bug 985201 - rename insanity::pkix to mozilla::pkix r=cviecco r=briansmith
authorDavid Keeler <dkeeler@mozilla.com>
Thu, 20 Mar 2014 14:29:21 -0700
changeset 194209 04ea38d3515f3dd7e739cfed8005fa70634c06fb
parent 194208 817ccd4562d0c518751b6b1e01ef64da1838014e
child 194210 98e17f725ba235fcd1fe65e5c640b47e1b788005
push id486
push userasasaki@mozilla.com
push dateMon, 14 Jul 2014 18:39:42 +0000
treeherdermozilla-release@d33428174ff1 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerscviecco, briansmith
bugs985201
milestone31.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
bug 985201 - rename insanity::pkix to mozilla::pkix r=cviecco r=briansmith
security/apps/AppSignatureVerification.cpp
security/apps/AppTrustDomain.cpp
security/apps/AppTrustDomain.h
security/apps/moz.build
security/certverifier/CertVerifier.cpp
security/certverifier/CertVerifier.h
security/certverifier/ExtendedValidation.cpp
security/certverifier/NSSCertDBTrustDomain.cpp
security/certverifier/NSSCertDBTrustDomain.h
security/certverifier/OCSPCache.cpp
security/certverifier/OCSPCache.h
security/certverifier/moz.build
security/insanity/include/insanity/ScopedPtr.h
security/insanity/include/insanity/bind.h
security/insanity/include/insanity/nullptr.h
security/insanity/include/insanity/pkix.h
security/insanity/include/insanity/pkixtypes.h
security/insanity/lib/pkixbind.cpp
security/insanity/lib/pkixbuild.cpp
security/insanity/lib/pkixcheck.cpp
security/insanity/lib/pkixcheck.h
security/insanity/lib/pkixder.cpp
security/insanity/lib/pkixder.h
security/insanity/lib/pkixkey.cpp
security/insanity/lib/pkixocsp.cpp
security/insanity/lib/pkixutil.h
security/insanity/moz.build
security/insanity/test/lib/moz.build
security/insanity/test/lib/pkixtestutil.cpp
security/insanity/test/lib/pkixtestutil.h
security/manager/ssl/src/SSLServerCertVerification.cpp
security/manager/ssl/src/TransportSecurityInfo.cpp
security/manager/ssl/src/moz.build
security/manager/ssl/src/nsCMS.cpp
security/manager/ssl/src/nsCertOverrideService.cpp
security/manager/ssl/src/nsCertPicker.cpp
security/manager/ssl/src/nsCertTree.cpp
security/manager/ssl/src/nsCrypto.cpp
security/manager/ssl/src/nsNSSCallbacks.cpp
security/manager/ssl/src/nsNSSCertCache.cpp
security/manager/ssl/src/nsNSSCertificate.cpp
security/manager/ssl/src/nsNSSCertificate.h
security/manager/ssl/src/nsNSSCertificateDB.cpp
security/manager/ssl/src/nsNSSComponent.cpp
security/manager/ssl/src/nsNSSIOLayer.cpp
security/manager/ssl/src/nsPKCS12Blob.cpp
security/manager/ssl/src/nsRecentBadCerts.cpp
security/manager/ssl/tests/gtest/moz.build
security/manager/ssl/tests/unit/test_cert_overrides.js
security/manager/ssl/tests/unit/test_cert_signatures.js
security/manager/ssl/tests/unit/test_cert_trust.js
security/manager/ssl/tests/unit/test_certificate_usages.js
security/manager/ssl/tests/unit/test_ev_certs.js
security/manager/ssl/tests/unit/test_getchain.js
security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
security/manager/ssl/tests/unit/test_name_constraints.js
security/manager/ssl/tests/unit/test_ocsp_caching.js
security/manager/ssl/tests/unit/test_ocsp_required.js
security/manager/ssl/tests/unit/test_ocsp_stapling.js
security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
security/manager/ssl/tests/unit/tlsserver/cmd/Makefile.in
security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
security/manager/ssl/tests/unit/tlsserver/lib/moz.build
security/pkix/include/pkix/ScopedPtr.h
security/pkix/include/pkix/bind.h
security/pkix/include/pkix/nullptr.h
security/pkix/include/pkix/pkix.h
security/pkix/include/pkix/pkixtypes.h
security/pkix/lib/pkixbind.cpp
security/pkix/lib/pkixbuild.cpp
security/pkix/lib/pkixcheck.cpp
security/pkix/lib/pkixcheck.h
security/pkix/lib/pkixder.cpp
security/pkix/lib/pkixder.h
security/pkix/lib/pkixkey.cpp
security/pkix/lib/pkixocsp.cpp
security/pkix/lib/pkixutil.h
security/pkix/moz.build
security/pkix/test/lib/moz.build
security/pkix/test/lib/pkixtestutil.cpp
security/pkix/test/lib/pkixtestutil.h
toolkit/components/telemetry/Histograms.json
--- a/security/apps/AppSignatureVerification.cpp
+++ b/security/apps/AppSignatureVerification.cpp
@@ -5,17 +5,17 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifdef MOZ_LOGGING
 #define FORCE_PR_LOG 1
 #endif
 
 #include "nsNSSCertificateDB.h"
 
-#include "insanity/pkix.h"
+#include "pkix/pkix.h"
 #include "mozilla/RefPtr.h"
 #include "CryptoTask.h"
 #include "AppTrustDomain.h"
 #include "nsComponentManagerUtils.h"
 #include "nsCOMPtr.h"
 #include "nsHashKeys.h"
 #include "nsIFile.h"
 #include "nsIInputStream.h"
@@ -28,17 +28,17 @@
 #include "ScopedNSSTypes.h"
 
 #include "base64.h"
 #include "certdb.h"
 #include "secmime.h"
 #include "plstr.h"
 #include "prlog.h"
 
-using namespace insanity::pkix;
+using namespace mozilla::pkix;
 using namespace mozilla;
 using namespace mozilla::psm;
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gPIPNSSLog;
 #endif
 
 namespace {
@@ -520,19 +520,19 @@ ParseMF(const char* filebuf, nsIZipReade
   }
 
   return NS_OK;
 }
 
 nsresult
 VerifySignature(AppTrustedRoot trustedRoot,
                 const SECItem& buffer, const SECItem& detachedDigest,
-        /*out*/ insanity::pkix::ScopedCERTCertList& builtChain)
+        /*out*/ mozilla::pkix::ScopedCERTCertList& builtChain)
 {
-  insanity::pkix::ScopedPtr<NSSCMSMessage, NSS_CMSMessage_Destroy>
+  mozilla::pkix::ScopedPtr<NSSCMSMessage, NSS_CMSMessage_Destroy>
     cmsMsg(NSS_CMSMessage_CreateFromDER(const_cast<SECItem*>(&buffer), nullptr,
                                         nullptr, nullptr, nullptr, nullptr,
                                         nullptr));
   if (!cmsMsg) {
     return NS_ERROR_CMS_VERIFY_ERROR_PROCESSING;
   }
 
   if (!NSS_CMSMessage_IsSigned(cmsMsg.get())) {
@@ -555,23 +555,23 @@ VerifySignature(AppTrustedRoot trustedRo
   // Set digest value.
   if (NSS_CMSSignedData_SetDigestValue(signedData, SEC_OID_SHA1,
                                        const_cast<SECItem*>(&detachedDigest))) {
     return NS_ERROR_CMS_VERIFY_BAD_DIGEST;
   }
 
   // Parse the certificates into CERTCertificate objects held in memory, so that
   // AppTrustDomain will be able to find them during path building.
-  insanity::pkix::ScopedCERTCertList certs(CERT_NewCertList());
+  mozilla::pkix::ScopedCERTCertList certs(CERT_NewCertList());
   if (!certs) {
     return NS_ERROR_OUT_OF_MEMORY;
   }
   if (signedData->rawCerts) {
     for (size_t i = 0; signedData->rawCerts[i]; ++i) {
-      insanity::pkix::ScopedCERTCertificate
+      mozilla::pkix::ScopedCERTCertificate
         cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
                                      signedData->rawCerts[i], nullptr, false,
                                      true));
       // Skip certificates that fail to parse
       if (cert) {
         if (CERT_AddCertToListTail(certs.get(), cert.get()) == SECSuccess) {
           cert.release(); // ownership transfered
         } else {
@@ -661,17 +661,17 @@ OpenSignedAppFile(AppTrustedRoot aTruste
   Digest sfCalculatedDigest;
   rv = FindAndLoadOneEntry(zip, NS_LITERAL_CSTRING(JAR_SF_SEARCH_STRING),
                            sfFilename, sfBuffer, &sfCalculatedDigest);
   if (NS_FAILED(rv)) {
     return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
   }
 
   sigBuffer.type = siBuffer;
-  insanity::pkix::ScopedCERTCertList builtChain;
+  mozilla::pkix::ScopedCERTCertList builtChain;
   rv = VerifySignature(aTrustedRoot, sigBuffer, sfCalculatedDigest.get(),
                        builtChain);
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   ScopedAutoSECItem mfDigest;
   rv = ParseSF(char_ptr_cast(sfBuffer.data), mfDigest);
--- a/security/apps/AppTrustDomain.cpp
+++ b/security/apps/AppTrustDomain.cpp
@@ -5,30 +5,30 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifdef MOZ_LOGGING
 #define FORCE_PR_LOG 1
 #endif
 
 #include "AppTrustDomain.h"
 #include "certdb.h"
-#include "insanity/pkix.h"
+#include "pkix/pkix.h"
 #include "mozilla/ArrayUtils.h"
 #include "nsIX509CertDB.h"
 #include "prerror.h"
 #include "secerr.h"
 
 // Generated in Makefile.in
 #include "marketplace-prod-public.inc"
 #include "marketplace-prod-reviewers.inc"
 #include "marketplace-dev-public.inc"
 #include "marketplace-dev-reviewers.inc"
 #include "xpcshell.inc"
 
-using namespace insanity::pkix;
+using namespace mozilla::pkix;
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gPIPNSSLog;
 #endif
 
 namespace mozilla { namespace psm {
 
 AppTrustDomain::AppTrustDomain(void* pinArg)
@@ -83,17 +83,17 @@ AppTrustDomain::SetTrustedRoot(AppTruste
   }
 
   return SECSuccess;
 }
 
 SECStatus
 AppTrustDomain::FindPotentialIssuers(const SECItem* encodedIssuerName,
                                      PRTime time,
-                             /*out*/ insanity::pkix::ScopedCERTCertList& results)
+                             /*out*/ mozilla::pkix::ScopedCERTCertList& results)
 {
   MOZ_ASSERT(mTrustedRoot);
   if (!mTrustedRoot) {
     PR_SetError(PR_INVALID_STATE_ERROR, 0);
     return SECFailure;
   }
 
   results = CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(),
@@ -163,17 +163,17 @@ AppTrustDomain::GetCertTrust(EndEntityOr
   *trustLevel = InheritsTrust;
   return SECSuccess;
 }
 
 SECStatus
 AppTrustDomain::VerifySignedData(const CERTSignedData* signedData,
                                   const CERTCertificate* cert)
 {
-  return ::insanity::pkix::VerifySignedData(signedData, cert, mPinArg);
+  return ::mozilla::pkix::VerifySignedData(signedData, cert, mPinArg);
 }
 
 SECStatus
 AppTrustDomain::CheckRevocation(EndEntityOrCA,
                                 const CERTCertificate*,
                                 /*const*/ CERTCertificate*,
                                 PRTime time,
                                 /*optional*/ const SECItem*)
--- a/security/apps/AppTrustDomain.h
+++ b/security/apps/AppTrustDomain.h
@@ -2,44 +2,44 @@
 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef mozilla_psm_AppsTrustDomain_h
 #define mozilla_psm_AppsTrustDomain_h
 
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "nsDebug.h"
 #include "nsIX509CertDB.h"
 
 namespace mozilla { namespace psm {
 
-class AppTrustDomain MOZ_FINAL : public insanity::pkix::TrustDomain
+class AppTrustDomain MOZ_FINAL : public mozilla::pkix::TrustDomain
 {
 public:
   AppTrustDomain(void* pinArg);
 
   SECStatus SetTrustedRoot(AppTrustedRoot trustedRoot);
 
-  SECStatus GetCertTrust(insanity::pkix::EndEntityOrCA endEntityOrCA,
+  SECStatus GetCertTrust(mozilla::pkix::EndEntityOrCA endEntityOrCA,
                          SECOidTag policy,
                          const CERTCertificate* candidateCert,
                  /*out*/ TrustLevel* trustLevel) MOZ_OVERRIDE;
   SECStatus FindPotentialIssuers(const SECItem* encodedIssuerName,
                                  PRTime time,
-                         /*out*/ insanity::pkix::ScopedCERTCertList& results)
+                         /*out*/ mozilla::pkix::ScopedCERTCertList& results)
                                  MOZ_OVERRIDE;
   SECStatus VerifySignedData(const CERTSignedData* signedData,
                              const CERTCertificate* cert) MOZ_OVERRIDE;
-  SECStatus CheckRevocation(insanity::pkix::EndEntityOrCA endEntityOrCA,
+  SECStatus CheckRevocation(mozilla::pkix::EndEntityOrCA endEntityOrCA,
                             const CERTCertificate* cert,
                             /*const*/ CERTCertificate* issuerCertToDup,
                             PRTime time,
                             /*optional*/ const SECItem* stapledOCSPresponse);
 private:
   void* mPinArg; // non-owning!
-  insanity::pkix::ScopedCERTCertificate mTrustedRoot;
+  mozilla::pkix::ScopedCERTCertificate mTrustedRoot;
 };
 
 } } // namespace mozilla::psm
 
 #endif // mozilla_psm_AppsTrustDomain_h
--- a/security/apps/moz.build
+++ b/security/apps/moz.build
@@ -11,15 +11,15 @@ SOURCES += [
 ]
 
 FAIL_ON_WARNINGS = True
 
 FINAL_LIBRARY = 'xul'
 
 LOCAL_INCLUDES += [
     '../certverifier',
-    '../insanity/include',
     '../manager/ssl/src',
+    '../pkix/include',
 ]
 
 DEFINES['NSS_ENABLE_ECC'] = 'True'
 for var in ('DLL_PREFIX', 'DLL_SUFFIX'):
     DEFINES[var] = '"%s"' % CONFIG[var]
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -3,28 +3,28 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "CertVerifier.h"
 
 #include <stdint.h>
 
-#include "insanity/pkix.h"
+#include "pkix/pkix.h"
 #include "ExtendedValidation.h"
 #include "NSSCertDBTrustDomain.h"
 #include "cert.h"
 #include "ocsp.h"
 #include "secerr.h"
 #include "prerror.h"
 #include "sslerr.h"
 
-// ScopedXXX in this file are insanity::pkix::ScopedXXX, not
+// ScopedXXX in this file are mozilla::pkix::ScopedXXX, not
 // mozilla::ScopedXXX.
-using namespace insanity::pkix;
+using namespace mozilla::pkix;
 using namespace mozilla::psm;
 
 #ifdef PR_LOGGING
 PRLogModuleInfo* gCertVerifierLog = nullptr;
 #endif
 
 namespace mozilla { namespace psm {
 
@@ -60,17 +60,17 @@ InitCertVerifierLog()
 #ifdef PR_LOGGING
   if (!gCertVerifierLog) {
     gCertVerifierLog = PR_NewLogModule("certverifier");
   }
 #endif
 }
 
 #if 0
-// Once we migrate to insanity::pkix or change the overridable error
+// Once we migrate to mozilla::pkix or change the overridable error
 // logic this will become unnecesary.
 static SECStatus
 insertErrorIntoVerifyLog(CERTCertificate* cert, const PRErrorCode err,
                          CERTVerifyLog* verifyLog){
   CERTVerifyLogNode* node;
   node = (CERTVerifyLogNode *)PORT_ArenaAlloc(verifyLog->arena,
                                               sizeof(CERTVerifyLogNode));
   if (!node) {
@@ -218,27 +218,27 @@ BuildCertChainForOneKeyUsage(TrustDomain
         PR_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE, 0);
       }
     }
   }
   return rv;
 }
 
 SECStatus
-CertVerifier::InsanityVerifyCert(
+CertVerifier::MozillaPKIXVerifyCert(
                    CERTCertificate* cert,
                    const SECCertificateUsage usage,
                    const PRTime time,
                    void* pinArg,
                    const Flags flags,
       /*optional*/ const SECItem* stapledOCSPResponse,
-  /*optional out*/ insanity::pkix::ScopedCERTCertList* validationChain,
+  /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain,
   /*optional out*/ SECOidTag* evOidPolicy)
 {
-  PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("Top of InsanityVerifyCert\n"));
+  PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("Top of MozillaPKIXVerifyCert\n"));
 
   PR_ASSERT(cert);
   PR_ASSERT(usage == certificateUsageSSLServer || !(flags & FLAG_MUST_BE_EV));
 
   if (validationChain) {
     *validationChain = nullptr;
   }
   if (evOidPolicy) {
@@ -262,17 +262,17 @@ CertVerifier::InsanityVerifyCert(
   // TODO(bug 970750): anyExtendedKeyUsage
   // TODO: encipherOnly/decipherOnly
   // S/MIME Key Usage: http://tools.ietf.org/html/rfc3850#section-4.4.2
   // S/MIME EKU:       http://tools.ietf.org/html/rfc3850#section-4.4.4
 
   // TODO(bug 915931): Pass in stapled OCSP response in all calls to
   //                   BuildCertChain.
 
