bug 1030963 - remove non-standard window.crypto functions/properties r=jst r=briansmith r=glandium
authorDavid Keeler <dkeeler@mozilla.com>
Thu, 14 Aug 2014 09:38:42 -0700
changeset 221184 68499003df5ed29ba5cc594aeac3b166f4730de7
parent 221183 8f853af559828b576db28056bbbd69b43b1bdf7f
child 221185 cd997ef8a2adf1b4960bfd7ea6f186d4d2d5cc38
push id3979
push userraliiev@mozilla.com
push dateMon, 13 Oct 2014 16:35:44 +0000
treeherdermozilla-beta@30f2cc610691 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjst, briansmith, glandium
bugs1030963
milestone34.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
bug 1030963 - remove non-standard window.crypto functions/properties r=jst r=briansmith r=glandium
b2g/confvars.sh
configure.in
content/base/test/csp/file_CSP_evalscript_main_allowed_getCRMFRequest.html
content/base/test/csp/file_CSP_evalscript_main_allowed_getCRMFRequest.html^headers^
content/base/test/csp/file_CSP_evalscript_main_allowed_getCRMFRequest.js
content/base/test/csp/file_CSP_evalscript_main_getCRMFRequest.html
content/base/test/csp/file_CSP_evalscript_main_getCRMFRequest.html^headers^
content/base/test/csp/file_CSP_evalscript_main_getCRMFRequest.js
content/base/test/csp/file_CSP_evalscript_no_CSP_at_all.html
content/base/test/csp/file_CSP_evalscript_no_CSP_at_all.html^headers^
content/base/test/csp/file_CSP_evalscript_no_CSP_at_all.js
content/base/test/csp/mochitest.ini
content/base/test/csp/test_CSP_evalscript_getCRMFRequest.html
dom/base/Crypto.cpp
dom/base/Crypto.h
dom/base/nsGlobalWindow.cpp
dom/bindings/Bindings.conf
dom/events/test/test_all_synthetic_events.html
dom/events/test/test_eventctors.html
dom/interfaces/base/moz.build
dom/interfaces/base/nsIDOMCryptoLegacy.idl
dom/tests/mochitest/crypto/mochitest-legacy.ini
dom/tests/mochitest/crypto/mochitest.ini
dom/tests/mochitest/crypto/test_legacy.html
dom/tests/mochitest/crypto/test_no_legacy.html
dom/tests/mochitest/general/test_interfaces.html
dom/tests/moz.build
dom/webidl/CRMFObject.webidl
dom/webidl/Crypto.webidl
dom/webidl/SmartCardEvent.webidl
dom/webidl/moz.build
mobile/android/confvars.sh
security/certverifier/CertVerifier.cpp
security/manager/locales/en-US/chrome/pippki/pippki.dtd
security/manager/locales/en-US/chrome/pippki/pippki.properties
security/manager/pki/resources/content/certManager.js
security/manager/pki/resources/content/certManager.xul
security/manager/pki/resources/content/device_manager.js
security/manager/pki/resources/content/device_manager.xul
security/manager/pki/resources/content/formsigning.js
security/manager/pki/resources/content/formsigning.xul
security/manager/pki/resources/jar.mn
security/manager/pki/src/moz.build
security/manager/pki/src/nsFormSigningDialog.cpp
security/manager/pki/src/nsFormSigningDialog.h
security/manager/pki/src/nsPKIModule.cpp
security/manager/ssl/crashtests/327524-1.html
security/manager/ssl/crashtests/crashtests.list
security/manager/ssl/public/moz.build
security/manager/ssl/public/nsIFormSigningDialog.idl
security/manager/ssl/src/moz.build
security/manager/ssl/src/nsCrypto.cpp
security/manager/ssl/src/nsCrypto.h
security/manager/ssl/src/nsNSSComponent.cpp
security/manager/ssl/src/nsNSSComponent.h
security/manager/ssl/src/nsNSSModule.cpp
security/manager/ssl/src/nsSmartCardMonitor.cpp
security/manager/ssl/tests/mochitest/bugs/mochitest-legacy.ini
security/manager/ssl/tests/mochitest/bugs/moz.build
security/manager/ssl/tests/mochitest/bugs/test_generateCRMFRequest.html
security/manager/ssl/tests/moz.build
security/manager/ssl/tests/unit/moz.build
--- a/b2g/confvars.sh
+++ b/b2g/confvars.sh
@@ -18,17 +18,17 @@ MOZ_OFFICIAL_BRANDING_DIRECTORY=b2g/bran
 # MOZ_APP_DISPLAYNAME is set by branding/configure.sh
 
 MOZ_SAFE_BROWSING=
 MOZ_SERVICES_COMMON=1
 MOZ_SERVICES_METRICS=1
 MOZ_CAPTIVEDETECT=1
 
 MOZ_WEBSMS_BACKEND=1
-MOZ_DISABLE_CRYPTOLEGACY=1
+MOZ_NO_SMART_CARDS=1
 MOZ_APP_STATIC_INI=1
 NSS_NO_LIBPKIX=1
 NSS_DISABLE_DBM=1
 MOZ_NO_EV_CERTS=1
 MOZ_DISABLE_EXPORT_JS=1
 
 if test "$OS_TARGET" = "Android"; then
 MOZ_CAPTURE=1
--- a/configure.in
+++ b/configure.in
@@ -3827,17 +3827,17 @@ MOZ_ANDROID_APZ=
 MOZ_TOOLKIT_SEARCH=1
 MOZ_UI_LOCALE=en-US
 MOZ_UNIVERSALCHARDET=1
 MOZ_URL_CLASSIFIER=
 MOZ_XUL=1
 MOZ_ZIPWRITER=1
 NS_PRINTING=1
 MOZ_PDF_PRINTING=
-MOZ_DISABLE_CRYPTOLEGACY=
+MOZ_NO_SMART_CARDS=
 NSS_DISABLE_DBM=
 NECKO_COOKIES=1
 NECKO_PROTOCOLS_DEFAULT="about app data file ftp http res viewsource websocket wyciwyg device"
 if test -n "$MOZ_RTSP"; then
   NECKO_PROTOCOLS_DEFAULT="$NECKO_PROTOCOLS_DEFAULT rtsp"
 fi
 USE_ARM_KUSER=
 BUILD_CTYPES=1
@@ -6343,22 +6343,22 @@ MOZ_ARG_DISABLE_BOOL(parental-controls,
    MOZ_DISABLE_PARENTAL_CONTROLS=)
 if test -n "$MOZ_DISABLE_PARENTAL_CONTROLS"; then
     AC_DEFINE(MOZ_DISABLE_PARENTAL_CONTROLS)
 fi
 
 AC_SUBST(MOZ_DISABLE_PARENTAL_CONTROLS)
 
 dnl ========================================================
-dnl = Disable DOMCrypto
-dnl ========================================================
-if test -n "$MOZ_DISABLE_CRYPTOLEGACY"; then
-    AC_DEFINE(MOZ_DISABLE_CRYPTOLEGACY)
-fi
-AC_SUBST(MOZ_DISABLE_CRYPTOLEGACY)
+dnl = Disable smartcard support
+dnl ========================================================
+if test -n "$MOZ_NO_SMART_CARDS"; then
+    AC_DEFINE(MOZ_NO_SMART_CARDS)
+fi
+AC_SUBST(MOZ_NO_SMART_CARDS)
 
 dnl ========================================================
 dnl = Disable EV certificate verification
 dnl ========================================================
 if test -n "$MOZ_NO_EV_CERTS"; then
     AC_DEFINE(MOZ_NO_EV_CERTS)
 fi
 AC_SUBST(MOZ_NO_EV_CERTS)
deleted file mode 100644
--- a/content/base/test/csp/file_CSP_evalscript_main_allowed_getCRMFRequest.html
+++ /dev/null
@@ -1,12 +0,0 @@
-<html>
-  <head>
-    <title>CSP eval script tests</title>
-    <script type="application/javascript"
-             src="file_CSP_evalscript_main_allowed_getCRMFRequest.js"></script>
-  </head>
-  <body>
-
-    Foo.
-
-  </body>
-</html>
deleted file mode 100644
--- a/content/base/test/csp/file_CSP_evalscript_main_allowed_getCRMFRequest.html^headers^
+++ /dev/null
@@ -1,2 +0,0 @@
-Cache-Control: no-cache
-Content-Security-Policy: default-src 'self' ; script-src 'self' 'unsafe-eval'
deleted file mode 100644
--- a/content/base/test/csp/file_CSP_evalscript_main_allowed_getCRMFRequest.js
+++ /dev/null
@@ -1,42 +0,0 @@
-// some javascript for the CSP eval() tests
-// all of these evals should succeed, as the document loading this script
-// has script-src 'self' 'unsafe-eval'
-
-function logResult(str, passed) {
-  var elt = document.createElement('div');
-  var color = passed ? "#cfc;" : "#fcc";
-  elt.setAttribute('style', 'background-color:' + color + '; width:100%; border:1px solid black; padding:3px; margin:4px;');
-  elt.innerHTML = str;
-  document.body.appendChild(elt);
-}
-
-// callback for when stuff is allowed by CSP
-var onevalexecuted = (function(window) {
-    return function(shouldrun, what, data) {
-      window.parent.scriptRan(shouldrun, what, data);
-      logResult((shouldrun ? "PASS: " : "FAIL: ") + what + " : " + data, shouldrun);
-    };})(window);
-
-// callback for when stuff is blocked
-var onevalblocked = (function(window) {
-    return function(shouldrun, what, data) {
-      window.parent.scriptBlocked(shouldrun, what, data);
-      logResult((shouldrun ? "FAIL: " : "PASS: ") + what + " : " + data, !shouldrun);
-    };})(window);
-
-
-// Defer until document is loaded so that we can write the pretty result boxes
-// out.
-addEventListener('load', function() {
-  // test that allows crypto.generateCRMFRequest eval to run
-  try {
-      var script =
-        'console.log("dynamic script passed to crypto.generateCRMFRequest should execute")';
-      crypto.generateCRMFRequest('CN=0', 0, 0, null, script, 384, null, 'rsa-dual-use');
-      onevalexecuted(true, "eval(script) inside crypto.generateCRMFRequest",
-                     "eval executed during crypto.generateCRMFRequest");
-  } catch (e) {
-    onevalblocked(true, "eval(script) inside crypto.generateCRMFRequest",
-                  "eval was blocked during crypto.generateCRMFRequest");
-  }
-}, false);
deleted file mode 100644
--- a/content/base/test/csp/file_CSP_evalscript_main_getCRMFRequest.html
+++ /dev/null
@@ -1,12 +0,0 @@
-<html>
-  <head>
-    <title>CSP eval script tests</title>
-    <script type="application/javascript"
-             src="file_CSP_evalscript_main_getCRMFRequest.js"></script>
-  </head>
-  <body>
-
-    Foo.
-
-  </body>
-</html>
deleted file mode 100644
--- a/content/base/test/csp/file_CSP_evalscript_main_getCRMFRequest.html^headers^
+++ /dev/null
@@ -1,2 +0,0 @@
-Cache-Control: no-cache
-Content-Security-Policy: default-src 'self'
deleted file mode 100644
--- a/content/base/test/csp/file_CSP_evalscript_main_getCRMFRequest.js
+++ /dev/null
@@ -1,48 +0,0 @@
-// some javascript for the CSP eval() tests
-
-function logResult(str, passed) {
-  var elt = document.createElement('div');
-  var color = passed ? "#cfc;" : "#fcc";
-  elt.setAttribute('style', 'background-color:' + color + '; width:100%; border:1px solid black; padding:3px; margin:4px;');
-  elt.innerHTML = str;
-  document.body.appendChild(elt);
-}
-
-window._testResults = {};
-
-// callback for when stuff is allowed by CSP
-var onevalexecuted = (function(window) {
-    return function(shouldrun, what, data) {
-      window._testResults[what] = "ran";
-      window.parent.scriptRan(shouldrun, what, data);
-      logResult((shouldrun ? "PASS: " : "FAIL: ") + what + " : " + data, shouldrun);
-    };})(window);
-
-// callback for when stuff is blocked
-var onevalblocked = (function(window) {
-    return function(shouldrun, what, data) {
-      window._testResults[what] = "blocked";
-      window.parent.scriptBlocked(shouldrun, what, data);
-      logResult((shouldrun ? "FAIL: " : "PASS: ") + what + " : " + data, !shouldrun);
-    };})(window);
-
-
-// Defer until document is loaded so that we can write the pretty result boxes
-// out.
-addEventListener('load', function() {
-  // generateCRMFRequest test -- make sure we cannot eval the callback if CSP is in effect
-  try {
-    var script = 'console.log("dynamic script eval\'d in crypto.generateCRMFRequest should be disallowed")';
-    crypto.generateCRMFRequest('CN=0', 0, 0, null, script, 384, null, 'rsa-dual-use');
-    onevalexecuted(false, "crypto.generateCRMFRequest()",
-                   "crypto.generateCRMFRequest() should not run!");
-  } catch (e) {
-    onevalblocked(false, "eval(script) inside crypto.generateCRMFRequest",
-                  "eval was blocked during crypto.generateCRMFRequest");
-  }
-
-
-}, false);
-
-
-
deleted file mode 100644
--- a/content/base/test/csp/file_CSP_evalscript_no_CSP_at_all.html
+++ /dev/null
@@ -1,12 +0,0 @@
-<html>
-  <head>
-    <title>CSP eval script tests: no CSP specified</title>
-    <script type="application/javascript"
-             src="file_CSP_evalscript_no_CSP_at_all.js"></script>
-  </head>
-  <body>
-
-    Foo. See bug 824652
-
-  </body>
-</html>
deleted file mode 100644
--- a/content/base/test/csp/file_CSP_evalscript_no_CSP_at_all.html^headers^
+++ /dev/null
@@ -1,1 +0,0 @@
-Cache-Control: no-cache
deleted file mode 100644
--- a/content/base/test/csp/file_CSP_evalscript_no_CSP_at_all.js
+++ /dev/null
@@ -1,42 +0,0 @@
-// some javascript for the CSP eval() tests
-// all of these evals should succeed, as the document loading this script
-// has script-src 'self' 'unsafe-eval'
-
-function logResult(str, passed) {
-  var elt = document.createElement('div');
-  var color = passed ? "#cfc;" : "#fcc";
-  elt.setAttribute('style', 'background-color:' + color + '; width:100%; border:1px solid black; padding:3px; margin:4px;');
-  elt.innerHTML = str;
-  document.body.appendChild(elt);
-}
-
-// callback for when stuff is allowed by CSP
-var onevalexecuted = (function(window) {
-    return function(shouldrun, what, data) {
-      window.parent.scriptRan(shouldrun, what, data);
-      logResult((shouldrun ? "PASS: " : "FAIL: ") + what + " : " + data, shouldrun);
-    };})(window);
-
-// callback for when stuff is blocked
-var onevalblocked = (function(window) {
-    return function(shouldrun, what, data) {
-      window.parent.scriptBlocked(shouldrun, what, data);
-      logResult((shouldrun ? "FAIL: " : "PASS: ") + what + " : " + data, !shouldrun);
-    };})(window);
-
-
-// Defer until document is loaded so that we can write the pretty result boxes
-// out.
-addEventListener('load', function() {
-  // test that allows crypto.generateCRMFRequest eval to run when there is no CSP at all in place
-  try {
-      var script =
-        'console.log("dynamic script passed to crypto.generateCRMFRequest should execute")';
-      crypto.generateCRMFRequest('CN=0', 0, 0, null, script, 384, null, 'rsa-dual-use');
-      onevalexecuted(true, "eval(script) inside crypto.generateCRMFRequest: no CSP at all",
-                     "eval executed during crypto.generateCRMFRequest where no CSP is set at all");
-  } catch (e) {
-    onevalblocked(true, "eval(script) inside crypto.generateCRMFRequest",
-                  "eval was blocked during crypto.generateCRMFRequest");
-  }
-}, false);
--- a/content/base/test/csp/mochitest.ini
+++ b/content/base/test/csp/mochitest.ini
@@ -15,29 +15,20 @@ support-files =
   file_CSP_bug885433_allows.html
   file_CSP_bug885433_allows.html^headers^
   file_CSP_bug885433_blocks.html
   file_CSP_bug885433_blocks.html^headers^
   file_CSP_bug888172.html
   file_CSP_bug888172.sjs
   file_CSP_evalscript_main.js
   file_CSP_evalscript_main_allowed.js
-  file_CSP_evalscript_main_allowed_getCRMFRequest.js
-  file_CSP_evalscript_main_getCRMFRequest.js
   file_CSP_evalscript_main.html
   file_CSP_evalscript_main.html^headers^
   file_CSP_evalscript_main_allowed.html
   file_CSP_evalscript_main_allowed.html^headers^
-  file_CSP_evalscript_main_allowed_getCRMFRequest.html
-  file_CSP_evalscript_main_allowed_getCRMFRequest.html^headers^
-  file_CSP_evalscript_main_getCRMFRequest.html
-  file_CSP_evalscript_main_getCRMFRequest.html^headers^
-  file_CSP_evalscript_no_CSP_at_all.html
-  file_CSP_evalscript_no_CSP_at_all.html^headers^
-  file_CSP_evalscript_no_CSP_at_all.js
   file_CSP_frameancestors_main.html
   file_CSP_frameancestors_main.js
   file_CSP_frameancestors.sjs
   file_CSP_inlinescript_main.html
   file_CSP_inlinescript_main.html^headers^
   file_CSP_inlinescript_main_allowed.html
   file_CSP_inlinescript_main_allowed.html^headers^
   file_CSP_inlinestyle_main.html
@@ -107,18 +98,16 @@ support-files =
 
 [test_connect-src.html]
 [test_CSP.html]
 [test_CSP_bug663567.html]
 [test_CSP_bug802872.html]
 [test_CSP_bug885433.html]
 [test_CSP_bug888172.html]
 [test_CSP_evalscript.html]
-[test_CSP_evalscript_getCRMFRequest.html]
-skip-if = buildapp == 'b2g' || toolkit == 'android' || e10s # no (deprecated) window.crypto support in multiprocess (bug 824652)
 [test_CSP_frameancestors.html]
 skip-if = (buildapp == 'b2g' && (toolkit != 'gonk' || debug)) || toolkit == 'android' # Times out, not sure why (bug 1008445)
 [test_CSP_inlinescript.html]
 [test_CSP_inlinestyle.html]
 [test_bug836922_npolicies.html]
 [test_bug886164.html]
 [test_csp_redirects.html]
 [test_CSP_bug910139.html]
deleted file mode 100644
--- a/content/base/test/csp/test_CSP_evalscript_getCRMFRequest.html
+++ /dev/null
@@ -1,63 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <title>Test for Content Security Policy "no eval" in crypto.getCRMFRequest()</title>
-  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-</head>
-<body>
-<p id="display"></p>
-<div id="content" style="display: none">
-</div>
-<iframe style="width:100%;height:300px;" id='cspframe'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
-<script class="testbody" type="text/javascript">
-
-var path = "/tests/content/base/test/csp/";
-
-var evalScriptsThatRan = 0;
-var evalScriptsBlocked = 0;
-var evalScriptsTotal = 3;
-
-// called by scripts that run
-var scriptRan = function(shouldrun, testname, data) {
-  evalScriptsThatRan++;
-  ok(shouldrun, 'EVAL SCRIPT RAN: ' + testname + '(' + data + ')');
-  checkTestResults();
-}
-
-// called when a script is blocked
-var scriptBlocked = function(shouldrun, testname, data) {
-  evalScriptsBlocked++;
-  ok(!shouldrun, 'EVAL SCRIPT BLOCKED: ' + testname + '(' + data + ')');
-  checkTestResults();
-}
-
-// Check to see if all the tests have run
-var checkTestResults = function() {
-  // if any test is incomplete, keep waiting
-  if (evalScriptsTotal - evalScriptsBlocked - evalScriptsThatRan > 0)
-    return;
-
-  // ... otherwise, finish
-  SimpleTest.finish();
-}
-
-function loadElements() {
-  // save this for last so that our listeners are registered.
-  // ... this loads the testbed of good and bad requests.
-  document.getElementById('cspframe').src = 'file_CSP_evalscript_main_getCRMFRequest.html';
-  document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_allowed_getCRMFRequest.html';
-  document.getElementById('cspframe3').src = 'file_CSP_evalscript_no_CSP_at_all.html';
-}
-
-//////////////////////////////////////////////////////////////////////
-// set up and go
-SimpleTest.waitForExplicitFinish();
-SpecialPowers.pushPrefEnv({"set": [["dom.unsafe_legacy_crypto.enabled", true]]},
-                          loadElements);
-</script>
-</pre>
-</body>
-</html>
--- a/dom/base/Crypto.cpp
+++ b/dom/base/Crypto.cpp
@@ -122,92 +122,16 @@ SubtleCrypto*
 Crypto::Subtle()
 {
   if(!mSubtle) {
     mSubtle = new SubtleCrypto(GetParentObject());
   }
   return mSubtle;
 }
 
-#ifndef MOZ_DISABLE_CRYPTOLEGACY
-// Stub out the legacy nsIDOMCrypto methods. The actual
-// implementations are in security/manager/ssl/src/nsCrypto.{cpp,h}
-
-NS_IMETHODIMP
-Crypto::GetEnableSmartCardEvents(bool *aEnableSmartCardEvents)
-{
-  return NS_ERROR_NOT_IMPLEMENTED;
-}
-
-NS_IMETHODIMP
-Crypto::SetEnableSmartCardEvents(bool aEnableSmartCardEvents)
-{
-  return NS_ERROR_NOT_IMPLEMENTED;
-}
-
-bool
-Crypto::EnableSmartCardEvents()
-{
-  return false;
-}
-
-void
-Crypto::SetEnableSmartCardEvents(bool aEnable, ErrorResult& aRv)
-{
-  aRv.Throw(NS_ERROR_NOT_IMPLEMENTED);
-}
-
-void
-Crypto::GetVersion(nsString& aVersion)
-{
-}
-
-mozilla::dom::CRMFObject*
-Crypto::GenerateCRMFRequest(JSContext* aContext,
-                            const nsCString& aReqDN,
-                            const nsCString& aRegToken,
-                            const nsCString& aAuthenticator,
-                            const nsCString& aEaCert,
-                            const nsCString& aJsCallback,
-                            const Sequence<JS::Value>& aArgs,
-                            ErrorResult& aRv)
-{
-  aRv.Throw(NS_ERROR_NOT_IMPLEMENTED);
-  return nullptr;
-}
-
-void
-Crypto::ImportUserCertificates(const nsAString& aNickname,
-                               const nsAString& aCmmfResponse,
-                               bool aDoForcedBackup,
-                               nsAString& aReturn,
-                               ErrorResult& aRv)
-{
-  aRv.Throw(NS_ERROR_NOT_IMPLEMENTED);
-}
-
-void
-Crypto::SignText(JSContext* aContext,
-                 const nsAString& aStringToSign,
-                 const nsAString& aCaOption,
-                 const Sequence<nsCString>& aArgs,
-                 nsAString& aReturn)
-
-{
-  aReturn.AssignLiteral("error:internalError");
-}
-
-void
-Crypto::Logout(ErrorResult& aRv)
-{
-  aRv.Throw(NS_ERROR_NOT_IMPLEMENTED);
-}
-
-#endif
-
 /* static */ uint8_t*
 Crypto::GetRandomValues(uint32_t aLength)
 {
   nsCOMPtr<nsIRandomGenerator> randomGenerator;
   nsresult rv;
   randomGenerator = do_GetService("@mozilla.org/security/random-generator;1");
   NS_ENSURE_TRUE(randomGenerator, nullptr);
 
--- a/dom/base/Crypto.h
+++ b/dom/base/Crypto.h
@@ -1,25 +1,15 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 #ifndef mozilla_dom_Crypto_h
 #define mozilla_dom_Crypto_h
 
-#ifdef MOZ_DISABLE_CRYPTOLEGACY
 #include "nsIDOMCrypto.h"
-#else
-#include "nsIDOMCryptoLegacy.h"
-namespace mozilla {
-namespace dom {
-class CRMFObject;
-}
-}
-#endif
-
 #include "mozilla/dom/SubtleCrypto.h"
 #include "nsPIDOMWindow.h"
 
 #include "nsWrapperCache.h"
 #include "mozilla/dom/TypedArray.h"
 #define NS_DOMCRYPTO_CID \
   {0x929d9320, 0x251e, 0x11d4, { 0x8a, 0x7c, 0x00, 0x60, 0x08, 0xc8, 0x44, 0xc3} }
 
@@ -46,48 +36,16 @@ public:
   void
   GetRandomValues(JSContext* aCx, const ArrayBufferView& aArray,
 		  JS::MutableHandle<JSObject*> aRetval,
 		  ErrorResult& aRv);
 
   SubtleCrypto*
   Subtle();
 
-#ifndef MOZ_DISABLE_CRYPTOLEGACY
-  virtual bool EnableSmartCardEvents();
-  virtual void SetEnableSmartCardEvents(bool aEnable, ErrorResult& aRv);
-
-  virtual void GetVersion(nsString& aVersion);
-
-  virtual mozilla::dom::CRMFObject*
-  GenerateCRMFRequest(JSContext* aContext,
-                      const nsCString& aReqDN,
-                      const nsCString& aRegToken,
-                      const nsCString& aAuthenticator,
-                      const nsCString& aEaCert,
-                      const nsCString& aJsCallback,
-                      const Sequence<JS::Value>& aArgs,
-                      ErrorResult& aRv);
-
-  virtual void ImportUserCertificates(const nsAString& aNickname,
-                                      const nsAString& aCmmfResponse,
-                                      bool aDoForcedBackup,
-                                      nsAString& aReturn,
-                                      ErrorResult& aRv);
-
-  virtual void SignText(JSContext* aContext,
-                        const nsAString& aStringToSign,
-                        const nsAString& aCaOption,
-                        const Sequence<nsCString>& aArgs,
-                        nsAString& aReturn);
-
-  virtual void Logout(ErrorResult& aRv);
-
-#endif
-
   // WebIDL
 
   nsPIDOMWindow*
   GetParentObject() const
   {
     return mWindow;
   }
 
--- a/dom/base/nsGlobalWindow.cpp
+++ b/dom/base/nsGlobalWindow.cpp
@@ -78,19 +78,16 @@
 #include "nsIWidgetListener.h"
 #include "nsIBaseWindow.h"
 #include "nsIDeviceSensors.h"
 #include "nsIContent.h"
 #include "nsIDocShell.h"
 #include "nsIDocCharset.h"
 #include "nsIDocument.h"
 #include "Crypto.h"
-#ifndef MOZ_DISABLE_CRYPTOLEGACY
-#include "nsIDOMCryptoLegacy.h"
-#endif
 #include "nsIDOMDocument.h"
 #include "nsIDOMElement.h"
 #include "nsIDOMEvent.h"
 #include "nsIDOMOfflineResourceList.h"
 #include "nsDOMString.h"
 #include "nsIEmbeddingSiteWindow.h"
 #include "nsThreadUtils.h"
 #include "nsILoadContext.h"
@@ -2359,24 +2356,16 @@ nsGlobalWindow::SetNewDocument(nsIDocume
       mDoc &&
       mDoc->NodePrincipal() != aDocument->NodePrincipal()) {
     NS_ERROR("Attempted forced inner window reuse while changing principal");
     return NS_ERROR_UNEXPECTED;
   }
 
   nsCOMPtr<nsIDocument> oldDoc = mDoc;
 
-#ifndef MOZ_DISABLE_CRYPTOLEGACY
-  // clear smartcard events, our document has gone away.
-  if (mCrypto && XRE_GetProcessType() != GeckoProcessType_Content) {
-    nsresult rv = mCrypto->SetEnableSmartCardEvents(false);
-    NS_ENSURE_SUCCESS(rv, rv);
-  }
-#endif
-
   AutoJSAPI jsapi;
   jsapi.Init();
   JSContext *cx = jsapi.cx();
 
   if (!mDoc) {
     // First document load.
 
