/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/*
 * wrap.c
 *
 * This file contains the routines that actually implement the cryptoki
 * API, using the internal APIs of the NSS Cryptoki Framework.  There is
 * one routine here for every cryptoki routine.  For linking reasons
 * the actual entry points passed back with C_GetFunctionList have to
 * exist in one of the Module's source files; however, those are merely
 * simple wrappers that call these routines.  The intelligence of the
 * implementations is here.
 */

#ifndef CK_T
#include "ck.h"
#endif /* CK_T */

/*
 * NSSCKFWC_Initialize
 * NSSCKFWC_Finalize
 * NSSCKFWC_GetInfo
 * -- NSSCKFWC_GetFunctionList -- see the API insert file
 * NSSCKFWC_GetSlotList
 * NSSCKFWC_GetSlotInfo
 * NSSCKFWC_GetTokenInfo
 * NSSCKFWC_WaitForSlotEvent
 * NSSCKFWC_GetMechanismList
 * NSSCKFWC_GetMechanismInfo
 * NSSCKFWC_InitToken
 * NSSCKFWC_InitPIN
 * NSSCKFWC_SetPIN
 * NSSCKFWC_OpenSession
 * NSSCKFWC_CloseSession
 * NSSCKFWC_CloseAllSessions
 * NSSCKFWC_GetSessionInfo
 * NSSCKFWC_GetOperationState
 * NSSCKFWC_SetOperationState
 * NSSCKFWC_Login
 * NSSCKFWC_Logout
 * NSSCKFWC_CreateObject
 * NSSCKFWC_CopyObject
 * NSSCKFWC_DestroyObject
 * NSSCKFWC_GetObjectSize
 * NSSCKFWC_GetAttributeValue
 * NSSCKFWC_SetAttributeValue
 * NSSCKFWC_FindObjectsInit
 * NSSCKFWC_FindObjects
 * NSSCKFWC_FindObjectsFinal
 * NSSCKFWC_EncryptInit
 * NSSCKFWC_Encrypt
 * NSSCKFWC_EncryptUpdate
 * NSSCKFWC_EncryptFinal
 * NSSCKFWC_DecryptInit
 * NSSCKFWC_Decrypt
 * NSSCKFWC_DecryptUpdate
 * NSSCKFWC_DecryptFinal
 * NSSCKFWC_DigestInit
 * NSSCKFWC_Digest
 * NSSCKFWC_DigestUpdate
 * NSSCKFWC_DigestKey
 * NSSCKFWC_DigestFinal
 * NSSCKFWC_SignInit
 * NSSCKFWC_Sign
 * NSSCKFWC_SignUpdate
 * NSSCKFWC_SignFinal
 * NSSCKFWC_SignRecoverInit
 * NSSCKFWC_SignRecover
 * NSSCKFWC_VerifyInit
 * NSSCKFWC_Verify
 * NSSCKFWC_VerifyUpdate
 * NSSCKFWC_VerifyFinal
 * NSSCKFWC_VerifyRecoverInit
 * NSSCKFWC_VerifyRecover
 * NSSCKFWC_DigestEncryptUpdate
 * NSSCKFWC_DecryptDigestUpdate
 * NSSCKFWC_SignEncryptUpdate
 * NSSCKFWC_DecryptVerifyUpdate
 * NSSCKFWC_GenerateKey
 * NSSCKFWC_GenerateKeyPair
 * NSSCKFWC_WrapKey
 * NSSCKFWC_UnwrapKey
 * NSSCKFWC_DeriveKey
 * NSSCKFWC_SeedRandom
 * NSSCKFWC_GenerateRandom
 * NSSCKFWC_GetFunctionStatus
 * NSSCKFWC_CancelFunction
 */

/* figure out out locking semantics */
static CK_RV
nssCKFW_GetThreadSafeState(CK_C_INITIALIZE_ARGS_PTR pInitArgs,
                           CryptokiLockingState *pLocking_state)
{
    int functionCount = 0;

    /* parsed according to (PKCS #11 Section 11.4) */
    /* no args, the degenerate version of case 1 */
    if (!pInitArgs) {
        *pLocking_state = SingleThreaded;
        return CKR_OK;
    }

    /* CKF_OS_LOCKING_OK set, Cases 2 and 4 */
    if (pInitArgs->flags & CKF_OS_LOCKING_OK) {
        *pLocking_state = MultiThreaded;
        return CKR_OK;
    }
    if ((CK_CREATEMUTEX)NULL != pInitArgs->CreateMutex)
        functionCount++;
    if ((CK_DESTROYMUTEX)NULL != pInitArgs->DestroyMutex)
        functionCount++;
    if ((CK_LOCKMUTEX)NULL != pInitArgs->LockMutex)
        functionCount++;
    if ((CK_UNLOCKMUTEX)NULL != pInitArgs->UnlockMutex)
        functionCount++;

    /* CKF_OS_LOCKING_OK is not set, and not functions supplied,
     * explicit case 1 */
    if (0 == functionCount) {
        *pLocking_state = SingleThreaded;
        return CKR_OK;
    }

    /* OS_LOCKING_OK is not set and functions have been supplied. Since
     * ckfw uses nssbase library which explicitly calls NSPR, and since
     * there is no way to reliably override these explicit calls to NSPR,
     * therefore we can't support applications which have their own threading
     * module.  Return CKR_CANT_LOCK if they supplied the correct number of
     * arguments, or CKR_ARGUMENTS_BAD if they did not in either case we will
     * fail the initialize */
    return (4 == functionCount) ? CKR_CANT_LOCK : CKR_ARGUMENTS_BAD;
}

static PRInt32 liveInstances;

/*
 * NSSCKFWC_Initialize
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_Initialize(
    NSSCKFWInstance **pFwInstance,
    NSSCKMDInstance *mdInstance,
    CK_VOID_PTR pInitArgs)
{
    CK_RV error = CKR_OK;
    CryptokiLockingState locking_state;

    if ((NSSCKFWInstance **)NULL == pFwInstance) {
        error = CKR_GENERAL_ERROR;
        goto loser;
    }

    if (*pFwInstance) {
        error = CKR_CRYPTOKI_ALREADY_INITIALIZED;
        goto loser;
    }

    if (!mdInstance) {
        error = CKR_GENERAL_ERROR;
        goto loser;
    }

    error = nssCKFW_GetThreadSafeState(pInitArgs, &locking_state);
    if (CKR_OK != error) {
        goto loser;
    }

    *pFwInstance = nssCKFWInstance_Create(pInitArgs, locking_state, mdInstance, &error);
    if (!*pFwInstance) {
        goto loser;
    }
    PR_ATOMIC_INCREMENT(&liveInstances);
    return CKR_OK;

loser:
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_CANT_LOCK:
        case CKR_CRYPTOKI_ALREADY_INITIALIZED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_NEED_TO_CREATE_THREADS:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * NSSCKFWC_Finalize
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_Finalize(
    NSSCKFWInstance **pFwInstance)
{
    CK_RV error = CKR_OK;

    if ((NSSCKFWInstance **)NULL == pFwInstance) {
        error = CKR_GENERAL_ERROR;
        goto loser;
    }

    if (!*pFwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    error = nssCKFWInstance_Destroy(*pFwInstance);

    /* In any case */
    *pFwInstance = (NSSCKFWInstance *)NULL;

loser:
    switch (error) {
        PRInt32 remainingInstances;
        case CKR_OK:
            remainingInstances = PR_ATOMIC_DECREMENT(&liveInstances);
            if (!remainingInstances) {
                nssArena_Shutdown();
            }
            break;
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
            break;
        default:
            error = CKR_GENERAL_ERROR;
            break;
    }

    /*
     * A thread's error stack is automatically destroyed when the thread
     * terminates or, for the primordial thread, by PR_Cleanup.  On
     * Windows with MinGW, the thread private data destructor PR_Free
     * registered by this module is actually a thunk for PR_Free defined
     * in this module.  When the thread that unloads this module terminates
     * or calls PR_Cleanup, the thunk for PR_Free is already gone with the
     * module.  Therefore we need to destroy the error stack before the
     * module is unloaded.
     */
    nss_DestroyErrorStack();
    return error;
}

/*
 * NSSCKFWC_GetInfo
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_GetInfo(
    NSSCKFWInstance *fwInstance,
    CK_INFO_PTR pInfo)
{
    CK_RV error = CKR_OK;

    if ((CK_INFO_PTR)CK_NULL_PTR == pInfo) {
        error = CKR_ARGUMENTS_BAD;
        goto loser;
    }

    /*
     * A purify error here means a caller error
     */
    (void)nsslibc_memset(pInfo, 0, sizeof(CK_INFO));

    pInfo->cryptokiVersion = nssCKFWInstance_GetCryptokiVersion(fwInstance);

    error = nssCKFWInstance_GetManufacturerID(fwInstance, pInfo->manufacturerID);
    if (CKR_OK != error) {
        goto loser;
    }

    pInfo->flags = nssCKFWInstance_GetFlags(fwInstance);

    error = nssCKFWInstance_GetLibraryDescription(fwInstance, pInfo->libraryDescription);
    if (CKR_OK != error) {
        goto loser;
    }

    pInfo->libraryVersion = nssCKFWInstance_GetLibraryVersion(fwInstance);

    return CKR_OK;

loser:
    switch (error) {
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
            break;
        default:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * C_GetFunctionList is implemented entirely in the Module's file which
 * includes the Framework API insert file.  It requires no "actual"
 * NSSCKFW routine.
 */

/*
 * NSSCKFWC_GetSlotList
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_GetSlotList(
    NSSCKFWInstance *fwInstance,
    CK_BBOOL tokenPresent,
    CK_SLOT_ID_PTR pSlotList,
    CK_ULONG_PTR pulCount)
{
    CK_RV error = CKR_OK;
    CK_ULONG nSlots;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    switch (tokenPresent) {
        case CK_TRUE:
        case CK_FALSE:
            break;
        default:
            error = CKR_ARGUMENTS_BAD;
            goto loser;
    }

    if ((CK_ULONG_PTR)CK_NULL_PTR == pulCount) {
        error = CKR_ARGUMENTS_BAD;
        goto loser;
    }

    nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
    if ((CK_ULONG)0 == nSlots) {
        goto loser;
    }

    if ((CK_SLOT_ID_PTR)CK_NULL_PTR == pSlotList) {
        *pulCount = nSlots;
        return CKR_OK;
    }

    /*
     * A purify error here indicates caller error.
     */
    (void)nsslibc_memset(pSlotList, 0, *pulCount * sizeof(CK_SLOT_ID));

    if (*pulCount < nSlots) {
        *pulCount = nSlots;
        error = CKR_BUFFER_TOO_SMALL;
        goto loser;
    } else {
        CK_ULONG i;
        *pulCount = nSlots;

        /*
         * Our secret "mapping": CK_SLOT_IDs are integers [1,N], and we
         * just index one when we need it.
         */

        for (i = 0; i < nSlots; i++) {
            pSlotList[i] = i + 1;
        }

        return CKR_OK;
    }

loser:
    switch (error) {
        case CKR_BUFFER_TOO_SMALL:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * NSSCKFWC_GetSlotInfo
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_GetSlotInfo(
    NSSCKFWInstance *fwInstance,
    CK_SLOT_ID slotID,
    CK_SLOT_INFO_PTR pInfo)
{
    CK_RV error = CKR_OK;
    CK_ULONG nSlots;
    NSSCKFWSlot **slots;
    NSSCKFWSlot *fwSlot;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
    if ((CK_ULONG)0 == nSlots) {
        goto loser;
    }

    if ((slotID < 1) || (slotID > nSlots)) {
        error = CKR_SLOT_ID_INVALID;
        goto loser;
    }

    if ((CK_SLOT_INFO_PTR)CK_NULL_PTR == pInfo) {
        error = CKR_ARGUMENTS_BAD;
        goto loser;
    }