-  insanity::pkix::ScopedCERTCertList builtChain;
+  mozilla::pkix::ScopedCERTCertList builtChain;
   switch (usage) {
     case certificateUsageSSLClient: {
       // XXX: We don't really have a trust bit for SSL client authentication so
       // just use trustEmail as it is the closest alternative.
       NSSCertDBTrustDomain trustDomain(trustEmail, ocspFetching, mOCSPCache,
                                        pinArg);
       rv = BuildCertChain(trustDomain, cert, time, MustBeEndEntity,
                           KU_DIGITAL_SIGNATURE,
@@ -384,18 +384,18 @@ CertVerifier::InsanityVerifyCert(
     }
 
     case certificateUsageVerifyCA:
     case certificateUsageStatusResponder: {
       // XXX This is a pretty useless way to verify a certificate. It is used
       // by the implementation of window.crypto.importCertificates and in the
       // certificate viewer UI. Because we don't know what trust bit is
       // interesting, we just try them all.
-      insanity::pkix::EndEntityOrCA endEntityOrCA;
-      insanity::pkix::KeyUsages keyUsage;
+      mozilla::pkix::EndEntityOrCA endEntityOrCA;
+      mozilla::pkix::KeyUsages keyUsage;
       SECOidTag eku;
       if (usage == certificateUsageVerifyCA) {
         endEntityOrCA = MustBeCA;
         keyUsage = KU_KEY_CERT_SIGN;
         eku = SEC_OID_UNKNOWN;
       } else {
         endEntityOrCA = MustBeEndEntity;
         keyUsage = KU_DIGITAL_SIGNATURE;
@@ -444,20 +444,20 @@ CertVerifier::VerifyCert(CERTCertificate
                          const SECCertificateUsage usage,
                          const PRTime time,
                          void* pinArg,
                          const Flags flags,
                          /*optional out*/ ScopedCERTCertList* validationChain,
                          /*optional out*/ SECOidTag* evOidPolicy,
                          /*optional out*/ CERTVerifyLog* verifyLog)
 {
-  if (mImplementation == insanity) {
-    return InsanityVerifyCert(cert, usage, time, pinArg, flags,
-                              stapledOCSPResponse, validationChain,
-                              evOidPolicy);
+  if (mImplementation == mozillapkix) {
+    return MozillaPKIXVerifyCert(cert, usage, time, pinArg, flags,
+                                 stapledOCSPResponse, validationChain,
+                                 evOidPolicy);
   }
 
   if (!cert)
   {
     PR_NOT_REACHED("Invalid arguments to CertVerifier::VerifyCert");
     PORT_SetError(SEC_ERROR_INVALID_ARGS);
     return SECFailure;
   }
@@ -794,17 +794,17 @@ pkix_done:
 
 SECStatus
 CertVerifier::VerifySSLServerCert(CERTCertificate* peerCert,
                      /*optional*/ const SECItem* stapledOCSPResponse,
                                   PRTime time,
                      /*optional*/ void* pinarg,
                                   const char* hostname,
                                   bool saveIntermediatesInPermanentDatabase,
-                 /*optional out*/ insanity::pkix::ScopedCERTCertList* certChainOut,
+                 /*optional out*/ mozilla::pkix::ScopedCERTCertList* certChainOut,
                  /*optional out*/ SECOidTag* evOidPolicy)
 {
   PR_ASSERT(peerCert);
   // XXX: PR_ASSERT(pinarg)
   PR_ASSERT(hostname);
   PR_ASSERT(hostname[0]);
 
   if (certChainOut) {
--- a/security/certverifier/CertVerifier.h
+++ b/security/certverifier/CertVerifier.h
@@ -2,17 +2,17 @@
 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef mozilla_psm__CertVerifier_h
 #define mozilla_psm__CertVerifier_h
 
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "OCSPCache.h"
 
 namespace mozilla { namespace psm {
 
 class CertVerifier
 {
 public:
   typedef unsigned int Flags;
@@ -24,37 +24,37 @@ public:
   // *evOidPolicy == SEC_OID_UNKNOWN means the cert is NOT EV
   // Only one usage per verification is supported.
   SECStatus VerifyCert(CERTCertificate* cert,
           /*optional*/ const SECItem* stapledOCSPResponse,
                        const SECCertificateUsage usage,
                        const PRTime time,
                        void* pinArg,
                        const Flags flags = 0,
-      /*optional out*/ insanity::pkix::ScopedCERTCertList* validationChain = nullptr,
+      /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain = nullptr,
       /*optional out*/ SECOidTag* evOidPolicy = nullptr ,
       /*optional out*/ CERTVerifyLog* verifyLog = nullptr);
 
   SECStatus VerifySSLServerCert(
                     CERTCertificate* peerCert,
        /*optional*/ const SECItem* stapledOCSPResponse,
                     PRTime time,
        /*optional*/ void* pinarg,
                     const char* hostname,
                     bool saveIntermediatesInPermanentDatabase = false,
-   /*optional out*/ insanity::pkix::ScopedCERTCertList* certChainOut = nullptr,
+   /*optional out*/ mozilla::pkix::ScopedCERTCertList* certChainOut = nullptr,
    /*optional out*/ SECOidTag* evOidPolicy = nullptr);
 
 
   enum implementation_config {
     classic = 0,
 #ifndef NSS_NO_LIBPKIX
     libpkix = 1,
 #endif
-    insanity = 2
+    mozillapkix = 2
   };
 
   enum missing_cert_download_config { missing_cert_download_off = 0, missing_cert_download_on };
   enum crl_download_config { crl_local_only = 0, crl_download_allowed };
   enum ocsp_download_config { ocsp_off = 0, ocsp_on };
   enum ocsp_strict_config { ocsp_relaxed = 0, ocsp_strict };
   enum ocsp_get_config { ocsp_get_disabled = 0, ocsp_get_enabled = 1 };
 
@@ -75,23 +75,23 @@ public:
   const bool mMissingCertDownloadEnabled;
   const bool mCRLDownloadEnabled;
 #endif
   const bool mOCSPDownloadEnabled;
   const bool mOCSPStrict;
   const bool mOCSPGETEnabled;
 
 private:
-  SECStatus InsanityVerifyCert(CERTCertificate* cert,
+  SECStatus MozillaPKIXVerifyCert(CERTCertificate* cert,
       const SECCertificateUsage usage,
       const PRTime time,
       void* pinArg,
       const Flags flags,
       /*optional*/ const SECItem* stapledOCSPResponse,
-      /*optional out*/ insanity::pkix::ScopedCERTCertList* validationChain,
+      /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain,
       /*optional out*/ SECOidTag* evOidPolicy);
 
   OCSPCache mOCSPCache;
 };
 
 void InitCertVerifierLog();
 } } // namespace mozilla::psm
 
--- a/security/certverifier/ExtendedValidation.cpp
+++ b/security/certverifier/ExtendedValidation.cpp
@@ -4,17 +4,17 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "ExtendedValidation.h"
 
 #include "cert.h"
 #include "certdb.h"
 #include "base64.h"
-#include "insanity/nullptr.h"
+#include "pkix/nullptr.h"
 #include "pk11pub.h"
 #include "secerr.h"
 #include "prerror.h"
 #include "prinit.h"
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gPIPNSSLog;
 #endif
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -5,28 +5,28 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "NSSCertDBTrustDomain.h"
 
 #include <stdint.h>
 
 #include "ExtendedValidation.h"
 #include "certdb.h"
-#include "insanity/pkix.h"
+#include "pkix/pkix.h"
 #include "mozilla/Telemetry.h"
 #include "nss.h"
 #include "ocsp.h"
 #include "pk11pub.h"
 #include "prerror.h"
 #include "prmem.h"
 #include "prprf.h"
 #include "secerr.h"
 #include "secmod.h"
 
-using namespace insanity::pkix;
+using namespace mozilla::pkix;
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gCertVerifierLog;
 #endif
 
 namespace mozilla { namespace psm {
 
 const char BUILTIN_ROOTS_MODULE_DEFAULT_NAME[] = "Builtin Roots Module";
@@ -48,17 +48,17 @@ NSSCertDBTrustDomain::NSSCertDBTrustDoma
   , mOCSPCache(ocspCache)
   , mPinArg(pinArg)
 {
 }
 
 SECStatus
 NSSCertDBTrustDomain::FindPotentialIssuers(
   const SECItem* encodedIssuerName, PRTime time,
-  /*out*/ insanity::pkix::ScopedCERTCertList& results)
+  /*out*/ mozilla::pkix::ScopedCERTCertList& results)
 {
   // TODO: normalize encodedIssuerName
   // TODO: NSS seems to be ambiguous between "no potential issuers found" and
   // "there was an error trying to retrieve the potential issuers."
   results = CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(),
                                        encodedIssuerName, time, true);
   return SECSuccess;
 }
@@ -126,32 +126,32 @@ NSSCertDBTrustDomain::GetCertTrust(EndEn
   *trustLevel = InheritsTrust;
   return SECSuccess;
 }
 
 SECStatus
 NSSCertDBTrustDomain::VerifySignedData(const CERTSignedData* signedData,
                                        const CERTCertificate* cert)
 {
-  return ::insanity::pkix::VerifySignedData(signedData, cert, mPinArg);
+  return ::mozilla::pkix::VerifySignedData(signedData, cert, mPinArg);
 }
 
 SECStatus
 NSSCertDBTrustDomain::CheckRevocation(
-  insanity::pkix::EndEntityOrCA endEntityOrCA,
+  mozilla::pkix::EndEntityOrCA endEntityOrCA,
   const CERTCertificate* cert,
   /*const*/ CERTCertificate* issuerCert,
   PRTime time,
   /*optional*/ const SECItem* stapledOCSPResponse)
 {
   // Actively distrusted certificates will have already been blocked by
   // GetCertTrust.
 
   // TODO: need to verify that IsRevoked isn't called for trust anchors AND
-  // that that fact is documented in insanity.
+  // that that fact is documented in mozillapkix.
 
   PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
          ("NSSCertDBTrustDomain: Top of CheckRevocation\n"));
 
   PORT_Assert(cert);
   PORT_Assert(issuerCert);
   if (!cert || !issuerCert) {
     PORT_SetError(SEC_ERROR_INVALID_ARGS);
--- a/security/certverifier/NSSCertDBTrustDomain.h
+++ b/security/certverifier/NSSCertDBTrustDomain.h
@@ -2,17 +2,17 @@
 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef mozilla_psm__NSSCertDBTrustDomain_h
 #define mozilla_psm__NSSCertDBTrustDomain_h
 
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "secmodt.h"
 #include "CertVerifier.h"
 
 namespace mozilla { namespace psm {
 
 SECStatus InitializeNSS(const char* dir, bool readOnly);
 
 void DisableMD5();
@@ -38,46 +38,46 @@ void UnloadLoadableRoots(const char* mod
 void
 SetClassicOCSPBehavior(CertVerifier::ocsp_download_config enabled,
                        CertVerifier::ocsp_strict_config strict,
                        CertVerifier::ocsp_get_config get);
 
 // Caller must free the result with PR_Free
 char* DefaultServerNicknameForCert(CERTCertificate* cert);
 
-void SaveIntermediateCerts(const insanity::pkix::ScopedCERTCertList& certList);
+void SaveIntermediateCerts(const mozilla::pkix::ScopedCERTCertList& certList);
 
-class NSSCertDBTrustDomain : public insanity::pkix::TrustDomain
+class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain
 {
 
 public:
   enum OCSPFetching {
     NeverFetchOCSP = 0,
     FetchOCSPForDVSoftFail = 1,
     FetchOCSPForDVHardFail = 2,
     FetchOCSPForEV = 3,
     LocalOnlyOCSPForEV = 4,
   };
   NSSCertDBTrustDomain(SECTrustType certDBTrustType, OCSPFetching ocspFetching,
                        OCSPCache& ocspCache, void* pinArg);
 
   virtual SECStatus FindPotentialIssuers(
                         const SECItem* encodedIssuerName,
                         PRTime time,
-                /*out*/ insanity::pkix::ScopedCERTCertList& results);
+                /*out*/ mozilla::pkix::ScopedCERTCertList& results);
 
-  virtual SECStatus GetCertTrust(insanity::pkix::EndEntityOrCA endEntityOrCA,
+  virtual SECStatus GetCertTrust(mozilla::pkix::EndEntityOrCA endEntityOrCA,
                                  SECOidTag policy,
                                  const CERTCertificate* candidateCert,
                          /*out*/ TrustLevel* trustLevel);
 
   virtual SECStatus VerifySignedData(const CERTSignedData* signedData,
                                      const CERTCertificate* cert);
 
-  virtual SECStatus CheckRevocation(insanity::pkix::EndEntityOrCA endEntityOrCA,
+  virtual SECStatus CheckRevocation(mozilla::pkix::EndEntityOrCA endEntityOrCA,
                                     const CERTCertificate* cert,
                           /*const*/ CERTCertificate* issuerCert,
                                     PRTime time,
                        /*optional*/ const SECItem* stapledOCSPResponse);
 
 private:
   SECStatus VerifyAndMaybeCacheEncodedOCSPResponse(
     const CERTCertificate* cert, CERTCertificate* issuerCert, PRTime time,
--- a/security/certverifier/OCSPCache.cpp
+++ b/security/certverifier/OCSPCache.cpp
@@ -23,24 +23,24 @@
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gCertVerifierLog;
 #endif
 
 namespace mozilla { namespace psm {
 
 void
-Insanity_PK11_DestroyContext_true(PK11Context* context)
+MozillaPKIX_PK11_DestroyContext_true(PK11Context* context)
 {
   PK11_DestroyContext(context, true);
 }
 
-typedef insanity::pkix::ScopedPtr<PK11Context,
-                                  Insanity_PK11_DestroyContext_true>
-                                  ScopedPK11Context;
+typedef mozilla::pkix::ScopedPtr<PK11Context,
+                                 MozillaPKIX_PK11_DestroyContext_true>
+                                 ScopedPK11Context;
 
 // Let derIssuer be the DER encoding of the issuer of aCert.
 // Let derPublicKey be the DER encoding of the public key of aIssuerCert.
 // Let serialNumber be the bytes of the serial number of aCert.
 // The value calculated is SHA384(derIssuer || derPublicKey || serialNumber).
 // Because the DER encodings include the length of the data encoded,
 // there do not exist A(derIssuerA, derPublicKeyA, serialNumberA) and
 // B(derIssuerB, derPublicKeyB, serialNumberB) such that the concatenation of
@@ -133,19 +133,19 @@ OCSPCache::FindInternal(const CERTCertif
 }
 
 void
 OCSPCache::LogWithCerts(const char* aMessage, const CERTCertificate* aCert,
                         const CERTCertificate* aIssuerCert)
 {
 #ifdef PR_LOGGING
   if (PR_LOG_TEST(gCertVerifierLog, PR_LOG_DEBUG)) {
-    insanity::pkix::ScopedPtr<char, mozilla::psm::PORT_Free_string>
+    mozilla::pkix::ScopedPtr<char, mozilla::psm::PORT_Free_string>
       cn(CERT_GetCommonName(&aCert->subject));
-    insanity::pkix::ScopedPtr<char, mozilla::psm::PORT_Free_string>
+    mozilla::pkix::ScopedPtr<char, mozilla::psm::PORT_Free_string>
       cnIssuer(CERT_GetCommonName(&aIssuerCert->subject));
     PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, (aMessage, cn.get(), cnIssuer.get()));
   }
 #endif
 }
 
 void
 OCSPCache::MakeMostRecentlyUsed(size_t aIndex,
--- a/security/certverifier/OCSPCache.h
+++ b/security/certverifier/OCSPCache.h
@@ -15,17 +15,17 @@
  * limitations under the License.
  */
 
 #ifndef mozilla_psm_OCSPCache_h
 #define mozilla_psm_OCSPCache_h
 
 #include "certt.h"
 #include "hasht.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "mozilla/Mutex.h"
 #include "mozilla/Vector.h"
 #include "prerror.h"
 
 namespace mozilla { namespace psm {
 
 // make SHA384Buffer be of type "array of uint8_t of length SHA384_LENGTH"
 typedef uint8_t SHA384Buffer[SHA384_LENGTH];
--- a/security/certverifier/moz.build
+++ b/security/certverifier/moz.build
@@ -11,20 +11,20 @@ UNIFIED_SOURCES += [
 ]
 
 if not CONFIG['NSS_NO_EV_CERTS']:
     UNIFIED_SOURCES += [
         'ExtendedValidation.cpp',
     ]
 
 LOCAL_INCLUDES += [
-    '../insanity/include',
+    '../pkix/include',
 ]
 
 DIRS += [
-    '../insanity',
+    '../pkix',
 ]
 
 FAIL_ON_WARNINGS = True
 
 LIBRARY_NAME = 'certverifier'
 
 FINAL_LIBRARY = 'xul'
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
@@ -91,17 +91,17 @@
 // an SSL handshake) and the PSM NSS I/O layer are not thread-safe, and because
 // we need the event to interrupt the PR_Poll that may waiting for I/O on the
 // socket for which we are validating the cert.
 
 #include "SSLServerCertVerification.h"
 
 #include <cstring>
 
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "CertVerifier.h"
 #include "CryptoTask.h"
 #include "ExtendedValidation.h"
 #include "NSSCertDBTrustDomain.h"
 #include "nsIBadCertListener2.h"
 #include "nsICertOverrideService.h"
 #include "nsISiteSecurityService.h"
 #include "nsNSSComponent.h"
@@ -309,32 +309,32 @@ MapCertErrorToProbeValue(PRErrorCode err
     case SEC_ERROR_EXPIRED_CERTIFICATE:                return 10;
   }
   NS_WARNING("Unknown certificate error code. Does MapCertErrorToProbeValue "
              "handle everything in PRErrorCodeToOverrideType?");
   return 0;
 }
 
 SECStatus
-InsanityDetermineCertOverrideErrors(CERTCertificate* cert,
-                                    const char* hostName, PRTime now,
-                                    PRErrorCode defaultErrorCodeToReport,
-                                    /*out*/ uint32_t& collectedErrors,
-                                    /*out*/ PRErrorCode& errorCodeTrust,
-                                    /*out*/ PRErrorCode& errorCodeMismatch,
-                                    /*out*/ PRErrorCode& errorCodeExpired)
+MozillaPKIXDetermineCertOverrideErrors(CERTCertificate* cert,
+                                       const char* hostName, PRTime now,
+                                       PRErrorCode defaultErrorCodeToReport,
+                                       /*out*/ uint32_t& collectedErrors,
+                                       /*out*/ PRErrorCode& errorCodeTrust,
+                                       /*out*/ PRErrorCode& errorCodeMismatch,
+                                       /*out*/ PRErrorCode& errorCodeExpired)
 {
   MOZ_ASSERT(cert);
   MOZ_ASSERT(hostName);
   MOZ_ASSERT(collectedErrors == 0);
   MOZ_ASSERT(errorCodeTrust == 0);
   MOZ_ASSERT(errorCodeMismatch == 0);
   MOZ_ASSERT(errorCodeExpired == 0);
 
-  // Assumes the error prioritization described in insanity::pkix's
+  // Assumes the error prioritization described in mozilla::pkix's
   // BuildForward function. Also assumes that CERT_VerifyCertName was only
   // called if CertVerifier::VerifyCert succeeded.
   switch (defaultErrorCodeToReport) {
     case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
     case SEC_ERROR_UNKNOWN_ISSUER:
     {
       collectedErrors = nsICertOverrideService::ERROR_UNTRUSTED;
       errorCodeTrust = defaultErrorCodeToReport;
@@ -702,24 +702,24 @@ CreateCertErrorRunnable(CertVerifier& ce
 #endif
       rv = NSSDetermineCertOverrideErrors(certVerifier, cert, stapledOCSPResponse,
                                           infoObject, now,
                                           defaultErrorCodeToReport,
                                           collected_errors, errorCodeTrust,
                                           errorCodeMismatch, errorCodeExpired);
       break;
 
-    case CertVerifier::insanity:
-      rv = InsanityDetermineCertOverrideErrors(cert,
-                                               infoObject->GetHostNameRaw(),
-                                               now, defaultErrorCodeToReport,
-                                               collected_errors,
-                                               errorCodeTrust,
-                                               errorCodeMismatch,
-                                               errorCodeExpired);
+    case CertVerifier::mozillapkix:
+      rv = MozillaPKIXDetermineCertOverrideErrors(cert,
+                                                  infoObject->GetHostNameRaw(),
+                                                  now, defaultErrorCodeToReport,
+                                                  collected_errors,
+                                                  errorCodeTrust,
+                                                  errorCodeMismatch,
+                                                  errorCodeExpired);
       break;
 
     default:
       MOZ_CRASH("unexpected CertVerifier implementation");
       PR_SetError(defaultErrorCodeToReport, 0);
       return nullptr;
 
   }
@@ -804,17 +804,17 @@ private:
                                TransportSecurityInfo* infoObject,
                                CERTCertificate* cert,
                                SECItem* stapledOCSPResponse,
                                uint32_t providerFlags,
                                PRTime time);
   const RefPtr<SharedCertVerifier> mCertVerifier;
   const void* const mFdForLogging;
   const RefPtr<TransportSecurityInfo> mInfoObject;
-  const insanity::pkix::ScopedCERTCertificate mCert;
+  const mozilla::pkix::ScopedCERTCertificate mCert;
   const uint32_t mProviderFlags;
   const PRTime mTime;
   const TimeStamp mJobStartTime;
   const ScopedSECItem mStapledOCSPResponse;
 };
 