     // Get our private root. If it is equal to us, then we need to
@@ -4454,30 +4443,17 @@ nsGlobalWindow::GetApplicationCache(nsID
 }
 
 nsIDOMCrypto*
 nsGlobalWindow::GetCrypto(ErrorResult& aError)
 {
   FORWARD_TO_INNER_OR_THROW(GetCrypto, (aError), aError, nullptr);
 
   if (!mCrypto) {
-#ifndef MOZ_DISABLE_CRYPTOLEGACY
-    if (XRE_GetProcessType() != GeckoProcessType_Content) {
-      nsresult rv;
-      mCrypto = do_CreateInstance(NS_CRYPTO_CONTRACTID, &rv);
-      if (NS_FAILED(rv)) {
-        aError.Throw(rv);
-        return nullptr;
-      }
-    } else
-#endif
-    {
-      mCrypto = new Crypto();
-    }
-
+    mCrypto = new Crypto();
     mCrypto->Init(this);
   }
   return mCrypto;
 }
 
 NS_IMETHODIMP
 nsGlobalWindow::GetCrypto(nsIDOMCrypto** aCrypto)
 {
--- a/dom/bindings/Bindings.conf
+++ b/dom/bindings/Bindings.conf
@@ -246,24 +246,17 @@ DOMInterfaces = {
     'implicitJSContext': [ 'buffer' ],
     'resultNotAddRefed': [ 'buffer' ],
 },
 
 'Coordinates': {
     'headerFile': 'nsGeoPosition.h'
 },
 
-'CRMFObject': {
-    'headerFile': 'nsCrypto.h',
-    'nativeOwnership': 'owned',
-    'wrapperCache': False,
-},
-
 'Crypto' : {
-    'implicitJSContext': [ 'generateCRMFRequest', 'signText' ],
     'headerFile': 'Crypto.h'
 },
 
 'CSS': {
     'concrete': False,
 },
 
 'CSS2Properties': {
--- a/dom/events/test/test_all_synthetic_events.html
+++ b/dom/events/test/test_all_synthetic_events.html
@@ -366,20 +366,16 @@ const kEventConstructors = {
                                                                                   aProps.clientX, aProps.clientY,
                                                                                   aProps.ctrlKey, aProps.altKey, aProps.shiftKey, aProps.metaKey,
                                                                                   aProps.button, aProps.relatedTarget,
                                                                                   aProps.allowedDirections, aProps.direction, aProps.delta || 0.0,
                                                                                   aProps.clickCount);
                                                          return e;
                                                        },
                                              },
-  SmartCardEvent:                            { create: function (aName, aProps) {
-                                                         return new SmartCardEvent(aName, aProps);
-                                                       },
-                                             },
   SpeechRecognitionEvent:                    { create: function (aName, aProps) {
                                                          return new SpeechRecognitionEvent(aName, aProps);
                                                        },
                                              },
   SpeechSynthesisEvent:                      { create: function (aName, aProps) {
                                                          return new SpeechSynthesisEvent(aName, aProps);
                                                        },
                                              },
--- a/dom/events/test/test_eventctors.html
+++ b/dom/events/test/test_eventctors.html
@@ -743,39 +743,16 @@ e = new PopupBlockedEvent("hello",
                           { requestingWindow: window,
                             popupWindowFeatures: "features",
                             popupWindowName: "name"
                           });
 is(e.requestingWindow, window);
 is(e.popupWindowFeatures, "features");
 is(e.popupWindowName, "name");
 
-
-// SmartCardEvent
-
-try {
-  e = new SmartCardEvent();
-} catch(exp) {
-  ex = true;
-}
-ok(ex, "SmartCardEvent: First parameter is required!");
-ex = false;
-
-e = new SmartCardEvent("hello");
-is(e.type, "hello", "SmartCardEvent: Wrong event type!");
-ok(!e.isTrusted, "SmartCardEvent: Event shouldn't be trusted!");
-ok(!e.bubbles, "SmartCardEvent: Event shouldn't bubble!");
-ok(!e.cancelable, "SmartCardEvent: Event shouldn't be cancelable!");
-is(e.tokenName, "");
-document.dispatchEvent(e);
-is(receivedEvent, e, "SmartCardEvent: Wrong event!");
-
-e = new SmartCardEvent("hello", { tokenName: "foo" });
-is(e.tokenName, "foo");
-
 // WheelEvent
 
 try {
   e = new WheelEvent();
 } catch(exp) {
   ex = true;
 }
 ok(ex, "WheelEvent: First parameter is required!");
--- a/dom/interfaces/base/moz.build
+++ b/dom/interfaces/base/moz.build
@@ -11,16 +11,17 @@ XPIDL_SOURCES += [
     'nsIContentPermissionPrompt.idl',
     'nsIContentPrefService.idl',
     'nsIContentPrefService2.idl',
     'nsIContentURIGrouper.idl',
     'nsIDOMChromeWindow.idl',
     'nsIDOMClientRect.idl',
     'nsIDOMClientRectList.idl',
     'nsIDOMConstructor.idl',
+    'nsIDOMCrypto.idl',
     'nsIDOMGlobalObjectConstructor.idl',
     'nsIDOMGlobalPropertyInitializer.idl',
     'nsIDOMHistory.idl',
     'nsIDOMJSWindow.idl',
     'nsIDOMLocation.idl',
     'nsIDOMModalContentWindow.idl',
     'nsIDOMNavigator.idl',
     'nsIDOMScreen.idl',
@@ -32,25 +33,16 @@ XPIDL_SOURCES += [
     'nsIIdleObserver.idl',
     'nsIQueryContentEventResult.idl',
     'nsIServiceWorkerManager.idl',
     'nsIStructuredCloneContainer.idl',
     'nsITabChild.idl',
     'nsITabParent.idl',
 ]
 
-if CONFIG['MOZ_DISABLE_CRYPTOLEGACY']:
-    XPIDL_SOURCES += [
-        'nsIDOMCrypto.idl',
-    ]
-else:
-    XPIDL_SOURCES += [
-        'nsIDOMCryptoLegacy.idl',
-    ]
-
 if CONFIG['MOZ_B2G']:
     XPIDL_SOURCES += [
         'nsIDOMWindowB2G.idl',
     ]
 
 if CONFIG['MOZ_WEBSPEECH']:
     XPIDL_SOURCES += [
         'nsISpeechSynthesisGetter.idl'
deleted file mode 100644
--- a/dom/interfaces/base/nsIDOMCryptoLegacy.idl
+++ /dev/null
@@ -1,15 +0,0 @@
-/* -*- Mode: IDL; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "domstubs.idl"
-
-interface nsIDOMWindow;
-
-[uuid(c25ecf08-3f46-4420-bee4-8505792fd63a)]
-interface nsIDOMCrypto : nsISupports
-{
-  [notxpcom] void init(in nsIDOMWindow window);
-  attribute boolean         enableSmartCardEvents;
-};
deleted file mode 100644
--- a/dom/tests/mochitest/crypto/mochitest-legacy.ini
+++ /dev/null
@@ -1,2 +0,0 @@
-[test_legacy.html]
-skip-if = e10s
--- a/dom/tests/mochitest/crypto/mochitest.ini
+++ b/dom/tests/mochitest/crypto/mochitest.ini
@@ -1,5 +1,4 @@
 [DEFAULT]
 skip-if = e10s
 
 [test_getRandomValues.html]
-[test_no_legacy.html]
deleted file mode 100644
--- a/dom/tests/mochitest/crypto/test_legacy.html
+++ /dev/null
@@ -1,60 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <title>Test presence of legacy window.crypto features when
-         MOZ_DISABLE_CRYPTOLEGACY is NOT set and dom.unsafe_legacy_crypto.enabled is true</title>
-  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>        
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-</head>
-<body>
-<script class="testbody" type="text/javascript">
-
-function test_unsafe_legacy_crypto_enabled() {
-  ok("crypto" in window, "crypto in window");
-  ok("version" in window.crypto, "version in window.crypto");
-  ok("enableSmartCardEvents" in window.crypto,
-     "enableSmartCardEvents in window.crypto");
-  ok("generateCRMFRequest" in window.crypto,
-     "generateCRMFRequest in window.crypto");
-  ok("importUserCertificates" in window.crypto,
-     "importUserCertificates in window.crypto");
-  ok("signText" in window.crypto, "signText in window.crypto");
-
-  function jsCallback () {
-  }
-
-  try {
-    window.crypto.generateCRMFRequest(null, null, null, null, jsCallback.toString());
-    ok(false, "window.crypto.generateCRMFRequest failed, should throw error");
-  } catch (e) {
-    ok(e.toString().search(/Failure/) > -1,
-       "Expected error: ReqDN cannot be null");
-  }
-
-  try {
-    window.crypto.generateCRMFRequest(document.documentElement, null, null, null,
-                                      null);
-    ok(false, "window.crypto.generateCRMFRequest failed, should throw error");
-  } catch (e) {
-    ok(e.toString().search(/Failure/) > -1,
-       "Expected error: jsCallback cannot be null");
-  }
-
-  try {
-    window.crypto.generateCRMFRequest(document.documentElement, null, null, null,
-                                      jsCallback.toString(), 1024);
-    ok(false, "window.crypto.generateCRMFRequest failed, should throw error");
-  } catch (e) {
-    ok(e.toString().search(/TypeError/) > -1,
-       "Expected error: Not enough arguments");
-  }
-
-  SimpleTest.finish();
-}
-
-SpecialPowers.pushPrefEnv({"set": [["dom.unsafe_legacy_crypto.enabled", true]]},
-                          test_unsafe_legacy_crypto_enabled);
-SimpleTest.waitForExplicitFinish();
-
-</script>
-</body></html>
deleted file mode 100644
--- a/dom/tests/mochitest/crypto/test_no_legacy.html
+++ /dev/null
@@ -1,23 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <title>Test lack of legacy window.crypto features when
-         MOZ_DISABLE_CRYPTOLEGACY is set or dom.unsafe_legacy_crypto.enabled is false</title>
-  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>        
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-</head>
-<body>
-<script class="testbody" type="text/javascript">
-
-ok("crypto" in window, "crypto in window");
-ok(!("version" in window.crypto), "version not in window.crypto");
-ok(!("enableSmartCardEvents" in window.crypto),
-   "enableSmartCardEvents not in window.crypto");
-ok(!("generateCRMFRequest" in window.crypto),
-   "generateCRMFRequest not in window.crypto");
-ok(!("importUserCertificates" in window.crypto),
-   "importUserCertificates not in window.crypto");
-ok(!("signText" in window.crypto), "signText not in window.crypto");
-
-</script>
-</body></html>
--- a/dom/tests/mochitest/general/test_interfaces.html
+++ b/dom/tests/mochitest/general/test_interfaces.html
@@ -853,18 +853,16 @@ var interfaceNamesInGlobalScope =
     {name: "ShadowRoot", pref: "dom.webcomponents.enabled"},
 // IMPORTANT: Do not change this list without review from a DOM peer!
     {name: "SharedWorker", pref: "dom.workers.sharedWorkers.enabled"},
 // IMPORTANT: Do not change this list without review from a DOM peer!
     "SimpleGestureEvent",
 // IMPORTANT: Do not change this list without review from a DOM peer!
     {name: "SimpleTest", xbl: false},
 // IMPORTANT: Do not change this list without review from a DOM peer!
-    "SmartCardEvent",
-// IMPORTANT: Do not change this list without review from a DOM peer!
     {name: "SpeechSynthesisEvent", b2g: true},
 // IMPORTANT: Do not change this list without review from a DOM peer!
     {name: "SpeechSynthesis", b2g: true},
 // IMPORTANT: Do not change this list without review from a DOM peer!
     {name: "SpeechSynthesisUtterance", b2g: true},
 // IMPORTANT: Do not change this list without review from a DOM peer!
     {name: "SpeechSynthesisVoice", b2g: true},
 // IMPORTANT: Do not change this list without review from a DOM peer!
--- a/dom/tests/moz.build
+++ b/dom/tests/moz.build
@@ -43,20 +43,15 @@ MOCHITEST_CHROME_MANIFESTS += [
 ]
 
 if CONFIG['MOZ_WIDGET_TOOLKIT'] != 'gtk2':
     # Bug 788164.
     MOCHITEST_MANIFESTS += [
         'mochitest/pointerlock/mochitest.ini',
     ]
 
-if not CONFIG['MOZ_DISABLE_CRYPTOLEGACY']:
-    MOCHITEST_MANIFESTS += [
-        'mochitest/crypto/mochitest-legacy.ini',
-    ]
-
 if CONFIG['MOZ_GAMEPAD']:
     MOCHITEST_MANIFESTS += [
         'mochitest/gamepad/mochitest.ini',
     ]
 
 XPCSHELL_TESTS_MANIFESTS += ['unit/xpcshell.ini']
 BROWSER_CHROME_MANIFESTS += ['browser/browser.ini']
deleted file mode 100644
--- a/dom/webidl/CRMFObject.webidl
+++ /dev/null
@@ -1,10 +0,0 @@
-/* -*- Mode: IDL; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/.
- */
-
-[NoInterfaceObject]
-interface CRMFObject {
-  readonly attribute DOMString request;
-};
--- a/dom/webidl/Crypto.webidl
+++ b/dom/webidl/Crypto.webidl
@@ -14,43 +14,8 @@ interface RandomSource {
 };
 
 Crypto implements RandomSource;
 
 interface Crypto {
   [Pref="dom.webcrypto.enabled"]
   readonly attribute SubtleCrypto subtle;
 };
-
-#ifndef MOZ_DISABLE_CRYPTOLEGACY
-[NoInterfaceObject]
-interface CryptoLegacy {
-  [Pref="dom.unsafe_legacy_crypto.enabled"]
-  readonly attribute DOMString version;
-
-  [SetterThrows,Pref="dom.unsafe_legacy_crypto.enabled"]
-  attribute boolean enableSmartCardEvents;
-
-  [Throws,NewObject,Pref="dom.unsafe_legacy_crypto.enabled"]
-  CRMFObject? generateCRMFRequest(ByteString? reqDN,
-                                  ByteString? regToken,
-                                  ByteString? authenticator,
-                                  ByteString? eaCert,
-                                  ByteString? jsCallback,
-                                  any... args);
-
-  [Throws,Pref="dom.unsafe_legacy_crypto.enabled"]
-  DOMString importUserCertificates(DOMString nickname,
-                                   DOMString cmmfResponse,
-                                   boolean doForcedBackup);
-
-  [Pref="dom.unsafe_legacy_crypto.enabled"]
-  DOMString signText(DOMString stringToSign,
-                     DOMString caOption,
-                     ByteString... args);
-
-  [Throws,Pref="dom.unsafe_legacy_crypto.enabled"]
-  void logout();
-};
-
-Crypto implements CryptoLegacy;
-#endif // !MOZ_DISABLE_CRYPTOLEGACY
-
deleted file mode 100644
--- a/dom/webidl/SmartCardEvent.webidl
+++ /dev/null
@@ -1,16 +0,0 @@
-/* -*- Mode: IDL; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/.
- */
-
-[Constructor(DOMString type, optional SmartCardEventInit eventInitDict)]
-interface SmartCardEvent : Event
-{
-  readonly attribute DOMString? tokenName;
-};
-
-dictionary SmartCardEventInit : EventInit
-{
-  DOMString tokenName = "";
-};
--- a/dom/webidl/moz.build
+++ b/dom/webidl/moz.build
@@ -547,17 +547,16 @@ WEBIDL_FILES += [
     'HashChangeEvent.webidl',
     'MozApplicationEvent.webidl',
     'MozSettingsEvent.webidl',
     'PageTransitionEvent.webidl',
     'PopStateEvent.webidl',
     'PopupBlockedEvent.webidl',
     'ProgressEvent.webidl',
     'RecordErrorEvent.webidl',
-    'SmartCardEvent.webidl',
     'StyleRuleChangeEvent.webidl',
     'StyleSheetApplicableStateChangeEvent.webidl',
     'StyleSheetChangeEvent.webidl',
 ]
 
 # We only expose our prefable test interfaces in debug builds, just to be on
 # the safe side.
 if CONFIG['MOZ_DEBUG']:
@@ -622,21 +621,16 @@ else:
         'InstallTrigger.webidl',
     ]
 
 if CONFIG['MOZ_B2G_FM']:
     WEBIDL_FILES += [
         'FMRadio.webidl',
     ]
 
-if not CONFIG['MOZ_DISABLE_CRYPTOLEGACY']:
-    WEBIDL_FILES += [
-        'CRMFObject.webidl',
-    ]
-
 GENERATED_EVENTS_WEBIDL_FILES = [
     'AutocompleteErrorEvent.webidl',
     'BlobEvent.webidl',
     'CallEvent.webidl',
     'CallGroupErrorEvent.webidl',
     'CFStateChangeEvent.webidl',
     'CloseEvent.webidl',
     'DataErrorEvent.webidl',
@@ -667,17 +661,16 @@ GENERATED_EVENTS_WEBIDL_FILES = [
     'PopupBlockedEvent.webidl',
     'ProgressEvent.webidl',
     'RecordErrorEvent.webidl',
     'RTCDataChannelEvent.webidl',
     'RTCPeerConnectionIceEvent.webidl',
     'RTCPeerConnectionIdentityErrorEvent.webidl',
     'RTCPeerConnectionIdentityEvent.webidl',
     'SelectionChangeEvent.webidl',
-    'SmartCardEvent.webidl',
     'StyleRuleChangeEvent.webidl',
     'StyleSheetApplicableStateChangeEvent.webidl',
     'StyleSheetChangeEvent.webidl',
     'TrackEvent.webidl',
     'UserProximityEvent.webidl',
     'USSDReceivedEvent.webidl',
 ]
 
--- a/mobile/android/confvars.sh
+++ b/mobile/android/confvars.sh
@@ -13,17 +13,17 @@ MOZ_OFFICIAL_BRANDING_DIRECTORY=mobile/a
 # MOZ_APP_DISPLAYNAME is set by branding/configure.sh
 
 # We support Android SDK version 9 and up by default.
 # See the --enable-android-min-sdk and --enable-android-max-sdk arguments in configure.in.
 MOZ_ANDROID_MIN_SDK_VERSION=9
 
 MOZ_SAFE_BROWSING=1
 
-MOZ_DISABLE_CRYPTOLEGACY=1
+MOZ_NO_SMART_CARDS=1
 
 # Enable getUserMedia
 MOZ_MEDIA_NAVIGATOR=1
 
 # Enable NFC permission
 MOZ_ANDROID_BEAM=1
 
 if test "$LIBXUL_SDK"; then
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -367,18 +367,17 @@ CertVerifier::VerifyCert(CERTCertificate
                           KeyPurposeId::id_kp_codeSigning,
                           CertPolicyId::anyPolicy, stapledOCSPResponse);
       break;
     }
 
     case certificateUsageVerifyCA:
     case certificateUsageStatusResponder: {
       // XXX This is a pretty useless way to verify a certificate. It is used
-      // by the implementation of window.crypto.importCertificates and in the
-      // certificate viewer UI. Because we don't know what trust bit is
+      // by the certificate viewer UI. Because we don't know what trust bit is
       // interesting, we just try them all.
       mozilla::pkix::EndEntityOrCA endEntityOrCA;
       mozilla::pkix::KeyUsage keyUsage;
       KeyPurposeId eku;
       if (usage == certificateUsageVerifyCA) {
         endEntityOrCA = EndEntityOrCA::MustBeCA;
         keyUsage = KeyUsage::keyCertSign;
         eku = KeyPurposeId::anyExtendedKeyUsage;
--- a/security/manager/locales/en-US/chrome/pippki/pippki.dtd
+++ b/security/manager/locales/en-US/chrome/pippki/pippki.dtd
@@ -76,17 +76,12 @@
 <!ENTITY examineCert.label "View Certificate">
 <!ENTITY examineCert.accesskey "V">
 
 <!-- Strings for the CreateCertInfo dialog  -->
 <!ENTITY createCertInfo.title "Generating A Private Key">
 <!ENTITY createCertInfo.msg1 "Key Generation in progress… This may take a few minutes….">
 <!ENTITY createCertInfo.msg2 "Please wait…">
 
-<!-- Form Signing confirmation prompt -->
-<!ENTITY formSigning.title "Text Signing Request">
-<!ENTITY formSigning.cert "Signing Certificate">
-<!ENTITY formSigning.confirmPassword "To confirm you agree to sign this text message using your selected certificate, please confirm by entering the master password:">
-
 <!-- Strings for protectedAuth dialog -->
 <!ENTITY protectedAuth.title "Protected Token Authentication">
 <!ENTITY protectedAuth.msg "Please authenticate to the token. Authentication method depends on the type of your token.">
 <!ENTITY protectedAuth.tokenName.label "Token:">
--- a/security/manager/locales/en-US/chrome/pippki/pippki.properties
+++ b/security/manager/locales/en-US/chrome/pippki/pippki.properties
@@ -128,19 +128,16 @@ resetPasswordConfirmationTitle=Reset Mas
 resetPasswordConfirmationMessage=Your password has been reset.
 
