EQ(Success, OptionalBoolean(reader, allowInvalidEncodings, value)) <<
+      "Should now accept an invalid encoding of present OPTIONAL BOOLEAN";
+    ASSERT_FALSE(value);
+    ASSERT_TRUE(reader.AtEnd());
+  }
 
   const uint8_t DER_OPTIONAL_BOOLEAN_PRESENT_42[] = {
     0x01,                       // BOOLEAN
     0x01,                       // length
     0x42                        // (invalid value for a BOOLEAN)
   };
-  InputBuffer buf3(DER_OPTIONAL_BOOLEAN_PRESENT_42);
-  Input input3(buf3);
-  // Even with the second parameter to OptionalBoolean as true, encodings
-  // of BOOLEAN that are invalid altogether are rejected.
-  ASSERT_EQ(Result::ERROR_BAD_DER,
-            OptionalBoolean(input3, allowInvalidEncodings, value)) <<
-    "Should reject another invalid encoding of present OPTIONAL BOOLEAN";
+
+  {
+    Input input(DER_OPTIONAL_BOOLEAN_PRESENT_42);
+    Reader reader(input);
+    // Even with the second parameter to OptionalBoolean as true, encodings
+    // of BOOLEAN that are invalid altogether are rejected.
+    bool allowInvalidEncodings = true;
+    bool value;
+    ASSERT_EQ(Result::ERROR_BAD_DER,
+              OptionalBoolean(reader, allowInvalidEncodings, value)) <<
+      "Should reject another invalid encoding of present OPTIONAL BOOLEAN";
+  }
 }
 
 TEST_F(pkixder_universal_types_tests, Enumerated)
 {
   const uint8_t DER_ENUMERATED[] = {
     0x0a,                       // ENUMERATED
     0x01,                       // length
     0x42                        // value
   };
-  InputBuffer buf(DER_ENUMERATED);
-  Input input(buf);
+  Input input(DER_ENUMERATED);
+  Reader reader(input);
 
   uint8_t value = 0;
-  ASSERT_EQ(Success, Enumerated(input, value));
+  ASSERT_EQ(Success, Enumerated(reader, value));
   ASSERT_EQ(0x42, value);
 }
 
 TEST_F(pkixder_universal_types_tests, EnumeratedNotShortestPossibleDER)
 {
   const uint8_t DER_ENUMERATED[] = {
     0x0a,                       // ENUMERATED
     0x02,                       // length
     0x00, 0x01                  // value
   };
-  InputBuffer buf(DER_ENUMERATED);
-  Input input(buf);
+  Input input(DER_ENUMERATED);
+  Reader reader(input);
 
   uint8_t value = 0;
-  ASSERT_EQ(Result::ERROR_BAD_DER, Enumerated(input, value));
+  ASSERT_EQ(Result::ERROR_BAD_DER, Enumerated(reader, value));
 }
 
 TEST_F(pkixder_universal_types_tests, EnumeratedOutOfAcceptedRange)
 {
   // Although this is a valid ENUMERATED value according to ASN.1, we
   // intentionally don't support these large values because there are no
   // ENUMERATED values in X.509 certs or OCSP this large, and we're trying to
   // keep the parser simple and fast.
   const uint8_t DER_ENUMERATED_INVALID_LENGTH[] = {
     0x0a,                       // ENUMERATED
     0x02,                       // length
     0x12, 0x34                  // value
   };
-  InputBuffer buf(DER_ENUMERATED_INVALID_LENGTH);
-  Input input(buf);
+  Input input(DER_ENUMERATED_INVALID_LENGTH);
+  Reader reader(input);
 
   uint8_t value = 0;
-  ASSERT_EQ(Result::ERROR_BAD_DER, Enumerated(input, value));
+  ASSERT_EQ(Result::ERROR_BAD_DER, Enumerated(reader, value));
 }
 
 TEST_F(pkixder_universal_types_tests, EnumeratedInvalidZeroLength)
 {
   const uint8_t DER_ENUMERATED_INVALID_ZERO_LENGTH[] = {
     0x0a,                       // ENUMERATED
     0x00                        // length
   };
-  InputBuffer buf(DER_ENUMERATED_INVALID_ZERO_LENGTH);
-  Input input(buf);
+  Input input(DER_ENUMERATED_INVALID_ZERO_LENGTH);
+  Reader reader(input);
 
   uint8_t value = 0;
-  ASSERT_EQ(Result::ERROR_BAD_DER, Enumerated(input, value));
+  ASSERT_EQ(Result::ERROR_BAD_DER, Enumerated(reader, value));
 }
 
 ////////////////////////////////////////
 // GeneralizedTime and TimeChoice
 //
 // From RFC 5280 section 4.1.2.5.2
 //
 //   For the purposes of this profile, GeneralizedTime values MUST be
@@ -307,41 +322,41 @@ TimeChoiceForEquivalentUTCTime(const uin
   uint8_t utcTimeDER[LENGTH - 2];
   utcTimeDER[0] = 0x17; // tag UTCTime
   utcTimeDER[1] = LENGTH - 1/*tag*/ - 1/*value*/ - 2/*century*/;
   // Copy the value except for the first two digits of the year
   for (size_t i = 2; i < LENGTH - 2; ++i) {
     utcTimeDER[i] = generalizedTimeDER[i + 2];
   }
 
-  InputBuffer buf(utcTimeDER);
-  Input input(buf);
-  return TimeChoice(input, value);
+  Input input(utcTimeDER);
+  Reader reader(input);
+  return TimeChoice(reader, value);
 }
 
 template <uint16_t LENGTH>
 void
 ExpectGoodTime(PRTime expectedValue,
                const uint8_t (&generalizedTimeDER)[LENGTH])
 {
   // GeneralizedTime
   {
-    InputBuffer buf(generalizedTimeDER);
-    Input input(buf);
+    Input input(generalizedTimeDER);
+    Reader reader(input);
     PRTime value = 0;
-    ASSERT_EQ(Success, GeneralizedTime(input, value));
+    ASSERT_EQ(Success, GeneralizedTime(reader, value));
     EXPECT_EQ(expectedValue, value);
   }
 
   // TimeChoice: GeneralizedTime
   {
-    InputBuffer buf(generalizedTimeDER);
-    Input input(buf);
+    Input input(generalizedTimeDER);
+    Reader reader(input);
     PRTime value = 0;
-    ASSERT_EQ(Success, TimeChoice(input, value));
+    ASSERT_EQ(Success, TimeChoice(reader, value));
     EXPECT_EQ(expectedValue, value);
   }
 
   // TimeChoice: UTCTime
   {
     PRTime value = 0;
     ASSERT_EQ(Success,
               TimeChoiceForEquivalentUTCTime(generalizedTimeDER, value));
@@ -350,28 +365,28 @@ ExpectGoodTime(PRTime expectedValue,
 }
 
 template <uint16_t LENGTH>
 void
 ExpectBadTime(const uint8_t (&generalizedTimeDER)[LENGTH])
 {
   // GeneralizedTime
   {
-    InputBuffer buf(generalizedTimeDER);
-    Input input(buf);
+    Input input(generalizedTimeDER);
+    Reader reader(input);
     PRTime value;
-    ASSERT_EQ(Result::ERROR_INVALID_TIME, GeneralizedTime(input, value));
+    ASSERT_EQ(Result::ERROR_INVALID_TIME, GeneralizedTime(reader, value));
   }
 