 SSLServerCertVerificationJob::SSLServerCertVerificationJob(
     const RefPtr<SharedCertVerifier>& certVerifier, const void* fdForLogging,
@@ -904,17 +904,17 @@ AuthCertificate(CertVerifier& certVerifi
                 CERTCertificate* cert, SECItem* stapledOCSPResponse,
                 uint32_t providerFlags, PRTime time)
 {
   MOZ_ASSERT(infoObject);
   MOZ_ASSERT(cert);
 
   SECStatus rv;
 
-  // TODO: Remove this after we switch to insanity::pkix as the
+  // TODO: Remove this after we switch to mozilla::pkix as the
   // only option
   if (certVerifier.mImplementation == CertVerifier::classic) {
     if (stapledOCSPResponse) {
       CERTCertDBHandle* handle = CERT_GetDefaultCertDB();
       rv = CERT_CacheOCSPResponseFromSideChannel(handle, cert, PR_Now(),
                                                  stapledOCSPResponse,
                                                  infoObject);
       if (rv != SECSuccess) {
@@ -960,17 +960,17 @@ AuthCertificate(CertVerifier& certVerifi
     }
   }
 
   // We want to avoid storing any intermediate cert information when browsing
   // in private, transient contexts.
   bool saveIntermediates =
     !(providerFlags & nsISocketProvider::NO_PERMANENT_STORAGE);
 
-  insanity::pkix::ScopedCERTCertList certList;
+  mozilla::pkix::ScopedCERTCertList certList;
   SECOidTag evOidPolicy;
   rv = certVerifier.VerifySSLServerCert(cert, stapledOCSPResponse,
                                         time, infoObject,
                                         infoObject->GetHostNameRaw(),
                                         saveIntermediates, nullptr,
                                         &evOidPolicy);
 
   // We want to remember the CA certs in the temp db, so that the application can find the
@@ -1085,21 +1085,21 @@ SSLServerCertVerificationJob::Run()
     Telemetry::ID failureTelemetry;
     switch (mCertVerifier->mImplementation) {
       case CertVerifier::classic:
         successTelemetry
           = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_CLASSIC;
         failureTelemetry
           = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_CLASSIC;
         break;
-      case CertVerifier::insanity:
+      case CertVerifier::mozillapkix:
         successTelemetry
-          = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_INSANITY;
+          = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX;
         failureTelemetry
-          = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_INSANITY;
+          = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX;
         break;
 #ifndef NSS_NO_LIBPKIX
       case CertVerifier::libpkix:
         successTelemetry
           = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_LIBPKIX;
         failureTelemetry
           = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_LIBPKIX;
         break;
--- a/security/manager/ssl/src/TransportSecurityInfo.cpp
+++ b/security/manager/ssl/src/TransportSecurityInfo.cpp
@@ -1,17 +1,17 @@
 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "TransportSecurityInfo.h"
 
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "nsNSSComponent.h"
 #include "nsIWebProgressListener.h"
 #include "nsNSSCertificate.h"
 #include "nsIX509CertValidity.h"
 #include "nsIDateTimeFormat.h"
 #include "nsDateTimeFormatCID.h"
 #include "nsICertOverrideService.h"
 #include "nsIObjectInputStream.h"
@@ -750,17 +750,17 @@ AppendErrorTextMismatch(const nsString &
                         nsIX509Cert* ix509,
                         nsINSSComponent *component,
                         bool wantsHtml,
                         nsString &returnedMessage)
 {
   const char16_t *params[1];
   nsresult rv;
 
-  insanity::pkix::ScopedCERTCertificate nssCert;
+  mozilla::pkix::ScopedCERTCertificate nssCert;
 
   nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(ix509, &rv);
   if (cert2)
     nssCert = cert2->GetCert();
 
   if (!nssCert) {
     // We are unable to extract the valid names, say "not valid for name".
     params[0] = host.get();
--- a/security/manager/ssl/src/moz.build
+++ b/security/manager/ssl/src/moz.build
@@ -90,17 +90,17 @@ UNIFIED_SOURCES += [
 ]
 
 FAIL_ON_WARNINGS = True
 
 FINAL_LIBRARY = 'xul'
 
 LOCAL_INCLUDES += [
     '../../../certverifier',
-    '../../../insanity/include',
+    '../../../pkix/include',
 ]
 
 if CONFIG['NSS_DISABLE_DBM']:
     DEFINES['NSS_DISABLE_DBM'] = '1'
 
 DEFINES['SSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES'] = 'True'
 DEFINES['NSS_ENABLE_ECC'] = 'True'
 for var in ('DLL_PREFIX', 'DLL_SUFFIX'):
--- a/security/manager/ssl/src/nsCMS.cpp
+++ b/security/manager/ssl/src/nsCMS.cpp
@@ -1,17 +1,17 @@
 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsCMS.h"
 
 #include "CertVerifier.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "nsISupports.h"
 #include "nsNSSHelper.h"
 #include "nsNSSCertificate.h"
 #include "smime.h"
 #include "cms.h"
 #include "nsICMSMessageErrors.h"
 #include "nsIArray.h"
 #include "nsArrayUtils.h"
@@ -510,17 +510,17 @@ NS_IMETHODIMP nsCMSMessage::CreateEncryp
   for (i=0; i<recipientCertCount; i++) {
     nsCOMPtr<nsIX509Cert> x509cert = do_QueryElementAt(aRecipientCerts, i);
 
     nssRecipientCert = do_QueryInterface(x509cert);
 
     if (!nssRecipientCert)
       return NS_ERROR_FAILURE;
 
-    insanity::pkix::ScopedCERTCertificate c(nssRecipientCert->GetCert());
+    mozilla::pkix::ScopedCERTCertificate c(nssRecipientCert->GetCert());
     recipientCerts.set(i, c.get());
   }
   
   // Find a bulk key algorithm //
   if (NSS_SMIMEUtil_FindBulkAlgForRecipients(recipientCerts.getRawArray(), &bulkAlgTag,
                                             &keySize) != SECSuccess) {
     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateEncrypted - can't find bulk alg for recipients\n"));
     rv = NS_ERROR_CMS_ENCRYPT_NO_BULK_ALG;
@@ -548,17 +548,17 @@ NS_IMETHODIMP nsCMSMessage::CreateEncryp
   cinfo = NSS_CMSEnvelopedData_GetContentInfo(envd);
   if (NSS_CMSContentInfo_SetContent_Data(m_cmsMsg, cinfo, nullptr, false) != SECSuccess) {
     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateEncrypted - can't set content data\n"));
     goto loser;
   }
 
   // Create and attach recipient information //
   for (i=0; i < recipientCertCount; i++) {
-    insanity::pkix::ScopedCERTCertificate rc(recipientCerts.get(i));
+    mozilla::pkix::ScopedCERTCertificate rc(recipientCerts.get(i));
     if ((recipientInfo = NSS_CMSRecipientInfo_Create(m_cmsMsg, rc.get())) == nullptr) {
       PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateEncrypted - can't create recipient info\n"));
       goto loser;
     }
     if (NSS_CMSEnvelopedData_AddRecipient(envd, recipientInfo) != SECSuccess) {
       PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateEncrypted - can't add recipient info\n"));
       goto loser;
     }
@@ -579,18 +579,18 @@ NS_IMETHODIMP nsCMSMessage::CreateSigned
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateSigned\n"));
   NSSCMSContentInfo *cinfo;
   NSSCMSSignedData *sigd;
   NSSCMSSignerInfo *signerinfo;
-  insanity::pkix::ScopedCERTCertificate scert;
-  insanity::pkix::ScopedCERTCertificate ecert;
+  mozilla::pkix::ScopedCERTCertificate scert;
+  mozilla::pkix::ScopedCERTCertificate ecert;
   nsCOMPtr<nsIX509Cert2> aSigningCert2 = do_QueryInterface(aSigningCert);
   nsresult rv = NS_ERROR_FAILURE;
 
   /* Get the certs */
   if (aSigningCert2) {
     scert = aSigningCert2->GetCert();
   }
   if (!scert) {
--- a/security/manager/ssl/src/nsCertOverrideService.cpp
+++ b/security/manager/ssl/src/nsCertOverrideService.cpp
@@ -1,17 +1,17 @@
 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsCertOverrideService.h"
 
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "nsIX509Cert.h"
 #include "NSSCertDBTrustDomain.h"
 #include "nsNSSCertificate.h"
 #include "nsNSSCertHelper.h"
 #include "nsCRT.h"
 #include "nsAppDirectoryServiceDefs.h"
 #include "nsStreamUtils.h"
 #include "nsNetUtil.h"
@@ -389,17 +389,17 @@ static nsresult
 GetCertFingerprintByOidTag(nsIX509Cert *aCert,
                            SECOidTag aOidTag, 
                            nsCString &fp)
 {
   nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(aCert);
   if (!cert2)
     return NS_ERROR_FAILURE;
 
-  insanity::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
+  mozilla::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
   if (!nsscert)
     return NS_ERROR_FAILURE;
 
   return GetCertFingerprintByOidTag(nsscert.get(), aOidTag, fp);
 }
 
 static nsresult
 GetCertFingerprintByDottedOidString(CERTCertificate* nsscert,
@@ -427,17 +427,17 @@ static nsresult
 GetCertFingerprintByDottedOidString(nsIX509Cert *aCert,
                                     const nsCString &dottedOid, 
                                     nsCString &fp)
 {
   nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(aCert);
   if (!cert2)
     return NS_ERROR_FAILURE;
 
-  insanity::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
+  mozilla::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
   if (!nsscert)
     return NS_ERROR_FAILURE;
 
   return GetCertFingerprintByDottedOidString(nsscert.get(), dottedOid, fp);
 }
 
 NS_IMETHODIMP
 nsCertOverrideService::RememberValidityOverride(const nsACString & aHostName, int32_t aPort, 
@@ -450,17 +450,17 @@ nsCertOverrideService::RememberValidityO
     return NS_ERROR_INVALID_ARG;
   if (aPort < -1)
     return NS_ERROR_INVALID_ARG;
 
   nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(aCert);
   if (!cert2)
     return NS_ERROR_FAILURE;
 
-  insanity::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
+  mozilla::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
   if (!nsscert)
     return NS_ERROR_FAILURE;
 
   char* nickname = DefaultServerNicknameForCert(nsscert.get());
   if (!aTemporary && nickname && *nickname)
   {
     ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
     if (!slot) {
--- a/security/manager/ssl/src/nsCertPicker.cpp
+++ b/security/manager/ssl/src/nsCertPicker.cpp
@@ -1,15 +1,15 @@
 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsCertPicker.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "nsMemory.h"
 #include "nsCOMPtr.h"
 #include "nsXPIDLString.h"
 #include "nsIServiceManager.h"
 #include "nsNSSComponent.h"
 #include "nsNSSCertificate.h"
 #include "nsReadableUtils.h"
 #include "nsICertPickDialogs.h"
@@ -45,24 +45,24 @@ NS_IMETHODIMP nsCertPicker::PickByUsage(
   char16_t **certNicknameList = nullptr;
   char16_t **certDetailsList = nullptr;
   CERTCertListNode* node = nullptr;
   nsresult rv = NS_OK;
 
   {
     // Iterate over all certs. This assures that user is logged in to all hardware tokens.
     nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
-    insanity::pkix::ScopedCERTCertList allcerts(
+    mozilla::pkix::ScopedCERTCertList allcerts(
       PK11_ListCerts(PK11CertListUnique, ctx));
   }
 
   /* find all user certs that are valid and for SSL */
   /* note that we are allowing expired certs in this list */
 
-  insanity::pkix::ScopedCERTCertList certList( 
+  mozilla::pkix::ScopedCERTCertList certList(
     CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(), 
                               (SECCertUsage)certUsage,
                               !allowDuplicateNicknames,
                               !allowInvalid,
                               ctx));
   if (!certList) {
     return NS_ERROR_NOT_AVAILABLE;
   }
--- a/security/manager/ssl/src/nsCertTree.cpp
+++ b/security/manager/ssl/src/nsCertTree.cpp
@@ -1,15 +1,15 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsCertTree.h"
 
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "nsNSSComponent.h" // for PIPNSS string bundle calls.
 #include "nsITreeColumns.h"
 #include "nsIX509Cert.h"
 #include "nsIX509CertValidity.h"
 #include "nsIX509CertDB.h"
 #include "nsXPIDLString.h"
 #include "nsReadableUtils.h"
 #include "nsUnicharUtils.h"
@@ -633,17 +633,17 @@ nsCertTree::GetCertsByTypeFromCertList(C
 
 nsresult 
 nsCertTree::GetCertsByType(uint32_t           aType,
                            nsCertCompareFunc  aCertCmpFn,
                            void              *aCertCmpFnArg)
 {
   nsNSSShutDownPreventionLock locker;
   nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext();
-  insanity::pkix::ScopedCERTCertList certList(
+  mozilla::pkix::ScopedCERTCertList certList(
     PK11_ListCerts(PK11CertListUnique, cxt));
   return GetCertsByTypeFromCertList(certList.get(), aType, aCertCmpFn,
                                     aCertCmpFnArg);
 }
 
 nsresult 
 nsCertTree::GetCertsByTypeFromCache(nsINSSCertCache   *aCache,
                                     uint32_t           aType,
@@ -804,17 +804,17 @@ nsCertTree::DeleteEntryObject(uint32_t i
           } 
         }
         else {
           if (addonInfo && addonInfo->mUsageCount > 1) {
             // user is trying to delete a perm trusted cert,
             // although there are still overrides stored,
             // so, we keep the cert, but remove the trust
 
-            insanity::pkix::ScopedCERTCertificate nsscert;
+            mozilla::pkix::ScopedCERTCertificate nsscert;
 
             nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(cert);
             if (cert2) {
               nsscert = cert2->GetCert();
             }
 
             if (nsscert) {
               CERTCertTrust trust;
--- a/security/manager/ssl/src/nsCrypto.cpp
+++ b/security/manager/ssl/src/nsCrypto.cpp
@@ -65,17 +65,17 @@
 #include "pk11pqg.h"
 #include "cmmf.h"
 #include "nssb64.h"
 #include "base64.h"
 #include "cert.h"
 #include "certdb.h"
 #include "secmod.h"
 #include "ScopedNSSTypes.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 
 #include "ssl.h" // For SSL_ClearSessionCache
 
 #include "nsNSSCleaner.h"
 
 #include "nsNSSCertHelper.h"
 #include <algorithm>
 #include "nsWrapperCacheInlines.h"
@@ -1037,17 +1037,17 @@ nsFreeCertReqMessages(CRMFCertReqMsg **c
 static nsresult
 nsSetEscrowAuthority(CRMFCertRequest *certReq, nsKeyPairInfo *keyInfo,
                      nsNSSCertificate *wrappingCert)
 {
   if (!wrappingCert ||
       CRMF_CertRequestIsControlPresent(certReq, crmfPKIArchiveOptionsControl)){
     return NS_ERROR_FAILURE;
   }
-  insanity::pkix::ScopedCERTCertificate cert(wrappingCert->GetCert());
+  mozilla::pkix::ScopedCERTCertificate cert(wrappingCert->GetCert());
   if (!cert)
     return NS_ERROR_FAILURE;
 
   CRMFEncryptedKey *encrKey = 
       CRMF_CreateEncryptedKeyWithEncryptedValue(keyInfo->privKey, cert.get());
   if (!encrKey)
     return NS_ERROR_FAILURE;
 
@@ -1937,17 +1937,17 @@ nsCrypto::GenerateCRMFRequest(JSContext*
   bool willEscrow = false;
   if (!aEaCert.IsVoid()) {
     SECItem certDer = {siBuffer, nullptr, 0};
     SECStatus srv = ATOB_ConvertAsciiToItem(&certDer, aEaCert.get());
     if (srv != SECSuccess) {
       aRv.Throw(NS_ERROR_FAILURE);
       return nullptr;
     }
-    insanity::pkix::ScopedCERTCertificate cert(
+    mozilla::pkix::ScopedCERTCertificate cert(
       CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
                               &certDer, nullptr, false, true));
     if (!cert) {
       aRv.Throw(NS_ERROR_FAILURE);
       return nullptr;
     }
 
     escrowCert = nsNSSCertificate::Create(cert.get());
@@ -2206,17 +2206,17 @@ nsCryptoRunnable::Run()
 //Quick helper function to check if a newly issued cert
 //already exists in the user's database.
 static bool
 nsCertAlreadyExists(SECItem *derCert)
 {
   CERTCertDBHandle *handle = CERT_GetDefaultCertDB();
   bool retVal = false;
 
-  insanity::pkix::ScopedCERTCertificate cert(
+  mozilla::pkix::ScopedCERTCertificate cert(
     CERT_FindCertByDERCert(handle, derCert));
   if (cert) {
     if (cert->isperm && !cert->nickname && !cert->emailAddr) {
       //If the cert doesn't have a nickname or email addr, it is
       //bogus cruft, so delete it.
       SEC_DeletePermCertificate(cert.get());
     } else if (cert->isperm) {
       retVal = true;
@@ -2368,17 +2368,17 @@ nsCrypto::ImportUserCertificates(const n
     CMMF_DestroyCertResponse(currResponse);
   }
   //Let the loser: label take care of freeing up our reference to
   //nickname (This way we don't free it twice and avoid crashing.
   //That would be a good thing.
 