    /*
     * A purify error here indicates caller error.
     */
    (void)nsslibc_memset(pInfo, 0, sizeof(CK_SLOT_INFO));

    slots = nssCKFWInstance_GetSlots(fwInstance, &error);
    if ((NSSCKFWSlot **)NULL == slots) {
        goto loser;
    }

    fwSlot = slots[slotID - 1];

    error = nssCKFWSlot_GetSlotDescription(fwSlot, pInfo->slotDescription);
    if (CKR_OK != error) {
        goto loser;
    }

    error = nssCKFWSlot_GetManufacturerID(fwSlot, pInfo->manufacturerID);
    if (CKR_OK != error) {
        goto loser;
    }

    if (nssCKFWSlot_GetTokenPresent(fwSlot)) {
        pInfo->flags |= CKF_TOKEN_PRESENT;
    }

    if (nssCKFWSlot_GetRemovableDevice(fwSlot)) {
        pInfo->flags |= CKF_REMOVABLE_DEVICE;
    }

    if (nssCKFWSlot_GetHardwareSlot(fwSlot)) {
        pInfo->flags |= CKF_HW_SLOT;
    }

    pInfo->hardwareVersion = nssCKFWSlot_GetHardwareVersion(fwSlot);
    pInfo->firmwareVersion = nssCKFWSlot_GetFirmwareVersion(fwSlot);

    return CKR_OK;

loser:
    switch (error) {
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_SLOT_ID_INVALID:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
    }

    return error;
}

/*
 * NSSCKFWC_GetTokenInfo
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_GetTokenInfo(
    NSSCKFWInstance *fwInstance,
    CK_SLOT_ID slotID,
    CK_TOKEN_INFO_PTR pInfo)
{
    CK_RV error = CKR_OK;
    CK_ULONG nSlots;
    NSSCKFWSlot **slots;
    NSSCKFWSlot *fwSlot;
    NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
    if ((CK_ULONG)0 == nSlots) {
        goto loser;
    }

    if ((slotID < 1) || (slotID > nSlots)) {
        error = CKR_SLOT_ID_INVALID;
        goto loser;
    }

    if ((CK_TOKEN_INFO_PTR)CK_NULL_PTR == pInfo) {
        error = CKR_ARGUMENTS_BAD;
        goto loser;
    }

    /*
     * A purify error here indicates caller error.
     */
    (void)nsslibc_memset(pInfo, 0, sizeof(CK_TOKEN_INFO));

    slots = nssCKFWInstance_GetSlots(fwInstance, &error);
    if ((NSSCKFWSlot **)NULL == slots) {
        goto loser;
    }

    fwSlot = slots[slotID - 1];

    if (CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot)) {
        error = CKR_TOKEN_NOT_PRESENT;
        goto loser;
    }

    fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
    if (!fwToken) {
        goto loser;
    }

    error = nssCKFWToken_GetLabel(fwToken, pInfo->label);
    if (CKR_OK != error) {
        goto loser;
    }

    error = nssCKFWToken_GetManufacturerID(fwToken, pInfo->manufacturerID);
    if (CKR_OK != error) {
        goto loser;
    }

    error = nssCKFWToken_GetModel(fwToken, pInfo->model);
    if (CKR_OK != error) {
        goto loser;
    }

    error = nssCKFWToken_GetSerialNumber(fwToken, pInfo->serialNumber);
    if (CKR_OK != error) {
        goto loser;
    }

    if (nssCKFWToken_GetHasRNG(fwToken)) {
        pInfo->flags |= CKF_RNG;
    }

    if (nssCKFWToken_GetIsWriteProtected(fwToken)) {
        pInfo->flags |= CKF_WRITE_PROTECTED;
    }

    if (nssCKFWToken_GetLoginRequired(fwToken)) {
        pInfo->flags |= CKF_LOGIN_REQUIRED;
    }

    if (nssCKFWToken_GetUserPinInitialized(fwToken)) {
        pInfo->flags |= CKF_USER_PIN_INITIALIZED;
    }

    if (nssCKFWToken_GetRestoreKeyNotNeeded(fwToken)) {
        pInfo->flags |= CKF_RESTORE_KEY_NOT_NEEDED;
    }

    if (nssCKFWToken_GetHasClockOnToken(fwToken)) {
        pInfo->flags |= CKF_CLOCK_ON_TOKEN;
    }

    if (nssCKFWToken_GetHasProtectedAuthenticationPath(fwToken)) {
        pInfo->flags |= CKF_PROTECTED_AUTHENTICATION_PATH;
    }

    if (nssCKFWToken_GetSupportsDualCryptoOperations(fwToken)) {
        pInfo->flags |= CKF_DUAL_CRYPTO_OPERATIONS;
    }

    pInfo->ulMaxSessionCount = nssCKFWToken_GetMaxSessionCount(fwToken);
    pInfo->ulSessionCount = nssCKFWToken_GetSessionCount(fwToken);
    pInfo->ulMaxRwSessionCount = nssCKFWToken_GetMaxRwSessionCount(fwToken);
    pInfo->ulRwSessionCount = nssCKFWToken_GetRwSessionCount(fwToken);
    pInfo->ulMaxPinLen = nssCKFWToken_GetMaxPinLen(fwToken);
    pInfo->ulMinPinLen = nssCKFWToken_GetMinPinLen(fwToken);
    pInfo->ulTotalPublicMemory = nssCKFWToken_GetTotalPublicMemory(fwToken);
    pInfo->ulFreePublicMemory = nssCKFWToken_GetFreePublicMemory(fwToken);
    pInfo->ulTotalPrivateMemory = nssCKFWToken_GetTotalPrivateMemory(fwToken);
    pInfo->ulFreePrivateMemory = nssCKFWToken_GetFreePrivateMemory(fwToken);
    pInfo->hardwareVersion = nssCKFWToken_GetHardwareVersion(fwToken);
    pInfo->firmwareVersion = nssCKFWToken_GetFirmwareVersion(fwToken);

    error = nssCKFWToken_GetUTCTime(fwToken, pInfo->utcTime);
    if (CKR_OK != error) {
        goto loser;
    }

    return CKR_OK;

loser:
    switch (error) {
        case CKR_DEVICE_REMOVED:
        case CKR_TOKEN_NOT_PRESENT:
            if (fwToken)
                nssCKFWToken_Destroy(fwToken);
            break;
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_SLOT_ID_INVALID:
        case CKR_TOKEN_NOT_RECOGNIZED:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * NSSCKFWC_WaitForSlotEvent
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_WaitForSlotEvent(
    NSSCKFWInstance *fwInstance,
    CK_FLAGS flags,
    CK_SLOT_ID_PTR pSlot,
    CK_VOID_PTR pReserved)
{
    CK_RV error = CKR_OK;
    CK_ULONG nSlots;
    CK_BBOOL block;
    NSSCKFWSlot **slots;
    NSSCKFWSlot *fwSlot;
    CK_ULONG i;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    if (flags & ~CKF_DONT_BLOCK) {
        error = CKR_ARGUMENTS_BAD;
        goto loser;
    }

    block = (flags & CKF_DONT_BLOCK) ? CK_TRUE : CK_FALSE;

    nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
    if ((CK_ULONG)0 == nSlots) {
        goto loser;
    }

    if ((CK_SLOT_ID_PTR)CK_NULL_PTR == pSlot) {
        error = CKR_ARGUMENTS_BAD;
        goto loser;
    }

    if ((CK_VOID_PTR)CK_NULL_PTR != pReserved) {
        error = CKR_ARGUMENTS_BAD;
        goto loser;
    }

    slots = nssCKFWInstance_GetSlots(fwInstance, &error);
    if ((NSSCKFWSlot **)NULL == slots) {
        goto loser;
    }

    fwSlot = nssCKFWInstance_WaitForSlotEvent(fwInstance, block, &error);
    if (!fwSlot) {
        goto loser;
    }

    for (i = 0; i < nSlots; i++) {
        if (fwSlot == slots[i]) {
            *pSlot = (CK_SLOT_ID)(CK_ULONG)(i + 1);
            return CKR_OK;
        }
    }

    error = CKR_GENERAL_ERROR; /* returned something not in the slot list */

loser:
    switch (error) {
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_NO_EVENT:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * NSSCKFWC_GetMechanismList
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_GetMechanismList(
    NSSCKFWInstance *fwInstance,
    CK_SLOT_ID slotID,
    CK_MECHANISM_TYPE_PTR pMechanismList,
    CK_ULONG_PTR pulCount)
{
    CK_RV error = CKR_OK;
    CK_ULONG nSlots;
    NSSCKFWSlot **slots;
    NSSCKFWSlot *fwSlot;
    NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
    CK_ULONG count;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
    if ((CK_ULONG)0 == nSlots) {
        goto loser;
    }

    if ((slotID < 1) || (slotID > nSlots)) {
        error = CKR_SLOT_ID_INVALID;
        goto loser;
    }

    if ((CK_ULONG_PTR)CK_NULL_PTR == pulCount) {
        error = CKR_ARGUMENTS_BAD;
        goto loser;
    }

    slots = nssCKFWInstance_GetSlots(fwInstance, &error);
    if ((NSSCKFWSlot **)NULL == slots) {
        goto loser;
    }

    fwSlot = slots[slotID - 1];

    if (CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot)) {
        error = CKR_TOKEN_NOT_PRESENT;
        goto loser;
    }

    fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
    if (!fwToken) {
        goto loser;
    }

    count = nssCKFWToken_GetMechanismCount(fwToken);

    if ((CK_MECHANISM_TYPE_PTR)CK_NULL_PTR == pMechanismList) {
        *pulCount = count;
        return CKR_OK;
    }

    if (*pulCount < count) {
        *pulCount = count;
        error = CKR_BUFFER_TOO_SMALL;
        goto loser;
    }

    /*
     * A purify error here indicates caller error.
     */
    (void)nsslibc_memset(pMechanismList, 0, *pulCount * sizeof(CK_MECHANISM_TYPE));

    *pulCount = count;

    if (0 != count) {
        error = nssCKFWToken_GetMechanismTypes(fwToken, pMechanismList);
    } else {
        error = CKR_OK;
    }

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    switch (error) {
        case CKR_DEVICE_REMOVED:
        case CKR_TOKEN_NOT_PRESENT:
            if (fwToken)
                nssCKFWToken_Destroy(fwToken);
            break;
        case CKR_ARGUMENTS_BAD:
        case CKR_BUFFER_TOO_SMALL:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_SLOT_ID_INVALID:
        case CKR_TOKEN_NOT_RECOGNIZED:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * NSSCKFWC_GetMechanismInfo
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_GetMechanismInfo(
    NSSCKFWInstance *fwInstance,
    CK_SLOT_ID slotID,
    CK_MECHANISM_TYPE type,
    CK_MECHANISM_INFO_PTR pInfo)
{
    CK_RV error = CKR_OK;
    CK_ULONG nSlots;
    NSSCKFWSlot **slots;
    NSSCKFWSlot *fwSlot;
    NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
    NSSCKFWMechanism *fwMechanism;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
    if ((CK_ULONG)0 == nSlots) {
        goto loser;
    }

    if ((slotID < 1) || (slotID > nSlots)) {
        error = CKR_SLOT_ID_INVALID;
        goto loser;
    }

    slots = nssCKFWInstance_GetSlots(fwInstance, &error);
    if ((NSSCKFWSlot **)NULL == slots) {
        goto loser;
    }

    fwSlot = slots[slotID - 1];

    if (CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot)) {
        error = CKR_TOKEN_NOT_PRESENT;
        goto loser;
    }

    if ((CK_MECHANISM_INFO_PTR)CK_NULL_PTR == pInfo) {
        error = CKR_ARGUMENTS_BAD;
        goto loser;
    }