   // TimeChoice: GeneralizedTime
   {
-    InputBuffer buf(generalizedTimeDER);
-    Input input(buf);
+    Input input(generalizedTimeDER);
+    Reader reader(input);
     PRTime value;
-    ASSERT_EQ(Result::ERROR_INVALID_TIME, TimeChoice(input, value));
+    ASSERT_EQ(Result::ERROR_INVALID_TIME, TimeChoice(reader, value));
   }
 
   // TimeChoice: UTCTime
   {
     PRTime value;
     ASSERT_EQ(Result::ERROR_INVALID_TIME,
               TimeChoiceForEquivalentUTCTime(generalizedTimeDER, value));
   }
@@ -404,32 +419,32 @@ TEST_F(pkixder_universal_types_tests, Ti
   const uint8_t DER_GENERALIZED_TIME_INVALID_ZERO_LENGTH[] = {
     0x18,                           // GeneralizedTime
     0x00                            // Length = 0
   };
 
   PRTime value;
 
   // GeneralizedTime
-  InputBuffer gtBuf(DER_GENERALIZED_TIME_INVALID_ZERO_LENGTH);
-  Input gt(gtBuf);
+  Input gtBuf(DER_GENERALIZED_TIME_INVALID_ZERO_LENGTH);
+  Reader gt(gtBuf);
   ASSERT_EQ(Result::ERROR_INVALID_TIME, GeneralizedTime(gt, value));
 
   // TimeChoice: GeneralizedTime
-  InputBuffer tc_gt_buf(DER_GENERALIZED_TIME_INVALID_ZERO_LENGTH);
-  Input tc_gt(tc_gt_buf);
+  Input tc_gt_buf(DER_GENERALIZED_TIME_INVALID_ZERO_LENGTH);
+  Reader tc_gt(tc_gt_buf);
   ASSERT_EQ(Result::ERROR_INVALID_TIME, TimeChoice(tc_gt, value));
 
   // TimeChoice: UTCTime
   const uint8_t DER_UTCTIME_INVALID_ZERO_LENGTH[] = {
     0x17, // UTCTime
     0x00  // Length = 0
   };
-  InputBuffer tc_utc_buf(DER_UTCTIME_INVALID_ZERO_LENGTH);
-  Input tc_utc(tc_utc_buf);
+  Input tc_utc_buf(DER_UTCTIME_INVALID_ZERO_LENGTH);
+  Reader tc_utc(tc_utc_buf);
   ASSERT_EQ(Result::ERROR_INVALID_TIME, TimeChoice(tc_utc, value));
 }
 
 // A non zulu time should fail
 TEST_F(pkixder_universal_types_tests, TimeInvalidLocal)
 {
   const uint8_t DER_GENERALIZED_TIME_INVALID_LOCAL[] = {
     0x18,                           // Generalized Time
@@ -500,29 +515,29 @@ TEST_F(pkixder_universal_types_tests, Ge
     PRTime expectedValue = YMDHMS(i, 12, 31, 23, 59, 59);
 
     // We have to test GeneralizedTime separately from UTCTime instead of using
     // ExpectGooDtime because the range of UTCTime is less than the range of
     // GeneralizedTime.
 
     // GeneralizedTime
     {
-      InputBuffer buf(DER);
-      Input input(buf);
+      Input input(DER);
+      Reader reader(input);
       PRTime value = 0;
-      ASSERT_EQ(Success, GeneralizedTime(input, value));
+      ASSERT_EQ(Success, GeneralizedTime(reader, value));
       EXPECT_EQ(expectedValue, value);
     }
 
     // TimeChoice: GeneralizedTime
     {
-      InputBuffer buf(DER);
-      Input input(buf);
+      Input input(DER);
+      Reader reader(input);
       PRTime value = 0;
-      ASSERT_EQ(Success, TimeChoice(input, value));
+      ASSERT_EQ(Success, TimeChoice(reader, value));
       EXPECT_EQ(expectedValue, value);
     }
 
     // TimeChoice: UTCTime, which is limited to years less than 2049.
     if (i <= 2049) {
       PRTime value = 0;
       ASSERT_EQ(Success, TimeChoiceForEquivalentUTCTime(DER, value));
       EXPECT_EQ(expectedValue, value);
@@ -655,29 +670,29 @@ TEST_F(pkixder_universal_types_tests, Ti
   };
 
   // We don't use ExpectGoodTime here because UTCTime can't represent 2400.
 
   PRTime expectedValue = YMDHMS(2400, 2, 29, 16, 45, 40);
 
   // GeneralizedTime
   {
-    InputBuffer buf(DER);
-    Input input(buf);
+    Input input(DER);
+    Reader reader(input);
     PRTime value = 0;
-    ASSERT_EQ(Success, GeneralizedTime(input, value));
+    ASSERT_EQ(Success, GeneralizedTime(reader, value));
     EXPECT_EQ(expectedValue, value);
   }
 
   // TimeChoice: GeneralizedTime
   {
-    InputBuffer buf(DER);
-    Input input(buf);
+    Input input(DER);
+    Reader reader(input);
     PRTime value = 0;
-    ASSERT_EQ(Success, TimeChoice(input, value));
+    ASSERT_EQ(Success, TimeChoice(reader, value));
     EXPECT_EQ(expectedValue, value);
   }
 }
 
 TEST_F(pkixder_universal_types_tests, TimeMonthFebNotLeapYear2014)
 {
   static const uint8_t DER[] = {
     0x18,                           // Generalized Time
@@ -696,28 +711,28 @@ TEST_F(pkixder_universal_types_tests, Ti
     '2', '1', '0', '0', '0', '2', '2', '9', // 2100-02-29
     '1', '6', '4', '5', '4', '0', 'Z' // 16:45:40
   };
 
   // We don't use ExpectBadTime here because UTCTime can't represent 2100.
 
   // GeneralizedTime
   {
-    InputBuffer buf(DER);
-    Input input(buf);
+    Input input(DER);
+    Reader reader(input);
     PRTime value;
-    ASSERT_EQ(Result::ERROR_INVALID_TIME, GeneralizedTime(input, value));
+    ASSERT_EQ(Result::ERROR_INVALID_TIME, GeneralizedTime(reader, value));
   }
 
   // TimeChoice: GeneralizedTime
   {
-    InputBuffer buf(DER);
-    Input input(buf);
+    Input input(DER);
+    Reader reader(input);
     PRTime value;
-    ASSERT_EQ(Result::ERROR_INVALID_TIME, TimeChoice(input, value));
+    ASSERT_EQ(Result::ERROR_INVALID_TIME, TimeChoice(reader, value));
   }
 }
 
 TEST_F(pkixder_universal_types_tests, TimeHoursValidRange)
 {
   for (uint8_t i = 0; i <= 23; ++i) {
     const uint8_t DER[] = {
       0x18,                           // Generalized Time
@@ -834,28 +849,28 @@ TEST_F(pkixder_universal_types_tests, Ti
   };
 
   // We can't use ExpectBadTime here, because ExpectBadTime requires
   // consistent results for GeneralizedTime and UTCTime, but the results
   // for this input are different.
 