   //Import the root chain into the cert db.
  {
-  insanity::pkix::ScopedCERTCertList
+  mozilla::pkix::ScopedCERTCertList
     caPubs(CMMF_CertRepContentGetCAPubs(certRepContent));
   if (caPubs) {
     int32_t numCAs = nsCertListCount(caPubs.get());
     
     NS_ASSERTION(numCAs > 0, "Invalid number of CA's");
     if (numCAs > 0) {
       CERTCertListNode *node;
       SECItem *derCerts;
--- a/security/manager/ssl/src/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/src/nsNSSCallbacks.cpp
@@ -1,16 +1,16 @@
 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsNSSCallbacks.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "mozilla/Telemetry.h"
 #include "mozilla/TimeStamp.h"
 #include "nsNSSComponent.h"
 #include "nsNSSIOLayer.h"
 #include "nsIWebProgressListener.h"
 #include "nsProtectedAuthThread.h"
 #include "nsITokenDialogs.h"
 #include "nsIUploadChannel.h"
@@ -1184,17 +1184,17 @@ void HandshakeCallback(PRFileDesc* fd, v
 
     nsAutoString msg;
     msg.Append(NS_ConvertASCIItoUTF16(hostName));
     msg.Append(NS_LITERAL_STRING(" : server does not support RFC 5746, see CVE-2009-3555"));
 
     nsContentUtils::LogSimpleConsoleError(msg, "SSL");
   }
 
-  insanity::pkix::ScopedCERTCertificate serverCert(SSL_PeerCertificate(fd));
+  mozilla::pkix::ScopedCERTCertificate serverCert(SSL_PeerCertificate(fd));
 
   /* Set the SSL Status information */
   RefPtr<nsSSLStatus> status(infoObject->SSLStatus());
   if (!status) {
     status = new nsSSLStatus();
     infoObject->SetSSLStatus(status);
   }
 
--- a/security/manager/ssl/src/nsNSSCertCache.cpp
+++ b/security/manager/ssl/src/nsNSSCertCache.cpp
@@ -41,17 +41,17 @@ NS_IMETHODIMP
 nsNSSCertCache::CacheAllCerts()
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext();
   
-  insanity::pkix::ScopedCERTCertList newList(
+  mozilla::pkix::ScopedCERTCertList newList(
     PK11_ListCerts(PK11CertListUnique, cxt));
 
   if (newList) {
     MutexAutoLock lock(mutex);
     mCertList = new nsNSSCertList(newList, locker);
   }
   
   return NS_OK;
--- a/security/manager/ssl/src/nsNSSCertificate.cpp
+++ b/security/manager/ssl/src/nsNSSCertificate.cpp
@@ -5,17 +5,17 @@
 
 #include "nsNSSCertificate.h"
 
 #include "prmem.h"
 #include "prerror.h"
 #include "prprf.h"
 #include "CertVerifier.h"
 #include "ExtendedValidation.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "nsNSSComponent.h" // for PIPNSS string bundle calls.
 #include "nsNSSCleaner.h"
 #include "nsCOMPtr.h"
 #include "nsIMutableArray.h"
 #include "nsNSSCertValidity.h"
 #include "nsPKCS12Blob.h"
 #include "nsPK11TokenDB.h"
 #include "nsIX509Cert.h"
@@ -817,17 +817,17 @@ nsNSSCertificate::GetChain(nsIArray** _r
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   NS_ENSURE_ARG(_rvChain);
   nsresult rv;
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Getting chain for \"%s\"\n", mCert->nickname));
 
-  ::insanity::pkix::ScopedCERTCertList nssChain;
+  ::mozilla::pkix::ScopedCERTCertList nssChain;
   RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
   NS_ENSURE_TRUE(certVerifier, NS_ERROR_UNEXPECTED);
 
   // We want to test all usages, but we start with server because most of the
   // time Firefox users care about server certs.
   certVerifier->VerifyCert(mCert.get(), nullptr,
                            certificateUsageSSLServer, PR_Now(),
                            nullptr, /*XXX fixme*/
@@ -1537,17 +1537,17 @@ nsNSSCertificate::GetValidEVPolicyOid(ns
   }
 #endif
 
   return NS_OK;
 }
 
 NS_IMPL_ISUPPORTS1(nsNSSCertList, nsIX509CertList)
 
-nsNSSCertList::nsNSSCertList(insanity::pkix::ScopedCERTCertList& certList,
+nsNSSCertList::nsNSSCertList(mozilla::pkix::ScopedCERTCertList& certList,
                              const nsNSSShutDownPreventionLock& proofOfLock)
 {
   if (certList) {
     mCertList = certList.release();
   } else {
     mCertList = CERT_NewCertList();
   }
 }
--- a/security/manager/ssl/src/nsNSSCertificate.h
+++ b/security/manager/ssl/src/nsNSSCertificate.h
@@ -14,17 +14,17 @@
 #include "nsIASN1Object.h"
 #include "nsISMimeCert.h"
 #include "nsIIdentityInfo.h"
 #include "nsCOMPtr.h"
 #include "nsNSSShutDown.h"
 #include "nsISimpleEnumerator.h"
 #include "nsISerializable.h"
 #include "nsIClassInfo.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "certt.h"
 
 class nsAutoString;
 class nsINSSComponent;
 class nsIASN1Sequence;
 
 class nsNSSCertificate : public nsIX509Cert3,
                          public nsIIdentityInfo,
@@ -49,17 +49,17 @@ public:
   nsresult FormatUIStrings(const nsAutoString& nickname,
                            nsAutoString& nickWithSerial,
                            nsAutoString& details);
   static nsNSSCertificate* Create(CERTCertificate*cert = nullptr,
                                   SECOidTag* evOidPolicy = nullptr);
   static nsNSSCertificate* ConstructFromDER(char* certDER, int derLen);
 
 private:
-  insanity::pkix::ScopedCERTCertificate mCert;
+  mozilla::pkix::ScopedCERTCertificate mCert;
   bool             mPermDelete;
   uint32_t         mCertType;
   nsresult CreateASN1Struct(nsIASN1Object** aRetVal);
   nsresult CreateTBSCertificateASN1Struct(nsIASN1Sequence** retSequence,
                                           nsINSSComponent* nssComponent);
   nsresult GetSortableDate(PRTime aTime, nsAString& _aSortableDate);
   virtual void virtualDestroyNSSReference();
   void destructorSafeDestroyNSSReference();
@@ -76,30 +76,30 @@ private:
 class nsNSSCertList: public nsIX509CertList,
                      public nsNSSShutDownObject
 {
 public:
   NS_DECL_THREADSAFE_ISUPPORTS
   NS_DECL_NSIX509CERTLIST
 
   // certList is adopted
-  nsNSSCertList(insanity::pkix::ScopedCERTCertList& certList,
+  nsNSSCertList(mozilla::pkix::ScopedCERTCertList& certList,
                 const nsNSSShutDownPreventionLock& proofOfLock);
 
   nsNSSCertList();
 
   static CERTCertList* DupCertList(CERTCertList* aCertList,
                                    const nsNSSShutDownPreventionLock&
                                      proofOfLock);
 private:
    virtual ~nsNSSCertList();
    virtual void virtualDestroyNSSReference();
    void destructorSafeDestroyNSSReference();
 
-   insanity::pkix::ScopedCERTCertList mCertList;
+   mozilla::pkix::ScopedCERTCertList mCertList;
 
    nsNSSCertList(const nsNSSCertList&) MOZ_DELETE;
    void operator=(const nsNSSCertList&) MOZ_DELETE;
 };
 
 class nsNSSCertListEnumerator: public nsISimpleEnumerator,
                                public nsNSSShutDownObject
 {
@@ -109,17 +109,17 @@ public:
 
    nsNSSCertListEnumerator(CERTCertList* certList,
                            const nsNSSShutDownPreventionLock& proofOfLock);
 private:
    virtual ~nsNSSCertListEnumerator();
    virtual void virtualDestroyNSSReference();
    void destructorSafeDestroyNSSReference();
 
-   insanity::pkix::ScopedCERTCertList mCertList;
+   mozilla::pkix::ScopedCERTCertList mCertList;
 
    nsNSSCertListEnumerator(const nsNSSCertListEnumerator&) MOZ_DELETE;
    void operator=(const nsNSSCertListEnumerator&) MOZ_DELETE;
 };
 
 
 #define NS_NSS_LONG 4
 #define NS_NSS_GET_LONG(x) ((((unsigned long)((x)[0])) << 24) | \
--- a/security/manager/ssl/src/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/src/nsNSSCertificateDB.cpp
@@ -8,17 +8,17 @@
 #define CERT_AddTempCertToPerm __CERT_AddTempCertToPerm
 
 #include "nsNSSComponent.h"
 #include "nsNSSCertificateDB.h"
 
 #include "CertVerifier.h"
 #include "ExtendedValidation.h"
 #include "NSSCertDBTrustDomain.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "nsNSSComponent.h"
 #include "mozilla/Base64.h"
 #include "nsCOMPtr.h"
 #include "nsNSSCertificate.h"
 #include "nsNSSHelper.h"
 #include "nsNSSCertHelper.h"
 #include "nsNSSCertCache.h"
 #include "nsCRT.h"
@@ -108,17 +108,17 @@ nsNSSCertificateDB::FindCertByNickname(n
 {
   NS_ENSURE_ARG_POINTER(_rvCert);
   *_rvCert = nullptr;
 
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
-  insanity::pkix::ScopedCERTCertificate cert;
+  mozilla::pkix::ScopedCERTCertificate cert;
   char *asciiname = nullptr;
   NS_ConvertUTF16toUTF8 aUtf8Nickname(nickname);
   asciiname = const_cast<char*>(aUtf8Nickname.get());
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Getting \"%s\"\n", asciiname));
   cert = PK11_FindCertFromNickname(asciiname, nullptr);
   if (!cert) {
     cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), asciiname);
   }
@@ -154,17 +154,17 @@ nsNSSCertificateDB::FindCertByDBKey(cons
 
   dummy = NSSBase64_DecodeBuffer(nullptr, &keyItem, aDBkey,
                                  (uint32_t)strlen(aDBkey)); 
   if (!dummy || keyItem.len < NS_NSS_LONG*4) {
     PR_FREEIF(keyItem.data);
     return NS_ERROR_INVALID_ARG;
   }
 
-  insanity::pkix::ScopedCERTCertificate cert;
+  mozilla::pkix::ScopedCERTCertificate cert;
   // someday maybe we can speed up the search using the moduleID and slotID
   // moduleID = NS_NSS_GET_LONG(keyItem.data);
   // slotID = NS_NSS_GET_LONG(&keyItem.data[NS_NSS_LONG]);
 
   // build the issuer/SN structure
   issuerSN.serialNumber.len = NS_NSS_GET_LONG(&keyItem.data[NS_NSS_LONG*2]);
   issuerSN.derIssuer.len = NS_NSS_GET_LONG(&keyItem.data[NS_NSS_LONG*3]);
   if (issuerSN.serialNumber.len == 0 || issuerSN.derIssuer.len == 0
@@ -198,17 +198,17 @@ nsNSSCertificateDB::FindCertNicknames(ns
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   nsresult rv = NS_ERROR_FAILURE;
   /*
    * obtain the cert list from NSS
    */
-  insanity::pkix::ScopedCERTCertList certList;
+  mozilla::pkix::ScopedCERTCertList certList;
   certList = PK11_ListCerts(PK11CertListUnique, nullptr);
   if (!certList)
     goto cleanup;
   /*
    * get list of cert names from list of certs
    * XXX also cull the list (NSS only distinguishes based on user/non-user
    */
   getCertNames(certList.get(), aType, _count, _certNames, locker);
@@ -353,17 +353,17 @@ nsNSSCertificateDB::handleCACertDownload
  
   SECItem der;
   rv=certToShow->GetRawDER(&der.len, (uint8_t **)&der.data);
 
   if (NS_FAILED(rv))
     return rv;
 
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Creating temp cert\n"));
-  insanity::pkix::ScopedCERTCertificate tmpCert;
+  mozilla::pkix::ScopedCERTCertificate tmpCert;
   CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
   tmpCert = CERT_FindCertByDERCert(certdb, &der);
   if (!tmpCert) {
     tmpCert = CERT_NewTempCertificate(certdb, &der,
                                       nullptr, false, true);
   }
   nsMemory::Free(der.data);
   der.data = nullptr;
@@ -410,17 +410,17 @@ nsNSSCertificateDB::handleCACertDownload
                                            trust.GetTrust());
 
   if (srv != SECSuccess)
     return NS_ERROR_FAILURE;
 
   // Import additional delivered certificates that can be verified.
 
   // build a CertList for filtering
-  insanity::pkix::ScopedCERTCertList certList(CERT_NewCertList());
+  mozilla::pkix::ScopedCERTCertList certList(CERT_NewCertList());
   if (!certList) {
     return NS_ERROR_FAILURE;
   }
 
   // get all remaining certs into temp store
 
   for (uint32_t i=0; i<numCerts; i++) {
     if (i == selCertIndex) {
@@ -506,17 +506,17 @@ nsNSSCertificateDB::ImportCertificates(u
   }  
   PORT_FreeArena(arena, false);
   return nsrv;
 }
 
 static 
 SECStatus 
 ImportCertsIntoPermanentStorage(
-  const insanity::pkix::ScopedCERTCertList& certChain,
+  const mozilla::pkix::ScopedCERTCertList& certChain,
   const SECCertUsage usage, const PRBool caOnly)
 {
   CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
 
   int chainLen = 0;
   for (CERTCertListNode *chainNode = CERT_LIST_HEAD(certChain);
        !CERT_LIST_END(chainNode, certChain);
        chainNode = CERT_LIST_NEXT(chainNode)) {
@@ -556,17 +556,17 @@ nsNSSCertificateDB::ImportEmailCertifica
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   SECStatus srv = SECFailure;
   nsresult nsrv = NS_OK;
   CERTCertDBHandle *certdb;
   CERTCertificate **certArray = nullptr;
-  insanity::pkix::ScopedCERTCertList certList;
+  mozilla::pkix::ScopedCERTCertList certList;
   CERTCertListNode *node;
   SECItem **rawArray;
   int numcerts;
   int i;
 
   PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
   if (!arena)
     return NS_ERROR_OUT_OF_MEMORY;
@@ -627,17 +627,17 @@ nsNSSCertificateDB::ImportEmailCertifica
   for (node = CERT_LIST_HEAD(certList);
        !CERT_LIST_END(node,certList);
        node = CERT_LIST_NEXT(node)) {
 
     if (!node->cert) {
       continue;
     }
 
-    insanity::pkix::ScopedCERTCertList certChain;
+    mozilla::pkix::ScopedCERTCertList certChain;
 
     SECStatus rv = certVerifier->VerifyCert(node->cert, nullptr,
                                             certificateUsageEmailRecipient,
                                             now, ctx, 0, &certChain);
 
     if (rv != SECSuccess) {
       nsCOMPtr<nsIX509Cert> certToShow = nsNSSCertificate::Create(node->cert);
       DisplayCertificateAlert(ctx, "NotImportingUnverifiedCert", certToShow, locker);
@@ -668,17 +668,17 @@ nsNSSCertificateDB::ImportServerCertific
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   SECStatus srv = SECFailure;
   nsresult nsrv = NS_OK;
-  insanity::pkix::ScopedCERTCertificate cert;
+  mozilla::pkix::ScopedCERTCertificate cert;
   SECItem **rawCerts = nullptr;
   int numcerts;
   int i;
   nsNSSCertTrust trust;
   char *serverNickname = nullptr;
  
   PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
   if (!arena)
@@ -795,17 +795,17 @@ nsNSSCertificateDB::ImportValidCACertsIn
   /* go down the remaining list of certs and verify that they have
    * valid chains, if yes, then import.
    */
   CERTCertListNode *node;
 
   for (node = CERT_LIST_HEAD(certList);
        !CERT_LIST_END(node,certList);
        node = CERT_LIST_NEXT(node)) {
-    insanity::pkix::ScopedCERTCertList certChain;
+    mozilla::pkix::ScopedCERTCertList certChain;
     SECStatus rv = certVerifier->VerifyCert(node->cert, nullptr,
                                             certificateUsageVerifyCA,
                                             PR_Now(), ctx, 0, &certChain);
     if (rv != SECSuccess) {
       nsCOMPtr<nsIX509Cert> certToShow = nsNSSCertificate::Create(node->cert);
       DisplayCertificateAlert(ctx, "NotImportingUnverifiedCert", certToShow, proofOfLock);
       continue;
     }
@@ -872,17 +872,17 @@ nsNSSCertificateDB::ImportUserCertificat
 
   ScopedPK11SlotInfo slot;
   nsAutoCString nickname;
   nsresult rv = NS_ERROR_FAILURE;
   int numCACerts;
   SECItem *CACerts;
   CERTDERCerts * collectArgs;
   PLArenaPool *arena;
-  insanity::pkix::ScopedCERTCertificate cert;
+  mozilla::pkix::ScopedCERTCertificate cert;
 
   arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
   if (!arena) {
     goto loser;
   }
 
   collectArgs = getCertsFromPackage(arena, data, length, locker);
   if (!collectArgs) {
@@ -949,17 +949,17 @@ loser:
 NS_IMETHODIMP 
 nsNSSCertificateDB::DeleteCertificate(nsIX509Cert *aCert)
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
   nsCOMPtr<nsIX509Cert2> nssCert = do_QueryInterface(aCert);
-  insanity::pkix::ScopedCERTCertificate cert(nssCert->GetCert());
+  mozilla::pkix::ScopedCERTCertificate cert(nssCert->GetCert());
   if (!cert) return NS_ERROR_FAILURE;
   SECStatus srv = SECSuccess;
 
   uint32_t certType;
   nssCert->GetCertType(&certType);
   if (NS_FAILED(nssCert->MarkForPermDeletion()))
   {
     return NS_ERROR_FAILURE;
@@ -996,17 +996,17 @@ nsNSSCertificateDB::SetCertTrust(nsIX509
     return NS_ERROR_NOT_AVAILABLE;
   }
   nsNSSCertTrust trust;
   nsresult rv;
   nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert, &rv);
   if (!pipCert) {
     return rv;
   }
-  insanity::pkix::ScopedCERTCertificate nsscert(pipCert->GetCert());
+  mozilla::pkix::ScopedCERTCertificate nsscert(pipCert->GetCert());
 
   rv = attemptToLogInWithDefaultPassword();
   if (NS_WARN_IF(rv != NS_OK)) {
     return rv;
   }
 
   SECStatus srv;
   if (type == nsIX509Cert::CA_CERT) {
@@ -1049,17 +1049,17 @@ nsNSSCertificateDB::IsCertTrusted(nsIX50
   *_isTrusted = false;
 
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
   SECStatus srv;
   nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert);
-  insanity::pkix::ScopedCERTCertificate nsscert(pipCert->GetCert());
+  mozilla::pkix::ScopedCERTCertificate nsscert(pipCert->GetCert());
   CERTCertTrust nsstrust;
   srv = CERT_GetCertTrust(nsscert.get(), &nsstrust);
   if (srv != SECSuccess)
     return NS_ERROR_FAILURE;
 
   nsNSSCertTrust trust(&nsstrust);
   if (certType == nsIX509Cert::CA_CERT) {
     if (trustType & nsIX509CertDB::TRUSTED_SSL) {
@@ -1297,17 +1297,17 @@ nsNSSCertificateDB::FindEmailEncryptionC
   }
 
   nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
   char *asciiname = nullptr;
   NS_ConvertUTF16toUTF8 aUtf8Nickname(aNickname);
   asciiname = const_cast<char*>(aUtf8Nickname.get());
 
   /* Find a good cert in the user's database */
-  insanity::pkix::ScopedCERTCertificate cert;
+  mozilla::pkix::ScopedCERTCertificate cert;
   cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(), asciiname, 
            certUsageEmailRecipient, true, ctx);
   if (!cert) {
     return NS_OK;
   }
 
   nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert.get());
   if (!nssCert) {
@@ -1327,17 +1327,17 @@ nsNSSCertificateDB::FindEmailSigningCert
   if (aNickname.IsEmpty())
     return NS_OK;
 
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
-  insanity::pkix::ScopedCERTCertificate cert;
+  mozilla::pkix::ScopedCERTCertificate cert;
   nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
   char *asciiname = nullptr;
   NS_ConvertUTF16toUTF8 aUtf8Nickname(aNickname);
   asciiname = const_cast<char*>(aUtf8Nickname.get());
 
   /* Find a good cert in the user's database */
   cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(), asciiname, 
            certUsageEmailSigner, true, ctx);
@@ -1457,17 +1457,17 @@ nsNSSCertificateDB::ConstructX509(const 
     return NS_ERROR_INVALID_POINTER;
   }
 
   SECItem secitem_cert;
   secitem_cert.type = siDERCertBuffer;
   secitem_cert.data = (unsigned char*)certDER;
   secitem_cert.len = lengthDER;
 
-  insanity::pkix::ScopedCERTCertificate cert;
+  mozilla::pkix::ScopedCERTCertificate cert;
   cert =
     CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &secitem_cert,
                             nullptr, false, true);
   if (!cert)
     return (PORT_GetError() == SEC_ERROR_NO_MEMORY)
       ? NS_ERROR_OUT_OF_MEMORY : NS_ERROR_FAILURE;
 
   nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert.get());
@@ -1556,17 +1556,17 @@ nsNSSCertificateDB::get_default_nickname
       if (!tmp) {
         nickname.Truncate();
         return;
       }
       nickname = tmp;
       PR_smprintf_free(tmp);
     }
 