 #Import certificate(s) file dialog
 importEmailCertPrompt=Select File containing somebody's Email certificate to import
 importCACertsPrompt=Select File containing CA certificate(s) to import
 importServerCertPrompt=Select File containing Server certificate to import
 file_browse_Certificate_spec=Certificate Files
 
-# Form Signing confirmation prompt
-formSigningIntro=The site '%S' has requested that you sign the following text message:
-
 # Cert export
 SaveCertAs=Save Certificate To File
 CertFormatBase64=X.509 Certificate (PEM)
 CertFormatBase64Chain=X.509 Certificate with chain (PEM)
 CertFormatDER=X.509 Certificate (DER)
 CertFormatPKCS7=X.509 Certificate (PKCS#7)
 CertFormatPKCS7Chain=X.509 Certificate with chain (PKCS#7)
 writeFileFailure=File Error
--- a/security/manager/pki/resources/content/certManager.js
+++ b/security/manager/pki/resources/content/certManager.js
@@ -27,21 +27,32 @@ var selected_index = [];
 var certdb;
 
 var caTreeView;
 var serverTreeView;
 var emailTreeView;
 var userTreeView;
 var orphanTreeView;
 
+var smartCardObserver = {
+  observe: function() {
+    onSmartCardChange();
+  }
+};
+
+function DeregisterSmartCardObservers()
+{
+  Services.obs.removeObserver(smartCardObserver, "smartcard-insert");
+  Services.obs.removeObserver(smartCardObserver, "smartcard-remove");
+}
+
 function LoadCerts()
 {
-  window.crypto.enableSmartCardEvents = true;
-  document.addEventListener("smartcard-insert", onSmartCardChange, false);
-  document.addEventListener("smartcard-remove", onSmartCardChange, false);
+  Services.obs.addObserver(smartCardObserver, "smartcard-insert", false);
+  Services.obs.addObserver(smartCardObserver, "smartcard-remove", false);
 
   certdb = Components.classes[nsX509CertDB].getService(nsIX509CertDB);
   var certcache = Components.classes[nsNSSCertCache].createInstance(nsINSSCertCache);
   
   certcache.cacheAllCerts();
 
   caTreeView = Components.classes[nsCertTree]
                     .createInstance(nsICertTree);
@@ -608,9 +619,8 @@ function addException()
                     'chrome,centerscreen,modal');
   var certcache = Components.classes[nsNSSCertCache].createInstance(nsINSSCertCache);
   certcache.cacheAllCerts();
   serverTreeView.loadCertsFromCache(certcache, nsIX509Cert.SERVER_CERT);
   serverTreeView.selection.clearSelection();
   orphanTreeView.loadCertsFromCache(certcache, nsIX509Cert.UNKNOWN_CERT);
   orphanTreeView.selection.clearSelection();
 }
-
--- a/security/manager/pki/resources/content/certManager.xul
+++ b/security/manager/pki/resources/content/certManager.xul
@@ -13,16 +13,17 @@
 
 <!DOCTYPE dialog SYSTEM "chrome://pippki/locale/certManager.dtd">
 
 <dialog id="certmanager" 
 	windowtype="mozilla:certmanager"
 	xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" 
         title="&certmgr.title;"
         onload="LoadCerts();"
+        onunload="DeregisterSmartCardObservers();"
         buttons="accept"
         style="width: 48em; height: 32em;"
         persist="screenX screenY width height">
 
   <stringbundle id="pippki_bundle" src="chrome://pippki/locale/pippki.properties"/>
 
   <script type="application/javascript" src="chrome://pippki/content/pippki.js"/>
   <script type="application/javascript" src="chrome://pippki/content/certManager.js"/>
--- a/security/manager/pki/resources/content/device_manager.js
+++ b/security/manager/pki/resources/content/device_manager.js
@@ -11,28 +11,41 @@ const nsIPKCS11ModuleDB = Components.int
 const nsIPK11Token = Components.interfaces.nsIPK11Token;
 const nsPK11TokenDB = "@mozilla.org/security/pk11tokendb;1";
 const nsIPK11TokenDB = Components.interfaces.nsIPK11TokenDB;
 const nsIDialogParamBlock = Components.interfaces.nsIDialogParamBlock;
 const nsDialogParamBlock = "@mozilla.org/embedcomp/dialogparam;1";
 const nsIPKCS11 = Components.interfaces.nsIPKCS11;
 const nsPKCS11ContractID = "@mozilla.org/security/pkcs11;1";
 
+let { Services } = Components.utils.import("resource://gre/modules/Services.jsm", {});
+
 var bundle;
 var secmoddb;
 var skip_enable_buttons = false;
 
+var smartCardObserver = {
+  observe: function() {
+    onSmartCardChange();
+  }
+};
+
+function DeregisterSmartCardObservers()
+{
+  Services.obs.removeObserver(smartCardObserver, "smartcard-insert");
+  Services.obs.removeObserver(smartCardObserver, "smartcard-remove");
+}
+
 /* Do the initial load of all PKCS# modules and list them. */
 function LoadModules()
 {
   bundle = document.getElementById("pippki_bundle");
   secmoddb = Components.classes[nsPKCS11ModuleDB].getService(nsIPKCS11ModuleDB);
-  window.crypto.enableSmartCardEvents = true;
-  document.addEventListener("smartcard-insert", onSmartCardChange, false);
-  document.addEventListener("smartcard-remove", onSmartCardChange, false);
+  Services.obs.addObserver(smartCardObserver, "smartcard-insert", false);
+  Services.obs.addObserver(smartCardObserver, "smartcard-remove", false);
 
   RefreshDeviceList();
 }
 
 function getPKCS11()
 {
   return Components.classes[nsPKCS11ContractID].getService(nsIPKCS11);
 }
--- a/security/manager/pki/resources/content/device_manager.xul
+++ b/security/manager/pki/resources/content/device_manager.xul
@@ -14,16 +14,17 @@
 
 <dialog id="devicemanager"
 	windowtype="mozilla:devicemanager"
         xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" 
         title="&devmgr.title;"
         style="&devmgr.style;"
         persist="screenX screenY width height"
         onload="LoadModules();"
+        onunload="DeregisterSmartCardObservers();"
         buttons="accept">
 
 <stringbundleset id="stringbundleset">
   <stringbundle id="pippki_bundle" src="chrome://pippki/locale/pippki.properties"/>
   <stringbundle id="pipnss_bundle" src="chrome://pipnss/locale/pipnss.properties"/>
 </stringbundleset>
 
 <script type="application/javascript" src="chrome://pippki/content/device_manager.js"/>
deleted file mode 100644
--- a/security/manager/pki/resources/content/formsigning.js
+++ /dev/null
@@ -1,67 +0,0 @@
-/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-const nsIDialogParamBlock = Components.interfaces.nsIDialogParamBlock;
-
-var dialogParams;
-var itemCount = 0;
-
-function onLoad()
-{
-  dialogParams = window.arguments[0].QueryInterface(nsIDialogParamBlock);
-
-  var hostname = dialogParams.GetString(0);
-  var bundle = document.getElementById("pippki_bundle");
-  var intro = bundle.getFormattedString("formSigningIntro", [hostname]);
-  setText("sign.intro", intro);
-
-  document.getElementById("sign.text").value = dialogParams.GetString(1);
-
-  var selectElement = document.getElementById("nicknames");
-  itemCount = dialogParams.GetInt(0);
-  for (var index = 0; index < itemCount; ++index) {
-    var menuItemNode = document.createElement("menuitem");
-    var nick = dialogParams.GetString(2 + 2 * index);
-    menuItemNode.setAttribute("value", index);
-    menuItemNode.setAttribute("label", nick); // this is displayed
-    selectElement.firstChild.appendChild(menuItemNode);
-    if (index == 0) {
-      selectElement.selectedItem = menuItemNode;
-    }
-  }
-  setDetails();
-  document.getElementById("pw").focus();
-}
-
-function setDetails()
-{
-  var index = parseInt(document.getElementById("nicknames").value);
-  if (index == "NaN")
-    return;
-  
-  var details = dialogParams.GetString(2 + (2 * index + 1));
-  document.getElementById("certdetails").value = details;
-}
-
-function onCertSelected()
-{
-  setDetails();
-}
-
-function doOK()
-{
-  dialogParams.SetInt(0, 1);
-  var index = parseInt(document.getElementById("nicknames").value);
-  dialogParams.SetInt(1, index);
-  var password = document.getElementById("pw").value;
-  dialogParams.SetString(0, password);
-  return true;
-}
-
-function doCancel()
-{
-  dialogParams.SetInt(0, 0);
-  return true;
-}
deleted file mode 100644
--- a/security/manager/pki/resources/content/formsigning.xul
+++ /dev/null
@@ -1,45 +0,0 @@
-<?xml version="1.0"?>
-<!-- This Source Code Form is subject to the terms of the Mozilla Public
-   - License, v. 2.0. If a copy of the MPL was not distributed with this
-   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
-
-<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
-
-<!DOCTYPE dialog [
-<!ENTITY % pippkiDTD SYSTEM "chrome://pippki/locale/pippki.dtd" >
-%pippkiDTD;
-]>
-
-<dialog id="formsigning" title="&formSigning.title;"
-  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
-  buttons="accept,cancel"
-  ondialogaccept="return doOK();"
-  ondialogcancel="return doCancel();"
-  onload="onLoad();">
-
-<stringbundle id="pippki_bundle" src="chrome://pippki/locale/pippki.properties"/>
-
-<script type="application/javascript" src="chrome://pippki/content/pippki.js"/>
-<script type="application/javascript" src="chrome://pippki/content/formsigning.js"/>
-
-  <description id="sign.intro" style="max-width: 50em;"/>
-  <textbox readonly="true" id="sign.text" multiline="true"
-    style="height: 10em;" wrap="off"/>
-  <separator class="thin"/>
-  <groupbox>
-    <caption label="&formSigning.cert;"/>
-    <broadcaster id="certSelected" oncommand="onCertSelected();"/>
-    <menulist id="nicknames" observes="certSelected">
-      <!-- The items in this menulist must never be sorted,
-           but remain in the order filled by the application
-      -->
-      <menupopup/>
-    </menulist>
-    <textbox readonly="true" id="certdetails" multiline="true"
-      style="height: 10em;" wrap="off"/>
-    <separator/>
-  </groupbox>
-  <separator class="thin"/>
-  <description style="max-width: 30em;">&formSigning.confirmPassword;</description>
-  <textbox id="pw" type="password"/>
-</dialog>
--- a/security/manager/pki/resources/jar.mn
+++ b/security/manager/pki/resources/jar.mn
@@ -42,10 +42,8 @@ pippki.jar:
     content/pippki/choosetoken.xul           (content/choosetoken.xul)
     content/pippki/choosetoken.js            (content/choosetoken.js)
     content/pippki/escrowWarn.xul            (content/escrowWarn.xul)
     content/pippki/escrowWarn.js             (content/escrowWarn.js)
     content/pippki/createCertInfo.xul        (content/createCertInfo.xul)
     content/pippki/createCertInfo.js         (content/createCertInfo.js)
     content/pippki/protectedAuth.xul         (content/protectedAuth.xul)
     content/pippki/protectedAuth.js          (content/protectedAuth.js)
-    content/pippki/formsigning.xul           (content/formsigning.xul)
-    content/pippki/formsigning.js            (content/formsigning.js)
--- a/security/manager/pki/src/moz.build
+++ b/security/manager/pki/src/moz.build
@@ -1,17 +1,16 @@
 # -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
 # vim: set filetype=python:
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 UNIFIED_SOURCES += [
     'nsASN1Tree.cpp',
-    'nsFormSigningDialog.cpp',
     'nsNSSDialogHelper.cpp',
     'nsNSSDialogs.cpp',
     'nsPKIModule.cpp',
     'nsPKIParamBlock.cpp',
 ]
 
 FAIL_ON_WARNINGS = True
 
deleted file mode 100644
--- a/security/manager/pki/src/nsFormSigningDialog.cpp
+++ /dev/null
@@ -1,91 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "nsFormSigningDialog.h"
-#include "nsNSSDialogHelper.h"
-#include "nsCOMPtr.h"
-#include "nsIDialogParamBlock.h"
-#include "nsIComponentManager.h"
-#include "nsIServiceManager.h"
-#include "nsIInterfaceRequestor.h"
-#include "nsIInterfaceRequestorUtils.h"
-#include "nsLiteralString.h"
-#include "nsXPIDLString.h"
-
-nsFormSigningDialog::nsFormSigningDialog()
-{
-}
-
-nsFormSigningDialog::~nsFormSigningDialog()
-{
-}
-
-NS_IMPL_ISUPPORTS(nsFormSigningDialog, nsIFormSigningDialog)
-
-NS_IMETHODIMP
-nsFormSigningDialog::ConfirmSignText(nsIInterfaceRequestor *aContext, 
-                                     const nsAString &aHost,
-                                     const nsAString &aSignText,
-                                     const char16_t **aCertNickList,
-                                     const char16_t **aCertDetailsList,
-                                     uint32_t aCount, int32_t *aSelectedIndex,
-                                     nsAString &aPassword, bool *aCanceled) 
-{
-  *aCanceled = true;
-
-  // Get the parent window for the dialog
-  nsCOMPtr<nsIDOMWindow> parent = do_GetInterface(aContext);
-
-  nsresult rv;
-  nsCOMPtr<nsIDialogParamBlock> block =
-    do_CreateInstance(NS_DIALOGPARAMBLOCK_CONTRACTID, &rv);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  block->SetNumberStrings(3 + aCount * 2);
-
-  rv = block->SetString(0, PromiseFlatString(aHost).get());
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  rv = block->SetString(1, PromiseFlatString(aSignText).get());
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  uint32_t i;
-  for (i = 0; i < aCount; ++i) {
-    rv = block->SetString(2 + 2 * i, aCertNickList[i]);
-    NS_ENSURE_SUCCESS(rv, rv);
-
-    rv = block->SetString(2 + (2 * i + 1), aCertDetailsList[i]);
-    NS_ENSURE_SUCCESS(rv, rv);
-  }
-
-  rv = block->SetInt(0, aCount);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  rv = nsNSSDialogHelper::openDialog(parent,
-                                     "chrome://pippki/content/formsigning.xul",
-                                     block);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  int32_t status;
-  rv = block->GetInt(0, &status);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  if (status == 0) {
-    *aCanceled = true;
-  }
-  else {
-    *aCanceled = false;
-
-    rv = block->GetInt(1, aSelectedIndex);
-    NS_ENSURE_SUCCESS(rv, rv);
-
-    nsXPIDLString pw;
-    rv = block->GetString(0, getter_Copies(pw));
-    NS_ENSURE_SUCCESS(rv, rv);
-
-    aPassword = pw;
-  }
-
-  return NS_OK;
-}
deleted file mode 100644
--- a/security/manager/pki/src/nsFormSigningDialog.h
+++ /dev/null
@@ -1,26 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef __NS_NSFORMSIGNINGDIALOG_H__
-#define __NS_NSFORMSIGNINGDIALOG_H__
-
-#include "nsIFormSigningDialog.h"
-#include "mozilla/Attributes.h"
-
-#define NS_FORMSIGNINGDIALOG_CID \
-  { 0xa4bd2161, 0x7892, 0x4389, \
-    { 0x8d, 0x5a, 0x31, 0x11, 0xa6, 0xd1, 0x7e, 0xc7 }}
-
-class nsFormSigningDialog MOZ_FINAL : public nsIFormSigningDialog
-{
-private:
-  ~nsFormSigningDialog();
-public:
-  nsFormSigningDialog();
-
-  NS_DECL_THREADSAFE_ISUPPORTS
-  NS_DECL_NSIFORMSIGNINGDIALOG
-};
-
-#endif
--- a/security/manager/pki/src/nsPKIModule.cpp
+++ b/security/manager/pki/src/nsPKIModule.cpp
@@ -4,48 +4,43 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "mozilla/ModuleUtils.h"
 
 #include "nsNSSDialogs.h"
 #include "nsPKIParamBlock.h"
 #include "nsASN1Tree.h"
-#include "nsFormSigningDialog.h"
 
 NS_GENERIC_FACTORY_CONSTRUCTOR_INIT(nsNSSDialogs, Init)
 NS_GENERIC_FACTORY_CONSTRUCTOR_INIT(nsPKIParamBlock, Init)
 NS_GENERIC_FACTORY_CONSTRUCTOR(nsNSSASN1Tree)
-NS_GENERIC_FACTORY_CONSTRUCTOR(nsFormSigningDialog)
 
 NS_DEFINE_NAMED_CID(NS_NSSDIALOGS_CID);
 NS_DEFINE_NAMED_CID(NS_NSSASN1OUTINER_CID);
 NS_DEFINE_NAMED_CID(NS_PKIPARAMBLOCK_CID);
-NS_DEFINE_NAMED_CID(NS_FORMSIGNINGDIALOG_CID);
 
 
 static const mozilla::Module::CIDEntry kPKICIDs[] = {
   { &kNS_NSSDIALOGS_CID, false, nullptr, nsNSSDialogsConstructor },
   { &kNS_NSSASN1OUTINER_CID, false, nullptr, nsNSSASN1TreeConstructor },
   { &kNS_PKIPARAMBLOCK_CID, false, nullptr, nsPKIParamBlockConstructor },
-  { &kNS_FORMSIGNINGDIALOG_CID, false, nullptr, nsFormSigningDialogConstructor },
   { nullptr }
 };
 
 static const mozilla::Module::ContractIDEntry kPKIContracts[] = {
   { NS_TOKENPASSWORDSDIALOG_CONTRACTID, &kNS_NSSDIALOGS_CID },
   { NS_CERTIFICATEDIALOGS_CONTRACTID, &kNS_NSSDIALOGS_CID },
   { NS_CLIENTAUTHDIALOGS_CONTRACTID, &kNS_NSSDIALOGS_CID },
   { NS_CERTPICKDIALOGS_CONTRACTID, &kNS_NSSDIALOGS_CID },
   { NS_TOKENDIALOGS_CONTRACTID, &kNS_NSSDIALOGS_CID },
   { NS_DOMCRYPTODIALOGS_CONTRACTID, &kNS_NSSDIALOGS_CID },
   { NS_GENERATINGKEYPAIRINFODIALOGS_CONTRACTID, &kNS_NSSDIALOGS_CID },
   { NS_ASN1TREE_CONTRACTID, &kNS_NSSASN1OUTINER_CID },
   { NS_PKIPARAMBLOCK_CONTRACTID, &kNS_PKIPARAMBLOCK_CID },
-  { NS_FORMSIGNINGDIALOG_CONTRACTID, &kNS_FORMSIGNINGDIALOG_CID },
   { nullptr }
 };
 
 static const mozilla::Module kPKIModule = {
   mozilla::Module::kVersion,
   kPKICIDs,
   kPKIContracts
 };
deleted file mode 100644
--- a/security/manager/ssl/crashtests/327524-1.html
+++ /dev/null
@@ -1,10 +0,0 @@
-<html><head>
-<meta http-equiv="content-type" content="text/html; charset=UTF-8">
-
-<title>Testcase bug 327524 - Crash when using crypto.generateCRMFRequest(document.documentElement);</title>
-</head><body>
-This should not crash Mozilla
-<script>
-crypto.generateCRMFRequest(document.documentElement);
-</script>
-</body></html>
\ No newline at end of file
--- a/security/manager/ssl/crashtests/crashtests.list
+++ b/security/manager/ssl/crashtests/crashtests.list
@@ -1,2 +1,1 @@
-skip-if(browserIsRemote) asserts-if(browserIsRemote,0-1) load 327524-1.html # bug 582297, bug 918119
 asserts-if(browserIsRemote,1) load 398665-1.html # bug 582297
--- a/security/manager/ssl/public/moz.build
+++ b/security/manager/ssl/public/moz.build
@@ -12,17 +12,16 @@ XPIDL_SOURCES += [
     'nsIBadCertListener2.idl',
     'nsICertificateDialogs.idl',
     'nsICertificatePrincipal.idl',
     'nsICertOverrideService.idl',
     'nsICertPickDialogs.idl',
     'nsIClientAuthDialogs.idl',
     'nsIDataSignatureVerifier.idl',
     'nsIDOMCryptoDialogs.idl',
-    'nsIFormSigningDialog.idl',
     'nsIGenKeypairInfoDlg.idl',
     'nsIIdentityInfo.idl',
     'nsIKeygenThread.idl',
     'nsIKeyModule.idl',
     'nsINSSCertCache.idl',
     'nsINSSVersion.idl',
     'nsIPK11Token.idl',
     'nsIPK11TokenDB.idl',
deleted file mode 100644
--- a/security/manager/ssl/public/nsIFormSigningDialog.idl
+++ /dev/null
@@ -1,39 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "nsISupports.idl"
-
-interface nsIInterfaceRequestor;
-
-/**
- * nsIFormSigningDialog
- * Provides UI for form signing.
- */
-[scriptable, uuid(4fe04d6d-4b66-4023-a0bc-b43ce68b3e15)]
-interface nsIFormSigningDialog : nsISupports
-{
-  /**
-   *  confirmSignText
-   *    UI shown when a web site calls crypto.signText,
-   *    asking the user to confirm the confirm the signing request.
-   *
-   *  returns true if the user confirmed, false on cancel
-   */
-  boolean confirmSignText(in nsIInterfaceRequestor ctxt,
-                          in AString host,
-                          in AString signText,
-                          [array, size_is(count)] in wstring certNickList,
-                          [array, size_is(count)] in wstring certDetailsList,
-                          in uint32_t count,
-                          out int32_t selectedIndex,
-                          out AString password);
-};
-
-/**
- * NS_FORMSIGNINGDIALOG_CONTRACTID - contract id to obtain an instance
- *   that implements nsIFormSigningDialog.
- */
-%{C++
-#define NS_FORMSIGNINGDIALOG_CONTRACTID "@mozilla.org/nsFormSigningDialog;1"
-%}
--- a/security/manager/ssl/src/moz.build
+++ b/security/manager/ssl/src/moz.build
@@ -68,17 +68,17 @@ SOURCES += [
 SOURCES += [
     'nsCryptoHash.cpp',
     'nsNSSCertificateDB.cpp',
     'nsNSSComponent.cpp',
     'nsNSSVersion.cpp',
     'PSMContentListener.cpp',
 ]
 
-if not CONFIG['MOZ_DISABLE_CRYPTOLEGACY']:
+if not CONFIG['MOZ_NO_SMART_CARDS']:
     SOURCES += [
         'nsSmartCardMonitor.cpp',
     ]
 
 if CONFIG['MOZ_XUL']:
     SOURCES += [
         'nsCertTree.cpp',
     ]
--- a/security/manager/ssl/src/nsCrypto.cpp
+++ b/security/manager/ssl/src/nsCrypto.cpp
@@ -9,2818 +9,25 @@
 
 #include "nsReadableUtils.h"
 #include "nsCRT.h"
 #include "nsXPIDLString.h"
 #include "nsISaveAsCharset.h"
 #include "nsNativeCharsetUtils.h"
 #include "nsServiceManagerUtils.h"
 
-#ifndef MOZ_DISABLE_CRYPTOLEGACY
-#include "mozilla/dom/ScriptSettings.h"
-#include "nsKeygenHandler.h"
-#include "nsKeygenThread.h"
-#include "nsNSSCertificate.h"
-#include "nsNSSCertificateDB.h"
-#include "nsPKCS12Blob.h"
-#include "nsPK11TokenDB.h"
-#include "nsThreadUtils.h"
-#include "nsIServiceManager.h"
-#include "nsIMemory.h"
-#include "nsAlgorithm.h"
-#include "prprf.h"
-#include "nsDOMCID.h"
-#include "nsIDOMWindow.h"
-#include "nsIDOMClassInfo.h"
-#include "nsIDOMDocument.h"
-#include "nsIDocument.h"
-#include "nsIScriptObjectPrincipal.h"
-#include "nsIScriptContext.h"
-#include "nsIGlobalObject.h"
-#include "nsContentUtils.h"
-#include "nsCxPusher.h"
-#include "nsDOMJSUtils.h"
-#include "nsJSUtils.h"
-#include "nsIXPConnect.h"
-#include "nsIRunnable.h"
-#include "nsIWindowWatcher.h"
-#include "nsIPrompt.h"
-#include "nsIFilePicker.h"
-#include "nsJSPrincipals.h"
-#include "nsJSUtils.h"
-#include "nsIPrincipal.h"
-#include "nsIScriptSecurityManager.h"
-#include "nsIGenKeypairInfoDlg.h"
-#include "nsIDOMCryptoDialogs.h"
-#include "nsIFormSigningDialog.h"
-#include "nsIContentSecurityPolicy.h"
-#include "nsIURI.h"
-#include "jsapi.h"
-#include "js/OldDebugAPI.h"
-#include <ctype.h>
-#include "pk11func.h"
-#include "keyhi.h"
-#include "cryptohi.h"
-#include "seccomon.h"
-#include "secerr.h"
-#include "sechash.h"
-#include "crmf.h"
-#include "pk11pqg.h"
-#include "cmmf.h"
-#include "nssb64.h"
-#include "base64.h"
-#include "cert.h"
-#include "certdb.h"
-#include "secmod.h"
-#include "ScopedNSSTypes.h"
-#include "pkix/pkixtypes.h"
-
-#include "ssl.h" // For SSL_ClearSessionCache
-
-#include "nsNSSCleaner.h"
-
-#include "nsNSSCertHelper.h"
-#include <algorithm>
-#include "nsWrapperCacheInlines.h"
-#endif
-#ifndef MOZ_DISABLE_CRYPTOLEGACY
-#include "mozilla/dom/CRMFObjectBinding.h"
-#endif
-
-using namespace mozilla;
-using namespace mozilla::dom;
-
-/*
- * These are the most common error strings that are returned
- * by the JavaScript methods in case of error.
- */
-
-#define JS_ERROR       "error:"
-#define JS_ERROR_INTERNAL  JS_ERROR"internalError"
-
-#undef REPORT_INCORRECT_NUM_ARGS
-
-#define JS_OK_ADD_MOD                      3
-#define JS_OK_DEL_EXTERNAL_MOD             2
-#define JS_OK_DEL_INTERNAL_MOD             1
-
-#define JS_ERR_INTERNAL                   -1
-#define JS_ERR_USER_CANCEL_ACTION         -2
-#define JS_ERR_INCORRECT_NUM_OF_ARGUMENTS -3
-#define JS_ERR_DEL_MOD                    -4
-#define JS_ERR_ADD_MOD                    -5
-#define JS_ERR_BAD_MODULE_NAME            -6
-#define JS_ERR_BAD_DLL_NAME               -7
-#define JS_ERR_BAD_MECHANISM_FLAGS        -8
-#define JS_ERR_BAD_CIPHER_ENABLE_FLAGS    -9
-#define JS_ERR_ADD_DUPLICATE_MOD          -10
-
-#ifndef MOZ_DISABLE_CRYPTOLEGACY
-
-NSSCleanupAutoPtrClass_WithParam(PK11Context, PK11_DestroyContext, TrueParam, true)
-
-/*
- * This structure is used to store information for one key generation.
- * The nsCrypto::GenerateCRMFRequest method parses the inputs and then
- * stores one of these structures for every key generation that happens.
- * The information stored in this structure is then used to set some
- * values in the CRMF request.
- */
-typedef enum {
-  rsaEnc, rsaDualUse, rsaSign, rsaNonrepudiation, rsaSignNonrepudiation,
-  ecEnc, ecDualUse, ecSign, ecNonrepudiation, ecSignNonrepudiation,
-  dhEx, dsaSignNonrepudiation, dsaSign, dsaNonrepudiation, invalidKeyGen
-} nsKeyGenType;
-
-bool isECKeyGenType(nsKeyGenType kgt)
-{
-  switch (kgt)
-  {
-    case ecEnc:
-    case ecDualUse:
-    case ecSign:
-    case ecNonrepudiation:
-    case ecSignNonrepudiation:
-      return true;
-    
-    default:
-      break;
-  }
-
-  return false;
-}
-
-typedef struct nsKeyPairInfoStr {
-  SECKEYPublicKey  *pubKey;     /* The putlic key associated with gen'd 
-                                   priv key. */
-  SECKEYPrivateKey *privKey;    /* The private key we generated */ 
-  nsKeyGenType      keyGenType; /* What type of key gen are we doing.*/
-
-  CERTCertificate *ecPopCert;
-                   /* null: use signing for pop
-                      other than null: a cert that defines EC keygen params
-                                       and will be used for dhMac PoP. */
-
-  SECKEYPublicKey  *ecPopPubKey;
-                   /* extracted public key from ecPopCert */
-} nsKeyPairInfo;
-
-
-//This class is just used to pass arguments
-//to the nsCryptoRunnable event.
-class nsCryptoRunArgs : public nsISupports {
-public:
-  nsCryptoRunArgs();
-  nsCOMPtr<nsIGlobalObject> m_globalObject;
-  nsXPIDLCString m_jsCallback;
-  NS_DECL_ISUPPORTS
-protected:
-  virtual ~nsCryptoRunArgs();
-};
-
-//This class is used to run the callback code
-//passed to crypto.generateCRMFRequest
-//We have to do that for backwards compatibility
-//reasons w/ PSM 1.x and Communciator 4.x
-class nsCryptoRunnable : public nsIRunnable {
-public:
-  nsCryptoRunnable(nsCryptoRunArgs *args);
-
-  NS_IMETHOD Run ();
-  NS_DECL_ISUPPORTS
-private:
-  virtual ~nsCryptoRunnable();
-
-  nsCryptoRunArgs *m_args;
-};
-
-//We're going to inherit the memory passed
-//into us.
-//This class backs up an array of certificates
-//as an event.
-class nsP12Runnable : public nsIRunnable {
-public:
-  nsP12Runnable(nsIX509Cert **certArr, int32_t numCerts, nsIPK11Token *token);
-
-  NS_IMETHOD Run();
-  NS_DECL_ISUPPORTS
-protected:
-  virtual ~nsP12Runnable();
-private:
-  nsCOMPtr<nsIPK11Token> mToken;
-  nsIX509Cert **mCertArr;
-  int32_t       mNumCerts;
-};
-
-// QueryInterface implementation for nsCrypto
-NS_INTERFACE_MAP_BEGIN(nsCrypto)
-  NS_INTERFACE_MAP_ENTRY(nsIDOMCrypto)
-NS_INTERFACE_MAP_END_INHERITING(mozilla::dom::Crypto)
-
-NS_IMPL_ADDREF_INHERITED(nsCrypto, mozilla::dom::Crypto)
-NS_IMPL_RELEASE_INHERITED(nsCrypto, mozilla::dom::Crypto)
-
 // QueryInterface implementation for nsPkcs11
-#endif // MOZ_DISABLE_CRYPTOLEGACY
-
 NS_INTERFACE_MAP_BEGIN(nsPkcs11)
   NS_INTERFACE_MAP_ENTRY(nsIPKCS11)
   NS_INTERFACE_MAP_ENTRY(nsISupports)
 NS_INTERFACE_MAP_END
 