   // GeneralizedTime
   {
-    InputBuffer buf(DER_GENERALIZED_TIME_INVALID_CENTURY_CHAR);
-    Input input(buf);
+    Input input(DER_GENERALIZED_TIME_INVALID_CENTURY_CHAR);
+    Reader reader(input);
     PRTime value = 0;
-    ASSERT_EQ(Result::ERROR_INVALID_TIME, GeneralizedTime(input, value));
+    ASSERT_EQ(Result::ERROR_INVALID_TIME, GeneralizedTime(reader, value));
   }
 
   // TimeChoice: GeneralizedTime
   {
-    InputBuffer buf(DER_GENERALIZED_TIME_INVALID_CENTURY_CHAR);
-    Input input(buf);
+    Input input(DER_GENERALIZED_TIME_INVALID_CENTURY_CHAR);
+    Reader reader(input);
     PRTime value = 0;
-    ASSERT_EQ(Result::ERROR_INVALID_TIME, TimeChoice(input, value));
+    ASSERT_EQ(Result::ERROR_INVALID_TIME, TimeChoice(reader, value));
   }
 
   // This test is not applicable to TimeChoice: UTCTime
 }
 
 TEST_F(pkixder_universal_types_tests, TimeInvalidYearChar)
 {
   const uint8_t DER_GENERALIZED_TIME_INVALID_YEAR_CHAR[] = {
@@ -903,251 +918,251 @@ TEST_F(pkixder_universal_types_tests, Ti
 TEST_F(pkixder_universal_types_tests, Integer_0_127)
 {
   for (uint8_t i = 0; i <= 127; ++i) {
     const uint8_t DER[] = {
       0x02, // INTEGER
       0x01, // length
       i,    // value
     };
-    InputBuffer buf(DER);
-    Input input(buf);
+    Input input(DER);
+    Reader reader(input);
 
     uint8_t value = i + 1; // initialize with a value that is NOT i.
-    ASSERT_EQ(Success, Integer(input, value));
+    ASSERT_EQ(Success, Integer(reader, value));
     ASSERT_EQ(i, value);
   }
 }
 
 TEST_F(pkixder_universal_types_tests, Integer_Negative1)
 {
   // This is a valid integer value but our integer parser cannot parse
   // negative values.
 
   static const uint8_t DER[] = {
     0x02, // INTEGER
     0x01, // length
     0xff, // -1 (two's complement)
   };
-  InputBuffer buf(DER);
-  Input input(buf);
+  Input input(DER);
+  Reader reader(input);
 
   uint8_t value;
-  ASSERT_EQ(Result::ERROR_BAD_DER, Integer(input, value));
+  ASSERT_EQ(Result::ERROR_BAD_DER, Integer(reader, value));
 }
 
 TEST_F(pkixder_universal_types_tests, Integer_Negative128)
 {
   // This is a valid integer value but our integer parser cannot parse
   // negative values.
 
   static const uint8_t DER[] = {
     0x02, // INTEGER
     0x01, // length
     0x80, // -128 (two's complement)
   };
-  InputBuffer buf(DER);
-  Input input(buf);
+  Input input(DER);
+  Reader reader(input);
 
   uint8_t value;
-  ASSERT_EQ(Result::ERROR_BAD_DER, Integer(input, value));
+  ASSERT_EQ(Result::ERROR_BAD_DER, Integer(reader, value));
 }
 
 TEST_F(pkixder_universal_types_tests, Integer_128)
 {
   // This is a valid integer value but our integer parser cannot parse
   // values that require more than one byte to encode.
 
   static const uint8_t DER[] = {
     0x02, // INTEGER
     0x02, // length
     0x00, 0x80 // 128
   };
-  InputBuffer buf(DER);
-  Input input(buf);
+  Input input(DER);
+  Reader reader(input);
 
   uint8_t value;
-  ASSERT_EQ(Result::ERROR_BAD_DER, Integer(input, value));
+  ASSERT_EQ(Result::ERROR_BAD_DER, Integer(reader, value));
 }
 
 TEST_F(pkixder_universal_types_tests, Integer11223344)
 {
   // This is a valid integer value but our integer parser cannot parse
   // values that require more than one byte to be encoded.
 
   static const uint8_t DER[] = {
     0x02,                       // INTEGER
     0x04,                       // length
     0x11, 0x22, 0x33, 0x44      // 0x11223344
   };
-  InputBuffer buf(DER);
-  Input input(buf);
+  Input input(DER);
+  Reader reader(input);
 
   uint8_t value;
-  ASSERT_EQ(Result::ERROR_BAD_DER, Integer(input, value));
+  ASSERT_EQ(Result::ERROR_BAD_DER, Integer(reader, value));
 }
 
 TEST_F(pkixder_universal_types_tests, IntegerTruncatedOneByte)
 {
   const uint8_t DER_INTEGER_TRUNCATED[] = {
     0x02,                       // INTEGER
     0x01,                       // length
     // MISSING DATA HERE
   };
-  InputBuffer buf(DER_INTEGER_TRUNCATED);
-  Input input(buf);
+  Input input(DER_INTEGER_TRUNCATED);
+  Reader reader(input);
 
   uint8_t value;
-  ASSERT_EQ(Result::ERROR_BAD_DER, Integer(input, value));
+  ASSERT_EQ(Result::ERROR_BAD_DER, Integer(reader, value));
 }
 
 TEST_F(pkixder_universal_types_tests, IntegerTruncatedLarge)
 {
   const uint8_t DER_INTEGER_TRUNCATED[] = {
     0x02,                       // INTEGER
     0x04,                       // length
     0x11, 0x22                  // 0x1122
     // MISSING DATA HERE
   };
-  InputBuffer buf(DER_INTEGER_TRUNCATED);
-  Input input(buf);
+  Input input(DER_INTEGER_TRUNCATED);
+  Reader reader(input);
 
   uint8_t value;
-  ASSERT_EQ(Result::ERROR_BAD_DER, Integer(input, value));
+  ASSERT_EQ(Result::ERROR_BAD_DER, Integer(reader, value));
 }
 
 TEST_F(pkixder_universal_types_tests, IntegerZeroLength)
 {
   const uint8_t DER_INTEGER_ZERO_LENGTH[] = {
     0x02,                       // INTEGER
     0x00                        // length
   };
-  InputBuffer buf(DER_INTEGER_ZERO_LENGTH);
-  Input input(buf);
+  Input input(DER_INTEGER_ZERO_LENGTH);
+  Reader reader(input);
 
   uint8_t value;
-  ASSERT_EQ(Result::ERROR_BAD_DER, Integer(input, value));
+  ASSERT_EQ(Result::ERROR_BAD_DER, Integer(reader, value));
 }
 
 TEST_F(pkixder_universal_types_tests, IntegerOverlyLong1)
 {
   const uint8_t DER_INTEGER_OVERLY_LONG1[] = {
     0x02,                       // INTEGER
     0x02,                       // length
     0x00, 0x01                  //
   };
-  InputBuffer buf(DER_INTEGER_OVERLY_LONG1);
-  Input input(buf);
+  Input input(DER_INTEGER_OVERLY_LONG1);
+  Reader reader(input);
 
   uint8_t value;
-  ASSERT_EQ(Result::ERROR_BAD_DER, Integer(input, value));
+  ASSERT_EQ(Result::ERROR_BAD_DER, Integer(reader, value));
 }
 