-    insanity::pkix::ScopedCERTCertificate dummycert;
+    mozilla::pkix::ScopedCERTCertificate dummycert;
 
     if (PK11_IsInternal(slot)) {
       /* look up the nickname to make sure it isn't in use already */
       dummycert = CERT_FindCertByNickname(defaultcertdb, nickname.get());
 
     } else {
       /*
        * Check the cert against others that already live on the smart 
@@ -1617,17 +1617,17 @@ NS_IMETHODIMP nsNSSCertificateDB::AddCer
   NS_ENSURE_SUCCESS(rv, rv);
 
   SECItem der;
   rv = newCert->GetRawDER(&der.len, (uint8_t **)&der.data);
   NS_ENSURE_SUCCESS(rv, rv);
 
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Creating temp cert\n"));
   CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
-  insanity::pkix::ScopedCERTCertificate tmpCert(CERT_FindCertByDERCert(certdb, &der));
+  mozilla::pkix::ScopedCERTCertificate tmpCert(CERT_FindCertByDERCert(certdb, &der));
   if (!tmpCert)
     tmpCert = CERT_NewTempCertificate(certdb, &der,
                                       nullptr, false, true);
   nsMemory::Free(der.data);
   der.data = nullptr;
   der.len = 0;
 
   if (!tmpCert) {
@@ -1672,17 +1672,17 @@ nsNSSCertificateDB::SetCertTrustFromStri
   CERTCertTrust trust;
 
   // need to calculate the trust bits from the aTrust string.
   SECStatus srv = CERT_DecodeTrustString(&trust,
                                          const_cast<char *>(trustString));
   if (srv != SECSuccess) {
     return MapSECStatus(SECFailure);
   }
-  insanity::pkix::ScopedCERTCertificate nssCert(cert->GetCert());
+  mozilla::pkix::ScopedCERTCertificate nssCert(cert->GetCert());
 
   nsresult rv = attemptToLogInWithDefaultPassword();
   if (NS_WARN_IF(rv != NS_OK)) {
     return rv;
   }
 
   srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nssCert.get(), &trust);
   return MapSECStatus(srv);
@@ -1693,17 +1693,17 @@ nsNSSCertificateDB::GetCerts(nsIX509Cert
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }  
 
   nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
   nsCOMPtr<nsIX509CertList> nssCertList;
-  insanity::pkix::ScopedCERTCertList certList(
+  mozilla::pkix::ScopedCERTCertList certList(
     PK11_ListCerts(PK11CertListUnique, ctx));
 
   // nsNSSCertList 1) adopts certList, and 2) handles the nullptr case fine.
   // (returns an empty list) 
   nssCertList = new nsNSSCertList(certList, locker);
 
   *_retval = nssCertList;
   NS_ADDREF(*_retval);
@@ -1763,17 +1763,17 @@ nsNSSCertificateDB::VerifyCertNow(nsIX50
   if (!x509Cert) {
     return NS_ERROR_INVALID_ARG;
   }
   ScopedCERTCertificate nssCert(x509Cert->GetCert());
 
   RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
   NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE);
 
-  insanity::pkix::ScopedCERTCertList resultChain;
+  mozilla::pkix::ScopedCERTCertList resultChain;
   SECOidTag evOidPolicy;
   SECStatus srv;
 
   srv = certVerifier->VerifyCert(nssCert, nullptr,
                                  aUsage, PR_Now(),
                                  nullptr, // Assume no context
                                  aFlags,
                                  &resultChain,
@@ -1806,17 +1806,17 @@ nsNSSCertificateDB::ClearOCSPCache()
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
   NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE);
-  if (certVerifier->mImplementation == CertVerifier::insanity) {
+  if (certVerifier->mImplementation == CertVerifier::mozillapkix) {
     certVerifier->ClearOCSPCache();
   } else {
     SECStatus srv = CERT_ClearOCSPCache();
     if (srv != SECSuccess) {
       return MapSECStatus(srv);
     }
   }
 
--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@@ -966,19 +966,19 @@ void nsNSSComponent::setValidationOption
   bool ocspStaplingEnabled = Preferences::GetBool("security.ssl.enable_ocsp_stapling",
                                                   true);
   PublicSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
   PrivateSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
 
   CertVerifier::implementation_config certVerifierImplementation
     = CertVerifier::classic;
 
-  // The insanity::pkix pref overrides the libpkix pref
-  if (Preferences::GetBool("security.use_insanity_verification", false)) {
-    certVerifierImplementation = CertVerifier::insanity;
+  // The mozilla::pkix pref overrides the libpkix pref
+  if (Preferences::GetBool("security.use_mozillapkix_verification", false)) {
+    certVerifierImplementation = CertVerifier::mozillapkix;
   } else {
 #ifndef NSS_NO_LIBPKIX
   if (Preferences::GetBool("security.use_libpkix_verification", false)) {
     certVerifierImplementation = CertVerifier::libpkix;
   }
 #endif
   }
 
@@ -992,19 +992,19 @@ void nsNSSComponent::setValidationOption
 #ifndef NSS_NO_LIBPKIX
       aiaDownloadEnabled ?
         CertVerifier::missing_cert_download_on : CertVerifier::missing_cert_download_off,
       crlDownloading ?
         CertVerifier::crl_download_allowed : CertVerifier::crl_local_only,
 #endif
       odc, osc, ogc);
 
-  // insanity::pkix has its own OCSP cache, so disable the NSS cache
+  // mozilla::pkix has its own OCSP cache, so disable the NSS cache
   // if appropriate.
-  if (certVerifierImplementation == CertVerifier::insanity) {
+  if (certVerifierImplementation == CertVerifier::mozillapkix) {
     // Using -1 disables the cache. The other arguments are the default
     // values and aren't exposed by the API.
     CERT_OCSPCacheSettings(-1, 1*60*60L, 24*60*60L);
   } else {
     // Using 1000 enables the cache with the default size of 1000. Again,
     // these values are not exposed by the API.
     CERT_OCSPCacheSettings(1000, 1*60*60L, 24*60*60L);
   }
@@ -1612,17 +1612,17 @@ nsNSSComponent::Observe(nsISupports* aSu
                                                 ALPN_ENABLED_DEFAULT));
     } else if (prefName.Equals("security.OCSP.enabled")
                || prefName.Equals("security.CRL_download.enabled")
                || prefName.Equals("security.fresh_revocation_info.require")
                || prefName.Equals("security.missing_cert_download.enabled")
                || prefName.Equals("security.OCSP.require")
                || prefName.Equals("security.OCSP.GET.enabled")
                || prefName.Equals("security.ssl.enable_ocsp_stapling")
-               || prefName.Equals("security.use_insanity_verification")
+               || prefName.Equals("security.use_mozillapkix_verification")
                || prefName.Equals("security.use_libpkix_verification")) {
       MutexAutoLock lock(mutex);
       setValidationOptions(false, lock);
     } else if (prefName.Equals("network.ntlm.send-lm-response")) {
       bool sendLM = Preferences::GetBool("network.ntlm.send-lm-response",
                                          SEND_LM_DEFAULT);
       nsNTLMAuthModule::SetSendLM(sendLM);
       clearSessionCache = false;
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
@@ -1,17 +1,17 @@
 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsNSSIOLayer.h"
 
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "nsNSSComponent.h"
 #include "mozilla/Casting.h"
 #include "mozilla/DebugOnly.h"
 #include "mozilla/Telemetry.h"
 
 #include "prlog.h"
 #include "prnetdb.h"
 #include "nsIPrefService.h"
@@ -1865,19 +1865,19 @@ nsNSS_SSLGetClientAuthData(void* arg, PR
   return runnable->mRV;
 }
 
 void
 ClientAuthDataRunnable::RunOnTargetThread()
 {
   PLArenaPool* arena = nullptr;
   char** caNameStrings;
-  insanity::pkix::ScopedCERTCertificate cert;
+  mozilla::pkix::ScopedCERTCertificate cert;
   ScopedSECKEYPrivateKey privKey;
-  insanity::pkix::ScopedCERTCertList certList;
+  mozilla::pkix::ScopedCERTCertList certList;
   CERTCertListNode* node;
   ScopedCERTCertNicknames nicknames;
   char* extracted = nullptr;
   int keyError = 0; // used for private key retrieval error
   SSM_UserCertChoice certChoice;
   int32_t NumberOfCerts = 0;
   void* wincx = mSocketInfo;
   nsresult rv;
--- a/security/manager/ssl/src/nsPKCS12Blob.cpp
+++ b/security/manager/ssl/src/nsPKCS12Blob.cpp
@@ -1,16 +1,16 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /* $Id: nsPKCS12Blob.cpp,v 1.49 2007/09/05 07:13:46 jwalden%mit.edu Exp $ */
 
 #include "nsPKCS12Blob.h"
 
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 
 #include "prmem.h"
 #include "prprf.h"
 
 #include "nsIFile.h"
 #include "nsNetUtil.h"
 #include "nsIDirectoryService.h"
 #include "nsThreadUtils.h"
@@ -302,17 +302,17 @@ nsPKCS12Blob::ExportToFile(nsIFile *file
     goto finish;
   }
   // add password integrity
   srv = SEC_PKCS12AddPasswordIntegrity(ecx, &unicodePw, SEC_OID_SHA1);
   if (srv) goto finish;
   for (i=0; i<numCerts; i++) {
     nsNSSCertificate *cert = (nsNSSCertificate *)certs[i];
     // get it as a CERTCertificate XXX
-    insanity::pkix::ScopedCERTCertificate nssCert(cert->GetCert());
+    mozilla::pkix::ScopedCERTCertificate nssCert(cert->GetCert());
     if (!nssCert) {
       rv = NS_ERROR_FAILURE;
       goto finish;
     }
     // We can only successfully export certs that are on 
     // internal token.  Most, if not all, smart card vendors
     // won't let you extract the private key (in any way
     // shape or form) from the card.  So let's punt if 
--- a/security/manager/ssl/src/nsRecentBadCerts.cpp
+++ b/security/manager/ssl/src/nsRecentBadCerts.cpp
@@ -1,17 +1,17 @@
 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsRecentBadCerts.h"
 
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "nsIX509Cert.h"
 #include "nsIObserverService.h"
 #include "mozilla/RefPtr.h"
 #include "mozilla/Services.h"
 #include "nsSSLStatus.h"
 #include "nsCOMPtr.h"
 #include "nsNSSCertificate.h"
 #include "nsCRT.h"
@@ -67,17 +67,17 @@ nsRecentBadCerts::GetRecentBadCert(const
         isNotValidAtThisTime = mCerts[i].isNotValidAtThisTime;
         isUntrusted = mCerts[i].isUntrusted;
       }
     }
   }
 
   if (foundDER.len) {
     CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
-    insanity::pkix::ScopedCERTCertificate nssCert(
+    mozilla::pkix::ScopedCERTCertificate nssCert(
       CERT_FindCertByDERCert(certdb, &foundDER));
     if (!nssCert) 
       nssCert = CERT_NewTempCertificate(certdb, &foundDER,
                                         nullptr, // no nickname
                                         false, // not perm
                                         true); // copy der
 
     SECITEM_FreeItem(&foundDER, false);
--- a/security/manager/ssl/tests/gtest/moz.build
+++ b/security/manager/ssl/tests/gtest/moz.build
@@ -10,13 +10,13 @@ LIBXUL_LIBRARY = True
 
 SOURCES += [
     'OCSPCacheTest.cpp',
     'TLSIntoleranceTest.cpp',
 ]
 
 LOCAL_INCLUDES += [
     '../../../../certverifier',
-    '../../../../insanity/include',
+    '../../../../pkix/include',
     '/security/manager/ssl/src',
 ]
 
 include('/ipc/chromium/chromium-config.mozbuild')
--- a/security/manager/ssl/tests/unit/test_cert_overrides.js
+++ b/security/manager/ssl/tests/unit/test_cert_overrides.js
@@ -67,76 +67,76 @@ function run_test() {
 
   add_test(function () {
     fakeOCSPResponder.stop(check_telemetry);
   });
 
   run_next_test();
 }
 
-function add_tests_in_mode(useInsanity) {
+function add_tests_in_mode(useMozillaPKIX) {
   add_test(function () {
-    Services.prefs.setBoolPref("security.use_insanity_verification",
-                               useInsanity);
+    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
+                               useMozillaPKIX);
     run_next_test();
   });
 
-  add_simple_tests(useInsanity);
-  add_combo_tests(useInsanity);
-  add_distrust_tests(useInsanity);
+  add_simple_tests(useMozillaPKIX);
+  add_combo_tests(useMozillaPKIX);
+  add_distrust_tests(useMozillaPKIX);
 
   add_test(function () {
     certOverrideService.clearValidityOverride("all:temporary-certificates", 0);
     run_next_test();
   });
 }
 
-function add_simple_tests(useInsanity) {
+function add_simple_tests(useMozillaPKIX) {
   add_cert_override_test("expired.example.com",
                          Ci.nsICertOverrideService.ERROR_TIME,
                          getXPCOMStatusFromNSS(SEC_ERROR_EXPIRED_CERTIFICATE));
   add_cert_override_test("selfsigned.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
                          getXPCOMStatusFromNSS(
-                            useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                                        : SEC_ERROR_CA_CERT_INVALID));
+                            useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                           : SEC_ERROR_CA_CERT_INVALID));
   add_cert_override_test("unknownissuer.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
                          getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
   add_cert_override_test("expiredissuer.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
                          getXPCOMStatusFromNSS(
-                            useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                                        : SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE));
+                            useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                           : SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE));
   add_cert_override_test("md5signature.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
                          getXPCOMStatusFromNSS(
                             SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED));
   add_cert_override_test("mismatch.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH,
                          getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN));
 
   // A Microsoft IIS utility generates self-signed certificates with
   // properties similar to the one this "host" will present (see
   // tlsserver/generate_certs.sh).
   // One of the errors classic verification collects is that this
   // certificate has an inadequate key usage to sign a certificate
   // (i.e. itself). As a result, to be able to override this,
   // SEC_ERROR_INADEQUATE_KEY_USAGE must be overridable (although,
   // confusingly, this isn't the main error reported).
-  // insanity::pkix just says this certificate's issuer is unknown.
+  // mozilla::pkix just says this certificate's issuer is unknown.
   add_cert_override_test("selfsigned-inadequateEKU.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
                          getXPCOMStatusFromNSS(
-                            useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                                        : SEC_ERROR_CA_CERT_INVALID));
+                            useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                           : SEC_ERROR_CA_CERT_INVALID));
 
   // SEC_ERROR_INADEQUATE_KEY_USAGE is overridable in general for
-  // classic verification, but not for insanity::pkix verification.
-  if (useInsanity) {
+  // classic verification, but not for mozilla::pkix verification.
+  if (useMozillaPKIX) {
     add_connection_test("inadequatekeyusage.example.com",
                         getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE),
                         null,
                         function (securityInfo) {
                           // bug 754369 - no SSLStatus probably means this is
                           // a non-overridable error, which is what we're testing
                           // (although it would be best to test this directly).
                           securityInfo.QueryInterface(Ci.nsISSLStatusProvider);
@@ -144,70 +144,70 @@ function add_simple_tests(useInsanity) {
                         });
   } else {
     add_cert_override_test("inadequatekeyusage.example.com",
                            Ci.nsICertOverrideService.ERROR_UNTRUSTED,
                            getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE));
   }
 }
 
-function add_combo_tests(useInsanity) {
+function add_combo_tests(useMozillaPKIX) {
   // Note that "untrusted" here really is "unknown issuer" in the
-  // insanity::pkix case.
+  // mozilla::pkix case.
 
   add_cert_override_test("mismatch-expired.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH |
                          Ci.nsICertOverrideService.ERROR_TIME,
                          getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN));
   add_cert_override_test("mismatch-untrusted.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH |
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
                          getXPCOMStatusFromNSS(
-                            useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                                        : SEC_ERROR_UNTRUSTED_ISSUER));
+                            useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                           : SEC_ERROR_UNTRUSTED_ISSUER));
   add_cert_override_test("untrusted-expired.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED |
                          Ci.nsICertOverrideService.ERROR_TIME,
                          getXPCOMStatusFromNSS(
-                            useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                                        : SEC_ERROR_UNTRUSTED_ISSUER));
+                            useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                           : SEC_ERROR_UNTRUSTED_ISSUER));
   add_cert_override_test("mismatch-untrusted-expired.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH |
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED |
                          Ci.nsICertOverrideService.ERROR_TIME,
                          getXPCOMStatusFromNSS(
-                            useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                                        : SEC_ERROR_UNTRUSTED_ISSUER));
+                            useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                           : SEC_ERROR_UNTRUSTED_ISSUER));
 
   add_cert_override_test("md5signature-expired.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED |
                          Ci.nsICertOverrideService.ERROR_TIME,
                          getXPCOMStatusFromNSS(
                             SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED));
 }
 
-function add_distrust_tests(useInsanity) {
+function add_distrust_tests(useMozillaPKIX) {
   // Before we specifically distrust this certificate, it should be trusted.
   add_connection_test("untrusted.example.com", Cr.NS_OK);
 
   // XXX(Bug 975777): Active distrust is an overridable error when NSS-based
   // verification is used.
   add_distrust_override_test("tlsserver/default-ee.der",
                              "untrusted.example.com",
                              getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT),
-                             useInsanity
+                             useMozillaPKIX
                                 ? getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT)
                                 : Cr.NS_OK);
 
   // XXX(Bug 975777): Active distrust is an overridable error when NSS-based
   // verification is used.
   add_distrust_override_test("tlsserver/other-test-ca.der",
                              "untrustedissuer.example.com",
                              getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER),
-                             useInsanity
+                             useMozillaPKIX
                                 ? getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER)
                                 : Cr.NS_OK);
 }
 
 function add_distrust_override_test(certFileName, hostName,
                                     expectedResultBefore, expectedResultAfter) {
   let certToDistrust = constructCertFromFile(certFileName);
 
--- a/security/manager/ssl/tests/unit/test_cert_signatures.js
+++ b/security/manager/ssl/tests/unit/test_cert_signatures.js
@@ -44,33 +44,33 @@ function run_test() {
   load_ca("ca-rsa");
   load_ca("ca-p384");
   load_ca("ca-dsa");
 
   run_test_in_mode(true);
   run_test_in_mode(false);
 }
 
-function run_test_in_mode(useInsanity) {
-  Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
+function run_test_in_mode(useMozillaPKIX) {
+  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
   clearOCSPCache();
   clearSessionCache();
 
   check_ca("ca-rsa");
   check_ca("ca-p384");
   check_ca("ca-dsa");
 
-  // insanity::pkix does not allow CA certs to be validated for end-entity
+  // mozilla::pkix does not allow CA certs to be validated for end-entity
   // usages.
-  let int_usage = useInsanity
+  let int_usage = useMozillaPKIX
                 ? 'SSL CA'
                 : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
 