 NS_IMPL_ADDREF(nsPkcs11)
 NS_IMPL_RELEASE(nsPkcs11)
 
-#ifndef MOZ_DISABLE_CRYPTOLEGACY
-
-// ISupports implementation for nsCryptoRunnable
-NS_IMPL_ISUPPORTS(nsCryptoRunnable, nsIRunnable)
-
-// ISupports implementation for nsP12Runnable
-NS_IMPL_ISUPPORTS(nsP12Runnable, nsIRunnable)
-
-// ISupports implementation for nsCryptoRunArgs
-NS_IMPL_ISUPPORTS0(nsCryptoRunArgs)
-
-nsCrypto::nsCrypto() :
-  mEnableSmartCardEvents(false)
-{
-}
-
-nsCrypto::~nsCrypto()
-{
-}
-
-void
-nsCrypto::Init(nsIDOMWindow* aWindow)
-{
-  mozilla::dom::Crypto::Init(aWindow);
-}
-
-void
-nsCrypto::SetEnableSmartCardEvents(bool aEnable, ErrorResult& aRv)
-{
-  NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
-
-  nsresult rv = NS_OK;
-
-  // this has the side effect of starting the nssComponent (and initializing
-  // NSS) even if it isn't already going. Starting the nssComponent is a
-  // prerequisite for getting smartCard events.
-  if (aEnable) {
-    nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv));
-  }
-
-  if (NS_FAILED(rv)) {
-    aRv.Throw(rv);
-    return;
-  }
-
-  mEnableSmartCardEvents = aEnable;
-}
-
-NS_IMETHODIMP
-nsCrypto::SetEnableSmartCardEvents(bool aEnable)
-{
-  ErrorResult rv;
-  SetEnableSmartCardEvents(aEnable, rv);
-  return rv.ErrorCode();
-}
-
-bool
-nsCrypto::EnableSmartCardEvents()
-{
-  return mEnableSmartCardEvents;
-}
-
-NS_IMETHODIMP
-nsCrypto::GetEnableSmartCardEvents(bool *aEnable)
-{
-  *aEnable = EnableSmartCardEvents();
-  return NS_OK;
-}
-
-//A quick function to let us know if the key we're trying to generate
-//can be escrowed.
-static bool
-ns_can_escrow(nsKeyGenType keyGenType)
-{
-  /* For now, we only escrow rsa-encryption and ec-encryption keys. */
-  return (bool)(keyGenType == rsaEnc || keyGenType == ecEnc);
-}
-
-//Retrieve crypto.version so that callers know what
-//version of PSM this is.
-void
-nsCrypto::GetVersion(nsString& aVersion)
-{
-  aVersion.Assign(NS_LITERAL_STRING(PSM_VERSION_STRING));
-}
-
-/*
- * Given an nsKeyGenType, return the PKCS11 mechanism that will
- * perform the correct key generation.
- */
-static uint32_t
-cryptojs_convert_to_mechanism(nsKeyGenType keyGenType)
-{
-  uint32_t retMech;
-
-  switch (keyGenType) {
-  case rsaEnc:
-  case rsaDualUse:
-  case rsaSign:
-  case rsaNonrepudiation:
-  case rsaSignNonrepudiation:
-    retMech = CKM_RSA_PKCS_KEY_PAIR_GEN;
-    break;
-  case ecEnc:
-  case ecDualUse:
-  case ecSign:
-  case ecNonrepudiation:
-  case ecSignNonrepudiation:
-    retMech = CKM_EC_KEY_PAIR_GEN;
-    break;
-  case dhEx:
-    retMech = CKM_DH_PKCS_KEY_PAIR_GEN;
-    break;
-  case dsaSign:
-  case dsaSignNonrepudiation:
-  case dsaNonrepudiation:
-    retMech = CKM_DSA_KEY_PAIR_GEN;
-    break;
-  default:
-    retMech = CKM_INVALID_MECHANISM;
-  }
-  return retMech;
-}
-
-/*
- * This function takes a string read through JavaScript parameters
- * and translates it to the internal enumeration representing the
- * key gen type. Leading and trailing whitespace must be already removed.
- */
-static nsKeyGenType
-cryptojs_interpret_key_gen_type(const nsAString& keyAlg)
-{
-  if (keyAlg.EqualsLiteral("rsa-ex")) {
-    return rsaEnc;
-  }
-  if (keyAlg.EqualsLiteral("rsa-dual-use")) {
-    return rsaDualUse;
-  }
-  if (keyAlg.EqualsLiteral("rsa-sign")) {
-    return rsaSign;
-  }
-  if (keyAlg.EqualsLiteral("rsa-sign-nonrepudiation")) {
-    return rsaSignNonrepudiation;
-  }
-  if (keyAlg.EqualsLiteral("rsa-nonrepudiation")) {
-    return rsaNonrepudiation;
-  }
-  if (keyAlg.EqualsLiteral("ec-ex")) {
-    return ecEnc;
-  }
-  if (keyAlg.EqualsLiteral("ec-dual-use")) {
-    return ecDualUse;
-  }
-  if (keyAlg.EqualsLiteral("ec-sign")) {
-    return ecSign;
-  }
-  if (keyAlg.EqualsLiteral("ec-sign-nonrepudiation")) {
-    return ecSignNonrepudiation;
-  }
-  if (keyAlg.EqualsLiteral("ec-nonrepudiation")) {
-    return ecNonrepudiation;
-  }
-  if (keyAlg.EqualsLiteral("dsa-sign-nonrepudiation")) {
-    return dsaSignNonrepudiation;
-  }
-  if (keyAlg.EqualsLiteral("dsa-sign")) {
-    return dsaSign;
-  }
-  if (keyAlg.EqualsLiteral("dsa-nonrepudiation")) {
-    return dsaNonrepudiation;
-  }
-  if (keyAlg.EqualsLiteral("dh-ex")) {
-    return dhEx;
-  }
-  return invalidKeyGen;
-}
-
-/* 
- * input: null terminated char* pointing to (the remainder of) an
- * EC key param string.
- *
- * bool return value, false means "no more name=value pair found",
- *                    true means "found, see out params"
- * 
- * out param name: char * pointing to name (not zero terminated)
- * out param name_len: length of found name
- * out param value: char * pointing to value (not zero terminated)
- * out param value_len: length of found value
- * out param next_pair: to be used for a follow up call to this function
- */
-
-bool getNextNameValueFromECKeygenParamString(char *input,
-                                               char *&name,
-                                               int &name_len,
-                                               char *&value,
-                                               int &value_len,
-                                               char *&next_call)
-{
-  if (!input || !*input)
-    return false;
-
-  // we allow leading ; and leading space in front of each name value pair
-
-  while (*input && *input == ';')
-    ++input;
-
-  while (*input && *input == ' ')
-    ++input;
-
-  name = input;
-
-  while (*input && *input != '=')
-    ++input;
-
-  if (*input != '=')
-    return false;
-
-  name_len = input - name;
-  ++input;
-
-  value = input;
-
-  while (*input && *input != ';')
-    ++input;
-
-  value_len = input - value;
-  next_call = input;
-
-  return true;
-}
-
-//Take the string passed into us via crypto.generateCRMFRequest
-//as the keygen type parameter and convert it to parameters 
-//we can actually pass to the PKCS#11 layer.
-static void*
-nsConvertToActualKeyGenParams(uint32_t keyGenMech, char *params,
-                              uint32_t paramLen, int32_t keySize,
-                              nsKeyPairInfo *keyPairInfo)
-{
-  void *returnParams = nullptr;
-
-
-  switch (keyGenMech) {
-  case CKM_RSA_PKCS_KEY_PAIR_GEN:
-  {
-    // For RSA, we don't support passing in key generation arguments from
-    // the JS code just yet.
-    if (params)
-      return nullptr;
-
-    PK11RSAGenParams *rsaParams;
-    rsaParams = static_cast<PK11RSAGenParams*>
-                           (nsMemory::Alloc(sizeof(PK11RSAGenParams)));
-                              
-    if (!rsaParams) {
-      return nullptr;
-    }
-    /* I'm just taking the same parameters used in 
-     * certdlgs.c:GenKey
-     */
-    if (keySize > 0) {
-      rsaParams->keySizeInBits = keySize;
-    } else {
-      rsaParams->keySizeInBits = 1024;
-    }
-    rsaParams->pe = DEFAULT_RSA_KEYGEN_PE;
-    returnParams = rsaParams;
-    break;
-  }
-  case CKM_EC_KEY_PAIR_GEN:
-  {
-    /*
-     * keygen params for generating EC keys must be composed of name=value pairs,
-     * multiple pairs allowed, separated using semicolon ;
-     *
-     * Either param "curve" or param "popcert" must be specified.
-     * curve=name-of-curve
-     * popcert=base64-encoded-cert
-     *
-     * When both params are specified, popcert will be used.
-     * If no popcert param is given, or if popcert can not be decoded,
-     * we will fall back to the curve param.
-     *
-     * Additional name=value pairs may be defined in the future.
-     *
-     * If param popcert is present and valid, the given certificate will be used
-     * to determine the key generation params. In addition the certificate
-     * will be used to produce a dhMac based Proof of Posession,
-     * using the cert's public key, subject and issuer names,
-     * as specified in RFC 2511 section 4.3 paragraph 2 and Appendix A.
-     *
-     * If neither param popcert nor param curve could be used,
-     * tse a curve based on the keysize param.
-     * NOTE: Here keysize is used only as an indication of
-     * High/Medium/Low strength; elliptic curve
-     * cryptography uses smaller keys than RSA to provide
-     * equivalent security.
-     */
-
-    char *curve = nullptr;
-
-    {
-      // extract components of name=value list
-
-      char *next_input = params;
-      char *name = nullptr;
-      char *value = nullptr;
-      int name_len = 0;
-      int value_len = 0;
-  
-      while (getNextNameValueFromECKeygenParamString(
-              next_input, name, name_len, value, value_len,
-              next_input))
-      {
-        // use only the first specified curve
-        if (!curve && PL_strncmp(name, "curve", std::min(name_len, 5)) == 0)
-        {
-          curve = PL_strndup(value, value_len);
-        }
-        // use only the first specified popcert
-        else if (!keyPairInfo->ecPopCert &&
-                 PL_strncmp(name, "popcert", std::min(name_len, 7)) == 0)
-        {
-          char *certstr = PL_strndup(value, value_len);
-          if (certstr) {
-            keyPairInfo->ecPopCert = CERT_ConvertAndDecodeCertificate(certstr);
-            PL_strfree(certstr);
-
-            if (keyPairInfo->ecPopCert)
-            {
-              keyPairInfo->ecPopPubKey = CERT_ExtractPublicKey(keyPairInfo->ecPopCert);
-            }
-          }
-        }
-      }
-    }
-
-    // first try to use the params of the provided CA cert
-    if (keyPairInfo->ecPopPubKey && keyPairInfo->ecPopPubKey->keyType == ecKey)
-    {
-      returnParams = SECITEM_DupItem(&keyPairInfo->ecPopPubKey->u.ec.DEREncodedParams);
-    }
-
-    // if we did not yet find good params, do we have a curve name?
-    if (!returnParams && curve)
-    {
-      returnParams = decode_ec_params(curve);
-    }
-
-    // if we did not yet find good params, do something based on keysize
-    if (!returnParams)
-    {
-      switch (keySize) {
-      case 512:
-      case 1024:
-          returnParams = decode_ec_params("secp256r1");
-          break;
-      case 2048:
-      default:
-          returnParams = decode_ec_params("secp384r1");
-          break;
-      }
-    }
-
-    if (curve)
-      PL_strfree(curve);
-
-    break;
-  }
-  case CKM_DSA_KEY_PAIR_GEN:
-  {
-    // For DSA, we don't support passing in key generation arguments from
-    // the JS code just yet.
-    if (params)
-      return nullptr;
-
-    PQGParams *pqgParams = nullptr;
-    PQGVerify *vfy = nullptr;
-    SECStatus  rv;
-    int        index;
-       
-    index = PQG_PBITS_TO_INDEX(keySize);
-    if (index == -1) {
-      returnParams = nullptr;
-      break;
-    }
-    rv = PK11_PQG_ParamGen(0, &pqgParams, &vfy);
-    if (vfy) {
-      PK11_PQG_DestroyVerify(vfy);
-    }
-    if (rv != SECSuccess) {
-      if (pqgParams) {
-        PK11_PQG_DestroyParams(pqgParams);
-      }
-      return nullptr;
-    }
-    returnParams = pqgParams;
-    break;
-  }
-  default:
-    returnParams = nullptr;
-  }
-  return returnParams;
-}
-
-//We need to choose which PKCS11 slot we're going to generate
-//the key on.  Calls the default implementation provided by
-//nsKeygenHandler.cpp
-static PK11SlotInfo*
-nsGetSlotForKeyGen(nsKeyGenType keyGenType, nsIInterfaceRequestor *ctx)
-{
-  nsNSSShutDownPreventionLock locker;
-  uint32_t mechanism = cryptojs_convert_to_mechanism(keyGenType);
-  PK11SlotInfo *slot = nullptr;
-  nsresult rv = GetSlotWithMechanism(mechanism,ctx, &slot);
-  if (NS_FAILED(rv)) {
-    if (slot)
-      PK11_FreeSlot(slot);
-    slot = nullptr;
-  }
-  return slot;
-}
-
-//Free the parameters that were passed into PK11_GenerateKeyPair
-//depending on the mechanism type used.
-static void
-nsFreeKeyGenParams(CK_MECHANISM_TYPE keyGenMechanism, void *params)
-{
-  switch (keyGenMechanism) {
-  case CKM_RSA_PKCS_KEY_PAIR_GEN:
-    nsMemory::Free(params);
-    break;
-  case CKM_EC_KEY_PAIR_GEN:
-    SECITEM_FreeItem(reinterpret_cast<SECItem*>(params), true);
-    break;
-  case CKM_DSA_KEY_PAIR_GEN:
-    PK11_PQG_DestroyParams(static_cast<PQGParams*>(params));
-    break;
-  }
-}
-
-//Function that is used to generate a single key pair.
-//Once all the arguments have been parsed and processed, this
-//function gets called and takes care of actually generating
-//the key pair passing the appopriate parameters to the NSS
-//functions.
-static nsresult
-cryptojs_generateOneKeyPair(JSContext *cx, nsKeyPairInfo *keyPairInfo, 
-                            int32_t keySize, char *params, 
-                            nsIInterfaceRequestor *uiCxt,
-                            PK11SlotInfo *slot, bool willEscrow)
-                            
-{
-  const PK11AttrFlags sensitiveFlags = (PK11_ATTR_SENSITIVE | PK11_ATTR_PRIVATE);
-  const PK11AttrFlags temporarySessionFlags = PK11_ATTR_SESSION;
-  const PK11AttrFlags permanentTokenFlags = PK11_ATTR_TOKEN;
-  const PK11AttrFlags extractableFlags = PK11_ATTR_EXTRACTABLE;
-  
-  nsIGeneratingKeypairInfoDialogs * dialogs;
-  nsKeygenThread *KeygenRunnable = 0;
-  nsCOMPtr<nsIKeygenThread> runnable;
-
-  uint32_t mechanism = cryptojs_convert_to_mechanism(keyPairInfo->keyGenType);
-  void *keyGenParams = nsConvertToActualKeyGenParams(mechanism, params, 
-                                                     (params) ? strlen(params):0, 
-                                                     keySize, keyPairInfo);
-
-  if (!keyGenParams || !slot) {
-    return NS_ERROR_INVALID_ARG;
-  }
-
-  // Make sure the token has password already set on it before trying
-  // to generate the key.
-
-  nsresult rv = setPassword(slot, uiCxt);
-  if (NS_FAILED(rv))
-    return rv;
-
-  if (PK11_Authenticate(slot, true, uiCxt) != SECSuccess)
-    return NS_ERROR_FAILURE;
- 
-  // Smart cards will not let you extract a private key once 
-  // it is on the smart card.  If we've been told to escrow
-  // a private key that will be stored on a smart card,
-  // then we'll use the following strategy to ensure we can escrow it.
-  // We'll attempt to generate the key on our internal token,
-  // because this is expected to avoid some problems.
-  // If it works, we'll escrow, move the key to the smartcard, done.
-  // If it didn't work (or the internal key doesn't support the desired
-  // mechanism), then we'll attempt to generate the key on
-  // the destination token, with the EXTRACTABLE flag set.
-  // If it works, we'll extract, escrow, done.
-  // If it failed, then we're unable to escrow and return failure.
-  // NOTE: We call PK11_GetInternalSlot instead of PK11_GetInternalKeySlot
-  //       so that the key has zero chance of being store in the
-  //       user's key3.db file.  Which the slot returned by
-  //       PK11_GetInternalKeySlot has access to and PK11_GetInternalSlot
-  //       does not.
-  ScopedPK11SlotInfo intSlot;
-  
-  if (willEscrow && !PK11_IsInternal(slot)) {
-    intSlot = PK11_GetInternalSlot();
-    NS_ASSERTION(intSlot,"Couldn't get the internal slot");
-    
-    if (!PK11_DoesMechanism(intSlot, mechanism)) {
-      // Set to null, and the subsequent code will not attempt to use it.
-      intSlot = nullptr;
-    }
-  }
-
-  rv = getNSSDialogs((void**)&dialogs,
-                     NS_GET_IID(nsIGeneratingKeypairInfoDialogs),
-                     NS_GENERATINGKEYPAIRINFODIALOGS_CONTRACTID);
-
-  if (NS_SUCCEEDED(rv)) {
-    KeygenRunnable = new nsKeygenThread();
-    if (KeygenRunnable) {
-      NS_ADDREF(KeygenRunnable);
-    }
-  }
-  
-  // "firstAttemptSlot" and "secondAttemptSlot" are alternative names
-  // for better code readability, we don't increase the reference counts.
-  
-  PK11SlotInfo *firstAttemptSlot = nullptr;
-  PK11AttrFlags firstAttemptFlags = 0;
-
-  PK11SlotInfo *secondAttemptSlot = slot;
-  PK11AttrFlags secondAttemptFlags = sensitiveFlags | permanentTokenFlags;
-  
-  if (willEscrow) {
-    secondAttemptFlags |= extractableFlags;
-  }
-  
-  if (!intSlot || PK11_IsInternal(slot)) {
-    // if we cannot use the internal slot, then there is only one attempt
-    // if the destination slot is the internal slot, then there is only one attempt
-    firstAttemptSlot = secondAttemptSlot;
-    firstAttemptFlags = secondAttemptFlags;
-    secondAttemptSlot = nullptr;
-    secondAttemptFlags = 0;
-  }
-  else {
-    firstAttemptSlot = intSlot;
-    firstAttemptFlags = sensitiveFlags | temporarySessionFlags;
-    
-    // We always need the extractable flag on the first attempt,
-    // because we want to move the key to another slot - ### is this correct?
-    firstAttemptFlags |= extractableFlags;
-  }
-
-  bool mustMoveKey = false;
-  
-  if (NS_FAILED(rv) || !KeygenRunnable) {
-    /* execute key generation on this thread */
-    rv = NS_OK;
-    
-    keyPairInfo->privKey = 
-      PK11_GenerateKeyPairWithFlags(firstAttemptSlot, mechanism,
-                                    keyGenParams, &keyPairInfo->pubKey,
-                                    firstAttemptFlags, uiCxt);
-    
-    if (keyPairInfo->privKey) {
-      // success on first attempt
-      if (secondAttemptSlot) {
-        mustMoveKey = true;
-      }
-    }
-    else {
-      keyPairInfo->privKey = 
-        PK11_GenerateKeyPairWithFlags(secondAttemptSlot, mechanism,
-                                      keyGenParams, &keyPairInfo->pubKey,
-                                      secondAttemptFlags, uiCxt);
-    }
-    
-  } else {
-    /* execute key generation on separate thread */
-    KeygenRunnable->SetParams( firstAttemptSlot, firstAttemptFlags,
-                               secondAttemptSlot, secondAttemptFlags,
-                               mechanism, keyGenParams, uiCxt );
-
-    runnable = do_QueryInterface(KeygenRunnable);
-
-    if (runnable) {
-      {
-        nsPSMUITracker tracker;
-        if (tracker.isUIForbidden()) {
-          rv = NS_ERROR_NOT_AVAILABLE;
-        }
-        else {
-          rv = dialogs->DisplayGeneratingKeypairInfo(uiCxt, runnable);
-          // We call join on the thread, 
-          // so we can be sure that no simultaneous access to the passed parameters will happen.
-          KeygenRunnable->Join();
-        }
-      }
-
-      NS_RELEASE(dialogs);
-      if (NS_SUCCEEDED(rv)) {
-        PK11SlotInfo *used_slot = nullptr;
-        rv = KeygenRunnable->ConsumeResult(&used_slot, 
-                                           &keyPairInfo->privKey, &keyPairInfo->pubKey);
-
-        if (NS_SUCCEEDED(rv)) {
-          if ((used_slot == firstAttemptSlot) && secondAttemptSlot) {
-            mustMoveKey = true;
-          }
-        
-          if (used_slot) {
-            PK11_FreeSlot(used_slot);
-          }
-        }
-      }
-    }
-  }
-
-  firstAttemptSlot = nullptr;
-  secondAttemptSlot = nullptr;
-  
-  nsFreeKeyGenParams(mechanism, keyGenParams);
-
-  if (KeygenRunnable) {
-    NS_RELEASE(KeygenRunnable);
-  }
-
-  if (!keyPairInfo->privKey || !keyPairInfo->pubKey) {
-    return NS_ERROR_FAILURE;
-  }
- 
-  //If we generated the key pair on the internal slot because the
-  // keys were going to be escrowed, move the keys over right now.
-  if (mustMoveKey) {
-    ScopedSECKEYPrivateKey newPrivKey(PK11_LoadPrivKey(slot,
-                                                    keyPairInfo->privKey,
-                                                    keyPairInfo->pubKey,
-                                                    true, true));
-    if (!newPrivKey)
-      return NS_ERROR_FAILURE;
-
-    // The private key is stored on the selected slot now, and the copy we
-    // ultimately use for escrowing when the time comes lives 
-    // in the internal slot.  We will delete it from that slot
-    // after the requests are made.
-  }  
-
-  return NS_OK;
-}
-
-/*
- * FUNCTION: cryptojs_ReadArgsAndGenerateKey
- * -------------------------------------
- * INPUTS:
- *  cx
- *    The JSContext associated with the execution of the corresponging
- *    crypto.generateCRMFRequest call
- *  argv
- *    A pointer to an array of JavaScript parameters passed to the
- *    method crypto.generateCRMFRequest.  The array should have the
- *    3 arguments keySize, "keyParams", and "keyGenAlg" mentioned in
- *    the definition of crypto.generateCRMFRequest at the following
- *    document http://docs.iplanet.com/docs/manuals/psm/11/cmcjavascriptapi.html 
- *  keyGenType
- *    A structure used to store the information about the newly created
- *    key pair.
- *  uiCxt
- *    An interface requestor that would be used to get an nsIPrompt
- *    if we need to ask the user for a password.
- *  slotToUse
- *    The PKCS11 slot to use for generating the key pair. If nullptr, then
- *    this function should select a slot that can do the key generation 
- *    from the keytype associted with the keyPairInfo, and pass it back to
- *    the caller so that subsequence key generations can use the same slot. 
- *  willEscrow
- *    If true, then that means we will try to escrow the generated
- *    private key when building the CRMF request.  If false, then
- *    we will not try to escrow the private key.
- *
- * NOTES:
- * This function takes care of reading a set of 3 parameters that define
- * one key generation.  The argv pointer should be one that originates
- * from the argv parameter passed in to the method nsCrypto::GenerateCRMFRequest.
- * The function interprets the argument in the first index as an integer and
- * passes that as the key size for the key generation-this parameter is
- * mandatory.  The second parameter is read in as a string.  This value can
- * be null in JavaScript world and everything will still work.  The third
- * parameter is a mandatory string that indicates what kind of key to generate.
- * There should always be 1-to-1 correspondence between the strings compared
- * in the function cryptojs_interpret_key_gen_type and the strings listed in
- * document at http://docs.iplanet.com/docs/manuals/psm/11/cmcjavascriptapi.html 
- * under the definition of the method generateCRMFRequest, for the parameter
- * "keyGenAlgN".  After reading the parameters, the function then 
- * generates the key pairs passing the parameters parsed from the JavaScript i
- * routine.  
- *
- * RETURN:
- * NS_OK if creating the Key was successful.  Any other return value
- * indicates an error.
- */
-
-static nsresult
-cryptojs_ReadArgsAndGenerateKey(JSContext *cx,
-                                JS::Value *argv,
-                                nsKeyPairInfo *keyGenType,
-                                nsIInterfaceRequestor *uiCxt,
-                                PK11SlotInfo **slot, bool willEscrow)
-{
-  JSString  *jsString;
-  JSAutoByteString params;
-  int    keySize;
-  nsresult  rv;
-
-  if (!argv[0].isInt32()) {
-    JS_ReportError(cx, "%s%s", JS_ERROR,
-                   "passed in non-integer for key size");
-    return NS_ERROR_FAILURE;
-  }
-  keySize = argv[0].toInt32();
-  if (!argv[1].isNull()) {
-    JS::Rooted<JS::Value> v(cx, argv[1]);
-    jsString = JS::ToString(cx, v);
-    NS_ENSURE_TRUE(jsString, NS_ERROR_OUT_OF_MEMORY);
-    argv[1] = STRING_TO_JSVAL(jsString);
-    params.encodeLatin1(cx, jsString);
-    NS_ENSURE_TRUE(!!params, NS_ERROR_OUT_OF_MEMORY);
-  }
-
-  if (argv[2].isNull()) {
-    JS_ReportError(cx,"%s%s", JS_ERROR,
-             "key generation type not specified");
-    return NS_ERROR_FAILURE;
-  }
-  JS::Rooted<JS::Value> v(cx, argv[2]);
-  jsString = JS::ToString(cx, v);
-  NS_ENSURE_TRUE(jsString, NS_ERROR_OUT_OF_MEMORY);
-  argv[2] = STRING_TO_JSVAL(jsString);
-  nsAutoJSString autoJSKeyGenAlg;
-  NS_ENSURE_TRUE(autoJSKeyGenAlg.init(cx, jsString), NS_ERROR_UNEXPECTED);
-  nsAutoString keyGenAlg(autoJSKeyGenAlg);
-  keyGenAlg.Trim("\r\n\t ");
-  keyGenType->keyGenType = cryptojs_interpret_key_gen_type(keyGenAlg);
-  if (keyGenType->keyGenType == invalidKeyGen) {
-    NS_LossyConvertUTF16toASCII keyGenAlgNarrow(autoJSKeyGenAlg);
-    JS_ReportError(cx, "%s%s%s", JS_ERROR,
-                   "invalid key generation argument:",
-                   keyGenAlgNarrow.get());
-    goto loser;
-  }
-  if (!*slot) {
-    *slot = nsGetSlotForKeyGen(keyGenType->keyGenType, uiCxt);
-    if (!*slot)
-      goto loser;
-  }
-
-  rv = cryptojs_generateOneKeyPair(cx,keyGenType,keySize,params.ptr(),uiCxt,
-                                   *slot,willEscrow);
-
-  if (rv != NS_OK) {
-    NS_LossyConvertUTF16toASCII keyGenAlgNarrow(autoJSKeyGenAlg);
-    JS_ReportError(cx,"%s%s%s", JS_ERROR,
-                   "could not generate the key for algorithm ",
-                   keyGenAlgNarrow.get());
-    goto loser;
-  }
-  return NS_OK;
-loser:
-  return NS_ERROR_FAILURE;
-}
-
-//Utility funciton to free up the memory used by nsKeyPairInfo
-//arrays.
-static void
-nsFreeKeyPairInfo(nsKeyPairInfo *keyids, int numIDs)
-{
-  NS_ASSERTION(keyids, "NULL pointer passed to nsFreeKeyPairInfo");
-  if (!keyids)
-    return;
-  int i;
-  for (i=0; i<numIDs; i++) {
-    if (keyids[i].pubKey)
-      SECKEY_DestroyPublicKey(keyids[i].pubKey);
-    if (keyids[i].privKey)
-      SECKEY_DestroyPrivateKey(keyids[i].privKey);
-    if (keyids[i].ecPopCert)
-      CERT_DestroyCertificate(keyids[i].ecPopCert);
-    if (keyids[i].ecPopPubKey)
-      SECKEY_DestroyPublicKey(keyids[i].ecPopPubKey);
-  }
-  delete []keyids;
-}
-
-//Utility funciton used to free the genertaed cert request messages
-static void
-nsFreeCertReqMessages(CRMFCertReqMsg **certReqMsgs, int32_t numMessages)
-{
-  int32_t i;
-  for (i=0; i<numMessages && certReqMsgs[i]; i++) {
-    CRMF_DestroyCertReqMsg(certReqMsgs[i]);
-  }
-  delete []certReqMsgs;
-}
-
-//If the form called for escrowing the private key we just generated,
-//this function adds all the correct elements to the request.
-//That consists of adding CRMFEncryptedKey to the reques as part
-//of the CRMFPKIArchiveOptions Control.
-static nsresult
-nsSetEscrowAuthority(CRMFCertRequest *certReq, nsKeyPairInfo *keyInfo,
-                     nsNSSCertificate *wrappingCert)
-{
-  if (!wrappingCert ||
-      CRMF_CertRequestIsControlPresent(certReq, crmfPKIArchiveOptionsControl)){
-    return NS_ERROR_FAILURE;
-  }
-  ScopedCERTCertificate cert(wrappingCert->GetCert());
-  if (!cert)
-    return NS_ERROR_FAILURE;
-
-  CRMFEncryptedKey *encrKey = 
-      CRMF_CreateEncryptedKeyWithEncryptedValue(keyInfo->privKey, cert.get());
-  if (!encrKey)
-    return NS_ERROR_FAILURE;
-
-  CRMFPKIArchiveOptions *archOpt = 
-      CRMF_CreatePKIArchiveOptions(crmfEncryptedPrivateKey, encrKey);
-  if (!archOpt) {
-    CRMF_DestroyEncryptedKey(encrKey);
-    return NS_ERROR_FAILURE;
-  }
-  SECStatus srv = CRMF_CertRequestSetPKIArchiveOptions(certReq, archOpt);
-  CRMF_DestroyEncryptedKey(encrKey);
-  CRMF_DestroyPKIArchiveOptions(archOpt);
-  if (srv != SECSuccess)
-    return NS_ERROR_FAILURE;
-
-  return NS_OK;