 TEST_F(pkixder_universal_types_tests, IntegerOverlyLong2)
 {
   const uint8_t DER_INTEGER_OVERLY_LONG2[] = {
     0x02,                       // INTEGER
     0x02,                       // length
     0xff, 0x80                  //
   };
-  InputBuffer buf(DER_INTEGER_OVERLY_LONG2);
-  Input input(buf);
+  Input input(DER_INTEGER_OVERLY_LONG2);
+  Reader reader(input);
 
   uint8_t value;
-  ASSERT_EQ(Result::ERROR_BAD_DER, Integer(input, value));
+  ASSERT_EQ(Result::ERROR_BAD_DER, Integer(reader, value));
 }
 
 TEST_F(pkixder_universal_types_tests, OptionalIntegerSupportedDefault)
 {
   // The input is a BOOLEAN and not INTEGER for the input so we'll not parse
   // anything and instead use the default value.
-  InputBuffer buf(DER_BOOLEAN_TRUE);
-  Input input(buf);
+  Input input(DER_BOOLEAN_TRUE);
+  Reader reader(input);
 
   long value = 1;
-  ASSERT_EQ(Success, OptionalInteger(input, -1, value));
+  ASSERT_EQ(Success, OptionalInteger(reader, -1, value));
   ASSERT_EQ(-1, value);
   bool boolValue;
-  ASSERT_EQ(Success, Boolean(input, boolValue));
+  ASSERT_EQ(Success, Boolean(reader, boolValue));
 }
 
 TEST_F(pkixder_universal_types_tests, OptionalIntegerUnsupportedDefault)
 {
   // The same as the previous test, except with an unsupported default value
   // passed in.
-  InputBuffer buf(DER_BOOLEAN_TRUE);
-  Input input(buf);
+  Input input(DER_BOOLEAN_TRUE);
+  Reader reader(input);
 
   long value;
-  ASSERT_EQ(Result::FATAL_ERROR_INVALID_ARGS, OptionalInteger(input, 0, value));
+  ASSERT_EQ(Result::FATAL_ERROR_INVALID_ARGS, OptionalInteger(reader, 0, value));
 }
 
 TEST_F(pkixder_universal_types_tests, OptionalIntegerSupportedDefaultAtEnd)
 {
   static const uint8_t dummy = 1;
-  InputBuffer buf;
-  ASSERT_EQ(Success, buf.Init(&dummy, 0));
-  Input input(buf);
+  Input input;
+  ASSERT_EQ(Success, input.Init(&dummy, 0));
+  Reader reader(input);
 
   long value = 1;
-  ASSERT_EQ(Success, OptionalInteger(input, -1, value));
+  ASSERT_EQ(Success, OptionalInteger(reader, -1, value));
   ASSERT_EQ(-1, value);
 }
 
 TEST_F(pkixder_universal_types_tests, OptionalIntegerNonDefaultValue)
 {
   static const uint8_t DER[] = {
     0x02, // INTEGER
     0x01, // length
     0x00
   };
-  InputBuffer buf(DER);
-  Input input(buf);
+  Input input(DER);
+  Reader reader(input);
 
   long value = 2;
-  ASSERT_EQ(Success, OptionalInteger(input, -1, value));
+  ASSERT_EQ(Success, OptionalInteger(reader, -1, value));
   ASSERT_EQ(0, value);
-  ASSERT_TRUE(input.AtEnd());
+  ASSERT_TRUE(reader.AtEnd());
 }
 
 TEST_F(pkixder_universal_types_tests, Null)
 {
   const uint8_t DER_NUL[] = {
     0x05,
     0x00
   };
-  InputBuffer buf(DER_NUL);
-  Input input(buf);
+  Input input(DER_NUL);
+  Reader reader(input);
 
-  ASSERT_EQ(Success, Null(input));
+  ASSERT_EQ(Success, Null(reader));
 }
 
 TEST_F(pkixder_universal_types_tests, NullWithBadLength)
 {
   const uint8_t DER_NULL_BAD_LENGTH[] = {
     0x05,
     0x01,
     0x00
   };
-  InputBuffer buf(DER_NULL_BAD_LENGTH);
-  Input input(buf);
+  Input input(DER_NULL_BAD_LENGTH);
+  Reader reader(input);
 
-  ASSERT_EQ(Result::ERROR_BAD_DER, Null(input));
+  ASSERT_EQ(Result::ERROR_BAD_DER, Null(reader));
 }
 
 TEST_F(pkixder_universal_types_tests, OID)
 {
   const uint8_t DER_VALID_OID[] = {
     0x06,
     0x09,
     0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
   };
-  InputBuffer buf(DER_VALID_OID);
-  Input input(buf);
+  Input input(DER_VALID_OID);
+  Reader reader(input);
 
   const uint8_t expectedOID[] = {
     0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
   };
 
-  ASSERT_EQ(Success, OID(input, expectedOID));
+  ASSERT_EQ(Success, OID(reader, expectedOID));
 }
 
 } // unnamed namespace
--- a/security/pkix/test/gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp
+++ b/security/pkix/test/gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp
@@ -31,55 +31,55 @@
 
 using namespace mozilla::pkix;
 using namespace mozilla::pkix::test;
 
 class CreateEncodedOCSPRequestTrustDomain : public TrustDomain
 {
 private:
   virtual Result GetCertTrust(EndEntityOrCA, const CertPolicyId&,
-                              InputBuffer, /*out*/ TrustLevel&)
+                              Input, /*out*/ TrustLevel&)
   {
     ADD_FAILURE();
     return Result::FATAL_ERROR_LIBRARY_FAILURE;
   }
 
-  virtual Result FindIssuer(InputBuffer, IssuerChecker&, PRTime)
+  virtual Result FindIssuer(Input, IssuerChecker&, PRTime)
   {
     ADD_FAILURE();
     return Result::FATAL_ERROR_LIBRARY_FAILURE;
   }
 
   virtual Result CheckRevocation(EndEntityOrCA, const CertID&, PRTime,
-                                 const InputBuffer*, const InputBuffer*)
+                                 const Input*, const Input*)
   {
     ADD_FAILURE();
     return Result::FATAL_ERROR_LIBRARY_FAILURE;
   }
 
   virtual Result IsChainValid(const DERArray&)
   {
     ADD_FAILURE();
     return Result::FATAL_ERROR_LIBRARY_FAILURE;
   }
 
   virtual Result VerifySignedData(const SignedDataWithSignature&,
-                                  InputBuffer)
+                                  Input)
   {
     ADD_FAILURE();
     return Result::FATAL_ERROR_LIBRARY_FAILURE;
   }
 
-  virtual Result DigestBuf(InputBuffer item, /*out*/ uint8_t* digestBuf,
+  virtual Result DigestBuf(Input item, /*out*/ uint8_t *digestBuf,
                            size_t digestBufLen)
   {
     return ::mozilla::pkix::DigestBuf(item, digestBuf, digestBufLen);
   }
 
-  virtual Result CheckPublicKey(InputBuffer subjectPublicKeyInfo)
+  virtual Result CheckPublicKey(Input subjectPublicKeyInfo)
   {
     return ::mozilla::pkix::CheckPublicKey(subjectPublicKeyInfo);
   }
 };
 
 class pkixocsp_CreateEncodedOCSPRequest : public NSSTest
 {
 protected:
@@ -110,18 +110,18 @@ protected:
            longestRequiredSerialNumber->len);
     longestRequiredSerialNumber->data[0] = der::INTEGER;
     longestRequiredSerialNumber->data[1] = LONGEST_REQUIRED_LEN;
     longestRequiredSerialNumber->data[2] = 0x01; // value is 0x010000...00
   }
 