    /*
     * A purify error here indicates caller error.
     */
    (void)nsslibc_memset(pInfo, 0, sizeof(CK_MECHANISM_INFO));

    fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
    if (!fwToken) {
        goto loser;
    }

    fwMechanism = nssCKFWToken_GetMechanism(fwToken, type, &error);
    if (!fwMechanism) {
        goto loser;
    }

    pInfo->ulMinKeySize = nssCKFWMechanism_GetMinKeySize(fwMechanism, &error);
    pInfo->ulMaxKeySize = nssCKFWMechanism_GetMaxKeySize(fwMechanism, &error);

    if (nssCKFWMechanism_GetInHardware(fwMechanism, &error)) {
        pInfo->flags |= CKF_HW;
    }
    if (nssCKFWMechanism_GetCanEncrypt(fwMechanism, &error)) {
        pInfo->flags |= CKF_ENCRYPT;
    }
    if (nssCKFWMechanism_GetCanDecrypt(fwMechanism, &error)) {
        pInfo->flags |= CKF_DECRYPT;
    }
    if (nssCKFWMechanism_GetCanDigest(fwMechanism, &error)) {
        pInfo->flags |= CKF_DIGEST;
    }
    if (nssCKFWMechanism_GetCanSign(fwMechanism, &error)) {
        pInfo->flags |= CKF_SIGN;
    }
    if (nssCKFWMechanism_GetCanSignRecover(fwMechanism, &error)) {
        pInfo->flags |= CKF_SIGN_RECOVER;
    }
    if (nssCKFWMechanism_GetCanVerify(fwMechanism, &error)) {
        pInfo->flags |= CKF_VERIFY;
    }
    if (nssCKFWMechanism_GetCanVerifyRecover(fwMechanism, &error)) {
        pInfo->flags |= CKF_VERIFY_RECOVER;
    }
    if (nssCKFWMechanism_GetCanGenerate(fwMechanism, &error)) {
        pInfo->flags |= CKF_GENERATE;
    }
    if (nssCKFWMechanism_GetCanGenerateKeyPair(fwMechanism, &error)) {
        pInfo->flags |= CKF_GENERATE_KEY_PAIR;
    }
    if (nssCKFWMechanism_GetCanWrap(fwMechanism, &error)) {
        pInfo->flags |= CKF_WRAP;
    }
    if (nssCKFWMechanism_GetCanUnwrap(fwMechanism, &error)) {
        pInfo->flags |= CKF_UNWRAP;
    }
    if (nssCKFWMechanism_GetCanDerive(fwMechanism, &error)) {
        pInfo->flags |= CKF_DERIVE;
    }
    nssCKFWMechanism_Destroy(fwMechanism);

    return error;

loser:
    switch (error) {
        case CKR_DEVICE_REMOVED:
        case CKR_TOKEN_NOT_PRESENT:
            if (fwToken)
                nssCKFWToken_Destroy(fwToken);
            break;
        case CKR_ARGUMENTS_BAD:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_MECHANISM_INVALID:
        case CKR_SLOT_ID_INVALID:
        case CKR_TOKEN_NOT_RECOGNIZED:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * NSSCKFWC_InitToken
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_InitToken(
    NSSCKFWInstance *fwInstance,
    CK_SLOT_ID slotID,
    CK_CHAR_PTR pPin,
    CK_ULONG ulPinLen,
    CK_CHAR_PTR pLabel)
{
    CK_RV error = CKR_OK;
    CK_ULONG nSlots;
    NSSCKFWSlot **slots;
    NSSCKFWSlot *fwSlot;
    NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
    NSSItem pin;
    NSSUTF8 *label;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
    if ((CK_ULONG)0 == nSlots) {
        goto loser;
    }

    if ((slotID < 1) || (slotID > nSlots)) {
        error = CKR_SLOT_ID_INVALID;
        goto loser;
    }

    slots = nssCKFWInstance_GetSlots(fwInstance, &error);
    if ((NSSCKFWSlot **)NULL == slots) {
        goto loser;
    }

    fwSlot = slots[slotID - 1];

    if (CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot)) {
        error = CKR_TOKEN_NOT_PRESENT;
        goto loser;
    }

    fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
    if (!fwToken) {
        goto loser;
    }

    pin.size = (PRUint32)ulPinLen;
    pin.data = (void *)pPin;
    label = (NSSUTF8 *)pLabel; /* identity conversion */

    error = nssCKFWToken_InitToken(fwToken, &pin, label);
    if (CKR_OK != error) {
        goto loser;
    }

    return CKR_OK;

loser:
    switch (error) {
        case CKR_DEVICE_REMOVED:
        case CKR_TOKEN_NOT_PRESENT:
            if (fwToken)
                nssCKFWToken_Destroy(fwToken);
            break;
        case CKR_ARGUMENTS_BAD:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_PIN_INCORRECT:
        case CKR_PIN_LOCKED:
        case CKR_SESSION_EXISTS:
        case CKR_SLOT_ID_INVALID:
        case CKR_TOKEN_NOT_RECOGNIZED:
        case CKR_TOKEN_WRITE_PROTECTED:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * NSSCKFWC_InitPIN
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_InitPIN(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_CHAR_PTR pPin,
    CK_ULONG ulPinLen)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSItem pin, *arg;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    if ((CK_CHAR_PTR)CK_NULL_PTR == pPin) {
        arg = (NSSItem *)NULL;
    } else {
        arg = &pin;
        pin.size = (PRUint32)ulPinLen;
        pin.data = (void *)pPin;
    }

    error = nssCKFWSession_InitPIN(fwSession, arg);
    if (CKR_OK != error) {
        goto loser;
    }

    return CKR_OK;

loser:
    switch (error) {
        case CKR_SESSION_CLOSED:
            /* destroy session? */
            break;
        case CKR_DEVICE_REMOVED:
            /* (void)nssCKFWToken_Destroy(fwToken); */
            break;
        case CKR_ARGUMENTS_BAD:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_PIN_INVALID:
        case CKR_PIN_LEN_RANGE:
        case CKR_SESSION_READ_ONLY:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_TOKEN_WRITE_PROTECTED:
        case CKR_USER_NOT_LOGGED_IN:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * NSSCKFWC_SetPIN
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_SetPIN(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_CHAR_PTR pOldPin,
    CK_ULONG ulOldLen,
    CK_CHAR_PTR pNewPin,
    CK_ULONG ulNewLen)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSItem oldPin, newPin, *oldArg, *newArg;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    if ((CK_CHAR_PTR)CK_NULL_PTR == pOldPin) {
        oldArg = (NSSItem *)NULL;
    } else {
        oldArg = &oldPin;
        oldPin.size = (PRUint32)ulOldLen;
        oldPin.data = (void *)pOldPin;
    }

    if ((CK_CHAR_PTR)CK_NULL_PTR == pNewPin) {
        newArg = (NSSItem *)NULL;
    } else {
        newArg = &newPin;
        newPin.size = (PRUint32)ulNewLen;
        newPin.data = (void *)pNewPin;
    }

    error = nssCKFWSession_SetPIN(fwSession, oldArg, newArg);
    if (CKR_OK != error) {
        goto loser;
    }

    return CKR_OK;

loser:
    switch (error) {
        case CKR_SESSION_CLOSED:
            /* destroy session? */
            break;
        case CKR_DEVICE_REMOVED:
            /* (void)nssCKFWToken_Destroy(fwToken); */
            break;
        case CKR_ARGUMENTS_BAD:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_PIN_INCORRECT:
        case CKR_PIN_INVALID:
        case CKR_PIN_LEN_RANGE:
        case CKR_PIN_LOCKED:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_SESSION_READ_ONLY:
        case CKR_TOKEN_WRITE_PROTECTED:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * NSSCKFWC_OpenSession
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_OpenSession(
    NSSCKFWInstance *fwInstance,
    CK_SLOT_ID slotID,
    CK_FLAGS flags,
    CK_VOID_PTR pApplication,
    CK_NOTIFY Notify,
    CK_SESSION_HANDLE_PTR phSession)
{
    CK_RV error = CKR_OK;
    CK_ULONG nSlots;
    NSSCKFWSlot **slots;
    NSSCKFWSlot *fwSlot;
    NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
    NSSCKFWSession *fwSession;
    CK_BBOOL rw;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
    if ((CK_ULONG)0 == nSlots) {
        goto loser;
    }

    if ((slotID < 1) || (slotID > nSlots)) {
        error = CKR_SLOT_ID_INVALID;
        goto loser;
    }

    if (flags & CKF_RW_SESSION) {
        rw = CK_TRUE;
    } else {
        rw = CK_FALSE;
    }

    if (flags & CKF_SERIAL_SESSION) {
        ;
    } else {
        error = CKR_SESSION_PARALLEL_NOT_SUPPORTED;
        goto loser;
    }

    if (flags & ~(CKF_RW_SESSION | CKF_SERIAL_SESSION)) {
        error = CKR_ARGUMENTS_BAD;
        goto loser;
    }

    if ((CK_SESSION_HANDLE_PTR)CK_NULL_PTR == phSession) {
        error = CKR_ARGUMENTS_BAD;
        goto loser;
    }

    /*
     * A purify error here indicates caller error.
     */
    *phSession = (CK_SESSION_HANDLE)0;

    slots = nssCKFWInstance_GetSlots(fwInstance, &error);
    if ((NSSCKFWSlot **)NULL == slots) {
        goto loser;
    }

    fwSlot = slots[slotID - 1];

    if (CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot)) {
        error = CKR_TOKEN_NOT_PRESENT;
        goto loser;
    }

    fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
    if (!fwToken) {
        goto loser;
    }

    fwSession = nssCKFWToken_OpenSession(fwToken, rw, pApplication,
                                         Notify, &error);
    if (!fwSession) {
        goto loser;
    }

    *phSession = nssCKFWInstance_CreateSessionHandle(fwInstance,
                                                     fwSession, &error);
    if ((CK_SESSION_HANDLE)0 == *phSession) {
        goto loser;
    }

    return CKR_OK;

loser:
    switch (error) {
        case CKR_SESSION_CLOSED:
            /* destroy session? */
            break;
        case CKR_DEVICE_REMOVED:
            /* (void)nssCKFWToken_Destroy(fwToken); */
            break;
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_SESSION_COUNT:
        case CKR_SESSION_EXISTS:
        case CKR_SESSION_PARALLEL_NOT_SUPPORTED:
        case CKR_SESSION_READ_WRITE_SO_EXISTS:
        case CKR_SLOT_ID_INVALID:
        case CKR_TOKEN_NOT_PRESENT:
        case CKR_TOKEN_NOT_RECOGNIZED:
        case CKR_TOKEN_WRITE_PROTECTED:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * NSSCKFWC_CloseSession
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_CloseSession(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    nssCKFWInstance_DestroySessionHandle(fwInstance, hSession);
    error = nssCKFWSession_Destroy(fwSession, CK_TRUE);

    if (CKR_OK != error) {
        goto loser;
    }

    return CKR_OK;

loser:
    switch (error) {
        case CKR_SESSION_CLOSED:
            /* destroy session? */
            break;
        case CKR_DEVICE_REMOVED:
            /* (void)nssCKFWToken_Destroy(fwToken); */
            break;
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_SESSION_HANDLE_INVALID:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * NSSCKFWC_CloseAllSessions
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_CloseAllSessions(
    NSSCKFWInstance *fwInstance,
    CK_SLOT_ID slotID)
{
    CK_RV error = CKR_OK;
    CK_ULONG nSlots;
    NSSCKFWSlot **slots;
    NSSCKFWSlot *fwSlot;
    NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
    if ((CK_ULONG)0 == nSlots) {
        goto loser;
    }

    if ((slotID < 1) || (slotID > nSlots)) {
        error = CKR_SLOT_ID_INVALID;
        goto loser;
    }

    slots = nssCKFWInstance_GetSlots(fwInstance, &error);
    if ((NSSCKFWSlot **)NULL == slots) {
        goto loser;
    }

    fwSlot = slots[slotID - 1];

    if (CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot)) {
        error = CKR_TOKEN_NOT_PRESENT;
        goto loser;
    }

    fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
    if (!fwToken) {
        goto loser;
    }

    error = nssCKFWToken_CloseAllSessions(fwToken);
    if (CKR_OK != error) {
        goto loser;
    }

    return CKR_OK;

loser:
    switch (error) {
        case CKR_DEVICE_REMOVED:
            /* (void)nssCKFWToken_Destroy(fwToken); */
            break;
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_SLOT_ID_INVALID:
        case CKR_TOKEN_NOT_PRESENT:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * NSSCKFWC_GetSessionInfo
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_GetSessionInfo(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_SESSION_INFO_PTR pInfo)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSCKFWSlot *fwSlot;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    if ((CK_SESSION_INFO_PTR)CK_NULL_PTR == pInfo) {
        error = CKR_ARGUMENTS_BAD;
        goto loser;
    }