-  // insanity::pkix doesn't implement the Netscape Object Signer restriction.
-  const ee_usage = useInsanity
+  // mozilla::pkix doesn't implement the Netscape Object Signer restriction.
+  const ee_usage = useMozillaPKIX
                  ? 'Client,Server,Sign,Encrypt,Object Signer'
                  : 'Client,Server,Sign,Encrypt';
 
   let cert2usage = {
     // certs without the "int" prefix are end entity certs.
     'int-rsa-valid': int_usage,
     'rsa-valid': ee_usage,
     'int-p384-valid': int_usage,
--- a/security/manager/ssl/tests/unit/test_cert_trust.js
+++ b/security/manager/ssl/tests/unit/test_cert_trust.js
@@ -34,207 +34,207 @@ function check_cert_err_generic(cert, ex
   do_print("cert issuer cn=" + cert.issuerCommonName);
   let hasEVPolicy = {};
   let verifiedChain = {};
   let error = certdb.verifyCertNow(cert, usage,
                                    NO_FLAGS, verifiedChain, hasEVPolicy);
   do_check_eq(error,  expected_error);
 };
 
-function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useInsanity) {
+function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useMozillaPKIX) {
   // On reset most usages are successful
   check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
   check_cert_err_generic(ee_cert, 0, certificateUsageSSLClient);
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
-                                              : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageSSLCA);  // expected no bc
   check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
   check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
-  check_cert_err_generic(ee_cert, useInsanity ? 0
-                                              : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageObjectSigner); // expected
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
-                                              : SEC_ERROR_INVALID_ARGS,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INVALID_ARGS,
                          certificateUsageVerifyCA); // expected no bc
   check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageStatusResponder); //expected
 
 
   // Test of active distrust. No usage should pass.
   setCertTrust(cert_to_modify_trust, 'p,p,p');
   check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageSSLServer);
   check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageSSLClient);
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
-                                              : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageSSLCA);
   check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageEmailSigner);
   check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageEmailRecipient);
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_UNTRUSTED_ISSUER
-                                              : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_UNTRUSTED_ISSUER
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageObjectSigner);
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
-                                              : SEC_ERROR_INVALID_ARGS,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INVALID_ARGS,
                          certificateUsageVerifyCA);
   check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageStatusResponder);
 
 
   // Trust set to T  -  trusted CA to issue client certs, where client cert is
   // usageSSLClient.
   setCertTrust(cert_to_modify_trust, 'T,T,T');
-  check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                                                         : SEC_ERROR_UNTRUSTED_ISSUER
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                                            : SEC_ERROR_UNTRUSTED_ISSUER
                                            : 0,
                          certificateUsageSSLServer);
 
-  check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER //XXX Bug 982340
-                                                         : 0
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER //XXX Bug 982340
+                                                            : 0
                                            : 0,
                          certificateUsageSSLClient);
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
-                                              : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageSSLCA);
 
-  check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                                                         : SEC_ERROR_UNTRUSTED_ISSUER
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                                            : SEC_ERROR_UNTRUSTED_ISSUER
                                            : 0,
                          certificateUsageEmailSigner);
-  check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                                                         : SEC_ERROR_UNTRUSTED_ISSUER
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                                            : SEC_ERROR_UNTRUSTED_ISSUER
                                            : 0,
                          certificateUsageEmailRecipient);
-  check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                                                         : SEC_ERROR_INADEQUATE_CERT_TYPE
-                                           : useInsanity ? 0
-                                                         : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                                            : SEC_ERROR_INADEQUATE_CERT_TYPE
+                                           : useMozillaPKIX ? 0
+                                                            : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageObjectSigner);
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
-                                              : SEC_ERROR_INVALID_ARGS,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INVALID_ARGS,
                          certificateUsageVerifyCA);
   check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageStatusResponder);
 
 
   // Now tests on the SSL trust bit
   setCertTrust(cert_to_modify_trust, 'p,C,C');
   check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageSSLServer);
-  check_cert_err_generic(ee_cert, useInsanity ? 0  //XXX Bug 982340
-                                              : SEC_ERROR_UNTRUSTED_ISSUER,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0  //XXX Bug 982340
+                                                 : SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageSSLClient);
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
-                                              : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageSSLCA);
   check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
   check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
-  check_cert_err_generic(ee_cert, useInsanity ? 0
-                                              : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageObjectSigner);
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
-                                              : SEC_ERROR_INVALID_ARGS,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INVALID_ARGS,
                          certificateUsageVerifyCA);
   check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageStatusResponder);
 
   // Inherited trust SSL
   setCertTrust(cert_to_modify_trust, ',C,C');
-  check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                                                         : SEC_ERROR_UNTRUSTED_ISSUER
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                                            : SEC_ERROR_UNTRUSTED_ISSUER
                                            : 0,
                          certificateUsageSSLServer);
-  check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? 0  // XXX Bug 982340
-                                                         : SEC_ERROR_UNTRUSTED_ISSUER
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? 0  // XXX Bug 982340
+                                                            : SEC_ERROR_UNTRUSTED_ISSUER
                                            : 0,
                          certificateUsageSSLClient);
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
-                                              : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageSSLCA);
   check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
   check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
-  check_cert_err_generic(ee_cert, useInsanity ? 0
-                                              : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageObjectSigner);
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
-                                              : SEC_ERROR_INVALID_ARGS,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INVALID_ARGS,
                          certificateUsageVerifyCA);
   check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageStatusResponder);
 
   // Now tests on the EMAIL trust bit
   setCertTrust(cert_to_modify_trust, 'C,p,C');
   check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
   check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNTRUSTED_ISSUER
-                                           : useInsanity ? SEC_ERROR_UNTRUSTED_ISSUER
-                                                         : 0, // Insanity is OK, NSS bug
+                                           : useMozillaPKIX ? SEC_ERROR_UNTRUSTED_ISSUER
+                                                            : 0, // Insanity is OK, NSS bug
                          certificateUsageSSLClient);
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
-                                              : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageSSLCA);
   check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageEmailSigner);
   check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                          certificateUsageEmailRecipient);
-  check_cert_err_generic(ee_cert, useInsanity ? 0
-                                              : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageObjectSigner);
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
-                                              : SEC_ERROR_INVALID_ARGS,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INVALID_ARGS,
                          certificateUsageVerifyCA);
   check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageStatusResponder);
 
 
   //inherited EMAIL Trust
   setCertTrust(cert_to_modify_trust, 'C,,C');
   check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
-  check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                                                         : SEC_ERROR_UNTRUSTED_ISSUER
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                                            : SEC_ERROR_UNTRUSTED_ISSUER
                                            : 0,
                          certificateUsageSSLClient);
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
-                                              : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageSSLCA);
-  check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                                                         : SEC_ERROR_UNTRUSTED_ISSUER
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                                            : SEC_ERROR_UNTRUSTED_ISSUER
                                            : 0,
                          certificateUsageEmailSigner);
-  check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                                                         : SEC_ERROR_UNTRUSTED_ISSUER
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                                            : SEC_ERROR_UNTRUSTED_ISSUER
                                            : 0,
                          certificateUsageEmailRecipient);
-  check_cert_err_generic(ee_cert, useInsanity ? 0
-                                              : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageObjectSigner);
-  check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
-                                              : SEC_ERROR_INVALID_ARGS,
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INVALID_ARGS,
                          certificateUsageVerifyCA);
   check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                          certificateUsageStatusResponder);
 }
 
 
-function run_test_in_mode(useInsanity) {
-  Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
+function run_test_in_mode(useMozillaPKIX) {
+  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
 
   let ca_cert = certdb.findCertByNickname(null, 'ca');
   do_check_false(!ca_cert)
   let int_cert = certdb.findCertByNickname(null, 'int');
   do_check_false(!int_cert)
   let ee_cert = certdb.findCertByNickname(null, 'ee');
   do_check_false(!ee_cert);
 
   setup_basic_trusts(ca_cert, int_cert);
-  test_ca_distrust(ee_cert, ca_cert, true, useInsanity);
+  test_ca_distrust(ee_cert, ca_cert, true, useMozillaPKIX);
 
   setup_basic_trusts(ca_cert, int_cert);
-  test_ca_distrust(ee_cert, int_cert, false, useInsanity);
+  test_ca_distrust(ee_cert, int_cert, false, useMozillaPKIX);
 }
 
 function run_test() {
   for (let i = 0 ; i < certList.length; i++) {
     load_cert(certList[i], ',,');
   }
 
   run_test_in_mode(true);
--- a/security/manager/ssl/tests/unit/test_certificate_usages.js
+++ b/security/manager/ssl/tests/unit/test_certificate_usages.js
@@ -30,46 +30,46 @@ function run_test() {
     do_print("ca_name=" + ca_name);
     var cert = certdb.findCertByNickname(null, ca_name);
   }
 
   run_test_in_mode(true);
   run_test_in_mode(false);
 }
 
-function run_test_in_mode(useInsanity) {
-  Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
+function run_test_in_mode(useMozillaPKIX) {
+  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
   clearOCSPCache();
   clearSessionCache();
 
-  // insanity::pkix does not allow CA certs to be validated for non-CA usages.
-  var allCAUsages = useInsanity
+  // mozilla::pkix does not allow CA certs to be validated for non-CA usages.
+  var allCAUsages = useMozillaPKIX
                   ? 'SSL CA'
                   : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
 
-  // insanity::pkix doesn't allow CA certificates to have the Status Responder
+  // mozilla::pkix doesn't allow CA certificates to have the Status Responder
   // EKU.
   var ca_usages = [allCAUsages,
                    'SSL CA',
                    allCAUsages,
-                   useInsanity ? ''
-                               : 'Client,Server,Sign,Encrypt,Status Responder'];
+                   useMozillaPKIX ? ''
+                                  : 'Client,Server,Sign,Encrypt,Status Responder'];
 
-  // insanity::pkix doesn't implement the Netscape Object Signer restriction.
-  var basicEndEntityUsages = useInsanity
+  // mozilla::pkix doesn't implement the Netscape Object Signer restriction.
+  var basicEndEntityUsages = useMozillaPKIX
                            ? 'Client,Server,Sign,Encrypt,Object Signer'
                            : 'Client,Server,Sign,Encrypt';
   var basicEndEntityUsagesWithObjectSigner = basicEndEntityUsages + ",Object Signer"
 
-  // insanity::pkix won't let a certificate with the "Status Responder" EKU get
+  // mozilla::pkix won't let a certificate with the "Status Responder" EKU get
   // validated for any other usage.
-  var statusResponderUsages = (useInsanity ? "" : "Server,") + "Status Responder";
+  var statusResponderUsages = (useMozillaPKIX ? "" : "Server,") + "Status Responder";
   var statusResponderUsagesFull
-      = useInsanity ? statusResponderUsages
-                    : basicEndEntityUsages + ',Object Signer,Status Responder';
+      = useMozillaPKIX ? statusResponderUsages
+                       : basicEndEntityUsages + ',Object Signer,Status Responder';
 
   var ee_usages = [
     [ basicEndEntityUsages,
       basicEndEntityUsages,
       basicEndEntityUsages,
       '',
       statusResponderUsagesFull,
       'Client,Server',
@@ -96,26 +96,26 @@ function run_test_in_mode(useInsanity) {
       'Sign,Encrypt,Object Signer',
       statusResponderUsages
     ],
 
     // The CA has isCA=true without keyCertSign.
     //
     // The 'classic' NSS mode uses the 'union' of the
     // capabilites so the cert is considered a CA.
-    // insanity::pkix and libpkix use the intersection of
+    // mozilla::pkix and libpkix use the intersection of
     // capabilites, so the cert is NOT considered a CA.
-    [ useInsanity ? '' : basicEndEntityUsages,
-      useInsanity ? '' : basicEndEntityUsages,
-      useInsanity ? '' : basicEndEntityUsages,
+    [ useMozillaPKIX ? '' : basicEndEntityUsages,
+      useMozillaPKIX ? '' : basicEndEntityUsages,
+      useMozillaPKIX ? '' : basicEndEntityUsages,
       '',
-      useInsanity ? '' : statusResponderUsagesFull,
-      useInsanity ? '' : 'Client,Server',
-      useInsanity ? '' : 'Sign,Encrypt,Object Signer',
-      useInsanity ? '' : 'Server,Status Responder'
+      useMozillaPKIX ? '' : statusResponderUsagesFull,
+      useMozillaPKIX ? '' : 'Client,Server',
+      useMozillaPKIX ? '' : 'Sign,Encrypt,Object Signer',
+      useMozillaPKIX ? '' : 'Server,Status Responder'
      ]
   ];
 
   do_check_eq(gNumCAs, ca_usages.length);
 
   for (var i = 0; i < gNumCAs; i++) {
     var ca_name = "ca-" + (i + 1);
     var verified = {};
--- a/security/manager/ssl/tests/unit/test_ev_certs.js
+++ b/security/manager/ssl/tests/unit/test_ev_certs.js
@@ -114,21 +114,21 @@ function run_test() {
   // setup and start ocsp responder
   Services.prefs.setCharPref("network.dns.localDomains",
                              'www.example.com, crl.example.com');
   add_tests_in_mode(true);
   add_tests_in_mode(false);
   run_next_test();
 }
 
-function add_tests_in_mode(useInsanity)
+function add_tests_in_mode(useMozillaPKIX)
 {
   add_test(function () {
-    Services.prefs.setBoolPref("security.use_insanity_verification",
-                               useInsanity);
+    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
+                               useMozillaPKIX);
     run_next_test();
   });
 
   add_test(function () {
     clearOCSPCache();
     let ocspResponder = start_ocsp_responder(
                           isDebugBuild ? ["int-ev-valid", "ev-valid"]
                                        : ["ev-valid"]);
@@ -157,18 +157,18 @@ function add_tests_in_mode(useInsanity)
   const nsIX509Cert = Ci.nsIX509Cert;
   add_test(function() {
     let evRootCA = certdb.findCertByNickname(null, evrootnick);
     certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT, 0);
 
     clearOCSPCache();
     let ocspResponder = failingOCSPResponder();
     check_cert_err("ev-valid",
-                   useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
-                               : SEC_ERROR_UNTRUSTED_ISSUER);
+                   useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                  : SEC_ERROR_UNTRUSTED_ISSUER);
     ocspResponder.stop(run_next_test);
   });
 
   // bug 917380: Chcek that a trusted EV root is trusted after disabling and
   // re-enabling trust.
   add_test(function() {
     let evRootCA = certdb.findCertByNickname(null, evrootnick);
     certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT,
@@ -181,33 +181,33 @@ function add_tests_in_mode(useInsanity)
                           isDebugBuild ? ["int-ev-valid", "ev-valid"]
                                        : ["ev-valid"]);
     check_ee_for_ev("ev-valid", isDebugBuild);
     ocspResponder.stop(run_next_test);
   });
 
   add_test(function () {
     check_no_ocsp_requests("ev-valid",
-      useInsanity ? SEC_ERROR_POLICY_VALIDATION_FAILED
-                  : (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE
-                                  : SEC_ERROR_EXTENSION_NOT_FOUND));
+      useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
+                     : (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE
+                                     : SEC_ERROR_EXTENSION_NOT_FOUND));
   });
 
   add_test(function () {
     check_no_ocsp_requests("non-ev-root",
-      useInsanity ? SEC_ERROR_POLICY_VALIDATION_FAILED
-                  : (isDebugBuild ? SEC_ERROR_UNTRUSTED_ISSUER
-                                  : SEC_ERROR_EXTENSION_NOT_FOUND));
+      useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
+                     : (isDebugBuild ? SEC_ERROR_UNTRUSTED_ISSUER
+                                     : SEC_ERROR_EXTENSION_NOT_FOUND));
   });
 
   add_test(function () {
     check_no_ocsp_requests("no-ocsp-url-cert",
-      useInsanity ? SEC_ERROR_POLICY_VALIDATION_FAILED
-                  : (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE
-                                  : SEC_ERROR_EXTENSION_NOT_FOUND));
+      useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
+                     : (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE
+                                     : SEC_ERROR_EXTENSION_NOT_FOUND));
   });
 
   // Test the EV continues to work with flags after successful EV verification
   add_test(function () {
     clearOCSPCache();
     let ocspResponder = start_ocsp_responder(
                           isDebugBuild ? ["int-ev-valid", "ev-valid"]
                                        : ["ev-valid"]);
@@ -221,18 +221,18 @@ function add_tests_in_mode(useInsanity)
       let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY |
                   Ci.nsIX509CertDB.FLAG_MUST_BE_EV;
 
       let error = certdb.verifyCertNow(cert, certificateUsageSSLServer,
                                        flags, verifiedChain, hasEVPolicy);
       do_check_eq(hasEVPolicy.value, isDebugBuild);
       do_check_eq(error,
                   isDebugBuild ? 0
-                               : (useInsanity ? SEC_ERROR_POLICY_VALIDATION_FAILED
-                                              : SEC_ERROR_EXTENSION_NOT_FOUND));
+                               : (useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
+                                                 : SEC_ERROR_EXTENSION_NOT_FOUND));
       failingOcspResponder.stop(run_next_test);
     });
   });
 }
 
 // bug 950240: add FLAG_MUST_BE_EV to CertVerifier::VerifyCert
 // to prevent spurious OCSP requests that race with OCSP stapling.
 // This has the side-effect of saying an EV certificate is not EV if
--- a/security/manager/ssl/tests/unit/test_getchain.js
+++ b/security/manager/ssl/tests/unit/test_getchain.js
@@ -65,18 +65,18 @@ function check_getchain(ee_cert, ssl_ca,
   certdb.setCertTrust(ssl_ca, nsIX509Cert.CA_CERT, 0);
   check_matching_issuer_and_getchain(email_ca.serialNumber, ee_cert);
   certdb.setCertTrust(email_ca, nsIX509Cert.CA_CERT, 0);
   // Do a final test on the case of no trust. The results must
   // be cosistent (the actual value is non-deterministic).
   check_matching_issuer_and_getchain(ee_cert.issuer.serialNumber, ee_cert);
 }
 
-function run_test_in_mode(useInsanity) {
-  Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
+function run_test_in_mode(useMozillaPKIX) {
+  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
   clearOCSPCache();
   clearSessionCache();
 
   for (let i = 0 ; i < certList.length; i++) {
     load_cert(certList[i], ',,');
   }
 
   let ee_cert = certdb.findCertByNickname(null, 'ee');
--- a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
@@ -33,28 +33,28 @@ function test_cert_for_usages(certChainN
   let cert = certs[0];
   let verified = {};
   let usages = {};
   cert.getUsagesString(true, verified, usages);
   do_print("usages.value = " + usages.value);
   do_check_eq(expected_usages_string, usages.value);
 }
 
-function run_test_in_mode(useInsanity) {
-  Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
+function run_test_in_mode(useMozillaPKIX) {
+  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
 
-  // insanity::pkix doesn't support the obsolete Netscape object signing
+  // mozilla::pkix doesn't support the obsolete Netscape object signing
   // extension, but NSS does.
-  let ee_usage1 = useInsanity
+  let ee_usage1 = useMozillaPKIX
                 ? 'Client,Server,Sign,Encrypt,Object Signer'
                 : 'Client,Server,Sign,Encrypt'
 
-  // insanity::pkix doesn't validate CA certificates for non-CA uses, but
+  // mozilla::pkix doesn't validate CA certificates for non-CA uses, but
   // NSS does.
-  let ca_usage1 = useInsanity
+  let ca_usage1 = useMozillaPKIX
                 ? "SSL CA"
                 : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
 
   // Load the ca into mem
   let ca_name = "ca";
   load_cert(ca_name, "CTu,CTu,CTu");
   do_print("ca_name = " + ca_name);
   test_cert_for_usages([ca_name], ca_usage1);
@@ -80,36 +80,36 @@ function run_test_in_mode(useInsanity) {
   test_cert_for_usages(["ee-int-limited-depth", "int-limited-depth"],
                        ee_usage1);
 
   // ca
   //   int-limited-depth (cA==true, pathLenConstraint==0)
   //      int-limited-depth-invalid (cA==true)
   //
   // XXX: It seems the NSS code does not consider the path length of the
-  // certificate we're validating, but insanity::pkix does. insanity::pkix's
+  // certificate we're validating, but mozilla::pkix does. mozilla::pkix's
   // behavior is correct.
   test_cert_for_usages(["int-limited-depth-invalid", "int-limited-depth"],
-                       useInsanity ? "" : ca_usage1);
+                       useMozillaPKIX ? "" : ca_usage1);
   test_cert_for_usages(["ee-int-limited-depth-invalid",
                         "int-limited-depth-invalid",
                         "int-limited-depth"],
                        "");
 
   // int-valid-ku-no-eku has keyCertSign
   test_cert_for_usages(["int-valid-ku-no-eku"], "SSL CA");
   test_cert_for_usages(["ee-int-valid-ku-no-eku", "int-valid-ku-no-eku"],
                        ee_usage1);
 
   // int-bad-ku-no-eku has basicConstraints.cA==true and has a KU extension
-  // but the KU extension is missing keyCertSign. Note that insanity::pkix
+  // but the KU extension is missing keyCertSign. Note that mozilla::pkix
   // doesn't validate certificates with basicConstraints.Ca==true for non-CA
   // uses, but NSS does.
   test_cert_for_usages(["int-bad-ku-no-eku"],
-                       useInsanity
+                       useMozillaPKIX
                           ? ""
                           : 'Client,Server,Sign,Encrypt,Status Responder');
   test_cert_for_usages(["ee-int-bad-ku-no-eku", "int-bad-ku-no-eku"], "");
 
   // int-no-ku-no-eku has basicConstraints.cA==true and no KU extension.
   // We treat a missing KU as "any key usage is OK".
   test_cert_for_usages(["int-no-ku-no-eku"], ca_usage1);
   test_cert_for_usages(["ee-int-no-ku-no-eku", "int-no-ku-no-eku"], ee_usage1);
--- a/security/manager/ssl/tests/unit/test_name_constraints.js
+++ b/security/manager/ssl/tests/unit/test_name_constraints.js
@@ -45,18 +45,18 @@ function check_ok_ca (x) {
 function check_fail(x) {
   return check_cert_err(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE);
 }
 
 function check_fail_ca(x) {
   return check_cert_err_generic(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, certificateUsageSSLCA);
 }
 
-function run_test_in_mode(useInsanity) {
-  Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
+function run_test_in_mode(useMozillaPKIX) {
+  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
 
   // Note that CN is only looked at when there is NO subjectAltName!
 