   // The resultant issuerDER and issuerSPKI are owned by the arena.
   SECStatus MakeIssuerCertIDComponents(const char* issuerASCII,
-                                       /*out*/ InputBuffer& issuerDER,
-                                       /*out*/ InputBuffer& issuerSPKI)
+                                       /*out*/ Input& issuerDER,
+                                       /*out*/ Input& issuerSPKI)
   {
     const SECItem* issuerDERSECItem = ASCIIToDERName(arena.get(), issuerASCII);
     if (!issuerDERSECItem) {
       return SECFailure;
     }
     if (issuerDER.Init(issuerDERSECItem->data, issuerDERSECItem->len)
           != Success) {
       return SECFailure;
@@ -151,41 +151,41 @@ protected:
 
   CreateEncodedOCSPRequestTrustDomain trustDomain;
 };
 
 // Test that the large length of the child serial number causes
 // CreateEncodedOCSPRequest to fail.
 TEST_F(pkixocsp_CreateEncodedOCSPRequest, ChildCertLongSerialNumberTest)
 {
-  InputBuffer issuerDER;
-  InputBuffer issuerSPKI;
+  Input issuerDER;
+  Input issuerSPKI;
   ASSERT_EQ(SECSuccess,
             MakeIssuerCertIDComponents("CN=CA", issuerDER, issuerSPKI));
-  InputBuffer serialNumber;
+  Input serialNumber;
   ASSERT_EQ(Success, serialNumber.Init(unsupportedLongSerialNumber->data,
                                        unsupportedLongSerialNumber->len));
   uint8_t ocspRequest[OCSP_REQUEST_MAX_LENGTH];
   size_t ocspRequestLength;
   ASSERT_EQ(Result::ERROR_BAD_DER,
             CreateEncodedOCSPRequest(trustDomain,
                                      CertID(issuerDER, issuerSPKI,
                                             serialNumber),
                                      ocspRequest, ocspRequestLength));
 }
 
 // Test that CreateEncodedOCSPRequest handles the longest serial number that
 // it's required to support (i.e. 20 octets).
 TEST_F(pkixocsp_CreateEncodedOCSPRequest, LongestSupportedSerialNumberTest)
 {
-  InputBuffer issuerDER;
-  InputBuffer issuerSPKI;
+  Input issuerDER;
+  Input issuerSPKI;
   ASSERT_EQ(SECSuccess,
             MakeIssuerCertIDComponents("CN=CA", issuerDER, issuerSPKI));
-  InputBuffer serialNumber;
+  Input serialNumber;
   ASSERT_EQ(Success, serialNumber.Init(longestRequiredSerialNumber->data,
                                        longestRequiredSerialNumber->len));
   uint8_t ocspRequest[OCSP_REQUEST_MAX_LENGTH];
   size_t ocspRequestLength;
   ASSERT_EQ(Success,
             CreateEncodedOCSPRequest(trustDomain,
                                      CertID(issuerDER, issuerSPKI,
                                             serialNumber),
--- a/security/pkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
+++ b/security/pkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
@@ -39,60 +39,60 @@ const uint16_t END_ENTITY_MAX_LIFETIME_I
 class OCSPTestTrustDomain : public TrustDomain
 {
 public:
   OCSPTestTrustDomain()
   {
   }
 
   Result GetCertTrust(EndEntityOrCA endEntityOrCA, const CertPolicyId&,
-                      InputBuffer, /*out*/ TrustLevel& trustLevel)
+                      Input, /*out*/ TrustLevel& trustLevel)
   {
     EXPECT_EQ(endEntityOrCA, EndEntityOrCA::MustBeEndEntity);
     trustLevel = TrustLevel::InheritsTrust;
     return Success;
   }
 
-  Result FindIssuer(InputBuffer, IssuerChecker&, PRTime)
+  Result FindIssuer(Input, IssuerChecker&, PRTime)
   {
     ADD_FAILURE();
     return Result::FATAL_ERROR_LIBRARY_FAILURE;
   }
 
   virtual Result CheckRevocation(EndEntityOrCA endEntityOrCA, const CertID&,
-                                 PRTime time, /*optional*/ const InputBuffer*,
-                                 /*optional*/ const InputBuffer*)
+                                 PRTime time, /*optional*/ const Input*,
+                                 /*optional*/ const Input*)
   {
     // TODO: I guess mozilla::pkix should support revocation of designated
     // OCSP responder eventually, but we don't now, so this function should
     // never get called.
     ADD_FAILURE();
     return Result::FATAL_ERROR_LIBRARY_FAILURE;
   }
 
   virtual Result IsChainValid(const DERArray&)
   {
     ADD_FAILURE();
     return Result::FATAL_ERROR_LIBRARY_FAILURE;
   }
 
   virtual Result VerifySignedData(const SignedDataWithSignature& signedData,
-                                  InputBuffer subjectPublicKeyInfo)
+                                  Input subjectPublicKeyInfo)
   {
     return ::mozilla::pkix::VerifySignedData(signedData, subjectPublicKeyInfo,
                                              nullptr);
   }
 
-  virtual Result DigestBuf(InputBuffer item, /*out*/ uint8_t* digestBuf,
+  virtual Result DigestBuf(Input item, /*out*/ uint8_t *digestBuf,
                            size_t digestBufLen)
   {
     return ::mozilla::pkix::DigestBuf(item, digestBuf, digestBufLen);
   }
 
-  virtual Result CheckPublicKey(InputBuffer subjectPublicKeyInfo)
+  virtual Result CheckPublicKey(Input subjectPublicKeyInfo)
   {
     return ::mozilla::pkix::CheckPublicKey(subjectPublicKeyInfo);
   }
 
 private:
   OCSPTestTrustDomain(const OCSPTestTrustDomain&) /*delete*/;
   void operator=(const OCSPTestTrustDomain&) /*delete*/;
 };
@@ -126,33 +126,33 @@ public:
       PR_Abort();
     }
   }
 
   void SetUp()
   {
     NSSTest::SetUp();
 
-    InputBuffer rootNameDER;
+    Input rootNameDER;
     // The result of ASCIIToDERName is owned by the arena
-    if (InitInputBufferFromSECItem(ASCIIToDERName(arena.get(), rootName),
-                                   rootNameDER) != Success) {
+    if (InitInputFromSECItem(ASCIIToDERName(arena.get(), rootName),
+                             rootNameDER) != Success) {
       PR_Abort();
     }
 
-    InputBuffer serialNumberDER;
+    Input serialNumberDER;
     // The result of CreateEncodedSerialNumber is owned by the arena
-    if (InitInputBufferFromSECItem(
+    if (InitInputFromSECItem(
           CreateEncodedSerialNumber(arena.get(), ++rootIssuedCount),
           serialNumberDER) != Success) {
       PR_Abort();
     }
 