    /*
     * A purify error here indicates caller error.
     */
    (void)nsslibc_memset(pInfo, 0, sizeof(CK_SESSION_INFO));

    fwSlot = nssCKFWSession_GetFWSlot(fwSession);
    if (!fwSlot) {
        error = CKR_GENERAL_ERROR;
        goto loser;
    }

    pInfo->slotID = nssCKFWSlot_GetSlotID(fwSlot);
    pInfo->state = nssCKFWSession_GetSessionState(fwSession);

    if (CK_TRUE == nssCKFWSession_IsRWSession(fwSession)) {
        pInfo->flags |= CKF_RW_SESSION;
    }

    pInfo->flags |= CKF_SERIAL_SESSION; /* Always true */

    pInfo->ulDeviceError = nssCKFWSession_GetDeviceError(fwSession);

    return CKR_OK;

loser:
    switch (error) {
        case CKR_SESSION_CLOSED:
            /* destroy session? */
            break;
        case CKR_DEVICE_REMOVED:
            /* (void)nssCKFWToken_Destroy(fwToken); */
            break;
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_SESSION_HANDLE_INVALID:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * NSSCKFWC_GetOperationState
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_GetOperationState(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_BYTE_PTR pOperationState,
    CK_ULONG_PTR pulOperationStateLen)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    CK_ULONG len;
    NSSItem buf;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    if ((CK_ULONG_PTR)CK_NULL_PTR == pulOperationStateLen) {
        error = CKR_ARGUMENTS_BAD;
        goto loser;
    }

    len = nssCKFWSession_GetOperationStateLen(fwSession, &error);
    if (((CK_ULONG)0 == len) && (CKR_OK != error)) {
        goto loser;
    }

    if ((CK_BYTE_PTR)CK_NULL_PTR == pOperationState) {
        *pulOperationStateLen = len;
        return CKR_OK;
    }

    if (*pulOperationStateLen < len) {
        *pulOperationStateLen = len;
        error = CKR_BUFFER_TOO_SMALL;
        goto loser;
    }

    buf.size = (PRUint32)*pulOperationStateLen;
    buf.data = (void *)pOperationState;
    *pulOperationStateLen = len;
    error = nssCKFWSession_GetOperationState(fwSession, &buf);

    if (CKR_OK != error) {
        goto loser;
    }

    return CKR_OK;

loser:
    switch (error) {
        case CKR_SESSION_CLOSED:
            /* destroy session? */
            break;
        case CKR_DEVICE_REMOVED:
            /* (void)nssCKFWToken_Destroy(fwToken); */
            break;
        case CKR_BUFFER_TOO_SMALL:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OPERATION_NOT_INITIALIZED:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_STATE_UNSAVEABLE:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * NSSCKFWC_SetOperationState
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_SetOperationState(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_BYTE_PTR pOperationState,
    CK_ULONG ulOperationStateLen,
    CK_OBJECT_HANDLE hEncryptionKey,
    CK_OBJECT_HANDLE hAuthenticationKey)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSCKFWObject *eKey;
    NSSCKFWObject *aKey;
    NSSItem state;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    if ((CK_BYTE_PTR)CK_NULL_PTR == pOperationState) {
        error = CKR_ARGUMENTS_BAD;
        goto loser;
    }

    /*
     * We could loop through the buffer, to catch any purify errors
     * in a place with a "user error" note.
     */

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    if ((CK_OBJECT_HANDLE)0 == hEncryptionKey) {
        eKey = (NSSCKFWObject *)NULL;
    } else {
        eKey = nssCKFWInstance_ResolveObjectHandle(fwInstance, hEncryptionKey);
        if (!eKey) {
            error = CKR_KEY_HANDLE_INVALID;
            goto loser;
        }
    }

    if ((CK_OBJECT_HANDLE)0 == hAuthenticationKey) {
        aKey = (NSSCKFWObject *)NULL;
    } else {
        aKey = nssCKFWInstance_ResolveObjectHandle(fwInstance, hAuthenticationKey);
        if (!aKey) {
            error = CKR_KEY_HANDLE_INVALID;
            goto loser;
        }
    }

    state.data = pOperationState;
    state.size = ulOperationStateLen;

    error = nssCKFWSession_SetOperationState(fwSession, &state, eKey, aKey);
    if (CKR_OK != error) {
        goto loser;
    }

    return CKR_OK;

loser:
    switch (error) {
        case CKR_SESSION_CLOSED:
            /* destroy session? */
            break;
        case CKR_DEVICE_REMOVED:
            /* (void)nssCKFWToken_Destroy(fwToken); */
            break;
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_KEY_CHANGED:
        case CKR_KEY_NEEDED:
        case CKR_KEY_NOT_NEEDED:
        case CKR_SAVED_STATE_INVALID:
        case CKR_SESSION_HANDLE_INVALID:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * NSSCKFWC_Login
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_Login(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_USER_TYPE userType,
    CK_CHAR_PTR pPin,
    CK_ULONG ulPinLen)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSItem pin, *arg;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    if ((CK_CHAR_PTR)CK_NULL_PTR == pPin) {
        arg = (NSSItem *)NULL;
    } else {
        arg = &pin;
        pin.size = (PRUint32)ulPinLen;
        pin.data = (void *)pPin;
    }

    error = nssCKFWSession_Login(fwSession, userType, arg);
    if (CKR_OK != error) {
        goto loser;
    }

    return CKR_OK;

loser:
    switch (error) {
        case CKR_SESSION_CLOSED:
            /* destroy session? */
            break;
        case CKR_DEVICE_REMOVED:
            /* (void)nssCKFWToken_Destroy(fwToken); */
            break;
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_PIN_EXPIRED:
        case CKR_PIN_INCORRECT:
        case CKR_PIN_LOCKED:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_SESSION_READ_ONLY_EXISTS:
        case CKR_USER_ALREADY_LOGGED_IN:
        case CKR_USER_ANOTHER_ALREADY_LOGGED_IN:
        case CKR_USER_PIN_NOT_INITIALIZED:
        case CKR_USER_TOO_MANY_TYPES:
        case CKR_USER_TYPE_INVALID:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * NSSCKFWC_Logout
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_Logout(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    error = nssCKFWSession_Logout(fwSession);
    if (CKR_OK != error) {
        goto loser;
    }

    return CKR_OK;

loser:
    switch (error) {
        case CKR_SESSION_CLOSED:
            /* destroy session? */
            break;
        case CKR_DEVICE_REMOVED:
            /* (void)nssCKFWToken_Destroy(fwToken); */
            break;
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_USER_NOT_LOGGED_IN:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * NSSCKFWC_CreateObject
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_CreateObject(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_ATTRIBUTE_PTR pTemplate,
    CK_ULONG ulCount,
    CK_OBJECT_HANDLE_PTR phObject)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSCKFWObject *fwObject;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    if ((CK_OBJECT_HANDLE_PTR)CK_NULL_PTR == phObject) {
        error = CKR_ARGUMENTS_BAD;
        goto loser;
    }

    /*
     * A purify error here indicates caller error.
     */
    *phObject = (CK_OBJECT_HANDLE)0;

    fwObject = nssCKFWSession_CreateObject(fwSession, pTemplate,
                                           ulCount, &error);
    if (!fwObject) {
        goto loser;
    }

    *phObject = nssCKFWInstance_CreateObjectHandle(fwInstance, fwObject, &error);
    if ((CK_OBJECT_HANDLE)0 == *phObject) {
        nssCKFWObject_Destroy(fwObject);
        goto loser;
    }

    return CKR_OK;

loser:
    switch (error) {
        case CKR_SESSION_CLOSED:
            /* destroy session? */
            break;
        case CKR_DEVICE_REMOVED:
            /* (void)nssCKFWToken_Destroy(fwToken); */
            break;
        case CKR_ATTRIBUTE_READ_ONLY:
        case CKR_ATTRIBUTE_TYPE_INVALID:
        case CKR_ATTRIBUTE_VALUE_INVALID:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_SESSION_READ_ONLY:
        case CKR_TEMPLATE_INCOMPLETE:
        case CKR_TEMPLATE_INCONSISTENT:
        case CKR_TOKEN_WRITE_PROTECTED:
        case CKR_USER_NOT_LOGGED_IN:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * NSSCKFWC_CopyObject
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_CopyObject(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_OBJECT_HANDLE hObject,
    CK_ATTRIBUTE_PTR pTemplate,
    CK_ULONG ulCount,
    CK_OBJECT_HANDLE_PTR phNewObject)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSCKFWObject *fwObject;
    NSSCKFWObject *fwNewObject;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    if ((CK_OBJECT_HANDLE_PTR)CK_NULL_PTR == phNewObject) {
        error = CKR_ARGUMENTS_BAD;
        goto loser;
    }

    /*
     * A purify error here indicates caller error.
     */
    *phNewObject = (CK_OBJECT_HANDLE)0;

    fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
    if (!fwObject) {
        error = CKR_OBJECT_HANDLE_INVALID;
        goto loser;
    }

    fwNewObject = nssCKFWSession_CopyObject(fwSession, fwObject,
                                            pTemplate, ulCount, &error);
    if (!fwNewObject) {
        goto loser;
    }

    *phNewObject = nssCKFWInstance_CreateObjectHandle(fwInstance,
                                                      fwNewObject, &error);
    if ((CK_OBJECT_HANDLE)0 == *phNewObject) {
        nssCKFWObject_Destroy(fwNewObject);
        goto loser;
    }

    return CKR_OK;

loser:
    switch (error) {
        case CKR_SESSION_CLOSED:
            /* destroy session? */
            break;
        case CKR_DEVICE_REMOVED:
            /* (void)nssCKFWToken_Destroy(fwToken); */
            break;
        case CKR_ATTRIBUTE_READ_ONLY:
        case CKR_ATTRIBUTE_TYPE_INVALID:
        case CKR_ATTRIBUTE_VALUE_INVALID:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OBJECT_HANDLE_INVALID:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_SESSION_READ_ONLY:
        case CKR_TEMPLATE_INCONSISTENT:
        case CKR_TOKEN_WRITE_PROTECTED:
        case CKR_USER_NOT_LOGGED_IN:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * NSSCKFWC_DestroyObject
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_DestroyObject(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_OBJECT_HANDLE hObject)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSCKFWObject *fwObject;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
    if (!fwObject) {
        error = CKR_OBJECT_HANDLE_INVALID;
        goto loser;
    }

    nssCKFWInstance_DestroyObjectHandle(fwInstance, hObject);
    nssCKFWObject_Destroy(fwObject);

    return CKR_OK;

loser:
    switch (error) {
        case CKR_SESSION_CLOSED:
            /* destroy session? */
            break;
        case CKR_DEVICE_REMOVED:
            /* (void)nssCKFWToken_Destroy(fwToken); */
            break;
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OBJECT_HANDLE_INVALID:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_SESSION_READ_ONLY:
        case CKR_TOKEN_WRITE_PROTECTED:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * NSSCKFWC_GetObjectSize
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_GetObjectSize(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_OBJECT_HANDLE hObject,
    CK_ULONG_PTR pulSize)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSCKFWObject *fwObject;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
    if (!fwObject) {
        error = CKR_OBJECT_HANDLE_INVALID;
        goto loser;
    }

    if ((CK_ULONG_PTR)CK_NULL_PTR == pulSize) {
        error = CKR_ARGUMENTS_BAD;
        goto loser;
    }

    /*
     * A purify error here indicates caller error.
     */
    *pulSize = (CK_ULONG)0;

    *pulSize = nssCKFWObject_GetObjectSize(fwObject, &error);
    if (((CK_ULONG)0 == *pulSize) && (CKR_OK != error)) {
        goto loser;
    }

    return CKR_OK;

loser:
    switch (error) {
        case CKR_SESSION_CLOSED:
            /* destroy session? */
            break;
        case CKR_DEVICE_REMOVED:
            /* (void)nssCKFWToken_Destroy(fwToken); */
            break;
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_INFORMATION_SENSITIVE:
        case CKR_OBJECT_HANDLE_INVALID:
        case CKR_SESSION_HANDLE_INVALID:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * NSSCKFWC_GetAttributeValue
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_GetAttributeValue(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_OBJECT_HANDLE hObject,
    CK_ATTRIBUTE_PTR pTemplate,
    CK_ULONG ulCount)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSCKFWObject *fwObject;
    CK_BBOOL sensitive = CK_FALSE;
    CK_BBOOL invalid = CK_FALSE;
    CK_BBOOL tooSmall = CK_FALSE;
    CK_ULONG i;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
    if (!fwObject) {
        error = CKR_OBJECT_HANDLE_INVALID;
        goto loser;
    }

    if ((CK_ATTRIBUTE_PTR)CK_NULL_PTR == pTemplate) {
        error = CKR_ARGUMENTS_BAD;
        goto loser;
    }

    for (i = 0; i < ulCount; i++) {
        CK_ULONG size = nssCKFWObject_GetAttributeSize(fwObject,
                                                       pTemplate[i].type, &error);
        if ((CK_ULONG)0 == size) {
            switch (error) {
                case CKR_ATTRIBUTE_SENSITIVE:
                case CKR_INFORMATION_SENSITIVE:
                    sensitive =
                        CK_TRUE;
                    pTemplate[i].ulValueLen =
                        (CK_ULONG)(-1);
                    continue;
                case CKR_ATTRIBUTE_TYPE_INVALID:
                    invalid =
                        CK_TRUE;
                    pTemplate[i].ulValueLen =
                        (CK_ULONG)(-1);
                    continue;
                case CKR_OK:
                    break;
                default:
                    goto loser;
            }
        }

        if ((CK_VOID_PTR)CK_NULL_PTR == pTemplate[i].pValue) {
            pTemplate[i].ulValueLen = size;
        } else {
            NSSItem it, *p;

            if (pTemplate[i].ulValueLen < size) {
                tooSmall = CK_TRUE;
                continue;
            }