-}
-
-//Set the Distinguished Name (Subject Name) for the cert
-//being requested.
-static nsresult
-nsSetDNForRequest(CRMFCertRequest *certReq, char *reqDN)
-{
-  if (!reqDN || CRMF_CertRequestIsFieldPresent(certReq, crmfSubject)) {
-    return NS_ERROR_FAILURE;
-  }
-  ScopedCERTName subjectName(CERT_AsciiToName(reqDN));
-  if (!subjectName) {
-    return NS_ERROR_FAILURE;
-  }
-  SECStatus srv = CRMF_CertRequestSetTemplateField(certReq, crmfSubject,
-                                                   static_cast<void*>
-                                                              (subjectName));
-  return (srv == SECSuccess) ? NS_OK : NS_ERROR_FAILURE;
-}
-
-//Set Registration Token Control on the request.
-static nsresult
-nsSetRegToken(CRMFCertRequest *certReq, char *regToken)
-{
-  // this should never happen, but might as well add this.
-  NS_ASSERTION(certReq, "A bogus certReq passed to nsSetRegToken");
-  if (regToken){
-    if (CRMF_CertRequestIsControlPresent(certReq, crmfRegTokenControl))
-      return NS_ERROR_FAILURE;
-  
-    SECItem src;
-    src.data = (unsigned char*)regToken;
-    src.len  = strlen(regToken);
-    SECItem *derEncoded = SEC_ASN1EncodeItem(nullptr, nullptr, &src, 
-                                        SEC_ASN1_GET(SEC_UTF8StringTemplate));
-
-    if (!derEncoded)
-      return NS_ERROR_FAILURE;
-
-    SECStatus srv = CRMF_CertRequestSetRegTokenControl(certReq, derEncoded);
-    SECITEM_FreeItem(derEncoded,true);
-    if (srv != SECSuccess)
-      return NS_ERROR_FAILURE;
-  }
-  return NS_OK;
-}
-
-//Set the Authenticator control on the cert reuest.  It's just
-//a string that gets passed along.
-static nsresult
-nsSetAuthenticator(CRMFCertRequest *certReq, char *authenticator)
-{
-  //This should never happen, but might as well check.
-  NS_ASSERTION(certReq, "Bogus certReq passed to nsSetAuthenticator");
-  if (authenticator) {
-    if (CRMF_CertRequestIsControlPresent(certReq, crmfAuthenticatorControl))
-      return NS_ERROR_FAILURE;
-    
-    SECItem src;
-    src.data = (unsigned char*)authenticator;
-    src.len  = strlen(authenticator);
-    SECItem *derEncoded = SEC_ASN1EncodeItem(nullptr, nullptr, &src,
-                                     SEC_ASN1_GET(SEC_UTF8StringTemplate));
-    if (!derEncoded)
-      return NS_ERROR_FAILURE;
-
-    SECStatus srv = CRMF_CertRequestSetAuthenticatorControl(certReq, 
-                                                            derEncoded);
-    SECITEM_FreeItem(derEncoded, true);
-    if (srv != SECSuccess)
-      return NS_ERROR_FAILURE;
-  }
-  return NS_OK;
-}
-
-// ASN1 DER encoding rules say that when encoding a BIT string,
-// the length in the header for the bit string is the number 
-// of "useful" bits in the BIT STRING.  So the function finds
-// it and sets accordingly for the returned item.
-static void
-nsPrepareBitStringForEncoding (SECItem *bitsmap, SECItem *value)
-{
-  unsigned char onebyte;
-  unsigned int i, len = 0;
-
-  /* to prevent warning on some platform at compile time */
-  onebyte = '\0';
-  /* Get the position of the right-most turn-on bit */
-  for (i = 0; i < (value->len ) * 8; ++i) {
-    if (i % 8 == 0)
-      onebyte = value->data[i/8];
-    if (onebyte & 0x80)
-      len = i;
-    onebyte <<= 1;
-  }
-
-  bitsmap->data = value->data;
-  /* Add one here since we work with base 1 */
-  bitsmap->len = len + 1;
-}
-
-//This next section defines all the functions that sets the 
-//keyUsageExtension for all the different types of key gens
-//we handle.  The keyUsageExtension is just a bit flag extension
-//that we set in wrapper functions that call straight into
-//nsSetKeyUsageExtension.  There is one wrapper funciton for each
-//keyGenType.  The correct function will eventually be called 
-//by going through a switch statement based on the nsKeyGenType
-//in the nsKeyPairInfo struct.
-static nsresult
-nsSetKeyUsageExtension(CRMFCertRequest *crmfReq,
-                       unsigned char   keyUsage)
-{
-  SECItem                 *encodedExt= nullptr;
-  SECItem                  keyUsageValue = { (SECItemType) 0, nullptr, 0 };
-  SECItem                  bitsmap = { (SECItemType) 0, nullptr, 0 };
-  SECStatus                srv;
-  CRMFCertExtension       *ext = nullptr;
-  CRMFCertExtCreationInfo  extAddParams;
-  SEC_ASN1Template         bitStrTemplate = {SEC_ASN1_BIT_STRING, 0, nullptr,
-                                             sizeof(SECItem)};
-
-  keyUsageValue.data = &keyUsage;
-  keyUsageValue.len  = 1;
-  nsPrepareBitStringForEncoding(&bitsmap, &keyUsageValue);
-
-  encodedExt = SEC_ASN1EncodeItem(nullptr, nullptr, &bitsmap,&bitStrTemplate);
-  if (!encodedExt) {
-    goto loser;
-  }
-  ext = CRMF_CreateCertExtension(SEC_OID_X509_KEY_USAGE, true, encodedExt);
-  if (!ext) {
-      goto loser;
-  }
-  extAddParams.numExtensions = 1;
-  extAddParams.extensions = &ext;
-  srv = CRMF_CertRequestSetTemplateField(crmfReq, crmfExtension,
-                                         &extAddParams);
-  if (srv != SECSuccess) {
-      goto loser;
-  }
-  CRMF_DestroyCertExtension(ext);
-  SECITEM_FreeItem(encodedExt, true);
-  return NS_OK;
- loser:
-  if (ext) {
-    CRMF_DestroyCertExtension(ext);
-  }
-  if (encodedExt) {
-      SECITEM_FreeItem(encodedExt, true);
-  }
-  return NS_ERROR_FAILURE;
-}
-
-static nsresult
-nsSetRSADualUse(CRMFCertRequest *crmfReq)
-{
-  unsigned char keyUsage =   KU_DIGITAL_SIGNATURE
-                           | KU_NON_REPUDIATION
-                           | KU_KEY_ENCIPHERMENT;
-
-  return nsSetKeyUsageExtension(crmfReq, keyUsage);
-}
-
-static nsresult
-nsSetRSAKeyEx(CRMFCertRequest *crmfReq)
-{
-  unsigned char keyUsage = KU_KEY_ENCIPHERMENT;
-
-  return nsSetKeyUsageExtension(crmfReq, keyUsage);
-}
-
-static nsresult
-nsSetRSASign(CRMFCertRequest *crmfReq)
-{
-  unsigned char keyUsage = KU_DIGITAL_SIGNATURE;
-
-
-  return nsSetKeyUsageExtension(crmfReq, keyUsage);
-}
-
-static nsresult
-nsSetRSANonRepudiation(CRMFCertRequest *crmfReq)
-{
-  unsigned char keyUsage = KU_NON_REPUDIATION;
-
-  return nsSetKeyUsageExtension(crmfReq, keyUsage);
-}
-
-static nsresult
-nsSetRSASignNonRepudiation(CRMFCertRequest *crmfReq)
-{
-  unsigned char keyUsage = KU_DIGITAL_SIGNATURE |
-                           KU_NON_REPUDIATION;
-
-  return nsSetKeyUsageExtension(crmfReq, keyUsage);
-}
-
-static nsresult
-nsSetECDualUse(CRMFCertRequest *crmfReq)
-{
-  unsigned char keyUsage =   KU_DIGITAL_SIGNATURE
-                           | KU_NON_REPUDIATION
-                           | KU_KEY_AGREEMENT;
-
-  return nsSetKeyUsageExtension(crmfReq, keyUsage);
-}
-
-static nsresult
-nsSetECKeyEx(CRMFCertRequest *crmfReq)
-{
-  unsigned char keyUsage = KU_KEY_AGREEMENT;
-
-  return nsSetKeyUsageExtension(crmfReq, keyUsage);
-}
-
-static nsresult
-nsSetECSign(CRMFCertRequest *crmfReq)
-{
-  unsigned char keyUsage = KU_DIGITAL_SIGNATURE;
-
-
-  return nsSetKeyUsageExtension(crmfReq, keyUsage);
-}
-
-static nsresult
-nsSetECNonRepudiation(CRMFCertRequest *crmfReq)
-{
-  unsigned char keyUsage = KU_NON_REPUDIATION;
-
-  return nsSetKeyUsageExtension(crmfReq, keyUsage);
-}
-
-static nsresult
-nsSetECSignNonRepudiation(CRMFCertRequest *crmfReq)
-{
-  unsigned char keyUsage = KU_DIGITAL_SIGNATURE |
-                           KU_NON_REPUDIATION;
-
-  return nsSetKeyUsageExtension(crmfReq, keyUsage);
-}
-
-static nsresult
-nsSetDH(CRMFCertRequest *crmfReq)
-{
-  unsigned char keyUsage = KU_KEY_AGREEMENT;
-
-  return nsSetKeyUsageExtension(crmfReq, keyUsage);
-}
-
-static nsresult
-nsSetDSASign(CRMFCertRequest *crmfReq)
-{
-  unsigned char keyUsage = KU_DIGITAL_SIGNATURE;
-
-  return nsSetKeyUsageExtension(crmfReq, keyUsage);
-}
-
-static nsresult
-nsSetDSANonRepudiation(CRMFCertRequest *crmfReq)
-{
-  unsigned char keyUsage = KU_NON_REPUDIATION;
-
-  return nsSetKeyUsageExtension(crmfReq, keyUsage);
-}
-
-static nsresult
-nsSetDSASignNonRepudiation(CRMFCertRequest *crmfReq)
-{
-  unsigned char keyUsage = KU_DIGITAL_SIGNATURE |
-                           KU_NON_REPUDIATION;
-
-  return nsSetKeyUsageExtension(crmfReq, keyUsage);
-}
-
-static nsresult
-nsSetKeyUsageExtension(CRMFCertRequest *crmfReq, nsKeyGenType keyGenType)
-{
-  nsresult rv;
-
-  switch (keyGenType) {
-  case rsaDualUse:
-    rv = nsSetRSADualUse(crmfReq);
-    break;
-  case rsaEnc:
-    rv = nsSetRSAKeyEx(crmfReq);
-    break;
-  case rsaSign:
-    rv = nsSetRSASign(crmfReq);
-    break;
-  case rsaNonrepudiation:
-    rv = nsSetRSANonRepudiation(crmfReq);
-    break;
-  case rsaSignNonrepudiation:
-    rv = nsSetRSASignNonRepudiation(crmfReq);
-    break;
-  case ecDualUse:
-    rv = nsSetECDualUse(crmfReq);
-    break;
-  case ecEnc:
-    rv = nsSetECKeyEx(crmfReq);
-    break;
-  case ecSign:
-    rv = nsSetECSign(crmfReq);
-    break;
-  case ecNonrepudiation:
-    rv = nsSetECNonRepudiation(crmfReq);
-    break;
-  case ecSignNonrepudiation:
-    rv = nsSetECSignNonRepudiation(crmfReq);
-    break;
-  case dhEx:
-    rv = nsSetDH(crmfReq);
-    break;
-  case dsaSign:
-    rv = nsSetDSASign(crmfReq);
-    break;
-  case dsaNonrepudiation:
-    rv = nsSetDSANonRepudiation(crmfReq);
-    break;
-  case dsaSignNonrepudiation:
-    rv = nsSetDSASignNonRepudiation(crmfReq);
-    break;
-  default:
-    rv = NS_ERROR_FAILURE;
-    break;
-  }
-  return rv;
-}
-
-//Create a single CRMFCertRequest with all of the necessary parts 
-//already installed.  The request returned by this function will
-//have all the parts necessary and can just be added to a 
-//Certificate Request Message.
-static CRMFCertRequest*
-nsCreateSingleCertReq(nsKeyPairInfo *keyInfo, char *reqDN, char *regToken, 
-                      char *authenticator, nsNSSCertificate *wrappingCert)
-{
-  uint32_t reqID;
-  nsresult rv;
-
-  //The draft says the ID of the request should be a random
-  //number.  We don't have a way of tracking this number
-  //to compare when the reply actually comes back,though.
-  PK11_GenerateRandom((unsigned char*)&reqID, sizeof(reqID));
-  CRMFCertRequest *certReq = CRMF_CreateCertRequest(reqID);
-  if (!certReq)
-    return nullptr;
-
-  long version = SEC_CERTIFICATE_VERSION_3;
-  SECStatus srv;
-  CERTSubjectPublicKeyInfo *spki = nullptr;
-  srv = CRMF_CertRequestSetTemplateField(certReq, crmfVersion, &version);
-  if (srv != SECSuccess)
-    goto loser;
-  
-  spki = SECKEY_CreateSubjectPublicKeyInfo(keyInfo->pubKey);
-  if (!spki)
-    goto loser;
-
-  srv = CRMF_CertRequestSetTemplateField(certReq, crmfPublicKey, spki);
-  SECKEY_DestroySubjectPublicKeyInfo(spki);
-  if (srv != SECSuccess)
-    goto loser;
-
-  if (wrappingCert && ns_can_escrow(keyInfo->keyGenType)) {
-    rv = nsSetEscrowAuthority(certReq, keyInfo, wrappingCert);
-    if (NS_FAILED(rv))
-      goto loser;
-  }
-  rv = nsSetDNForRequest(certReq, reqDN);
-  if (NS_FAILED(rv))
-    goto loser;
-
-  rv = nsSetRegToken(certReq, regToken);
-  if (NS_FAILED(rv))
-    goto loser;
-
-  rv = nsSetAuthenticator(certReq, authenticator);
-  if (NS_FAILED(rv))
-    goto loser;
-
- rv = nsSetKeyUsageExtension(certReq, keyInfo->keyGenType); 
-  if (NS_FAILED(rv))
-    goto loser;
-
-  return certReq;
-loser:
-  if (certReq) {
-    CRMF_DestroyCertRequest(certReq);
-  }
-  return nullptr;
-}
-
-/*
- * This function will set the Proof Of Possession (POP) for a request
- * associated with a key pair intended to do Key Encipherment.  Currently
- * this means encryption only keys.
- */
-static nsresult
-nsSetKeyEnciphermentPOP(CRMFCertReqMsg *certReqMsg, bool isEscrowed)
-{
-  SECItem       bitString;
-  unsigned char der[2];
-  SECStatus     srv;
-
-  if (isEscrowed) {
-    /* For proof of possession on escrowed keys, we use the
-     * this Message option of POPOPrivKey and include a zero
-     * length bit string in the POP field.  This is OK because the encrypted
-     * private key already exists as part of the PKIArchiveOptions
-     * Control and that for all intents and purposes proves that
-     * we do own the private key.
-     */
-    der[0] = 0x03; /*We've got a bit string          */
-    der[1] = 0x00; /*We've got a 0 length bit string */
-    bitString.data = der;
-    bitString.len  = 2;
-    srv = CRMF_CertReqMsgSetKeyEnciphermentPOP(certReqMsg, crmfThisMessage,
-                                              crmfNoSubseqMess, &bitString);
-  } else {
-    /* If the encryption key is not being escrowed, then we set the 
-     * Proof Of Possession to be a Challenge Response mechanism.
-     */
-    srv = CRMF_CertReqMsgSetKeyEnciphermentPOP(certReqMsg,
-                                              crmfSubsequentMessage,
-                                              crmfChallengeResp, nullptr);
-  }
-  return (srv == SECSuccess) ? NS_OK : NS_ERROR_FAILURE;
-}
-
-static void
-nsCRMFEncoderItemCount(void *arg, const char *buf, unsigned long len);
-
-static void
-nsCRMFEncoderItemStore(void *arg, const char *buf, unsigned long len);
-
-static nsresult
-nsSet_EC_DHMAC_ProofOfPossession(CRMFCertReqMsg *certReqMsg, 
-                                 nsKeyPairInfo  *keyInfo,
-                                 CRMFCertRequest *certReq)
-{
-  // RFC 2511 Appendix A section 2 a) defines,
-  // the "text" input for HMAC shall be the DER encoded version of
-  // of the single cert request.
-  // We'll produce that encoding and destroy it afterwards,
-  // because when sending the complete package to the CA,
-  // we'll use a different encoding, one that includes POP and
-  // allows multiple requests to be sent in one step.
-
-  unsigned long der_request_len = 0;
-  ScopedSECItem der_request;
-
-  if (SECSuccess != CRMF_EncodeCertRequest(certReq, 
-                                           nsCRMFEncoderItemCount, 
-                                           &der_request_len))
-    return NS_ERROR_FAILURE;
-
-  der_request = SECITEM_AllocItem(nullptr, nullptr, der_request_len);
-  if (!der_request)
-    return NS_ERROR_FAILURE;
-
-  // set len in returned SECItem back to zero, because it will
-  // be used as the destination offset inside the 
-  // nsCRMFEncoderItemStore callback.
-
-  der_request->len = 0;
-
-  if (SECSuccess != CRMF_EncodeCertRequest(certReq, 
-                                           nsCRMFEncoderItemStore, 
-                                           der_request))
-    return NS_ERROR_FAILURE;
-
-  // RFC 2511 Appendix A section 2 c):
-  // "A key K is derived from the shared secret Kec and the subject and
-  //  issuer names in the CA's certificate as follows:
-  //  K = SHA1(DER-encoded-subjectName | Kec | DER-encoded-issuerName)"
-
-  ScopedPK11SymKey shared_secret;
-  ScopedPK11SymKey subject_and_secret;
-  ScopedPK11SymKey subject_and_secret_and_issuer;
-  ScopedPK11SymKey sha1_of_subject_and_secret_and_issuer;
-
-  shared_secret = 
-    PK11_PubDeriveWithKDF(keyInfo->privKey, // SECKEYPrivateKey *privKey
-                          keyInfo->ecPopPubKey,  // SECKEYPublicKey *pubKey
-                          false, // bool isSender
-                          nullptr, // SECItem *randomA
-                          nullptr, // SECItem *randomB
-                          CKM_ECDH1_DERIVE, // CK_MECHANISM_TYPE derive
-                          CKM_CONCATENATE_DATA_AND_BASE, // CK_MECHANISM_TYPE target
-                          CKA_DERIVE, // CK_ATTRIBUTE_TYPE operation
-                          0, // int keySize
-                          CKD_NULL, // CK_ULONG kdf
-                          nullptr, // SECItem *sharedData
-                          nullptr); // void *wincx
-
-  if (!shared_secret)
-    return NS_ERROR_FAILURE;
-
-  CK_KEY_DERIVATION_STRING_DATA concat_data_base;
-  concat_data_base.pData = keyInfo->ecPopCert->derSubject.data;
-  concat_data_base.ulLen = keyInfo->ecPopCert->derSubject.len;
-  SECItem concat_data_base_item;
-  concat_data_base_item.data = (unsigned char*)&concat_data_base;
-  concat_data_base_item.len = sizeof(CK_KEY_DERIVATION_STRING_DATA);
-
-  subject_and_secret =
-    PK11_Derive(shared_secret, // PK11SymKey *baseKey
-                CKM_CONCATENATE_DATA_AND_BASE, // CK_MECHANISM_TYPE mechanism
-                &concat_data_base_item, // SECItem *param
-                CKM_CONCATENATE_BASE_AND_DATA, // CK_MECHANISM_TYPE target
-                CKA_DERIVE, // CK_ATTRIBUTE_TYPE operation
-                0); // int keySize
-
-  if (!subject_and_secret)
-    return NS_ERROR_FAILURE;
-
-  CK_KEY_DERIVATION_STRING_DATA concat_base_data;
-  concat_base_data.pData = keyInfo->ecPopCert->derSubject.data;
-  concat_base_data.ulLen = keyInfo->ecPopCert->derSubject.len;
-  SECItem concat_base_data_item;
-  concat_base_data_item.data = (unsigned char*)&concat_base_data;
-  concat_base_data_item.len = sizeof(CK_KEY_DERIVATION_STRING_DATA);
-
-  subject_and_secret_and_issuer =
-    PK11_Derive(subject_and_secret, // PK11SymKey *baseKey
-                CKM_CONCATENATE_BASE_AND_DATA, // CK_MECHANISM_TYPE mechanism
-                &concat_base_data_item, // SECItem *param
-                CKM_SHA1_KEY_DERIVATION, // CK_MECHANISM_TYPE target
-                CKA_DERIVE, // CK_ATTRIBUTE_TYPE operation
-                0); // int keySize
-
-  if (!subject_and_secret_and_issuer)
-    return NS_ERROR_FAILURE;
-
-  sha1_of_subject_and_secret_and_issuer =
-    PK11_Derive(subject_and_secret_and_issuer, // PK11SymKey *baseKey
-                CKM_SHA1_KEY_DERIVATION, // CK_MECHANISM_TYPE mechanism
-                nullptr, // SECItem *param
-                CKM_SHA_1_HMAC, // CK_MECHANISM_TYPE target
-                CKA_SIGN, // CK_ATTRIBUTE_TYPE operation
-                0); // int keySize
-
-  if (!sha1_of_subject_and_secret_and_issuer)
-    return NS_ERROR_FAILURE;
-
-  PK11Context *context = nullptr;
-  PK11ContextCleanerTrueParam context_cleaner(context);
-
-  SECItem ignore;
-  ignore.data = 0;
-  ignore.len = 0;
-
-  context = 
-    PK11_CreateContextBySymKey(CKM_SHA_1_HMAC, // CK_MECHANISM_TYPE type
-                               CKA_SIGN, // CK_ATTRIBUTE_TYPE operation
-                               sha1_of_subject_and_secret_and_issuer, // PK11SymKey *symKey
-                               &ignore); // SECItem *param
-
-  if (!context)
-    return NS_ERROR_FAILURE;
-
-  if (SECSuccess != PK11_DigestBegin(context))
-    return NS_ERROR_FAILURE;
-
-  if (SECSuccess != 
-      PK11_DigestOp(context, der_request->data, der_request->len))
-    return NS_ERROR_FAILURE;
-
-  ScopedAutoSECItem result_hmac_sha1_item(SHA1_LENGTH);
-
-  if (SECSuccess !=
-      PK11_DigestFinal(context, 
-                       result_hmac_sha1_item.data, 
-                       &result_hmac_sha1_item.len, 
-                       SHA1_LENGTH))
-    return NS_ERROR_FAILURE;
-
-  if (SECSuccess !=
-      CRMF_CertReqMsgSetKeyAgreementPOP(certReqMsg, crmfDHMAC,
-                                        crmfNoSubseqMess, &result_hmac_sha1_item))
-    return NS_ERROR_FAILURE;
-
-  return NS_OK;
-}
-
-static nsresult
-nsSetProofOfPossession(CRMFCertReqMsg *certReqMsg, 
-                       nsKeyPairInfo  *keyInfo,
-                       CRMFCertRequest *certReq)
-{
-  // Depending on the type of cert request we'll try
-  // POP mechanisms in different order,
-  // and add the result to the cert request message.
-  //
-  // For any signing or dual use cert,
-  //   try signing first,
-  //   fall back to DHMAC if we can
-  //     (EC cert requests that provide keygen param "popcert"),
-  //   otherwise fail.
-  //
-  // For encryption only certs that get escrowed, this is sufficient.
-  //
-  // For encryption only certs, that are not being escrowed, 
-  //   try DHMAC if we can 
-  //     (EC cert requests that provide keygen param "popcert"),
-  //   otherwise we'll indicate challenge response should be used.
-  
-  bool isEncryptionOnlyCertRequest = false;
-  bool escrowEncryptionOnlyCert = false;
-  
-  switch (keyInfo->keyGenType)
-  {
-    case rsaEnc:
-    case ecEnc:
-      isEncryptionOnlyCertRequest = true;
-      break;
-    
-    case rsaSign:
-    case rsaDualUse:
-    case rsaNonrepudiation:
-    case rsaSignNonrepudiation:
-    case ecSign:
-    case ecDualUse:
-    case ecNonrepudiation:
-    case ecSignNonrepudiation:
-    case dsaSign:
-    case dsaNonrepudiation:
-    case dsaSignNonrepudiation:
-      break;
-    
-    case dhEx:
-    /* This case may be supported in the future, but for now, we just fall 
-      * though to the default case and return an error for diffie-hellman keys.
-    */
-    default:
-      return NS_ERROR_FAILURE;
-  };
-    
-  if (isEncryptionOnlyCertRequest)
-  {
-    escrowEncryptionOnlyCert = 
-      CRMF_CertRequestIsControlPresent(certReq,crmfPKIArchiveOptionsControl);
-  }
-    
-  bool gotDHMACParameters = false;
-  
-  if (isECKeyGenType(keyInfo->keyGenType) && 
-      keyInfo->ecPopCert && 
-      keyInfo->ecPopPubKey)
-  {
-    gotDHMACParameters = true;
-  }
-  
-  if (isEncryptionOnlyCertRequest)
-  {
-    if (escrowEncryptionOnlyCert)
-      return nsSetKeyEnciphermentPOP(certReqMsg, true); // escrowed
-    
-    if (gotDHMACParameters)
-      return nsSet_EC_DHMAC_ProofOfPossession(certReqMsg, keyInfo, certReq);
-    
-    return nsSetKeyEnciphermentPOP(certReqMsg, false); // not escrowed
-  }
-  
-  // !isEncryptionOnlyCertRequest
-  
-  SECStatus srv = CRMF_CertReqMsgSetSignaturePOP(certReqMsg,
-                                                 keyInfo->privKey,
-                                                 keyInfo->pubKey, nullptr,
-                                                 nullptr, nullptr);
-
-  if (srv == SECSuccess)
-    return NS_OK;
-  
-  if (!gotDHMACParameters)
-    return NS_ERROR_FAILURE;
-  
-  return nsSet_EC_DHMAC_ProofOfPossession(certReqMsg, keyInfo, certReq);
-}
-
-static void
-nsCRMFEncoderItemCount(void *arg, const char *buf, unsigned long len)
-{
-  unsigned long *count = (unsigned long *)arg;
-  *count += len;
-}
-
-static void
-nsCRMFEncoderItemStore(void *arg, const char *buf, unsigned long len)
-{
-  SECItem *dest = (SECItem *)arg;
-  memcpy(dest->data + dest->len, buf, len);
-  dest->len += len;
-}
-
-static SECItem*
-nsEncodeCertReqMessages(CRMFCertReqMsg **certReqMsgs)
-{
-  unsigned long len = 0;
-  if (CRMF_EncodeCertReqMessages(certReqMsgs, nsCRMFEncoderItemCount, &len)
-      != SECSuccess) {
-    return nullptr;
-  }
-  SECItem *dest = (SECItem *)PORT_Alloc(sizeof(SECItem));
-  if (!dest) {
-    return nullptr;
-  }
-  dest->type = siBuffer;
-  dest->data = (unsigned char *)PORT_Alloc(len);
-  if (!dest->data) {
-    PORT_Free(dest);
-    return nullptr;
-  }
-  dest->len = 0;
-
-  if (CRMF_EncodeCertReqMessages(certReqMsgs, nsCRMFEncoderItemStore, dest)
-      != SECSuccess) {
-    SECITEM_FreeItem(dest, true);
-    return nullptr;
-  }
-  return dest;
-}
-
-//Create a Base64 encoded CRMFCertReqMsg that can be sent to a CA
-//requesting one or more certificates to be issued.  This function
-//creates a single cert request per key pair and then appends it to
-//a message that is ultimately sent off to a CA.
-static char*
-nsCreateReqFromKeyPairs(nsKeyPairInfo *keyids, int32_t numRequests,
-                        char *reqDN, char *regToken, char *authenticator,
-                        nsNSSCertificate *wrappingCert) 
-{
-  // We'use the goto notation for clean-up purposes in this function
-  // that calls the C API of NSS.
-  int32_t i;
-  // The ASN1 encoder in NSS wants the last entry in the array to be
-  // nullptr so that it knows when the last element is.
-  CRMFCertReqMsg **certReqMsgs = new CRMFCertReqMsg*[numRequests+1];
-  CRMFCertRequest *certReq;
-  if (!certReqMsgs)
-    return nullptr;
-  memset(certReqMsgs, 0, sizeof(CRMFCertReqMsg*)*(1+numRequests));
-  SECStatus srv;
-  nsresult rv;
-  SECItem *encodedReq;
-  char *retString;
-  for (i=0; i<numRequests; i++) {
-    certReq = nsCreateSingleCertReq(&keyids[i], reqDN, regToken, authenticator,
-                                    wrappingCert);
-    if (!certReq)
-      goto loser;
-
-    certReqMsgs[i] = CRMF_CreateCertReqMsg();
-    if (!certReqMsgs[i])
-      goto loser;
-    srv = CRMF_CertReqMsgSetCertRequest(certReqMsgs[i], certReq);
-    if (srv != SECSuccess)
-      goto loser;
-
-    rv = nsSetProofOfPossession(certReqMsgs[i], &keyids[i], certReq);
-    if (NS_FAILED(rv))
-      goto loser;
-    CRMF_DestroyCertRequest(certReq);
-  }
-  encodedReq = nsEncodeCertReqMessages(certReqMsgs);
-  nsFreeCertReqMessages(certReqMsgs, numRequests);
-
-  retString = NSSBase64_EncodeItem (nullptr, nullptr, 0, encodedReq);
-  SECITEM_FreeItem(encodedReq, true);
-  return retString;
-loser:
-  nsFreeCertReqMessages(certReqMsgs,numRequests);
-  return nullptr;
-}
-
-//The top level method which is a member of nsIDOMCrypto
-//for generate a base64 encoded CRMF request.
-CRMFObject*
-nsCrypto::GenerateCRMFRequest(JSContext* aContext,
-                              const nsCString& aReqDN,
-                              const nsCString& aRegToken,
-                              const nsCString& aAuthenticator,
-                              const nsCString& aEaCert,
-                              const nsCString& aJsCallback,
-                              const Sequence<JS::Value>& aArgs,
-                              ErrorResult& aRv)
-{
-  nsNSSShutDownPreventionLock locker;
-  nsresult nrv;
-
-  uint32_t argc = aArgs.Length();
-
-  /*
-   * Get all of the parameters.
-   */
-  if (argc % 3 != 0) {
-    aRv.ThrowNotEnoughArgsError();
-    return nullptr;
-  }
-
-  if (aReqDN.IsVoid()) {
-    NS_WARNING("no DN specified");
-    aRv.Throw(NS_ERROR_FAILURE);
-    return nullptr;
-  }
-
-  if (aJsCallback.IsVoid()) {
-    NS_WARNING("no completion function specified");
-    aRv.Throw(NS_ERROR_FAILURE);
-    return nullptr;
-  }
-
-  nsCOMPtr<nsIGlobalObject> globalObject = do_QueryInterface(GetParentObject());
-  if (MOZ_UNLIKELY(!globalObject)) {
-    aRv.Throw(NS_ERROR_UNEXPECTED);
-    return nullptr;
-  }
-
-  nsCOMPtr<nsIContentSecurityPolicy> csp;
-  if (!nsContentUtils::GetContentSecurityPolicy(getter_AddRefs(csp))) {
-    NS_ERROR("Error: failed to get CSP");
-    aRv.Throw(NS_ERROR_FAILURE);
-    return nullptr;
-  }
-
-  bool evalAllowed = true;
-  bool reportEvalViolations = false;
-  if (csp && NS_FAILED(csp->GetAllowsEval(&reportEvalViolations, &evalAllowed))) {
-    NS_WARNING("CSP: failed to get allowsEval");
-    aRv.Throw(NS_ERROR_FAILURE);
-    return nullptr;
-  }
-
-  if (reportEvalViolations) {
-    NS_NAMED_LITERAL_STRING(scriptSample, "window.crypto.generateCRMFRequest: call to eval() or related function blocked by CSP");
-
-    const char *fileName;
-    uint32_t lineNum;
-    nsJSUtils::GetCallingLocation(aContext, &fileName, &lineNum);