-    InputBuffer rootSPKIDER;
-    if (InitInputBufferFromSECItem(rootSPKI.get(), rootSPKIDER) != Success) {
+    Input rootSPKIDER;
+    if (InitInputFromSECItem(rootSPKI.get(), rootSPKIDER) != Success) {
       PR_Abort();
     }
     endEntityCertID = new (std::nothrow) CertID(rootNameDER, rootSPKIDER,
                                                 serialNumberDER);
     if (!endEntityCertID) {
       PR_Abort();
     }
   }
@@ -194,35 +194,37 @@ static const WithoutResponseBytes WITHOU
 };
 
 class pkixocsp_VerifyEncodedResponse_WithoutResponseBytes
   : public pkixocsp_VerifyEncodedResponse
   , public ::testing::WithParamInterface<WithoutResponseBytes>
 {
 protected:
   // The result is owned by the arena
-  InputBuffer CreateEncodedOCSPErrorResponse(uint8_t status)
+  Input CreateEncodedOCSPErrorResponse(uint8_t status)
   {
-    static const InputBuffer EMPTY;
+    static const Input EMPTY;
     OCSPResponseContext context(arena.get(),
                                 CertID(EMPTY, EMPTY, EMPTY),
                                 oneDayBeforeNow);
     context.responseStatus = status;
     context.skipResponseBytes = true;
     SECItem* response = CreateEncodedOCSPResponse(context);
     EXPECT_TRUE(response);
-    InputBuffer result;
+    // The result will be an empty Input on failure, but it doesn't
+    // matter because the test is going to fail anyway.
+    Input result;
     EXPECT_EQ(Success, result.Init(response->data, response->len));
     return result;
   }
 };
 
 TEST_P(pkixocsp_VerifyEncodedResponse_WithoutResponseBytes, CorrectErrorCode)
 {
-  InputBuffer
+  Input
     response(CreateEncodedOCSPErrorResponse(GetParam().responseStatus));
 
   bool expired;
   ASSERT_EQ(GetParam().expectedError,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, now,
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
 }
@@ -251,17 +253,17 @@ public:
   }
 
   static void SetUpTestCase()
   {
     pkixocsp_VerifyEncodedResponse::SetUpTestCase();
   }
 
   // The result is owned by the arena
-  InputBuffer CreateEncodedOCSPSuccessfulResponse(
+  Input CreateEncodedOCSPSuccessfulResponse(
                     OCSPResponseContext::CertStatus certStatus,
                     const CertID& certID,
                     /*optional*/ const char* signerName,
                     const ScopedSECKEYPrivateKey& signerPrivateKey,
                     PRTime producedAt, PRTime thisUpdate,
                     /*optional*/ const PRTime* nextUpdate,
                     /*optional*/ SECItem const* const* certs = nullptr)
   {
@@ -279,81 +281,81 @@ public:
     context.certIDHashAlg = SEC_OID_SHA1;
     context.certStatus = certStatus;
     context.thisUpdate = thisUpdate;
     context.nextUpdate = nextUpdate ? *nextUpdate : 0;
     context.includeNextUpdate = nextUpdate != nullptr;
 
     SECItem* response = CreateEncodedOCSPResponse(context);
     EXPECT_TRUE(response);
-    InputBuffer result;
+    Input result;
     EXPECT_EQ(Success, result.Init(response->data, response->len));
     return result;
   }
 };
 
 TEST_F(pkixocsp_VerifyEncodedResponse_successful, good_byKey)
 {
-  InputBuffer response(CreateEncodedOCSPSuccessfulResponse(
+  Input response(CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID, byKey,
                          rootPrivateKey, oneDayBeforeNow, oneDayBeforeNow,
                          &oneDayAfterNow));
   bool expired;
   ASSERT_EQ(Success,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID,
                                       now, END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
   ASSERT_FALSE(expired);
 }
 
 TEST_F(pkixocsp_VerifyEncodedResponse_successful, good_byName)
 {
-  InputBuffer response(CreateEncodedOCSPSuccessfulResponse(
+  Input response(CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID, rootName,
                          rootPrivateKey, oneDayBeforeNow, oneDayBeforeNow,
                          &oneDayAfterNow));
   bool expired;
   ASSERT_EQ(Success,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, now,
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
   ASSERT_FALSE(expired);
 }
 
 TEST_F(pkixocsp_VerifyEncodedResponse_successful, good_byKey_without_nextUpdate)
 {
-  InputBuffer response(CreateEncodedOCSPSuccessfulResponse(
+  Input response(CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID, byKey,
                          rootPrivateKey, oneDayBeforeNow, oneDayBeforeNow,
                          nullptr));
   bool expired;
   ASSERT_EQ(Success,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, now,
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
   ASSERT_FALSE(expired);
 }
 
 TEST_F(pkixocsp_VerifyEncodedResponse_successful, revoked)
 {
-  InputBuffer response(CreateEncodedOCSPSuccessfulResponse(
+  Input response(CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::revoked, *endEntityCertID, byKey,
                          rootPrivateKey, oneDayBeforeNow, oneDayBeforeNow,
                          &oneDayAfterNow));
   bool expired;
   ASSERT_EQ(Result::ERROR_REVOKED_CERTIFICATE,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, now,
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
   ASSERT_FALSE(expired);
 }
 
 TEST_F(pkixocsp_VerifyEncodedResponse_successful, unknown)
 {
-  InputBuffer response(CreateEncodedOCSPSuccessfulResponse(
+  Input response(CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::unknown, *endEntityCertID, byKey,
                          rootPrivateKey, oneDayBeforeNow, oneDayBeforeNow,
                          &oneDayAfterNow));
   bool expired;
   ASSERT_EQ(Result::ERROR_OCSP_UNKNOWN_CERT,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, now,
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
@@ -378,22 +380,22 @@ protected:
   // ResponderID construction.
   //
   // If signerEKU is omitted, then the certificate will have the
   // id-kp-OCSPSigning EKU. If signerEKU is SEC_OID_UNKNOWN then it will not
   // have any EKU extension. Otherwise, the certificate will have the given
   // EKU.
   //
   // signerDEROut is owned by the arena
-  InputBuffer CreateEncodedIndirectOCSPSuccessfulResponse(
+  Input CreateEncodedIndirectOCSPSuccessfulResponse(
               const char* certSubjectName,
               OCSPResponseContext::CertStatus certStatus,
               const char* signerName,
               SECOidTag signerEKU = SEC_OID_OCSP_RESPONDER,
-              /*optional, out*/ InputBuffer* signerDEROut = nullptr)
+              /*optional, out*/ Input* signerDEROut = nullptr)
   {
     PR_ASSERT(certSubjectName);
 
     const SECItem* extensions[] = {
       signerEKU != SEC_OID_UNKNOWN
         ? CreateEncodedEKUExtension(arena.get(), &signerEKU, 1,
                                     ExtensionCriticality::NotCritical)
         : nullptr,
@@ -452,30 +454,30 @@ protected:
                                     serialNumberDER, issuerDER, notBefore,
                                     notAfter, subjectDER, extensions,
                                     signerKey, SEC_OID_SHA256, privateKey);
   }
 };
 
 TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_byKey)
 {
-  InputBuffer response(CreateEncodedIndirectOCSPSuccessfulResponse(
+  Input response(CreateEncodedIndirectOCSPSuccessfulResponse(
                          "CN=good_indirect_byKey", OCSPResponseContext::good,
                          byKey));
   bool expired;
   ASSERT_EQ(Success,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, now,
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
   ASSERT_FALSE(expired);
 }
 
 TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_byName)
 {
-  InputBuffer response(CreateEncodedIndirectOCSPSuccessfulResponse(
+  Input response(CreateEncodedIndirectOCSPSuccessfulResponse(
                          "CN=good_indirect_byName", OCSPResponseContext::good,
                          "CN=good_indirect_byName"));
   bool expired;
   ASSERT_EQ(Success,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, now,
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
   ASSERT_FALSE(expired);
@@ -483,17 +485,17 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
 
 TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
        good_byKey_missing_signer)
 {
   ScopedSECKEYPublicKey missingSignerPublicKey;
   ScopedSECKEYPrivateKey missingSignerPrivateKey;
   ASSERT_SECSuccess(GenerateKeyPair(missingSignerPublicKey,
                                     missingSignerPrivateKey));
-  InputBuffer response(CreateEncodedOCSPSuccessfulResponse(
+  Input response(CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID, byKey,
                          missingSignerPrivateKey, oneDayBeforeNow,
                          oneDayBeforeNow, nullptr));
   bool expired;
   ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, now,
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
@@ -502,17 +504,17 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
 
 TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
        good_byName_missing_signer)
 {
   ScopedSECKEYPublicKey missingSignerPublicKey;
   ScopedSECKEYPrivateKey missingSignerPrivateKey;
   ASSERT_SECSuccess(GenerateKeyPair(missingSignerPublicKey,
                                     missingSignerPrivateKey));
-  InputBuffer response(CreateEncodedOCSPSuccessfulResponse(
+  Input response(CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID,
                          "CN=missing", missingSignerPrivateKey,
                          oneDayBeforeNow, oneDayBeforeNow, nullptr));
   bool expired;
   ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, now,
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
@@ -535,17 +537,17 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
                                               now - (10 * ONE_DAY),
                                               now - (2 * ONE_DAY),
                                               signerName, extensions,
                                               rootPrivateKey.get(),
                                               signerPrivateKey));
   ASSERT_TRUE(signerDER);
 
   SECItem const* const certs[] = { signerDER, nullptr };
-  InputBuffer response(CreateEncodedOCSPSuccessfulResponse(
+  Input response(CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID,
                          signerName, signerPrivateKey, oneDayBeforeNow,
                          oneDayBeforeNow, &oneDayAfterNow, certs));
   bool expired;
   ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, now,
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
@@ -567,72 +569,72 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
                                               now + (2 * ONE_DAY),
                                               now + (10 * ONE_DAY),
                                               signerName, extensions,
                                               rootPrivateKey.get(),
                                               signerPrivateKey));
   ASSERT_TRUE(signerDER);
 
   SECItem const* const certs[] = { signerDER, nullptr };
-  InputBuffer response(CreateEncodedOCSPSuccessfulResponse(
+  Input response(CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID,
                          signerName, signerPrivateKey, oneDayBeforeNow,
                          oneDayBeforeNow, &oneDayAfterNow, certs));
   bool expired;
   ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, now,
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
   ASSERT_FALSE(expired);
 }
 
 TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_no_eku)
 {
-  InputBuffer response(CreateEncodedIndirectOCSPSuccessfulResponse(
+  Input response(CreateEncodedIndirectOCSPSuccessfulResponse(
                          "CN=good_indirect_wrong_eku",
                          OCSPResponseContext::good, byKey, SEC_OID_UNKNOWN));
   bool expired;
   ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, now,
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
   ASSERT_FALSE(expired);
 }
 
 TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
        good_indirect_wrong_eku)
 {
-  InputBuffer response(CreateEncodedIndirectOCSPSuccessfulResponse(
-                         "CN=good_indirect_wrong_eku",
-                         OCSPResponseContext::good, byKey,
-                         SEC_OID_EXT_KEY_USAGE_SERVER_AUTH));
+  Input response(CreateEncodedIndirectOCSPSuccessfulResponse(
+                        "CN=good_indirect_wrong_eku",
+                        OCSPResponseContext::good, byKey,
+                        SEC_OID_EXT_KEY_USAGE_SERVER_AUTH));
   bool expired;
   ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, now,
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
   ASSERT_FALSE(expired);
 }
 
 // Test that signature of OCSP response signer cert is verified
 TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_tampered_eku)
 {
-  InputBuffer response(CreateEncodedIndirectOCSPSuccessfulResponse(
+  Input response(CreateEncodedIndirectOCSPSuccessfulResponse(
                          "CN=good_indirect_tampered_eku",
                          OCSPResponseContext::good, byKey,
                          SEC_OID_EXT_KEY_USAGE_SERVER_AUTH));
 
 #define EKU_PREFIX \
   0x06, 8, /* OBJECT IDENTIFIER, 8 bytes */ \
   0x2B, 6, 1, 5, 5, 7, /* id-pkix */ \
   0x03 /* id-kp */
   static const uint8_t EKU_SERVER_AUTH[] = { EKU_PREFIX, 0x01 }; // serverAuth
   static const uint8_t EKU_OCSP_SIGNER[] = { EKU_PREFIX, 0x09 }; // OCSPSigning
 #undef EKU_PREFIX
-  SECItem responseSECItem = UnsafeMapInputBufferToSECItem(response);
+  SECItem responseSECItem = UnsafeMapInputToSECItem(response);
   ASSERT_SECSuccess(TamperOnce(responseSECItem,
                                EKU_SERVER_AUTH, PR_ARRAY_SIZE(EKU_SERVER_AUTH),
                                EKU_OCSP_SIGNER, PR_ARRAY_SIZE(EKU_OCSP_SIGNER)));
 
   bool expired;
   ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, now,
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
@@ -661,17 +663,17 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
   SECItem* signerDER(CreateEncodedCertificate(arena.get(), 1,
                         subCAName, oneDayBeforeNow, oneDayAfterNow,
                         signerName, extensions, unknownPrivateKey.get(),
                         signerPrivateKey));
   ASSERT_TRUE(signerDER);
 
   // OCSP response signed by that delegated responder
   SECItem const* const certs[] = { signerDER, nullptr };
-  InputBuffer response(CreateEncodedOCSPSuccessfulResponse(
+  Input response(CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID,
                          signerName, signerPrivateKey, oneDayBeforeNow,
                          oneDayBeforeNow, &oneDayAfterNow, certs));
   bool expired;
   ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, now,
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
@@ -715,17 +717,17 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
                                               signerName, extensions,
                                               subCAPrivateKey.get(),
                                               signerPrivateKey));
   ASSERT_TRUE(signerDER);
 
   // OCSP response signed by the delegated responder issued by the sub-CA
   // that is trying to impersonate the root.
   SECItem const* const certs[] = { subCADER, signerDER, nullptr };
-  InputBuffer response(CreateEncodedOCSPSuccessfulResponse(
+  Input response(CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID,
                          signerName, signerPrivateKey, oneDayBeforeNow,
                          oneDayBeforeNow, &oneDayAfterNow, certs));
   bool expired;
   ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, now,
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
@@ -769,17 +771,17 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
                                               signerName, extensions,
                                               subCAPrivateKey.get(),
                                               signerPrivateKey));
   ASSERT_TRUE(signerDER);
 
   // OCSP response signed by the delegated responder issued by the sub-CA
   // that is trying to impersonate the root.
   SECItem const* const certs[] = { signerDER, subCADER, nullptr };
-  InputBuffer response(CreateEncodedOCSPSuccessfulResponse(
+  Input response(CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID,
                          signerName, signerPrivateKey, oneDayBeforeNow,
                          oneDayBeforeNow, &oneDayAfterNow, certs));
   bool expired;
   ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, now,
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
@@ -788,17 +790,17 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
 
 class pkixocsp_VerifyEncodedResponse_GetCertTrust
   : public pkixocsp_VerifyEncodedResponse_DelegatedResponder {
 public:
   void SetUp()
   {
     pkixocsp_VerifyEncodedResponse_DelegatedResponder::SetUp();
 