            it.size = (PRUint32)pTemplate[i].ulValueLen;
            it.data = (void *)pTemplate[i].pValue;
            p = nssCKFWObject_GetAttribute(fwObject, pTemplate[i].type, &it,
                                           (NSSArena *)NULL, &error);
            if (!p) {
                switch (error) {
                    case CKR_ATTRIBUTE_SENSITIVE:
                    case CKR_INFORMATION_SENSITIVE:
                        sensitive =
                            CK_TRUE;
                        pTemplate[i].ulValueLen =
                            (CK_ULONG)(-1);
                        continue;
                    case CKR_ATTRIBUTE_TYPE_INVALID:
                        invalid =
                            CK_TRUE;
                        pTemplate[i].ulValueLen =
                            (CK_ULONG)(-1);
                        continue;
                    default:
                        goto loser;
                }
            }

            pTemplate[i].ulValueLen = size;
        }
    }

    if (sensitive) {
        error = CKR_ATTRIBUTE_SENSITIVE;
        goto loser;
    } else if (invalid) {
        error = CKR_ATTRIBUTE_TYPE_INVALID;
        goto loser;
    } else if (tooSmall) {
        error = CKR_BUFFER_TOO_SMALL;
        goto loser;
    }

    return CKR_OK;

loser:
    switch (error) {
        case CKR_SESSION_CLOSED:
            /* destroy session? */
            break;
        case CKR_DEVICE_REMOVED:
            /* (void)nssCKFWToken_Destroy(fwToken); */
            break;
        case CKR_ATTRIBUTE_SENSITIVE:
        case CKR_ATTRIBUTE_TYPE_INVALID:
        case CKR_BUFFER_TOO_SMALL:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OBJECT_HANDLE_INVALID:
        case CKR_SESSION_HANDLE_INVALID:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * NSSCKFWC_SetAttributeValue
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_SetAttributeValue(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_OBJECT_HANDLE hObject,
    CK_ATTRIBUTE_PTR pTemplate,
    CK_ULONG ulCount)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSCKFWObject *fwObject;
    CK_ULONG i;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
    if (!fwObject) {
        error = CKR_OBJECT_HANDLE_INVALID;
        goto loser;
    }

    if ((CK_ATTRIBUTE_PTR)CK_NULL_PTR == pTemplate) {
        error = CKR_ARGUMENTS_BAD;
        goto loser;
    }

    for (i = 0; i < ulCount; i++) {
        NSSItem value;

        value.data = pTemplate[i].pValue;
        value.size = pTemplate[i].ulValueLen;

        error = nssCKFWObject_SetAttribute(fwObject, fwSession,
                                           pTemplate[i].type, &value);

        if (CKR_OK != error) {
            goto loser;
        }
    }

    return CKR_OK;

loser:
    switch (error) {
        case CKR_SESSION_CLOSED:
            /* destroy session? */
            break;
        case CKR_DEVICE_REMOVED:
            /* (void)nssCKFWToken_Destroy(fwToken); */
            break;
        case CKR_ATTRIBUTE_READ_ONLY:
        case CKR_ATTRIBUTE_TYPE_INVALID:
        case CKR_ATTRIBUTE_VALUE_INVALID:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OBJECT_HANDLE_INVALID:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_SESSION_READ_ONLY:
        case CKR_TEMPLATE_INCONSISTENT:
        case CKR_TOKEN_WRITE_PROTECTED:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * NSSCKFWC_FindObjectsInit
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_FindObjectsInit(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_ATTRIBUTE_PTR pTemplate,
    CK_ULONG ulCount)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSCKFWFindObjects *fwFindObjects;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    if (((CK_ATTRIBUTE_PTR)CK_NULL_PTR == pTemplate) && (ulCount != 0)) {
        error = CKR_ARGUMENTS_BAD;
        goto loser;
    }

    fwFindObjects = nssCKFWSession_GetFWFindObjects(fwSession, &error);
    if (fwFindObjects) {
        error = CKR_OPERATION_ACTIVE;
        goto loser;
    }

    if (CKR_OPERATION_NOT_INITIALIZED != error) {
        goto loser;
    }

    fwFindObjects = nssCKFWSession_FindObjectsInit(fwSession,
                                                   pTemplate, ulCount, &error);
    if (!fwFindObjects) {
        goto loser;
    }

    error = nssCKFWSession_SetFWFindObjects(fwSession, fwFindObjects);

    if (CKR_OK != error) {
        nssCKFWFindObjects_Destroy(fwFindObjects);
        goto loser;
    }

    return CKR_OK;

loser:
    switch (error) {
        case CKR_SESSION_CLOSED:
            /* destroy session? */
            break;
        case CKR_DEVICE_REMOVED:
            /* (void)nssCKFWToken_Destroy(fwToken); */
            break;
        case CKR_ATTRIBUTE_TYPE_INVALID:
        case CKR_ATTRIBUTE_VALUE_INVALID:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OPERATION_ACTIVE:
        case CKR_SESSION_HANDLE_INVALID:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * NSSCKFWC_FindObjects
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_FindObjects(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_OBJECT_HANDLE_PTR phObject,
    CK_ULONG ulMaxObjectCount,
    CK_ULONG_PTR pulObjectCount)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSCKFWFindObjects *fwFindObjects;
    CK_ULONG i;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    if ((CK_OBJECT_HANDLE_PTR)CK_NULL_PTR == phObject) {
        error = CKR_ARGUMENTS_BAD;
        goto loser;
    }

    /*
     * A purify error here indicates caller error.
     */
    (void)nsslibc_memset(phObject, 0, sizeof(CK_OBJECT_HANDLE) * ulMaxObjectCount);
    *pulObjectCount = (CK_ULONG)0;

    fwFindObjects = nssCKFWSession_GetFWFindObjects(fwSession, &error);
    if (!fwFindObjects) {
        goto loser;
    }

    for (i = 0; i < ulMaxObjectCount; i++) {
        NSSCKFWObject *fwObject = nssCKFWFindObjects_Next(fwFindObjects,
                                                          NULL, &error);
        if (!fwObject) {
            break;
        }

        phObject[i] = nssCKFWInstance_FindObjectHandle(fwInstance, fwObject);
        if ((CK_OBJECT_HANDLE)0 == phObject[i]) {
            phObject[i] = nssCKFWInstance_CreateObjectHandle(fwInstance, fwObject, &error);
        }
        if ((CK_OBJECT_HANDLE)0 == phObject[i]) {
            /* This isn't right either, is it? */
            nssCKFWObject_Destroy(fwObject);
            goto loser;
        }
    }

    *pulObjectCount = i;

    return CKR_OK;

loser:
    switch (error) {
        case CKR_SESSION_CLOSED:
            /* destroy session? */
            break;
        case CKR_DEVICE_REMOVED:
            /* (void)nssCKFWToken_Destroy(fwToken); */
            break;
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OPERATION_NOT_INITIALIZED:
        case CKR_SESSION_HANDLE_INVALID:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * NSSCKFWC_FindObjectsFinal
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_FindObjectsFinal(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSCKFWFindObjects *fwFindObjects;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    fwFindObjects = nssCKFWSession_GetFWFindObjects(fwSession, &error);
    if (!fwFindObjects) {
        error = CKR_OPERATION_NOT_INITIALIZED;
        goto loser;
    }

    nssCKFWFindObjects_Destroy(fwFindObjects);
    error = nssCKFWSession_SetFWFindObjects(fwSession,
                                            (NSSCKFWFindObjects *)NULL);

    if (CKR_OK != error) {
        goto loser;
    }

    return CKR_OK;

loser:
    switch (error) {
        case CKR_SESSION_CLOSED:
            /* destroy session? */
            break;
        case CKR_DEVICE_REMOVED:
            /* (void)nssCKFWToken_Destroy(fwToken); */
            break;
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OPERATION_NOT_INITIALIZED:
        case CKR_SESSION_HANDLE_INVALID:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * NSSCKFWC_EncryptInit
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_EncryptInit(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_MECHANISM_PTR pMechanism,
    CK_OBJECT_HANDLE hKey)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSCKFWObject *fwObject;
    NSSCKFWSlot *fwSlot;
    NSSCKFWToken *fwToken;
    NSSCKFWMechanism *fwMechanism;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey);
    if (!fwObject) {
        error = CKR_KEY_HANDLE_INVALID;
        goto loser;
    }

    fwSlot = nssCKFWSession_GetFWSlot(fwSession);
    if (!fwSlot) {
        error = CKR_GENERAL_ERROR; /* should never happen! */
        goto loser;
    }

    if (CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot)) {
        error = CKR_TOKEN_NOT_PRESENT;
        goto loser;
    }

    fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
    if (!fwToken) {
        goto loser;
    }

    fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
    if (!fwMechanism) {
        goto loser;
    }

    error = nssCKFWMechanism_EncryptInit(fwMechanism, pMechanism,
                                         fwSession, fwObject);

    nssCKFWMechanism_Destroy(fwMechanism);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_KEY_FUNCTION_NOT_PERMITTED:
        case CKR_KEY_HANDLE_INVALID:
        case CKR_KEY_SIZE_RANGE:
        case CKR_KEY_TYPE_INCONSISTENT:
        case CKR_MECHANISM_INVALID:
        case CKR_MECHANISM_PARAM_INVALID:
        case CKR_OPERATION_ACTIVE:
        case CKR_PIN_EXPIRED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_USER_NOT_LOGGED_IN:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_Encrypt
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_Encrypt(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_BYTE_PTR pData,
    CK_ULONG ulDataLen,
    CK_BYTE_PTR pEncryptedData,
    CK_ULONG_PTR pulEncryptedDataLen)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    error = nssCKFWSession_UpdateFinal(fwSession,
                                       NSSCKFWCryptoOperationType_Encrypt,
                                       NSSCKFWCryptoOperationState_EncryptDecrypt,
                                       pData, ulDataLen, pEncryptedData, pulEncryptedDataLen);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_BUFFER_TOO_SMALL:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DATA_INVALID:
        case CKR_DATA_LEN_RANGE:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OPERATION_NOT_INITIALIZED:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_SESSION_CLOSED:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_EncryptUpdate
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_EncryptUpdate(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_BYTE_PTR pPart,
    CK_ULONG ulPartLen,
    CK_BYTE_PTR pEncryptedPart,
    CK_ULONG_PTR pulEncryptedPartLen)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    error = nssCKFWSession_Update(fwSession,
                                  NSSCKFWCryptoOperationType_Encrypt,
                                  NSSCKFWCryptoOperationState_EncryptDecrypt,
                                  pPart, ulPartLen, pEncryptedPart, pulEncryptedPartLen);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_BUFFER_TOO_SMALL:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DATA_LEN_RANGE:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OPERATION_NOT_INITIALIZED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_EncryptFinal
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_EncryptFinal(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_BYTE_PTR pLastEncryptedPart,
    CK_ULONG_PTR pulLastEncryptedPartLen)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    error = nssCKFWSession_Final(fwSession,
                                 NSSCKFWCryptoOperationType_Encrypt,
                                 NSSCKFWCryptoOperationState_EncryptDecrypt,
                                 pLastEncryptedPart, pulLastEncryptedPartLen);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_BUFFER_TOO_SMALL:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DATA_LEN_RANGE:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OPERATION_NOT_INITIALIZED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_DecryptInit
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_DecryptInit(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_MECHANISM_PTR pMechanism,
    CK_OBJECT_HANDLE hKey)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSCKFWObject *fwObject;
    NSSCKFWSlot *fwSlot;
    NSSCKFWToken *fwToken;
    NSSCKFWMechanism *fwMechanism;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey);
    if (!fwObject) {
        error = CKR_KEY_HANDLE_INVALID;
        goto loser;
    }

    fwSlot = nssCKFWSession_GetFWSlot(fwSession);
    if (!fwSlot) {
        error = CKR_GENERAL_ERROR; /* should never happen! */
        goto loser;
    }

    if (CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot)) {
        error = CKR_TOKEN_NOT_PRESENT;
        goto loser;
    }

    fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
    if (!fwToken) {
        goto loser;
    }

    fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
    if (!fwMechanism) {
        goto loser;
    }