-    csp->LogViolationDetails(nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL,
-                             NS_ConvertASCIItoUTF16(fileName),
-                             scriptSample,
-                             lineNum,
-                             EmptyString(),
-                             EmptyString());
-  }
-
-  if (!evalAllowed) {
-    NS_WARNING("eval() not allowed by Content Security Policy");
-    aRv.Throw(NS_ERROR_FAILURE);
-    return nullptr;
-  }
-
-  //Put up some UI warning that someone is trying to
-  //escrow the private key.
-  //Don't addref this copy.  That way ths reference goes away
-  //at the same the nsIX09Cert ref goes away.
-  nsNSSCertificate *escrowCert = nullptr;
-  nsCOMPtr<nsIX509Cert> nssCert;
-  bool willEscrow = false;
-  if (!aEaCert.IsVoid()) {
-    SECItem certDer = {siBuffer, nullptr, 0};
-    SECStatus srv = ATOB_ConvertAsciiToItem(&certDer, aEaCert.get());
-    if (srv != SECSuccess) {
-      aRv.Throw(NS_ERROR_FAILURE);
-      return nullptr;
-    }
-    ScopedCERTCertificate cert(
-      CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
-                              &certDer, nullptr, false, true));
-    if (!cert) {
-      aRv.Throw(NS_ERROR_FAILURE);
-      return nullptr;
-    }
-
-    escrowCert = nsNSSCertificate::Create(cert.get());
-    nssCert = escrowCert;
-    if (!nssCert) {
-      aRv.Throw(NS_ERROR_OUT_OF_MEMORY);
-      return nullptr;
-    }
-
-    nsCOMPtr<nsIDOMCryptoDialogs> dialogs;
-    nsresult rv = getNSSDialogs(getter_AddRefs(dialogs),
-                                NS_GET_IID(nsIDOMCryptoDialogs),
-                                NS_DOMCRYPTODIALOGS_CONTRACTID);
-    if (NS_FAILED(rv)) {
-      aRv.Throw(rv);
-      return nullptr;
-    }
-
-    bool okay=false;
-    {
-      nsPSMUITracker tracker;
-      if (tracker.isUIForbidden()) {
-        okay = false;
-      }
-      else {
-        dialogs->ConfirmKeyEscrow(nssCert, &okay);
-      }
-    }
-    if (!okay) {
-      aRv.Throw(NS_ERROR_FAILURE);
-      return nullptr;
-    }
-    willEscrow = true;
-  }
-  nsCOMPtr<nsIInterfaceRequestor> uiCxt = new PipUIContext;
-  int32_t numRequests = argc / 3;
-  nsKeyPairInfo *keyids = new nsKeyPairInfo[numRequests];
-  memset(keyids, 0, sizeof(nsKeyPairInfo)*numRequests);
-  int keyInfoIndex;
-  uint32_t i;
-  PK11SlotInfo *slot = nullptr;
-  // Go through all of the arguments and generate the appropriate key pairs.
-  for (i=0,keyInfoIndex=0; i<argc; i+=3,keyInfoIndex++) {
-    nrv = cryptojs_ReadArgsAndGenerateKey(aContext,
-                                          const_cast<JS::Value*>(&aArgs[i]),
-                                          &keyids[keyInfoIndex],
-                                          uiCxt, &slot, willEscrow);
-
-    if (NS_FAILED(nrv)) {
-      if (slot)
-        PK11_FreeSlot(slot);
-      nsFreeKeyPairInfo(keyids,numRequests);
-      aRv.Throw(nrv);
-      return nullptr;
-    }
-  }
-  // By this time we'd better have a slot for the key gen.
-  NS_ASSERTION(slot, "There was no slot selected for key generation");
-  if (slot)
-    PK11_FreeSlot(slot);
-
-  char *encodedRequest = nsCreateReqFromKeyPairs(keyids,numRequests,
-                                                 const_cast<char*>(aReqDN.get()),
-                                                 const_cast<char*>(aRegToken.get()),
-                                                 const_cast<char*>(aAuthenticator.get()),
-                                                 escrowCert);
-  if (!encodedRequest) {
-    nsFreeKeyPairInfo(keyids, numRequests);
-    aRv.Throw(NS_ERROR_FAILURE);
-    return nullptr;
-  }
-  CRMFObject* newObject = new CRMFObject();
-  newObject->SetCRMFRequest(encodedRequest);
-  PORT_Free(encodedRequest);
-  nsFreeKeyPairInfo(keyids, numRequests);
-
-  // Post an event on the UI queue so that the JS gets called after
-  // we return control to the JS layer.  Why do we have to this?
-  // Because when this API was implemented for PSM 1.x w/ Communicator,
-  // the only way to make this method work was to have a callback
-  // in the JS layer that got called after key generation had happened.
-  // So for backwards compatibility, we return control and then just post
-  // an event to call the JS the script provides as the code to execute
-  // when the request has been generated.
-  //
-
-  MOZ_ASSERT(nsContentUtils::GetCurrentJSContext());
-  nsCryptoRunArgs *args = new nsCryptoRunArgs();
-
-  args->m_globalObject = globalObject;
-  if (!aJsCallback.IsVoid()) {
-    args->m_jsCallback = aJsCallback;
-  }
-
-  nsRefPtr<nsCryptoRunnable> cryptoRunnable(new nsCryptoRunnable(args));
-
-  nsresult rv = NS_DispatchToMainThread(cryptoRunnable);
-  if (NS_FAILED(rv)) {
-    aRv.Throw(rv);
-  }
-
-  return newObject;
-}
-
-// Reminder that we inherit the memory passed into us here.
-// An implementation to let us back up certs as an event.
-nsP12Runnable::nsP12Runnable(nsIX509Cert **certArr, int32_t numCerts,
-                             nsIPK11Token *token)
-{
-  mCertArr  = certArr;
-  mNumCerts = numCerts;
-  mToken = token;
-}
-
-nsP12Runnable::~nsP12Runnable()
-{
-  int32_t i;
-  for (i=0; i<mNumCerts; i++) {
-      NS_IF_RELEASE(mCertArr[i]);
-  }
-  delete []mCertArr;
-}
-
-
-//Implementation that backs cert(s) into a PKCS12 file
-NS_IMETHODIMP
-nsP12Runnable::Run()
-{
-  NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
-
-  NS_ASSERTION(NS_IsMainThread(), "nsP12Runnable dispatched to the wrong thread");
-
-  nsNSSShutDownPreventionLock locker;
-  NS_ASSERTION(mCertArr, "certArr is NULL while trying to back up");
-
-  nsString final;
-  nsString temp;
-  nsresult rv;
-
-  nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv));
-  if (NS_FAILED(rv))
-    return rv;
-
-  //Build up the message that let's the user know we're trying to 
-  //make PKCS12 backups of the new certs.
-  nssComponent->GetPIPNSSBundleString("ForcedBackup1", final);
-  final.Append(MOZ_UTF16("\n\n"));
-  nssComponent->GetPIPNSSBundleString("ForcedBackup2", temp);
-  final.Append(temp.get());
-  final.Append(MOZ_UTF16("\n\n"));
-
-  nssComponent->GetPIPNSSBundleString("ForcedBackup3", temp);
-
-  final.Append(temp.get());
-  nsNSSComponent::ShowAlertWithConstructedString(final);
-
-  nsCOMPtr<nsIFilePicker> filePicker = 
-                        do_CreateInstance("@mozilla.org/filepicker;1", &rv);
-  if (!filePicker) {
-    NS_ERROR("Could not create a file picker when backing up certs.");
-    return rv;
-  }
-
-  nsCOMPtr<nsIWindowWatcher> wwatch =
-    (do_GetService(NS_WINDOWWATCHER_CONTRACTID, &rv));
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  nsCOMPtr<nsIDOMWindow> window;
-  wwatch->GetActiveWindow(getter_AddRefs(window));
-
-  nsString filePickMessage;
-  nssComponent->GetPIPNSSBundleString("chooseP12BackupFileDialog",
-                                      filePickMessage);
-  rv = filePicker->Init(window, filePickMessage, nsIFilePicker::modeSave);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  filePicker->AppendFilter(NS_LITERAL_STRING("PKCS12"),
-                           NS_LITERAL_STRING("*.p12"));
-  filePicker->AppendFilters(nsIFilePicker::filterAll);
-
-  int16_t dialogReturn;
-  filePicker->Show(&dialogReturn);
-  if (dialogReturn == nsIFilePicker::returnCancel)
-    return NS_OK;  //User canceled.  It'd be nice if they couldn't, 
-                   //but oh well.
-
-  nsCOMPtr<nsIFile> localFile;
-  rv = filePicker->GetFile(getter_AddRefs(localFile));
-  if (NS_FAILED(rv))
-    return NS_ERROR_FAILURE;
-
-  nsPKCS12Blob p12Cxt;
-  
-  p12Cxt.SetToken(mToken);
-  p12Cxt.ExportToFile(localFile, mCertArr, mNumCerts);
-  return NS_OK;
-}
-
-nsCryptoRunArgs::nsCryptoRunArgs() {}
-
-nsCryptoRunArgs::~nsCryptoRunArgs() {}
-
-nsCryptoRunnable::nsCryptoRunnable(nsCryptoRunArgs *args)
-{
-  nsNSSShutDownPreventionLock locker;
-  NS_ASSERTION(args,"Passed nullptr to nsCryptoRunnable constructor.");
-  m_args = args;
-  NS_IF_ADDREF(m_args);
-}
-
-nsCryptoRunnable::~nsCryptoRunnable()
-{
-  nsNSSShutDownPreventionLock locker;
-  NS_IF_RELEASE(m_args);
-}
-
-//Implementation that runs the callback passed to 
-//crypto.generateCRMFRequest as an event.
-NS_IMETHODIMP
-nsCryptoRunnable::Run()
-{
-  nsNSSShutDownPreventionLock locker;
-
-  // We're going to run script via JS_EvaluateScript, so we need an
-  // AutoEntryScript. This is Gecko specific and not on a standards track.
-  AutoEntryScript aes(m_args->m_globalObject);
-  JSContext* cx = aes.cx();
-  JS::RootedObject scope(cx, JS::CurrentGlobalOrNull(cx));
-
-  bool ok =
-    JS_EvaluateScript(cx, scope, m_args->m_jsCallback,
-                      strlen(m_args->m_jsCallback), nullptr, 0);
-  return ok ? NS_OK : NS_ERROR_FAILURE;
-}
-
-//Quick helper function to check if a newly issued cert
-//already exists in the user's database.
-static bool
-nsCertAlreadyExists(SECItem *derCert)
-{
-  CERTCertDBHandle *handle = CERT_GetDefaultCertDB();
-  bool retVal = false;
-
-  ScopedCERTCertificate cert(CERT_FindCertByDERCert(handle, derCert));
-  if (cert) {
-    if (cert->isperm && !cert->nickname && !cert->emailAddr) {
-      //If the cert doesn't have a nickname or email addr, it is
-      //bogus cruft, so delete it.
-      SEC_DeletePermCertificate(cert.get());
-    } else if (cert->isperm) {
-      retVal = true;
-    }
-  }
-  return retVal;
-}
-
-static int32_t
-nsCertListCount(CERTCertList *certList)
-{
-  int32_t numCerts = 0;
-  CERTCertListNode *node;
-
-  node = CERT_LIST_HEAD(certList);
-  while (!CERT_LIST_END(node, certList)) {
-    numCerts++;
-    node = CERT_LIST_NEXT(node);
-  }
-  return numCerts;
-}
-
-//Import user certificates that arrive as a CMMF base64 encoded
-//string.
-void
-nsCrypto::ImportUserCertificates(const nsAString& aNickname,
-                                 const nsAString& aCmmfResponse,
-                                 bool aDoForcedBackup,
-                                 nsAString& aReturn,
-                                 ErrorResult& aRv)
-{
-  nsNSSShutDownPreventionLock locker;
-  char *nickname=nullptr, *cmmfResponse=nullptr;
-  CMMFCertRepContent *certRepContent = nullptr;
-  int numResponses = 0;
-  nsIX509Cert **certArr = nullptr;
-  int i;
-  CMMFCertResponse *currResponse;
-  CMMFPKIStatus reqStatus;
-  CERTCertificate *currCert;
-  PK11SlotInfo *slot;
-  nsAutoCString localNick;
-  nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
-  nsresult rv = NS_OK;
-  nsCOMPtr<nsIPK11Token> token;
-
-  nickname = ToNewCString(aNickname);
-  cmmfResponse = ToNewCString(aCmmfResponse);
-  if (nsCRT::strcmp("null", nickname) == 0) {
-    nsMemory::Free(nickname);
-    nickname = nullptr;
-  }
-
-  SECItem cmmfDer = {siBuffer, nullptr, 0};
-  SECStatus srv = ATOB_ConvertAsciiToItem(&cmmfDer, cmmfResponse);
-
-  if (srv != SECSuccess) {
-    rv = NS_ERROR_FAILURE;
-    goto loser;
-  }
-
-  certRepContent = CMMF_CreateCertRepContentFromDER(CERT_GetDefaultCertDB(),
-                                                    (const char*)cmmfDer.data,
-                                                    cmmfDer.len);
-  if (!certRepContent) {
-    rv = NS_ERROR_FAILURE;
-    goto loser;
-  }
-
-  numResponses = CMMF_CertRepContentGetNumResponses(certRepContent);
-
-  if (aDoForcedBackup) {
-    //We've been asked to force the user to back up these
-    //certificates.  Let's keep an array of them around which
-    //we pass along to the nsP12Runnable to use.
-    certArr = new nsIX509Cert*[numResponses];
-    // If this is nullptr, chances are we're gonna fail really
-    // soon, but let's try to keep going just in case.
-    if (!certArr)
-      aDoForcedBackup = false;
-
-    memset(certArr, 0, sizeof(nsIX509Cert*)*numResponses);
-  }
-  for (i=0; i<numResponses; i++) {
-    currResponse = CMMF_CertRepContentGetResponseAtIndex(certRepContent,i);
-    if (!currResponse) {
-      rv = NS_ERROR_FAILURE;
-      goto loser;
-    }
-    reqStatus = CMMF_CertResponseGetPKIStatusInfoStatus(currResponse);
-    if (!(reqStatus == cmmfGranted || reqStatus == cmmfGrantedWithMods)) {
-      // The CA didn't give us the cert we requested.
-      rv = NS_ERROR_FAILURE;
-      goto loser;
-    }
-    currCert = CMMF_CertResponseGetCertificate(currResponse, 
-                                               CERT_GetDefaultCertDB());
-    if (!currCert) {
-      rv = NS_ERROR_FAILURE;
-      goto loser;
-    }
-
-    if (nsCertAlreadyExists(&currCert->derCert)) {
-      if (aDoForcedBackup) {
-        certArr[i] = nsNSSCertificate::Create(currCert);
-        if (!certArr[i])
-          goto loser;
-        NS_ADDREF(certArr[i]);
-      }
-      CERT_DestroyCertificate(currCert);
-      CMMF_DestroyCertResponse(currResponse);
-      continue;
-    }
-    // Let's figure out which nickname to give the cert.  If 
-    // a certificate with the same subject name already exists,
-    // then just use that one, otherwise, get the default nickname.
-    if (currCert->nickname) {
-      localNick = currCert->nickname;
-    }
-    else if (!nickname || nickname[0] == '\0') {
-      nsNSSCertificateDB::get_default_nickname(currCert, ctx, localNick, locker);
-    } else {
-      //This is the case where we're getting a brand new
-      //cert that doesn't have the same subjectName as a cert
-      //that already exists in our db and the CA page has 
-      //designated a nickname to use for the newly issued cert.
-      localNick = nickname;
-    }
-    {
-      char *cast_const_away = const_cast<char*>(localNick.get());
-      slot = PK11_ImportCertForKey(currCert, cast_const_away, ctx);
-    }
-    if (!slot) {
-      rv = NS_ERROR_FAILURE;
-      goto loser;
-    }
-    if (aDoForcedBackup) {
-      certArr[i] = nsNSSCertificate::Create(currCert);
-      if (!certArr[i])
-        goto loser;
-      NS_ADDREF(certArr[i]);
-    }
-    CERT_DestroyCertificate(currCert);
-
-    if (!token)
-      token = new nsPK11Token(slot);
-
-    PK11_FreeSlot(slot);
-    CMMF_DestroyCertResponse(currResponse);
-  }
-  //Let the loser: label take care of freeing up our reference to
-  //nickname (This way we don't free it twice and avoid crashing.
-  //That would be a good thing.
-
-  //Import the root chain into the cert db.
- {
-  ScopedCERTCertList caPubs(CMMF_CertRepContentGetCAPubs(certRepContent));
-  if (caPubs) {
-    int32_t numCAs = nsCertListCount(caPubs.get());
-    
-    NS_ASSERTION(numCAs > 0, "Invalid number of CA's");
-    if (numCAs > 0) {
-      CERTCertListNode *node;
-      SECItem *derCerts;
-
-      derCerts = static_cast<SECItem*>
-                            (nsMemory::Alloc(sizeof(SECItem)*numCAs));
-      if (!derCerts) {
-        rv = NS_ERROR_OUT_OF_MEMORY;
-        goto loser;
-      }
-      for (node = CERT_LIST_HEAD(caPubs), i=0; 
-           !CERT_LIST_END(node, caPubs);
-           node = CERT_LIST_NEXT(node), i++) {
-        derCerts[i] = node->cert->derCert;
-      }
-      nsNSSCertificateDB::ImportValidCACerts(numCAs, derCerts, ctx, locker);
-      nsMemory::Free(derCerts);
-    }
-  }
- }
-
-  if (aDoForcedBackup) {
-    // I can't pop up a file picker from the depths of JavaScript,
-    // so I'll just post an event on the UI queue to do the backups
-    // later.
-    nsCOMPtr<nsIRunnable> p12Runnable = new nsP12Runnable(certArr, numResponses,
-                                                          token);
-    if (!p12Runnable) {
-      rv = NS_ERROR_FAILURE;
-      goto loser;
-    }
-
-    // null out the certArr pointer which has now been inherited by
-    // the nsP12Runnable instance so that we don't free up the
-    // memory on the way out.
-    certArr = nullptr;
-
-    rv = NS_DispatchToMainThread(p12Runnable);
-    if (NS_FAILED(rv))
-      goto loser;
-  }
-
- loser:
-  if (certArr) {
-    for (i=0; i<numResponses; i++) {
-      NS_IF_RELEASE(certArr[i]);
-    }
-    delete []certArr;
-  }
-  aReturn.Assign(EmptyString());
-  if (nickname) {
-    NS_Free(nickname);
-  }
-  if (cmmfResponse) {
-    NS_Free(cmmfResponse);
-  }
-  if (certRepContent) {
-    CMMF_DestroyCertRepContent(certRepContent);
-  }
-
-  if (NS_FAILED(rv)) {
-    aRv.Throw(rv);
-  }
-}
-
-static void
-GetDocumentFromContext(JSContext *cx, nsIDocument **aDocument)
-{
-  // Get the script context.
-  nsIScriptContext* scriptContext = GetScriptContextFromJSContext(cx);
-  if (!scriptContext) {
-    return;
-  }
-
-  nsCOMPtr<nsIDOMWindow> domWindow = 
-    do_QueryInterface(scriptContext->GetGlobalObject());
-  if (!domWindow) {
-    return;
-  }
-
-  nsCOMPtr<nsIDOMDocument> domDocument;
-  domWindow->GetDocument(getter_AddRefs(domDocument));
-  if (!domDocument) {
-    return;
-  }
-
-  CallQueryInterface(domDocument, aDocument);
-
-  return;
-}
-
-void signTextOutputCallback(void *arg, const char *buf, unsigned long len)
-{
-  ((nsCString*)arg)->Append(buf, len);
-}
-
-void
-nsCrypto::SignText(JSContext* aContext,
-                   const nsAString& aStringToSign,
-                   const nsAString& aCaOption,
-                   const Sequence<nsCString>& aArgs,
-                   nsAString& aReturn)
-{
-  // XXX This code should return error codes, but we're keeping this
-  //     backwards compatible with NS4.x and so we can't throw exceptions.
-  NS_NAMED_LITERAL_STRING(internalError, "error:internalError");
-
-  aReturn.Truncate();
-
-  uint32_t argc = aArgs.Length();
-
-  if (!aCaOption.EqualsLiteral("auto") &&
-      !aCaOption.EqualsLiteral("ask")) {
-    NS_WARNING("caOption argument must be ask or auto");
-    aReturn.Append(internalError);
-
-    return;
-  }
-
-  // It was decided to always behave as if "ask" were specified.
-  // XXX Should we warn in the JS Console for auto?
-
-  nsCOMPtr<nsIInterfaceRequestor> uiContext = new PipUIContext;
-  if (!uiContext) {
-    aReturn.Append(internalError);
-
-    return;
-  }
-
-  bool bestOnly = true;
-  bool validOnly = true;
-  CERTCertList* certList =
-    CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(), certUsageEmailSigner,
-                              bestOnly, validOnly, uiContext);
-
-  uint32_t numCAs = argc;
-  if (numCAs > 0) {
-    nsAutoArrayPtr<char*> caNames(new char*[numCAs]);
-    if (!caNames) {
-      aReturn.Append(internalError);
-      return;
-    }
-
-    uint32_t i;
-    for (i = 0; i < numCAs; ++i)
-      caNames[i] = const_cast<char*>(aArgs[i].get());
-
-    if (certList &&
-        CERT_FilterCertListByCANames(certList, numCAs, caNames,
-                                     certUsageEmailSigner) != SECSuccess) {
-      aReturn.Append(internalError);
-
-      return;
-    }
-  }
-
-  if (!certList || CERT_LIST_EMPTY(certList)) {
-    aReturn.AppendLiteral("error:noMatchingCert");
-
-    return;
-  }
-
-  nsCOMPtr<nsIFormSigningDialog> fsd =
-    do_CreateInstance(NS_FORMSIGNINGDIALOG_CONTRACTID);
-  if (!fsd) {
-    aReturn.Append(internalError);
-
-    return;
-  }
-
-  nsCOMPtr<nsIDocument> document;
-  GetDocumentFromContext(aContext, getter_AddRefs(document));
-  if (!document) {
-    aReturn.Append(internalError);
-
-    return;
-  }
-
-  // Get the hostname from the URL of the document.
-  nsIURI* uri = document->GetDocumentURI();
-  if (!uri) {
-    aReturn.Append(internalError);
-
-    return;
-  }
-
-  nsresult rv;
-
-  nsCString host;
-  rv = uri->GetHost(host);
-  if (NS_FAILED(rv)) {
-    aReturn.Append(internalError);
-
-    return;
-  }
-
-  int32_t numberOfCerts = 0;
-  CERTCertListNode* node;
-  for (node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node, certList);
-       node = CERT_LIST_NEXT(node)) {
-    ++numberOfCerts;
-  }
-
-  ScopedCERTCertNicknames nicknames(getNSSCertNicknamesFromCertList(certList));
-
-  if (!nicknames) {
-    aReturn.Append(internalError);
-
-    return;
-  }
-
-  NS_ASSERTION(nicknames->numnicknames == numberOfCerts,
-               "nicknames->numnicknames != numberOfCerts");
-
-  nsAutoArrayPtr<char16_t*> certNicknameList(new char16_t*[nicknames->numnicknames * 2]);
-  if (!certNicknameList) {
-    aReturn.Append(internalError);
-
-    return;
-  }
-
-  char16_t** certDetailsList = certNicknameList.get() + nicknames->numnicknames;
-
-  int32_t certsToUse;
-  for (node = CERT_LIST_HEAD(certList), certsToUse = 0;
-       !CERT_LIST_END(node, certList) && certsToUse < nicknames->numnicknames;
-       node = CERT_LIST_NEXT(node)) {
-    RefPtr<nsNSSCertificate> tempCert(nsNSSCertificate::Create(node->cert));
-    if (tempCert) {
-      nsAutoString nickWithSerial, details;
-      rv = tempCert->FormatUIStrings(NS_ConvertUTF8toUTF16(nicknames->nicknames[certsToUse]),
-                                     nickWithSerial, details);
-      if (NS_SUCCEEDED(rv)) {
-        certNicknameList[certsToUse] = ToNewUnicode(nickWithSerial);
-        if (certNicknameList[certsToUse]) {
-          certDetailsList[certsToUse] = ToNewUnicode(details);
-          if (!certDetailsList[certsToUse]) {
-            nsMemory::Free(certNicknameList[certsToUse]);
-            continue;
-          }
-          ++certsToUse;
-        }
-      }
-    }
-  }
-
-  if (certsToUse == 0) {
-    aReturn.Append(internalError);
-
-    return;
-  }
-
-  NS_ConvertUTF8toUTF16 utf16Host(host);
-
-  CERTCertificate *signingCert = nullptr;
-  bool tryAgain, canceled;
-  nsAutoString password;
-  do {
-    // Throw up the form signing confirmation dialog and get back the index
-    // of the selected cert.
-    int32_t selectedIndex = -1;
-    rv = fsd->ConfirmSignText(uiContext, utf16Host, aStringToSign,
-                              const_cast<const char16_t**>(certNicknameList.get()),
-                              const_cast<const char16_t**>(certDetailsList),
-                              certsToUse, &selectedIndex, password,
-                              &canceled);
-    if (NS_FAILED(rv) || canceled) {
-      break; // out of tryAgain loop
-    }
-
-    int32_t j = 0;
-    for (node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node, certList);
-         node = CERT_LIST_NEXT(node)) {
-      if (j == selectedIndex) {
-        signingCert = CERT_DupCertificate(node->cert);
-        break; // out of cert list iteration loop
-      }
-      ++j;
-    }
-
-    if (!signingCert) {
-      rv = NS_ERROR_FAILURE;
-      break; // out of tryAgain loop
-    }
-
-    NS_ConvertUTF16toUTF8 pwUtf8(password);
-
-    tryAgain =
-      PK11_CheckUserPassword(signingCert->slot,
-                             const_cast<char *>(pwUtf8.get())) != SECSuccess;
-    // XXX we should show an error dialog before retrying
-  } while (tryAgain);
-
-  int32_t k;
-  for (k = 0; k < certsToUse; ++k) {
-    nsMemory::Free(certNicknameList[k]);
-    nsMemory::Free(certDetailsList[k]);
-  }
-
-  if (NS_FAILED(rv)) { // something went wrong inside the tryAgain loop
-    aReturn.Append(internalError);
-
-    return;
-  }
-
-  if (canceled) {
-    aReturn.AppendLiteral("error:userCancel");
-
-    return;
-  }
-
-  SECKEYPrivateKey* privKey = PK11_FindKeyByAnyCert(signingCert, uiContext);
-  if (!privKey) {
-    aReturn.Append(internalError);
-
-    return;
-  }
-
-  nsAutoCString charset(document->GetDocumentCharacterSet());
-
-  // XXX Doing what nsFormSubmission::GetEncoder does (see
-  //     http://bugzilla.mozilla.org/show_bug.cgi?id=81203).
-  if (charset.EqualsLiteral("ISO-8859-1")) {
-    charset.AssignLiteral("windows-1252");
-  }
-
-  nsCOMPtr<nsISaveAsCharset> encoder =
-    do_CreateInstance(NS_SAVEASCHARSET_CONTRACTID);
-  if (encoder) {
-    rv = encoder->Init(charset.get(),
-                       (nsISaveAsCharset::attr_EntityAfterCharsetConv + 
-                       nsISaveAsCharset::attr_FallbackDecimalNCR),
-                       0);
-  }
-
-  nsXPIDLCString buffer;
-  if (aStringToSign.Length() > 0) {
-    if (encoder && NS_SUCCEEDED(rv)) {
-      rv = encoder->Convert(PromiseFlatString(aStringToSign).get(),
-                            getter_Copies(buffer));
-      if (NS_FAILED(rv)) {
-        aReturn.Append(internalError);
-
-        return;
-      }
-    }
-    else {
-      AppendUTF16toUTF8(aStringToSign, buffer);
-    }
-  }
-
-  HASHContext *hc = HASH_Create(HASH_AlgSHA1);
-  if (!hc) {
-    aReturn.Append(internalError);
-
-    return;
-  }
-
-  unsigned char hash[SHA1_LENGTH];
-
-  SECItem digest;
-  digest.data = hash;
-
-  HASH_Begin(hc);
-  HASH_Update(hc, reinterpret_cast<const unsigned char*>(buffer.get()),
-              buffer.Length());
-  HASH_End(hc, digest.data, &digest.len, SHA1_LENGTH);
-  HASH_Destroy(hc);
-
-  nsCString p7;
-  SECStatus srv = SECFailure;
-
-  SEC_PKCS7ContentInfo *ci = SEC_PKCS7CreateSignedData(signingCert,
-                                                       certUsageEmailSigner,
-                                                       nullptr, SEC_OID_SHA1,
-                                                       &digest, nullptr, uiContext);
-  if (ci) {
-    srv = SEC_PKCS7IncludeCertChain(ci, nullptr);
-    if (srv == SECSuccess) {
-      srv = SEC_PKCS7AddSigningTime(ci);
-      if (srv == SECSuccess) {
-        srv = SEC_PKCS7Encode(ci, signTextOutputCallback, &p7, nullptr, nullptr,
-                              uiContext);
-      }
-    }
-
-    SEC_PKCS7DestroyContentInfo(ci);
-  }
-
-  if (srv != SECSuccess) {
-    aReturn.Append(internalError);
-
-    return;
-  }
-
-  SECItem binary_item;
-  binary_item.data = reinterpret_cast<unsigned char*>
-                                     (const_cast<char*>(p7.get()));
-  binary_item.len = p7.Length();
-
-  char *result = NSSBase64_EncodeItem(nullptr, nullptr, 0, &binary_item);
-  if (result) {
-    AppendASCIItoUTF16(result, aReturn);
-  }
-  else {
-    aReturn.Append(internalError);
-  }
-
-  PORT_Free(result);
-
-  return;
-}
-
-void
-nsCrypto::Logout(ErrorResult& aRv)
-{
-  NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
-
-  nsresult rv;
-  nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv));
-  if (NS_FAILED(rv)) {
-    aRv.Throw(rv);
-    return;
-  }
-
-  {
-    nsNSSShutDownPreventionLock locker;
-    PK11_LogoutAll();
-    SSL_ClearSessionCache();
-  }
-
-  rv = nssComponent->LogoutAuthenticatedPK11();
-  if (NS_FAILED(rv)) {
-    aRv.Throw(rv);
-  }
-}
-
-CRMFObject::CRMFObject()
-{
-  MOZ_COUNT_CTOR(CRMFObject);
-}
-
-CRMFObject::~CRMFObject()
-{
-  MOZ_COUNT_DTOR(CRMFObject);
-}
-
-JSObject*
-CRMFObject::WrapObject(JSContext *aCx, bool* aTookOwnership)
-{
-  return CRMFObjectBinding::Wrap(aCx, this, aTookOwnership);
-}
-
-void
-CRMFObject::GetRequest(nsAString& aRequest)
-{
-  aRequest.Assign(mBase64Request);
-}
-
-nsresult
-CRMFObject::SetCRMFRequest(char *inRequest)
-{
-  mBase64Request.AssignWithConversion(inRequest);  
-  return NS_OK;
-}
-
-#endif // MOZ_DISABLE_CRYPTOLEGACY
-
 nsPkcs11::nsPkcs11()
 {
 }
 