   // Testing with a unconstrained root, and intermediate constrained to PERMIT
   // foo.com. All failures on this section are doe to the cert DNS names
   // not being under foo.com.
   check_ok_ca(load_cert('int-nc-perm-foo.com-ca-nc', ',,'));
   // no dirName
@@ -256,17 +256,17 @@ function run_test_in_mode(useInsanity) {
   check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-ca-nc-perm-foo.com.der'));
   check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.der'));
   check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.der'));
   check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.der'));
   check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.der'));
   check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.der'));
 
   // We don't enforce dNSName name constraints on CN unless we're validating
-  // for the server EKU. libpkix gets this wrong but insanity::pkix and classic
+  // for the server EKU. libpkix gets this wrong but mozilla::pkix and classic
   // NSS get it right.
   {
     let cert = certFromFile('cn-www.foo.org-int-nc-perm-foo.com-ca-nc.der');
     check_cert_err_generic(cert, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, certificateUsageSSLServer);
     check_cert_err_generic(cert, 0, certificateUsageSSLClient);
   }
 }
 
--- a/security/manager/ssl/tests/unit/test_ocsp_caching.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_caching.js
@@ -42,20 +42,20 @@ function run_test() {
 
   add_tests_in_mode(true);
   add_tests_in_mode(false);
 
   add_test(function() { ocspResponder.stop(run_next_test); });
   run_next_test();
 }
 
-function add_tests_in_mode(useInsanity) {
+function add_tests_in_mode(useMozillaPKIX) {
   add_test(function () {
-    Services.prefs.setBoolPref("security.use_insanity_verification",
-                               useInsanity);
+    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
+                               useMozillaPKIX);
     run_next_test();
   });
 
   // This test assumes that OCSPStaplingServer uses the same cert for
   // ocsp-stapling-unknown.example.com and ocsp-stapling-none.example.com.
 
   // Get an Unknown response for the *.exmaple.com cert and put it in the
   // OCSP cache.
@@ -102,18 +102,18 @@ function add_tests_in_mode(useInsanity) 
   add_test(function() { clearOCSPCache(); gFetchCount = 0; run_next_test(); });
 
   // A failure to retrieve an OCSP response will result in an error entry being
   // added to the cache.
   add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK,
                       clearSessionCache);
   add_test(function() { do_check_eq(gFetchCount, 1); run_next_test(); });
 
-  // TODO(bug 977865): implement this for insanity
-  if (!useInsanity) {
+  // TODO(bug 977865): implement this for mozilla::pkix
+  if (!useMozillaPKIX) {
     // The error entry will prevent a fetch from happening for a while.
     add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK,
                         clearSessionCache);
     add_test(function() { do_check_eq(gFetchCount, 1); run_next_test(); });
   }
 
   // The error entry must not prevent a stapled OCSP response from being
   // honored.
--- a/security/manager/ssl/tests/unit/test_ocsp_required.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_required.js
@@ -35,28 +35,28 @@ function run_test() {
   add_tests_in_mode(true);
   add_tests_in_mode(false);
 
   add_test(function () { ocspResponder.stop(run_next_test); });
 
   run_next_test();
 }
 
-function add_tests_in_mode(useInsanity)
+function add_tests_in_mode(useMozillaPKIX)
 {
   add_test(function () {
-    Services.prefs.setBoolPref("security.use_insanity_verification",
-                               useInsanity);
+    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
+                               useMozillaPKIX);
     run_next_test();
   });
 
   add_connection_test("ocsp-stapling-none.example.com",
                       getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE));
   add_connection_test("ocsp-stapling-none.example.com",
                       getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE));
   add_test(function () {
-    // TODO(bug 977865): insanity::pkix keeps requesting responses from
+    // TODO(bug 977865): mozilla::pkix keeps requesting responses from
     // failing responders
-    do_check_eq(gOCSPRequestCount, useInsanity ? 2 : 1);
+    do_check_eq(gOCSPRequestCount, useMozillaPKIX ? 2 : 1);
     gOCSPRequestCount = 0;
     run_next_test();
   });
 }
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling.js
@@ -16,20 +16,20 @@ function add_ocsp_test(aHost, aExpectedR
       gExpectOCSPRequest = !aStaplingEnabled;
       clearOCSPCache();
       clearSessionCache();
       Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling",
                                  aStaplingEnabled);
     });
 }
 
-function add_tests_in_mode(useInsanity, certDB, otherTestCA) {
+function add_tests_in_mode(useMozillaPKIX, certDB, otherTestCA) {
   add_test(function () {
-    Services.prefs.setBoolPref("security.use_insanity_verification",
-                               useInsanity);
+    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
+                               useMozillaPKIX);
     run_next_test();
   });
 
   // In the absence of OCSP stapling, these should actually all work.
   add_ocsp_test("ocsp-stapling-good.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-revoked.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-good-other-ca.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-malformed.example.com", Cr.NS_OK, false);
@@ -49,17 +49,17 @@ function add_tests_in_mode(useInsanity, 
 
   add_ocsp_test("ocsp-stapling-good.example.com", Cr.NS_OK, true);
 
   add_ocsp_test("ocsp-stapling-revoked.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE), true);
 
   // SEC_ERROR_OCSP_INVALID_SIGNING_CERT vs SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
   // depends on whether the CA that signed the response is a trusted CA
-  // (but only with the classic implementation - insanity::pkix always
+  // (but only with the classic implementation - mozilla::pkix always
   // results in the error SEC_ERROR_OCSP_INVALID_SIGNING_CERT).
 
   // This stapled response is from a CA that is untrusted and did not issue
   // the server's certificate.
   add_test(function() {
     certDB.setCertTrust(otherTestCA, Ci.nsIX509Cert.CA_CERT,
                         Ci.nsIX509CertDB.UNTRUSTED);
     run_next_test();
@@ -108,17 +108,17 @@ function add_tests_in_mode(useInsanity, 
       clearSessionCache();
       Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
     }
   );
   add_ocsp_test("ocsp-stapling-empty.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
 
   // TODO(bug 979070): NSS can't handle this yet.
-  if (useInsanity) {
+  if (useMozillaPKIX) {
     add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com",
                   getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
   }
 
   // ocsp-stapling-expired.example.com and
   // ocsp-stapling-expired-fresh-ca.example.com are handled in
   // test_ocsp_stapling_expired.js
 }
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
@@ -57,21 +57,21 @@ function run_test() {
   add_tls_server_setup("OCSPStaplingServer");
   add_tests_in_mode(true);
   add_tests_in_mode(false);
   add_test(function () { ocspResponder.stop(run_next_test); });
   add_test(check_ocsp_stapling_telemetry);
   run_next_test();
 }
 
-function add_tests_in_mode(useInsanity)
+function add_tests_in_mode(useMozillaPKIX)
 {
   add_test(function () {
-    Services.prefs.setBoolPref("security.use_insanity_verification",
-                               useInsanity);
+    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
+                               useMozillaPKIX);
     run_next_test();
   });
 
   // In these tests, the OCSP stapling server gives us a stapled
   // response based on the host name ("ocsp-stapling-expired" or
   // "ocsp-stapling-expired-fresh-ca"). We then ensure that we're
   // properly falling back to fetching revocation information.
   // For ocsp-stapling-expired.example.com, the OCSP stapling server
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
@@ -39,17 +39,17 @@ function run_test() {
   add_test(function () { ocspResponder.stop(run_next_test); });
   add_test(function() {
     do_check_eq(gOCSPRequestCount, 0);
     run_next_test();
   });
   run_next_test();
 }
 
-function add_tests_in_mode(useInsanity) {
+function add_tests_in_mode(useMozillaPKIX) {
   add_test(function () {
-    Services.prefs.setBoolPref("security.use_insanity_verification",
-                               useInsanity);
+    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
+                               useMozillaPKIX);
     run_next_test();
   });
 
   add_ocsp_test("ocsp-stapling-with-intermediate.example.com", Cr.NS_OK);
 }
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/Makefile.in
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/Makefile.in
@@ -5,14 +5,14 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 include $(topsrcdir)/config/config.mk
 
 LIBS = \
   $(NSPR_LIBS) \
   $(NSS_LIBS) \
   $(MOZALLOC_LIB) \
-  ../../../../../../insanity/$(LIB_PREFIX)insanitypkix.$(LIB_SUFFIX) \
-  ../../../../../../insanity/test/lib/$(LIB_PREFIX)pkixtestutil.$(LIB_SUFFIX) \
+  ../../../../../../pkix/$(LIB_PREFIX)mozillapkix.$(LIB_SUFFIX) \
+  ../../../../../../pkix/test/lib/$(LIB_PREFIX)pkixtestutil.$(LIB_SUFFIX) \
   ../lib/$(LIB_PREFIX)tlsserver.$(LIB_SUFFIX) \
   $(NULL)
 
 DEFINES += $(TK_CFLAGS)
--- a/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
@@ -8,16 +8,17 @@
 
 #include "ScopedNSSTypes.h"
 #include "TLSServer.h"
 #include "pkixtestutil.h"
 #include "secerr.h"
 
 using namespace mozilla;
 using namespace mozilla::test;
+using namespace mozilla::pkix::test;
 
 
 SECItemArray *
 GetOCSPResponseForType(OCSPResponseType aORT, CERTCertificate *aCert,
                        PLArenaPool *aArena, const char *aAdditionalCertName)
 {
   if (aORT == ORTNone) {
     if (gDebugLevel >= DEBUG_WARNINGS) {
@@ -33,17 +34,17 @@ GetOCSPResponseForType(OCSPResponseType 
     arr->items[0].len = 0;
     return arr;
   }
 
   PRTime now = PR_Now();
   PRTime oneDay = 60*60*24 * (PRTime)PR_USEC_PER_SEC;
   PRTime oldNow = now - (8 * oneDay);
 
-  insanity::test::OCSPResponseContext context(aArena, aCert, now);
+  OCSPResponseContext context(aArena, aCert, now);
 
   if (aORT == ORTGoodOtherCert) {
     context.cert = PK11_FindCertFromNickname(aAdditionalCertName, nullptr);
     if (!context.cert) {
       PrintPRError("PK11_FindCertFromNickname failed");
       return nullptr;
     }
   }
@@ -98,17 +99,17 @@ GetOCSPResponseForType(OCSPResponseType 
   if (aORT == ORTBadSignature) {
     context.badSignature = true;
   }
 
   if (!context.signerCert) {
     context.signerCert = CERT_DupCertificate(context.issuerCert.get());
   }
 
-  SECItem* response = insanity::test::CreateEncodedOCSPResponse(context);
+  SECItem* response = CreateEncodedOCSPResponse(context);
   if (!response) {
     PrintPRError("CreateEncodedOCSPResponse failed");
     return nullptr;
   }
 
   SECItemArray* arr = SECITEM_AllocArray(aArena, nullptr, 1);
   arr->items[0].data = response ? response->data : nullptr;
   arr->items[0].len = response ? response->len : 0;
--- a/security/manager/ssl/tests/unit/tlsserver/lib/moz.build
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/moz.build
@@ -5,13 +5,13 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 UNIFIED_SOURCES += [
     'OCSPCommon.cpp',
     'TLSServer.cpp',
 ]
 
 LOCAL_INCLUDES += [
-    '../../../../../../insanity/include',
-    '../../../../../../insanity/test/lib',
+    '../../../../../../pkix/include',
+    '../../../../../../pkix/test/lib',
 ]
 
 LIBRARY_NAME = 'tlsserver'
rename from security/insanity/include/insanity/ScopedPtr.h
rename to security/pkix/include/pkix/ScopedPtr.h
--- a/security/insanity/include/insanity/ScopedPtr.h
+++ b/security/pkix/include/pkix/ScopedPtr.h
@@ -1,31 +1,31 @@
 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* Copyright 2013 Mozilla Foundation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+/* Copyright 2013 Mozilla Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  */
 
-#ifndef insanity_pkix__ScopedPtr_h
-#define insanity_pkix__ScopedPtr_h
+#ifndef mozilla_pkix__ScopedPtr_h
+#define mozilla_pkix__ScopedPtr_h
 
-#include "insanity/nullptr.h"
+#include "pkix/nullptr.h"
 
-namespace insanity { namespace pkix {
+namespace mozilla { namespace pkix {
 
 // Similar to boost::scoped_ptr and std::unique_ptr. Does not support copying
 // or assignment.
 template <typename T, void (*Destroyer)(T*)>
 class ScopedPtr
 {
 public:
   explicit ScopedPtr(T* value = nullptr) : mValue(value) { }
@@ -89,11 +89,11 @@ operator!=(T* a, const ScopedPtr<T, Dest
 
 template <typename T, void(*Destroyer)(T*)>
 inline bool
 operator!=(const ScopedPtr<T, Destroyer>& a, T* b)
 {
   return a.get() != b;
 }
 
-} } // namespace insanity::pkix
+} } // namespace mozilla::pkix
 
-#endif // insanity_pkix__ScopedPtr_h
+#endif // mozilla_pkix__ScopedPtr_h
rename from security/insanity/include/insanity/bind.h
rename to security/pkix/include/pkix/bind.h
--- a/security/insanity/include/insanity/bind.h
+++ b/security/pkix/include/pkix/bind.h
@@ -14,28 +14,28 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
 // Work around missing std::bind, std::ref, std::cref in older compilers. This
 // implementation isn't intended to be complete; rather, it is the minimal
 // implementation needed to make our use of std::bind work.
 
-#ifndef insanity_pkix__bind_h
-#define insanity_pkix__bind_h
+#ifndef mozilla_pkix__bind_h
+#define mozilla_pkix__bind_h
 
 #ifdef _MSC_VER
 #pragma warning(disable:4275) //Suppress spurious MSVC warning
 #endif
 #include <functional>
 #ifdef _MSC_VER
 #pragma warning(default:4275)
 #endif
 
-namespace insanity {
+namespace mozilla { namespace pkix {
 
 #ifdef _MSC_VER
 
 using std::bind;
 using std::ref;
 using std::cref;
 using std::placeholders::_1;
 
@@ -87,11 +87,11 @@ template <typename R, typename P1, typen
 inline internal::Bind2<R, P1, B1, B2>
 bind(R (*f)(P1&, B1&, B2&), Placeholder1 &, B1 & b1, B2 & b2)
 {
   return internal::Bind2<R, P1, B1, B2>(f, b1, b2);
 }
 
 #endif // _MSC_VER
 
-} // namespace insanity
+} } // namespace mozilla::pkix
 
-#endif // insanity_pkix__bind_h
+#endif // mozilla_pkix__bind_h
rename from security/insanity/include/insanity/nullptr.h
rename to security/pkix/include/pkix/nullptr.h
--- a/security/insanity/include/insanity/nullptr.h
+++ b/security/pkix/include/pkix/nullptr.h
@@ -10,19 +10,19 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#ifndef insanity_pkix__nullptr_h
-#define insanity_pkix__nullptr_h
+#ifndef mozilla_pkix__nullptr_h
+#define mozilla_pkix__nullptr_h
 
 // GCC does not understand nullptr until 4.6
 #if defined(__GNUC__) && !defined(__clang__)
 #if __GNUC__ * 100 + __GNUC_MINOR__ < 406
 #define nullptr __null
 #endif
 #endif
 
-#endif // insanity_pkix__nullptr_h
+#endif // mozilla_pkix__nullptr_h
rename from security/insanity/include/insanity/pkix.h
rename to security/pkix/include/pkix/pkix.h
--- a/security/insanity/include/insanity/pkix.h
+++ b/security/pkix/include/pkix/pkix.h
@@ -10,23 +10,23 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#ifndef insanity_pkix__pkix_h
-#define insanity_pkix__pkix_h
+#ifndef mozilla_pkix__pkix_h
+#define mozilla_pkix__pkix_h
 
 #include "pkixtypes.h"
 #include "prtime.h"
 
-namespace insanity { namespace pkix {
+namespace mozilla { namespace pkix {
 
 // ----------------------------------------------------------------------------
 // LIMITED SUPPORT FOR CERTIFICATE POLICIES
 //
 // If SEC_OID_X509_ANY_POLICY is passed as the value of the requiredPolicy
 // parameter then all policy validation will be skipped. Otherwise, path
 // building and validation will be done for the given policy.
 //
@@ -113,11 +113,11 @@ SECItem* CreateEncodedOCSPRequest(PLAren
 SECStatus VerifyEncodedOCSPResponse(TrustDomain& trustDomain,
                                     const CERTCertificate* cert,
                                     CERTCertificate* issuerCert,
                                     PRTime time,
                                     const SECItem* encodedResponse,
                  /* optional out */ PRTime* thisUpdate,
                  /* optional out */ PRTime* validThrough);
 