    error = nssCKFWMechanism_DecryptInit(fwMechanism, pMechanism,
                                         fwSession, fwObject);
    nssCKFWMechanism_Destroy(fwMechanism);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_KEY_FUNCTION_NOT_PERMITTED:
        case CKR_KEY_HANDLE_INVALID:
        case CKR_KEY_SIZE_RANGE:
        case CKR_KEY_TYPE_INCONSISTENT:
        case CKR_MECHANISM_INVALID:
        case CKR_MECHANISM_PARAM_INVALID:
        case CKR_OPERATION_ACTIVE:
        case CKR_PIN_EXPIRED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_USER_NOT_LOGGED_IN:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_Decrypt
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_Decrypt(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_BYTE_PTR pEncryptedData,
    CK_ULONG ulEncryptedDataLen,
    CK_BYTE_PTR pData,
    CK_ULONG_PTR pulDataLen)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    error = nssCKFWSession_UpdateFinal(fwSession,
                                       NSSCKFWCryptoOperationType_Decrypt,
                                       NSSCKFWCryptoOperationState_EncryptDecrypt,
                                       pEncryptedData, ulEncryptedDataLen, pData, pulDataLen);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_BUFFER_TOO_SMALL:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_ENCRYPTED_DATA_INVALID:
        case CKR_ENCRYPTED_DATA_LEN_RANGE:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OPERATION_NOT_INITIALIZED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_USER_NOT_LOGGED_IN:
            break;
        case CKR_DATA_LEN_RANGE:
            error = CKR_ENCRYPTED_DATA_LEN_RANGE;
            break;
        case CKR_DATA_INVALID:
            error = CKR_ENCRYPTED_DATA_INVALID;
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_DecryptUpdate
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_DecryptUpdate(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_BYTE_PTR pEncryptedPart,
    CK_ULONG ulEncryptedPartLen,
    CK_BYTE_PTR pPart,
    CK_ULONG_PTR pulPartLen)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    error = nssCKFWSession_Update(fwSession,
                                  NSSCKFWCryptoOperationType_Decrypt,
                                  NSSCKFWCryptoOperationState_EncryptDecrypt,
                                  pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_BUFFER_TOO_SMALL:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_ENCRYPTED_DATA_INVALID:
        case CKR_ENCRYPTED_DATA_LEN_RANGE:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OPERATION_NOT_INITIALIZED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_USER_NOT_LOGGED_IN:
            break;
        case CKR_DATA_LEN_RANGE:
            error = CKR_ENCRYPTED_DATA_LEN_RANGE;
            break;
        case CKR_DATA_INVALID:
            error = CKR_ENCRYPTED_DATA_INVALID;
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_DecryptFinal
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_DecryptFinal(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_BYTE_PTR pLastPart,
    CK_ULONG_PTR pulLastPartLen)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    error = nssCKFWSession_Final(fwSession,
                                 NSSCKFWCryptoOperationType_Decrypt,
                                 NSSCKFWCryptoOperationState_EncryptDecrypt,
                                 pLastPart, pulLastPartLen);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_BUFFER_TOO_SMALL:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_FUNCTION_FAILED:
        case CKR_FUNCTION_CANCELED:
        case CKR_ENCRYPTED_DATA_INVALID:
        case CKR_ENCRYPTED_DATA_LEN_RANGE:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OPERATION_NOT_INITIALIZED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_USER_NOT_LOGGED_IN:
            break;
        case CKR_DATA_LEN_RANGE:
            error = CKR_ENCRYPTED_DATA_LEN_RANGE;
            break;
        case CKR_DATA_INVALID:
            error = CKR_ENCRYPTED_DATA_INVALID;
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_DigestInit
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_DigestInit(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_MECHANISM_PTR pMechanism)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSCKFWSlot *fwSlot;
    NSSCKFWToken *fwToken;
    NSSCKFWMechanism *fwMechanism;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    fwSlot = nssCKFWSession_GetFWSlot(fwSession);
    if (!fwSlot) {
        error = CKR_GENERAL_ERROR; /* should never happen! */
        goto loser;
    }

    if (CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot)) {
        error = CKR_TOKEN_NOT_PRESENT;
        goto loser;
    }

    fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
    if (!fwToken) {
        goto loser;
    }

    fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
    if (!fwMechanism) {
        goto loser;
    }

    error = nssCKFWMechanism_DigestInit(fwMechanism, pMechanism, fwSession);

    nssCKFWMechanism_Destroy(fwMechanism);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_MECHANISM_INVALID:
        case CKR_MECHANISM_PARAM_INVALID:
        case CKR_OPERATION_ACTIVE:
        case CKR_PIN_EXPIRED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_USER_NOT_LOGGED_IN:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_Digest
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_Digest(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_BYTE_PTR pData,
    CK_ULONG ulDataLen,
    CK_BYTE_PTR pDigest,
    CK_ULONG_PTR pulDigestLen)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    error = nssCKFWSession_UpdateFinal(fwSession,
                                       NSSCKFWCryptoOperationType_Digest,
                                       NSSCKFWCryptoOperationState_Digest,
                                       pData, ulDataLen, pDigest, pulDigestLen);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_BUFFER_TOO_SMALL:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OPERATION_NOT_INITIALIZED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_DigestUpdate
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_DigestUpdate(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_BYTE_PTR pData,
    CK_ULONG ulDataLen)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    error = nssCKFWSession_DigestUpdate(fwSession,
                                        NSSCKFWCryptoOperationType_Digest,
                                        NSSCKFWCryptoOperationState_Digest,
                                        pData, ulDataLen);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OPERATION_NOT_INITIALIZED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_DigestKey
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_DigestKey(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_OBJECT_HANDLE hKey)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSCKFWObject *fwObject;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey);
    if (!fwObject) {
        error = CKR_KEY_HANDLE_INVALID;
        goto loser;
    }

    error = nssCKFWSession_DigestKey(fwSession, fwObject);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_KEY_HANDLE_INVALID:
        case CKR_KEY_INDIGESTIBLE:
        case CKR_KEY_SIZE_RANGE:
        case CKR_OPERATION_NOT_INITIALIZED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_DigestFinal
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_DigestFinal(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_BYTE_PTR pDigest,
    CK_ULONG_PTR pulDigestLen)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    error = nssCKFWSession_Final(fwSession,
                                 NSSCKFWCryptoOperationType_Digest,
                                 NSSCKFWCryptoOperationState_Digest,
                                 pDigest, pulDigestLen);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_BUFFER_TOO_SMALL:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OPERATION_NOT_INITIALIZED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_SignInit
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_SignInit(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_MECHANISM_PTR pMechanism,
    CK_OBJECT_HANDLE hKey)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSCKFWObject *fwObject;
    NSSCKFWSlot *fwSlot;
    NSSCKFWToken *fwToken;
    NSSCKFWMechanism *fwMechanism;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey);
    if (!fwObject) {
        error = CKR_KEY_HANDLE_INVALID;
        goto loser;
    }

    fwSlot = nssCKFWSession_GetFWSlot(fwSession);
    if (!fwSlot) {
        error = CKR_GENERAL_ERROR; /* should never happen! */
        goto loser;
    }

    if (CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot)) {
        error = CKR_TOKEN_NOT_PRESENT;
        goto loser;
    }

    fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
    if (!fwToken) {
        goto loser;
    }

    fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
    if (!fwMechanism) {
        goto loser;
    }

    error = nssCKFWMechanism_SignInit(fwMechanism, pMechanism, fwSession,
                                      fwObject);

    nssCKFWMechanism_Destroy(fwMechanism);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_KEY_FUNCTION_NOT_PERMITTED:
        case CKR_KEY_HANDLE_INVALID:
        case CKR_KEY_SIZE_RANGE:
        case CKR_KEY_TYPE_INCONSISTENT:
        case CKR_MECHANISM_INVALID:
        case CKR_MECHANISM_PARAM_INVALID:
        case CKR_OPERATION_ACTIVE:
        case CKR_PIN_EXPIRED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_USER_NOT_LOGGED_IN:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_Sign
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_Sign(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_BYTE_PTR pData,
    CK_ULONG ulDataLen,
    CK_BYTE_PTR pSignature,
    CK_ULONG_PTR pulSignatureLen)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    error = nssCKFWSession_UpdateFinal(fwSession,
                                       NSSCKFWCryptoOperationType_Sign,
                                       NSSCKFWCryptoOperationState_SignVerify,
                                       pData, ulDataLen, pSignature, pulSignatureLen);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_BUFFER_TOO_SMALL:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DATA_INVALID:
        case CKR_DATA_LEN_RANGE:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OPERATION_NOT_INITIALIZED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_USER_NOT_LOGGED_IN:
        case CKR_FUNCTION_REJECTED:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_SignUpdate
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_SignUpdate(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_BYTE_PTR pPart,
    CK_ULONG ulPartLen)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    error = nssCKFWSession_DigestUpdate(fwSession,
                                        NSSCKFWCryptoOperationType_Sign,
                                        NSSCKFWCryptoOperationState_SignVerify,
                                        pPart, ulPartLen);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DATA_LEN_RANGE:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OPERATION_NOT_INITIALIZED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_USER_NOT_LOGGED_IN:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_SignFinal
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_SignFinal(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_BYTE_PTR pSignature,
    CK_ULONG_PTR pulSignatureLen)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    error = nssCKFWSession_Final(fwSession,
                                 NSSCKFWCryptoOperationType_Sign,
                                 NSSCKFWCryptoOperationState_SignVerify,
                                 pSignature, pulSignatureLen);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_BUFFER_TOO_SMALL:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DATA_LEN_RANGE:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OPERATION_NOT_INITIALIZED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_USER_NOT_LOGGED_IN:
        case CKR_FUNCTION_REJECTED:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_SignRecoverInit
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_SignRecoverInit(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_MECHANISM_PTR pMechanism,
    CK_OBJECT_HANDLE hKey)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSCKFWObject *fwObject;
    NSSCKFWSlot *fwSlot;
    NSSCKFWToken *fwToken;
    NSSCKFWMechanism *fwMechanism;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey);
    if (!fwObject) {
        error = CKR_KEY_HANDLE_INVALID;
        goto loser;
    }

    fwSlot = nssCKFWSession_GetFWSlot(fwSession);
    if (!fwSlot) {
        error = CKR_GENERAL_ERROR; /* should never happen! */
        goto loser;
    }

    if (CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot)) {
        error = CKR_TOKEN_NOT_PRESENT;
        goto loser;
    }

    fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
    if (!fwToken) {
        goto loser;
    }

    fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
    if (!fwMechanism) {
        goto loser;
    }

    error = nssCKFWMechanism_SignRecoverInit(fwMechanism, pMechanism, fwSession,
                                             fwObject);

    nssCKFWMechanism_Destroy(fwMechanism);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_KEY_FUNCTION_NOT_PERMITTED:
        case CKR_KEY_HANDLE_INVALID:
        case CKR_KEY_SIZE_RANGE:
        case CKR_KEY_TYPE_INCONSISTENT:
        case CKR_MECHANISM_INVALID:
        case CKR_MECHANISM_PARAM_INVALID:
        case CKR_OPERATION_ACTIVE:
        case CKR_PIN_EXPIRED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_USER_NOT_LOGGED_IN:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_SignRecover
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_SignRecover(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_BYTE_PTR pData,
    CK_ULONG ulDataLen,
    CK_BYTE_PTR pSignature,
    CK_ULONG_PTR pulSignatureLen)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    error = nssCKFWSession_UpdateFinal(fwSession,
                                       NSSCKFWCryptoOperationType_SignRecover,
                                       NSSCKFWCryptoOperationState_SignVerify,
                                       pData, ulDataLen, pSignature, pulSignatureLen);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_BUFFER_TOO_SMALL:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DATA_INVALID:
        case CKR_DATA_LEN_RANGE:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OPERATION_NOT_INITIALIZED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_USER_NOT_LOGGED_IN:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_VerifyInit
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_VerifyInit(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_MECHANISM_PTR pMechanism,
    CK_OBJECT_HANDLE hKey)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSCKFWObject *fwObject;
    NSSCKFWSlot *fwSlot;
    NSSCKFWToken *fwToken;
    NSSCKFWMechanism *fwMechanism;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey);
    if (!fwObject) {
        error = CKR_KEY_HANDLE_INVALID;
        goto loser;
    }

    fwSlot = nssCKFWSession_GetFWSlot(fwSession);
    if (!fwSlot) {
        error = CKR_GENERAL_ERROR; /* should never happen! */
        goto loser;
    }

    if (CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot)) {
        error = CKR_TOKEN_NOT_PRESENT;
        goto loser;
    }

    fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
    if (!fwToken) {
        goto loser;
    }

    fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
    if (!fwMechanism) {
        goto loser;
    }

    error = nssCKFWMechanism_VerifyInit(fwMechanism, pMechanism, fwSession,
                                        fwObject);