 nsPkcs11::~nsPkcs11()
 {
 }
 
@@ -2843,17 +50,17 @@ nsPkcs11::DeleteModule(const nsAString& 
   }
   
   NS_ConvertUTF16toUTF8 modName(aModuleName);
   int32_t modType;
   SECStatus srv = SECMOD_DeleteModule(modName.get(), &modType);
   if (srv == SECSuccess) {
     SECMODModule *module = SECMOD_FindModule(modName.get());
     if (module) {
-#ifndef MOZ_DISABLE_CRYPTOLEGACY
+#ifndef MOZ_NO_SMART_CARDS
       nssComponent->ShutdownSmartCardThread(module);
 #endif
       SECMOD_DestroyModule(module);
     }
     rv = NS_OK;
   } else {
     rv = NS_ERROR_FAILURE;
   }
@@ -2879,17 +86,17 @@ nsPkcs11::AddModule(const nsAString& aMo
   NS_CopyUnicodeToNative(aLibraryFullPath, fullPath);
   uint32_t mechFlags = SECMOD_PubMechFlagstoInternal(aCryptoMechanismFlags);
   uint32_t cipherFlags = SECMOD_PubCipherFlagstoInternal(aCipherFlags);
   SECStatus srv = SECMOD_AddNewModule(moduleName.get(), fullPath.get(), 
                                       mechFlags, cipherFlags);
   if (srv == SECSuccess) {
     SECMODModule *module = SECMOD_FindModule(moduleName.get());
     if (module) {
-#ifndef MOZ_DISABLE_CRYPTOLEGACY
+#ifndef MOZ_NO_SMART_CARDS
       nssComponent->LaunchSmartCardThread(module);
 #endif
       SECMOD_DestroyModule(module);
     }
   }
 
   // The error message we report to the user depends directly on 
   // what the return value for SEDMOD_AddNewModule is
@@ -2899,9 +106,8 @@ nsPkcs11::AddModule(const nsAString& aMo
   case SECFailure:
     return NS_ERROR_FAILURE;
   case -2:
     return NS_ERROR_ILLEGAL_VALUE;
   }
   NS_ERROR("Bogus return value, this should never happen");
   return NS_ERROR_FAILURE;
 }
-
--- a/security/manager/ssl/src/nsCrypto.h
+++ b/security/manager/ssl/src/nsCrypto.h
@@ -1,107 +1,16 @@
 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #ifndef _nsCrypto_h_
 #define _nsCrypto_h_
 
-#include "mozilla/dom/BindingDeclarations.h"
-#include "mozilla/ErrorResult.h"
-#ifndef MOZ_DISABLE_CRYPTOLEGACY
-#include "mozilla/dom/NonRefcountedDOMObject.h"
-#include "Crypto.h"
-#include "nsCOMPtr.h"
-#include "nsIDOMCryptoLegacy.h"
-#include "nsIRunnable.h"
-#include "nsString.h"
-#include "nsIPrincipal.h"
-
-#define NS_CRYPTO_CID \
-  {0x929d9320, 0x251e, 0x11d4, { 0x8a, 0x7c, 0x00, 0x60, 0x08, 0xc8, 0x44, 0xc3} }
-#define PSM_VERSION_STRING "2.4"
-
-class nsIPSMComponent;
-class nsIDOMScriptObjectFactory;
-
-namespace mozilla {
-namespace dom {
-
-class CRMFObject : public NonRefcountedDOMObject
-{
-public:
-  CRMFObject();
-  virtual ~CRMFObject();
-
-  nsresult SetCRMFRequest(char *inRequest);
-
-  JSObject* WrapObject(JSContext *aCx, bool* aTookOwnership);
-
-  void GetRequest(nsAString& aRequest);
-
-private:
-  nsString mBase64Request;
-};
-
-}
-}
-
-class nsCrypto: public mozilla::dom::Crypto
-{
-public:
-  nsCrypto();
-
-  NS_DECL_ISUPPORTS_INHERITED
-
-  // If legacy DOM crypto is enabled this is the class that actually
-  // implements the legacy methods.
-  NS_DECL_NSIDOMCRYPTO
-
-  virtual bool EnableSmartCardEvents() MOZ_OVERRIDE;
-  virtual void SetEnableSmartCardEvents(bool aEnable,
-                                        mozilla::ErrorResult& aRv) MOZ_OVERRIDE;
-
-  virtual void GetVersion(nsString& aVersion) MOZ_OVERRIDE;
-
-  virtual mozilla::dom::CRMFObject*
-  GenerateCRMFRequest(JSContext* aContext,
-                      const nsCString& aReqDN,
-                      const nsCString& aRegToken,
-                      const nsCString& aAuthenticator,
-                      const nsCString& aEaCert,
-                      const nsCString& aJsCallback,
-                      const mozilla::dom::Sequence<JS::Value>& aArgs,
-                      mozilla::ErrorResult& aRv) MOZ_OVERRIDE;
-
-  virtual void ImportUserCertificates(const nsAString& aNickname,
-                                      const nsAString& aCmmfResponse,
-                                      bool aDoForcedBackup,
-                                      nsAString& aReturn,
-                                      mozilla::ErrorResult& aRv) MOZ_OVERRIDE;
-
-  virtual void SignText(JSContext* aContext,
-                        const nsAString& aStringToSign,
-                        const nsAString& aCaOption,
-                        const mozilla::dom::Sequence<nsCString>& aArgs,
-                        nsAString& aReturn) MOZ_OVERRIDE;
-
-  virtual void Logout(mozilla::ErrorResult& aRv) MOZ_OVERRIDE;
-
-protected:
-  virtual ~nsCrypto();
-
-private:
-  static already_AddRefed<nsIPrincipal> GetScriptPrincipal(JSContext *cx);
-
-  bool mEnableSmartCardEvents;
-};
-#endif // MOZ_DISABLE_CRYPTOLEGACY
-
 #include "nsIPKCS11.h"
 
 #define NS_PKCS11_CID \
   {0x74b7a390, 0x3b41, 0x11d4, { 0x8a, 0x80, 0x00, 0x60, 0x08, 0xc8, 0x44, 0xc3} }
 
 class nsPkcs11 : public nsIPKCS11
 {
 public:
--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@@ -18,17 +18,17 @@
 #include "nsComponentManagerUtils.h"
 #include "nsDirectoryServiceDefs.h"
 #include "nsICertOverrideService.h"
 #include "mozilla/Preferences.h"
 #include "nsThreadUtils.h"
 #include "mozilla/PublicSSL.h"
 #include "mozilla/StaticPtr.h"
 
-#ifndef MOZ_DISABLE_CRYPTOLEGACY
+#ifndef MOZ_NO_SMART_CARDS
 #include "nsSmartCardMonitor.h"
 #endif
 
 #include "nsCRT.h"
 #include "nsNTLMAuthModule.h"
 #include "nsIFile.h"
 #include "nsIProperties.h"
 #include "nsIWindowWatcher.h"
@@ -207,17 +207,17 @@ GetOCSPBehaviorFromPrefs(/*out*/ CertVer
        : CertVerifier::ocsp_get_disabled;
 
   SSL_ClearSessionCache();
 }
 
 nsNSSComponent::nsNSSComponent()
   :mutex("nsNSSComponent.mutex"),
    mNSSInitialized(false),
-#ifndef MOZ_DISABLE_CRYPTOLEGACY
+#ifndef MOZ_NO_SMART_CARDS
    mThreadList(nullptr),
 #endif
    mCertVerificationThread(nullptr)
 {
 #ifdef PR_LOGGING
   if (!gPIPNSSLog)
     gPIPNSSLog = PR_NewLogModule("pipnss");
 #endif
@@ -351,17 +351,17 @@ nsNSSComponent::GetNSSBundleString(const
       outString = result;
       rv = NS_OK;
     }
   }
 
   return rv;
 }
 
-#ifndef MOZ_DISABLE_CRYPTOLEGACY
+#ifndef MOZ_NO_SMART_CARDS
 void
 nsNSSComponent::LaunchSmartCardThreads()
 {
   nsNSSShutDownPreventionLock locker;
   {
     SECMODModuleList* list;
     SECMODListLock* lock = SECMOD_GetDefaultModuleListLock();
     if (!lock) {
@@ -407,17 +407,17 @@ nsNSSComponent::ShutdownSmartCardThread(
 }
 
 void
 nsNSSComponent::ShutdownSmartCardThreads()
 {
   delete mThreadList;
   mThreadList = nullptr;
 }
-#endif // MOZ_DISABLE_CRYPTOLEGACY
+#endif // MOZ_NO_SMART_CARDS
 
 void
 nsNSSComponent::LoadLoadableRoots()
 {
   nsNSSShutDownPreventionLock locker;
   SECMODModule* RootsModule = nullptr;
 
   // In the past we used SECMOD_AddNewModule to load our module containing
@@ -1028,17 +1028,17 @@ nsNSSComponent::InitializeNSS()
     return NS_ERROR_FAILURE;
   }
 
   // dynamic options from prefs
   setValidationOptions(true, lock);
 
   mHttpForNSS.initTable();
 
-#ifndef MOZ_DISABLE_CRYPTOLEGACY
+#ifndef MOZ_NO_SMART_CARDS
   LaunchSmartCardThreads();
 #endif
 
   mozilla::pkix::RegisterErrorTable();
 
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("NSS Initialization done\n"));
   return NS_OK;
 }
@@ -1058,17 +1058,17 @@ nsNSSComponent::ShutdownNSS()
 
     PK11_SetPasswordFunc((PK11PasswordFunc)nullptr);
 
     Preferences::RemoveObserver(this, "security.");
     if (NS_FAILED(CipherSuiteChangeObserver::StopObserve())) {
       PR_LOG(gPIPNSSLog, PR_LOG_ERROR, ("nsNSSComponent::ShutdownNSS cannot stop observing cipher suite change\n"));
     }
 
-#ifndef MOZ_DISABLE_CRYPTOLEGACY
+#ifndef MOZ_NO_SMART_CARDS
     ShutdownSmartCardThreads();
 #endif
     SSL_ClearSessionCache();
     UnloadLoadableRoots();
 #ifndef MOZ_NO_EV_CERTS
     CleanupIdentityInfo();
 #endif
     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("evaporating psm resources\n"));
--- a/security/manager/ssl/src/nsNSSComponent.h
+++ b/security/manager/ssl/src/nsNSSComponent.h
@@ -9,18 +9,16 @@
 