-} } // namespace insanity::pkix
+} } // namespace mozilla::pkix
 
-#endif // insanity_pkix__pkix_h
+#endif // mozilla_pkix__pkix_h
rename from security/insanity/include/insanity/pkixtypes.h
rename to security/pkix/include/pkix/pkixtypes.h
--- a/security/insanity/include/insanity/pkixtypes.h
+++ b/security/pkix/include/pkix/pkixtypes.h
@@ -10,25 +10,25 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#ifndef insanity_pkix__pkixtypes_h
-#define insanity_pkix__pkixtypes_h
+#ifndef mozilla_pkix__pkixtypes_h
+#define mozilla_pkix__pkixtypes_h
 
-#include "insanity/ScopedPtr.h"
+#include "pkix/ScopedPtr.h"
 #include "plarena.h"
 #include "cert.h"
 #include "keyhi.h"
 
-namespace insanity { namespace pkix {
+namespace mozilla { namespace pkix {
 
 typedef ScopedPtr<PLArenaPool, PL_FreeArenaPool> ScopedPLArenaPool;
 
 typedef ScopedPtr<CERTCertificate, CERT_DestroyCertificate>
         ScopedCERTCertificate;
 typedef ScopedPtr<CERTCertList, CERT_DestroyCertList> ScopedCERTCertList;
 typedef ScopedPtr<SECKEYPublicKey, SECKEY_DestroyPublicKey>
         ScopedSECKEYPublicKey;
@@ -83,17 +83,17 @@ public:
                                  /*out*/ ScopedCERTCertList& results) = 0;
 
   // Verify the given signature using the public key of the given certificate.
   // The implementation should be careful to ensure that the given certificate
   // has all the public key information needed--i.e. it should ensure that the
   // certificate is not trying to use EC(DSA) parameter inheritance.
   //
   // Most implementations of this function should probably forward the call
-  // directly to insanity::pkix::VerifySignedData.
+  // directly to mozilla::pkix::VerifySignedData.
   virtual SECStatus VerifySignedData(const CERTSignedData* signedData,
                                      const CERTCertificate* cert) = 0;
 
   // issuerCertToDup is only non-const so CERT_DupCertificate can be called on
   // it.
   virtual SECStatus CheckRevocation(EndEntityOrCA endEntityOrCA,
                                     const CERTCertificate* cert,
                           /*const*/ CERTCertificate* issuerCertToDup,
@@ -103,11 +103,11 @@ public:
 protected:
   TrustDomain() { }
 
 private:
   TrustDomain(const TrustDomain&) /* = delete */;
   void operator=(const TrustDomain&) /* = delete */;
 };
 
-} } // namespace insanity::pkix
+} } // namespace mozilla::pkix
 
-#endif // insanity_pkix__pkixtypes_h
+#endif // mozilla_pkix__pkixtypes_h
rename from security/insanity/lib/pkixbind.cpp
rename to security/pkix/lib/pkixbind.cpp
--- a/security/insanity/lib/pkixbind.cpp
+++ b/security/pkix/lib/pkixbind.cpp
@@ -12,17 +12,17 @@
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
 #ifndef _MSC_VER
 
-#include "insanity/bind.h"
+#include "pkix/bind.h"
 
-namespace insanity {
+namespace mozilla { namespace pkix {
 
 Placeholder1 _1;
-  
-} // namespace insanity
+
+} } // namespace mozilla::pkix
 
 #endif // _MSC_VER
rename from security/insanity/lib/pkixbuild.cpp
rename to security/pkix/lib/pkixbuild.cpp
--- a/security/insanity/lib/pkixbuild.cpp
+++ b/security/pkix/lib/pkixbuild.cpp
@@ -10,24 +10,24 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#include "insanity/pkix.h"
+#include "pkix/pkix.h"
 
 #include <limits>
 
 #include "pkixcheck.h"
 #include "pkixder.h"
 
-namespace insanity { namespace pkix {
+namespace mozilla { namespace pkix {
 
 // We assume ext has been zero-initialized by its constructor and otherwise
 // not modified.
 //
 // TODO(perf): This sorting of extensions should be be moved into the
 // certificate decoder so that the results are cached with the certificate, so
 // that the decoding doesn't have to happen more than once per cert.
 Result
@@ -167,17 +167,17 @@ BuildForwardInner(TrustDomain& trustDoma
   return Success;
 }
 
 // Recursively build the path from the given subject certificate to the root.
 //
 // Be very careful about changing the order of checks. The order is significant
 // because it affects which error we return when a certificate or certificate
 // chain has multiple problems. See the error ranking documentation in
-// insanity/pkix.h.
+// pkix/pkix.h.
 static Result
 BuildForward(TrustDomain& trustDomain,
              BackCert& subject,
              PRTime time,
              EndEntityOrCA endEntityOrCA,
              KeyUsages requiredKeyUsagesIfPresent,
              SECOidTag requiredEKUIfPresent,
              SECOidTag requiredPolicy,
@@ -358,9 +358,9 @@ BackCert::PrependNSSCertToList(CERTCertL
   if (CERT_AddCertToListHead(results, dup) != SECSuccess) { // takes ownership
     CERT_DestroyCertificate(dup);
     return FatalError;
   }
 
   return Success;
 }
 
-} } // namespace insanity::pkix
+} } // namespace mozilla::pkix
rename from security/insanity/lib/pkixcheck.cpp
rename to security/pkix/lib/pkixcheck.cpp
--- a/security/insanity/lib/pkixcheck.cpp
+++ b/security/pkix/lib/pkixcheck.cpp
@@ -10,23 +10,23 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#include "insanity/pkix.h"
+#include "pkix/pkix.h"
 #include "pkixcheck.h"
 #include "pkixder.h"
 #include "pkixutil.h"
 #include "secder.h"
 
-namespace insanity { namespace pkix {
+namespace mozilla { namespace pkix {
 
 Result
 CheckTimes(const CERTCertificate* cert, PRTime time)
 {
   PR_ASSERT(cert);
 
   SECCertTimeValidity validity = CERT_CheckCertValidTimes(cert, time, false);
   if (validity != secCertTimeValid) {
@@ -474,9 +474,9 @@ CheckIssuerIndependentProperties(TrustDo
   rv = CheckTimes(cert.GetNSSCert(), time);
   if (rv != Success) {
     return rv;
   }
 
   return Success;
 }
 
-} } // namespace insanity::pkix
+} } // namespace mozilla::pkix
rename from security/insanity/lib/pkixcheck.h
rename to security/pkix/lib/pkixcheck.h
--- a/security/insanity/lib/pkixcheck.h
+++ b/security/pkix/lib/pkixcheck.h
@@ -10,32 +10,32 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#ifndef insanity__pkixcheck_h
-#define insanity__pkixcheck_h
+#ifndef mozilla_pkix__pkixcheck_h
+#define mozilla_pkix__pkixcheck_h
 
 #include "pkixutil.h"
 #include "certt.h"
 
-namespace insanity { namespace pkix {
+namespace mozilla { namespace pkix {
 
 Result CheckIssuerIndependentProperties(
           TrustDomain& trustDomain,
           BackCert& cert,
           PRTime time,
           EndEntityOrCA endEntityOrCA,
           KeyUsages requiredKeyUsagesIfPresent,
           SECOidTag requiredEKUIfPresent,
           SECOidTag requiredPolicy,
           unsigned int subCACount,
           /*optional out*/ TrustDomain::TrustLevel* trustLevel = nullptr);
 
 Result CheckNameConstraints(BackCert& cert);
 
-} } // namespace insanity::pkix
+} } // namespace mozilla::pkix
 
-#endif // insanity__pkixcheck_h
+#endif // mozilla_pkix__pkixcheck_h
rename from security/insanity/lib/pkixder.cpp
rename to security/pkix/lib/pkixder.cpp
--- a/security/insanity/lib/pkixder.cpp
+++ b/security/pkix/lib/pkixder.cpp
@@ -12,17 +12,17 @@
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
 #include "pkixder.h"
 
-namespace insanity { namespace der {
+namespace mozilla { namespace pkix { namespace der {
 
 // not inline
 Result
 Fail(PRErrorCode errorCode)
 {
   PR_SetError(errorCode, 0);
   return Failure;
 }
@@ -73,9 +73,9 @@ ExpectTagAndGetLength(Input& input, uint
   } else {
     // We don't support lengths larger than 2^16 - 1.
     return Fail(SEC_ERROR_BAD_DER);
   }
 
   return Success;
 }
 
-} } // namespace insanity::der
+} } } // namespace mozilla::pkix::der
rename from security/insanity/lib/pkixder.h
rename to security/pkix/lib/pkixder.h
--- a/security/insanity/lib/pkixder.h
+++ b/security/pkix/lib/pkixder.h
@@ -10,29 +10,29 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#ifndef insanity_pkix__pkixder_h
-#define insanity_pkix__pkixder_h
+#ifndef mozilla_pkix__pkixder_h
+#define mozilla_pkix__pkixder_h
 
-#include "insanity/nullptr.h"
+#include "pkix/nullptr.h"
 
 #include "prerror.h"
 #include "prlog.h"
 #include "secder.h"
 #include "secerr.h"
 #include "secoidt.h"
 #include "stdint.h"
 
-namespace insanity { namespace der {
+namespace mozilla { namespace pkix { namespace der {
 
 enum Class
 {
    UNIVERSAL = 0 << 6,
 // APPLICATION = 1 << 6, // unused
    CONTEXT_SPECIFIC = 2 << 6,
 // PRIVATE = 3 << 6 // unused
 };
@@ -514,11 +514,11 @@ OptionalVersion(Input& input, /*out*/ ui
     return Failure;
   }
   if (version & 0x80) { // negative
     return Fail(SEC_ERROR_BAD_DER);
   }
   return Success;
 }
 
-} } // namespace insanity::der
+} } } // namespace mozilla::pkix::der
 
-#endif // insanity_pkix__pkixder_h
+#endif // mozilla_pkix__pkixder_h
rename from security/insanity/lib/pkixkey.cpp
rename to security/pkix/lib/pkixkey.cpp
--- a/security/insanity/lib/pkixkey.cpp
+++ b/security/pkix/lib/pkixkey.cpp
@@ -10,27 +10,27 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#include "insanity/pkix.h"
+#include "pkix/pkix.h"
 
 #include <limits>
 #include <stdint.h>
 
 #include "cert.h"
 #include "cryptohi.h"
 #include "prerror.h"
 #include "secerr.h"
 
-namespace insanity { namespace pkix {
+namespace mozilla { namespace pkix {
 
 SECStatus
 VerifySignedData(const CERTSignedData* sd, const CERTCertificate* cert,
                  void* pkcs11PinArg)
 {
   if (!sd || !sd->data.data || !sd->signatureAlgorithm.algorithm.data ||
       !sd->signature.data || !cert) {
     PR_NOT_REACHED("invalid args to VerifySignedData");
@@ -81,9 +81,9 @@ VerifySignedData(const CERTSignedData* s
   if ((policy & requiredPolicy) != requiredPolicy) {
     PR_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED, 0);
     return SECFailure;
   }
 
   return SECSuccess;
 }
 
-} } // namespace insanity::pkix
+} } // namespace mozilla::pkix
rename from security/insanity/lib/pkixocsp.cpp
rename to security/pkix/lib/pkixocsp.cpp
--- a/security/insanity/lib/pkixocsp.cpp
+++ b/security/pkix/lib/pkixocsp.cpp
@@ -12,18 +12,18 @@
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
 #include <limits>
 
-#include "insanity/bind.h"
-#include "insanity/pkix.h"
+#include "pkix/bind.h"
+#include "pkix/pkix.h"
 #include "pkixcheck.h"
 #include "pkixder.h"
 
 #include "hasht.h"
 #include "pk11pub.h"
 #include "secder.h"
 
 #ifdef _MSC_VER
@@ -31,17 +31,17 @@
 #define ENUM_CLASS  __pragma(warning(disable: 4480)) enum
 #else
 #define ENUM_CLASS enum class
 #endif
 
 // TODO: use typed/qualified typedefs everywhere?
 // TODO: When should we return SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE?
 
-namespace insanity { namespace pkix {
+namespace mozilla { namespace pkix {
 
 static const PRTime ONE_DAY
   = INT64_C(24) * INT64_C(60) * INT64_C(60) * PR_USEC_PER_SEC;
 static const PRTime SLOP = ONE_DAY;
 
 // These values correspond to the tag values in the ASN.1 CertStatus
 ENUM_CLASS CertStatus : uint8_t {
   Good = der::CONTEXT_SPECIFIC | 0,
@@ -988,9 +988,9 @@ CreateEncodedOCSPRequest(PLArenaPool* ar
     *d++ = cert->serialNumber.data[i];
   }
 
   PR_ASSERT(d == encodedRequest->data + totalLen);
 
   return encodedRequest;
 }
 
-} } // namespace insanity::pkix
+} } // namespace mozilla::pkix
rename from security/insanity/lib/pkixutil.h
rename to security/pkix/lib/pkixutil.h
--- a/security/insanity/lib/pkixutil.h
+++ b/security/pkix/lib/pkixutil.h
@@ -10,25 +10,25 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#ifndef insanity_pkix__pkixutil_h
-#define insanity_pkix__pkixutil_h
+#ifndef mozilla_pkix__pkixutil_h
+#define mozilla_pkix__pkixutil_h
 
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
 #include "prerror.h"
 #include "seccomon.h"
 #include "secerr.h"
 
-namespace insanity { namespace pkix {
+namespace mozilla { namespace pkix {
 
 enum Result
 {
   Success = 0,
   FatalError = -1,      // An error was encountered that caused path building
                         // to stop immediately. example: out-of-memory.
   RecoverableError = -2 // an error that will cause path building to continue
                         // searching for alternative paths. example: expired
@@ -136,11 +136,11 @@ private:
   ScopedPLArenaPool arena;
   CERTGeneralName* constrainedNames;
   ConstrainedNameOptions cnOptions;
 
   BackCert(const BackCert&) /* = delete */;
   void operator=(const BackCert&); /* = delete */;
 };
 
-} } // namespace insanity::pkix
+} } // namespace mozilla::pkix
 
-#endif // insanity_pkix__pkixutil_h
+#endif // mozilla_pkix__pkixutil_h
rename from security/insanity/moz.build
rename to security/pkix/moz.build
--- a/security/insanity/moz.build
+++ b/security/pkix/moz.build
@@ -18,11 +18,11 @@ LOCAL_INCLUDES += [
 ]
 
 DIRS += [
     'test/lib',
 ]
 
 FAIL_ON_WARNINGS = True
 
-LIBRARY_NAME = 'insanitypkix'
+LIBRARY_NAME = 'mozillapkix'
 
 FINAL_LIBRARY = 'xul'
rename from security/insanity/test/lib/moz.build
rename to security/pkix/test/lib/moz.build
rename from security/insanity/test/lib/pkixtestutil.cpp
rename to security/pkix/test/lib/pkixtestutil.cpp
--- a/security/insanity/test/lib/pkixtestutil.cpp
+++ b/security/pkix/test/lib/pkixtestutil.cpp
@@ -20,17 +20,17 @@
 #include "pkixtestutil.h"
 
 #include "cryptohi.h"
 #include "hasht.h"
 #include "pk11pub.h"
 #include "prinit.h"
 #include "secder.h"
 
-namespace insanity { namespace test {
+namespace mozilla { namespace pkix { namespace test {
 
 class Output
 {
 public:
   Output()
     : numItems(0)
     , length(0)
   {
@@ -627,9 +627,9 @@ CertStatus(OCSPResponseContext& context)
     }
     default:
       PR_NOT_REACHED("CertStatus: bad context.certStatus");
       PR_Abort();
   }
   return nullptr;
 }
 
-} } // namespace insanity::test
+} } } // namespace mozilla::pkix::test
rename from security/insanity/test/lib/pkixtestutil.h
rename to security/pkix/test/lib/pkixtestutil.h
--- a/security/insanity/test/lib/pkixtestutil.h
+++ b/security/pkix/test/lib/pkixtestutil.h
@@ -10,24 +10,24 @@
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
-#ifndef insanity_test__pkixtestutils_h
-#define insanity_test__pkixtestutils_h
+#ifndef mozilla_pkix_test__pkixtestutils_h
+#define mozilla_pkix_test__pkixtestutils_h
 
-#include "insanity/ScopedPtr.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/ScopedPtr.h"
+#include "pkix/pkixtypes.h"
 #include "seccomon.h"
 
-namespace insanity { namespace test {
+namespace mozilla { namespace pkix { namespace test {
 
 class OCSPResponseContext
 {
 public:
   OCSPResponseContext(PLArenaPool* arena, CERTCertificate* cert, PRTime time);
 
   PLArenaPool* arena;
   // TODO(bug 980538): add a way to specify what certificates are included.
@@ -57,11 +57,11 @@ public:
 
 // The return value, if non-null, is owned by the arena in the context
 // and MUST NOT be freed.
 // This function does its best to respect the NSPR error code convention
 // (that is, if it returns null, calling PR_GetError() will return the
 // error of the failed operation). However, this is not guaranteed.
 SECItem* CreateEncodedOCSPResponse(OCSPResponseContext& context);
 
-} } // namespace insanity::test
+} } } // namespace mozilla::pkix::test
 
-#endif // insanity_test__pkixtestutils_h
+#endif // mozilla_pkix_test__pkixtestutils_h
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@@ -4249,23 +4249,23 @@
   "SSL_SUCCESFUL_CERT_VALIDATION_TIME_CLASSIC": {
     "expires_in_version": "never",
     "kind": "exponential",
     "high": "60000",
     "n_buckets": 50,
     "extended_statistics_ok": true,
     "description": "Time spent on a successful cert  verification in classic mode (ms)"
   },
-  "SSL_SUCCESFUL_CERT_VALIDATION_TIME_INSANITY" : {
+  "SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX" : {
     "expires_in_version": "never",
     "kind": "exponential",
     "high": "60000",
     "n_buckets": 50,
     "extended_statistics_ok": true,
-    "description": "Time spent on a successful cert verification in insanity mode (ms)"
+    "description": "Time spent on a successful cert verification in mozilla::pkix mode (ms)"
   },
   "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_LIBPKIX" : {
     "expires_in_version": "never",
     "kind": "exponential",
     "high": "60000",
     "n_buckets": 50,
     "extended_statistics_ok": true,
     "description": "Time spent on an initially failed cert verification in libpix mode (ms)"
@@ -4273,23 +4273,23 @@
   "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_CLASSIC": {
     "expires_in_version": "never",
     "kind": "exponential",
     "high": "60000",
     "n_buckets": 50,
     "extended_statistics_ok": true,
     "description": "Time spent on an initially failed cert  verification in classic mode (ms)"
   },
-  "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_INSANITY" : {
+  "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX" : {
     "expires_in_version": "never",
     "kind": "exponential",
     "high": "60000",
     "n_buckets": 50,
     "extended_statistics_ok": true,
-    "description": "Time spent on an initially failed cert verification in insanity mode (ms)"
+    "description": "Time spent on an initially failed cert verification in mozilla::pkix mode (ms)"
   },
   "HEALTHREPORT_DB_OPEN_FIRSTRUN_MS": {
     "expires_in_version": "never",
     "kind": "exponential",
     "high": "20000",
     "n_buckets": 15,
     "description": "Time (ms) spent to open Firefox Health Report's database the first time, including schema setup."
   },