    nssCKFWMechanism_Destroy(fwMechanism);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_KEY_FUNCTION_NOT_PERMITTED:
        case CKR_KEY_HANDLE_INVALID:
        case CKR_KEY_SIZE_RANGE:
        case CKR_KEY_TYPE_INCONSISTENT:
        case CKR_MECHANISM_INVALID:
        case CKR_MECHANISM_PARAM_INVALID:
        case CKR_OPERATION_ACTIVE:
        case CKR_PIN_EXPIRED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_USER_NOT_LOGGED_IN:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_Verify
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_Verify(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_BYTE_PTR pData,
    CK_ULONG ulDataLen,
    CK_BYTE_PTR pSignature,
    CK_ULONG ulSignatureLen)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    error = nssCKFWSession_UpdateFinal(fwSession,
                                       NSSCKFWCryptoOperationType_Verify,
                                       NSSCKFWCryptoOperationState_SignVerify,
                                       pData, ulDataLen, pSignature, &ulSignatureLen);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DATA_INVALID:
        case CKR_DATA_LEN_RANGE:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OPERATION_NOT_INITIALIZED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_SIGNATURE_INVALID:
        case CKR_SIGNATURE_LEN_RANGE:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_VerifyUpdate
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_VerifyUpdate(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_BYTE_PTR pPart,
    CK_ULONG ulPartLen)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    error = nssCKFWSession_DigestUpdate(fwSession,
                                        NSSCKFWCryptoOperationType_Verify,
                                        NSSCKFWCryptoOperationState_SignVerify,
                                        pPart, ulPartLen);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DATA_LEN_RANGE:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OPERATION_NOT_INITIALIZED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_VerifyFinal
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_VerifyFinal(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_BYTE_PTR pSignature,
    CK_ULONG ulSignatureLen)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    error = nssCKFWSession_Final(fwSession,
                                 NSSCKFWCryptoOperationType_Verify,
                                 NSSCKFWCryptoOperationState_SignVerify,
                                 pSignature, &ulSignatureLen);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DATA_LEN_RANGE:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OPERATION_NOT_INITIALIZED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_SIGNATURE_INVALID:
        case CKR_SIGNATURE_LEN_RANGE:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_VerifyRecoverInit
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_VerifyRecoverInit(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_MECHANISM_PTR pMechanism,
    CK_OBJECT_HANDLE hKey)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSCKFWObject *fwObject;
    NSSCKFWSlot *fwSlot;
    NSSCKFWToken *fwToken;
    NSSCKFWMechanism *fwMechanism;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey);
    if (!fwObject) {
        error = CKR_KEY_HANDLE_INVALID;
        goto loser;
    }

    fwSlot = nssCKFWSession_GetFWSlot(fwSession);
    if (!fwSlot) {
        error = CKR_GENERAL_ERROR; /* should never happen! */
        goto loser;
    }

    if (CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot)) {
        error = CKR_TOKEN_NOT_PRESENT;
        goto loser;
    }

    fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
    if (!fwToken) {
        goto loser;
    }

    fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
    if (!fwMechanism) {
        goto loser;
    }

    error = nssCKFWMechanism_VerifyRecoverInit(fwMechanism, pMechanism,
                                               fwSession, fwObject);

    nssCKFWMechanism_Destroy(fwMechanism);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_KEY_FUNCTION_NOT_PERMITTED:
        case CKR_KEY_HANDLE_INVALID:
        case CKR_KEY_SIZE_RANGE:
        case CKR_KEY_TYPE_INCONSISTENT:
        case CKR_MECHANISM_INVALID:
        case CKR_MECHANISM_PARAM_INVALID:
        case CKR_OPERATION_ACTIVE:
        case CKR_PIN_EXPIRED:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_SESSION_CLOSED:
        case CKR_USER_NOT_LOGGED_IN:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_VerifyRecover
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_VerifyRecover(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_BYTE_PTR pSignature,
    CK_ULONG ulSignatureLen,
    CK_BYTE_PTR pData,
    CK_ULONG_PTR pulDataLen)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    error = nssCKFWSession_UpdateFinal(fwSession,
                                       NSSCKFWCryptoOperationType_VerifyRecover,
                                       NSSCKFWCryptoOperationState_SignVerify,
                                       pSignature, ulSignatureLen, pData, pulDataLen);
    if (CKR_OK == error) {
        return CKR_OK;
    }
loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_BUFFER_TOO_SMALL:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DATA_INVALID:
        case CKR_DATA_LEN_RANGE:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OPERATION_NOT_INITIALIZED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_SIGNATURE_INVALID:
        case CKR_SIGNATURE_LEN_RANGE:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_DigestEncryptUpdate
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_DigestEncryptUpdate(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_BYTE_PTR pPart,
    CK_ULONG ulPartLen,
    CK_BYTE_PTR pEncryptedPart,
    CK_ULONG_PTR pulEncryptedPartLen)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    error = nssCKFWSession_UpdateCombo(fwSession,
                                       NSSCKFWCryptoOperationType_Encrypt,
                                       NSSCKFWCryptoOperationType_Digest,
                                       NSSCKFWCryptoOperationState_Digest,
                                       pPart, ulPartLen, pEncryptedPart, pulEncryptedPartLen);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_BUFFER_TOO_SMALL:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DATA_LEN_RANGE:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OPERATION_NOT_INITIALIZED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_DecryptDigestUpdate
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_DecryptDigestUpdate(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_BYTE_PTR pEncryptedPart,
    CK_ULONG ulEncryptedPartLen,
    CK_BYTE_PTR pPart,
    CK_ULONG_PTR pulPartLen)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    error = nssCKFWSession_UpdateCombo(fwSession,
                                       NSSCKFWCryptoOperationType_Decrypt,
                                       NSSCKFWCryptoOperationType_Digest,
                                       NSSCKFWCryptoOperationState_Digest,
                                       pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_BUFFER_TOO_SMALL:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_ENCRYPTED_DATA_INVALID:
        case CKR_ENCRYPTED_DATA_LEN_RANGE:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OPERATION_NOT_INITIALIZED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
            break;
        case CKR_DATA_INVALID:
            error = CKR_ENCRYPTED_DATA_INVALID;
            break;
        case CKR_DATA_LEN_RANGE:
            error = CKR_ENCRYPTED_DATA_LEN_RANGE;
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_SignEncryptUpdate
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_SignEncryptUpdate(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_BYTE_PTR pPart,
    CK_ULONG ulPartLen,
    CK_BYTE_PTR pEncryptedPart,
    CK_ULONG_PTR pulEncryptedPartLen)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    error = nssCKFWSession_UpdateCombo(fwSession,
                                       NSSCKFWCryptoOperationType_Encrypt,
                                       NSSCKFWCryptoOperationType_Sign,
                                       NSSCKFWCryptoOperationState_SignVerify,
                                       pPart, ulPartLen, pEncryptedPart, pulEncryptedPartLen);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_BUFFER_TOO_SMALL:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DATA_LEN_RANGE:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OPERATION_NOT_INITIALIZED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_USER_NOT_LOGGED_IN:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_DecryptVerifyUpdate
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_DecryptVerifyUpdate(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_BYTE_PTR pEncryptedPart,
    CK_ULONG ulEncryptedPartLen,
    CK_BYTE_PTR pPart,
    CK_ULONG_PTR pulPartLen)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    error = nssCKFWSession_UpdateCombo(fwSession,
                                       NSSCKFWCryptoOperationType_Decrypt,
                                       NSSCKFWCryptoOperationType_Verify,
                                       NSSCKFWCryptoOperationState_SignVerify,
                                       pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_BUFFER_TOO_SMALL:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DATA_LEN_RANGE:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_ENCRYPTED_DATA_INVALID:
        case CKR_ENCRYPTED_DATA_LEN_RANGE:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OPERATION_NOT_INITIALIZED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
            break;
        case CKR_DATA_INVALID:
            error = CKR_ENCRYPTED_DATA_INVALID;
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_GenerateKey
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_GenerateKey(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_MECHANISM_PTR pMechanism,
    CK_ATTRIBUTE_PTR pTemplate,
    CK_ULONG ulCount,
    CK_OBJECT_HANDLE_PTR phKey)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSCKFWObject *fwObject;
    NSSCKFWSlot *fwSlot;
    NSSCKFWToken *fwToken;
    NSSCKFWMechanism *fwMechanism;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    fwSlot = nssCKFWSession_GetFWSlot(fwSession);
    if (!fwSlot) {
        error = CKR_GENERAL_ERROR; /* should never happen! */
        goto loser;
    }

    if (CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot)) {
        error = CKR_TOKEN_NOT_PRESENT;
        goto loser;
    }

    fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
    if (!fwToken) {
        goto loser;
    }

    fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
    if (!fwMechanism) {
        goto loser;
    }

    fwObject = nssCKFWMechanism_GenerateKey(
        fwMechanism,
        pMechanism,
        fwSession,
        pTemplate,
        ulCount,
        &error);

    nssCKFWMechanism_Destroy(fwMechanism);
    if (!fwObject) {
        goto loser;
    }
    *phKey = nssCKFWInstance_CreateObjectHandle(fwInstance, fwObject, &error);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_ATTRIBUTE_READ_ONLY:
        case CKR_ATTRIBUTE_TYPE_INVALID:
        case CKR_ATTRIBUTE_VALUE_INVALID:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_MECHANISM_INVALID:
        case CKR_MECHANISM_PARAM_INVALID:
        case CKR_OPERATION_ACTIVE:
        case CKR_PIN_EXPIRED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_SESSION_READ_ONLY:
        case CKR_TEMPLATE_INCOMPLETE:
        case CKR_TEMPLATE_INCONSISTENT:
        case CKR_TOKEN_WRITE_PROTECTED:
        case CKR_USER_NOT_LOGGED_IN:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_GenerateKeyPair
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_GenerateKeyPair(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_MECHANISM_PTR pMechanism,
    CK_ATTRIBUTE_PTR pPublicKeyTemplate,
    CK_ULONG ulPublicKeyAttributeCount,
    CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
    CK_ULONG ulPrivateKeyAttributeCount,
    CK_OBJECT_HANDLE_PTR phPublicKey,
    CK_OBJECT_HANDLE_PTR phPrivateKey)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSCKFWObject *fwPrivateKeyObject;
    NSSCKFWObject *fwPublicKeyObject;
    NSSCKFWSlot *fwSlot;
    NSSCKFWToken *fwToken;
    NSSCKFWMechanism *fwMechanism;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    fwSlot = nssCKFWSession_GetFWSlot(fwSession);
    if (!fwSlot) {
        error = CKR_GENERAL_ERROR; /* should never happen! */
        goto loser;
    }

    if (CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot)) {
        error = CKR_TOKEN_NOT_PRESENT;
        goto loser;
    }

    fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
    if (!fwToken) {
        goto loser;
    }

    fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
    if (!fwMechanism) {
        goto loser;
    }

    error = nssCKFWMechanism_GenerateKeyPair(
        fwMechanism,
        pMechanism,
        fwSession,
        pPublicKeyTemplate,
        ulPublicKeyAttributeCount,
        pPublicKeyTemplate,
        ulPublicKeyAttributeCount,
        &fwPublicKeyObject,
        &fwPrivateKeyObject);

    nssCKFWMechanism_Destroy(fwMechanism);
    if (CKR_OK != error) {
        goto loser;
    }
    *phPublicKey = nssCKFWInstance_CreateObjectHandle(fwInstance,
                                                      fwPublicKeyObject,
                                                      &error);
    if (CKR_OK != error) {
        goto loser;
    }
    *phPrivateKey = nssCKFWInstance_CreateObjectHandle(fwInstance,
                                                       fwPrivateKeyObject,
                                                       &error);
    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_ATTRIBUTE_READ_ONLY:
        case CKR_ATTRIBUTE_TYPE_INVALID:
        case CKR_ATTRIBUTE_VALUE_INVALID:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_DOMAIN_PARAMS_INVALID:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_MECHANISM_INVALID:
        case CKR_MECHANISM_PARAM_INVALID:
        case CKR_OPERATION_ACTIVE:
        case CKR_PIN_EXPIRED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_SESSION_READ_ONLY:
        case CKR_TEMPLATE_INCOMPLETE:
        case CKR_TEMPLATE_INCONSISTENT:
        case CKR_TOKEN_WRITE_PROTECTED:
        case CKR_USER_NOT_LOGGED_IN:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_WrapKey
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_WrapKey(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_MECHANISM_PTR pMechanism,
    CK_OBJECT_HANDLE hWrappingKey,
    CK_OBJECT_HANDLE hKey,
    CK_BYTE_PTR pWrappedKey,
    CK_ULONG_PTR pulWrappedKeyLen)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSCKFWObject *fwKeyObject;
    NSSCKFWObject *fwWrappingKeyObject;
    NSSCKFWSlot *fwSlot;
    NSSCKFWToken *fwToken;
    NSSCKFWMechanism *fwMechanism;
    NSSItem wrappedKey;
    CK_ULONG wrappedKeyLength = 0;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    fwWrappingKeyObject = nssCKFWInstance_ResolveObjectHandle(fwInstance,
                                                              hWrappingKey);
    if (!fwWrappingKeyObject) {
        error = CKR_WRAPPING_KEY_HANDLE_INVALID;
        goto loser;
    }

    fwKeyObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey);
    if (!fwKeyObject) {
        error = CKR_KEY_HANDLE_INVALID;
        goto loser;
    }

    fwSlot = nssCKFWSession_GetFWSlot(fwSession);
    if (!fwSlot) {
        error = CKR_GENERAL_ERROR; /* should never happen! */
        goto loser;
    }

    if (CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot)) {
        error = CKR_TOKEN_NOT_PRESENT;
        goto loser;
    }

    fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
    if (!fwToken) {
        goto loser;
    }

    fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
    if (!fwMechanism) {
        goto loser;
    }