 #include "mozilla/Mutex.h"
 #include "mozilla/RefPtr.h"
 #include "nsCOMPtr.h"
 #include "nsIEntropyCollector.h"
 #include "nsIStringBundle.h"
 #include "nsIObserver.h"
 #include "nsIObserverService.h"
-#ifndef MOZ_DISABLE_CRYPTOLEGACY
-#endif
 #include "nsINSSErrorsService.h"
 #include "nsNSSCallbacks.h"
 #include "SharedCertVerifier.h"
 #include "nsNSSHelper.h"
 #include "nsClientAuthRemember.h"
 #include "prerror.h"
 
 class nsIDOMWindow;
@@ -82,17 +80,17 @@ class NS_NO_VTABLE nsINSSComponent : pub
                                 nsAString& outString) = 0;
   NS_IMETHOD NSSBundleFormatStringFromName(const char* name,
                                            const char16_t** params,
                                            uint32_t numParams,
                                            nsAString& outString) = 0;
 
   NS_IMETHOD LogoutAuthenticatedPK11() = 0;
 
-#ifndef MOZ_DISABLE_CRYPTOLEGACY
+#ifndef MOZ_NO_SMART_CARDS
   NS_IMETHOD LaunchSmartCardThread(SECMODModule* module) = 0;
 
   NS_IMETHOD ShutdownSmartCardThread(SECMODModule* module) = 0;
 #endif
 
   NS_IMETHOD IsNSSInitialized(bool* initialized) = 0;
 
   virtual ::mozilla::TemporaryRef<mozilla::psm::SharedCertVerifier>
@@ -135,17 +133,17 @@ public:
                                            nsAString& outString);
   NS_IMETHOD GetNSSBundleString(const char* name, nsAString& outString);
   NS_IMETHOD NSSBundleFormatStringFromName(const char* name,
                                            const char16_t** params,
                                            uint32_t numParams,
                                            nsAString& outString);
   NS_IMETHOD LogoutAuthenticatedPK11();
 
-#ifndef MOZ_DISABLE_CRYPTOLEGACY
+#ifndef MOZ_NO_SMART_CARDS
   NS_IMETHOD LaunchSmartCardThread(SECMODModule* module);
   NS_IMETHOD ShutdownSmartCardThread(SECMODModule* module);
   void LaunchSmartCardThreads();
   void ShutdownSmartCardThreads();
   nsresult DispatchEventToWindow(nsIDOMWindow* domWin,
                                  const nsAString& eventType,
                                  const nsAString& token);
 #endif
@@ -182,17 +180,17 @@ private:
   Mutex mutex;
 
   nsCOMPtr<nsIStringBundle> mPIPNSSBundle;
   nsCOMPtr<nsIStringBundle> mNSSErrorsBundle;
   bool mNSSInitialized;
   bool mObserversRegistered;
   static int mInstanceCount;
   nsNSSShutDownList* mShutdownObjectList;
-#ifndef MOZ_DISABLE_CRYPTOLEGACY
+#ifndef MOZ_NO_SMART_CARDS
   SmartCardThreadList* mThreadList;
 #endif
   bool mIsNetworkDown;
 
   void deleteBackgroundThreads();
   void createBackgroundThreads();
   nsCertVerificationThread* mCertVerificationThread;
 
--- a/security/manager/ssl/src/nsNSSModule.cpp
+++ b/security/manager/ssl/src/nsNSSModule.cpp
@@ -183,19 +183,16 @@ NS_NSS_GENERIC_FACTORY_CONSTRUCTOR_BYPRO
                                              nsNSSCertificate,
                                              nsNSSCertificateFakeTransport)
 NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsNSSCertificateDB)
 NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsNSSCertCache)
 NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsNSSCertList)
 #ifdef MOZ_XUL
 NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsCertTree)
 #endif
-#ifndef MOZ_DISABLE_CRYPTOLEGACY
-NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsCrypto)
-#endif
 NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsPkcs11)
 NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsCertPicker)
 NS_NSS_GENERIC_FACTORY_CONSTRUCTOR_INIT(nssEnsure, nsNTLMAuthModule, InitTest)
 NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsCryptoHash)
 NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsCryptoHMAC)
 NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsStreamCipher)
 NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsKeyObject)
 NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsKeyObjectFactory)
@@ -220,19 +217,16 @@ NS_DEFINE_NAMED_CID(NS_X509CERT_CID);
 NS_DEFINE_NAMED_CID(NS_X509CERTDB_CID);
 NS_DEFINE_NAMED_CID(NS_X509CERTLIST_CID);
 NS_DEFINE_NAMED_CID(NS_NSSCERTCACHE_CID);
 NS_DEFINE_NAMED_CID(NS_FORMPROCESSOR_CID);
 #ifdef MOZ_XUL
 NS_DEFINE_NAMED_CID(NS_CERTTREE_CID);
 #endif
 NS_DEFINE_NAMED_CID(NS_PKCS11_CID);
-#ifndef MOZ_DISABLE_CRYPTOLEGACY
-NS_DEFINE_NAMED_CID(NS_CRYPTO_CID);
-#endif
 NS_DEFINE_NAMED_CID(NS_CRYPTO_HASH_CID);
 NS_DEFINE_NAMED_CID(NS_CRYPTO_HMAC_CID);
 NS_DEFINE_NAMED_CID(NS_CERT_PICKER_CID);
 NS_DEFINE_NAMED_CID(NS_NTLMAUTHMODULE_CID);
 NS_DEFINE_NAMED_CID(NS_STREAMCIPHER_CID);
 NS_DEFINE_NAMED_CID(NS_KEYMODULEOBJECT_CID);
 NS_DEFINE_NAMED_CID(NS_KEYMODULEOBJECTFACTORY_CID);
 NS_DEFINE_NAMED_CID(NS_DATASIGNATUREVERIFIER_CID);
@@ -255,19 +249,16 @@ static const mozilla::Module::CIDEntry k
   { &kNS_X509CERTDB_CID, false, nullptr, nsNSSCertificateDBConstructor },
   { &kNS_X509CERTLIST_CID, false, nullptr, nsNSSCertListConstructor },
   { &kNS_NSSCERTCACHE_CID, false, nullptr, nsNSSCertCacheConstructor },
   { &kNS_FORMPROCESSOR_CID, false, nullptr, nsKeygenFormProcessor::Create },
 #ifdef MOZ_XUL
   { &kNS_CERTTREE_CID, false, nullptr, nsCertTreeConstructor },
 #endif
   { &kNS_PKCS11_CID, false, nullptr, nsPkcs11Constructor },
-#ifndef MOZ_DISABLE_CRYPTOLEGACY
-  { &kNS_CRYPTO_CID, false, nullptr, nsCryptoConstructor },
-#endif
   { &kNS_CRYPTO_HASH_CID, false, nullptr, nsCryptoHashConstructor },
   { &kNS_CRYPTO_HMAC_CID, false, nullptr, nsCryptoHMACConstructor },
   { &kNS_CERT_PICKER_CID, false, nullptr, nsCertPickerConstructor },
   { &kNS_NTLMAUTHMODULE_CID, false, nullptr, nsNTLMAuthModuleConstructor },
   { &kNS_STREAMCIPHER_CID, false, nullptr, nsStreamCipherConstructor },
   { &kNS_KEYMODULEOBJECT_CID, false, nullptr, nsKeyObjectConstructor },
   { &kNS_KEYMODULEOBJECTFACTORY_CID, false, nullptr, nsKeyObjectFactoryConstructor },
   { &kNS_DATASIGNATUREVERIFIER_CID, false, nullptr, nsDataSignatureVerifierConstructor },
@@ -293,19 +284,16 @@ static const mozilla::Module::ContractID
   { NS_X509CERTDB_CONTRACTID, &kNS_X509CERTDB_CID },
   { NS_X509CERTLIST_CONTRACTID, &kNS_X509CERTLIST_CID },
   { NS_NSSCERTCACHE_CONTRACTID, &kNS_NSSCERTCACHE_CID },
   { NS_FORMPROCESSOR_CONTRACTID, &kNS_FORMPROCESSOR_CID },
 #ifdef MOZ_XUL
   { NS_CERTTREE_CONTRACTID, &kNS_CERTTREE_CID },
 #endif
   { NS_PKCS11_CONTRACTID, &kNS_PKCS11_CID },
-#ifndef MOZ_DISABLE_CRYPTOLEGACY
-  { NS_CRYPTO_CONTRACTID, &kNS_CRYPTO_CID },
-#endif
   { NS_CRYPTO_HASH_CONTRACTID, &kNS_CRYPTO_HASH_CID },
   { NS_CRYPTO_HMAC_CONTRACTID, &kNS_CRYPTO_HMAC_CID },
   { NS_CERT_PICKER_CONTRACTID, &kNS_CERT_PICKER_CID },
   { "@mozilla.org/uriloader/psm-external-content-listener;1", &kNS_PSMCONTENTLISTEN_CID },
   { NS_CRYPTO_FIPSINFO_SERVICE_CONTRACTID, &kNS_PKCS11MODULEDB_CID },
   { NS_NTLMAUTHMODULE_CONTRACTID, &kNS_NTLMAUTHMODULE_CID },
   { NS_STREAMCIPHER_CONTRACTID, &kNS_STREAMCIPHER_CID },
   { NS_KEYMODULEOBJECT_CONTRACTID, &kNS_KEYMODULEOBJECT_CID },
--- a/security/manager/ssl/src/nsSmartCardMonitor.cpp
+++ b/security/manager/ssl/src/nsSmartCardMonitor.cpp
@@ -1,29 +1,22 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "nspr.h"
 
-#include "mozilla/dom/SmartCardEvent.h"
 #include "mozilla/Services.h"
 #include "mozilla/unused.h"
-#include "nsIDOMCryptoLegacy.h"
-#include "nsIDOMDocument.h"
-#include "nsIDOMWindow.h"
-#include "nsIDOMWindowCollection.h"
 #include "nsIObserverService.h"
-#include "nsISimpleEnumerator.h"
-#include "nsIWindowWatcher.h"
 #include "nsServiceManagerUtils.h"
 #include "nsSmartCardMonitor.h"
+#include "nsThreadUtils.h"
 #include "pk11func.h"
 
 using namespace mozilla;
-using namespace mozilla::dom;
 
 //
 // The SmartCard monitoring thread should start up for each module we load
 // that has removable tokens. This code calls an NSS function which waits
 // until there is a change in the token state. NSS uses the
 // C_WaitForSlotEvent() call in PKCS #11 if the module implements the call,
 // otherwise NSS will poll the token in a loop with a delay of 'latency'
 // between polls. Note that the C_WaitForSlotEvent() may wake up on any type
@@ -45,17 +38,16 @@ public:
   {
   }
 
   NS_DECL_THREADSAFE_ISUPPORTS
   NS_DECL_NSIRUNNABLE
 
 private:
   virtual ~nsTokenEventRunnable() {}
-  nsresult DispatchEventToWindow(nsIDOMWindow* domWin);
 
   nsString mType;
   nsString mTokenName;
 };
 
 NS_IMPL_ISUPPORTS(nsTokenEventRunnable, nsIRunnable)
 
 NS_IMETHODIMP
@@ -66,131 +58,18 @@ nsTokenEventRunnable::Run()
   nsCOMPtr<nsIObserverService> observerService =
     mozilla::services::GetObserverService();
   if (!observerService) {
     return NS_ERROR_FAILURE;
   }
   // This conversion is safe because mType can only be "smartcard-insert"
   // or "smartcard-remove".
   NS_ConvertUTF16toUTF8 eventTypeUTF8(mType);
-  nsresult rv = observerService->NotifyObservers(nullptr, eventTypeUTF8.get(),
-                                                 mTokenName.get());
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-
-  // 'Dispatch' the event to all the windows. 'DispatchEventToWindow()' will
-  // first check to see if a given window has requested crypto events.
-  nsCOMPtr<nsIWindowWatcher> windowWatcher =
-    do_GetService(NS_WINDOWWATCHER_CONTRACTID, &rv);
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-
-  nsCOMPtr<nsISimpleEnumerator> enumerator;
-  rv = windowWatcher->GetWindowEnumerator(getter_AddRefs(enumerator));
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-
-  for (;;) {
-    bool hasMoreWindows;
-    rv = enumerator->HasMoreElements(&hasMoreWindows);
-    if (NS_FAILED(rv) || !hasMoreWindows) {
-      return rv;
-    }
-    nsCOMPtr<nsISupports> supports;
-    enumerator->GetNext(getter_AddRefs(supports));
-    nsCOMPtr<nsIDOMWindow> domWin(do_QueryInterface(supports));
-    if (domWin) {
-      rv = DispatchEventToWindow(domWin);
-      if (NS_FAILED(rv)) {
-        return rv;
-      }
-    }
-  }
-  return rv;
-}
-
-nsresult
-nsTokenEventRunnable::DispatchEventToWindow(nsIDOMWindow* domWin)
-{
-  MOZ_ASSERT(NS_IsMainThread());
-  MOZ_ASSERT(domWin);
-
-  // first walk the children and dispatch their events
-  nsCOMPtr<nsIDOMWindowCollection> frames;
-  nsresult rv = domWin->GetFrames(getter_AddRefs(frames));
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-
-  uint32_t length;
-  rv = frames->GetLength(&length);
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-  for (uint32_t i = 0; i < length; i++) {
-    nsCOMPtr<nsIDOMWindow> childWin;
-    rv = frames->Item(i, getter_AddRefs(childWin));
-    if (NS_FAILED(rv)) {
-      return rv;
-    }
-    if (domWin) {
-      rv = DispatchEventToWindow(childWin);
-      if (NS_FAILED(rv)) {
-        return rv;
-      }
-    }
-  }
-
-  // check if we've enabled smart card events on this window
-  // NOTE: it's not an error to say that we aren't going to dispatch
-  // the event.
-  nsCOMPtr<nsIDOMCrypto> crypto;
-  rv = domWin->GetCrypto(getter_AddRefs(crypto));
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-  if (!crypto) {
-    return NS_OK; // nope, it doesn't have a crypto property
-  }
-
-  bool boolrv;
-  rv = crypto->GetEnableSmartCardEvents(&boolrv);
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-  if (!boolrv) {
-    return NS_OK; // nope, it's not enabled.
-  }
-
-  // dispatch the event ...
-
-  // find the document
-  nsCOMPtr<nsIDOMDocument> doc;
-  rv = domWin->GetDocument(getter_AddRefs(doc));
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-  if (!doc) {
-    return NS_ERROR_FAILURE;
-  }
-
-  nsCOMPtr<EventTarget> d = do_QueryInterface(doc);
-
-  SmartCardEventInit init;
-  init.mBubbles = false;
-  init.mCancelable = true;
-  init.mTokenName = mTokenName;
-
-  nsRefPtr<SmartCardEvent> event(SmartCardEvent::Constructor(d, mType, init));
-  event->SetTrusted(true);
-
-  return d->DispatchEvent(event, &boolrv);
+  return observerService->NotifyObservers(nullptr, eventTypeUTF8.get(),
+                                          mTokenName.get());
 }
 
 // self linking and removing double linked entry
 // adopts the thread it is passed.
 class SmartCardThreadEntry
 {
 public:
   friend class SmartCardThreadList;
deleted file mode 100644
--- a/security/manager/ssl/tests/mochitest/bugs/mochitest-legacy.ini
+++ /dev/null
@@ -1,2 +0,0 @@
-[test_generateCRMFRequest.html]
-skip-if = e10s
\ No newline at end of file
--- a/security/manager/ssl/tests/mochitest/bugs/moz.build
+++ b/security/manager/ssl/tests/mochitest/bugs/moz.build
@@ -1,14 +1,9 @@
 # -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
 # vim: set filetype=python:
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 MOCHITEST_MANIFESTS += ['mochitest.ini']
-# test_generateCRMFRequest.html tests crypto.generateCRMFRequest, which isn't
-# available if legacy crypto has been disabled.
-if not CONFIG['MOZ_DISABLE_CRYPTOLEGACY']:
-    MOCHITEST_MANIFESTS += ['mochitest-legacy.ini']
-
 MOCHITEST_CHROME_MANIFESTS += ['chrome.ini']
 
deleted file mode 100644
--- a/security/manager/ssl/tests/mochitest/bugs/test_generateCRMFRequest.html
+++ /dev/null
@@ -1,146 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <title>crypto.generateCRMFRequest bugs</title>
-  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-</head>
-<body onload="onWindowLoad()">
-<script class="testbody" type="text/javascript">
-
-  SimpleTest.waitForExplicitFinish();
-
-  function onWindowLoad() {
-    SpecialPowers.pushPrefEnv({"set": [["dom.unsafe_legacy_crypto.enabled", true]]},
-                              runTest);
-  }
-
-  function runTest() {
-    // Does it work at all?
-    try {
-      var crmfObject = crypto.generateCRMFRequest("CN=undefined", "regToken",
-                                                  "authenticator", null, "",
-                                                  512, null, "  rsa-ex   ",
-                                                  1024, null, "\r\n\t rsa-sign\t");
-      ok(true, "no exception thrown in generateCRMFRequest");
-    } catch (e) {
-      ok(false, "unexpected exception: " + e);
-    }
-
-    // bug 849553
-    // This should fail because 8 is too small of a key size.
-    try {
-      var crmfObject = crypto.generateCRMFRequest("CN=undefined", "regToken",
-                                                  "authenticator", null, "",
-                                                  8, null, "rsa-ex",
-                                                  1024, null, "rsa-sign");
-      ok(false, "execution should not reach this line");
-    } catch (e) {
-      is(e.toString(), "Error: error:could not generate the key for algorithm rsa-ex", "expected exception");
-    }
-    // This should fail because 65536 is too large of a key size.
-    try {
-      var crmfObject = crypto.generateCRMFRequest("CN=undefined", "regToken",
-                                                  "authenticator", null, "",
-                                                  65536, null, "rsa-ex",
-                                                  1024, null, "rsa-sign");
-      ok(false, "execution should not reach this line");
-    } catch (e) {
-      is(e.toString(), "Error: error:could not generate the key for algorithm rsa-ex", "expected exception");
-    }
-
-    // bug 882865
-    var o200 = document.documentElement;
-    var o1 = crypto;
-    try {
-      o1.generateCRMFRequest("undefined", o200, 'X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X', null, o1, 1404343237, Math.PI, []);
-      ok(false, "execution should not reach this line");
-    } catch (e) {
-      // The 'key generation argument' in this case was an empty array,
-      // which gets interpreted as an empty string.
-      is(e.toString(), "Error: error:invalid key generation argument:", "expected exception");
-    }
-
-    // Test that an rsa certificate isn't used to generate an ec key.
-    try {
-      var crmfObject = crypto.generateCRMFRequest("CN=a", "a", "a", null, "",
-                         1024, "popcert=MIIBjzCB+aADAgECAgUAnVC3BjANBgkqhkiG9w0BAQUFADAMMQowCAYDVQQDEwFhMB4XDTEzMTEwNjE3NDU1NFoXDTIzMTEwNjE3NDU1NFowDDEKMAgGA1UEAxMBYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3G2mwjE8IGVwv6H1NGZFSKE3UrTsgez2DtNIYb5zdi0P0w9SbmL2GWfveu9DZhRebhVz7QSMPKLagI4aoIzoP5BxRl7a8wR5wbU0z8qXnAvy9p3Ex5oN5vX47TWB7cnItoWpi6A81GSn5X1CFFHhVCEwnQsHuWXrEvLD5hrfdmcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCNo+yLKfAd2NBI5DUpwgHSFBA+59pdNtHY7E2KZjyc9tXN6PHkPp8nScVCtk0g60j4aiiZQm8maPQPLo7Hipgpk83iYqquHRvcJVX4fWJpS/7vX+qTNT0hRiKRhVlI6S4Ttp2J2W6uxy2xxeqC6nBbU98QmDj3UQAY31LyejbecQ==", "ec-dual-use");
-      ok(crmfObject, "generateCRMFRequest succeeded");
-      var request = crmfObject.request;
-      var bytes = atob(request.replace(/\r\n/g, ""));
-
-      // rsaEncryption oid encoded in the request (as ASN1)
-      var badIdentifier = [ 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
-                            0x01, 0x01, 0x01 ];
-      ok(!findIdentifierInString(badIdentifier, bytes),
-         "didn't find bad identifier in request");
-
-      // secp256r1 encoded in the request (as ASN1) (this is the default for
-      // a "1024-bit" ec key)
-      var goodIdentifier = [ 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03,
-                             0x01, 0x07 ];
-      ok(findIdentifierInString(goodIdentifier, bytes),
-         "found good identifier in request");
-    } catch (e) {
-      ok(false, "unexpected exception: " + e);
-    }
-
-    // Test that only the first of repeated keygen parameters are used.
-    try {
-      var curveCrmfObject = crypto.generateCRMFRequest("CN=a", "a", "a", null,
-                              "", 1024, "curve=secp521r1;curve=nistp384",
-                              "ec-dual-use");
-      ok(curveCrmfObject, "generateCRMFRequest succeeded");
-      var curveRequest = curveCrmfObject.request;
-      var curveBytes = atob(curveRequest.replace(/\r\n/g, ""));
-
-      // nistp384 encoded in the request (as ASN1)
-      var badIdentifier = [ 0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x22 ];
-      ok(!findIdentifierInString(badIdentifier, curveBytes),
-         "didn't find bad identifier in curve request");
-
-      // secp512r1 encoded in the request (as ASN1)
-      var goodIdentifier = [ 0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x23 ];
-      ok(findIdentifierInString(goodIdentifier, curveBytes),
-         "found good identifier in curve request");
-
-      // The popcert=MII... values are base-64 encodings of self-signed
-      // certificates. The key of the first one is a secp521r1 key, whereas
-      // the second is nistp384.
-      var popcertCrmfObject = crypto.generateCRMFRequest("CN=a", "a", "a",
-                                null, "", 1024, "popcert=MIIBjjCB8aADAgECAgUAnVEmVTAJBgcqhkjOPQQBMAwxCjAIBgNVBAMTAWkwHhcNMTMxMTA2MjE1NDUxWhcNMTQwMjA2MjE1NDUxWjAMMQowCAYDVQQDEwFpMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA5juM0J3Od2Ih4s0ZiTkzVkh96J4yO12/L71df3GWy/Ex3LaGcew/EucY5ZITEqNHn22+3pKf3pwL6GJ/zA/foJwBspiE42ITo2BHHXl2Uuf1QK70UH5gzaqf1Cc4lPv3ibOf3EAmHx0a8sdDxRlUN2+V38iYWnMmV1qf4jM15fsYEDMwCQYHKoZIzj0EAQOBjAAwgYgCQgDO34oQkVDNkwtto1OAEbFZgq1xP9aqc+Nt7vnOuEGTISdFXCjlhon7SysTejFhO8d8wG500NrlJEmaie9FJbmWpQJCARcVtnC0K+ilxz307GyuANTaLEd7vBJxTAho8l6xkibNoxY1D9+hcc6ECbK7PCtAaysZoAVx5XhJlsnFdJdDj3wG;popcert=MIIBRDCBy6ADAgECAgUAnVEotzAJBgcqhkjOPQQBMAwxCjAIBgNVBAMTAWkwHhcNMTMxMTA2MjIwMDExWhcNMTQwMjA2MjIwMDExWjAMMQowCAYDVQQDEwFpMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEXjFpZ9bodzikeN4C8p2mVj1Ia1t+8zIndSavQHmxaD3+kvhkt18+P20ZagfBOaVEQZdArZ6KxBeW9oYZqaNpqHLveGlKYi6u9z5FyozAx4MXzyLdfu+bzOLIsryKRnLFMAkGByqGSM49BAEDaQAwZgIxAJDawIJLQ5iZsJVC3vV1YEKsI2aNEicdZ3YTMp/zUy+64Z2/cjyyfa7d5m1xKLDBogIxANHOQoy/7DioCyWNDDzx5QK0M24dOURVWRXsxjAjrg4vDmV/fkVzwpUzIr5fMgXEyQ==", "ec-dual-use");
-      ok(popcertCrmfObject, "generateCRMFRequest succeeded");
-      var popcertRequest = popcertCrmfObject.request;
-      var popcertBytes = atob(popcertRequest.replace(/\r\n/g, ""));
-      ok(!findIdentifierInString(badIdentifier, popcertBytes),
-         "didn't find bad identifier in popcert request");
-
-      ok(findIdentifierInString(goodIdentifier, popcertBytes),
-         "found good identifier in popcert request");
-    } catch (e) {
-      ok(false, "unexpected exception: " + e);
-    }
-    SimpleTest.finish();
-  }
-
-  function findIdentifierInString(identifier, str) {
-    var matches = 0;
-    for (var i = 0; i < str.length - identifier.length;
-         i += (matches != 0 ? matches : 1)) {
-      matches = 0;
-      for (var j = 0; j < identifier.length; j++) {
-        if (identifier[j] == str.charCodeAt(i + j)) {
-          matches++;
-        } else {
-          break;
-        }
-      }
-      if (matches == identifier.length) {
-        return true;
-      }
-    }
-    return false;
-  }
-</script>
-</body>
-</html>
--- a/security/manager/ssl/tests/moz.build
+++ b/security/manager/ssl/tests/moz.build
@@ -12,10 +12,10 @@ TEST_DIRS += [
 ]
 
 TEST_DIRS += [
   'compiled',
 ]
 
 XPCSHELL_TESTS_MANIFESTS += ['unit/xpcshell.ini']
 
-if not CONFIG['MOZ_DISABLE_CRYPTOLEGACY']:
+if not CONFIG['MOZ_NO_SMART_CARDS']:
     XPCSHELL_TESTS_MANIFESTS += ['unit/xpcshell-smartcards.ini']
--- a/security/manager/ssl/tests/unit/moz.build
+++ b/security/manager/ssl/tests/unit/moz.build
@@ -1,10 +1,10 @@
 # -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
 # vim: set filetype=python:
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 DIRS += ['tlsserver']
 
-if not CONFIG['MOZ_DISABLE_CRYPTOLEGACY']:
+if not CONFIG['MOZ_NO_SMART_CARDS']:
     DIRS += ['pkcs11testmodule']