-    InputBuffer
+    Input
       createdResponse(
         CreateEncodedIndirectOCSPSuccessfulResponse(
           "CN=OCSPGetCertTrustTest Signer", OCSPResponseContext::good,
           byKey, SEC_OID_OCSP_RESPONDER, &signerCertDER));
     if (response.Init(createdResponse) != Success) {
       PR_Abort();
     }
 
@@ -810,42 +812,42 @@ public:
   class TrustDomain : public OCSPTestTrustDomain
   {
   public:
     TrustDomain()
       : certTrustLevel(TrustLevel::InheritsTrust)
     {
     }
 
-    bool SetCertTrust(InputBuffer certDER, TrustLevel certTrustLevel)
+    bool SetCertTrust(Input certDER, TrustLevel certTrustLevel)
     {
       EXPECT_EQ(Success, this->certDER.Init(certDER));
       this->certTrustLevel = certTrustLevel;
       return true;
     }
   private:
     virtual Result GetCertTrust(EndEntityOrCA endEntityOrCA,
                                 const CertPolicyId&,
-                                InputBuffer candidateCert,
+                                Input candidateCert,
                                 /*out*/ TrustLevel& trustLevel)
     {
       EXPECT_EQ(endEntityOrCA, EndEntityOrCA::MustBeEndEntity);
       EXPECT_NE(0, certDER.GetLength());
-      EXPECT_TRUE(InputBuffersAreEqual(certDER, candidateCert));
+      EXPECT_TRUE(InputsAreEqual(certDER, candidateCert));
       trustLevel = certTrustLevel;
       return Success;
     }
 
-    InputBuffer certDER;
+    Input certDER;
     TrustLevel certTrustLevel;
   };
 
   TrustDomain trustDomain;
-  InputBuffer signerCertDER; // owned by arena
-  InputBuffer response; // owned by arena
+  Input signerCertDER; // owned by arena
+  Input response; // owned by arena
 };
 
 TEST_F(pkixocsp_VerifyEncodedResponse_GetCertTrust, InheritTrust)
 {
   ASSERT_TRUE(trustDomain.SetCertTrust(signerCertDER,
                                        TrustLevel::InheritsTrust));
   bool expired;
   ASSERT_EQ(Success,
--- a/security/pkix/test/lib/pkixtestutil.cpp
+++ b/security/pkix/test/lib/pkixtestutil.cpp
@@ -144,23 +144,22 @@ TamperOnce(SECItem& item,
     } else {
       p = foundFirstByte + 1;
       --remaining;
     }
   }
 }
 
 Result
-InitInputBufferFromSECItem(const SECItem* secItem,
-                           /*out*/ InputBuffer& inputBuffer)
+InitInputFromSECItem(const SECItem* secItem, /*out*/ Input& input)
 {
   if (!secItem) {
     return Result::FATAL_ERROR_INVALID_ARGS;
   }
-  return inputBuffer.Init(secItem->data, secItem->len);
+  return input.Init(secItem->data, secItem->len);
 }
 
 class Output
 {
 public:
   Output()
     : numItems(0)
     , length(0)
@@ -1332,42 +1331,42 @@ SingleResponse(OCSPResponseContext& cont
 SECItem*
 CertID(OCSPResponseContext& context)
 {
   SECItem* hashAlgorithm = AlgorithmIdentifier(context.arena,
                                                context.certIDHashAlg);
   if (!hashAlgorithm) {
     return nullptr;
   }
-  SECItem issuerSECItem = UnsafeMapInputBufferToSECItem(context.certID.issuer);
+  SECItem issuerSECItem = UnsafeMapInputToSECItem(context.certID.issuer);
   SECItem* issuerNameHash = HashedOctetString(context.arena, issuerSECItem,
                                               context.certIDHashAlg);
   if (!issuerNameHash) {
     return nullptr;
   }
 
   SECItem issuerSubjectPublicKeyInfoSECItem =
-    UnsafeMapInputBufferToSECItem(context.certID.issuerSubjectPublicKeyInfo);
+    UnsafeMapInputToSECItem(context.certID.issuerSubjectPublicKeyInfo);
   ScopedPtr<CERTSubjectPublicKeyInfo, SECKEY_DestroySubjectPublicKeyInfo>
     spki(SECKEY_DecodeDERSubjectPublicKeyInfo(
            &issuerSubjectPublicKeyInfoSECItem));
   if (!spki) {
     return nullptr;
   }
   SECItem* issuerKeyHash(KeyHashHelper(context.arena, spki.get()));
   if (!issuerKeyHash) {
     return nullptr;
   }
 
   static const SEC_ASN1Template serialTemplate[] = {
     { SEC_ASN1_INTEGER, 0 },
     { 0 }
   };
   SECItem serialNumberSECItem =
-    UnsafeMapInputBufferToSECItem(context.certID.serialNumber);
+    UnsafeMapInputToSECItem(context.certID.serialNumber);
   SECItem* serialNumber = SEC_ASN1EncodeItem(context.arena, nullptr,
                                              &serialNumberSECItem,
                                              serialTemplate);
   if (!serialNumber) {
     return nullptr;
   }
 
   Output output;
--- a/security/pkix/test/lib/pkixtestutil.h
+++ b/security/pkix/test/lib/pkixtestutil.h
@@ -32,22 +32,22 @@
 #include "keyhi.h"
 #include "pkix/enumclass.h"
 #include "pkix/pkixtypes.h"
 #include "pkix/ScopedPtr.h"
 #include "seccomon.h"
 
 namespace mozilla { namespace pkix { namespace test {
 
-class TestInputBuffer : public InputBuffer
+class TestInput : public Input
 {
 public:
   template <size_t N>
-  explicit TestInputBuffer(const char (&valueString)[N])
-    : InputBuffer(reinterpret_cast<const uint8_t(&)[N-1]>(valueString))
+  explicit TestInput(const char (&valueString)[N])
+    : Input(reinterpret_cast<const uint8_t(&)[N-1]>(valueString))
   {
   }
 };
 
 namespace {
 
 inline void
 fclose_void(FILE* file) {
@@ -90,18 +90,17 @@ const SECItem* ASCIIToDERName(PLArenaPoo
 // for avoiding making multiple changes at once.
 //
 // The string to search for must be 8 or more bytes long so that it is
 // extremely unlikely that there will ever be any false positive matches
 // in digital signatures, keys, hashes, etc.
 SECStatus TamperOnce(SECItem& item, const uint8_t* from, size_t fromLen,
                      const uint8_t* to, size_t toLen);
 
-Result InitInputBufferFromSECItem(const SECItem* secItem,
-                                  /*out*/ InputBuffer& inputBuffer);
+Result InitInputFromSECItem(const SECItem* secItem, /*out*/ Input& input);
 
 ///////////////////////////////////////////////////////////////////////////////
 // Encode Certificates
 
 enum Version { v1 = 0, v2 = 1, v3 = 2 };
 
 // serialNumber is assumed to be the DER encoding of an INTEGER.
 //