    /*
   * first get the length...
   */
    wrappedKeyLength = nssCKFWMechanism_GetWrapKeyLength(
        fwMechanism,
        pMechanism,
        fwSession,
        fwWrappingKeyObject,
        fwKeyObject,
        &error);
    if ((CK_ULONG)0 == wrappedKeyLength) {
        nssCKFWMechanism_Destroy(fwMechanism);
        goto loser;
    }
    if ((CK_BYTE_PTR)NULL == pWrappedKey) {
        *pulWrappedKeyLen = wrappedKeyLength;
        nssCKFWMechanism_Destroy(fwMechanism);
        return CKR_OK;
    }
    if (wrappedKeyLength > *pulWrappedKeyLen) {
        *pulWrappedKeyLen = wrappedKeyLength;
        nssCKFWMechanism_Destroy(fwMechanism);
        error = CKR_BUFFER_TOO_SMALL;
        goto loser;
    }

    wrappedKey.data = pWrappedKey;
    wrappedKey.size = wrappedKeyLength;

    error = nssCKFWMechanism_WrapKey(
        fwMechanism,
        pMechanism,
        fwSession,
        fwWrappingKeyObject,
        fwKeyObject,
        &wrappedKey);

    nssCKFWMechanism_Destroy(fwMechanism);
    *pulWrappedKeyLen = wrappedKey.size;

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_BUFFER_TOO_SMALL:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_KEY_HANDLE_INVALID:
        case CKR_KEY_NOT_WRAPPABLE:
        case CKR_KEY_SIZE_RANGE:
        case CKR_KEY_UNEXTRACTABLE:
        case CKR_MECHANISM_INVALID:
        case CKR_MECHANISM_PARAM_INVALID:
        case CKR_OPERATION_ACTIVE:
        case CKR_PIN_EXPIRED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_WRAPPING_KEY_HANDLE_INVALID:
        case CKR_WRAPPING_KEY_SIZE_RANGE:
        case CKR_WRAPPING_KEY_TYPE_INCONSISTENT:
            break;
        case CKR_KEY_TYPE_INCONSISTENT:
            error = CKR_WRAPPING_KEY_TYPE_INCONSISTENT;
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_UnwrapKey
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_UnwrapKey(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_MECHANISM_PTR pMechanism,
    CK_OBJECT_HANDLE hUnwrappingKey,
    CK_BYTE_PTR pWrappedKey,
    CK_ULONG ulWrappedKeyLen,
    CK_ATTRIBUTE_PTR pTemplate,
    CK_ULONG ulAttributeCount,
    CK_OBJECT_HANDLE_PTR phKey)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSCKFWObject *fwObject;
    NSSCKFWObject *fwWrappingKeyObject;
    NSSCKFWSlot *fwSlot;
    NSSCKFWToken *fwToken;
    NSSCKFWMechanism *fwMechanism;
    NSSItem wrappedKey;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    fwWrappingKeyObject = nssCKFWInstance_ResolveObjectHandle(fwInstance,
                                                              hUnwrappingKey);
    if (!fwWrappingKeyObject) {
        error = CKR_WRAPPING_KEY_HANDLE_INVALID;
        goto loser;
    }

    fwSlot = nssCKFWSession_GetFWSlot(fwSession);
    if (!fwSlot) {
        error = CKR_GENERAL_ERROR; /* should never happen! */
        goto loser;
    }

    if (CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot)) {
        error = CKR_TOKEN_NOT_PRESENT;
        goto loser;
    }

    fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
    if (!fwToken) {
        goto loser;
    }

    fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
    if (!fwMechanism) {
        goto loser;
    }

    wrappedKey.data = pWrappedKey;
    wrappedKey.size = ulWrappedKeyLen;

    fwObject = nssCKFWMechanism_UnwrapKey(
        fwMechanism,
        pMechanism,
        fwSession,
        fwWrappingKeyObject,
        &wrappedKey,
        pTemplate,
        ulAttributeCount,
        &error);

    nssCKFWMechanism_Destroy(fwMechanism);
    if (!fwObject) {
        goto loser;
    }
    *phKey = nssCKFWInstance_CreateObjectHandle(fwInstance, fwObject, &error);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_ATTRIBUTE_READ_ONLY:
        case CKR_ATTRIBUTE_TYPE_INVALID:
        case CKR_ATTRIBUTE_VALUE_INVALID:
        case CKR_BUFFER_TOO_SMALL:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_DOMAIN_PARAMS_INVALID:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_MECHANISM_INVALID:
        case CKR_MECHANISM_PARAM_INVALID:
        case CKR_OPERATION_ACTIVE:
        case CKR_PIN_EXPIRED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_SESSION_READ_ONLY:
        case CKR_TEMPLATE_INCOMPLETE:
        case CKR_TEMPLATE_INCONSISTENT:
        case CKR_TOKEN_WRITE_PROTECTED:
        case CKR_UNWRAPPING_KEY_HANDLE_INVALID:
        case CKR_UNWRAPPING_KEY_SIZE_RANGE:
        case CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT:
        case CKR_USER_NOT_LOGGED_IN:
        case CKR_WRAPPED_KEY_INVALID:
        case CKR_WRAPPED_KEY_LEN_RANGE:
            break;
        case CKR_KEY_HANDLE_INVALID:
            error = CKR_UNWRAPPING_KEY_HANDLE_INVALID;
            break;
        case CKR_KEY_SIZE_RANGE:
            error = CKR_UNWRAPPING_KEY_SIZE_RANGE;
            break;
        case CKR_KEY_TYPE_INCONSISTENT:
            error = CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT;
            break;
        case CKR_ENCRYPTED_DATA_INVALID:
            error = CKR_WRAPPED_KEY_INVALID;
            break;
        case CKR_ENCRYPTED_DATA_LEN_RANGE:
            error = CKR_WRAPPED_KEY_LEN_RANGE;
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_DeriveKey
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_DeriveKey(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_MECHANISM_PTR pMechanism,
    CK_OBJECT_HANDLE hBaseKey,
    CK_ATTRIBUTE_PTR pTemplate,
    CK_ULONG ulAttributeCount,
    CK_OBJECT_HANDLE_PTR phKey)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSCKFWObject *fwObject;
    NSSCKFWObject *fwBaseKeyObject;
    NSSCKFWSlot *fwSlot;
    NSSCKFWToken *fwToken;
    NSSCKFWMechanism *fwMechanism;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    fwBaseKeyObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hBaseKey);
    if (!fwBaseKeyObject) {
        error = CKR_KEY_HANDLE_INVALID;
        goto loser;
    }

    fwSlot = nssCKFWSession_GetFWSlot(fwSession);
    if (!fwSlot) {
        error = CKR_GENERAL_ERROR; /* should never happen! */
        goto loser;
    }

    if (CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot)) {
        error = CKR_TOKEN_NOT_PRESENT;
        goto loser;
    }

    fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
    if (!fwToken) {
        goto loser;
    }

    fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
    if (!fwMechanism) {
        goto loser;
    }

    fwObject = nssCKFWMechanism_DeriveKey(
        fwMechanism,
        pMechanism,
        fwSession,
        fwBaseKeyObject,
        pTemplate,
        ulAttributeCount,
        &error);

    nssCKFWMechanism_Destroy(fwMechanism);
    if (!fwObject) {
        goto loser;
    }
    *phKey = nssCKFWInstance_CreateObjectHandle(fwInstance, fwObject, &error);

    if (CKR_OK == error) {
        return CKR_OK;
    }

loser:
    /* verify error */
    switch (error) {
        case CKR_ARGUMENTS_BAD:
        case CKR_ATTRIBUTE_READ_ONLY:
        case CKR_ATTRIBUTE_TYPE_INVALID:
        case CKR_ATTRIBUTE_VALUE_INVALID:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_DEVICE_REMOVED:
        case CKR_DOMAIN_PARAMS_INVALID:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_KEY_HANDLE_INVALID:
        case CKR_KEY_SIZE_RANGE:
        case CKR_KEY_TYPE_INCONSISTENT:
        case CKR_MECHANISM_INVALID:
        case CKR_MECHANISM_PARAM_INVALID:
        case CKR_OPERATION_ACTIVE:
        case CKR_PIN_EXPIRED:
        case CKR_SESSION_CLOSED:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_SESSION_READ_ONLY:
        case CKR_TEMPLATE_INCOMPLETE:
        case CKR_TEMPLATE_INCONSISTENT:
        case CKR_TOKEN_WRITE_PROTECTED:
        case CKR_USER_NOT_LOGGED_IN:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }
    return error;
}

/*
 * NSSCKFWC_SeedRandom
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_SeedRandom(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_BYTE_PTR pSeed,
    CK_ULONG ulSeedLen)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSItem seed;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    if ((CK_BYTE_PTR)CK_NULL_PTR == pSeed) {
        error = CKR_ARGUMENTS_BAD;
        goto loser;
    }

    /* We could read through the buffer in a Purify trap */

    seed.size = (PRUint32)ulSeedLen;
    seed.data = (void *)pSeed;

    error = nssCKFWSession_SeedRandom(fwSession, &seed);

    if (CKR_OK != error) {
        goto loser;
    }

    return CKR_OK;

loser:
    switch (error) {
        case CKR_SESSION_CLOSED:
            /* destroy session? */
            break;
        case CKR_DEVICE_REMOVED:
            /* (void)nssCKFWToken_Destroy(fwToken); */
            break;
        case CKR_ARGUMENTS_BAD:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OPERATION_ACTIVE:
        case CKR_RANDOM_SEED_NOT_SUPPORTED:
        case CKR_RANDOM_NO_RNG:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_USER_NOT_LOGGED_IN:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * NSSCKFWC_GenerateRandom
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_GenerateRandom(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession,
    CK_BYTE_PTR pRandomData,
    CK_ULONG ulRandomLen)
{
    CK_RV error = CKR_OK;
    NSSCKFWSession *fwSession;
    NSSItem buffer;

    if (!fwInstance) {
        error = CKR_CRYPTOKI_NOT_INITIALIZED;
        goto loser;
    }

    fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
    if (!fwSession) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto loser;
    }

    if ((CK_BYTE_PTR)CK_NULL_PTR == pRandomData) {
        error = CKR_ARGUMENTS_BAD;
        goto loser;
    }

    /*
   * A purify error here indicates caller error.
   */
    (void)nsslibc_memset(pRandomData, 0, ulRandomLen);

    buffer.size = (PRUint32)ulRandomLen;
    buffer.data = (void *)pRandomData;

    error = nssCKFWSession_GetRandom(fwSession, &buffer);

    if (CKR_OK != error) {
        goto loser;
    }

    return CKR_OK;

loser:
    switch (error) {
        case CKR_SESSION_CLOSED:
            /* destroy session? */
            break;
        case CKR_DEVICE_REMOVED:
            /* (void)nssCKFWToken_Destroy(fwToken); */
            break;
        case CKR_ARGUMENTS_BAD:
        case CKR_CRYPTOKI_NOT_INITIALIZED:
        case CKR_DEVICE_ERROR:
        case CKR_DEVICE_MEMORY:
        case CKR_FUNCTION_CANCELED:
        case CKR_FUNCTION_FAILED:
        case CKR_GENERAL_ERROR:
        case CKR_HOST_MEMORY:
        case CKR_OPERATION_ACTIVE:
        case CKR_RANDOM_NO_RNG:
        case CKR_SESSION_HANDLE_INVALID:
        case CKR_USER_NOT_LOGGED_IN:
            break;
        default:
        case CKR_OK:
            error = CKR_GENERAL_ERROR;
            break;
    }

    return error;
}

/*
 * NSSCKFWC_GetFunctionStatus
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_GetFunctionStatus(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession)
{
    return CKR_FUNCTION_NOT_PARALLEL;
}

/*
 * NSSCKFWC_CancelFunction
 *
 */
NSS_IMPLEMENT CK_RV
NSSCKFWC_CancelFunction(
    NSSCKFWInstance *fwInstance,
    CK_SESSION_HANDLE hSession)
{
    return CKR_FUNCTION_NOT_PARALLEL;
}