Diffstat (limited to 'security/nss/tests')
349 files changed, 26616 insertions, 0 deletions
diff --git a/security/nss/tests/README.txt b/security/nss/tests/README.txt
new file mode 100644
index 000000000..08088b50b
--- /dev/null
+++ b/security/nss/tests/README.txt
@@ -0,0 +1,6 @@
+Hints for running the NSS test suite:
+
+- all.sh is used to run all tests
+
+- if your host is not registered with DNS you may use:
+ HOST=localhost DOMSUF=localdomain ./all.sh
diff --git a/security/nss/tests/all.sh b/security/nss/tests/all.sh
new file mode 100755
index 000000000..8305e6766
--- /dev/null
+++ b/security/nss/tests/all.sh
@@ -0,0 +1,311 @@ +#!/bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/all.sh +# +# Script to start selected available NSS QA suites on one machine +# this script is called or sourced by NSS QA which runs on all required +# platforms +# +# Needs to work on all Unix and Windows platforms +# +# Currently available NSS QA suites: +# ---------------------------------- +# cipher.sh - tests NSS ciphers +# libpkix.sh - tests PKIX functionality +# cert.sh - exercises certutil and creates certs necessary for +# all other tests +# dbtests.sh - tests related to certificate databases +# tools.sh - tests the majority of the NSS tools +# fips.sh - tests basic functionallity of NSS in FIPS-compliant +# - mode +# sdr.sh - tests NSS SDR +# crmf.sh - CRMF/CMMF testing +# smime.sh - S/MIME testing +# ssl.sh - tests SSL V2 SSL V3 and TLS +# ocsp.sh - OCSP testing +# merge.sh - tests merging old and new shareable databases +# pkits.sh - NIST/PKITS tests +# chains.sh - PKIX cert chains tests +# dbupgrade.sh - upgrade databases to new shareable version (used +# only in upgrade test cycle) +# memleak.sh - memory leak testing (optional) +# ssl_gtests.sh- Gtest based unit tests for ssl +# gtests.sh - Gtest based unit tests for everything else +# bogo.sh - Bogo interop tests (disabled by default) +# https://boringssl.googlesource.com/boringssl/+/master/ssl/test/PORTING.md +# +# NSS testing is now devided to 4 cycles: +# --------------------------------------- +# standard - run test suites with defaults settings +# pkix - run test suites with PKIX enabled +# upgradedb - upgrade existing certificate databases to shareable +# format (creates them if doesn't exist yet) and run +# test suites with those databases +# sharedb - 
run test suites with shareable database format +# enabled (databases are created directly to this +# format) +# +# Mandatory environment variables (to be set before testing): +# ----------------------------------------------------------- +# HOST - test machine host name +# DOMSUF - test machine domain name +# +# Optional environment variables to specify build to use: +# ------------------------------------------------------- +# BUILT_OPT - use optimized/debug build +# USE_64 - use 64bit/32bit build +# USE_ASAN - use Address Sanitizer build +# +# Optional environment variables to enable specific NSS features: +# --------------------------------------------------------------- +# NSS_DISABLE_ECC - disable ECC +# +# Optional environment variables to select which cycles/suites to test: +# --------------------------------------------------------------------- +# NSS_CYCLES - list of cycles to run (separated by space +# character) +# - by default all cycles are tested +# +# NSS_TESTS - list of all test suites to run (separated by space +# character, without trailing .sh) +# - this list can be reduced for individual test cycles +# +# NSS_SSL_TESTS - list of ssl tests to run (see ssl.sh) +# NSS_SSL_RUN - list of ssl sub-tests to run (see ssl.sh) +# +# Testing schema: +# --------------- +# all.sh ~ (main) +# | | +# +------------+------------+-----------+ ~ run_cycles +# | | | | | +# standard pkix upgradedb sharedb ~ run_cycle_* +# | | +# +------+------+------+-----> ~ run_tests +# | | | | | +# cert tools fips ssl ... ~ . *.sh +# +# Special strings: +# ---------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +# NOTE: +# ----- +# Unlike the old QA this is based on files sourcing each other +# This is done to save time, since a great portion of time is lost +# in calling and sourcing the same things multiple times over the +# network. 
Also, this way all scripts have all shell function +# available and a completely common environment +# +######################################################################## + +############################## run_tests ############################### +# run test suites defined in TESTS variable, skip scripts defined in +# TESTS_SKIP variable +######################################################################## +run_tests() +{ + for TEST in ${TESTS} + do + # NOTE: the spaces are important. If you don't include + # the spaces, then turning off ssl_gtests will also turn off ssl + # tests. + echo " ${TESTS_SKIP} " | grep " ${TEST} " > /dev/null + if [ $? -eq 0 ]; then + continue + fi + + SCRIPTNAME=${TEST}.sh + echo "Running tests for ${TEST}" + echo "TIMESTAMP ${TEST} BEGIN: `date`" + (cd ${QADIR}/${TEST}; . ./${SCRIPTNAME} 2>&1) + echo "TIMESTAMP ${TEST} END: `date`" + done +} + +########################## run_cycle_standard ########################## +# run test suites with defaults settings (no PKIX, no sharedb) +######################################################################## +run_cycle_standard() +{ + TEST_MODE=STANDARD + + TESTS="${ALL_TESTS}" + TESTS_SKIP= + + run_tests +} + +############################ run_cycle_pkix ############################ +# run test suites with PKIX enabled +######################################################################## +run_cycle_pkix() +{ + TEST_MODE=PKIX + + TABLE_ARGS="bgcolor=cyan" + html_head "Testing with PKIX" + html "</TABLE><BR>" + + HOSTDIR="${HOSTDIR}/pkix" + mkdir -p "${HOSTDIR}" + init_directories + + NSS_ENABLE_PKIX_VERIFY="1" + export NSS_ENABLE_PKIX_VERIFY + + TESTS="${ALL_TESTS}" + TESTS_SKIP="cipher dbtests sdr crmf smime merge multinit" + NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"` + + run_tests +} + +######################### run_cycle_upgrade_db ######################### +# upgrades certificate database to shareable format and run test suites 
+# with those databases +######################################################################## +run_cycle_upgrade_db() +{ + TEST_MODE=UPGRADE_DB + + TABLE_ARGS="bgcolor=pink" + html_head "Testing with upgraded library" + html "</TABLE><BR>" + + OLDHOSTDIR="${HOSTDIR}" + HOSTDIR="${HOSTDIR}/upgradedb" + mkdir -p "${HOSTDIR}" + init_directories + + if [ -r "${OLDHOSTDIR}/cert.log" ]; then + DIRS="alicedir bobdir CA cert_extensions client clientCA dave eccurves eve ext_client ext_server fips SDR server serverCA stapling tools/copydir cert.log cert.done tests.*" + for i in $DIRS + do + cp -r ${OLDHOSTDIR}/${i} ${HOSTDIR} #2> /dev/null + done + fi + + # upgrade certs dbs to shared db + TESTS="dbupgrade" + TESTS_SKIP= + + run_tests + + NSS_DEFAULT_DB_TYPE="sql" + export NSS_DEFAULT_DB_TYPE + + # run the subset of tests with the upgraded database + TESTS="${ALL_TESTS}" + TESTS_SKIP="cipher libpkix cert dbtests sdr ocsp pkits chains" + + NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"` + NSS_SSL_RUN=`echo "${NSS_SSL_RUN}" | sed -e "s/cov//g" -e "s/auth//g"` + + run_tests +} + +########################## run_cycle_shared_db ######################### +# run test suites with certificate databases set to shareable format +######################################################################## +run_cycle_shared_db() +{ + TEST_MODE=SHARED_DB + + TABLE_ARGS="bgcolor=yellow" + html_head "Testing with shared library" + html "</TABLE><BR>" + + HOSTDIR="${HOSTDIR}/sharedb" + mkdir -p "${HOSTDIR}" + init_directories + + NSS_DEFAULT_DB_TYPE="sql" + export NSS_DEFAULT_DB_TYPE + + # run the tests for native sharedb support + TESTS="${ALL_TESTS}" + TESTS_SKIP="cipher libpkix dbupgrade sdr ocsp pkits" + + NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"` + NSS_SSL_RUN=`echo "${NSS_SSL_RUN}" | sed -e "s/cov//g" -e "s/auth//g"` + + run_tests +} + +############################# run_cycles 
############################### +# run test cycles defined in CYCLES variable +######################################################################## +run_cycles() +{ + for CYCLE in ${CYCLES} + do + case "${CYCLE}" in + "standard") + run_cycle_standard + ;; + "pkix") + if [ -z "$NSS_DISABLE_LIBPKIX" ]; then + run_cycle_pkix + fi + ;; + "upgradedb") + run_cycle_upgrade_db + ;; + "sharedb") + run_cycle_shared_db + ;; + esac + . ${ENV_BACKUP} + done +} + +############################## main code ############################### + +cycles="standard pkix upgradedb sharedb" +CYCLES=${NSS_CYCLES:-$cycles} + +tests="cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests" +TESTS=${NSS_TESTS:-$tests} + +ALL_TESTS=${TESTS} + +nss_ssl_tests="crl fips_normal normal_fips iopr policy" +NSS_SSL_TESTS="${NSS_SSL_TESTS:-$nss_ssl_tests}" + +nss_ssl_run="cov auth stapling stress" +NSS_SSL_RUN="${NSS_SSL_RUN:-$nss_ssl_run}" + +SCRIPTNAME=all.sh +CLEANUP="${SCRIPTNAME}" +cd `dirname $0` + +# all.sh should be the first one to try to source the init +if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd common + . ./init.sh +fi + +# NOTE: +# Lists of enabled tests and other settings are stored to ${ENV_BACKUP} +# file and are are restored after every test cycle. + +ENV_BACKUP=${HOSTDIR}/env.sh +env_backup > ${ENV_BACKUP} + +if [ "${O_CRON}" = "ON" ]; then + run_cycles >> ${LOGFILE} +else + run_cycles | tee -a ${LOGFILE} +fi + +SCRIPTNAME=all.sh + +. ${QADIR}/common/cleanup.sh diff --git a/security/nss/tests/bogo/bogo.sh b/security/nss/tests/bogo/bogo.sh new file mode 100755 index 000000000..7503d230e --- /dev/null +++ b/security/nss/tests/bogo/bogo.sh 
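Review bot: `run_cycles` silently ignores any entry of NSS_CYCLES that is not one of the four known names, because the `case "${CYCLE}" in` has no `*)` arm, so a typo in the environment drops a whole cycle with nothing in the log. Adding `*) echo "${SCRIPTNAME}: unknown cycle '${CYCLE}', skipping" >&2 ;;` before `esac` makes that visible. In `run_tests`, `(cd ${QADIR}/${TEST}; . ./${SCRIPTNAME} 2>&1)` still sources `./${SCRIPTNAME}` relative to whatever the current directory is when the `cd` fails; `cd ${QADIR}/${TEST} && . ./${SCRIPTNAME}` keeps a misspelled suite name from sourcing an unintended file. Separately, `cd \`dirname $0\`` in the main code is unquoted, unlike bogo.sh's `cd "$(dirname "$0")"` in the same commit; the quoted form also survives a checkout path containing spaces.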
@@ -0,0 +1,56 @@
+#!/bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# tests/bogo/bogo.sh
+#
+# Script to drive the ssl bogo interop unit tests
+#
+########################################################################
+
+bogo_init()
+{
+ SCRIPTNAME="bogo.sh"
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ] ; then
+ cd ../common
+ . ./init.sh
+ fi
+
+ mkdir -p "${HOSTDIR}/bogo"
+ cd "${HOSTDIR}/bogo"
+ BORING=${BORING:=boringssl}
+ if [ ! -d "$BORING" ]; then
+ git clone -q https://boringssl.googlesource.com/boringssl "$BORING"
+ git -C "$BORING" checkout -q ea80f9d5df4c302de391e999395e1c87f9c786b3
+ fi
+
+ SCRIPTNAME="bogo.sh"
+ html_head "bogo test"
+}
+
+bogo_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+# Need to add go to the PATH.
+export PATH=$PATH:/usr/lib/go-1.6/bin
+
+cd "$(dirname "$0")"
+SOURCE_DIR="$PWD"/../..
+bogo_init
+(cd "$BORING"/ssl/test/runner;
+ GOPATH="$PWD" go test -pipe -shim-path "${BINDIR}"/nss_bogo_shim \
+ -loose-errors -allow-unimplemented \
+ -shim-config "${SOURCE_DIR}/gtests/nss_bogo_shim/config.json") \
+ 2>bogo.errors | tee bogo.log
+html_msg "${PIPESTATUS[0]}" 0 "Bogo" "Run successfully"
+grep -i 'FAILED\|Assertion failure' bogo.errors
+html_msg $? 1 "Bogo" "No failures"
+bogo_cleanup
diff --git a/security/nss/tests/cert/cert.sh b/security/nss/tests/cert/cert.sh
new file mode 100755
index 000000000..9b3455747
--- /dev/null
+++ b/security/nss/tests/cert/cert.sh
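Review bot: The BoringSSL revision pin in `bogo_init` is only enforced on a fresh clone, because `git -C "$BORING" checkout -q ea80f9d5df4c302de391e999395e1c87f9c786b3` sits inside `if [ ! -d "$BORING" ]`; a `$BORING` directory left over from an earlier run at another revision is used as-is, so the interop results are not tied to the commit the script names. Moving the checkout after the `fi` so it runs on every invocation re-pins the tree each time, and checking the clone's status (`git clone -q ... "$BORING" || exit 1`) stops a failed download from surfacing only later as a go test failure. Neither git command's exit status is checked as written, and nothing verifies the fetched tree beyond the commit id itself; a `# pinned BoringSSL revision; bump deliberately` comment above the checkout would tell the next maintainer the hash is intentional.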
@@ -0,0 +1,2012 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/cert/rcert.sh +# +# Certificate generating and handeling for NSS QA, can be included +# multiple times from all.sh and the individual scripts +# +# needs to work on all Unix and Windows platforms +# +# included from (don't expect this to be up to date) +# -------------------------------------------------- +# all.sh +# ssl.sh +# smime.sh +# tools.sh +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +# FIXME - Netscape - NSS +######################################################################## + +############################## cert_init ############################### +# local shell function to initialize this script +######################################################################## +cert_init() +{ + SCRIPTNAME="cert.sh" + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + if [ -z "${INIT_SOURCED}" ] ; then + cd ../common + . ./init.sh + fi + if [ -z "${IOPR_CERT_SOURCED}" ]; then + . ../iopr/cert_iopr.sh + fi + SCRIPTNAME="cert.sh" + CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"` + if [ -z "$NSS_DISABLE_ECC" ] ; then + html_head "Certutil and Crlutil Tests with ECC" + else + html_head "Certutil and Crlutil Tests" + fi + + LIBDIR="${DIST}/${OBJDIR}/lib" + + ROOTCERTSFILE=`ls -1 ${LIBDIR}/*nssckbi* | head -1` + if [ ! "${ROOTCERTSFILE}" ] ; then + html_failed "Looking for root certs module." + cert_log "ERROR: Root certs module not found." + Exit 5 "Fatal - Root certs module not found." + else + html_passed "Looking for root certs module." 
+ fi + + if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then + ROOTCERTSFILE=`cygpath -m ${ROOTCERTSFILE}` + fi +} + +cert_log() ###################### write the cert_status file +{ + echo "$SCRIPTNAME $*" + echo $* >>${CERT_LOG_FILE} +} + +######################################################################## +# function wraps calls to pk12util, also: writes action and options +# to stdout. +# Params are the same as to pk12util. +# Returns pk12util status +# +pk12u() +{ + echo "${CU_ACTION} --------------------------" + + echo "pk12util $@" + ${BINDIR}/pk12util $@ + RET=$? + + return $RET +} + +################################ certu ################################# +# local shell function to call certutil, also: writes action and options to +# stdout, sets variable RET and writes results to the html file results +######################################################################## +certu() +{ + echo "$SCRIPTNAME: ${CU_ACTION} --------------------------" + EXPECTED=${RETEXPECTED-0} + + if [ -n "${CU_SUBJECT}" ]; then + #the subject of the cert contains blanks, and the shell + #will strip the quotes off the string, if called otherwise... + echo "certutil -s \"${CU_SUBJECT}\" $*" + ${PROFTOOL} ${BINDIR}/certutil -s "${CU_SUBJECT}" $* + RET=$? + CU_SUBJECT="" + else + echo "certutil $*" + ${PROFTOOL} ${BINDIR}/certutil $* + RET=$? 
+ fi + if [ "$RET" -ne "$EXPECTED" ]; then + CERTFAILED=$RET + html_failed "${CU_ACTION} ($RET=$EXPECTED) " + cert_log "ERROR: ${CU_ACTION} failed $RET" + else + html_passed "${CU_ACTION}" + fi + + return $RET +} + +################################ crlu ################################# +# local shell function to call crlutil, also: writes action and options to +# stdout, sets variable RET and writes results to the html file results +######################################################################## +crlu() +{ + echo "$SCRIPTNAME: ${CU_ACTION} --------------------------" + + CRLUTIL="crlutil -q" + echo "$CRLUTIL $*" + ${PROFTOOL} ${BINDIR}/$CRLUTIL $* + RET=$? + if [ "$RET" -ne 0 ]; then + CRLFAILED=$RET + html_failed "${CU_ACTION} ($RET) " + cert_log "ERROR: ${CU_ACTION} failed $RET" + else + html_passed "${CU_ACTION}" + fi + + return $RET +} + +################################ ocspr ################################## +# local shell function to call ocsresp, also: writes action and options to +# stdout, sets variable RET and writes results to the html file results +######################################################################### +ocspr() +{ + echo "$SCRIPTNAME: ${OR_ACTION} --------------------------" + + OCSPRESP="ocspresp" + echo "$OCSPRESP $*" + ${PROFTOOL} ${BINDIR}/$OCSPRESP $* + RET=$? + if [ "$RET" -ne 0 ]; then + OCSPFAILED=$RET + html_failed "${OR_ACTION} ($RET) " + cert_log "ERROR: ${OR_ACTION} failed $RET" + else + html_passed "${OR_ACTION}" + fi + + return $RET +} + +modu() +{ + echo "$SCRIPTNAME: ${CU_ACTION} --------------------------" + + MODUTIL="modutil" + echo "$MODUTIL $*" + # echo is used to press Enter expected by modutil + echo | ${BINDIR}/$MODUTIL $* + RET=$? 
+ if [ "$RET" -ne 0 ]; then + MODFAILED=$RET + html_failed "${CU_ACTION} ($RET) " + cert_log "ERROR: ${CU_ACTION} failed $RET" + else + html_passed "${CU_ACTION}" + fi + + return $RET +} + +############################# cert_init_cert ########################## +# local shell function to initialize creation of client and server certs +######################################################################## +cert_init_cert() +{ + CERTDIR="$1" + CERTNAME="$2" + CERTSERIAL="$3" + DOMAIN="$4" + + if [ ! -d "${CERTDIR}" ]; then + mkdir -p "${CERTDIR}" + else + echo "$SCRIPTNAME: WARNING - ${CERTDIR} exists" + fi + cd "${CERTDIR}" + CERTDIR="." + + PROFILEDIR=`cd ${CERTDIR}; pwd` + if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then + PROFILEDIR=`cygpath -m ${PROFILEDIR}` + fi + if [ -n "${MULTIACCESS_DBM}" ]; then + PROFILEDIR="multiaccess:${DOMAIN}" + fi + + noise +} + +############################# hw_acc ################################# +# local shell function to add hw accelerator modules to the db +######################################################################## +hw_acc() +{ + HW_ACC_RET=0 + HW_ACC_ERR="" + if [ -n "$O_HWACC" -a "$O_HWACC" = ON -a -z "$USE_64" ] ; then + echo "creating $CERTNAME s cert with hwaccelerator..." + #case $ACCELERATOR in + #rainbow) + + echo "modutil -add rainbow -libfile /usr/lib/libcryptoki22.so " + echo " -dbdir ${PROFILEDIR} 2>&1 " + echo | ${BINDIR}/modutil -add rainbow -libfile /usr/lib/libcryptoki22.so \ + -dbdir ${PROFILEDIR} 2>&1 + if [ "$?" -ne 0 ]; then + echo "modutil -add rainbow failed in `pwd`" + HW_ACC_RET=1 + HW_ACC_ERR="modutil -add rainbow" + fi + + echo "modutil -add ncipher " + echo " -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so " + echo " -dbdir ${PROFILEDIR} 2>&1 " + echo | ${BINDIR}/modutil -add ncipher \ + -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so \ + -dbdir ${PROFILEDIR} 2>&1 + if [ "$?" 
-ne 0 ]; then + echo "modutil -add ncipher failed in `pwd`" + HW_ACC_RET=`expr $HW_ACC_RET + 2` + HW_ACC_ERR="$HW_ACC_ERR,modutil -add ncipher" + fi + if [ "$HW_ACC_RET" -ne 0 ]; then + html_failed "Adding HW accelerators to certDB for ${CERTNAME} ($HW_ACC_RET) " + else + html_passed "Adding HW accelerators to certDB for ${CERTNAME}" + fi + + fi + return $HW_ACC_RET +} + +############################# cert_create_cert ######################### +# local shell function to create client certs +# initialize DB, import +# root cert +# add cert to DB +######################################################################## +cert_create_cert() +{ + cert_init_cert "$1" "$2" "$3" "$4" + + CU_ACTION="Initializing ${CERTNAME}'s Cert DB" + certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB" + modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + hw_acc + + CU_ACTION="Import Root CA for $CERTNAME" + certu -A -n "TestCA" -t "TC,TC,TC" -f "${R_PWFILE}" -d "${PROFILEDIR}" \ + -i "${R_CADIR}/TestCA.ca.cert" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Import DSA Root CA for $CERTNAME" + certu -A -n "TestCA-dsa" -t "TC,TC,TC" -f "${R_PWFILE}" \ + -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-dsa.ca.cert" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + + if [ -z "$NSS_DISABLE_ECC" ] ; then + CU_ACTION="Import EC Root CA for $CERTNAME" + certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \ + -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-ec.ca.cert" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + fi + + cert_add_cert "$5" + return $? 
+} + +############################# cert_add_cert ############################ +# local shell function to add client certs to an existing CERT DB +# generate request +# sign request +# import Cert +# +######################################################################## +cert_add_cert() +{ + CU_ACTION="Generate Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Sign ${CERTNAME}'s Request" + certu -C -c "TestCA" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Import $CERTNAME's Cert" + certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}.cert" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + cert_log "SUCCESS: $CERTNAME's Cert Created" + +# +# Generate and add DSA cert +# + CU_ACTION="Generate DSA Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -k dsa -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Sign ${CERTNAME}'s DSA Request" + certu -C -c "TestCA-dsa" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}-dsa.cert" -f "${R_PWFILE}" "$1" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Import $CERTNAME's DSA Cert" + certu -A -n "${CERTNAME}-dsa" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-dsa.cert" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + cert_log "SUCCESS: $CERTNAME's DSA Cert Created" + +# Generate DSA certificate signed with RSA + CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, 
E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -k dsa -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Sign ${CERTNAME}'s DSA Request with RSA" +# Avoid conflicting serial numbers with TestCA issuer by keeping +# this set far away. A smaller number risks colliding with the +# extended ssl user certificates. + NEWSERIAL=`expr ${CERTSERIAL} + 20000` + certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}-dsamixed.cert" -f "${R_PWFILE}" "$1" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Import $CERTNAME's mixed DSA Cert" + certu -A -n "${CERTNAME}-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + cert_log "SUCCESS: $CERTNAME's mixed DSA Cert Created" + +# +# Generate and add EC cert +# + if [ -z "$NSS_DISABLE_ECC" ] ; then + CURVE="secp384r1" + CU_ACTION="Generate EC Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Sign ${CERTNAME}'s EC Request" + certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Import $CERTNAME's EC Cert" + certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + cert_log "SUCCESS: $CERTNAME's EC Cert Created" + +# Generate EC certificate signed with RSA + CU_ACTION="Generate mixed EC Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, 
L=Mountain View, ST=California, C=US" + certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Sign ${CERTNAME}'s EC Request with RSA" +# Avoid conflicting serial numbers with TestCA issuer by keeping +# this set far away. A smaller number risks colliding with the +# extended ssl user certificates. + NEWSERIAL=`expr ${CERTSERIAL} + 10000` + certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" "$1" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Import $CERTNAME's mixed EC Cert" + certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + cert_log "SUCCESS: $CERTNAME's mixed EC Cert Created" + fi + + return 0 +} + +################################# cert_all_CA ################################ +# local shell function to build the additional Temp. 
Certificate Authority (CA) +# used for the "real life" ssl test with 2 different CA's in the +# client and in the server's dir +########################################################################## +cert_all_CA() +{ + echo nss > ${PWFILE} + + ALL_CU_SUBJECT="CN=NSS Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + cert_CA $CADIR TestCA -x "CTu,CTu,CTu" ${D_CA} "1" + + ALL_CU_SUBJECT="CN=NSS Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_CA $SERVER_CADIR serverCA -x "Cu,Cu,Cu" ${D_SERVER_CA} "2" + ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_CA $SERVER_CADIR chain-1-serverCA "-c serverCA" "u,u,u" ${D_SERVER_CA} "3" + ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_CA $SERVER_CADIR chain-2-serverCA "-c chain-1-serverCA" "u,u,u" ${D_SERVER_CA} "4" + + + + ALL_CU_SUBJECT="CN=NSS Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_CA $CLIENT_CADIR clientCA -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5" + ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_CA $CLIENT_CADIR chain-1-clientCA "-c clientCA" "u,u,u" ${D_CLIENT_CA} "6" + ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_CA $CLIENT_CADIR chain-2-clientCA "-c chain-1-clientCA" "u,u,u" ${D_CLIENT_CA} "7" + + rm $CLIENT_CADIR/root.cert $SERVER_CADIR/root.cert + + # root.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last + # in the chain + + +# +# Create DSA version of TestCA + ALL_CU_SUBJECT="CN=NSS Test CA (DSA), O=BOGUS NSS, L=Mountain View, ST=California, C=US" + cert_dsa_CA $CADIR TestCA-dsa -x "CTu,CTu,CTu" ${D_CA} "1" +# +# Create DSA versions of the intermediate CA certs + ALL_CU_SUBJECT="CN=NSS Server Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_dsa_CA $SERVER_CADIR serverCA-dsa -x "Cu,Cu,Cu" ${D_SERVER_CA} "2" + 
ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_dsa_CA $SERVER_CADIR chain-1-serverCA-dsa "-c serverCA-dsa" "u,u,u" ${D_SERVER_CA} "3" + ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_dsa_CA $SERVER_CADIR chain-2-serverCA-dsa "-c chain-1-serverCA-dsa" "u,u,u" ${D_SERVER_CA} "4" + + ALL_CU_SUBJECT="CN=NSS Client Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_dsa_CA $CLIENT_CADIR clientCA-dsa -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5" + ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_dsa_CA $CLIENT_CADIR chain-1-clientCA-dsa "-c clientCA-dsa" "u,u,u" ${D_CLIENT_CA} "6" + ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_dsa_CA $CLIENT_CADIR chain-2-clientCA-dsa "-c chain-1-clientCA-dsa" "u,u,u" ${D_CLIENT_CA} "7" + + rm $CLIENT_CADIR/dsaroot.cert $SERVER_CADIR/dsaroot.cert +# dsaroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last +# in the chain + + + + + if [ -z "$NSS_DISABLE_ECC" ] ; then +# +# Create EC version of TestCA + CA_CURVE="secp521r1" + ALL_CU_SUBJECT="CN=NSS Test CA (ECC), O=BOGUS NSS, L=Mountain View, ST=California, C=US" + cert_ec_CA $CADIR TestCA-ec -x "CTu,CTu,CTu" ${D_CA} "1" ${CA_CURVE} +# +# Create EC versions of the intermediate CA certs + ALL_CU_SUBJECT="CN=NSS Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_ec_CA $SERVER_CADIR serverCA-ec -x "Cu,Cu,Cu" ${D_SERVER_CA} "2" ${CA_CURVE} + ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_ec_CA $SERVER_CADIR chain-1-serverCA-ec "-c serverCA-ec" "u,u,u" ${D_SERVER_CA} "3" ${CA_CURVE} + ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_ec_CA $SERVER_CADIR chain-2-serverCA-ec "-c 
chain-1-serverCA-ec" "u,u,u" ${D_SERVER_CA} "4" ${CA_CURVE} + + ALL_CU_SUBJECT="CN=NSS Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_ec_CA $CLIENT_CADIR clientCA-ec -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5" ${CA_CURVE} + ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_ec_CA $CLIENT_CADIR chain-1-clientCA-ec "-c clientCA-ec" "u,u,u" ${D_CLIENT_CA} "6" ${CA_CURVE} + ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_ec_CA $CLIENT_CADIR chain-2-clientCA-ec "-c chain-1-clientCA-ec" "u,u,u" ${D_CLIENT_CA} "7" ${CA_CURVE} + + rm $CLIENT_CADIR/ecroot.cert $SERVER_CADIR/ecroot.cert +# ecroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last +# in the chain + + fi +} + +################################# cert_CA ################################ +# local shell function to build the Temp. Certificate Authority (CA) +# used for testing purposes, creating a CA Certificate and a root cert +########################################################################## +cert_CA() +{ + CUR_CADIR=$1 + NICKNAME=$2 + SIGNER=$3 + TRUSTARG=$4 + DOMAIN=$5 + CERTSERIAL=$6 + + echo "$SCRIPTNAME: Creating a CA Certificate $NICKNAME ==========================" + + if [ ! 
-d "${CUR_CADIR}" ]; then + mkdir -p "${CUR_CADIR}" + fi + cd ${CUR_CADIR} + pwd + + LPROFILE=`pwd` + if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then + LPROFILE=`cygpath -m ${LPROFILE}` + fi + if [ -n "${MULTIACCESS_DBM}" ]; then + LPROFILE="multiaccess:${DOMAIN}" + fi + + if [ "$SIGNER" = "-x" ] ; then # self signed -> create DB + CU_ACTION="Creating CA Cert DB" + certu -N -d "${LPROFILE}" -f ${R_PWFILE} 2>&1 + if [ "$RET" -ne 0 ]; then + Exit 5 "Fatal - failed to create CA $NICKNAME " + fi + + CU_ACTION="Loading root cert module to CA Cert DB" + modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${LPROFILE}" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + echo "$SCRIPTNAME: Certificate initialized ----------" + fi + + + ################# Creating CA Cert ###################################### + # + CU_ACTION="Creating CA Cert $NICKNAME " + CU_SUBJECT=$ALL_CU_SUBJECT + certu -S -n $NICKNAME -t $TRUSTARG -v 600 $SIGNER -d ${LPROFILE} -1 -2 -5 \ + -f ${R_PWFILE} -z ${R_NOISE_FILE} -m $CERTSERIAL 2>&1 <<CERTSCRIPT +5 +6 +9 +n +y +-1 +n +5 +6 +7 +9 +n +CERTSCRIPT + + if [ "$RET" -ne 0 ]; then + echo "return value is $RET" + Exit 6 "Fatal - failed to create CA cert" + fi + + ################# Exporting Root Cert ################################### + # + CU_ACTION="Exporting Root Cert" + certu -L -n $NICKNAME -r -d ${LPROFILE} -o root.cert + if [ "$RET" -ne 0 ]; then + Exit 7 "Fatal - failed to export root cert" + fi + cp root.cert ${NICKNAME}.ca.cert +} + + + + + +################################ cert_dsa_CA ############################# +# local shell function to build the Temp. Certificate Authority (CA) +# used for testing purposes, creating a CA Certificate and a root cert +# This is the ECC version of cert_CA. 
+########################################################################## +cert_dsa_CA() +{ + CUR_CADIR=$1 + NICKNAME=$2 + SIGNER=$3 + TRUSTARG=$4 + DOMAIN=$5 + CERTSERIAL=$6 + + echo "$SCRIPTNAME: Creating an DSA CA Certificate $NICKNAME ==========================" + + if [ ! -d "${CUR_CADIR}" ]; then + mkdir -p "${CUR_CADIR}" + fi + cd ${CUR_CADIR} + pwd + + LPROFILE=. + if [ -n "${MULTIACCESS_DBM}" ]; then + LPROFILE="multiaccess:${DOMAIN}" + fi + + ################# Creating an DSA CA Cert ############################### + # + CU_ACTION="Creating DSA CA Cert $NICKNAME " + CU_SUBJECT=$ALL_CU_SUBJECT + certu -S -n $NICKNAME -k dsa -t $TRUSTARG -v 600 $SIGNER \ + -d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \ + -m $CERTSERIAL 2>&1 <<CERTSCRIPT +5 +6 +9 +n +y +-1 +n +5 +6 +7 +9 +n +CERTSCRIPT + + if [ "$RET" -ne 0 ]; then + echo "return value is $RET" + Exit 6 "Fatal - failed to create DSA CA cert" + fi + + ################# Exporting DSA Root Cert ############################### + # + CU_ACTION="Exporting DSA Root Cert" + certu -L -n $NICKNAME -r -d ${LPROFILE} -o dsaroot.cert + if [ "$RET" -ne 0 ]; then + Exit 7 "Fatal - failed to export dsa root cert" + fi + cp dsaroot.cert ${NICKNAME}.ca.cert +} + + + + +################################ cert_ec_CA ############################## +# local shell function to build the Temp. Certificate Authority (CA) +# used for testing purposes, creating a CA Certificate and a root cert +# This is the ECC version of cert_CA. +########################################################################## +cert_ec_CA() +{ + CUR_CADIR=$1 + NICKNAME=$2 + SIGNER=$3 + TRUSTARG=$4 + DOMAIN=$5 + CERTSERIAL=$6 + CURVE=$7 + + echo "$SCRIPTNAME: Creating an EC CA Certificate $NICKNAME ==========================" + + if [ ! -d "${CUR_CADIR}" ]; then + mkdir -p "${CUR_CADIR}" + fi + cd ${CUR_CADIR} + pwd + + LPROFILE=. 
+ if [ -n "${MULTIACCESS_DBM}" ]; then + LPROFILE="multiaccess:${DOMAIN}" + fi + + ################# Creating an EC CA Cert ################################ + # + CU_ACTION="Creating EC CA Cert $NICKNAME " + CU_SUBJECT=$ALL_CU_SUBJECT + certu -S -n $NICKNAME -k ec -q $CURVE -t $TRUSTARG -v 600 $SIGNER \ + -d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \ + -m $CERTSERIAL 2>&1 <<CERTSCRIPT +5 +6 +9 +n +y +-1 +n +5 +6 +7 +9 +n +CERTSCRIPT + + if [ "$RET" -ne 0 ]; then + echo "return value is $RET" + Exit 6 "Fatal - failed to create EC CA cert" + fi + + ################# Exporting EC Root Cert ################################ + # + CU_ACTION="Exporting EC Root Cert" + certu -L -n $NICKNAME -r -d ${LPROFILE} -o ecroot.cert + if [ "$RET" -ne 0 ]; then + Exit 7 "Fatal - failed to export ec root cert" + fi + cp ecroot.cert ${NICKNAME}.ca.cert +} + +############################## cert_smime_client ############################# +# local shell function to create client Certificates for S/MIME tests +############################################################################## +cert_smime_client() +{ + CERTFAILED=0 + echo "$SCRIPTNAME: Creating Client CA Issued Certificates ==============" + + cert_create_cert ${ALICEDIR} "Alice" 30 ${D_ALICE} + cert_create_cert ${BOBDIR} "Bob" 40 ${D_BOB} + + echo "$SCRIPTNAME: Creating Dave's Certificate -------------------------" + cert_create_cert "${DAVEDIR}" Dave 50 ${D_DAVE} + +## XXX With this new script merging ECC and non-ECC tests, the +## call to cert_create_cert ends up creating two separate certs +## one for Eve and another for Eve-ec but they both end up with +## the same Subject Alt Name Extension, i.e., both the cert for +## Eve@bogus.com and the cert for Eve-ec@bogus.com end up +## listing eve@bogus.net in the Certificate Subject Alt Name extension. 
+## This can cause a problem later when cmsutil attempts to create +## enveloped data and accidently picks up the ECC cert (NSS currently +## does not support ECC for enveloped data creation). This script +## avoids the problem by ensuring that these conflicting certs are +## never added to the same cert database (see comment marked XXXX). + echo "$SCRIPTNAME: Creating multiEmail's Certificate --------------------" + cert_create_cert "${EVEDIR}" "Eve" 60 ${D_EVE} "-7 eve@bogus.net,eve@bogus.cc,beve@bogus.com" + + #echo "************* Copying CA files to ${SERVERDIR}" + #cp ${CADIR}/*.db . + #hw_acc + + ######################################################################### + # + #cd ${CERTDIR} + #CU_ACTION="Creating ${CERTNAME}'s Server Cert" + #CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS Netscape, L=Mountain View, ST=California, C=US" + #certu -S -n "${CERTNAME}" -c "TestCA" -t "u,u,u" -m "$CERTSERIAL" \ + # -d ${PROFILEDIR} -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1 + + #CU_ACTION="Export Dave's Cert" + #cd ${DAVEDIR} + #certu -L -n "Dave" -r -d ${P_R_DAVE} -o Dave.cert + + ################# Importing Certificates for S/MIME tests ############### + # + echo "$SCRIPTNAME: Importing Certificates ==============================" + CU_ACTION="Import Bob's cert into Alice's db" + certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ + -i ${R_BOBDIR}/Bob.cert 2>&1 + + CU_ACTION="Import Dave's cert into Alice's DB" + certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ + -i ${R_DAVEDIR}/Dave.cert 2>&1 + + CU_ACTION="Import Dave's cert into Bob's DB" + certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \ + -i ${R_DAVEDIR}/Dave.cert 2>&1 + + CU_ACTION="Import Eve's cert into Alice's DB" + certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ + -i ${R_EVEDIR}/Eve.cert 2>&1 + + CU_ACTION="Import Eve's cert into Bob's DB" + certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \ + -i ${R_EVEDIR}/Eve.cert 2>&1 + + if [ -z "$NSS_DISABLE_ECC" ] ; then + echo 
"$SCRIPTNAME: Importing EC Certificates ==============================" + CU_ACTION="Import Bob's EC cert into Alice's db" + certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ + -i ${R_BOBDIR}/Bob-ec.cert 2>&1 + + CU_ACTION="Import Dave's EC cert into Alice's DB" + certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ + -i ${R_DAVEDIR}/Dave-ec.cert 2>&1 + + CU_ACTION="Import Dave's EC cert into Bob's DB" + certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \ + -i ${R_DAVEDIR}/Dave-ec.cert 2>&1 + +## XXXX Do not import Eve's EC cert until we can make sure that +## the email addresses listed in the Subject Alt Name Extension +## inside Eve's ECC and non-ECC certs are different. +# CU_ACTION="Import Eve's EC cert into Alice's DB" +# certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ +# -i ${R_EVEDIR}/Eve-ec.cert 2>&1 + +# CU_ACTION="Import Eve's EC cert into Bob's DB" +# certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \ +# -i ${R_EVEDIR}/Eve-ec.cert 2>&1 + fi + + if [ "$CERTFAILED" != 0 ] ; then + cert_log "ERROR: SMIME failed $RET" + else + cert_log "SUCCESS: SMIME passed" + fi +} + +############################## cert_extended_ssl ####################### +# local shell function to create client + server certs for extended SSL test +######################################################################## +cert_extended_ssl() +{ + + ################# Creating Certs for extended SSL test #################### + # + CERTFAILED=0 + echo "$SCRIPTNAME: Creating Certificates, issued by the last ===============" + echo " of a chain of CA's which are not in the same database============" + + echo "Server Cert" + cert_init_cert ${EXT_SERVERDIR} "${HOSTADDR}" 1 ${D_EXT_SERVER} + + CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)" + certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)" + modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1 + + CU_ACTION="Generate Cert Request for 
$CERTNAME (ext)" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request (ext)" + cp ${CERTDIR}/req ${SERVER_CADIR} + certu -C -c "chain-2-serverCA" -m 200 -v 60 -d "${P_SERVER_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert -t u,u,u (ext)" + certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}.cert" 2>&1 + + CU_ACTION="Import Client Root CA -t T,, for $CERTNAME (ext.)" + certu -A -n "clientCA" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \ + -i "${CLIENT_CADIR}/clientCA.ca.cert" 2>&1 + +# +# Repeat the above for DSA certs +# + CU_ACTION="Generate DSA Cert Request for $CERTNAME (ext)" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s DSA Request (ext)" + cp ${CERTDIR}/req ${SERVER_CADIR} + certu -C -c "chain-2-serverCA-dsa" -m 200 -v 60 -d "${P_SERVER_CADIR}" \ + -i req -o "${CERTNAME}-dsa.cert" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Import $CERTNAME's DSA Cert -t u,u,u (ext)" + certu -A -n "${CERTNAME}-dsa" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-dsa.cert" 2>&1 + + CU_ACTION="Import Client DSA Root CA -t T,, for $CERTNAME (ext.)" + certu -A -n "clientCA-dsa" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \ + -i "${CLIENT_CADIR}/clientCA-dsa.ca.cert" 2>&1 +# +# done with DSA certs +# +# Repeat again for mixed DSA certs +# + CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME (ext)" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign 
${CERTNAME}'s mixed DSA Request (ext)" + cp ${CERTDIR}/req ${SERVER_CADIR} + certu -C -c "chain-2-serverCA" -m 202 -v 60 -d "${P_SERVER_CADIR}" \ + -i req -o "${CERTNAME}-dsamixed.cert" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Import $CERTNAME's mixed DSA Cert -t u,u,u (ext)" + certu -A -n "${CERTNAME}-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1 + +# CU_ACTION="Import Client mixed DSA Root CA -t T,, for $CERTNAME (ext.)" +# certu -A -n "clientCA-dsamixed" -t "T,," -f "${R_PWFILE}" \ +# -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-dsamixed.ca.cert" \ +# 2>&1 + + if [ -z "$NSS_DISABLE_ECC" ] ; then +# +# Repeat the above for EC certs +# + EC_CURVE="secp256r1" + CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)" + cp ${CERTDIR}/req ${SERVER_CADIR} + certu -C -c "chain-2-serverCA-ec" -m 200 -v 60 -d "${P_SERVER_CADIR}" \ + -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)" + certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1 + + CU_ACTION="Import Client EC Root CA -t T,, for $CERTNAME (ext.)" + certu -A -n "clientCA-ec" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \ + -i "${CLIENT_CADIR}/clientCA-ec.ca.cert" 2>&1 +# +# done with EC certs +# +# Repeat again for mixed EC certs +# + EC_CURVE="secp256r1" + CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s mixed EC Request 
(ext)" + cp ${CERTDIR}/req ${SERVER_CADIR} + certu -C -c "chain-2-serverCA" -m 201 -v 60 -d "${P_SERVER_CADIR}" \ + -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Import $CERTNAME's mixed EC Cert -t u,u,u (ext)" + certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1 + +# CU_ACTION="Import Client mixed EC Root CA -t T,, for $CERTNAME (ext.)" +# certu -A -n "clientCA-ecmixed" -t "T,," -f "${R_PWFILE}" \ +# -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-ecmixed.ca.cert" \ +# 2>&1 + fi + + echo "Importing all the server's own CA chain into the servers DB" + for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ; + do + N=`basename $CA | sed -e "s/.ca.cert//"` + if [ $N = "serverCA" -o $N = "serverCA-ec" -o $N = "serverCA-dsa" ] ; then + T="-t C,C,C" + else + T="-t u,u,u" + fi + CU_ACTION="Import $N CA $T for $CERTNAME (ext.) " + certu -A -n $N $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \ + -i "${CA}" 2>&1 + done +#============ + echo "Client Cert" + cert_init_cert ${EXT_CLIENTDIR} ExtendedSSLUser 1 ${D_EXT_CLIENT} + + CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)" + certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)" + modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1 + + CU_ACTION="Generate Cert Request for $CERTNAME (ext)" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" \ + -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request (ext)" + cp ${CERTDIR}/req ${CLIENT_CADIR} + certu -C -c "chain-2-clientCA" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert -t u,u,u (ext)" + certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}.cert" 2>&1 + 
CU_ACTION="Import Server Root CA -t C,C,C for $CERTNAME (ext.)" + certu -A -n "serverCA" -t "C,C,C" -f "${R_PWFILE}" -d "${PROFILEDIR}" \ + -i "${SERVER_CADIR}/serverCA.ca.cert" 2>&1 + +# +# Repeat the above for DSA certs +# + CU_ACTION="Generate DSA Cert Request for $CERTNAME (ext)" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s DSA Request (ext)" + cp ${CERTDIR}/req ${CLIENT_CADIR} + certu -C -c "chain-2-clientCA-dsa" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \ + -i req -o "${CERTNAME}-dsa.cert" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Import $CERTNAME's DSA Cert -t u,u,u (ext)" + certu -A -n "${CERTNAME}-dsa" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-dsa.cert" 2>&1 + + CU_ACTION="Import Server DSA Root CA -t C,C,C for $CERTNAME (ext.)" + certu -A -n "serverCA-dsa" -t "C,C,C" -f "${R_PWFILE}" \ + -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-dsa.ca.cert" 2>&1 +# +# done with DSA certs +# +# +# Repeat the above for mixed DSA certs +# + CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME (ext)" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s mixed DSA Request (ext)" + cp ${CERTDIR}/req ${CLIENT_CADIR} + certu -C -c "chain-2-clientCA" -m 302 -v 60 -d "${P_CLIENT_CADIR}" \ + -i req -o "${CERTNAME}-dsamixed.cert" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Import $CERTNAME's mixed DSA Cert -t u,u,u (ext)" + certu -A -n "${CERTNAME}-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1 + +# CU_ACTION="Import Server DSA Root CA -t C,C,C for $CERTNAME (ext.)" +# certu -A -n "serverCA-dsa" -t "C,C,C" -f "${R_PWFILE}" \ +# -d "${PROFILEDIR}" -i 
"${SERVER_CADIR}/serverCA-dsa.ca.cert" 2>&1 +# +# done with mixed DSA certs +# + + if [ -z "$NSS_DISABLE_ECC" ] ; then +# +# Repeat the above for EC certs +# + CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)" + cp ${CERTDIR}/req ${CLIENT_CADIR} + certu -C -c "chain-2-clientCA-ec" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \ + -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)" + certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1 + + CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)" + certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" \ + -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1 +# +# done with EC certs +# +# +# Repeat the above for mixed EC certs +# + CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s mixed EC Request (ext)" + cp ${CERTDIR}/req ${CLIENT_CADIR} + certu -C -c "chain-2-clientCA" -m 301 -v 60 -d "${P_CLIENT_CADIR}" \ + -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Import $CERTNAME's mixed EC Cert -t u,u,u (ext)" + certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1 + +# CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)" +# certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" \ +# -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1 +# +# done with 
mixed EC certs +# + fi + + echo "Importing all the client's own CA chain into the servers DB" + for CA in `find ${CLIENT_CADIR} -name "?*.ca.cert"` ; + do + N=`basename $CA | sed -e "s/.ca.cert//"` + if [ $N = "clientCA" -o $N = "clientCA-ec" -o $N = "clientCA-dsa" ] ; then + T="-t T,C,C" + else + T="-t u,u,u" + fi + CU_ACTION="Import $N CA $T for $CERTNAME (ext.)" + certu -A -n $N $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \ + -i "${CA}" 2>&1 + done + if [ "$CERTFAILED" != 0 ] ; then + cert_log "ERROR: EXT failed $RET" + else + cert_log "SUCCESS: EXT passed" + fi +} + +############################## cert_ssl ################################ +# local shell function to create client + server certs for SSL test +######################################################################## +cert_ssl() +{ + ################# Creating Certs for SSL test ########################### + # + CERTFAILED=0 + echo "$SCRIPTNAME: Creating Client CA Issued Certificates ===============" + cert_create_cert ${CLIENTDIR} "TestUser" 70 ${D_CLIENT} + + echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\" + echo " ${HOSTADDR} ------------------------------------" + cert_create_cert ${SERVERDIR} "${HOSTADDR}" 100 ${D_SERVER} + echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\" + echo " ${HOSTADDR}-sni --------------------------------" + CERTSERIAL=101 + CERTNAME="${HOST}-sni${sniCertCount}.${DOMSUF}" + cert_add_cert + CU_ACTION="Modify trust attributes of Root CA -t TC,TC,TC" + certu -M -n "TestCA" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}" + + CU_ACTION="Modify trust attributes of DSA Root CA -t TC,TC,TC" + certu -M -n "TestCA-dsa" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}" + + if [ -z "$NSS_DISABLE_ECC" ] ; then + CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC" + certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}" + fi +# cert_init_cert ${SERVERDIR} "${HOSTADDR}" 1 ${D_SERVER} +# echo "************* Copying CA files to 
${SERVERDIR}" +# cp ${CADIR}/*.db . +# hw_acc +# CU_ACTION="Creating ${CERTNAME}'s Server Cert" +# CU_SUBJECT="CN=${CERTNAME}, O=BOGUS Netscape, L=Mountain View, ST=California, C=US" +# certu -S -n "${CERTNAME}" -c "TestCA" -t "Pu,Pu,Pu" -d ${PROFILEDIR} \ +# -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1 + + if [ "$CERTFAILED" != 0 ] ; then + cert_log "ERROR: SSL failed $RET" + else + cert_log "SUCCESS: SSL passed" + fi + + echo "$SCRIPTNAME: Creating database for OCSP stapling tests ===============" + echo "cp -r ${SERVERDIR} ${STAPLINGDIR}" + cp -r ${R_SERVERDIR} ${R_STAPLINGDIR} + pk12u -o ${R_STAPLINGDIR}/ca.p12 -n TestCA -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_CADIR} + pk12u -i ${R_STAPLINGDIR}/ca.p12 -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_STAPLINGDIR} +} + +############################## cert_stresscerts ################################ +# local shell function to create client certs for SSL stresstest +######################################################################## +cert_stresscerts() +{ + + ############### Creating Certs for SSL stress test ####################### + # + CERTDIR="$CLIENTDIR" + cd "${CERTDIR}" + + PROFILEDIR=`cd ${CERTDIR}; pwd` + if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then + PROFILEDIR=`cygpath -m ${PROFILEDIR}` + fi + if [ -n "${MULTIACCESS_DBM}" ]; then + PROFILEDIR="multiaccess:${D_CLIENT}" + fi + CERTFAILED=0 + echo "$SCRIPTNAME: Creating Client CA Issued Certificates ===============" + + CONTINUE=$GLOB_MAX_CERT + CERTSERIAL=10 + + while [ $CONTINUE -ge $GLOB_MIN_CERT ] + do + CERTNAME="TestUser$CONTINUE" +# cert_add_cert ${CLIENTDIR} "TestUser$CONTINUE" $CERTSERIAL + cert_add_cert + CERTSERIAL=`expr $CERTSERIAL + 1 ` + CONTINUE=`expr $CONTINUE - 1 ` + done + if [ "$CERTFAILED" != 0 ] ; then + cert_log "ERROR: StressCert failed $RET" + else + cert_log "SUCCESS: StressCert passed" + fi +} + +############################## cert_fips ##################################### +# local shell function to create 
certificates for FIPS tests +############################################################################## +cert_fips() +{ + CERTFAILED=0 + echo "$SCRIPTNAME: Creating FIPS 140 DSA Certificates ==============" + cert_init_cert "${FIPSDIR}" "FIPS PUB 140 Test Certificate" 1000 "${D_FIPS}" + + CU_ACTION="Initializing ${CERTNAME}'s Cert DB" + certu -N -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1 + + CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)" + modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1 + + echo "$SCRIPTNAME: Enable FIPS mode on database -----------------------" + CU_ACTION="Enable FIPS mode on database for ${CERTNAME}" + echo "modutil -dbdir ${PROFILEDIR} -fips true " + ${BINDIR}/modutil -dbdir ${PROFILEDIR} -fips true 2>&1 <<MODSCRIPT +y +MODSCRIPT + RET=$? + if [ "$RET" -ne 0 ]; then + html_failed "${CU_ACTION} ($RET) " + cert_log "ERROR: ${CU_ACTION} failed $RET" + else + html_passed "${CU_ACTION}" + fi + + CU_ACTION="Generate Certificate for ${CERTNAME}" + CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US" + certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1 + if [ "$RET" -eq 0 ]; then + cert_log "SUCCESS: FIPS passed" + fi +} + +############################## cert_eccurves ########################### +# local shell function to create server certs for all EC curves +######################################################################## +cert_eccurves() +{ + ################# Creating Certs for EC curves test ######################## + # + if [ -z "$NSS_DISABLE_ECC" ] ; then + echo "$SCRIPTNAME: Creating Server CA Issued Certificate for " + echo " EC Curves Test Certificates ------------------------------------" + + cert_init_cert "${ECCURVES_DIR}" "EC Curves Test Certificates" 1 ${D_ECCURVES} + + CU_ACTION="Initializing EC Curve's Cert DB" + certu -N -d 
"${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Loading root cert module to EC Curve's Cert DB" + modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1 + + CU_ACTION="Import EC Root CA for $CERTNAME" + certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \ + -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-ec.ca.cert" 2>&1 + + CURVE_LIST="nistp256 nistp384 nistp521" + CERTSERIAL=2000 + + for CURVE in ${CURVE_LIST} + do + CERTFAILED=0 + CERTNAME="Curve-${CURVE}" + CERTSERIAL=`expr $CERTSERIAL + 1 ` + CU_ACTION="Generate EC Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + + if [ $RET -eq 0 ] ; then + CU_ACTION="Sign ${CERTNAME}'s EC Request" + certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1 + fi + + if [ $RET -eq 0 ] ; then + CU_ACTION="Import $CERTNAME's EC Cert" + certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1 + fi + done + + fi # $NSS_DISABLE_ECC +} + +########################### cert_extensions_test ############################# +# local shell function to test cert extensions generation +############################################################################## +cert_extensions_test() +{ + COUNT=`expr ${COUNT} + 1` + CERTNAME=TestExt${COUNT} + CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + + echo + echo certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \ + -t "u,u,u" -o ${CERT_EXTENSIONS_DIR}/tempcert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \ + -z "${R_NOISE_FILE}" -${OPT} \< ${TARG_FILE} + echo "certutil options:" + cat ${TARG_FILE} + ${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \ + -t "u,u,u" -o ${CERT_EXTENSIONS_DIR}/tempcert -s 
"${CU_SUBJECT}" -x -f ${R_PWFILE} \ + -z "${R_NOISE_FILE}" -${OPT} < ${TARG_FILE} + RET=$? + if [ "${RET}" -ne 0 ]; then + CERTFAILED=1 + html_failed "${TESTNAME} (${COUNT}) - Create and Add Certificate" + cert_log "ERROR: ${TESTNAME} - Create and Add Certificate failed" + return 1 + fi + + echo certutil -d ${CERT_EXTENSIONS_DIR} -L -n ${CERTNAME} + EXTLIST=`${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -L -n ${CERTNAME}` + RET=$? + echo "${EXTLIST}" + if [ "${RET}" -ne 0 ]; then + CERTFAILED=1 + html_failed "${TESTNAME} (${COUNT}) - List Certificate" + cert_log "ERROR: ${TESTNAME} - List Certificate failed" + return 1 + fi + + for FL in `echo ${FILTERLIST} | tr \| ' '`; do + FL="`echo ${FL} | tr _ ' '`" + EXPSTAT=0 + if [ X`echo "${FL}" | cut -c 1` = 'X!' ]; then + EXPSTAT=1 + FL=`echo ${FL} | tr -d '!'` + fi + echo "${EXTLIST}" | grep "${FL}" >/dev/null 2>&1 + RET=$? + if [ "${RET}" -ne "${EXPSTAT}" ]; then + CERTFAILED=1 + html_failed "${TESTNAME} (${COUNT}) - Looking for ${FL}" "returned ${RET}, expected is ${EXPSTAT}" + cert_log "ERROR: ${TESTNAME} - Looking for ${FL} failed" + return 1 + fi + done + + html_passed "${TESTNAME} (${COUNT})" + return 0 +} + +############################## cert_extensions ############################### +# local shell function to run cert extensions tests +############################################################################## +cert_extensions() +{ + CERTNAME=TestExt + cert_create_cert ${CERT_EXTENSIONS_DIR} ${CERTNAME} 90 ${D_CERT_EXTENSTIONS} + TARG_FILE=${CERT_EXTENSIONS_DIR}/test.args + + COUNT=0 + while read ARG OPT FILTERLIST; do + if [ X"`echo ${ARG} | cut -c 1`" = "X#" ]; then + continue + fi + if [ X"`echo ${ARG} | cut -c 1`" = "X!" 
]; then + TESTNAME="${FILTERLIST}" + continue + fi + if [ X"${ARG}" = "X=" ]; then + cert_extensions_test + rm -f ${TARG_FILE} + else + echo ${ARG} >> ${TARG_FILE} + fi + done < ${QADIR}/cert/certext.txt +} + +cert_make_with_param() +{ + DIRPASS="$1" + CERTNAME="$2" + MAKE="$3" + SUBJ="$4" + EXTRA="$5" + EXPECT="$6" + TESTNAME="$7" + + echo certutil ${DIRPASS} -s "${SUBJ}" ${MAKE} ${CERTNAME} ${EXTRA} + ${BINDIR}/certutil ${DIRPASS} -s "${SUBJ}" ${MAKE} ${CERTNAME} ${EXTRA} + + RET=$? + if [ "${RET}" -ne "${EXPECT}" ]; then + # if we expected failure to create, then delete unexpected certificate + if [ "${EXPECT}" -ne 0 ]; then + ${BINDIR}/certutil ${DIRPASS} -D ${CERTNAME} + fi + + CERTFAILED=1 + html_failed "${TESTNAME} (${COUNT}) - ${EXTRA}" + cert_log "ERROR: ${TESTNAME} - ${EXTRA} failed" + return 1 + fi + + html_passed "${TESTNAME} (${COUNT})" + return 0 +} + +cert_list_and_count_dns() +{ + DIRPASS="$1" + CERTNAME="$2" + EXPECT="$3" + EXPECTCOUNT="$4" + TESTNAME="$5" + + echo certutil ${DIRPASS} -L ${CERTNAME} + ${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} + + RET=$? + if [ "${RET}" -ne "${EXPECT}" ]; then + CERTFAILED=1 + html_failed "${TESTNAME} (${COUNT}) - list and count" + cert_log "ERROR: ${TESTNAME} - list and count failed" + return 1 + fi + + LISTCOUNT=`${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} | grep -wc DNS` + if [ "${LISTCOUNT}" -ne "${EXPECTCOUNT}" ]; then + CERTFAILED=1 + html_failed "${TESTNAME} (${COUNT}) - list and count" + cert_log "ERROR: ${TESTNAME} - list and count failed" + return 1 + fi + + html_passed "${TESTNAME} (${COUNT})" + return 0 +} + +cert_dump_ext_to_file() +{ + DIRPASS="$1" + CERTNAME="$2" + OID="$3" + OUTFILE="$4" + EXPECT="$5" + TESTNAME="$6" + + echo certutil ${DIRPASS} -L ${CERTNAME} --dump-ext-val ${OID} + echo "writing output to ${OUTFILE}" + ${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} --dump-ext-val ${OID} > ${OUTFILE} + + RET=$? 
+ if [ "${RET}" -ne "${EXPECT}" ]; then + CERTFAILED=1 + html_failed "${TESTNAME} (${COUNT}) - dump to file" + cert_log "ERROR: ${TESTNAME} - dump to file failed" + return 1 + fi + + html_passed "${TESTNAME} (${COUNT})" + return 0 +} + +cert_delete() +{ + DIRPASS="$1" + CERTNAME="$2" + EXPECT="$3" + TESTNAME="$4" + + echo certutil ${DIRPASS} -D ${CERTNAME} + ${BINDIR}/certutil ${DIRPASS} -D ${CERTNAME} + + RET=$? + if [ "${RET}" -ne "${EXPECT}" ]; then + CERTFAILED=1 + html_failed "${TESTNAME} (${COUNT}) - delete cert" + cert_log "ERROR: ${TESTNAME} - delete cert failed" + return 1 + fi + + html_passed "${TESTNAME} (${COUNT})" + return 0 +} + +cert_inc_count() +{ + COUNT=`expr ${COUNT} + 1` +} + +############################## cert_crl_ssl ############################ +# test adding subject-alt-name, dumping, and adding generic extension +######################################################################## +cert_san_and_generic_extensions() +{ + EXTDUMP=${CERT_EXTENSIONS_DIR}/sanext.der + + DIR="-d ${CERT_EXTENSIONS_DIR} -f ${R_PWFILE}" + CERTNAME="-n WithSAN" + MAKE="-S -t ,, -x -z ${R_NOISE_FILE}" + SUBJ="CN=example.com" + + TESTNAME="san-and-generic-extensions" + + cert_inc_count + cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ + "--extSAN example.com" 255 \ + "create cert with invalid SAN parameter" + + cert_inc_count + cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ + "--extSAN example.com,dns:www.example.com" 255 \ + "create cert with invalid SAN parameter" + + TN="create cert with valid SAN parameter" + + cert_inc_count + cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ + "--extSAN dns:example.com,dns:www.example.com" 0 \ + "${TN}" + + cert_inc_count + cert_list_and_count_dns "${DIR}" "${CERTNAME}" 0 2 \ + "${TN}" + + cert_inc_count + cert_dump_ext_to_file "${DIR}" "${CERTNAME}" "2.5.29.17" "${EXTDUMP}" 0 \ + "dump extension 2.5.29.17 to file ${EXTDUMP}" + + cert_inc_count + cert_delete "${DIR}" 
"${CERTNAME}" 0 \ + "${TN}" + + cert_inc_count + cert_list_and_count_dns "${DIR}" "${CERTNAME}" 255 0 \ + "expect failure to list cert, because we deleted it" + + cert_inc_count + cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ + "--extGeneric ${EXTDUMP}" 255 \ + "create cert with invalid generic ext parameter" + + cert_inc_count + cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ + "--extGeneric not-critical:${EXTDUMP}" 255 \ + "create cert with invalid generic ext parameter" + + cert_inc_count + cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ + "--extGeneric not-critical:${EXTDUMP},2.5.29.17:critical:${EXTDUMP}" 255 \ + "create cert with invalid generic ext parameter" + + TN="create cert with valid generic ext parameter" + + cert_inc_count + cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ + "--extGeneric 2.5.29.17:not-critical:${EXTDUMP}" 0 \ + "${TN}" + + cert_inc_count + cert_list_and_count_dns "${DIR}" "${CERTNAME}" 0 2 \ + "${TN}" + + cert_inc_count + cert_delete "${DIR}" "${CERTNAME}" 0 \ + "${TN}" + + cert_inc_count + cert_list_and_count_dns "${DIR}" "${CERTNAME}" 255 0 \ + "expect failure to list cert, because we deleted it" +} + +############################## cert_crl_ssl ############################ +# local shell function to generate certs and crls for SSL tests +######################################################################## +cert_crl_ssl() +{ + + ################# Creating Certs ################################### + # + CERTFAILED=0 + CERTSERIAL=${CRL_GRP_1_BEGIN} + + cd $CADIR + + PROFILEDIR=`cd ${CLIENTDIR}; pwd` + if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then + PROFILEDIR=`cygpath -m ${PROFILEDIR}` + fi + CRL_GRPS_END=`expr ${CRL_GRP_1_BEGIN} + ${TOTAL_CRL_RANGE} - 1` + echo "$SCRIPTNAME: Creating Client CA Issued Certificates Range $CRL_GRP_1_BEGIN - $CRL_GRPS_END ===" + CU_ACTION="Creating client test certs" + + while [ $CERTSERIAL -le $CRL_GRPS_END 
] + do + CERTNAME="TestUser$CERTSERIAL" + cert_add_cert + CERTSERIAL=`expr $CERTSERIAL + 1 ` + done + + #################### CRL Creation ############################## + CRL_GEN_RES=0 + echo "$SCRIPTNAME: Creating CA CRL =====================================" + + CRL_GRP_END=`expr ${CRL_GRP_1_BEGIN} + ${CRL_GRP_1_RANGE} - 1` + CRL_FILE_GRP_1=${R_SERVERDIR}/root.crl_${CRL_GRP_1_BEGIN}-${CRL_GRP_END} + CRL_FILE=${CRL_FILE_GRP_1} + + CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"` + CU_ACTION="Generating CRL for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA authority" + CRL_GRP_END_=`expr ${CRL_GRP_END} - 1` + crlu -d $CADIR -G -n "TestCA" -f ${R_PWFILE} \ + -o ${CRL_FILE_GRP_1}_or <<EOF_CRLINI +update=$CRLUPDATE +addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE +addext reasonCode 0 4 +addext issuerAltNames 0 "rfc822Name:caemail@ca.com|dnsName:ca.com|directoryName:CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca.com|ipAddress:192.168.0.1|registerID=reg CA" +EOF_CRLINI +# This extension should be added to the list, but currently nss has bug +#addext authKeyId 0 "CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" 1 + CRL_GEN_RES=`expr $? + $CRL_GEN_RES` + chmod 600 ${CRL_FILE_GRP_1}_or + + + CU_ACTION="Generating CRL (DSA) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-dsa authority" + +# Until Bug 292285 is resolved, do not encode x400 Addresses. After +# the bug is resolved, reintroduce "x400Address:x400Address" within +# addext issuerAltNames ... + crlu -q -d $CADIR -G -n "TestCA-dsa" -f ${R_PWFILE} \ + -o ${CRL_FILE_GRP_1}_or-dsa <<EOF_CRLINI +update=$CRLUPDATE +addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE +addext reasonCode 0 4 +addext issuerAltNames 0 "rfc822Name:ca-dsaemail@ca.com|dnsName:ca-dsa.com|directoryName:CN=NSS Test CA (DSA),O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca-dsa.com|ipAddress:192.168.0.1|registerID=reg CA (DSA)" +EOF_CRLINI + CRL_GEN_RES=`expr $? 
+ $CRL_GEN_RES` + chmod 600 ${CRL_FILE_GRP_1}_or-dsa + + + + if [ -z "$NSS_DISABLE_ECC" ] ; then + CU_ACTION="Generating CRL (ECC) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-ec authority" + +# Until Bug 292285 is resolved, do not encode x400 Addresses. After +# the bug is resolved, reintroduce "x400Address:x400Address" within +# addext issuerAltNames ... + crlu -q -d $CADIR -G -n "TestCA-ec" -f ${R_PWFILE} \ + -o ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI +update=$CRLUPDATE +addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE +addext reasonCode 0 4 +addext issuerAltNames 0 "rfc822Name:ca-ecemail@ca.com|dnsName:ca-ec.com|directoryName:CN=NSS Test CA (ECC),O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca-ec.com|ipAddress:192.168.0.1|registerID=reg CA (ECC)" +EOF_CRLINI + CRL_GEN_RES=`expr $? + $CRL_GEN_RES` + chmod 600 ${CRL_FILE_GRP_1}_or-ec + fi + + echo test > file + ############################# Modification ################################## + + echo "$SCRIPTNAME: Modifying CA CRL by adding one more cert ============" + sleep 2 + CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"` + CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"` + CU_ACTION="Modify CRL by adding one more cert" + crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}_or1 \ + -i ${CRL_FILE_GRP_1}_or <<EOF_CRLINI +update=$CRLUPDATE +addcert ${CRL_GRP_END} $CRL_GRP_DATE +EOF_CRLINI + CRL_GEN_RES=`expr $? + $CRL_GEN_RES` + chmod 600 ${CRL_FILE_GRP_1}_or1 + TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or" + + + CU_ACTION="Modify CRL (DSA) by adding one more cert" + crlu -d $CADIR -M -n "TestCA-dsa" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}_or1-dsa \ + -i ${CRL_FILE_GRP_1}_or-dsa <<EOF_CRLINI +update=$CRLUPDATE +addcert ${CRL_GRP_END} $CRL_GRP_DATE +EOF_CRLINI + CRL_GEN_RES=`expr $? 
+ $CRL_GEN_RES` + chmod 600 ${CRL_FILE_GRP_1}_or1-dsa + TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-dsa" + + + if [ -z "$NSS_DISABLE_ECC" ] ; then + CU_ACTION="Modify CRL (ECC) by adding one more cert" + crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} \ + -o ${CRL_FILE_GRP_1}_or1-ec -i ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI +update=$CRLUPDATE +addcert ${CRL_GRP_END} $CRL_GRP_DATE +EOF_CRLINI + CRL_GEN_RES=`expr $? + $CRL_GEN_RES` + chmod 600 ${CRL_FILE_GRP_1}_or1-ec + TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-ec" + fi + + ########### Removing one cert ${UNREVOKED_CERT_GRP_1} ####################### + echo "$SCRIPTNAME: Modifying CA CRL by removing one cert ===============" + CU_ACTION="Modify CRL by removing one cert" + sleep 2 + CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"` + crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1} \ + -i ${CRL_FILE_GRP_1}_or1 <<EOF_CRLINI +update=$CRLUPDATE +rmcert ${UNREVOKED_CERT_GRP_1} +EOF_CRLINI + chmod 600 ${CRL_FILE_GRP_1} + TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1" + + + CU_ACTION="Modify CRL (DSA) by removing one cert" + sleep 2 + CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"` + crlu -d $CADIR -M -n "TestCA-dsa" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1} \ + -i ${CRL_FILE_GRP_1}_or1 <<EOF_CRLINI +update=$CRLUPDATE +rmcert ${UNREVOKED_CERT_GRP_1} +EOF_CRLINI + chmod 600 ${CRL_FILE_GRP_1} + TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1-dsa" + + + + if [ -z "$NSS_DISABLE_ECC" ] ; then + CU_ACTION="Modify CRL (ECC) by removing one cert" + crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}-ec \ + -i ${CRL_FILE_GRP_1}_or1-ec <<EOF_CRLINI +update=$CRLUPDATE +rmcert ${UNREVOKED_CERT_GRP_1} +EOF_CRLINI + chmod 600 ${CRL_FILE_GRP_1}-ec + TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1-ec" + fi + + ########### Creating second CRL which includes groups 1 and 2 ############## + CRL_GRP_END=`expr ${CRL_GRP_2_BEGIN} + ${CRL_GRP_2_RANGE} - 1` + CRL_FILE_GRP_2=${R_SERVERDIR}/root.crl_${CRL_GRP_2_BEGIN}-${CRL_GRP_END} + + echo "$SCRIPTNAME: 
Creating CA CRL for groups 1 and 2 ===============" + sleep 2 + CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"` + CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"` + CU_ACTION="Creating CRL for groups 1 and 2" + crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_2} \ + -i ${CRL_FILE_GRP_1} <<EOF_CRLINI +update=$CRLUPDATE +addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE +addext invalidityDate 0 $CRLUPDATE +rmcert ${UNREVOKED_CERT_GRP_2} +EOF_CRLINI + CRL_GEN_RES=`expr $? + $CRL_GEN_RES` + chmod 600 ${CRL_FILE_GRP_2} + if [ -z "$NSS_DISABLE_ECC" ] ; then + CU_ACTION="Creating CRL (ECC) for groups 1 and 2" + crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_2}-ec \ + -i ${CRL_FILE_GRP_1}-ec <<EOF_CRLINI +update=$CRLUPDATE +addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE +addext invalidityDate 0 $CRLUPDATE +rmcert ${UNREVOKED_CERT_GRP_2} +EOF_CRLINI + CRL_GEN_RES=`expr $? + $CRL_GEN_RES` + chmod 600 ${CRL_FILE_GRP_2}-ec + fi + + ########### Creating second CRL which includes groups 1, 2 and 3 ############## + CRL_GRP_END=`expr ${CRL_GRP_3_BEGIN} + ${CRL_GRP_3_RANGE} - 1` + CRL_FILE_GRP_3=${R_SERVERDIR}/root.crl_${CRL_GRP_3_BEGIN}-${CRL_GRP_END} + + + + echo "$SCRIPTNAME: Creating CA CRL for groups 1, 2 and 3 ===============" + sleep 2 + CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"` + CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"` + CU_ACTION="Creating CRL for groups 1, 2 and 3" + crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_3} \ + -i ${CRL_FILE_GRP_2} <<EOF_CRLINI +update=$CRLUPDATE +addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE +rmcert ${UNREVOKED_CERT_GRP_3} +addext crlNumber 0 2 +EOF_CRLINI + CRL_GEN_RES=`expr $? 
+ $CRL_GEN_RES` + chmod 600 ${CRL_FILE_GRP_3} + if [ -z "$NSS_DISABLE_ECC" ] ; then + CU_ACTION="Creating CRL (ECC) for groups 1, 2 and 3" + crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_3}-ec \ + -i ${CRL_FILE_GRP_2}-ec <<EOF_CRLINI +update=$CRLUPDATE +addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE +rmcert ${UNREVOKED_CERT_GRP_3} +addext crlNumber 0 2 +EOF_CRLINI + CRL_GEN_RES=`expr $? + $CRL_GEN_RES` + chmod 600 ${CRL_FILE_GRP_3}-ec + fi + + ############ Importing Server CA Issued CRL for certs of first group ####### + + echo "$SCRIPTNAME: Importing Server CA Issued CRL for certs ${CRL_GRP_BEGIN} trough ${CRL_GRP_END}" + CU_ACTION="Importing CRL for groups 1" + crlu -D -n TestCA -f "${R_PWFILE}" -d "${R_SERVERDIR}" + crlu -I -i ${CRL_FILE} -n "TestCA" -f "${R_PWFILE}" -d "${R_SERVERDIR}" + CRL_GEN_RES=`expr $? + $CRL_GEN_RES` + if [ -z "$NSS_DISABLE_ECC" ] ; then + CU_ACTION="Importing CRL (ECC) for groups 1" + crlu -D -n TestCA-ec -f "${R_PWFILE}" -d "${R_SERVERDIR}" + crlu -I -i ${CRL_FILE}-ec -n "TestCA-ec" -f "${R_PWFILE}" \ + -d "${R_SERVERDIR}" + CRL_GEN_RES=`expr $? 
+ $CRL_GEN_RES` + fi + + if [ "$CERTFAILED" != 0 -o "$CRL_GEN_RES" != 0 ] ; then + cert_log "ERROR: SSL CRL prep failed $CERTFAILED : $CRL_GEN_RES" + else + cert_log "SUCCESS: SSL CRL prep passed" + fi +} + +################# +# Verify the we can successfully change the password on the database +# +cert_test_password() +{ + CERTFAILED=0 + echo "$SCRIPTNAME: Create A Password Test Cert ==============" + cert_init_cert "${DBPASSDIR}" "Password Test Cert" 1000 "${D_DBPASSDIR}" + + echo "$SCRIPTNAME: Create A Password Test Ca --------" + ALL_CU_SUBJECT="CN=NSS Password Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + cert_CA ${DBPASSDIR} PasswordCA -x "CTu,CTu,CTu" ${D_DBPASS} "1" + + # now change the password + CU_ACTION="Changing password on ${CERTNAME}'s Cert DB" + certu -W -d "${PROFILEDIR}" -f "${R_PWFILE}" -@ "${R_FIPSPWFILE}" 2>&1 + + # finally make sure we can use the old key with the new password + CU_ACTION="Generate Certificate for ${CERTNAME} with new password" + CU_SUBJECT="CN=${CERTNAME}, E=password@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -S -n PasswordCert -c PasswordCA -t "u,u,u" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -z "${R_NOISE_FILE}" 2>&1 + if [ "$RET" -eq 0 ]; then + cert_log "SUCCESS: PASSWORD passed" + fi + CU_ACTION="Verify Certificate for ${CERTNAME} with new password" + certu -V -n PasswordCert -u S -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1 +} + +############################### +# test if we can distrust a certificate. +# +# we create 3 new certs: +# 1 leaf signed by the trusted root. +# 1 intermediate signed by the trusted root. +# 1 leaf signed by the intermediate. +# +# we mark the first leaf and the intermediate as explicitly untrusted. +# we then try to verify the two leaf certs for our possible usages. +# All verification should fail. 
+# +cert_test_distrust() +{ + echo "$SCRIPTNAME: Creating Distrusted Certificate" + cert_create_cert ${DISTRUSTDIR} "Distrusted" 2000 ${D_DISTRUST} + CU_ACTION="Mark CERT as unstrusted" + certu -M -n "Distrusted" -t p,p,p -d ${PROFILEDIR} -f "${R_PWFILE}" 2>&1 + echo "$SCRIPTNAME: Creating Distrusted Intermediate" + CERTNAME="DistrustedCA" + ALL_CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + cert_CA ${CADIR} "${CERTNAME}" "-c TestCA" ",," ${D_CA} 2010 2>&1 + CU_ACTION="Import Distrusted Intermediate" + certu -A -n "${CERTNAME}" -t "p,p,p" -f "${R_PWFILE}" -d "${PROFILEDIR}" \ + -i "${R_CADIR}/DistrustedCA.ca.cert" 2>&1 + + # now create the last leaf signed by our distrusted CA + # since it's not signed by TestCA it requires more steps. + CU_ACTION="Generate Cert Request for Leaf Chained to Distrusted CA" + CERTNAME="LeafChainedToDistrustedCA" + CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" + cp ${CERTDIR}/req ${CADIR} + certu -C -c "DistrustedCA" -m 100 -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert -t u,u,u" + certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}.cert" 2>&1 + + RETEXPECTED=255 + CU_ACTION="Verify ${CERTNAME} Cert for SSL Server" + certu -V -n ${CERTNAME} -u V -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + CU_ACTION="Verify ${CERTNAME} Cert for SSL Client" + certu -V -n ${CERTNAME} -u C -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + CU_ACTION="Verify ${CERTNAME} Cert for Email signer" + certu -V -n ${CERTNAME} -u S -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + CU_ACTION="Verify ${CERTNAME} Cert for Email recipient" + certu -V -n ${CERTNAME} -u R -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + CU_ACTION="Verify ${CERTNAME} 
Cert for OCSP responder" + certu -V -n ${CERTNAME} -u O -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + CU_ACTION="Verify ${CERTNAME} Cert for Object Signer" + certu -V -n ${CERTNAME} -u J -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + + CERTNAME="Distrusted" + CU_ACTION="Verify ${CERTNAME} Cert for SSL Server" + certu -V -n ${CERTNAME} -u V -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + CU_ACTION="Verify ${CERTNAME} Cert for SSL Client" + certu -V -n ${CERTNAME} -u C -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + CU_ACTION="Verify ${CERTNAME} Cert for Email signer" + certu -V -n ${CERTNAME} -u S -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + CU_ACTION="Verify ${CERTNAME} Cert for Email recipient" + certu -V -n ${CERTNAME} -u R -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + CU_ACTION="Verify ${CERTNAME} Cert for OCSP responder" + certu -V -n ${CERTNAME} -u O -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + CU_ACTION="Verify ${CERTNAME} Cert for Object Signer" + certu -V -n ${CERTNAME} -u J -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + RETEXPECTED=0 +} + +cert_test_ocspresp() +{ + echo "$SCRIPTNAME: OCSP response creation selftest" + OR_ACTION="perform selftest" + RETEXPECTED=0 + ocspr ${SERVER_CADIR} "serverCA" "chain-1-serverCA" -f "${R_PWFILE}" 2>&1 +} + +############################## cert_cleanup ############################ +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +cert_cleanup() +{ + cert_log "$SCRIPTNAME: finished $SCRIPTNAME" + html "</TABLE><BR>" + cd ${QADIR} + . 
common/cleanup.sh +} + +################## main ################################################# + +cert_init +cert_all_CA +cert_extended_ssl +cert_ssl +cert_smime_client +if [ -z "$NSS_TEST_DISABLE_FIPS" ]; then + cert_fips +fi +cert_eccurves +cert_extensions +cert_san_and_generic_extensions +cert_test_password +cert_test_distrust +cert_test_ocspresp + +if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then + cert_crl_ssl +else + echo "$SCRIPTNAME: Skipping CRL Tests" +fi + +if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then + cert_stresscerts +fi + +cert_iopr_setup + +cert_cleanup diff --git a/security/nss/tests/cert/certext.txt b/security/nss/tests/cert/certext.txt new file mode 100644 index 000000000..4bcda814f --- /dev/null +++ b/security/nss/tests/cert/certext.txt 
@@ -0,0 +1,130 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# File syntax: +# '#' comments. +# If the line starts from '!'('! TEST_N Test Name String'), +# then 'Test Name String' will be the name of a test(starting +# from second space till the rest of the line). +# All uncommented lines are hard codded answers to certutil +# extension questions. +# Line '= N string1|string2|string3': '=' is a stop sign +# of certutil inputs and start of the test. 'N' is the number +# of extension that will be tested. 'string1|string2|string3' +# are grep patterns for test result verification. '_' in stringN +# will be replaced to a space. +# ################################################################ +! TEST_1 Certificate Key Usage Extension +0 +1 +2 +3 +4 +5 +6 +10 +n += 1 Certificate_Key_Usage|Digital_Signature|Non-Repudiation|Key_Encipherment|Data_Encipherment|Key_Agreement|Certificate_Signing|CRL_Signing +# ################################################################ +! TEST_2 Certificate Key Usage Extension +0 +1 +2 +3 +4 +5 +6 +10 +y += 1 Certificate_Key_Usage|Digital_Signature|Critical:_True +# ################################################################ +! TEST_3 Certificate Basic Constraints Extension +y +-1 +n += 2 Name:_Certificate_Basic_Constraints|Data:_Is_a_CA_with_no_maximum +# ################################################################ +! TEST_4 Certificate Basic Constraints Extension +n +-1 +y += 2 Name:_Certificate_Basic_Constraints|Data:_Is_not_a_CA|Critical:_True +# ################################################################ +! TEST_5 Certificate Authority Key Identifier Extension +y +12341235123 + + +y += 3 Name:_Certificate_Authority_Key_Identifier|Critical:_True|Key_ID:|12341235123 +# ################################################################ +! 
TEST_6 Certificate Authority Key Identifier Extension +y + +3 +test.com + +214123 +y += 3 Name:_Certificate_Authority_Key_Identifier|Critical:_True|Issuer:|DNS_name:_"test.com"|Serial_Number:|214123 +# ################################################################ +! TEST_7 CRL Distribution Points Extension +1 +2 +rfc822@name.tld +3 +test.com +8 +1.2.3.4 +9 +OID.0.2.213 +10 +0 +10 +n +n += 4 Name:_CRL_Distribution_Points|rfc822@name.tld +# ################################################################# +! TEST_8 CRL Distribution Points Extension +2 +SN=asdfsdf +4 +3 +test.com +10 +n +n += 4 Name:_CRL_Distribution_Points|asdfsdf|Reasons:|DNS_name:_"test.com" +# ################################################################ +! TEST_9 Certificate Type Extension +0 +1 +2 +10 +n += 5 Name:_Certificate_Type|Data:_<SSL_Client,SSL_Server,S/MIME> +# ################################################################ +! TEST_10 Extended Key Usage Extension +0 +1 +2 +3 +4 +5 +6 +10 +y += 6 Name:_Extended_Key_Usage|Critical:_True|TLS_Web_Server_Authentication_Certificate|TLS_Web_Client_Authentication_Certificate|Code_Signing_Certificate|E-Mail_Protection_Certificate|Time_Stamping_Certifcate|OCSP_Responder_Certificate|Strong_Crypto_Export_Approved +# ################################################################ +! TEST_11 Certificate Key Usage Extension + +1 +2 +3 +4 +5 +6 +10 +n += 1 Certificate_Key_Usage|!Digital_Signature|Non-Repudiation|Key_Encipherment|Data_Encipherment|Key_Agreement|Certificate_Signing|CRL_Signing diff --git a/security/nss/tests/chains/chains.sh b/security/nss/tests/chains/chains.sh new file mode 100755 index 000000000..4c3fa57a0 --- /dev/null +++ b/security/nss/tests/chains/chains.sh 
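Review bot: The file-syntax header in this hunk does not describe the leading `!` that TEST_11 uses in its result pattern (`!Digital_Signature`), so a reader cannot tell from the file whether it negates the grep. Since TEST_11's first answer line is blank (key-usage bit 0 left unselected), it presumably asserts that the string is absent from the output, but that should be stated where the `=` line and `_` substitution are documented, e.g. `# A leading '!' in stringN means the pattern must NOT appear in the output.` Separately, `Time_Stamping_Certifcate` in TEST_10 is spelled differently from the surrounding names; if it deliberately mirrors certutil's own output string, a one-line comment saying so would keep a future maintainer from "correcting" it and breaking the match.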
@@ -0,0 +1,1308 @@ +#!/bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/cert/chains.sh +# +# Script to test certificate chains validity. +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +######################################################################## + +########################### is_httpserv_alive ########################## +# local shell function to exit with a fatal error if selfserver is not +# running +######################################################################## +is_httpserv_alive() +{ + if [ ! -f "${HTTPPID}" ]; then + echo "$SCRIPTNAME: Error - httpserv PID file ${HTTPPID} doesn't exist" + sleep 5 + if [ ! -f "${HTTPPID}" ]; then + Exit 9 "Fatal - httpserv pid file ${HTTPPID} does not exist" + fi + fi + + if [ "${OS_ARCH}" = "WINNT" ] && \ + [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then + PID=${SHELL_HTTPPID} + else + PID=`cat ${HTTPPID}` + fi + + echo "kill -0 ${PID} >/dev/null 2>/dev/null" + kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - httpserv process not detectable" + + echo "httpserv with PID ${PID} found at `date`" +} + +########################### wait_for_httpserv ########################## +# local shell function to wait until httpserver is running and initialized +######################################################################## +wait_for_httpserv() +{ + echo "trying to connect to httpserv at `date`" + echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v" + ${BINDIR}/tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v + if [ $? 
-ne 0 ]; then + sleep 5 + echo "retrying to connect to httpserv at `date`" + echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v" + ${BINDIR}/tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v + if [ $? -ne 0 ]; then + html_failed "Waiting for Server" + fi + fi + is_httpserv_alive +} + +########################### kill_httpserv ############################## +# local shell function to kill the httpserver after the tests are done +######################################################################## +kill_httpserv() +{ + if [ "${OS_ARCH}" = "WINNT" ] && \ + [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then + PID=${SHELL_HTTPPID} + else + PID=`cat ${HTTPPID}` + fi + + echo "trying to kill httpserv with PID ${PID} at `date`" + + if [ "${OS_ARCH}" = "WINNT" -o "${OS_ARCH}" = "WIN95" -o "${OS_ARCH}" = "OS2" ]; then + echo "${KILL} ${PID}" + ${KILL} ${PID} + else + echo "${KILL} -USR1 ${PID}" + ${KILL} -USR1 ${PID} + fi + wait ${PID} + + # On Linux httpserv needs up to 30 seconds to fully die and free + # the port. Wait until the port is free. 
(Bug 129701) + if [ "${OS_ARCH}" = "Linux" ]; then + echo "httpserv -b -p ${NSS_AIA_PORT} 2>/dev/null;" + until ${BINDIR}/httpserv -b -p ${NSS_AIA_PORT} 2>/dev/null; do + echo "RETRY: httpserv -b -p ${NSS_AIA_PORT} 2>/dev/null;" + sleep 1 + done + fi + + echo "httpserv with PID ${PID} killed at `date`" + + rm ${HTTPPID} + html_detect_core "kill_httpserv core detection step" +} + +########################### start_httpserv ############################# +# local shell function to start the httpserver with the parameters required +# for this test and log information (parameters, start time) +# also: wait until the server is up and running +######################################################################## +start_httpserv() +{ + HTTP_METHOD=$1 + + if [ -n "$testname" ] ; then + echo "$SCRIPTNAME: $testname ----" + fi + echo "httpserv starting at `date`" + ODDIR="${HOSTDIR}/chains/OCSPD" + echo "httpserv -D -p ${NSS_AIA_PORT} ${SERVER_OPTIONS} \\" + echo " -A OCSPRoot -C ${ODDIR}/OCSPRoot.crl -A OCSPCA1 -C ${ODDIR}/OCSPCA1.crl \\" + echo " -A OCSPCA2 -C ${ODDIR}/OCSPCA2.crl -A OCSPCA3 -C ${ODDIR}/OCSPCA3.crl \\" + echo " -O ${HTTP_METHOD} -d ${ODDIR}/ServerDB/ -f ${ODDIR}/ServerDB/dbpasswd \\" + echo " -i ${HTTPPID} $verbose &" + ${PROFTOOL} ${BINDIR}/httpserv -D -p ${NSS_AIA_PORT} ${SERVER_OPTIONS} \ + -A OCSPRoot -C ${ODDIR}/OCSPRoot.crl -A OCSPCA1 -C ${ODDIR}/OCSPCA1.crl \ + -A OCSPCA2 -C ${ODDIR}/OCSPCA2.crl -A OCSPCA3 -C ${ODDIR}/OCSPCA3.crl \ + -O ${HTTP_METHOD} -d ${ODDIR}/ServerDB/ -f ${ODDIR}/ServerDB/dbpasswd \ + -i ${HTTPPID} $verbose & + RET=$? + + # The PID $! returned by the MKS or Cygwin shell is not the PID of + # the real background process, but rather the PID of a helper + # process (sh.exe). MKS's kill command has a bug: invoking kill + # on the helper process does not terminate the real background + # process. Our workaround has been to have httpserv save its PID + # in the ${HTTPPID} file and "kill" that PID instead. 
But this + # doesn't work under Cygwin; its kill command doesn't recognize + # the PID of the real background process, but it does work on the + # PID of the helper process. So we save the value of $! in the + # SHELL_HTTPPID variable, and use it instead of the ${HTTPPID} + # file under Cygwin. (In fact, this should work in any shell + # other than the MKS shell.) + SHELL_HTTPPID=$! + wait_for_httpserv + + if [ "${OS_ARCH}" = "WINNT" ] && \ + [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then + PID=${SHELL_HTTPPID} + else + PID=`cat ${HTTPPID}` + fi + + echo "httpserv with PID ${PID} started at `date`" +} + +############################# chains_init ############################## +# local shell function to initialize this script +######################################################################## +chains_init() +{ + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + if [ -z "${INIT_SOURCED}" ] ; then + cd ../common + . 
./init.sh + fi + + SCRIPTNAME="chains.sh" + + CHAINS_DIR="${HOSTDIR}/chains" + mkdir -p ${CHAINS_DIR} + cd ${CHAINS_DIR} + + CHAINS_SCENARIOS="${QADIR}/chains/scenarios/scenarios" + + CERT_SN_CNT=$(date '+%m%d%H%M%S' | sed "s/^0*//") + CERT_SN_FIX=$(expr ${CERT_SN_CNT} - 1000) + + PK7_NONCE=${CERT_SN_CNT} + SCEN_CNT=${CERT_SN_CNT} + + AIA_FILES="${HOSTDIR}/aiafiles" + + CU_DATA=${HOSTDIR}/cu_data + CRL_DATA=${HOSTDIR}/crl_data + + DEFAULT_AIA_BASE_PORT=$(expr ${PORT:-8631} + 10) + NSS_AIA_PORT=${NSS_AIA_PORT:-$DEFAULT_AIA_BASE_PORT} + DEFAULT_UNUSED_PORT=$(expr ${PORT:-8631} + 11) + NSS_UNUSED_PORT=${NSS_UNUSED_PORT:-$DEFAULT_UNUSED_PORT} + NSS_AIA_HTTP=${NSS_AIA_HTTP:-"http://${HOSTADDR}:${NSS_AIA_PORT}"} + NSS_AIA_PATH=${NSS_AIA_PATH:-$HOSTDIR/aiahttp} + NSS_AIA_OCSP=${NSS_AIA_OCSP:-$NSS_AIA_HTTP/ocsp} + NSS_OCSP_UNUSED=${NSS_AIA_OCSP_UNUSED:-"http://${HOSTADDR}:${NSS_UNUSED_PORT}"} + + html_head "Certificate Chains Tests" +} + +chains_run_httpserv() +{ + HTTP_METHOD=$1 + + if [ -n "${NSS_AIA_PATH}" ]; then + HTTPPID=${NSS_AIA_PATH}/http_pid.$$ + mkdir -p "${NSS_AIA_PATH}" + SAVEPWD=`pwd` + cd "${NSS_AIA_PATH}" + # Start_httpserv sets environment variables, which are required for + # correct cleanup. (Running it in a subshell doesn't work, the + # value of $SHELL_HTTPPID wouldn't arrive in this scope.) + start_httpserv ${HTTP_METHOD} + cd "${SAVEPWD}" + fi +} + +chains_stop_httpserv() +{ + if [ -n "${NSS_AIA_PATH}" ]; then + kill_httpserv + fi +} + +############################ chains_cleanup ############################ +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +chains_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . 
common/cleanup.sh +} + +############################ print_cu_data ############################# +# local shell function to print certutil input data +######################################################################## +print_cu_data() +{ + echo "=== Certutil input data ===" + cat ${CU_DATA} + echo "===" +} + +set_cert_sn() +{ + if [ -z "${SERIAL}" ]; then + CERT_SN_CNT=$(expr ${CERT_SN_CNT} + 1) + CERT_SN=${CERT_SN_CNT} + else + echo ${SERIAL} | cut -b 1 | grep '+' > /dev/null + if [ $? -eq 0 ]; then + CERT_SN=$(echo ${SERIAL} | cut -b 2-) + CERT_SN=$(expr ${CERT_SN_FIX} + ${CERT_SN}) + else + CERT_SN=${SERIAL} + fi + fi +} + +############################# create_db ################################ +# local shell function to create certificate database +######################################################################## +create_db() +{ + DB=$1 + + [ -d "${DB}" ] && rm -rf ${DB} + mkdir -p ${DB} + + echo "${DB}passwd" > ${DB}/dbpasswd + + TESTNAME="Creating DB ${DB}" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "certutil -N -d ${DB} -f ${DB}/dbpasswd" + ${BINDIR}/certutil -N -d ${DB} -f ${DB}/dbpasswd + html_msg $? 
0 "${SCENARIO}${TESTNAME}" +} + +########################### create_root_ca ############################# +# local shell function to generate self-signed root certificate +######################################################################## +create_root_ca() +{ + ENTITY=$1 + ENTITY_DB=${ENTITY}DB + + set_cert_sn + date >> ${NOISE_FILE} 2>&1 + + CTYPE_OPT= + if [ -n "${CTYPE}" ]; then + CTYPE_OPT="-k ${CTYPE}" + fi + + echo "5 +6 +9 +n +y +-1 +n +5 +6 +7 +9 +n +" > ${CU_DATA} + + TESTNAME="Creating Root CA ${ENTITY}" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "certutil -s \"CN=${ENTITY} ROOT CA, O=${ENTITY}, C=US\" -S -n ${ENTITY} ${CTYPE_OPT} -t CTu,CTu,CTu -v 600 -x -d ${ENTITY_DB} -1 -2 -5 -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -m ${CERT_SN} < ${CU_DATA}" + print_cu_data + ${BINDIR}/certutil -s "CN=${ENTITY} ROOT CA, O=${ENTITY}, C=US" -S -n ${ENTITY} ${CTYPE_OPT} -t CTu,CTu,CTu -v 600 -x -d ${ENTITY_DB} -1 -2 -5 -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -m ${CERT_SN} < ${CU_DATA} + html_msg $? 0 "${SCENARIO}${TESTNAME}" + + TESTNAME="Exporting Root CA ${ENTITY}.der" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "certutil -L -d ${ENTITY_DB} -r -n ${ENTITY} -o ${ENTITY}.der" + ${BINDIR}/certutil -L -d ${ENTITY_DB} -r -n ${ENTITY} -o ${ENTITY}.der + html_msg $? 
0 "${SCENARIO}${TESTNAME}" +} + +########################### create_cert_req ############################ +# local shell function to generate certificate sign request +######################################################################## +create_cert_req() +{ + ENTITY=$1 + TYPE=$2 + + ENTITY_DB=${ENTITY}DB + + REQ=${ENTITY}Req.der + + date >> ${NOISE_FILE} 2>&1 + + CTYPE_OPT= + if [ -n "${CTYPE}" ]; then + CTYPE_OPT="-k ${CTYPE}" + fi + + CA_FLAG= + EXT_DATA= + OPTIONS= + + if [ "${TYPE}" != "EE" ]; then + CA_FLAG="-2" + EXT_DATA="y +-1 +y +" + fi + + process_crldp + + echo "${EXT_DATA}" > ${CU_DATA} + + TESTNAME="Creating ${TYPE} certifiate request ${REQ}" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "certutil -s \"CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US\" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} ${OPTIONS} < ${CU_DATA}" + print_cu_data + ${BINDIR}/certutil -s "CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} ${OPTIONS} < ${CU_DATA} + html_msg $? 
0 "${SCENARIO}${TESTNAME}" +} + +############################ create_entity ############################# +# local shell function to create certificate chain entity +######################################################################## +create_entity() +{ + ENTITY=$1 + TYPE=$2 + + if [ -z "${ENTITY}" ]; then + echo "Configuration error: Unnamed entity" + exit 1 + fi + + DB=${ENTITY}DB + ENTITY_DB=${ENTITY}DB + + case "${TYPE}" in + "Root") + create_db "${DB}" + create_root_ca "${ENTITY}" + ;; + "Intermediate" | "Bridge" | "EE") + create_db "${DB}" + create_cert_req "${ENTITY}" "${TYPE}" + ;; + "*") + echo "Configuration error: Unknown type ${TYPE}" + exit 1 + ;; + esac +} + +######################################################################## +# List of global variables related to certificate extensions processing: +# +# Generated by process_extensions and functions called from it: +# OPTIONS - list of command line policy extensions +# DATA - list of inpud data related to policy extensions +# +# Generated by parse_config: +# POLICY - list of certificate policies +# MAPPING - list of policy mappings +# INHIBIT - inhibit flag +# AIA - AIA list +######################################################################## + +############################ process_policy ############################ +# local shell function to process policy extension parameters and +# generate input for certutil +######################################################################## +process_policy() +{ + if [ -n "${POLICY}" ]; then + OPTIONS="${OPTIONS} --extCP" + + NEXT= + for ITEM in ${POLICY}; do + if [ -n "${NEXT}" ]; then + DATA="${DATA}y +" + fi + + NEXT=1 + DATA="${DATA}${ITEM} +1 + +n +" + done + + DATA="${DATA}n +n +" + fi +} + +########################### process_mapping ############################ +# local shell function to process policy mapping parameters and +# generate input for certutil +######################################################################## 
+process_mapping() +{ + if [ -n "${MAPPING}" ]; then + OPTIONS="${OPTIONS} --extPM" + + NEXT= + for ITEM in ${MAPPING}; do + if [ -n "${NEXT}" ]; then + DATA="${DATA}y +" + fi + + NEXT=1 + IDP=`echo ${ITEM} | cut -d: -f1` + SDP=`echo ${ITEM} | cut -d: -f2` + DATA="${DATA}${IDP} +${SDP} +" + done + + DATA="${DATA}n +n +" + fi +} + +########################### process_inhibit############################# +# local shell function to process inhibit extension and generate input +# for certutil +######################################################################## +process_inhibit() +{ + if [ -n "${INHIBIT}" ]; then + OPTIONS="${OPTIONS} --extIA" + + DATA="${DATA}${INHIBIT} +n +" + fi +} + +############################# process_aia ############################## +# local shell function to process AIA extension parameters and +# generate input for certutil +######################################################################## +process_aia() +{ + if [ -n "${AIA}" ]; then + OPTIONS="${OPTIONS} --extAIA" + + DATA="${DATA}1 +" + + for ITEM in ${AIA}; do + PK7_NONCE=`expr $PK7_NONCE + 1` + + echo ${ITEM} | grep ":" > /dev/null + if [ $? 
-eq 0 ]; then + CERT_NICK=`echo ${ITEM} | cut -d: -f1` + CERT_ISSUER=`echo ${ITEM} | cut -d: -f2` + CERT_LOCAL="${CERT_NICK}${CERT_ISSUER}.der" + CERT_PUBLIC="${HOST}-$$-${CERT_NICK}${CERT_ISSUER}-${PK7_NONCE}.der" + else + CERT_LOCAL="${ITEM}.p7" + CERT_PUBLIC="${HOST}-$$-${ITEM}-${PK7_NONCE}.p7" + fi + + DATA="${DATA}7 +${NSS_AIA_HTTP}/${CERT_PUBLIC} +" + + if [ -n "${NSS_AIA_PATH}" ]; then + cp ${CERT_LOCAL} ${NSS_AIA_PATH}/${CERT_PUBLIC} 2> /dev/null + chmod a+r ${NSS_AIA_PATH}/${CERT_PUBLIC} + echo ${NSS_AIA_PATH}/${CERT_PUBLIC} >> ${AIA_FILES} + fi + done + + DATA="${DATA}0 +n +n" + fi +} + +process_ocsp() +{ + if [ -n "${OCSP}" ]; then + OPTIONS="${OPTIONS} --extAIA" + + if [ "${OCSP}" = "offline" ]; then + MY_OCSP_URL=${NSS_OCSP_UNUSED} + else + MY_OCSP_URL=${NSS_AIA_OCSP} + fi + + DATA="${DATA}2 +7 +${MY_OCSP_URL} +0 +n +n +" + fi +} + +process_crldp() +{ + if [ -n "${CRLDP}" ]; then + OPTIONS="${OPTIONS} -4" + + EXT_DATA="${EXT_DATA}1 +" + + for ITEM in ${CRLDP}; do + CRL_PUBLIC="${HOST}-$$-${ITEM}-${SCEN_CNT}.crl" + + EXT_DATA="${EXT_DATA}7 +${NSS_AIA_HTTP}/${CRL_PUBLIC} +" + done + + EXT_DATA="${EXT_DATA}-1 +-1 +-1 +n +n +" + fi +} + +process_ku_ns_eku() +{ + if [ -n "${EXT_KU}" ]; then + OPTIONS="${OPTIONS} --keyUsage ${EXT_KU}" + fi + if [ -n "${EXT_NS}" ]; then + EXT_NS_KEY=$(echo ${EXT_NS} | cut -d: -f1) + EXT_NS_CODE=$(echo ${EXT_NS} | cut -d: -f2) + + OPTIONS="${OPTIONS} --nsCertType ${EXT_NS_KEY}" + DATA="${DATA}${EXT_NS_CODE} +-1 +n +" + fi + if [ -n "${EXT_EKU}" ]; then + OPTIONS="${OPTIONS} --extKeyUsage ${EXT_EKU}" + fi +} + +copy_crl() + +{ + if [ -z "${NSS_AIA_PATH}" ]; then + return; + fi + + CRL_LOCAL="${COPYCRL}.crl" + CRL_PUBLIC="${HOST}-$$-${COPYCRL}-${SCEN_CNT}.crl" + + cp ${CRL_LOCAL} ${NSS_AIA_PATH}/${CRL_PUBLIC} 2> /dev/null + chmod a+r ${NSS_AIA_PATH}/${CRL_PUBLIC} + echo ${NSS_AIA_PATH}/${CRL_PUBLIC} >> ${AIA_FILES} +} + +########################## process_extension ########################### +# local shell function to process 
entity extension parameters and +# generate input for certutil +######################################################################## +process_extensions() +{ + OPTIONS= + DATA= + + process_policy + process_mapping + process_inhibit + process_aia + process_ocsp + process_ku_ns_eku +} + +############################## sign_cert ############################### +# local shell function to sign certificate sign reuqest +######################################################################## +sign_cert() +{ + ENTITY=$1 + ISSUER=$2 + TYPE=$3 + + [ -z "${ISSUER}" ] && return + + ENTITY_DB=${ENTITY}DB + ISSUER_DB=${ISSUER}DB + REQ=${ENTITY}Req.der + CERT=${ENTITY}${ISSUER}.der + + set_cert_sn + + EMAIL_OPT= + if [ "${TYPE}" = "Bridge" ]; then + EMAIL_OPT="-7 ${ENTITY}@${ISSUER}" + + [ -n "${EMAILS}" ] && EMAILS="${EMAILS}," + EMAILS="${EMAILS}${ENTITY}@${ISSUER}" + fi + + process_extensions + + echo "${DATA}" > ${CU_DATA} + + TESTNAME="Creating certficate ${CERT} signed by ${ISSUER}" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "certutil -C -c ${ISSUER} -v 60 -d ${ISSUER_DB} -i ${REQ} -o ${CERT} -f ${ISSUER_DB}/dbpasswd -m ${CERT_SN} ${EMAIL_OPT} ${OPTIONS} < ${CU_DATA}" + print_cu_data + ${BINDIR}/certutil -C -c ${ISSUER} -v 60 -d ${ISSUER_DB} -i ${REQ} -o ${CERT} -f ${ISSUER_DB}/dbpasswd -m ${CERT_SN} ${EMAIL_OPT} ${OPTIONS} < ${CU_DATA} + html_msg $? 0 "${SCENARIO}${TESTNAME}" + + TESTNAME="Importing certificate ${CERT} to ${ENTITY_DB} database" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "certutil -A -n ${ENTITY} -t u,u,u -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -i ${CERT}" + ${BINDIR}/certutil -A -n ${ENTITY} -t u,u,u -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -i ${CERT} + html_msg $? 
0 "${SCENARIO}${TESTNAME}" +} + +############################# create_pkcs7############################## +# local shell function to package bridge certificates into pkcs7 +# package +######################################################################## +create_pkcs7() +{ + ENTITY=$1 + ENTITY_DB=${ENTITY}DB + + TESTNAME="Generating PKCS7 package from ${ENTITY_DB} database" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "cmsutil -O -r \"${EMAILS}\" -d ${ENTITY_DB} > ${ENTITY}.p7" + ${BINDIR}/cmsutil -O -r "${EMAILS}" -d ${ENTITY_DB} > ${ENTITY}.p7 + html_msg $? 0 "${SCENARIO}${TESTNAME}" +} + +############################# import_key ############################### +# local shell function to import private key + cert into database +######################################################################## +import_key() +{ + KEY_NAME=$1.p12 + DB=$2 + + KEY_FILE=../OCSPD/${KEY_NAME} + + TESTNAME="Importing p12 key ${KEY_NAME} to ${DB} database" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "${BINDIR}/pk12util -d ${DB} -i ${KEY_FILE} -k ${DB}/dbpasswd -W nssnss" + ${BINDIR}/pk12util -d ${DB} -i ${KEY_FILE} -k ${DB}/dbpasswd -W nssnss + html_msg $? 0 "${SCENARIO}${TESTNAME}" +} + +export_key() +{ + KEY_NAME=$1.p12 + DB=$2 + + TESTNAME="Exporting $1 as ${KEY_NAME} from ${DB} database" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "${BINDIR}/pk12util -d ${DB} -o ${KEY_NAME} -n $1 -k ${DB}/dbpasswd -W nssnss" + ${BINDIR}/pk12util -d ${DB} -o ${KEY_NAME} -n $1 -k ${DB}/dbpasswd -W nssnss + html_msg $? 
0 "${SCENARIO}${TESTNAME}" +} + +############################# import_cert ############################## +# local shell function to import certificate into database +######################################################################## +import_cert() +{ + IMPORT=$1 + DB=$2 + + CERT_NICK=`echo ${IMPORT} | cut -d: -f1` + CERT_ISSUER=`echo ${IMPORT} | cut -d: -f2` + CERT_TRUST=`echo ${IMPORT} | cut -d: -f3` + + if [ "${CERT_ISSUER}" = "x" ]; then + CERT_ISSUER= + CERT=${CERT_NICK}.cert + CERT_FILE="${QADIR}/libpkix/certs/${CERT}" + elif [ "${CERT_ISSUER}" = "d" ]; then + CERT_ISSUER= + CERT=${CERT_NICK}.der + CERT_FILE="../OCSPD/${CERT}" + else + CERT=${CERT_NICK}${CERT_ISSUER}.der + CERT_FILE=${CERT} + fi + + IS_ASCII=`grep -c -- "-----BEGIN CERTIFICATE-----" ${CERT_FILE}` + + ASCII_OPT= + if [ "${IS_ASCII}" -gt 0 ]; then + ASCII_OPT="-a" + fi + + TESTNAME="Importing certificate ${CERT} to ${DB} database" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "certutil -A -n ${CERT_NICK} ${ASCII_OPT} -t \"${CERT_TRUST}\" -d ${DB} -f ${DB}/dbpasswd -i ${CERT_FILE}" + ${BINDIR}/certutil -A -n ${CERT_NICK} ${ASCII_OPT} -t "${CERT_TRUST}" -d ${DB} -f ${DB}/dbpasswd -i ${CERT_FILE} + html_msg $? 0 "${SCENARIO}${TESTNAME}" +} + +import_crl() +{ + IMPORT=$1 + DB=$2 + + CRL_NICK=`echo ${IMPORT} | cut -d: -f1` + CRL_FILE=${CRL_NICK}.crl + + if [ ! -f "${CRL_FILE}" ]; then + return + fi + + TESTNAME="Importing CRL ${CRL_FILE} to ${DB} database" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "crlutil -I -d ${DB} -f ${DB}/dbpasswd -i ${CRL_FILE}" + ${BINDIR}/crlutil -I -d ${DB} -f ${DB}/dbpasswd -i ${CRL_FILE} + html_msg $? 
0 "${SCENARIO}${TESTNAME}" +} + +create_crl() +{ + ISSUER=$1 + ISSUER_DB=${ISSUER}DB + + CRL=${ISSUER}.crl + + DATE=$(date -u '+%Y%m%d%H%M%SZ') + DATE_LAST="${DATE}" + + UPDATE=$(expr $(date -u '+%Y') + 1)$(date -u '+%m%d%H%M%SZ') + + echo "update=${DATE}" > ${CRL_DATA} + echo "nextupdate=${UPDATE}" >> ${CRL_DATA} + + TESTNAME="Create CRL for ${ISSUER_DB}" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "crlutil -G -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL}" + echo "=== Crlutil input data ===" + cat ${CRL_DATA} + echo "===" + ${BINDIR}/crlutil -G -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL} < ${CRL_DATA} + html_msg $? 0 "${SCENARIO}${TESTNAME}" +} + +revoke_cert() +{ + ISSUER=$1 + ISSUER_DB=${ISSUER}DB + + CRL=${ISSUER}.crl + + set_cert_sn + + DATE=$(date -u '+%Y%m%d%H%M%SZ') + while [ "${DATE}" = "${DATE_LAST}" ]; do + sleep 1 + DATE=$(date -u '+%Y%m%d%H%M%SZ') + done + DATE_LAST="${DATE}" + + echo "update=${DATE}" > ${CRL_DATA} + echo "addcert ${CERT_SN} ${DATE}" >> ${CRL_DATA} + + TESTNAME="Revoking certificate with SN ${CERT_SN} issued by ${ISSUER}" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "crlutil -M -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL}" + echo "=== Crlutil input data ===" + cat ${CRL_DATA} + echo "===" + ${BINDIR}/crlutil -M -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL} < ${CRL_DATA} + html_msg $? 
0 "${SCENARIO}${TESTNAME}" +} + +######################################################################## +# List of global variables related to certificate verification: +# +# Generated by parse_config: +# DB - DB used for testing +# FETCH - fetch flag (used with AIA extension) +# POLICY - list of policies +# TRUST - trust anchor +# TRUST_AND_DB - Examine both trust anchors and the cert db for trust +# VERIFY - list of certificates to use as vfychain parameters +# EXP_RESULT - expected result +# REV_OPTS - revocation options +######################################################################## + +############################# verify_cert ############################## +# local shell function to verify certificate validity +######################################################################## +verify_cert() +{ + ENGINE=$1 + + DB_OPT= + FETCH_OPT= + POLICY_OPT= + TRUST_OPT= + VFY_CERTS= + VFY_LIST= + TRUST_AND_DB_OPT= + + if [ -n "${DB}" ]; then + DB_OPT="-d ${DB}" + fi + + if [ -n "${FETCH}" ]; then + FETCH_OPT="-f" + if [ -z "${NSS_AIA_HTTP}" ]; then + echo "${SCRIPTNAME} Skipping test using AIA fetching, NSS_AIA_HTTP not defined" + return + fi + fi + + if [ -n "${TRUST_AND_DB}" ]; then + TRUST_AND_DB_OPT="-T" + fi + + for ITEM in ${POLICY}; do + POLICY_OPT="${POLICY_OPT} -o ${ITEM}" + done + + for ITEM in ${TRUST}; do + echo ${ITEM} | grep ":" > /dev/null + if [ $? 
-eq 0 ]; then + CERT_NICK=`echo ${ITEM} | cut -d: -f1` + CERT_ISSUER=`echo ${ITEM} | cut -d: -f2` + CERT=${CERT_NICK}${CERT_ISSUER}.der + + TRUST_OPT="${TRUST_OPT} -t ${CERT}" + else + TRUST_OPT="${TRUST_OPT} -t ${ITEM}" + fi + done + + for ITEM in ${VERIFY}; do + CERT_NICK=`echo ${ITEM} | cut -d: -f1` + CERT_ISSUER=`echo ${ITEM} | cut -d: -f2` + + if [ "${CERT_ISSUER}" = "x" ]; then + CERT="${QADIR}/libpkix/certs/${CERT_NICK}.cert" + VFY_CERTS="${VFY_CERTS} ${CERT}" + VFY_LIST="${VFY_LIST} ${CERT_NICK}.cert" + elif [ "${CERT_ISSUER}" = "d" ]; then + CERT="../OCSPD/${CERT_NICK}.der" + VFY_CERTS="${VFY_CERTS} ${CERT}" + VFY_LIST="${VFY_LIST} ${CERT_NICK}.cert" + else + CERT=${CERT_NICK}${CERT_ISSUER}.der + VFY_CERTS="${VFY_CERTS} ${CERT}" + VFY_LIST="${VFY_LIST} ${CERT}" + fi + done + + VFY_OPTS_TNAME="${DB_OPT} ${ENGINE} ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${TRUST_OPT}" + VFY_OPTS_ALL="${DB_OPT} ${ENGINE} -vv ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}" + + TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${VFY_OPTS_TNAME}" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "vfychain ${VFY_OPTS_ALL}" + + if [ -z "${MEMLEAK_DBG}" ]; then + VFY_OUT=$(${BINDIR}/vfychain ${VFY_OPTS_ALL} 2>&1) + RESULT=$? + echo "${VFY_OUT}" + else + VFY_OUT=$(${RUN_COMMAND_DBG} ${BINDIR}/vfychain ${VFY_OPTS_ALL} 2>> ${LOGFILE}) + RESULT=$? + echo "${VFY_OUT}" + fi + + echo "${VFY_OUT}" | grep "ERROR -5990: I/O operation timed out" > /dev/null + E5990=$? + echo "${VFY_OUT}" | grep "ERROR -8030: Server returned bad HTTP response" > /dev/null + E8030=$? + + if [ $E5990 -eq 0 -o $E8030 -eq 0 ]; then + echo "Result of this test is not valid due to network time out." 
+ html_unknown "${SCENARIO}${TESTNAME}" + return + fi + + echo "Returned value is ${RESULT}, expected result is ${EXP_RESULT}" + + if [ "${EXP_RESULT}" = "pass" -a ${RESULT} -eq 0 ]; then + html_passed "${SCENARIO}${TESTNAME}" + elif [ "${EXP_RESULT}" = "fail" -a ${RESULT} -ne 0 ]; then + html_passed "${SCENARIO}${TESTNAME}" + else + html_failed "${SCENARIO}${TESTNAME}" + fi +} + +check_ocsp() +{ + OCSP_CERT=$1 + + CERT_NICK=`echo ${OCSP_CERT} | cut -d: -f1` + CERT_ISSUER=`echo ${OCSP_CERT} | cut -d: -f2` + + if [ "${CERT_ISSUER}" = "x" ]; then + CERT_ISSUER= + CERT=${CERT_NICK}.cert + CERT_FILE="${QADIR}/libpkix/certs/${CERT}" + elif [ "${CERT_ISSUER}" = "d" ]; then + CERT_ISSUER= + CERT=${CERT_NICK}.der + CERT_FILE="../OCSPD/${CERT}" + else + CERT=${CERT_NICK}${CERT_ISSUER}.der + CERT_FILE=${CERT} + fi + + # sample line: + # URI: "http://ocsp.server:2601" + OCSP_HOST=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//") + OCSP_PORT=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/^.*:.*:\/\/.*:\([0-9]*\).*$/\1/") + + echo "tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20" + tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20 + return $? +} + +############################ parse_result ############################## +# local shell function to process expected result value +# this function was created for case that expected result depends on +# some conditions - in our case type of cert DB +# +# default results are pass and fail +# this function added parsable values in format: +# type1:value1 type2:value2 .... 
typex:valuex +# +# allowed types are dbm, sql, all (all means all other cases) +# allowed values are pass and fail +# +# if this format is not used, EXP_RESULT will stay unchanged (this also +# covers pass and fail states) +######################################################################## +parse_result() +{ + for RES in ${EXP_RESULT} + do + RESTYPE=$(echo ${RES} | cut -d: -f1) + RESSTAT=$(echo ${RES} | cut -d: -f2) + + if [ "${RESTYPE}" = "${NSS_DEFAULT_DB_TYPE}" -o "${RESTYPE}" = "all" ]; then + EXP_RESULT=${RESSTAT} + break + fi + done +} + +############################ parse_config ############################## +# local shell function to parse and process file containing certificate +# chain configuration and list of tests +######################################################################## +parse_config() +{ + SCENARIO= + LOGNAME= + + while read KEY VALUE + do + case "${KEY}" in + "entity") + ENTITY="${VALUE}" + TYPE= + ISSUER= + CTYPE= + POLICY= + MAPPING= + INHIBIT= + AIA= + CRLDP= + OCSP= + DB= + EMAILS= + EXT_KU= + EXT_NS= + EXT_EKU= + SERIAL= + EXPORT_KEY= + ;; + "type") + TYPE="${VALUE}" + ;; + "issuer") + if [ -n "${ISSUER}" ]; then + if [ -z "${DB}" ]; then + create_entity "${ENTITY}" "${TYPE}" + fi + sign_cert "${ENTITY}" "${ISSUER}" "${TYPE}" + fi + + ISSUER="${VALUE}" + POLICY= + MAPPING= + INHIBIT= + AIA= + EXT_KU= + EXT_NS= + EXT_EKU= + ;; + "ctype") + CTYPE="${VALUE}" + ;; + "policy") + POLICY="${POLICY} ${VALUE}" + ;; + "mapping") + MAPPING="${MAPPING} ${VALUE}" + ;; + "inhibit") + INHIBIT="${VALUE}" + ;; + "aia") + AIA="${AIA} ${VALUE}" + ;; + "crldp") + CRLDP="${CRLDP} ${VALUE}" + ;; + "ocsp") + OCSP="${VALUE}" + ;; + "db") + DB="${VALUE}DB" + create_db "${DB}" + ;; + "import") + IMPORT="${VALUE}" + import_cert "${IMPORT}" "${DB}" + import_crl "${IMPORT}" "${DB}" + ;; + "import_key") + IMPORT="${VALUE}" + import_key "${IMPORT}" "${DB}" + ;; + "crl") + ISSUER="${VALUE}" + create_crl "${ISSUER}" + ;; + "revoke") + REVOKE="${VALUE}" + 
;; + "serial") + SERIAL="${VALUE}" + ;; + "export_key") + EXPORT_KEY=1 + ;; + "copycrl") + COPYCRL="${VALUE}" + copy_crl "${COPYCRL}" + ;; + "verify") + VERIFY="${VALUE}" + TRUST= + TRUST_AND_DB= + POLICY= + FETCH= + EXP_RESULT= + REV_OPTS= + USAGE_OPT= + ;; + "cert") + VERIFY="${VERIFY} ${VALUE}" + ;; + "testdb") + if [ -n "${VALUE}" ]; then + DB="${VALUE}DB" + else + DB= + fi + ;; + "trust") + TRUST="${TRUST} ${VALUE}" + ;; + "trust_and_db") + TRUST_AND_DB=1 + ;; + "fetch") + FETCH=1 + ;; + "result") + EXP_RESULT="${VALUE}" + parse_result + ;; + "rev_type") + REV_OPTS="${REV_OPTS} -g ${VALUE}" + ;; + "rev_flags") + REV_OPTS="${REV_OPTS} -h ${VALUE}" + ;; + "rev_mtype") + REV_OPTS="${REV_OPTS} -m ${VALUE}" + ;; + "rev_mflags") + REV_OPTS="${REV_OPTS} -s ${VALUE}" + ;; + "scenario") + SCENARIO="${VALUE}: " + + CHAINS_DIR="${HOSTDIR}/chains/${VALUE}" + mkdir -p ${CHAINS_DIR} + cd ${CHAINS_DIR} + + if [ -n "${MEMLEAK_DBG}" ]; then + LOGNAME="libpkix-${VALUE}" + LOGFILE="${LOGDIR}/${LOGNAME}" + fi + + SCEN_CNT=$(expr ${SCEN_CNT} + 1) + ;; + "sleep") + sleep ${VALUE} + ;; + "break") + break + ;; + "check_ocsp") + TESTNAME="Test that OCSP server is reachable" + check_ocsp ${VALUE} + if [ $? 
-ne 0 ]; then + html_failed "$TESTNAME" + break; + else + html_passed "$TESTNAME" + fi + ;; + "ku") + EXT_KU="${VALUE}" + ;; + "ns") + EXT_NS="${VALUE}" + ;; + "eku") + EXT_EKU="${VALUE}" + ;; + "usage") + USAGE_OPT="-u ${VALUE}" + ;; + "") + if [ -n "${ENTITY}" ]; then + if [ -z "${DB}" ]; then + create_entity "${ENTITY}" "${TYPE}" + fi + sign_cert "${ENTITY}" "${ISSUER}" "${TYPE}" + if [ "${TYPE}" = "Bridge" ]; then + create_pkcs7 "${ENTITY}" + fi + if [ -n "${EXPORT_KEY}" ]; then + export_key "${ENTITY}" "${DB}" + fi + ENTITY= + fi + + if [ -n "${VERIFY}" ] && \ + [ -z "$NSS_DISABLE_LIBPKIX" ]; then + verify_cert "-pp" + if [ -n "${VERIFY_CLASSIC_ENGINE_TOO}" ] && \ + [ -z "$NSS_DISABLE_LIBPKIX" ]; then + verify_cert "" + verify_cert "-p" + fi + VERIFY= + fi + + if [ -n "${REVOKE}" ]; then + revoke_cert "${REVOKE}" "${DB}" + REVOKE= + fi + ;; + *) + if [ `echo ${KEY} | cut -b 1` != "#" ]; then + echo "Configuration error: Unknown keyword ${KEY}" + exit 1 + fi + ;; + esac + done + + if [ -n "${MEMLEAK_DBG}" ]; then + log_parse + html_msg $? 
0 "${SCENARIO}Memory leak checking" + fi +} + +process_scenario() +{ + SCENARIO_FILE=$1 + + > ${AIA_FILES} + + parse_config < "${QADIR}/chains/scenarios/${SCENARIO_FILE}" + + while read AIA_FILE + do + rm ${AIA_FILE} 2> /dev/null + done < ${AIA_FILES} + rm ${AIA_FILES} +} + +# process ocspd.cfg separately +chains_ocspd() +{ + process_scenario "ocspd.cfg" +} + +# process ocsp.cfg separately +chains_method() +{ + process_scenario "method.cfg" +} + +############################# chains_main ############################## +# local shell function to process all testing scenarios +######################################################################## +chains_main() +{ + while read LINE + do + [ `echo ${LINE} | cut -b 1` != "#" ] || continue + + [ ${LINE} != 'ocspd.cfg' ] || continue + [ ${LINE} != 'method.cfg' ] || continue + + process_scenario ${LINE} + done < "${CHAINS_SCENARIOS}" +} + +################################ main ################################## + +chains_init +VERIFY_CLASSIC_ENGINE_TOO= +chains_ocspd +VERIFY_CLASSIC_ENGINE_TOO=1 +chains_run_httpserv get +chains_method +chains_stop_httpserv +chains_run_httpserv post +chains_method +chains_stop_httpserv +VERIFY_CLASSIC_ENGINE_TOO= +chains_run_httpserv random +chains_main +chains_stop_httpserv +chains_run_httpserv get-unknown +chains_main +chains_stop_httpserv +chains_cleanup diff --git a/security/nss/tests/chains/ocspd-config/ocspd-certs.sh b/security/nss/tests/chains/ocspd-config/ocspd-certs.sh new file mode 100755 index 000000000..2f7d45898 --- /dev/null +++ b/security/nss/tests/chains/ocspd-config/ocspd-certs.sh 
@@ -0,0 +1,116 @@
+#!/bin/bash
+
+DATA_DIR=$1
+OCSP_DIR=$2
+CERT_DIR=$3
+
+TEST_PWD="nssnss"
+CONF_TEMPLATE="ocspd.conf.template"
+
+convert_cert()
+{
+ CERT_NAME=$1
+ CERT_SIGNER=$2
+
+ openssl x509 -in ${DATA_DIR}/${CERT_NAME}${CERT_SIGNER}.der -inform DER -out ${DATA_DIR}/${CERT_NAME}.pem -outform PEM
+}
+
+convert_crl()
+{
+ CRL_NAME=$1
+
+ openssl crl -in ${DATA_DIR}/${CRL_NAME}.crl -inform DER -out ${DATA_DIR}/${CRL_NAME}crl.pem -outform PEM
+}
+
+convert_key()
+{
+ KEY_NAME=$1
+
+ pk12util -o ${DATA_DIR}/${KEY_NAME}.p12 -n ${KEY_NAME} -d ${DATA_DIR}/${KEY_NAME}DB -k ${DATA_DIR}/${KEY_NAME}DB/dbpasswd -W ${TEST_PWD}
+ openssl pkcs12 -in ${DATA_DIR}/${KEY_NAME}.p12 -out ${DATA_DIR}/${KEY_NAME}.key.tmp -passin pass:${TEST_PWD} -passout pass:${TEST_PWD}
+
+ STATUS=0
+ cat ${DATA_DIR}/${KEY_NAME}.key.tmp | while read LINE; do
+ echo "${LINE}" | grep "BEGIN ENCRYPTED PRIVATE KEY" > /dev/null && STATUS=1
+ [ ${STATUS} -eq 1 ] && echo "${LINE}"
+ echo "${LINE}" | grep "END ENCRYPTED PRIVATE KEY" > /dev/null && break
+ done > ${DATA_DIR}/${KEY_NAME}.key
+
+ rm ${DATA_DIR}/${KEY_NAME}.key.tmp
+}
+
+create_conf()
+{
+ CONF_FILE=$1
+ CA=$2
+ OCSP=$3
+ PORT=$4
+
+ cat ${CONF_TEMPLATE} | \
+ sed "s:@DIR@:${OCSP_DIR}:" | \
+ sed "s:@CA_CERT@:${DATA_DIR}/${CA}.pem:" | \
+ sed "s:@CA_CRL@:${DATA_DIR}/${CA}crl.pem:" | \
+ sed "s:@CA_KEY@:${DATA_DIR}/${CA}.key:" | \
+ sed "s:@OCSP_PID@:${OCSP}.pid:" | \
+ sed "s:@PORT@:${PORT}:" \
+ > ${CONF_FILE}
+}
+
+copy_cert()
+{
+ CERT_NAME=$1
+ CERT_SIGNER=$2
+
+ cp ${DATA_DIR}/${CERT_NAME}${CERT_SIGNER}.der ${CERT_DIR}/${CERT_NAME}.cert
+}
+
+
+copy_key()
+{
+ KEY_NAME=$1
+
+ cp ${DATA_DIR}/${KEY_NAME}.p12 ${CERT_DIR}/${KEY_NAME}.p12
+}
+
+convert_cert OCSPRoot
+convert_crl OCSPRoot
+convert_key OCSPRoot
+
+convert_cert OCSPCA1 OCSPRoot
+convert_crl OCSPCA1
+convert_key OCSPCA1
+
+convert_cert OCSPCA2 OCSPRoot
+convert_crl OCSPCA2
+convert_key OCSPCA2
+
+convert_cert OCSPCA3 OCSPRoot
+convert_crl OCSPCA3
+convert_key OCSPCA3
+
+create_conf ocspd0.conf OCSPRoot ocspd0 2600
+create_conf ocspd1.conf OCSPCA1 ocspd1 2601
+create_conf ocspd2.conf OCSPCA2 ocspd2 2602
+create_conf ocspd3.conf OCSPCA3 ocspd3 2603
+
+copy_cert OCSPRoot
+copy_cert OCSPCA1 OCSPRoot
+copy_cert OCSPCA2 OCSPRoot
+copy_cert OCSPCA3 OCSPRoot
+copy_cert OCSPEE11 OCSPCA1
+copy_cert OCSPEE12 OCSPCA1
+copy_cert OCSPEE13 OCSPCA1
+copy_cert OCSPEE14 OCSPCA1
+copy_cert OCSPEE15 OCSPCA1
+copy_cert OCSPEE21 OCSPCA2
+copy_cert OCSPEE22 OCSPCA2
+copy_cert OCSPEE23 OCSPCA2
+copy_cert OCSPEE31 OCSPCA3
+copy_cert OCSPEE32 OCSPCA3
+copy_cert OCSPEE33 OCSPCA3
+
+copy_key OCSPRoot
+copy_key OCSPCA1
+copy_key OCSPCA2
+copy_key OCSPCA3
+
diff --git a/security/nss/tests/chains/ocspd-config/ocspd.conf.template b/security/nss/tests/chains/ocspd-config/ocspd.conf.template
new file mode 100644
index 000000000..456c74a16
--- /dev/null
+++ b/security/nss/tests/chains/ocspd-config/ocspd.conf.template
@@ -0,0 +1,46 @@
+[ ocspd ]
+
+default_ocspd = OCSPD_default
+
+[ OCSPD_default ]
+
+dir = @DIR@
+db = $dir/index.txt
+md = sha1
+
+ca_certificate = $dir/@CA_CERT@
+ocspd_certificate = $dir/@CA_CERT@
+ocspd_key = $dir/@CA_KEY@
+pidfile = $dir/@OCSP_PID@
+
+user = nobody
+group = nobody
+
+bind = *
+port = @PORT@
+
+max_req_size = 8192
+threads_num = 150
+max_timeout_secs = 5
+crl_auto_reload = 3600
+crl_check_validity = 600
+crl_reload_expired = yes
+response = ocsp_response
+dbms = dbms_file
+
+[ ocsp_response ]
+
+dir = @DIR@
+next_update_days = 0
+next_update_mins = 5
+
+[ dbms_file ]
+
+0.ca = @first_ca
+
+[ first_ca ]
+
+crl_url = file:///@DIR@/@CA_CRL@
+ca_url = file:///@DIR@/@CA_CERT@
+server_cert = file:///@DIR@/@CA_CERT@
+
diff --git a/security/nss/tests/chains/ocspd-config/readme b/security/nss/tests/chains/ocspd-config/readme
new file mode 100644
index 000000000..5069af6fe
--- /dev/null
+++ b/security/nss/tests/chains/ocspd-config/readme
@@ -0,0 +1,3 @@
+OBSOLETE
+
+tests have been changed to use a local ocsp server (using httpserv)
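Review bot: The three positional arguments DATA_DIR, OCSP_DIR and CERT_DIR are never validated, so a missing argument makes every path in the script expand against the filesystem root (`cp` in `copy_cert`/`copy_key` and the `openssl`/`pk12util` calls would read and write `/OCSPRoot.pem`, `/OCSPRoot.p12` and so on). A guard at the top, `: "${DATA_DIR:?usage: $0 DATA_DIR OCSP_DIR CERT_DIR}" "${OCSP_DIR:?}" "${CERT_DIR:?}"`, fails fast instead. `convert_key` also writes the exported private key to `${KEY_NAME}.key` under the caller's default umask and passes the PKCS#12 password on the command line (`-passin pass:…`, `-W …`), where other local users can typically see it in the process list; with a fixed test password that is tolerable for a fixture, but a `umask 077` before the exports would at least keep the key files private. The readme added in the same commit marks this directory as obsolete, so if the script is kept its header should say so.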
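Review bot: `md = sha1` makes the responder sign OCSP responses with SHA-1 and `bind = *` listens on every interface, although the responder presumably only needs to be reachable from the test host (the chains.sh hunk in this commit probes it with `tstclnt -h ${OCSP_HOST}` using the URI embedded in the test certificates). For a test fixture, binding to the address the certificates name (e.g. `bind = 127.0.0.1` if they point at localhost) and `md = sha256` would avoid exposing a SHA-1-signing responder on the network for the duration of a test run; if SHA-1 is deliberately kept to exercise a specific verification path, a comment saying so would help. The readme in the same commit marks this directory obsolete, so a one-line note at the top of the template would stop it being reused as a real ocspd configuration.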
diff --git a/security/nss/tests/chains/scenarios/aia.cfg b/security/nss/tests/chains/scenarios/aia.cfg
new file mode 100644
index 000000000..df3b1ef02
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/aia.cfg
@@ -0,0 +1,35 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario AIA
+
+entity Root
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer Root
+
+entity CA2
+ type Intermediate
+ issuer CA1
+ aia CA1:Root
+
+entity User
+ type EE
+ issuer CA2
+
+testdb User
+
+verify User:CA2
+ cert CA2:CA1
+ trust Root:
+ result fail
+
+verify User:CA2
+ cert CA2:CA1
+ trust Root:
+ fetch
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/anypolicy.cfg b/security/nss/tests/chains/scenarios/anypolicy.cfg
new file mode 100644
index 000000000..fd647ad23
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/anypolicy.cfg
@@ -0,0 +1,77 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario AnyPolicy
+
+entity RootCA
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer RootCA
+ policy any
+
+entity CA2
+ type Intermediate
+ issuer CA1
+ policy OID.1.0
+ inhibit 0
+
+entity CA3
+ type Intermediate
+ issuer CA1
+ policy OID.1.0
+
+entity User1
+ type EE
+ issuer CA2
+ policy OID.1.0
+
+entity User2
+ type EE
+ issuer CA2
+ policy any
+
+entity User3
+ type EE
+ issuer CA3
+ policy any
+
+db All
+
+import RootCA::
+import CA1:RootCA:
+import CA2:CA1:
+import CA3:CA1:
+
+verify User1:CA2
+ trust RootCA
+ policy OID.1.0
+ result pass
+
+verify User1:CA2
+ trust RootCA
+ policy OID.2.0
+ result fail
+
+verify User2:CA2
+ trust RootCA
+ policy OID.1.0
+ result fail
+
+verify User2:CA2
+ trust RootCA
+ policy OID.2.0
+ result fail
+
+verify User3:CA3
+ trust RootCA
+ policy OID.1.0
+ result pass
+
+verify User3:CA3
+ trust RootCA
+ policy OID.2.0
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/anypolicywithlevel.cfg b/security/nss/tests/chains/scenarios/anypolicywithlevel.cfg
new file mode 100644
index 000000000..9dd84a797
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/anypolicywithlevel.cfg
@@ -0,0 +1,399 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +scenario AnyPolicyWithLevel + +entity RootCA + type Root + +entity CA1 + type Intermediate + issuer RootCA + policy any + inhibit 1 + +entity CA12 + type Intermediate + issuer CA1 + policy any + +entity CA13 + type Intermediate + issuer CA12 + policy OID.1.0 + +entity EE1 + type EE + issuer CA13 + policy OID.1.0 + +entity CA22 + type Intermediate + issuer CA1 + policy any + +entity CA23 + type Intermediate + issuer CA22 + policy any + +entity EE2 + type EE + issuer CA23 + policy OID.1.0 + +entity CA32 + type Intermediate + issuer CA1 + policy any + inhibit 1 + +entity CA33 + type Intermediate + issuer CA32 + policy any + +entity EE3 + type EE + issuer CA33 + policy OID.1.0 + +entity CA42 + type Intermediate + issuer CA1 + policy any + policy OID.1.0 + +entity CA43 + type Intermediate + issuer CA42 + policy any + policy OID.1.0 + +entity EE4 + type EE + issuer CA43 + policy OID.1.0 + +entity CA52 + type Intermediate + issuer CA1 + policy any + policy OID.1.0 + +entity CA53 + type Intermediate + issuer CA52 + policy any + +entity EE5 + type EE + issuer CA53 + policy OID.1.0 + +entity CA61 + type Intermediate + issuer RootCA + policy any + inhibit 5 + +entity CA62 + type Intermediate + issuer CA61 + policy any + +entity EE62 + type EE + issuer CA62 + policy OID.1.0 + +entity CA63 + type Intermediate + issuer CA62 + policy any + +entity EE63 + type EE + issuer CA63 + policy OID.1.0 + +entity CA64 + type Intermediate + issuer CA63 + policy any + +entity EE64 + type EE + issuer CA64 + policy OID.1.0 + +entity CA65 + type Intermediate + issuer CA64 + policy any + +entity EE65 + type EE + issuer CA65 + policy OID.1.0 + +entity CA66 + type Intermediate + issuer CA65 + policy any + +entity EE66 + type EE + issuer CA66 + policy OID.1.0 + +entity CA67 + type 
Intermediate + issuer CA66 + policy any + +entity EE67 + type EE + issuer CA67 + policy OID.1.0 + +db All + +verify EE1:CA13 + cert RootCA: + cert CA1:RootCA + cert CA12:CA1 + cert CA13:CA12 + trust RootCA: + policy OID.1.0 + result pass + +verify EE1:CA13 + cert RootCA: + cert CA1:RootCA + cert CA12:CA1 + cert CA13:CA12 + trust RootCA: + policy OID.2.0 + result fail + +verify EE1:CA13 + cert RootCA: + cert CA1:RootCA + cert CA12:CA1 + cert CA13:CA12 + trust RootCA: + policy OID.2.5.29.32.0 + result pass + +verify EE2:CA23 + cert RootCA: + cert CA1:RootCA + cert CA22:CA1 + cert CA23:CA22 + trust RootCA: + policy OID.1.0 + result fail + +verify EE2:CA23 + cert RootCA: + cert CA1:RootCA + cert CA22:CA1 + cert CA23:CA22 + trust RootCA: + policy OID.2.0 + result fail + +verify EE2:CA23 + cert RootCA: + cert CA1:RootCA + cert CA22:CA1 + cert CA23:CA22 + trust RootCA: + policy OID.2.5.29.32.0 + result fail + +verify EE2:CA23 + cert RootCA: + cert CA1:RootCA + cert CA22:CA1 + cert CA23:CA22 + trust RootCA: + result pass + +verify EE3:CA33 + cert RootCA: + cert CA1:RootCA + cert CA32:CA1 + cert CA33:CA32 + trust RootCA: + policy OID.1.0 + result fail + +verify EE3:CA33 + cert RootCA: + cert CA1:RootCA + cert CA32:CA1 + cert CA33:CA32 + trust RootCA: + policy OID.2.0 + result fail + +verify EE3:CA33 + cert RootCA: + cert CA1:RootCA + cert CA32:CA1 + cert CA33:CA32 + trust RootCA: + policy OID.2.5.29.32.0 + result fail + +verify EE3:CA33 + cert RootCA: + cert CA1:RootCA + cert CA32:CA1 + cert CA33:CA32 + trust RootCA: + result pass + +verify EE4:CA43 + cert RootCA: + cert CA1:RootCA + cert CA42:CA1 + cert CA43:CA42 + trust RootCA: + policy OID.1.0 + result pass + +verify EE4:CA43 + cert RootCA: + cert CA1:RootCA + cert CA42:CA1 + cert CA43:CA42 + trust RootCA: + policy OID.2.0 + result fail + +verify EE4:CA43 + cert RootCA: + cert CA1:RootCA + cert CA42:CA1 + cert CA43:CA42 + trust RootCA: + policy OID.2.5.29.32.0 + result pass + +verify EE5:CA53 + cert RootCA: + cert 
CA1:RootCA + cert CA52:CA1 + cert CA53:CA52 + trust RootCA: + policy OID.1.0 + result fail + +verify EE5:CA53 + cert RootCA: + cert CA1:RootCA + cert CA52:CA1 + cert CA53:CA52 + trust RootCA: + policy OID.2.0 + result fail + +verify EE5:CA53 + cert RootCA: + cert CA1:RootCA + cert CA52:CA1 + cert CA53:CA52 + trust RootCA: + policy OID.2.5.29.32.0 + result fail + +verify EE5:CA53 + cert RootCA: + cert CA1:RootCA + cert CA52:CA1 + cert CA53:CA52 + trust RootCA: + result pass + +verify EE62:CA62 + cert RootCA: + cert CA61:RootCA + cert CA62:CA61 + cert CA63:CA62 + cert CA64:CA63 + cert CA65:CA64 + cert CA66:CA65 + cert CA67:CA66 + trust RootCA: + policy OID.1.0 + result pass + +verify EE63:CA63 + cert RootCA: + cert CA61:RootCA + cert CA62:CA61 + cert CA63:CA62 + cert CA64:CA63 + cert CA65:CA64 + cert CA66:CA65 + cert CA67:CA66 + trust RootCA: + policy OID.1.0 + result pass + +verify EE64:CA64 + cert RootCA: + cert CA61:RootCA + cert CA62:CA61 + cert CA63:CA62 + cert CA64:CA63 + cert CA65:CA64 + cert CA66:CA65 + cert CA67:CA66 + trust RootCA: + policy OID.1.0 + result pass + +verify EE65:CA65 + cert RootCA: + cert CA61:RootCA + cert CA62:CA61 + cert CA63:CA62 + cert CA64:CA63 + cert CA65:CA64 + cert CA66:CA65 + cert CA67:CA66 + trust RootCA: + policy OID.1.0 + result pass + +verify EE66:CA66 + cert RootCA: + cert CA61:RootCA + cert CA62:CA61 + cert CA63:CA62 + cert CA64:CA63 + cert CA65:CA64 + cert CA66:CA65 + cert CA67:CA66 + trust RootCA: + policy OID.1.0 + result pass + +verify EE67:CA67 + cert RootCA: + cert CA61:RootCA + cert CA62:CA61 + cert CA63:CA62 + cert CA64:CA63 + cert CA65:CA64 + cert CA66:CA65 + cert CA67:CA66 + trust RootCA: + policy OID.1.0 + result fail + diff --git a/security/nss/tests/chains/scenarios/bridge.cfg b/security/nss/tests/chains/scenarios/bridge.cfg new file mode 100644 index 000000000..14dba6adc --- /dev/null +++ b/security/nss/tests/chains/scenarios/bridge.cfg 
@@ -0,0 +1,106 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +scenario Bridge + +entity Army + type Root + +entity Navy + type Root + +entity Bridge + type Bridge + issuer Army + issuer Navy + +entity User + type EE + issuer Bridge + +db All + +import Army:: +import Navy:: + +verify User:Bridge + cert Bridge:Navy + trust Navy + result pass + +verify User:Bridge + cert Bridge:Army + trust Army + result pass + +verify User:Bridge + cert Bridge:Navy + trust Army + result fail + +import Bridge:Army: +import Bridge:Navy: + +verify User:Bridge + trust Army + result pass + +verify User:Bridge + trust Navy + result pass + +db ArmyOnly + +import Army::C,, + +verify User:Bridge + result fail + +verify User:Bridge + cert Bridge:Navy + result fail + +verify User:Bridge + cert Bridge:Navy + cert Navy: + result fail + +verify User:Bridge + cert Bridge:Navy + cert Navy: + trust Navy: + result pass + +verify User:Bridge + cert Bridge:Navy + trust Navy: + result pass + +db NavyOnly + +import Navy::C,, + +verify User:Bridge + result fail + +verify User:Bridge + cert Bridge:Army + result fail + +verify User:Bridge + cert Bridge:Army + cert Army: + result fail + +verify User:Bridge + cert Bridge:Army + cert Army: + trust Army: + result pass + +verify User:Bridge + cert Bridge:Army + trust Army: + result pass + diff --git a/security/nss/tests/chains/scenarios/bridgewithaia.cfg b/security/nss/tests/chains/scenarios/bridgewithaia.cfg new file mode 100644 index 000000000..640edb87a --- /dev/null +++ b/security/nss/tests/chains/scenarios/bridgewithaia.cfg 
@@ -0,0 +1,54 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario BridgeWithAIA
+
+entity Army
+ type Root
+
+entity Navy
+ type Root
+
+entity Bridge
+ type Bridge
+ issuer Army
+ issuer Navy
+
+entity CA1
+ type Intermediate
+ issuer Bridge
+ aia Bridge
+
+entity EE1
+ type EE
+ issuer CA1
+
+testdb EE1
+
+verify EE1:CA1
+ cert CA1:Bridge
+ trust Army:
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ trust Army:
+ fetch
+# should pass, bug 435314
+# temporary result - test fails only with dbm cert db
+ result dbm:fail all:pass
+
+verify EE1:CA1
+ cert CA1:Bridge
+ trust Navy:
+ fetch
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:Army
+ trust Navy:
+ fetch
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/bridgewithhalfaia.cfg b/security/nss/tests/chains/scenarios/bridgewithhalfaia.cfg
new file mode 100644
index 000000000..914828ea1
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/bridgewithhalfaia.cfg
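Review bot: The second verify block pins `result dbm:fail all:pass` with only "temporary result" to explain it, so when bug 435314 is fixed a dbm pass will read as a regression and nothing in the file says what is supposed to change; bridgewithhalfaia.cfg (next hunk) carries the identical block, and mapping.cfg, mapping2.cfg and the last two blocks of ocsp.cfg in this diff pin known-wrong results the same way. Suggest replacing the two comment lines with `# TODO(bug 435314): AIA fetch through the bridge wrongly fails on the dbm backend;` / `# drop the dbm:fail alternative once fixed - a dbm pass here is the fix landing, not a regression`. A pinned expectation that is documented as wrong should always say what the correct result is and when the pin may be removed.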
@@ -0,0 +1,89 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario BridgeWithHalfAIA
+
+entity Army
+ type Root
+
+entity Navy
+ type Root
+
+entity Bridge
+ type Bridge
+ issuer Army
+ issuer Navy
+
+entity CA1
+ type Intermediate
+ issuer Bridge
+ aia Bridge
+
+entity EE1
+ type EE
+ issuer CA1
+
+entity CA2
+ type Intermediate
+ issuer Bridge
+ aia Bridge:Navy
+
+entity EE2
+ type EE
+ issuer CA2
+
+testdb EE1
+
+verify EE1:CA1
+ cert CA1:Bridge
+ trust Army:
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ trust Army:
+ fetch
+# should pass, bug 435314
+# temporary result - test fails only with dbm cert db
+ result dbm:fail all:pass
+
+verify EE1:CA1
+ cert CA1:Bridge
+ trust Navy:
+ fetch
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:Army
+ trust Navy:
+ fetch
+ result pass
+
+verify EE2:CA2
+ cert Bridge:Army
+ trust Army:
+ fetch
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:Army
+ trust Army:
+ fetch
+ result pass
+
+verify EE2:CA2
+ cert CA2:Bridge
+ trust Navy:
+ fetch
+ result pass
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:Army
+ trust Navy:
+ fetch
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/bridgewithpolicyextensionandmapping.cfg b/security/nss/tests/chains/scenarios/bridgewithpolicyextensionandmapping.cfg
new file mode 100644
index 000000000..f7554cabc
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/bridgewithpolicyextensionandmapping.cfg
@@ -0,0 +1,187 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario BridgeWithPolicyExtensionAndMapping
+
+entity Army
+ type Root
+
+entity Navy
+ type Root
+
+entity CAArmy
+ type Intermediate
+ issuer Army
+ policy OID.1.0
+ policy OID.1.1
+
+entity CANavy
+ type Intermediate
+ issuer Navy
+ policy OID.2.0
+ policy OID.2.1
+
+entity Bridge
+ type Bridge
+ issuer CAArmy
+ policy OID.1.0
+ policy OID.1.1
+ mapping OID.1.1:OID.2.1
+ issuer CANavy
+ policy OID.2.0
+ policy OID.2.1
+ mapping OID.2.1:OID.1.1
+
+entity CA1
+ type Intermediate
+ issuer Bridge
+ policy OID.1.1
+ policy OID.2.1
+
+entity CA2
+ type Intermediate
+ issuer Bridge
+ policy OID.1.0
+ policy OID.2.0
+
+entity EE1
+ type EE
+ issuer CA1
+ policy OID.2.1
+
+entity EE2
+ type EE
+ issuer CA2
+ policy OID.2.0
+
+testdb
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.1.0
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.1.1
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.2.0
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.2.1
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.1.0
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.1.1
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.2.0
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.2.1
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.1.0
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.1.1
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.2.0
+ result pass
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.2.1
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.1.0
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.1.1
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.2.0
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.2.1
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/crldp.cfg b/security/nss/tests/chains/scenarios/crldp.cfg
new file mode 100644
index 000000000..a9949ae40
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/crldp.cfg
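Review bot: None of the sixteen verify blocks says why its result is expected, and the CANavy-side failures for EE1 are the least obvious: if Bridge's `mapping OID.2.1:OID.1.1` on the CANavy-issued certificate is what makes EE1's lone OID.2.1 miss below the bridge, a comment such as `# Bridge:CANavy maps OID.2.1 to OID.1.1, so EE1 (OID.2.1 only) never matches under this path` before the fifth block would let a reader check the expectations rather than trust them. The EE2 blocks need the same treatment, since only the CANavy/OID.2.0 path passes. Presumably the results were recorded from the implementation's behaviour rather than derived by hand from policy-mapping rules; a header line stating which would tell a future maintainer whether a changed result is a regression or a correction.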
@@ -0,0 +1,105 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario CRLDP
+
+entity Root
+ type Root
+
+entity CA0
+ type Intermediate
+ issuer Root
+
+entity CA1
+ type Intermediate
+ crldp CA0
+ issuer CA0
+ serial 10
+ aia CA0:Root
+
+entity EE11
+ type EE
+ crldp CA0
+ issuer CA1
+
+entity CA2
+ type Intermediate
+ crldp CA0
+ issuer CA0
+ serial 20
+ aia CA0:Root
+
+entity EE21
+ type EE
+ issuer CA2
+
+entity EE1
+ type EE
+ crldp CA0
+ issuer CA0
+ serial 30
+ aia CA0:Root
+
+entity EE2
+ type EE
+ crldp CA0
+ issuer CA0
+ serial 40
+ aia CA0:Root
+
+crl Root
+crl CA0
+crl CA1
+crl CA2
+
+revoke CA0
+ serial 20
+
+revoke CA0
+ serial 40
+
+copycrl CA0
+
+db All
+
+import Root::CTu,CTu,CTu
+
+# intermediate CA - OK, EE - OK
+verify EE11:CA1
+ cert CA1:CA0
+ trust Root:
+ fetch
+ rev_type chain
+ rev_flags requireFreshInfo
+ rev_mtype crl
+ result pass
+
+# intermediate CA - revoked, EE - OK
+verify EE21:CA2
+ cert CA2:CA0
+ trust Root:
+ fetch
+ rev_type chain
+ rev_flags requireFreshInfo
+ rev_mtype crl
+ result fail
+
+# direct EE - OK
+verify EE1:CA0
+ trust Root:
+ fetch
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype crl
+ result pass
+
+# direct EE - revoked
+verify EE2:CA0
+ trust Root:
+ fetch
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype crl
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/dsa.cfg b/security/nss/tests/chains/scenarios/dsa.cfg
new file mode 100644
index 000000000..896e455fe
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/dsa.cfg
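Review bot: The EE21 block (second verify) cannot show that the revoked intermediate is what makes the chain fail, because EE21 is the only end entity defined without a `crldp` line while the check runs with `rev_flags requireFreshInfo`; a leaf with no fresh revocation source would fail just as well, so the test passes for the wrong reason if the CA2 check is ever lost. Giving EE21 `crldp CA0` like EE11, so that only CA2's status differs between the first two blocks, would pin the intended cause. The direct-EE blocks are fine: EE1 and EE2 differ only in whether `revoke CA0` names their serial.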
@@ -0,0 +1,72 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario DSA
+
+entity Root
+ type Root
+ ctype dsa
+
+entity CA1
+ type Intermediate
+ issuer Root
+ ctype dsa
+
+entity EE1
+ type EE
+ issuer CA1
+ ctype dsa
+
+entity CA2
+ type Intermediate
+ issuer Root
+ ctype dsa
+
+entity EE2
+ type EE
+ issuer CA2
+ ctype rsa
+
+entity CA3
+ type Intermediate
+ issuer Root
+ ctype rsa
+
+entity EE3
+ type EE
+ issuer CA3
+ ctype dsa
+
+entity CA4
+ type Intermediate
+ issuer Root
+ ctype rsa
+
+entity EE4
+ type EE
+ issuer CA4
+ ctype rsa
+
+db All
+
+verify EE1:CA1
+ cert CA1:Root
+ trust Root:
+ result pass
+
+verify EE2:CA2
+ cert CA2:Root
+ trust Root:
+ result pass
+
+verify EE3:CA3
+ cert CA3:Root
+ trust Root:
+ result pass
+
+verify EE4:CA4
+ cert CA4:Root
+ trust Root:
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/explicitPolicy.cfg b/security/nss/tests/chains/scenarios/explicitPolicy.cfg
new file mode 100644
index 000000000..20f79c45b
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/explicitPolicy.cfg
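Review bot: All four verify blocks expect `result pass`, so the scenario never shows that a DSA signature is actually checked rather than skipped: a verifier that accepted any DSA-signed certificate would pass this file unchanged. A negative case — for example EE1 verified against the wrong issuer, `verify EE1:CA1` with `cert CA2:Root` and `result fail` — would pin that the DSA signature over the chain matters. A one-line comment per block naming the key-type mix (e.g. `# DSA root, DSA intermediate, RSA leaf`) would also make the purpose of the four combinations visible without reading the entity list.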
@@ -0,0 +1,78 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario explicitPolicy
+
+entity Root
+ type Root
+
+entity nonEVCA
+ type Intermediate
+ issuer Root
+
+entity EVCA
+ type Intermediate
+ issuer Root
+ policy OID.1.0
+
+entity otherEVCA
+ type Intermediate
+ issuer Root
+ policy OID.2.0
+
+entity validEV
+ type EE
+ issuer EVCA
+ policy OID.1.0
+
+entity invalidEV
+ type EE
+ issuer nonEVCA
+ policy OID.1.0
+
+entity wrongEVOID
+ type EE
+ issuer otherEVCA
+ policy OID.1.0
+
+db All
+
+verify validEV:EVCA
+ cert EVCA:Root
+ cert Root:
+ trust Root:
+ policy OID.1.0
+ result pass
+
+verify invalidEV:nonEVCA
+ cert nonEVCA:Root
+ cert Root:
+ trust Root:
+ policy OID.1.0
+ result fail
+
+verify wrongEVOID:otherEVCA
+ cert otherEVCA:Root
+ cert Root:
+ trust Root:
+ policy OID.1.0
+ result fail
+
+import Root::C,C,C
+
+verify validEV:EVCA
+ cert EVCA:Root
+ policy OID.1.0
+ result pass
+
+verify invalidEV:nonEVCA
+ cert nonEVCA:Root
+ policy OID.1.0
+ result fail
+
+verify wrongEVOID:otherEVCA
+ cert otherEVCA:Root
+ policy OID.1.0
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/extension.cfg b/security/nss/tests/chains/scenarios/extension.cfg
new file mode 100644
index 000000000..fd1c3a0da
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/extension.cfg
@@ -0,0 +1,102 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Extension
+
+entity Root
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer Root
+ policy OID.1.0
+
+entity CA2
+ type Intermediate
+ issuer CA1
+ policy OID.1.0
+
+entity User
+ type EE
+ issuer CA2
+ policy OID.1.0
+
+db All
+
+verify User:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ cert Root:
+ trust Root:
+ policy OID.1.0
+ result pass
+
+verify User:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ cert Root:
+ trust Root:
+ policy OID.2.0
+ result fail
+
+verify User:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ trust CA1:Root
+ policy OID.1.0
+ result pass
+
+verify User:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ trust CA1:Root
+ policy OID.2.0
+ result fail
+
+verify User:CA2
+ cert CA2:CA1
+ trust CA2:CA1
+ policy OID.1.0
+ result pass
+
+verify User:CA2
+ cert CA2:CA1
+ trust CA2:CA1
+ policy OID.2.0
+ result fail
+
+import Root::
+import CA1:Root:
+import CA2:CA1:
+
+verify User:CA2
+ trust Root
+ policy OID.1.0
+ result pass
+
+verify User:CA2
+ trust Root
+ policy OID.2.0
+ result fail
+
+verify User:CA2
+ trust CA1
+ policy OID.1.0
+ result pass
+
+verify User:CA2
+ trust CA1
+ policy OID.2.0
+ result fail
+
+verify User:CA2
+ trust CA2
+ policy OID.1.0
+ result pass
+
+verify User:CA2
+ trust CA2
+ policy OID.2.0
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/extension2.cfg b/security/nss/tests/chains/scenarios/extension2.cfg
new file mode 100644
index 000000000..9a6a7cd2d
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/extension2.cfg
@@ -0,0 +1,140 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Extension2
+
+entity Root
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer Root
+ policy OID.1.0
+ policy OID.2.0
+
+entity CA2
+ type Intermediate
+ issuer CA1
+ policy OID.1.0
+ policy OID.2.0
+
+entity User1
+ type EE
+ issuer CA2
+ policy OID.1.0
+
+entity User2
+ type EE
+ issuer CA2
+ policy OID.1.0
+ policy OID.2.0
+
+db All
+
+verify User1:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ cert Root:
+ trust Root:
+ policy OID.1.0
+ result pass
+
+verify User1:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ cert Root:
+ trust Root:
+ policy OID.2.0
+ result fail
+
+verify User1:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ trust CA1:Root
+ policy OID.1.0
+ result pass
+
+verify User1:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ trust CA1:Root
+ policy OID.2.0
+ result fail
+
+verify User1:CA2
+ cert CA2:CA1
+ trust CA2:CA1
+ policy OID.1.0
+ result pass
+
+verify User1:CA2
+ cert CA2:CA1
+ trust CA2:CA1
+ policy OID.2.0
+ result fail
+
+import Root::
+import CA1:Root:
+import CA2:CA1:
+
+verify User1:CA2
+ trust Root
+ policy OID.1.0
+ result pass
+
+verify User1:CA2
+ trust Root
+ policy OID.2.0
+ result fail
+
+verify User1:CA2
+ trust CA1
+ policy OID.1.0
+ result pass
+
+verify User1:CA2
+ trust CA1
+ policy OID.2.0
+ result fail
+
+verify User1:CA2
+ trust CA2
+ policy OID.1.0
+ result pass
+
+verify User1:CA2
+ trust CA2
+ policy OID.2.0
+ result fail
+
+verify User2:CA2
+ trust Root
+ policy OID.1.0
+ result pass
+
+verify User2:CA2
+ trust Root
+ policy OID.2.0
+ result pass
+
+verify User2:CA2
+ trust CA1
+ policy OID.1.0
+ result pass
+
+verify User2:CA2
+ trust CA1
+ policy OID.2.0
+ result pass
+
+verify User2:CA2
+ trust CA2
+ policy OID.1.0
+ result pass
+
+verify User2:CA2
+ trust CA2
+ policy OID.2.0
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/mapping.cfg b/security/nss/tests/chains/scenarios/mapping.cfg
new file mode 100644
index 000000000..d4e4a296d
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/mapping.cfg
@@ -0,0 +1,63 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Mapping
+
+entity Root
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer Root
+ policy OID.1.0
+ mapping OID.1.0:OID.1.1
+
+entity CA2
+ type Intermediate
+ issuer CA1
+ policy OID.1.1
+
+entity User
+ type EE
+ issuer CA2
+ policy OID.1.1
+
+db All
+
+import Root::
+import CA1:Root:
+import CA2:CA1:
+
+verify User:CA2
+ trust Root
+ policy OID.1.0
+# should fail, bug 430859
+ result pass
+
+verify User:CA2
+ trust Root
+ policy OID.1.1
+# should pass, bug 430859
+ result fail
+
+verify User:CA2
+ trust CA1
+ policy OID.1.0
+ result fail
+
+verify User:CA2
+ trust CA1
+ policy OID.1.1
+ result pass
+
+verify User:CA2
+ trust CA2
+ policy OID.1.0
+ result fail
+
+verify User:CA2
+ trust CA2
+ policy OID.1.1
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/mapping2.cfg b/security/nss/tests/chains/scenarios/mapping2.cfg
new file mode 100644
index 000000000..cae1daf07
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/mapping2.cfg
@@ -0,0 +1,71 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Mapping2
+
+entity Root
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer Root
+ policy OID.1.0
+
+entity CA2
+ type Intermediate
+ issuer CA1
+ policy OID.1.0
+ mapping OID.1.0:OID.1.1
+
+entity CA3
+ type Intermediate
+ issuer CA2
+ policy OID.1.1
+
+entity User
+ type EE
+ issuer CA3
+ policy OID.1.1
+
+db All
+
+import Root::
+import CA1:Root:
+import CA2:CA1:
+import CA3:CA2:
+
+verify User:CA3
+ trust Root
+ policy OID.1.0
+# should fail, bug 430859
+ result pass
+
+verify User:CA3
+ trust Root
+ policy OID.1.1
+# should pass, bug 430859
+ result fail
+
+verify User:CA3
+ trust CA1
+ policy OID.1.0
+# should fail, bug 430859
+ result pass
+
+verify User:CA3
+ trust CA1
+ policy OID.1.1
+# should pass, bug 430859
+ result fail
+
+verify User:CA3
+ trust CA2
+ policy OID.1.0
+ result fail
+
+verify User:CA3
+ trust CA2
+ policy OID.1.1
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/megabridge_3_2.cfg b/security/nss/tests/chains/scenarios/megabridge_3_2.cfg
new file mode 100644
index 000000000..f1d4545fc
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/megabridge_3_2.cfg
@@ -0,0 +1,130 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario MegaBridge_3_2
+
+entity Root1
+ type Root
+
+entity Root2
+ type Root
+
+entity Root3
+ type Root
+
+entity Root4
+ type Root
+
+entity Root5
+ type Root
+
+entity Root6
+ type Root
+
+entity Root7
+ type Root
+
+entity Root8
+ type Root
+
+entity Root9
+ type Root
+
+entity Bridge11
+ type Bridge
+ issuer Root1
+ issuer Root2
+ issuer Root3
+
+entity Bridge12
+ type Bridge
+ issuer Root4
+ issuer Root5
+ issuer Root6
+
+entity Bridge13
+ type Bridge
+ issuer Root7
+ issuer Root8
+ issuer Root9
+
+entity Bridge21
+ type Bridge
+ issuer Bridge11
+ issuer Bridge12
+ issuer Bridge13
+
+entity CA1
+ type Intermediate
+ issuer Bridge21
+
+entity EE1
+ type EE
+ issuer CA1
+
+testdb EE1
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge11
+ cert Bridge11:Root1
+ trust Root1:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge11
+ cert Bridge11:Root2
+ trust Root2:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge11
+ cert Bridge11:Root3
+ trust Root3:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge12
+ cert Bridge12:Root4
+ trust Root4:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge12
+ cert Bridge12:Root5
+ trust Root5:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge12
+ cert Bridge12:Root6
+ trust Root6:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge13
+ cert Bridge13:Root7
+ trust Root7:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge13
+ cert Bridge13:Root8
+ trust Root8:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge13
+ cert Bridge13:Root9
+ trust Root9:
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/method.cfg b/security/nss/tests/chains/scenarios/method.cfg
new file mode 100644
index 000000000..4223c39cc
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/method.cfg
@@ -0,0 +1,25 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Method
+
+check_ocsp OCSPEE11OCSPCA1:d
+
+testdb ../OCSPD/Client
+
+#EE - OK, CA - OK
+verify OCSPEE11OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result pass
+
+#EE - revoked, CA - OK
+verify OCSPEE12OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result fail
diff --git a/security/nss/tests/chains/scenarios/nameconstraints.cfg b/security/nss/tests/chains/scenarios/nameconstraints.cfg
new file mode 100644
index 000000000..6eda441ce
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/nameconstraints.cfg
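Review bot: `testdb ../OCSPD/Client` and the OCSPEE11/OCSPCA1 names tie this scenario to the databases that ocspd.cfg builds and to a running responder, but nothing in the file says so, and method.cfg is also absent from the `scenarios` list later in this diff, so the dependency is invisible to whoever runs it. A header comment such as `# Requires the OCSPD scenario (ocspd.cfg) to have been run first, with its httpserv responder still up` would cover both points. The two verify blocks also omit the `trust` line that the otherwise identical blocks in ocsp.cfg carry; if that relies on the trust flags imported into ../OCSPD/Client, a comment saying so would keep the two files from drifting apart.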
@@ -0,0 +1,161 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario TrustAnchors
+
+db trustanchors
+
+import NameConstraints.ca:x:CT,C,C
+# Name Constrained CA: Name constrained to permited DNSName ".example"
+import NameConstraints.ncca:x:CT,C,C
+import NameConstraints.dcisscopy:x:CT,C,C
+
+# Intermediate 1: Name constrained to permited DNSName ".example"
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
+# altDNS: test.invalid
+# Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server1:x
+ cert NameConstraints.intermediate:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN
+# Fail: CN not in name constraints
+verify NameConstraints.server2:x
+ cert NameConstraints.intermediate:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"
+# altDNS: test.example
+verify NameConstraints.server3:x
+ cert NameConstraints.intermediate:x
+ result pass
+
+# Intermediate 2: No name constraints, signed by Intermediate 1 (inherits name constraints)
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
+# altDNS: test.invalid
+# Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server4:x
+ cert NameConstraints.intermediate2:x
+ cert NameConstraints.intermediate:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN
+# Fail: CN not in name constraints
+verify NameConstraints.server5:x
+ cert NameConstraints.intermediate2:x
+ cert NameConstraints.intermediate:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"
+# altDNS: test.example
+verify NameConstraints.server6:x
+ cert NameConstraints.intermediate2:x
+ cert NameConstraints.intermediate:x
+ result pass
+
+# Intermediate 3: Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=NSS Intermediate CA3"
+# Name constrained to a permitted DirectoryName of "C=US, ST=CA, O=Foo"
+# and a permitted DNSName of "foo.example"
+
+# Intermediate 4: Subject: "C=US, ST=CA, O=Foo, CN=NSS Intermediate CA 2"
+# No name constraints present
+# Signed by Intermediate 3 (inherits name constraints)
+
+# Subject: "C=US, ST=CA, O=Foo, OU=bar, CN=bat.foo.example", no SAN
+verify NameConstraints.server7:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result pass
+
+# Subject: "C=US, ST=CA, O=Foo, CN=bat.foo.example", no SAN
+verify NameConstraints.server8:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result pass
+
+# Subject: "C=US, O=Foo, CN=bat.foo.example", no SAN
+# Fail: ST is missing in the DirectoryName, thus not matching name constraints
+verify NameConstraints.server9:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=bar.example"
+# Fail: CN not in name constraints
+verify NameConstraints.server10:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=site.example"
+# altDNS:foo.example
+# Pass: Ignores CN constraint name violation because SAN is present
+verify NameConstraints.server11:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result pass
+
+# Subject: "C=US, ST=CA, O=Foo, CN=Honest Achmed"
+# Fail: CN does not match DNS name constraints - even though is not 'DNS shaped'
+verify NameConstraints.server12:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Intermediate 5: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA 2"
+# No name constraints present
+# Signed by Intermediate 3.
+# Intermediate 5's subject is not in Intermediate 3's permitted
+# names, so all certs issued by it are invalid.
+
+# Subject: "C=US, ST=CA, O=OtherOrg, CN=bat.foo.example"
+# Fail: Org matches Intermediate 5's name constraints, but does not match
+# Intermediate 3' name constraints
+verify NameConstraints.server13:x
+ cert NameConstraints.intermediate5:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=another.foo.example"
+# Fail: Matches Intermediate 5's name constraints, but fails because
+# Intermediate 5 does not match Intermediate 3's name constraints
+verify NameConstraints.server14:x
+ cert NameConstraints.intermediate5:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Intermediate 6: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA6"
+# No name constraints present
+# Signed by Named Constrained CA (inherits root name constraints)
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=testfoo.invalid"
+# altDNS: testfoo.invalid
+# Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server15:x
+ cert NameConstraints.intermediate6:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test3.invalid", no SAN
+# Fail: CN not in name constraints
+verify NameConstraints.server16:x
+ cert NameConstraints.intermediate6:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test4.example"
+# altDNS: test4.example
+verify NameConstraints.server17:x
+ cert NameConstraints.intermediate6:x
+ result pass
+
+# Subject: "C = US, ST=CA, O=Foo CN=foo.example.com"
+verify NameConstraints.dcissblocked:x
+ result fail
+
+# Subject: "C = US, ST=CA, O=Foo CN=foo.example.fr"
+verify NameConstraints.dcissallowed:x
+ result pass
+
+
diff --git a/security/nss/tests/chains/scenarios/ocsp.cfg b/security/nss/tests/chains/scenarios/ocsp.cfg
new file mode 100644
index 000000000..cdfff89fe
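Review bot: The file declares `scenario TrustAnchors`, the same name trustanchors.cfg in this diff uses, so log lines and result summaries of the two scenarios become indistinguishable; it should read `scenario NameConstraints` (and `db trustanchors` presumably wants a matching name, unless sharing the database is intended, in which case a comment should say so). The comments spell "permited" twice, and the two subjects at the end lack the comma before `CN=`. The dcissblocked/dcissallowed blocks are the only verifies without a `cert` line and without a "Fail:"/"Pass:" reason; a line like `# NameConstraints.dcisscopy is imported above as a constrained trust anchor; .com is outside its permitted names, .fr inside` (if that is what the cert encodes) would make those two expectations as checkable as the rest.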
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/ocsp.cfg
@@ -0,0 +1,177 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario OCSP
+
+check_ocsp OCSPEE11OCSPCA1:d
+
+db OCSPRoot
+import OCSPRoot:d:CT,C,C
+
+db OCSPCA1
+import_key OCSPCA1
+
+crl OCSPCA1
+
+revoke OCSPCA1
+ serial 3
+
+revoke OCSPCA1
+ serial 4
+
+testdb OCSPRoot
+
+#EE - OK, CA - OK
+verify OCSPEE11OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result pass
+
+#EE - revoked, CA - OK
+verify OCSPEE12OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result fail
+
+#EE - unknown
+verify OCSPEE15OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_mtype ocsp
+ result pass
+
+#EE - unknown, requireFreshInfo
+verify OCSPEE15OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result fail
+
+#EE - OK, CA - revoked, leaf, no fresh info
+verify OCSPEE21OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_mtype ocsp
+ result pass
+
+#EE - OK, CA - revoked, leaf, requireFreshInfo
+verify OCSPEE21OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result fail
+
+#EE - OK, CA - revoked, chain, requireFreshInfo
+verify OCSPEE21OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
+ trust OCSPRoot
+ rev_type chain
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result fail
+
+#EE - OK, CA - unknown
+verify OCSPEE31OCSPCA3:d
+ cert OCSPCA3OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_mtype ocsp
+ result pass
+
+#EE - OK, CA - unknown, requireFreshInfo
+verify OCSPEE31OCSPCA3:d
+ cert OCSPCA3OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result fail
+
+#EE - revoked, doNotUse
+verify OCSPEE12OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_mtype ocsp
+ rev_mflags doNotUse
+ result pass
+
+#EE - revoked, forbidFetching
+verify OCSPEE12OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_mtype ocsp
+ rev_mflags forbidFetching
+ result pass
+
+#EE - unknown status, failIfNoInfo
+verify OCSPEE15OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_mtype ocsp
+ rev_mflags failIfNoInfo
+ result fail
+
+#EE - OK, CA - revoked, leaf, failIfNoInfo
+verify OCSPEE21OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_mtype ocsp
+ rev_mflags failIfNoInfo
+ result fail
+
+testdb OCSPCA1
+
+#EE - OK on OCSP, revoked locally - should fail ??
+# two things about this test: crl is not imported into the db and
+# cert 13 is not revoked by crl.
+verify OCSPEE13OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPCA1
+ rev_type leaf
+ rev_flags testLocalInfoFirst
+ rev_mtype ocsp
+ result pass
+
+db OCSPRoot1
+import OCSPRoot:d:CT,C,C
+
+verify OCSPEE23OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
+ trust OCSPRoot
+ rev_type chain
+ rev_mtype ocsp
+ rev_type leaf
+ rev_mtype ocsp
+ result fail
+
+db OCSPRoot2
+import OCSPRoot:d:T,,
+
+# bug 527438
+# expected result of this test is FAIL
+verify OCSPEE23OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
+ trust OCSPRoot
+ rev_type chain
+ rev_mtype ocsp
+ rev_type leaf
+ rev_mtype ocsp
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/ocspd.cfg b/security/nss/tests/chains/scenarios/ocspd.cfg
new file mode 100644
index 000000000..e48f9068e
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/ocspd.cfg
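Review bot: The comment above the OCSPEE13 block says "cert 13 is not revoked by crl", but this file's own `revoke OCSPCA1` / `serial 3` revokes serial 3, which is the serial ocspd.cfg in this diff assigns to OCSPEE13, so either the comment or the revoke list is stale; and the "should fail ??" wording followed by `result pass` makes the block assert an outcome its author doubted. The final block likewise pins `result pass` directly under "expected result of this test is FAIL" (bug 527438). If the behaviour is that the CRL is generated but never imported into `testdb OCSPCA1`, so `testLocalInfoFirst` finds nothing and the responder's answer wins, say exactly that: `# OCSPEE13 (serial 3) is in the generated OCSPCA1 CRL, but the CRL is not imported into this db,` / `# so testLocalInfoFirst finds no local info and the OCSP 'good' answer decides - result pass`. The two revoke lists (serials 3,4 here versus 2,4 in ocspd.cfg) also deserve a comment explaining why they differ, since the responder set up by ocspd.cfg is what the OCSP answers come from.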
@@ -0,0 +1,172 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario OCSPD
+
+#root CA
+entity OCSPRoot
+ type Root
+ export_key
+
+#CA - OK
+entity OCSPCA1
+ type Intermediate
+ issuer OCSPRoot
+ serial 1
+ ocsp online
+ export_key
+
+#CA - revoked
+entity OCSPCA2
+ type Intermediate
+ issuer OCSPRoot
+ serial 2
+ ocsp online
+ export_key
+
+#CA - unknown status
+entity OCSPCA3
+ type Intermediate
+ issuer OCSPRoot
+ serial 3
+ ocsp offline
+ export_key
+
+#EE - OK
+entity OCSPEE11
+ type EE
+ issuer OCSPCA1
+ serial 1
+ ocsp online
+
+#EE - revoked on OCSP
+entity OCSPEE12
+ type EE
+ issuer OCSPCA1
+ serial 2
+ ocsp online
+
+#EE - revoked on CRL
+entity OCSPEE13
+ type EE
+ issuer OCSPCA1
+ serial 3
+ ocsp online
+
+#EE - revoked on OCSP and CRL
+entity OCSPEE14
+ type EE
+ issuer OCSPCA1
+ serial 4
+ ocsp online
+
+#EE - unknown status
+entity OCSPEE15
+ type EE
+ issuer OCSPCA1
+ serial 5
+ ocsp offline
+
+#EE - valid EE, revoked CA
+entity OCSPEE21
+ type EE
+ issuer OCSPCA2
+ serial 1
+ ocsp online
+
+#EE - revoked EE, revoked CA
+entity OCSPEE22
+ type EE
+ issuer OCSPCA2
+ serial 2
+ ocsp online
+
+#EE - revoked EE, CA pointing to invalid OCSP
+entity OCSPEE23
+ type EE
+ issuer OCSPCA2
+ serial 3
+ ocsp offline
+
+#EE - valid EE, CA pointing to invalid OCSP
+entity OCSPEE31
+ type EE
+ issuer OCSPCA3
+ serial 1
+ ocsp online
+
+#EE - revoked EE, CA pointing to invalid OCSP
+entity OCSPEE32
+ type EE
+ issuer OCSPCA3
+ serial 2
+ ocsp online
+
+#EE - EE pointing to invalid OCSP, CA pointing to invalid OCSP
+entity OCSPEE33
+ type EE
+ issuer OCSPCA3
+ serial 3
+ ocsp offline
+
+crl OCSPRoot
+
+revoke OCSPRoot
+ serial 2
+
+crl OCSPCA1
+
+revoke OCSPCA1
+ serial 2
+
+revoke OCSPCA1
+ serial 4
+
+crl OCSPCA2
+
+revoke OCSPCA2
+ serial 2
+
+revoke OCSPCA2
+ serial 3
+
+crl OCSPCA3
+
+revoke OCSPCA3
+ serial 2
+
+revoke OCSPCA3
+ serial 3
+
+# Used for running a single OCSP server (httpserv) instance that can
+# handle multiple CAs, e.g.:
+# httpserv -p 8641 -d . -f dbpasswd \
+# -A OCSPRoot -C OCSPRoot.crl -A OCSPCA1 -C OCSPCA1.crl \
+# -A OCSPCA2 -C OCSPCA2.crl -A OCSPCA3 -C OCSPCA3.crl
+db Server
+import OCSPRoot::CT,C,C
+import_key OCSPRoot
+import_key OCSPCA1
+import_key OCSPCA2
+import_key OCSPCA3
+
+# A DB containing all certs, but no keys.
+# Useful for manual OCSP client testing, e.g.:
+# ocspclnt -d . -S OCSPEE12OCSPCA1 -u s
+db Client
+import OCSPRoot::CT,C,C
+import OCSPCA1OCSPRoot::
+import OCSPCA2OCSPRoot::
+import OCSPCA3OCSPRoot::
+import OCSPEE11OCSPCA1::
+import OCSPEE12OCSPCA1::
+import OCSPEE13OCSPCA1::
+import OCSPEE14OCSPCA1::
+import OCSPEE15OCSPCA1::
+import OCSPEE21OCSPCA2::
+import OCSPEE22OCSPCA2::
+import OCSPEE23OCSPCA2::
+import OCSPEE31OCSPCA3::
+import OCSPEE32OCSPCA3::
+import OCSPEE33OCSPCA3::
diff --git a/security/nss/tests/chains/scenarios/realcerts.cfg b/security/nss/tests/chains/scenarios/realcerts.cfg
new file mode 100644
index 000000000..d2a8c7143
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/realcerts.cfg
@@ -0,0 +1,29 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario RealCerts
+
+db All
+
+import TestCA.ca:x:CT,C,C
+import TestUser50:x:
+import TestUser51:x:
+import PayPalRootCA:x:CT,C,C
+import PayPalICA:x:
+import PayPalEE:x:
+import BrAirWaysBadSig:x:
+
+verify TestUser50:x
+ result pass
+
+verify TestUser51:x
+ result pass
+
+verify PayPalEE:x
+ policy OID.2.16.840.1.114412.1.1
+ result pass
+
+verify BrAirWaysBadSig:x
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/revoc.cfg b/security/nss/tests/chains/scenarios/revoc.cfg
new file mode 100644
index 000000000..a4ec78622
--- /dev/null
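Review bot: The entity labels disagree with the CRL they sit above: OCSPEE13 is labelled "revoked on CRL" and OCSPEE12 "revoked on OCSP", yet `crl OCSPCA1` revokes serials 2 and 4 — OCSPEE12 and OCSPEE14 — and never serial 3. Since the httpserv example in the trailing comment feeds the responder the same `OCSPCA1.crl`, the OCSP and CRL status of a certificate cannot differ here at all, so either the revoke list should name serial 3 or the labels should describe how each EE is actually used (OCSP answer versus locally imported CRL). Suggest fixing whichever is wrong and adding `# OCSP status is served from these CRLs (see httpserv line below), so "on OCSP" and "on CRL" are the same source` next to the first `crl` line.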
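Review bot: The PayPal and BrAirWaysBadSig chains are real-world certificates, so `result pass` for PayPalEE holds only while those certificates are within their validity period, unless the driver pins the verification time (not visible here); the file should state that assumption, e.g. `# real certs: PayPalRootCA/PayPalICA/PayPalEE will expire - the driver must verify at a fixed date or this block starts failing`. BrAirWaysBadSig is expected to fail, but nothing says the intended cause is a bad signature, so an expiry or missing-issuer failure would satisfy the test equally well; a comment naming the intended cause (and, if the tool reports one, the expected error) would keep the test meaningful. The same applies to the unexplained policy OID on the PayPalEE block.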
+++ b/security/nss/tests/chains/scenarios/revoc.cfg
@@ -0,0 +1,86 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Revocation
+
+entity Root
+ type Root
+ serial 10
+
+entity CA0
+ type Intermediate
+ issuer Root
+ serial 11
+
+entity CA1
+ type Intermediate
+ issuer CA0
+ serial 12
+
+entity EE11
+ type EE
+ issuer CA1
+ serial 13
+
+entity EE12
+ type EE
+ issuer CA1
+ serial 14
+
+entity CA2
+ type Intermediate
+ issuer CA0
+ serial 15
+
+entity EE21
+ type EE
+ issuer CA2
+ serial 16
+
+crl Root
+crl CA0
+crl CA1
+crl CA2
+
+revoke CA1
+ serial 14
+
+revoke CA0
+ serial 15
+
+db All
+
+import Root::CTu,CTu,CTu
+import CA0:Root:
+import CA1:CA0:
+import CA2:CA0:
+
+# EE11 - not revoked
+verify EE11:CA1
+ trust Root:
+ rev_type leaf
+ rev_mtype crl
+ result pass
+
+# EE12 - revoked
+verify EE12:CA1
+ trust Root:
+ rev_type leaf
+ rev_mtype crl
+ result fail
+
+# EE11 - CA1 not revoked
+verify EE11:CA1
+ trust Root:
+ rev_type chain
+ rev_mtype crl
+ result pass
+
+# EE21 - CA2 revoked
+verify EE21:CA2
+ trust Root:
+ rev_type chain
+ rev_mtype crl
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/scenarios b/security/nss/tests/chains/scenarios/scenarios
new file mode 100644
index 000000000..d26c3f92e
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/scenarios
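Review bot: The four verify blocks never separate `rev_type leaf` from `rev_type chain`: EE21 is only checked in chain mode (fail) and EE12 only in leaf mode (fail), so nothing shows that leaf mode ignores the revoked CA2 or that chain mode still catches a revoked end entity. Adding `verify EE21:CA2` with `rev_type leaf` (expected pass, if leaf mode is meant to consult only the end entity's CRL) and `verify EE12:CA1` with `rev_type chain` (expected fail) would pin both semantics, each with a comment like `# EE21 - leaf mode does not look at CA2's status`. Without them a verifier that treated both modes identically would pass this file.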
@@ -0,0 +1,24 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+bridge.cfg
+megabridge_3_2.cfg
+extension.cfg
+extension2.cfg
+anypolicy.cfg
+anypolicywithlevel.cfg
+explicitPolicy.cfg
+mapping.cfg
+mapping2.cfg
+aia.cfg
+bridgewithaia.cfg
+bridgewithhalfaia.cfg
+bridgewithpolicyextensionandmapping.cfg
+realcerts.cfg
+dsa.cfg
+revoc.cfg
+ocsp.cfg
+crldp.cfg
+trustanchors.cfg
+nameconstraints.cfg
diff --git a/security/nss/tests/chains/scenarios/trustanchors.cfg b/security/nss/tests/chains/scenarios/trustanchors.cfg
new file mode 100644
index 000000000..db18990ac
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/trustanchors.cfg
@@ -0,0 +1,114 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario TrustAnchors
+
+entity RootCA
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer RootCA
+
+entity CA2
+ type Intermediate
+ issuer CA1
+
+entity EE1
+ type EE
+ issuer CA2
+
+entity OtherRoot
+ type Root
+
+entity OtherIntermediate
+ type Intermediate
+ issuer OtherRoot
+
+entity EE2
+ type EE
+ issuer OtherIntermediate
+
+# Scenarios where trust only comes from the DB
+db DBOnly
+
+import RootCA::CT,C,C
+import CA1:RootCA:
+
+# Simple chaining - no trust anchors
+verify EE1:CA2
+ cert CA2:CA1
+ result pass
+
+# Simple trust anchors - ignore the Cert DB
+verify EE1:CA2
+ trust CA2:CA1
+ result pass
+
+# Redundant trust - trust anchor and DB
+verify EE1:CA2
+ cert CA2:CA1
+ trust RootCA
+ result pass
+
+
+# Scenarios where trust only comes from trust anchors
+db TrustOnly
+
+# Simple checking - direct trust anchor
+verify EE1:CA2
+ cert CA2:CA1
+ cert CA1:RootCA:
+ trust RootCA:
+ result pass
+
+# Partial chain (not self-signed), with a trust anchor
+verify EE1:CA2
+ trust CA2:CA1
+ result pass
+
+
+# Scenarios where trust comes from both trust anchors and the DB
+db TrustAndDB
+
+import RootCA::CT,C,C
+import CA1:RootCA:
+
+# Check that trust in the DB works
+verify EE1:CA2
+ cert CA2:CA1
+ result pass
+
+# Check that trust anchors work
+verify EE2:OtherIntermediate
+ cert OtherIntermediate:OtherRoot
+ trust OtherRoot:
+ result pass
+
+# Check that specifying a trust anchor still allows searching the cert DB
+verify EE1:CA2
+ trust_and_db
+ cert CA2:CA1
+ trust OtherIntermediate:OtherRoot
+ trust OtherRoot:
+ result pass
+
+# Scenarios where the trust DB has explicitly distrusted one or more certs,
+# even when the trust anchors indicate trust
+db ExplicitDistrust
+
+import RootCA::CT,C,C
+import CA1:RootCA:p,p,p
+import OtherRoot::p,p,p
+
+# Verify that a distrusted intermediate, but trusted root, is rejected.
+verify EE1:CA2
+ cert CA2:CA1
+ trust CA1:RootCA
+ result fail
+
+# Verify that a trusted intermediate, but distrusted root, is accepted.
+verify EE2:OtherIntermediate
+ trust OtherIntermediate:OtherRoot
+ result pass
diff --git a/security/nss/tests/cipher/cipher.sh b/security/nss/tests/cipher/cipher.sh
new file mode 100755
index 000000000..1d2561d9c
--- /dev/null
+++ b/security/nss/tests/cipher/cipher.sh
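Review bot: The final `verify EE2:OtherIntermediate` block codifies that a caller-supplied trust anchor wins over a `p,p,p` distrust recorded on the root above it, but its comment `# Verify that a trusted intermediate, but distrusted root, is accepted.` reads like a general override of DB distrust, which is a security-relevant contract worth stating precisely. If the pass is expected because the anchor terminates the chain before OtherRoot is ever examined (my reading, not something the file shows), say so: `# The anchor ends the chain, so OtherRoot's DB distrust is never consulted; distrust on the anchor itself is what the previous case checks.` Separately, the field syntax is inconsistent — `cert CA1:RootCA:` and `trust RootCA:` carry a trailing colon while `cert CA2:CA1`, `trust RootCA` and `trust CA1:RootCA` do not; if the trailing colon is just an empty trust-flags field, spell it the same way in every block so a reader does not wonder whether it changes the meaning.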
@@ -0,0 +1,140 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/cipher/cipher.sh +# +# Script to test NSS ciphers +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +######################################################################## + +############################## cipher_init ############################# +# local shell function to initialize this script +######################################################################## +cipher_init() +{ + SCRIPTNAME="cipher.sh" + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + if [ -z "${INIT_SOURCED}" ] ; then + cd ../common + . ./init.sh + fi + SCRIPTNAME="cipher.sh" + html_head "Cipher Tests" + + CIPHERDIR=${HOSTDIR}/cipher + CIPHERTESTDIR=${QADIR}/../cmd/bltest + GCMTESTDIR=${QADIR}/../cmd/pk11gcmtest + D_CIPHER="Cipher.$version" + + CIPHER_TXT=${QADIR}/cipher/cipher.txt + GCM_TXT=${QADIR}/cipher/gcm.txt + + mkdir -p ${CIPHERDIR} + + cd ${CIPHERDIR} + P_CIPHER=. 
+ if [ -n "${MULTIACCESS_DBM}" ]; then + P_CIPHER="multiaccess:${D_CIPHER}" + fi +} + +############################## cipher_main ############################# +# local shell function to test NSS ciphers +######################################################################## +cipher_main() +{ + while read EXP_RET PARAM TESTNAME + do + if [ -n "$EXP_RET" -a "$EXP_RET" != "#" ] ; then + PARAM=`echo $PARAM | sed -e "s/_-/ -/g"` + TESTNAME=`echo $TESTNAME | sed -e "s/_/ /g"` + echo "$SCRIPTNAME: $TESTNAME --------------------------------" + failedStr="" + inOff=0 + res=0 + while [ $inOff -lt 8 ] + do + outOff=0 + while [ $outOff -lt 8 ] + do + echo "bltest -T -m $PARAM -d $CIPHERTESTDIR -1 $inOff -2 $outOff" + ${PROFTOOL} ${BINDIR}/bltest${PROG_SUFFIX} -T -m $PARAM -d $CIPHERTESTDIR -1 $inOff -2 $outOff + if [ $? -ne 0 ]; then + failedStr="$failedStr[$inOff:$outOff]" + fi + outOff=`expr $outOff + 1` + done + inOff=`expr $inOff + 1` + done + if [ -n "$failedStr" ]; then + html_msg 1 $EXP_RET "$TESTNAME (Failed in/out offset pairs:" \ + " $failedStr)" + else + html_msg $res $EXP_RET "$TESTNAME" + fi + fi + done < ${CIPHER_TXT} +} + +############################## cipher_gcm ############################# +# local shell function to test NSS AES GCM +######################################################################## +cipher_gcm() +{ + while read EXP_RET INPUT_FILE TESTNAME + do + if [ -n "$EXP_RET" -a "$EXP_RET" != "#" ] ; then + TESTNAME=`echo $TESTNAME | sed -e "s/_/ /g"` + echo "$SCRIPTNAME: $TESTNAME --------------------------------" + echo "pk11gcmtest aes kat gcm $GCMTESTDIR/tests/$INPUT_FILE" + ${PROFTOOL} ${BINDIR}/pk11gcmtest aes kat gcm $GCMTESTDIR/tests/$INPUT_FILE + html_msg $? 
$EXP_RET "$TESTNAME" + fi + done < ${GCM_TXT} +} + +############################## cipher_cleanup ############################ +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +cipher_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +################## main ################################################# + +# When building without softoken, bltest isn't built. It was already +# built and the cipher suite run as part of an nss-softoken build. +if [ ! -x ${DIST}/${OBJDIR}/bin/bltest${PROG_SUFFIX} ]; then + echo "bltest not built, skipping this test." >> ${LOGFILE} + res=0 + html_msg $res $EXP_RET "$TESTNAME" + return 0 +fi +cipher_init +# Skip cipher_main if this an NSS without softoken build. +if [ "${NSS_BUILD_WITHOUT_SOFTOKEN}" != "1" ]; then + cipher_main +fi +# Skip cipher_gcm if this is a softoken only build. +if [ "${NSS_BUILD_SOFTOKEN_ONLY}" != "1" ]; then + cipher_gcm +fi +cipher_cleanup diff --git a/security/nss/tests/cipher/cipher.txt b/security/nss/tests/cipher/cipher.txt new file mode 100644 index 000000000..4e47a9f97 --- /dev/null +++ b/security/nss/tests/cipher/cipher.txt 
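Review bot: `cipher_gcm` invokes `${BINDIR}/pk11gcmtest` without `${PROG_SUFFIX}`, whereas the bltest call in `cipher_main` and the existence check in main both append it, so on a platform with a non-empty suffix the GCM known-answer tests fail to launch instead of running; the call should be `${PROFTOOL} ${BINDIR}/pk11gcmtest${PROG_SUFFIX} aes kat gcm $GCMTESTDIR/tests/$INPUT_FILE`. In the `bltest not built` path the script reports `html_msg $res $EXP_RET "$TESTNAME"` before `cipher_init` has run, and `EXP_RET`/`TESTNAME` are only assigned inside the `read` loops, so the row is written with empty arguments and no `html_head`; `html_msg 0 0 "cipher tests skipped: bltest not built"` would record what actually happened. Since that branch turns a missing binary into a pass, consider gating it on the build variable the comment describes (`NSS_BUILD_WITHOUT_SOFTOKEN`) so a broken build of bltest is not silently counted as success.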
@@ -0,0 +1,57 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This file defines the cipher tests
+#
+# expected
+# return bltest Test Case name
+# value params
+# ------- ---------- ---------------
+ 0 des_ecb_-E DES_ECB_Encrypt
+ 0 des_ecb_-D DES_ECB_Decrypt
+ 0 des_cbc_-E DES_CBC_Encrypt
+ 0 des_cbc_-D DES_CBC_Decrypt
+ 0 des3_ecb_-E DES3_ECB_Encrypt
+ 0 des3_ecb_-D DES3_ECB_Decrypt
+ 0 des3_cbc_-E DES3_CBC_Encrypt
+ 0 des3_cbc_-D DES3_CBC_Decrypt
+ 0 aes_ecb_-E AES_ECB_Encrypt
+ 0 aes_ecb_-D AES_ECB_Decrypt
+ 0 aes_cbc_-E AES_CBC_Encrypt
+ 0 aes_cbc_-D AES_CBC_Decrypt
+ 0 aes_ctr AES_CTR
+ 0 aes_cts AES_CTS
+ 0 aes_gcm AES_GCM
+ 0 camellia_ecb_-E Camellia_ECB_Encrypt
+ 0 camellia_ecb_-D Camellia_ECB_Decrypt
+ 0 camellia_cbc_-E Camellia_CBC_Encrypt
+ 0 camellia_cbc_-D Camellia_CBC_Decrypt
+ 0 seed_ecb_-E SEED_ECB_Encrypt
+ 0 seed_ecb_-D SEED_ECB_Decrypt
+ 0 seed_cbc_-E SEED_CBC_Encrypt
+ 0 seed_cbc_-D SEED_CBC_Decrypt
+ 0 chacha20_poly1305_-E ChaCha20_Poly1305_Encrypt
+ 0 chacha20_poly1305_-D ChaCha20_Poly1305_Decrypt
+ 0 rc2_ecb_-E RC2_ECB_Encrypt
+ 0 rc2_ecb_-D RC2_ECB_Decrypt
+ 0 rc2_cbc_-E RC2_CBC_Encrypt
+ 0 rc2_cbc_-D RC2_CBC_Decrypt
+ 0 rc4_-E RC4_Encrypt
+ 0 rc4_-D RC4_Decrypt
+ 0 rsa_-E RSA_Encrypt
+ 0 rsa_-D RSA_Decrypt
+ 0 rsa_oaep_-E RSA_EncryptOAEP
+ 0 rsa_oaep_-D RSA_DecryptOAEP
+ 0 rsa_pss_-S RSA_SignPSS
+ 0 rsa_pss_-V RSA_CheckSignPSS
+ 0 rsa_-K RSA_Populate
+ 0 dsa_-S DSA_Sign
+ 0 dsa_-V DSA_Verify
+ 0 md2_-H MD2_Hash
+ 0 md5_-H MD5_Hash
+ 0 sha1_-H SHA1_Hash
+ 0 sha224_-H SHA224_Hash
+ 0 sha256_-H SHA256_Hash
+ 0 sha384_-H SHA384_Hash
+ 0 sha512_-H SHA512_Hash
diff --git a/security/nss/tests/cipher/dsa.txt b/security/nss/tests/cipher/dsa.txt
new file mode 100644
index 000000000..f2d3401f4
--- /dev/null
+++ b/security/nss/tests/cipher/dsa.txt
@@ -0,0 +1,13 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This file enables test coverage of the dsa performance tests
+#
+#
+# mode keysize bufsize repetitions cxrepetitions
+ dsa 64 20 200 5
+ dsa 96 20 200 3
+ dsa 128 20 200 3
+ dsa 256 20 200 3
+ dsa 384 20 200 3
diff --git a/security/nss/tests/cipher/gcm.txt b/security/nss/tests/cipher/gcm.txt
new file mode 100644
index 000000000..4550faf49
--- /dev/null
+++ b/security/nss/tests/cipher/gcm.txt
@@ -0,0 +1,16 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This file defines the AES GCM tests
+#
+# expected
+# return pk11gcmtest Test Case name
+# value input file
+# ------- ---------------------- -----------------------
+ 0 gcmDecrypt128.rsp NIST_AES128_GCM_Decrypt
+ 0 gcmDecrypt192.rsp NIST_AES192_GCM_Decrypt
+ 0 gcmDecrypt256.rsp NIST_AES256_GCM_Decrypt
+ 0 gcmEncryptExtIV128.rsp NIST_AES128_GCM_Encrypt
+ 0 gcmEncryptExtIV192.rsp NIST_AES192_GCM_Encrypt
+ 0 gcmEncryptExtIV256.rsp NIST_AES256_GCM_Encrypt
diff --git a/security/nss/tests/cipher/hash.txt b/security/nss/tests/cipher/hash.txt
new file mode 100644
index 000000000..9bee5ba11
--- /dev/null
+++ b/security/nss/tests/cipher/hash.txt
@@ -0,0 +1,11 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This file enables test coverage of the cryptographic hash performance tests
+#
+#
+# mode bufsize repetitions
+ md2 10240 5000
+ md5 10240 100000
+ sha1 10240 100000
diff --git a/security/nss/tests/cipher/performance.sh b/security/nss/tests/cipher/performance.sh new file mode 100755 index 000000000..dd7c74ee2 --- /dev/null +++ b/security/nss/tests/cipher/performance.sh 
@@ -0,0 +1,156 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# This is just a quick script so we can still run our testcases. +# Longer term we need a scriptable test environment.. +# +. ../common/init.sh +CURDIR=`pwd` +if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then + CURDIR=`cygpath -m ${CURDIR}` +fi + +CIPHERDIR=${HOSTDIR}/cipher +SKTESTS=${CURDIR}/symmkey.txt +RSATESTS=${CURDIR}/rsa.txt +DSATESTS=${CURDIR}/dsa.txt +HASHTESTS=${CURDIR}/hash.txt +SKPERFOUT=${CIPHERDIR}/skperfout.data +RSAPERFOUT=${CIPHERDIR}/rsaperfout.data +DSAPERFOUT=${CIPHERDIR}/dsaperfout.data +HASHPERFOUT=${CIPHERDIR}/hashperfout.data +PERFRESULTS=${HOSTDIR}/performance.html + +echo "<HTML><BODY>" >> ${PERFRESULTS} + +mkdir -p ${CIPHERDIR} +cd ${CIPHERDIR} + +if [ -z $1 ]; then + TESTSET="all" +else + TESTSET=$1 +fi + +if [ $TESTSET = "all" -o $TESTSET = "symmkey" ]; then +echo "<TABLE BORDER=1><TR><TH COLSPAN=6>Symmetric Key Cipher Performance</TH></TR>" >> ${PERFRESULTS} +echo "<TR bgcolor=lightGreen><TH>MODE</TH><TH>INPUT SIZE (bytes)</TH><TH>SYMMETRIC KEY SIZE (bits)</TH><TH>REPETITIONS (cx/op)</TH><TH>CONTEXT CREATION TIME (ms)</TH><TH>OPERATION TIME (ms)</TH></TR>" >> ${PERFRESULTS} + +while read mode keysize bufsize reps cxreps +do + if [ $mode != "#" ]; then + echo "bltest -N -m $mode -b $bufsize -g $keysize -u $cxreps" + ${BINDIR}/bltest -N -m $mode -b $bufsize -g $keysize -u $cxreps >> ${SKPERFOUT} + mv "tmp.in.0" "$mode.in" + mv tmp.key $mode.key + if [ -f tmp.iv ]; then + mv tmp.iv $mode.iv + fi + echo "bltest -E -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -v ${CIPHERDIR}/$mode.iv -p $reps -o ${CIPHERDIR}/$mode.out" + ${BINDIR}/bltest -E -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -v ${CIPHERDIR}/$mode.iv -p $reps -o ${CIPHERDIR}/$mode.out >> ${SKPERFOUT} + 
echo "bltest -D -m $mode -i ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -v ${CIPHERDIR}/$mode.iv -p $reps -o ${CIPHERDIR}/$mode.inv" + ${BINDIR}/bltest -D -m $mode -i ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -v ${CIPHERDIR}/$mode.iv -p $reps -o ${CIPHERDIR}/$mode.inv >> ${SKPERFOUT} + fi +done < ${SKTESTS} + +while read md buf sk rps cxrps cx op +do + if [ $md != "#" ]; then + echo "<TR><TH>$md</TH><TD align=right>$buf</TD><TD align=right>$sk</TD><TD align=right>$cxrps/$rps</TD><TD align=right>$cx</TD><TD align=right>$op</TD></TR>" >> ${PERFRESULTS} + fi +done < ${SKPERFOUT} + +echo "</TABLE><BR>" >> ${PERFRESULTS} + +fi + +if [ $TESTSET = "all" -o $TESTSET = "rsa" ]; then +while read mode keysize bufsize exp reps cxreps +do + if [ $mode != "#" ]; then + echo "bltest -N -m $mode -b $bufsize -e $exp -g $keysize -u $cxreps" + ${BINDIR}/bltest -N -m $mode -b $bufsize -e $exp -g $keysize -u $cxreps >> ${RSAPERFOUT} + mv "tmp.in.0" "$mode.in" + mv tmp.key $mode.key + echo "bltest -E -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.out" + ${BINDIR}/bltest -E -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.out >> ${RSAPERFOUT} + echo "bltest -D -m $mode -i ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.inv" + ${BINDIR}/bltest -D -m $mode -i ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.inv >> ${RSAPERFOUT} + fi +done < ${RSATESTS} + +echo "<TABLE BORDER=1><TR><TH COLSPAN=7>RSA Cipher Performance</TH></TR>" >> ${PERFRESULTS} +echo "<TR bgcolor=lightGreen><TH>MODE</TH><TH>INPUT SIZE (bytes)</TH><TH>KEY SIZE (bits)</TH><TH>PUBLIC EXPONENT</TH><TH>REPETITIONS (cx/op)</TH><TH>CONTEXT CREATION TIME (ms)</TH><TH>OPERATION TIME (ms)</TH></TR>" >> ${PERFRESULTS} + +while read md buf mod pe rps cxrps cx op +do + if [ $md != "#" ]; then + echo "<TR><TH>$md</TH><TD align=right>$buf</TD><TD align=right>$mod</TD><TD 
align=right>$pe</TD><TD align=right>$cxrps/$rps</TD><TD align=right>$cx</TD><TD align=right>$op</TD></TR>" >> ${PERFRESULTS} + fi +done < ${RSAPERFOUT} + +echo "</TABLE><BR>" >> ${PERFRESULTS} +fi + +if [ $TESTSET = "all" -o $TESTSET = "dsa" ]; then + +while read mode keysize bufsize reps cxreps +do + if [ $mode != "#" ]; then + echo "bltest -N -m $mode -b $bufsize -g $keysize -u $cxreps" + ${BINDIR}/bltest -N -m $mode -b $bufsize -g $keysize -u $cxreps >> ${DSAPERFOUT} + mv "tmp.in.0" "$mode.in" + mv tmp.key $mode.key + rm -f $mode.out + echo "bltest -S -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.out" + ${BINDIR}/bltest -S -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.out >> ${DSAPERFOUT} + echo "bltest -V -m $mode -f ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -p $reps -i ${CIPHERDIR}/$mode.in -o ${CIPHERDIR}/$mode.out" + ${BINDIR}/bltest -V -m $mode -f ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -p $reps -i ${CIPHERDIR}/$mode.in -o ${CIPHERDIR}/$mode.out >> ${DSAPERFOUT} + fi +done < ${DSATESTS} + +echo "<TABLE BORDER=1><TR><TH COLSPAN=6>DSA Cipher Performance</TH></TR>" >> ${PERFRESULTS} +echo "<TR bgcolor=lightGreen><TH>MODE</TH><TH>INPUT SIZE (bytes)</TH><TH>KEY SIZE (bits)</TH><TH>REPETITIONS (cx/op)</TH><TH>CONTEXT CREATION TIME (ms)</TH><TH>OPERATION TIME (ms)</TH></TR>" >> ${PERFRESULTS} + +while read md buf mod rps cxrps cx op +do + if [ $md != "#" ]; then + echo "<TR><TH>$md</TH><TD align=right>$buf</TD><TD align=right>$mod</TD><TD align=right>$cxrps/$rps</TD><TD align=right>$cx</TD><TD align=right>$op</TD></TR>" >> ${PERFRESULTS} + fi +done < ${DSAPERFOUT} + +echo "</TABLE><BR>" >> ${PERFRESULTS} +fi + +if [ $TESTSET = "all" -o $TESTSET = "hash" ]; then +while read mode bufsize reps +do + if [ $mode != "#" ]; then + echo "bltest -N -m $mode -b $bufsize" + ${BINDIR}/bltest -N -m $mode -b $bufsize + mv "tmp.in.0" "$mode.in" + echo "bltest -H -m $mode -i 
${CIPHERDIR}/$mode.in -p $reps -o ${CIPHERDIR}/$mode.out" + ${BINDIR}/bltest -H -m $mode -i ${CIPHERDIR}/$mode.in -p $reps -o ${CIPHERDIR}/$mode.out >> ${HASHPERFOUT} + fi +done < ${HASHTESTS} + +echo "<TABLE BORDER=1><TR><TH COLSPAN=6>Hash Cipher Performance</TH></TR>" >> ${PERFRESULTS} +echo "<TR bgcolor=lightGreen><TH>MODE</TH><TH>INPUT SIZE (bytes)</TH><TH>REPETITIONS</TH><TH>OPERATION TIME (ms)</TH></TR>" >> ${PERFRESULTS} + +while read md buf rps cxrps cx op +do + if [ $md != "#" ]; then + echo "<TR><TH>$md</TH><TD align=right>$buf</TD><TD align=right>$rps</TD><TD align=right>$op</TD></TR>" >> ${PERFRESULTS} + fi +done < ${HASHPERFOUT} + +echo "</TABLE><BR>" >> ${PERFRESULTS} +fi + +#rm -f ${TEMPFILES} +cd ${CURDIR} + +echo "</BODY></HTML>" >> ${PERFRESULTS} diff --git a/security/nss/tests/cipher/rsa.txt b/security/nss/tests/cipher/rsa.txt new file mode 100644 index 000000000..aad71261b --- /dev/null +++ b/security/nss/tests/cipher/rsa.txt @@ -0,0 +1,11 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# This file enables test coverage of the rsa performance tests +# +# +# mode keysize bufsize exponent repetitions cxrepetitions + rsa 32 32 17 1000 5 + rsa 64 64 3 500 3 + rsa 128 128 65537 200 3 diff --git a/security/nss/tests/cipher/symmkey.txt b/security/nss/tests/cipher/symmkey.txt new file mode 100644 index 000000000..ad4b11ab4 --- /dev/null +++ b/security/nss/tests/cipher/symmkey.txt 
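Review bot: In the DSA loop the verify step passes the same path as both the signature input and the output, `-f ${CIPHERDIR}/$mode.out ... -o ${CIPHERDIR}/$mode.out`; if bltest opens `-o` for writing before it reads `-f` (not visible here), the signature is truncated and the timed verification runs against an empty file. Writing the verify output elsewhere, e.g. `-o ${CIPHERDIR}/$mode.vfy`, removes the dependency on bltest's open order. The `*.data` files and `performance.html` are only ever appended to (`>>`) and never cleared, so a second run in the same HOSTDIR emits every table row twice; an `rm -f ${SKPERFOUT} ${RSAPERFOUT} ${DSAPERFOUT} ${HASHPERFOUT}` after the `mkdir -p` keeps the report consistent. Minor: `if [ -z $1 ]` only works because `[ -z ]` happens to be true with a single argument — quote it as `if [ -z "$1" ]`.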
@@ -0,0 +1,36 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This file enables test coverage of the symmetric key performance tests
+#
+#
+# mode keysize bufsize repetitions cxrepetitions
+ des_ecb 8 8192 1000 100000
+ des_cbc 8 8192 1000 100000
+ des3_ecb 24 8192 1000 100000
+ des3_cbc 24 8192 1000 100000
+ rc2_ecb 5 8192 1000 100000
+ rc2_ecb 8 8192 1000 100000
+ rc2_ecb 16 8192 1000 100000
+ rc2_cbc 5 8192 1000 100000
+ rc2_cbc 8 8192 1000 100000
+ rc2_cbc 16 8192 1000 100000
+ rc4 5 8192 10000 100000
+ rc4 8 8192 10000 100000
+ rc4 16 8192 10000 100000
+ rc4 24 8192 10000 100000
+ aes_ecb 16 8192 10000 100000
+ aes_cbc 16 8192 10000 100000
+ aes_ecb 32 8192 10000 100000
+ aes_cbc 32 8192 10000 100000
+ aes_ctr 16 8192 10000 100000
+ aes_ctr 32 8192 10000 100000
+ aes_gcm 16 8192 10000 100000
+ aes_gcm 32 8192 10000 100000
+ camellia_ecb 16 8192 10000 100000
+ camellia_cbc 16 8192 10000 100000
+ camellia_ecb 32 8192 10000 100000
+ camellia_cbc 32 8192 10000 100000
+ seed_ecb 16 8192 10000 100000
+ seed_cbc 16 8192 10000 100000
diff --git a/security/nss/tests/clean_tbx b/security/nss/tests/clean_tbx
new file mode 100755
index 000000000..4de955576
--- /dev/null
+++ b/security/nss/tests/clean_tbx
@@ -0,0 +1,172 @@ +#! /bin/perl + +####################################################################### +# +# /u/sonmi/bin/clean_tbx.pl +# +# this script is supposed to remove tinderbox QA if: +# QA has passed, there are 2+ newer QA dirs of the same machine and +# platform (32/64) and it is older than 2 hours +# QA has failed, there are 2+ newer QA dirsof the same machine and +# platform (32/64) with _identical failures and it is older than +# 2 hours +# directory is older than 48 hours +# +####################################################################### + +use Time::Local; + +$ANY_TBX_KEEP_HOURS=48; +$NOT_FAILED_TBX_KEEP_HOURS=24; +$PASSED_TBX_KEEP_HOURS=2; +$IF_TBX_KEEP_HOURS=2; +$PASSED_NEWER_DIRS=2; +$IF_NEWER_DIRS=2; +$verbose = 1; + +$TBX_TESTDIR="/share/builds/mccrel3/nss/nsstip/tinderbox/tests_results/security"; +$FTP_STAGE="/u/sonmi/tmp/ftp_stage/tinderbox"; + +@tbx_dirs = (); + +$eANY_TBX_KEEP=$ANY_TBX_KEEP_HOURS*60*60; +$ePASSED_TBX_KEEP=$PASSED_TBX_KEEP_HOURS*60*60; +$eIF_TBX_KEEP=$IF_TBX_KEEP_HOURS*60*60; +$eNOT_FAILED_TBX_KEEP=$NOT_FAILED_TBX_KEEP_HOURS*60*60; + +$year, $month, $days, $hours, $minutes, $seconds; +$efulldate=0; + +$fulldate=0; + +$no_bits=""; +$last_no_bits=""; + +$host=""; +$last_host=""; + +@tbx_dirs = `ls -r $TBX_TESTDIR`; #sort first by host, + #then 64, + #then newest - oldest +debug ("found $#tbx_dirs directories "); + +($seconds, $minutes, $hours, $days, $month, $year) = localtime; + +debug ("$seconds, $minutes, $hours, $days, $month, $year"); + +$enow = timelocal(localtime); + +sub debug; +sub warning; +sub error; +sub msg; +sub init; +sub check_tbx_dirs; + +sub check_tbx_dirs +{ + my $platform_idx=0; # counts directories per platform, newest + # to oldest (ignores incomplete) + my $passed_idx=0; # counts passed directories newest to oldest + my $QAstatus="unknown"; + foreach $tbx_dir (@tbx_dirs) { + $tbx_dir =~ s/\n//g; + $fulldate = $tbx_dir; + $fulldate =~ s/^.*-(20.*-..\...$)/$1/; + $day = $month = $year = $hour = 
$min = $fulldate; + $host = $tbx_dir; + $host =~ s/-20.*//; + $no_bits = $host; + $host =~ s/64$//; + $no_bits =~ s/.*64$/64/; + $no_bits =~ s/^[^6].*/other/; + $year =~ s/(....).*/$1/; + $month =~ s/....(..).*/$1/; + $day =~ s/......(..).*/$1/; + $hour =~ s/........-(..).*/$1/; + $min =~ s/.*\.(..)$/$1/; + + + if ( -f "$TBX_TESTDIR/$tbx_dir/QAstatus" ) { + $QAstatus=`cat $TBX_TESTDIR/$tbx_dir/QAstatus 2>/dev/null`; + $QAstatus =~ s/\n$//g; + } else { + $QAstatus="unknown"; + } + + $efulldate = timelocal( 0, $min, $hour, $day, $month-1, $year-1900); + if ( "$host" !~ "$last_host" || "$no_bits" !~ "$last_no_bits" ) { + if ( $QAstatus !~ "QA running" ) { + $platform_idx = 0; + } else { + $platform_idx = -1; + } + $passed_idx = 0; + + $last_host = $host; + $last_no_bits = $no_bits; + } else { + $platform_idx ++; + $passed_idx++ if ( $QAstatus =~ "QA passed" ) ; + } + + debug ("$tbx_dir host $host date $fulldate bits $no_bits $year/$month/$day $hour:$min QAstatus $QAstatus pli $platform_idx pai $passed_idx"); + + if ( $passed_idx > $PASSED_NEWER_DIRS && $QAstatus =~ "QA passed" ) { + $ekeeptime=$efulldate + $ePASSED_TBX_KEEP; + #($s, $m, $h, $d, $mo, $y) = localtime($ekeeptime); + #debug ("$passed_idx > $PASSED_NEWER_DIRS ekeeptime ($s, $m, $h, $d, $mo, $y) == $ekeeptime"); + rm_tbx ("Passed $PASSED_TBX_KEEP_HOURS + hours old") if ( $ekeeptime <= $enow ); + } elsif ( $QAstatus !~ "QA failed" ) { + $ekeeptime=$efulldate + $eNOT_FAILED_TBX_KEEP; + rm_tbx ("Not failed $NOT_FAILED_TBX_KEEP_HOURS + hours old") if ( $ekeeptime <= $enow ); + } else { + $ekeeptime=$efulldate + $eANY_TBX_KEEP; + rm_tbx ("Passed 2+ hours old") if ( $ekeeptime <= $enow ); + } + if ( $QAstatus =~ "QA failed" ) { + $ekeeptime=$efulldate + $eIF_TBX_KEEP; + #FIXME - compare to the previous failure by filtering and + #FIXME diffing the results.html files (first grep failed) + } + } + +} + +sub rm_tbx() +{ + +debug ("DELETING $tbx_dir... 
(@_[0]) "); +system("rm -rf $TBX_TESTDIR/$tbx_dir"); +#debug ("rm -rf $TBX_TESTDIR/$tbx_dir"); + +} + +sub msg +{ + my $i; + for ($i = 0; $i <= $#_ ; $i++ ) { + print "@_[$i] "; + } + print "\n"; + +} +sub error +{ + msg ("ERROR: " ,@_ ); +} + +sub warning +{ + msg ("WARNING:" ,@_ ); +} +sub debug +{ + if ( $verbose == 1 ) { + msg ("DEBUG: " ,@_ ); + } elsif ( $verbose == 2 ) { + msg (@_ ); + } +} + +check_tbx_dirs; diff --git a/security/nss/tests/cmdtests/cmdtests.sh b/security/nss/tests/cmdtests/cmdtests.sh new file mode 100644 index 000000000..cc925b213 --- /dev/null +++ b/security/nss/tests/cmdtests/cmdtests.sh 
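Review bot: `rm_tbx` deletes with `system("rm -rf $TBX_TESTDIR/$tbx_dir")`, interpolating a name read from `ls -r` of a shared build tree into a shell command string, so a directory whose name contains whitespace or shell metacharacters is split or interpreted by `/bin/sh` before `rm` ever sees it. The loop also never checks that an entry has the expected `host-YYYYMMDD-hh.mm` shape before the date substitutions and `timelocal` run on it, so an unexpected entry reaches the delete path with a mis-parsed date. Add `next unless $tbx_dir =~ /-20\d{6}-\d\d\.\d\d$/;` at the top of the loop and use the list form `system("rm", "-rf", "$TBX_TESTDIR/$tbx_dir");` so no shell is involved. The `else` branch of the status check is the "QA failed, older than `$ANY_TBX_KEEP_HOURS`" case, yet it logs `rm_tbx ("Passed 2+ hours old")`; the message should say something like `"Failed, $ANY_TBX_KEEP_HOURS + hours old"` so the log explains why a failed run was removed.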
@@ -0,0 +1,101 @@
+#! /bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+# Script to run small tests to test specific crashes of NSS
+#
+# needs to work on all Unix and Windows platforms
+#
+# included from
+# --------------
+# all.sh
+#
+# tests implemented:
+# vercrt (verify encryption cert - bugzilla bug 119059)
+# vercrtfps (verify encryption cert in fips mode - bugzilla bug 119214)
+# test3 (CERT_FindUserCertByUsage called 2nd time - bug 118864)
+#
+# special strings
+# ---------------
+#
+########################################################################
+
+############################## cmdtests_init ###########################
+# local shell function to initialize this script
+########################################################################
+cmdtests_init()
+{
+ SCRIPTNAME=cmdtests.sh # sourced - $0 would point to all.sh
+
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd ../common
+ . ./init.sh
+ fi
+ if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
+ cd ../cert
+ . ./cert.sh
+ fi
+ SCRIPTNAME=cmdtests.sh
+ html_head "Tests in cmd/tests"
+
+# grep "SUCCESS: cmd/tests passed" $CERT_LOG_FILE >/dev/null || {
+# Exit 15 "Fatal - cert.sh needs to pass first"
+# }
+
+ CMDTESTSDIR=${HOSTDIR}/cmd/tests
+ COPYDIR=${CMDTESTSDIR}/copydir
+
+ R_CMDTESTSDIR=../cmd/tests
+ R_COPYDIR=../cmd/tests/copydir
+ P_R_COPYDIR=${R_COPYDIR}
+
+ if [ -n "${MULTIACCESS_DBM}" ]; then
+ P_R_COPYDIR="multiaccess:Cmdtests.$version"
+ fi
+
+ mkdir -p ${CMDTESTSDIR}
+ mkdir -p ${COPYDIR}
+ mkdir -p ${CMDTESTSDIR}/html
+
+ cd ${CMDTESTSDIR}
+}
+
+############################## ct_vercrt ##################################
+# CERT_VerifyCert should not fail when verifying encryption cert
+# Bugzilla Bug 119059
+########################################################################
+#ct_vercrt()
+#{
+ # echo "$SCRIPTNAME: Verify encryption certificate ----------------------"
+ # echo "vercrt"
+ # vercrt
+ # ret=$?
+ # html_msg $ret 0 "Verify encryption certificate (vercrt)"
+#
+#}
+
+
+############################## cmdtests_cleanup ########################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+cmdtests_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+################## main #################################################
+
+cmdtests_init
+
+#ct_vercrt
+cmdtests_cleanup
diff --git a/security/nss/tests/common/Makefile b/security/nss/tests/common/Makefile
new file mode 100644
index 000000000..7faa677d2
--- /dev/null
+++ b/security/nss/tests/common/Makefile
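Review bot: With `ct_vercrt` commented out, `cmdtests_init` opens a results table via `html_head "Tests in cmd/tests"`, may source `cert.sh` to generate certificates when `$CERT_LOG_FILE` is missing, and `cmdtests_cleanup` closes the table with no rows in between, so the suite pays the full setup cost and reports nothing. Until the vercrt tests exist, either drop the script from the default test list or emit one explicit row, e.g. `html_msg 0 0 "cmdtests: no tests enabled (ct_vercrt disabled)"`, so the gap shows in the summary instead of being silent. Minor: `[ ! -r $CERT_LOG_FILE ]` should quote the expansion, and `[ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]` is equivalent to just the second test.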
@@ -0,0 +1,24 @@
+#! gmake
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+CORE_DEPTH = ../..
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+objdir_name:
+ @echo $(OBJDIR_NAME)
+
+os_arch:
+ @echo $(OS_ARCH)
+
+dll_prefix:
+ @echo $(DLL_PREFIX)
+
+dll_suffix:
+ @echo $(DLL_SUFFIX)
+
+freebl_lowhash:
+ @echo $(FREEBL_LOWHASH)
diff --git a/security/nss/tests/common/cleanup.sh b/security/nss/tests/common/cleanup.sh
new file mode 100755
index 000000000..40d8bc40f
--- /dev/null
+++ b/security/nss/tests/common/cleanup.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+if [ -z "${CLEANUP}" -o "${CLEANUP}" = "${SCRIPTNAME}" ]; then
+ echo
+ echo "SUMMARY:"
+ echo "========"
+ echo "NSS variables:"
+ echo "--------------"
+ echo "HOST=${HOST}"
+ echo "DOMSUF=${DOMSUF}"
+ echo "BUILD_OPT=${BUILD_OPT}"
+ if [ "${OS_ARCH}" = "Linux" ]; then
+ echo "USE_X32=${USE_X32}"
+ fi
+ echo "USE_64=${USE_64}"
+ echo "NSS_CYCLES=\"${NSS_CYCLES}\""
+ echo "NSS_TESTS=\"${NSS_TESTS}\""
+ echo "NSS_SSL_TESTS=\"${NSS_SSL_TESTS}\""
+ echo "NSS_SSL_RUN=\"${NSS_SSL_RUN}\""
+ echo "NSS_AIA_PATH=${NSS_AIA_PATH}"
+ echo "NSS_AIA_HTTP=${NSS_AIA_HTTP}"
+ echo "NSS_AIA_OCSP=${NSS_AIA_OCSP}"
+ echo "IOPR_HOSTADDR_LIST=${IOPR_HOSTADDR_LIST}"
+ echo "PKITS_DATA=${PKITS_DATA}"
+ echo
+ echo "Tests summary:"
+ echo "--------------"
+ LINES_CNT=$(cat ${RESULTS} | grep ">Passed<" | wc -l | sed s/\ *//)
+ echo "Passed: ${LINES_CNT}"
+ FAILED_CNT=$(cat ${RESULTS} | grep ">Failed<" | wc -l | sed s/\ *//)
+ echo "Failed: ${FAILED_CNT}"
+ CORE_CNT=$(cat ${RESULTS} | grep ">Failed Core<" | wc -l | sed s/\ *//)
+ echo "Failed with core: ${CORE_CNT}"
+ ASAN_CNT=$(cat $LOGFILE | grep "SUMMARY: AddressSanitizer" | wc -l | sed s/\ *//)
+ echo "ASan failures: ${ASAN_CNT}"
+ LINES_CNT=$(cat ${RESULTS} | grep ">Unknown<" | wc -l | sed s/\ *//)
+ echo "Unknown status: ${LINES_CNT}"
+ if [ ${LINES_CNT} -gt 0 ]; then
+ echo "TinderboxPrint:Unknown: ${LINES_CNT}"
+ fi
+ echo
+
+ html "END_OF_TEST<BR>"
+ html "</BODY></HTML>"
+ rm -f ${TEMPFILES} 2>/dev/null
+ if [ ${FAILED_CNT} -gt 0 ] || [ ${ASAN_CNT} -gt 0 ]; then
+ exit 1
+ fi
+
+fi
diff --git a/security/nss/tests/common/init.sh b/security/nss/tests/common/init.sh
new file mode 100644
index 000000000..3598e8223
--- /dev/null
+++ b/security/nss/tests/common/init.sh
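Review bot: The exit status ignores crashes: `CORE_CNT` counts `>Failed Core<` rows, which do not contain the `>Failed<` substring that `FAILED_CNT` greps for, so unless `html_msg` also writes a `>Failed<` cell for those rows (not visible here) a run whose only failures are core dumps exits 0 and a CI consumer sees green. The check should read `if [ ${FAILED_CNT} -gt 0 ] || [ ${CORE_CNT} -gt 0 ] || [ ${ASAN_CNT} -gt 0 ]; then`, and whether `>Unknown<` rows should fail the run as well, rather than only being printed for Tinderbox, deserves a comment either way. Style: each `cat ${RESULTS} | grep X | wc -l | sed s/\ *//` pipeline is `grep -c X "${RESULTS}"`, which also removes the need for the sed.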
@@ -0,0 +1,672 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/common/init.sh
+#
+# initialization for NSS QA, can be included multiple times
+# from all.sh and the individual scripts
+#
+# variables, utilities and shellfunctions global to NSS QA
+# needs to work on all Unix and Windows platforms
+#
+# included from
+# -------------
+# all.sh
+# ssl.sh
+# sdr.sh
+# cipher.sh
+# perf.sh
+# cert.sh
+# smime.sh
+# tools.sh
+# fips.sh
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+# NOTE:
+# -----
+# Unlike the old QA this is based on files sourcing each other
+# This is done to save time, since a great portion of time is lost
+# in calling and sourcing the same things multiple times over the
+# network. Also, this way all scripts have all shell function available
+# and a completely common environment
+#
+########################################################################
+
+NSS_STRICT_SHUTDOWN=1
+export NSS_STRICT_SHUTDOWN
+
+# Init directories based on HOSTDIR variable
+if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ init_directories()
+ {
+ TMP=${HOSTDIR} #TMP=${TMP-/tmp}
+ TEMP=${TMP}
+ TMPDIR=${TMP}
+
+ CADIR=${HOSTDIR}/CA
+ SERVERDIR=${HOSTDIR}/server
+ CLIENTDIR=${HOSTDIR}/client
+ ALICEDIR=${HOSTDIR}/alicedir
+ BOBDIR=${HOSTDIR}/bobdir
+ DAVEDIR=${HOSTDIR}/dave
+ EVEDIR=${HOSTDIR}/eve
+ FIPSDIR=${HOSTDIR}/fips
+ DBPASSDIR=${HOSTDIR}/dbpass
+ ECCURVES_DIR=${HOSTDIR}/eccurves
+ DISTRUSTDIR=${HOSTDIR}/distrust
+
+ SERVER_CADIR=${HOSTDIR}/serverCA
+ CLIENT_CADIR=${HOSTDIR}/clientCA
+ EXT_SERVERDIR=${HOSTDIR}/ext_server
+ EXT_CLIENTDIR=${HOSTDIR}/ext_client
+
+ IOPR_CADIR=${HOSTDIR}/CA_iopr
+ IOPR_SSL_SERVERDIR=${HOSTDIR}/server_ssl_iopr
+ IOPR_SSL_CLIENTDIR=${HOSTDIR}/client_ssl_iopr
+ IOPR_OCSP_CLIENTDIR=${HOSTDIR}/client_ocsp_iopr
+
+ CERT_EXTENSIONS_DIR=${HOSTDIR}/cert_extensions
+ STAPLINGDIR=${HOSTDIR}/stapling
+ SSLGTESTDIR=${HOSTDIR}/ssl_gtests
+ GTESTDIR=${HOSTDIR}/gtests
+
+ PWFILE=${HOSTDIR}/tests.pw
+ NOISE_FILE=${HOSTDIR}/tests_noise
+ CORELIST_FILE=${HOSTDIR}/clist
+
+ FIPSPWFILE=${HOSTDIR}/tests.fipspw
+ FIPSBADPWFILE=${HOSTDIR}/tests.fipsbadpw
+ FIPSP12PWFILE=${HOSTDIR}/tests.fipsp12pw
+
+ echo "fIps140" > ${FIPSPWFILE}
+ echo "fips104" > ${FIPSBADPWFILE}
+ echo "pKcs12fips140" > ${FIPSP12PWFILE}
+
+ noise
+
+ P_SERVER_CADIR=${SERVER_CADIR}
+ P_CLIENT_CADIR=${CLIENT_CADIR}
+
+ if [ -n "${MULTIACCESS_DBM}" ]; then
+ P_SERVER_CADIR="multiaccess:${D_SERVER_CA}"
+ P_CLIENT_CADIR="multiaccess:${D_CLIENT_CA}"
+ fi
+
+
+ # a new log file, short - fast to search, mostly for tools to
+ # see if their portion of the cert has succeeded, also for me -
+ CERT_LOG_FILE=${HOSTDIR}/cert.log #the output.log is so crowded...
+
+ TEMPFILES=foobar # keep "${PWFILE} ${NOISE_FILE}" around
+
+ export HOSTDIR
+ }
+
+# Generate noise file
+ noise()
+ {
+ # NOTE: these keys are only suitable for testing, as this whole thing
+ # bypasses the entropy gathering. Don't use this method to generate
+ # keys and certs for product use or deployment.
+ ps -efl > ${NOISE_FILE} 2>&1
+ ps aux >> ${NOISE_FILE} 2>&1
+ date >> ${NOISE_FILE} 2>&1
+ }
+
+# Print selected environment variable (used for backup)
+ env_backup()
+ {
+ echo "HOSTDIR=\"${HOSTDIR}\""
+ echo "TABLE_ARGS="
+ echo "NSS_TEST_DISABLE_CRL=${NSS_TEST_DISABLE_CRL}"
+ echo "NSS_SSL_TESTS=\"${NSS_SSL_TESTS}\""
+ echo "NSS_SSL_RUN=\"${NSS_SSL_RUN}\""
+ echo "NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE}"
+ echo "export NSS_DEFAULT_DB_TYPE"
+ echo "NSS_ENABLE_PKIX_VERIFY=${NSS_ENABLE_PKIX_VERIFY}"
+ echo "export NSS_ENABLE_PKIX_VERIFY"
+ echo "init_directories"
+ }
+
+# Exit shellfunction to clean up at exit (error, regular or signal)
+ Exit()
+ {
+ if [ -n "$1" ] ; then
+ echo "$SCRIPTNAME: Exit: $* - FAILED"
+ html_failed "$*"
+ fi
+ echo "</TABLE><BR>" >> ${RESULTS}
+ if [ -n "${SERVERPID}" -a -f "${SERVERPID}" ]; then
+ ${KILL} `cat ${SERVERPID}`
+ fi
+ cd ${QADIR}
+ . common/cleanup.sh
+ case $1 in
+ [0-4][0-9]|[0-9])
+ exit $1;
+ ;;
+ *)
+ exit 1
+ ;;
+ esac
+ }
+
+ detect_core()
+ {
+ [ ! -f $CORELIST_FILE ] && touch $CORELIST_FILE
+ mv $CORELIST_FILE ${CORELIST_FILE}.old
+ coreStr=`find $HOSTDIR -type f -name '*core*'`
+ res=0
+ if [ -n "$coreStr" ]; then
+ sum $coreStr > $CORELIST_FILE
+ res=`cat $CORELIST_FILE ${CORELIST_FILE}.old | sort | uniq -u | wc -l`
+ fi
+ return $res
+ }
+
+#html functions to give the resultfiles a consistant look
+ html() ######################### write the results.html file
+ { # 3 functions so we can put targets in the output.log easier
+ echo $* >>${RESULTS}
+ }
+ increase_msg_id()
+ {
+ MSG_ID=`cat ${MSG_ID_FILE}`
+ MSG_ID=`expr ${MSG_ID} + 1`
+ echo ${MSG_ID} > ${MSG_ID_FILE}
+ }
+ html_passed_ignore_core()
+ {
+ increase_msg_id
+ html "<TR><TD>#${MSG_ID}: $1 ${HTML_PASSED}"
+ echo "${SCRIPTNAME}: #${MSG_ID}: $* - PASSED"
+ }
+ html_passed()
+ {
+ html_detect_core "$@" || return
+ html_passed_ignore_core "$@"
+ }
+ html_failed_ignore_core()
+ {
+ increase_msg_id
+ html "<TR><TD>#${MSG_ID}: $1 ${HTML_FAILED}"
+ echo "${SCRIPTNAME}: #${MSG_ID}: $* - FAILED"
+ }
+ html_failed()
+ {
+ html_detect_core "$@" || return
+ html_failed_ignore_core "$@" || return
+ }
+ html_unknown_ignore_core()
+ {
+ increase_msg_id
+ html "<TR><TD>#${MSG_ID}: $1 ${HTML_UNKNOWN}"
+ echo "${SCRIPTNAME}: #${MSG_ID}: $* - UNKNOWN"
+ }
+ html_unknown()
+ {
+ html_detect_core "$@" || return
+ increase_msg_id
+ html "<TR><TD>#${MSG_ID}: $1 ${HTML_UNKNOWN}"
+ echo "${SCRIPTNAME}: #${MSG_ID}: $* - UNKNOWN"
+ }
+ html_detect_core()
+ {
+ detect_core
+ if [ $? -ne 0 ]; then
+ increase_msg_id
+ html "<TR><TD>#${MSG_ID}: $* ${HTML_FAILED_CORE}"
+ echo "${SCRIPTNAME}: #${MSG_ID}: $* - Core file is detected - FAILED"
+ return 1
+ fi
+ return 0
+ }
+ html_head()
+ {
+
+ html "<TABLE BORDER=1 ${TABLE_ARGS}><TR><TH COLSPAN=3>$*</TH></TR>"
+ html "<TR><TH width=500>Test Case</TH><TH width=50>Result</TH></TR>"
+ echo "$SCRIPTNAME: $* ==============================="
+ }
+ html_msg()
+ {
+ if [ $1 -ne $2 ] ; then
+ html_failed "$3" "$4"
+ else
+ html_passed "$3" "$4"
+ fi
+ }
+ HTML_FAILED='</TD><TD bgcolor=red>Failed</TD><TR>'
+ HTML_FAILED_CORE='</TD><TD bgcolor=red>Failed Core</TD><TR>'
+ HTML_PASSED='</TD><TD bgcolor=lightGreen>Passed</TD><TR>'
+ HTML_UNKNOWN='</TD><TD>Unknown</TD><TR>'
+ TABLE_ARGS=
+
+
+#directory name init
+ SCRIPTNAME=init.sh
+
+ mozilla_root=`(cd ../../..; pwd)`
+ MOZILLA_ROOT=${MOZILLA_ROOT-$mozilla_root}
+
+ qadir=`(cd ..; pwd)`
+ QADIR=${QADIR-$qadir}
+
+ common=${QADIR}/common
+ COMMON=${TEST_COMMON-$common}
+ export COMMON
+
+ DIST=${DIST-${MOZILLA_ROOT}/dist}
+ TESTDIR=${TESTDIR-${MOZILLA_ROOT}/tests_results/security}
+
+ # Allow for override options from a config file
+ if [ -n "${OBJDIR}" -a -f ${DIST}/${OBJDIR}/platform.cfg ]; then
+ . ${DIST}/${OBJDIR}/platform.cfg
+ fi
+
+ # only need make if we don't already have certain variables set
+ if [ -z "${OBJDIR}" -o -z "${OS_ARCH}" -o -z "${DLL_PREFIX}" -o -z "${DLL_SUFFIX}" ]; then
+ MAKE=gmake
+ $MAKE -v >/dev/null 2>&1 || MAKE=make
+ $MAKE -v >/dev/null 2>&1 || { echo "You are missing make."; exit 5; }
+ MAKE="$MAKE --no-print-directory"
+ fi
+
+ if [ "${OBJDIR}" = "" ]; then
+ if [ -f ${DIST}/latest ]; then
+ OBJDIR=$(cat ${DIST}/latest)
+ else
+ OBJDIR=`($MAKE -s -C $COMMON objdir_name)`
+ fi
+ fi
+ if [ "${OS_ARCH}" = "" ]; then
+ OS_ARCH=`(cd $COMMON; $MAKE os_arch)`
+ fi
+ if [ "${DLL_PREFIX}" = "" ]; then
+ DLL_PREFIX=`(cd $COMMON; $MAKE dll_prefix)`
+ fi
+ if [ "${DLL_SUFFIX}" = "" ]; then
+ DLL_SUFFIX=`(cd $COMMON; $MAKE dll_suffix)`
+ fi
+ OS_NAME=`uname -s | sed -e "s/-[0-9]*\.[0-9]*//" | sed -e "s/-WOW64//"`
+
+ BINDIR="${DIST}/${OBJDIR}/bin"
+
+ # Pathnames constructed from ${TESTDIR} are passed to NSS tools
+ # such as certutil, which don't understand Cygwin pathnames.
+ # So we need to convert ${TESTDIR} to a Windows pathname (with
+ # regular slashes).
+ if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+ TESTDIR=`cygpath -m ${TESTDIR}`
+ QADIR=`cygpath -m ${QADIR}`
+ fi
+
+ # Same problem with MSYS/Mingw, except we need to start over with pwd -W
+ if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "MINGW32_NT" ]; then
+ mingw_mozilla_root=`(cd ../../..; pwd -W)`
+ MINGW_MOZILLA_ROOT=${MINGW_MOZILLA_ROOT-$mingw_mozilla_root}
+ TESTDIR=${MINGW_TESTDIR-${MINGW_MOZILLA_ROOT}/tests_results/security}
+ fi
+
+ # Same problem with MSYS/Mingw, except we need to start over with pwd -W
+ if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "MINGW32_NT" ]; then
+ mingw_mozilla_root=`(cd ../../..; pwd -W)`
+ MINGW_MOZILLA_ROOT=${MINGW_MOZILLA_ROOT-$mingw_mozilla_root}
+ TESTDIR=${MINGW_TESTDIR-${MINGW_MOZILLA_ROOT}/tests_results/security}
+ fi
+ echo testdir is $TESTDIR
+
+#in case of backward comp. tests the calling scripts set the
+#PATH and LD_LIBRARY_PATH and do not want them to be changed
+ if [ -z "${DON_T_SET_PATHS}" -o "${DON_T_SET_PATHS}" != "TRUE" ] ; then
+ if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" != "CYGWIN_NT" -a "$OS_NAME" != "MINGW32_NT" ]; then
+ PATH=.\;${DIST}/${OBJDIR}/bin\;${DIST}/${OBJDIR}/lib\;$PATH
+ PATH=`perl ../path_uniq -d ';' "$PATH"`
+ elif [ "${OS_ARCH}" = "Android" ]; then
+ # android doesn't have perl, skip the uniq step
+ PATH=.:${DIST}/${OBJDIR}/bin:${DIST}/${OBJDIR}/lib:$PATH
+ else
+ PATH=.:${DIST}/${OBJDIR}/bin:${DIST}/${OBJDIR}/lib:/bin:/usr/bin:$PATH
+ # added /bin and /usr/bin in the beginning so a local perl will
+ # be used
+ PATH=`perl ../path_uniq -d ':' "$PATH"`
+ fi
+
+ LD_LIBRARY_PATH=${DIST}/${OBJDIR}/lib:$LD_LIBRARY_PATH
+ SHLIB_PATH=${DIST}/${OBJDIR}/lib:$SHLIB_PATH
+ LIBPATH=${DIST}/${OBJDIR}/lib:$LIBPATH
+ DYLD_LIBRARY_PATH=${DIST}/${OBJDIR}/lib:$DYLD_LIBRARY_PATH
+ fi
+
+ if [ ! -d "${TESTDIR}" ]; then
+ echo "$SCRIPTNAME init: Creating ${TESTDIR}"
+ mkdir -p ${TESTDIR}
+ fi
+
+#HOST and DOMSUF are needed for the server cert
+
+ DOMAINNAME=`which domainname`
+ if [ -z "${DOMSUF}" -a $? -eq 0 -a -n "${DOMAINNAME}" ]; then
+ DOMSUF=`domainname`
+ fi
+
+ case $HOST in
+ *\.*)
+ if [ -z "${DOMSUF}" ]; then
+ DOMSUF=`echo $HOST | sed -e "s/^[^.]*\.//"`
+ fi
+ HOST=`echo $HOST | sed -e "s/\..*//"`
+ ;;
+ ?*)
+ ;;
+ *)
+ HOST=`uname -n`
+ case $HOST in
+ *\.*)
+ if [ -z "${DOMSUF}" ]; then
+ DOMSUF=`echo $HOST | sed -e "s/^[^.]*\.//"`
+ fi
+ HOST=`echo $HOST | sed -e "s/\..*//"`
+ ;;
+ ?*)
+ ;;
+ *)
+ echo "$SCRIPTNAME: Fatal HOST environment variable is not defined."
+ exit 1 #does not need to be Exit, very early in script
+ ;;
+ esac
+ ;;
+ esac
+
+ if [ -z "${DOMSUF}" -a "${OS_ARCH}" != "Android" ]; then
+ echo "$SCRIPTNAME: Fatal DOMSUF env. variable is not defined."
+ exit 1 #does not need to be Exit, very early in script
+ fi
+
+#HOSTADDR was a workaround for the dist. stress test, and is probably
+#not needed anymore (purpose: be able to use IP address for the server
+#cert instead of PC name which was not in the DNS because of dyn IP address
+ if [ -z "$USE_IP" -o "$USE_IP" != "TRUE" ] ; then
+ if [ -z "${DOMSUF}" ]; then
+ HOSTADDR=${HOST}
+ else
+ HOSTADDR=${HOST}.${DOMSUF}
+ fi
+ else
+ HOSTADDR=${IP_ADDRESS}
+ fi
+
+#if running remote side of the distributed stress test we need to use
+#the files that the server side gives us...
+ if [ -n "$DO_REM_ST" -a "$DO_REM_ST" = "TRUE" ] ; then
+ for w in `ls -rtd ${TESTDIR}/${HOST}.[0-9]* 2>/dev/null |
+ sed -e "s/.*${HOST}.//"` ; do
+ version=$w
+ done
+ HOSTDIR=${TESTDIR}/${HOST}.$version
+ echo "$SCRIPTNAME init: HOSTDIR $HOSTDIR"
+ echo $HOSTDIR
+ if [ ! -d $HOSTDIR ] ; then
+ echo "$SCRIPTNAME: Fatal: Remote side of dist. stress test "
+ echo " - server HOSTDIR $HOSTDIR does not exist"
+ exit 1 #does not need to be Exit, very early in script
+ fi
+ fi
+
+#find the HOSTDIR, where the results are supposed to go
+ if [ -n "${HOSTDIR}" ]; then
+ version=`echo $HOSTDIR | sed -e "s/.*${HOST}.//"`
+ else
+ if [ -f "${TESTDIR}/${HOST}" ]; then
+ version=`cat ${TESTDIR}/${HOST}`
+ else
+ version=1
+ fi
+#file has a tendency to disappear, messing up the rest of QA -
+#workaround to find the next higher number if version file is not there
+ if [ -z "${version}" ]; then # for some strange reason this file
+ # gets truncated at times... Windos
+ for w in `ls -d ${TESTDIR}/${HOST}.[0-9]* 2>/dev/null |
+ sort -t '.' -n | sed -e "s/.*${HOST}.//"` ; do
+ version=`expr $w + 1`
+ done
+ if [ -z "${version}" ]; then
+ version=1
+ fi
+ fi
+ expr $version + 1 > ${TESTDIR}/${HOST}
+
+ HOSTDIR=${TESTDIR}/${HOST}'.'$version
+
+ mkdir -p ${HOSTDIR}
+ fi
+
+#result and log file and filename init,
+ if [ -z "${LOGFILE}" ]; then
+ LOGFILE=${HOSTDIR}/output.log
+ fi
+ if [ ! -f "${LOGFILE}" ]; then
+ touch ${LOGFILE}
+ fi
+ if [ -z "${RESULTS}" ]; then
+ RESULTS=${HOSTDIR}/results.html
+ fi
+ if [ ! -f "${RESULTS}" ]; then
+ cp ${COMMON}/results_header.html ${RESULTS}
+ html "<H4>Platform: ${OBJDIR}<BR>"
+ html "Test Run: ${HOST}.$version</H4>"
+ html "${BC_ACTION}"
+ html "<HR><BR>"
+ html "<HTML><BODY>"
+
+ echo "********************************************" | tee -a ${LOGFILE}
+ echo " Platform: ${OBJDIR}" | tee -a ${LOGFILE}
+ echo " Results: ${HOST}.$version" | tee -a ${LOGFILE}
+ echo "********************************************" | tee -a ${LOGFILE}
+ echo "$BC_ACTION" | tee -a ${LOGFILE}
+#if running remote side of the distributed stress test
+# let the user know who it is...
+ elif [ -n "$DO_REM_ST" -a "$DO_REM_ST" = "TRUE" ] ; then
+ echo "********************************************" | tee -a ${LOGFILE}
+ echo " Platform: ${OBJDIR}" | tee -a ${LOGFILE}
+ echo " Results: ${HOST}.$version" | tee -a ${LOGFILE}
+ echo " remote side of distributed stress test " | tee -a ${LOGFILE}
+ echo " `uname -n -s`" | tee -a ${LOGFILE}
+ echo "********************************************" | tee -a ${LOGFILE}
+ fi
+
+ echo "$SCRIPTNAME init: Testing PATH $PATH against LIB $LD_LIBRARY_PATH" |\
+ tee -a ${LOGFILE}
+
+ KILL="kill"
+
+ if [ `uname -s` = "SunOS" ]; then
+ PS="/usr/5bin/ps"
+ else
+ PS="ps"
+ fi
+#found 3 rsh's so far that do not work as expected - cygnus mks6
+#(restricted sh) and mks 7 - if it is not in c:/winnt/system32 it
+#needs to be set in the environ.ksh
+ if [ -z "$RSH" ]; then
+ if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+ RSH=/cygdrive/c/winnt/system32/rsh
+ elif [ "${OS_ARCH}" = "WINNT" ]; then
+ RSH=c:/winnt/system32/rsh
+ else
+ RSH=rsh
+ fi
+ fi
+
+
+#more filename and directoryname init
+ CURDIR=`pwd`
+
+ CU_ACTION='Unknown certutil action'
+
+ # would like to preserve some tmp files, also easier to see if there
+ # are "leftovers" - another possibility ${HOSTDIR}/tmp
+
+ init_directories
+
+ FIPSCERTNICK="FIPS_PUB_140_Test_Certificate"
+
+ # domains to handle ipc based access to databases
+ D_CA="TestCA.$version"
+ D_ALICE="Alice.$version"
+ D_BOB="Bob.$version"
+ D_DAVE="Dave.$version"
+ D_EVE="Eve.$version"
+ D_SERVER_CA="ServerCA.$version"
+ D_CLIENT_CA="ClientCA.$version"
+ D_SERVER="Server.$version"
+ D_CLIENT="Client.$version"
+ D_FIPS="FIPS.$version"
+ D_DBPASS="DBPASS.$version"
+ D_ECCURVES="ECCURVES.$version"
+ D_EXT_SERVER="ExtendedServer.$version"
+ D_EXT_CLIENT="ExtendedClient.$version"
+ D_CERT_EXTENSTIONS="CertExtensions.$version"
+ D_DISTRUST="Distrust.$version"
+
+ # we need relative pathnames of these files abd directories, since our
+ # tools can't handle the unix style absolut pathnames on cygnus
+
+ R_CADIR=../CA
+ R_SERVERDIR=../server
+ R_CLIENTDIR=../client
+ R_IOPR_CADIR=../CA_iopr
+ R_IOPR_SSL_SERVERDIR=../server_ssl_iopr
+ R_IOPR_SSL_CLIENTDIR=../client_ssl_iopr
+ R_IOPR_OCSP_CLIENTDIR=../client_ocsp_iopr
+ R_ALICEDIR=../alicedir
+ R_BOBDIR=../bobdir
+ R_DAVEDIR=../dave
+ R_EVEDIR=../eve
+ R_EXT_SERVERDIR=../ext_server
+ R_EXT_CLIENTDIR=../ext_client
+ R_CERT_EXT=../cert_extensions
+ R_STAPLINGDIR=../stapling
+ R_SSLGTESTDIR=../ssl_gtests
+ R_GTESTDIR=../gtests
+
+ #
+ # profiles are either paths or domains depending on the setting of
+ # MULTIACCESS_DBM
+ #
+ P_R_CADIR=${R_CADIR}
+ P_R_ALICEDIR=${R_ALICEDIR}
+ P_R_BOBDIR=${R_BOBDIR}
+ P_R_DAVEDIR=${R_DAVEDIR}
+ P_R_EVEDIR=${R_EVEDIR}
+ P_R_SERVERDIR=${R_SERVERDIR}
+ P_R_CLIENTDIR=${R_CLIENTDIR}
+ P_R_EXT_SERVERDIR=${R_EXT_SERVERDIR}
+ P_R_EXT_CLIENTDIR=${R_EXT_CLIENTDIR}
+ if [ -n "${MULTIACCESS_DBM}" ]; then
+ P_R_CADIR="multiaccess:${D_CA}"
+ P_R_ALICEDIR="multiaccess:${D_ALICE}"
+ P_R_BOBDIR="multiaccess:${D_BOB}"
+ P_R_DAVEDIR="multiaccess:${D_DAVE}"
+ P_R_EVEDIR="multiaccess:${D_EVE}"
+ P_R_SERVERDIR="multiaccess:${D_SERVER}"
+ P_R_CLIENTDIR="multiaccess:${D_CLIENT}"
+ P_R_EXT_SERVERDIR="multiaccess:${D_EXT_SERVER}"
+ P_R_EXT_CLIENTDIR="multiaccess:${D_EXT_CLIENT}"
+ fi
+
+ R_PWFILE=../tests.pw
+ R_NOISE_FILE=../tests_noise
+
+ R_FIPSPWFILE=../tests.fipspw
+ R_FIPSBADPWFILE=../tests.fipsbadpw
+ R_FIPSP12PWFILE=../tests.fipsp12pw
+
+ trap "Exit $0 Signal_caught" 2 3
+
+ export PATH LD_LIBRARY_PATH SHLIB_PATH LIBPATH DYLD_LIBRARY_PATH
+ export DOMSUF HOSTADDR
+ export KILL PS
+ export MOZILLA_ROOT DIST TESTDIR OBJDIR QADIR
+ export LOGFILE SCRIPTNAME
+
+#used for the distributed stress test, the server generates certificates
+#from GLOB_MIN_CERT to GLOB_MAX_CERT
+# NOTE - this variable actually gets initialized by directly by the
+# ssl_dist_stress.shs sl_ds_init() before init is called - need to change
+# in both places. speaking of data encapsulatioN...
+
+ if [ -z "$GLOB_MIN_CERT" ] ; then
+ GLOB_MIN_CERT=0
+ fi
+ if [ -z "$GLOB_MAX_CERT" ] ; then
+ GLOB_MAX_CERT=200
+ fi
+ if [ -z "$MIN_CERT" ] ; then
+ MIN_CERT=$GLOB_MIN_CERT
+ fi
+ if [ -z "$MAX_CERT" ] ; then
+ MAX_CERT=$GLOB_MAX_CERT
+ fi
+
+ #################################################
+ # CRL SSL testing constatnts
+ #
+
+
+ CRL_GRP_1_BEGIN=40
+ CRL_GRP_1_RANGE=3
+ UNREVOKED_CERT_GRP_1=41
+
+ CRL_GRP_2_BEGIN=43
+ CRL_GRP_2_RANGE=6
+ UNREVOKED_CERT_GRP_2=46
+
+ CRL_GRP_3_BEGIN=49
+ CRL_GRP_3_RANGE=4
+ UNREVOKED_CERT_GRP_3=51
+
+ TOTAL_CRL_RANGE=`expr ${CRL_GRP_1_RANGE} + ${CRL_GRP_2_RANGE} + \
+ ${CRL_GRP_3_RANGE}`
+
+ TOTAL_GRP_NUM=3
+
+ RELOAD_CRL=1
+
+ NSS_DEFAULT_DB_TYPE="dbm"
+ export NSS_DEFAULT_DB_TYPE
+
+ MSG_ID_FILE="${HOSTDIR}/id"
+ MSG_ID=0
+ echo ${MSG_ID} > ${MSG_ID_FILE}
+
+ #################################################
+ # Interoperability testing constatnts
+ #
+ # if suite is setup for testing, IOPR_HOSTADDR_LIST should have
+ # at least one host name(FQDN)
+ # Example IOPR_HOSTADDR_LIST="goa1.SFBay.Sun.COM"
+
+ if [ -z "`echo ${IOPR_HOSTADDR_LIST} | grep '[A-Za-z]'`" ]; then
+ IOPR=0
+ else
+ IOPR=1
+ fi
+ #################################################
+
+ if [ "${OS_ARCH}" != "WINNT" -a "${OS_ARCH}" != "Android" ]; then
+ ulimit -c unlimited
+ fi
+
+ SCRIPTNAME=$0
+ INIT_SOURCED=TRUE #whatever one does - NEVER export this one please
+fi
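Review bot: The MSYS/Mingw block (`# Same problem with MSYS/Mingw ...` followed by `if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "MINGW32_NT" ]; then` and the `pwd -W` recomputation) is present twice, back to back and verbatim; the second copy only reassigns the same three variables and should be dropped. Every PATH variant that follows puts `.` first, so any executable left in the current test directory shadows the system tool of the same name (the `perl ../path_uniq` call on the next line already resolves through it); if that is intended so the freshly built tools win, a comment on the assignment saying so would keep the next reader from removing it. `html()` writes `echo $* >>${RESULTS}` unquoted, so a test name containing a glob character is expanded by the shell before it reaches the result file; `echo "$*" >>"${RESULTS}"` records the text as given.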
diff --git a/security/nss/tests/common/parsegtestreport.sed b/security/nss/tests/common/parsegtestreport.sed
new file mode 100644
index 000000000..d7c6ddada
--- /dev/null
+++ b/security/nss/tests/common/parsegtestreport.sed
@@ -0,0 +1,8 @@
+/\<testcase/{
+ s/^.* name="\([^"]*\)" value_param="\([^"]*\)" status="\([^"]*\)" time="[^"]*" classname="\([^"]*\)".*$/\3 '\4: \1 \2'/
+ t end
+ s/^.* name="\([^"]*\)" status="\([^"]*\)" time="[^"]*" classname="\([^"]*\)".*$/\2 '\3: \1'/
+ t end
+}
+d
+: end
diff --git a/security/nss/tests/common/results_header.html b/security/nss/tests/common/results_header.html
new file mode 100644
index 000000000..c09685b11
--- /dev/null
+++ b/security/nss/tests/common/results_header.html
@@ -0,0 +1,6 @@
+<HTML>
+<HEAD>
+<TITLE>Test Report for NSS</TITLE>
+</HEAD>
+<BODY BGCOLOR="#FFFFFF">
+<CENTER><H3>Test Report for NSS</H3></CENTER>
diff --git a/security/nss/tests/core_watch b/security/nss/tests/core_watch
new file mode 100755
index 000000000..a627983a3
--- /dev/null
+++ b/security/nss/tests/core_watch
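Review bot: Both substitutions inside the `/\<testcase/{ ... }` block match only when the attributes appear in the exact order name, value_param, status, time, classname; a testcase element written with any other attribute order or with an additional attribute matches neither `s` command, falls through to `d`, and is silently dropped from the report, so a missing or failed test would simply not appear rather than show as a failure. A header comment stating that dependency, e.g. `# expects gtest XML <testcase> attributes in the order name[, value_param], status, time, classname; any other line is deleted below`, would make the failure mode visible to whoever changes the gtest invocation. The file also has no comment describing its output format (`status 'classname: name[ value_param]'` per line), which the caller needs to parse it.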
@@ -0,0 +1,45 @@
+#############################################################
+# script to watch for cores during QA runs, so they won't overwrite one
+# another
+# Not activated for efficiency reasons, and problems on MKS, us
+# only when needed and remember to remove afterwards
+#############################################################
+
+#############################################################
+# to activate put the following into all.sh (after the HOSTDIR
+# has been exported
+#############################################################
+# sh `dirname $0`/core_watch $HOSTDIR ${HOSTDIR} &
+# CORE_WATCH_PID=$!
+# if [ -n "${KILLPIDS}" ]
+# then
+# echo $CORE_WATCH_PID >>"${KILLPIDS}"
+# fi
+#############################################################
+
+#############################################################
+# or put the following into nssqa to watch the whole RESULTDIR
+# start it shortly before run_all
+#
+# NOTE: the more efficient way is above, this is potentially going
+# thru 1000ds of files every 30 seconds
+#############################################################
+# sh `dirname $0`/core_watch $RESULTDIR &
+# echo $! >>"${KILLPIDS}" #so Exit() can hopefully kill the core_watch
+#############################################################
+
+# in both cases remember to kill the process when done, since
+# the PIDs that end up in ${KILLPIDS} might not work for all OS
+# something like "kill_by_name core_watch
+
+echo $$ >>"${KILLPIDS}" #so Exit() can hopefully kill this shell
+while [ 1 ]
+do
+ for w in `find $1 -name "core" -print`
+ do
+ echo "Found core $w"
+ mv $w $w.`date +%H%M%S`
+ done
+ sleep 30
+done
+
diff --git a/security/nss/tests/crmf/crmf.sh b/security/nss/tests/crmf/crmf.sh
new file mode 100644
index 000000000..6059c1991
--- /dev/null
+++ b/security/nss/tests/crmf/crmf.sh
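Review bot: The `for w in \`find $1 -name "core" -print\`` loop word-splits find's output, so a core file under a path containing whitespace (or a `$1` with one) reaches the `mv $w $w.\`date +%H%M%S\`` line as several arguments and the rename either fails or hits the wrong name; `find "$1" -name core -exec sh -c 'echo "Found core $1"; mv -- "$1" "$1.$(date +%H%M%S)"' _ {} \;` does the same work without the loop. `echo $$ >>"${KILLPIDS}"` runs unconditionally, whereas the activation snippet in the header guards the same append with `if [ -n "${KILLPIDS}" ]`; when KILLPIDS is unset the redirection to an empty name fails and, under most shells, the watcher keeps running without ever having registered its PID, so the guard belongs here too: `[ -n "${KILLPIDS}" ] && echo $$ >>"${KILLPIDS}"`. The file has no shebang and relies on being started as `sh ...core_watch` as the header shows; a first-line `#!/bin/sh` would make that explicit.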
@@ -0,0 +1,89 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/crmf/crmf.sh
+#
+# Script to test NSS crmf library (a static library)
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## smime_init ##############################
+# local shell function to initialize this script
+########################################################################
+crmf_init()
+{
+ SCRIPTNAME=crmf.sh # sourced - $0 would point to all.sh
+
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd ../common
+ . ./init.sh
+ fi
+ if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
+ cd ../cert
+ . ./cert.sh
+ fi
+ html_head "CRMF/CMMF Tests"
+
+ # cmrf uses the S/MIME certs to test with
+ grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
+ Exit 11 "Fatal - S/MIME of cert.sh needs to pass first"
+ }
+
+ CRMFDIR=${HOSTDIR}/crmf
+ R_CRMFDIR=../crmf
+ mkdir -p ${CRMFDIR}
+ cd ${CRMFDIR}
+}
+
+############################## crmf_main ##############################
+# local shell function to test basic CRMF request and CMMF responses
+# from 1 --> 2"
+########################################################################
+crmf_main()
+{
+ echo "$SCRIPTNAME: CRMF/CMMF Tests ------------------------------"
+ echo "crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss crmf decode"
+ ${BINDIR}/crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss crmf decode
+ html_msg $? 0 "CRMF test" "."
+
+ echo "crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss cmmf"
+ ${BINDIR}/crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss cmmf
+ html_msg $? 0 "CMMF test" "."
+
+# Add tests for key recovery and challange as crmftest's capabilities increase
+
+}
+
+############################## crmf_cleanup ###########################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+crmf_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+################## main #################################################
+
+crmf_init
+crmf_main
+crmf_cleanup
+
diff --git a/security/nss/tests/dbtests/dbtests.sh b/security/nss/tests/dbtests/dbtests.sh
new file mode 100755
index 000000000..7b1ee351f
--- /dev/null
+++ b/security/nss/tests/dbtests/dbtests.sh
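Review bot: `cd ${CRMFDIR}` at the end of crmf_init is unchecked, so if the preceding `mkdir -p ${CRMFDIR}` fails the two crmftest invocations in crmf_main run in whatever directory the script is in at that point (presumably ../common or ../cert after the sourcing above) and the relative `${P_R_BOBDIR}` no longer points at Bob's database; `cd "${CRMFDIR}" || Exit 11 "Fatal - cannot cd to ${CRMFDIR}"` uses the same failure path the S/MIME precondition already takes. The banner above crmf_init still reads `############################## smime_init ##############################`, a copy-paste leftover that should name crmf_init. The closing line of crmf_main, `# Add tests for key recovery and challange as crmftest's capabilities increase`, is a TODO and is easier to find as `# TODO: add tests for key recovery and challenge ...`.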
@@ -0,0 +1,262 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/dbtest/dbtest.sh
+#
+# Certificate generating and handeling for NSS QA, can be included
+# multiple times from all.sh and the individual scripts
+#
+# needs to work on all Unix and Windows platforms
+#
+# included from (don't expect this to be up to date)
+# --------------------------------------------------
+# all.sh
+# ssl.sh
+# smime.sh
+# tools.sh
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+# FIXME - Netscape - NSS
+########################################################################
+
+############################## dbtest_init ###############################
+# local shell function to initialize this script
+########################################################################
+dbtest_init()
+{
+ SCRIPTNAME="dbtests.sh"
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+ if [ -z "${INIT_SOURCED}" ] ; then
+ cd ../common
+ . ./init.sh
+ fi
+ if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
+ cd ../cert
+ . ./cert.sh
+ fi
+
+ SCRIPTNAME="dbtests.sh"
+ RONLY_DIR=${HOSTDIR}/ronlydir
+ EMPTY_DIR=${HOSTDIR}/emptydir
+ CONFLICT_DIR=${HOSTDIR}/conflictdir
+
+ html_head "CERT and Key DB Tests"
+
+}
+
+############################## dbtest_cleanup ############################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+dbtest_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ chmod a+rw $RONLY_DIR
+ . common/cleanup.sh
+}
+
+Echo()
+{
+ echo
+ echo "---------------------------------------------------------------"
+ echo "| $*"
+ echo "---------------------------------------------------------------"
+}
+dbtest_main()
+{
+ cd ${HOSTDIR}
+
+
+ Echo "test opening the database read/write in a nonexisting directory"
+ ${BINDIR}/certutil -L -X -d ./non_existent_dir
+ ret=$?
+ if [ $ret -ne 255 ]; then
+ html_failed "Certutil succeeded in a nonexisting directory $ret"
+ else
+ html_passed "Certutil didn't work in a nonexisting dir $ret"
+ fi
+ ${BINDIR}/dbtest -r -d ./non_existent_dir
+ ret=$?
+ if [ $ret -ne 46 ]; then
+ html_failed "Dbtest readonly succeeded in a nonexisting directory $ret"
+ else
+ html_passed "Dbtest readonly didn't work in a nonexisting dir $ret"
+ fi
+
+ Echo "test force opening the database in a nonexisting directory"
+ ${BINDIR}/dbtest -f -d ./non_existent_dir
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "Dbtest force failed in a nonexisting directory $ret"
+ else
+ html_passed "Dbtest force succeeded in a nonexisting dir $ret"
+ fi
+
+ Echo "test opening the database readonly in an empty directory"
+ mkdir $EMPTY_DIR
+ ${BINDIR}/tstclnt -h ${HOST} -d $EMPTY_DIR
+ ret=$?
+ if [ $ret -ne 1 ]; then
+ html_failed "Tstclnt succeded in an empty directory $ret"
+ else
+ html_passed "Tstclnt didn't work in an empty dir $ret"
+ fi
+ ${BINDIR}/dbtest -r -d $EMPTY_DIR
+ ret=$?
+ if [ $ret -ne 46 ]; then
+ html_failed "Dbtest readonly succeeded in an empty directory $ret"
+ else
+ html_passed "Dbtest readonly didn't work in an empty dir $ret"
+ fi
+ rm -rf $EMPTY_DIR/* 2>/dev/null
+ ${BINDIR}/dbtest -i -d $EMPTY_DIR
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "Dbtest logout after empty DB Init loses key $ret"
+ else
+ html_passed "Dbtest logout after empty DB Init has key"
+ fi
+ rm -rf $EMPTY_DIR/* 2>/dev/null
+ ${BINDIR}/dbtest -i -p pass -d $EMPTY_DIR
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "Dbtest password DB Init loses needlogin state $ret"
+ else
+ html_passed "Dbtest password DB Init maintains needlogin state"
+ fi
+ rm -rf $EMPTY_DIR/* 2>/dev/null
+ ${BINDIR}/certutil -D -n xxxx -d $EMPTY_DIR #created DB
+ ret=$?
+ if [ $ret -ne 255 ]; then
+ html_failed "Certutil succeeded in deleting a cert in an empty directory $ret"
+ else
+ html_passed "Certutil didn't work in an empty dir $ret"
+ fi
+ rm -rf $EMPTY_DIR/* 2>/dev/null
+ Echo "test force opening the database readonly in a empty directory"
+ ${BINDIR}/dbtest -r -f -d $EMPTY_DIR
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "Dbtest force readonly failed in an empty directory $ret"
+ else
+ html_passed "Dbtest force readonly succeeded in an empty dir $ret"
+ fi
+
+ Echo "test opening the database r/w in a readonly directory"
+ mkdir $RONLY_DIR
+ cp -r ${CLIENTDIR}/* $RONLY_DIR
+ chmod -w $RONLY_DIR $RONLY_DIR/*
+
+ # On Mac OS X 10.1, if we do a "chmod -w" on files in an
+ # NFS-mounted directory, it takes several seconds for the
+ # first open to see the files are readonly, but subsequent
+ # opens immediately see the files are readonly. As a
+ # workaround we open the files once first. (Bug 185074)
+ if [ "${OS_ARCH}" = "Darwin" ]; then
+ cat $RONLY_DIR/* > /dev/null
+ fi
+
+ # skipping the next two tests when user is root,
+ # otherwise they would fail due to rooty powers
+ if [ $UID -ne 0 ]; then
+ ${BINDIR}/dbtest -d $RONLY_DIR
+ ret=$?
+ if [ $ret -ne 46 ]; then
+ html_failed "Dbtest r/w succeeded in a readonly directory $ret"
+ else
+ html_passed "Dbtest r/w didn't work in an readonly dir $ret"
+ fi
+ else
+ html_passed "Skipping Dbtest r/w in a readonly dir because user is root"
+ fi
+ if [ $UID -ne 0 ]; then
+ ${BINDIR}/certutil -D -n "TestUser" -d .
+ ret=$?
+ if [ $ret -ne 255 ]; then
+ html_failed "Certutil succeeded in deleting a cert in a readonly directory $ret"
+ else
+ html_passed "Certutil didn't work in an readonly dir $ret"
+ fi
+ else
+ html_passed "Skipping Certutil delete cert in a readonly directory test because user is root"
+ fi
+
+ Echo "test opening the database ronly in a readonly directory"
+
+ ${BINDIR}/dbtest -d $RONLY_DIR -r
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "Dbtest readonly failed in a readonly directory $ret"
+ else
+ html_passed "Dbtest readonly succeeded in a readonly dir $ret"
+ fi
+
+ Echo "test force opening the database r/w in a readonly directory"
+ ${BINDIR}/dbtest -d $RONLY_DIR -f
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "Dbtest force failed in a readonly directory $ret"
+ else
+ html_passed "Dbtest force succeeded in a readonly dir $ret"
+ fi
+
+ Echo "ls -l $RONLY_DIR"
+ ls -ld $RONLY_DIR $RONLY_DIR/*
+
+ mkdir ${CONFLICT_DIR}
+ Echo "test creating a new cert with a conflicting nickname"
+ cd ${CONFLICT_DIR}
+ pwd
+ ${BINDIR}/certutil -N -d ${CONFLICT_DIR} -f ${R_PWFILE}
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "Nicknane conflict test failed, couldn't create database $ret"
+ else
+ ${BINDIR}/certutil -A -n alice -t ,, -i ${R_ALICEDIR}/Alice.cert -d ${CONFLICT_DIR}
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "Nicknane conflict test failed, couldn't import alice cert $ret"
+ else
+ ${BINDIR}/certutil -A -n alice -t ,, -i ${R_BOBDIR}/Bob.cert -d ${CONFLICT_DIR}
+ ret=$?
+ if [ $ret -eq 0 ]; then
+ html_failed "Nicknane conflict test failed, could import conflict nickname $ret"
+ else
+ html_passed "Nicknane conflict test, could not import conflict nickname $ret"
+ fi
+ fi
+ fi
+
+ Echo "test importing an old cert to a conflicting nickname"
+ # first, import the certificate
+ ${BINDIR}/certutil -A -n bob -t ,, -i ${R_BOBDIR}/Bob.cert -d ${CONFLICT_DIR}
+ # now import with a different nickname
+ ${BINDIR}/certutil -A -n alice -t ,, -i ${R_BOBDIR}/Bob.cert -d ${CONFLICT_DIR}
+ # the old one should still be there...
+ ${BINDIR}/certutil -L -n bob -d ${CONFLICT_DIR}
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "Nicknane conflict test-setting nickname conflict incorrectly worked"
+ else
+ html_passed "Nicknane conflict test-setting nickname conflict was correctly rejected"
+ fi
+
+}
+
+################## main #################################################
+
+dbtest_init
+dbtest_main 2>&1
+dbtest_cleanup
diff --git a/security/nss/tests/dbupgrade/dbupgrade.sh b/security/nss/tests/dbupgrade/dbupgrade.sh
new file mode 100755
index 000000000..0302e6143
--- /dev/null
+++ b/security/nss/tests/dbupgrade/dbupgrade.sh
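Review bot: In the "readonly directory" section the certutil delete test runs `${BINDIR}/certutil -D -n "TestUser" -d .` while the working directory is still ${HOSTDIR} (set at the top of dbtest_main), not $RONLY_DIR, so the 255 it expects presumably comes from there being no database at that path rather than from the directory being unwritable, and certutil's behaviour on a write-protected database is never exercised; the neighbouring dbtest calls use `-d $RONLY_DIR`, and this one should too. The two root-user skips record themselves through `html_passed "Skipping ..."`, so a run as root reports two passes for tests that did not execute; html_unknown is defined in init.sh for exactly that case and keeps the summary counts honest. The file header still names `mozilla/security/nss/tests/dbtest/dbtest.sh` and describes the script as "Certificate generating and handeling", neither of which matches dbtests/dbtests.sh or what dbtest_main does.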
@@ -0,0 +1,106 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/dbupgrade/dbupgrade.sh +# +# Script to upgrade databases to Shared DB +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +######################################################################## + +############################ dbupgrade_init ############################ +# local shell function to initialize this script +######################################################################## +dbupgrade_init() +{ + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ${QADIR}/common + . ./init.sh + fi + + if [ ! -r "${CERT_LOG_FILE}" ]; then # we need certificates here + cd ${QADIR}/cert + . ./cert.sh + fi + + if [ ! -d ${HOSTDIR}/SDR ]; then # we also need sdr as well + cd ${QADIR}/sdr + . 
./sdr.sh + fi + + SCRIPTNAME=dbupgrade.sh + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + + echo "$SCRIPTNAME: DB upgrade tests ===============================" +} + +############################ dbupgrade_main ############################ +# local shell function to upgrade certificate databases +######################################################################## +dbupgrade_main() +{ + # 'reset' the databases to initial values + echo "Reset databases to their initial values:" + cd ${HOSTDIR} + ${BINDIR}/certutil -D -n objsigner -d alicedir 2>&1 + ${BINDIR}/certutil -M -n FIPS_PUB_140_Test_Certificate -t "C,C,C" -d fips -f ${FIPSPWFILE} 2>&1 + ${BINDIR}/certutil -L -d fips 2>&1 + rm -f smime/alicehello.env + + # test upgrade to the new database + echo "nss" > ${PWFILE} + html_head "Legacy to shared Library update" + dirs="alicedir bobdir CA cert_extensions client clientCA dave eccurves eve ext_client ext_server SDR server serverCA ssl_gtests stapling tools/copydir" + for i in $dirs + do + echo $i + if [ -d $i ]; then + echo "upgrading db $i" + ${BINDIR}/certutil -G -g 512 -d sql:$i -f ${PWFILE} -z ${NOISE_FILE} 2>&1 + html_msg $? 0 "Upgrading $i" + else + echo "skipping db $i" + html_msg 0 0 "No directory $i" + fi + done + + if [ -d fips ]; then + echo "upgrading db fips" + ${BINDIR}/certutil -S -g 1024 -n tmprsa -t "u,u,u" -s "CN=tmprsa, C=US" -x -d sql:fips -f ${FIPSPWFILE} -z ${NOISE_FILE} 2>&1 + html_msg $? 
0 "Upgrading fips" + # remove our temp certificate we created in the fist token + ${BINDIR}/certutil -F -n tmprsa -d sql:fips -f ${FIPSPWFILE} 2>&1 + ${BINDIR}/certutil -L -d sql:fips 2>&1 + fi + + html "</TABLE><BR>" +} + +########################## dbupgrade_cleanup ########################### +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +dbupgrade_cleanup() +{ + cd ${QADIR} + . common/cleanup.sh +} + +################################# main ################################# + +dbupgrade_init +dbupgrade_main +dbupgrade_cleanup diff --git a/security/nss/tests/dll_version.sh b/security/nss/tests/dll_version.sh new file mode 100755 index 000000000..79a128585 --- /dev/null +++ b/security/nss/tests/dll_version.sh 
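Review bot: In dbupgrade_main the non-FIPS loop forces the legacy-to-sql conversion with `certutil -G -g 512`, which leaves an unused 512-bit RSA key in every upgraded database, whereas the fips branch a few lines below creates a 1024-bit temporary cert and removes it again with `certutil -F -n tmprsa`. If the keygen is only a trigger for the upgrade, say so with a comment such as `# -G is only used to force the legacy->sql upgrade; the 512-bit key is never used`, or delete the key afterwards the way the fips branch does. The reset step at the top of the function also overwrites `${PWFILE}` with the literal `nss` unconditionally, which appears to assume the value init.sh chose; a one-line comment stating that dependency would spare the next reader a search.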
@@ -0,0 +1,50 @@ +#!/bin/sh + +# version controll for DLLs +# ToDo: make version parameter or find version from first occurance of 3.x +# make the 3 a variable..., include the header + +#OS=`uname -s` +#DSO_SUFFIX=so +#if [ "$OS" = "HP-UX" ]; then + #DSO_SUFFIX=sl +#fi +#what libnss3.$DSO_SUFFIX | grep NSS +#what libsmime3.$DSO_SUFFIX | grep NSS +#what libssl3.$DSO_SUFFIX | grep NSS +#ident libnss3.$DSO_SUFFIX | grep NSS +#ident libsmime3.$DSO_SUFFIX | grep NSS +#ident libssl3.$DSO_SUFFIX | grep NSS + +for w in `find . -name "libnss3.s[ol]" ; find . -name "libsmime3.s[ol]"; find . -name "libssl3.s[ol]"` +do + NOWHAT=FALSE + NOIDENT=FALSE + echo $w + what $w | grep NSS || NOWHAT=TRUE + ident $w | grep NSS || NOIDENT=TRUE + if [ $NOWHAT = TRUE ] + then + echo "ERROR what $w does not contain NSS" + fi + if [ $NOIDENT = TRUE ] + then + echo "ERROR ident $w does not contain NSS" + fi +done +#for w in `find . -name "libnss3.s[ol]" ; find . -name "libsmime3.s[ol]"; find . +#-name "libssl3.s[ol]"` +#do + #NOWHAT=FALSE + #NOIDENT=FALSE + #echo $w + #what $w | grep NSS || NOWHAT=TRUE + #ident $w | grep NSS || NOIDENT=TRUE + #if [ $NOWHAT = TRUE -a $NOIDENT = TRUE ] + #then + #echo "WARNING what and ident $w does not contain NSS" + #strings $w | grep NSS | grep '3.2' || echo "ERROR strings does +#not either..." + #fi +#done + diff --git a/security/nss/tests/doc/clean.gif b/security/nss/tests/doc/clean.gif Binary files differnew file mode 100644 index 000000000..08781cb2b --- /dev/null +++ b/security/nss/tests/doc/clean.gif diff --git a/security/nss/tests/doc/nssqa.txt b/security/nss/tests/doc/nssqa.txt new file mode 100755 index 000000000..34fa0955b --- /dev/null +++ b/security/nss/tests/doc/nssqa.txt 
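Review bot: dll_version.sh reports problems only with `echo` and always exits 0, so a caller cannot tell that a library lacked the NSS version string; track a status (`rc=0` before the loop, `rc=1` in each ERROR branch) and finish with `exit $rc`. A missing `what` or `ident` binary also sets NOWHAT/NOIDENT, because `|| NOWHAT=TRUE` fires on the pipeline status regardless of why it failed, so the ERROR message is misleading on platforms without those tools; guard with `command -v what >/dev/null` first. The for loop over the backtick find output word-splits paths and misbehaves on directories containing spaces; `find ... -exec` or a `while read -r` loop is the usual fix. The large commented-out block at the bottom is dead code and could be dropped from the new file.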
@@ -0,0 +1,108 @@ +The new QA wrapper consistst mainly of 2 scripts, nssqa and qa_stat, both +include a common header (header) and a common environment (set_environment). +Also used is mksymlinks and path_uniq. + +The scripts that are used on a daily basis are located in /u/sonmi/bin. + +Parameters and Options are the same for both scripts. + +Parameters +---------- + nssversion (supported: 30b, 31, tip) + builddate (default - today, format mmdd) + +Options +------- + -y answer all questions with y - use at your own risk... ignores warnings + -s silent (only usefull with -y) + -h, -? -help you guessed right - displays the usage + -d debug + -f <filename> - write the (error)output to filename + -m <mailinglist> - send filename to mailinglist (csl) only useful + with -f on nssqa + -l <mozroot> run on a local build - does not work at this time + -cron equivalient to -y -s -d -f $RESULTDIR/$HOST.<scriptname> + +nssqa and qa_stat are Beta at the most +-------------------------- +Please be aware that + +-) machinenames are still hardcoded --FIXED +-) other very iPlanet specific environments and features are being used. + +-d Debug option will be removed from cron in a few weeks - or maybe not +-l QA on local build is not fully implemented yet + +Please do not use on Windows 95 and 98, ME platforms yet. + +use -d if script behaves strange or exits unexpectedly + +How to use QA +------------- +To test a build, first run nssqa on the required QA platforms (some +buildplatforms require QA to be run on additional platforms - for +example Solaris 2.6 has to be tested on 2.8 32 and 64bit) If QA has +been run on multiple or all required platforms it makes sense to run +qa_stat on the output of nssqa as well. +Before used on a new system (even if the same platform has been +tested before) please use completely interactive, to see what the +variables are being initialized to, and read the warnings. Same is +true if being run from a different user account than svbld. 
+ +In any case, if you are using it, please let me know the results. + +Pseudocode Description of nssqa: +-------------------------------- +not quite up to date + + header:init (global) + set flags and variables to default values + signal trap (for interupts and kills) + set HOST and DOMSUF variables if running from cron + parse parameters and options + determine os and set up the environment (espec. PATH) + set the directories to run in (influenced by parameters and -l option) + set and initialize the tmp / debugging / output files + + nssqa:init (local) + locking: if nssqa is already running on this systems (yes-exit, + no-lockfile) + set HOST and DOMSUF variables if running interavtively + set flag to kill remaining selfserv processes during cleanup + if QA platform different from build platform create neccessary + symbolic links + wait for the build to finish (max of 5h) + + main: + repeated per test (optimized, debug, 32, 64 bit) + set flags for this run of all.sh (optimized, debug, 32, 64 bit) + set the DIST directory (where the binaries reside) + kill running selfservers (sorry - just don't use the svbld + account if you need to do your own testing... I will fix + selfserv as soon as I can - but it hangs too often and + disturbs all following QA) + run all.sh + + header:exit (global) + remove temporary files + kill remaining selfservers + send email to the list + + + errorhandling + Option / Parameter errors: Exit with usage information + + Severe errors: Exit wit errormessage + example: directory in which all.sh resides does not exist + can't create files or directories + build not done after 5 hours + is already running + + Other errors: User is prompted with the "errormessage - continue (y/n)?" + example: local DIST dir does not exist (continues with next all.sh) + outputdirectory does not exist (user can specify other) + + Signals 2, 3, 15 are treated as severe errors + + + 
diff --git a/security/nss/tests/doc/platform_specific_problems b/security/nss/tests/doc/platform_specific_problems new file mode 100644 index 000000000..92a22ca03 --- /dev/null +++ b/security/nss/tests/doc/platform_specific_problems 
@@ -0,0 +1,110 @@ +I will, eventually convert all files here to html - just right now I have no +time to do it. Anyone who'd like to - please feel free, mail me the file and +I will check it in +sonmi@netscape.com + + +The NSS 3.1 SSL Stress Tests fail for me on FreeBSD 3.5. The end of the output +of './ssl.sh stress' looks like this: + +********************* Stress Test **************************** +********************* Stress SSL2 RC4 128 with MD5 **************************** +selfserv -p 8443 -d +/local/llennox/NSS-PSM/mozilla/tests_results/security/conrail.20/server -n +conrail.cs.columbia.edu -w nss -i /tmp/tests_pid.5505 & strsclnt -p 8443 -d . -w nss -c 1000 -C A conrail.cs.columbia.edu +strsclnt: -- SSL: Server Certificate Validated. +strsclnt: PR_NewTCPSocket returned error -5974: +Insufficient system resources. +Terminated +********************* Stress SSL3 RC4 128 with MD5 **************************** +selfserv -p 8443 -d +/local/llennox/NSS-PSM/mozilla/tests_results/security/conrail.20/server -n +conrail.cs.columbia.edu -w nss -i /tmp/tests_pid.5505 & strsclnt -p 8443 -d . -w nss -c 1000 -C c conrail.cs.columbia.edu +strsclnt: -- SSL: Server Certificate Validated. +strsclnt: PR_NewTCPSocket returned error -5974: +Insufficient system resources. +Terminated + +Running ktrace on the process (ktrace is a system-call tracer, the equivalent of +Linux's strace) reveals that socket() failed with ENOBUFS after it was called +for the 953rd time for the first test, and it failed after the 27th time it was +called for the second test. + +The failure is consistent, both for debug and optimized builds; I haven't tested +to see whether the count of socket() failures is consistent. + +All the other NSS tests pass successfully. + + +------- Additional Comments From Nelson Bolyard 2000-11-01 23:08 ------- + +I see no indication of any error on NSS's part from this description. +It sounds like an OS kernel configuration problem on the +submittor's system. 
The stress test is just that. It stresses +the server by pounding it with SSL connections. Apparently this +test exhausts some kernel resource on the submittor's system. + +The only change to NSS that might be beneficial to this test +would be to respond to this error by waiting and trying again +for some limited number of times, rather than immediately +treating it as a fatal error. + +However, while such a change might make the test appear to pass, +it would merely be hiding a very serious problem, namely, +chronic system resource exhaustion. + +So, I suggest that, in this case, the failure serves the useful +purpose of revealing the system problem, which needs to be +cured apart from any changes to NSS. + +I'll leave this bug open for a few more days, to give others +a chance to persuade me that some NSS change would and should +solve this problem. + + +------- Additional Comments From Jonathan Lennox 2000-11-02 13:13 ------- + +Okay, some more investigation leads me to agree with you. What's happening is +that the TCP connections from the stress test stick around in TIME_WAIT for two +minutes; my kernel is only configured to support 1064 simultaneous open sockets, +which isn't enough for the 2K sockets opened by the stress test plus the 100 or +so normally in use on my system. + +So I'd just suggest adding a note to the NSS test webpage to the effect of "The +SSL stress test opens 2,048 TCP connections in quick succession. Kernel data +structures may remain allocated for these connections for up to two minutes. +Some systems may not be configured to allow this many simulatenous connections +by default; if the stress tests fail, try increasing the number of simultaneous +sockets supported." + +On FreeBSD, you can display the number of simultaneous sockets with the command + sysctl kern.ipc.maxsockets +which on my system returns 1064. 
+ +It looks like this can be fixed with the kernel config option + options NMBCLUSTERS=[something-large] +or by increasing the 'maxusers' parameter. + +It looks like more recent FreeBSD implementations still have this limitation, +and the same solutions apply, plus you can alternatively specify the maxsockets +parameter in the boot loader. + + +--------------------------------- + +hpux HP-UX hp64 B.11.00 A 9000/800 2014971275 two-user license + +we had to change following kernelparameters to make our tests pass + +1. maxfiles. old value = 60. new value = 100. +2. nkthread. old value = 499. new value = 1328. +3. max_thread_proc. old value = 64. new value = 512. +4. maxusers. old value = 32. new value = 64. +5. maxuprc. old value = 75. new value = 512. +6. nproc. old formula = 20+8*MAXUSERS, which evaluated to 276. + new value (note: not a formula) = 750. + +A few other kernel parameters were also changed automatically +as a result of the above changes. + + diff --git a/security/nss/tests/doc/qa_wrapper.html b/security/nss/tests/doc/qa_wrapper.html new file mode 100755 index 000000000..755cca236 --- /dev/null +++ b/security/nss/tests/doc/qa_wrapper.html 
@@ -0,0 +1,269 @@ +<!doctype html public "-//w3c//dtd html 4.0 transitional//en"> +<html> +<head> + <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> + <meta name="GENERATOR" content="Mozilla/4.7 [en] (X11; U; SunOS 5.8 sun4u) [Netscape]"> +</head> +<body text="#000000" bgcolor="#FFFFFF" link="#0000EE" vlink="#551A8B" alink="#FF0000"> + +<h3> +<b><font face="Times New Roman,Times">Author Sonja Mirtitsch</font></b></h3> + +<h3> +<b><font face="Times New Roman,Times">Last updated: 4/4/2001</font></b></h3> + +<h1> +<b><font face="Times New Roman,Times">NSS 3.2.QA Wrapper</font></b></h1> + +<p><br>The QA wrapper tests the nightly builds of NSS. The actual +tests are being run are called from the QA script all.sh. I will add documentation +for the actual QA soon. The main purpose of the wrapper is: find out which +build (NSS version, date, Build Platform) to test on which machine (OS, +OS version) and construct a summary report, which is then mailed to the +nss developers (aka mailing list nss-qa-report@netscape.com). Please see +also the <a href="#advertisement">feature</a> section. +<p><a href="#nssqa">nssqa</a> - the script that calls the actual +qa script all.sh +<br><a href="#qa_stat">qa_stat</a> - sends out status reports +<br><a href="#qaclean">qaclean</a> - if everything else fails +<p>Sample <a href="/u/sonmi/doc/publish/glob_result.html">global result</a>, +<a href="/u/sonmi/doc/publish/results.html">individual result </a>and <a href="/u/sonmi/doc/publish/output.log">log +files</a> +<p>The QA wrapper consistst mainly of scripts, most located in security/nss/tests +and subdirectories, but run from /u/sonmi/bin +<p>nssqa and qa_stat, the main scripts both include a common header (<a href="../header">header</a>) +and a common environment (<a href="../set_environment">set_environment</a>). +<br>Also used is <a href="../mksymlinks">mksymlinks</a> and <a href="../path_uniq">path_uniq</a> +and <a href="#qaclean">qaclean</a>. 
+<p>The scripts that are used on a daily basis are located in /u/sonmi/bin +and checked into security/nss/tests +<p>Parameters and Options are the same for most scripts. +<p><a NAME="Parameters"></a><b><u><font size=+1>Parameters</font></u></b> +<br> nssversion (supported: 30b, 31, tip, default tip) +<br> builddate (default - today, format mmdd) +<p><a NAME="Options"></a><b><u><font size=+1>Options</font></u></b> +<br> -y answer all questions with y - use at your own +risk... ignores warnings +<br> -s silent (only usefull with -y) +<br> -h, -? -help you guessed right - displays the usage +<br> -d debug +<br> -f <filename> - write the (error)output to filename +<br> -fcron writes resultfile in the same location as +would the -cron +<br> -m <mailinglist> - send filename to mailinglist +(csl) only useful +<br> with -f on nssqa +<br> -l <mozroot> run on a local build - does not +work at this time +<br> -cron equivalient to -y -s -d -f $RESULTDIR/$HOST.<scriptname> +<br> +<p>Please be aware that some iPlanet specific environments and features +are being used. +<p>-d Debug option might be removed from cron in a few weeks - or maybe +not +<br>-l QA on local build is not fully implemented yet - will not be implemented, +all.sh can be called directly instead +<p>Please do not use on Windows 95 and 98, ME platforms yet. +<p>use -d if script behaves strange or exits unexpectedly +<p><b><font size=+1>How to use the QA-wrapper</font></b> +<br>To test a build, first run nssqa on the required QA platforms (some +buildplatforms require QA to be run on additional platforms - for example +Solaris 2.6 has to be tested on 2.8 32 and 64bit) If QA has been run on +multiple or all required platforms it makes sense to run qa_stat on the +output of nssqa as well. +<br>Before used on a new system (even if the same platform has been tested +before) please use completely interactive, to see what the variables are +being initialized to, and read the warnings. 
Same is true if being run +from a different user account than svbld. +<p>In any case, if you are using it, please let me know the results. +<p><a NAME="nssqa"></a><b><u><font size=+1>nssqa:</font></u></b> +<p>the script that calls the actual qa script all.sh +<p>nssqa <a href="#Parameters">parameters</a> and <a href="#Options">options</a> +<p><a href="../nssqa">view the script</a> +<p><b><u><font size=+1>Pseudocode Description of nssqa</font></u></b> +<br>not quite up to date +<p> header:init (global) +<br> set flags and variables +to default values +<br> signal trap (for interupts +and kills) +<br> set HOST and DOMSUF variables +if running from cron +<br> parse parameters and options +<br> determine os and set up +the environment (espec. PATH) +<br> set the directories to run +in (influenced by parameters and -l option)<br> + set the directories for backward +compatibility testing +<br> set and initialize the tmp +/ debugging / output files +<p> nssqa:init (local) +<br> locking: if nssqa is already +running on this systems (yes-exit, +<br> +no-lockfile) +<br> set HOST and DOMSUF variables +if running interavtively +<br> set flag to kill remaining +selfserv processes during cleanup +<br> if QA platform different +from build platform create neccessary +<br> +symbolic links +<br> wait for the build to finish +(max of 5h) +<p> main: +<br> repeated per test (optimized, +debug, 32, 64 bit) +<br> +set flags for this run of all.sh (optimized, debug, 32, 64 bit) +<br> +set the DIST directory (where the binaries reside) +<br> +kill running selfservers (sorry - just don't use the svbld +<br> +account if you need to do your own testing... 
I will fix +<br> +selfserv as soon as I can - but it hangs too often and +<br> +disturbs all following QA) +<br> +run all.sh +<p> header:exit (global) +<br> remove temporary files +<p> kill remaining selfservers +<br> send email to the list +<br> +<p> errorhandling +<br> Option / Parameter errors: +Exit with usage information +<p> Severe errors: Exit wit errormessage +<br> +example: directory in which all.sh resides does not exist +<br> +can't create files or directories +<br> +build not done after 5 hours +<br> +is already running +<p> Other errors: User is prompted +with the "errormessage - continue (y/n)?" +<br> +example: local DIST dir does not exist (continues with next all.sh) +<br> +outputdirectory does not exist (user can specify other) +<p> Signals 2, 3, 15 are treated +as severe errors +<br> +<br> +<br> +<p><img SRC="clean.gif" height=129 width=92 align=LEFT><a NAME="qaclean"></a><b><u><font size=+2>qaclean:</font></u></b>/u/sonmi/bin/qaclean +<br> +<p>Use qaclean as user "svbld" to get the propper permissions. It is supposed +to clean up after a "hanging" QA and will also brutally kill, interupt +and disturb any other nss related test or performance meassurement on the +named machine. NT and 2000 might require an additional reboot, since the +ps is not so good about telling us the actual programmname - so we can't +kill them... 
Please note that this is a brute force script, it should not +be used on a regular basis, file a bug whenever you have to use it, since +hanging QA is nothing that should occur frequently +<p> <a href="../qaclean">view the script</a> +<p>What it does: +<ol> +<li> +see if there is a lockfile (/tmp/nssqa.$$ or $TMP/nssqa.$$)</li> + +<br>if yes: +<ol>kill the process of the lockfile <font color="#666666">(future expansion +and if possible it's children )</font> +<br>rm the lockfile</ol> + +<li> +kill selfservers</li> + +<li> +kill whatever other qa related processes might be hanging</li> + +<li> +clean up tmp files</li> +</ol> +<b>QAClean Parameters:</b> +<br> machinename. +<br> for example +<br> qaclean kentuckyderby +<br> started on any machine, will clean up on kentuckyderby +<p><a NAME="qa_stat"></a><b><u><font size=+2>qa_stat</font></u></b> +<p>qa_stat is the script that is being started from the svbld cron on kentuckyderby +every morning at 10:00 and runs some (very primitive) analysis on the qa +results. +<br>I'd like to rewrite the whole thing in perl, and in a few weeks I might +just do this... +<p> <a href="../qa_stat">view the script</a> +<p>qa_stat <a href="#Parameters">parameters</a> and <a href="#Options">options</a> +<p><a NAME="advertisement"></a><b><u><font size=+1>Why we need the QA wrapper</font></u></b> +<p>We need the new QA wrapper, because we have to test on so many platforms, +that running the tests and evaluating the results for the nightly builds +took about an average workday. 
+<p><b><font size=+1>New Features:</font></b> +<ul> +<li> +runs from <b>cron</b> / rsh or <b>interactive</b> if desired</li> + +<li> +generates <b>summary</b> (no need to look through 60-90 directories)</li> + +<li> +sends <b>email</b> about results</li> + +<li> +automatically <b>recognizes common errors</b> and problems and conflicts +and corrects them</li> + +<br>(or attempts to correct them :-) +<li> +automatically determines <b>which build </b>to test (waits if build in +progress, exits if no build)</li> + +<li> +runs on <b>all required platforms</b> (Windows 98 and before not functional +yet)</li> + +<li> +Windows version runs on <b>free Cygnus</b> as well as on MKS</li> + +<li> +debug mode, normal mode and silent mode</li> + +<li> +<b>locking</b> mechanism so it won't run twice</li> + +<li> +<b>cleanup</b> after being killed and most errors (no remaining selfservers, +tmpfiles, lock files)</li> +</ul> +The 1st script is started via cron between 5:00 and 8:00 am on different +systems, and starts QA on the nightly build. At 10:00 the next script is +started, and sends a QA summary to the nss developers. +<p><b>Cygnus Advantages</b>: +<ul> +<li> +<b>free</b></li> + +<li> +better handling of <b>processes</b> (background, processIDs, Signals)</li> + +<li> +Unix / Linux <b>compatible</b> sh / bash</li> +</ul> +<b>Disadvantages</b> +<ul> +<li> +MKS functionality needs to be preserved (makes <b>8 Windows platforms</b> +instead of 4 for the QA suites - makes 32 testruns on Windows alone)</li> + +<br>In certain functionality's <b>slow</b> +<br><b></b> </ul> +<b>Porting the windows QA to Uwin as well is also being considered</b> +</body> +</html> diff --git a/security/nss/tests/dummy/dummy.sh b/security/nss/tests/dummy/dummy.sh new file mode 100644 index 000000000..27d3c9cf4 --- /dev/null +++ b/security/nss/tests/dummy/dummy.sh 
@@ -0,0 +1,19 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/dummy/dummy.sh
+#
+# Minimal test that doesn't do anything
+#
+# NSS_TESTS="dummy" can be used for quick testing of the
+# test script infrastructure, without running any of the tests
+#
+########################################################################
+
+# html_failed "dummy test fail"
+html_passed "dummy test ok"
diff --git a/security/nss/tests/ec/ec.sh b/security/nss/tests/ec/ec.sh
new file mode 100755
index 000000000..9869b6590
--- /dev/null
+++ b/security/nss/tests/ec/ec.sh
@@ -0,0 +1,37 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# tests/ec/ec.sh
+#
+# needs to work on all Unix and Windows platforms
+# this is a meta script to drive all ec tests
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## run_tests ###############################
+# run test suites defined in ECTESTS variable
+########################################################################
+run_ec_tests()
+{
+ for ECTEST in ${ECTESTS}
+ do
+ SCRIPTNAME=${ECTEST}.sh
+ echo "Running ec tests for ${ECTEST}"
+ echo "TIMESTAMP ${ECTEST} BEGIN: `date`"
+ (cd ${QADIR}/ec; . ./${SCRIPTNAME} 2>&1)
+ echo "TIMESTAMP ${ECTEST} END: `date`"
+ done
+}
+
+ECTESTS="ecperf ectest"
+run_ec_tests
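Review bot: In run_ec_tests, `(cd ${QADIR}/ec; . ./${SCRIPTNAME} 2>&1)` ignores the result of the `cd`, so if `${QADIR}/ec` is absent the subshell goes on to source `./ecperf.sh` relative to whatever the current directory happens to be, and the subshell's exit status is discarded either way. `(cd "${QADIR}/ec" && . "./${SCRIPTNAME}" 2>&1)` at least stops the script from being sourced from the wrong place. Since the outcome is communicated only through the html_passed/html_failed calls inside the sourced scripts, a comment on the function noting that each suite's exit status is intentionally not checked would make that design explicit.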
diff --git a/security/nss/tests/ec/ecperf.sh b/security/nss/tests/ec/ecperf.sh
new file mode 100755
index 000000000..501488e08
--- /dev/null
+++ b/security/nss/tests/ec/ecperf.sh
@@ -0,0 +1,52 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# tests/ec/ecperf.sh
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## ecperf_init #############################
+# local shell function to initialize this script
+########################################################################
+
+ecperf_init()
+{
+ SCRIPTNAME="ecperf.sh"
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ] ; then
+ cd ../common
+ . ./init.sh
+ fi
+ SCRIPTNAME="ecperf.sh"
+ html_head "ecperf test"
+}
+
+ecperf_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+ecperf_init
+ECPERF_OUT=$(ecperf 2>&1)
+echo "$ECPERF_OUT"
+ECPERF_OUT=`echo $ECPERF_OUT | grep -i 'failed\|Assertion failure'`
+# TODO: this is a perf test we don't check for performance here but only failed
+if [ -n "$ECPERF_OUT" ] ; then
+ html_failed "ec(perf) test"
+else
+ html_passed "ec(perf) test"
+fi
+ecperf_cleanup
diff --git a/security/nss/tests/ec/ectest.sh b/security/nss/tests/ec/ectest.sh
new file mode 100644
index 000000000..e10760565
--- /dev/null
+++ b/security/nss/tests/ec/ectest.sh
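Review bot: A missing or non-executable ecperf is reported as a pass: `ECPERF_OUT=$(ecperf 2>&1)` captures the shell's "command not found" text, which matches neither `failed` nor `Assertion failure`, so the script falls through to html_passed. The sibling scripts run tools as `${BINDIR}/tool` (dbupgrade.sh) or check `-f ${BINDIR}/...` before running them (ectest.sh); do the same here, or capture `$?` right after the call and treat a non-zero status as a failure independent of the grep. The grep line also expands `$ECPERF_OUT` unquoted, collapsing the output onto one line and exposing it to globbing; `printf '%s\n' "$ECPERF_OUT" | grep -i 'failed\|Assertion failure'` keeps the line structure. The second `SCRIPTNAME="ecperf.sh"` in ecperf_init is redundant unless init.sh is expected to clobber it, in which case a comment should say so.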
@@ -0,0 +1,93 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# tests/ec/ectest.sh +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +######################################################################## + +############################## ectest_init ############################# +# local shell function to initialize this script +######################################################################## + +ectest_init() +{ + SCRIPTNAME="ectest.sh" + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ] ; then + cd ../common + . ./init.sh + fi + SCRIPTNAME="ectest.sh" + html_head "freebl and pk11 ectest tests" +} + +ectest_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +ectest_genkeydb_test() +{ + certutil -N -d "${HOSTDIR}" -f "${R_PWFILE}" 2>&1 + if [ $? -ne 0 ]; then + return $? + fi + curves=( \ + "curve25519" \ + "secp256r1" \ + "secp384r1" \ + "secp521r1" \ + ) + for curve in "${curves[@]}"; do + echo "Test $curve key generation using certutil ..." + certutil -G -d "${HOSTDIR}" -k ec -q $curve -f "${R_PWFILE}" -z ${NOISE_FILE} + if [ $? -ne 0 ]; then + html_failed "ec test certutil keygen - $curve" + else + html_passed "ec test certutil keygen - $curve" + fi + done + echo "Test sect571r1 key generation using certutil that should fail because it's not implemented ..." + certutil -G -d "${HOSTDIR}" -k ec -q sect571r1 -f "${R_PWFILE}" -z ${NOISE_FILE} + if [ $? 
-eq 0 ]; then + html_failed "ec test certutil keygen - $curve" + else + html_passed "ec test certutil keygen - $curve" + fi +} + +ectest_init +ectest_genkeydb_test +# TODO: expose individual tests and failures instead of overall +if [ -f ${BINDIR}/fbectest ]; then + FB_ECTEST_OUT=$(fbectest -n -d 2>&1) + FB_ECTEST_OUT=`echo $FB_ECTEST_OUT | grep -i 'not okay\|Assertion failure'` + if [ -n "$FB_ECTEST_OUT" ] ; then + html_failed "freebl ec tests" + else + html_passed "freebl ec tests" + fi +fi +if [ -f ${BINDIR}/pk11ectest ]; then + PK11_ECTEST_OUT=$(pk11ectest -n -d 2>&1) + PK11_ECTEST_OUT=`echo $PK11_ECTEST_OUT | grep -i 'not okay\|Assertion failure'` + if [ -n "$PK11_ECTEST_OUT" ] ; then + html_failed "pk11 ec tests" + else + html_passed "pk11 ec tests" + fi +fi +ectest_cleanup diff --git a/security/nss/tests/fips/fips.sh b/security/nss/tests/fips/fips.sh new file mode 100755 index 000000000..4153e61aa --- /dev/null +++ b/security/nss/tests/fips/fips.sh 
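Review bot: In ectest_genkeydb_test the guard after `certutil -N` is `if [ $? -ne 0 ]; then return $?; fi`, but by the time `return` executes `$?` holds the status of the `[` test, which is 0 when the branch is taken, so a failed database creation returns success and no html_failed is recorded for it. Capture the status first: `ret=$?` followed by `if [ $ret -ne 0 ]; then return $ret; fi`. The sect571r1 negative test at the end of the function labels its html_failed/html_passed messages with `$curve`, which still holds the last loop value, so the report names the wrong curve; use a literal such as `"ec test certutil keygen - sect571r1 (expected to fail)"`. The fbectest and pk11ectest blocks check `-f ${BINDIR}/...` but then invoke the bare name from PATH; invoking `${BINDIR}/fbectest` directly would keep the check and the call consistent.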
@@ -0,0 +1,293 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# mozilla/security/nss/tests/fips/fips.sh +# +# Script to test basic functionallity of NSS in FIPS-compliant mode +# +# needs to work on all Unix and Windows platforms +# +# tests implemented: +# +# special strings +# --------------- +# +######################################################################## + +############################## fips_init ############################## +# local shell function to initialize this script +######################################################################## +fips_init() +{ + SCRIPTNAME=fips.sh # sourced - $0 would point to all.sh + + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ../common + . ./init.sh + fi + if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here + cd ../cert + . 
./cert.sh + fi + SCRIPTNAME=fips.sh + html_head "FIPS 140 Compliance Tests" + + grep "SUCCESS: FIPS passed" $CERT_LOG_FILE >/dev/null || { + Exit 15 "Fatal - FIPS of cert.sh needs to pass first" + } + + COPYDIR=${FIPSDIR}/copydir + + R_FIPSDIR=../fips + P_R_FIPSDIR=../fips + R_COPYDIR=../fips/copydir + + if [ -n "${MULTIACCESS_DBM}" ]; then + P_R_FIPSDIR="multiaccess:${D_FIPS}" + fi + + mkdir -p ${FIPSDIR} + mkdir -p ${COPYDIR} + + cd ${FIPSDIR} +} + +############################## fips_140 ############################## +# local shell function to test basic functionality of NSS while in +# FIPS 140 compliant mode +######################################################################## +fips_140() +{ + echo "$SCRIPTNAME: Verify this module is in FIPS mode -----------------" + echo "modutil -dbdir ${P_R_FIPSDIR} -list" + ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -list 2>&1 + ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -chkfips true 2>&1 + html_msg $? 0 "Verify this module is in FIPS mode (modutil -chkfips true)" "." + + echo "$SCRIPTNAME: List the FIPS module certificates -----------------" + echo "certutil -d ${P_R_FIPSDIR} -L" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1 + html_msg $? 0 "List the FIPS module certificates (certutil -L)" "." + + echo "$SCRIPTNAME: List the FIPS module keys -------------------------" + echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "List the FIPS module keys (certutil -K)" "." + + echo "$SCRIPTNAME: Attempt to list FIPS module keys with incorrect password" + echo "certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE} 2>&1 + RET=$? + html_msg $RET 255 "Attempt to list FIPS module keys with incorrect password (certutil -K)" "." 
+ echo "certutil -K returned $RET" + + echo "$SCRIPTNAME: Validate the certificate --------------------------" + echo "certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE} + html_msg $? 0 "Validate the certificate (certutil -V -e)" "." + + echo "$SCRIPTNAME: Export the certificate and key as a PKCS#12 file --" + echo "pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}" + ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "Export the certificate and key as a PKCS#12 file (pk12util -o)" "." + + echo "$SCRIPTNAME: Export the certificate as a DER-encoded file ------" + echo "certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt 2>&1 + html_msg $? 0 "Export the certificate as a DER (certutil -L -r)" "." + + echo "$SCRIPTNAME: List the FIPS module certificates -----------------" + echo "certutil -d ${P_R_FIPSDIR} -L" + certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` + ret=$? + echo "${certs}" + if [ ${ret} -eq 0 ]; then + echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null + ret=$? + fi + html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." + + + echo "$SCRIPTNAME: Delete the certificate and key from the FIPS module" + echo "certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "Delete the certificate and key from the FIPS module (certutil -F)" "." + + echo "$SCRIPTNAME: List the FIPS module certificates -----------------" + echo "certutil -d ${P_R_FIPSDIR} -L" + certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` + ret=$? 
+ echo "${certs}" + if [ ${ret} -eq 0 ]; then + echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null + if [ $? -eq 0 ]; then + ret=255 + fi + fi + html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." + + echo "$SCRIPTNAME: List the FIPS module keys." + echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 + # certutil -K now returns a failure if no keys are found. This verifies that + # our delete succeded. + html_msg $? 255 "List the FIPS module keys (certutil -K)" "." + + + echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file" + echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}" + ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "." + + echo "$SCRIPTNAME: List the FIPS module certificates -----------------" + echo "certutil -d ${P_R_FIPSDIR} -L" + certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` + ret=$? + echo "${certs}" + if [ ${ret} -eq 0 ]; then + echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null + ret=$? + fi + html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." + + echo "$SCRIPTNAME: List the FIPS module keys --------------------------" + echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "List the FIPS module keys (certutil -K)" "." + + + echo "$SCRIPTNAME: Delete the certificate from the FIPS module" + echo "certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK} 2>&1 + html_msg $? 0 "Delete the certificate from the FIPS module (certutil -D)" "." 
+ + echo "$SCRIPTNAME: List the FIPS module certificates -----------------" + echo "certutil -d ${P_R_FIPSDIR} -L" + certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` + ret=$? + echo "${certs}" + if [ ${ret} -eq 0 ]; then + echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null + if [ $? -eq 0 ]; then + ret=255 + fi + fi + html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." + + + echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file" + echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}" + ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "." + + echo "$SCRIPTNAME: List the FIPS module certificates -----------------" + echo "certutil -d ${P_R_FIPSDIR} -L" + certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` + ret=$? + echo "${certs}" + if [ ${ret} -eq 0 ]; then + echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null + ret=$? + fi + html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." + + echo "$SCRIPTNAME: List the FIPS module keys --------------------------" + echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "List the FIPS module keys (certutil -K)" "." + + + echo "$SCRIPTNAME: Run PK11MODE in FIPSMODE -----------------" + echo "pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE}" + ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "Run PK11MODE in FIPS mode (pk11mode)" "." + + echo "$SCRIPTNAME: Run PK11MODE in Non FIPSMODE -----------------" + echo "pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n" + ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n 2>&1 + html_msg $? 0 "Run PK11MODE in Non FIPS mode (pk11mode -n)" "." 
+ + LIBDIR="${DIST}/${OBJDIR}/lib" + MANGLEDIR="${FIPSDIR}/mangle" + + # There are different versions of cp command on different systems, some of them + # copies only symlinks, others doesn't have option to disable links, so there + # is needed to copy files one by one. + echo "mkdir ${MANGLEDIR}" + mkdir ${MANGLEDIR} + for lib in `ls ${LIBDIR}`; do + echo "cp ${LIBDIR}/${lib} ${MANGLEDIR}" + cp ${LIBDIR}/${lib} ${MANGLEDIR} + done + + echo "$SCRIPTNAME: Detect mangled softoken--------------------------" + SOFTOKEN=${MANGLEDIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} + + echo "mangling ${SOFTOKEN}" + echo "mangle -i ${SOFTOKEN} -o -8 -b 5" + # If nss was built without softoken use the system installed one. + # It's location must be specified by the package maintainer. + if [ ! -e ${MANGLEDIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ]; then + echo "cp ${SOFTOKEN_LIB_DIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ${MANGLEDIR}" + cp ${SOFTOKEN_LIB_DIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ${MANGLEDIR} + fi + ${BINDIR}/mangle -i ${SOFTOKEN} -o -8 -b 5 2>&1 + if [ $? -eq 0 ]; then + if [ "${OS_ARCH}" = "WINNT" ]; then + DBTEST=`which dbtest` + if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then + DBTEST=`cygpath -m ${DBTEST}` + MANGLEDIR=`cygpath -u ${MANGLEDIR}` + fi + echo "PATH=${MANGLEDIR} ${DBTEST} -r -d ${P_R_FIPSDIR}" + PATH="${MANGLEDIR}" ${DBTEST} -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 + RESULT=$? + elif [ "${OS_ARCH}" = "HP-UX" ]; then + echo "SHLIB_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" + LD_LIBRARY_PATH="" SHLIB_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 + RESULT=$? + elif [ "${OS_ARCH}" = "AIX" ]; then + echo "LIBPATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" + LIBPATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 + RESULT=$? 
+ elif [ "${OS_ARCH}" = "Darwin" ]; then + echo "DYLD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" + DYLD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 + RESULT=$? + else + echo "LD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" + LD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 + RESULT=$? + fi + + html_msg ${RESULT} 46 "Init NSS with a corrupted library (dbtest -r)" "." + else + html_failed "Mangle ${DLL_PREFIX}softokn3.${DLL_SUFFIX}" + fi +} + +############################## fips_cleanup ############################ +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +fips_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +################## main ################################################# + +fips_init +fips_140 +fips_cleanup +echo "fips.sh done" diff --git a/security/nss/tests/gtests/gtests.sh b/security/nss/tests/gtests/gtests.sh new file mode 100755 index 000000000..f91349b9e --- /dev/null +++ b/security/nss/tests/gtests/gtests.sh 
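Review bot: In fips_140 the library copy loop iterates over the output of `ls ${LIBDIR}`, which word-splits on whitespace and is exactly what the preceding comment about copying file by file does not require; `for lib in "${LIBDIR}"/*; do cp "${lib}" "${MANGLEDIR}"; done` preserves the one-file-at-a-time intent, and `mkdir -p "${MANGLEDIR}"` avoids the error printed on a re-run when the mangle directory already exists. The system-softoken fallback copies from `${SOFTOKEN_LIB_DIR}` without checking that the variable is set, so with it empty the `cp` fails quietly and the only symptom is the later `html_failed "Mangle ..."` line rather than the real cause; a `[ -n "${SOFTOKEN_LIB_DIR}" ] || html_failed "SOFTOKEN_LIB_DIR not set"` guard before the copy would make the diagnosis immediate. `DBTEST=\`which dbtest\`` on the WINNT branch could be `command -v dbtest`, and every dbtest invocation expects exit code 46, which deserves a one-line comment naming what that code means (presumably the failure status dbtest returns when softoken's integrity check rejects the mangled library, to be confirmed against dbtest's source) so a future change to that code is recognised as intentional.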
@@ -0,0 +1,88 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# similar to all.sh this file runs drives gtests.
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## gtest_init ##############################
+# local shell function to initialize this script
+########################################################################
+gtest_init()
+{
+ cd "$(dirname "$1")"
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd common
+ . ./init.sh
+ fi
+
+ SCRIPTNAME=gtests.sh
+
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+}
+
+########################## gtest_start #############################
+# Local function to actually start the test
+####################################################################
+gtest_start()
+{
+ echo "gtests: ${GTESTS}"
+ for i in ${GTESTS}; do
+ if [ ! -f ${BINDIR}/$i ]; then
+ html_unknown "Skipping $i (not built)"
+ continue
+ fi
+ GTESTDIR="${HOSTDIR}/$i"
+ html_head "$i"
+ if [ ! -d "$GTESTDIR" ]; then
+ mkdir -p "$GTESTDIR"
+ fi
+ cd "$GTESTDIR"
+ GTESTREPORT="$GTESTDIR/report.xml"
+ PARSED_REPORT="$GTESTDIR/report.parsed"
+ echo "executing $i"
+ ${BINDIR}/$i -d "$GTESTDIR" --gtest_output=xml:"${GTESTREPORT}" \
+ --gtest_filter="${GTESTFILTER-*}"
+ html_msg $? 0 "$i run successfully"
+ echo "test output dir: ${GTESTREPORT}"
+ echo "executing sed to parse the xml report"
+ sed -f ${COMMON}/parsegtestreport.sed "${GTESTREPORT}" > "${PARSED_REPORT}"
+ echo "processing the parsed report"
+ cat "${PARSED_REPORT}" | while read result name; do
+ if [ "$result" = "notrun" ]; then
+ echo "$name" SKIPPED
+ elif [ "$result" = "run" ]; then
+ html_passed_ignore_core "$name"
+ else
+ html_failed_ignore_core "$name"
+ fi
+ done
+ done
+}
+
+gtest_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+################## main #################################################
+GTESTS="der_gtest pk11_gtest util_gtest"
+gtest_init $0
+gtest_start
+gtest_cleanup
diff --git a/security/nss/tests/header b/security/nss/tests/header
new file mode 100644
index 000000000..5a1dead72
--- /dev/null
+++ b/security/nss/tests/header
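Review bot: In gtest_start the parsed report is consumed through `cat "${PARSED_REPORT}" | while read result name`, which runs the loop body in a pipeline subshell and reads without `-r`; if html_passed_ignore_core and html_failed_ignore_core keep pass/fail counters in shell variables (they come from common/init.sh, outside this hunk), every update made inside the loop is discarded when the subshell exits. Redirect the file into the loop instead, `while read -r result name; do` ... `done < "${PARSED_REPORT}"`, which also keeps backslashes in test names intact. When a gtest binary aborts before writing report.xml, `html_msg` records the non-zero run but the following `sed` fails with only its own stderr message and the loop then processes an empty file, so no per-test result is emitted at all; a `[ -f "${GTESTREPORT}" ] || { html_failed "$i produced no report"; continue; }` before the sed makes that case explicit in the report.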
@@ -0,0 +1,1636 @@ +#! /bin/sh + +######################################################################## +# +# /u/sonmi/bin/header - /u/svbld/bin/init/nss/header +# +# variables, utilities and shellfunctions global to NSS QA +# needs to work on all Unix platforms +# +# included from (don't expect this to be up to date) +# -------------------------------------------------- +# qa_stat +# mksymlinks +# nssqa +# +# parameters +# ---------- +# nssversion (supported: 30b, 31, 332, tip 32) +# builddate (default - today) +# +# options +# ------- +# -y answer all questions with y - use at your own risk... ignores warnings +# -s silent (only usefull with -y) +# -h, -? - you guessed right - displays this text +# -d debug +# -f <filename> - write the (error)output to filename +# -fcronfile produces the resultfiles in the same locations +# as would have been produced with -cron +# -m <mailinglist> - send filename to mailinglist (csl) only useful +# with -f +# -ml <mailinglist> - send link to filename to mailinglist (csl) +# only useful with -f +# -cron equivalient to -y -s -d -f $RESULTDIR/$HOST.<scriptname> +# -t run on a tinderbox build that means: local, from the startlocation +# -l <mozroot directory> run on a local build mozroot +# -ln <mozroot> copy a networkbuild to a local directory mozroot, +# used for networkindipendend QA +# -lt try to copy a networkbuild to a local directory, if not possible +# run on the network +# used for networkindipendend QA +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... 
unexpected behavior +# +# moduls (not yet) +# ---------------- +# --# INIT +# --# USERCOM +# --# UTILS +# +# FIXME - split in init / usercom / utils +# +######################################################################## + +#------------------------------# INIT #------------------------------ + +# below the option flags get initialized + +if [ -z "$QASCRIPT_DIR" ] +then + QASCRIPT_DIR=`dirname $0` + if [ "$QASCRIPT_DIR" = '.' ] + then + QASCRIPT_DIR=`pwd` + fi +fi +export QASCRIPT_DIR + +O_HWACC=OFF +if [ -z "$O_ALWAYS_YES" ] ; then + O_ALWAYS_YES=OFF # turned on by -y answer all questions with y +fi + +if [ -z "$O_INIT" ] # header is global, some including scripts may not +then # want the init to run, the others don't need to bother + O_INIT=ON +fi +if [ -z "$O_PARAM" ] # header is global, some including scripts may not +then # require parameters, the others don't need to bother + O_PARAM=ON +fi +if [ -z "$O_OPTIONS" ] # header is global, some including scripts may not +then # permit options, they don't need to bother + O_OPTIONS=OFF +fi +O_SILENT=OFF # turned on by -s silent (only usefull with -y) +if [ -z "$O_DEBUG" ] ; then + O_DEBUG=OFF # turned on by -d - calls to Debug produce output when ON +fi +O_FILE=OFF # turned on by -f echo all output to a file $FILENAME +O_CRON=OFF # turned on by -cron cron use only +O_CRONFILE=OFF # turned on by -cron cron and -fcron +O_LOCAL=OFF # turned on by -l* run on a local build in $LOCAL_MOZROOT +O_LN=OFF # turned on by -ln and -lt, test a networkbuild locally +O_MAIL=OFF # turned on by -m - sends email +O_MAIL_LINK=OFF # turned on by -ml - sends email +O_TBX=OFF # turned on by -t run on a tinderbox build + # that means: local, from the startlocation + +if [ -z "$DOMSUF" ] +then + + DOMSUF=red.iplanet.com + DS_WAS_SET=FALSE +else + DS_WAS_SET=TRUE +fi + +TMPFILES="" + +WAIT_FOR=600 # if waiting for an event sleep n seconds before rechecking + # recomended value 10 minutes 600 +WAIT_TIMES=30 # recheck n times before 
giving up - recomended 30 - total of 5h + +if [ -z "$QAYEAR" ] # may I introduce - the y2k+1 bug? QA for last year +then # might not work + QAYEAR=`date +%Y` +fi + +if [ -z "$TMP" ] +then + if [ -z "$TEMP" ] + then + TMP="/tmp" + else + TMP=$TEMP + fi +fi +if [ ! -w "$TMP" ] +then + echo "Can't write to tmp directory $TMP - exiting" + echo "Can't write to tmp directory $TMP - exiting" >&2 + exit 1 +fi + +KILLPIDS="$TMP/killpids.$$" +export KILLERPIDS +TMPFILES="$TMPFILES $KILLPIDS" + +KILL_SELFSERV=OFF # if sourcing script sets this to on cleanup will also + # kill the running selfserv processes + + # Set the masterbuilds +if [ -z "$UX_MASTERBUILD" ] +then + UX_MASTERBUILD=booboo_Solaris8 + #if [ ! -d $UX_MASTERBUILD ] ; then + #UX_MASTERBUILD=booboo_Solaris8_forte6 + #fi + UX_MB_WAS_SET=FALSE +else + UX_MB_WAS_SET=TRUE +fi +if [ -z "$NT_MASTERBUILD" ] +then + NT_MASTERBUILD=blowfish_NT4.0_Win95 + NT_MB_WAS_SET=FALSE # in this case later functions can override if + # they find a different build that looks like NT +else + NT_MB_WAS_SET=TRUE +fi +if [ -z "$MASTERBUILD" ] +then + MASTERBUILD=$UX_MASTERBUILD +fi + + # Set the default build +if [ -z "$BUILDNUMBER" ] +then + BUILDNUMBER=1 +fi +export BUILDNUMBER +O_LDIR=OFF #local QA dir for NT, temporary + +if [ -z "$WIN_WAIT_FOREVER" ] # header is global, some including scripts +then # want the init to wait forever for directories to + # appear (windows only) if OFF exit, if ON wait forever + WIN_WAIT_FOREVER=OFF +fi + + # NOTE: following variables have to change + # from release to release +if [ -z "$BC_MASTER" ] # master directory for backwardscompatibility testing +then + RH="NO" + grep 7.1 /etc/redhat-release > /dev/null 2>/dev/null && RH="YES" + grep 7.2 /etc/redhat-release > /dev/null 2>/dev/null && RH="YES" + + if [ "$RH" = "YES" ] + then # NSS-3-3-1RTM + BC_UX_MASTER=nss331/builds/20010928.2.331-RTM/booboo_Solaris8 + BC_NT_MASTER=nss331/builds/20010928.2.331-RTM/blowfish_NT4.0_Win95 + else # NSS-3-2-2RTM + 
BC_UX_MASTER=nss322/builds/20010820.1/y2sun2_Solaris8 + BC_NT_MASTER=nss322/builds/20010820.1/blowfish_NT4.0_Win95 + fi + BC_MASTER=$BC_UX_MASTER + BC_MASTER_WAS_SET=FALSE +else + BC_MASTER_WAS_SET=TRUE +fi +BC_RELEASE=3.2 +export BC_RELEASE + +EARLY_EXIT=TRUE #before the report file has been created, causes Exit to + #create it + +UX_D0=/share/builds/mccrel3/nss + +################################### glob_init ########################## +# global shell function, main initialisation function +######################################################################## +glob_init() +{ + if [ $O_PARAM = "ON" ] ; then + eval_opts $* # parse parameters and options - set flags + fi + # if running from cron HOST needs to be known early, + init_host # so the output file name can be constructed. + Debug "Setting up environment...( $QASCRIPT_DIR/set_environment) " + . $QASCRIPT_DIR/set_environment #finds out if we are running on Windows + Debug "OPerating system: $os_name $os_full" + umask 0 + init_dirs + init_files + init_vars +} + +################################### init_vars ########################### +# global shell function, sets the environment variables, part of init +######################################################################## +init_vars() +{ + if [ -z "$LOGNAME" ] + then + if [ $O_WIN = "ON" ] + then + LOGNAME=$USERNAME + else + LOGNAME=$USER + fi + if [ -z "$LOGNAME" ] + then + LOGNAME=$UNAME + if [ -z "$LOGNAME" ] + then + LOGNAME=`basename $HOME` + fi + fi + fi + if [ -z "$LOGNAME" ] + then + Exit "Can't determine current user" + fi + case $HOST in + iws-perf) + O_HWACC=ON + HWACC_LIST="rainbow ncipher" + #MODUTIL="-add rainbow -libfile /usr/lib/libcryptoki22.so" + export HWACC_LIST + ;; + *) + O_HWACC=OFF + ;; + esac + export O_HWACC +} + +######################################################################## +# functions below deal with setting up the directories and PATHs for +# all different flavors of OS (Unix, Linux, NT MKS, NT Cygnus) and QA 
+# (Standard, local tinderbox) +######################################################################## + +########################## find_nt_masterbuild ######################### +# global shell function, sets the nt masterbuild directories, part of init +######################################################################## +find_nt_masterbuild() +{ + NT_MASTERDIR=${DAILY_BUILD}/${NT_MASTERBUILD} + if [ "${NT_MB_WAS_SET}" = "FALSE" -a ! -d $NT_MASTERDIR ] ; then + if [ -d ${DAILY_BUILD}/*NT4* ] ; then + NT_MASTERBUILD=` cd ${DAILY_BUILD}; ls -d *NT4* ` + Debug "NT_MASTERBUILD $NT_MASTERBUILD" + NT_MASTERDIR=${DAILY_BUILD}/${NT_MASTERBUILD} + fi + fi + Debug "NT_MASTERDIR $NT_MASTERDIR" +} + +################################### set_daily_build_dirs ########################### +# global shell function, sets directories +######################################################################## +set_daily_build_dirs() +{ + if [ "$O_LOCAL" = "ON" -a "$O_LN" = "OFF" ] ; then + DAILY_BUILD=${LOCAL_MOZROOT} # on local builds NSS_VER_DIR and DAILY_BUILD are + # set to the LOCAL_MOZROOT, since it is not sure + # if ../.. (DAILY_BUILD) even exists + LOCALDIST=${LOCAL_MOZROOT}/dist + elif [ "$O_TBX" = "ON" ] ; then + DAILY_BUILD="$TBX_DAILY_BUILD" + LOCALDIST=${UXDIST} + else + DAILY_BUILD=${NSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.${BUILDNUMBER} + LOCALDIST=${DAILY_BUILD}/${MASTERBUILD}/mozilla/dist + fi +} + +map_os64() +{ + IS_64="" + case `uname -s` in + #OSF1) has been done already - always 64 bit + SunOS) + MAPPED_OS=Solaris*8 + IS_64=`(isainfo -v | grep 64)>/dev/null 2>/dev/null && echo 64 bit` + if [ "$O_TBX" = "OFF" ] ; then + set_osdir + if [ -n "$IS_64" ] + then #Wait for the 64 bit build to finish... 
+ Debug Testing build for $MAPPED_OS in $OSDIR + Wait ${OSDIR}/SVbuild.InProgress.1 0 + fi + fi + ;; + AIX) + IS_64=`lslpp -l | grep "bos.64bit"> /dev/null && echo 64 bit` + ;; + HP-UX) + IS_64=`getconf KERNEL_BITS | grep 64 >/dev/null && echo 64 bit` + ;; + esac + Debug "Mapped OS to $MAPPED_OS" +} + + + +################################### copy_to_local ######################## +# global shell function, copies the necessary directories from the +# daily build aerea to the local disk +######################################################################## +copy_to_local() +{ + Debug "Copy network directories to local directories" + C2L_ERROR=0 + if [ ! -d ${LOCAL_MOZROOT}/dist ] ; then + mkdir -p ${LOCAL_MOZROOT}/dist || C2L_ERROR=1 + fi + if [ ! -d ${LOCAL_MOZROOT}/security/nss ] ; then + mkdir -p ${LOCAL_MOZROOT}/security/nss || C2L_ERROR=2 + fi + if [ $C2L_ERROR != 0 ] ; then + Exit "copy_to_local: Can t make necesssary directories ($C2L_ERROR ) " + fi + if [ ! -d ${LOCAL_MOZROOT}/security/nss/tests ] ; then + cp -r ${TESTSCRIPTDIR} ${LOCAL_MOZROOT}/security/nss || C2L_ERROR=1 + fi + if [ ! -d ${LOCAL_MOZROOT}/security/coreconf ] ; then + cp -r ${MOZILLA_ROOT}/security/coreconf ${LOCAL_MOZROOT}/security || C2L_ERROR=2 + fi + + NO_DIRS=0; + if [ "$O_WIN" = "ON" ] ; then + OS_TARGET=WINNT;export OS_TARGET + fi + unset BUILD_OPT;export BUILD_OPT; + unset USE_64;export USE_64; +#FIXME only tested on 64 bit Solaris and only got 32 bit builds + while [ $NO_DIRS -lt 4 ] ; do + # first time thru: Debug 32 bit NT + set_objdir + Debug "Copying ${OBJDIR}..." + if [ ! 
-d ${LOCAL_MOZROOT}/dist/${OBJDIR} ] ; then + cp -r ${LOCALDIST}/${OBJDIR} ${LOCAL_MOZROOT}/dist || C2L_ERROR=3 + fi + NO_DIRS=`expr $NO_DIRS + 1` + if [ $NO_DIRS = 1 ] ; then # 2nd time: OPT 32 bit NT + BUILD_OPT=1; export BUILD_OPT; + elif [ $NO_DIRS = 2 ] ; then # 3rd time: OPT, either 64 bit or Win95 or force exit + if [ "$O_WIN" = "ON" ] ; then + OS_TARGET=WIN95;export OS_TARGET + else + map_os64 + if [ -z "$IS_64" ] ; then #32 bit platform + NO_DIRS=4 + else + USE_64=1; export USE_64 + fi + fi + elif [ $NO_DIRS = 3 ] ; then # 4th time: Debug either 64 bit or Win95 + unset BUILD_OPT;export BUILD_OPT; + fi + + + done + if [ $C2L_ERROR != 0 ] ; then + Exit "copy_to_local: Can t copy necesssary directories ($C2L_ERROR ) " + fi + unset TESTSCRIPTDIR + unset TESTDIR + unset RESULTDIR + O_LN=OFF #from here on pretend it is regular -l local QA FIXME, might cause + #problems with the backwardcompatibility tests + Debug "Successfully copied network directories to local directories" +} + +################################### local_dirs ########################### +# global shell function, sets the directories for local QA +######################################################################## +local_dirs() +{ + Debug "Set directories for local QA" + #if [ "$O_WIN" = "ON" ] ; then + #win_set_tmp + #fi + NSS_VER_DIR=${LOCAL_MOZROOT} # on local builds NSS_VER_DIR and DAILY_BUILD are + # set to the LOCAL_MOZROOT, since it is not sure + # if ../../../.. 
(NSS_VER_DIR) even exists + if [ -z "${RESULTDIR}" ] ; then # needs to be local as well + Debug "Setting RESULTDIR for local QA" + RESULTDIR="${LOCAL_MOZROOT}/tests_results/security/${HOST}-`date +%Y%m%d-%H.%M`" + fi + set_daily_build_dirs + UX_MASTERDIR=`dirname ${LOCAL_MOZROOT}` + NT_MASTERDIR=$UX_MASTERDIR + MOZILLA_ROOT=${LOCAL_MOZROOT} + + UXDIST=${MOZILLA_ROOT}/dist + NTDIST=${UXDIST} + + if [ -z "${TESTDIR}" ] ; then + Debug "Setting TESTDIR for local QA" + TESTDIR=${RESULTDIR} + fi + if [ -n "$TESTDIR" ] ; then + if [ ! -d $TESTDIR ] ; then + Debug "Making TESTDIR for local QA" + mkdir -p $TESTDIR + fi + fi + export TESTDIR + Debug "RESULTDIR $RESULTDIR TESTDIR $TESTDIR" + + TESTSCRIPTDIR=${LOCAL_MOZROOT}/security/nss/tests + COMMON=${TESTSCRIPTDIR}/common + + set_objdir + debug_dirs + export_dirs +} + + +################################### tbx_dirs ########################### +# global shell function, sets the directories for tinderbox QA +######################################################################## +tbx_dirs() +{ + Debug "Set directories for tinderbox" + if [ "$O_WIN" = "ON" ] ; then + win_set_d1 # we need the NSS_VER_DIR later + else + NSS_VER_DIR="$UX_D0"/nss$NSSVER + fi + if [ -z "${RESULTDIR}" ] ; then # needs to be different for tinderbox + Debug "Setting RESULTDIR for tinderbox" + TBX_NOBITS="" + echo $QASCRIPT_DIR | grep 64 >/dev/null && TBX_NOBITS=64 + TRD="${HOST}${TBX_NOBITS}-`date +%Y%m%d-%H.%M`" + RESULTDIR="${NSS_VER_DIR}/tinderbox/tests_results/security/${TRD}" + if [ ${DOMSUF} = "mcom.com" -o ${DOMSUF} = "netscape.com" -o ${DOMSUF} = "nscp.aoltw.net" ] ; then + URL="sbs-rel.nscp.aoltw.net" + else + URL="cindercone.red.iplanet.com" + fi + if [ "$O_WIN" = "ON" ] ; then + RESULTDIRURL="<a title=\"QA Results\" href=\"http://${URL}${UX_D0}/nsstip/tinderbox/tests_results/security/${TRD}\">QA</a>" + else + RESULTDIRURL="<a title=\"QA Results\" href=\"http://${URL}${RESULTDIR}\">QA</a>" + fi + Debug "RESULTDIRURL 
TinderboxPrint:$RESULTDIRURL"
+ fi
+ TBX_DAILY_BUILD=`cd ../../../../..;pwd`
+ NSS_VER_DIR="${TBX_DAILY_BUILD}/../.."
+ TBX_LOGFILE_DIR=`ls ${NSS_VER_DIR}/logs/tinderbox | sed -e 's/ .*//g'`
+ if [ -z "$TBX_LOGFILE_DIR" ] ; then
+ TBX_LOGFILE_DIR=`ls ${NSS_VER_DIR}/logs/tbx | sed -e 's/ .*//g'`
+ TBX_LOGFILE_DIR="${NSS_VER_DIR}/logs/tbx/${TBX_LOGFILE_DIR}"
+ else
+ TBX_LOGFILE_DIR="${NSS_VER_DIR}/logs/tinderbox/${TBX_LOGFILE_DIR}"
+ fi
+ Debug "Set TBX_LOGFILE_DIR ${TBX_LOGFILE_DIR}"
+
+ set_daily_build_dirs
+ UX_MASTERDIR=`cd ../../../..;pwd`
+ NT_MASTERDIR=$UX_MASTERDIR
+ MOZILLA_ROOT=$UX_MASTERDIR/mozilla
+
+ UXDIST=${MOZILLA_ROOT}/dist
+ NTDIST=${UXDIST}
+
+ if [ -z "${TESTDIR}" ] ; then
+ Debug "Setting TESTDIR for tinderbox"
+ TESTDIR=${RESULTDIR}
+ fi
+ if [ -n "$TESTDIR" ] ; then
+ if [ ! -d $TESTDIR ] ; then
+ Debug "Making TESTDIR for tinderbox"
+ mkdir -p $TESTDIR
+ fi
+ fi
+ Debug "Making QAstatus file"
+ echo "QA running" >${TESTDIR}/QAstatus
+ export TESTDIR
+ Debug "RESULTDIR $RESULTDIR TESTDIR $TESTDIR"
+
+ TESTSCRIPTDIR=`pwd`
+ COMMON=${TESTSCRIPTDIR}/common
+
+ set_objdir
+ debug_dirs
+ export_dirs
+}
+
+################################### init_mcom ###########################
+# global shell function, sets domain specific variables for AOL's
+# domains according to Bishakha's instructions
+########################################################################
+init_mcom()
+{
+ Debug "Running in mcom or netscape domain - changing directories..."
+ if [ "${UX_MB_WAS_SET}" = "FALSE" ] ; then #in case it was set
+ # before script was called use these values
+ UX_MASTERBUILD=spd04_Solaris8
+ fi
+ if [ "${NT_MB_WAS_SET}" = "FALSE" ] ; then
+ NT_MASTERBUILD=spd06_NT4
+ fi
+
+ MASTERBUILD=$UX_MASTERBUILD
+ if [ "${BC_MASTER_WAS_SET}" = "FALSE" ] ; then
+ BC_UX_MASTER=nss322/builds/20010820.1/y2sun2_Solaris8
+ BC_NT_MASTER=nss322/builds/20010820.1/blowfish_NT4.0_Win95
+ BC_MASTER=$BC_UX_MASTER
+ fi
+ UX_D0=/share/builds/sbsrel2/nss
+ URL="sbs-rel.nscp.aoltw.net"
+}
+################################### init_dirs ###########################
+# global shell function, sets the directories for standard QA
+# calls special functions for tinderbox, windows or local QA, part of init
+########################################################################
+init_dirs()
+{
+ if [ ${DOMSUF} = "mcom.com" -o ${DOMSUF} = "netscape.com" -o ${DOMSUF} = "nscp.aoltw.net" ] ; then
+ init_mcom
+ fi
+ if [ $O_WIN = "ON" ] ; then
+ win_set_tmp
+ write_to_tmpfile
+ MASTERBUILD=$NT_MASTERBUILD
+ BC_MASTER=$BC_NT_MASTER
+ fi
+ if [ "$O_LOCAL" = "ON" -a $O_LN = "OFF" ] ; then # if it is a LN we need to know
+ # all the directories off the network first to copy them
+ local_dirs # O_LOCAL alone assumes that all the directories are already there
+ return
+ elif [ "$O_TBX" = "ON" ] ; then
+ tbx_dirs
+ return
+ elif [ "$O_WIN" = "ON" ] ; then
+ win_set_d1
+ else
+ NSS_VER_DIR="$UX_D0"/nss$NSSVER
+ fi
+ #set -x
+
+ set_daily_build_dirs
+
+ if [ -z "${BCDIST}" ] ; then
+ #BCDIST=/share/builds/mccrel3/nss/${BC_MASTER}/mozilla/dist
+ BCDIST=${NSS_VER_DIR}/../${BC_MASTER}/mozilla/dist
+ if [ ! -d $BCDIST -a `basename $0` != jssqa ] ; then
+ ask "Backward compatibility directory $BCDIST does not exist, continue" "y" "n" || Exit
+ fi
+ fi
+
+ UX_MASTERDIR=${DAILY_BUILD}/${UX_MASTERBUILD}
+ find_nt_masterbuild
+
+ if [ "$O_WIN" = "ON" ]
+ then
+ MOZILLA_ROOT=${NT_MASTERDIR}/mozilla
+ else
+ MOZILLA_ROOT=${UX_MASTERDIR}/mozilla
+ fi
+
+ UXDIST=${UX_MASTERDIR}/mozilla/dist
+ NTDIST=${NT_MASTERDIR}/mozilla/dist
+
+ if [ -z "${RESULTDIR}" ] ; then
+ RESULTDIR=${UX_MASTERDIR}/mozilla/tests_results/security
+ fi
+
+ if [ -n "$PRODUCT_TO_TEST" -a "$PRODUCT_TO_TEST" = "JSS" ] ; then
+
+ if [ "$O_WIN" = "ON" ] ; then
+ JSS_NSS_SRC_DIR=$JSS_NSS_NT_SRC_DIR
+ fi
+ TESTSCRIPTDIR=${NSS_VER_DIR}/../${JSS_NSS_SRC_DIR}/mozilla/security/nss/tests
+ else
+ TESTSCRIPTDIR=${MOZILLA_ROOT}/security/nss/tests
+ fi
+
+ if [ ! -d $TESTSCRIPTDIR -a `basename $0` != jssqa ] ; then
+ if [ "$O_WIN" = "ON" -a "$WIN_WAIT_FOREVER" = "ON" ]
+ then
+ WaitForever $TESTSCRIPTDIR/all.sh 1
+ else
+ Exit "Test directory $TESTSCRIPTDIR does not exist"
+ fi
+ fi
+
+ COMMON=${TESTSCRIPTDIR}/common
+ if [ "$O_LOCAL" = "ON" -a $O_LN = "ON" ] ; then # if it is a LN we need to know
+ # all the directories off the network first to copy them
+ copy_to_local
+ local_dirs
+ fi
+ #set +x
+
+
+ set_objdir
+ debug_dirs
+ export_dirs
+}
+
+debug_dirs()
+{
+ Debug "NTDIST $NTDIST"
+ Debug "UXDIST $UXDIST"
+ Debug "TESTSCRIPTDIR $TESTSCRIPTDIR"
+ Debug "RESULTDIR $RESULTDIR"
+ Debug "TMP $TMP"
+ Debug "LOCALDIST_BIN $LOCALDIST_BIN"
+ Debug "COMMON $COMMON"
+ Debug "MOZILLA_ROOT $MOZILLA_ROOT"
+ Debug "BCDIST $BCDIST"
+}
+
+export_dirs()
+{
+ export NSS_VER_DIR DAILY_BUILD NTDIST UXDIST RESULTDIR TESTSCRIPTDIR BCDIST
+ export UX_MASTERDIR NT_MASTERDIR COMMON MOZILLA_ROOT
+}
+
+set_osdir()
+{
+ OSDIR=${DAILY_BUILD}/*${MAPPED_OS}*
+}
+
+################################### init_files ###########################
+# global shell function, sets filenames, initializes files, part of init
+########################################################################
+init_files()
+{
+ if [ $O_CRONFILE = "ON" ]
+ then
+ Debug "attempting to create resultfiles"
+ if [ "$O_TBX" = "ON" ] ; then
+ NEWFILENAME=${TBX_LOGFILE_DIR}/qa.log
+ if [ ! -w ${TBX_LOGFILE_DIR} ] ; then
+ Exit "can't touch $NEWFILENAME"
+ fi
+ else
+ NEWFILENAME=$RESULTDIR/$HOST.`basename $0`
+ fi
+ if [ ! -d $RESULTDIR ]
+ then
+ mkdir -p $RESULTDIR || Exit "Error: can't make $RESULTDIR"
+ fi
+ if [ ! -w $RESULTDIR ] ; then
+ Exit "can't touch $NEWFILENAME"
+ fi
+ Debug "About to touch $NEWFILENAME "
+ touch $NEWFILENAME || Exit "Error: can't touch $NEWFILENAME"
+ if [ "$O_TBX" = "ON" ] ; then
+ echo "QA results in $RESULTDIR" >>$NEWFILENAME || Exit "Error: can't write to $NEWFILENAME"
+ fi
+ Debug "About to cat $FILENAME >>$NEWFILENAME "
+ cat $FILENAME >>$NEWFILENAME || Exit "Error: can't append $FILENAME to $NEWFILENAME"
+ TMPFILES="$TMPFILES $FILENAME"
+ FILENAME=$NEWFILENAME
+ Debug "Writing output to $FILENAME"
+ fi
+
+}
+
+################################### write_to_tmpfile ##########################
+# global shell function, for NT and cron operation, first a tmpfile
+# needs to be created
+########################################################################
+write_to_tmpfile()
+{
+ O_CRONFILE=ON
+ O_FILE=ON
+ FILENAME=${TMP}/nsstmp.$$ # for now write to the temporary file
+ # since we don't know the hostname yet
+ # will be inserted to the real file later
+ TMPFILES="$TMPFILES nsstmp.$$"
+ touch $FILENAME || Exit "Error: can't touch $FILENAME"
+ Debug "Writing output to $FILENAME"
+}
+
+############################# turn_on_cronoptions ######################
+# global shell function, turns on options needed for cron and tinderbox
+########################################################################
+turn_on_cronoptions()
+{
+ O_CRON=ON
+ O_SILENT=ON
+ O_DEBUG=ON # FIXME take out!
+ O_ALWAYS_YES=ON
+ write_to_tmpfile
+}
+
+########################## test_mozroot ##########################
+# global shell function, determines if the variable LOCAL_MOZROOT is set,
+# and is usable as mozilla root diretory for a local QA
+###################################################################
+test_mozroot()
+{
+ PWD=`pwd`
+ Debug "LOCAL_MOZROOT = $LOCAL_MOZROOT"
+ case "$LOCAL_MOZROOT" in
+ [0-9-]*|tip)
+ glob_usage "Error: -"$1" requires a directoryname to follow (start with a letter) "
+ ;;
+ \.\.)
+ LOCAL_MOZROOT=`dirname $PWD`
+ ;;
+ \.)
+ LOCAL_MOZROOT=$PWD
+ ;;
+ \.\/*)
+ LOCAL_MOZROOT=`echo $LOCAL_MOZROOT | sed -e "s/^\.//"`
+ LOCAL_MOZROOT="${PWD}${LOCAL_MOZROOT}"
+ ;;
+ \.\.\/*)
+ LOCAL_MOZROOT="${PWD}/${LOCAL_MOZROOT}"
+ ;;
+ \/*|[a-zA-Z]:\/*)
+ ;;
+ ?*)
+ LOCAL_MOZROOT="${PWD}/${LOCAL_MOZROOT}"
+ ;;
+ *)
+ glob_usage "Error: -"$1" requires a directoryname to follow"
+ ;;
+ esac
+ Debug "Reformated MOZROOT to $LOCAL_MOZROOT"
+ if [ "$1" = "ln" ] ; then
+ LOCAL_MOZROOT_PARENT=`dirname $LOCAL_MOZROOT`
+ if [ ! -d $LOCAL_MOZROOT_PARENT -o ! -w $LOCAL_MOZROOT_PARENT -o \
+ ! -x $LOCAL_MOZROOT_PARENT ] ; then
+ Exit "Error: Can't create $LOCAL_MOZROOT (permissions)"
+ fi
+ if [ ! -d "$LOCAL_MOZROOT" ] ; then
+ mkdir $LOCAL_MOZROOT ||
+ Exit "Error: Can't create mozroot $LOCAL_MOZROOT (mkdir failed)"
+ else
+ ask "mozroot $LOCAL_MOZROOT exists - continue (y will remove dir) ?" \
+ "y" "n" || Exit
+ rm -rf $LOCAL_MOZROOT/dist $LOCAL_MOZROOT/security $LOCAL_MOZROOT/tests_results ||
+ Exit "Error: Can't clean mozroot $LOCAL_MOZROOT"
+ fi
+ fi
+ if [ ! -d "$LOCAL_MOZROOT" ] ; then
+ glob_usage "Error: mozilla root $LOCAL_MOZROOT not a valid directory"
+ fi
+}
+
+################################### eval_opts ##########################
+# global shell function, evapuates options and parameters, sets flags
+# variables and defaults
+########################################################################
+eval_opts()
+{
+ while [ -n "$1" ]
+ do
+ case $1 in
+ -cron)
+ turn_on_cronoptions
+ ;;
+ -T*|-t*)
+ O_TBX=ON
+ turn_on_cronoptions
+ O_SILENT=OFF #FIXME debug only
+ ;;
+ -S*|-s*)
+ O_SILENT=ON
+ ;;
+ -Y*|-y)
+ Debug "Option -y dedectet"
+ O_ALWAYS_YES=ON
+ ;;
+ -d*|-D)
+ O_DEBUG=ON
+ #set -x
+ ;;
+ -ml|-ML)
+ O_MAIL_LINK=ON
+ shift
+ MAILINGLIST=$1
+ if [ -z "$MAILINGLIST" ]
+ then
+ glob_usage "Error: -m requires a mailinglist to follow, for example sonmi,wtc,nelsonb "
+ fi
+ Debug "Sending link to result to $MAILINGLIST"
+ ;;
+ -m|-M)
+ O_MAIL=ON
+ shift
+ MAILINGLIST=$1
+ if [ -z "$MAILINGLIST" ]
+ then
+ glob_usage "Error: -m requires a mailinglist to follow, for example sonmi,wtc,nelsonb "
+ fi
+ Debug "Sending result to $MAILINGLIST"
+ ;;
+ -fcron*|-F[Cc][Rr][Oo][Nn]*)
+ write_to_tmpfile
+ ;;
+ -f|-F)
+ O_FILE=ON
+ shift
+ FILENAME=$1
+ if [ -z "$FILENAME" ]
+ then
+ glob_usage "Error: -f requires a filename to follow"
+ fi
+ #rm -f $FILENAME 2>/dev/null
+ touch $FILENAME || Exit "Error: can't touch $FILENAME"
+ #NOTE we append rather that creating
+ Debug "Writing output to $FILENAME"
+ ;;
+ -h|-help|"-?")
+ glob_usage
+ ;;
+ -ln)
+ if [ `basename $0` != nssqa ] ; then
+ glob_usage "Error: Can't handle option $1"
+ fi
+ O_LOCAL=ON
+ O_LN=ON
+ shift
+ LOCAL_MOZROOT=$1
+ test_mozroot ln
+ ;;
+ -lt)
+ if [ `basename $0` != nssqa ] ; then
+ glob_usage "Error: Can't handle option $1"
+ fi
+ O_LN=ON
+ O_LOCAL=ON
+ ;;
+ -l)
+ if [ `basename $0` != nssqa ] ; then
+ glob_usage "Error: Can't handle option $1"
+ fi
+ O_LOCAL=ON
+ shift
+ LOCAL_MOZROOT=$1
+ test_mozroot l
+ ;;
+ -p)
+ shift
+ PORT=$1
+ export PORT
+ ;;
+ -*)
+ glob_usage "Error: Can't handle option $1"
+ ;;
+ tip|3.|3..)
+ NSSVER=$1
+ if [ -z "$NSSVER" ] ; then
+ glob_usage "Error: illegal parameter"
+ fi
+ ;;
+ [01][0-9][0123][0-9])
+ BUILDDATE=$1
+ if [ -z "$BUILDDATE" ] ; then
+ glob_usage "Error: illegal parameter"
+ fi
+ ;;
+ ?*)
+ glob_usage "Error: Can't handle parameter $1"
+ ;;
+ esac
+ shift
+ done
+
+ if [ -z "$PORT" -a "$O_TBX" = "ON" ] ; then
+ PORT=8444
+ export PORT
+ if [ -z "$NSSVER" ] ; then
+ NSSVER="tip"
+ Debug "NSS Version: Parameters missing - defaulting to tip!"
+ fi
+ elif [ -z "$NSSVER" ] ; then
+ NSSVER="tip"
+ Debug "NSS Version: Parameters missing - defaulting to tip!"
+ fi
+ if [ -z "$BUILDDATE" ] ; then
+ BUILDDATE=`date +%m%d`
+ Debug "Builddate: Parameters missing - defaulting to today!"
+ fi
+
+ Debug "Builddate $BUILDDATE NssVersion $NSSVER"
+ export BUILDDATE NSSVER
+ export O_CRON O_SILENT O_DEBUG O_ALWAYS_YES O_TBX
+}
+
+win_set_tmp()
+{
+ TMP=`echo "$TMP" | sed -e 's/ /\/t/g' -e 's//\/b/' -e 's/\\\/\//g'`
+ Debug "TMP reformated to $TMP"
+}
+
+######################### win_set_d1 ################################
+# global shell function, interactively finds the directories in case
+# windows can't get to the default
+########################################################################
+win_set_d1()
+{
+ Debug "set Windows Directories..."
+ #win_set_tmp
+ if [ "$O_CYGNUS" = ON ]
+ then
+ NSS_VER_DIR=/cygdrive/w/nss/nss$NSSVER
+ else
+ NSS_VER_DIR=w:/nss/nss$NSSVER
+ fi
+ if [ ! -w $NSS_VER_DIR ]
+ then
+ Echo "Windows special... can't write in $NSS_VER_DIR"
+ if [ "$O_CYGNUS" = ON ]
+ then
+ NSS_VER_DIR=/cygdrive/u/nss/nss$NSSVER
+ else
+ NSS_VER_DIR="u:/nss/nss$NSSVER"
+ fi
+ else
+ Debug "NSS_VER_DIR set to $NSS_VER_DIR"
+ return
+ fi
+
+ while [ ! -w $NSS_VER_DIR ]
+ do
+ if [ "$O_CRONFILE" = "ON" ]
+ then
+ Exit "cant write in $NSS_VER_DIR"
+ fi
+ Warning "cant write in $NSS_VER_DIR"
+ Echo "input start directory (u:/nss, d:/src/nss, f:/shared/nss) "
+ read D
+ if [ -n "$D" ]
+ then
+ NSS_VER_DIR=$D/nss$NSSVER
+ fi
+ done
+ Debug "NSS_VER_DIR set to $NSS_VER_DIR"
+}
+
+########################### init_host ##################################
+# global shell function, sets required variables HOST and DOMSUF, and asks
+# the user if it has been set right
+########################################################################
+set_host()
+{
+ init_host
+}
+init_host()
+{
+ if [ `basename $0` != nssqa ] ; then
+ return
+ fi
+
+ init_host_done=0
+
+ if [ $DS_WAS_SET = FALSE ] #give chance to overwrite, espec. for NT
+ then
+ Debug "Domainname was not set..."
+ DOMSUF=`domainname 2>/dev/null`
+ if [ -z "$DOMSUF" ]
+ then
+ Debug "domainname command did not work ..."
+ DOMSUF=`echo $HOST | grep '\.' | sed -e "s/[^\.]*\.//"`
+
+ if [ -z "$DOMSUF" ]
+ then
+ Debug "Domainname not part of the hostname"
+ DOMSUF=`cat /etc/defaultdomain 2>/dev/null`
+ if [ -z "$DOMSUF" ]
+ then
+ Debug "Domainname needs to be hardcoded to red.iplanet.com"
+ DOMSUF="red.iplanet.com"
+ fi
+ fi
+ fi
+ fi
+ case $HOST in
+ *\.*)
+ Debug "HOSTNAME $HOST contains Dot"
+ HOST=`echo $HOST | sed -e "s/\..*//"`
+ ;;
+ esac
+ if [ -z "$HOST" ]
+ then
+ HOST=`uname -n`
+ case $HOST in
+ *\.*)
+ Debug "HOSTNAME $HOST contains Dot"
+ HOST=`echo $HOST | sed -e "s/\..*//"`
+ ;;
+ esac
+ fi
+ if [ $O_DEBUG = "ON" ]
+ then
+ while [ $init_host_done -eq 0 ]
+ do
+ Echo
+ ask "DOMSUF=$DOMSUF, HOST=$HOST - OK", "y" "n" &&
+ init_host_done=1
+ if [ $init_host_done -eq 0 ]
+ then
+ Echo "input DOMSUF: "
+ read D
+ if [ -n "$D" ]
+ then
+ DOMSUF=$D
+ fi
+ Echo "input HOST: "
+ read H
+ if [ -n "$H" ]
+ then
+ HOST=$H
+ fi
+ fi
+ done
+ fi
+ export HOST DOMSUF
+ Debug "HOST: $HOST, DOMSUF: $DOMSUF"
+}
+
+#-----------------------------# UTILS #----------------------------------
+
+########################### qa_stat_get_sysinfo ########################
+# local shell function, tries to determine the QA operating system
+########################################################################
+qa_stat_get_sysinfo()
+{
+ case $1 in
+ ?*) REM_SYS=$1
+ GET_SYSINFO="rsh $1"
+ ;;
+ *) REM_SYS=""
+ GET_SYSINFO=""
+ ;;
+ esac
+ QA_SYS=`$GET_SYSINFO uname -sr`
+ echo $QA_SYS | grep Linux >/dev/null &&
+ QA_RHVER=`$GET_SYSINFO cat /etc/redhat-release`
+ if [ -n "$QA_RHVER" ]
+ then
+ QA_OS=`echo $REM_SYS $QA_RHVER | sed -e "s/Red Hat /RH /" \
+ -e "s/ release//"`
+ else
+ case $QA_SYS in
+ *SunOS*5.[89]*)
+ ISAINFO=`$GET_SYSINFO isainfo -v`
+ IS_64=`echo $ISAINFO | grep 64 >/dev/null && \
+ echo 64 bit`
+ IS_I386=`echo $ISAINFO | grep i386 >/dev/null && \
+ echo i86pc`
+ if [ -n "$IS_I386" ] ; then IS_64="$IS_I386"; fi;
+ if [ -z "$IS_64" ] ; then IS_64="32 bit"; fi;
+ ;;
+ *HP*)
+ IS_64=`$GET_SYSINFO getconf KERNEL_BITS |
+ grep 64 >/dev/null && echo 64 bit`
+ if [ -z "$IS_64" ] ; then IS_64="32 bit"; fi;
+ ;;
+ *AIX*)
+ IS_64=`$GET_SYSINFO lslpp -l |
+ grep "bos.64bit"> /dev/null && echo 64 bit`
+ if [ -z "$IS_64" ] ; then IS_64="32 bit"; fi;
+ ;;
+ esac
+ QA_OS=`echo "$REM_SYS $QA_SYS $IS_64"`
+ fi
+ if [ "$O_SILENT" != ON ] ; then
+ echo $QA_OS
+ fi
+ QA_OS_STRING=`echo $QA_OS | sed -e "s/^[_ ]//" -e "s/ /_/g"`
+}
+
+################################### set_objdir #########################
+# global shell function, sets the object directories and DIST
+########################################################################
+set_objdir()
+{
+ Debug "set object dir"
+ OBJDIR=`cd ${TESTSCRIPTDIR}/common; gmake objdir_name`
+ OS_ARCH=`cd ${TESTSCRIPTDIR}/common; gmake os_arch`
+
+ #at this point $MASTERBUILD needs to be either NT or unix
+
+ set_daily_build_dirs
+ LOCALDIST_BIN=${LOCALDIST}/${OBJDIR}/bin
+ DIST=$LOCALDIST
+
+ if [ -z "${TEST_LEVEL}" ] ; then
+ TEST_LEVEL=0
+ fi
+ bc ${TEST_LEVEL} #set the path for the backward compatibility test
+
+ PATH_CONTAINS_BIN="TRUE"
+ export PATH_CONTAINS_BIN
+
+ export OBJDIR OS_ARCH LOCALDIST LOCALDIST_BIN DIST PATH
+}
+
+########################### bc #########################################
+# global shell function , sets paths for the backward compatibility test
+########################################################################
+bc()
+{
+ if [ -n "$PRODUCT_TO_TEST" -a "$PRODUCT_TO_TEST" = "JSS" ] ; then
+ TESTDIR=${RESULTDIR}
+ BC_ACTION=""
+ DON_T_SET_PATHS="FALSE" #let init.sh override - FIXME - check if necessary
+ return
+ fi
+ DON_T_SET_PATHS="TRUE"
+ case $1 in
+ 0)
+ #unset TESTDIR
+ TESTDIR=${RESULTDIR}
+ if [ "$O_WIN" = "ON" -a "$O_CYGNUS" != ON ] ; then
+ PATH="$TESTSCRIPTDIR;$LOCALDIST_BIN;$BASEPATH"
+ else
+ PATH=$TESTSCRIPTDIR:$LOCALDIST_BIN:$BASEPATH
+ fi
+ BC_ACTION=""
+ DON_T_SET_PATHS="FALSE" #let init.sh override - FIXME - check if necessary
+ ;;
+ *)
+ if [ "$O_LOCAL" = "ON" ] ; then
+ Exit "FIXME Can't run backwardcompatibility tests locally yet"
+ fi
+ TESTSCRIPTDIR=${BCDIST}/../security/nss/tests
+ COMMON=${TESTSCRIPTDIR}/common
+ TESTDIR=${RESULTDIR}/bct
+ BC_ACTION="backward compatibility of binaries in $BC_MASTER to new libs"
+ BCDIST_BIN=${BCDIST}/${OBJDIR}/bin
+ LD_LIBRARY_PATH=${LOCALDIST}/${OBJDIR}/lib
+ if [ "$O_WIN" = "ON" ] ; then
+ if [ "$O_CYGNUS" = ON ] ; then
+ PATH=$TESTSCRIPTDIR:$BCDIST_BIN:$BASEPATH:$LD_LIBRARY_PATH
+ else
+ PATH="$TESTSCRIPTDIR;$BCDIST_BIN;$BASEPATH;$LD_LIBRARY_PATH"
+ fi
+ else
+ PATH=$TESTSCRIPTDIR:$BCDIST_BIN:$BASEPATH
+ fi
+ Debug "1st stage of backward compatibility test"
+ ;;
+ esac
+ if [ -n "$TESTDIR" ] ; then
+ if [ ! -d $TESTDIR ] ; then
+ mkdir -p $TESTDIR
+ fi
+ export TESTDIR
+ fi
+ SHLIB_PATH=${LD_LIBRARY_PATH}
+ LIBPATH=${LD_LIBRARY_PATH}
+ Debug "PATH $PATH"
+ Debug "LD_LIBRARY_PATH $LD_LIBRARY_PATH"
+ export PATH LD_LIBRARY_PATH SHLIB_PATH LIBPATH
+ export DON_T_SET_PATHS BC_ACTION
+ export TESTSCRIPTDIR COMMON
+}
+
+########################### Ps #########################################
+# global shell function , attempts a platform specific ps
+########################################################################
+Ps()
+{
+#AIX, OSF ps -ef, solaris /usr/5bin/ps -ef, win ps -ef but no user id
+#linux ps -ef, HP
+
+ if [ $os_name = "SunOS" ]
+ then
+ /usr/5bin/ps -ef
+ else
+ ps -ef
+ fi
+}
+
+########################### kill_by_name ################################
+# global shell function , kills the process whose name is given as
+# parameter
+########################################################################
+kill_by_name()
+{
+ for PID in `Ps | grep "$1" | grep -v grep | \
+ sed -e "s/^ *//g" -e "s/^[^ ]* //" -e "s/^ *//g" -e "s/ .*//g"`
+ do
+ if [ $O_WIN = "ON" -a $O_CYGNUS = "ON" ]
+ then
+ ask "Do you want to kill Process $PID (`Ps | grep $PID | \
+ grep -v grep | awk '{ print $1, $2, $6, $7, $8, $9 }' | \
+ sed -e "s/[0-9]:[0-6][0-9]//g" | grep $PID `)" \
+ "y" "n" && {
+ kill $PID
+ sleep 1
+ kill -9 $PID 2>/dev/null
+ }
+ else
+ ask "Do you want to kill Process $PID (`Ps | grep $PID | \
+ grep -v grep | awk '{ print $1, $2, $8, $9, $10, $11 }' | \
+ sed -e "s/[0-9]:[0-6][0-9]//g" | grep $PID `)" \
+ "y" "n" && {
+ kill $PID
+ sleep 1
+ kill -9 $PID 2>/dev/null
+ }
+ fi
+ done
+}
+
+############################### early_exit ###################################
+# global shell function , attempts a little more usefull user notification
+# of a complete failure
+########################################################################
+
+early_exit()
+{
+ if [ -z "$DOCDIR" ]
+ then
+ DOCDIR=`dirname $0`/../doc
+ fi
+ if [ -f $DOCDIR/QAerror.html ]
+ then
+ Debug "Found QA errorheader"
+ rm ${FILENAME}.err 2>/dev/null
+ cp $DOCDIR/QAerror.html ${FILENAME}.err
+ echo "$1" >>${FILENAME}.err
+ echo '</font></b></h1>' >>${FILENAME}.err
+ if [ -n "$FILENAME" -a -f "$FILENAME" ]
+ then
+ cat $FILENAME | sed -e "s/^/<br>/" >>${FILENAME}.err
+ fi
+ echo '</body></html>' >>${FILENAME}.err
+ cat ${FILENAME}.err | $RMAIL $MAILINGLIST
+
+ rm ${FILENAME}.err 2>/dev/null
+ #echo "cat ${FILENAME}.err | $RMAIL $MAILINGLIST "
+ fi
+}
+
+############################### Exit ###################################
+# global shell function , central exiting point
+# cleanup: temporary files, kill the remaining selfservers if sourcing
+# script sets KILL_SELFSERV
+########################################################################
+Exit()
+{
+ Echo $1
+ if [ "$O_CRON" = "OFF" ]
+ then
+ echo $1 >&2
+ fi
+ if [ -f "${KILLPIDS}" ]
+ then
+ Debug "Attempting to kill background processes...`cat ${KILLPIDS}`"
+ kill `cat "${KILLPIDS}"`
+ sleep 1
+ kill -9 `cat "${KILLPIDS}"`
+ fi
+ if [ -n "${TMPFILES}" ]
+ then
+ Debug "rm -f ${TMPFILES}"
+ rm -f $TMPFILES 2>/dev/null
+ fi
+ O_ALWAYS_YES=ON # set to non-interactive - don't ask anymore questions here
+ if [ $KILL_SELFSERV = "ON" ]
+ then
+ kill_by_name selfserv
+ fi
+ if [ $O_MAIL_LINK = "ON" -a $O_FILE = "ON" ]
+ then
+ if [ $EARLY_EXIT = TRUE ] #before the report file has been created
+ then
+ early_exit "$1"
+ else
+ head -3 $FILENAME >$ML_FILE
+ echo "Content-Type: text/plain; charset=us-ascii; format=flowed
+ Content-Transfer-Encoding: 7bit
+
+" >>$ML_FILE
+ echo $HREF_TMP_HTML_FILE >>$ML_FILE
+ cat $ML_FILE | $RMAIL $MAILINGLIST
+ fi
+
+#FIXME - early exit etc
+ elif [ $O_MAIL = "ON" -a $O_FILE = "ON" ]
+ then
+ if [ $EARLY_EXIT = TRUE ] #before the report file has been created
+ then
+ early_exit "$1"
+ elif [ -n "$FILENAME" -a -f "$FILENAME" ]
+ then
+ cat $FILENAME | $RMAIL $MAILINGLIST
+ fi
+ #rm $FILENAME 2>/dev/null
+ elif [ $O_MAIL = "ON" -a $EARLY_EXIT = TRUE ]
+ then
+ early_exit "$1"
+ rm $FILENAME 2>/dev/null
+ fi
+ #chmod a+rw ${RESULTDIR} ${RESULTDIR}/* ${RESULTDIR}/*/* &
+ if [ -n "$O_TBX" -a "$O_TBX" = "ON" ] ; then
+ rm ${TESTDIR}/QAstatus
+
+ if [ "$1" = "killed... cleaning up..." ] ; then
+ echo "QA killed" >${TESTDIR}/QAstatus
+ elif [ "$TBX_EXIT" = 0 ] ; then
+ echo "QA passed" >${TESTDIR}/QAstatus
+ else
+ echo "QA failed" >${TESTDIR}/QAstatus
+ fi
+
+ exit $TBX_EXIT
+
+ else
+ exit
+ fi
+}
+
+trap "rm -f ${TMPFILES} 2>/dev/null; Exit 'killed... cleaning up...'" 2 3 15
+
+################################ Wait ##################################
+# global shell function to wait for an event to happen, 1st parameter
+# filename to watch, 2nd parameter 0 - wait for it to disappear, 1 wait
+# for it to be created.
+# uses the variables WAIT_FOR and WAIT_TIMES
+# WAIT_FOR: if waiting for an event sleep n seconds before rechecking
+# recomended value 10 minutes 600
+# WAIT_TIMES: recheck n times before giving up to prevent endless loop
+# recomended 30 - total of 5h
+########################################################################
+
+Wait()
+{
+ i=0
+ Debug "Waiting for $1"
+ while [ $i -lt $WAIT_TIMES ]
+ do
+ i=`expr $i + 1`
+ if [ -f "$1" -a $2 -eq 1 ] # if file exists and is supposed to
+ then
+ return
+ fi
+ if [ ! -f "$1" -a $2 -eq 0 ] # not exists and not supposed to exist
+ then
+ return
+ fi
+ Debug "Waiting for $1, loop #$i, about to sleep $WAIT_FOR seconds zzzz..."
+ sleep $WAIT_FOR
+ done
+ TOTAL=`expr $WAIT_TIMES \* $WAIT_FOR / 60`
+ Exit "I HAVE WAITED LONG ENOUGH FOR $1 NOW, I'M GONE! (THAT WAS A TOTAL OF $TOTAL MINUTES) I have better things to do... "
+}
+
+################################ WaitForever ##################################
+# global shell function to wait for an event to happen, 1st parameter
+# filename to watch, 2nd parameter 0 - wait for it to disappear, 1 wait
+# for it to be created.
+# because we daon't have any relyable cron on NT...
+########################################################################
+
+WaitForever()
+{
+ i=0
+ Debug "Waiting for $1"
+ TOTAL=0
+ while [ 1 ]
+ do
+ i=`expr $i + 1`
+ if [ -f "$1" -a $2 -eq 1 ] # if file exists and is supposed to
+ then
+ return
+ fi
+ if [ ! -f "$1" -a $2 -eq 0 ] # not exists and not supposed to exist
+ then
+ return
+ fi
+ Debug "Waiting for $1, loop #$i, about to sleep $WAIT_FOR seconds Total $TOTAL"
+ sleep $WAIT_FOR
+ TOTAL=`expr $i \* $WAIT_FOR / 60`
+ if [ -n "$MAX_FOREVER" ] # we are cheating. Forever can be very short...
+ then
+ if [ "$TOTAL" -gt "$MAX_FOREVER" ]
+ then
+ Exit "I HAVE WAITED LONG ENOUGH FOR $1 NOW, I'M GONE! (THAT WAS A TOTAL OF $TOTAL MINUTES) I have better things to do... "
+ fi
+ fi
+ done
+}
+################################### is_running #########################
+# global shell function , implements primitive locking mechanism
+# filename is passed as a parameter, if filename.* exists we assume calling
+# script is running already and exit, otherwise filename.processid is
+# created
+########################################################################
+is_running()
+{
+ Debug "Testing if $0 is already running... file ${1} - ${1}.$$"
+ if [ -f ${1}.* ]
+ then
+ Exit "$0 seems to be running already ($1 exists) - Exiting"
+ fi
+ TMPFILES="$TMPFILES ${1}.$$"
+ echo "running $0 on `date` PID $$" >${1}.$$
+ Debug "wrote \"running $0 on `date` PID $$\" to ${1}.$$"
+
+}
+
+#---------------------------# USERCOM #---------------------------------
+############################## Echo #####################################
+# global shell function , depending on the options the output gets written
+# to a file, or is being discarded
+# FIXME \n and \c are mistreates by differnet shells, and linux has /bin/echo
+# instead of /usr/bin/echo
+########################################################################
+Echo ()
+{
+ if [ $O_SILENT = OFF ]
+ then
+ echo "$*"
+ #/usr/bin/echo "$*"
+ fi
+ if [ $O_FILE = ON ]
+ then
+ echo "$*" >>$FILENAME
+ fi
+}
+
+################################### ask ################################
+# global shell function, Asks the a question, and gives the returns 0
+# on the 1st choice, 1 on the 2nd choice
+#
+# PARAMETERS:
+# $1 question text
+# $2 1st choice
+# $3 2nd choice
+#
+# MODIFIERS:
+# -y O_ALWAYS_YES will assume a first choice always (not neccessaryly "y")
+#
+# RETURN:
+# 0 - User picked 1st choice
+# 1 - User picked 2nd choice
+#
+# EXAMPLE
+# ask "Would you like to continue" "y" "n" || Exit
+# will produce the string "Would you like to continue (y/n) ?",
+# read input from keyboard (or assume a yes with option -y)
+# - on a yes it will return 0, on a no it will return 1, the
+# shell interprets it as error and the || Exit will be executed
+#
+# NOTE: NEVER use "n" as the second parameter - it will mess up -y
+# don't ask "Continue" "n" "y" || Exit # it will Exit on a "y"
+#
+########################################################################
+Ask()
+{
+ ask $*
+}
+
+ask()
+{
+ if [ $O_ALWAYS_YES = ON ]
+ then
+ Echo "$1 ($2/$3) ?"
+ Echo "YES!"
+ return 0
+ fi
+ A=""
+ while [ 1 ]
+ do
+
+ Echo "$1 ($2/$3) ?"
+ read A
+ if [ -n "$A" ]
+ then
+ if [ $A = $2 ]
+ then
+ return 0
+ elif [ $A = $3 ]
+ then
+ return 1
+ fi
+ fi
+ done
+ return 0
+}
+
+################################### Warning ############################
+# global shell function, Asks the user a "... continue? (y/n)" question,
+# and exits when the user answers with no
+# NOTE -y will answer the warnings always with yes
+########################################################################
+Warning ()
+{
+ ask "WARNING: $0: \n $* continue " "y" "n" || Exit
+}
+
+################################### Debug ############################
+# global shell function, when option -d Debugging output is written
+########################################################################
+Debug()
+{
+ if [ $O_DEBUG = ON ]
+ then
+ Echo "DEBUG: (`date +%H:%M`) $0: $*"
+ fi
+}
+
+################################### line ###############################
+# global shell function, supposed to make output more readable...
+########################################################################
+line()
+{
+Echo
+#Echo "======================================================================="
+#Echo
+}
+
+################################### opt_usage ##########################
+# global shell function, tells user about available options
+########################################################################
+opt_usage()
+{
+ if [ $O_OPTIONS = "ON" ]
+ then
+ Echo
+ line
+ Echo
+ Echo " -y answer all questions with y - use at your own risk..."
+ Echo " -s silent (only usefull with -y)"
+ Echo " -h, -? - you guessed right - displays this text"
+ Echo " -d debug"
+ Echo " -f <filename> - write the (error)output to filename"
+ Echo " -fcronfile produces the resultfiles in the same locations"
+ Echo " as would have been produced with -cron"
+ Echo " -m <mailinglist> - send filename to mailinglist (csl "
+ Echo " example sonmi,nelsonb,wtc) only useful with -f"
+ Echo " -ml <mailinglist> - send link to filename to mailinglist "
+ Echo " (csl example sonmi,nelsonb,wtc) only useful with -f"
+ Echo " -cron equivalient to -y -s -d -f \$RESULTDIR/\$HOST.nssqa"
+ Echo " -t run on a tinderbox build (included -cron)"
+ if [ `basename $0` = nssqa ] ; then
+ Echo " -l <mozroot> run on a local build"
+ Echo " -ln <mozroot> copy a networkbuild to a local directory "
+ Echo " mozroot, used for networkindipendend QA "
+ Echo " -lt try to copy a networkbuild to a local directory, if"
+ Echo " not possible run on the network
+ Echo " used for networkindipendend QA
+ fi
+#
+# special strings
+ fi
+
+}
+
+################################### glob_usage #########################
+# global shell function, how to use the calling script (parameters, options)
+########################################################################
+glob_usage()
+{
+ line
+ Echo $1
+ Echo
+ if [ $O_OPTIONS = "ON" ]
+ then
+ Echo "usage $0 [options] nssversion builddate"
+ else
+ Echo "usage $0 nssversion builddate"
+ fi
+
+ Echo " for example: $0 30b 0926"
+ Echo " $0 31 1002"
+ opt_usage
+ Echo
+ Exit "$1"
+}
+
+tell()
+{
+ if [ $O_SILENT = OFF ]
+ then
+ line
+ pwd
+ ls -CF
+ line
+ fi
+ if [ $O_FILE = ON ]
+ then
+ line
+ pwd >>$FILENAME
+ ls -CF >>$FILENAME
+ line
+ fi
+}
+
+if [ $O_INIT = "ON" ]
+then
+ glob_init $*
+fi
+EARLY_EXIT=FALSE
diff --git a/security/nss/tests/iopr/cert_iopr.sh b/security/nss/tests/iopr/cert_iopr.sh
new file mode 100644
index 000000000..bb1bf047c
--- /dev/null
+++ b/security/nss/tests/iopr/cert_iopr.sh
@@ -0,0 +1,405 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/iopr/cert_iopr.sh +# +# Certificate generating and handeling for NSS interoperability QA. This file +# is included from cert.sh +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +######################################################################## + +IOPR_CERT_SOURCED=1 + +######################################################################## +# function wraps calls to pk12util, also: writes action and options +# to stdout. +# Params are the same as to pk12util. +# Returns pk12util status +# +pk12u() +{ + echo "${CU_ACTION} --------------------------" + + echo "pk12util $@" + ${BINDIR}/pk12util $@ + RET=$? + + return $RET +} + +######################################################################## +# Initializes nss db directory and files if they don't exists +# Params: +# $1 - directory location +# +createDBDir() { + trgDir=$1 + + if [ -z "`ls $trgDir | grep db`" ]; then + trgDir=`cd ${trgDir}; pwd` + if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then + trgDir=`cygpath -m ${trgDir}` + fi + + CU_ACTION="Initializing DB at ${trgDir}" + certu -N -d "${trgDir}" -f "${R_PWFILE}" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Loading root cert module to Cert DB at ${trgDir}" + modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${trgDir}" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + fi +} +######################################################################## +# takes care of downloading config, cert and crl files from remote +# location. 
+# Params: +# $1 - name of the host file will be downloaded from +# $2 - path to the file as it appeared in url +# $3 - target directory the file will be saved at. +# Returns tstclnt status. +# +download_file() { + host=$1 + filePath=$2 + trgDir=$3 + + file=$trgDir/`basename $filePath` + + createDBDir $trgDir || return $RET + +# echo wget -O $file http://${host}${filePath} +# wget -O $file http://${host}${filePath} +# ret=$? + + req=$file.$$ + echo "GET $filePath HTTP/1.0" > $req + echo >> $req + + echo ${BINDIR}/tstclnt -d $trgDir -S -h $host -p $IOPR_DOWNLOAD_PORT \ + -v -w ${R_PWFILE} -o + ${BINDIR}/tstclnt -d $trgDir -S -h $host -p $IOPR_DOWNLOAD_PORT \ + -v -w ${R_PWFILE} -o < $req > $file + ret=$? + rm -f $_tmp; + return $ret +} + +######################################################################## +# Uses pk12util, certutil of cerlutil to import files to an nss db located +# at <dir>(the value of $1 parameter). Chooses a utility to use based on +# a file extension. Initializing a db if it does not exists. +# Params: +# $1 - db location directory +# $2 - file name to import +# $3 - nick name an object in the file will be associated with +# $4 - trust arguments +# Returns status of import +# +importFile() { + dir=$1\ + file=$2 + certName=$3 + certTrust=$4 + + [ ! -d $dir ] && mkdir -p $dir; + + createDBDir $dir || return $RET + + case `basename $file | sed 's/^.*\.//'` in + p12) + CU_ACTION="Importing p12 $file to DB at $dir" + pk12u -d $dir -i $file -k ${R_PWFILE} -W iopr + [ $? -ne 0 ] && return 1 + CU_ACTION="Modifying trust for cert $certName at $dir" + certu -M -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}" + return $? + ;; + + crl) + CU_ACTION="Importing crl $file to DB at $dir" + crlu -d ${dir} -I -n TestCA -i $file + return $? + ;; + + crt | cert) + CU_ACTION="Importing cert $certName with trust $certTrust to $dir" + certu -A -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}" \ + -i "$file" + return $? 
+ ;; + + *) + echo "Unknown file extension: $file:" + return 1 + ;; + esac +} + + +######################################################################### +# Downloads and installs test certs and crl from a remote webserver. +# Generates server cert for reverse testing if reverse test run is turned on. +# Params: +# $1 - host name to download files from. +# $2 - directory at which CA cert will be installed and used for +# signing a server cert. +# $3 - path to a config file in webserver context. +# $4 - ssl server db location +# $5 - ssl client db location +# $5 - ocsp client db location +# +# Returns 0 upon success, otherwise, failed command error code. +# +download_install_certs() { + host=$1 + caDir=$2 + confPath=$3 + sslServerDir=$4 + sslClientDir=$5 + ocspClientDir=$6 + + [ ! -d "$caDir" ] && mkdir -p $caDir; + + #======================================================= + # Getting config file + # + download_file $host "$confPath/iopr_server.cfg" $caDir + RET=$? + if [ $RET -ne 0 -o ! -f $caDir/iopr_server.cfg ]; then + html_failed "Fail to download website config file(ws: $host)" + return 1 + fi + + . $caDir/iopr_server.cfg + RET=$? + if [ $RET -ne 0 ]; then + html_failed "Fail to source config file(ws: $host)" + return $RET + fi + + #======================================================= + # Getting CA file + # + + #----------------- !!!WARNING!!! ----------------------- + # Do NOT copy this scenario. CA should never accompany its + # cert with the private key when deliver cert to a customer. + #----------------- !!!WARNING!!! ----------------------- + + download_file $host $certDir/$caCertName.p12 $caDir + RET=$? + if [ $RET -ne 0 -o ! -f $caDir/$caCertName.p12 ]; then + html_failed "Fail to download $caCertName cert(ws: $host)" + return 1 + fi + tmpFiles="$caDir/$caCertName.p12" + + importFile $caDir $caDir/$caCertName.p12 $caCertName "TC,C,C" + RET=$? 
+ if [ $RET -ne 0 ]; then + html_failed "Fail to import $caCertName cert to CA DB(ws: $host)" + return $RET + fi + + CU_ACTION="Exporting Root CA cert(ws: $host)" + certu -L -n $caCertName -r -d ${caDir} -o $caDir/$caCertName.cert + if [ "$RET" -ne 0 ]; then + Exit 7 "Fatal - failed to export $caCertName cert" + fi + + #======================================================= + # Check what tests we want to run + # + doSslTests=0; doOcspTests=0 + # XXX remove "_new" from variables below + [ -n "`echo ${supportedTests_new} | grep -i ssl`" ] && doSslTests=1 + [ -n "`echo ${supportedTests_new} | grep -i ocsp`" ] && doOcspTests=1 + + if [ $doSslTests -eq 1 ]; then + if [ "$reverseRunCGIScript" ]; then + [ ! -d "$sslServerDir" ] && mkdir -p $sslServerDir; + #======================================================= + # Import CA cert to server DB + # + importFile $sslServerDir $caDir/$caCertName.cert server-client-CA \ + "TC,C,C" + RET=$? + if [ $RET -ne 0 ]; then + html_failed "Fail to import server-client-CA cert to \ + server DB(ws: $host)" + return $RET + fi + + #======================================================= + # Creating server cert + # + CERTNAME=$HOSTADDR + + CU_ACTION="Generate Cert Request for $CERTNAME (ws: $host)" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, \ + L=Mountain View, ST=California, C=US" + certu -R -d "${sslServerDir}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}"\ + -o $sslServerDir/req 2>&1 + tmpFiles="$tmpFiles $sslServerDir/req" + + # NOTE: + # For possible time synchronization problems (bug 444308) we generate + # certificates valid also some time in past (-w -1) + + CU_ACTION="Sign ${CERTNAME}'s Request (ws: $host)" + certu -C -c "$caCertName" -m `date +"%s"` -v 60 -w -1 \ + -d "${caDir}" \ + -i ${sslServerDir}/req -o $caDir/${CERTNAME}.cert \ + -f "${R_PWFILE}" 2>&1 + + importFile $sslServerDir $caDir/$CERTNAME.cert $CERTNAME ",," + RET=$? 
+ if [ $RET -ne 0 ]; then + html_failed "Fail to import $CERTNAME cert to server\ + DB(ws: $host)" + return $RET + fi + tmpFiles="$tmpFiles $caDir/$CERTNAME.cert" + + #======================================================= + # Download and import CA crl to server DB + # + download_file $host "$certDir/$caCrlName.crl" $sslServerDir + RET=$? + if [ $? -ne 0 ]; then + html_failed "Fail to download $caCertName crl\ + (ws: $host)" + return $RET + fi + tmpFiles="$tmpFiles $sslServerDir/$caCrlName.crl" + + importFile $sslServerDir $sslServerDir/TestCA.crl + RET=$? + if [ $RET -ne 0 ]; then + html_failed "Fail to import TestCA crt to server\ + DB(ws: $host)" + return $RET + fi + fi # if [ "$reverseRunCGIScript" ] + + [ ! -d "$sslClientDir" ] && mkdir -p $sslClientDir; + #======================================================= + # Import CA cert to ssl client DB + # + importFile $sslClientDir $caDir/$caCertName.cert server-client-CA \ + "TC,C,C" + RET=$? + if [ $RET -ne 0 ]; then + html_failed "Fail to import server-client-CA cert to \ + server DB(ws: $host)" + return $RET + fi + fi + + if [ $doOcspTests -eq 1 ]; then + [ ! -d "$ocspClientDir" ] && mkdir -p $ocspClientDir; + #======================================================= + # Import CA cert to ocsp client DB + # + importFile $ocspClientDir $caDir/$caCertName.cert server-client-CA \ + "TC,C,C" + RET=$? + if [ $RET -ne 0 ]; then + html_failed "Fail to import server-client-CA cert to \ + server DB(ws: $host)" + return $RET + fi + fi + + #======================================================= + # Import client certs to client DB + # + for fileName in $downloadFiles; do + certName=`echo $fileName | sed 's/\..*//'` + + if [ -n "`echo $certName | grep ocsp`" -a $doOcspTests -eq 1 ]; then + clientDir=$ocspClientDir + elif [ $doSslTests -eq 1 ]; then + clientDir=$sslClientDir + else + continue + fi + + download_file $host "$certDir/$fileName" $clientDir + RET=$? + if [ $RET -ne 0 -o ! 
-f $clientDir/$fileName ]; then + html_failed "Fail to download $certName cert(ws: $host)" + return $RET + fi + tmpFiles="$tmpFiles $clientDir/$fileName" + + importFile $clientDir $clientDir/$fileName $certName ",," + RET=$? + if [ $RET -ne 0 ]; then + html_failed "Fail to import $certName cert to client DB\ + (ws: $host)" + return $RET + fi + done + + rm -f $tmpFiles + + return 0 +} + + +######################################################################### +# Initial point for downloading config, cert, crl files for multiple hosts +# involved in interoperability testing. Called from nss/tests/cert/cert.sh +# It will only proceed with downloading if environment variable +# IOPR_HOSTADDR_LIST is set and has a value of host names separated by space. +# +# Returns 1 if interoperability testing is off, 0 otherwise. +# +cert_iopr_setup() { + + if [ "$IOPR" -ne 1 ]; then + return 1 + fi + num=1 + IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f 1 -d' '` + while [ "$IOPR_HOST_PARAM" ]; do + IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'` + IOPR_DOWNLOAD_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'` + [ -z "$IOPR_DOWNLOAD_PORT" ] && IOPR_DOWNLOAD_PORT=443 + IOPR_CONF_PATH=`echo "$IOPR_HOST_PARAM:" | cut -f 3 -d':'` + [ -z "$IOPR_CONF_PATH" ] && IOPR_CONF_PATH="/iopr" + + echo "Installing certs for $IOPR_HOSTADDR:$IOPR_DOWNLOAD_PORT:\ + $IOPR_CONF_PATH" + + download_install_certs ${IOPR_HOSTADDR} ${IOPR_CADIR}_${IOPR_HOSTADDR} \ + ${IOPR_CONF_PATH} ${IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR} \ + ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR} \ + ${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR} + if [ $? -ne 0 ]; then + echo "wsFlags=\"NOIOPR $wsParam\"" >> \ + ${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg + fi + num=`expr $num + 1` + IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '` + done + + return 0 +} diff --git a/security/nss/tests/iopr/ocsp_iopr.sh b/security/nss/tests/iopr/ocsp_iopr.sh new file mode 100644 index 000000000..dcc6e1ffb --- /dev/null 
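Review bot: In importFile the trailing backslash on `dir=$1\` turns the following line into a continuation, so the statement is really `dir=$1file=$2`: dir receives the first argument with the literal text `file=` and the second argument appended, and `file` is never assigned locally but inherited from whatever download_file last set. Every directory importFile then creates and initialises (`mkdir -p $dir`, `createDBDir $dir`, `-d $dir`) is that mangled path; the fix is two plain lines, `dir=$1` and `file=$2`. In download_install_certs the CRL download is checked with `if [ $? -ne 0 ]` right after `RET=$?`, which tests the status of the assignment (always 0), so a failed download is never noticed; use `$RET` as the neighbouring checks do. download_file ends with `rm -f $_tmp`, a variable that is never set, so the request file `$req` is left behind in the DB directory; it should be `rm -f $req`. The fetch itself runs tstclnt with `-o`, which as far as I recall overrides server certificate problems, so the CA p12 (with private key) and CRL are retrieved without authenticating the server; acceptable for a throwaway test CA, but worth a comment next to the existing warning so nobody reuses the pattern.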
+++ b/security/nss/tests/iopr/ocsp_iopr.sh 
@@ -0,0 +1,231 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/iopr/ocsp_iopr.sh
+#
+# NSS SSL interoperability QA. This file is included from ssl.sh
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+########################################################################
+IOPR_OCSP_SOURCED=1
+
+########################################################################
+# The funtion works with variables defined in interoperability
+# configuration file that gets downloaded from a webserver.
+# The function sets test parameters defind for a particular type
+# of testing.
+#
+# No return value
+#
+setTestParam() {
+ type=$1
+ testParam=`eval 'echo $'${type}Param`
+ testDescription=`eval 'echo $'${type}Descr`
+ testProto=`eval 'echo $'${type}Proto`
+ testPort=`eval 'echo $'${type}Port`
+ testResponder=`eval 'echo $'${type}ResponderCert`
+ testValidCertNames=`eval 'echo $'${type}ValidCertNames`
+ testRevokedCertNames=`eval 'echo $'${type}RevokedCertNames`
+ testStatUnknownCertNames=`eval 'echo $'${type}StatUnknownCertNames`
+}
+
+########################################################################
+# The funtion checks status of a cert using ocspclnt.
+# Params:
+# dbDir - nss cert db location
+# cert - cert in question
+# respUrl - responder url is available
+# defRespCert - trusted responder cert
+#
+# Return values:
+# 0 - test passed, 1 - otherwise.
+# +ocsp_get_cert_status() { + dbDir=$1 + cert=$2 + respUrl=$3 + defRespCert=$4 + + if [ -n "$respUrl" -o -n "$defRespCert" ]; then + if [ -z "$respUrl" -o -z "$defRespCert" ]; then + html_failed "Incorrect test params" + return 1 + fi + clntParam="-l $respUrl -t $defRespCert" + fi + + if [ -z "${MEMLEAK_DBG}" ]; then + outFile=$dbDir/ocsptest.out.$$ + echo "ocspclnt -d $dbDir -S $cert $clntParam" + ${BINDIR}/ocspclnt -d $dbDir -S $cert $clntParam >$outFile 2>&1 + ret=$? + echo "ocspclnt output:" + cat $outFile + [ -z "`grep succeeded $outFile`" ] && ret=1 + + rm -f $outFile + return $ret + fi + + OCSP_ATTR="-d $dbDir -S $cert $clntParam" + ${RUN_COMMAND_DBG} ${BINDIR}/ocspclnt ${OCSP_ATTR} +} + +######################################################################## +# The funtion checks status of a cert using ocspclnt. +# Params: +# testType - type of the test based on type of used responder +# servName - FQDM of the responder server +# dbDir - nss cert db location +# +# No return value +# +ocsp_iopr() { + testType=$1 + servName=$2 + dbDir=$3 + + setTestParam $testType + if [ "`echo $testParam | grep NOCOV`" != "" ]; then + echo "SSL Cipher Coverage of WebServ($IOPR_HOSTADDR) excluded from " \ + "run by server configuration" + return 0 + fi + + if [ -z "${MEMLEAK_DBG}" ]; then + html_head "OCSP testing with responder at $IOPR_HOSTADDR. <br>" \ + "Test Type: $testDescription" + fi + + if [ -n "$testResponder" ]; then + responderUrl="$testProto://$servName:$testPort" + else + responderUrl="" + fi + + if [ -z "${MEMLEAK_DBG}" ]; then + for certName in $testValidCertNames; do + ocsp_get_cert_status $dbDir $certName "$responderUrl" \ + "$testResponder" + html_msg $? 0 "Getting status of a valid cert ($certName)" \ + "produced a returncode of $ret, expected is 0." + done + + for certName in $testRevokedCertNames; do + ocsp_get_cert_status $dbDir $certName "$responderUrl" \ + "$testResponder" + html_msg $? 
1 "Getting status of a unvalid cert ($certName)" \ + "produced a returncode of $ret, expected is 1." + done + + for certName in $testStatUnknownCertNames; do + ocsp_get_cert_status $dbDir $certName "$responderUrl" \ + "$testResponder" + html_msg $? 1 "Getting status of a cert with unknown status " \ + "($certName) produced a returncode of $ret, expected is 1." + done + else + for certName in $testValidCertNames $testRevokedCertNames \ + $testStatUnknownCertName; do + ocsp_get_cert_status $dbDir $certName "$responderUrl" \ + "$testResponder" + done + fi +} + +##################################################################### +# Initial point for running ocsp test againt multiple hosts involved in +# interoperability testing. Called from nss/tests/ocsp/ocsp.sh +# It will only proceed with test run for a specific host if environment variable +# IOPR_HOSTADDR_LIST was set, had the host name in the list +# and all needed file were successfully downloaded and installed for the host. +# +# Returns 1 if interoperability testing is off, 0 otherwise. +# +ocsp_iopr_run() { + NO_ECC_CERTS=1 # disable ECC for interoperability tests + + if [ "$IOPR" -ne 1 ]; then + return 1 + fi + cd ${CLIENTDIR} + + if [ -n "${MEMLEAK_DBG}" ]; then + html_head "Memory leak checking - IOPR" + fi + + num=1 + IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '` + while [ "$IOPR_HOST_PARAM" ]; do + IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'` + IOPR_OPEN_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'` + [ -z "$IOPR_OPEN_PORT" ] && IOPR_OPEN_PORT=443 + + . ${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg + RES=$? 
+ + num=`expr $num + 1` + IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '` + + if [ $RES -ne 0 -o X`echo "$wsFlags" | grep NOIOPR` != X ]; then + continue + fi + + #======================================================= + # Check what server is configured to run ssl tests + # + [ -z "`echo ${supportedTests_new} | grep -i ocsp`" ] && continue; + + # Testing directories defined by webserver. + if [ -n "${MEMLEAK_DBG}" ]; then + LOGNAME=iopr-${IOPR_HOSTADDR} + LOGFILE=${LOGDIR}/${LOGNAME}.log + fi + + # Testing directories defined by webserver. + echo "Testing ocsp interoperability. + Client: local(tstclnt). + Responder: remote($IOPR_HOSTADDR)" + + for ocspTestType in ${supportedTests_new}; do + if [ -z "`echo $ocspTestType | grep -i ocsp`" ]; then + continue + fi + if [ -n "${MEMLEAK_DBG}" ]; then + ocsp_iopr $ocspTestType ${IOPR_HOSTADDR} \ + ${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR} 2>> ${LOGFILE} + else + ocsp_iopr $ocspTestType ${IOPR_HOSTADDR} \ + ${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR} + fi + done + + if [ -n "${MEMLEAK_DBG}" ]; then + log_parse + ret=$? + html_msg ${ret} 0 "${LOGNAME}" \ + "produced a returncode of $ret, expected is 0" + fi + + echo "================================================" + echo "Done testing ocsp interoperability with $IOPR_HOSTADDR" + done + + if [ -n "${MEMLEAK_DBG}" ]; then + html "</TABLE><BR>" + fi + + NO_ECC_CERTS=0 + return 0 +} + diff --git a/security/nss/tests/iopr/server_scr/apache_unix.cfg b/security/nss/tests/iopr/server_scr/apache_unix.cfg new file mode 100644 index 000000000..3992bf52d --- /dev/null +++ b/security/nss/tests/iopr/server_scr/apache_unix.cfg 
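Review bot: In ocsp_get_cert_status `clntParam` is only assigned inside the `if [ -n "$respUrl" -o -n "$defRespCert" ]` branch and is never cleared, so when ocsp_iopr runs a test type without a responder (`responderUrl=""`) after one with a responder, the stale `-l ... -t ...` arguments from the previous call are passed to ocspclnt and the status is checked against the wrong responder; add `clntParam=""` before that `if`. In the MEMLEAK_DBG branch of ocsp_iopr the loop iterates over `$testStatUnknownCertName` (singular) while setTestParam sets `testStatUnknownCertNames`, so the unknown-status certs are silently skipped under leak checking; rename it to `$testStatUnknownCertNames`. The `$ret` quoted in the `html_msg` messages is the global left behind by ocsp_get_cert_status rather than the `$?` actually passed to html_msg; it stays in sync only because nothing runs in between, so capturing `ret=$?` before each `html_msg` call would make the message reliable.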
@@ -0,0 +1,47 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#
+# Apache OPENSSL configuration file
+#
+
+#
+# Define what type of system this is.
+#
+$clientSys = "openssl";
+
+#
+# Cipher conversion table file
+#
+$cipherTableFile = "$certDir/cipher.list";
+
+#--------------------------------------------
+# Web server specific variables start here:
+#
+
+#
+# Location of installed openssl binary
+#
+$opensslb = "/usr/local/bin/openssl";
+
+
+#
+# General location of apache server
+#
+$apacheHttpd="/var/httpd-ssl";
+
+#
+# HTTP Request file
+#
+$reqFile = "$apacheHttpd/cgi-bin/sslreq.dat";
+
+#
+# OpenSSL certificate directory
+#
+$certDir = "$apacheHttpd/cert";
+
+#
+# CA certificate file
+#
+$caCertFile = "$certDir/serverCA.crt";
diff --git a/security/nss/tests/iopr/server_scr/cert_gen.sh b/security/nss/tests/iopr/server_scr/cert_gen.sh
new file mode 100644
index 000000000..17771ade1
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/cert_gen.sh
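Review bot: `$cipherTableFile = "$certDir/cipher.list";` interpolates `$certDir` before that variable is assigned further down the file (`$certDir = "$apacheHttpd/cert";`), so if this config is evaluated top to bottom as Perl (presumably via `do`/`require` from the CGI), the table path comes out as `/cipher.list`; move the `$certDir` assignment above it, or define `$cipherTableFile` after `$certDir`. `$apacheHttpd="/var/httpd-ssl";` also departs from the `$name = value;` spacing used by every other assignment here.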
@@ -0,0 +1,367 @@ +#!/bin/bash + +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +###################################################################################### +# Server and client certs and crl generator functions. Generated files placed in a <dir> +# directory to be accessible through http://<webserver>/iopr/TestCA.crt directory. +# This functions is used for manual webserver configuration and it is not a part of +# nss test run. +# To create certs use the following command: +# sh cert_iopr.sh cert_gen <dir> <cert name> [cert req] +# Where: +# dir - directory where to place created files +# cert name - name of created server cert(FQDN) +# cert req - cert request to be used for cert generation. +# +repAndExec() { + echo + if [ "$1" = "certutil" -a "$2" = "-R" -o "$2" = "-S" ]; then + shift + echo certutil -s "$CU_SUBJECT" $@ + certutil -s "$CU_SUBJECT" $@ + RET=$? + else + echo $@ + $@ + RET=$? 
+ fi + + return $RET +} + +setExtData() { + extData=$1 + + fldNum=0 + extData=`echo $extData | sed 's/,/ /g'` + for extDT in $extData; do + if [ $fldNum -eq 0 ]; then + eval extType=$extDT + fldNum=1 + continue + fi + eval data${fldNum}=$extDT + fldNum=`expr $fldNum + 1` + done +} + +signCert() { + dir=$1 + crtDir=$2 + crtName=$3 + crtSN=$4 + req=$5 + cuAddParam=$6 + extList=$7 + + if [ -z "$certSigner" ]; then + certSigner=TestCA + fi + + extCmdLine="" + extCmdFile=$dir/extInFile; rm -f $extCmdFile + touch $extCmdFile + extList=`echo $extList | sed 's/;/ /g'` + for ext in $extList; do + setExtData $ext + [ -z "$extType" ] && echo "incorrect extention format" && return 1 + case $extType in + ocspDR) + extCmdLine="$extCmdLine -6" + cat <<EOF >> $extCmdFile +5 +9 +y +EOF + break + exit 1 + ;; + AIA) + extCmdLine="$extCmdLine -9" + cat <<EOF >> $extCmdFile +2 +7 +$data1 +0 +n +n +EOF + break + ;; + *) + echo "Unsupported extension type: $extType" + break + ;; + esac + done + echo "cmdLine: $extCmdLine" + echo "cmdFile: "`cat $extCmdFile` + repAndExec \ + certutil $cuAddParam -C -c $certSigner -m $crtSN -v 599 -d "${dir}" \ + -i $req -o "$crtDir/${crtName}.crt" -f "${PW_FILE}" $extCmdLine <$extCmdFile 2>&1 + return $RET +} + +createSignedCert() { + dir=$1 + certDir=$2 + certName=$3 + certSN=$4 + certSubj=$5 + keyType=$6 + extList=$7 + + echo Creating cert $certName-$keyType with SN=$certSN + + CU_SUBJECT="CN=$certName, E=${certName}-${keyType}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + repAndExec \ + certutil -R -d $dir -f "${PW_FILE}" -z "${NOISE_FILE}" \ + -k $keyType -o $dir/req 2>&1 + [ "$RET" -ne 0 ] && return $RET + + signCert $dir $dir $certName-$keyType $certSN $dir/req "" $extList + ret=$? 
+ [ "$ret" -ne 0 ] && return $ret + + rm -f $dir/req + + repAndExec \ + certutil -A -n ${certName}-$keyType -t "u,u,u" -d "${dir}" -f "${PW_FILE}" \ + -i "$dir/${certName}-$keyType.crt" 2>&1 + [ "$RET" -ne 0 ] && return $RET + + cp "$dir/${certName}-$keyType.crt" $certDir + + repAndExec \ + pk12util -d $dir -o $certDir/$certName-$keyType.p12 -n ${certName}-$keyType \ + -k ${PW_FILE} -W iopr + [ "$RET" -ne 0 ] && return $RET + return 0 +} + +generateAndExportSSLCerts() { + dir=$1 + certDir=$2 + serverName=$3 + servCertReq=$4 + + if [ "$servCertReq" -a -f $servCertReq ]; then + grep REQUEST $servCertReq >/dev/null 2>&1 + signCert $dir $certDir ${serverName}_ext 501 $servCertReq `test $? -eq 0 && echo -a` + ret=$? + [ "$ret" -ne 0 ] && return $ret + fi + + certName=$serverName + createSignedCert $dir $certDir $certName 500 "$certSubj" rsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + createSignedCert $dir $certDir $certName 501 "$certSubj" dsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=TestUser510 + createSignedCert $dir $certDir $certName 510 "$certSubj" rsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=TestUser511 + createSignedCert $dir $certDir $certName 511 "$certSubj" dsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=TestUser512 + createSignedCert $dir $certDir $certName 512 "$certSubj" rsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=TestUser513 + createSignedCert $dir $certDir $certName 513 "$certSubj" dsa + ret=$? + [ "$ret" -ne 0 ] && return $ret +} + +generateAndExportOCSPCerts() { + dir=$1 + certDir=$2 + + certName=ocspTrustedResponder + createSignedCert $dir $certDir $certName 525 "$certSubj" rsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspDesignatedResponder + createSignedCert $dir $certDir $certName 526 "$certSubj" rsa ocspDR + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspTRTestUser514 + createSignedCert $dir $certDir $certName 514 "$certSubj" rsa + ret=$? 
+ [ "$ret" -ne 0 ] && return $ret + + certName=ocspTRTestUser516 + createSignedCert $dir $certDir $certName 516 "$certSubj" rsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspRCATestUser518 + createSignedCert $dir $certDir $certName 518 "$certSubj" rsa \ + AIA,http://dochinups.red.iplanet.com:2561 + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspRCATestUser520 + createSignedCert $dir $certDir $certName 520 "$certSubj" rsa \ + AIA,http://dochinups.red.iplanet.com:2561 + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspDRTestUser522 + createSignedCert $dir $certDir $certName 522 "$certSubj" rsa \ + AIA,http://dochinups.red.iplanet.com:2562 + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspDRTestUser524 + createSignedCert $dir $certDir $certName 524 "$certSubj" rsa \ + AIA,http://dochinups.red.iplanet.com:2562 + ret=$? + [ "$ret" -ne 0 ] && return $ret + + generateAndExportCACert $dir "" TestCA-unknown + [ $? -ne 0 ] && return $ret + + certSigner=TestCA-unknown + + certName=ocspTRUnkownIssuerCert + createSignedCert $dir $certDir $certName 531 "$certSubj" rsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspRCAUnkownIssuerCert + createSignedCert $dir $certDir $certName 532 "$certSubj" rsa \ + AIA,http://dochinups.red.iplanet.com:2561 + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspDRUnkownIssuerCert + createSignedCert $dir $certDir $certName 533 "$certSubj" rsa \ + AIA,http://dochinups.red.iplanet.com:2562 + ret=$? 
+ [ "$ret" -ne 0 ] && return $ret + + certSigner="" + + return 0 +} + +generateAndExportCACert() { + dir=$1 + certDirL=$2 + caName=$3 + + certName=TestCA + [ "$caName" ] && certName=$caName + CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + repAndExec \ + certutil -S -n $certName -t "CTu,CTu,CTu" -v 600 -x -d ${dir} -1 -2 \ + -f ${PW_FILE} -z ${NOISE_FILE} -m `expr $$ + 2238` >&1 <<EOF +5 +6 +9 +n +y +-1 +n +EOF + + if [ "$certDirL" ]; then + repAndExec \ + certutil -L -n $certName -r -d ${dir} -o $certDirL/$certName.crt + [ "$RET" -ne 0 ] && return $RET + + repAndExec \ + pk12util -d $dir -o $certDirL/$certName.p12 -n $certName -k ${PW_FILE} -W iopr + [ "$RET" -ne 0 ] && return $RET + fi +} + + +generateCerts() { + certDir=$1 + serverName=$2 + reuseCACert=$3 + servCertReq=$4 + + [ -z "$certDir" ] && echo "Cert directory should not be empty" && exit 1 + [ -z "$serverName" ] && echo "Server name should not be empty" && exit 1 + + mkdir -p $certDir + [ $? -ne 0 ] && echo "Can not create dir: $certDir" && exit 1 + + + dir=/tmp/db.$$ + if [ -z "$reuseCACert" ]; then + if [ -d "$dir" ]; then + rm -f $dir + fi + + PW_FILE=$dir/nss.pwd + NOISE_FILE=$dir/nss.noise + + mkdir -p $dir + [ $? 
-ne 0 ] && echo "Can not create dir: $dir" && exit 1 + + echo nss > $PW_FILE + date >> ${NOISE_FILE} 2>&1 + + repAndExec \ + certutil -d $dir -N -f $PW_FILE + [ "$RET" -ne 0 ] && return $RET + + generateAndExportCACert $dir $certDir + [ "$RET" -ne 0 ] && return $RET + else + dir=$reuseCACert + PW_FILE=$dir/nss.pwd + NOISE_FILE=$dir/nss.noise + hasKey=`repAndExec certutil -d $dir -L | grep TestCA | grep CTu` + [ -z "$hasKey" ] && echo "reuse CA cert has not priv key" && \ + return $RET; + fi + + generateAndExportSSLCerts $dir $certDir $serverName $servCertReq + [ "$RET" -ne 0 ] && return $RET + + generateAndExportOCSPCerts $dir $certDir + [ "$RET" -ne 0 ] && return $RET + + crlUpdate=`date +%Y%m%d%H%M%SZ` + crlNextUpdate=`echo $crlUpdate | sed 's/20/21/'` + repAndExec \ + crlutil -d $dir -G -n "TestCA" -f ${PW_FILE} -o $certDir/TestCA.crl <<EOF_CRLINI +update=$crlUpdate +nextupdate=$crlNextUpdate +addcert 509-511 $crlUpdate +addcert 516 $crlUpdate +addcert 520 $crlUpdate +addcert 524 $crlUpdate +EOF_CRLINI + [ "$RET" -ne 0 ] && return $RET + + rm -rf $dir + return 0 +} + + +if [ -z "$1" -o -z "$2" ]; then + echo "$0 <dest dir> <server cert name> [reuse CA cert] [cert req]" + exit 1 +fi +generateCerts $1 $2 "$3" $4 +exit $? diff --git a/security/nss/tests/iopr/server_scr/cipher.list b/security/nss/tests/iopr/server_scr/cipher.list new file mode 100644 index 000000000..668084c37 --- /dev/null +++ b/security/nss/tests/iopr/server_scr/cipher.list 
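Review bot: generateCerts builds its working database in `dir=/tmp/db.$$`, a predictable name in a shared directory, and the preceding `rm -f $dir` cannot remove a directory, so a pre-existing `/tmp/db.<pid>` (stale, or created by another local user) is silently reused for the password file, the noise file and the CA private key; use `dir=$(mktemp -d) || exit 1` and drop the `rm -f`. In generateAndExportOCSPCerts the check after `generateAndExportCACert $dir "" TestCA-unknown` is `[ $? -ne 0 ] && return $ret`, which returns the stale `$ret` of the previous createSignedCert call rather than the failing status. In signCert every `case` arm ends in `break`, so only the first entry of `$extList` is ever applied and the `exit 1` after the first `break` is unreachable; presumably those `break`s were not intended. generateAndExportCACert redirects the `certutil -S` call with `>&1`, a no-op that looks like a typo for `2>&1`, and its `$RET` is not checked inside the function before the export steps run.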
@@ -0,0 +1,98 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +nss openssl iis + +# +# SSL v3.0 cipher suites. +# +SSL3_RSA_WITH_NULL_MD5 NULL-MD5 i +SSL3_RSA_WITH_NULL_SHA NULL-SHA z +SSL3_RSA_WITH_RC4_128_MD5 RC4-MD5 c +SSL3_RSA_WITH_RC4_128_SHA RC4-SHA n +SSL3_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA +SSL3_RSA_WITH_DES_CBC_SHA DES-CBC-SHA e +SSL3_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA d + +SSL3_DH_DSS_WITH_DES_CBC_SHA Not_implemented. +SSL3_DH_DSS_WITH_3DES_EDE_CBC_SHA Not_implemented. +SSL3_DH_RSA_WITH_DES_CBC_SHA Not_implemented. +SSL3_DH_RSA_WITH_3DES_EDE_CBC_SHA Not_implemented. +SSL3_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA s +SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA q +SSL3_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA +SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA + +SSL3_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5 +SSL3_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA +SSL3_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA + +SSL3_FORTEZZA_KEA_WITH_NULL_SHA Not_implemented. +SSL3_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not_implemented. +SSL3_FORTEZZA_KEA_WITH_RC4_128_SHA Not_implemented. + +# +# Next four added to have ciphers below for SSL3 protocol +# +SSL3_RSA_WITH_AES_128_CBC_SHA AES128-SHA +SSL3_RSA_WITH_AES_256_CBC_SHA AES256-SHA + +# +#TLS v1.0 cipher suites. +# +TLS_RSA_WITH_NULL_MD5 NULL-MD5 +TLS_RSA_WITH_NULL_SHA NULL-SHA +TLS_RSA_WITH_RC4_128_MD5 RC4-MD5 +TLS_RSA_WITH_RC4_128_SHA RC4-SHA +TLS_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA +TLS_RSA_WITH_DES_CBC_SHA DES-CBC-SHA +TLS_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA + +TLS_DH_DSS_WITH_DES_CBC_SHA Not_implemented. +TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Not_implemented. +TLS_DH_RSA_WITH_DES_CBC_SHA Not_implemented. +TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA Not_implemented. 
+TLS_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA +TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA +TLS_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA +TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA + +TLS_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5 +TLS_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA +TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA + +# +#AES ciphersuites from RFC3268, extending TLS v1.0 +# + +TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA +TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA + +TLS_DH_DSS_WITH_AES_128_CBC_SHA DH-DSS-AES128-SHA +TLS_DH_DSS_WITH_AES_256_CBC_SHA DH-DSS-AES256-SHA +TLS_DH_RSA_WITH_AES_128_CBC_SHA DH-RSA-AES128-SHA +TLS_DH_RSA_WITH_AES_256_CBC_SHA DH-RSA-AES256-SHA + +TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE-DSS-AES128-SHA +TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE-DSS-AES256-SHA +TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE-RSA-AES128-SHA +TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE-RSA-AES256-SHA + +TLS_DH_anon_WITH_AES_128_CBC_SHA ADH-AES128-SHA +TLS_DH_anon_WITH_AES_256_CBC_SHA ADH-AES256-SHA + +# +#Additional cipher suites +# +#Note: these ciphers can also be used in SSL v3. +# +TLS_DHE_DSS_WITH_RC4_128_SHA DHE-DSS-RC4-SHA + +# +# FIPS cipher list +# +TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA Not_implemented +TLS_RSA_FIPS_WITH_DES_CBC_SHA Not_implemented +SSL3_RSA_FIPS_WITH_3DES_EDE_CBC_SHA Not_implemented +SSL3_RSA_FIPS_WITH_DES_CBC_SHA Not_implemented diff --git a/security/nss/tests/iopr/server_scr/client.cgi b/security/nss/tests/iopr/server_scr/client.cgi new file mode 100644 index 000000000..581ad06d1 --- /dev/null +++ b/security/nss/tests/iopr/server_scr/client.cgi 
@@ -0,0 +1,526 @@ +#!/usr/bin/perl + +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +#-------------------------------------------------------------- +# cgi script that parses request argument to appropriate +# open ssl or tstclntw options and starts ssl client. +# + +use CGI qw/:standard/; + +use subs qw(debug); + +#-------------------------------------------------------------- +# Prints out an error string and exits the script with an +# exitStatus. +# Param: +# str : an error string +# exitStat: an exit status of the program +# +sub svr_error { + my ($str, $exitStat) = @_; + + if (!defined $str || $str eq "") { + $str = $ERR; + } + print "SERVER ERROR: $str\n"; + if ($exitStat) { + print end_html if ($osDataArr{wservRun}); + exit $exitStat; + } +} + +#-------------------------------------------------------------- +# Prints out a debug message +# Params: +# str: debug message +# inVal: additional value to print(optional) +# +sub debug { + my ($str, $inVal) = @_; + + print "-- DEBUG: $str ($inVal)\n" if ($DEBUG == 1); +} + + +#-------------------------------------------------------------- +# Initializes execution context depending on a webserver the +# script is running under. 
+# +sub init { + %osDataArr = ( + loadSupportedCipthersFn => \&osSpecific, + cipherIsSupportedFn => \&verifyCipherSupport, + cipherListFn => \&convertCipher, + buildCipherTableFn => \&buildCipherTable, + execCmdFn => \&osSpecific, + ); + + $scriptName = $ENV{'SCRIPT_NAME'}; + if (!defined $scriptName) { + $DEBUG=1; + debug "Debug is ON"; + } + $DEBUG=1; + + $svrSoft = $ENV{'SERVER_SOFTWARE'}; + if (defined $svrSoft) { + $_ = $svrSoft; + /.*Microsoft.*/ && ($osDataArr{wserv} = "IIS"); + /.*Apache.*/ && ($osDataArr{wserv} = "Apache"); + $osDataArr{wservRun} = 1; + } else { + $osDataArr{wserv} = "Apache"; + $osDataArr{wservRun} = 0; + } +} + +#-------------------------------------------------------------- +# Function-spigot to handle errors is OS specific functions are +# not implemented for a particular OS. +# Returns: +# always returns 0(failure) +# +sub osSpecific { + $ERR = "This function should be swapped to os specific function."; + return 0; +} + +#-------------------------------------------------------------- +# Sets os specific execution context values. 
+# Returns: +# 1 upon success, or 0 upon failure(if OS was not recognized) +# +sub setFunctRefs { + + debug("Entering setFunctRefs function", $osDataArr{wserv}); + + if ($osDataArr{wserv} eq "Apache") { + $osDataArr{osConfigFile} = "apache_unix.cfg"; + $osDataArr{suppCiphersCmd} = '$opensslb ciphers ALL:NULL'; + $osDataArr{clientRunCmd} = '$opensslb s_client -host $in_host -port $in_port -cert $certDir/$in_cert.crt -key $certDir/$in_cert.key -CAfile $caCertFile $proto $ciphers -ign_eof < $reqFile'; + $osDataArr{loadSupportedCipthersFn} = \&getSupportedCipherList_Unix; + $osDataArr{execCmdFn} = \&execClientCmd_Unix; + } elsif ($osDataArr{wserv} eq "IIS") { + $osDataArr{osConfigFile} = "iis_windows.cfg"; + $osDataArr{suppCiphersCmd} = '$tstclntwb'; + $osDataArr{clientRunCmd} = '$tstclntwb -h $in_host -p $in_port -n $in_cert $proto $ciphers < $reqFile'; + $osDataArr{loadSupportedCipthersFn} = \&getSupportedCipherList_Win; + $osDataArr{execCmdFn} = \&execClientCmd_Win; + } else { + $ERR = "Unknown Web Server type."; + return 0; + } + return 1; +} + +#-------------------------------------------------------------- +# Parses data from HTTP request. Will print a form if request +# does not contain sufficient number of parameters. +# Returns: +# 1 if request has sufficient number of parameters +# 0 if not. 
+sub getReqData { + my $debug = param('debug'); + $in_host = param('host'); + $in_port = param('port'); + $in_cert = param('cert'); + $in_cipher = param('cipher'); + + if (!$osDataArr{wservRun}) { + $in_host="goa1"; + $in_port="443"; + $in_cert="TestUser511"; + $in_cipher = "SSL3_RSA_WITH_NULL_SHA"; + } + + debug("Entering getReqData function", "$in_port:$in_host:$in_cert:$in_cipher"); + + if (defined $debug && $debug == "debug on") { + $DEBUG = 1; + } + + if (!defined $in_host || $in_host eq "" || + !defined $in_port || $in_port eq "" || + !defined $in_cert || $in_cert eq "") { + if ($osDataArr{wservRun}) { + print h1('Command description form:'), + start_form(-method=>"get"), + "Host: ",textfield('host'),p, + "Port: ",textfield('port'),p, + "Cert: ",textfield('cert'),p, + "Cipher: ",textfield('cipher'),p, + checkbox_group(-name=>'debug', + -values=>['debug on ']), + submit, + end_form, + hr; + } else { + print "Printing html form to get client arguments\n"; + } + $ERR = "the following parameters are required: host, port, cert"; + return 0; + } else { + print "<pre>" if ($osDataArr{wservRun}); + return 1; + } +} + + +#-------------------------------------------------------------- +# Building cipher conversion table from file based on the OS. +# Params: +# tfile: cipher conversion file. +# sysName: system name +# tblPrt: returned pointer to a table. 
+sub buildCipherTable { + my ($tfile, $sysName, $tblPrt) = @_; + my @retArr = @$tblPrt; + my %table, %rtable; + my $strCount = 0; + + debug("Entering getReqData function", "$tfile:$sysName:$tblPrt"); + + ($ERR = "No system name supplied" && return 0) if ($sysName =~ /^$/); + if (!open(TFILE, "$tfile")) { + $ERR = "Missing cipher conversion table file."; + return 0; + } + foreach (<TFILE>) { + chop; + /^#.*/ && next; + /^\s*$/ && next; + if ($strCount++ == 0) { + my @sysArr = split /\s+/; + $colCount = 0; + for (;$colCount <= $#sysArr;$colCount++) { + last if ($sysArr[$colCount] =~ /(.*:|^)$sysName.*/); + } + next; + } + my @ciphArr = split /\s+/, $_; + $table{$ciphArr[0]} = $ciphArr[$colCount]; + $rtable{$ciphArr[$colCount]} = $ciphArr[0]; + } + close(TFILE); + $cipherTablePtr[0] = \%table; + $cipherTablePtr[1] = \%rtable; + return 1 +} + +#-------------------------------------------------------------- +# Client configuration function. Loads client configuration file. +# Initiates cipher table. Loads cipher list supported by ssl client. +# +sub configClient { + + debug "Entering configClient function"; + + my $res = &setFunctRefs(); + return $res if (!$res); + + open(CFILE, $osDataArr{'osConfigFile'}) || + ($ERR = "Missing configuration file." && return 0); + foreach (<CFILE>) { + /^#.*/ && next; + chop; + eval $_; + } + close(CFILE); + + local @cipherTablePtr = (); + $osDataArr{'buildCipherTableFn'}->($cipherTableFile, $clientSys) || return 0; + $osDataArr{cipherTable} = $cipherTablePtr[0]; + $osDataArr{rcipherTable} = $cipherTablePtr[1]; + + local $suppCiphersTablePrt; + &{$osDataArr{'loadSupportedCipthersFn'}} || return 0; + $osDataArr{suppCiphersTable} = $suppCiphersTablePrt; +} + +#-------------------------------------------------------------- +# Verifies that a particular cipher is supported. +# Params: +# checkCipher: cipher name +# Returns: +# 1 - cipher is supported(also echos the cipher). +# 0 - not supported. 
+# +sub verifyCipherSupport { + my ($checkCipher) = @_; + my @suppCiphersTable = @{$osDataArr{suppCiphersTable}}; + + debug("Entering verifyCipherSupport", $checkCipher); + foreach (@suppCiphersTable) { + return 1 if ($checkCipher eq $_); + } + $ERR = "cipher is not supported."; + return 0; +} + +#-------------------------------------------------------------- +# Converts long(?name of the type?) cipher name to +# openssl/tstclntw cipher name. +# Returns: +# 0 if cipher was not listed. 1 upon success. +# +sub convertCipher { + my ($cipher) = @_; + my @retList; + my $resStr; + my %cipherTable = %{$osDataArr{cipherTable}}; + + debug("Entering convertCipher", $cipher); + if (defined $cipher) { + my $cphr = $cipherTable{$cipher}; + if (!defined $cphr) { + $ERR = "cipher is not listed."; + return 0; + } + &{$osDataArr{'cipherIsSupportedFn'}}($cphr) || return 0; + $ciphers = "$cphr"; + return 1; + } + return 0; +} + +################################################################# +# UNIX Apache Specific functions +#---------------------------------------------------------------- + +#-------------------------------------------------------------- +# Executes ssl client command to get a list of ciphers supported +# by client. +# +sub getSupportedCipherList_Unix { + my @arr, @suppCiphersTable; + + debug "Entering getSupportedCipherList_Unix function"; + + eval '$sLisrCmd = "'.$osDataArr{'suppCiphersCmd'}.'"'; + if (!open (OUT, "$sLisrCmd|")) { + $ERR="Can not run command to verify supported cipher list."; + return 0; + } + @arr = <OUT>; + chop $arr[0]; + @suppCiphersTable = split /:/, $arr[0]; + debug("Supported ciphers", $arr[0]); + $suppCiphersTablePrt = \@suppCiphersTable; + close(OUT); + return 1; +} + +#-------------------------------------------------------------- +# Lunches ssl client command in response to a request. 
+# +# +sub execClientCmd_Unix { + my $proto; + local $ciphers; + + debug "Entering execClientCmd_Unix"; + if (defined $in_cipher && $in_cipher ne "") { + my @arr = split /_/, $in_cipher, 2; + $proto = "-".$arr[0]; + $proto =~ tr /SLT/slt/; + $proto = "-tls1" if ($proto eq "-tls"); + return 0 if (!&{$osDataArr{'cipherListFn'}}($in_cipher)); + $ciphers = "-cipher $ciphers"; + debug("Return from cipher conversion", "$ciphers"); + } + + eval '$command = "'.$osDataArr{'clientRunCmd'}.'"'; + debug("Executing command", $command); + if (!open CMD_OUT, "$command 2>&1 |") { + $ERR = "can not launch client"; + return 0; + } + + my @cmdOutArr = <CMD_OUT>; + + foreach (@cmdOutArr) { + print $_; + } + + my $haveVerify = 0; + my $haveErrors = 0; + foreach (@cmdOutArr) { + chop; + if (/unknown option/) { + $haveErrors++; + svr_error "unknown option\n"; + next; + } + if (/:no ciphers available/) { + $haveErrors++; + svr_error "no cipthers available\n"; + next; + } + if (/verify error:/) { + $haveErrors++; + svr_error "unable to do verification\n"; + next; + } + if (/alert certificate revoked:/) { + $haveErrors++; + svr_error "attempt to connect with revoked sertificate\n"; + next; + } + if (/(error|ERROR)/) { + $haveErrors++; + svr_error "found errors in server log\n"; + next; + } + /verify return:1/ && ($haveVerify = 1); + } + if ($haveVerify == 0) { + svr_error "no 'verify return:1' found in server log\n"; + $haveErrors++; + } + + if ($haveErrors > 0) { + $ERR = "Have $haveErrors server errors"; + debug "Exiting execClientCmd_Unix"; + return 0; + } + debug "Exiting execClientCmd_Unix"; + return 1; +} + +################################################################# +# Windows IIS Specific functions +#---------------------------------------------------------------- + +#-------------------------------------------------------------- +# Executes ssl client command to get a list of ciphers supported +# by client. 
+# +sub getSupportedCipherList_Win { + my @arr, @suppCiphersTable; + + debug "Entering getSupportedCipherList_Win function"; + + eval '$sLisrCmd = "'.$osDataArr{'suppCiphersCmd'}.'"'; + if (!open (OUT, "$sLisrCmd|")) { + $ERR="Can not run command to verify supported cipher list."; + return 0; + } + my $startCipherList = 0; + foreach (<OUT>) { + chop; + if ($startCipherList) { + /^([a-zA-Z])\s+/ && push @suppCiphersTable, $1; + next; + } + /.*from list below.*/ && ($startCipherList = 1); + } + debug("Supported ciphers", join ':', @suppCiphersTable); + $suppCiphersTablePrt = \@suppCiphersTable; + close(OUT); + return 1; +} + +#-------------------------------------------------------------- +# Lunches ssl client command in response to a request. +# +# +sub execClientCmd_Win { + my $proto; + local $ciphers; + + debug "Entering execClientCmd_Win"; + if (defined $in_cipher && $in_cipher ne "") { + my @arr = split /_/, $in_cipher, 2; + $proto = "-2 -3 -T"; + + $proto =~ s/-T// if ($arr[0] eq "TLS"); + $proto =~ s/-3// if ($arr[0] eq "SSL3"); + $proto =~ s/-2// if ($arr[0] eq "SSL2"); + return 0 if (!&{$osDataArr{'cipherListFn'}}($in_cipher)); + $ciphers = "-c $ciphers"; + debug("Return from cipher conversion", $ciphers); + } + + eval '$command = "'.$osDataArr{'clientRunCmd'}.'"'; + debug("Executing command", $command); + if (!open CMD_OUT, "$command 2>&1 |") { + $ERR = "can not launch client"; + return 0; + } + + my @cmdOutArr = <CMD_OUT>; + + foreach (@cmdOutArr) { + print $_; + } + + my $haveVerify = 0; + my $haveErrors = 0; + foreach (@cmdOutArr) { + chop; + if (/unknown option/) { + $haveErrors++; + svr_error "unknown option\n"; + next; + } + if (/Error performing handshake/) { + $haveErrors++; + svr_error "Error performing handshake\n"; + next; + } + if (/Error creating credentials/) { + $haveErrors++; + svr_error "Error creating credentials\n"; + next; + } + if (/Error .* authenticating server credentials!/) { + $haveErrors++; + svr_error "Error authenticating server 
credentials\n"; + next; + } + if (/(error|ERROR|Error)/) { + $haveErrors++; + svr_error "found errors in server log\n"; + next; + } + } + + if ($haveErrors > 0) { + $ERR = "Have $haveErrors server errors"; + debug "Exiting execClientCmd_Win"; + return 0; + } + debug "Exiting execClientCmd_Win"; + return 1; +} + +################################################################# +# Main line of execution +#---------------------------------------------------------------- +&init; + +if ($osDataArr{wservRun}) { + print header('text/html'). + start_html('iopr client'); +} + +print "SCRIPT=OK\n"; + +if (!&getReqData) { + svr_error($ERR, 1); +} + +if (!&configClient) { + svr_error($ERR, 1); +} + +&{$osDataArr{'execCmdFn'}} || svr_error; + +if ($osDataArr{wservRun}) { + print "</pre>"; + print end_html; +} diff --git a/security/nss/tests/iopr/server_scr/config b/security/nss/tests/iopr/server_scr/config new file mode 100644 index 000000000..9e65b926c --- /dev/null +++ b/security/nss/tests/iopr/server_scr/config @@ -0,0 +1,17 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +certDir=/iopr +caCertName=TestCA +caCrlName=TestCA +userCertNames="TestUser510 TestUser511" +userRevokedCertNames="TestUser510" +reverseRunCGIScript="/cgi-bin/client.cgi" +supportedTests="SslSingleHs" +# SslSingleHs: ssl single handshake with out client cert auth +SslSingleHsPort=443 +SslSingleHsUrl=/ +SslSingleHsParam=NOAUTH:NOCOV:NOCRL +#ParamSslSingleHandshakeWithOutClientCertAuth="443 / NOAUTH:NOCOV:NOCRL" +#ParamSslSingleHandshakeWithOutClientCertAuth="443 /" diff --git a/security/nss/tests/iopr/server_scr/iis_windows.cfg b/security/nss/tests/iopr/server_scr/iis_windows.cfg new file mode 100644 index 000000000..76499b8b6 --- /dev/null +++ b/security/nss/tests/iopr/server_scr/iis_windows.cfg 
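Review bot: The request parameters host, port and cert read in getReqData are never validated, yet execClientCmd_Unix and execClientCmd_Win interpolate them through `eval '$command = "'.$osDataArr{'clientRunCmd'}.'"'` and then run the result with `open CMD_OUT, "$command 2>&1 |"`, which hands the string to a shell; only cipher is constrained, because convertCipher accepts just keys present in the conversion table. Even for a test-only CGI the values should be checked against a strict pattern before use, e.g. right after the emptiness check in getReqData: `unless ($in_host =~ /^[A-Za-z0-9.-]+$/ && $in_port =~ /^\d+$/ && $in_cert =~ /^[A-Za-z0-9_.-]+$/) { $ERR = "invalid host, port or cert"; return 0; }`, and preferably the command should be assembled as a list and started with the list form of open so that no shell is involved. Separately, `$debug == "debug on"` in getReqData is a numeric comparison (both sides evaluate to 0, so it is always true) and should be `eq`; the unconditional `$DEBUG=1;` in init makes that check moot anyway and looks like leftover debugging. Also `my %table, %rtable;` in buildCipherTable declares only `%table` as lexical, and `($ERR = "No system name supplied" && return 0)` binds as `$ERR = ("..." && return 0)`, so the message is never stored; `my (%table, %rtable);` and a plain `if` block would fix both.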
@@ -0,0 +1,33 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#
+# IIS windows configuration file
+#
+
+#
+# Define what type of system this is.
+#
+$clientSys = "iis";
+
+#
+# Cipher conversion table file
+#
+$cipherTableFile = "cipher.list";
+
+#--------------------------------------------
+# Web server specific variables start here:
+#
+
+#
+# Location of installed tstclntb binary
+#
+$tstclntwb = "./tstclntw.exe";
+
+#
+# HTTP Request file
+#
+$reqFile = "sslreq.dat";
+
+
diff --git a/security/nss/tests/iopr/server_scr/iopr_server.cfg b/security/nss/tests/iopr/server_scr/iopr_server.cfg
new file mode 100644
index 000000000..2b196e015
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/iopr_server.cfg
@@ -0,0 +1,67 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+certDir=/iopr
+caCertName=TestCA
+caCrlName=TestCA
+
+#old values
+userCertNames="TestUser510-rsa TestUser512-rsa"
+userRevokedCertNames="TestUser510-rsa"
+reverseRunCGIScript="/cgi-bin/client.cgi"
+#reverseTestParam=NOREVALL
+supportedTests="SslSingleHs SslSecondHs"
+#supportedTests="SslSecondHs"
+
+
+downloadFiles="TestUser510-rsa.p12 TestUser512-rsa.p12 ocspTrustedResponder-rsa.crt ocspTRTestUser514-rsa.crt ocspTRTestUser516-rsa.crt ocspRCATestUser518-rsa.crt ocspRCATestUser520-rsa.crt ocspDRTestUser522-rsa.crt ocspDRTestUser524-rsa.crt ocspTRUnknownIssuerCert-rsa.crt ocspRCAUnknownIssuerCert-rsa.crt ocspDRUnknownIssuerCert-rsa.crt"
+# Keep a space at the end of
+SslClntValidCertName="TestUser512-rsa"
+SslClntRevokedCertName="TestUser510-rsa"
+reverseRunCGIScript="/cgi-bin/client.cgi"
+#reverseTestParam=NOREVALL
+
+supportedTests_new="SslSingleHs SslSecondHs OcspTrustedResponder OcspResponderCA OcspDesinatedResponder"
+
+#
+# SslSingleHs: ssl single handshake with out client cert auth
+SslSingleHsDescr="ssl with single handshake without client cert auth"
+SslSingleHsPort=443
+SslSingleHsUrl=/iopr_test/test_pg.html
+SslSingleHsParam=NOAUTH
+
+#
+# SslSecondHs: ssl with secondary hs when accessing direcory
+# that requires cert verification
+SslSecondHsDescr="ssl with secondary hs when accessing direcory that requires cert verification"
+SslSecondHsPort=443
+SslSecondHsUrl=/iopr_test_2hs/test_pg.html
+SslSecondHsParam=NOCOV
+
+#
+# OcspTrustedResponder - trusted responder key is used to sign OCSP response
+#
+OcspTrustedResponderDescr="trusted responder key is used to sign OCSP response"
+OcspTrustedResponderProto=http
+OcspTrustedResponderPort=2560
+OcspTrustedResponderResponderCert=ocspTrustedResponder-rsa
+OcspTrustedResponderValidCertNames="ocspTRTestUser516-rsa"
+OcspTrustedResponderRevokedCertNames="ocspTRTestUser514-rsa"
+OcspTrustedResponderStatUnknownCertNames="ocspTRUnknownIssuerCert-rsa"
+
+#
+# OcspResponderCA - CA key is used to sign OCSP response
+#
+OcspResponderCADescr="CA key is used to sign OCSP response"
+OcspResponderCAValidCertNames="ocspRCATestUser518-rsa"
+OcspResponderCARevokedCertNames="ocspRCATestUser520-rsa"
+OcspResponderCAStatUnknownCertNames="ocspRCAUnknownIssuerCert-rsa"
+
+#
+# OcspDesinatedResponder - CA Designated Responder key is used to sign OCSP response
+#
+OcspDesinatedResponderDescr="CA Designated Responder key is used to sign OCSP response"
+OcspDesinatedResponderValidCertNames="ocspDRTestUser522-rsa"
+OcspDesinatedResponderRevokedCertNames="ocspDRTestUser524-rsa"
+OcspDesinatedResponderStatUnknownCertNames="ocspDRUnknownIssuerCert-rsa"
diff --git a/security/nss/tests/iopr/server_scr/sslreq.dat b/security/nss/tests/iopr/server_scr/sslreq.dat
new file mode 100644
index 000000000..2f7ad7736
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/sslreq.dat
@@ -0,0 +1,2 @@
+GET / HTTP/1.0
+
diff --git a/security/nss/tests/iopr/ssl_iopr.sh b/security/nss/tests/iopr/ssl_iopr.sh new file mode 100644 index 000000000..0f9742662 --- /dev/null +++ b/security/nss/tests/iopr/ssl_iopr.sh 
@@ -0,0 +1,643 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/iopr/ssl_iopr.sh +# +# NSS SSL interoperability QA. This file is included from ssl.sh +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +######################################################################## +IOPR_SSL_SOURCED=1 + +######################################################################## +# The functions works with variables defined in interoperability +# configuration file that was downloaded from a webserver. +# It tries to find unrevoked cert based on value of variable +# "SslClntValidCertName" defined in the configuration file. +# Params NONE. +# Returns 0 if found, 1 otherwise. +# +setValidCert() { + testUser=$SslClntValidCertName + [ -z "$testUser" ] && return 1 + return 0 +} + +######################################################################## +# The funtions works with variables defined in interoperability +# configuration file that was downloaded from a webserver. +# The function sets port, url, param and description test parameters +# that was defind for a particular type of testing. +# Params: +# $1 - supported types of testing. Currently have maximum +# of two: forward and reverse. But more can be defined. 
+# No return value +# +setTestParam() { + type=$1 + sslPort=`eval 'echo $'${type}Port` + sslUrl=`eval 'echo $'${type}Url` + testParam=`eval 'echo $'${type}Param` + testDescription=`eval 'echo $'${type}Descr` + [ -z "$sslPort" ] && sslPort=443 + [ -z "$sslUrl" ] && sslUrl="/iopr_test/test_pg.html" + [ "$sslUrl" = "/" ] && sslUrl="/test_pg.html" +} + + +####################################################################### +# local shell function to perform SSL Cipher Suite Coverage tests +# in interoperability mode. Tests run against web server by using nss +# test client +# Params: +# $1 - supported type of testing. +# $2 - testing host +# $3 - nss db location +# No return value +# +ssl_iopr_cov_ext_server() +{ + testType=$1 + host=$2 + dbDir=$3 + + setTestParam $testType + if [ "`echo $testParam | grep NOCOV`" != "" ]; then + echo "SSL Cipher Coverage of WebServ($IOPR_HOSTADDR) excluded from " \ + "run by server configuration" + return 0 + fi + + html_head "SSL Cipher Coverage of WebServ($IOPR_HOSTADDR" \ + "$BYPASS_STRING $NORM_EXT): $testDescription" + + setValidCert; ret=$? 
+ if [ $ret -ne 0 ]; then + html_failed "Fail to find valid test cert(ws: $host)" + return $ret + fi + + SSL_REQ_FILE=${TMP}/sslreq.dat.$$ + echo "GET $sslUrl HTTP/1.0" > $SSL_REQ_FILE + echo >> $SSL_REQ_FILE + + while read ecc tls param testname therest; do + [ -z "$ecc" -o "$ecc" = "#" -o "`echo $testname | grep FIPS`" -o \ + "$ecc" = "ECC" ] && continue; + + echo "$SCRIPTNAME: running $testname ----------------------------" + TLS_FLAG=-T + if [ "$tls" = "TLS" ]; then + TLS_FLAG="" + fi + + resFile=${TMP}/$HOST.tmpRes.$$ + rm $resFile 2>/dev/null + + echo "tstclnt -p ${sslPort} -h ${host} -c ${param} ${TLS_FLAG} \\" + echo " -n $testUser -v -w nss ${CLIEN_OPTIONS} -f \\" + echo " -d ${dbDir} < ${SSL_REQ_FILE} > $resFile" + + ${BINDIR}/tstclnt -p ${sslPort} -h ${host} -c ${param} \ + ${TLS_FLAG} ${CLIEN_OPTIONS} -f -n $testUser -v -w nss \ + -d ${dbDir} < ${SSL_REQ_FILE} >$resFile 2>&1 + ret=$? + grep "ACCESS=OK" $resFile + test $? -eq 0 -a $ret -eq 0 + ret=$? + [ $ret -ne 0 ] && cat $resFile + rm -f $resFile 2>/dev/null + html_msg $ret 0 "${testname}" + done < ${SSLCOV} + rm -f $SSL_REQ_FILE 2>/dev/null + + html "</TABLE><BR>" +} + +####################################################################### +# local shell function to perform SSL Client Authentication tests +# in interoperability mode. Tests run against web server by using nss +# test client +# Params: +# $1 - supported type of testing. +# $2 - testing host +# $3 - nss db location +# No return value +# +ssl_iopr_auth_ext_server() +{ + testType=$1 + host=$2 + dbDir=$3 + + setTestParam $testType + if [ "`echo $testParam | grep NOAUTH`" != "" ]; then + echo "SSL Client Authentication WebServ($IOPR_HOSTADDR) excluded from " \ + "run by server configuration" + return 0 + fi + + html_head "SSL Client Authentication WebServ($IOPR_HOSTADDR $BYPASS_STRING $NORM_EXT): + $testDescription" + + setValidCert;ret=$? 
+ if [ $ret -ne 0 ]; then + html_failed "Fail to find valid test cert(ws: $host)" + return $ret + fi + + SSL_REQ_FILE=${TMP}/sslreq.dat.$$ + echo "GET $sslUrl HTTP/1.0" > $SSL_REQ_FILE + echo >> $SSL_REQ_FILE + + SSLAUTH_TMP=${TMP}/authin.tl.tmp + grep -v "^#" ${SSLAUTH} | grep -- "-r_-r_-r_-r" > ${SSLAUTH_TMP} + + while read ecc value sparam cparam testname; do + [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue; + + cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$testUser/g" ` + + echo "tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} -f ${cparam} \\" + echo " -d ${dbDir} -v < ${SSL_REQ_FILE}" + + resFile=${TMP}/$HOST.tmp.$$ + rm $rsFile 2>/dev/null + + ${BINDIR}/tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} -f ${cparam} \ + -d ${dbDir} -v < ${SSL_REQ_FILE} >$resFile 2>&1 + ret=$? + grep "ACCESS=OK" $resFile + test $? -eq 0 -a $ret -eq 0 + ret=$? + [ $ret -ne 0 ] && cat $resFile + rm $resFile 2>/dev/null + + html_msg $ret $value "${testname}. Client params: $cparam"\ + "produced a returncode of $ret, expected is $value" + done < ${SSLAUTH_TMP} + rm -f ${SSLAUTH_TMP} ${SSL_REQ_FILE} + + html "</TABLE><BR>" +} + +######################################################################## +# local shell function to perform SSL interoperability test with/out +# revoked certs tests. Tests run against web server by using nss +# test client +# Params: +# $1 - supported type of testing. 
+# $2 - testing host +# $3 - nss db location +# No return value +# +ssl_iopr_crl_ext_server() +{ + testType=$1 + host=$2 + dbDir=$3 + + setTestParam $testType + if [ "`echo $testParam | grep NOCRL`" != "" ]; then + echo "CRL SSL Client Tests of WebServerv($IOPR_HOSTADDR) excluded from " \ + "run by server configuration" + return 0 + fi + + html_head "CRL SSL Client Tests of WebServer($IOPR_HOSTADDR $BYPASS_STRING $NORM_EXT): $testDescription" + + SSL_REQ_FILE=${TMP}/sslreq.dat.$$ + echo "GET $sslUrl HTTP/1.0" > $SSL_REQ_FILE + echo >> $SSL_REQ_FILE + + SSLAUTH_TMP=${TMP}/authin.tl.tmp + grep -v "^#" ${SSLAUTH} | grep -- "-r_-r_-r_-r" | grep -v bogus | \ + grep -v none > ${SSLAUTH_TMP} + + while read ecc value sparam _cparam testname; do + [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue; + + rev_modvalue=254 + for testUser in $SslClntValidCertName $SslClntRevokedCertName; do + cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$testUser/g" ` + + echo "tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} \\" + echo " -f -d ${dbDir} -v ${cparam} < ${SSL_REQ_FILE}" + resFile=${TMP}/$HOST.tmp.$$ + rm -f $resFile 2>/dev/null + ${BINDIR}/tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} -f ${cparam} \ + -d ${dbDir} -v < ${SSL_REQ_FILE} \ + > $resFile 2>&1 + ret=$? + grep "ACCESS=OK" $resFile + test $? -eq 0 -a $ret -eq 0 + ret=$? 
+ [ $ret -ne 0 ] && ret=$rev_modvalue; + [ $ret -ne 0 ] && cat $resFile + rm -f $resFile 2>/dev/null + + if [ "`echo $SslClntRevokedCertName | grep $testUser`" != "" ]; then + modvalue=$rev_modvalue + testAddMsg="revoked" + else + testAddMsg="not revoked" + modvalue=$value + fi + html_msg $ret $modvalue "${testname} (cert ${testUser} - $testAddMsg)" \ + "produced a returncode of $ret, expected is $modvalue" + done + done < ${SSLAUTH_TMP} + rm -f ${SSLAUTH_TMP} ${SSL_REQ_FILE} + + html "</TABLE><BR>" +} + + +######################################################################## +# local shell function to perform SSL Cipher Coverage tests of nss server +# by invoking remote test client on web server side. +# Invoked only if reverse testing is supported by web server. +# Params: +# $1 - remote web server host +# $2 - open port to connect to invoke CGI script +# $3 - host where selfserv is running(name of the host nss tests +# are running) +# $4 - port where selfserv is running +# $5 - selfserv nss db location +# No return value +# +ssl_iopr_cov_ext_client() +{ + host=$1 + port=$2 + sslHost=$3 + sslPort=$4 + serDbDir=$5 + + html_head "SSL Cipher Coverage of SelfServ $IOPR_HOSTADDR. $BYPASS_STRING $NORM_EXT" + + setValidCert + ret=$? + if [ $res -ne 0 ]; then + html_failed "Fail to find valid test cert(ws: $host)" + return $ret + fi + + # P_R_SERVERDIR switch require for selfserv to work. 
+ # Will be restored after test + OR_P_R_SERVERDIR=$P_R_SERVERDIR + P_R_SERVERDIR=$serDbDir + OR_P_R_CLIENTDIR=$P_R_CLIENTDIR + P_R_CLIENTDIR=$serDbDir + testname="" + sparam="-vvvc ABCDEFcdefgijklmnvyz" + # Launch the server + start_selfserv + + while read ecc tls param cipher therest; do + [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue; + echo "============= Beginning of the test ====================" + echo + + is_selfserv_alive + + TEST_IN=${TMP}/${HOST}_IN.tmp.$$ + TEST_OUT=${TMP}/$HOST.tmp.$$ + rm -f $TEST_IN $TEST_OUT 2>/dev/null + + echo "GET $reverseRunCGIScript?host=$sslHost&port=$sslPort&cert=$testUser&cipher=$cipher HTTP/1.0" > $TEST_IN + echo >> $TEST_IN + + echo "------- Request ----------------------" + cat $TEST_IN + echo "------- Command ----------------------" + echo tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \ + -h $host \< $TEST_IN \>\> $TEST_OUT + + ${BINDIR}/tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \ + -h $host <$TEST_IN > $TEST_OUT + + echo "------- Server output Begin ----------" + cat $TEST_OUT + echo "------- Server output End ----------" + + echo "Checking for errors in log file..." + grep "SCRIPT=OK" $TEST_OUT 2>&1 >/dev/null + if [ $? -eq 0 ]; then + grep "cipher is not supported" $TEST_OUT 2>&1 >/dev/null + if [ $? -eq 0 ]; then + echo "Skiping test: no support for the cipher $cipher on server side" + continue + fi + + grep -i "SERVER ERROR:" $TEST_OUT + ret=$? + if [ $ret -eq 0 ]; then + echo "Found problems. Reseting exit code to failure." + + ret=1 + else + ret=0 + fi + else + echo "Script was not executed. Reseting exit code to failure." + ret=11 + fi + + html_msg $ret 0 "Test ${cipher}. 
Server params: $sparam " \ + " produced a returncode of $ret, expected is 0" + rm -f $TEST_OUT $TEST_IN 2>&1 > /dev/null + done < ${SSLCOV} + kill_selfserv + + P_R_SERVERDIR=$OR_P_R_SERVERDIR + P_R_CLIENTDIR=$OR_P_R_CLIENTDIR + + rm -f ${TEST_IN} ${TEST_OUT} + html "</TABLE><BR>" +} + +######################################################################## +# local shell function to perform SSL Authentication tests of nss server +# by invoking remove test client on web server side +# Invoked only if reverse testing is supported by web server. +# Params: +# $1 - remote web server host +# $2 - open port to connect to invoke CGI script +# $3 - host where selfserv is running(name of the host nss tests +# are running) +# $4 - port where selfserv is running +# $5 - selfserv nss db location +# No return value +# +ssl_iopr_auth_ext_client() +{ + host=$1 + port=$2 + sslHost=$3 + sslPort=$4 + serDbDir=$5 + + html_head "SSL Client Authentication with Selfserv from $IOPR_HOSTADDR. $BYPASS_STRING $NORM_EXT" + + setValidCert + ret=$? 
+ if [ $res -ne 0 ]; then + html_failed "Fail to find valid test cert(ws: $host)" + return $ret + fi + + OR_P_R_SERVERDIR=$P_R_SERVERDIR + P_R_SERVERDIR=${serDbDir} + OR_P_R_CLIENTDIR=$P_R_CLIENTDIR + P_R_CLIENTDIR=${serDbDir} + + SSLAUTH_TMP=${TMP}/authin.tl.tmp + + grep -v "^#" $SSLAUTH | grep "\s*0\s*" > ${SSLAUTH_TMP} + + while read ecc value sparam cparam testname; do + [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue; + + echo "Server params: $sparam" + sparam=$sparam" -vvvc ABCDEFcdefgijklmnvyz" + start_selfserv + + TEST_IN=${TMP}/$HOST_IN.tmp.$$ + TEST_OUT=${TMP}/$HOST.tmp.$$ + rm -f $TEST_IN $TEST_OUT 2>/dev/null + + echo "GET $reverseRunCGIScript?host=$sslHost&port=$sslPort&cert=$testUser HTTP/1.0" > $TEST_IN + echo >> $TEST_IN + + echo "------- Request ----------------------" + cat $TEST_IN + echo "------- Command ----------------------" + echo tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \ + -h $host \< $TEST_IN \>\> $TEST_OUT + + ${BINDIR}/tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \ + -h $host <$TEST_IN > $TEST_OUT + + echo "------- Server output Begin ----------" + cat $TEST_OUT + echo "------- Server output End ----------" + + echo "Checking for errors in log file..." + grep "SCRIPT=OK" $TEST_OUT 2>&1 >/dev/null + if [ $? -eq 0 ]; then + echo "Checking for error in log file..." + grep -i "SERVER ERROR:" $TEST_OUT + ret=$? + if [ $ret -eq 0 ]; then + echo "Found problems. Reseting exit code to failure." + ret=1 + else + ret=0 + fi + else + echo "Script was not executed. Reseting exit code to failure." + ret=11 + fi + + html_msg $ret $value "${testname}. 
Server params: $sparam"\ + "produced a returncode of $ret, expected is $value" + kill_selfserv + rm -f $TEST_OUT $TEST_IN 2>&1 > /dev/null + done < ${SSLAUTH_TMP} + + P_R_SERVERDIR=$OR_P_R_SERVERDIR + P_R_CLIENTDIR=$OR_P_R_CLIENTDIR + + rm -f ${SSLAUTH_TMP} ${TEST_IN} ${TEST_OUT} + html "</TABLE><BR>" +} + +######################################################################### +# local shell function to perform SSL CRL testing of nss server +# by invoking remote test client on web server side +# Invoked only if reverse testing is supported by web server. +# Params: +# $1 - remote web server host +# $2 - open port to connect to invoke CGI script +# $3 - host where selfserv is running(name of the host nss tests +# are running) +# $4 - port where selfserv is running +# $5 - selfserv nss db location +# No return value +# +ssl_iopr_crl_ext_client() +{ + host=$1 + port=$2 + sslHost=$3 + sslPort=$4 + serDbDir=$5 + + html_head "CRL SSL Selfserv Tests from $IOPR_HOSTADDR. $BYPASS_STRING $NORM_EXT" + + OR_P_R_SERVERDIR=$P_R_SERVERDIR + P_R_SERVERDIR=${serDbDir} + OR_P_R_CLIENTDIR=$P_R_CLIENTDIR + P_R_CLIENTDIR=$serDbDir + + SSLAUTH_TMP=${TMP}/authin.tl.tmp + grep -v "^#" $SSLAUTH | grep "\s*0\s*" > ${SSLAUTH_TMP} + + while read ecc value sparam _cparam testname; do + [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue; + sparam="$sparam -vvvc ABCDEFcdefgijklmnvyz" + start_selfserv + + for testUser in $SslClntValidCertName $SslClntRevokedCertName; do + + is_selfserv_alive + + TEST_IN=${TMP}/${HOST}_IN.tmp.$$ + TEST_OUT=${TMP}/$HOST.tmp.$$ + rm -f $TEST_IN $TEST_OUT 2>/dev/null + + echo "GET $reverseRunCGIScript?host=$sslHost&port=$sslPort&cert=$testUser HTTP/1.0" > $TEST_IN + echo >> $TEST_IN + + echo "------- Request ----------------------" + cat $TEST_IN + echo "------- Command ----------------------" + echo tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \ + -h ${host} \< $TEST_IN \>\> $TEST_OUT + + ${BINDIR}/tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port 
\ + -h ${host} <$TEST_IN > $TEST_OUT + echo "------- Request ----------------------" + cat $TEST_IN + echo "------- Server output Begin ----------" + cat $TEST_OUT + echo "------- Server output End ----------" + + echo "Checking for errors in log file..." + grep "SCRIPT=OK" $TEST_OUT 2>&1 >/dev/null + if [ $? -eq 0 ]; then + grep -i "SERVER ERROR:" $TEST_OUT + ret=$? + if [ $ret -eq 0 ]; then + echo "Found problems. Reseting exit code to failure." + ret=1 + else + ret=0 + fi + else + echo "Script was not executed. Reseting exit code to failure." + ret=11 + fi + + if [ "`echo $SslClntRevokedCertName | grep $testUser`" != "" ]; then + modvalue=1 + testAddMsg="revoked" + else + testAddMsg="not revoked" + modvalue=0 + fi + + html_msg $ret $modvalue "${testname} (cert ${testUser} - $testAddMsg)" \ + "produced a returncode of $ret, expected is $modvalue(selfserv args: $sparam)" + rm -f $TEST_OUT $TEST_IN 2>&1 > /dev/null + done + kill_selfserv + done < ${SSLAUTH_TMP} + + P_R_SERVERDIR=$OR_P_R_SERVERDIR + P_R_CLIENTDIR=$OR_P_R_CLIENTDIR + + rm -f ${SSLAUTH_TMP} + html "</TABLE><BR>" +} + +##################################################################### +# Initial point for running ssl test againt multiple hosts involved in +# interoperability testing. Called from nss/tests/ssl/ssl.sh +# It will only proceed with test run for a specific host if environment variable +# IOPR_HOSTADDR_LIST was set, had the host name in the list +# and all needed file were successfully downloaded and installed for the host. +# +# Returns 1 if interoperability testing is off, 0 otherwise. 
+# +ssl_iopr_run() { + if [ "$IOPR" -ne 1 ]; then + return 1 + fi + cd ${CLIENTDIR} + + ORIG_ECC_CERT=${NO_ECC_CERTS} + NO_ECC_CERTS=1 # disable ECC for interoperability tests + + NSS_SSL_ENABLE_RENEGOTIATION=u + export NSS_SSL_ENABLE_RENEGOTIATION + + num=1 + IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '` + while [ "$IOPR_HOST_PARAM" ]; do + IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'` + IOPR_OPEN_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'` + [ -z "$IOPR_OPEN_PORT" ] && IOPR_OPEN_PORT=443 + + . ${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg + RES=$? + + if [ $RES -ne 0 -o X`echo "$wsFlags" | grep NOIOPR` != X ]; then + num=`expr $num + 1` + IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '` + continue + fi + + #======================================================= + # Check if server is capable to run ssl tests + # + [ -z "`echo ${supportedTests_new} | grep -i ssl`" ] && continue; + + # Testing directories defined by webserver. + echo "Testing ssl interoperability. + Client: local(tstclnt). + Server: remote($IOPR_HOSTADDR:$IOPR_OPEN_PORT)" + + for sslTestType in ${supportedTests_new}; do + if [ -z "`echo $sslTestType | grep -i ssl`" ]; then + continue + fi + ssl_iopr_cov_ext_server $sslTestType ${IOPR_HOSTADDR} \ + ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR} + ssl_iopr_auth_ext_server $sslTestType ${IOPR_HOSTADDR} \ + ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR} + ssl_iopr_crl_ext_server $sslTestType ${IOPR_HOSTADDR} \ + ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR} + done + + + # Testing selfserv with client located at the webserver. + echo "Testing ssl interoperability. 
+ Client: remote($IOPR_HOSTADDR:$PORT) + Server: local(selfserv)" + ssl_iopr_cov_ext_client ${IOPR_HOSTADDR} ${IOPR_OPEN_PORT} \ + ${HOSTADDR} ${PORT} ${R_IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR} + ssl_iopr_auth_ext_client ${IOPR_HOSTADDR} ${IOPR_OPEN_PORT} \ + ${HOSTADDR} ${PORT} ${R_IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR} + ssl_iopr_crl_ext_client ${IOPR_HOSTADDR} ${IOPR_OPEN_PORT} \ + ${HOSTADDR} ${PORT} ${R_IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR} + echo "================================================" + echo "Done testing interoperability with $IOPR_HOSTADDR" + num=`expr $num + 1` + IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '` + done + NO_ECC_CERTS=${ORIG_ECC_CERTS} + return 0 +} + diff --git a/security/nss/tests/jss_dll_version.sh b/security/nss/tests/jss_dll_version.sh new file mode 100755 index 000000000..cb29c4a1a --- /dev/null +++ b/security/nss/tests/jss_dll_version.sh @@ -0,0 +1,22 @@ +#!/bin/sh + +# version controll for DLLs +# ToDo: make version parameter or find version from first occurance of 3.x +# make the 3 a variable..., include the header + +for w in `find . -name "libjss3.s[ol]"` +do + NOWHAT=FALSE + NOIDENT=FALSE + echo $w + what $w | grep JSS || NOWHAT=TRUE + ident $w | grep JSS || NOIDENT=TRUE + if [ $NOWHAT = TRUE ] + then + echo "ERROR what $w does not contain JSS" + fi + if [ $NOIDENT = TRUE ] + then + echo "ERROR ident $w does not contain JSS" + fi +done diff --git a/security/nss/tests/jssdir b/security/nss/tests/jssdir new file mode 100755 index 000000000..1609fbfcf --- /dev/null +++ b/security/nss/tests/jssdir 
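Review bot: jss_dll_version.sh prints `ERROR what $w does not contain JSS` / `ERROR ident $w does not contain JSS` but never changes its exit status, so a QA driver or cron job that calls it sees success even when every library fails the check; the two `if [ $NOWHAT = TRUE ]` / `if [ $NOIDENT = TRUE ]` branches only echo. Set `STATUS=0` before the `for` loop, `STATUS=1` inside each error branch, and end the script with `exit $STATUS` after `done` so the result is machine-readable. Quoting `"$w"` in the `what`, `ident` and `echo` calls is the cheap half of a robustness fix; the backtick `for w in ...` still word-splits on whitespace in paths, which is tolerable for build-tree library names but deserves a one-line comment saying so. `what` (SCCS) and `ident` (RCS) are not present on every platform the README says this suite targets, so a `command -v what >/dev/null || { echo "ERROR what not found"; exit 1; }` style guard would keep a missing tool from being reported as a missing version string.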
@@ -0,0 +1,28 @@
+if ( "$2" == "" ) then
+ setenv BUILDDATE `date +%m%d`
+else
+ setenv BUILDDATE $2
+endif
+
+if ( "$1" == "" ) then
+ setenv JSSVER tip
+else
+ setenv JSSVER $1
+endif
+
+if ( ! ${?QAYEAR} ) then
+ setenv QAYEAR `date +%Y`
+else if ( "$QAYEAR" == "" ) then
+ setenv QAYEAR `date +%Y`
+
+endif
+
+setenv JSS_VER_DIR /share/builds/mccrel3/jss/jss$JSSVER
+setenv NTDIST ${JSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/blowfish_NT4.0_Win95/mozilla/dist
+setenv UXDIST ${JSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8/mozilla/dist
+setenv TESTSCRIPTDIR ${JSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8/mozilla/security/jss/tests
+setenv RESULTDIR ${JSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8/mozilla/tests_results/security
+
+cd ${JSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8
+pwd
+ls
diff --git a/security/nss/tests/jssqa b/security/nss/tests/jssqa
new file mode 100755
index 000000000..d5356b9e8
--- /dev/null
+++ b/security/nss/tests/jssqa
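Review bot: jssdir is csh syntax (`setenv`, `if ( "$2" == "" ) then`, `endif`) yet is committed executable (mode 100755) with no shebang and no comment, so running it directly hands it to /bin/sh, which rejects the first `if ( ... ) then`; since every value it sets is meant to land in the caller's environment, it can only do its job when sourced from csh/tcsh. A two-line header would spare the next person that surprise: `# csh/tcsh only -- must be sourced, not executed: source jssdir [jssver] [builddate]` and `# sets BUILDDATE, JSSVER, QAYEAR, JSS_VER_DIR, NTDIST, UXDIST, TESTSCRIPTDIR, RESULTDIR and cd's into the Solaris build dir`. The final `cd ${JSS_VER_DIR}/builds/...` is unchecked; when the dated build directory is absent the `pwd`/`ls` that follow describe whatever directory the caller was already in, and what csh does with the error in a sourced file is shell-dependent, so an explicit `if ( ! -d ... )` test with a message would make the failure visible. `$1` and `$2` are spliced into those paths unvalidated, which is fine for an internal QA helper but worth noting in the same header.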
@@ -0,0 +1,220 @@ +#! /bin/sh + +######################################################################## +# +# /u/sonmi/bin/jssqa +# +# this script is supposed to automatically run - now a sanity test, later QA for +# JSS on all required Unix and Windows (NT and 2000) platforms +# +# parameters +# ---------- +# jssversion (supported: 31, tip) +# builddate (default - today) +# +# options +# ------- +# -y answer all questions with y - use at your own risk...ignores warnings +# -s silent (only usefull with -y) +# -h, -? - you guessed right - displays this text +# -d debug +# -f <filename> - write the (error)output to filename +# -cron equivalient to -y -s -d -f $RESULTDIR/$HOST.nssqa +# +######################################################################## + +O_OPTIONS=ON # accept options (see above for listing) +WIN_WAIT_FOREVER=OFF # don't wait for the NSS testdir +PRODUCT_TO_TEST="JSS" +JSS_NSPR_DIR="/share/builds/components/nspr20/v4.1.2" +JSS_NSS_DIR="/share/builds/components/nss/NSS_3_3_1_RTM" +JSS_NSS_UX_SRC_DIR="nss331/builds/20010928.2.331-RTM/booboo_Solaris8" +JSS_NSS_NT_SRC_DIR="nss331/builds/20010928.2.331-RTM/blowfish_NT4.0_Win95" +JSS_NSS_SRC_DIR=$JSS_NSS_UX_SRC_DIR +NATIVE_FLAG="" + +. `dirname $0`/header # utilities, shellfunctions etc, global to NSS and JSS QA + +if [ -z "$O_TBX" -o "$O_TBX" != "ON" ] ; then + is_running ${TMP}/jssqa + # checks if the file exists, if yes Exits, if not + # creates to implement a primitive locking mechanism +fi + +INTERNAL_TOKEN="NSS Certificate DB" +SIGTEST_INTERNAL_TOKEN="Internal Key Storage Token" + +################################ jss_init ######################### +# +# Most of the procedure is setting up the test environment. +# set all necessary dir and file variables, set all paths, copy the shared libs +# Put all the shared libraries into a lib directory, <libdir>. +# including the libjss3.so that was built by the build process. 
+# set LD_LIBRARY PATH and CLASSPATH +# The xpclass.jar produced by the JSS build needs to be in the classpath. +# The classpath must also include the current directory so we can run our test +# programs. +################################################################################ + +jss_init() +{ + Debug "Jss init" + #correct all directories that the header has set... + NTDIST=`echo $NTDIST | sed -e 's/nss/jss/g'` + UXDIST=`echo $UXDIST | sed -e 's/nss/jss/g'` + RESULTDIR=`echo $RESULTDIR | sed -e 's/nss/jss/g'` + mkdir -p ${RESULTDIR} 2>/dev/null + JSS_LOGFILE=${RESULTDIR}/${HOST}.txt + FILENAME=$JSS_LOGFILE + O_FILE=ON + + MOZILLA_ROOT=`echo $MOZILLA_ROOT | sed -e 's/nss/jss/g'` + + JSS_SAMPLES="$MOZILLA_ROOT/security/jss/samples" + JSS_CLASSPATH=`echo $MOZILLA_ROOT | + sed -e "s/jss$NSSVER.builds/jss$NSSVER\/ships/g" -e "s/mozilla/jss\/${QAYEAR}${BUILDDATE}/"` + Debug "JSS_CLASSPATH=$JSS_CLASSPATH" + Debug "JSS_SAMPLES=$JSS_SAMPLES" + + if [ ! -d $JSS_SAMPLES ] ; then + if [ "$O_WIN" = "ON" -a "$WIN_WAIT_FOREVER" = "ON" ] + then + WaitForever $JSS_SAMPLES/TestKeyGen.java 1 + else + Exit "Test directory $JSS_SAMPLES does not exist" + fi + fi + + PWFILE="$JSS_SAMPLES/passwd" + EMPTYFILE="$JSS_SAMPLES/emptyfile" + rm $PWFILE $EMPTYFILE 2>/dev/null + echo "jss" >$PWFILE + echo "" >$EMPTYFILE + echo "" >>$EMPTYFILE + echo "" >>$EMPTYFILE + + INIT_PATH=$PATH + INIT_LD_LIBRARY_PATH=$LD_LIBRARY_PATH +} + + +jss_mode_init() +{ + OBJDIR=`cd ${TESTSCRIPTDIR}/common; gmake objdir_name` + + LOCALDIST_BIN=`echo $LOCALDIST_BIN | sed -e 's/nss/jss/g'` + LOCALDIST_LIB=$LOCALDIST_BIN/../lib + debug_dirs + + #make testdir/libdir + + JSS_LIBDIR=${RESULTDIR}/${HOST}.libdir/${OBJDIR} + mkdir -p ${JSS_LIBDIR} 2>/dev/null + Debug "JSS_LIBDIR=$JSS_LIBDIR" + + #Put all the shared libraries into a lib directory + Debug "copy all needed libs to ${JSS_LIBDIR}" + cp $JSS_NSPR_DIR/${OBJDIR}/lib/* ${JSS_LIBDIR} + cp $JSS_NSS_DIR/${OBJDIR}/lib/* ${JSS_LIBDIR} + cp $LOCALDIST_LIB/libjss3.* 
${JSS_LIBDIR} + #FIXME uncomment above + + if [ $O_DEBUG = ON ] ; then + Debug "ls $JSS_LIBDIR" + ls $JSS_LIBDIR + fi + + #LD_LIBRARY_PATH=$INIT_LD_LIBRARY_PATH:${JSS_LIBDIR} + LD_LIBRARY_PATH=${JSS_LIBDIR} #remove to avoid HP coredump + CLASSPATH="$JSS_CLASSPATH/xpclass.jar:." + + SHLIB_PATH=${LD_LIBRARY_PATH} + LIBPATH=${LD_LIBRARY_PATH} + + PATH=$JSS_NSPR_DIR/${OBJDIR}/bin:$JSS_NSS_DIR/${OBJDIR}//bin:$INIT_PATH + Debug "PATH $PATH" + Debug "LD_LIBRARY_PATH $LD_LIBRARY_PATH" + Debug "CLASSPATH=$CLASSPATH" + + export CLASSPATH LD_LIBRARY_PATH SHLIB_PATH LIBPATH + export TESTSCRIPTDIR COMMON + export_dirs +} + + +################################ jss_test ######################### +# +# go into the build tree. cd to mozilla/security/jss/samples. +# Create NSS directories in this directory with modutil and set the password +# +#6. Create an alias for the "java" and "javac" commands. You'll need to set +#it to whatever version of the JDK you used to build on this platform. For +#example, + #alias java /share/builds/components/cms_jdk/AIX/1.3.0/jre/bin/java + #alias javac /share/builds/components/cms_jdk/AIX/1.3.0/bin/javac +# instead $JAVA and $JAVAC +# 7. Compile the tests. +##################################################################### +jss_test() +{ + O_FILE=OFF + Debug "JSS main test" + #set -x + cd $JSS_SAMPLES + + Debug "Cleaning $JSS_SAMPLES" + rm cert7.db key3.db 2>/dev/null + + Debug "echo | modutil -dbdir . -create -force" + echo | modutil -dbdir . -create -force + Debug "modutil returned $?" + + modutil -dbdir . -list + + Debug "echo | modutil -dbdir . -changepw \"$INTERNAL_TOKEN\" -newpwfile $PWFILE -force" + modutil -dbdir . -changepw "$INTERNAL_TOKEN" -newpwfile $PWFILE -force <$EMPTYFILE + #modutil -dbdir . -changepw "$INTERNAL_TOKEN" -pwfile $PWFILE -newpwfile $PWFILE <$EMPTYFILE + Debug "modutil returned $?" + + Debug "$JAVAC TestKeyGen.java" + $JAVAC TestKeyGen.java + Debug "$JAVAC TestKeyGen.java returned $?" 
+ + Debug "$JAVAC SigTest.java" + $JAVAC SigTest.java + Debug "$JAVAC SigTest.java returned $?" + + echo "Starting new jss test on $HOST" + date + + # Run the actual tests + + Debug "$JAVA $NATIVE_FLAG TestKeyGen ." + $JAVA $NATIVE_FLAG TestKeyGen . + Debug "$JAVA TestKeyGen returned $?" + + Debug "$JAVA $NATIVE_FLAG SigTest . \"$SIGTEST_INTERNAL_TOKEN\"" + $JAVA $NATIVE_FLAG SigTest . "$SIGTEST_INTERNAL_TOKEN" + Debug "$JAVA SigTest returned $?" + + O_FILE=ON +} + +jss_init +jss_mode_init + +if [ "$O_CRON" = "ON" -o "$O_WIN" = "ON" ] +then + jss_test >>$JSS_LOGFILE 2>&1 +else + jss_test 2>&1 | tee -a $JSS_LOGFILE +fi +BUILD_OPT=1; export BUILD_OPT; Debug "BUILD_OPT $BUILD_OPT" +jss_mode_init +if [ "$O_CRON" = "ON" -o "$O_WIN" = "ON" ] +then + jss_test >>$JSS_LOGFILE 2>&1 +else + jss_test 2>&1 | tee -a $JSS_LOGFILE +fi +Exit "jssqa completed. Done `uname -n` $QA_OS_STRING" diff --git a/security/nss/tests/libpkix/cert_trust.map b/security/nss/tests/libpkix/cert_trust.map new file mode 100644 index 000000000..c992435f9 --- /dev/null +++ b/security/nss/tests/libpkix/cert_trust.map @@ -0,0 +1,6 @@ +TestCA.ca CT,C,C +TestUser50 ,, +TestUser51 ,, +PayPalRootCA CT,C,C +PayPalICA ,, +PayPalEE ,, diff --git a/security/nss/tests/libpkix/certs/BrAirWaysBadSig.cert b/security/nss/tests/libpkix/certs/BrAirWaysBadSig.cert Binary files differnew file mode 100644 index 000000000..30d2f18c3 --- /dev/null +++ b/security/nss/tests/libpkix/certs/BrAirWaysBadSig.cert diff --git a/security/nss/tests/libpkix/certs/CertificatePoliciesCritical.crt b/security/nss/tests/libpkix/certs/CertificatePoliciesCritical.crt Binary files differnew file mode 100755 index 000000000..efc2f2cd5 --- /dev/null +++ b/security/nss/tests/libpkix/certs/CertificatePoliciesCritical.crt diff --git a/security/nss/tests/libpkix/certs/GoodCACert.crt b/security/nss/tests/libpkix/certs/GoodCACert.crt Binary files differnew file mode 100644 index 000000000..5aecbc0cf --- /dev/null 
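Review bot: jss_test records the exit status of `modutil`, `$JAVAC` and `$JAVA` only inside `Debug "... returned $?"` messages and never aggregates them, so jssqa always finishes with `Exit "jssqa completed. Done ..."` whether or not TestKeyGen and SigTest passed or even compiled, and a failed `javac` would silently let a stale `TestKeyGen.class` from an earlier run be executed. Capturing each status in the same shape (`$JAVAC TestKeyGen.java || JSS_FAILED=1`, likewise for `SigTest.java` and the two `$JAVA` runs, with `JSS_FAILED=0` set in jss_init) and reporting `JSS_FAILED` in the final `Exit` message gives the QA driver a usable verdict. jss_mode_init does `mkdir -p ${JSS_LIBDIR}` and then three unchecked `cp` commands into it, so a failed copy leaves the previous run's libraries on `LD_LIBRARY_PATH`; clearing the directory first (`rm -rf -- "${JSS_LIBDIR:?}"` before the `mkdir -p`) or checking the `cp` status ensures the tests exercise the intended build, and the `#FIXME uncomment above` comment under those `cp` lines is stale since all three are active. jss_init also writes the token password with `echo "jss" >$PWFILE` into the shared samples tree under whatever umask the caller inherited; it is a test-only password, but a `chmod 600 "$PWFILE"` after writing it keeps the habit right on multi-user build hosts.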
+++ b/security/nss/tests/libpkix/certs/GoodCACert.crt diff --git a/security/nss/tests/libpkix/certs/NameConstraints.ca.cert b/security/nss/tests/libpkix/certs/NameConstraints.ca.cert Binary files differnew file mode 100644 index 000000000..6d2e8469d --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.ca.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.dcissallowed.cert b/security/nss/tests/libpkix/certs/NameConstraints.dcissallowed.cert Binary files differnew file mode 100644 index 000000000..539adcfee --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.dcissallowed.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.dcissblocked.cert b/security/nss/tests/libpkix/certs/NameConstraints.dcissblocked.cert Binary files differnew file mode 100644 index 000000000..28f84919d --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.dcissblocked.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.dcisscopy.cert b/security/nss/tests/libpkix/certs/NameConstraints.dcisscopy.cert Binary files differnew file mode 100644 index 000000000..a3fbd91f3 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.dcisscopy.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.intermediate.cert b/security/nss/tests/libpkix/certs/NameConstraints.intermediate.cert Binary files differnew file mode 100644 index 000000000..a310aa1ac --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.intermediate.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.intermediate2.cert b/security/nss/tests/libpkix/certs/NameConstraints.intermediate2.cert Binary files differnew file mode 100644 index 000000000..fc4b7c1c1 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.intermediate2.cert 
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.intermediate3.cert b/security/nss/tests/libpkix/certs/NameConstraints.intermediate3.cert Binary files differnew file mode 100644 index 000000000..051e55e56 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.intermediate3.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.intermediate4.cert b/security/nss/tests/libpkix/certs/NameConstraints.intermediate4.cert Binary files differnew file mode 100644 index 000000000..6e7efd53e --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.intermediate4.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.intermediate5.cert b/security/nss/tests/libpkix/certs/NameConstraints.intermediate5.cert Binary files differnew file mode 100644 index 000000000..823eccc05 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.intermediate5.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.intermediate6.cert b/security/nss/tests/libpkix/certs/NameConstraints.intermediate6.cert Binary files differnew file mode 100644 index 000000000..a2f17054e --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.intermediate6.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.ncca.cert b/security/nss/tests/libpkix/certs/NameConstraints.ncca.cert Binary files differnew file mode 100644 index 000000000..ecb24c7d5 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.ncca.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server1.cert b/security/nss/tests/libpkix/certs/NameConstraints.server1.cert Binary files differnew file mode 100644 index 000000000..60e8a1c69 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server1.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server10.cert b/security/nss/tests/libpkix/certs/NameConstraints.server10.cert Binary files differnew file mode 100644 index 000000000..21d9e8767 
--- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server10.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server11.cert b/security/nss/tests/libpkix/certs/NameConstraints.server11.cert Binary files differnew file mode 100644 index 000000000..c458c8ce7 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server11.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server12.cert b/security/nss/tests/libpkix/certs/NameConstraints.server12.cert Binary files differnew file mode 100644 index 000000000..1a4e6fec2 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server12.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server13.cert b/security/nss/tests/libpkix/certs/NameConstraints.server13.cert Binary files differnew file mode 100644 index 000000000..8b7295fb2 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server13.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server14.cert b/security/nss/tests/libpkix/certs/NameConstraints.server14.cert Binary files differnew file mode 100644 index 000000000..8a989f996 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server14.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server15.cert b/security/nss/tests/libpkix/certs/NameConstraints.server15.cert Binary files differnew file mode 100644 index 000000000..69d057c9a --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server15.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server16.cert b/security/nss/tests/libpkix/certs/NameConstraints.server16.cert Binary files differnew file mode 100644 index 000000000..0b24d7abb --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server16.cert 
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server17.cert b/security/nss/tests/libpkix/certs/NameConstraints.server17.cert Binary files differnew file mode 100644 index 000000000..2fc9437cd --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server17.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server2.cert b/security/nss/tests/libpkix/certs/NameConstraints.server2.cert Binary files differnew file mode 100644 index 000000000..1c6e5510d --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server2.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server3.cert b/security/nss/tests/libpkix/certs/NameConstraints.server3.cert Binary files differnew file mode 100644 index 000000000..bd93572dd --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server3.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server4.cert b/security/nss/tests/libpkix/certs/NameConstraints.server4.cert Binary files differnew file mode 100644 index 000000000..ca9d1b1c3 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server4.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server5.cert b/security/nss/tests/libpkix/certs/NameConstraints.server5.cert Binary files differnew file mode 100644 index 000000000..1798de766 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server5.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server6.cert b/security/nss/tests/libpkix/certs/NameConstraints.server6.cert Binary files differnew file mode 100644 index 000000000..5698f8ebd --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server6.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server7.cert b/security/nss/tests/libpkix/certs/NameConstraints.server7.cert Binary files differnew file mode 100644 index 000000000..3cf85d047 --- /dev/null 
+++ b/security/nss/tests/libpkix/certs/NameConstraints.server7.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server8.cert b/security/nss/tests/libpkix/certs/NameConstraints.server8.cert Binary files differnew file mode 100644 index 000000000..f0694ed03 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server8.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server9.cert b/security/nss/tests/libpkix/certs/NameConstraints.server9.cert Binary files differnew file mode 100644 index 000000000..517c0ae31 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server9.cert diff --git a/security/nss/tests/libpkix/certs/OCSPCA1.cert b/security/nss/tests/libpkix/certs/OCSPCA1.cert Binary files differnew file mode 100644 index 000000000..cac92b790 --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPCA1.cert diff --git a/security/nss/tests/libpkix/certs/OCSPCA1.p12 b/security/nss/tests/libpkix/certs/OCSPCA1.p12 Binary files differnew file mode 100644 index 000000000..82cc31034 --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPCA1.p12 diff --git a/security/nss/tests/libpkix/certs/OCSPCA2.cert b/security/nss/tests/libpkix/certs/OCSPCA2.cert Binary files differnew file mode 100644 index 000000000..3dd31100f --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPCA2.cert diff --git a/security/nss/tests/libpkix/certs/OCSPCA2.p12 b/security/nss/tests/libpkix/certs/OCSPCA2.p12 Binary files differnew file mode 100644 index 000000000..1c03d0d7e --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPCA2.p12 diff --git a/security/nss/tests/libpkix/certs/OCSPCA3.cert b/security/nss/tests/libpkix/certs/OCSPCA3.cert Binary files differnew file mode 100644 index 000000000..7d0645830 --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPCA3.cert 
diff --git a/security/nss/tests/libpkix/certs/OCSPCA3.p12 b/security/nss/tests/libpkix/certs/OCSPCA3.p12 Binary files differnew file mode 100644 index 000000000..610eb50a1 --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPCA3.p12 diff --git a/security/nss/tests/libpkix/certs/OCSPEE11.cert b/security/nss/tests/libpkix/certs/OCSPEE11.cert Binary files differnew file mode 100644 index 000000000..093756d3d --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPEE11.cert diff --git a/security/nss/tests/libpkix/certs/OCSPEE12.cert b/security/nss/tests/libpkix/certs/OCSPEE12.cert Binary files differnew file mode 100644 index 000000000..14cd5b9ce --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPEE12.cert diff --git a/security/nss/tests/libpkix/certs/OCSPEE13.cert b/security/nss/tests/libpkix/certs/OCSPEE13.cert Binary files differnew file mode 100644 index 000000000..058b59d80 --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPEE13.cert diff --git a/security/nss/tests/libpkix/certs/OCSPEE14.cert b/security/nss/tests/libpkix/certs/OCSPEE14.cert Binary files differnew file mode 100644 index 000000000..4f937b9e9 --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPEE14.cert diff --git a/security/nss/tests/libpkix/certs/OCSPEE15.cert b/security/nss/tests/libpkix/certs/OCSPEE15.cert Binary files differnew file mode 100644 index 000000000..fbb2000dd --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPEE15.cert diff --git a/security/nss/tests/libpkix/certs/OCSPEE21.cert b/security/nss/tests/libpkix/certs/OCSPEE21.cert Binary files differnew file mode 100644 index 000000000..a3f1305fd --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPEE21.cert diff --git a/security/nss/tests/libpkix/certs/OCSPEE22.cert b/security/nss/tests/libpkix/certs/OCSPEE22.cert Binary files differnew file mode 100644 index 000000000..198f2068d --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPEE22.cert 
diff --git a/security/nss/tests/libpkix/certs/OCSPEE23.cert b/security/nss/tests/libpkix/certs/OCSPEE23.cert Binary files differnew file mode 100644 index 000000000..32b3a631d --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPEE23.cert diff --git a/security/nss/tests/libpkix/certs/OCSPEE31.cert b/security/nss/tests/libpkix/certs/OCSPEE31.cert Binary files differnew file mode 100644 index 000000000..3df0f62cb --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPEE31.cert diff --git a/security/nss/tests/libpkix/certs/OCSPEE32.cert b/security/nss/tests/libpkix/certs/OCSPEE32.cert Binary files differnew file mode 100644 index 000000000..9bf5354ab --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPEE32.cert diff --git a/security/nss/tests/libpkix/certs/OCSPEE33.cert b/security/nss/tests/libpkix/certs/OCSPEE33.cert Binary files differnew file mode 100644 index 000000000..4a3c10228 --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPEE33.cert diff --git a/security/nss/tests/libpkix/certs/OCSPRoot.cert b/security/nss/tests/libpkix/certs/OCSPRoot.cert Binary files differnew file mode 100644 index 000000000..8abc6bc87 --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPRoot.cert diff --git a/security/nss/tests/libpkix/certs/OCSPRoot.p12 b/security/nss/tests/libpkix/certs/OCSPRoot.p12 Binary files differnew file mode 100644 index 000000000..166baf3f4 --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPRoot.p12 diff --git a/security/nss/tests/libpkix/certs/PayPalEE.cert b/security/nss/tests/libpkix/certs/PayPalEE.cert Binary files differnew file mode 100644 index 000000000..d71fbb501 --- /dev/null +++ b/security/nss/tests/libpkix/certs/PayPalEE.cert diff --git a/security/nss/tests/libpkix/certs/PayPalICA.cert b/security/nss/tests/libpkix/certs/PayPalICA.cert Binary files differnew file mode 100644 index 000000000..07e025def --- /dev/null +++ b/security/nss/tests/libpkix/certs/PayPalICA.cert 
diff --git a/security/nss/tests/libpkix/certs/PayPalRootCA.cert b/security/nss/tests/libpkix/certs/PayPalRootCA.cert
Binary files differ
new file mode 100644
index 000000000..dae019650
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/PayPalRootCA.cert
diff --git a/security/nss/tests/libpkix/certs/TestCA.ca.cert b/security/nss/tests/libpkix/certs/TestCA.ca.cert
Binary files differ
new file mode 100644
index 000000000..929b793d3
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/TestCA.ca.cert
diff --git a/security/nss/tests/libpkix/certs/TestUser50.cert b/security/nss/tests/libpkix/certs/TestUser50.cert
Binary files differ
new file mode 100644
index 000000000..ed71727fa
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/TestUser50.cert
diff --git a/security/nss/tests/libpkix/certs/TestUser51.cert b/security/nss/tests/libpkix/certs/TestUser51.cert
Binary files differ
new file mode 100644
index 000000000..1b45db286
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/TestUser51.cert
diff --git a/security/nss/tests/libpkix/certs/TrustAnchorRootCertificate.crt b/security/nss/tests/libpkix/certs/TrustAnchorRootCertificate.crt
Binary files differ
new file mode 100644
index 000000000..21f520ee5
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/TrustAnchorRootCertificate.crt
diff --git a/security/nss/tests/libpkix/certs/ValidCertificatePathTest1EE.crt b/security/nss/tests/libpkix/certs/ValidCertificatePathTest1EE.crt
Binary files differ
new file mode 100644
index 000000000..26985c9f6
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/ValidCertificatePathTest1EE.crt
diff --git a/security/nss/tests/libpkix/certs/anchor2dsa b/security/nss/tests/libpkix/certs/anchor2dsa
Binary files differ
new file mode 100755
index 000000000..a1f9e05f6
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/anchor2dsa
diff --git a/security/nss/tests/libpkix/certs/crldiff.crl b/security/nss/tests/libpkix/certs/crldiff.crl
Binary files differ
new file mode 100755
index 000000000..d076ef89f
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/crldiff.crl
diff --git a/security/nss/tests/libpkix/certs/crlgood.crl b/security/nss/tests/libpkix/certs/crlgood.crl
Binary files differ
new file mode 100755
index 000000000..1ad019ed1
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/crlgood.crl
diff --git a/security/nss/tests/libpkix/certs/extKeyUsage/codeSigningEKUCert b/security/nss/tests/libpkix/certs/extKeyUsage/codeSigningEKUCert
Binary files differ
new file mode 100755
index 000000000..a1afd6a2d
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/extKeyUsage/codeSigningEKUCert
diff --git a/security/nss/tests/libpkix/certs/extKeyUsage/multiEKUCert b/security/nss/tests/libpkix/certs/extKeyUsage/multiEKUCert
Binary files differ
new file mode 100755
index 000000000..55568917c
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/extKeyUsage/multiEKUCert
diff --git a/security/nss/tests/libpkix/certs/extKeyUsage/noEKUCert b/security/nss/tests/libpkix/certs/extKeyUsage/noEKUCert
Binary files differ
new file mode 100755
index 000000000..f9c83dc95
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/extKeyUsage/noEKUCert
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameDnCert b/security/nss/tests/libpkix/certs/generalName/altNameDnCert
Binary files differ
new file mode 100755
index 000000000..43dac7341
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameDnCert
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameDnCert_diff b/security/nss/tests/libpkix/certs/generalName/altNameDnCert_diff
Binary files differ
new file mode 100755
index 000000000..04d133f74
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameDnCert_diff
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameDnsCert b/security/nss/tests/libpkix/certs/generalName/altNameDnsCert
Binary files differ
new file mode 100755
index 000000000..63754141a
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameDnsCert
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameDnsCert_diff b/security/nss/tests/libpkix/certs/generalName/altNameDnsCert_diff
Binary files differ
new file mode 100755
index 000000000..4fe947e73
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameDnsCert_diff
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameEdiCert b/security/nss/tests/libpkix/certs/generalName/altNameEdiCert
Binary files differ
new file mode 100755
index 000000000..95ec20423
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameEdiCert
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameEdiCert_diff b/security/nss/tests/libpkix/certs/generalName/altNameEdiCert_diff
Binary files differ
new file mode 100755
index 000000000..50e5440d9
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameEdiCert_diff
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameIpCert b/security/nss/tests/libpkix/certs/generalName/altNameIpCert
Binary files differ
new file mode 100755
index 000000000..5f0e528a1
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameIpCert
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameIpCert_diff b/security/nss/tests/libpkix/certs/generalName/altNameIpCert_diff
Binary files differ
new file mode 100755
index 000000000..2407be54f
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameIpCert_diff
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameNoneCert b/security/nss/tests/libpkix/certs/generalName/altNameNoneCert
Binary files differ
new file mode 100755
index 000000000..f9c83dc95
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameNoneCert
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameOidCert b/security/nss/tests/libpkix/certs/generalName/altNameOidCert
Binary files differ
new file mode 100755
index 000000000..fa92c9ecd
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameOidCert
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameOidCert_diff b/security/nss/tests/libpkix/certs/generalName/altNameOidCert_diff
Binary files differ
new file mode 100755
index 000000000..635e4d143
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameOidCert_diff
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameOtherCert b/security/nss/tests/libpkix/certs/generalName/altNameOtherCert
Binary files differ
new file mode 100755
index 000000000..bdfc7cb6a
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameOtherCert
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameOtherCert_diff b/security/nss/tests/libpkix/certs/generalName/altNameOtherCert_diff
Binary files differ
new file mode 100755
index 000000000..bfc8a7973
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameOtherCert_diff
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameRfc822Cert b/security/nss/tests/libpkix/certs/generalName/altNameRfc822Cert
Binary files differ
new file mode 100755
index 000000000..9ad3271ab
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameRfc822Cert
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameRfc822Cert_diff b/security/nss/tests/libpkix/certs/generalName/altNameRfc822Cert_diff
Binary files differ
new file mode 100755
index 000000000..b8e5b2e70
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameRfc822Cert_diff
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameRfc822DnsCert b/security/nss/tests/libpkix/certs/generalName/altNameRfc822DnsCert
Binary files differ
new file mode 100755
index 000000000..89be1811d
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameRfc822DnsCert
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameUriCert b/security/nss/tests/libpkix/certs/generalName/altNameUriCert
Binary files differ
new file mode 100755
index 000000000..1f46e79f0
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameUriCert
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameUriCert_diff b/security/nss/tests/libpkix/certs/generalName/altNameUriCert_diff
Binary files differ
new file mode 100755
index 000000000..864e86fb5
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameUriCert_diff
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameX400Cert b/security/nss/tests/libpkix/certs/generalName/altNameX400Cert
Binary files differ
new file mode 100755
index 000000000..b0d10cf32
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameX400Cert
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameX400Cert_diff b/security/nss/tests/libpkix/certs/generalName/altNameX400Cert_diff
Binary files differ
new file mode 100755
index 000000000..652388847
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameX400Cert_diff
diff --git a/security/nss/tests/libpkix/certs/hanfeiyu2hanfeiyu b/security/nss/tests/libpkix/certs/hanfeiyu2hanfeiyu
Binary files differ
new file mode 100755
index 000000000..3f3452683
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/hanfeiyu2hanfeiyu
diff --git a/security/nss/tests/libpkix/certs/hy2hc-bc b/security/nss/tests/libpkix/certs/hy2hc-bc
Binary files differ
new file mode 100755
index 000000000..691b8d982
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/hy2hc-bc
diff --git a/security/nss/tests/libpkix/certs/hy2hy-bc0 b/security/nss/tests/libpkix/certs/hy2hy-bc0
Binary files differ
new file mode 100755
index 000000000..18b5fe4a8
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/hy2hy-bc0
diff --git a/security/nss/tests/libpkix/certs/issuer-hanfei.crl b/security/nss/tests/libpkix/certs/issuer-hanfei.crl
Binary files differ
new file mode 100755
index 000000000..6c9f0dbaa
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/issuer-hanfei.crl
diff --git a/security/nss/tests/libpkix/certs/issuer-none.crl b/security/nss/tests/libpkix/certs/issuer-none.crl
Binary files differ
new file mode 100755
index 000000000..c1c83ba2c
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/issuer-none.crl
diff --git a/security/nss/tests/libpkix/certs/keyIdentifier/authKeyIDCert b/security/nss/tests/libpkix/certs/keyIdentifier/authKeyIDCert
Binary files differ
new file mode 100755
index 000000000..7eae4863e
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/keyIdentifier/authKeyIDCert
diff --git a/security/nss/tests/libpkix/certs/keyIdentifier/subjKeyIDCert b/security/nss/tests/libpkix/certs/keyIdentifier/subjKeyIDCert
Binary files differ
new file mode 100755
index 000000000..a1f9e05f6
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/keyIdentifier/subjKeyIDCert
diff --git a/security/nss/tests/libpkix/certs/keyUsage/decipherOnlyCert b/security/nss/tests/libpkix/certs/keyUsage/decipherOnlyCert
Binary files differ
new file mode 100755
index 000000000..11a132d10
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/keyUsage/decipherOnlyCert
diff --git a/security/nss/tests/libpkix/certs/keyUsage/encipherOnlyCert b/security/nss/tests/libpkix/certs/keyUsage/encipherOnlyCert
Binary files differ
new file mode 100755
index 000000000..9b9377119
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/keyUsage/encipherOnlyCert
diff --git a/security/nss/tests/libpkix/certs/keyUsage/multiKeyUsagesCert b/security/nss/tests/libpkix/certs/keyUsage/multiKeyUsagesCert
Binary files differ
new file mode 100755
index 000000000..f9c83dc95
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/keyUsage/multiKeyUsagesCert
diff --git a/security/nss/tests/libpkix/certs/keyUsage/noKeyUsagesCert b/security/nss/tests/libpkix/certs/keyUsage/noKeyUsagesCert
Binary files differ
new file mode 100755
index 000000000..c58d9a2aa
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/keyUsage/noKeyUsagesCert
diff --git a/security/nss/tests/libpkix/certs/make-ca-u50-u51 b/security/nss/tests/libpkix/certs/make-ca-u50-u51
new file mode 100755
index 000000000..5d8f920a9
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/make-ca-u50-u51
@@ -0,0 +1,37 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+mkdir tmp
+cd tmp
+dd if=/dev/urandom bs=512 count=1 of=noise
+echo "" > pwfile
+
+certutil -d . -N -f pwfile
+
+certutil -S -z noise -g 1024 -d . -n ca -s "CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t C,C,C -x -m 1 -w -1 -v 600 -1 -2 -5 <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n u50 -s "CN=TestUser50,E=TestUser50@bogus.com,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 50 -v 598
+
+certutil -S -z noise -g 1024 -d . -n u51 -s "CN=TestUser51,E=TestUser51@bogus.com,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 51 -v 598
+
+certutil -d . -L -n ca -r > TestCA.ca.cert
+certutil -d . -L -n u50 -r > TestUser50.cert
+certutil -d . -L -n u51 -r > TestUser51.cert
+
+echo "Created multiple files in subdirectory tmp: TestCA.ca.cert TestUser50.cert TestUser51.cert"
diff --git a/security/nss/tests/libpkix/certs/make-nc b/security/nss/tests/libpkix/certs/make-nc
new file mode 100755
index 000000000..aaab1edfa
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/make-nc
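Review bot: `cd tmp` at the top of make-ca-u50-u51 is unchecked, so if `mkdir tmp` fails (the directory is left over from a previous run, or the cwd is not writable) the script carries on in the caller's directory, where `certutil -d . -N -f pwfile` and the following `-S` calls create a fresh database and certificates, while the closing echo still claims the files are in tmp. `mkdir tmp && cd tmp || exit 1` makes that failure stop the script. The same unchecked `mkdir tmp` / `cd tmp` prefix opens make-nc in the next hunk.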
@@ -0,0 +1,508 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +mkdir tmp +cd tmp +dd if=/dev/urandom bs=512 count=1 of=noise +echo "" > pwfile + +certutil -d . -N -f pwfile + +certutil -S -z noise -g 1024 -d . -n ca -s "CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t C,C,C -x -m 1 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT +5 +6 +9 +n +y + +n +5 +6 +7 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n ica -s "CN=NSS Intermediate CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 20 -w -1 -v 118 -1 -2 -5 --extNC <<CERTSCRIPT +5 +6 +9 +n +y + +n +3 +.example +1 +n +n +5 +6 +7 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server1 -s "CN=test.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica -m 40 -v 115 -1 -2 -5 -8 test.invalid <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server2 -s "CN=another_test.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica -m 41 -v 115 -1 -2 -5 <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server3 -s "CN=test.example,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica -m 42 -v 115 -1 -2 -5 -8 test.example <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n ica2 -s "CN=NSS Intermediate CA 2,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica -m 21 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT +5 +6 +9 +n +y + +n +5 +6 +7 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server4 -s "CN=test2.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica2 -m 50 -v 115 -1 -2 -5 -8 test.invalid <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . 
-n server5 -s "CN=another_test2.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica2 -m 51 -v 115 -1 -2 -5 <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + + +certutil -S -z noise -g 1024 -d . -n server6 -s "CN=test2.example,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica2 -m 52 -v 115 -1 -2 -5 -8 test.example <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n ica3 -s "CN=NSS Intermediate CA3,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 21 -w -1 -v 118 -1 -2 -5 --extNC <<CERTSCRIPT +5 +6 +9 +n +y + +n +3 +foo.example +1 +y +5 +O=Foo,st=ca,c=us +1 +n +n +5 +6 +7 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n ica4 -s "CN=NSS Intermediate CA 2,O=Foo,ST=CA,C=US" -t ,, -c ica3 -m 61 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT +5 +6 +9 +n +y + +n +5 +6 +7 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server7 -s "CN=bat.foo.example,ou=bar,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 41 -v 115 -1 -2 -5 <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server8 -s "CN=bat.foo.example,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 42 -v 115 -1 -2 -5 <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server9 -s "CN=bat.foo.example,O=Foo,C=US" -t ,, -c ica4 -m 43 -v 115 -1 -2 -5 <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server10 -s "CN=bar.example,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 44 -v 115 -1 -2 -5 <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server11 -s "CN=site.example,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 45 -v 115 -1 -2 -5 -8 foo.example <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . 
-n server12 -s "CN=Honest Achmed,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 46 -v 115 -1 -2 -5 <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n ica5 -s "CN=NSS Intermediate CA 2,O=OtherOrg,ST=CA,C=US" -t ,, -c ica3 -m 62 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT +5 +6 +9 +n +y + +n +5 +6 +7 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server13 -s "CN=bat.foo.example,O=OtherOrg,ST=CA,C=US" -t ,, -c ica5 -m 41 -v 115 -1 -2 -5 <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server14 -s "CN=another.foo.example,O=Foo,ST=CA,C=US" -t ,, -c ica5 -m 490 -v 115 -1 -2 -5 <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n ncca -s "CN=NSS Name Constrained Root CA,O=BOGUS NSS,L=Mountain View,ST=CA,C=US" -t C,C,C -x -m 2 -w -1 -v 118 -1 -2 -5 --extNC <<CERTSCRIPT +5 +6 +9 +n +y + +n +3 +.example +1 +n +n +5 +6 +7 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n ica6 -s "CN=NSS Intermediate CA6,O=OtherOrg,ST=CA,C=US" -t ,, -c ncca -m 63 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT +5 +6 +9 +n +y + +n +5 +6 +7 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server15 -s "CN=testfoo.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica6 -m 64 -v 115 -1 -2 -5 -8 testfoo.invalid <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server16 -s "CN=another_test3.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica6 -m 65 -v 115 -1 -2 -5 <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server17 -s "CN=test4.example,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica6 -m 66 -v 115 -1 -2 -5 -8 test4.example <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +#DCISS copy certs +certutil -S -z noise -g 2048 -d . 
-n dcisscopy -s "E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR" -t C,C,C -x -m 998899 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT +5 +6 +9 +n +y + +n +5 +6 +7 +9 +n +CERTSCRIPT + +#the following cert MUST not pass +certutil -S -z noise -g 2048 -d . -n dcissblocked -s "CN=foo.example.com,O=Foo,ST=CA,C=US" -t ,, -c dcisscopy -m 998900 -v 120 -1 -2 -5 <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +#the following cert MUST pass +certutil -S -z noise -g 2048 -d . -n dcissallowed -s "CN=foo.example.fr,O=Foo,ST=CA,C=US" -t ,, -c dcisscopy -m 998901 -v 120 -1 -2 -5 <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + + + +certutil -d . -L -n ca -r > NameConstraints.ca.cert +certutil -d . -L -n ica -r > NameConstraints.intermediate.cert +certutil -d . -L -n server1 -r > NameConstraints.server1.cert +certutil -d . -L -n server2 -r > NameConstraints.server2.cert +certutil -d . -L -n server3 -r > NameConstraints.server3.cert +certutil -d . -L -n ica2 -r > NameConstraints.intermediate2.cert +certutil -d . -L -n server4 -r > NameConstraints.server4.cert +certutil -d . -L -n server5 -r > NameConstraints.server5.cert +certutil -d . -L -n server6 -r > NameConstraints.server6.cert +certutil -d . -L -n ica3 -r > NameConstraints.intermediate3.cert +certutil -d . -L -n ica4 -r > NameConstraints.intermediate4.cert +certutil -d . -L -n server7 -r > NameConstraints.server7.cert +certutil -d . -L -n server8 -r > NameConstraints.server8.cert +certutil -d . -L -n server9 -r > NameConstraints.server9.cert +certutil -d . -L -n server10 -r > NameConstraints.server10.cert +certutil -d . -L -n server11 -r > NameConstraints.server11.cert +certutil -d . -L -n server11 -r > NameConstraints.server11.cert +certutil -d . -L -n server12 -r > NameConstraints.server12.cert +certutil -d . -L -n ica5 -r > NameConstraints.intermediate5.cert +certutil -d . -L -n server13 -r > NameConstraints.server13.cert +certutil -d . 
-L -n server14 -r > NameConstraints.server14.cert +certutil -d . -L -n ncca -r > NameConstraints.ncca.cert +certutil -d . -L -n ica6 -r > NameConstraints.intermediate6.cert +certutil -d . -L -n server15 -r > NameConstraints.server15.cert +certutil -d . -L -n server16 -r > NameConstraints.server16.cert +certutil -d . -L -n server17 -r > NameConstraints.server17.cert +certutil -d . -L -n dcisscopy -r > NameConstraints.dcisscopy.cert +certutil -d . -L -n dcissblocked -r > NameConstraints.dcissblocked.cert +certutil -d . -L -n dcissallowed -r > NameConstraints.dcissallowed.cert + +echo "Created multiple files in subdirectory tmp: NameConstraints.ca.cert NameConstraints.intermediate.cert NameConstraints.server1.cert NameConstraints.server2.cert NameConstraints.server3.cert NameConstraints.intermediate2.cert NameConstraints.server4.cert NameConstraints.server5.cert NameConstraints.server6.cert" diff --git a/security/nss/tests/libpkix/certs/noExtensionsCert b/security/nss/tests/libpkix/certs/noExtensionsCert Binary files differnew file mode 100755 index 000000000..f3dc1c973 --- /dev/null +++ b/security/nss/tests/libpkix/certs/noExtensionsCert diff --git a/security/nss/tests/libpkix/certs/nss2alice b/security/nss/tests/libpkix/certs/nss2alice Binary files differnew file mode 100755 index 000000000..48172a5ed --- /dev/null +++ b/security/nss/tests/libpkix/certs/nss2alice diff --git a/security/nss/tests/libpkix/certs/publicKey/dsaWithParams b/security/nss/tests/libpkix/certs/publicKey/dsaWithParams Binary files differnew file mode 100755 index 000000000..a1f9e05f6 --- /dev/null +++ b/security/nss/tests/libpkix/certs/publicKey/dsaWithParams diff --git a/security/nss/tests/libpkix/certs/publicKey/dsaWithoutParams b/security/nss/tests/libpkix/certs/publicKey/dsaWithoutParams Binary files differnew file mode 100755 index 000000000..7eae4863e --- /dev/null +++ b/security/nss/tests/libpkix/certs/publicKey/dsaWithoutParams 
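Review bot: The export block near the end of make-nc contains `certutil -d . -L -n server11 -r > NameConstraints.server11.cert` twice; every other nickname created above (server1 through server17, the intermediates, ncca and the dciss* certs) is exported exactly once, so the second copy looks like a copy-paste slip and can be dropped. The closing `echo` names only the files up to NameConstraints.server6.cert although the script also writes intermediate3 to intermediate6, server7 to server17, ncca and the three dciss* files; either list them all or say `echo "Created the NameConstraints.*.cert files in subdirectory tmp"`. The `#the following cert MUST not pass` / `#the following cert MUST pass` comments on dcissblocked and dcissallowed state a verdict without saying which check is expected to produce it; a one-line pointer to the test that consumes NameConstraints.dciss*.cert would help whoever regenerates these fixtures, since the consumer is not visible in this hunk.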
diff --git a/security/nss/tests/libpkix/certs/publicKey/labs2yassir b/security/nss/tests/libpkix/certs/publicKey/labs2yassir
Binary files differ
new file mode 100755
index 000000000..f5fe26115
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/publicKey/labs2yassir
diff --git a/security/nss/tests/libpkix/certs/publicKey/yassir2labs b/security/nss/tests/libpkix/certs/publicKey/yassir2labs
Binary files differ
new file mode 100755
index 000000000..f94385403
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/publicKey/yassir2labs
diff --git a/security/nss/tests/libpkix/certs/sun2sun b/security/nss/tests/libpkix/certs/sun2sun
Binary files differ
new file mode 100755
index 000000000..c75192be1
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/sun2sun
diff --git a/security/nss/tests/libpkix/certs/yassir2bcn b/security/nss/tests/libpkix/certs/yassir2bcn
Binary files differ
new file mode 100755
index 000000000..f9c83dc95
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/yassir2bcn
diff --git a/security/nss/tests/libpkix/certs/yassir2yassir b/security/nss/tests/libpkix/certs/yassir2yassir
Binary files differ
new file mode 100755
index 000000000..8444af5a3
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/yassir2yassir
diff --git a/security/nss/tests/libpkix/common/libpkix_init.sh b/security/nss/tests/libpkix/common/libpkix_init.sh
new file mode 100644
index 000000000..01eb070e1
--- /dev/null
+++ b/security/nss/tests/libpkix/common/libpkix_init.sh
@@ -0,0 +1,324 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# libpkix_init.sh +# + +### when the script is exiting, handle it in the Cleanup routine...the result +### value will get set to 0 if all the tests completed successfully, so we can +### use that value in the handler + +trap 'Cleanup' EXIT + +result=1 +checkmem=0 +arenas=0 +quiet=0 + +doNIST=1 +doNIST_PDTest=0 +doPD=0 +doTop=0 +doModule=0 +doPki=0 +doOCSP=0 +doOCSPTest=0 + +combinedErrors=0 +totalErrors=0 +prematureTermination=0 +errors=0 + +if [ -z "${INIT_SOURCED}" ] ; then + libpkixCommondir=`pwd` + cd ../../common + . ./init.sh > /dev/null + cd ${libpkixCommondir} +fi + +DIST_BIN=${DIST}/${OBJDIR}/bin + +### setup some defaults +WD=`pwd` +prog=`basename $0` +testOut=${HOSTDIR}/${prog}.$$ +testOutMem=${HOSTDIR}/${prog}_mem.$$ + +#################### +# cleanup from tests +#################### +Cleanup() +{ + if [ ${testOut} != "" ]; then + rm -f ${testOut} + fi + + if [ ${testOutMem} != "" ]; then + rm -f ${testOutMem} + fi + + if [ -d ../../nist_pkits/certs ]; then + rm -f ../../nist_pkits/certs + fi + + if [ ${doTop} -eq 1 ]; then + for i in ${linkMStoreNistFiles}; do + if [ -f ${HOSTDIR}/rev_data/multiple_certstores/$i ]; then + rm -f ${HOSTDIR}/rev_data/multiple_certstores/$i + fi + done + if [ -d ${HOSTDIR}/rev_data/multiple_certstores ]; then + rm -fr ${HOSTDIR}/rev_data/multiple_certstores + fi + fi + + if [ ${doModule} -eq 1 ]; then + for i in ${linkModuleNistFiles}; do + if [ -f ${HOSTDIR}/rev_data/local/$i ]; then + rm -f ${HOSTDIR}/rev_data/local/$i + fi + done + for i in ${localCRLFiles}; do + if [ -f ${HOSTDIR}/rev_data/local/$i ]; then + rm -f ${HOSTDIR}/rev_data/local/$i + fi + done + fi + + if [ ${doPki} -eq 1 ]; then + for i in ${linkPkiNistFiles}; do + if [ -f ${HOSTDIR}/rev_data/local/$i ]; then + rm -f 
${HOSTDIR}/rev_data/local/$i + fi + done + fi + + return ${result} +} + +### ParseArgs +ParseArgs() # args +{ + while [ $# -gt 0 ]; do + if [ $1 = "-checkmem" ]; then + checkmem=1 + elif [ $1 = "-quiet" ]; then + quiet=1 + elif [ $1 = "-arenas" ]; then + arenas=1 + fi + shift + done +} + +Display() # string +{ + if [ ${quiet} -eq 0 ]; then + echo "$1" + fi +} + +testHeadingEcho() +{ + echo "*******************************************************************************" + echo "START OF TESTS FOR ${testunit}${memText}" + echo "*******************************************************************************" + echo "" +} + +testEndingEcho() +{ + if [ ${totalErrors} -eq 0 ]; then + echo "" + echo "************************************************************" + echo "END OF TESTS FOR ${testunit}: ALL TESTS COMPLETED SUCCESSFULLY" + echo "************************************************************" + echo "" + return 0 + fi + + if [ ${totalErrors} -eq 1 ]; then + plural="" + else + plural="S" + fi + + echo "" + echo "************************************************************" + echo "END OF TESTS FOR ${testunit}: ${totalErrors} TEST${plural} FAILED" + echo "************************************************************" + echo "" + return ${totalErrors} +} + +########### +# RunTests +########### +RunTests() +{ + errors=0 + memErrors=0 + prematureErrors=0 + + failedpgms="" + failedmempgms="" + failedprematurepgms="" + memText="" + arenaCmd="" + + if [ ${checkmem} -eq 1 ]; then + memText=" (Memory Checking Enabled)" + fi + + if [ ${arenas} -eq 1 ]; then + arenaCmd="-arenas" + fi + + # + # Announce start of tests + # + Display "*******************************************************************************" + Display "START OF TESTS FOR PKIX ${testunit} ${memText}" + Display "*******************************************************************************" + Display "" + + # run each test specified by the input redirection below + + while read testPgm args; do + + 
shortTestPurpose=`echo $args | awk '{print $1 " " $2 " "}'` + fullTestPurpose=${args} + if [ ${doTop} -eq 1 -o ${doModule} -eq 1 -o ${doPki} -eq 1 ]; then + testPurpose=${shortTestPurpose} + else + testPurpose=${fullTestPurpose} + fi + + # If we want shorter command printout for NIST tests, delete next line + testPurpose=${fullTestPurpose} + + # Skip OCSP tests if OCSP is not defined in the environment + if [ ${doOCSPTest} -eq 0 ]; then + hasOCSP=`echo ${args} | grep OCSP-Test` + if [ ! -z "${hasOCSP}" ]; then + Display "SKIPPING ${testPgm} ${testPurpose}" + continue + fi + fi + + if [ ${doNIST} -eq 0 ]; then + hasNIST=`echo ${args} | grep NIST-Test` + if [ ! -z "${hasNIST}" ]; then + Display "SKIPPING ${testPgm} ${testPurpose}" + continue + fi + fi + + # This "if" is not reached when doNIST is not set. The assumption + # is that NIST tests are basic, NIST Path Discovery tests are + # additional + if [ ${doNIST_PDTest} -eq 0 ]; then + hasNIST=`echo ${args} | grep NIST-PDTest` + if [ ! -z "${hasNIST}" ]; then + Display "SKIPPING ${testPgm} ${testPurpose}" + continue + fi + fi + + Display "RUNNING ${testPgm} ${arenaCmd} ${testPurpose}" + + numtests=`expr ${numtests} + 1` + + if [ ${checkmem} -eq 1 ]; then + dbx -C -c "runargs ${arenaCmd} ${args};check -all;run;exit" ${DIST_BIN}/${testPgm} > ${testOut} 2>&1 + else + ${DIST_BIN}/${testPgm} ${arenaCmd} ${args} > ${testOut} 2>&1 + fi + + # Examine output file to see if test failed and keep track of number + # of failures and names of failed tests. This assumes that the test + # uses our utility library for displaying information + + cat ${testOut} | tail -2 | grep "COMPLETED SUCCESSFULLY" >/dev/null 2>&1 + + if [ $? 
-ne 0 ]; then + testFail=1 + errors=`expr ${errors} + 1` + failedpgms="${failedpgms}\n${testPgm} ${testPurpose} " +# cat ${testOut} + else + testFail=0 + passed=`expr ${passed} + 1` + fi + cat ${testOut} + html_msg ${testFail} 0 "${testPgm} ${arenaCmd} ${shortTestPurpose}" + + if [ ${checkmem} -eq 1 ]; then + grep "(actual leaks:" ${testOut} > ${testOutMem} 2>&1 + if [ $? -ne 0 ]; then + prematureErrors=`expr ${prematureErrors} + 1` + failedprematurepgms="${failedprematurepgms}${testPgm} " + Display "...program terminated prematurely (unable to check for memory leak errors) ..." + else + #grep "(actual leaks: 0" ${testOut} > /dev/null 2>&1 + # special consideration for memory leak in NSS_NoDB_Init + grep "(actual leaks: 1 total size: 4 bytes)" ${testOut} > /dev/null 2>&1 + if [ $? -ne 0 ]; then + memErrors=`expr ${memErrors} + 1` + failedmempgms="${failedmempgms}${testPgm} " + cat ${testOutMem} + fi + fi + fi + + done + + if [ ${errors} -eq 0 ]; then + if [ ${memErrors} -eq 0 ]; then + Display "" + Display "************************************************************" + Display "END OF TESTS FOR PKIX ${testunit}: ALL TESTS COMPLETED SUCCESSFULLY" + Display "************************************************************" + Display "" + return 0 + fi + fi + + if [ ${errors} -eq 1 ]; then + plural="" + else + plural="S" + fi + + Display "" + Display "*******************************************************************************" + Display "END OF TESTS FOR PKIX ${testunit}: ${errors} UNIT TEST${plural} FAILED: ${failedpgms}" + Display "" + if [ ${checkmem} -eq 1 ]; then + if [ ${memErrors} -eq 1 ]; then + memPlural="" + else + memPlural="S" + fi + Display " ${memErrors} MEMORY LEAK TEST${memPlural} FAILED: ${failedmempgms}" + + if [ ${prematureErrors} -ne 0 ]; then + if [ ${prematureErrors} -eq 1 ]; then + prematurePlural="" + else + prematurePlural="S" + fi + Display " ${prematureErrors} MEMORY LEAK TEST${prematurePlural} INDETERMINATE: ${failedprematurepgms}" + fi + 
+ fi + Display "*******************************************************************************" + Display "" + combinedErrors=`expr ${errors} + ${memErrors} + ${prematureErrors}` + + return ${combinedErrors} + +} diff --git a/security/nss/tests/libpkix/common/libpkix_init_nist.sh b/security/nss/tests/libpkix/common/libpkix_init_nist.sh new file mode 100644 index 000000000..d4dfd2a6c --- /dev/null +++ b/security/nss/tests/libpkix/common/libpkix_init_nist.sh 
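Review bot: In Cleanup, `if [ ${testOut} != "" ]` and the matching `${testOutMem}` test leave the expansion unquoted, so an empty value turns the test into `[ != "" ]`, which is a syntax error rather than a false result; the same applies to `[ $1 = "-checkmem" ]` in ParseArgs when a caller passes an empty argument. `if [ -n "${testOut}" ]; then`, `if [ -n "${testOutMem}" ]; then` and `if [ "$1" = "-checkmem" ]; then` keep the intent and cannot fail that way. Separately, the `-d ../../nist_pkits/certs` guard is followed by `rm -f` without `-r`, which only succeeds when that path is a symlink to a directory — presumably what is intended, but a comment such as `# certs is a symlink made by the NIST setup; remove the link, never its target` would stop someone "fixing" it to `rm -rf`. Finally, `result=1` is assigned at the top and returned from the EXIT trap via Cleanup, yet nothing in this file changes it; if the sourcing script is expected to set `result=0` on success, say so on the assignment.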
@@ -0,0 +1,70 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# libpkix_init_nist.sh
+#
+
+#
+# Any test that uses NIST files should have a tag of either NIST-Test or
+# NIST-Test-Files-Used at the command option so if there are no NIST files
+# installed in the system, the test can be skipped
+#
+
+if [ -z "${NIST_FILES_DIR}" ] ; then
+ Display ""
+ Display "*******************************************************************************"
+ Display "The environment variable NIST_FILES_DIR is not defined. Therefore"
+ Display "tests depending on it will be skipped. To enable these tests set"
+ Display "NIST_FILES_DIR to the directory where NIST Certificates and CRLs"
+ Display "are located."
+ Display "*******************************************************************************"
+ Display ""
+ doNIST=0
+else
+
+ NIST=${NIST_FILES_DIR}
+ doNIST=1
+fi
+
+#
+# Any tests that use NIST Path Discovery files should have a tag of NIST-PDTest
+# at the command option so if there are no NIST Path Discovery files
+# installed in the system, the test can be skipped
+#
+if [ ${doPD} -eq 1 -a -z "${PDVAL}" ] ; then
+
+ Display ""
+ Display "*******************************************************************************"
+ Display "The environment variable PDVAL is not defined. Therefore tests"
+ Display "depending on it will be skipped. To enable these tests set PDVAL to"
+ Display "the directory where NIST Path Discovery Certificates are located."
+ Display "*******************************************************************************"
+ Display ""
+ doNIST_PDTest=0
+else
+
+ NIST_PDTEST=${PDVAL}
+ doNIST_PDTest=1
+fi
+
+#
+# Any tests that use an OCSP Server should have a tag of OCSP-Test at the
+# command option so if there is no OCSP Server installed in the system, the
+# test can be skipped
+#
+if [ ${doOCSP} -eq 1 -a -z "${OCSP}" ] ; then
+
+ Display ""
+ Display "*******************************************************************************"
+ Display "The environment variable OCSP is not defined. Therefore tests"
+ Display "depending on it will be skipped. To enable these tests set OCSP"
+ Display "non-NULL (the actual URI used is taken from the AIA extension)."
+ Display "*******************************************************************************"
+ Display ""
+ doOCSPTest=0
+else
+ doOCSPTest=1
+fi
diff --git a/security/nss/tests/libpkix/libpkix.sh b/security/nss/tests/libpkix/libpkix.sh
new file mode 100755
index 000000000..25d38ccbe
--- /dev/null
+++ b/security/nss/tests/libpkix/libpkix.sh
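Review bot: The `else` branches of the PDVAL and OCSP blocks set `doNIST_PDTest=1` and `doOCSPTest=1` whenever the `if` is false, which includes `doPD=0` (or `doOCSP=0`) with the variable unset; RunTests in libpkix_init.sh only skips NIST-PDTest and OCSP-Test entries when those flags are 0, so tests that were meant to be opt-in through doPD/doOCSP would run with an empty NIST_PDTEST or OCSP if they appear in the test list. Writing `doNIST_PDTest=${doPD}` and `doOCSPTest=${doOCSP}` in the two `else` branches (the message branch stays for the `doPD=1`/unset case) ties the run flag to the opt-in flag. Whether the test lists actually contain such entries when doPD or doOCSP is 0 is not visible in this hunk.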
@@ -0,0 +1,139 @@
+#! /bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runTests.sh
+#
+
+totalErrors=0
+pkixErrors=0
+pkixplErrors=0
+checkMemArg=""
+arenasArg=""
+quietArg=""
+memText=""
+
+############################## libpkix_init ###############################
+# local shell function to initialize this script
+########################################################################
+libpkix_init()
+{
+ SCRIPTNAME="libpkix.sh"
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+
+ LIBPKIX_CURDIR=`pwd`
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ] ; then
+ cd ../common
+ . ./init.sh
+ fi
+ cd ${LIBPKIX_CURDIR}
+
+ SCRIPTNAME="libpkix.sh"
+}
+
+############################## libpkix_cleanup ############################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+libpkix_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+############################## libpkix_UT_main ############################
+# local shell function to run libpkix unit tests
+########################################################################
+ParseArgs ()
+{
+ while [ $# -gt 0 ]; do
+ if [ $1 == "-checkmem" ]; then
+ checkMemArg=$1
+ memText=" (Memory Checking Enabled)"
+ elif [ $1 == "-quiet" ]; then
+ quietArg=$1
+ elif [ $1 == "-arenas" ]; then
+ arenasArg=$1
+ fi
+ shift
+ done
+}
+
+libpkix_UT_main()
+{
+
+html_head "LIBPKIX Unit Tests"
+
+ParseArgs
+
+echo "*******************************************************************************"
+echo "START OF ALL TESTS${memText}"
+echo "*******************************************************************************"
+echo ""
+
+echo "RUNNING tests in pkix_pl_test";
+html_msg 0 0 "Running tests in pkix_pl_test:"
+cd pkix_pl_tests;
+runPLTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+pkixplErrors=$?
+html_msg $? 0 "Results of tests in pkix_pl_test"
+
+echo "RUNNING tests in pkix_test";
+html_msg 0 0 "Running tests in pkix_test:"
+cd ../pkix_tests;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+pkixErrors=$?
+html_msg $? 0 "Results of tests in pkix_test"
+
+echo "RUNNING performance tests in sample_apps";
+html_msg 0 0 "Running performance tests in sample_apps:"
+cd ../sample_apps;
+runPerf.sh ${arenasArg} ${checkMemArg} ${quietArg}
+pkixPerfErrors=$?
+html_msg $? 0 "Results of performance tests in sample_apps"
+
+totalErrors=`expr ${pkixErrors} + ${pkixplErrors} + ${pkixPerfErrors}`
+
+if [ ${totalErrors} -eq 0 ]; then
+ echo ""
+ echo "************************************************************"
+ echo "END OF ALL TESTS: ALL TESTS COMPLETED SUCCESSFULLY"
+ echo "************************************************************"
+ html_msg ${totalErrors} 0 "ALL LIBPKIX TESTS COMPLETED SUCCESSFULLY"
+
+ return 0
+fi
+
+if [ ${totalErrors} -eq 1 ]; then
+ plural=""
+else
+ plural="S"
+fi
+
+if [ ${totalErrors} -ne 0 ]; then
+ echo ""
+ echo "************************************************************"
+ echo "END OF ALL TESTS: ${totalErrors} TEST${plural} FAILED"
+ echo "************************************************************"
+ html_msg 1 0 "${totalErrors} LIBPKIX TEST${plural} FAILED"
+return 1
+fi
+}
+
+libpkix_run_tests()
+{
+ if [ -n "${BUILD_LIBPKIX_TESTS}" ]; then
+ libpkix_UT_main
+ fi
+}
+
+################## main #################################################
+
+libpkix_init
+libpkix_run_tests
+libpkix_cleanup
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/cert8.db b/security/nss/tests/libpkix/pkix_pl_tests/module/cert8.db
Binary files differ
new file mode 100755
index 000000000..f09bebbcf
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/cert8.db
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/key3.db b/security/nss/tests/libpkix/pkix_pl_tests/module/key3.db
Binary files differ
new file mode 100755
index 000000000..5c3b3ebbb
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/key3.db
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/crldiff.crl b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/crldiff.crl
Binary files differ
new file mode 100755
index 000000000..d076ef89f
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/crldiff.crl
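Review bot: In libpkix_UT_main the three `html_msg $? 0 "Results of ..."` lines report the status of the preceding assignment (`pkixplErrors=$?`, which always succeeds), not of the test run, so failures in pkix_pl_tests, pkix_tests and sample_apps are logged as passes and only the final total catches them. Pass the captured value instead: `html_msg ${pkixplErrors} 0 "Results of tests in pkix_pl_test"`, and the same with `${pkixErrors}` and `${pkixPerfErrors}` for the other two. Separately, `ParseArgs` in this file compares with `==` under `#! /bin/sh`, while pkix_pl_tests/runPLTests.sh and pkix_tests/runTests.sh in this commit use the POSIX `=`; a strict sh such as dash rejects `==` inside `[`. ParseArgs is also invoked with no arguments from libpkix_UT_main, so the -checkmem/-quiet/-arenas flags it parses can never reach it.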
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/crlgood.crl b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/crlgood.crl
Binary files differ
new file mode 100755
index 000000000..1ad019ed1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/crlgood.crl
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/issuer-hanfei.crl b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/issuer-hanfei.crl
Binary files differ
new file mode 100755
index 000000000..6c9f0dbaa
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/issuer-hanfei.crl
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/issuer-none.crl b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/issuer-none.crl
Binary files differ
new file mode 100755
index 000000000..c1c83ba2c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/issuer-none.crl
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_all.crt b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_all.crt
Binary files differ
new file mode 100755
index 000000000..89b59d17d
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_all.crt
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_allbutcodesigningEE.crt b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_allbutcodesigningEE.crt
Binary files differ
new file mode 100755
index 000000000..a80c10cd3
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_allbutcodesigningEE.crt
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_clientauth.crt b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_clientauth.crt
Binary files differ
new file mode 100755
index 000000000..3cd7bc9bc
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_clientauth.crt
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_clientauthEE.crt b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_clientauthEE.crt
Binary files differ
new file mode 100755
index 000000000..b0119ed26
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_clientauthEE.crt
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_codesigning_clientauth.crt b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_codesigning_clientauth.crt
Binary files differ
new file mode 100755
index 000000000..f90df0dac
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_codesigning_clientauth.crt
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/runPLTests.sh b/security/nss/tests/libpkix/pkix_pl_tests/module/runPLTests.sh
new file mode 100755
index 000000000..4c4cebe28
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/runPLTests.sh
@@ -0,0 +1,101 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runPLTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+. ./libpkix_init_nist.sh
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=MODULE
+doModule=1
+
+### setup NIST files need to link in
+linkModuleNistFiles="InvalidDNnameConstraintsTest3EE.crt
+ InvalidonlySomeReasonsTest21EE.crt
+ indirectCRLCA3cRLIssuerCRL.crl
+ nameConstraintsDN3subCA2Cert.crt
+ nameConstraintsDN4CACert.crt
+ nameConstraintsDN5CACert.crt
+ onlyContainsAttributeCertsCACRL.crl
+ onlyContainsCACertsCACRL.crl
+ onlyContainsUserCertsCACRL.crl
+ onlySomeReasonsCA3compromiseCRL.crl
+ requireExplicitPolicy2CACert.crt
+ inhibitPolicyMapping5CACert.crt
+ inhibitAnyPolicy5CACert.crt
+ inhibitAnyPolicy0CACert.crt
+ P1Mapping1to234CACert.crt
+ UserNoticeQualifierTest15EE.crt
+ UserNoticeQualifierTest16EE.crt
+ UserNoticeQualifierTest17EE.crt
+ UserNoticeQualifierTest18EE.crt
+ CPSPointerQualifierTest20EE.crt"
+
+if [ -n "${NIST_FILES_DIR}" ]; then
+ if [ ! -d ${HOSTDIR}/rev_data/local ]; then
+ mkdir -p ${HOSTDIR}/rev_data/local
+ fi
+
+ for i in ${linkModuleNistFiles}; do
+ if [ -f ${HOSTDIR}/rev_data/local/$i ]; then
+ rm ${HOSTDIR}/rev_data/local/$i
+ fi
+ cp ${NIST_FILES_DIR}/$i ${HOSTDIR}/rev_data/local/$i
+ done
+
+ localCRLFiles="crlgood.crl
+ crldiff.crl
+ issuer-hanfei.crl
+ issuer-none.crl"
+
+ for i in ${localCRLFiles}; do
+ cp ${curdir}/rev_data/local/$i ${HOSTDIR}/rev_data/local/$i
+ done
+fi
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+SOCKETTRACE=0
+export SOCKETTRACE
+
+RunTests <<EOF
+pkixutil test_colcertstore NIST-Test-Files-Used rev_data/local ${HOSTDIR}
+pkixutil test_pk11certstore -d ../../pkix_pl_tests/module ../../pkix_tests/top/rev_data/crlchecker
+pkixutil test_ekuchecker "Test-EKU-without-OID" ENE "" rev_data test_eku_codesigning_clientauth.crt test_eku_clientauth.crt test_eku_clientauthEE.crt
+pkixutil test_ekuchecker "Test-EKU-with-good-OID" ENE "1.3.6.1.5.5.7.3.3" rev_data test_eku_codesigning_clientauth.crt test_eku_clientauth.crt test_eku_clientauthEE.crt
+pkixutil test_ekuchecker "Test-EKU-with-bad-OID" EE "1.3.6.1.5.5.7.3.4" rev_data test_eku_codesigning_clientauth.crt test_eku_clientauth.crt test_eku_clientauthEE.crt
+pkixutil test_ekuchecker "Test-EKU-with-good-and-bad-OID" EE "1.3.6.1.5.5.7.3.3,1.3.6.1.5.5.7.3.4" rev_data test_eku_codesigning_clientauth.crt test_eku_clientauth.crt test_eku_clientauthEE.crt
+pkixutil test_ekuchecker "Test-EKU-only-EE-with-good-OID" ENE "E1.3.6.1.5.5.7.3.3" rev_data test_eku_codesigning_clientauth.crt test_eku_clientauth.crt test_eku_clientauthEE.crt
+pkixutil test_ekuchecker "Test-EKU-only-EE-with-bad-OID" EE "E1.3.6.1.5.5.7.3.4" rev_data test_eku_codesigning_clientauth.crt test_eku_clientauth.crt test_eku_clientauthEE.crt
+pkixutil test_ekuchecker "Test-EKU-serverAuth" ENE "1.3.6.1.5.5.7.3.1" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-clientAuth" ENE "1.3.6.1.5.5.7.3.2" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-codesigning-without-OID" EE "1.3.6.1.5.5.7.3.3" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-emailProtection" ENE "1.3.6.1.5.5.7.3.4" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-timestamping" ENE "1.3.6.1.5.5.7.3.8" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-OCSPSigning" ENE "1.3.6.1.5.5.7.3.9" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-only-EE-serverAuth" ENE "E1.3.6.1.5.5.7.3.1" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-only-EE-clientAuth" ENE "E1.3.6.1.5.5.7.3.2" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-only-EE-codesigning-without-OID" EE "E1.3.6.1.5.5.7.3.3" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-only-EE-emailProtection" ENE "E1.3.6.1.5.5.7.3.4" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-only-EE-timestamping" ENE "E1.3.6.1.5.5.7.3.8" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-only-EE-ocspSigning" ENE "E1.3.6.1.5.5.7.3.9" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_socket ${HOSTADDR}:2000
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 " ${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
+
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/secmod.db b/security/nss/tests/libpkix/pkix_pl_tests/module/secmod.db
Binary files differ
new file mode 100755
index 000000000..772583d58
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/secmod.db
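Review bot: `${HOSTDIR}` is used unquoted and unchecked throughout the NIST file setup (`mkdir -p ${HOSTDIR}/rev_data/local`, `rm ${HOSTDIR}/rev_data/local/$i`, `cp ... ${HOSTDIR}/rev_data/local/$i`); if libpkix_init.sh did not set it, the script creates and deletes files under `/rev_data/local` instead of the host results directory. A guard right after the sourcing lines, `: "${HOSTDIR:?HOSTDIR is not set}"`, fails fast instead of silently operating on the wrong path. Quoting the expansions (`"${HOSTDIR}/rev_data/local/$i"`) keeps the paths intact when the directory name contains spaces. pki/runPLTests.sh in this commit has the same unguarded copy loop.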
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/README b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/README
new file mode 100755
index 000000000..50e1b98ec
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/README
@@ -0,0 +1,3 @@
+If the total number of CRL files is changed in this directory,
+the define PKIX_TEST_COLLECTIONCERTSTORE_NUM_CRLS under the
+test directory also need to be changed.
\ No newline at end of file
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/crldiff.crl b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/crldiff.crl
Binary files differ
new file mode 100755
index 000000000..d076ef89f
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/crldiff.crl
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/crlgood.crl b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/crlgood.crl
Binary files differ
new file mode 100755
index 000000000..1ad019ed1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/crlgood.crl
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/issuer-hanfei.crl b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/issuer-hanfei.crl
Binary files differ
new file mode 100755
index 000000000..6c9f0dbaa
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/issuer-hanfei.crl
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/issuer-none.crl b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/issuer-none.crl
Binary files differ
new file mode 100755
index 000000000..c1c83ba2c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/issuer-none.crl
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/pki/runPLTests.sh b/security/nss/tests/libpkix/pkix_pl_tests/pki/runPLTests.sh
new file mode 100755
index 000000000..7857aad3f
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/pki/runPLTests.sh
@@ -0,0 +1,81 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runPLTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+doPD=1
+. ./libpkix_init_nist.sh
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=PKI
+doPki=1
+
+### setup NIST files need to link in
+linkPkiNistFiles="InvalidDNnameConstraintsTest3EE.crt
+ InvalidonlySomeReasonsTest21EE.crt
+ indirectCRLCA3cRLIssuerCRL.crl
+ nameConstraintsDN3subCA2Cert.crt
+ nameConstraintsDN4CACert.crt
+ nameConstraintsDN5CACert.crt
+ onlyContainsAttributeCertsCACRL.crl
+ onlyContainsCACertsCACRL.crl
+ onlyContainsUserCertsCACRL.crl
+ onlySomeReasonsCA3compromiseCRL.crl
+ requireExplicitPolicy2CACert.crt
+ inhibitPolicyMapping5CACert.crt
+ inhibitAnyPolicy5CACert.crt
+ inhibitAnyPolicy0CACert.crt
+ P1Mapping1to234CACert.crt
+ UserNoticeQualifierTest15EE.crt
+ UserNoticeQualifierTest16EE.crt
+ UserNoticeQualifierTest17EE.crt
+ UserNoticeQualifierTest18EE.crt
+ CPSPointerQualifierTest20EE.crt"
+
+if [ -n "${NIST_FILES_DIR}" ]; then
+ if [ ! -d ${HOSTDIR}/rev_data/local ]; then
+ mkdir -p ${HOSTDIR}/rev_data/local
+ fi
+
+ for i in ${linkPkiNistFiles}; do
+ if [ -f ${HOSTDIR}/rev_data/local/$i ]; then
+ rm ${HOSTDIR}/rev_data/local/$i
+ fi
+ cp ${NIST_FILES_DIR}/$i ${HOSTDIR}/rev_data/local/$i
+ done
+fi
+
+##########
+# main
+#########
+
+TZ=US/Eastern
+
+ParseArgs $*
+
+RunTests <<EOF
+pkixutil test_cert NIST-Test-Files-Used ../../certs ${HOSTDIR}/rev_data/local
+pkixutil test_crl NIST-Test-Files-Used ../../certs
+pkixutil test_x500name
+pkixutil test_generalname
+pkixutil test_date NIST-Test-Files-Used
+pkixutil test_crlentry ../../certs
+pkixutil test_nameconstraints NIST-Test-Files-Used rev_data/local ${HOSTDIR}
+pkixutil test_authorityinfoaccess NIST-PDTest ${NIST_PDTEST} certs/BasicLDAPURIPathDiscoveryOU1EE1.crt certs/BasicHTTPURITrustAnchorRootCert.crt
+pkixutil test_subjectinfoaccess NIST-PDTest ${NIST_PDTEST} certs/BasicHTTPURITrustAnchorRootCert.crt certs/BasicLDAPURIPathDiscoveryOU1EE1.crt
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 " ${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
+
+
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/runPLTests.sh b/security/nss/tests/libpkix/pkix_pl_tests/runPLTests.sh
new file mode 100755
index 000000000..89ad1cb7a
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/runPLTests.sh
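Review bot: `TZ=US/Eastern` before `ParseArgs $*` assigns a shell variable but does not export it, so `pkixutil test_date` only sees the intended timezone if TZ was already exported by the environment; otherwise the date test runs in the host's local zone and its expected values become machine-dependent. Follow the pattern this commit uses for SOCKETTRACE in module/runPLTests.sh: `TZ=US/Eastern` followed by `export TZ`. Whether RunTests (defined in libpkix_init.sh, outside this diff) exports variables on its own is not visible here.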
@@ -0,0 +1,67 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runPLTests.sh
+#
+
+curdir=`pwd`
+cd ../common
+. ./libpkix_init.sh > /dev/null
+cd ${curdir}
+
+testunit="PKIX_PL"
+
+totalErrors=0
+moduleErrors=0
+systemErrors=0
+pkiErrors=0
+quiet=0
+
+checkMemArg=""
+arenasArg=""
+quietArg=""
+
+### ParseArgs
+myParseArgs() # args
+{
+ while [ $# -gt 0 ]; do
+ if [ $1 = "-checkmem" ]; then
+ checkMemArg=$1
+ elif [ $1 = "-quiet" ]; then
+ quietArg=$1
+ quiet=1
+ elif [ $1 = "-arenas" ]; then
+ arenasArg=$1
+ fi
+ shift
+ done
+}
+
+myParseArgs $*
+
+testHeadingEcho
+
+echo "RUNNING tests in pki";
+cd pki;
+runPLTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+pkiErrors=$?
+
+echo "RUNNING tests in system";
+cd ../system;
+runPLTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+systemErrors=$?
+
+echo "RUNNING tests in module";
+cd ../module;
+runPLTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+moduleErrors=$?
+
+totalErrors=`expr $moduleErrors + $systemErrors + $pkiErrors`
+
+testEndingEcho
+
+exit ${totalErrors}
+
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/system/runPLTests.sh b/security/nss/tests/libpkix/pkix_pl_tests/system/runPLTests.sh
new file mode 100755
index 000000000..ec166cd08
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/system/runPLTests.sh
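Review bot: Each of `cd pki;`, `cd ../system;` and `cd ../module;` is unchecked and the script has no `set -e`, so a failed cd runs the following bare `runPLTests.sh ...` from the wrong directory — and because the child is invoked by name rather than by path, which script PATH resolves to in that case cannot be determined from this diff. `cd pki || exit 1` (and likewise for the other two) aborts with a non-zero status, which the summing caller already treats as a failure. pkix_tests/runTests.sh in this commit has the same unchecked `cd` chain across its eight subdirectories. `quiet=1` is assigned in myParseArgs but never read in this file.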
@@ -0,0 +1,46 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runPLTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=SYSTEM
+
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+RunTests <<EOF
+pkixutil test_mem
+pkixutil test_object
+pkixutil test_string
+pkixutil test_bigint
+pkixutil test_bytearray
+pkixutil test_mutex
+pkixutil test_mutex2
+pkixutil test_mutex3
+pkixutil test_monitorlock
+pkixutil test_oid
+pkixutil test_hashtable
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 " ${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
+
+
+
+
diff --git a/security/nss/tests/libpkix/pkix_tests/certsel/keyUsage b/security/nss/tests/libpkix/pkix_tests/certsel/keyUsage
new file mode 100755
index 000000000..e69de29bb
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/certsel/keyUsage
diff --git a/security/nss/tests/libpkix/pkix_tests/certsel/runTests.sh b/security/nss/tests/libpkix/pkix_tests/certsel/runTests.sh
new file mode 100755
index 000000000..050e4aeef
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/certsel/runTests.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+. ./libpkix_init_nist.sh
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=CERTSEL
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+RunTests <<EOF
+pkixutil test_comcertselparams ${NIST} NIST-Test-Files-Used
+pkixutil test_certselector ${NIST} NIST-Test-Files-Used ../../pkix_pl_tests/module/rev_data
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 " ${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
diff --git a/security/nss/tests/libpkix/pkix_tests/checker/runTests.sh b/security/nss/tests/libpkix/pkix_tests/checker/runTests.sh
new file mode 100755
index 000000000..b63b2c576
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/checker/runTests.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=CHECKER
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+RunTests <<EOF
+pkixutil test_certchainchecker
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 " ${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
diff --git a/security/nss/tests/libpkix/pkix_tests/crlsel/runTests.sh b/security/nss/tests/libpkix/pkix_tests/crlsel/runTests.sh
new file mode 100755
index 000000000..7f5d2bf66
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/crlsel/runTests.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=CRLSEL
+
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+RunTests <<EOF
+pkixutil test_comcrlselparams ../../certs
+pkixutil test_crlselector
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 " ${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
diff --git a/security/nss/tests/libpkix/pkix_tests/params/runTests.sh b/security/nss/tests/libpkix/pkix_tests/params/runTests.sh
new file mode 100755
index 000000000..cd0e38a71
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/params/runTests.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+. ./libpkix_init_nist.sh
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=PARAMS
+
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+RunTests <<EOF
+pkixutil test_valparams ../../certs
+pkixutil test_procparams ../../certs
+pkixutil test_trustanchor ${NIST} ../../certs NIST-Test-Files-Used
+pkixutil test_resourcelimits
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 " ${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
diff --git a/security/nss/tests/libpkix/pkix_tests/results/runTests.sh b/security/nss/tests/libpkix/pkix_tests/results/runTests.sh
new file mode 100755
index 000000000..8a8461029
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/results/runTests.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+. ./libpkix_init_nist.sh
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=RESULTS
+
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+RunTests <<EOF
+pkixutil test_policynode ${NIST} NIST-Test-Files-Used
+pkixutil test_valresult ../../certs
+pkixutil test_buildresult ../../certs
+pkixutil test_verifynode ${NIST} TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 " ${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
diff --git a/security/nss/tests/libpkix/pkix_tests/runTests.sh b/security/nss/tests/libpkix/pkix_tests/runTests.sh
new file mode 100755
index 000000000..9f1b895fb
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/runTests.sh
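Review bot: The `pkixutil test_verifynode ${NIST} TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt` line consumes NIST certificates but, unlike the `test_policynode` line above it, carries no `NIST-Test-Files-Used` tag; libpkix_init_nist.sh in this commit says tests using NIST files need that tag so they are skipped when NIST_FILES_DIR is unset, so as written this test presumably runs with an empty `${NIST}` argument and fails on hosts without the NIST files. Adding the tag, `pkixutil test_verifynode ${NIST} NIST-Test-Files-Used TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt`, would match the other tagged lines, provided test_verifynode's argument parsing tolerates the extra token — the tag position varies between scripts (second in certsel, third in params) and the pkixutil side is not visible here.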
@@ -0,0 +1,98 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runTests.sh
+#
+
+curdir=`pwd`
+cd ../common
+. ./libpkix_init.sh > /dev/null
+cd ${curdir}
+
+testunit="PKIX"
+
+totalErrors=0
+utilErrors=0
+crlselErrors=0
+paramsErrors=0
+resultsErrors=0
+topErrors=0
+checkerErrors=0
+certselErrors=0
+quiet=0
+
+checkMemArg=""
+arenasArg=""
+quietArg=""
+memText=""
+
+### ParseArgs
+ParseArgs() # args
+{
+ while [ $# -gt 0 ]; do
+ if [ $1 = "-checkmem" ]; then
+ checkMemArg=$1
+ memText=" (Memory Checking Enabled)"
+ elif [ $1 = "-quiet" ]; then
+ quietArg=$1
+ quiet=1
+ elif [ $1 = "-arenas" ]; then
+ arenasArg=$1
+ fi
+ shift
+ done
+}
+
+ParseArgs $*
+
+testHeadingEcho
+
+echo "RUNNING tests in certsel";
+cd certsel;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+certselErrors=$?
+
+echo "RUNNING tests in checker";
+cd ../checker;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+checkerErrors=$?
+
+echo "RUNNING tests in results";
+cd ../results;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+resultsErrors=$?
+
+echo "RUNNING tests in params";
+cd ../params;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+paramsErrors=$?
+
+echo "RUNNING tests in crlsel";
+cd ../crlsel;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+crlselErrors=$?
+
+echo "RUNNING tests in store";
+cd ../store;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+storeErrors=$?
+
+echo "RUNNING tests in util";
+cd ../util;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+utilErrors=$?
+
+echo "RUNNING tests in top";
+cd ../top;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+topErrors=$?
+
+totalErrors=`expr ${certselErrors} + ${checkerErrors} + ${resultsErrors} + ${paramsErrors} + ${crlselErrors} + ${storeErrors} + ${utilErrors} + ${topErrors}`
+
+testEndingEcho
+
+exit ${totalErrors}
+
diff --git a/security/nss/tests/libpkix/pkix_tests/store/runTests.sh b/security/nss/tests/libpkix/pkix_tests/store/runTests.sh
new file mode 100755
index 000000000..7b0bb3745
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/store/runTests.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=STORE
+
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+RunTests <<EOF
+pkixutil test_store genericCertStore rev_data/crlchecker ${HOSTDIR}
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 " ${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
diff --git a/security/nss/tests/libpkix/pkix_tests/top/anchorcert.crt b/security/nss/tests/libpkix/pkix_tests/top/anchorcert.crt
Binary files differ
new file mode 100644
index 000000000..1e2f7c7a1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/anchorcert.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/greg.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/greg.crl
Binary files differ
new file mode 100755
index 000000000..148b47815
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/greg.crl
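Review bot: `storeErrors` is the only per-suite counter in pkix_tests/runTests.sh not initialised alongside `utilErrors`, `crlselErrors`, `paramsErrors` and the others at the top of the file; it is assigned before the `expr` sum so nothing breaks, but the omission reads as an oversight and a `storeErrors=0` line next to the others keeps the list complete. This file also defines `ParseArgs` after sourcing libpkix_init.sh, while the sibling runner pkix_pl_tests/runPLTests.sh names its local copy `myParseArgs`; the per-directory scripts call a `ParseArgs $*` that must come from libpkix_init.sh (not visible here), so if that is the case the two top-level runners shadow it inconsistently. Renaming this one `myParseArgs` as well would make the two runners match.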
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/greg2yassir_badsig.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/greg2yassir_badsig.crt
Binary files differ
new file mode 100755
index 000000000..66563db40
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/greg2yassir_badsig.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes.crl
Binary files differ
new file mode 100755
index 000000000..6cd8d2577
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2greg.crt
Binary files differ
new file mode 100755
index 000000000..44419aa4c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2greg.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2jes.crt
Binary files differ
new file mode 100755
index 000000000..07f7e58d1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2jes.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2labs.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2labs.crt
Binary files differ
new file mode 100755
index 000000000..36591b8bf
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2labs.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/labs.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/labs.crl
Binary files differ
new file mode 100755
index 000000000..8c96b41dc
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/labs.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/labs2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/labs2yassir.crt
Binary files differ
new file mode 100755
index 000000000..119368ca5
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/labs2yassir.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/yassir.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/yassir.crl
Binary files differ
new file mode 100755
index 000000000..eca3a5e84
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/yassir.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/yassir2hanfei.crt
Binary files differ
new file mode 100755
index 000000000..460d19307
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/yassir2hanfei.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/greg.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/greg.crl
Binary files differ
new file mode 100755
index 000000000..148b47815
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/greg.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/greg2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/greg2yassir.crt
Binary files differ
new file mode 100755
index 000000000..182472b21
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/greg2yassir.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes.crl
Binary files differ
new file mode 100755
index 000000000..e037e5047
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2greg.crt
Binary files differ
new file mode 100755
index 000000000..44419aa4c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2greg.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2jes.crt
Binary files differ
new file mode 100755
index 000000000..07f7e58d1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2jes.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2labs.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2labs.crt
Binary files differ
new file mode 100755
index 000000000..36591b8bf
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2labs.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/labs.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/labs.crl
Binary files differ
new file mode 100755
index 000000000..8c96b41dc
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/labs.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/labs2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/labs2yassir.crt
Binary files differ
new file mode 100755
index 000000000..f5fe26115
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/labs2yassir.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/yassir.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/yassir.crl
Binary files differ
new file mode 100755
index 000000000..eca3a5e84
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/yassir.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/yassir2hanfei.crt
Binary files differ
new file mode 100755
index 000000000..460d19307
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/yassir2hanfei.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/greg.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/greg.crl
Binary files differ
new file mode 100755
index 000000000..148b47815
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/greg.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/greg2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/greg2yassir.crt
Binary files differ
new file mode 100755
index 000000000..182472b21
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/greg2yassir.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes.crl
Binary files differ
new file mode 100755
index 000000000..e037e5047
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2greg.crt
Binary files differ
new file mode 100755
index 000000000..44419aa4c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2greg.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2jes.crt
Binary files differ
new file mode 100755
index 000000000..07f7e58d1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2jes.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2labs.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2labs.crt
Binary files differ
new file mode 100755
index 000000000..36591b8bf
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2labs.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/labs.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/labs.crl
Binary files differ
new file mode 100755
index 000000000..8c96b41dc
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/labs.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/labs2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/labs2yassir.crt
Binary files differ
new file mode 100755
index 000000000..f5fe26115
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/labs2yassir.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/yassir.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/yassir.crl
Binary files differ
new file mode 100755
index 000000000..eca3a5e84
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/yassir.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/yassir2hanfei.crt
Binary files differ
new file mode 100755
index 000000000..460d19307
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/yassir2hanfei.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/greg.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/greg.crl
Binary files differ
new file mode 100755
index 000000000..148b47815
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/greg.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/greg2yassir_badsig.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/greg2yassir_badsig.crt
Binary files differ
new file mode 100755
index 000000000..66563db40
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/greg2yassir_badsig.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes.crl
Binary files differ
new file mode 100755
index 000000000..e037e5047
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes2greg.crt
Binary files differ
new file mode 100755
index 000000000..44419aa4c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes2greg.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes2jes.crt
Binary files differ
new file mode 100755
index 000000000..07f7e58d1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes2jes.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/yassir.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/yassir.crl
Binary files differ
new file mode 100755
index 000000000..eca3a5e84
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/yassir.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/yassir2hanfei.crt
Binary files differ
new file mode 100755
index 000000000..460d19307
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/yassir2hanfei.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/greg.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/greg.crl
Binary files differ
new file mode 100755
index 000000000..148b47815
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/greg.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/greg2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/greg2yassir.crt
Binary files differ
new file mode 100755
index 000000000..182472b21
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/greg2yassir.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes.crl
Binary files differ
new file mode 100755
index 000000000..e037e5047
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes2greg.crt
Binary files differ
new file mode 100755
index 000000000..44419aa4c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes2greg.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes2jes.crt
Binary files differ
new file mode 100755
index 000000000..07f7e58d1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes2jes.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/yassir.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/yassir.crl
Binary files differ
new file mode 100755
index 000000000..eca3a5e84
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/yassir.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/yassir2hanfei.crt
Binary files differ
new file mode 100755
index 000000000..460d19307
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/yassir2hanfei.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/greg2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/greg2yassir.crt
Binary files differ
new file mode 100755
index 000000000..182472b21
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/greg2yassir.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2greg.crt
Binary files differ
new file mode 100755
index 000000000..44419aa4c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2greg.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2jes.crt
Binary files differ
new file mode 100755
index 000000000..07f7e58d1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2jes.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2labs.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2labs.crt
Binary files differ
new file mode 100755
index 000000000..36591b8bf
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2labs.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/labs2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/labs2yassir.crt
Binary files differ
new file mode 100755
index 000000000..f5fe26115
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/labs2yassir.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/yassir2hanfei.crt
Binary files differ
new file mode 100755
index 000000000..460d19307
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/yassir2hanfei.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/yassir2richard.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/yassir2richard.crt
Binary files differ
new file mode 100755
index 000000000..b11826f97
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/yassir2richard.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2greg.crt
Binary files differ
new file mode 100755
index 000000000..44419aa4c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2greg.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2jes.crt
Binary files differ
new file mode 100755
index 000000000..07f7e58d1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2jes.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2labs.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2labs.crt
Binary files differ
new file mode 100755
index 000000000..36591b8bf
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2labs.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/labs2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/labs2yassir.crt
Binary files differ
new file mode 100755
index 000000000..2b4387d6c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/labs2yassir.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/nelson2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/nelson2yassir.crt
Binary files differ
new file mode 100755
index 000000000..f5fe26115
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/nelson2yassir.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/yassir2hanfei.crt
Binary files differ
new file mode 100755
index 000000000..460d19307
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/yassir2hanfei.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/yassir2richard.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/yassir2richard.crt
Binary files differ
new file mode 100755
index 000000000..b11826f97
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/yassir2richard.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2greg.crt
Binary files differ
new file mode 100755
index 000000000..44419aa4c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2greg.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2jes.crt
Binary files differ
new file mode 100755
index 000000000..07f7e58d1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2jes.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2labs.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2labs.crt
Binary files differ
new file mode 100755
index 000000000..36591b8bf
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2labs.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/labs2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/labs2yassir.crt
Binary files differ
new file mode 100755
index 000000000..2b4387d6c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/labs2yassir.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/nelson2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/nelson2yassir.crt
Binary files differ
new file mode 100755
index 000000000..f5fe26115
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/nelson2yassir.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/yassir2hanfei.crt
Binary files differ
new file mode 100755
index 000000000..460d19307
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/yassir2hanfei.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/cert8.db b/security/nss/tests/libpkix/pkix_tests/top/cert8.db
Binary files differ
new file mode 100644
index 000000000..a2bb46756
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/cert8.db
diff --git a/security/nss/tests/libpkix/pkix_tests/top/goodcert.crt b/security/nss/tests/libpkix/pkix_tests/top/goodcert.crt
Binary files differ
new file mode 100644
index 000000000..c9904f4e0
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/goodcert.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/key3.db b/security/nss/tests/libpkix/pkix_tests/top/key3.db
Binary files differ
new file mode 100644
index 000000000..fd1bee826
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/key3.db
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/chem.crl b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/chem.crl
Binary files differ
new file mode 100755
index 000000000..9619c22cf
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/chem.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/chem2prof.crt b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/chem2prof.crt
Binary files differ
new file mode 100755
index 000000000..0022f3cbf
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/chem2prof.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/phy2prof.crt b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/phy2prof.crt
Binary files differ
new file mode 100755
index 000000000..50be7df1f
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/phy2prof.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/phys.crl b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/phys.crl
Binary files differ
new file mode 100755
index 000000000..2deed93ed
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/phys.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/prof.crl b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/prof.crl
Binary files differ
new file mode 100755
index 000000000..fa9b2dc69
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/prof.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/prof2test.crt b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/prof2test.crt
Binary files differ
new file mode 100755
index 000000000..04bc5f16a
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/prof2test.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci.crl b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci.crl
Binary files differ
new file mode 100755
index 000000000..675e9a53f
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2chem.crt b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2chem.crt
Binary files differ
new file mode 100755
index 000000000..e12232b8a
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2chem.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2phy.crt b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2phy.crt
Binary files differ
new file mode 100755
index 000000000..f5a165baa
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2phy.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2sci.crt b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2sci.crt
Binary files differ
new file mode 100755
index 000000000..ca09c166e
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2sci.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/test.crl b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/test.crl
Binary files differ
new file mode 100755
index 000000000..e37aa9c24
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/test.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/revokedcert.crt b/security/nss/tests/libpkix/pkix_tests/top/revokedcert.crt
Binary files differ
new file mode 100644
index 000000000..0715ceb7b
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/revokedcert.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/runTests.sh b/security/nss/tests/libpkix/pkix_tests/top/runTests.sh
new file mode 100755
index 000000000..1e2080939
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/runTests.sh
@@ -0,0 +1,517 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runTests.sh
+#
+
+
+LDAP='nss.red.iplanet.com:1389'
+export LDAP
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+doPD=1
+doOCSP=1
+. ./libpkix_init_nist.sh
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=TOP
+doTop=1
+linkMStoreNistFiles="store1/TrustAnchorRootCRL.crl
+ store1/TwoCRLsCABadCRL.crl
+ store2/TwoCRLsCAGoodCRL.crl"
+
+if [ ! -z "${NIST_FILES_DIR}" ] ; then
+ if [ -d ${HOSTDIR}/rev_data/multiple_certstores ]; then
+ rm -fr ${HOSTDIR}/rev_data/multiple_certstores
+ fi
+ mkdir -p ${HOSTDIR}/rev_data/multiple_certstores
+ mkdir -p ${HOSTDIR}/rev_data/multiple_certstores/store1
+ mkdir -p ${HOSTDIR}/rev_data/multiple_certstores/store2
+ for i in ${linkMStoreNistFiles}; do
+ if [ -f ${HOSTDIR}/rev_data/multiple_certstores/$i ]; then
+ rm ${HOSTDIR}/rev_data/multiple_certstores/$i
+ fi
+ fname=`basename $i`
+ cp ${NIST_FILES_DIR}/${fname} ${HOSTDIR}/rev_data/multiple_certstores/$i
+ done
+fi
+
+ocspFiles="goodcert.crt revokedcert.crt anchorcert.crt
+ secmod.db key3.db cert8.db"
+
+if [ ! -z ${doOCSPTest} ] ; then
+ if [ -d ${HOSTDIR}/ocsp ]; then
+ rm -fr ${HOSTDIR}/ocsp
+ fi
+ mkdir -p ${HOSTDIR}/ocsp
+ for i in ${ocspFiles}; do
+ cp $i ${HOSTDIR}/ocsp/$i
+
+ done
+fi
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+Display ""
+Display "# ENE = expect no error (validation should succeed)"
+Display "# EE = expect error (validation should fail)"
+Display ""
+
+LOGGING=1
+SOCKETTRACE=1
+export LOGGING SOCKETTRACE
+
+RunTests <<EOF
+pkixutil test_validatechain_NB NIST-Test.4.1.1 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt
+pkixutil_or test_validatechain_NB NIST-Test.4.1.1 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.1.2 EE $NIST TrustAnchorRootCertificate.crt BadSignedCACert.crt InvalidCASignatureTest2EE.crt
+pkixutil_or test_validatechain_NB NIST-Test.4.1.2 EE $NIST TrustAnchorRootCertificate.crt BadSignedCACert.crt InvalidCASignatureTest2EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.1.3 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidEESignatureTest3EE.crt
+pkixutil_or test_validatechain_NB NIST-Test.4.1.3 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidEESignatureTest3EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.1.4 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt ValidDSASignaturesTest4EE.crt
+pkixutil_or test_validatechain_NB NIST-Test.4.1.4 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt ValidDSASignaturesTest4EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.1.5 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt DSAParametersInheritedCACert.crt ValidDSAParameterInheritanceTest5EE.crt
+pkixutil_or test_validatechain_NB NIST-Test.4.1.5 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt DSAParametersInheritedCACert.crt ValidDSAParameterInheritanceTest5EE.crt
+EOF
+
+tracedErrors=$?
+
+LOGGING=0
+SOCKETTRACE=0
+
+RunTests <<EOF
+pkixutil test_basicchecker ../../certs
+pkixutil test_basicconstraintschecker "Two-Certificates-Chain" ENE ../../certs hy2hy-bc0 hy2hc-bc
+pkixutil test_basicconstraintschecker "Three-Certificates-Chain" ENE ../../certs hy2hy-bc0 hy2hy-bc0 hy2hc-bc
+pkixutil test_basicconstraintschecker "Four-Certificates-Chain-with-error" EE ../../certs hy2hy-bc0 hy2hy-bc0 hy2hc-bc hy2hc-bc
+pkixutil test_validatechain_bc ../../certs/hy2hy-bc0 ../../certs/hy2hc-bc
+pkixutil test_policychecker NIST-Test-Files-Used ENE $NIST ../../certs
+pkixutil test_defaultcrlchecker2stores NIST-Test.4.4.7-with-multiple-CRL-stores ENE $NIST ${HOSTDIR}/rev_data/multiple_certstores/store1 ${HOSTDIR}/rev_data/multiple_certstores/store2 TrustAnchorRootCertificate.crt TwoCRLsCACert.crt ValidTwoCRLsTest7EE.crt
+pkixutil test_buildchain_resourcelimits ${LDAP} NIST-Test.4.5.1 ENE $NIST ValidBasicSelfIssuedOldWithNewTest1EE.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt BasicSelfIssuedNewKeyCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_customcrlchecker "CRL-test-without-revocation" ENE rev_data/crlchecker sci2sci.crt sci2phy.crt phy2prof.crt prof2test.crt
+pkixutil test_customcrlchecker "CRL-test-with-revocation-reasoncode" EE rev_data/crlchecker sci2sci.crt sci2chem.crt chem2prof.crt prof2test.crt
+pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "0R:testcertificates.gov+R:Test23EE@testcertificates.gov" ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA2Cert.crt ValidRFC822nameConstraintsTest23EE.crt
+pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "0R:TEST.gov" EE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA2Cert.crt ValidRFC822nameConstraintsTest23EE.crt
+pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "0N:testcertificates.gov+N:testserver.testcertificates.gov" ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDNS1CACert.crt ValidDNSnameConstraintsTest30EE.crt
+pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "0N:notestcertificates.gov" EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDNS1CACert.crt ValidDNSnameConstraintsTest30EE.crt
+pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "0U:.gov+U:http://testserver.testcertificates.gov/index.html" ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsURI1CACert.crt ValidURInameConstraintsTest34EE.crt
+pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "0U:test.testcertificates.gov" EE $NIST TrustAnchorRootCertificate.crt nameConstraintsURI1CACert.crt ValidURInameConstraintsTest34EE.crt
+pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "1D:C=US+D:CN=Certificates,C=US" EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN2CACert.crt ValidDNnameConstraintsTest5EE.crt
+pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "0D:O=TestCertificates,C=CN" EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN2CACert.crt ValidDNnameConstraintsTest5EE.crt
+pkixutil test_validatechain "CRL-test-without-key-usage-cRLsign-bit-NIST-Test-Files-Used" EE $NIST TrustAnchorRootCertificate.crt SeparateCertificateandCRLKeysCertificateSigningCACert.crt SeparateCertificateandCRLKeysCRLSigningCert.crt InvalidSeparateCertificateandCRLKeysTest20EE.crt
+pkixutil test_validatechain NIST-Test.4.1.1 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt
+pkixutil test_validatechain NIST-Test.4.1.2 EE $NIST TrustAnchorRootCertificate.crt BadSignedCACert.crt InvalidCASignatureTest2EE.crt
+pkixutil test_validatechain NIST-Test.4.1.3 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidEESignatureTest3EE.crt
+pkixutil test_validatechain NIST-Test.4.1.4 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt ValidDSASignaturesTest4EE.crt
+pkixutil test_validatechain NIST-Test.4.1.5 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt DSAParametersInheritedCACert.crt ValidDSAParameterInheritanceTest5EE.crt
+pkixutil test_validatechain NIST-Test.4.1.6 EE $NIST TrustAnchorRootCertificate.crt DSACACert.crt InvalidDSASignatureTest6EE.crt
+pkixutil test_validatechain NIST-Test.4.2.1 EE $NIST TrustAnchorRootCertificate.crt BadnotBeforeDateCACert.crt InvalidCAnotBeforeDateTest1EE.crt
+pkixutil test_validatechain NIST-Test.4.2.2 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidEEnotBeforeDateTest2EE.crt
+pkixutil test_validatechain NIST-Test.4.2.3 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt Validpre2000UTCnotBeforeDateTest3EE.crt
+pkixutil test_validatechain NIST-Test.4.2.4 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidGeneralizedTimenotBeforeDateTest4EE.crt
+pkixutil test_validatechain NIST-Test.4.2.5 EE $NIST TrustAnchorRootCertificate.crt BadnotAfterDateCACert.crt InvalidCAnotAfterDateTest5EE.crt
+pkixutil test_validatechain NIST-Test.4.2.6 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidEEnotAfterDateTest6EE.crt
+pkixutil test_validatechain NIST-Test.4.2.7 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt Invalidpre2000UTCEEnotAfterDateTest7EE.crt
+pkixutil test_validatechain NIST-Test.4.2.8 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidGeneralizedTimenotAfterDateTest8EE.crt
+pkixutil test_validatechain NIST-Test.4.3.1 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidNameChainingTest1EE.crt
+pkixutil test_validatechain NIST-Test.4.3.2 EE $NIST TrustAnchorRootCertificate.crt NameOrderingCACert.crt InvalidNameChainingOrderTest2EE.crt
+pkixutil test_validatechain NIST-Test.4.3.3 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidNameChainingWhitespaceTest3EE.crt
+pkixutil test_validatechain NIST-Test.4.3.4 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidNameChainingWhitespaceTest4EE.crt
+pkixutil test_validatechain NIST-Test.4.3.5 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidNameChainingCapitalizationTest5EE.crt
+pkixutil test_validatechain NIST-Test.4.3.6 ENE $NIST TrustAnchorRootCertificate.crt UIDCACert.crt ValidNameUIDsTest6EE.crt
+pkixutil test_validatechain NIST-Test.4.3.9 ENE $NIST TrustAnchorRootCertificate.crt UTF8StringEncodedNamesCACert.crt ValidUTF8StringEncodedNamesTest9EE.crt
+pkixutil test_validatechain NIST-Test.4.3.10 ENE $NIST TrustAnchorRootCertificate.crt RolloverfromPrintableStringtoUTF8StringCACert.crt ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt
+pkixutil test_validatechain NIST-Test.4.3.11 ENE $NIST TrustAnchorRootCertificate.crt UTF8StringCaseInsensitiveMatchCACert.crt ValidUTF8StringCaseInsensitiveMatchTest11EE.crt
+pkixutil test_validatechain NIST-Test.4.4.1 EE $NIST TrustAnchorRootCertificate.crt NoCRLCACert.crt InvalidMissingCRLTest1EE.crt
+pkixutil test_validatechain NIST-Test.4.4.2 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt RevokedsubCACert.crt InvalidRevokedCATest2EE.crt
+pkixutil test_validatechain NIST-Test.4.4.3 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidRevokedEETest3EE.crt
+pkixutil test_validatechain NIST-Test.4.4.4 EE $NIST TrustAnchorRootCertificate.crt BadCRLSignatureCACert.crt InvalidBadCRLSignatureTest4EE.crt
+pkixutil test_validatechain NIST-Test.4.4.5 EE $NIST TrustAnchorRootCertificate.crt BadCRLIssuerNameCACert.crt InvalidBadCRLIssuerNameTest5EE.crt
+pkixutil test_validatechain NIST-Test.4.4.6 EE $NIST TrustAnchorRootCertificate.crt WrongCRLCACert.crt InvalidWrongCRLTest6EE.crt
+pkixutil test_validatechain NIST-Test.4.4.7 ENE $NIST TrustAnchorRootCertificate.crt TwoCRLsCACert.crt ValidTwoCRLsTest7EE.crt
+pkixutil test_validatechain NIST-Test.4.4.8 EE $NIST TrustAnchorRootCertificate.crt UnknownCRLEntryExtensionCACert.crt InvalidUnknownCRLEntryExtensionTest8EE.crt
+pkixutil test_validatechain NIST-Test.4.4.9 EE $NIST TrustAnchorRootCertificate.crt UnknownCRLExtensionCACert.crt InvalidUnknownCRLExtensionTest9EE.crt
+pkixutil test_validatechain NIST-Test.4.4.10 EE $NIST TrustAnchorRootCertificate.crt UnknownCRLExtensionCACert.crt InvalidUnknownCRLExtensionTest10EE.crt
+pkixutil test_validatechain NIST-Test.4.4.11 EE $NIST TrustAnchorRootCertificate.crt OldCRLnextUpdateCACert.crt InvalidOldCRLnextUpdateTest11EE.crt
+pkixutil test_validatechain NIST-Test.4.4.12 EE $NIST TrustAnchorRootCertificate.crt pre2000CRLnextUpdateCACert.crt Invalidpre2000CRLnextUpdateTest12EE.crt
+pkixutil test_validatechain NIST-Test.4.4.13 ENE $NIST TrustAnchorRootCertificate.crt GeneralizedTimeCRLnextUpdateCACert.crt ValidGeneralizedTimeCRLnextUpdateTest13EE.crt
+pkixutil test_validatechain NIST-Test.4.4.14 ENE $NIST TrustAnchorRootCertificate.crt NegativeSerialNumberCACert.crt ValidNegativeSerialNumberTest14EE.crt
+pkixutil test_validatechain NIST-Test.4.4.15 EE $NIST TrustAnchorRootCertificate.crt NegativeSerialNumberCACert.crt InvalidNegativeSerialNumberTest15EE.crt
+pkixutil test_validatechain NIST-Test.4.4.16 ENE $NIST TrustAnchorRootCertificate.crt LongSerialNumberCACert.crt ValidLongSerialNumberTest16EE.crt
+pkixutil test_validatechain NIST-Test.4.4.17 ENE $NIST TrustAnchorRootCertificate.crt LongSerialNumberCACert.crt ValidLongSerialNumberTest17EE.crt
+pkixutil test_validatechain NIST-Test.4.4.18 EE $NIST TrustAnchorRootCertificate.crt LongSerialNumberCACert.crt InvalidLongSerialNumberTest18EE.crt
+pkixutil test_validatechain NIST-Test.4.4.20 EE $NIST TrustAnchorRootCertificate.crt SeparateCertificateandCRLKeysCertificateSigningCACert.crt SeparateCertificateandCRLKeysCRLSigningCert.crt InvalidSeparateCertificateandCRLKeysTest20EE.crt
+pkixutil test_validatechain NIST-Test.4.5.1 ENE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedNewKeyCACert.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt ValidBasicSelfIssuedOldWithNewTest1EE.crt
+pkixutil test_validatechain NIST-Test.4.5.2 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedNewKeyCACert.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt InvalidBasicSelfIssuedOldWithNewTest2EE.crt
+pkixutil test_validatechain NIST-Test.4.5.5 EE $NIST
TrustAnchorRootCertificate.crt BasicSelfIssuedOldKeyCACert.crt BasicSelfIssuedOldKeyNewWithOldCACert.crt InvalidBasicSelfIssuedNewWithOldTest5EE.crt +pkixutil test_validatechain NIST-Test.4.5.7 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedCRLSigningKeyCACert.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt +pkixutil test_validatechain NIST-Test.4.5.8 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedCRLSigningKeyCACert.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt +pkixutil test_validatechain_NB "CRL-test-without-key-usage-cRLsign-bit-NIST-Test-Files-Used" EE $NIST TrustAnchorRootCertificate.crt SeparateCertificateandCRLKeysCertificateSigningCACert.crt SeparateCertificateandCRLKeysCRLSigningCert.crt InvalidSeparateCertificateandCRLKeysTest20EE.crt +pkixutil test_validatechain_NB NIST-Test.4.1.1 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt +pkixutil test_validatechain_NB NIST-Test.4.1.2 EE $NIST TrustAnchorRootCertificate.crt BadSignedCACert.crt InvalidCASignatureTest2EE.crt +pkixutil test_validatechain_NB NIST-Test.4.1.3 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidEESignatureTest3EE.crt +pkixutil test_validatechain_NB NIST-Test.4.1.4 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt ValidDSASignaturesTest4EE.crt +pkixutil test_validatechain_NB NIST-Test.4.1.5 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt DSAParametersInheritedCACert.crt ValidDSAParameterInheritanceTest5EE.crt +pkixutil test_validatechain_NB NIST-Test.4.1.6 EE $NIST TrustAnchorRootCertificate.crt DSACACert.crt InvalidDSASignatureTest6EE.crt +pkixutil test_validatechain_NB NIST-Test.4.2.1 EE $NIST TrustAnchorRootCertificate.crt BadnotBeforeDateCACert.crt InvalidCAnotBeforeDateTest1EE.crt +pkixutil test_validatechain_NB NIST-Test.4.2.2 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidEEnotBeforeDateTest2EE.crt 
+pkixutil test_validatechain_NB NIST-Test.4.2.3 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt Validpre2000UTCnotBeforeDateTest3EE.crt +pkixutil test_validatechain_NB NIST-Test.4.2.4 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidGeneralizedTimenotBeforeDateTest4EE.crt +pkixutil test_validatechain_NB NIST-Test.4.2.5 EE $NIST TrustAnchorRootCertificate.crt BadnotAfterDateCACert.crt InvalidCAnotAfterDateTest5EE.crt +pkixutil test_validatechain_NB NIST-Test.4.2.6 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidEEnotAfterDateTest6EE.crt +pkixutil test_validatechain_NB NIST-Test.4.2.7 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt Invalidpre2000UTCEEnotAfterDateTest7EE.crt +pkixutil test_validatechain_NB NIST-Test.4.2.8 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidGeneralizedTimenotAfterDateTest8EE.crt +pkixutil test_validatechain_NB NIST-Test.4.3.1 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidNameChainingTest1EE.crt +pkixutil test_validatechain_NB NIST-Test.4.3.2 EE $NIST TrustAnchorRootCertificate.crt NameOrderingCACert.crt InvalidNameChainingOrderTest2EE.crt +pkixutil test_validatechain_NB NIST-Test.4.3.3 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidNameChainingWhitespaceTest3EE.crt +pkixutil test_validatechain_NB NIST-Test.4.3.4 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidNameChainingWhitespaceTest4EE.crt +pkixutil test_validatechain_NB NIST-Test.4.3.5 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidNameChainingCapitalizationTest5EE.crt +pkixutil test_validatechain_NB NIST-Test.4.3.6 ENE $NIST TrustAnchorRootCertificate.crt UIDCACert.crt ValidNameUIDsTest6EE.crt +pkixutil test_validatechain_NB NIST-Test.4.3.9 ENE $NIST TrustAnchorRootCertificate.crt UTF8StringEncodedNamesCACert.crt ValidUTF8StringEncodedNamesTest9EE.crt +pkixutil test_validatechain_NB NIST-Test.4.3.10 ENE $NIST TrustAnchorRootCertificate.crt 
RolloverfromPrintableStringtoUTF8StringCACert.crt ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt +pkixutil test_validatechain_NB NIST-Test.4.3.11 ENE $NIST TrustAnchorRootCertificate.crt UTF8StringCaseInsensitiveMatchCACert.crt ValidUTF8StringCaseInsensitiveMatchTest11EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.1 EE $NIST TrustAnchorRootCertificate.crt NoCRLCACert.crt InvalidMissingCRLTest1EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.2 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt RevokedsubCACert.crt InvalidRevokedCATest2EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.3 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidRevokedEETest3EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.4 EE $NIST TrustAnchorRootCertificate.crt BadCRLSignatureCACert.crt InvalidBadCRLSignatureTest4EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.5 EE $NIST TrustAnchorRootCertificate.crt BadCRLIssuerNameCACert.crt InvalidBadCRLIssuerNameTest5EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.6 EE $NIST TrustAnchorRootCertificate.crt WrongCRLCACert.crt InvalidWrongCRLTest6EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.7 ENE $NIST TrustAnchorRootCertificate.crt TwoCRLsCACert.crt ValidTwoCRLsTest7EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.8 EE $NIST TrustAnchorRootCertificate.crt UnknownCRLEntryExtensionCACert.crt InvalidUnknownCRLEntryExtensionTest8EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.9 EE $NIST TrustAnchorRootCertificate.crt UnknownCRLExtensionCACert.crt InvalidUnknownCRLExtensionTest9EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.10 EE $NIST TrustAnchorRootCertificate.crt UnknownCRLExtensionCACert.crt InvalidUnknownCRLExtensionTest10EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.11 EE $NIST TrustAnchorRootCertificate.crt OldCRLnextUpdateCACert.crt InvalidOldCRLnextUpdateTest11EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.12 EE $NIST TrustAnchorRootCertificate.crt 
pre2000CRLnextUpdateCACert.crt Invalidpre2000CRLnextUpdateTest12EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.13 ENE $NIST TrustAnchorRootCertificate.crt GeneralizedTimeCRLnextUpdateCACert.crt ValidGeneralizedTimeCRLnextUpdateTest13EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.14 ENE $NIST TrustAnchorRootCertificate.crt NegativeSerialNumberCACert.crt ValidNegativeSerialNumberTest14EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.15 EE $NIST TrustAnchorRootCertificate.crt NegativeSerialNumberCACert.crt InvalidNegativeSerialNumberTest15EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.16 ENE $NIST TrustAnchorRootCertificate.crt LongSerialNumberCACert.crt ValidLongSerialNumberTest16EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.17 ENE $NIST TrustAnchorRootCertificate.crt LongSerialNumberCACert.crt ValidLongSerialNumberTest17EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.18 EE $NIST TrustAnchorRootCertificate.crt LongSerialNumberCACert.crt InvalidLongSerialNumberTest18EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.20 EE $NIST TrustAnchorRootCertificate.crt SeparateCertificateandCRLKeysCertificateSigningCACert.crt SeparateCertificateandCRLKeysCRLSigningCert.crt InvalidSeparateCertificateandCRLKeysTest20EE.crt +pkixutil test_validatechain_NB NIST-Test.4.5.1 ENE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedNewKeyCACert.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt ValidBasicSelfIssuedOldWithNewTest1EE.crt +pkixutil test_validatechain_NB NIST-Test.4.5.2 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedNewKeyCACert.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt InvalidBasicSelfIssuedOldWithNewTest2EE.crt +pkixutil test_validatechain_NB NIST-Test.4.5.5 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedOldKeyCACert.crt BasicSelfIssuedOldKeyNewWithOldCACert.crt InvalidBasicSelfIssuedNewWithOldTest5EE.crt +pkixutil test_validatechain_NB NIST-Test.4.5.7 EE $NIST TrustAnchorRootCertificate.crt 
BasicSelfIssuedCRLSigningKeyCACert.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt +pkixutil test_validatechain_NB NIST-Test.4.5.8 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedCRLSigningKeyCACert.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.1 EE $NIST TrustAnchorRootCertificate.crt MissingbasicConstraintsCACert.crt InvalidMissingbasicConstraintsTest1EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.2 EE $NIST TrustAnchorRootCertificate.crt basicConstraintsCriticalcAFalseCACert.crt InvalidcAFalseTest2EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.3 EE $NIST TrustAnchorRootCertificate.crt basicConstraintsNotCriticalcAFalseCACert.crt InvalidcAFalseTest3EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.4 ENE $NIST TrustAnchorRootCertificate.crt basicConstraintsNotCriticalCACert.crt ValidbasicConstraintsNotCriticalTest4EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.5 EE $NIST TrustAnchorRootCertificate.crt pathLenConstraint0CACert.crt pathLenConstraint0subCACert.crt InvalidpathLenConstraintTest5EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.6 EE $NIST TrustAnchorRootCertificate.crt pathLenConstraint0CACert.crt pathLenConstraint0subCACert.crt InvalidpathLenConstraintTest6EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.7 ENE $NIST TrustAnchorRootCertificate.crt pathLenConstraint0CACert.crt ValidpathLenConstraintTest7EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.8 ENE $NIST TrustAnchorRootCertificate.crt pathLenConstraint0CACert.crt ValidpathLenConstraintTest8EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.9 EE $NIST TrustAnchorRootCertificate.crt pathLenConstraint6CACert.crt pathLenConstraint6subCA0Cert.crt pathLenConstraint6subsubCA00Cert.crt InvalidpathLenConstraintTest9EE.crt +pkixutil test_basicconstraintschecker 
NIST-Test.4.6.10 EE $NIST TrustAnchorRootCertificate.crt pathLenConstraint6CACert.crt pathLenConstraint6subCA0Cert.crt pathLenConstraint6subsubCA00Cert.crt InvalidpathLenConstraintTest10EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.11 EE $NIST TrustAnchorRootCertificate.crt pathLenConstraint6CACert.crt pathLenConstraint6subCA1Cert.crt pathLenConstraint6subsubCA11Cert.crt pathLenConstraint6subsubsubCA11XCert.crt InvalidpathLenConstraintTest11EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.12 EE $NIST TrustAnchorRootCertificate.crt pathLenConstraint6CACert.crt pathLenConstraint6subCA1Cert.crt pathLenConstraint6subsubCA11Cert.crt pathLenConstraint6subsubsubCA11XCert.crt InvalidpathLenConstraintTest12EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.13 ENE $NIST TrustAnchorRootCertificate.crt pathLenConstraint6CACert.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6subsubCA41Cert.crt pathLenConstraint6subsubsubCA41XCert.crt ValidpathLenConstraintTest13EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.14 ENE $NIST TrustAnchorRootCertificate.crt pathLenConstraint6CACert.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6subsubCA41Cert.crt pathLenConstraint6subsubsubCA41XCert.crt ValidpathLenConstraintTest14EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.15 ENE $NIST TrustAnchorRootCertificate.crt pathLenConstraint0CACert.crt pathLenConstraint0SelfIssuedCACert.crt ValidSelfIssuedpathLenConstraintTest15EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.16 EE $NIST TrustAnchorRootCertificate.crt pathLenConstraint0CACert.crt pathLenConstraint0SelfIssuedCACert.crt pathLenConstraint0subCA2Cert.crt InvalidSelfIssuedpathLenConstraintTest16EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.17 ENE $NIST TrustAnchorRootCertificate.crt pathLenConstraint1CACert.crt pathLenConstraint1SelfIssuedCACert.crt pathLenConstraint1subCACert.crt pathLenConstraint1SelfIssuedsubCACert.crt 
ValidSelfIssuedpathLenConstraintTest17EE.crt +pkixutil test_validatechain "NIST-Test.4.7.1" EE $NIST TrustAnchorRootCertificate.crt keyUsageCriticalkeyCertSignFalseCACert.crt InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt +pkixutil test_validatechain "NIST-Test.4.7.2" EE $NIST TrustAnchorRootCertificate.crt keyUsageNotCriticalkeyCertSignFalseCACert.crt InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt +pkixutil test_validatechain "NIST-Test.4.7.3" ENE $NIST TrustAnchorRootCertificate.crt keyUsageNotCriticalCACert.crt ValidkeyUsageNotCriticalTest3EE.crt +pkixutil test_validatechain "NIST-Test.4.7.4" EE $NIST TrustAnchorRootCertificate.crt keyUsageCriticalcRLSignFalseCACert.crt InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt +pkixutil test_validatechain "NIST-Test.4.7.5" EE $NIST TrustAnchorRootCertificate.crt keyUsageNotCriticalcRLSignFalseCACert.crt InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt +pkixutil test_policychecker NIST-Test.4.8.1.1-1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt +pkixutil test_policychecker NIST-Test.4.8.1.1-2 ENE $NIST ../../certs "{2.5.29.32.0}" E TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt +pkixutil test_policychecker NIST-Test.4.8.1.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" E TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt +pkixutil test_policychecker NIST-Test.4.8.1.3 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" E TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt +pkixutil test_policychecker NIST-Test.4.8.1.4 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1:2.16.840.1.101.3.2.1.48.2}" E TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt +pkixutil test_policychecker NIST-Test.4.8.2.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt NoPoliciesCACert.crt AllCertificatesNoPoliciesTest2EE.crt +pkixutil 
test_policychecker NIST-Test.4.8.2.2 EE $NIST ../../certs "{2.5.29.32.0}" E TrustAnchorRootCertificate.crt NoPoliciesCACert.crt AllCertificatesNoPoliciesTest2EE.crt +pkixutil test_policychecker NIST-Test.4.8.3.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt PoliciesP2subCACert.crt DifferentPoliciesTest3EE.crt +pkixutil test_policychecker NIST-Test.4.8.3.2 EE $NIST ../../certs "{2.5.29.32.0}" E TrustAnchorRootCertificate.crt GoodCACert.crt PoliciesP2subCACert.crt DifferentPoliciesTest3EE.crt +pkixutil test_policychecker NIST-Test.4.8.3.3 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1:2.16.840.1.101.3.2.1.48.2}" E TrustAnchorRootCertificate.crt GoodCACert.crt PoliciesP2subCACert.crt DifferentPoliciesTest3EE.crt +pkixutil test_policychecker NIST-Test.4.8.4 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt GoodsubCACert.crt DifferentPoliciesTest4EE.crt +pkixutil test_policychecker NIST-Test.4.8.5 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt PoliciesP2subCA2Cert.crt DifferentPoliciesTest5EE.crt +pkixutil test_policychecker NIST-Test.4.8.6.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt PoliciesP1234CACert.crt PoliciesP1234subCAP123Cert.crt PoliciesP1234subsubCAP123P12Cert.crt OverlappingPoliciesTest6EE.crt +pkixutil test_policychecker NIST-Test.4.8.6.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt PoliciesP1234CACert.crt PoliciesP1234subCAP123Cert.crt PoliciesP1234subsubCAP123P12Cert.crt OverlappingPoliciesTest6EE.crt +pkixutil test_policychecker NIST-Test.4.8.6.3 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" TrustAnchorRootCertificate.crt PoliciesP1234CACert.crt PoliciesP1234subCAP123Cert.crt PoliciesP1234subsubCAP123P12Cert.crt OverlappingPoliciesTest6EE.crt +pkixutil test_policychecker NIST-Test.4.8.7 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt PoliciesP123CACert.crt 
PoliciesP123subCAP12Cert.crt PoliciesP123subsubCAP12P1Cert.crt DifferentPoliciesTest7EE.crt +pkixutil test_policychecker NIST-Test.4.8.8 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt PoliciesP12CACert.crt PoliciesP12subCAP1Cert.crt PoliciesP12subsubCAP1P2Cert.crt DifferentPoliciesTest8EE.crt +pkixutil test_policychecker NIST-Test.4.8.9 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt PoliciesP123CACert.crt PoliciesP123subCAP12Cert.crt PoliciesP123subsubCAP12P2Cert.crt PoliciesP123subsubsubCAP12P2P1Cert.crt +pkixutil test_policychecker NIST-Test.4.8.10.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt PoliciesP12CACert.crt AllCertificatesSamePoliciesTest10EE.crt +pkixutil test_policychecker NIST-Test.4.8.10.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt PoliciesP12CACert.crt AllCertificatesSamePoliciesTest10EE.crt +pkixutil test_policychecker NIST-Test.4.8.10.3 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" TrustAnchorRootCertificate.crt PoliciesP12CACert.crt AllCertificatesSamePoliciesTest10EE.crt +pkixutil test_policychecker NIST-Test.4.8.11.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt anyPolicyCACert.crt AllCertificatesanyPolicyTest11EE.crt +pkixutil test_policychecker NIST-Test.4.8.11.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt anyPolicyCACert.crt AllCertificatesanyPolicyTest11EE.crt +pkixutil test_policychecker NIST-Test.4.8.12 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt PoliciesP3CACert.crt DifferentPoliciesTest12EE.crt +pkixutil test_policychecker NIST-Test.4.8.13.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt PoliciesP123CACert.crt AllCertificatesSamePoliciesTest13EE.crt +pkixutil test_policychecker NIST-Test.4.8.13.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" TrustAnchorRootCertificate.crt PoliciesP123CACert.crt 
AllCertificatesSamePoliciesTest13EE.crt +pkixutil test_policychecker NIST-Test.4.8.13.3 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.3}" TrustAnchorRootCertificate.crt PoliciesP123CACert.crt AllCertificatesSamePoliciesTest13EE.crt +pkixutil test_policychecker NIST-Test.4.8.14.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt anyPolicyCACert.crt AnyPolicyTest14EE.crt +pkixutil test_policychecker NIST-Test.4.8.14.2 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" E TrustAnchorRootCertificate.crt anyPolicyCACert.crt AnyPolicyTest14EE.crt +pkixutil test_policychecker NIST-Test.4.8.15.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" E TrustAnchorRootCertificate.crt UserNoticeQualifierTest15EE.crt +pkixutil test_policychecker NIST-Test.4.8.15.2 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" E TrustAnchorRootCertificate.crt UserNoticeQualifierTest15EE.crt +pkixutil test_policychecker NIST-Test.4.8.16.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" E TrustAnchorRootCertificate.crt GoodCACert.crt UserNoticeQualifierTest16EE.crt +pkixutil test_policychecker NIST-Test.4.8.16.2 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" E TrustAnchorRootCertificate.crt GoodCACert.crt UserNoticeQualifierTest16EE.crt +pkixutil test_policychecker NIST-Test.4.8.17 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt UserNoticeQualifierTest17EE.crt +pkixutil test_policychecker NIST-Test.4.8.18.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt PoliciesP12CACert.crt UserNoticeQualifierTest18EE.crt +pkixutil test_policychecker NIST-Test.4.8.18.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" TrustAnchorRootCertificate.crt PoliciesP12CACert.crt UserNoticeQualifierTest18EE.crt +pkixutil test_policychecker NIST-Test.4.8.19 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt UserNoticeQualifierTest19EE.crt +pkixutil test_policychecker NIST-Test.4.8.20 ENE 
$NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt CPSPointerQualifierTest20EE.crt +pkixutil test_policychecker NIST-Test.4.9.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy10CACert.crt requireExplicitPolicy10subCACert.crt requireExplicitPolicy10subsubCACert.crt requireExplicitPolicy10subsubsubCACert.crt ValidrequireExplicitPolicyTest1EE.crt +pkixutil test_policychecker NIST-Test.4.9.2 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy5CACert.crt requireExplicitPolicy5subCACert.crt requireExplicitPolicy5subsubCACert.crt requireExplicitPolicy5subsubsubCACert.crt ValidrequireExplicitPolicyTest2EE.crt +pkixutil test_policychecker NIST-Test.4.9.3 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy4CACert.crt requireExplicitPolicy4subCACert.crt requireExplicitPolicy4subsubCACert.crt requireExplicitPolicy4subsubsubCACert.crt InvalidrequireExplicitPolicyTest3EE.crt +pkixutil test_policychecker NIST-Test.4.9.4 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy0CACert.crt requireExplicitPolicy0subCACert.crt requireExplicitPolicy0subsubCACert.crt requireExplicitPolicy0subsubsubCACert.crt ValidrequireExplicitPolicyTest4EE.crt +pkixutil test_policychecker NIST-Test.4.9.5 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy7CACert.crt requireExplicitPolicy7subCARE2Cert.crt requireExplicitPolicy7subsubCARE2RE4Cert.crt requireExplicitPolicy7subsubsubCARE2RE4Cert.crt InvalidrequireExplicitPolicyTest5EE.crt +pkixutil test_policychecker NIST-Test.4.9.6 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy2CACert.crt requireExplicitPolicy2SelfIssuedCACert.crt ValidSelfIssuedrequireExplicitPolicyTest6EE.crt +pkixutil test_policychecker NIST-Test.4.9.7 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt 
requireExplicitPolicy2CACert.crt requireExplicitPolicy2SelfIssuedCACert.crt requireExplicitPolicy2subCACert.crt InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt +pkixutil test_policychecker NIST-Test.4.9.8 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy2CACert.crt requireExplicitPolicy2SelfIssuedCACert.crt requireExplicitPolicy2subCACert.crt requireExplicitPolicy2SelfIssuedsubCACert.crt InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt +pkixutil test_policychecker NIST-Test.4.10.1.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt Mapping1to2CACert.crt ValidPolicyMappingTest1EE.crt +pkixutil test_policychecker NIST-Test.4.10.1.2 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" TrustAnchorRootCertificate.crt Mapping1to2CACert.crt ValidPolicyMappingTest1EE.crt +pkixutil test_policychecker NIST-Test.4.10.1.3 EE $NIST ../../certs "{2.5.29.32.0}" P TrustAnchorRootCertificate.crt Mapping1to2CACert.crt ValidPolicyMappingTest1EE.crt +pkixutil test_policychecker NIST-Test.4.10.2.1 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt Mapping1to2CACert.crt InvalidPolicyMappingTest2EE.crt +pkixutil test_policychecker NIST-Test.4.10.2.2 EE $NIST ../../certs "{2.5.29.32.0}" P TrustAnchorRootCertificate.crt Mapping1to2CACert.crt InvalidPolicyMappingTest2EE.crt +pkixutil test_policychecker NIST-Test.4.10.3.1 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt P12Mapping1to3CACert.crt P12Mapping1to3subCACert.crt P12Mapping1to3subsubCACert.crt ValidPolicyMappingTest3EE.crt +pkixutil test_policychecker NIST-Test.4.10.3.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" TrustAnchorRootCertificate.crt P12Mapping1to3CACert.crt P12Mapping1to3subCACert.crt P12Mapping1to3subsubCACert.crt ValidPolicyMappingTest3EE.crt +pkixutil test_policychecker NIST-Test.4.10.4 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt P12Mapping1to3CACert.crt 
P12Mapping1to3subCACert.crt P12Mapping1to3subsubCACert.crt InvalidPolicyMappingTest4EE.crt +pkixutil test_policychecker NIST-Test.4.10.5.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt P1Mapping1to234CACert.crt P1Mapping1to234subCACert.crt ValidPolicyMappingTest5EE.crt +pkixutil test_policychecker NIST-Test.4.10.5.2 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.6}" TrustAnchorRootCertificate.crt P1Mapping1to234CACert.crt P1Mapping1to234subCACert.crt ValidPolicyMappingTest5EE.crt +pkixutil test_policychecker NIST-Test.4.10.6.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt P1Mapping1to234CACert.crt P1Mapping1to234subCACert.crt ValidPolicyMappingTest6EE.crt +pkixutil test_policychecker NIST-Test.4.10.6.2 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.6}" TrustAnchorRootCertificate.crt P1Mapping1to234CACert.crt P1Mapping1to234subCACert.crt ValidPolicyMappingTest6EE.crt TrustAnchorRootCertificate.crt +pkixutil test_policychecker NIST-Test.4.10.7.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt MappingFromanyPolicyCACert.crt +pkixutil test_policychecker NIST-Test.4.10.7.2 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt MappingFromanyPolicyCACert.crt InvalidMappingFromanyPolicyTest7EE.crt +pkixutil test_policychecker NIST-Test.4.10.8.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt MappingToanyPolicyCACert.crt +pkixutil test_policychecker NIST-Test.4.10.8.2 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt MappingToanyPolicyCACert.crt InvalidMappingToanyPolicyTest8EE.crt +pkixutil test_policychecker NIST-Test.4.10.9 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt PanyPolicyMapping1to2CACert.crt ValidPolicyMappingTest9EE.crt +pkixutil test_policychecker NIST-Test.4.10.10 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt GoodsubCAPanyPolicyMapping1to2CACert.crt 
InvalidPolicyMappingTest10EE.crt +pkixutil test_policychecker NIST-Test.4.10.11 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt GoodsubCAPanyPolicyMapping1to2CACert.crt ValidPolicyMappingTest11EE.crt +pkixutil test_policychecker NIST-Test.4.10.12.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt P12Mapping1to3CACert.crt ValidPolicyMappingTest12EE.crt +pkixutil test_policychecker NIST-Test.4.10.12.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" TrustAnchorRootCertificate.crt P12Mapping1to3CACert.crt ValidPolicyMappingTest12EE.crt +pkixutil test_policychecker NIST-Test.4.10.13 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt P1anyPolicyMapping1to2CACert.crt ValidPolicyMappingTest13EE.crt +pkixutil test_policychecker NIST-Test.4.10.14 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt P1anyPolicyMapping1to2CACert.crt ValidPolicyMappingTest14EE.crt +pkixutil test_policychecker NIST-Test.4.11.1.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping0CACert.crt inhibitPolicyMapping0subCACert.crt +pkixutil test_policychecker NIST-Test.4.11.1.2 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping0CACert.crt inhibitPolicyMapping0subCACert.crt InvalidinhibitPolicyMappingTest1EE.crt +pkixutil test_policychecker NIST-Test.4.11.2 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P12CACert.crt inhibitPolicyMapping1P12subCACert.crt ValidinhibitPolicyMappingTest2EE.crt +pkixutil test_policychecker NIST-Test.4.11.3 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P12CACert.crt inhibitPolicyMapping1P12subCACert.crt inhibitPolicyMapping1P12subsubCACert.crt InvalidinhibitPolicyMappingTest3EE.crt +pkixutil test_policychecker NIST-Test.4.11.4 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt 
inhibitPolicyMapping1P12CACert.crt inhibitPolicyMapping1P12subCACert.crt inhibitPolicyMapping1P12subsubCACert.crt ValidinhibitPolicyMappingTest4EE.crt +pkixutil test_policychecker NIST-Test.4.11.5 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping5CACert.crt inhibitPolicyMapping5subCACert.crt inhibitPolicyMapping5subsubCACert.crt inhibitPolicyMapping5subsubsubCACert.crt InvalidinhibitPolicyMappingTest5EE.crt +pkixutil test_policychecker NIST-Test.4.11.6 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P12CACert.crt inhibitPolicyMapping1P12subCAIPM5Cert.crt inhibitPolicyMapping1P12subsubCAIPM5Cert.crt InvalidinhibitPolicyMappingTest6EE.crt +pkixutil test_policychecker NIST-Test.4.11.7 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P1CACert.crt inhibitPolicyMapping1P1SelfIssuedCACert.crt inhibitPolicyMapping1P1subCACert.crt ValidSelfIssuedinhibitPolicyMappingTest7EE.crt +pkixutil test_policychecker NIST-Test.4.11.8 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P1CACert.crt inhibitPolicyMapping1P1SelfIssuedCACert.crt inhibitPolicyMapping1P1subCACert.crt inhibitPolicyMapping1P1subsubCACert.crt InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt +pkixutil test_policychecker NIST-Test.4.11.9 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P1CACert.crt inhibitPolicyMapping1P1SelfIssuedCACert.crt inhibitPolicyMapping1P1subCACert.crt inhibitPolicyMapping1P1subsubCACert.crt InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt +pkixutil test_policychecker NIST-Test.4.11.10 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P1CACert.crt inhibitPolicyMapping1P1SelfIssuedCACert.crt inhibitPolicyMapping1P1subCACert.crt inhibitPolicyMapping1P1SelfIssuedsubCACert.crt InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt +pkixutil test_policychecker 
NIST-Test.4.11.11 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P1CACert.crt inhibitPolicyMapping1P1SelfIssuedCACert.crt inhibitPolicyMapping1P1subCACert.crt inhibitPolicyMapping1P1SelfIssuedsubCACert.crt InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt +pkixutil test_policychecker NIST-Test.4.12.1 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy0CACert.crt InvalidinhibitAnyPolicyTest1EE.crt +pkixutil test_policychecker NIST-Test.4.12.2 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy0CACert.crt ValidinhibitAnyPolicyTest2EE.crt +pkixutil test_policychecker NIST-Test.4.12.3.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1subCA1Cert.crt inhibitAnyPolicyTest3EE.crt +pkixutil test_policychecker NIST-Test.4.12.3.2 EE $NIST ../../certs "{2.5.29.32.0}" A TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1subCA1Cert.crt inhibitAnyPolicyTest3EE.crt +pkixutil test_policychecker NIST-Test.4.12.4 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1subCA1Cert.crt InvalidinhibitAnyPolicyTest4EE.crt +pkixutil test_policychecker NIST-Test.4.12.5 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy5CACert.crt inhibitAnyPolicy5subCACert.crt inhibitAnyPolicy5subsubCACert.crt InvalidinhibitAnyPolicyTest5EE.crt +pkixutil test_policychecker NIST-Test.4.12.6 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1subCAIAP5Cert.crt InvalidinhibitAnyPolicyTest6EE.crt +pkixutil test_policychecker NIST-Test.4.12.7 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1SelfIssuedCACert.crt inhibitAnyPolicy1subCA2Cert.crt ValidSelfIssuedinhibitAnyPolicyTest7EE.crt +pkixutil 
test_policychecker NIST-Test.4.12.8 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1SelfIssuedCACert.crt inhibitAnyPolicy1subCA2Cert.crt inhibitAnyPolicy1subsubCA2Cert.crt InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt +pkixutil test_policychecker NIST-Test.4.12.9 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1SelfIssuedCACert.crt inhibitAnyPolicy1subCA2Cert.crt inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt ValidSelfIssuedinhibitAnyPolicyTest9EE.crt +pkixutil test_policychecker NIST-Test.4.12.10 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1SelfIssuedCACert.crt inhibitAnyPolicy1subCA2Cert.crt InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.1 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt ValidDNnameConstraintsTest1EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.2 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt InvalidDNnameConstraintsTest2EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.3 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt InvalidDNnameConstraintsTest3EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.4 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt ValidDNnameConstraintsTest4EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.5 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN2CACert.crt ValidDNnameConstraintsTest5EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.6 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN3CACert.crt ValidDNnameConstraintsTest6EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.7 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN3CACert.crt InvalidDNnameConstraintsTest7EE.crt +pkixutil 
test_basicconstraintschecker NIST-Test.4.13.8 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN4CACert.crt InvalidDNnameConstraintsTest8EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.9 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN4CACert.crt InvalidDNnameConstraintsTest9EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.10 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN5CACert.crt InvalidDNnameConstraintsTest10EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.11 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN5CACert.crt ValidDNnameConstraintsTest11EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.12 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt nameConstraintsDN1subCA1Cert.crt InvalidDNnameConstraintsTest12EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.13 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt nameConstraintsDN1subCA2Cert.crt InvalidDNnameConstraintsTest13EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.14 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt nameConstraintsDN1subCA2Cert.crt ValidDNnameConstraintsTest14EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.15 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN3CACert.crt nameConstraintsDN3subCA1Cert.crt InvalidDNnameConstraintsTest15EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.16 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN3CACert.crt nameConstraintsDN3subCA1Cert.crt InvalidDNnameConstraintsTest16EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.17 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN3CACert.crt nameConstraintsDN3subCA2Cert.crt InvalidDNnameConstraintsTest17EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.18 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN3CACert.crt nameConstraintsDN3subCA2Cert.crt 
ValidDNnameConstraintsTest18EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.19 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt nameConstraintsDN1SelfIssuedCACert.crt ValidDNnameConstraintsTest19EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.20 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt InvalidDNnameConstraintsTest20EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.21 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA1Cert.crt ValidRFC822nameConstraintsTest21EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.22 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA1Cert.crt InvalidRFC822nameConstraintsTest22EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.23 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA2Cert.crt ValidRFC822nameConstraintsTest23EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.24 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA2Cert.crt InvalidRFC822nameConstraintsTest24EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.25 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA3Cert.crt ValidRFC822nameConstraintsTest25EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.26 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA3Cert.crt InvalidRFC822nameConstraintsTest26EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.27 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt nameConstraintsDN1subCA3Cert.crt ValidDNandRFC822nameConstraintsTest27EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.28 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt nameConstraintsDN1subCA3Cert.crt InvalidDNandRFC822nameConstraintsTest28EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.29 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt nameConstraintsDN1subCA3Cert.crt 
InvalidDNandRFC822nameConstraintsTest29EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.30 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDNS1CACert.crt ValidDNSnameConstraintsTest30EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.31 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDNS1CACert.crt InvalidDNSnameConstraintsTest31EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.32 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDNS2CACert.crt ValidDNSnameConstraintsTest32EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.33 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDNS2CACert.crt InvalidDNSnameConstraintsTest33EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.34 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsURI1CACert.crt ValidURInameConstraintsTest34EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.35 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsURI1CACert.crt InvalidURInameConstraintsTest35EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.36 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsURI2CACert.crt ValidURInameConstraintsTest36EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.37 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsURI2CACert.crt InvalidURInameConstraintsTest37EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.38 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDNS1CACert.crt InvalidDNSnameConstraintsTest38EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.16.1 ENE $NIST TrustAnchorRootCertificate.crt ValidUnknownNotCriticalCertificateExtensionTest1EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.16.2 EE $NIST TrustAnchorRootCertificate.crt InvalidUnknownCriticalCertificateExtensionTest2EE.crt +pkixutil test_buildchain_uchecker NIST-Test.4.1.1-without-OID ENE - $NIST ValidCertificatePathTest1EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil 
test_buildchain_uchecker NIST-Test.4.1.1-with-OID-without-forwardSupport ENE 2.5.29.19 $NIST ValidCertificatePathTest1EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain_uchecker NIST-Test.4.1.1-with-OID-forwardSupport ENE F2.5.29.19 $NIST ValidCertificatePathTest1EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.1.1 ENE $NIST ValidCertificatePathTest1EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.1.2 EE $NIST InvalidCASignatureTest2EE.crt BadSignedCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.1.3 EE $NIST InvalidEESignatureTest3EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.1.4 ENE $NIST ValidDSASignaturesTest4EE.crt DSACACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.1.5 ENE $NIST ValidDSAParameterInheritanceTest5EE.crt DSAParametersInheritedCACert.crt DSACACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.1.6 EE $NIST InvalidDSASignatureTest6EE.crt DSACACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.2.1 EE $NIST InvalidCAnotBeforeDateTest1EE.crt BadnotBeforeDateCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.2.2 EE $NIST InvalidEEnotBeforeDateTest2EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.2.3 ENE $NIST Validpre2000UTCnotBeforeDateTest3EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.2.4 ENE $NIST ValidGeneralizedTimenotBeforeDateTest4EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.2.5 EE $NIST InvalidCAnotAfterDateTest5EE.crt BadnotAfterDateCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.2.6 EE 
$NIST InvalidEEnotAfterDateTest6EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.2.7 EE $NIST Invalidpre2000UTCEEnotAfterDateTest7EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.2.8 ENE $NIST ValidGeneralizedTimenotAfterDateTest8EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.3.1 EE $NIST InvalidNameChainingTest1EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.3.2 EE $NIST InvalidNameChainingOrderTest2EE.crt NameOrderingCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.3.3 ENE $NIST ValidNameChainingWhitespaceTest3EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.3.4 ENE $NIST ValidNameChainingWhitespaceTest4EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.3.5 ENE $NIST ValidNameChainingCapitalizationTest5EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.3.6 ENE $NIST ValidNameUIDsTest6EE.crt UIDCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain - NIST-Test.4.3.7 ENE $NIST ValidRFC3280MandatoryAttributeTypesTest7EE.crt RFC3280MandatoryAttributeTypesCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.3.9 ENE $NIST ValidUTF8StringEncodedNamesTest9EE.crt UTF8StringEncodedNamesCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.3.10 ENE $NIST ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt RolloverfromPrintableStringtoUTF8StringCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.3.11 ENE $NIST ValidUTF8StringCaseInsensitiveMatchTest11EE.crt UTF8StringCaseInsensitiveMatchCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} 
NIST-Test.4.4.1 EE $NIST InvalidMissingCRLTest1EE.crt NoCRLCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.2 EE $NIST InvalidRevokedCATest2EE.crt RevokedsubCACert.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.3 EE $NIST InvalidRevokedEETest3EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.4 EE $NIST InvalidBadCRLSignatureTest4EE.crt BadCRLSignatureCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.5 EE $NIST InvalidBadCRLIssuerNameTest5EE.crt BadCRLIssuerNameCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.6 EE $NIST InvalidWrongCRLTest6EE.crt WrongCRLCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.7 ENE $NIST ValidTwoCRLsTest7EE.crt TwoCRLsCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.8 EE $NIST InvalidUnknownCRLEntryExtensionTest8EE.crt UnknownCRLEntryExtensionCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.9 EE $NIST InvalidUnknownCRLExtensionTest9EE.crt UnknownCRLExtensionCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.10 EE $NIST InvalidUnknownCRLExtensionTest10EE.crt UnknownCRLExtensionCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.11 EE $NIST InvalidOldCRLnextUpdateTest11EE.crt OldCRLnextUpdateCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.12 EE $NIST Invalidpre2000CRLnextUpdateTest12EE.crt pre2000CRLnextUpdateCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.13 ENE $NIST ValidGeneralizedTimeCRLnextUpdateTest13EE.crt GeneralizedTimeCRLnextUpdateCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.14 ENE $NIST 
ValidNegativeSerialNumberTest14EE.crt NegativeSerialNumberCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.15 EE $NIST InvalidNegativeSerialNumberTest15EE.crt NegativeSerialNumberCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.16 ENE $NIST ValidLongSerialNumberTest16EE.crt LongSerialNumberCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.17 ENE $NIST ValidLongSerialNumberTest17EE.crt LongSerialNumberCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.18 EE $NIST InvalidLongSerialNumberTest18EE.crt LongSerialNumberCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.20 EE $NIST InvalidSeparateCertificateandCRLKeysTest20EE.crt SeparateCertificateandCRLKeysCRLSigningCert.crt TrustAnchorRootCertificate.crt SeparateCertificateandCRLKeysCertificateSigningCACert.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.5.1 ENE $NIST ValidBasicSelfIssuedOldWithNewTest1EE.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt BasicSelfIssuedNewKeyCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.5.2 EE $NIST InvalidBasicSelfIssuedOldWithNewTest2EE.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt BasicSelfIssuedNewKeyCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.1 EE $NIST InvalidMissingbasicConstraintsTest1EE.crt MissingbasicConstraintsCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.2 EE $NIST InvalidcAFalseTest2EE.crt basicConstraintsCriticalcAFalseCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.3 EE $NIST InvalidcAFalseTest3EE.crt basicConstraintsNotCriticalcAFalseCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.4 ENE $NIST ValidbasicConstraintsNotCriticalTest4EE.crt 
basicConstraintsNotCriticalCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.5 EE $NIST InvalidpathLenConstraintTest5EE.crt pathLenConstraint0subCACert.crt pathLenConstraint0CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.6 EE $NIST InvalidpathLenConstraintTest6EE.crt pathLenConstraint0subCACert.crt pathLenConstraint0CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.7 ENE $NIST ValidpathLenConstraintTest7EE.crt pathLenConstraint0CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.8 ENE $NIST ValidpathLenConstraintTest8EE.crt pathLenConstraint0CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.9 EE $NIST InvalidpathLenConstraintTest9EE.crt pathLenConstraint6subCA0Cert.crt pathLenConstraint6subsubCA00Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.10 EE $NIST InvalidpathLenConstraintTest10EE.crt pathLenConstraint6subsubCA00Cert.crt pathLenConstraint6subCA0Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.11 EE $NIST InvalidpathLenConstraintTest11EE.crt pathLenConstraint6subsubsubCA11XCert.crt pathLenConstraint6subsubCA11Cert.crt pathLenConstraint6subCA1Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.12 EE $NIST InvalidpathLenConstraintTest12EE.crt pathLenConstraint6subsubsubCA11XCert.crt pathLenConstraint6subsubCA11Cert.crt pathLenConstraint6subCA1Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.13 ENE $NIST ValidpathLenConstraintTest13EE.crt pathLenConstraint6subsubsubCA41XCert.crt pathLenConstraint6subsubCA41Cert.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6CACert.crt 
TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.14 ENE $NIST ValidpathLenConstraintTest14EE.crt pathLenConstraint6subsubsubCA41XCert.crt pathLenConstraint6subsubCA41Cert.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.15 ENE $NIST ValidSelfIssuedpathLenConstraintTest15EE.crt pathLenConstraint0SelfIssuedCACert.crt pathLenConstraint0CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.16 EE $NIST InvalidSelfIssuedpathLenConstraintTest16EE.crt pathLenConstraint0subCA2Cert.crt pathLenConstraint0SelfIssuedCACert.crt pathLenConstraint0CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.17 ENE $NIST ValidSelfIssuedpathLenConstraintTest17EE.crt pathLenConstraint1SelfIssuedsubCACert.crt pathLenConstraint1subCACert.crt pathLenConstraint1SelfIssuedCACert.crt pathLenConstraint1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.7.1 EE $NIST InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt keyUsageCriticalkeyCertSignFalseCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.7.2 EE $NIST InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt keyUsageNotCriticalkeyCertSignFalseCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.7.3 ENE $NIST ValidkeyUsageNotCriticalTest3EE.crt keyUsageNotCriticalCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.7.4 EE $NIST InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt keyUsageCriticalcRLSignFalseCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.7.5 EE $NIST InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt keyUsageNotCriticalcRLSignFalseCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.1 ENE $NIST 
ValidDNnameConstraintsTest1EE.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.2 EE $NIST InvalidDNnameConstraintsTest2EE.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.3 EE $NIST InvalidDNnameConstraintsTest3EE.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.4 ENE $NIST ValidDNnameConstraintsTest4EE.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.5 ENE $NIST ValidDNnameConstraintsTest5EE.crt nameConstraintsDN2CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.6 ENE $NIST ValidDNnameConstraintsTest6EE.crt nameConstraintsDN3CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.7 EE $NIST InvalidDNnameConstraintsTest7EE.crt nameConstraintsDN3CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.8 EE $NIST InvalidDNnameConstraintsTest8EE.crt nameConstraintsDN4CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.9 EE $NIST InvalidDNnameConstraintsTest9EE.crt nameConstraintsDN4CACert.crt nameConstraintsDN4CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.10 EE $NIST InvalidDNnameConstraintsTest10EE.crt nameConstraintsDN5CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.11 ENE $NIST ValidDNnameConstraintsTest11EE.crt nameConstraintsDN5CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.12 EE $NIST InvalidDNnameConstraintsTest12EE.crt nameConstraintsDN1subCA1Cert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.13 EE $NIST InvalidDNnameConstraintsTest13EE.crt 
nameConstraintsDN1subCA2Cert.crt nameConstraintsDN1subCA2Cert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.14 ENE $NIST ValidDNnameConstraintsTest14EE.crt nameConstraintsDN1subCA2Cert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.15 EE $NIST InvalidDNnameConstraintsTest15EE.crt nameConstraintsDN3subCA1Cert.crt nameConstraintsDN3CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.16 EE $NIST InvalidDNnameConstraintsTest16EE.crt nameConstraintsDN3subCA1Cert.crt nameConstraintsDN3CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.17 EE $NIST InvalidDNnameConstraintsTest17EE.crt nameConstraintsDN3subCA2Cert.crt nameConstraintsDN3CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.18 ENE $NIST ValidDNnameConstraintsTest18EE.crt nameConstraintsDN3subCA2Cert.crt nameConstraintsDN3CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.19 ENE $NIST ValidDNnameConstraintsTest19EE.crt nameConstraintsDN1SelfIssuedCACert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.20 EE $NIST InvalidDNnameConstraintsTest20EE.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.21 ENE $NIST ValidRFC822nameConstraintsTest21EE.crt nameConstraintsRFC822CA1Cert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.22 EE $NIST InvalidRFC822nameConstraintsTest22EE.crt nameConstraintsRFC822CA1Cert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.23 ENE $NIST ValidRFC822nameConstraintsTest23EE.crt nameConstraintsRFC822CA2Cert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.24 EE $NIST 
InvalidRFC822nameConstraintsTest24EE.crt nameConstraintsRFC822CA2Cert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.25 ENE $NIST ValidRFC822nameConstraintsTest25EE.crt nameConstraintsRFC822CA3Cert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.26 EE $NIST InvalidRFC822nameConstraintsTest26EE.crt nameConstraintsRFC822CA3Cert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.27 ENE $NIST ValidDNandRFC822nameConstraintsTest27EE.crt nameConstraintsDN1subCA3Cert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.28 EE $NIST InvalidDNandRFC822nameConstraintsTest28EE.crt nameConstraintsDN1subCA3Cert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.29 EE $NIST InvalidDNandRFC822nameConstraintsTest29EE.crt nameConstraintsDN1subCA3Cert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.30 ENE $NIST ValidDNSnameConstraintsTest30EE.crt nameConstraintsDNS1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.31 EE $NIST InvalidDNSnameConstraintsTest31EE.crt nameConstraintsDNS1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.32 ENE $NIST ValidDNSnameConstraintsTest32EE.crt nameConstraintsDNS2CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.33 EE $NIST InvalidDNSnameConstraintsTest33EE.crt nameConstraintsDNS2CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.34 ENE $NIST ValidURInameConstraintsTest34EE.crt nameConstraintsURI1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.35 EE $NIST InvalidURInameConstraintsTest35EE.crt nameConstraintsURI1CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.36 ENE $NIST ValidURInameConstraintsTest36EE.crt nameConstraintsURI2CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.37 EE $NIST InvalidURInameConstraintsTest37EE.crt nameConstraintsURI2CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.38 EE $NIST InvalidDNSnameConstraintsTest38EE.crt nameConstraintsDNS1CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain_partialchain ${LDAP} NIST-Test.4.6.14 ENE $NIST ValidpathLenConstraintTest14EE.crt pathLenConstraint6subsubsubCA41XCert.crt pathLenConstraint6subsubCA41Cert.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain_partialchain ${LDAP} NIST-Test.4.6.14 ENE $NIST ValidpathLenConstraintTest14EE.crt pathLenConstraint6subsubsubCA41XCert.crt pathLenConstraint6subsubCA41Cert.crt TrustAnchorRootCertificate.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain_partialchain ${LDAP} NIST-Test.4.13.13 EE $NIST InvalidDNnameConstraintsTest13EE.crt nameConstraintsDN1subCA2Cert.crt nameConstraintsDN1subCA2Cert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain_partialchain ${LDAP} NIST-Test.4.13.27 ENE $NIST ValidDNandRFC822nameConstraintsTest27EE.crt nameConstraintsDN1subCA3Cert.crt nameConstraintsDN1subCA2Cert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-PDTest ENE ${NIST_PDTEST} certs/BasicHTTPURIPathDiscoveryTest2EE.crt certs/BasicHTTPURITrustAnchorRootCert.crt
+pkixutil test_ocsp -d ${HOSTDIR}/ocsp OCSP-Test ENE ${HOSTDIR}/ocsp anchorcert.crt goodcert.crt
+pkixutil test_ocsp -d ${HOSTDIR}/ocsp OCSP-Test EE ${HOSTDIR}/ocsp anchorcert.crt revokedcert.crt
+EOF
+
+totalErrors=$?
+totalErrors=`expr ${totalErrors} + ${tracedErrors}`
+
+html_msg ${totalErrors} 0 " ${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
+
+##########################################################
+#
+# Document NIST tests that are not currently running for builder...
+# 4.3.8 4.4.19 4.4.21
+#
+# Others
+# 4.5.4 4.5.5, 4.5.6, 4.5.7, 4.5.8
+# 4.14.* Distribution Point - functionality not yet implemented
+# 4.15.* Delta CRL - not supported
+##########################################################
+# Following tests are not run because of bugs beyond libpkix:
+#pkixutil test_validatechain NIST-Test.4.3.7 ENE $NIST TrustAnchorRootCertificate.crt RFC3280MandatoryAttributeTypesCACert.crt ValidRFC3280MandatoryAttributeTypesTest7EE.crt
+# pkixutil test_buildchain NIST-Test.4.3.8 ENE $NIST ValidRFC3280OptionalAttributeTypesTest8EE.crt RFC3280OptionalAttributeTypesCACert.crt TrustAnchorRootCertificate.crt
+
+# Following tests are not supported by libpkix : separate certificate
+# NIST test 4.4.19 and 4.4.21
+
+# Following tests are not supported by libpkix : cert dp, cert chain definition
+# NIST tests 4.5.4, 4.5.5
+#pkixutil test_buildchain NIST-Test.4.5.7 EE $NIST InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt TrustAnchorRootCertificate.crt BasicSelfIssuedCRLSigningKeyCACert.crt
+#pkixutil test_buildchain NIST-Test.4.5.8 EE $NIST InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt BasicSelfIssuedCRLSigningKeyCACert.crt TrustAnchorRootCertificate.crt
+
+
+# Following tests are not supported by libpkix : self-issued, multiple keys, one for cert, one for CRL
+#pkixutil test_validatechain NIST-Test.4.5.3 ENE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedOldKeyCACert.crt BasicSelfIssuedOldKeyNewWithOldCACert.crt ValidBasicSelfIssuedNewWithOldTest3EE.crt
+#pkixutil test_defaultcrlchecker NIST-Test.4.5.4 ENE $NIST/../crls $NIST/TrustAnchorRootCertificate.crt $NIST/BasicSelfIssuedOldKeyCACert.crt $NIST/BasicSelfIssuedOldKeyNewWithOldCACert.crt $NIST/ValidBasicSelfIssuedNewWithOldTest4EE.crt
+#pkixutil test_defaultcrlchecker NIST-Test.4.5.6 ENE $NIST/../crls $NIST/TrustAnchorRootCertificate.crt $NIST/BasicSelfIssuedCRLSigningKeyCACert.crt $NIST/BasicSelfIssuedCRLSigningKeyCRLCert.crt $NIST/ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt
+
+# Need to recreate certs with BC extension and Key Usage
+#pkixutil test_buildchain single_sig ENE build_data/single_path/signature/pass yassir2hanfei.crt greg2yassir.crt jes2greg.crt jes2jes.crt
+#pkixutil test_buildchain single-sig EE build_data/single_path/signature/fail yassir2hanfei.crt jes2jes.crt
+#pkixutil test_buildchain multi-sig ENE build_data/multi_path/signature/pass yassir2hanfei.crt greg2yassir.crt jes2greg.crt jes2jes.crt
+#pkixutil test_buildchain multi-sig EE build_data/multi_path/signature/fail yassir2hanfei.crt greg2yassir.crt yassir2hanfei.crt
+#pkixutil test_buildchain backtrack-sig ENE build_data/backtracking/signature yassir2hanfei.crt labs2yassir.crt jes2labs.crt jes2jes.crtn
diff --git a/security/nss/tests/libpkix/pkix_tests/top/secmod.db b/security/nss/tests/libpkix/pkix_tests/top/secmod.db
Binary files differ
new file mode 100644
index 000000000..772583d58
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/secmod.db
diff --git a/security/nss/tests/libpkix/pkix_tests/util/runTests.sh b/security/nss/tests/libpkix/pkix_tests/util/runTests.sh
new file mode 100755
index 000000000..a413535ef
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/util/runTests.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=UTIL
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+RunTests <<EOF
+pkixutil test_error
+pkixutil test_list
+pkixutil test_list2
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 " ${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
diff --git a/security/nss/tests/libpkix/runTests.sh b/security/nss/tests/libpkix/runTests.sh
new file mode 100755
index 000000000..190f5de6f
--- /dev/null
+++ b/security/nss/tests/libpkix/runTests.sh
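Review bot: Both `cd` calls around the sourcing of libpkix_init.sh are unchecked, and the script runs under `#!/bin/sh` with no `set -e`, so if `cd ../../common` fails the `.` line silently sources nothing (its output is already discarded by `> /dev/null`) and execution continues to `RunTests` with the helpers presumably undefined. Use `cd ../../common || exit 1` and `cd ${curdir} || exit 1` so a wrong working directory fails loudly instead of reporting a meaningless result. `ParseArgs $*` should be `ParseArgs "$@"` so arguments keep their word boundaries; the same pattern appears in the libpkix/runTests.sh and runPerf.sh hunks below.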
@@ -0,0 +1,87 @@ +#! /bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# runTests.sh# +# +# This script enables all tests to be run together. It simply cd's into +# the pkix_tests and pkix_pl_tests directories and runs test scripts +# +# This test is the original of libpkix.sh. While libpkix.sh is invoked by +# all.sh as a /bin/sh script, runTests.sh is a /bin/ksh and provides the +# options of checking memory and using different memory allcation schemes. +# + +errors=0 +pkixErrors=0 +pkixplErrors=0 +checkMemArg="" +arenasArg="" +quietArg="" +memText="" + +### ParseArgs +ParseArgs() # args +{ + while [ $# -gt 0 ]; do + if [ $1 = "-checkmem" ]; then + checkMemArg=$1 + memText=" (Memory Checking Enabled)" + elif [ $1 = "-quiet" ]; then + quietArg=$1 + elif [ $1 = "-arenas" ]; then + arenasArg=$1 + fi + shift + done +} + +ParseArgs $* + +echo "*******************************************************************************" +echo "START OF ALL TESTS${memText}" +echo "*******************************************************************************" +echo "" + +echo "RUNNING tests in pkix_pl_test"; +cd pkix_pl_tests; +runPLTests.sh ${arenasArg} ${checkMemArg} ${quietArg} +pkixplErrors=$? + +echo "RUNNING tests in pkix_test"; +cd ../pkix_tests; +runTests.sh ${arenasArg} ${checkMemArg} ${quietArg} +pkixErrors=$? + +echo "RUNNING tests in sample_apps (performance)"; +cd ../sample_apps; +runPerf.sh ${arenasArg} ${checkMemArg} ${quietArg} +pkixPerfErrors=$? 
+ +errors=`expr ${pkixplErrors} + ${pkixErrors} + ${pkixPerfErrors}` + +if [ ${errors} -eq 0 ]; then + echo "" + echo "************************************************************" + echo "END OF ALL TESTS: ALL TESTS COMPLETED SUCCESSFULLY" + echo "************************************************************" + exit 0 +fi + +if [ ${errors} -eq 1 ]; then + plural="" +else + plural="S" +fi + +echo "" +echo "************************************************************" +echo "END OF ALL TESTS: ${errors} TEST${plural} FAILED" +echo "************************************************************" +exit 1 + + + + diff --git a/security/nss/tests/libpkix/sample_apps/README b/security/nss/tests/libpkix/sample_apps/README new file mode 100755 index 000000000..012e7bf7e --- /dev/null +++ b/security/nss/tests/libpkix/sample_apps/README 
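Review bot: `runPLTests.sh`, `runTests.sh` and `runPerf.sh` are invoked by bare name right after `cd pkix_pl_tests;` etc., so they are resolved through `PATH` rather than from the directory just entered; unless `.` is on `PATH` they are not found at all, and if it is, any same-named program earlier on `PATH` is what runs. Prefer `./runPLTests.sh ${arenasArg} ${checkMemArg} ${quietArg}` (likewise `./runTests.sh` and `./runPerf.sh`), and check each directory change, e.g. `cd pkix_pl_tests || exit 1`, since a failed `cd` otherwise runs the next suite from the wrong directory and still reports its status. In `ParseArgs`, `[ $1 = "-checkmem" ]` leaves `$1` unquoted, so an empty argument becomes a `[` syntax error; write `[ "$1" = "-checkmem" ]` for all three comparisons. The header comment also says this script is `/bin/ksh` while the shebang is `#! /bin/sh`; one of the two should be corrected.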
@@ -0,0 +1,77 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +This directory contains both sample applications and performance evaluation +applications. + +SAMPLE APPLICATIONS + +Currently, there are two performance applications: libpkix_buildThreads and +nss_threads. And three sample applications: dumpcert, dumpcrl and +validateChain.. + +============================================================================ + +USAGE: dumpcert <certFile> + Parses a certificate located at <certFile> and displays it. + +Source: <root>/tests/sample_apps/dumpcert.c +Binary: <root>/bin/sample_apps/dumpcert + +============================================================================ + +USAGE: dumpcrl <crlFile> + Parses a CRL located at <crlFile> and displays it. + +Source: <root>/tests/sample_apps/dumpcrl.c +Binary: <root>/bin/sample_apps/dumpcrl + +============================================================================ + +USAGE: validateChain <trustedCert> <cert_1> <cert_2> ... <cert_n> + Validates a chain of n certificates using the given trust anchor. + +Source: <root>/tests/sample_apps/validateChain.c +Binary: <root>/bin/sample_apps/validateChain + +============================================================================ + +PERFORMANCE EVALUATION APPLICATIONS + +============================================================================ + +USAGE: libpkix_buildthreads <duration> <threads> <eecertNickname> + + Sets up and runs a PKIX_BuildChain call for the number of seconds + specified by <duration> using the number of threads specified by + <threads>. This application assumes that the NSS certutil application + has already been run to create the NSS databases and that the + various nicknames on the command line have been associated with + certificates in the NSS databases. 
The NSS databases MUST reside + in the directory where this file is located and MUST be named + "cert8.db", "key3.db", and "secmod.db". There must exist a nickname + in the databases which has been marked as trusted. + +Source: <root>/perf/libpkix_buildthreads/libpkix_buildthreads.c +Binary: <root>/perf/libpkix_buildthreads/*.OBJ/libpkix_buildthreads + +============================================================================ + +USAGE: nssThreads <duration> <threads> <eecertNickname> + + Sets up and runs a CERT_VerifyCertificate call for the number of + seconds specified by <duration> using the number of threads specified + by <threads>. This application assumes that the NSS certutil + application has already been run to create the NSS databases and that + the various nicknames on the command line have been associated with + certificates in the NSS databases. The NSS databases MUST reside + in the directory where this file is located and MUST be named + "cert8.db", "key3.db", and "secmod.db". There must exist a nickname in + the databases which has been marked as trusted. + +Source: <root>/perf/nss_threads/nss_threads.c +Binary: <root>/perf/nss_threads/*.OBJ/nss_threads + +============================================================================ + diff --git a/security/nss/tests/libpkix/sample_apps/cert8.db b/security/nss/tests/libpkix/sample_apps/cert8.db Binary files differnew file mode 100755 index 000000000..b39de42f1 --- /dev/null +++ b/security/nss/tests/libpkix/sample_apps/cert8.db diff --git a/security/nss/tests/libpkix/sample_apps/key3.db b/security/nss/tests/libpkix/sample_apps/key3.db Binary files differnew file mode 100755 index 000000000..9c03916ee --- /dev/null +++ b/security/nss/tests/libpkix/sample_apps/key3.db diff --git a/security/nss/tests/libpkix/sample_apps/runPerf.sh b/security/nss/tests/libpkix/sample_apps/runPerf.sh new file mode 100755 index 000000000..27b55215e --- /dev/null +++ b/security/nss/tests/libpkix/sample_apps/runPerf.sh 
@@ -0,0 +1,143 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# runPerf.sh +# + +curdir=`pwd` +cd ../common +. ./libpkix_init.sh > /dev/null +cd ${curdir} + +numtests=0 +passed=0 +testunit=PERFORMANCE + +totalErrors=0 +loopErrors=0 + +ParseArgs $* + +testHeadingEcho + +Display "\nRunning executables at ${DIST_BIN}" +Display "Using libraries at ${LD_LIBRARY_PATH}" + + +# Check the performance data ... +perfTest() +{ + + Display "" + Display "*******************************************************************************" + Display "START OF PKIX PERFORMANCE SCENARIOS ${memText}" +Display "*******************************************************************************" + Display "" + + while read perfPgm args; do + numtests=`expr ${numtests} + 1` + Display "Running ${perfPgm} ${args}" + if [ ${checkmem} -eq 1 ]; then + dbx -C -c "runargs $args; check -all ;run;exit" ${DIST_BIN}/${perfPgm} > ${testOut} 2>&1 + else + ${DIST_BIN}/${perfPgm} ${args} > ${testOut} 2>&1 + fi + + # Examine output file to see if test failed and keep track of number + # of failures and names of failed tests. This assumes that the test + # uses our utility library for displaying information + + outputCount=`cat ${testOut} | grep "per second"` + + if [ $? -ne 0 ]; then + errors=`expr ${errors} + 1` + failedpgms="${failedpgms}${perfPgm} ${args}\n" + cat ${testOut} + else + Display ${outputCount} + passed=`expr ${passed} + 1` + fi + + if [ ${checkmem} -eq 1 ]; then + grep "(actual leaks:" ${testOut} > ${testOutMem} 2>&1 + if [ $? -ne 0 ]; then + prematureErrors=`expr ${prematureErrors} + 1` + failedprematurepgms="${failedprematurepgms}${perfPgm} " + Display "...program terminated prematurely (unable to check for memory leak errors) ..." 
+ else + grep "(actual leaks: 1 total size: 4 bytes)" ${testOut} > /dev/null 2>&1 + if [ $? -ne 0 ]; then + memErrors=`expr ${memErrors} + 1` + failedmempgms="${failedmempgms}${perfPgm} " + Display ${testOutMem} + fi + fi + fi + done + return ${errors} +} + + +# If there is race condition bug, may this test catch it... +loopTest() +{ + totalLoop=10 + + Display "" + Display "*******************************************************************************" + Display "START OF TESTS FOR PKIX PERFORMANCE SANITY LOOP (${totalLoop} times)" +Display "*******************************************************************************" + Display "" + + errors=0 + iLoop=0 + perfPgm="${DIST_BIN}/pkixutil libpkix_buildthreads -d . 5 8 ValidCertificatePathTest1EE" + + while [ $iLoop -lt $totalLoop ] + do + iLoop=`expr $iLoop + 1` + numtests=`expr ${numtests} + 1` + + Display "Running ${perfPgm}" + ${perfPgm} > ${testOut} 2>&1 + Display `cat ${testOut} | grep "per second"` + + outputCount=`cat ${testOut} | grep "per second"` + + if [ $? -ne 0 ]; then + errors=`expr ${errors} + 1` + failedpgms="${failedpgms} ${perfPgm}\n" + cat ${testOut} + else + passed=`expr ${passed} + 1` + fi + done + + return ${errors} + +} + +#main +perfTest <<EOF +pkixutil libpkix_buildthreads -d . 5 1 ValidCertificatePathTest1EE +pkixutil libpkix_buildthreads -d . 5 8 ValidCertificatePathTest1EE +pkixutil nss_threads -d . 5 1 ValidCertificatePathTest1EE +pkixutil nss_threads -d . 5 8 ValidCertificatePathTest1EE +EOF + +totalErrors=$? +html_msg ${totalErrors} 0 " performance test: passed ${passed} of ${numtests} tests" + +numtests=0 +passed=0 +loopTest +loopErrors=$? +totalErrors=`expr ${totalErrors} + ${loopErrors}` +html_msg ${totalErrors} 0 " loop test: passed ${passed} of ${numtests} tests" + +testEndingEcho + +exit ${totalErrors} diff --git a/security/nss/tests/libpkix/sample_apps/secmod.db b/security/nss/tests/libpkix/sample_apps/secmod.db Binary files differnew file mode 100755 index 000000000..772583d58 
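Review bot: `errors` is never initialized in `perfTest`, whereas `loopTest` sets `errors=0` before its loop; unless libpkix_init.sh happens to define it, the first failing run evaluates `expr  + 1` (an expr syntax error) and `return ${errors}` degrades to a bare `return`, so `totalErrors=$?` after the heredoc does not reflect the failure. Add `errors=0` at the top of `perfTest` to match `loopTest`. The `prematureErrors` and `memErrors` counters in the checkmem branch have the same initialization issue and, more importantly, are never folded into the returned `errors`, so a detected leak or a prematurely terminated run does not fail the test; either add them to `errors` before `return` or report them through `html_msg` separately.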
--- /dev/null
+++ b/security/nss/tests/libpkix/sample_apps/secmod.db
diff --git a/security/nss/tests/libpkix/vfychain_test.lst b/security/nss/tests/libpkix/vfychain_test.lst
new file mode 100644
index 000000000..78d6185c3
--- /dev/null
+++ b/security/nss/tests/libpkix/vfychain_test.lst
@@ -0,0 +1,4 @@
+# Status | Leaf Cert | Policies | Others(undef)
+0 TestUser50 undef
+0 TestUser51 undef
+0 PayPalEE OID.2.16.840.1.114412.1.1
diff --git a/security/nss/tests/lowhash/lowhash.sh b/security/nss/tests/lowhash/lowhash.sh
new file mode 100644
index 000000000..6de255be4
--- /dev/null
+++ b/security/nss/tests/lowhash/lowhash.sh
@@ -0,0 +1,97 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# mozilla/security/nss/tests/lowhash/lowhash.sh +# +# Script to test basic functionallity of the NSSLoHash API +# +# included from +# -------------- +# all.sh +# +# needs to work on all Linux platforms +# +# tests implemented: +# lowash (verify encryption cert - bugzilla bug 119059) +# +# special strings +# --------------- +# +######################################################################## + +errors=0 + +############################## lowhash_init ############################## +# local shell function to initialize this script +######################################################################## +lowhash_init() +{ + SCRIPTNAME=lowhash.sh # sourced - $0 would point to all.sh + + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ../common + . ./init.sh + fi + LOWHASHDIR=../lowhash + mkdir -p ${LOWHASHDIR} + if [ -f /proc/sys/crypto/fips_enabled ]; then + FVAL=`cat /proc/sys/crypto/fips_enabled` + html_head "Lowhash Tests - /proc/sys/crypto/fips_enabled is ${FVAL}" + else + html_head "Lowhash Tests" + fi + cd ${LOWHASHDIR} +} + +############################## lowhash_test ############################## +# local shell function to test basic the NSS Low Hash API both in +# FIPS 140 compliant mode and not +######################################################################## +lowhash_test() +{ + if [ ! -f ${BINDIR}/lowhashtest -a \ + ! -f ${BINDIR}/lowhashtest${PROG_SUFFIX} ]; then + echo "freebl lowhash not supported in this plaform." 
+ else + TESTS="MD5 SHA1 SHA224 SHA256 SHA384 SHA512" + OLD_MODE=`echo ${NSS_FIPS}` + for fips_mode in 0 1; do + echo "lowhashtest with fips mode=${fips_mode}" + export NSS_FIPS=${fips_mode} + for TEST in ${TESTS} + do + echo "lowhashtest ${TEST}" + ${BINDIR}/lowhashtest ${TEST} 2>&1 + RESULT=$? + html_msg ${RESULT} 0 "lowhashtest with fips mode=${fips_mode} for ${TEST}" + done + done + export NSS_FIPS=${OLD_MODE} + fi +} + +############################## lowhash_cleanup ############################ +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +lowhash_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +################## main ################################################# + +lowhash_init +lowhash_test +lowhash_cleanup +echo "lowhash.sh done" diff --git a/security/nss/tests/memleak/ignored b/security/nss/tests/memleak/ignored new file mode 100644 index 000000000..60ed0db84 --- /dev/null +++ b/security/nss/tests/memleak/ignored 
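Review bot: `lowhash_test` restores the FIPS setting with `export NSS_FIPS=${OLD_MODE}`, which leaves `NSS_FIPS` exported as an empty string even when it was unset before the test; since the header says this script is sourced from all.sh, that exported variable persists into the suites that run afterwards, and whether the library treats an empty `NSS_FIPS` the same as an absent one is something to confirm rather than assume. Restore it conditionally: `if [ -z "${OLD_MODE}" ]; then unset NSS_FIPS; else export NSS_FIPS="${OLD_MODE}"; fi`. The capture `OLD_MODE=\`echo ${NSS_FIPS}\`` can be the plain assignment `OLD_MODE="${NSS_FIPS}"`, which avoids the subshell and the whitespace collapsing that `echo` of an unquoted value does. The `-a` in `[ ! -f ... -a ! -f ... ]` is the deprecated form; `[ ! -f "${BINDIR}/lowhashtest" ] && [ ! -f "${BINDIR}/lowhashtest${PROG_SUFFIX}" ]` is unambiguous.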
@@ -0,0 +1,58 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#367374
+**/PR_ErrorInstallTable**
+**/_PR_ImplicitInitialization/**
+**/_PR_InitCMon/ExpandMonitorCache/**
+**/_PR_InitCMon/PR_NewLock/**
+**/_PR_InitLinker/**
+**/_PR_InitTPD/**
+**/_PR_InitZones/pr_FindSymbolInProg/**
+**/_PR_UnixInit/PR_NewLock/**
+**/_PR_UnixInit/PR_NewMonitor/**
+
+#367376
+**/_PR_CreateThread/pthread_create@@GLIBC_**
+**/_PR_CreateThread/PR_Calloc/**
+
+#367384
+**/PR_LoadLibraryWithFlags/**
+**/pr_LoadLibraryByPathname/**
+**/PR_LoadLibrary/**
+
+#397487
+**/__rpc_getconfip/setnetconfig/**
+
+#401100
+**/testThreadLockingBehavior/pthread_create@@GLIBC_**
+**/findLockInfo/pthread_create@@GLIBC_**
+
+#430544
+**/PR_CallOnce/InitializeArenas/PR_NewLock/**
+
+#458905
+**/cert_createObject/nssTrustDomain_AddCertsToCache/add_cert_to_cache/**
+**/cert_createObject/nssTrustDomain_AddCertsToCache/nssArena_Create/**
+
+#459237
+**/PR_FormatTime/strftime/**
+**/PR_FormatTime/__strftime_std/**
+
+#463208
+**/sqlite3UnixFullPathname/_getcwd/**
+**/unixFullPathname/_getcwd/**
+
+#463631
+vfychain/main/PL_CreateOptState/**
+
+#486298
+selfserv/main/PORT_Strdup_Util**
+
+#497251
+**/FREEBL_InitStubs/dlopen@@GLIBC_**
+
+#679524
+**/nss_Init/PR_CallOnce/nss_doLockInit/**
+
diff --git a/security/nss/tests/memleak/memleak.sh b/security/nss/tests/memleak/memleak.sh
new file mode 100755
index 000000000..45e432bee
--- /dev/null
+++ b/security/nss/tests/memleak/memleak.sh
@@ -0,0 +1,915 @@ +#!/bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/memleak/memleak.sh +# +# Script to test memory leaks in NSS +# +# needs to work on Solaris and Linux platforms, on others just print a message +# that OS is not supported +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +######################################################################## + +############################# memleak_init ############################# +# local shell function to initialize this script +######################################################################## +memleak_init() +{ + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ../common + . ./init.sh + fi + + if [ ! -r ${CERT_LOG_FILE} ]; then + cd ${QADIR}/cert + . 
./cert.sh + fi + + SCRIPTNAME="memleak.sh" + if [ -z "${CLEANUP}" ] ; then + CLEANUP="${SCRIPTNAME}" + fi + + OLD_LIBRARY_PATH=${LD_LIBRARY_PATH} + TMP_LIBDIR="${HOSTDIR}/tmp" + TMP_STACKS="${HOSTDIR}/stacks" + TMP_SORTED="${HOSTDIR}/sorted" + TMP_COUNT="${HOSTDIR}/count" + DBXOUT="${HOSTDIR}/dbxout" + DBXERR="${HOSTDIR}/dbxerr" + DBXCMD="${HOSTDIR}/dbxcmd" + + PORT=${PORT:-8443} + + MODE_LIST="NORMAL BYPASS FIPS" + + SERVER_DB="${HOSTDIR}/server_memleak" + CLIENT_DB="${HOSTDIR}/client_memleak" + cp -r ${HOSTDIR}/server ${SERVER_DB} + cp -r ${HOSTDIR}/client ${CLIENT_DB} + + LOGDIR="${HOSTDIR}/memleak_logs" + mkdir -p ${LOGDIR} + + FOUNDLEAKS="${LOGDIR}/foundleaks" + + REQUEST_FILE="${QADIR}/memleak/sslreq.dat" + IGNORED_STACKS="${QADIR}/memleak/ignored" + + gline=`echo ${OBJDIR} | grep "_64_"` + if [ -n "${gline}" ] ; then + BIT_NAME="64" + else + BIT_NAME="32" + fi + + case "${OS_NAME}" in + "SunOS") + DBX=`which dbx` + AWK=nawk + + if [ $? -eq 0 ] ; then + echo "${SCRIPTNAME}: DBX found: ${DBX}" + else + echo "${SCRIPTNAME}: DBX not found, skipping memory leak checking." + exit 0 + fi + + PROC_ARCH=`uname -p` + + if [ "${PROC_ARCH}" = "sparc" ] ; then + if [ "${BIT_NAME}" = "64" ] ; then + FREEBL_DEFAULT="libfreebl_64fpu_3" + FREEBL_LIST="${FREEBL_DEFAULT} libfreebl_64int_3" + else + FREEBL_DEFAULT="libfreebl_32fpu_3" + FREEBL_LIST="${FREEBL_DEFAULT} libfreebl_32int64_3" + fi + else + if [ "${BIT_NAME}" = "64" ] ; then + echo "${SCRIPTNAME}: OS not supported for memory leak checking." + exit 0 + fi + + FREEBL_DEFAULT="libfreebl_3" + FREEBL_LIST="${FREEBL_DEFAULT}" + fi + + RUN_COMMAND_DBG="run_command_dbx" + PARSE_LOGFILE="parse_logfile_dbx" + ;; + "Linux") + VALGRIND=`which valgrind` + AWK=awk + + if [ $? -eq 0 ] ; then + echo "${SCRIPTNAME}: Valgrind found: ${VALGRIND}" + else + echo "${SCRIPTNAME}: Valgrind not found, skipping memory leak checking." 
+ exit 0 + fi + + FREEBL_DEFAULT="libfreebl_3" + FREEBL_LIST="${FREEBL_DEFAULT}" + + RUN_COMMAND_DBG="run_command_valgrind" + PARSE_LOGFILE="parse_logfile_valgrind" + ;; + *) + echo "${SCRIPTNAME}: OS not supported for memory leak checking." + exit 0 + ;; + esac + + if [ "${BUILD_OPT}" = "1" ] ; then + OPT="OPT" + else + OPT="DBG" + fi + + NSS_DISABLE_UNLOAD="1" + export NSS_DISABLE_UNLOAD + + SELFSERV_ATTR="-D -p ${PORT} -d ${SERVER_DB} -n ${HOSTADDR} -e ${HOSTADDR}-ec -w nss -c :C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014cdefgijklmnvyz -t 5 -V ssl3:tls1.2" + TSTCLNT_ATTR="-p ${PORT} -h ${HOSTADDR} -c j -f -d ${CLIENT_DB} -w nss -o" + STRSCLNT_ATTR="-q -p ${PORT} -d ${CLIENT_DB} -w nss -c 1000 -n TestUser ${HOSTADDR}" + + tbytes=0 + tblocks=0 + truns=0 + + MEMLEAK_DBG=1 + export MEMLEAK_DBG +} + +########################### memleak_cleanup ############################ +# local shell function to clean up after this script +######################################################################## +memleak_cleanup() +{ + unset MEMLEAK_DBG + unset NSS_DISABLE_UNLOAD + + . 
${QADIR}/common/cleanup.sh +} + +############################ set_test_mode ############################# +# local shell function to set testing mode for server and for client +######################################################################## +set_test_mode() +{ + if [ "${server_mode}" = "BYPASS" ] ; then + echo "${SCRIPTNAME}: BYPASS is ON" + SERVER_OPTION="-B -s" + CLIENT_OPTION="" + elif [ "${client_mode}" = "BYPASS" ] ; then + echo "${SCRIPTNAME}: BYPASS is ON" + SERVER_OPTION="" + CLIENT_OPTION="-B -s" + else + echo "${SCRIPTNAME}: BYPASS is OFF" + SERVER_OPTION="" + CLIENT_OPTION="" + fi + + if [ "${server_mode}" = "FIPS" ] ; then + ${BINDIR}/modutil -dbdir ${SERVER_DB} -fips true -force + ${BINDIR}/modutil -dbdir ${SERVER_DB} -list + ${BINDIR}/modutil -dbdir ${CLIENT_DB} -fips false -force + ${BINDIR}/modutil -dbdir ${CLIENT_DB} -list + + echo "${SCRIPTNAME}: FIPS is ON" + cipher_list="c d e i j k n v y z" + elif [ "${client_mode}" = "FIPS" ] ; then + + ${BINDIR}/modutil -dbdir ${SERVER_DB} -fips false -force + ${BINDIR}/modutil -dbdir ${SERVER_DB} -list + ${BINDIR}/modutil -dbdir ${CLIENT_DB} -fips true -force + ${BINDIR}/modutil -dbdir ${CLIENT_DB} -list + + echo "${SCRIPTNAME}: FIPS is ON" + cipher_list="c d e i j k n v y z" + else + ${BINDIR}/modutil -dbdir ${SERVER_DB} -fips false -force + ${BINDIR}/modutil -dbdir ${SERVER_DB} -list + ${BINDIR}/modutil -dbdir ${CLIENT_DB} -fips false -force + ${BINDIR}/modutil -dbdir ${CLIENT_DB} -list + + echo "${SCRIPTNAME}: FIPS is OFF" + # ciphers l and m removed, see bug 1136095 + cipher_list=":C001 :C002 :C003 :C004 :C005 :C006 :C007 :C008 :C009 :C00A :C010 :C011 :C012 :C013 :C014 c d e f g i j k n v y z" + fi +} + +############################## set_freebl ############################## +# local shell function to set freebl - sets temporary path for libraries +######################################################################## +set_freebl() +{ + if [ "${freebl}" = "${FREEBL_DEFAULT}" ] ; then + 
LD_LIBRARY_PATH="${OLD_LIBRARY_PATH}" + export LD_LIBRARY_PATH + else + if [ -d "${TMP_LIBDIR}" ] ; then + rm -rf ${TMP_LIBDIR} + fi + + mkdir ${TMP_LIBDIR} + [ $? -ne 0 ] && html_failed "Create temp directory" && return 1 + + cp ${DIST}/${OBJDIR}/lib/*.so ${DIST}/${OBJDIR}/lib/*.chk ${TMP_LIBDIR} + [ $? -ne 0 ] && html_failed "Copy libraries to temp directory" && return 1 + + echo "${SCRIPTNAME}: Using ${freebl} instead of ${FREEBL_DEFAULT}" + + mv ${TMP_LIBDIR}/${FREEBL_DEFAULT}.so ${TMP_LIBDIR}/${FREEBL_DEFAULT}.so.orig + [ $? -ne 0 ] && html_failed "Move ${FREEBL_DEFAULT}.so -> ${FREEBL_DEFAULT}.so.orig" && return 1 + + cp ${TMP_LIBDIR}/${freebl}.so ${TMP_LIBDIR}/${FREEBL_DEFAULT}.so + [ $? -ne 0 ] && html_failed "Copy ${freebl}.so -> ${FREEBL_DEFAULT}.so" && return 1 + + mv ${TMP_LIBDIR}/${FREEBL_DEFAULT}.chk ${TMP_LIBDIR}/${FREEBL_DEFAULT}.chk.orig + [ $? -ne 0 ] && html_failed "Move ${FREEBL_DEFAULT}.chk -> ${FREEBL_DEFAULT}.chk.orig" && return 1 + + cp ${TMP_LIBDIR}/${freebl}.chk ${TMP_LIBDIR}/${FREEBL_DEFAULT}.chk + [ $? 
-ne 0 ] && html_failed "Copy ${freebl}.chk to temp directory" && return 1 + + echo "ls -l ${TMP_LIBDIR}" + ls -l ${TMP_LIBDIR} + + LD_LIBRARY_PATH="${TMP_LIBDIR}" + export LD_LIBRARY_PATH + fi + + return 0 +} + +############################# clear_freebl ############################# +# local shell function to set default library path and clear temporary +# directory for libraries created by function set_freebl +######################################################################## +clear_freebl() +{ + LD_LIBRARY_PATH="${OLD_LIBRARY_PATH}" + export LD_LIBRARY_PATH + + if [ -d "${TMP_LIBDIR}" ] ; then + rm -rf ${TMP_LIBDIR} + fi +} + +############################ run_command_dbx ########################### +# local shell function to run command under dbx tool +######################################################################## +run_command_dbx() +{ + COMMAND=$1 + shift + ATTR=$* + + COMMAND=`which ${COMMAND}` + + echo "dbxenv follow_fork_mode parent" > ${DBXCMD} + echo "dbxenv rtc_mel_at_exit verbose" >> ${DBXCMD} + echo "dbxenv rtc_biu_at_exit verbose" >> ${DBXCMD} + echo "check -memuse -match 16 -frames 16" >> ${DBXCMD} + echo "run ${ATTR}" >> ${DBXCMD} + + export NSS_DISABLE_ARENA_FREE_LIST=1 + + echo "${SCRIPTNAME}: -------- Running ${COMMAND} under DBX:" + echo "${DBX} ${COMMAND}" + echo "${SCRIPTNAME}: -------- DBX commands:" + cat ${DBXCMD} + + ( ${DBX} ${COMMAND} < ${DBXCMD} > ${DBXOUT} 2> ${DBXERR} ) + grep -v Reading ${DBXOUT} 1>&2 + cat ${DBXERR} + + unset NSS_DISABLE_ARENA_FREE_LIST + + grep "exit code is" ${DBXOUT} + grep "exit code is 0" ${DBXOUT} > /dev/null + return $? 
+} + +######################### run_command_valgrind ######################### +# local shell function to run command under valgrind tool +######################################################################## +run_command_valgrind() +{ + COMMAND=$1 + shift + ATTR=$* + + export NSS_DISABLE_ARENA_FREE_LIST=1 + + echo "${SCRIPTNAME}: -------- Running ${COMMAND} under Valgrind:" + echo "${VALGRIND} --tool=memcheck --leak-check=yes --show-reachable=yes --partial-loads-ok=yes --leak-resolution=high --num-callers=50 ${COMMAND} ${ATTR}" + echo "Running: ${COMMAND} ${ATTR}" 1>&2 + ${VALGRIND} --tool=memcheck --leak-check=yes --show-reachable=yes --partial-loads-ok=yes --leak-resolution=high --num-callers=50 ${COMMAND} ${ATTR} 1>&2 + ret=$? + echo "==0==" + + unset NSS_DISABLE_ARENA_FREE_LIST + + return $ret +} + +############################# run_selfserv ############################# +# local shell function to start selfserv +######################################################################## +run_selfserv() +{ + echo "PATH=${PATH}" + echo "LD_LIBRARY_PATH=${LD_LIBRARY_PATH}" + echo "${SCRIPTNAME}: -------- Running selfserv:" + echo "selfserv ${SELFSERV_ATTR}" + ${BINDIR}/selfserv ${SELFSERV_ATTR} + ret=$? + if [ $ret -ne 0 ]; then + html_failed "${LOGNAME}: Selfserv" + echo "${SCRIPTNAME} ${LOGNAME}: " \ + "Selfserv produced a returncode of ${ret} - FAILED" + fi +} + +########################### run_selfserv_dbg ########################### +# local shell function to start selfserv under debug tool +######################################################################## +run_selfserv_dbg() +{ + echo "PATH=${PATH}" + echo "LD_LIBRARY_PATH=${LD_LIBRARY_PATH}" + ${RUN_COMMAND_DBG} ${BINDIR}/selfserv ${SERVER_OPTION} ${SELFSERV_ATTR} + ret=$? 
+ if [ $ret -ne 0 ]; then + html_failed "${LOGNAME}: Selfserv" + echo "${SCRIPTNAME} ${LOGNAME}: " \ + "Selfserv produced a returncode of ${ret} - FAILED" + fi +} + +############################# run_strsclnt ############################# +# local shell function to run strsclnt for all ciphers and send stop +# command to selfserv over tstclnt +######################################################################## +run_strsclnt() +{ + for cipher in ${cipher_list}; do + VMIN="ssl3" + VMAX="tls1.2" + case "${cipher}" in + f|g) + # TLS 1.1 disallows export cipher suites. + VMAX="tls1.0" + ;; + esac + ATTR="${STRSCLNT_ATTR} -C ${cipher} -V ${VMIN}:${VMAX}" + echo "${SCRIPTNAME}: -------- Trying cipher ${cipher}:" + echo "strsclnt ${ATTR}" + ${BINDIR}/strsclnt ${ATTR} + ret=$? + if [ $ret -ne 0 ]; then + html_failed "${LOGNAME}: Strsclnt with cipher ${cipher}" + echo "${SCRIPTNAME} ${LOGNAME}: " \ + "Strsclnt produced a returncode of ${ret} - FAILED" + fi + done + + ATTR="${TSTCLNT_ATTR} -V ssl3:tls1.2" + echo "${SCRIPTNAME}: -------- Stopping server:" + echo "tstclnt ${ATTR} < ${REQUEST_FILE}" + ${BINDIR}/tstclnt ${ATTR} < ${REQUEST_FILE} + ret=$? + if [ $ret -ne 0 ]; then + html_failed "${LOGNAME}: Tstclnt" + echo "${SCRIPTNAME} ${LOGNAME}: " \ + "Tstclnt produced a returncode of ${ret} - FAILED" + fi + + sleep 20 + kill $(jobs -p) 2> /dev/null +} + +########################### run_strsclnt_dbg ########################### +# local shell function to run strsclnt under debug tool for all ciphers +# and send stop command to selfserv over tstclnt +######################################################################## +run_strsclnt_dbg() +{ + for cipher in ${cipher_list}; do + VMIN="ssl3" + VMAX="tls1.2" + case "${cipher}" in + f|g) + # TLS 1.1 disallows export cipher suites. + VMAX="tls1.0" + ;; + esac + ATTR="${STRSCLNT_ATTR} -C ${cipher} -V ${VMIN}:${VMAX}" + ${RUN_COMMAND_DBG} ${BINDIR}/strsclnt ${CLIENT_OPTION} ${ATTR} + ret=$? 
+ if [ $ret -ne 0 ]; then + html_failed "${LOGNAME}: Strsclnt with cipher ${cipher}" + echo "${SCRIPTNAME} ${LOGNAME}: " \ + "Strsclnt produced a returncode of ${ret} - FAILED" + fi + done + + ATTR="${TSTCLNT_ATTR} -V ssl3:tls1.2" + echo "${SCRIPTNAME}: -------- Stopping server:" + echo "tstclnt ${ATTR} < ${REQUEST_FILE}" + ${BINDIR}/tstclnt ${ATTR} < ${REQUEST_FILE} + ret=$? + if [ $ret -ne 0 ]; then + html_failed "${LOGNAME}: Tstclnt" + echo "${SCRIPTNAME} ${LOGNAME}: " \ + "Tstclnt produced a returncode of ${ret} - FAILED" + fi + + kill $(jobs -p) 2> /dev/null +} + +stat_clear() +{ + stat_minbytes=9999999 + stat_maxbytes=0 + stat_minblocks=9999999 + stat_maxblocks=0 + stat_bytes=0 + stat_blocks=0 + stat_runs=0 +} + +stat_add() +{ + read hash lbytes bytes_str lblocks blocks_str in_str lruns runs_str \ + minbytes minbytes_str maxbytes maxbytes_str minblocks \ + minblocks_str maxblocks maxblocks_str rest < ${TMP_COUNT} + rm ${TMP_COUNT} + + tbytes=`expr ${tbytes} + ${lbytes}` + tblocks=`expr ${tblocks} + ${lblocks}` + truns=`expr ${truns} + ${lruns}` + + if [ ${stat_minbytes} -gt ${minbytes} ]; then + stat_minbytes=${minbytes} + fi + + if [ ${stat_maxbytes} -lt ${maxbytes} ]; then + stat_maxbytes=${maxbytes} + fi + + if [ ${stat_minblocks} -gt ${minblocks} ]; then + stat_minblocks=${minblocks} + fi + + if [ ${stat_maxblocks} -lt ${maxblocks} ]; then + stat_maxblocks=${maxblocks} + fi + + stat_bytes=`expr ${stat_bytes} + ${lbytes}` + stat_blocks=`expr ${stat_blocks} + ${lblocks}` + stat_runs=`expr ${stat_runs} + ${lruns}` +} + +stat_print() +{ + if [ ${stat_runs} -gt 0 ]; then + stat_avgbytes=`expr "${stat_bytes}" / "${stat_runs}"` + stat_avgblocks=`expr "${stat_blocks}" / "${stat_runs}"` + + echo + echo "$1 statistics:" + echo "Leaked bytes: ${stat_minbytes} min, ${stat_avgbytes} avg, ${stat_maxbytes} max" + echo "Leaked blocks: ${stat_minblocks} min, ${stat_avgblocks} avg, ${stat_maxblocks} max" + echo "Total runs: ${stat_runs}" + echo + fi +} + 
+########################## run_ciphers_server ########################## +# local shell function to test server part of code (selfserv) +######################################################################## +run_ciphers_server() +{ + html_head "Memory leak checking - server" + + stat_clear + + client_mode="NORMAL" + for server_mode in ${MODE_LIST}; do + set_test_mode + + for freebl in ${FREEBL_LIST}; do + set_freebl || continue + + LOGNAME=server-${BIT_NAME}-${freebl}-${server_mode} + LOGFILE=${LOGDIR}/${LOGNAME}.log + echo "Running ${LOGNAME}" + + ( + run_selfserv_dbg 2>> ${LOGFILE} & + sleep 5 + run_strsclnt + ) + + sleep 20 + clear_freebl + + log_parse + ret=$? + + html_msg ${ret} 0 "${LOGNAME}" "produced a returncode of $ret, expected is 0" + done + done + + stat_print "Selfserv" + + html "</TABLE><BR>" +} + +########################## run_ciphers_client ########################## +# local shell function to test client part of code (strsclnt) +######################################################################## +run_ciphers_client() +{ + html_head "Memory leak checking - client" + + stat_clear + + server_mode="NORMAL" + for client_mode in ${MODE_LIST}; do + set_test_mode + + for freebl in ${FREEBL_LIST}; do + set_freebl || continue + + LOGNAME=client-${BIT_NAME}-${freebl}-${client_mode} + LOGFILE=${LOGDIR}/${LOGNAME}.log + echo "Running ${LOGNAME}" + + ( + run_selfserv & + sleep 5 + run_strsclnt_dbg 2>> ${LOGFILE} + ) + + sleep 20 + clear_freebl + + log_parse + ret=$? 
+ html_msg ${ret} 0 "${LOGNAME}" "produced a returncode of $ret, expected is 0" + done + done + + stat_print "Strsclnt" + + html "</TABLE><BR>" +} + +########################## parse_logfile_dbx ########################### +# local shell function to parse and process logs from dbx +######################################################################## +parse_logfile_dbx() +{ + ${AWK} ' + BEGIN { + in_mel = 0 + mel_line = 0 + bytes = 0 + lbytes = 0 + minbytes = 9999999 + maxbytes = 0 + blocks = 0 + lblocks = 0 + minblocks = 9999999 + maxblocks = 0 + runs = 0 + stack_string = "" + bin_name = "" + } + /Memory Leak \(mel\):/ || + /Possible memory leak -- address in block \(aib\):/ || + /Block in use \(biu\):/ { + in_mel = 1 + stack_string = "" + next + } + in_mel == 1 && /^$/ { + print bin_name stack_string + in_mel = 0 + mel_line = 0 + next + } + in_mel == 1 { + mel_line += 1 + } + /Found leaked block of size/ { + bytes += $6 + blocks += 1 + next + } + /Found .* leaked blocks/ { + bytes += $8 + blocks += $2 + next + } + /Found block of size/ { + bytes += $5 + blocks += 1 + next + } + /Found .* blocks totaling/ { + bytes += $5 + blocks += $2 + next + } + mel_line > 2 { + gsub(/\(\)/, "") + new_line = $2 + stack_string = "/" new_line stack_string + next + } + /^Running: / { + bin_name = $2 + next + } + /execution completed/ { + runs += 1 + lbytes += bytes + minbytes = (minbytes < bytes) ? minbytes : bytes + maxbytes = (maxbytes > bytes) ? maxbytes : bytes + bytes = 0 + lblocks += blocks + minblocks = (minblocks < blocks) ? minblocks : blocks + maxblocks = (maxblocks > blocks) ? 
maxblocks : blocks + blocks = 0 + next + } + END { + print "# " lbytes " bytes " lblocks " blocks in " runs " runs " \ + minbytes " minbytes " maxbytes " maxbytes " minblocks " minblocks " \ + maxblocks " maxblocks " > "/dev/stderr" + }' 2> ${TMP_COUNT} + + stat_add +} + +######################## parse_logfile_valgrind ######################## +# local shell function to parse and process logs from valgrind +######################################################################## +parse_logfile_valgrind() +{ + ${AWK} ' + BEGIN { + in_mel = 0 + in_sum = 0 + bytes = 0 + lbytes = 0 + minbytes = 9999999 + maxbytes = 0 + blocks = 0 + lblocks = 0 + minblocks = 9999999 + maxblocks = 0 + runs = 0 + stack_string = "" + bin_name = "" + } + !/==[0-9]*==/ { + if ( $1 == "Running:" ) + bin_name = $2 + bin_nf = split(bin_name, bin_fields, "/") + bin_name = bin_fields[bin_nf] + next + } + /blocks are/ { + in_mel = 1 + stack_string = "" + next + } + /LEAK SUMMARY/ { + in_sum = 1 + next + } + /^==[0-9]*== *$/ { + if (in_mel) + print bin_name stack_string + if (in_sum) { + runs += 1 + lbytes += bytes + minbytes = (minbytes < bytes) ? minbytes : bytes + maxbytes = (maxbytes > bytes) ? maxbytes : bytes + bytes = 0 + lblocks += blocks + minblocks = (minblocks < blocks) ? minblocks : blocks + maxblocks = (maxblocks > blocks) ? 
maxblocks : blocks + blocks = 0 + } + in_sum = 0 + in_mel = 0 + next + } + in_mel == 1 { + new_line = $4 + if ( new_line == "(within") + new_line = "*" + stack_string = "/" new_line stack_string + } + in_sum == 1 { + for (i = 2; i <= NF; i++) { + if ($i == "bytes") { + str = $(i - 1) + gsub(",", "", str) + bytes += str + } + if ($i == "blocks.") { + str = $(i - 1) + gsub(",", "", str) + blocks += str + } + } + } + END { + print "# " lbytes " bytes " lblocks " blocks in " runs " runs " \ + minbytes " minbytes " maxbytes " maxbytes " minblocks " minblocks " \ + maxblocks " maxblocks " > "/dev/stderr" + }' 2> ${TMP_COUNT} + + stat_add +} + +############################# check_ignored ############################ +# local shell function to check all stacks if they are not ignored +######################################################################## +check_ignored() +{ + ${AWK} -F/ ' + BEGIN { + ignore = "'${IGNORED_STACKS}'" + # read in the ignore file + BUGNUM = "" + count = 0 + new = 0 + while ((getline line < ignore) > 0) { + if (line ~ "^#[0-9]+") { + BUGNUM = line + } else if (line ~ "^#") { + continue + } else if (line == "") { + continue + } else { + bugnum_array[count] = BUGNUM + # Create a regular expression for the ignored stack: + # replace * with % so we can later replace them with regular expressions + # without messing up everything (the regular expressions contain *) + gsub("\\*", "%", line) + # replace %% with .* + gsub("%%", ".*", line) + # replace % with [^/]* + gsub("%", "[^/]*", line) + # add ^ at the beginning + # add $ at the end + line_array[count] = "^" line "$" + count++ + } + } + } + { + match_found = 0 + # Look for matching ignored stack + for (i = 0; i < count; i++) { + if ($0 ~ line_array[i]) { + # found a match + match_found = 1 + bug_found = bugnum_array[i] + break + } + } + # Process result + if (match_found == 1 ) { + if (bug_found != "") { + print "IGNORED STACK (" bug_found "): " $0 + } else { + print "IGNORED STACK: " $0 + } + } 
else { + print "NEW STACK: " $0 + new = 1 + } + } + END { + exit new + }' + ret=$? + return $ret +} + +############################### parse_log ############################## +# local shell function to parse log file +######################################################################## +log_parse() +{ + ${PARSE_LOGFILE} < ${LOGFILE} > ${TMP_STACKS} + echo "${SCRIPTNAME}: Processing log ${LOGNAME}:" > ${TMP_SORTED} + cat ${TMP_STACKS} | sort -u | check_ignored >> ${TMP_SORTED} + ret=$? + echo >> ${TMP_SORTED} + + cat ${TMP_SORTED} | tee -a ${FOUNDLEAKS} + rm ${TMP_STACKS} ${TMP_SORTED} + + return ${ret} +} + +############################## cnt_total ############################### +# local shell function to count total leaked bytes +######################################################################## +cnt_total() +{ + echo "" + echo "TinderboxPrint:${OPT} Lk bytes: ${tbytes}" + echo "TinderboxPrint:${OPT} Lk blocks: ${tblocks}" + echo "TinderboxPrint:${OPT} # of runs: ${truns}" + echo "" +} + +############################### run_ocsp ############################### +# local shell function to run ocsp tests +######################################################################## +run_ocsp() +{ + stat_clear + + cd ${QADIR}/iopr + . ./ocsp_iopr.sh + ocsp_iopr_run + + stat_print "Ocspclnt" +} + +############################## run_chains ############################## +# local shell function to run PKIX certificate chains tests +######################################################################## +run_chains() +{ + stat_clear + + LOGNAME="chains" + LOGFILE=${LOGDIR}/chains.log + + . 
${QADIR}/chains/chains.sh + + stat_print "Chains" +} + +############################## run_chains ############################## +# local shell function to run memory leak tests +# +# NSS_MEMLEAK_TESTS - list of tests to run, if not defined before, +# then is redefined to default list +######################################################################## +memleak_run_tests() +{ + nss_memleak_tests="ssl_server ssl_client chains ocsp" + NSS_MEMLEAK_TESTS="${NSS_MEMLEAK_TESTS:-$nss_memleak_tests}" + + for MEMLEAK_TEST in ${NSS_MEMLEAK_TESTS} + do + case "${MEMLEAK_TEST}" in + "ssl_server") + run_ciphers_server + ;; + "ssl_client") + run_ciphers_client + ;; + "chains") + run_chains + ;; + "ocsp") + run_ocsp + ;; + esac + done +} + +################################# main ################################# + +memleak_init +memleak_run_tests +cnt_total +memleak_cleanup + diff --git a/security/nss/tests/memleak/sslreq.dat b/security/nss/tests/memleak/sslreq.dat new file mode 100644 index 000000000..1db703d1a --- /dev/null +++ b/security/nss/tests/memleak/sslreq.dat @@ -0,0 +1,2 @@ +GET /stop HTTP/1.0
+
diff --git a/security/nss/tests/merge/merge.sh b/security/nss/tests/merge/merge.sh new file mode 100755 index 000000000..1929b12c8 --- /dev/null +++ b/security/nss/tests/merge/merge.sh 
@@ -0,0 +1,277 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/merge/merge.sh +# +# Script to test NSS merge +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +######################################################################## + +############################## merge_init ############################## +# local shell function to initialize this script +######################################################################## +merge_init() +{ + SCRIPTNAME=merge.sh # sourced - $0 would point to all.sh + HAS_EXPLICIT_DB=0 + if [ ! -z "${NSS_DEFAULT_DB_TYPE}" ]; then + HAS_EXPLICIT_DB=1 + fi + + + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ../common + . ./init.sh + fi + if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here + cd ${QADIR}/cert + . ./cert.sh + fi + + if [ ! -d ${HOSTDIR}/SDR ]; then + cd ${QADIR}/sdr + . ./sdr.sh + fi + SCRIPTNAME=merge.sh + + html_head "Merge Tests" + + # need the SSL & SMIME directories from cert.sh + grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || { + Exit 11 "Fatal - S/MIME of cert.sh needs to pass first" + } + grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null || { + Exit 8 "Fatal - SSL of cert.sh needs to pass first" + } + + #temporary files for SDR tests + VALUE1=$HOSTDIR/tests.v1.$$ + VALUE3=$HOSTDIR/tests.v3.$$ + + # local directories used in this test. 
+ MERGEDIR=${HOSTDIR}/merge + R_MERGEDIR=../merge + D_MERGE="merge.$version" + # SDR not initialized in common/init + P_R_SDR=../SDR + D_SDR="SDR.$version" + mkdir -p ${MERGEDIR} + + PROFILE=. + if [ -n "${MULTIACCESS_DBM}" ]; then + PROFILE="multiaccess:${D_MERGE}" + P_R_SDR="multiaccess:${D_SDR}" + fi + + cd ${MERGEDIR} + + # clear out any existing databases, potentially from a previous run. + rm -f *.db + + # copy alicedir over as a seed database. + cp ${R_ALICEDIR}/* . + # copy the smime text samples + cp ${QADIR}/smime/*.txt . + + # create a set of conflicting names. + CONFLICT1DIR=conflict1 + CONFLICT2DIR=conflict2 + mkdir ${CONFLICT1DIR} + mkdir ${CONFLICT2DIR} + # in the upgrade mode (dbm->sql), make sure our test databases + # are dbm databases. + if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then + save=${NSS_DEFAULT_DB_TYPE} + NSS_DEFAULT_DB_TYPE= ; export NSS_DEFAULT_DB_TYPE + fi + + certutil -N -d ${CONFLICT1DIR} -f ${R_PWFILE} + certutil -N -d ${CONFLICT2DIR} -f ${R_PWFILE} + certutil -A -n Alice -t ,, -i ${R_CADIR}/TestUser41.cert -d ${CONFLICT1DIR} + # modify CONFLICTDIR potentially corrupting the database + certutil -A -n "Alice #1" -t C,, -i ${R_CADIR}/TestUser42.cert -d ${CONFLICT1DIR} -f ${R_PWFILE} + certutil -M -n "Alice #1" -t ,, -d ${CONFLICT1DIR} -f ${R_PWFILE} + certutil -A -n "Alice #99" -t ,, -i ${R_CADIR}/TestUser43.cert -d ${CONFLICT1DIR} + certutil -A -n Alice -t ,, -i ${R_CADIR}/TestUser44.cert -d ${CONFLICT2DIR} + certutil -A -n "Alice #1" -t ,, -i ${R_CADIR}/TestUser45.cert -d ${CONFLICT2DIR} + certutil -A -n "Alice #99" -t ,, -i ${R_CADIR}/TestUser46.cert -d ${CONFLICT2DIR} + if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then + NSS_DEFAULT_DB_TYPE=${save}; export NSS_DEFAULT_DB_TYPE + fi + + # + # allow all the tests to run in standalone mode. + # in standalone mode, TEST_MODE is not set. 
+ # if NSS_DEFAULT_DB_TYPE is dbm, then test merge with dbm + # if NSS_DEFAULT_DB_TYPE is sql, then test merge with sql + # if NSS_DEFAULT_DB_TYPE is not set, then test database upgrade merge + # from dbm databases (created above) into a new sql db. + if [ -z "${TEST_MODE}" ] && [ ${HAS_EXPLICIT_DB} -eq 0 ]; then + echo "*** Using Standalone Upgrade DB mode" + NSS_DEFAULT_DB_TYPE=sql; export NSS_DEFAULT_DB_TYPE + echo certutil --upgrade-merge --source-dir ${P_R_ALICEDIR} --upgrade-id local -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE} + ${BINDIR}/certutil --upgrade-merge --source-dir ${P_R_ALICEDIR} --upgrade-id local -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE} + TEST_MODE=UPGRADE_DB + + fi + +} + +# +# this allows us to run this test for both merge and upgrade-merge cases. +# merge_cmd takes the potential upgrade-id and the rest of the certutil +# arguments. +# +merge_cmd() +{ + MERGE_CMD=--merge + if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then + MERGE_CMD="--upgrade-merge --upgrade-token-name OldDB --upgrade-id ${1}" + fi + shift + echo certutil ${MERGE_CMD} $* + ${PROFTOOL} ${BINDIR}/certutil ${MERGE_CMD} $* +} + + +merge_main() +{ + # first create a local sdr key and encrypt some data with it + # This will cause a colision with the SDR key in ../SDR. + echo "$SCRIPTNAME: Creating an SDR key & Encrypt" + echo "sdrtest -d ${PROFILE} -o ${VALUE3} -t Test2 -f ${R_PWFILE}" + ${PROFTOOL} ${BINDIR}/sdrtest -d ${PROFILE} -o ${VALUE3} -t Test2 -f ${R_PWFILE} + html_msg $? 0 "Creating SDR Key" + + # Now merge in Dave + # Dave's cert is already in alicedir, but his key isn't. This will make + # sure we are updating the keys and CKA_ID's on the certificate properly. + MERGE_ID=dave + echo "$SCRIPTNAME: Merging in Key for Existing user" + merge_cmd dave --source-dir ${P_R_DAVEDIR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE} + html_msg $? 
0 "Merging Dave" + + # Merge in server + # contains a CRL and new user certs + MERGE_ID=server + echo "$SCRIPTNAME: Merging in new user " + merge_cmd server --source-dir ${P_R_SERVERDIR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE} + html_msg $? 0 "Merging server" + + # Merge in ext_client + # contains a new certificate chain and additional trust flags + MERGE_ID=ext_client + echo "$SCRIPTNAME: Merging in new chain " + merge_cmd ext_client --source-dir ${P_R_EXT_CLIENTDIR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE} + html_msg $? 0 "Merging ext_client" + + # Merge conflicting nicknames in conflict1dir + # contains several certificates with nicknames that conflict with the target + # database + MERGE_ID=conflict1 + echo "$SCRIPTNAME: Merging in conflicting nicknames 1" + merge_cmd conflict1 --source-dir ${CONFLICT1DIR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE} + + html_msg $? 0 "Merging conflicting nicknames 1" + + # Merge conflicting nicknames in conflict2dir + # contains several certificates with nicknames that conflict with the target + # database + MERGE_ID=conflict2 + echo "$SCRIPTNAME: Merging in conflicting nicknames 1" + merge_cmd conflict2 --source-dir ${CONFLICT2DIR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE} + html_msg $? 0 "Merging conflicting nicknames 2" + + # Make sure conflicted names were properly sorted out. + echo "$SCRIPTNAME: Verify nicknames were deconflicted (Alice #4)" + certutil -L -n "Alice #4" -d ${PROFILE} + html_msg $? 0 "Verify nicknames were deconflicted (Alice #4)" + + # Make sure conflicted names were properly sorted out. + echo "$SCRIPTNAME: Verify nicknames were deconflicted (Alice #100)" + certutil -L -n "Alice #100" -d ${PROFILE} + html_msg $? 0 "Verify nicknames were deconflicted (Alice #100)" + + # Merge in SDR + # contains a secret SDR key + MERGE_ID=SDR + echo "$SCRIPTNAME: Merging in SDR " + merge_cmd sdr --source-dir ${P_R_SDR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE} + html_msg $? 
0 "Merging SDR" + + # insert a listing of the database into the log for diagonic purposes + ${BINDIR}/certutil -L -d ${PROFILE} + ${BINDIR}/crlutil -L -d ${PROFILE} + + # Make sure we can decrypt with our original SDR key generated above + echo "$SCRIPTNAME: Decrypt - With Original SDR Key" + echo "sdrtest -d ${PROFILE} -i ${VALUE3} -t Test2 -f ${R_PWFILE}" + ${PROFTOOL} ${BINDIR}/sdrtest -d ${PROFILE} -i ${VALUE3} -t Test2 -f ${R_PWFILE} + html_msg $? 0 "Decrypt - Value 3" + + # Make sure we can decrypt with our the SDR key merged in from ../SDR + echo "$SCRIPTNAME: Decrypt - With Merged SDR Key" + echo "sdrtest -d ${PROFILE} -i ${VALUE1} -t Test1 -f ${R_PWFILE}" + ${PROFTOOL} ${BINDIR}/sdrtest -d ${PROFILE} -i ${VALUE1} -t Test1 -f ${R_PWFILE} + html_msg $? 0 "Decrypt - Value 1" + + # Make sure we can sign with merge certificate + echo "$SCRIPTNAME: Signing with merged key ------------------" + echo "cmsutil -S -T -N Dave -H SHA1 -i alice.txt -d ${PROFILE} -p nss -o dave.dsig" + ${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Dave -H SHA1 -i alice.txt -d ${PROFILE} -p nss -o dave.dsig + html_msg $? 0 "Create Detached Signature Dave" "." + + echo "cmsutil -D -i dave.dsig -c alice.txt -d ${PROFILE} " + ${PROFTOOL} ${BINDIR}/cmsutil -D -i dave.dsig -c alice.txt -d ${PROFILE} + html_msg $? 0 "Verifying Dave's Detached Signature" + + # Make sure that trust objects were properly merged + echo "$SCRIPTNAME: verifying merged cert ------------------" + echo "certutil -V -n ExtendedSSLUser -u C -d ${PROFILE}" + ${PROFTOOL} ${BINDIR}/certutil -V -n ExtendedSSLUser -u C -d ${PROFILE} + html_msg $? 0 "Verifying ExtendedSSL User Cert" + + # Make sure that the crl got properly copied in + echo "$SCRIPTNAME: verifying merged crl ------------------" + echo "crlutil -L -n TestCA -d ${PROFILE}" + ${PROFTOOL} ${BINDIR}/crlutil -L -n TestCA -d ${PROFILE} + html_msg $? 
0 "Verifying TestCA CRL" + +} + +############################## smime_cleanup ########################### +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +merge_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +################## main ################################################# + +merge_init +merge_main +echo "TEST_MODE=${TEST_MODE}" +echo "NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE}" +merge_cleanup + + diff --git a/security/nss/tests/mksymlinks b/security/nss/tests/mksymlinks new file mode 100755 index 000000000..aae3386ce --- /dev/null +++ b/security/nss/tests/mksymlinks 
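Review bot: The certutil calls that populate the conflict databases in merge_init, and the `certutil -L -n "Alice #4"` / `"Alice #100"` checks in merge_main, invoke bare `certutil`, while the merge itself and the sdrtest/cmsutil/crlutil steps go through `${BINDIR}/…`; a bare name resolves through PATH, so those steps may exercise a system-installed NSS rather than the build under test, and a PATH miss leaves the conflict databases silently empty before the merge they are meant to stress. Prefix them as the rest of the script does, e.g. `${BINDIR}/certutil -N -d ${CONFLICT1DIR} -f ${R_PWFILE}`. merge_init also runs `rm -f *.db` immediately after an unchecked `cd ${MERGEDIR}`; `cd ${MERGEDIR} || Exit 1 "Fatal - cannot cd to ${MERGEDIR}"` keeps that deletion from landing in whatever directory the caller was in. merge_cmd forwards `$*` rather than `"$@"`, which is harmless for the current callers but would split any future argument containing whitespace.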
@@ -0,0 +1,115 @@ +#! /bin/sh + +O_OPTIONS=OFF +. `dirname $0`/header + +if [ $O_DEBUG = ON ] ; then + Debug "NTDIST $NTDIST" + Debug "UXDIST $UXDIST" + Debug "TESTSCRIPTDIR $TESTSCRIPTDIR" +fi + +if [ -d "$NSS_VER_DIR" ] ; then + cd $NSS_VER_DIR +else + glob_usage "cant cd to $NSS_VER_DIR Exiting" +fi + +if [ -d "$NTDIST" ] ; then + cd $NTDIST + if [ ! -h WINNT5.0_DBG.OBJ -a ! -d WINNT5.0_DBG.OBJ ] ; then + ln -s WINNT4.0_DBG.OBJ WINNT5.0_DBG.OBJ + fi + if [ ! -h WINNT5.0_DBG.OBJD -a ! -d WINNT5.0_DBG.OBJD ] ; then + ln -s WINNT4.0_DBG.OBJD WINNT5.0_DBG.OBJD + fi + if [ ! -h WINNT5.0_OPT.OBJ -a ! -d WINNT5.0_OPT.OBJ ] ; then + ln -s WINNT4.0_OPT.OBJ WINNT5.0_OPT.OBJ + fi + if [ ! -h WINNT5.1_DBG.OBJ -a ! -d WINNT5.1_DBG.OBJ ] ; then + ln -s WINNT4.0_DBG.OBJ WINNT5.1_DBG.OBJ + fi + if [ ! -h WINNT5.1_DBG.OBJD -a ! -d WINNT5.1_DBG.OBJD ] ; then + ln -s WINNT4.0_DBG.OBJD WINNT5.1_DBG.OBJD + fi + if [ ! -h WINNT5.1_OPT.OBJ -a ! -d WINNT5.1_OPT.OBJ ] ; then + ln -s WINNT4.0_OPT.OBJ WINNT5.1_OPT.OBJ + fi + + if [ $O_DEBUG = ON ] ; then + tell + fi +else + if [ $O_DEBUG = ON ] ; then + Debug "WARNING!!! cant cd to $NTDIST " + fi +fi + +if [ -d "$UXDIST" ] +then + cd $UXDIST +else + glob_usage "Error!!! cant cd to $UXDIST " +fi + +ErrorFlag=0 + +#if [ ! -h OSF1V5.1_DBG.OBJ -a ! -d OSF1V5.1_DBG.OBJ ] ; then + #ln -s OSF1V4.0D_DBG.OBJ OSF1V5.1_DBG.OBJ || ErrorFlag=1 +#fi +#if [ ! -h OSF1V5.1_OPT.OBJ -a ! -d OSF1V5.1_OPT.OBJ ] ; then + #ln -s OSF1V4.0D_OPT.OBJ OSF1V5.1_OPT.OBJ || ErrorFlag=1 +#fi +#if [ ! -h OSF1V5.0_DBG.OBJ -a ! -d OSF1V5.0_DBG.OBJ ] ; then + #ln -s OSF1V4.0D_DBG.OBJ OSF1V5.0_DBG.OBJ || ErrorFlag=1 +#fi +#if [ ! -h OSF1V5.0_OPT.OBJ -a ! -d OSF1V5.0_OPT.OBJ ] ; then + #ln -s OSF1V4.0D_OPT.OBJ OSF1V5.0_OPT.OBJ || ErrorFlag=1 +#fi +if [ ! -h SunOS5.9_64_DBG.OBJ -a ! -d SunOS5.9_64_DBG.OBJ ] ; then + ln -s SunOS5.8_64_DBG.OBJ SunOS5.9_64_DBG.OBJ || ErrorFlag=1 +fi +if [ ! -h SunOS5.9_64_OPT.OBJ -a ! 
-d SunOS5.9_64_OPT.OBJ ] ; then + ln -s SunOS5.8_64_OPT.OBJ SunOS5.9_64_OPT.OBJ || ErrorFlag=1 +fi +if [ ! -h SunOS5.9_DBG.OBJ -a ! -d SunOS5.9_DBG.OBJ ] ; then + ln -s SunOS5.8_DBG.OBJ SunOS5.9_DBG.OBJ || ErrorFlag=1 +fi +if [ ! -h SunOS5.9_OPT.OBJ -a ! -d SunOS5.9_OPT.OBJ ] ; then + ln -s SunOS5.8_OPT.OBJ SunOS5.9_OPT.OBJ || ErrorFlag=1 +fi +#sonmi - still leaving the section in there so 3.3 and 3.2 will not break +#since 5.8 is the masterbuild it should never be executed +#additionally: only creat link if the slave build is present, but +#master is not +#if [ ! -h SunOS5.8_DBG.OBJ -a ! -d SunOS5.8_DBG.OBJ ] ; then + #if [ -d SunOS5.6_DBG.OBJ ] ; then + #ln -s SunOS5.6_DBG.OBJ SunOS5.8_DBG.OBJ || ErrorFlag=1 + #fi +#fi +#if [ ! -h SunOS5.8_OPT.OBJ -a ! -d SunOS5.8_OPT.OBJ ] ; then + #if [ -d SunOS5.6_OPT.OBJ ] ; then + #ln -s SunOS5.6_OPT.OBJ SunOS5.8_OPT.OBJ || ErrorFlag=1 + #fi +#fi +#if [ ! -h Linux2.4_x86_glibc_PTH_DBG.OBJ -a ! -d Linux2.4_x86_glibc_PTH_DBG.OBJ] +#then + #ln -s Linux2.2_x86_glibc_PTH_DBG.OBJ Linux2.4_x86_glibc_PTH_DBG.OBJ || ErrorFlag=1 +#fi +#if [ ! -h Linux2.4_x86_glibc_PTH_OPT.OBJ -a ! -d Linux2.4_x86_glibc_PTH_OPT.OBJ] +#then + #ln -s Linux2.2_x86_glibc_PTH_OPT.OBJ Linux2.4_x86_glibc_PTH_OPT.OBJ || ErrorFlag=1 +#fi + +if [ ! -h SunOS5.9_i86pc_DBG.OBJ -a ! -d SunOS5.9_i86pc_DBG.OBJ ] ; then + ln -s SunOS5.8_i86pc_DBG.OBJ SunOS5.9_i86pc_DBG.OBJ || ErrorFlag=1 +fi +if [ ! -h SunOS5.9_i86pc_OPT.OBJ -a ! -d SunOS5.9_i86pc_OPT.OBJ ] ; then + ln -s SunOS5.8_i86pc_OPT.OBJ SunOS5.9_i86pc_OPT.OBJ || ErrorFlag=1 +fi + +if [ $O_DEBUG = ON ] ; then + tell +fi + +exit $ErrorFlag #no cleanup here, no tempfiles diff --git a/security/nss/tests/mpi/mpi.sh b/security/nss/tests/mpi/mpi.sh new file mode 100644 index 000000000..5cda51615 --- /dev/null +++ b/security/nss/tests/mpi/mpi.sh 
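Review bot: The `ln -s` calls in the `$NTDIST` section run without `|| ErrorFlag=1`, unlike every link in the `$UXDIST` section, so a failed NT symlink never reaches the final `exit $ErrorFlag`; and because `ErrorFlag=0` is only assigned after the NT block, adding the guard there also requires moving that initialisation above `if [ -d "$NTDIST" ]`. The `[ $O_DEBUG = ON ]` tests are unquoted, so if the sourced `header` ever leaves O_DEBUG empty they become a syntax error rather than false; `[ "$O_DEBUG" = ON ]` is the safe form. Both points apply to the whole file, whose top is at the start of the hunk.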
@@ -0,0 +1,40 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+mpi_init()
+{
+ SCRIPTNAME="mpi.sh"
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ] ; then
+ cd ../common
+ . ./init.sh
+ fi
+ SCRIPTNAME="mpi.sh"
+ html_head "MPI tests"
+}
+
+mpi_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+mpi_init
+tests=($(mpi_tests list | awk '{print $1}'))
+for test in "${tests[@]}"
+do
+ OUT=$(mpi_tests $test 2>&1)
+ [ ! -z "$OUT" ] && echo "$OUT"
+ OUT=`echo $OUT | grep -i 'error\|Assertion failure'`
+
+ if [ -n "$OUT" ] ; then
+ html_failed "mpi $test test"
+ else
+ html_passed "mpi $test test"
+ fi
+done
+
+mpi_cleanup
diff --git a/security/nss/tests/multinit/multinit.sh b/security/nss/tests/multinit/multinit.sh
new file mode 100755
index 000000000..6ec605f0e
--- /dev/null
+++ b/security/nss/tests/multinit/multinit.sh
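Review bot: The loop decides pass/fail solely by grepping the captured output for `error` / `Assertion failure` and never consults the exit status of `mpi_tests $test`, so a test binary that crashes or returns non-zero without printing one of those words is reported as passed, and if `mpi_tests` is not on PATH `tests` is empty and the loop records nothing at all — zero results look like a clean run. Invoke it through `${BINDIR}/mpi_tests` (presumably where the build places it, like the tools the other suites use) and fold the status into the verdict, e.g. `OUT=$(${BINDIR}/mpi_tests $test 2>&1); ret=$?` followed by `if [ $ret -ne 0 ] || [ -n "$(printf '%s\n' "$OUT" | grep -i 'error\|Assertion failure')" ]; then`. The `echo $OUT` feeding grep is unquoted, which word-splits and glob-expands the test output before it is searched; `printf '%s\n' "$OUT"` avoids that.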
@@ -0,0 +1,158 @@ +#! /bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/multinit/multinit.sh +# +# Script to test NSS multinit +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +######################################################################## + +############################## multinit_init ############################## +# local shell function to initialize this script +######################################################################## +multinit_init() +{ + SCRIPTNAME=multinit.sh # sourced - $0 would point to all.sh + + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ../common + . ./init.sh + fi + if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here + cd ../cert + . 
./cert.sh + fi + SCRIPTNAME=multinit.sh + + html_head "MULTI Tests" + + grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || { + Exit 11 "Fatal - S/MIME of cert.sh needs to pass first" + } + + # set up our directories + MULTINITDIR=${HOSTDIR}/multinit + MULTINITDIR_1=${MULTINITDIR}/dir1 + MULTINITDIR_2=${MULTINITDIR}/dir2 + MULTINITDIR_3=${MULTINITDIR}/dir3 + R_MULINITDIR=../multinit + R_MULTINITDIR_1=${R_MULTINITDIR}/dir1 + R_MULTINITDIR_2=${R_MULTINITDIR}/dir2 + R_MULTINITDIR_3=${R_MULTINITDIR}/dir3 + # first create them all + mkdir -p ${MULTINITDIR} + mkdir -p ${MULTINITDIR_1} + mkdir -p ${MULTINITDIR_2} + mkdir -p ${MULTINITDIR_3} + # now copy them fro alice, bob, and dave + cd ${MULTINITDIR} + cp ${P_R_ALICEDIR}/* ${MULTINITDIR_1}/ + cp ${P_R_BOBDIR}/* ${MULTINITDIR_2}/ + cp ${P_R_DAVEDIR}/* ${MULTINITDIR_3}/ + # finally delete the RootCerts module to keep the certificate noice in the + # summary lines down + echo | modutil -delete RootCerts -dbdir ${MULTINITDIR_1} + echo | modutil -delete RootCerts -dbdir ${MULTINITDIR_2} + echo | modutil -delete RootCerts -dbdir ${MULTINITDIR_3} + MULTINIT_TESTS=${QADIR}/multinit/multinit.txt +} + + +############################## multinit_main ############################## +# local shell function to test basic signed and enveloped messages +# from 1 --> 2" +######################################################################## +multinit_main() +{ + html_head "Multi init interface testing" + exec < ${MULTINIT_TESTS} + while read order commands shutdown_type dirs readonly testname + do + if [ "$order" != "#" ]; then + read tag expected_result + + # handle the case where we expect different results based on + # the database type. 
+ if [ "$tag" != "all" ]; then + read tag2 expected_result2 + if [ "$NSS_DEFAULT_DB_TYPE" == "$tag2" ]; then + expected_result=$expected_result2 + fi + fi + + # convert shutdown type to option flags + shutdown_command=""; + if [ "$shutdown_type" == "old" ]; then + shutdown_command="--oldStype" + fi + + # convert read only to option flags + ro_command=""; + case $readonly in + all) ro_command="--main_readonly --lib1_readonly --lib2_readonly";; + libs) ro_command="--lib1_readonly --lib2_readonly";; + main) ro_command="--main_readonly";; + lib1) ro_command="--lib1_readonly";; + lib2) ro_command="--lib2_readonly";; + none) ;; + *) ;; + esac + + # convert commands to option flags + main_command=`echo $commands | sed -e 's;,.*$;;'` + lib1_command=`echo $commands | sed -e 's;,.*,;+&+;' -e 's;^.*+,;;' -e 's;,+.*$;;'` + lib2_command=`echo $commands | sed -e 's;^.*,;;'` + + # convert db's to option flags + main_db=`echo $dirs | sed -e 's;,.*$;;'` + lib1_db=`echo $dirs | sed -e 's;,.*,;+&+;' -e 's;^.*+,;;' -e 's;,+.*$;;'` + lib2_db=`echo $dirs | sed -e 's;^.*,;;'` + + # show us the command we are executing + echo ${PROFILETOOL} ${BINDIR}/multinit --order $order --main_command $main_command --lib1_command $lib1_command --lib2_command $lib2_command $shutdown_command --main_db $main_db --lib1_db $lib1_db --lib2_db $lib2_db $ro_command --main_token_name "Main" --lib1_token_name "Lib1" --lib2_token_name "Lib2" --verbose --summary + + # execute the command an collect the result. 
Most of the user + # visible output goes to stderr, so it's not captured by the pipe + actual_result=`${PROFILETOOL} ${BINDIR}/multinit --order $order --main_command $main_command --lib1_command $lib1_command --lib2_command $lib2_command $shutdown_command --main_db $main_db --lib1_db $lib1_db --lib2_db $lib2_db $ro_command --main_token_name "Main" --lib1_token_name "Lib1" --lib2_token_name "Lib2" --verbose --summary | grep "^result=" | sed -e 's;^result=;;'` + + # show what we got and what we expected for diagnostic purposes + echo "actual = |$actual_result|" + echo "expected = |$expected_result|" + test "$actual_result" == "$expected_result" + html_msg $? 0 "$testname" + fi + done +} + +############################## multinit_cleanup ########################### +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +multinit_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +################## main ################################################# + +multinit_init +multinit_main +multinit_cleanup diff --git a/security/nss/tests/multinit/multinit.txt b/security/nss/tests/multinit/multinit.txt new file mode 100644 index 000000000..d5296dc0e --- /dev/null +++ b/security/nss/tests/multinit/multinit.txt 
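Review bot: The shebang is `#! /bin/sh`, yet `[ "$NSS_DEFAULT_DB_TYPE" == "$tag2" ]` and `test "$actual_result" == "$expected_result"` use the bash-only `==`; under a POSIX sh such as dash `test` rejects the operator with status 2, which `html_msg $? 0` would then record as a failure for every case — use `=` in both places, as `[ "$order" != "#" ]` already does for the negation. `R_MULINITDIR=../multinit` is a typo for `R_MULTINITDIR`, so the three `R_MULTINITDIR_n` values expand to `/dir1` and so on; nothing in this hunk reads them, but anything that does would get an absolute path. multinit_main also uses `exec < ${MULTINIT_TESTS}`, which permanently redirects stdin of the sourcing shell (all.sh) rather than just the loop; `done < ${MULTINIT_TESTS}` on the while gives the inner `read`s the same stream without that side effect. The bare `modutil -delete` calls should go through `${BINDIR}/` as the multinit binary does.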
@@ -0,0 +1,79 @@ +# +# This file defines the tests for multiple initialization of NSS in +# different libraries. +# +# Test description lines control the parameters for the multinit test program. +# +# Init order: Upper case/digits indicate an init call, lower case indicate +# a shutdown call. +# M,m-Main 1,i-lib1, 2,z-lib2 +# Main calls the traditional NSS init calls (simulating the main application) +# lib1 and lib2 call NSS_InitContext(). +# +# All functions call NSS_ShutdownContext unless 'main shutdown type' is set to +# 'old', in which case main will call the traditional NSS_Shutdown(). +# +# Commands: comma separated list of commands to execute. These simulate +# executing commands from either a library or main. In each cycle, multinit +# will do one initialize or shutdown, then execute all the commands +# for any of the libraries or main that is currently initialized. The same +# command is executed in each cycle that it's library is initialized. +# +# Commands are given in order or 'main','lib1','lib2'. Valid commands are: +# none - don't execute any commands for this library (or main). +# list_certs - list all the visible certs in the system. +# list_slots - list all the slots in the system. +# key_slot - list the current default key slot. +# +# Main Shutdown Type - which kind of shutdown does main call. See Init order. +# +# Directories - which directory should each init open. Listed in order of: +# (main init directory),(lib1 init directory),(lib2 init directory). +# +# RO - Which databases to open up read only, valid values are: +# all - main, lib1, and lib2 +# none - open all directories R/W +# libs - lib1 & lib2 +# main, lib1, lib2 - their respective directories only. +# +# Test description lines are followed by their expected summary output. +# output lines are of the form: +# +# tag expected output. 
+# +# where tag is one of +# all - applies to all database types +# sql - expected output for sql databases +# dbm - expected output for dbm databases +# +# if you do not specify all, you must have one line each for sql and dbm +# +# main +# init main,lib1,lib2 shutdown main,lib1,lib2 Test Case name +# order commands type directories RO +# ------ ------------------------ --- ----------- ----- -------------- + 1M2zmi list_slots,list_certs,none new dir1,dir2,dir3 all Progressive init +all 1C<Bob>uuuC<Dave>pppC<Eve>pppC<NSS Test CA>CTCCMS<NSS Generic Crypto Services>ttS<Main>ttS<Lib1>ttC<Alice>uuuC<Bob>pupupuC<Dave>pppC<Eve>pppC<NSS Test CA>CTCC2S<NSS Generic Crypto Services>ttS<Lib2>ttS<Main>ttS<Lib1>ttC<Alice>uuuC<Bob>pupupuC<Dave>pupupuC<Eve>pppC<NSS Test CA>CTCCZS<NSS Generic Crypto Services>ttS<Lib2>ttS<Main>ttS<Lib1>ttC<Alice>uuuC<Bob>pupupuC<Dave>pupupuC<Eve>pppC<NSS Test CA>CTCCNC<Alice>uuuC<Bob>pupupuC<Dave>pupupuC<Eve>pppC<NSS Test CA>CTCCI + 1M2zmi list_certs,none,none old dir1,dir2,dir3 all Progressive init - oldStyle +all 1MC<Alice>uuuC<Bob>pupupuC<Dave>pppC<Eve>pppC<NSS Test CA>CTCC2C<Alice>uuuC<Bob>pupupuC<Dave>pupupuC<Eve>pppC<NSS Test CA>CTCCZC<Alice>uuuC<Bob>pupupuC<Dave>pupupuC<Eve>pppC<NSS Test CA>CTCCNIE0xffffe09a + 12Mizm none,list_certs,none new dir1,dir2,dir3 all Sequenced init +all 1C<Bob>uuuC<Dave>pppC<Eve>pppC<NSS Test CA>CTCC2C<Bob>uuuC<Dave>pupupuC<Eve>pppC<NSS Test CA>CTCCMC<Alice>uuuC<Bob>pupupuC<Dave>pupupuC<Eve>pppC<NSS Test CA>CTCCIZN + 12Mizm none,list_certs,none old dir1,dir2,dir3 all Sequenced init - old Style +all 1C<Bob>uuuC<Dave>pppC<Eve>pppC<NSS Test CA>CTCC2C<Bob>uuuC<Dave>pupupuC<Eve>pppC<NSS Test CA>CTCCMC<Alice>uuuC<Bob>pupupuC<Dave>pupupuC<Eve>pppC<NSS Test CA>CTCCIZN + 1Mi2mz none,list_certs,list_slots new dir1,dir2,dir3 all Overlap shutdown +all 1C<Bob>uuuC<Dave>pppC<Eve>pppC<NSS Test CA>CTCCMC<Alice>uuuC<Bob>pupupuC<Dave>pppC<Eve>pppC<NSS Test CA>CTCCI2S<NSS Generic Crypto Services>ttS<Lib2>ttS<Main>ttS<Lib1>ttNS<NSS 
Generic Crypto Services>ttS<Lib2>ttS<Main>ttS<Lib1>ttZ + 1Mi2mz none,key_slot,none new dir1,dir2,dir3 all Keyslot test +all 1S<Lib1>ttMS<Main>ttI2NZ + M12miz none,key_slot,none new dir1,dir2,dir3 all Main init first +all M1S<Main>tt2S<Main>ttNS<Main>ttIZ + M12miz key_slot,none,none old dir1,dir2,dir3 all Main init first - old Style +all MS<Main>tt1S<Main>tt2S<Main>ttNIE0xffffe09aZE0xffffe09a + M12miz list_slots,none,none new dir1,dir1,dir2 all Loading the same directory twice +all MS<NSS Generic Crypto Services>ttS<Main>tt1S<NSS Generic Crypto Services>ttS<Main>tt2S<NSS Generic Crypto Services>ttS<Lib2>ttS<Main>ttNIZ + M12miz list_slots,none,none new dir1,dir1,dir2 libs Loading the same directory twice - r/w then ro +all MS<NSS Generic Crypto Services>ttS<Main>tf1S<NSS Generic Crypto Services>ttS<Main>tf2S<NSS Generic Crypto Services>ttS<Lib2>ttS<Main>tfNIZ + M12miz list_slots,none,none new dir1,dir1,dir2 main Loading the same directory twice - ro then r/w +sql MS<NSS Generic Crypto Services>ttS<Main>tt1S<NSS Generic Crypto Services>ttS<Lib1>tfS<Main>tt2S<NSS Generic Crypto Services>ttS<Lib2>tfS<Lib1>tfS<Main>ttNIZ +dbm MS<NSS Generic Crypto Services>ttS<Main>tt1S<NSS Generic Crypto Services>ttS<Main>tt2S<NSS Generic Crypto Services>ttS<Lib2>tfS<Main>ttNIZ + M12miM1zim key_slot,none,none old dir1,dir2,dir3 all Properly detect shutdown of a closed handle +all MS<Main>tt1S<Main>tt2S<Main>ttNIE0xffffe09aMS<Main>tt1S<Main>ttZE0xffffe09aS<Main>ttIS<Main>ttN diff --git a/security/nss/tests/nssdir b/security/nss/tests/nssdir new file mode 100755 index 000000000..884c299f5 --- /dev/null +++ b/security/nss/tests/nssdir 
@@ -0,0 +1,28 @@
+if ( "$2" == "" ) then
+ setenv BUILDDATE `date +%m%d`
+else
+ setenv BUILDDATE $2
+endif
+
+if ( "$1" == "" ) then
+ setenv NSSVER tip
+else
+ setenv NSSVER $1
+endif
+
+if ( ! ${?QAYEAR} ) then
+ setenv QAYEAR `date +%Y`
+else if ( "$QAYEAR" == "" ) then
+ setenv QAYEAR `date +%Y`
+
+endif
+
+setenv NSS_VER_DIR /share/builds/mccrel3/nss/nss$NSSVER
+setenv NTDIST ${NSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/blowfish_NT4.0_Win95/mozilla/dist
+setenv UXDIST ${NSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8/mozilla/dist
+setenv TESTSCRIPTDIR ${NSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8/mozilla/security/nss/tests
+setenv RESULTDIR ${NSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8/mozilla/tests_results/security
+
+cd ${NSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8
+pwd
+ls
diff --git a/security/nss/tests/nsspath b/security/nss/tests/nsspath
new file mode 100755
index 000000000..5d5ececc6
--- /dev/null
+++ b/security/nss/tests/nsspath
@@ -0,0 +1,12 @@
+#! /bin/tcsh
+
+set PWD=`pwd`
+source /u/sonmi/bin/nssdir $*
+set OBJDIR=`(cd mozilla/security/nss/tests/common; gmake objdir_name)`
+setenv PATH `perl /u/sonmi/bin/path_uniq -s "${PATH}:${UXDIST}/${OBJDIR}/bin"`
+if ( `uname -n` == "iws-perf" ) then
+ setenv LD_LIBRARY_PATH "${UXDIST}/${OBJDIR}/lib:/opt/nfast/toolkits/pkcs11"
+else
+ setenv LD_LIBRARY_PATH "${UXDIST}/${OBJDIR}/lib"
+endif
+cd $PWD
diff --git a/security/nss/tests/nssqa b/security/nss/tests/nssqa
new file mode 100755
index 000000000..441128155
--- /dev/null
+++ b/security/nss/tests/nssqa
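Review bot: nssdir has no header comment at all, and unlike the other scripts in this commit it says nothing about how it is meant to be used; the next hunk (nsspath) `source`s it with `$*`, so a reader of this file alone cannot tell what `$1` and `$2` are. A header such as `# sourced by nsspath (tcsh): $1 = NSS version (default tip), $2 = build date MMDD (default today); sets NSS_VER_DIR, NTDIST, UXDIST, TESTSCRIPTDIR, RESULTDIR and cd's into the Solaris build tree` would cover it. The `setenv BUILDDATE $2` and `setenv NSSVER $1` assignments are also unquoted; `setenv BUILDDATE "$2"` keeps csh from word-splitting an argument containing spaces.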
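Review bot: `source /u/sonmi/bin/nssdir $*` and `perl /u/sonmi/bin/path_uniq` hard-code a personal home directory even though this same commit adds both files beside nsspath under security/nss/tests, so the script only works on one machine and, because the sourced file runs in the caller's shell and its output becomes PATH and LD_LIBRARY_PATH, whoever can write that directory decides what the test run executes. Resolving them relative to the script, e.g. `set bindir=\`dirname $0\`` followed by `source $bindir/nssdir $*` and `perl $bindir/path_uniq -s ...`, removes both problems; tcsh sets `$0` when the script is executed but not reliably when nsspath is itself sourced, so confirm how it is invoked. `cd $PWD` on the last line should be `cd "$PWD"` since the saved directory is substituted unquoted.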
@@ -0,0 +1,286 @@ +#! /bin/sh + +######################################################################## +# +# /u/sonmi/bin/nssqa - /u/svbld/bin/init/nss/nssqa +# +# this script is supposed to automatically run QA for NSS on all required +# Unix and Windows (NT and 2000) platforms +# +# parameters +# ---------- +# nssversion (supported: 30b, 31, tip) +# builddate (default - today) +# +# options +# ------- +# -y answer all questions with y - use at your own risk...ignores warnings +# -s silent (only usefull with -y) +# -h, -? - you guessed right - displays this text +# -d debug +# -f <filename> - write the (error)output to filename +# -cron equivalient to -y -s -d -f $RESULTDIR/$HOST.nssqa +# +# 12/1/00 +# took out the (unused) local directory for releasebuild QA on NT +# cleaned up 32 - 64 bit issues +# took hardcoded machinenames out +######################################################################## + +O_OPTIONS=ON # accept options (see above for listing) +WIN_WAIT_FOREVER=ON # first we wait forever for a TESTDIR to appear, than + # we wait forever for the build to finish... + +TBX_EXIT=50 # in case we are running on a tinderbox build, any + # early exit needs to return an error +. `dirname $0`/header # utilities, shellfunctions etc, global to NSS QA + +if [ -z "$O_TBX" -o "$O_TBX" != "ON" ] ; then + is_running ${TMP}/nssqa + # checks if the file exists, if yes Exits, if not + # creates to implement a primitive locking mechanism +fi + +KILL_SELFSERV=OFF # cleanup will also kill the leftover selfserv processes + +################################ check_distdir ######################### +# local shell function to check if the DIST directory exists, if not there +# is no use to continue the test +######################################################################## +check_distdir() +{ + set_objdir + + if [ ! -d "$LOCALDIST_BIN" ] + then + Debug "Dist $DIST" + Warning "$LOCALDIST_BIN (the dist binaries dir) does not exist" + return 1 + fi + + if [ ! 
-d "$LOCALDIST" -a ! -h "$LOCALDIST" ] + then + Debug "Dist $DIST" + Warning "$LOCALDIST (the dist directory) does not exist" + return 1 + fi + + Debug "LOCALDIST_BIN $LOCALDIST_BIN" + Debug "Dist $DIST" + return 0 +} + +################################ run_all ############################### +# local shell function to start the all.sh after asking user and redirect +# the output apropriately +######################################################################## +run_all() +{ + check_distdir || return 1 + #kill_by_name selfserv + ask "Testing $OBJDIR continue with all.sh" "y" "n" || Exit + + Debug "running all.sh in `pwd`" + if [ $O_SILENT = ON ] + then + if [ $O_DEBUG = ON -a $O_FILE = ON ] + then + all.sh >>$FILENAME 2>>$FILENAME + else + all.sh >/dev/null 2>/dev/null + fi + else + all.sh + fi + Debug "Done with all.sh " + line +} + +all_sh() +{ + echo +} + + +########################### wait_for_build ############################# +# local shell function to wait until the build is finished +######################################################################## +wait_for_build() +{ + if [ $O_WIN = "ON" ] + then + WaitForever ${OSDIR}/SVbuild.InProgress.1 0 + #Wait for the build to finish Windows a lot longer + OS_TARGET=WINNT;export OS_TARGET;Debug "OS_TARGET set to $OS_TARGET" + QA_OS_NAME=`cd ${TESTSCRIPTDIR}/common; gmake objdir_name | \ + sed -e "s/WINNT4.0.*/Windows-NT-4.0/" -e "s/WINNT5.0.*/Windows-2000/"` + Echo "WINDOWS-OS-LINE: $QA_OS_NAME" + else + Wait ${OSDIR}/SVbuild.InProgress.1 0 + #Wait for the build to finish... 
Unix a few hours + qa_stat_get_sysinfo + Echo "UNIX-OS-LINE: $QA_OS" + fi + find_nt_masterbuild +} + + +########################### map_os ############################# +# local shell function: From the operatingsystem figure out the name of +# the build ; needed to detemine if the build finished, passed and for +# the directory names +######################################################################## +map_os32() +{ + case `uname -s` in + SunOS) + S_REL=`uname -r | sed -e "s/^[^\.]*\.//g"` + if [ `uname -p` = "i386" ] ; then + MAPPED_OS=Solaris8_x86 + elif [ "$S_REL" -lt 8 ] ; then + MAPPED_OS=Solaris2.6 + else + MAPPED_OS=Solaris8_forte6 + fi + ;; + OSF1) + MAPPED_OS=OSF1V4.0 + ;; + Darwin) + MAPPED_OS=Darwin6.5 + ;; + AIX) + MAPPED_OS=AIX4.3 + ;; + Linux) + RH_MR=`cat /etc/redhat-release | sed \ + -e "s/Red Hat Linux release //" -e "s/ .*//g" \ + -e "s/\..*//g"` + + if [ "$RH_MR" = "6" ] ; then + MAPPED_OS=Linux2.2 + else + MAPPED_OS=Linux2.4 + LD_ASSUME_KERNEL="2.2.5" + export LD_ASSUME_KERNEL + fi + ;; + HP-UX) + MAPPED_OS=HPUX11.00 + ;; + *) + if [ "$os_name" = "Windows" ] + then + MAPPED_OS=NT4.0 + else + Exit "Sorry, operating system `uname -s` is not supported yet" + fi + ;; + esac + set_osdir + Debug "Mapped OS to $MAPPED_OS" +} + +############################# nssqa_main ############################### +# local shell function main controlling function of the nss qa +######################################################################## +nssqa_main() +{ + Debug "In function nssqa_main" + + if [ $O_WIN = "OFF" -a "$O_TBX" = "OFF" -a $O_LOCAL = "OFF" ] ; then + if [ ! -h ${NTDIST}/WINNT5.0_DBG.OBJ -o \ + ! -h ${UXDIST}/SunOS5.8_OPT.OBJ -o \ + ! 
-h ${UXDIST}/OSF1V5.0_DBG.OBJ ] ; then + # determine if all needed symbolic links are present, in case + # we build on one platform and QA on another + # create the symbolic links + #mksymlinks $* || + `dirname $0`/mksymlinks $NSSVER $BUILDDATE || + Warning "Can't make the neccessary symbolic links" + fi + fi + + if [ -d $TESTSCRIPTDIR ] #the directory mozilla/security/nss/tests, + then # where all.sh lives + cd $TESTSCRIPTDIR + else + Exit "cant cd to $TESTSCRIPTDIR Exiting" + fi + + Debug "Testing from `pwd`" + line + Debug "HOST: $HOST, DOMSUF: $DOMSUF" + + if [ "$O_TBX" = "OFF" ] ; then + map_os32 # From the operatingsystem figure out the name of the build + Debug Testing build for $MAPPED_OS in $OSDIR + wait_for_build + fi + run_all + BUILD_OPT=1; export BUILD_OPT; Debug "BUILD_OPT $BUILD_OPT" + run_all + + # now for the 64 bit build! + map_os64 # From the operatingsystem figure out the name of the build + if [ -n "$IS_64" ] ; then #Wait for the 64 bit build to finish... + Debug "This is a $IS_64 platform" + USE_64=1;export USE_64;Debug "Use_64 set to $USE_64" + unset BUILD_OPT;export BUILD_OPT;Debug "BUILD_OPT $BUILD_OPT" + + run_all + BUILD_OPT=1; export BUILD_OPT; Debug "BUILD_OPT $BUILD_OPT" + run_all + elif [ "$O_WIN" = "ON" ] ; then + OS_TARGET=WIN95;export OS_TARGET + Debug "OS_TARGET set to $OS_TARGET" + #Echo "WINDOWS-OS-LINE: $os_name $os_full $OS_TARGET" + unset BUILD_OPT;export BUILD_OPT;Debug "BUILD_OPT $BUILD_OPT" + #if [ "$TEST_LEVEL" = "0" ] ; then + #QA_OS_NAME=`cd ${TESTSCRIPTDIR}/common; gmake objdir_name | \ + #sed -e "s/WINNT4.0.*/Windows-NT-4.0/" -e \ + #"s/WINNT5.0.*/Windows-2000/"` + #Echo "WINDOWS-OS-LINE: $QA_OS_NAME $OS_TARGET" + #fi + run_all + BUILD_OPT=1; export BUILD_OPT; Debug "BUILD_OPT $BUILD_OPT" + run_all + else + Debug "This is a 32 bit platform" + fi +} + +TEST_LEVEL=0 + +while [ $TEST_LEVEL -lt 2 ] ; do + export TEST_LEVEL + unset BUILD_OPT;export BUILD_OPT;Debug "BUILD_OPT $BUILD_OPT" + unset USE_64;export USE_64;Debug 
"USE_64 $USE_64" + bc $TEST_LEVEL + Debug "About to start nssqa_main" + if [ $O_FILE = ON -a "$O_WIN" != "ON" ] ; then + nssqa_main 2>>$FILENAME + else + nssqa_main + fi + if [ "$O_TBX" = "ON" ] ; then # do not do backward compatibility + TEST_LEVEL=3 # testing on tinderbox + else + TEST_LEVEL=`expr $TEST_LEVEL + 1 ` + fi +done + +if [ "$O_TBX" = "ON" -o "$O_LOCAL" = "ON" ] ; then +#FIXME - maybe it should be copied back to the networkdrive later (-ln) + if [ -n "${TMPFILES}" ] ; then #caused problems on tinderbox machines + Debug "rm -f ${TMPFILES}" + rm -f $TMPFILES 2>/dev/null + fi + Debug "running qa_stat" + . `dirname $0`/qa_stat +fi + + +qa_stat_get_sysinfo + +Exit "nssqa completed. Done `uname -n` $QA_OS_STRING" diff --git a/security/nss/tests/ocsp/ocsp.sh b/security/nss/tests/ocsp/ocsp.sh new file mode 100644 index 000000000..246e6e3d4 --- /dev/null +++ b/security/nss/tests/ocsp/ocsp.sh 
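Review bot: `run_all` starts the suite as a bare `all.sh` after `nssqa_main` has done `cd $TESTSCRIPTDIR`, so the call resolves through PATH rather than the directory just entered and only works if `.` or that directory happens to be on PATH; `./all.sh` in all three branches pins it to the checked-out copy. The silent+debug branch also redirects with `all.sh >>$FILENAME 2>>$FILENAME`, which opens the same file twice in append mode and can interleave the two streams; the usual form is `./all.sh >>$FILENAME 2>&1`. `all_sh() { echo }` a few lines below is not called anywhere in this file and looks like a leftover that should be removed or explained.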
@@ -0,0 +1,54 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/ocsp/ocsp.sh
+#
+# Script to test NSS OCSP
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## ssl_init ################################
+# local shell function to initialize this script
+########################################################################
+ocsp_init()
+{
+ SCRIPTNAME=ocsp.sh # sourced - $0 would point to all.sh
+
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd ../common
+ . ./init.sh
+ fi
+ if [ -z "${IOPR_OCSP_SOURCED}" ]; then
+ . ../iopr/ocsp_iopr.sh
+ fi
+ if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
+ cd ../cert
+ . ./cert.sh
+ fi
+ SCRIPTNAME=ocsp.sh
+ echo "$SCRIPTNAME: OCSP tests ==============================="
+
+ REQF=${QADIR}/ssl/sslreq.dat
+
+ cd ${CLIENTDIR}
+}
+
+################## main #################################################
+ocsp_init
+ocsp_iopr_run
diff --git a/security/nss/tests/path_uniq b/security/nss/tests/path_uniq
new file mode 100755
index 000000000..f29f60a00
--- /dev/null
+++ b/security/nss/tests/path_uniq
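Review bot: The banner above `ocsp_init` still reads `############################## ssl_init ####...`, evidently copied from the SSL script, and should name `ocsp_init`. In the same function `if [ ! -r $CERT_LOG_FILE ]` is unquoted: if `CERT_LOG_FILE` is unset or empty the test collapses to `[ ! -r ]`, which is false, so cert.sh would be skipped in exactly the case where the certificates may not exist; `if [ ! -r "$CERT_LOG_FILE" ]` gives the intended behaviour. `REQF=${QADIR}/ssl/sslreq.dat` is assigned but not read in this file; presumably the sourced ocsp_iopr.sh uses it, in which case a short comment saying so would save the next reader a search.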
@@ -0,0 +1,107 @@ +#! /bin/perl + +######################################################################## +# +# /u/sonmi/bin/path_uniq +# +# this script makes components of a PATH like string unique cand prints +# it to stdout +# +# parameters +# ---------- +# PATH +# +# options +# ------- +# -d delimiter - default : +# -s shortens the path +# +# usefull enhancements: in the usage part, try to guess what was meant as +# a path and echo it to stdout to not break for PATHs with blanks +# +######################################################################## + +sub usage { + print STDERR "usage $0 [-s] [-d <delimiter>] PATH\n"; + print STDERR " this script makes components of the PATH unique, if you\n"; + print STDERR " pass in a searchpath A:B:C:A:B:E it will print A:B:C:E to\n"; + print STDERR " the stdout\n\n"; + print STDERR " -s will mercylessly cut components from the path, \n"; + print STDERR " use at your own risk\n\n"; + print STDERR " the parameters you gave were: \n"; + for ( $i = 0; $i <= $#ARGV; $i++ ) { + print STDERR " $ARGV[$i]\n"; + } + exit ; +} + + +$i = 0; +$j = 0; +$delimiter = ":"; +$searchpath = ""; +@pathcomponents; +$found=0; +$newpath=""; +$shorten=0; + +for ( $i=0; $i <= $#ARGV; $i++) { + if ( $ARGV[$i] eq '-d' ) { + $delimiter = $ARGV[++$i]; + } elsif ( $ARGV[$i] eq '-s' ) { + $shorten=1; + } else { + $searchpath = $ARGV[$i]; + } +} +if ( $searchpath eq "" ) { + usage; +} +#print STDERR "delimiter $delimiter\n"; +#print STDERR "shorten $shorten\n"; +#print STDERR "searchpath $searchpath\n"; + +@pathcomponents=split($delimiter, $searchpath); + +for ( $i = 0; $i <= $#pathcomponents; $i++ ) { + $found=0; + if ( $shorten == 1 ) { + if ( "\/tools\/ns-arch\/sparc_sun_solaris2\.4\/lib\/sparcworks\/SUNWspro/bin" eq $pathcomponents[$i] || + "\/h\/tortoise\/export\/share\/builds\/tools\/sparc_sun_solaris2\.5\.1\/perl5\.004\/bin" eq $pathcomponents[$i] || + "\/usr\/dist\/local\/exe" eq $pathcomponents[$i] || + "\/opt\/SUNWspro\/bin" eq 
$pathcomponents[$i] || + "\/opt\/SUNWwabi\/bin" eq $pathcomponents[$i] || + "\/u\/svbld\/bin" eq $pathcomponents[$i] || + "\/usr\/demos" eq $pathcomponents[$i] || + "\/usr\/audio\/bin" eq $pathcomponents[$i] || + "\/usr\/openwin\/demo" eq $pathcomponents[$i] || + "\/tools\/contrib\/bin" eq $pathcomponents[$i] || + "\/usr\/etc\/" eq $pathcomponents[$i] || + "\/usr\/demos\/bin" eq $pathcomponents[$i] ) { + + + #print "dumped: $pathcomponents[$i]\n"; + next; + } + #print "keep: $pathcomponents[$i]\n"; + } + for ( $j = 0; $j < $i; $j++ ) { + if ( $pathcomponents[$j] eq $pathcomponents[$i] ) { + #print "$i and $j match - $pathcomponents[$i] - $pathcomponents[$j]\n"; + $found=1; + last; + } + } + if ( $found == 0 ) { + #print "$pathcomponents[$i]:"; + if ($i == 0) { + $newpath = $pathcomponents[$i]; + } else { + $newpath=join($delimiter, $newpath,$pathcomponents[$i]); + } + } +} +print "$newpath\n"; +exit; + + diff --git a/security/nss/tests/perf/perf.sh b/security/nss/tests/perf/perf.sh new file mode 100755 index 000000000..b398a0e57 --- /dev/null +++ b/security/nss/tests/perf/perf.sh 
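Review bot: `@pathcomponents=split($delimiter, $searchpath)` passes the `-d` delimiter as a regular expression, so a delimiter such as `.`, `|` or `+` (the option is documented as free-form) splits on the wrong thing or on every character; `split(/\Q$delimiter\E/, $searchpath)` treats it literally, and the `join` on the same variable is already literal. `usage` also ends with a plain `exit ;`, i.e. status 0 after printing an error to STDERR, so a caller like nsspath's `setenv PATH \`perl ... path_uniq ...\`` sees an empty result and a success status; `exit 1;` there makes the misuse visible. The script lacks `use strict;` and `use warnings;`, which would have flagged the bare `@pathcomponents;` statement that declares nothing.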
@@ -0,0 +1,61 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/perf/perf.sh
+#
+# script run from the nightly NSS QA to measure nss performance
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## perf_init ##############################
+# local shell function to initialize this script
+########################################################################
+
+perf_init()
+{
+ SCRIPTNAME="perf.sh"
+ if [ -z "${INIT_SOURCED}" ] ; then
+ cd ../common
+ . ./init.sh
+ fi
+ SCRIPTNAME="perf.sh"
+ PERFDIR=${HOSTDIR}/perf
+ mkdir -p ${PERFDIR}
+}
+
+perf_init
+cd ${PERFDIR}
+RSAPERF_OUT=`${BINDIR}/rsaperf -i 300 -s -n none`
+RSAPERF_OUT=`echo $RSAPERF_OUT | sed \
+ -e "s/^/RSAPERF: $OBJDIR /" \
+ -e 's/microseconds/us/' \
+ -e 's/milliseconds/ms/' \
+ -e 's/seconds/s/' \
+ -e 's/ minutes, and /_min_/'`
+
+echo "$RSAPERF_OUT"
+
+
+
+#FIXME
+#export RSAPERF_OUT
+#
+#perl -e '
+
+#@rsaperf=split(/ /, $ENV{RSAPERF_OUT});
+
+#echo "${RSAPERF_OUT}" | read IT_NUM T1 T2 TOT_TIM TOT_TIM_U \
+ #T3 T4 T5 AVRG_TIM AVRG_TIM_U
+
+#300 iterations in 8.881 seconds one operation every 29606 microseconds
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/ssl/cert7.db b/security/nss/tests/pkcs11/netscape/suites/security/ssl/cert7.db
Binary files differnew file mode 100644
index 000000000..02f36ae28
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/ssl/cert7.db
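Review bot: rsaperf's exit status is never examined: `RSAPERF_OUT=\`${BINDIR}/rsaperf -i 300 -s -n none\`` is followed directly by the sed rewrite, so if the binary is missing or fails the script still prints a bare `RSAPERF: $OBJDIR` line and exits 0, and the nightly run records nothing wrong. Capturing the status right after the call, `RET=$?` and `[ $RET -eq 0 ] || echo "$SCRIPTNAME: rsaperf failed ($RET)"`, makes the failure visible in the log. `perf_init` only tests `-z "${INIT_SOURCED}"` whereas ocsp.sh in this same commit also tests `"${INIT_SOURCED}" != "TRUE"`; the two init functions should agree. The unquoted `echo $RSAPERF_OUT` collapses rsaperf's output onto one line, which looks intentional for the single-line report but deserves a comment saying so.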
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/ssl/key3.db b/security/nss/tests/pkcs11/netscape/suites/security/ssl/key3.db
Binary files differnew file mode 100644
index 000000000..1c015a4a2
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/ssl/key3.db
diff --git a/security/nss/tests/pkits/pkits.sh b/security/nss/tests/pkits/pkits.sh
new file mode 100755
index 000000000..ecf007736
--- /dev/null
+++ b/security/nss/tests/pkits/pkits.sh
@@ -0,0 +1,1988 @@ +#!/bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/pkits/pkits.sh +# +# Script to test the NIST PKITS tests +# +# needs to work on all Unix and Windows platforms +# +# tests implemented: +# vfychain +# +# special NOTES +# --------------- +# NIST PKITS data needs to be downloaded from +# http://csrc.nist.gov/pki/testing/x509paths.html +# Environment variable PKITS_DATA needs to be set to the directory +# where this data is downloaded, or test data needs to be copied under +# the mozilla source tree in mozilla/PKITS_DATA +######################################################################## + +############################## pkits_init ############################## +# local shell function to initialize this script +######################################################################## +pkits_init() +{ + SCRIPTNAME=pkits.sh + + if [ -z "${CLEANUP}" ] ; then + CLEANUP="${SCRIPTNAME}" + fi + + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ../common + . ./init.sh + fi + + if [ -z "${PKITS_DATA}" ]; then + echo "${SCRIPTNAME}: PKITS data directory not defined, skipping." + exit 0 + fi + + if [ ! -d "${PKITS_DATA}" ]; then + echo "${SCRIPTNAME}: PKITS data directory ${PKITS_DATA} doesn't exist, skipping." + exit 0 + fi + + PKITSDIR=${HOSTDIR}/pkits + + COPYDIR=${PKITSDIR}/copydir + + mkdir -p ${PKITSDIR} + mkdir -p ${COPYDIR} + mkdir -p ${PKITSDIR}/html + + certs=${PKITS_DATA}/certs + crls=${PKITS_DATA}/crls + + cd ${PKITSDIR} + + PKITSdb=${PKITSDIR}/PKITSdb + PKITSbkp=${PKITSDIR}/PKITSbkp + + PKITS_LOG=${PKITSDIR}/pkits.log #getting its own logfile + pkits_log "Start of logfile $PKITS_LOG" + + if [ ! 
-d "${PKITSdb}" ]; then + mkdir -p ${PKITSdb} + else + pkits_log "$SCRIPTNAME: WARNING - ${PKITSdb} exists" + fi + + if [ ! -d "${PKITSbkp}" ]; then + mkdir -p ${PKITSbkp} + else + pkits_log "$SCRIPTNAME: WARNING - ${PKITSbkp} exists" + fi + + echo "HOSTDIR" $HOSTDIR + echo "PKITSDIR" $PKITSDIR + echo "PKITSdb" $PKITSdb + echo "PKITSbkp" $PKITSbkp + echo "PKITS_DATA" $PKITS_DATA + echo "certs" $certs + echo "crls" $crls + + echo nss > ${PKITSdb}/pw + ${BINDIR}/certutil -N -d ${PKITSdb} -f ${PKITSdb}/pw + + ${BINDIR}/certutil -A -n TrustAnchorRootCertificate -t "C,C,C" -i \ + $certs/TrustAnchorRootCertificate.crt -d $PKITSdb + if [ -z "$NSS_NO_PKITS_CRLS" ]; then + ${BINDIR}/crlutil -I -i $crls/TrustAnchorRootCRL.crl -d ${PKITSdb} -f ${PKITSdb}/pw + else + html "<H3>NO CRLs are being used.</H3>" + pkits_log "NO CRLs are being used." + fi + + cp ${PKITSdb}/* ${PKITSbkp} + + KNOWN_BUG= +} + +############################### pkits_log ############################## +# write to pkits.log file +######################################################################## +pkits_log() +{ + echo "$SCRIPTNAME $*" + echo $* >> ${PKITS_LOG} +} + +restore_db() +{ + echo "Restore DB" + rm ${PKITSdb}/* + cp ${PKITSbkp}/* ${PKITSdb} +} + +log_banner() +{ + echo "" + echo "--------------------------------------------------------------------" + echo "Test case ${VFY_ACTION}" + echo "" +} + +start_table() +{ + html "<TABLE BORDER=1><TR><TH COLSPAN=3>$*</TH></TR>" + html "<TR><TH width=500>Test Case</TH><TH width=50>Result</TH></TR>" + echo "" + echo "***************************************************************" + echo "$*" + echo "***************************************************************" +} + +break_table() +{ + html "</TABLE><P>" + start_table "$@" +} + +################################ pkits ################################# +# local shell function for positive testcases, calls vfychain, writes +# action and options to stdout, sets variable RET and writes results to +# the 
html file results +######################################################################## +pkits() +{ + echo "vfychain -d $PKITSdb -u 4 $*" + ${BINDIR}/vfychain -d $PKITSdb -u 4 $* > ${PKITSDIR}/cmdout.txt 2>&1 + RET=$? + CNT=`grep -c ERROR ${PKITSDIR}/cmdout.txt` + RET=`expr ${RET} + ${CNT}` + cat ${PKITSDIR}/cmdout.txt + + if [ "$RET" -ne 0 ]; then + html_failed "${VFY_ACTION} ($RET) " + pkits_log "ERROR: ${VFY_ACTION} failed $RET" + else + html_passed "${VFY_ACTION}" + pkits_log "SUCCESS: ${VFY_ACTION} returned as expected $RET" + fi + + return $RET +} + +################################ pkitsn ################################# +# local shell function for negative testcases, calls vfychain, writes +# action and options to stdout, sets variable RET and writes results to +# the html file results +######################################################################## +pkitsn() +{ + echo "vfychain -d $PKITSdb -u 4 $*" + ${BINDIR}/vfychain -d $PKITSdb -u 4 $* > ${PKITSDIR}/cmdout.txt 2>&1 + RET=$? + CNT=`grep -c ERROR ${PKITSDIR}/cmdout.txt` + RET=`expr ${RET} + ${CNT}` + cat ${PKITSDIR}/cmdout.txt + + if [ "$RET" -eq 0 ]; then + html_failed "${VFY_ACTION} ($RET) " + pkits_log "ERROR: ${VFY_ACTION} failed $RET" + else + html_passed "${VFY_ACTION} ($RET) " + pkits_log "SUCCESS: ${VFY_ACTION} returned as expected $RET" + fi + return $RET +} + +################################ crlImport ############################# +# local shell function to import a CRL, calls crlutil -I -i, writes +# action and options to stdout +######################################################################## +crlImport() +{ + if [ -z "$NSS_NO_PKITS_CRLS" ]; then + echo "crlutil -d $PKITSdb -I -f ${PKITSdb}/pw -i $crls/$*" + ${BINDIR}/crlutil -d ${PKITSdb} -I -f ${PKITSdb}/pw -i $crls/$* > ${PKITSDIR}/cmdout.txt 2>&1 + RET=$? 
+ cat ${PKITSDIR}/cmdout.txt + + if [ "$RET" -ne 0 ]; then + html_failed "${VFY_ACTION} ($RET) " + pkits_log "ERROR: ${VFY_ACTION} failed $RET" + fi + fi +} + +################################ crlImportn ############################# +# local shell function to import an incorrect CRL, calls crlutil -I -i, +# writes action and options to stdout +######################################################################## +crlImportn() +{ + RET=0 + if [ -z "$NSS_NO_PKITS_CRLS" ]; then + echo "crlutil -d $PKITSdb -I -f ${PKITSdb}/pw -i $crls/$*" + ${BINDIR}/crlutil -d ${PKITSdb} -I -f ${PKITSdb}/pw -i $crls/$* > ${PKITSDIR}/cmdout.txt 2>&1 + RET=$? + cat ${PKITSDIR}/cmdout.txt + + if [ "$RET" -eq 0 ]; then + html_failed "${VFY_ACTION} ($RET) " + pkits_log "ERROR: ${VFY_ACTION} failed $RET" + else + html_passed "${VFY_ACTION} ($RET) " + pkits_log "SUCCESS: ${VFY_ACTION} returned as expected $RET" + fi + fi + return $RET +} + +################################ certImport ############################# +# local shell function to import a Cert, calls certutil -A, writes +# action and options to stdout +######################################################################## +certImport() +{ + echo "certutil -d $PKITSdb -A -t \",,\" -n $* -i $certs/$*.crt" + ${BINDIR}/certutil -d $PKITSdb -A -t ",," -n $* -i $certs/$*.crt > ${PKITSDIR}/cmdout.txt 2>&1 + RET=$? 
+ cat ${PKITSDIR}/cmdout.txt + + if [ "$RET" -ne 0 ]; then + html_failed "${VFY_ACTION} ($RET) " + pkits_log "ERROR: ${VFY_ACTION} failed $RET" + fi +} + +################################ certImportn ############################# +# local shell function to import an incorrect Cert, calls certutil -A, +# writes action and options to stdout +######################################################################## +certImportn() +{ + RET=0 + if [ -z "$NSS_NO_PKITS_CRLS" ]; then + echo "certutil -d $PKITSdb -A -t \",,\" -n $* -i $certs/$*.crt" + ${BINDIR}/certutil -d $PKITSdb -A -t ",," -n $* -i $certs/$*.crt > ${PKITSDIR}/cmdout.txt 2>&1 + RET=$? + cat ${PKITSDIR}/cmdout.txt + + if [ "$RET" -eq 0 ]; then + html_failed "${VFY_ACTION} ($RET) " + pkits_log "ERROR: ${VFY_ACTION} failed $RET" + else + html_passed "${VFY_ACTION} ($RET) " + pkits_log "SUCCESS: ${VFY_ACTION} returned as expected $RET" + fi + fi +} + +############################## pkits_tests_bySection ################### +# running the various PKITS tests +######################################################################## +pkits_SignatureVerification() +{ + start_table "NIST PKITS Section 4.1: Signature Verification" + + VFY_ACTION="Valid Signatures Test1"; log_banner + certImport GoodCACert + crlImport GoodCACRL.crl + pkits $certs/ValidCertificatePathTest1EE.crt $certs/GoodCACert.crt + restore_db + + VFY_ACTION="Invalid CA Signature Test2"; log_banner + certImport BadSignedCACert + crlImport BadSignedCACRL.crl + pkitsn $certs/InvalidCASignatureTest2EE.crt \ + $certs/BadSignedCACert.crt + restore_db + + VFY_ACTION="Invalid EE Signature Test3"; log_banner + certImport GoodCACert + crlImport GoodCACRL.crl + pkitsn $certs/InvalidEESignatureTest3EE.crt $certs/GoodCACert.crt + restore_db + + VFY_ACTION="Valid DSA Signatures Test4"; log_banner + certImport DSACACert + crlImport DSACACRL.crl + pkits $certs/ValidDSASignaturesTest4EE.crt $certs/DSACACert.crt + restore_db + + # NSS doesn't support DSA parameter 
inheritance anymore (see bug 671097) + # VFY_ACTION="Valid DSA Parameter Inheritance Test5"; log_banner + # certImport DSACACert + # crlImport DSACACRL.crl + # certImport DSAParametersInheritedCACert + # crlImport DSAParametersInheritedCACRL.crl + # pkits $certs/ValidDSAParameterInheritanceTest5EE.crt \ + # $certs/DSAParametersInheritedCACert.crt \ + # $certs/DSACACert.crt + # restore_db + + VFY_ACTION="Invalid DSA Signature Test6"; log_banner + certImport DSACACert + crlImport DSACACRL.crl + pkitsn $certs/InvalidDSASignatureTest6EE.crt $certs/DSACACert.crt + restore_db +} + +pkits_ValidityPeriods() +{ + break_table "NIST PKITS Section 4.2: Validity Periods" + + VFY_ACTION="Invalid CA notBefore Date Test1"; log_banner + certImport BadnotBeforeDateCACert + crlImportn BadnotBeforeDateCACRL.crl + if [ $RET -eq 0 ] ; then + pkitsn $certs/InvalidCAnotBeforeDateTest1EE.crt \ + $certs/BadnotBeforeDateCACert.crt + fi + restore_db + + VFY_ACTION="Invalid EE notBefore Date Test2"; log_banner + certImport GoodCACert + crlImport GoodCACRL.crl + pkitsn $certs/InvalidEEnotBeforeDateTest2EE.crt \ + $certs/GoodCACert.crt + restore_db + + VFY_ACTION="Valid pre2000 UTC notBefore Date Test3"; log_banner + certImport GoodCACert + crlImport GoodCACRL.crl + pkits $certs/Validpre2000UTCnotBeforeDateTest3EE.crt \ + $certs/GoodCACert.crt + restore_db + + VFY_ACTION="Valid GeneralizedTime notBefore Date Test4"; log_banner + certImport GoodCACert + crlImport GoodCACRL.crl + pkits $certs/ValidGeneralizedTimenotBeforeDateTest4EE.crt \ + $certs/GoodCACert.crt + restore_db + + VFY_ACTION="Invalid CA notAfter Date Test5"; log_banner + certImport BadnotAfterDateCACert + crlImportn BadnotAfterDateCACRL.crl + if [ $RET -eq 0 ] ; then + pkitsn $certs/InvalidCAnotAfterDateTest5EE.crt \ + $certs/BadnotAfterDateCACert.crt + fi + restore_db + + VFY_ACTION="Invalid EE notAfter Date Test6"; log_banner + certImport GoodCACert + crlImport GoodCACRL.crl + pkitsn $certs/InvalidEEnotAfterDateTest6EE.crt \ + 
$certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid pre2000 UTC EE notAfter Date Test7"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkitsn $certs/Invalidpre2000UTCEEnotAfterDateTest7EE.crt \
+ $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="ValidGeneralizedTime notAfter Date Test8"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkits $certs/ValidGeneralizedTimenotAfterDateTest8EE.crt \
+ $certs/GoodCACert.crt
+ restore_db
+}
+
+pkits_NameChaining()
+{
+ break_table "NIST PKITS Section 4.3: Verifying NameChaining"
+
+ VFY_ACTION="Invalid Name Chaining EE Test1"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkitsn $certs/InvalidNameChainingTest1EE.crt \
+ $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Name Chaining Order Test2"; log_banner
+ certImport NameOrderingCACert
+ crlImport NameOrderCACRL.crl
+ pkitsn $certs/InvalidNameChainingOrderTest2EE.crt \
+ $certs/NameOrderingCACert.crt
+ restore_db
+
+### bug 216123 ###
+if [ -n "${KNOWN_BUG}" ]; then
+ VFY_ACTION="Valid Name Chaining Whitespace Test3"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkits $certs/ValidNameChainingWhitespaceTest3EE.crt \
+ $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Name Chaining Whitespace Test4"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkits $certs/ValidNameChainingWhitespaceTest4EE.crt \
+ $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Name Chaining Capitalization Test5"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkits $certs/ValidNameChainingCapitalizationTest5EE.crt \
+ $certs/GoodCACert.crt
+ restore_db
+fi
+
+ VFY_ACTION="Valid Name Chaining UIDs Test6"; log_banner
+ certImport UIDCACert
+ crlImport UIDCACRL.crl
+ pkits $certs/ValidNameUIDsTest6EE.crt $certs/UIDCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid RFC3280 Mandatory Attribute Types Test7"; log_banner
+ certImport RFC3280MandatoryAttributeTypesCACert
+ crlImport RFC3280MandatoryAttributeTypesCACRL.crl
+ pkits $certs/ValidRFC3280MandatoryAttributeTypesTest7EE.crt \
+ $certs/RFC3280MandatoryAttributeTypesCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid RFC3280 Optional Attribute Types Test8"; log_banner
+ certImport RFC3280OptionalAttributeTypesCACert
+ crlImport RFC3280OptionalAttributeTypesCACRL.crl
+ pkits $certs/ValidRFC3280OptionalAttributeTypesTest8EE.crt \
+ $certs/RFC3280OptionalAttributeTypesCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid UTF8String Encoded Names Test9"; log_banner
+ certImport UTF8StringEncodedNamesCACert
+ crlImport UTF8StringEncodedNamesCACRL.crl
+ pkits $certs/ValidUTF8StringEncodedNamesTest9EE.crt \
+ $certs/UTF8StringEncodedNamesCACert.crt
+ restore_db
+
+### bug 216123 ###
+if [ -n "${KNOWN_BUG}" ]; then
+ VFY_ACTION="Valid Rollover from PrintableString to UTF8String Test10"; log_banner
+ certImport RolloverfromPrintableStringtoUTF8StringCACert
+ crlImport RolloverfromPrintableStringtoUTF8StringCACRL.crl
+ pkits $certs/ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt \
+ $certs/RolloverfromPrintableStringtoUTF8StringCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid UTF8String case Insensitive Match Test11"; log_banner
+ certImport UTF8StringCaseInsensitiveMatchCACert
+ crlImport UTF8StringCaseInsensitiveMatchCACRL.crl
+ pkits $certs/ValidUTF8StringCaseInsensitiveMatchTest11EE.crt \
+ $certs/UTF8StringCaseInsensitiveMatchCACert.crt
+ restore_db
+fi
+}
+
+pkits_BasicCertRevocation()
+{
+ break_table "NIST PKITS Section 4.4: Basic Certificate Revocation Tests"
+
+### bug 414556 ###
+if [ -n "${KNOWN_BUG}" ]; then
+ VFY_ACTION="Missing CRL Test1"; log_banner
+ pkitsn $certs/InvalidMissingCRLTest1EE.crt \
+ $certs/NoCRLCACert.crt
+fi
+
+ VFY_ACTION="Invalid Revoked CA Test2"; log_banner
+ certImport RevokedsubCACert
+ crlImport RevokedsubCACRL.crl
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkitsn $certs/InvalidRevokedCATest2EE.crt \
+ $certs/RevokedsubCACert.crt $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Revoked EE Test3"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkitsn $certs/InvalidRevokedEETest3EE.crt \
+ $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Bad CRL Signature Test4"; log_banner
+ certImport BadCRLSignatureCACert
+ crlImportn BadCRLSignatureCACRL.crl
+ if [ $RET -eq 0 ] ; then
+ pkitsn $certs/InvalidBadCRLSignatureTest4EE.crt \
+ $certs/BadCRLSignatureCACert.crt
+ fi
+ restore_db
+
+ VFY_ACTION="Invalid Bad CRL Issuer Name Test5"; log_banner
+ certImport BadCRLIssuerNameCACert
+ crlImportn BadCRLIssuerNameCACRL.crl
+ if [ $RET -eq 0 ] ; then
+ pkitsn $certs/InvalidBadCRLIssuerNameTest5EE.crt \
+ $certs/BadCRLIssuerNameCACert.crt
+ fi
+ restore_db
+
+### bug 414556 ###
+if [ -n "${KNOWN_BUG}" ]; then
+ VFY_ACTION="Invalid Wrong CRL Test6"; log_banner
+ certImport WrongCRLCACert
+ crlImport WrongCRLCACRL.crl
+ pkitsn $certs/InvalidWrongCRLTest6EE.crt \
+ $certs/WrongCRLCACert.crt
+ restore_db
+fi
+
+ VFY_ACTION="Valid Two CRLs Test7"; log_banner
+ certImport TwoCRLsCACert
+ crlImport TwoCRLsCAGoodCRL.crl
+ crlImportn TwoCRLsCABadCRL.crl
+ pkits $certs/ValidTwoCRLsTest7EE.crt \
+ $certs/TwoCRLsCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Unknown CRL Entry Extension Test8"; log_banner
+ certImport UnknownCRLEntryExtensionCACert
+ crlImportn UnknownCRLEntryExtensionCACRL.crl
+ if [ $RET -eq 0 ] ; then
+ pkitsn $certs/InvalidUnknownCRLEntryExtensionTest8EE.crt \
+ $certs/UnknownCRLEntryExtensionCACert.crt
+ fi
+ restore_db
+
+ VFY_ACTION="Invalid Unknown CRL Extension Test9"; log_banner
+ certImport UnknownCRLExtensionCACert
+ crlImportn UnknownCRLExtensionCACRL.crl
+ if [ $RET -eq 0 ] ; then
+ pkitsn $certs/InvalidUnknownCRLExtensionTest9EE.crt \
+ $certs/UnknownCRLExtensionCACert.crt
+ fi
+ restore_db
+
+ VFY_ACTION="Invalid Unknown CRL Extension Test10"; log_banner
+ certImport UnknownCRLExtensionCACert
+ crlImportn UnknownCRLExtensionCACRL.crl
+ if [ $RET -eq 0 ] ; then
+ pkitsn $certs/InvalidUnknownCRLExtensionTest10EE.crt \
+ $certs/UnknownCRLExtensionCACert.crt
+ fi
+ restore_db
+
+### bug 414563 ###
+if [ -n "${KNOWN_BUG}" ]; then
+ VFY_ACTION="Invalid Old CRL nextUpdate Test11"; log_banner
+ certImport OldCRLnextUpdateCACert
+ crlImport OldCRLnextUpdateCACRL.crl
+ pkitsn $certs/InvalidOldCRLnextUpdateTest11EE.crt \
+ $certs/OldCRLnextUpdateCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid pre2000 CRL nextUpdate Test12"; log_banner
+ certImport pre2000CRLnextUpdateCACert
+ crlImport pre2000CRLnextUpdateCACRL.crl
+ pkitsn $certs/Invalidpre2000CRLnextUpdateTest12EE.crt \
+ $certs/pre2000CRLnextUpdateCACert.crt
+ restore_db
+fi
+
+ VFY_ACTION="Valid GeneralizedTime CRL nextUpdate Test13"; log_banner
+ certImport GeneralizedTimeCRLnextUpdateCACert
+ crlImport GeneralizedTimeCRLnextUpdateCACRL.crl
+ pkits $certs/ValidGeneralizedTimeCRLnextUpdateTest13EE.crt \
+ $certs/GeneralizedTimeCRLnextUpdateCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Negative Serial Number Test14"; log_banner
+ certImport NegativeSerialNumberCACert
+ crlImport NegativeSerialNumberCACRL.crl
+ pkits $certs/ValidNegativeSerialNumberTest14EE.crt \
+ $certs/NegativeSerialNumberCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Negative Serial Number Test15"; log_banner
+ certImport NegativeSerialNumberCACert
+ crlImport NegativeSerialNumberCACRL.crl
+ pkitsn $certs/InvalidNegativeSerialNumberTest15EE.crt \
+ $certs/NegativeSerialNumberCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Long Serial Number Test16"; log_banner
+ certImport LongSerialNumberCACert
+ crlImport LongSerialNumberCACRL.crl
+ pkits $certs/ValidLongSerialNumberTest16EE.crt \
+ $certs/LongSerialNumberCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Long Serial Number Test17"; log_banner
+ certImport LongSerialNumberCACert
+ crlImport LongSerialNumberCACRL.crl
+ pkits $certs/ValidLongSerialNumberTest17EE.crt \
+ $certs/LongSerialNumberCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Long Serial Number Test18"; log_banner
+ certImport LongSerialNumberCACert
+ crlImport LongSerialNumberCACRL.crl
+ pkitsn $certs/InvalidLongSerialNumberTest18EE.crt \
+ $certs/LongSerialNumberCACert.crt
+ restore_db
+
+### bug 232737 ###
+if [ -n "${KNOWN_BUG}" ]; then
+ VFY_ACTION="Valid Separate Certificate and CRL Keys Test19"; log_banner
+ certImport SeparateCertificateandCRLKeysCertificateSigningCACert
+ certImport SeparateCertificateandCRLKeysCRLSigningCert
+ crlImport SeparateCertificateandCRLKeysCRL.crl
+ pkits $certs/ValidSeparateCertificateandCRLKeysTest19EE.crt \
+ $certs/SeparateCertificateandCRLKeysCRLSigningCert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Separate Certificate and CRL Keys Test20"; log_banner
+ certImport SeparateCertificateandCRLKeysCertificateSigningCACert
+ certImport SeparateCertificateandCRLKeysCRLSigningCert
+ crlImport SeparateCertificateandCRLKeysCRL.crl
+ pkits $certs/InvalidSeparateCertificateandCRLKeysTest20EE.crt \
+ $certs/SeparateCertificateandCRLKeysCRLSigningCert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Separate Certificate and CRL Keys Test21"; log_banner
+ certImport SeparateCertificateandCRLKeysCA2CertificateSigningCACert
+ certImport SeparateCertificateandCRLKeysCA2CRLSigningCert
+ crlImport SeparateCertificateandCRLKeysCA2CRL.crl
+ pkits $certs/InvalidSeparateCertificateandCRLKeysTest21EE.crt \
+ $certs/SeparateCertificateandCRLKeysCA2CRLSigningCert.crt
+ restore_db
+fi
+}
+
+pkits_PathVerificWithSelfIssuedCerts()
+{
+ break_table "NIST PKITS Section 4.5: Self-Issued Certificates"
+
+### bug 232737 ###
+if [ -n "${KNOWN_BUG}" ]; then
+ VFY_ACTION="Valid Basic Self-Issued Old With New Test1"; log_banner
+ certImport BasicSelfIssuedNewKeyCACert
+ crlImport BasicSelfIssuedNewKeyCACRL.crl
+ pkits $certs/ValidBasicSelfIssuedOldWithNewTest1EE.crt \
+ $certs/BasicSelfIssuedNewKeyOldWithNewCACert.crt \
+ $certs/BasicSelfIssuedNewKeyCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Basic Self-Issued Old With New Test2"; log_banner
+ certImport BasicSelfIssuedNewKeyCACert
+ crlImport BasicSelfIssuedNewKeyCACRL.crl
+ pkitsn $certs/InvalidBasicSelfIssuedOldWithNewTest2EE.crt \
+ $certs/BasicSelfIssuedNewKeyOldWithNewCACert.crt \
+ $certs/BasicSelfIssuedNewKeyCACert.crt
+ restore_db
+fi
+
+### bugs 321755 & 418769 ###
+if [ -n "${KNOWN_BUG}" ]; then
+ VFY_ACTION="Valid Basic Self-Issued New With Old Test3"; log_banner
+ certImport BasicSelfIssuedOldKeyCACert
+ crlImport BasicSelfIssuedOldKeyCACRL.crl
+ pkits $certs/ValidBasicSelfIssuedNewWithOldTest3EE.crt \
+ $certs/BasicSelfIssuedOldKeyNewWithOldCACert.crt \
+ $certs/BasicSelfIssuedOldKeyCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Basic Self-Issued New With Old Test4"; log_banner
+ certImport BasicSelfIssuedOldKeyCACert
+ crlImport BasicSelfIssuedOldKeyCACRL.crl
+ pkits $certs/ValidBasicSelfIssuedNewWithOldTest4EE.crt \
+ $certs/BasicSelfIssuedOldKeyNewWithOldCACert.crt \
+ $certs/BasicSelfIssuedOldKeyCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Basic Self-Issued New With Old Test5"; log_banner
+ certImport BasicSelfIssuedOldKeyCACert
+ crlImport BasicSelfIssuedOldKeyCACRL.crl
+ pkitsn $certs/InvalidBasicSelfIssuedNewWithOldTest5EE.crt \
+ $certs/BasicSelfIssuedOldKeyNewWithOldCACert.crt \
+ $certs/BasicSelfIssuedOldKeyCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Basic Self-Issued CRL Signing Key Test6"; log_banner
+ certImport BasicSelfIssuedCRLSigningKeyCACert
+ crlImport BasicSelfIssuedOldKeyCACRL.crl
+ pkits $certs/ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt \
+ $certs/BasicSelfIssuedCRLSigningKeyCRLCert.crt \
+ $certs/BasicSelfIssuedCRLSigningKeyCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Basic Self-Issued CRL Signing Key Test7"; log_banner
+ certImport BasicSelfIssuedCRLSigningKeyCACert
+ crlImport BasicSelfIssuedOldKeyCACRL.crl
+ pkitsn $certs/InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt \
+ $certs/BasicSelfIssuedCRLSigningKeyCRLCert.crt \
+ $certs/BasicSelfIssuedCRLSigningKeyCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Basic Self-Issued CRL Signing Key Test8"; log_banner
+ certImport BasicSelfIssuedCRLSigningKeyCACert
+ crlImport BasicSelfIssuedOldKeyCACRL.crl
+ pkitsn $certs/InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt \
+ $certs/BasicSelfIssuedCRLSigningKeyCRLCert.crt \
+ $certs/BasicSelfIssuedCRLSigningKeyCACert.crt
+ restore_db
+fi
+}
+
+pkits_BasicConstraints()
+{
+ break_table "NIST PKITS Section 4.6: Verifying Basic Constraints"
+
+ VFY_ACTION="Invalid Missing basicConstraints Test1"; log_banner
+ certImport MissingbasicConstraintsCACert
+ crlImport MissingbasicConstraintsCACRL.crl
+ pkitsn $certs/InvalidMissingbasicConstraintsTest1EE.crt \
+ $certs/MissingbasicConstraintsCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid cA False Test2"; log_banner
+ certImport basicConstraintsCriticalcAFalseCACert
+ crlImport basicConstraintsCriticalcAFalseCACRL.crl
+ pkitsn $certs/InvalidcAFalseTest2EE.crt \
+ $certs/basicConstraintsCriticalcAFalseCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid cA False Test3"; log_banner
+ certImport basicConstraintsNotCriticalcAFalseCACert
+ crlImport basicConstraintsNotCriticalcAFalseCACRL.crl
+ pkitsn $certs/InvalidcAFalseTest3EE.crt \
+ $certs/basicConstraintsNotCriticalcAFalseCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid basicConstraints Not Critical Test4"; log_banner
+ certImport basicConstraintsNotCriticalCACert
+ crlImport basicConstraintsNotCriticalCACRL.crl
+ pkits $certs/ValidbasicConstraintsNotCriticalTest4EE.crt \
+ $certs/basicConstraintsNotCriticalCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid pathLenConstraint Test5"; log_banner
+ certImport pathLenConstraint0CACert
+ crlImport pathLenConstraint0CACRL.crl
+ certImport pathLenConstraint0subCACert
+ crlImport pathLenConstraint0subCACRL.crl
+ pkitsn $certs/InvalidpathLenConstraintTest5EE.crt \
+ $certs/pathLenConstraint0subCACert.crt \
+ $certs/pathLenConstraint0CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid pathLenConstraint Test6"; log_banner
+ certImport pathLenConstraint0CACert
+ crlImport pathLenConstraint0CACRL.crl
+ certImport pathLenConstraint0subCACert
+ crlImport pathLenConstraint0subCACRL.crl
+ pkitsn $certs/InvalidpathLenConstraintTest6EE.crt \
+ $certs/pathLenConstraint0subCACert.crt \
+ $certs/pathLenConstraint0CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid pathLenConstraint Test7"; log_banner
+ certImport pathLenConstraint0CACert
+ crlImport pathLenConstraint0CACRL.crl
+ pkits $certs/ValidpathLenConstraintTest7EE.crt \
+ $certs/pathLenConstraint0CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid pathLenConstraint test8"; log_banner
+ certImport pathLenConstraint0CACert
+ crlImport pathLenConstraint0CACRL.crl
+ pkits $certs/ValidpathLenConstraintTest8EE.crt \
+ $certs/pathLenConstraint0CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid pathLenConstraint Test9"; log_banner
+ certImport pathLenConstraint6CACert
+ crlImport pathLenConstraint6CACRL.crl
+ certImport pathLenConstraint6subCA0Cert
+ crlImport pathLenConstraint6subCA0CRL.crl
+ certImport pathLenConstraint6subsubCA00Cert
+ crlImport pathLenConstraint6subsubCA00CRL.crl
+ pkitsn $certs/InvalidpathLenConstraintTest9EE.crt \
+ $certs/pathLenConstraint6subsubCA00Cert.crt \
+ $certs/pathLenConstraint6subCA0Cert.crt \
+ $certs/pathLenConstraint6CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid pathLenConstraint Test10"; log_banner
+ certImport pathLenConstraint6CACert
+ crlImport pathLenConstraint6CACRL.crl
+ certImport pathLenConstraint6subCA0Cert
+ crlImport pathLenConstraint6subCA0CRL.crl
+ certImport pathLenConstraint6subsubCA00Cert
+ crlImport pathLenConstraint6subsubCA00CRL.crl
+ pkitsn $certs/InvalidpathLenConstraintTest10EE.crt \
+ $certs/pathLenConstraint6subsubCA00Cert.crt \
+ $certs/pathLenConstraint6subCA0Cert.crt \
+ $certs/pathLenConstraint6CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid pathLenConstraint Test11"; log_banner
+ certImport pathLenConstraint6CACert
+ crlImport pathLenConstraint6CACRL.crl
+ certImport pathLenConstraint6subCA1Cert
+ crlImport pathLenConstraint6subCA1CRL.crl
+ certImport pathLenConstraint6subsubCA11Cert
+ crlImport pathLenConstraint6subsubCA11CRL.crl
+ certImport pathLenConstraint6subsubsubCA11XCert
+ crlImport pathLenConstraint6subsubsubCA11XCRL.crl
+ pkitsn $certs/InvalidpathLenConstraintTest11EE.crt \
+ $certs/pathLenConstraint6subsubsubCA11XCert.crt \
+ $certs/pathLenConstraint6subsubCA11Cert.crt \
+ $certs/pathLenConstraint6subCA1Cert.crt \
+ $certs/pathLenConstraint6CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid pathLenConstraint test12"; log_banner
+ certImport pathLenConstraint6CACert
+ crlImport pathLenConstraint6CACRL.crl
+ certImport pathLenConstraint6subCA1Cert
+ crlImport pathLenConstraint6subCA1CRL.crl
+ certImport pathLenConstraint6subsubCA11Cert
+ crlImport pathLenConstraint6subsubCA11CRL.crl
+ certImport pathLenConstraint6subsubsubCA11XCert
+ crlImport pathLenConstraint6subsubsubCA11XCRL.crl
+ pkitsn $certs/InvalidpathLenConstraintTest12EE.crt \
+ $certs/pathLenConstraint6subsubsubCA11XCert.crt \
+ $certs/pathLenConstraint6subsubCA11Cert.crt \
+ $certs/pathLenConstraint6subCA1Cert.crt \
+ $certs/pathLenConstraint6CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid pathLenConstraint Test13"; log_banner
+ certImport pathLenConstraint6CACert
+ crlImport pathLenConstraint6CACRL.crl
+ certImport pathLenConstraint6subCA4Cert
+ crlImport pathLenConstraint6subCA4CRL.crl
+ certImport pathLenConstraint6subsubCA41Cert
+ crlImport pathLenConstraint6subsubCA41CRL.crl
+ certImport pathLenConstraint6subsubsubCA41XCert
+ crlImport pathLenConstraint6subsubsubCA41XCRL.crl
+ pkits $certs/ValidpathLenConstraintTest13EE.crt \
+ $certs/pathLenConstraint6subsubsubCA41XCert.crt \
+ $certs/pathLenConstraint6subsubCA41Cert.crt \
+ $certs/pathLenConstraint6subCA4Cert.crt \
+ $certs/pathLenConstraint6CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid pathLenConstraint Test14"; log_banner
+ certImport pathLenConstraint6CACert
+ crlImport pathLenConstraint6CACRL.crl
+ certImport pathLenConstraint6subCA4Cert
+ crlImport pathLenConstraint6subCA4CRL.crl
+ certImport pathLenConstraint6subsubCA41Cert
+ crlImport pathLenConstraint6subsubCA41CRL.crl
+ certImport pathLenConstraint6subsubsubCA41XCert
+ crlImport pathLenConstraint6subsubsubCA41XCRL.crl
+ pkits $certs/ValidpathLenConstraintTest14EE.crt \
+ $certs/pathLenConstraint6subsubsubCA41XCert.crt \
+ $certs/pathLenConstraint6subsubCA41Cert.crt \
+ $certs/pathLenConstraint6subCA4Cert.crt \
+ $certs/pathLenConstraint6CACert.crt
+ restore_db
+
+### bug 232737 ###
+if [ -n "${KNOWN_BUG}" ]; then
+ VFY_ACTION="Valid Self-Issued pathLenConstraint Test15"; log_banner
+ certImport pathLenConstraint0CACert
+ crlImport pathLenConstraint0CACRL.crl
+ pkits $certs/ValidSelfIssuedpathLenConstraintTest15EE.crt \
+ $certs/pathLenConstraint0SelfIssuedCACert.crt \
+ $certs/pathLenConstraint0CACert.crt
+ restore_db
+fi
+
+ VFY_ACTION="Invalid Self-Issued pathLenConstraint Test16"; log_banner
+ certImport pathLenConstraint0CACert
+ crlImport pathLenConstraint0CACRL.crl
+ certImport pathLenConstraint0subCA2Cert
+ crlImport pathLenConstraint0subCA2CRL.crl
+ pkitsn $certs/InvalidSelfIssuedpathLenConstraintTest16EE.crt \
+ $certs/pathLenConstraint0subCA2Cert.crt \
+ $certs/pathLenConstraint0SelfIssuedCACert.crt \
+ $certs/pathLenConstraint0CACert.crt
+ restore_db
+
+### bug 232737 ###
+if [ -n "${KNOWN_BUG}" ]; then
+ VFY_ACTION="Valid Self-Issued pathLenConstraint Test17"; log_banner
+ certImport pathLenConstraint1CACert
+ crlImport pathLenConstraint1CACRL.crl
+ certImport pathLenConstraint1subCACert
+ crlImport pathLenConstraint1subCACRL.crl
+ pkits $certs/ValidSelfIssuedpathLenConstraintTest17EE.crt \
+ $certs/pathLenConstraint1SelfIssuedsubCACert.crt \
+ $certs/pathLenConstraint1subCACert.crt \
+ $certs/pathLenConstraint1SelfIssuedCACert.crt \
+ $certs/pathLenConstraint1CACert.crt
+ restore_db
+fi
+}
+
+pkits_KeyUsage()
+{
+ break_table "NIST PKITS Section 4.7: Key Usage"
+
+ VFY_ACTION="Invalid keyUsage Critical keyCertSign False Test1"; log_banner
+ certImport keyUsageCriticalkeyCertSignFalseCACert
+ crlImport keyUsageCriticalkeyCertSignFalseCACRL.crl
+ pkitsn $certs/InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt \
+ $certs/keyUsageCriticalkeyCertSignFalseCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid keyUsage Not Critical keyCertSign False Test2"; log_banner
+ certImport keyUsageNotCriticalkeyCertSignFalseCACert
+ crlImport keyUsageNotCriticalkeyCertSignFalseCACRL.crl
+ pkitsn $certs/InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt \
+ $certs/keyUsageNotCriticalkeyCertSignFalseCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid keyUsage Not Critical Test3"; log_banner
+ certImport keyUsageNotCriticalCACert
+ crlImport keyUsageNotCriticalCACRL.crl
+ pkits $certs/ValidkeyUsageNotCriticalTest3EE.crt \
+ $certs/keyUsageNotCriticalCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid keyUsage Critical cRLSign False Test4"; log_banner
+ certImport keyUsageCriticalcRLSignFalseCACert
+ crlImportn keyUsageCriticalcRLSignFalseCACRL.crl
+ if [ $RET -eq 0 ] ; then
+ pkitsn $certs/InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt \
+ $certs/keyUsageCriticalcRLSignFalseCACert.crt
+ fi
+ restore_db
+
+ VFY_ACTION="Invalid keyUsage Not Critical cRLSign False Test5"; log_banner
+ certImport keyUsageNotCriticalcRLSignFalseCACert
+ crlImportn keyUsageNotCriticalcRLSignFalseCACRL.crl
+ if [ $RET -eq 0 ] ; then
+ pkitsn $certs/InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt \
+ $certs/keyUsageNotCriticalcRLSignFalseCACert.crt
+ fi
+ restore_db
+}
+
+pkits_CertificatePolicies()
+{
+ break_table "NIST PKITS Section 4.8: Certificate Policies"
+
+ VFY_ACTION="All Certificates Same Policy Test1"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkits $certs/ValidCertificatePathTest1EE.crt \
+ $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="All Certificates No Policies Test2"; log_banner
+ certImport NoPoliciesCACert
+ crlImport NoPoliciesCACRL.crl
+ pkits $certs/AllCertificatesNoPoliciesTest2EE.crt \
+ $certs/NoPoliciesCACert.crt
+ restore_db
+
+ VFY_ACTION="Different Policies Test3"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ certImport PoliciesP2subCACert
+ crlImport PoliciesP2subCACRL.crl
+ pkits $certs/DifferentPoliciesTest3EE.crt \
+ $certs/PoliciesP2subCACert.crt \
+ $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="Different Policies Test4"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ certImport GoodsubCACert
+ crlImport GoodsubCACRL.crl
+ pkits $certs/DifferentPoliciesTest4EE.crt \
+ $certs/GoodsubCACert.crt \
+ $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="Different Policies Test5"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ certImport PoliciesP2subCA2Cert
+ crlImport PoliciesP2subCA2CRL.crl
+ pkits $certs/DifferentPoliciesTest5EE.crt \
+ $certs/PoliciesP2subCA2Cert.crt \
+ $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="Overlapping Policies Test6"; log_banner
+ certImport PoliciesP1234CACert
+ crlImport PoliciesP1234CACRL.crl
+ certImport PoliciesP1234subCAP123Cert
+ crlImport PoliciesP1234subCAP123CRL.crl
+ certImport PoliciesP1234subsubCAP123P12Cert
+ crlImport PoliciesP1234subsubCAP123P12CRL.crl
+ pkits $certs/OverlappingPoliciesTest6EE.crt \
+ $certs/PoliciesP1234subsubCAP123P12Cert.crt \
+ $certs/PoliciesP1234subCAP123Cert.crt \
+ $certs/PoliciesP1234CACert.crt
+ restore_db
+
+ VFY_ACTION="Different Policies Test7"; log_banner
+ certImport PoliciesP123CACert
+ crlImport PoliciesP123CACRL.crl
+ certImport PoliciesP123subCAP12Cert
+ crlImport PoliciesP123subCAP12CRL.crl
+ certImport PoliciesP123subsubCAP12P1Cert
+ crlImport PoliciesP123subsubCAP12P1CRL.crl
+ pkits $certs/DifferentPoliciesTest7EE.crt \
+ $certs/PoliciesP123subsubCAP12P1Cert.crt \
+ $certs/PoliciesP123subCAP12Cert.crt \
+ $certs/PoliciesP123CACert.crt
+ restore_db
+
+ VFY_ACTION="Different Policies Test8"; log_banner
+ certImport PoliciesP12CACert
+ crlImport PoliciesP12CACRL.crl
+ certImport PoliciesP12subCAP1Cert
+ crlImport PoliciesP12subCAP1CRL.crl
+ certImport PoliciesP12subsubCAP1P2Cert
+ crlImport PoliciesP12subsubCAP1P2CRL.crl
+ pkits $certs/DifferentPoliciesTest8EE.crt \
+ $certs/PoliciesP123subsubCAP12P1Cert.crt \
+ $certs/PoliciesP12subCAP1Cert.crt \
+ $certs/PoliciesP12CACert.crt
+ restore_db
+
+ VFY_ACTION="Different Policies Test9"; log_banner
+ certImport PoliciesP123CACert
+ crlImport PoliciesP123CACRL.crl
+ certImport PoliciesP123subCAP12Cert
+ crlImport PoliciesP123subCAP12CRL.crl
+ certImport PoliciesP123subsubCAP12P2Cert
+ crlImport PoliciesP123subsubCAP2P2CRL.crl
+ certImport PoliciesP123subsubsubCAP12P2P1Cert
+ crlImport PoliciesP123subsubsubCAP12P2P1CRL.crl
+ pkits $certs/DifferentPoliciesTest9EE.crt \
+ $certs/PoliciesP123subsubsubCAP12P2P1Cert.crt \
+ $certs/PoliciesP123subsubCAP12P1Cert.crt \
+ $certs/PoliciesP12subCAP1Cert.crt \
+ $certs/PoliciesP12CACert.crt
+ restore_db
+
+ VFY_ACTION="All Certificates Same Policies Test10"; log_banner
+ certImport PoliciesP12CACert
+ crlImport PoliciesP12CACRL.crl
+ pkits $certs/AllCertificatesSamePoliciesTest10EE.crt \
+ $certs/NoPoliciesCACert.crt
+ restore_db
+
+ VFY_ACTION="All Certificates AnyPolicy Test11"; log_banner
+ certImport anyPolicyCACert
+ crlImport anyPolicyCACRL.crl
+ pkits $certs/AllCertificatesanyPolicyTest11EE.crt \
+ $certs/anyPolicyCACert.crt
+ restore_db
+
+ VFY_ACTION="Different Policies Test12"; log_banner
+ certImport PoliciesP3CACert
+ crlImport PoliciesP3CACRL.crl
+ pkits $certs/DifferentPoliciesTest12EE.crt \
+ $certs/PoliciesP3CACert.crt
+ restore_db
+
+ VFY_ACTION="All Certificates Same Policies Test13"; log_banner
+ certImport PoliciesP123CACert
+ crlImport PoliciesP123CACRL.crl
+ pkits $certs/AllCertificatesSamePoliciesTest13EE.crt \
+ $certs/PoliciesP123CACert.crt
+ restore_db
+
+ VFY_ACTION="AnyPolicy Test14"; log_banner
+ certImport anyPolicyCACert
+ crlImport anyPolicyCACRL.crl
+ pkits $certs/AnyPolicyTest14EE.crt \
+ $certs/anyPolicyCACert.crt
+ restore_db
+
+ VFY_ACTION="User Notice Qualifier Test15"; log_banner
+ pkits $certs/UserNoticeQualifierTest15EE.crt
+
+ VFY_ACTION="User Notice Qualifier Test16"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkits $certs/UserNoticeQualifierTest16EE.crt \
+ $certs/GoodCACert.crt
+
+ VFY_ACTION="User Notice Qualifier Test17"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkits $certs/UserNoticeQualifierTest17EE.crt \
+ $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="User Notice Qualifier Test18"; log_banner
+ certImport PoliciesP12CACert
+ crlImport PoliciesP12CACRL.crl
+ pkits $certs/UserNoticeQualifierTest18EE.crt \
+ $certs/PoliciesP12CACert.crt
+ restore_db
+
+ VFY_ACTION="User Notice Qualifier Test19"; log_banner
+ pkits $certs/UserNoticeQualifierTest19EE.crt
+
+ VFY_ACTION="CPS Pointer Qualifier Test20"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkits $certs/CPSPointerQualifierTest20EE.crt \
+ $certs/GoodCACert.crt
+ restore_db
+}
+
+pkits_RequireExplicitPolicy()
+{
+ break_table "NIST PKITS Section 4.9: Require Explicit Policy"
+
+ VFY_ACTION="Valid RequireExplicitPolicy Test1"; log_banner
+ certImportn requireExplicitPolicy10CACert
+ crlImportn requireExplicitPolicy10CACRL.crl
+ certImport requireExplicitPolicy10subCACert
+ crlImport requireExplicitPolicy10subCACRL.crl
+ certImport requireExplicitPolicy10subsubCACert
+ crlImport requireExplicitPolicy10subsubCACRL.crl
+ certImport requireExplicitPolicy10subsubsubCACert
+ crlImport requireExplicitPolicy10subsubsubCACRL.crl
+ pkits $certs/ValidrequireExplicitPolicyTest1EE.crt \
+ $certs/requireExplicitPolicy10subsubsubCACert.crt \
+ $certs/requireExplicitPolicy10subsubCACert.crt \
+ $certs/requireExplicitPolicy10subCACert.crt \
+ $certs/requireExplicitPolicy10CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid RequireExplicitPolicy Test2"; log_banner
+ certImportn requireExplicitPolicy5CACert
+ crlImportn requireExplicitPolicy5CACRL.crl
+ certImport requireExplicitPolicy5subCACert
+ crlImport requireExplicitPolicy5subCACRL.crl
+ certImport requireExplicitPolicy5subsubCACert
+ crlImport requireExplicitPolicy5subsubCACRL.crl
+ certImport requireExplicitPolicy5subsubsubCACert
+ crlImport requireExplicitPolicy5subsubsubCACRL.crl
+ pkits $certs/ValidrequireExplicitPolicyTest2EE.crt \
+ $certs/requireExplicitPolicy5subsubsubCACert.crt \
+ $certs/requireExplicitPolicy5subsubCACert.crt \
+ $certs/requireExplicitPolicy5subCACert.crt \
+ $certs/requireExplicitPolicy5CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid RequireExplicitPolicy Test3"; log_banner
+ certImportn requireExplicitPolicy4CACert
+ crlImportn requireExplicitPolicy4CACRL.crl
+ certImport requireExplicitPolicy4subCACert
+ crlImport requireExplicitPolicy4subCACRL.crl
+ certImport requireExplicitPolicy4subsubCACert
+ crlImport requireExplicitPolicy4subsubCACRL.crl
+ certImport requireExplicitPolicy4subsubsubCACert
+ crlImport requireExplicitPolicy4subsubsubCACRL.crl
+ pkitsn $certs/InvalidrequireExplicitPolicyTest3EE.crt \
+ $certs/requireExplicitPolicy4subsubsubCACert.crt \
+ $certs/requireExplicitPolicy4subsubCACert.crt \
+ $certs/requireExplicitPolicy4subCACert.crt \
+ $certs/requireExplicitPolicy4CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid RequireExplicitPolicy Test4"; log_banner
+ certImportn requireExplicitPolicy0CACert
+ crlImportn requireExplicitPolicy0CACRL.crl
+ certImport requireExplicitPolicy0subCACert
+ crlImport requireExplicitPolicy0subCACRL.crl
+ certImport requireExplicitPolicy0subsubCACert
+ crlImport requireExplicitPolicy0subsubCACRL.crl
+ certImport requireExplicitPolicy0subsubsubCACert
+ crlImport requireExplicitPolicy0subsubsubCACRL.crl
+ pkits $certs/ValidrequireExplicitPolicyTest4EE.crt \
+ $certs/requireExplicitPolicy0subsubsubCACert.crt \
+ $certs/requireExplicitPolicy0subsubCACert.crt \
+ $certs/requireExplicitPolicy0subCACert.crt \
+ $certs/requireExplicitPolicy0CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid RequireExplicitPolicy Test5"; log_banner
+ certImportn requireExplicitPolicy7CACert
+ crlImportn requireExplicitPolicy7CACRL.crl
+ certImportn requireExplicitPolicy7subCARE2Cert
+ crlImportn requireExplicitPolicy7subCARE2CRL.crl
+ certImportn requireExplicitPolicy7subsubCARE2RE4Cert
+ crlImportn requireExplicitPolicy7subsubCARE2RE4CRL.crl
+ certImport requireExplicitPolicy7subsubsubCARE2RE4Cert
+ crlImport requireExplicitPolicy7subsubsubCARE2RE4CRL.crl
+ pkitsn $certs/InvalidrequireExplicitPolicyTest5EE.crt \
+ $certs/requireExplicitPolicy7subsubsubCARE2RE4Cert.crt \
+ $certs/requireExplicitPolicy7subsubCARE2RE4Cert.crt \
+ $certs/requireExplicitPolicy7subCARE2Cert.crt \
+ $certs/requireExplicitPolicy7CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Self-Issued RequireExplicitPolicy Test6"; log_banner
+ certImportn requireExplicitPolicy2CACert
+ crlImportn requireExplicitPolicy2CACRL.crl
+ pkits $certs/ValidSelfIssuedrequireExplicitPolicyTest6EE.crt \
+ $certs/requireExplicitPolicy2SelfIssuedCACert.crt \
+ $certs/requireExplicitPolicy2CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Self-Issued RequireExplicitPolicy Test7"; log_banner
+ certImportn requireExplicitPolicy2CACert
+ crlImportn requireExplicitPolicy2CACRL.crl
+ certImport requireExplicitPolicy2subCACert
+ crlImport requireExplicitPolicy2subCACRL.crl
+ pkitsn $certs/InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt \
+ $certs/requireExplicitPolicy2subCACert.crt \
+ $certs/requireExplicitPolicy2SelfIssuedCACert.crt \
+ $certs/requireExplicitPolicy2CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Self-Issued RequireExplicitPolicy Test8"; log_banner
+ certImportn requireExplicitPolicy2CACert
+ crlImportn requireExplicitPolicy2CACRL.crl
+ certImport requireExplicitPolicy2subCACert
+ crlImport requireExplicitPolicy2subCACRL.crl
+ pkitsn $certs/InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt \
+ $certs/requireExplicitPolicy2SelfIssuedsubCACert.crt \
+ $certs/requireExplicitPolicy2subCACert.crt \
+ $certs/requireExplicitPolicy2SelfIssuedCACert.crt \
+ $certs/requireExplicitPolicy2CACert.crt
+ restore_db
+}
+
+pkits_PolicyMappings()
+{
+ break_table "NIST PKITS Section 4.10: Policy Mappings"
+
+ VFY_ACTION="Valid Policy Mapping Test1"; log_banner
+ certImportn Mapping1to2CACert
+ crlImportn Mapping1to2CACRL.crl
+ pkits $certs/ValidPolicyMappingTest1EE.crt \
+ $certs/Mapping1to2CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Policy Mapping Test2"; log_banner
+ certImportn Mapping1to2CACert
+ crlImportn Mapping1to2CACRL.crl
+ pkitsn $certs/InvalidPolicyMappingTest2EE.crt \
+ $certs/Mapping1to2CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Policy Mapping Test3"; log_banner
+ certImportn P12Mapping1to3CACert
+ crlImportn P12Mapping1to3CACRL.crl
+ certImportn P12Mapping1to3subCACert
+ crlImportn P12Mapping1to3subCACRL.crl
+ certImportn P12Mapping1to3subsubCACert
+ crlImportn P12Mapping1to3subsubCACRL.crl
+ pkits $certs/ValidPolicyMappingTest3EE.crt \
+ $certs/P12Mapping1to3subsubCACert.crt \
+ $certs/P12Mapping1to3subCACert.crt \
+ $certs/P12Mapping1to3CA.crt
+ restore_db
+
+ VFY_ACTION="Invalid Policy Mapping Test4"; log_banner
+ certImportn P12Mapping1to3CACert
+ crlImportn P12Mapping1to3CACRL.crl
+ certImportn P12Mapping1to3subCACert
+ crlImportn P12Mapping1to3subCACRL.crl
+ certImportn P12Mapping1to3subsubCACert
+ crlImportn P12Mapping1to3subsubCACRL.crl
+ pkitsn $certs/InvalidPolicyMappingTest4EE.crt \
+ $certs/P12Mapping1to3subsubCACert.crt \
+ $certs/P12Mapping1to3subCACert.crt \
+ $certs/P12Mapping1to3CA.crt
+ restore_db
+
+ VFY_ACTION="Valid Policy Mapping Test5"; log_banner
+ certImportn P1Mapping1to234CACert
+ crlImportn P1Mapping1to234CACRL.crl
+ certImportn P1Mapping1to234subCACert
+ crlImportn P1Mapping1to234subCACRL.crl
+ pkits $certs/ValidPolicyMappingTest5EE.crt \
+ $certs/P1Mapping1to234subCACert.crt \
+ $certs/P1Mapping1to234CA.crt
+ restore_db
+
+ VFY_ACTION="Valid Policy Mapping Test6"; log_banner
+ certImportn P1Mapping1to234CACert
+ crlImportn P1Mapping1to234CACRL.crl
+ certImportn P1Mapping1to234subCACert
+ crlImportn P1Mapping1to234subCACRL.crl
+ pkits $certs/ValidPolicyMappingTest6EE.crt \
+ $certs/P1Mapping1to234subCACert.crt \
+ $certs/P1Mapping1to234CA.crt
+ restore_db
+
+ VFY_ACTION="Invalid Mapping from anyPolicy Test7"; log_banner
+ certImportn MappingFromanyPolicyCACert
+ crlImportn MappingFromanyPolicyCACRL.crl
+ pkitsn $certs/InvalidMappingFromanyPolicyTest7EE.crt \
+ $certs/MappingFromanyPolicyCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Mapping to anyPolicy Test8"; log_banner
+ certImportn MappingToanyPolicyCACert
+ crlImportn MappingToanyPolicyCACRL.crl
+ pkitsn $certs/InvalidMappingToanyPolicyTest8EE.crt \
+ $certs/MappingToanyPolicyCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Policy Mapping Test9"; log_banner
+ certImport PanyPolicyMapping1to2CACert
+ crlImport PanyPolicyMapping1to2CACRL.crl
+ pkits $certs/ValidPolicyMappingTest9EE.crt \
+ $certs/PanyPolicyMapping1to2CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Policy Mapping Test10"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ certImportn GoodsubCAPanyPolicyMapping1to2CACert
+ crlImportn GoodsubCAPanyPolicyMapping1to2CACRL.crl
+ pkitsn $certs/InvalidPolicyMappingTest10EE.crt \
+ $certs/GoodsubCAPanyPolicyMapping1to2CACert.crt \
+ $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Policy Mapping Test11"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ certImportn GoodsubCAPanyPolicyMapping1to2CACert
+ crlImportn GoodsubCAPanyPolicyMapping1to2CACRL.crl
+ pkits $certs/ValidPolicyMappingTest11EE.crt \
+ $certs/GoodsubCAPanyPolicyMapping1to2CACert.crt \
+ $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Policy Mapping Test12"; log_banner
+ certImportn P12Mapping1to3CACert
+ crlImportn P12Mapping1to3CACRL.crl
+ pkits $certs/ValidPolicyMappingTest12EE.crt \
+ $certs/P12Mapping1to3CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Policy Mapping Test13"; log_banner
+ certImportn P1anyPolicyMapping1to2CACert
+ crlImportn P1anyPolicyMapping1to2CACRL.crl
+ pkits $certs/ValidPolicyMappingTest13EE.crt \
+ $certs/P1anyPolicyMapping1to2CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Policy Mapping Test14"; log_banner
+ certImportn P1anyPolicyMapping1to2CACert
+ crlImportn P1anyPolicyMapping1to2CACRL.crl
+ pkits $certs/ValidPolicyMappingTest14EE.crt \
+ $certs/P1anyPolicyMapping1to2CACert.crt
+ restore_db
+}
+
+
+pkits_InhibitPolicyMapping()
+{
+ break_table "NIST PKITS Section 4.11: Inhibit Policy Mapping"
+
+ VFY_ACTION="Invalid inhibitPolicyMapping Test1"; log_banner
+ certImportn inhibitPolicyMapping0CACert
+ crlImportn inhibitPolicyMapping0CACRL.crl
+ certImportn inhibitPolicyMapping0subCACert
+ crlImportn inhibitPolicyMapping0subCACRL.crl
+ pkitsn $certs/InvalidinhibitPolicyMappingTest1EE.crt \
+ $certs/inhibitPolicyMapping0CACert.crt \
+ $certs/inhibitPolicyMapping0subCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid inhibitPolicyMapping Test2"; log_banner
+ certImportn inhibitPolicyMapping1P12CACert
+ crlImportn inhibitPolicyMapping1P12CACRL.crl
+ certImportn inhibitPolicyMapping1P12subCACert
+ crlImportn inhibitPolicyMapping1P12subCACRL.crl
+ pkits $certs/ValidinhibitPolicyMappingTest2EE.crt \
+ $certs/inhibitPolicyMapping1P12CACert.crt \
+ $certs/inhibitPolicyMapping1P12subCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid inhibitPolicyMapping Test3"; log_banner
+ certImportn inhibitPolicyMapping1P12CACert
+ crlImportn inhibitPolicyMapping1P12CACRL.crl
+ certImportn inhibitPolicyMapping1P12subCACert
+ crlImportn inhibitPolicyMapping1P12subCACRL.crl
+ certImportn inhibitPolicyMapping1P12subsubCACert
+ crlImportn inhibitPolicyMapping1P12subsubCACRL.crl
+ pkitsn $certs/InvalidinhibitPolicyMappingTest3EE.crt \
+ $certs/inhibitPolicyMapping1P12subsubCACert.crt \
+ $certs/inhibitPolicyMapping1P12subCACert.crt \
+ $certs/inhibitPolicyMapping1P12CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid inhibitPolicyMapping Test4"; log_banner
+ certImportn inhibitPolicyMapping1P12CACert
+ crlImportn inhibitPolicyMapping1P12CACRL.crl
+ certImportn inhibitPolicyMapping1P12subCACert
+ crlImportn inhibitPolicyMapping1P12subCACRL.crl
+ certImportn inhibitPolicyMapping1P12subsubCACert
+ crlImportn inhibitPolicyMapping1P12subsubCACRL.crl
+ pkits $certs/ValidinhibitPolicyMappingTest4EE.crt \
+ $certs/inhibitPolicyMapping1P12CACert.crt \
+ $certs/inhibitPolicyMapping1P12subCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid inhibitPolicyMapping Test5"; log_banner
+ certImportn inhibitPolicyMapping5CACert
+ crlImportn inhibitPolicyMapping5CACRL.crl
+ certImportn inhibitPolicyMapping5subCACert
+ crlImportn inhibitPolicyMapping5subCACRL.crl
+ certImport inhibitPolicyMapping5subsubCACert
+ crlImport inhibitPolicyMapping5subsubCACRL.crl
+ pkitsn $certs/InvalidinhibitPolicyMappingTest5EE.crt \
+ $certs/inhibitPolicyMapping5subsubCACert.crt \
+ $certs/inhibitPolicyMapping5subCACert.crt \
+ $certs/inhibitPolicyMapping5CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid inhibitPolicyMapping Test6"; log_banner
+ certImportn inhibitPolicyMapping1P12CACert
+ crlImportn inhibitPolicyMapping1P12CACRL.crl
+ certImportn inhibitPolicyMapping1P12subCAIPM5Cert
+ crlImportn inhibitPolicyMapping1P12subCAIPM5CRL.crl
+ certImport inhibitPolicyMapping1P12subsubCAIPM5Cert
+ crlImportn inhibitPolicyMapping1P12subsubCAIPM5CRL.crl
+ pkitsn $certs/InvalidinhibitPolicyMappingTest6EE.crt \
+ $certs/inhibitPolicyMapping1P12subsubCAIPM5Cert.crt \
+ $certs/inhibitPolicyMapping1P12subCAIPM5Cert.crt \
+ $certs/inhibitPolicyMapping1P12CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Self-Issued inhibitPolicyMapping Test7"; log_banner
+ certImportn inhibitPolicyMapping1P1CACert
+ crlImportn inhibitPolicyMapping1P1CACRL.crl
+ certImportn inhibitPolicyMapping1P1subCACert
+ crlImportn inhibitPolicyMapping1P1subCACRL.crl
+ pkits $certs/ValidSelfIssuedinhibitPolicyMappingTest7EE.crt \
+ $certs/inhibitPolicyMapping1P1subCACert.crt \
+ $certs/inhibitPolicyMapping1P1SelfIssuedCACert.crt \
+ $certs/inhibitPolicyMapping1P1CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Self-Issued inhibitPolicyMapping Test8"; log_banner
+ certImportn inhibitPolicyMapping1P1CACert
+ crlImportn inhibitPolicyMapping1P1CACRL.crl
+ certImportn inhibitPolicyMapping1P1subCACert
+ crlImportn inhibitPolicyMapping1P1subCACRL.crl
+ certImport inhibitPolicyMapping1P1subsubCACert
+ crlImportn inhibitPolicyMapping1P1subsubCACRL.crl
+ pkitsn $certs/InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt \
+ $certs/inhibitPolicyMapping1P1subsubCACert.crt \
+ $certs/inhibitPolicyMapping1P1subCACert.crt \
+ $certs/inhibitPolicyMapping1P1SelfIssuedCACert.crt \
+ $certs/inhibitPolicyMapping1P1CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Self-Issued inhibitPolicyMapping Test9"; log_banner
+ certImportn inhibitPolicyMapping1P1CACert
+ crlImportn inhibitPolicyMapping1P1CACRL.crl
+ certImportn inhibitPolicyMapping1P1subCACert
+ crlImportn inhibitPolicyMapping1P1subCACRL.crl
+ certImportn inhibitPolicyMapping1P1subsubCACert
+ crlImportn inhibitPolicyMapping1P1subsubCACRL.crl
+ pkitsn $certs/InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt \
+ $certs/inhibitPolicyMapping1P1subsubCACert.crt \
+ $certs/inhibitPolicyMapping1P1subCACert.crt \
+ $certs/inhibitPolicyMapping1P1SelfIssuedCACert.crt \
+ $certs/inhibitPolicyMapping1P1CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Self-Issued inhibitPolicyMapping Test10"; log_banner
+ certImportn inhibitPolicyMapping1P1CACert
+ crlImportn inhibitPolicyMapping1P1CACRL.crl
+ certImportn inhibitPolicyMapping1P1subCACert
+ crlImportn inhibitPolicyMapping1P1subCACRL.crl
+ pkitsn $certs/InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt \
+ $certs/inhibitPolicyMapping1P1SelfIssuedsubCACert.crt \
+ $certs/inhibitPolicyMapping1P1subCACert.crt \
+ $certs/inhibitPolicyMapping1P1SelfIssuedCACert.crt \
+ $certs/inhibitPolicyMapping1P1CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Self-Issued inhibitPolicyMapping Test11"; log_banner
+ certImportn
inhibitPolicyMapping1P1CACert + crlImportn inhibitPolicyMapping1P1CACRL.crl + certImportn inhibitPolicyMapping1P1subCACert + crlImportn inhibitPolicyMapping1P1subCACRL.crl + pkitsn $certs/InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt \ + $certs/inhibitPolicyMapping1P1SelfIssuedsubCACert.crt \ + $certs/inhibitPolicyMapping1P1subCACert.crt \ + $certs/inhibitPolicyMapping1P1SelfIssuedCACert.crt \ + $certs/inhibitPolicyMapping1P1CACert.crt + restore_db +} + + +pkits_InhibitAnyPolicy() +{ + break_table "NIST PKITS Section 4.12: Inhibit Any Policy" + + VFY_ACTION="Invalid inhibitAnyPolicy Test1"; log_banner + certImportn inhibitAnyPolicy0CACert + crlImportn inhibitAnyPolicy0CACRL.crl + pkitsn $certs/InvalidinhibitAnyPolicyTest1EE.crt \ + $certs/inhibitAnyPolicy0CACert.crt + restore_db + + VFY_ACTION="Valid inhibitAnyPolicy Test2"; log_banner + certImportn inhibitAnyPolicy0CACert + crlImportn inhibitAnyPolicy0CACRL.crl + pkits $certs/ValidinhibitAnyPolicyTest2EE.crt \ + $certs/inhibitAnyPolicy0CACert.crt + restore_db + + VFY_ACTION="inhibitAnyPolicy Test3"; log_banner + certImportn inhibitAnyPolicy1CACert + crlImportn inhibitAnyPolicy1CACRL.crl + certImport inhibitAnyPolicy1subCA1Cert + crlImport inhibitAnyPolicy1subCA1CRL.crl + pkits $certs/inhibitAnyPolicyTest3EE.crt \ + $certs/inhibitAnyPolicy1CACert.crt \ + $certs/inhibitAnyPolicy1subCA1Cert.crt + restore_db + + VFY_ACTION="Invalid inhibitAnyPolicy Test4"; log_banner + certImportn inhibitAnyPolicy1CACert + crlImportn inhibitAnyPolicy1CACRL.crl + certImport inhibitAnyPolicy1subCA1Cert + crlImport inhibitAnyPolicy1subCA1CRL.crl + pkitsn $certs/InvalidinhibitAnyPolicyTest4EE.crt \ + $certs/inhibitAnyPolicy1CACert.crt \ + $certs/inhibitAnyPolicy1subCA1Cert.crt + restore_db + + VFY_ACTION="Invalid inhibitAnyPolicy Test5"; log_banner + certImportn inhibitAnyPolicy5CACert + crlImportn inhibitAnyPolicy5CACRL.crl + certImportn inhibitAnyPolicy5subCACert + crlImportn inhibitAnyPolicy5subCACRL.crl + certImport 
inhibitAnyPolicy5subsubCACert + crlImport inhibitAnyPolicy5subsubCACRL.crl + pkitsn $certs/InvalidinhibitAnyPolicyTest5EE.crt \ + $certs/inhibitAnyPolicy5CACert.crt \ + $certs/inhibitAnyPolicy5subCACert.crt \ + $certs/inhibitAnyPolicy5subsubCACert.crt + restore_db + + VFY_ACTION="Invalid inhibitAnyPolicy Test6"; log_banner + certImportn inhibitAnyPolicy1CACert + crlImportn inhibitAnyPolicy1CACRL.crl + certImportn inhibitAnyPolicy1subCAIAP5Cert + crlImportn inhibitAnyPolicy1subCAIAP5CRL.crl + pkitsn $certs/InvalidinhibitAnyPolicyTest5EE.crt \ + $certs/inhibitAnyPolicy1CACert.crt \ + $certs/inhibitAnyPolicy5subCACert.crt \ + $certs/inhibitAnyPolicy5subsubCACert.crt + restore_db + + VFY_ACTION="Valid Self-Issued inhibitAnyPolicy Test7"; log_banner + certImportn inhibitAnyPolicy1CACert + crlImportn inhibitAnyPolicy1CACRL.crl + certImport inhibitAnyPolicy1subCA2Cert + crlImport inhibitAnyPolicy1subCA2CRL.crl + pkits $certs/ValidSelfIssuedinhibitAnyPolicyTest7EE.crt \ + $certs/inhibitAnyPolicy1CACert.crt \ + $certs/inhibitAnyPolicy1SelfIssuedCACert.crt \ + $certs/inhibitAnyPolicy1subCA2Cert.crt + restore_db + + VFY_ACTION="Invalid Self-Issued inhibitAnyPolicy Test8"; log_banner + certImportn inhibitAnyPolicy1CACert + crlImportn inhibitAnyPolicy1CACRL.crl + certImport inhibitAnyPolicy1subCA2Cert + crlImport inhibitAnyPolicy1subCA2CRL.crl + certImport inhibitAnyPolicy1subsubCA2Cert + crlImport inhibitAnyPolicy1subsubCA2CRL.crl + pkitsn $certs/InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt \ + $certs/inhibitAnyPolicy1CACert.crt \ + $certs/inhibitAnyPolicy1SelfIssuedCACert.crt \ + $certs/inhibitAnyPolicy1subCA2Cert.crt \ + $certs/inhibitAnyPolicy1subsubCA2Cert.crt + restore_db + + VFY_ACTION="Valid Self-Issued inhibitAnyPolicy Test9"; log_banner + certImportn inhibitAnyPolicy1CACert + crlImportn inhibitAnyPolicy1CACRL.crl + certImport inhibitAnyPolicy1subCA2Cert + crlImport inhibitAnyPolicy1subCA2CRL.crl + pkits $certs/ValidSelfIssuedinhibitAnyPolicyTest9EE.crt \ + 
$certs/inhibitAnyPolicy1CACert.crt \ + $certs/inhibitAnyPolicy1SelfIssuedCACert.crt \ + $certs/inhibitAnyPolicy1subCA2Cert.crt \ + $certs/inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt + restore_db + + VFY_ACTION="Invalid Self-Issued inhibitAnyPolicy Test10"; log_banner + certImportn inhibitAnyPolicy1CACert + crlImportn inhibitAnyPolicy1CACRL.crl + certImport inhibitAnyPolicy1subCA2Cert + crlImport inhibitAnyPolicy1subCA2CRL.crl + pkitsn $certs/InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt \ + $certs/inhibitAnyPolicy1CACert.crt \ + $certs/inhibitAnyPolicy1SelfIssuedCACert.crt \ + $certs/inhibitAnyPolicy1subCA2Cert.crt + restore_db +} + + +pkits_NameConstraints() +{ + break_table "NIST PKITS Section 4.13: Name Constraints" + + VFY_ACTION="Valid DN nameConstraints Test1"; log_banner + certImport nameConstraintsDN1CACert + crlImport nameConstraintsDN1CACRL.crl + pkits $certs/ValidDNnameConstraintsTest1EE.crt \ + $certs/nameConstraintsDN1CACert.crt + restore_db + + VFY_ACTION="Invalid DN nameConstraints Test2"; log_banner + certImport nameConstraintsDN1CACert + crlImport nameConstraintsDN1CACRL.crl + pkitsn $certs/InvalidDNnameConstraintsTest2EE.crt \ + $certs/nameConstraintsDN1CACert.crt + restore_db + + VFY_ACTION="Invalid DN nameConstraints Test3"; log_banner + certImport nameConstraintsDN1CACert + crlImport nameConstraintsDN1CACRL.crl + pkitsn $certs/InvalidDNnameConstraintsTest3EE.crt \ + $certs/nameConstraintsDN1CACert.crt + restore_db + + VFY_ACTION="Valid DN nameConstraints Test4"; log_banner + certImport nameConstraintsDN1CACert + crlImport nameConstraintsDN1CACRL.crl + pkits $certs/ValidDNnameConstraintsTest4EE.crt \ + $certs/nameConstraintsDN1CACert.crt + restore_db + + VFY_ACTION="Valid DN nameConstraints Test5"; log_banner + certImport nameConstraintsDN2CACert + crlImport nameConstraintsDN2CACRL.crl + pkits $certs/ValidDNnameConstraintsTest5EE.crt \ + $certs/nameConstraintsDN2CACert.crt + restore_db + + VFY_ACTION="Valid DN nameConstraints Test6"; log_banner + 
certImport nameConstraintsDN3CACert + crlImport nameConstraintsDN3CACRL.crl + pkits $certs/ValidDNnameConstraintsTest6EE.crt \ + $certs/nameConstraintsDN3CACert.crt + restore_db + + VFY_ACTION="Invalid DN nameConstraints Test7"; log_banner + certImport nameConstraintsDN3CACert + crlImport nameConstraintsDN3CACRL.crl + pkitsn $certs/InvalidDNnameConstraintsTest7EE.crt \ + $certs/nameConstraintsDN3CACert.crt + restore_db + + VFY_ACTION="Invalid DN nameConstraints Test8"; log_banner + certImport nameConstraintsDN4CACert + crlImport nameConstraintsDN4CACRL.crl + pkitsn $certs/InvalidDNnameConstraintsTest8EE.crt \ + $certs/nameConstraintsDN4CACert.crt + restore_db + + VFY_ACTION="Invalid DN nameConstraints Test9"; log_banner + certImport nameConstraintsDN4CACert + crlImport nameConstraintsDN4CACRL.crl + pkitsn $certs/InvalidDNnameConstraintsTest9EE.crt \ + $certs/nameConstraintsDN4CACert.crt + restore_db + + VFY_ACTION="Invalid DN nameConstraints Test10"; log_banner + certImport nameConstraintsDN5CACert + crlImport nameConstraintsDN5CACRL.crl + pkitsn $certs/InvalidDNnameConstraintsTest10EE.crt \ + $certs/nameConstraintsDN5CACert.crt + restore_db + + VFY_ACTION="Valid DN nameConstraints Test11"; log_banner + certImport nameConstraintsDN5CACert + crlImport nameConstraintsDN5CACRL.crl + pkits $certs/ValidDNnameConstraintsTest11EE.crt \ + $certs/nameConstraintsDN5CACert.crt + restore_db + + VFY_ACTION="Invalid DN nameConstraints Test12"; log_banner + certImport nameConstraintsDN1CACert + crlImport nameConstraintsDN1CACRL.crl + certImport nameConstraintsDN1subCA1Cert + crlImport nameConstraintsDN1subCA1CRL.crl + pkitsn $certs/InvalidDNnameConstraintsTest12EE.crt \ + $certs/nameConstraintsDN1subCA1Cert.crt \ + $certs/nameConstraintsDN1CACert.crt + restore_db + + VFY_ACTION="Invalid DN nameConstraints Test13"; log_banner + certImport nameConstraintsDN1CACert + crlImport nameConstraintsDN1CACRL.crl + certImport nameConstraintsDN1subCA2Cert + crlImport 
nameConstraintsDN1subCA2CRL.crl + pkitsn $certs/InvalidDNnameConstraintsTest13EE.crt \ + $certs/nameConstraintsDN1subCA2Cert.crt \ + $certs/nameConstraintsDN1CACert.crt + restore_db + + VFY_ACTION="Valid DN nameConstraints Test14"; log_banner + certImport nameConstraintsDN1CACert + crlImport nameConstraintsDN1CACRL.crl + certImport nameConstraintsDN1subCA2Cert + crlImport nameConstraintsDN1subCA2CRL.crl + pkits $certs/ValidDNnameConstraintsTest14EE.crt \ + $certs/nameConstraintsDN1subCA2Cert.crt \ + $certs/nameConstraintsDN1CACert.crt + restore_db + + VFY_ACTION="Invalid DN nameConstraints Test15"; log_banner + certImport nameConstraintsDN3CACert + crlImport nameConstraintsDN3CACRL.crl + certImport nameConstraintsDN3subCA1Cert + crlImport nameConstraintsDN3subCA1CRL.crl + pkitsn $certs/InvalidDNnameConstraintsTest15EE.crt \ + $certs/nameConstraintsDN3subCA1Cert.crt \ + $certs/nameConstraintsDN3CACert.crt + restore_db + + VFY_ACTION="Invalid DN nameConstraints Test16"; log_banner + certImport nameConstraintsDN3CACert + crlImport nameConstraintsDN3CACRL.crl + certImport nameConstraintsDN3subCA1Cert + crlImport nameConstraintsDN3subCA1CRL.crl + pkitsn $certs/InvalidDNnameConstraintsTest16EE.crt \ + $certs/nameConstraintsDN3subCA1Cert.crt \ + $certs/nameConstraintsDN3CACert.crt + restore_db + + VFY_ACTION="Invalid DN nameConstraints Test17"; log_banner + certImport nameConstraintsDN3CACert + crlImport nameConstraintsDN3CACRL.crl + certImport nameConstraintsDN3subCA2Cert + crlImport nameConstraintsDN3subCA2CRL.crl + pkitsn $certs/InvalidDNnameConstraintsTest17EE.crt \ + $certs/nameConstraintsDN3subCA2Cert.crt \ + $certs/nameConstraintsDN3CACert.crt + restore_db + + VFY_ACTION="Valid DN nameConstraints Test18"; log_banner + certImport nameConstraintsDN3CACert + crlImport nameConstraintsDN3CACRL.crl + certImport nameConstraintsDN3subCA2Cert + crlImport nameConstraintsDN3subCA2CRL.crl + pkits $certs/ValidDNnameConstraintsTest18EE.crt \ + 
$certs/nameConstraintsDN3subCA2Cert.crt \ + $certs/nameConstraintsDN3CACert.crt + restore_db + +### bug 232737 ### +if [ -n "${KNOWN_BUG}" ]; then + VFY_ACTION="Valid Self-Issued DN nameConstraints Test19"; log_banner + certImport nameConstraintsDN1CACert + crlImport nameConstraintsDN1CACRL.crl + pkits $certs/ValidDNnameConstraintsTest19EE.crt \ + $certs/nameConstraintsDN1SelfIssuedCACert.crt \ + $certs/nameConstraintsDN1CACert.crt + restore_db +fi + + VFY_ACTION="Invalid Self-Issued DN nameConstraints Test20"; log_banner + certImport nameConstraintsDN1CACert + crlImport nameConstraintsDN1CACRL.crl + pkitsn $certs/InvalidDNnameConstraintsTest20EE.crt \ + $certs/nameConstraintsDN1CACert.crt + restore_db + + VFY_ACTION="Valid RFC822 nameConstraints Test21"; log_banner + certImport nameConstraintsRFC822CA1Cert + crlImport nameConstraintsRFC822CA1CRL.crl + pkits $certs/ValidRFC822nameConstraintsTest21EE.crt \ + $certs/nameConstraintsRFC822CA1Cert.crt + restore_db + + VFY_ACTION="Invalid RFC822 nameConstraints Test22"; log_banner + certImport nameConstraintsRFC822CA1Cert + crlImport nameConstraintsRFC822CA1CRL.crl + pkitsn $certs/InvalidRFC822nameConstraintsTest22EE.crt \ + $certs/nameConstraintsRFC822CA1Cert.crt + restore_db + + VFY_ACTION="Valid RFC822 nameConstraints Test23"; log_banner + certImport nameConstraintsRFC822CA2Cert + crlImport nameConstraintsRFC822CA2CRL.crl + pkits $certs/ValidRFC822nameConstraintsTest23EE.crt \ + $certs/nameConstraintsRFC822CA2Cert.crt + restore_db + + VFY_ACTION="Invalid RFC822 nameConstraints Test24"; log_banner + certImport nameConstraintsRFC822CA2Cert + crlImport nameConstraintsRFC822CA2CRL.crl + pkitsn $certs/InvalidRFC822nameConstraintsTest24EE.crt \ + $certs/nameConstraintsRFC822CA2Cert.crt + restore_db + + VFY_ACTION="Valid RFC822 nameConstraints Test25"; log_banner + certImport nameConstraintsRFC822CA3Cert + crlImport nameConstraintsRFC822CA3CRL.crl + pkits $certs/ValidRFC822nameConstraintsTest25EE.crt \ + 
$certs/nameConstraintsRFC822CA3Cert.crt + restore_db + + VFY_ACTION="Invalid RFC822 nameConstraints Test26"; log_banner + certImport nameConstraintsRFC822CA3Cert + crlImport nameConstraintsRFC822CA3CRL.crl + pkitsn $certs/InvalidRFC822nameConstraintsTest26EE.crt \ + $certs/nameConstraintsRFC822CA3Cert.crt + restore_db + + VFY_ACTION="Valid DN and RFC822 nameConstraints Test27"; log_banner + certImport nameConstraintsDN1CACert + crlImport nameConstraintsDN1CACRL.crl + certImport nameConstraintsDN1subCA3Cert + crlImport nameConstraintsDN1subCA3CRL.crl + pkits $certs/ValidDNandRFC822nameConstraintsTest27EE.crt \ + $certs/nameConstraintsDN1subCA3Cert.crt \ + $certs/nameConstraintsDN1CACert.crt + restore_db + + VFY_ACTION="Invalid DN and RFC822 nameConstraints Test28"; log_banner + certImport nameConstraintsDN1CACert + crlImport nameConstraintsDN1CACRL.crl + certImport nameConstraintsDN1subCA3Cert + crlImport nameConstraintsDN1subCA3CRL.crl + pkitsn $certs/InvalidDNandRFC822nameConstraintsTest28EE.crt \ + $certs/nameConstraintsDN1subCA3Cert.crt \ + $certs/nameConstraintsDN1CACert.crt + restore_db + + VFY_ACTION="Invalid DN and RFC822 nameConstraints Test29"; log_banner + certImport nameConstraintsDN1CACert + crlImport nameConstraintsDN1CACRL.crl + certImport nameConstraintsDN1subCA3Cert + crlImport nameConstraintsDN1subCA3CRL.crl + pkitsn $certs/InvalidDNandRFC822nameConstraintsTest29EE.crt \ + $certs/nameConstraintsDN1subCA3Cert.crt \ + $certs/nameConstraintsDN1CACert.crt + restore_db + + VFY_ACTION="Valid DNS nameConstraints Test30"; log_banner + certImport nameConstraintsDNS1CACert + crlImport nameConstraintsDNS1CACRL.crl + pkits $certs/ValidDNSnameConstraintsTest30EE.crt \ + $certs/nameConstraintsDNS1CACert.crt + restore_db + + VFY_ACTION="Invalid DNS nameConstraints Test31"; log_banner + certImport nameConstraintsDNS1CACert + crlImport nameConstraintsDNS1CACRL.crl + pkitsn $certs/InvalidDNSnameConstraintsTest31EE.crt \ + $certs/nameConstraintsDNS1CACert.crt + 
restore_db + + VFY_ACTION="Valid DNS nameConstraints Test32"; log_banner + certImport nameConstraintsDNS2CACert + crlImport nameConstraintsDNS2CACRL.crl + pkits $certs/ValidDNSnameConstraintsTest32EE.crt \ + $certs/nameConstraintsDNS2CACert.crt + restore_db + + VFY_ACTION="Invalid DNS nameConstraints Test33"; log_banner + certImport nameConstraintsDNS2CACert + crlImport nameConstraintsDNS2CACRL.crl + pkitsn $certs/InvalidDNSnameConstraintsTest33EE.crt \ + $certs/nameConstraintsDNS2CACert.crt + restore_db + + VFY_ACTION="Valid URI nameConstraints Test34"; log_banner + certImport nameConstraintsURI1CACert + crlImport nameConstraintsURI1CACRL.crl + pkits $certs/ValidURInameConstraintsTest34EE.crt \ + $certs/nameConstraintsURI1CACert.crt + restore_db + + VFY_ACTION="Invalid URI nameConstraints Test35"; log_banner + certImport nameConstraintsURI1CACert + crlImport nameConstraintsURI1CACRL.crl + pkitsn $certs/InvalidURInameConstraintsTest35EE.crt \ + $certs/nameConstraintsURI1CACert.crt + restore_db + + VFY_ACTION="Valid URI nameConstraints Test36"; log_banner + certImport nameConstraintsURI2CACert + crlImport nameConstraintsURI2CACRL.crl + pkits $certs/ValidURInameConstraintsTest36EE.crt \ + $certs/nameConstraintsURI2CACert.crt + restore_db + + VFY_ACTION="Invalid URI nameConstraints Test37"; log_banner + certImport nameConstraintsURI2CACert + crlImport nameConstraintsURI2CACRL.crl + pkitsn $certs/InvalidURInameConstraintsTest37EE.crt \ + $certs/nameConstraintsURI2CACert.crt + restore_db + + VFY_ACTION="Invalid DNS nameConstraints Test38"; log_banner + certImport nameConstraintsDNS1CACert + crlImport nameConstraintsDNS1CACRL.crl + pkitsn $certs/InvalidDNSnameConstraintsTest38EE.crt \ + $certs/nameConstraintsDNS1CACert.crt + restore_db +} + +pkits_PvtCertExtensions() +{ + break_table "NIST PKITS Section 4.16: Private Certificate Extensions" + + VFY_ACTION="Valid Unknown Not Critical Certificate Extension Test1"; log_banner + pkits 
$certs/ValidUnknownNotCriticalCertificateExtensionTest1EE.crt + + VFY_ACTION="Invalid Unknown Critical Certificate Extension Test2"; log_banner + pkitsn $certs/InvalidUnknownCriticalCertificateExtensionTest2EE.crt +} + +############################## pkits_cleanup ########################### +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +pkits_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + + +################################## main ################################ +pkits_init +pkits_SignatureVerification | tee -a $PKITS_LOG +pkits_ValidityPeriods | tee -a $PKITS_LOG +pkits_NameChaining | tee -a $PKITS_LOG +pkits_BasicCertRevocation | tee -a $PKITS_LOG +pkits_PathVerificWithSelfIssuedCerts | tee -a $PKITS_LOG +pkits_BasicConstraints | tee -a $PKITS_LOG +pkits_KeyUsage | tee -a $PKITS_LOG +if [ -n "$NSS_PKITS_POLICIES" ]; then + pkits_CertificatePolicies | tee -a $PKITS_LOG + pkits_RequireExplicitPolicy | tee -a $PKITS_LOG + pkits_PolicyMappings | tee -a $PKITS_LOG + pkits_InhibitPolicyMapping | tee -a $PKITS_LOG + pkits_InhibitAnyPolicy | tee -a $PKITS_LOG +fi +pkits_NameConstraints | tee -a $PKITS_LOG +pkits_PvtCertExtensions | tee -a $PKITS_LOG +pkits_cleanup + diff --git a/security/nss/tests/platformlist b/security/nss/tests/platformlist new file mode 100644 index 000000000..19bf821e9 --- /dev/null +++ b/security/nss/tests/platformlist @@ -0,0 +1,11 @@ +Darwin6.5 +HP-UX_B.11.00_32_bit +HP-UX_B.11.00_64 +RH_Linux_7.2_(Enigma) +RH_Linux_7.3_(Valhalla) +RH_Linux_Advanced_Server_2.1AS_(Pensacola) +SunOS_5.8_32_bit +SunOS_5.8_64_bit +Windows-2000 +Windows-XP + diff --git a/security/nss/tests/platformlist.tbx b/security/nss/tests/platformlist.tbx new file mode 100644 index 000000000..435284cff --- /dev/null +++ b/security/nss/tests/platformlist.tbx 
@@ -0,0 +1,14 @@
+AIX_3_32_bit AIX4.3_DBG.OBJ AIX4.3_OPT.OBJ
+AIX_3_64_bit AIX4.3_DBG.OBJ AIX4.3_OPT.OBJ AIX4.3_64_DBG.OBJ AIX4.3_64_OPT.OBJ
+HP-UX_B.11.00_32_bit HP-UXB.11.00_DBG.OBJ HP-UXB.11.00_OPT.OBJ
+HP-UX_B.11.00_64_bit HP-UXB.11.00_DBG.OBJ HP-UXB.11.00_OPT.OBJ
+OSF1_V4.0 OSF1V4.0D_DBG.OBJ OSF1V4.0D_OPT.OBJ
+OSF1_V5.0 OSF1V5.0_DBG.OBJ OSF1V5.0_OPT.OBJ
+RH_Linux_6.2_(Zoot) Linux2.2_x86_glibc_PTH_DBG.OBJ Linux2.2_x86_glibc_PTH_OPT.OBJ
+RH_Linux_6.1_(Cartman) Linux2.2_x86_glibc_PTH_DBG.OBJ Linux2.2_x86_glibc_PTH_OPT.OBJ
+RH_Linux_6.0_(Hedwig) Linux2.2_x86_glibc_PTH_DBG.OBJ Linux2.2_x86_glibc_PTH_OPT.OBJ
+SunOS_5.6 SunOS5.6_DBG.OBJ SunOS5.6_OPT.OBJ
+SunOS_5.8_32_bit
+SunOS_5.8_64_bit
+Windows-2000 WINNT5.0_DBG.OBJ WINNT5.0_OPT.OBJ WIN954.0_DBG.OBJ WIN954.0_OPT.OBJ
+Windows-NT-4.0 WIN954.0_DBG.OBJ WIN954.0_OPT.OBJ WINNT4.0_DBG.OBJ WINNT4.0_OPT.OBJ
diff --git a/security/nss/tests/qa_stage b/security/nss/tests/qa_stage
new file mode 100755
index 000000000..f0960c845
--- /dev/null
+++ b/security/nss/tests/qa_stage
@@ -0,0 +1,336 @@ +#! /bin/sh +######################################################################## +# +# /u/sonmi/bin/qa_stage - /u/svbld/bin/init/nss/qa_stage +# +# this script is supposed to convert the tinderbox and daily QA files +# for use on mozilla.org +# +# parameters +# ---------- +# nssversion (supported: 30b, 31, tip) +# builddate (default - today) +# +######################################################################## + +if [ -z "$BUILDNUMBER" ] +then + BUILDNUMBER=1 +fi +if [ `uname` = "Linux" ] ; then + PATH=".:/u/sonmi/bin:/u/sonmi/bin/linux:/usr/bsd:/usr/ucb/:/bin:/usr/bin:/usr/ccs/bin:/usr/sbin:/usr/bin/X11:/usr/etc:/etc:/usr/demos:/usr/demos/bin:/usr/local/bin:/usr/local/X11/bin:/tools/ns/bin" + export PATH +fi + +Echo() +{ + if [ "$O_SILENT" = "OFF" ] ; then + echo $* + fi +} + +################################### qa_stage_init ########################## +# +######################################################################## +qa_stage_init() +{ + umask 000 + + eval_opts $* + + if [ -z "${QAYEAR}" ] ; then + QAYEAR=`date +%Y` + elif [ "$QAYEAR" = "" ] ; then + QAYEAR=`date +%Y` + fi + + Echo "Init..." 
+ DAYBUILD=${QAYEAR}${BUILDDATE}.${BUILDNUMBER} + NSS_D0=/share/builds/mccrel3/nss + NSS_VER_DIR=${NSS_D0}/nss${NSSVER} + NTDIST=${NSS_VER_DIR}/builds/${DAYBUILD}/blowfish_NT4.0_Win95/mozilla/dist + UXDIST=${NSS_VER_DIR}/builds/${DAYBUILD}/booboo_Solaris8/mozilla/dist + TESTSCRIPTDIR=${NSS_VER_DIR}/builds/${DAYBUILD}/booboo_Solaris8/mozilla/security/nss/tests + RESULTDIR=${NSS_VER_DIR}/builds/${DAYBUILD}/booboo_Solaris8/mozilla/tests_results/security + TBX_RESULTDIR=${NSS_D0}/nsstip/tinderbox/tests_results/security + + MOZ_D0=/pub/security/nss + MOZ_RESULTDIR=${MOZ_D0}/daily_qa/${DAYBUILD} + MOZ_TBX_RESULTDIR=${MOZ_D0}/tinderbox + + export BUILDDATE NSSVER QAYEAR NTDIST UXDIST TESTSCRIPTDIR RESULTDIR + + + IPLANET_TBX_URL="http://cindercone.red.iplanet.com${TBX_RESULTDIR}" + IPLANET_DQA_URL="http://cindercone.red.iplanet.com${RESULTDIR}" + + MOZ_TBX_URL="ftp://ftp.mozilla.org${MOZ_TBX_RESULTDIR}" + MOZ_DQA_URL="ftp://ftp.mozilla.org${MOZ_RESULTDIR}" + + export IPLANET_TBX_URL IPLANET_DQA_URL MOZ_TBX_URL MOZ_DQA_URL + STAGE_1=/u/sonmi/tmp/ftp_stage + + if [ ! -d $STAGE_1 ] ; then + Echo "Staging area daily QA (DQA): $DQA_STAGE does not exist, exit" + exit 1 + fi + cd $STAGE_1 || (Echo "Cant cd to $STAGE_1 , exit"; exit) + rm all.tar* 2>/dev/null + TBX_STAGE=$STAGE_1/tinderbox + DQA_STAGE=$STAGE_1/daily_qa/${DAYBUILD} + Echo "Staging area tbx: $TBX_STAGE" + Echo "Staging area daily QA (DQA): $DQA_STAGE" + Echo "Resultdir (sourcedir) for daily QA (RESULTDIR): $RESULTDIR" +} + +################################### qa_stage_dqa ########################## +# +######################################################################## +qa_stage_dqa() +{ + Echo "DQA:..." + Echo "Resultdir (sourcedir) for daily QA (RESULTDIR): $RESULTDIR" +#set -x + if [ ! -d $RESULTDIR ] ; then + Echo "Resultdir $RESULTDIR does not exist, can't push daily QA" + return + fi + cd $RESULTDIR || return + #for w in `find . -name "result*html"` + for w in `find . -name "result.html"` + do + if [ ! 
-d $DQA_STAGE/`dirname $w` ] ; then + mkdir -p $DQA_STAGE/`dirname $w` + fi + rm $DQA_STAGE/$w 2>/dev/null + cat $w | reformat_qa >$DQA_STAGE/$w + done + for w in `find . -name "output.log" -o -name "results.html"` + do +#echo $w + if [ ! -d $DQA_STAGE/`dirname $w` ] ; then + mkdir -p $DQA_STAGE/`dirname $w` + fi + cp $w $DQA_STAGE/$w + done +} + + +################################### qa_stage_tbx ########################## +# +######################################################################## +qa_stage_tbx() +{ + Echo "tbx: " + if [ ! -d $TBX_RESULTDIR ] ; then + Echo "TBX_RESULTDIR $TBX_RESULTDIR does not exist" + return + fi + cd $TBX_RESULTDIR || return + Echo "find from $TBX_FIND_FROM" + for w in `find $TBX_FIND_FROM -name "result.html"` + do + if [ ! -d "$TBX_STAGE/`dirname $w`" ] ; then + mkdir -p $TBX_STAGE/`dirname $w` + fi + rm $TBX_STAGE/$w 2>/dev/null + cat $w | reformat_qa >$TBX_STAGE/$w + done + for w in `find $TBX_FIND_FROM -name "output.log" -o -name "results.html"` + do + if [ ! 
-d $TBX_STAGE/`dirname $w` ] ; then + mkdir -p $TBX_STAGE/`dirname $w` + fi + cp $w $TBX_STAGE/$w + done +} + +match_tbxdirs() +{ + YY=`date +%Y` + DD=`date +%d` + MM=`date +%m` + HH=`date +%H` + + TBX_FIND_FROM="*-$YY$MM$DD-$HH.*" + i=$1 + while [ $i -gt 0 ] ; do + i=`expr $i - 1` + HH=`expr $HH - 1` + if [ $HH -lt 0 ] ; then + HH=23 + DD=`expr $DD - 1` + if [ $DD -eq 0 ] ; then + MM=`expr $MM - 1` + case $MM in + 0) + YY=`expr $YY - 1` + MM=12 + DD=31 + ;; + [13578]|10|12) + DD=31 + ;; + 2) + DD=28 + ;; + [469]|11) + DD=30 + ;; + esac + fi + fi + case $MM in + [123456789]) + MM=0$MM + ;; + esac + case $DD in + [123456789]) + DD=0$DD + ;; + esac + case $HH in + [0123456789]) + HH=0$HH + ;; + esac + TBX_FIND_FROM="$TBX_FIND_FROM *-$YY$MM$DD-$HH.*" + done +} + +################################### eval_opts ########################## +# global shell function, evapuates options and parameters, sets flags +# variables and defaults +######################################################################## +eval_opts() +{ + DO_TBX=OFF + DO_DQA=OFF + DO_CLEAN=OFF + O_SILENT=OFF + O_INCREMENTAL=OFF + O_MAIL=OFF + BUILDDATE=`date +%m%d` + NSSVER=tip + + TBX_FIND_FROM="." + + while [ -n "$1" ] + do + case $1 in + -d) + DO_DQA=ON + ;; + -m) + O_MAIL=ON + shift + MAILINGLIST=$1 + if [ -z "$MAILINGLIST" ] + then + echo "Error: -m requires a mailinglist to follow, for example sonmi@iplanet.com" + exit + fi + ;; + -ti) + DO_TBX=ON + match_tbxdirs 2 + O_INCREMENTAL=ON + ;; + -t) + DO_TBX=ON + ;; + -c) + DO_CLEAN=ON + ;; + -s) + O_SILENT=ON + ;; + + tip|3[0-9]*) + NSSVER=$1 + ;; + [01][0-9][0-3][0-9]) + BUILDDATE=$1 + ;; + esac + shift + done +} + +qa_stage_init $* + +if [ "$DO_CLEAN" = "ON" ] ; then + Echo "Cleaning old stuff" + if [ ! 
-d $STAGE_1 ] ; then + Echo "Staging area daily QA (DQA): $DQA_STAGE does not exist, exit" + exit 1 + fi + cd $STAGE_1 || (Echo "Cant cd to $STAGE_1 , exit"; exit) + if [ -n "$TBX_STAGE" -a -d "$TBX_STAGE" ] ; then + rm -rf $TBX_STAGE/* + else + Echo "nothing here to clean..." + fi +fi +if [ "$DO_DQA" = "ON" ] ; then + qa_stage_dqa + if [ "$O_MAIL" = "ON" -a -f "$DQA_STAGE/result.html" ] ; then + cat $DQA_STAGE/result.html | /usr/sbin/sendmail $MAILINGLIST + fi +fi +if [ "$DO_TBX" = "ON" ] ; then + qa_stage_tbx +fi +if [ ! -d $STAGE_1 ] ; then + Echo "Staging area daily QA (DQA): $DQA_STAGE does not exist, exit" + exit 1 +fi +cd $STAGE_1 || (Echo "Cant cd to $STAGE_1 , exit"; exit) +Echo "tar..." +if [ "$O_SILENT" = "ON" ] ; then + TARPARAM=cf +else + TARPARAM=cvf +fi + + +if [ "$DO_DQA" = "ON" -a "$DO_TBX" = "ON" ] ; then + Echo "tar $TARPARAM all.tar daily_qa tinderbox" + tar $TARPARAM all.tar daily_qa tinderbox +elif [ "$DO_DQA" = "ON" ] ; then + Echo "tar $TARPARAM all.tar daily_qa" + tar $TARPARAM all.tar daily_qa +else + Echo "tar $TARPARAM all.tar tinderbox" + tar $TARPARAM all.tar tinderbox +fi +gzip all.tar +# ssh-agent > /u/sonmi/.ssh/ssh-agent.info +# setenv like it says in that file +# ssh-add + +SSH_AUTH_SOCK=`grep SSH_AUTH_SOCK /u/sonmi/.ssh/ssh-agent.info | sed -e 's/setenv SSH_AUTH_SOCK //' -e 's/;//'` +SSH_AGENT_PID=`grep SSH_AGENT_PID /u/sonmi/.ssh/ssh-agent.info | sed -e 's/setenv SSH_AGENT_PID //' -e 's/;//'` +export SSH_AUTH_SOCK SSH_AGENT_PID +if [ "$O_SILENT" = "OFF" ] ; then + set -x + scp all.tar.gz sonmi@stage.mozilla.org:/home/ftp/pub/security/nss + ssh -l sonmi stage.mozilla.org '/home/sonmi/bin/nssqa_stage ' +else + scp all.tar.gz sonmi@stage.mozilla.org:/home/ftp/pub/security/nss >/dev/null 2>/dev/null + ssh -l sonmi stage.mozilla.org '/home/sonmi/bin/nssqa_stage ' >/dev/null 2>/dev/null +fi + +#" rlogin huey " +#" sftp sonmi@stage.mozilla.org" +#" cd /home/ftp/pub/security/nss" +#" lcd tmp/ftp_stage" +#" put all.tar.gz" +#" quit " +#" 
ssh -l sonmi stage.mozilla.org"
+#" cd /home/ftp/pub/security/nss"
+#" gunzip all.tar.gz"
+#" tar xvf all.tar"
+#" rm all.tar"
+
diff --git a/security/nss/tests/qa_stat b/security/nss/tests/qa_stat
new file mode 100755
index 000000000..ddf8dd8d2
--- /dev/null
+++ b/security/nss/tests/qa_stat
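Review bot: The three `cd $STAGE_1 || (Echo "Cant cd to $STAGE_1 , exit"; exit)` guards in qa_stage (in qa_stage_init, in the DO_CLEAN branch and in the main body) never abort the script, because the `exit` runs inside the `( … )` subshell; on failure the script keeps going in whatever directory it was started from and runs `rm all.tar*`, `tar … all.tar …`, `gzip all.tar` and the `scp` there. A brace group exits the real shell: `cd "$STAGE_1" || { Echo "Cant cd to $STAGE_1 , exit"; exit 1; }`. The `umask 000` at the top of qa_stage_init also makes every staged directory, reformatted result file and the all.tar.gz that is later pushed to stage.mozilla.org world-writable, so any local user can alter the QA results between staging and upload; `umask 022` is enough for what the script does. The `-m` argument is handed unquoted to `/usr/sbin/sendmail $MAILINGLIST`, so it should at least be quoted as `"$MAILINGLIST"` to keep a value containing whitespace or a glob from expanding into extra recipients or options.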
@@ -0,0 +1,938 @@ +#! /bin/sh +######################################################################## +# +# /u/sonmi/bin/qa_stat - /u/svbld/bin/init/nss/qa_stat +# +# this script is supposed to automatically run QA for NSS on all required +# Unix platforms +# +# parameters +# ---------- +# nssversion (supported: 30b, 31, tip) +# builddate (default - today) +# +# options +# ------- +# -y answer all questions with y - use at your own risk...ignores warnings +# -s silent (only usefull with -y) +# -h, -? - you guessed right - displays this text +# -d debug +# -f <filename> - write the (error)output to filename +# -m <mailinglist> - send filename to mailinglist (csl) only useful +# with -f +# -cron equivalient to -y -s -d -f $RESULTDIR/$HOST.qa_stat +# +######################################################################## + +O_OPTIONS=ON + +TBX_EXIT=49 # in case we are running on a tinderbox build, any + # early exit needs to return an error +if [ -z "$O_TBX" -o "$O_TBX" = "OFF" ] ; then + if [ -z "$O_LOCAL" -o "$O_LOCAL" = "OFF" ] ; then + . `dirname $0`/header + fi +fi +Debug "Sourced header O_TBX=$O_TBX O_LOCAL=$O_LOCAL" +TBX_EXIT=48 +EARLY_EXIT=TRUE + +URL="cindercone.red.iplanet.com" + +DOCDIR=/u/sonmi/doc + +HTML_ERRORCOLOR=\"#FF0000\" +HTML_ERRORMSG=Failed + +HTML_MISSINGCOLOR=\"#FFFFCC\" +HTML_MISSINGMSG=Missing + +HTML_INCOMPLETECOLOR=$HTML_MISSINGCOLOR +HTML_INCOMPLETEMSG=Incomplete + +HTML_PASSEDCOLOR=\"#66FF99\" +HTML_PASSEDMSG=Passed + +# this file is used to deal with hanging rsh - a new shell is started +# for each rsh, and a function is called after it is finished - they +# communicate with this file + +RSH_FILE=$TMP/rsh.$$ +echo >$RSH_FILE +TMPFILES="$TMPFILES $WARNINGLIST $RSH_FILE " +RSH_WAIT_TIME=80 #maximum time allowed for the 2 rsh to finish... 
+#TOTAL_TESTS=106 +TOTAL_TESTS=252 #tip +#TOTAL_TESTS=244 #3.4 +#TOTAL_TESTS=123 #3.3.2 +BCT_TOTAL_TESTS=122 #3.2.2 +#TOTAL_TESTS=133 #tip + +Debug "NTDIST $NTDIST" +Debug "UXDIST $UXDIST" +Debug "TESTSCRIPTDIR $TESTSCRIPTDIR" +Debug "RESULTDIR $RESULTDIR" + +############################### watch_rsh ############################## +# local shell function, deals with a hanging rsh (kills it...) +# this function is started as a backgroundprocess before the rsh is started, +# and writes info to the RSH_FILE, after the rsh is finished it writes finish +# info to the same file (this time called as a function, forground). +# the backgroundprocess stays around for RSH_WAIT_TIME, if then the finish +# information is not there attempts to kill the rsh +# +# watch_rsh start qa_computername & +# watch_rsh stop qa_computername +# +######################################################################## +watch_rsh() +{ + case $1 in + start) + echo "$2 started" >>$RSH_FILE + sleep $RSH_WAIT_TIME + O_ALWAYS_YES=ON # may modify global flags because this is a + # forked off bg process - kill_by_name otherwise + # will ask the user if it really should be killed + grep "$2 finished" $RSH_FILE >/dev/null || kill_by_name "rsh $2" + exit + ;; + stop) + echo "$2 finished" >>$RSH_FILE + ;; + esac +} + +############################### find_qa_systems ######################## +# local shell function, tries to determine the QA operating system +# works remotely, and for Windows machines +######################################################################## +find_qa_systems() +{ +for QA_SYS in `ls $RESULTDIR | grep '\.1$' | sed -e "s/\..*//" | sort -u` +do + NO_RSH="FALSE" + QA_OS="" + QA_RHVER="" + IS_64="" + IS_WIN="" + + grep OS-LINE ${RESULTDIR}/${QA_SYS}.nssqa >/dev/null && NO_RSH=TRUE + + if [ "$NO_RSH" = "TRUE" ] + then + + QA_OS=`grep OS-LINE ${RESULTDIR}/${QA_SYS}.nssqa | sort -u | sed \ + -e "s/.*-OS-LINE: /${QA_SYS}/"` + QA_OS_STRING=`echo $QA_OS | sed -e "s/^[_ ]//" -e "s/ 
/_/g"` + echo $QA_OS_STRING >>$PLATFORMLIST + if [ "$O_SILENT" != ON ] ; then + echo $QA_OS + fi + + #grep OS-LINE ${RESULTDIR}/${QA_SYS}.nssqa | sort -u | sed \ + #-e "s/.*-OS-LINE: /${QA_SYS}_/" >>$PLATFORMLIST + #if [ "$O_SILENT" != ON ] ; then + #grep OS-LINE ${RESULTDIR}/${QA_SYS}.nssqa | sort -u | sed \ + #-e "s/.*-OS-LINE:/${QA_SYS}/" + #fi + else + REM_SYSNAME=$QA_SYS + watch_rsh start $REM_SYSNAME & + qa_stat_get_sysinfo $QA_SYS + watch_rsh stop $REM_SYSNAME + echo $QA_OS_STRING >>$PLATFORMLIST + # use later for missing list + fi +done + +} + +################################### qa_stat_init ########################## +# local shell function, sets the name of the resultfile to: +# <filename> if option -f <filename> +# $RESULTDIR/result if write permission +# (mozilla/tests_results/security/result) +# $HOME/resultNSS${NSSVER}-${BUILDDATE} if no write permission in $RESULTDIR +######################################################################## +qa_stat_init() +{ + if [ $O_FILE = ON -a $O_CRON = OFF ] # if -f was specified write there + then + RFILE=$FILENAME + else + RFILE=${RESULTDIR}/result.$$ + if [ ! -w $RESULTDIR ] + then + RFILE=$HOME/resultNSS${NSSVER}-${BUILDDATE}.$$ + Debug "Using alternate resultfile $RFILE" + #elif [ $O_CRON = ON ] + #then + ##find ${RESULTDIR} -exec chmod a+rw {} \; #FIXME - umask + ##doesn't seem to work - this is a tmp workaround + fi + + if [ ! -x $RESULTDIR -o ! -r $RESULTDIR -o ! 
-w $RESULTDIR ] + then + glob_usage "$RESULTDIR does not have the right permissions `ls -l $RESULTDIR`" + fi + if [ -d $RESULTDIR ] + then + cd $RESULTDIR + else + glob_usage "$RESULTDIR does not exist" + fi + fi + + ERRORLIST=${RFILE}.E + PLATFORMLIST=${RFILE}.P + PERFLIST=${RFILE}.PE + TMP_HTML_FILE=${RFILE}.html + HTML_FILE=${RESULTDIR}/result.html + WARNINGLIST=${RFILE}.W + BCMISSINGLIST=${RFILE}.BCM + BCERRORLIST=${RFILE}.BCE + TMPFILE=${RFILE}.T + ML_FILE=${RFILE}.ML + + TMPFILES="$TMPFILES $TMPFILE" + TMPFILES="$TMPFILES $ERRORLIST $PLATFORMLIST $PERFLIST $WARNINGLIST \ + $BCMISSINGLIST $BCERRORLIST $ML_FILE" #FIXME uncomment + + FILENAME=$RFILE #we might want to mail it...later switch to html file + O_FILE="ON" + + rm $ERRORLIST $PLATFORMLIST $PERFLIST $WARNINGLIST \ + $BCMISSINGLIST $BCERRORLIST $TMP_HTML_FILE 2>/dev/null + touch $ERRORLIST $PLATFORMLIST $PERFLIST $WARNINGLIST \ + $BCMISSINGLIST $BCERRORLIST $TMP_HTML_FILE 2>/dev/null + + if [ $O_WIN = "ON" -a "$O_TBX" = "ON" ] ; then + HTML_PATH="http://${URL}${UX_D0}/nss${NSSVER}/tinderbox/tests_results/security/`basename $RESULTDIR`" + else + HTML_PATH="http://${URL}${RESULTDIR}" + fi + HREF_TMP_HTML_FILE="${HTML_PATH}/`basename $HTML_FILE`" + + write_qa_header_html >$TMP_HTML_FILE +} + +################################# html_footer ######################### +# local shell function, writes end of the html body +####################################################################### +write_qa_header_html() +{ +echo 'Subject: QA Report ' $NSSVER $BUILDDATE ' +From: sonmi@iplanet.com +Reply-To: sonmi@iplanet.com +Content-Type: text/html; charset=us-ascii +<!doctype html public "-//w3c//dtd html 4.0 transitional//en"> +<html> +<head> + <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> + <meta name="GENERATOR" content="Mozilla/4.7 [en] (X11; U; SunOS 5.8 sun4u) [N +etscape]"> +</head> +<body> +<br> + +<br> +<h2> +<a 
href="http://tinderbox.mozilla.org/showbuilds.cgi?tree=NSS">Tinderbox</a +><br> +<a href="http://cindercone.red.iplanet.com/share/builds/mccrel3/nss/nsstip/tinderbox/tests_results/security/">Tinderbox QA result</a><br> +<a href="ftp://ftp.mozilla.org/pub/security/nss/daily_qa">Mozilla Daily NSS QA result</a></h2> + + + +<br> +<center> +<h1> +<a NAME="Top"></a><b><font size=+2>QA Results</font></b></h1></center> + + +<table BORDER WIDTH="100%" NOSAVE > +<tr> +<td> <b><font size=+1>Build-OS and version</font></b></td> +<td><b><font size=+1>QA-OS</font></b></td> +<td><b><font size=+1>Systemname</font></b></td> +<td><b><font size=+1>P/F</font></b></td> +<td><b><font size=+1>result</font></b></td> +<td><b><font size=+1>output</font></b></td> +<td><b><font size=+1>errors</font></b></td> +<td><b><font size=+1>QA time / #</font></b></td> +</tr> +' +} + +################################# html_footer ######################### +# local shell function, writes end of the html body +####################################################################### +html_footer() +{ + echo '</body>' + echo '</html>' +} + +################################# setQAsysvars ######################### +# local shell function, sets system specific variables +######################################################################## +setQAsysvars() +{ + if [ "$MACHINE" != "0" ] + then + MACHINE=`echo $MACHINE | sed -e 's/^bct.//g'` + TESTDATE=`ls -ld $MACHINE | awk '{ print $6, $7, $8 }'` + TESTNUMBER=`echo $MACHINE | sed -e 's/.*\.//'` + SYSNAME=`echo $MACHINE | sed -e 's/\..*//'` + Debug "SYSNAME= $SYSNAME" + + if [ "$O_TBX" = "ON" -o "$O_LOCAL" = "ON" ] ; then + QA_SYS_OS=$QA_OS + else + QA_SYS_OS=`grep $SYSNAME $PLATFORMLIST | + sed -e 's/
//' | \ + sort | uniq | sed -e "s/$SYSNAME//" \ + -e "s/^_//" | sort | uniq` + fi + Debug "QA_SYS_OS= $QA_SYS_OS" + fi + BUILD_SYS=`echo $BUILDPLATFORM | sed -e 's/\.OBJ//' -e 's/_DBG/ Debug/' \ + -e 's/_OPT/ Optimized/' -e 's/_64/ 64bit/' -e 's/_glibc_PTH//' \ + -e 's/_/ /'` + Debug "BUILD_SYS=$BUILD_SYS" + if [ -f "${RESULTDIR}/${MACHINE}/results.html" ] ; then + RESULT="${HTML_PATH}/${MACHINE}/results.html" + else + RESULT="0" + fi + if [ -f "${RESULTDIR}/bct/${MACHINE}/results.html" ] ; then + BCB_RESULT="${HTML_PATH}/bct/${MACHINE}/results.html" + else + BCB_RESULT="0" + fi + + if [ -f "${RESULTDIR}/${MACHINE}/output.log" ] ; then + LOG="${HTML_PATH}/${MACHINE}/output.log" + else + LOG="0" + fi + if [ -f "${RESULTDIR}/bct/${MACHINE}/output.log" ] ; then + BCB_LOG="${HTML_PATH}/bct/${MACHINE}/output.log" + else + BCB_LOG="0" + fi +} + +################################# html_line() ######################### +# local shell function, writes a line in the html table +######################################################################## +html_line() +{ + echo '<tr NOSAVE>' + echo '<td NOSAVE>'$BUILD_SYS'</td>' + echo '' + if [ "$QA_SYS_OS" != "0" ] ; then + echo '<td NOSAVE>'$QA_SYS_OS'</td>' + else + echo '<td></td>' + fi + echo '' + if [ "$SYSNAME" != "0" ] ; then + echo '<td>'$SYSNAME'</td>' + else + echo '<td></td>' + fi + #echo '<td>'$SYSNAME $TESTNUMBER $TESTDATE'</td>' + echo '' + # hopefully we never run more different tests on a tinderbox build... + # on win some shells can not handle exit codes greater then 52 (64???) 
+ # so for very early exits the codes are set 50-45, for failures later + # in the process the higher the number, the more failures + if [ "$O_TBX" = "ON" -a "$TBX_EXIT" -gt 45 ] ; then + TBX_EXIT=0 + fi + if [ "$1" = "failed" ] + then + TBX_EXIT=`expr $TBX_EXIT + 1` + echo '<td BGCOLOR='$HTML_ERRORCOLOR' NOSAVE><b>'$HTML_ERRORMSG'</b></td>' + elif [ "$1" = "passed" ] + then + echo '<td BGCOLOR='$HTML_PASSEDCOLOR' NOSAVE>'$HTML_PASSEDMSG'</td>' + elif [ "$1" = "incomplete" ] + then + TBX_EXIT=`expr $TBX_EXIT + 1` + echo '<td BGCOLOR='$HTML_INCOMPLETECOLOR' NOSAVE>'$HTML_INCOMPLETEMSG'</td>' + else + TBX_EXIT=`expr $TBX_EXIT + 1` + echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE>'$HTML_MISSINGMSG'</td>' + fi + if [ "$CURRENT_TABLE" != "BC" ] ; then + if [ "$RESULT" = "0" ] ; then + echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE>'$HTML_MISSINGMSG'</td>' + else + echo '<td> <a href="'$RESULT'">result</a> </td>' + fi + if [ "$LOG" = "0" ] ; then + echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE>'$HTML_MISSINGMSG'</td>' + else + echo '<td> <a href="'$LOG'">log</a> </td>' + fi + if [ "$1" = "failed" ] ; then + echo '<td> <a href="'${HREF_TMP_HTML_FILE}'#errorlist">error</a> </td>' + else + echo '<td></td>' + fi + else + #<td><b><font size=+1>errors</font></b></td> + #<td><b><font size=+1>P/F</font></b></td> + #<td><b><font size=+1>P/F</font></b></td> + + #echo '<td><b><font size=+1>All Current</font></b></td>' + #echo '<td><b><font size=+1>old dlls</font></b></td>' + #echo '<td><b><font size=+1>old executables</font></b></td>' + #if [ "$RESULT" != "0" -a "$LOG" != "0" ] ; then + #echo '<td><a href="'$RESULT'">result</a>, <a href="'$LOG'">log</td>' + #elif [ "$RESULT" = "0" -a "$LOG" != "0" ] ; then + #echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE><a href="'$LOG'">log</a></td>' + #elif [ "$RESULT" != "0" -a "$LOG" = "0" ] ; then + #echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE><a href="'$RESULT'">result</a></td>' + #else + #echo '<td BGCOLOR='$HTML_MISSINGCOLOR' 
NOSAVE>'$HTML_MISSINGMSG'</td>' + #fi + #if [ "$BCB_RESULT" != "0" -a "$BCB_LOG" != "0" ] ; then + #echo '<td><a href="'$BCB_RESULT'">result</a>, <a href="'$BCB_LOG'"> log</td>' + #elif [ "$BCB_RESULT" = "0" -a "$BCB_LOG" != "0" ] ; then + #echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE><a href="'$BCB_LOG'">log</a></td>' + #elif [ "$BCB_RESULT" != "0" -a "$BCB_LOG" = "0" ] ; then + #echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE><a href="'$BCB_RESULT'">result</a></td>' + #else + #echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE>'$HTML_MISSINGMSG'</td>' + #fi + if [ "$BCB_RESULT" = "0" ] ; then + echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE>'$HTML_MISSINGMSG'</td>' + else + echo '<td> <a href="'$BCB_RESULT'">result</a> </td>' + fi + if [ "$BCB_LOG" = "0" ] ; then + echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE>'$HTML_MISSINGMSG'</td>' + else + echo '<td> <a href="'$BCB_LOG'">log</a> </td>' + fi + fi + echo '<td>'$TESTDATE $TESTNUMBER'</td>' + echo '</tr>' +} + +################################# qa_errorlist ######################### +# local shell function, finds problems in the previously run QA +# linux:the gnu grep, on Linux can output 10 lines above and 3 lines below +# the errormessage +######################################################################## +qa_errorlist() +{ + grep "bgcolor=red" ${MACHINES_TO_CHECK}*/results.html | + sed -e 's/.results.html:<TR><TD>/ /' -e 's/<[^>]*>/ /g' + grep 'cache hits; .* cache misses, .* cache not reusable' \ + ${MACHINES_TO_CHECK}*/output.log | + grep strsclnt | + grep -v '0 cache hits; 0 cache misses, 0 cache not reusable' | + grep -v ' cache hits; 1 cache misses, 0 cache not reusable' + for logfile in ${MACHINES_TO_CHECK}*/output.log; do + grep -vi "write to SSL socket" $logfile | + grep -vi "HDX PR_Read returned error" | + grep -vi "no error" | + grep -vi "12285" | + grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP error + #grep -vi "5938" | needed for -v option + #grep -vi "HDX PR_Read hit EOF" | + grep -vi "write to 
SSL socket" $logfile | + grep -vi "peer cannot verify" | + grep -vi "error" | + grep -vi "fatal" | + grep -vi "TCP Connection aborted" | + grep -vi "TCP connection reset" | + grep $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP -i failed + done + grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "segmentation violation" \ + ${MACHINES_TO_CHECK}*/output.log + grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "memory fault" \ + ${MACHINES_TO_CHECK}*/output.log + grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "bus error" \ + ${MACHINES_TO_CHECK}*/output.log + grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "core dumped" \ + ${MACHINES_TO_CHECK}*/output.log + grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP fatal \ + ${MACHINES_TO_CHECK}*/output.log + grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP -i\ + "PKCS12 decode not verified" ${MACHINES_TO_CHECK}*/output.log + + if [ -n "${MACHINES_TO_CHECK}" ] ; then + find ${MACHINES_TO_CHECK}* -name core -print 2>/dev/null | + grep -v bct + else + find . 
-name core -print 2>/dev/null | + grep -v bct + fi +} + +tbx_missing_platforms () +{ + QA_MISSING="QA report missing" + MACHINE="0" + + if [ "$QA_OS_STRING" = "WINNT4.0" ] ; then + QA_OS_STRING="Windows-NT-4.0" + fi + for BUILDPLATFORM in `grep $QA_OS_STRING $TESTSCRIPTDIR/platformlist.tbx` + do + if [ "$BUILDPLATFORM" != "$QA_OS_STRING" ] ; then + Debug "BUILDPLATFORM = $BUILDPLATFORM QA_OS_STRING = $QA_OS_STRING" + grep $BUILDPLATFORM ${MACHINES_TO_CHECK}*/results.html \ + >/dev/null || { + setQAsysvars + html_line missing >>$TMP_HTML_FILE + } + fi + done +} + +############################ platform _list ########################### +# local shell function, generate pass/fail information for each Platform +######################################################################## +platformlist() +{ + grep Platform ${MACHINES_TO_CHECK}*/results.html | + sed -e 's/.results.html:<H4>Platform: /---/' \ + -e 's/<BR>//' >$TMPFILE + # this is done a little complicated to avoid starting a subshell in + # a while read that gets the input from a pipeline, and variables set + #in or underneath this function get unset after done... + for MB in `cat $TMPFILE` ; do + MACHINE=`echo $MB | sed -e "s/---.*//"` + BUILDPLATFORM=`echo $MB | sed -e "s/.*---//"` + grep "${MACHINE}[^0-9]" $ERRORLIST >/dev/null + ret=$? 
+ setQAsysvars + if [ $ret -eq 0 ] + then + echo "Failed $MACHINE $BUILDPLATFORM" >>$RFILE + html_line failed >>$TMP_HTML_FILE + else + echo "Passed $MACHINE $BUILDPLATFORM" >>$RFILE + html_line passed >>$TMP_HTML_FILE + fi + done +} + +############################ missing_platforms ########################### +# local shell function, finds out if we ran on all required platforms +######################################################################## +missing_platforms() +{ + QA_MISSING="QA report missing" + MACHINE="0" + SYSNAME="0" + QA_SYS_OS="0" + + for BUILDPLATFORM in `cat $TESTSCRIPTDIR/platformlist` + do + grep $BUILDPLATFORM $PLATFORMLIST > /dev/null || { + setQAsysvars + html_line missing >>$TMP_HTML_FILE + } + done +} + +############################ incomplete_results ########################### +# local shell function, finds out if all qa runs were complete +######################################################################## +incomplete_results () +{ + + for w in `ls ${MACHINES_TO_CHECK}*/results.html` + do + grep bgcolor=red $w || { + PASSED_LINES="" + PASSED_LINES=`grep bgcolor=lightGreen $w | wc -l` + if [ -n "$PASSED_LINES" -a "$PASSED_LINES" -lt "$TOTAL_TESTS" ] ; then + BUILDPLATFORM=`grep Platform $w | sed -e 's/<H4>Platform:/ /' -e 's/<BR>//'` + MACHINE=`echo $w | sed -e "s/.results.html//"` + #MACHINE=`echo $w | sed -e "s/\.[0-9]*.results.html//"` + setQAsysvars + html_line incomplete >>$TMP_HTML_FILE + elif [ "$PASSED_LINES" -gt "$TOTAL_TESTS" ] ; then + echo "WARNING - more tests than expected on $w ($PASSED_LINES)" >>$WARNINGLIST + fi + } + done +} + +qa_stat_table() +{ + echo ' ' + echo '<br> ' + echo '<center>' + echo '<h1>' + echo '<a NAME="'$1'"></a>'$1'</h1></center>' + echo ' ' + echo '<table BORDER WIDTH="100%" NOSAVE >' + echo '<tr NOSAVE>' +} + +############################### psaperf ######################## +# local shell function, copies results of the daily performance test +# into a table in the QA report 
+######################################################################## +rsaperf() +{ + grep RSAPERF */output.log | grep -v "_DBG" > $PERFLIST + + qa_stat_table "Performance list" + + echo '<td NOSAVE><b><font size=+1>Build-OS and version</font></b></td>' + echo '<td><b><font size=+1>Systemname</font></b></td>' + echo '<td><b><font size=+1># of iterations</font></b></td>' + echo '<td><b><font size=+1>average for one op</font></b></td>' + echo '<td><b><font size=+1>Total</font></b></td>' + echo '<td><b><font size=+1>QA time / #</font></b></td>' + echo '</tr>' + cat $PERFLIST | + while read MACHINE BUILDPLATFORM no_iter t1 t2 total total_unit t3 \ + t4 t5 average average_unit + do + #caution subshell, variables local to this loop + BUILD_SYS=`echo $BUILDPLATFORM | sed -e 's/\.OBJ//' \ + -e 's/_DBG/ Debug/' \ + -e 's/_OPT/ Optimized/' -e 's/_64/ 64bit/' -e 's/_glibc_PTH//' \ + -e 's/_/ /'` + TESTNUMBER=`echo $MACHINE | sed -e 's/[^\.]*\.//' -e 's/\/.*//'` + MACHINE=`echo $MACHINE | sed -e 's/\..*//'` + TESTDATE=`ls -ld ${MACHINE}.${TESTNUMBER} | awk '{ print $6, $7, $8 }'` + echo '<tr>' + echo '<td>'$BUILD_SYS'</td>' + echo '' + echo '<td>'$MACHINE'</td>' + echo '' + echo '<td>'$no_iter'</td>' + echo '' + echo '<td>'$average' '$average_unit'</td>' + echo '' + echo '<td>'$total' '$total_unit'</td>' + echo '' + echo '<td>'$TESTDATE $TESTNUMBER'</td>' + echo '' + echo '</tr>' + done + echo '</table>' +} + +############################### qa_stat_cleanup ######################## +# local shell function, finishes html file, sets variables for global Exit +######################################################################## +qa_stat_cleanup() +{ + + html_footer >>$TMP_HTML_FILE + + O_DEBUG=OFF + + EARLY_EXIT=FALSE + cp $TMP_HTML_FILE $HTML_FILE + FILENAME=$HTML_FILE #we might want to mail it... 
+ Exit +} + + +############################### bc_test ######################## +# local shell function, evaluates the results of the backward u +# compatibility tests +######################################################################## +bc_header() +{ +CURRENT_TABLE="BC" #so html_line can determine which fields to write + + qa_stat_table "Backward Compatibility Test" + echo '<td NOSAVE><b><font size=+1>Build-OS and version</font></b></td>' + echo '<td><b><font size=+1>QA-OS</font></b></td>' + echo '<td><b><font size=+1>Systemname</font></b></td>' + echo '<td><b><font size=+1>P/F</font></b></td>' + #echo '<td><b><font size=+1>All Current</font></b></td>' + #echo '<td><b><font size=+1>backward comp. test</font></b></td>' + echo '<td><b><font size=+1>result</font></b></td>' + echo '<td><b><font size=+1>output</font></b></td>' + echo '<td><b><font size=+1>QA time / #</font></b></td>' + echo '</tr>' + +} + +old_bc_test() +{ +CURRENT_TABLE="BC" #so html_line can determine which fields to write + + qa_stat_table "Backward Compatibility Test" + echo '<td NOSAVE><b><font size=+1>Build-OS and version</font></b></td>' + echo '<td><b><font size=+1>QA-OS</font></b></td>' + echo '<td><b><font size=+1>Systemname</font></b></td>' + echo '<td><b><font size=+1>P/F</font></b></td>' + #echo '<td><b><font size=+1>All Current</font></b></td>' + #echo '<td><b><font size=+1>backward comp. 
test</font></b></td>' + echo '<td><b><font size=+1>result</font></b></td>' + echo '<td><b><font size=+1>output</font></b></td>' + echo '<td><b><font size=+1>QA time / #</font></b></td>' + echo '</tr>' + + for w in `ls */results.html` + do + TMP_RESULT="`dirname $w`/results.tmp" + TMP_BC_RESULT="`dirname bct/$w`/results.tmp" + rm $TMP_RESULT $TMP_BC_RESULT 2>/dev/null + cat $w | sed -e 's/<[^>]*>//g' -e 's/ /_/g' \ + -e 's/signtool_-[vw]/signtool_-vw/' | + grep '_[PF]a[si][sl]ed' >$TMP_RESULT + cat bct/$w | sed -e 's/<[^>]*>//g' -e 's/ /_/g' \ + -e 's/signtool_-[vw]/signtool_-vw/' | + grep '_[PF]a[si][sl]ed' >$TMP_BC_RESULT + diff $TMP_RESULT $TMP_BC_RESULT 2>>$BCMISSINGLIST | + grep -v "Create_objsign_cert_.signtool_-G.*Passed" | + grep -v "porting_Alice.s_email_cert" | + grep -v "^[0-9,cad]*$" | grep -v "^---$" | grep -v "^---.$" | + grep -v "Can.t_run_pk12util_tests_for_NSS_3.2" >/dev/null && ( + echo "$w differs" >> $BCMISSINGLIST + echo "=========================================" + echo "diff $w bct/$w" + echo "=========================================" + diff $TMP_RESULT $TMP_BC_RESULT 2>&1 | + grep -v "Create_objsign_cert_.signtool_-G.*Passed" | + grep -v "porting_Alice.s_email_cert" | + grep -v "Can.t_run_pk12util_tests_for_NSS_3.2" + ) 2>&1 >>$BCERRORLIST + + #diff -b $w bct/$w 2>>$BCMISSINGLIST | + #grep -v "Create objsign cert .signtool -G.*Passed" | + #grep -v "Listing signed files in jar .signtool -v.*Passed" | + #grep -v "Listing signed files in jar .signtool -w.*Passed" | + #grep -v "backward compatibility" | + #grep -v "Can.t run pk12util tests for NSS 3.2" | + #grep -v "porting Alice.s email cert " | + #grep -v "^---$" | grep -v "^[<> ] $" | + #grep -v "^---.$" | grep -v "^[<> ] .$" | + #grep -v '< </BODY></HTML>' | + #grep -v "^[0-9,cad]*$" 2>>$BCMISSINGLIST >/dev/null && ( + #echo "$w differs" >> $BCMISSINGLIST + #echo "=========================================" + #echo "diff $w bct/$w" + #echo "=========================================" + #diff 
-b $w bct/$w 2>&1 | + #grep -v "Listing signed files in jar .signtool -v.*Passed" | + #grep -v "Listing signed files in jar .signtool -w.*Passed" | + #grep -v "backward compatibility" | + #grep -v "Can.t run pk12util tests for NSS 3.2" | + #grep -v "porting Alice.s email cert " | + #grep -v "^---$" | grep -v "^[<> ] $" | + #grep -v "^---.$" | grep -v "^[<> ] .$" | + #grep -v '< </BODY></HTML>' | + #grep -v "^[0-9,cad]*$" \ + #) 2>&1 >>$BCERRORLIST + rm $TMP_RESULT $TMP_BC_RESULT 2>/dev/null + done + rm $ERRORLIST + cat $BCMISSINGLIST | sed -e "s/^diff: bc_...s.//" \ + -e "s/.results.html.*/\/results.html/" | + sort -u > $ERRORLIST + + platformlist + echo '</table>' >>$TMP_HTML_FILE + + head -200 $BCERRORLIST | sed -e 's/<[^>]*>//g' -e "s/^/<br>/" +} + +bc_test() +{ +CURRENT_TABLE="BC" #so html_line can determine which fields to write + + qa_stat_table "Backward Compatibility Test" + echo '<td NOSAVE><b><font size=+1>Build-OS and version</font></b></td>' + echo '<td><b><font size=+1>QA-OS</font></b></td>' + echo '<td><b><font size=+1>Systemname</font></b></td>' + echo '<td><b><font size=+1>P/F</font></b></td>' + #echo '<td><b><font size=+1>All Current</font></b></td>' + #echo '<td><b><font size=+1>backward comp. 
test</font></b></td>' + echo '<td><b><font size=+1>result</font></b></td>' + echo '<td><b><font size=+1>output</font></b></td>' + echo '<td><b><font size=+1>QA time / #</font></b></td>' + echo '</tr>' + +set -x + for w in `ls */results.html` + do + BCT_DIR=`dirname "bct/$w"` + BCT_RESULT="bct/$w" + BCT_LOG="$BCT_DIR/output.log" + grep "bgcolor=red" $BCT_RESULT | + sed -e 's/.results.html:<TR><TD>/ /' -e 's/<[^>]*>/ /g' + grep 'cache hits; .* cache misses, .* cache not reusable' \ + $BCT_LOG | + grep -v selfserv | + grep -v '0 cache hits; 1 cache misses, 0 cache not reusable' | + grep -v '0 cache hits; 0 cache misses, 0 cache not reusable' | + grep -v ' cache hits; 1 cache misses, 0 cache not reusable' + grep -vi "write to SSL socket" $BCT_LOG | + grep -vi "HDX PR_Read returned error" | + grep -vi "no error" | + grep -vi "12285" | + grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP error + grep -vi "write to SSL socket" $BCT_LOG | + grep -vi "peer cannot verify" | + grep -vi "TCP Connection aborted" | + grep -vi "error" | + grep -vi "fatal" | + grep -vi "TCP connection reset" | + grep $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP -i failed $BCT_LOG + grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "segmentation violation" $BCT_LOG + grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "memory fault" $BCT_LOG + grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "bus error" $BCT_LOG + grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "core dumped" $BCT_LOG + grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP fatal $BCT_LOG + grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP -i "PKCS12 decode not verified" $BCT_LOG + find ${BTC_DIR} -name core -print + + done 2>&1 >>$BCERRORLIST + rm $ERRORLIST + cat $BCMISSINGLIST | sed -e "s/^diff: bc_...s.//" \ + -e "s/.results.html.*/\/results.html/" | + sort -u > $ERRORLIST + + platformlist + echo '</table>' >>$TMP_HTML_FILE + + head -200 $BCERRORLIST | sed -e 's/<[^>]*>//g' -e "s/^/<br>/" +} + + +############################### bc_test 
######################## +# local shell function, evaluates the results of the backward u +# compatibility tests +# move the whole function to old to tests a new solution +######################################################################## +bc_test_old() +{ +CURRENT_TABLE="BC" #so html_line can determine which fields to write + + qa_stat_table "Backward Compatibility Test" + echo '<td NOSAVE><b><font size=+1>Build-OS and version</font></b></td>' + echo '<td><b><font size=+1>QA-OS</font></b></td>' + echo '<td><b><font size=+1>Systemname</font></b></td>' + echo '<td><b><font size=+1>P/F</font></b></td>' + #echo '<td><b><font size=+1>All Current</font></b></td>' + #echo '<td><b><font size=+1>backward comp. test</font></b></td>' + echo '<td><b><font size=+1>result</font></b></td>' + echo '<td><b><font size=+1>output</font></b></td>' + echo '<td><b><font size=+1>QA time / #</font></b></td>' + echo '</tr>' + + for w in `ls */results.html` + do + diff -b $w bct/$w 2>>$BCMISSINGLIST | + grep -v "Create objsign cert .signtool -G.*Passed" | + grep -v "Listing signed files in jar .signtool -v.*Passed" | + grep -v "Listing signed files in jar .signtool -w.*Passed" | + grep -v "backward compatibility" | + grep -v "Can.t run pk12util tests for NSS 3.2" | + grep -v "porting Alice.s email cert " | + grep -v "^---$" | grep -v "^[<> ] $" | + grep -v "^---.$" | grep -v "^[<> ] .$" | + grep -v '< </BODY></HTML>' | + grep -v "^[0-9,cad]*$" 2>>$BCMISSINGLIST >/dev/null && ( + echo "$w differs" >> $BCMISSINGLIST + echo "=========================================" + echo "diff $w bct/$w" + echo "=========================================" + diff -b $w bct/$w 2>&1 | + grep -v "Listing signed files in jar .signtool -v.*Passed" | + grep -v "Listing signed files in jar .signtool -w.*Passed" | + grep -v "backward compatibility" | + grep -v "Can.t run pk12util tests for NSS 3.2" | + grep -v "porting Alice.s email cert " | + grep -v "^---$" | grep -v "^[<> ] $" | + grep -v "^---.$" | grep -v 
"^[<> ] .$" | + grep -v '< </BODY></HTML>' | + grep -v "^[0-9,cad]*$" \ + ) 2>&1 >>$BCERRORLIST + done + rm $ERRORLIST + cat $BCMISSINGLIST | sed -e "s/^diff: bc_...s.//" \ + -e "s/.results.html.*/\/results.html/" | + sort -u > $ERRORLIST + + platformlist + echo '</table>' >>$TMP_HTML_FILE + + head -200 $BCERRORLIST | sed -e 's/<[^>]*>//g' -e "s/^/<br>/" + +} + +############################### tbx_main ######################## +# local shell function, tinderbox variation of the qa status script +######################################################################## +tbx_main() +{ + TBX_EXIT=47 + qa_stat_get_sysinfo # find out the OS we are running and all required tests + # on this OS + + MACHINES_TO_CHECK=$HOST #`uname -n` only search the local tests for errors + qa_errorlist > $ERRORLIST # + platformlist + #tbx_missing_platforms #temp. taken out until we find a better way to + #determine if all necessary QA ran - right now we run different + #tinderboxes on one machine + incomplete_results + echo '</table>' >>$TMP_HTML_FILE + echo '<a NAME="errorlist"></a>' >> $TMP_HTML_FILE + cat $ERRORLIST | sed -e "s/^/<br>/" >>$TMP_HTML_FILE + +} + +############################### qa_stat_main ######################## +# local shell function, main flow of the qa status script +######################################################################## +qa_stat_main() +{ + find_qa_systems 2>/dev/null + MACHINES_TO_CHECK="" # check all founf qa runs + qa_errorlist > $ERRORLIST + platformlist + missing_platforms + incomplete_results + echo '</table>' >>$TMP_HTML_FILE + echo '<a NAME="errorlist"></a>' >> $TMP_HTML_FILE + cat $ERRORLIST | sed -e "s/^/<br>/" >>$TMP_HTML_FILE + cat $WARNINGLIST 2>/dev/null | sed -e "s/^/<br>/" >>$TMP_HTML_FILE 2>/dev/null + rsaperf >>$TMP_HTML_FILE + bc_header >>$TMP_HTML_FILE + MACHINES_TO_CHECK="bct/" + TOTAL_TESTS=$BCT_TOTAL_TESTS + BEFORE_CONTEXT_GREP="" #WORKAROUND - errors in one outputlog within the first + AFTER_CONTEXT_GREP="" # or last 
lines will show up in the next/previos file + qa_errorlist > $ERRORLIST + platformlist + missing_platforms + incomplete_results + echo '</table>' >>$TMP_HTML_FILE + echo '<a NAME="errorlist"></a>' >> $TMP_HTML_FILE + cat $ERRORLIST | sed -e "s/^/<br>/" >>$TMP_HTML_FILE + cat $WARNINGLIST 2>/dev/null | sed -e "s/^/<br>/" >>$TMP_HTML_FILE 2>/dev/null + #bc_test >>$TMP_HTML_FILE +} + +CURRENT_TABLE="Standard" +qa_stat_init + +if [ "$O_TBX" = "ON" -o "$O_LOCAL" = "ON" ] ; then + tbx_main +else + qa_stat_main +fi + +qa_stat_cleanup diff --git a/security/nss/tests/qaclean b/security/nss/tests/qaclean new file mode 100755 index 000000000..14c71f390 --- /dev/null +++ b/security/nss/tests/qaclean 
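Review bot: `RSH_FILE=$TMP/rsh.$$` followed by `echo >$RSH_FILE` creates the rsh hand-off file under a predictable name in a shared temp directory, so a symlink planted at that path is truncated with the QA user's privileges, and `watch_rsh` then trusts that file's contents to decide whether to run `kill_by_name "rsh $2"`. Where mktemp is available, `RSH_FILE=\`mktemp $TMP/rsh.XXXXXX\` || exit 1` removes the guessable name while leaving the existing `$TMPFILES` bookkeeping unchanged. In bc_test, `find ${BTC_DIR} -name core -print` references an undefined variable (the assignment above it is `BCT_DIR`), so the core search covers the current directory instead of the bct subtree, and the bare `set -x` a few lines earlier traces every command to the function's stdout because `2>&1 >>$BCERRORLIST` redirects stderr before stdout; bc_test is commented out in qa_stat_main, but the typo should be fixed before it is re-enabled. Finally, qa_stat_main and tbx_main append `$ERRORLIST`/`$WARNINGLIST` lines grepped out of output.log into the HTML report with only `s/^/<br>/`, whereas the bc paths also run `s/<[^>]*>//g`; since test output can carry markup, the same tag strip belongs on those lines too.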
@@ -0,0 +1,144 @@
+#! /bin/sh
+
+########################################################################
+#
+# /u/sonmi/bin/qaclean
+#
+# is supposed to clean up after a "hanging" QA
+#
+# 1) see if there is a lockfile
+# if yes:
+# 1a) kill the process of the lockfile and if possible it's children
+# 1b) rm the lockfile
+# 2) kill selfservers
+# 3) clean up old tmp files
+#
+########################################################################
+
+if [ -z "$TMP" ]
+then
+ if [ -z "$TEMP" ]
+ then
+ TMP="/tmp"
+ else
+ TMP=$TEMP
+ fi
+fi
+if [ ! -w "$TMP" ]
+then
+ echo "Can't write to tmp directory $TMP - exiting"
+ echo "Can't write to tmp directory $TMP - exiting" >&2
+ exit 1
+fi
+
+########################### Ps #########################################
+# platform specific ps
+########################################################################
+Ps()
+{
+ if [ `uname -s` = "SunOS" ]
+ then
+ /usr/5bin/ps -e
+ else
+ ps -e
+ fi
+}
+
+Kill()
+{
+ if [ "$1" = "$$" ]
+ then
+ return
+ fi
+ echo "Killing PID $1"
+ kill $1
+ sleep 1
+ kill -9 $1 2>/dev/null
+}
+
+########################### kill_by_name ################################
+# like killall, only without permissionproblems, kills the process whose
+# name is given as parameter
+########################################################################
+kill_by_name()
+{
+ echo "Killing all $1"
+
+ for PID in `Ps | grep "$1" | grep -v grep | \
+ sed -e "s/^[ ]*//g" -e "s/[ ].*//"`
+ do
+ Kill $PID
+ done
+}
+
+kill_the_rest()
+{
+i=0
+while [ $i -lt $1 ]
+do
+ kill_by_name nssqa
+ kill_by_name selfserv
+ kill_by_name strsclnt
+ kill_by_name all.sh
+ kill_by_name sdr.sh
+ kill_by_name ssl.sh
+ kill_by_name smime.sh
+ i=`expr $i + 1`
+done
+}
+
+nt_warning()
+{
+os_name=`uname -s`
+case $os_name in
+ CYGWIN*|WIN*|Win*)
+ echo
+ echo
+ echo
+ echo "Another Windows problem... If you have not already done so"
+ echo "after this script completes, please reboot, and log in as"
+ echo "user svbld again"
+ echo
+ echo
+ echo
+ ;;
+esac
+}
+
+nt_warning
+case $1 in
+ -all)
+ for w in tommy booboo kentuckyderby galileo shame axilla columbus \
+ smarch charm hp64 biggayal orville kwyjibo hbombaix raven \
+ jordan hornet phaedrus louie box dbldog huey washer dryer \
+ shabadoo trex bummer compaqtor jellyfish sjsu
+ do
+ echo $w
+ ping $w && rsh $w '/u/sonmi/bin/qaclean'
+ done
+
+ ;;
+ ?*)
+ rsh $1 '/u/sonmi/bin/qaclean'
+ exit
+ ;;
+esac
+
+uname -a
+echo
+
+if [ -f ${TMP}/nssqa.* ]
+then
+ echo "nssqa seems to be running ${TMP}/nssqa.*"
+ #cat ${TMP}/nssqa.*
+ NSSQA_PID=`ls ${TMP}/nssqa.* | sed -e 's/[^.]*\.//'`
+ Kill $NSSQA_PID
+ rm ${TMP}/nssqa.*
+fi
+
+kill_the_rest 3
+ls -l ${TMP}/nsstmp.*
+rm ${TMP}/nsstmp.* 2>/dev/null
+rm ${TMP}/certutilout.* 2>/dev/null
+rm ${TMP}/Pk12*
+nt_warning
diff --git a/security/nss/tests/remote/Makefile b/security/nss/tests/remote/Makefile
new file mode 100644
index 000000000..6c6e5bd55
--- /dev/null
+++ b/security/nss/tests/remote/Makefile
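Review bot: `Kill` hands whatever `sed` extracted from the `${TMP}/nssqa.*` filename straight to `kill` and `kill -9` without checking that it is numeric or that the process is really nssqa, so a stale or foreign file in a shared temp directory decides which PID gets signalled; a guard at the top of `Kill` such as `case "$1" in ''|*[!0-9]*) echo "bad pid '$1'" >&2; return;; esac` followed by a `ps -p "$1"` name check would contain that. `[ -f ${TMP}/nssqa.* ]` also breaks with "too many arguments" as soon as a second lockfile exists, and `NSSQA_PID` then holds several values of which only the first reaches `Kill`. `kill_by_name` matches `$1` as a substring of the whole ps line, so `kill_by_name all.sh` will also hit any unrelated command whose line contains that text. The `rsh $1 '/u/sonmi/bin/qaclean'` arms run an unauthenticated plaintext remote shell against an unvalidated hostname argument; if this path is still used, ssh with host-key verification is the minimum replacement.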
@@ -0,0 +1,153 @@ +#! gmake +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +####################################################################### +# (1) Include initial platform-independent assignments (MANDATORY). # +####################################################################### + +include manifest.mn + +####################################################################### +# (2) Include "global" configuration information. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/config.mk + +####################################################################### +# (3) Include "component" configuration information. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (4) Include "local" platform-dependent assignments (OPTIONAL). # +####################################################################### + + + +####################################################################### +# (5) Execute "global" rules. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/rules.mk + +####################################################################### +# (6) Execute "component" rules. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (7) Execute "local" rules. (OPTIONAL). 
# +####################################################################### + +TESTPACKAGE="nss-$(OS_TARGET)$(CPU_TAG).tgz" +RTSH=$(DIST)/../../runtests.sh +PCFG=$(DIST)/platform.cfg + + +#Hint: In order to test the Makefiles without running the tests, use: +# make NSS_CYCLES="standard" NSS_TESTS="dummy" + +ifeq ($(OS_TARGET),Android) +TEST_SHELL?=$$HOME/bin/sh +ANDROID_PORT?="2222" +#Define the subset of tests that is known to work on Android +NSS_CYCLES?="standard pkix upgradedb sharedb" +NSS_TESTS?="cipher lowhash libpkix cert dbtests tools sdr crmf smime ssl ocsp merge pkits chains" +NSS_SSL_TESTS?="crl normal_normal iopr" +NSS_SSL_RUN?="cov auth stress" +else +TEST_SHELL?="/bin/sh" +endif + +# Create a package for test execution on a separate system. +package_for_testing: + echo "export OBJDIR=$(OBJDIR_NAME)" > $(PCFG) + echo "export OS_ARCH=$(OS_ARCH)" >> $(PCFG) + echo "export OS_TARGET=$(OS_TARGET)" >> $(PCFG) + echo "export DLL_PREFIX=$(DLL_PREFIX)" >> $(PCFG) + echo "export DLL_SUFFIX=$(DLL_SUFFIX)" >> $(PCFG) + echo 'echo "set HOST and DOMSUF if your system is not registered in DNS"' > $(RTSH) + cat $(PCFG) >> $(RTSH) + echo 'export NSS_TESTS=$(NSS_TESTS)' >> $(RTSH) + echo 'export NSS_SSL_TESTS=$(NSS_SSL_TESTS)' >> $(RTSH) + echo 'export NSS_SSL_RUN=$(NSS_SSL_RUN)' >> $(RTSH) + echo 'export NSS_CYCLES=$(NSS_CYCLES)' >> $(RTSH) + echo 'export USE_64=$(USE_64)' >> $(RTSH) + echo 'export BUILD_OPT=$(BUILD_OPT)' >> $(RTSH) + echo 'export PKITS_DATA=$(PKITS_DATA)' >> $(RTSH) + echo 'export NSS_DISABLE_ECC=$(NSS_DISABLE_ECC)' >> $(RTSH) + echo 'export NSPR_LOG_MODULES=$(NSPR_LOG_MODULES)' >> $(RTSH) +ifeq ($(OS_TARGET),Android) + # Android doesn't support FIPS tests, because + # dladdr does not return a full path for implicitly loaded libraries + echo "export NSS_TEST_DISABLE_FIPS=1" >> $(DIST)/platform.cfg +endif +ifeq ($(CROSS_COMPILE),1) +# execute signing on test system + echo 'export DIST=$${HOME}/nsstest/dist/' >> $(RTSH) + echo 'export 
NSPR_LIB_DIR=$${DIST}/$${OBJDIR}/lib/' >> $(RTSH) + echo 'echo "signing"' >> $(RTSH) +# work around a bug in Android ash that has a corrupted work directory after login + echo 'cd $${HOME}/nsstest' >> $(RTSH) + echo 'cd nss/cmd/shlibsign' >> $(RTSH) + echo '$(TEST_SHELL) ./sign.sh $${DIST}/$${OBJDIR}/ $${DIST}/$${OBJDIR}/bin $${OS_TARGET} $${NSPR_LIB_DIR} $${NSPR_LIB_DIR}$${DLL_PREFIX}freebl3.$${DLL_SUFFIX}' >> $(RTSH) + echo '$(TEST_SHELL) ./sign.sh $${DIST}/$${OBJDIR}/ $${DIST}/$${OBJDIR}/bin $${OS_TARGET} $${NSPR_LIB_DIR} $${NSPR_LIB_DIR}$${DLL_PREFIX}softokn3.$${DLL_SUFFIX}' >> $(RTSH) + echo '$(TEST_SHELL) ./sign.sh $${DIST}/$${OBJDIR}/ $${DIST}/$${OBJDIR}/bin $${OS_TARGET} $${NSPR_LIB_DIR} $${NSPR_LIB_DIR}$${DLL_PREFIX}nssdbm3.$${DLL_SUFFIX}' >> $(RTSH) +ifneq ($(OS_TARGET),Android) +# Android's ash doesn't support "export -n" yet + echo 'export -n DIST' >> $(RTSH) + echo 'export -n NSPR_LIB_DIR' >> $(RTSH) +endif + echo 'cd ../../../' >> $(RTSH) +endif + echo 'rm -rf tests_results' >> $(RTSH) + echo 'echo "running tests"' >> $(RTSH) + echo 'cd nss/tests' >> $(RTSH) + # We require progress indication on stdout while running the tests (to avoid timeouts). + set -o pipefail + echo '$(TEST_SHELL) ./all.sh | tee ../../logfile 2>&1 |grep ": #"' >> $(RTSH) + RETVAL=$? + echo 'cd ../../' >> $(RTSH) + # dump test summary from end of logfile + echo 'echo "=========="; tail -100 logfile' >> $(RTSH) + echo 'tar czf tests_results.tgz tests_results' >> $(RTSH) + echo 'echo "created tests_results.tgz"' >> $(RTSH) + echo 'echo "results are in directory: "`ls -1d tests_results/security/*.1`' >> $(RTSH) + echo 'echo exit status: $${RETVAL}' >> $(RTSH) + echo 'exit $${RETVAL}' >> $(RTSH) + rm -f $(TESTPACKAGE) + (cd $(DIST)/../.. 
; tar czhf dist/$(TESTPACKAGE) runtests.sh dist/$(OBJDIR_NAME) dist/public nss/tests nss/cmd/bltest/tests nss/cmd/pk11gcmtest/tests nss/cmd/shlibsign; echo "created "`pwd`"/dist/$(TESTPACKAGE)" ) + +android_run_tests: + ssh -p $(ANDROID_PORT) -o CheckHostIP=no $(ANDROID_ADDR) 'pwd; cd; pwd; cd nsstest; export PATH=$$HOME/bin:$$PATH ; $(TEST_SHELL) runtests.sh' + +android_install: + rm -f $(DIST)/android.sftp + echo '-mkdir nsstest' > $(DIST)/android.sftp + echo '-rm nsstest/$(TESTPACKAGE)' >> $(DIST)/android.sftp + echo 'progress' >> $(DIST)/android.sftp + echo 'put $(DIST)/../$(TESTPACKAGE) nsstest' >> $(DIST)/android.sftp + sftp -o Port=$(ANDROID_PORT) -o CheckHostIP=no -b $(DIST)/android.sftp $(ANDROID_ADDR) + ssh -p $(ANDROID_PORT) -o CheckHostIP=no $(ANDROID_ADDR) 'cd nsstest ; $$HOME/bin/rm -rf logfile runtests.sh dist security tests_results tests_results.tgz; $$HOME/bin/tar xzf $(TESTPACKAGE)' + +WORKDIR="$(DIST)/../../" +RESULTSPACKAGE=tests_results.tgz +android_get_result: + rm -f $(WORKDIR)/result.sftp $(WORKDIR)/$(RESULTSPACKAGE) + echo "progress" > $(WORKDIR)/result.sftp + echo 'get nsstest/$(RESULTSPACKAGE) $(WORKDIR)' >> $(WORKDIR)/result.sftp + sftp -o Port=$(ANDROID_PORT) -o CheckHostIP=no -b $(WORKDIR)/result.sftp $(ANDROID_ADDR) + (cd $(WORKDIR); tar xzf $(RESULTSPACKAGE); rm -f result.sftp $(RESULTSPACKAGE) ) + +# Android testing assumes having built with: OS_TARGET=Android CROSS_COMPILE=1 +# Connectivity tested with Android app: SSHDroid +# Provide appropriate ANDROID_ADDR variable, e.g.: +# make test_android ANDROID_ADDR=root@192.168.4.5 +# See also: https://wiki.mozilla.org/NSS:Android + +test_android: package_for_testing android_install android_run_tests android_get_result diff --git a/security/nss/tests/remote/manifest.mn b/security/nss/tests/remote/manifest.mn new file mode 100644 index 000000000..049f1617c --- /dev/null +++ b/security/nss/tests/remote/manifest.mn 
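Review bot: `set -o pipefail` and `RETVAL=$?` in the `package_for_testing` recipe execute in make's own per-line shells instead of being written into $(RTSH), so the generated script's `exit $${RETVAL}` exits with an empty status and a failing test run on the device is reported as success. Emitting them as script lines, `echo 'set -o pipefail' >> $(RTSH)` before the all.sh line and `echo 'RETVAL=$$?' >> $(RTSH)` after it, restores the status, with the caveat that `pipefail` is not available in every `/bin/sh` that TEST_SHELL defaults to. The `2>&1` placed after `tee` only redirects tee's stderr, so stderr from the tests never reaches logfile; `./all.sh 2>&1 | tee ../../logfile | grep ": #"` is the intended order.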
@@ -0,0 +1,6 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+CORE_DEPTH = ../..
+DEPTH = ../..
diff --git a/security/nss/tests/run_niscc.sh b/security/nss/tests/run_niscc.sh
new file mode 100755
index 000000000..def3fd07e
--- /dev/null
+++ b/security/nss/tests/run_niscc.sh
@@ -0,0 +1,982 @@ +#!/bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +# +# PRIOR TO RUNNING THIS SCRIPT +# you should adjust MAIL_COMMAND and QA_LIST +# +# External dependencies: +# - install the NISCC test files, e.g. at /niscc (readonly OK) +# - libfaketimeMT because the test certificates have expired +# - build environment for building NSS +# - gdb to analyze core files +# - a command line mail tool (e.g. mailx) +# - openssl to combine input PEM files into pkcs#12 +# - curl for obtaining version information from the web +# + +################################################################################ +# Print script usage +################################################################################ +usage() +{ + cat << EOF +Usage: $0 [options] + +Test NSS library against NISCC SMIME and TLS testcases. + +Options: + -h, --help print this help message and exit + -v, --verbose enable extra verbose output + --niscc-home DIR use NISCC testcases from directory DIR (default /niscc) + --host HOST use host HOST (default '127.0.0.1') + --threads X set thread number to X (max. 10, default 10) + --out DIR set DIR as output directory (default '/out') + --mail ADDRESS send mail with test result to ADDRESS + --nss DIR set NSS directory to DIR (default '~/niscc-hg/nss') + --nss-hack DIR set hacked NSS directory to DIR (default '~/niscc-hg/nss_hack') + --log-store store all the logs (only summary by default) + --no-build-test don't pull and build tested NSS + --no-build-hack don't pull and build hacked NSS + --test-system test system installed NSS + --date DATE use DATE in log archive name and outgoing email + --libfaketime path.so use faketime library with LD_PRELOAD=path.so + --smallset test only a very small subset + +All options are optional. 
+All options (and possibly more) can be also set through environment variables. +Commandline options have higher priority than environment variables. +For more information please refer to the source code of this script. + +For a successfull run the script NEEDS the core file pattern to be 'core.*', +e.g. 'core.%t'. You can check the current pattern in +'/proc/sys/kernel/core_pattern'. Otherwise the test will be unable to detect +any failures and will pass every time. + +It is recommended to use hacked and tested binaries in a location, where their +absolute path is max. 80 characters. If their path is longer and a core file is +generated, its properties may be incomplete. + +Return value of the script indicates how many failures it experienced. + +EOF + exit $1 +} + +################################################################################ +# Process command-line arguments +################################################################################ +process_args() +{ + HELP="false" + args=`getopt -u -l "niscc-home:,host:,threads:,out:,verbose,mail:,nss:,nss-hack:,log-store,no-build-test,no-build-hack,help,test-system,date:,libfaketime:,smallset" -- "hv" $*` + [ "$?" 
!= "0" ] && usage 1 + set -- $args + for i; do + case "$i" in + -v|--verbose) + shift + VERBOSE="-v" + ;; + --niscc-home) + shift + NISCC_HOME="$1" + shift + ;; + --host) + shift + HOST="$1" + shift + ;; + --threads) + shift + THREADS="$1" + shift + ;; + --out) + shift + TEST_OUTPUT="$1" + shift + ;; + --mail) + shift + USE_MAIL="true" + QA_LIST="$1" + shift + ;; + --nss) + shift + LOCALDIST="$1" + shift + ;; + --nss-hack) + shift + NSS_HACK="$1" + shift + ;; + --log-store) + shift + LOG_STORE="true" + ;; + --no-build-test) + shift + NO_BUILD_TEST="true" + ;; + --no-build-hack) + shift + NO_BUILD_HACK="true" + ;; + -h|--help) + shift + HELP="true" + ;; + --test-system) + shift + TEST_SYSTEM="true" + ;; + --date) + shift + DATE="$1" + shift + ;; + --libfaketime) + shift + FAKETIMELIB="$1" + shift + ;; + --smallset) + shift + SMALLSET="true" + ;; + --) + ;; + *) + ;; + esac + done + [ $HELP = "true" ] && usage 0 +} + +################################################################################ +# Create and set needed and useful environment variables +################################################################################ +create_environment() +{ + # Base location of NISCC testcases + export NISCC_HOME=${NISCC_HOME:-/niscc} + + # Base location of NSS + export HG=${HG:-"$HOME/niscc-hg"} + + # NSS being tested + export LOCALDIST=${LOCALDIST:-"${HG}/nss"} + + # Hacked NSS - built with "NISCC_TEST=1" + export NSS_HACK=${NSS_HACK:-"${HG}/nss_hack"} + + # Hostname of the testmachine + export HOST=${HOST:-127.0.0.1} + + # Whether to store logfiles + export LOG_STORE=${LOG_STORE:-"false"} + + # Whether to mail the summary + export USE_MAIL=${USE_MAIL:-"false"} + + # How to mail summary + export MAIL_COMMAND=${MAIL_COMMAND:-"mailx -S smtp=smtp://your.smtp.server:25 -r your+niscc@email.address"} + + # List of mail addresses where to send summary + export QA_LIST=${QA_LIST:-"result@recipient.address"} + + # Whether to use 64b build + export USE_64=${USE_64:-1} + + 
# Directory where to write all the output data (around 650MiB for each run) + export TEST_OUTPUT=${TEST_OUTPUT:-"$HOME/out"} + + # How many threads to use in selfserv and strsclnt (max. 10) + export THREADS=${THREADS:-10} + + # If true, do not build tthe tested version of NSS + export NO_BUILD_TEST=${NO_BUILD_TEST:-"false"} + + # If true, do not build the special NSS version for NISCC + export NO_BUILD_HACK=${NO_BUILD_HACK:-"false"} + + # If true, do not rebuild client and server directories + export NO_SETUP=${NO_SETUP:-"false"} + + # Location of NISCC SSL/TLS testcases + export TEST=${TEST:-"${NISCC_HOME}/NISCC_SSL_testcases"} + + # If true, then be extra verbose + export VERBOSE=${VERBOSE:-""} + + # If true, test the system installed NSS + export TEST_SYSTEM=${TEST_SYSTEM:-"false"} + [ "$TEST_SYSTEM" = "true" ] && export NO_BUILD_TEST="true" + + [ ! -z "$VERBOSE" ] && set -xv + + # Real date for naming of archives (system date must be 2002-11-18 .. 2007-11-18 due to certificate validity + DATE=${DATE:-`date`} + export DATE=`date -d "$DATE" +%Y%m%d` + + FAKETIMELIB=${FAKETIMELIB:-""} + export DATE=`date -d "$DATE" +%Y%m%d` + + # Whether to test only a very small subset + export SMALLSET=${SMALLSET:-"false"} + + # Create output dir if it doesn't exist + mkdir -p ${TEST_OUTPUT} +} + +################################################################################ +# Do a HG pull of NSS +################################################################################ +hg_pull() +{ + # Tested NSS - by default using HG default tip + if [ "$NO_BUILD_TEST" = "false" ]; then + echo "cloning NSS sources to be tested from HG" + [ ! -d "$LOCALDIST" ] && mkdir -p "$LOCALDIST" + cd "$LOCALDIST" + [ ! -d "$LOCALDIST/nspr" ] && hg clone --noupdate https://hg.mozilla.org/projects/nspr + cd nspr; hg pull; hg update -C -r default; cd .. + [ ! -d "$LOCALDIST/nss" ] && hg clone --noupdate https://hg.mozilla.org/projects/nss + cd nss; hg pull; hg update -C -r default; cd .. + #find . 
-exec touch {} \; + fi + + # Hacked NSS - by default using some RTM version. + # Do not use HEAD for hacked NSS - it needs to be stable and bug-free + if [ "$NO_BUILD_HACK" = "false" ]; then + echo "cloning NSS sources for a hacked build from HG" + [ ! -d "$NSS_HACK" ] && mkdir -p "$NSS_HACK" + cd "$NSS_HACK" + NSPR_TAG=`curl --silent http://hg.mozilla.org/releases/mozilla-aurora/raw-file/default/nsprpub/TAG-INFO | head -1 | sed --regexp-extended 's/[[:space:]]//g' | awk '{print $1}'` + NSS_TAG=`curl --silent http://hg.mozilla.org/releases/mozilla-aurora/raw-file/default/security/nss/TAG-INFO | head -1 | sed --regexp-extended 's/[[:space:]]//g' | awk '{print $1}'` + [ ! -d "$NSS_HACK/nspr" ] && hg clone --noupdate https://hg.mozilla.org/projects/nspr + cd nspr; hg pull; hg update -C -r "$NSPR_TAG"; cd .. + [ ! -d "$NSS_HACK/nss" ] && hg clone --noupdate https://hg.mozilla.org/projects/nss + cd nss; hg pull; hg update -C -r "$NSS_TAG"; cd .. + #find . -exec touch {} \; + fi +} + +################################################################################ +# Build NSS after setting make variable NISCC_TEST +################################################################################ +build_NSS() +{ + # Tested NSS + if [ "$NO_BUILD_TEST" = "false" ]; then + echo "building NSS to be tested" + cd "$LOCALDIST" + unset NISCC_TEST + cd nss + gmake nss_clean_all &>> $TEST_OUTPUT/nisccBuildLog + gmake nss_build_all &>> $TEST_OUTPUT/nisccBuildLog + fi + + # Hacked NSS + if [ "$NO_BUILD_HACK" = "false" ]; then + echo "building hacked NSS" + cd "$NSS_HACK" + export NISCC_TEST=1 + cd nss + gmake nss_clean_all &>> $TEST_OUTPUT/nisccBuildLogHack + gmake nss_build_all &>> $TEST_OUTPUT/nisccBuildLogHack + fi + + unset NISCC_TEST +} + +################################################################################ +# Set build dir, bin and lib directories +################################################################################ +init() +{ + # Enable useful core 
files to be generated in case of crash + ulimit -c unlimited + + # Pattern of core files, they should be created in current directory + echo "core_pattern $(cat /proc/sys/kernel/core_pattern)" > "$TEST_OUTPUT/nisccLog00" + + # gmake is needed in the path for this suite to run + echo "PATH $PATH" >> "$TEST_OUTPUT/nisccLog00" + + # Find out hacked NSS version + DISTTYPE=`cd "$NSS_HACK/nss/tests/common"; gmake objdir_name` + echo "NSS_HACK DISTTYPE $DISTTYPE" >> "$TEST_OUTPUT/nisccLog00" + export HACKBIN="$NSS_HACK/dist/$DISTTYPE/bin" + export HACKLIB="$NSS_HACK/dist/$DISTTYPE/lib" + + if [ "$TEST_SYSTEM" = "false" ]; then + # Find out nss version + DISTTYPE=`cd "$LOCALDIST/nss/tests/common"; gmake objdir_name` + echo "NSS DISTTYPE $DISTTYPE" >> "$TEST_OUTPUT/nisccLog00" + export TESTBIN="$LOCALDIST/dist/$DISTTYPE/bin" + export TESTLIB="$LOCALDIST/dist/$DISTTYPE/lib" + export TESTTOOLS="$TESTBIN" + else + # Using system installed NSS + echo "USING SYSTEM NSS" >> "$TEST_OUTPUT/nisccLog00" + export TESTBIN="/usr/bin" + if [ `uname -m` = "x86_64" ]; then + export TESTLIB="/usr/lib64" + export TESTTOOLS="/usr/lib64/nss/unsupported-tools" + else + export TESTLIB="/usr/lib" + export TESTTOOLS="/usr/lib/nss/unsupported-tools" + fi + fi + + # Verify NISCC_TEST was set in the proper library + if strings "$HACKLIB/libssl3.so" | grep NISCC_TEST > /dev/null 2>&1; then + echo "$HACKLIB/libssl3.so contains NISCC_TEST" >> "$TEST_OUTPUT/nisccLog00" + else + echo "$HACKLIB/libssl3.so does NOT contain NISCC_TEST" >> "$TEST_OUTPUT/nisccLog00" + fi + + if strings "$TESTLIB/libssl3.so" | grep NISCC_TEST > /dev/null 2>&1; then + echo "$TESTLIB/libssl3.so contains NISCC_TEST" >> "$TEST_OUTPUT/nisccLog00" + else + echo "$TESTLIB/libssl3.so does NOT contain NISCC_TEST" >> "$TEST_OUTPUT/nisccLog00" + fi +} + +################################################################################ +# Setup simple client and server directory 
+################################################################################ +ssl_setup_dirs_simple() +{ + [ "$NO_SETUP" = "true" ] && return + + echo "Setting up working directories for SSL simple tests" + + CLIENT="$TEST_OUTPUT/niscc_ssl/simple_client" + SERVER="$TEST_OUTPUT/niscc_ssl/simple_server" + + # Generate .p12 files + openssl pkcs12 -export -inkey "$TEST/client_key.pem" -in "$TEST/client_crt.pem" -out "$TEST_OUTPUT/client_crt.p12" -passout pass:testtest1 -name "client_crt" + openssl pkcs12 -export -inkey "$TEST/server_key.pem" -in "$TEST/server_crt.pem" -out "$TEST_OUTPUT/server_crt.p12" -passout pass:testtest1 -name "server_crt" + + # Setup simple client directory + rm -rf "$CLIENT" + mkdir -p "$CLIENT" + echo test > "$CLIENT/password-is-test.txt" + export LD_LIBRARY_PATH="$TESTLIB" + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -N -d "$CLIENT" -f "$CLIENT/password-is-test.txt" >> "$TEST_OUTPUT/nisccLog00" 2>&1 + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -A -d "$CLIENT" -n rootca -i "$TEST/rootca.crt" -t "C,C," >> "$TEST_OUTPUT/nisccLog00" 2>&1 + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/pk12util" -i "$TEST_OUTPUT/client_crt.p12" -d "$CLIENT" -k "$CLIENT/password-is-test.txt" -W testtest1 >> "$TEST_OUTPUT/nisccLog00" 2>&1 + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -L -d "$CLIENT" >> "$TEST_OUTPUT/nisccLog00" 2>&1 + + # File containg message used for terminating the server + echo "GET /stop HTTP/1.0" > "$CLIENT/stop.txt" + echo "" >> "$CLIENT/stop.txt" + + # Setup simple server directory + rm -rf "$SERVER" + mkdir -p "$SERVER" + echo test > "$SERVER/password-is-test.txt" + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -N -d "$SERVER" -f "$SERVER/password-is-test.txt" >> 
"$TEST_OUTPUT/nisccLog00" 2>&1 + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -A -d "$SERVER" -n rootca -i "$TEST/rootca.crt" -t "TC,C," >> "$TEST_OUTPUT/nisccLog00" 2>&1 + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/pk12util" -i "$TEST_OUTPUT/server_crt.p12" -d "$SERVER" -k "$SERVER/password-is-test.txt" -W testtest1 >> "$TEST_OUTPUT/nisccLog00" 2>&1 + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -L -d "$SERVER" >> "$TEST_OUTPUT/nisccLog00" 2>&1 + + unset LD_LIBRARY_PATH +} + +################################################################################ +# Setup resigned client and server directory +################################################################################ +ssl_setup_dirs_resigned() +{ + [ "$NO_SETUP" = "true" ] && return + + echo "Setting up working directories for SSL resigned tests" + + CLIENT="$TEST_OUTPUT/niscc_ssl/resigned_client" + SERVER="$TEST_OUTPUT/niscc_ssl/resigned_server" + + # Setup resigned client directory + rm -rf "$CLIENT" + mkdir -p "$CLIENT" + echo test > "$CLIENT/password-is-test.txt" + export LD_LIBRARY_PATH="$TESTLIB" + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -N -d "$CLIENT" -f "$CLIENT/password-is-test.txt" >> "$TEST_OUTPUT/nisccLog00" 2>&1 + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -A -d "$CLIENT" -n rootca -i "$TEST/rootca.crt" -t "C,C," >> "$TEST_OUTPUT/nisccLog00" 2>&1 + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/pk12util" -i "$TEST_OUTPUT/client_crt.p12" -d "$CLIENT" -k "$CLIENT/password-is-test.txt" -W testtest1 >> "$TEST_OUTPUT/nisccLog00" 2>&1 + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -L -d "$CLIENT" >> "$TEST_OUTPUT/nisccLog00" 2>&1 + + 
echo "GET /stop HTTP/1.0" > "$CLIENT/stop.txt" + echo "" >> "$CLIENT/stop.txt" + + # Setup resigned server directory + rm -rf "$SERVER" + mkdir -p "$SERVER" + echo test > "$SERVER/password-is-test.txt" + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -N -d "$SERVER" -f "$SERVER/password-is-test.txt" >> "$TEST_OUTPUT/nisccLog00" 2>&1 + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -A -d "$SERVER" -n rootca -i "$TEST/rootca.crt" -t "TC,C," >> "$TEST_OUTPUT/nisccLog00" 2>&1 + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/pk12util" -i "$TEST_OUTPUT/server_crt.p12" -d "$SERVER" -k "$SERVER/password-is-test.txt" -W testtest1 >> "$TEST_OUTPUT/nisccLog00" 2>&1 + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -L -d "$SERVER" >> "$TEST_OUTPUT/nisccLog00" 2>&1 + + unset LD_LIBRARY_PATH +} + +################################################################################ +# NISCC SMIME tests +################################################################################ +niscc_smime() +{ + cd "$TEST_OUTPUT" + DATA="$NISCC_HOME/NISCC_SMIME_testcases" + + [ ! -d niscc_smime ] && mkdir -p niscc_smime + + export SMIME_CERT_DB_DIR=envDB + export NSS_STRICT_SHUTDOWN=1 + export NSS_DISABLE_ARENA_FREE_LIST=1 + export LD_LIBRARY_PATH="$TESTLIB" + + # Generate .p12 files + openssl pkcs12 -export -inkey "$DATA/Client.key" -in "$DATA/Client.crt" -out Client.p12 -passout pass:testtest1 &>/dev/null + openssl pkcs12 -export -inkey "$DATA/CA.key" -in "$DATA/CA.crt" -out CA.p12 -passout pass:testtest1 &>/dev/null + + # Generate envDB if needed + if [ ! 
-d "$SMIME_CERT_DB_DIR" ]; then + mkdir -p "$SMIME_CERT_DB_DIR" + echo testtest1 > password-is-testtest1.txt + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -N -d "./$SMIME_CERT_DB_DIR" -f password-is-testtest1.txt > /dev/null 2>&1 + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -A -d "$SMIME_CERT_DB_DIR" -f password-is-testtest1.txt -i "$DATA/CA.crt" -n CA -t "TC,C," + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -A -d "$SMIME_CERT_DB_DIR" -f password-is-testtest1.txt -i "$DATA/Client.crt" -n Client -t "TC,C," + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/pk12util" -i ./CA.p12 -d "$SMIME_CERT_DB_DIR" -k password-is-testtest1.txt -W testtest1 + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/pk12util" -i ./Client.p12 -d "$SMIME_CERT_DB_DIR" -k password-is-testtest1.txt -W testtest1 + fi + + # if p7m-ed-m-files.txt does not exist, then generate it. + [ -f "$DATA/p7m-ed-m-files.txt" ] && sed "s|^|$DATA/|" "$DATA/p7m-ed-m-files.txt" > p7m-ed-m-files.txt + export P7M_ED_M_FILES=p7m-ed-m-files.txt + if [ "$SMALLSET" = "true" ]; then + [ ! -f "$P7M_ED_M_FILES" ] && find "$DATA"/p7m-ed-m-0* -type f -print | head -10 >> "$P7M_ED_M_FILES" + else + [ ! -f "$P7M_ED_M_FILES" ] && find "$DATA"/p7m-ed-m-0* -type f -print >> "$P7M_ED_M_FILES" + fi + + # Test "p7m-ed-m*" testcases + echo "Testing SMIME enveloped data testcases" + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/cmsutil" $VERBOSE -D -d "$SMIME_CERT_DB_DIR" -p testtest1 -b -i "$P7M_ED_M_FILES" > niscc_smime/p7m-ed-m-results.txt 2>&1 + + export SMIME_CERT_DB_DIR=sigDB + # Generate sigDB if needed + if [ ! 
-d "$SMIME_CERT_DB_DIR" ]; then + mkdir -p "$SMIME_CERT_DB_DIR" + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -N -d "$SMIME_CERT_DB_DIR" -f password-is-testtest1.txt + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -A -d "$SMIME_CERT_DB_DIR" -i "$DATA/CA.crt" -n CA -t "TC,C," + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -A -d "$SMIME_CERT_DB_DIR" -i "$DATA/Client.crt" -n Client -t "TC,C," + fi + + # if p7m-sd-dt-files.txt does not exist, then generate it. + [ -f "$DATA/p7m-sd-dt-files.txt" ] && sed "s|^|$DATA/|" "$DATA/p7m-sd-dt-files.txt" > p7m-sd-dt-files.txt + export P7M_SD_DT_FILES=p7m-sd-dt-files.txt + if [ "$SMALLSET" = "true" ]; then + [ ! -f "$P7M_SD_DT_FILES" ] && find "$DATA"/p7m-sd-dt-[cm]-* -type f -print | head -10 >> "$P7M_SD_DT_FILES" + else + [ ! -f "$P7M_SD_DT_FILES" ] && find "$DATA"/p7m-sd-dt-[cm]-* -type f -print >> "$P7M_SD_DT_FILES" + fi + + [ ! -f detached.txt ] && touch detached.txt + + # Test "p7m-sd-dt*" testcases + echo "Testing SMIME detached signed data testcases" + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/cmsutil" $VERBOSE -D -d "$SMIME_CERT_DB_DIR" -c detached.txt -b -i "$P7M_SD_DT_FILES" > niscc_smime/p7m-sd-dt-results.txt 2>&1 + + # if p7m-sd-op-files.txt does not exist, then generate it. + [ -f "$DATA/p7m-sd-op-files.txt" ] && sed "s|^|$DATA/|" "$DATA/p7m-sd-op-files.txt" > p7m-sd-op-files.txt + export P7M_SD_OP_FILES=p7m-sd-op-files.txt + if [ "$SMALLSET" = "true" ]; then + [ ! -f "$P7M_SD_OP_FILES" ] && find "$DATA"/p7m-sd-op-[cm]-* -type f -print | head -10 >> "$P7M_SD_OP_FILES" + else + [ ! 
-f "$P7M_SD_OP_FILES" ] && find "$DATA"/p7m-sd-op-[cm]-* -type f -print >> "$P7M_SD_OP_FILES" + fi + + # Test "p7m-sd-op*" testcases + echo "Testing SMIME opaque signed data testcases" + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/cmsutil" $VERBOSE -D -d "$SMIME_CERT_DB_DIR" -b -i "$P7M_SD_OP_FILES" > niscc_smime/p7m-sd-op-results.txt 2>&1 + + unset LD_LIBRARY_PATH +} + +################################################################################ +# Set env variables for NISCC SSL tests +################################################################################ +niscc_ssl_init() +{ + export NSS_STRICT_SHUTDOWN=1 + export NSS_DISABLE_ARENA_FREE_LIST=1 + cd "$TEST_OUTPUT" +} + +force_crash() +{ + echo "int main(int argc, char *argv[]) { int *i; i = (int*)(void*)1; *i = 1; }" > "$TEST_OUTPUT/crashme.c" + gcc -g -o "$TEST_OUTPUT/crashme" "$TEST_OUTPUT/crashme.c" + "$TEST_OUTPUT/crashme" +} + +################################################################################ +# Do simple client auth tests +# Use an altered client against the server +################################################################################ +ssl_simple_client_auth() +{ + echo "Testing SSL simple client auth testcases" + export CLIENT="$TEST_OUTPUT/niscc_ssl/simple_client" + export SERVER="$TEST_OUTPUT/niscc_ssl/simple_server" + export PORT=8443 + export START_AT=1 + if [ "$SMALLSET" = "true" ]; then + export STOP_AT=10 + else + export STOP_AT=106160 + fi + unset NISCC_TEST + export LD_LIBRARY_PATH="$TESTLIB" + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTTOOLS}/selfserv" $VERBOSE -p $PORT -d "$SERVER" -n server_crt -rr -t $THREADS -w test > "$TEST_OUTPUT/nisccLog01" 2>&1 & + + export NISCC_TEST="$TEST/simple_client" + export LD_LIBRARY_PATH="$HACKLIB" + + for START in `seq $START_AT $THREADS $STOP_AT`; do + START_AT=$START \ + STOP_AT=$(($START+$THREADS)) \ + LD_PRELOAD=${FAKETIMELIB} 
NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${HACKBIN}/strsclnt" $VERBOSE -d "$CLIENT" -n client_crt -p $PORT -t $THREADS -c $THREADS -o -N -w test $HOST >> "$TEST_OUTPUT/nisccLog02" 2>&1 + done + + unset NISCC_TEST + echo "starting tstclnt to shutdown simple client selfserv process" + for i in `seq 5`; do + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${HACKBIN}/tstclnt" -h $HOST -p $PORT -d "$CLIENT" -n client_crt -o -f -w test < "$CLIENT/stop.txt" >> "$TEST_OUTPUT/nisccLog02" 2>&1 + done + + unset LD_LIBRARY_PATH + + sleep 1 +} + +################################################################################ +# Do simple server auth tests +# Use an altered server against the client +################################################################################ +ssl_simple_server_auth() +{ + echo "Testing SSL simple server auth testcases" + export CLIENT="$TEST_OUTPUT/niscc_ssl/simple_client" + export SERVER="$TEST_OUTPUT/niscc_ssl/simple_server" + export PORT=8444 + export START_AT=00000001 + if [ "$SMALLSET" = "true" ]; then + export STOP_AT=00000010 + else + export STOP_AT=00106167 + fi + export LD_LIBRARY_PATH="$HACKLIB" + export NISCC_TEST="$TEST/simple_server" + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${HACKBIN}/selfserv" $VERBOSE -p $PORT -d "$SERVER" -n server_crt -t $THREADS -w test > "$TEST_OUTPUT/nisccLog03" 2>&1 & + + unset NISCC_TEST + export LD_LIBRARY_PATH="$TESTLIB" + for START in `seq $START_AT $THREADS $STOP_AT`; do + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTTOOLS}/strsclnt" $VERBOSE -d "$CLIENT" -p $PORT -t $THREADS -c $THREADS -o -N $HOST >> "$TEST_OUTPUT/nisccLog04" 2>&1 + done + + echo "starting tstclnt to shutdown simple server selfserv process" + for i in `seq 5`; do + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTTOOLS}/tstclnt" -h $HOST -p $PORT -d "$CLIENT" -n client_crt -o 
-f -w test < "$CLIENT/stop.txt" >> "$TEST_OUTPUT/nisccLog04" 2>&1 + done + + unset LD_LIBRARY_PATH + + sleep 1 +} + +################################################################################ +# Do simple rootCA tests +# Use an altered server against the client +################################################################################ +ssl_simple_rootca() +{ + echo "Testing SSL simple rootCA testcases" + export CLIENT="$TEST_OUTPUT/niscc_ssl/simple_client" + export SERVER="$TEST_OUTPUT/niscc_ssl/simple_server" + export PORT=8445 + export START_AT=1 + if [ "$SMALLSET" = "true" ]; then + export STOP_AT=10 + else + export STOP_AT=106190 + fi + export LD_LIBRARY_PATH="$HACKLIB" + export NISCC_TEST="$TEST/simple_rootca" + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${HACKBIN}/selfserv" $VERBOSE -p $PORT -d "$SERVER" -n server_crt -t $THREADS -w test > "$TEST_OUTPUT/nisccLog05" 2>&1 & + + unset NISCC_TEST + export LD_LIBRARY_PATH="$TESTLIB" + for START in `seq $START_AT $THREADS $STOP_AT`; do + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTTOOLS}/strsclnt" $VERBOSE -d "$CLIENT" -p $PORT -t $THREADS -c $THREADS -o -N $HOST >> "$TEST_OUTPUT/nisccLog06" 2>&1 + done + + echo "starting tstclnt to shutdown simple rootca selfserv process" + for i in `seq 5`; do + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTTOOLS}/tstclnt" -h $HOST -p $PORT -d "$CLIENT" -n client_crt -o -f -w test < "$CLIENT/stop.txt" >> "$TEST_OUTPUT/nisccLog06" 2>&1 + done + + unset LD_LIBRARY_PATH + + sleep 1 +} + +################################################################################ +# Do resigned client auth tests +# Use an altered client against the server +################################################################################ +ssl_resigned_client_auth() +{ + echo "Testing SSL resigned client auth testcases" + export 
CLIENT="$TEST_OUTPUT/niscc_ssl/resigned_client" + export SERVER="$TEST_OUTPUT/niscc_ssl/resigned_server" + export PORT=8446 + export START_AT=0 + if [ "$SMALLSET" = "true" ]; then + export STOP_AT=9 + else + export STOP_AT=99981 + fi + unset NISCC_TEST + export LD_LIBRARY_PATH="$TESTLIB" + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTTOOLS}/selfserv" $VERBOSE -p $PORT -d "$SERVER" -n server_crt -rr -t $THREADS -w test > "$TEST_OUTPUT/nisccLog07" 2>&1 & + + export NISCC_TEST="$TEST/resigned_client" + export LD_LIBRARY_PATH="$HACKLIB" + + for START in `seq $START_AT $THREADS $STOP_AT`; do + START_AT=$START \ + STOP_AT=$(($START+$THREADS)) \ + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${HACKBIN}/strsclnt" $VERBOSE -d "$CLIENT" -n client_crt -p $PORT -t $THREADS -c $THREADS -o -N -w test $HOST >> "$TEST_OUTPUT/nisccLog08" 2>&1 + done + + unset NISCC_TEST + echo "starting tstclnt to shutdown resigned client selfserv process" + for i in `seq 5`; do + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${HACKBIN}/tstclnt" -h $HOST -p $PORT -d "$CLIENT" -n client_crt -o -f -w test < "$CLIENT/stop.txt" >> "$TEST_OUTPUT/nisccLog08" 2>&1 + done + + unset LD_LIBRARY_PATH + + sleep 1 +} + +################################################################################ +# Do resigned server auth tests +# Use an altered server against the client +################################################################################ +ssl_resigned_server_auth() +{ + echo "Testing SSL resigned server auth testcases" + export CLIENT="$TEST_OUTPUT/niscc_ssl/resigned_client" + export SERVER="$TEST_OUTPUT/niscc_ssl/resigned_server" + export PORT=8447 + export START_AT=0 + if [ "$SMALLSET" = "true" ]; then + export STOP_AT=9 + else + export STOP_AT=100068 + fi + export LD_LIBRARY_PATH="$HACKLIB" + export NISCC_TEST="$TEST/resigned_server" + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 
FAKETIME="@2004-03-29 14:14:14" \ + "${HACKBIN}/selfserv" $VERBOSE -p $PORT -d "$SERVER" -n server_crt -t $THREADS -w test > "$TEST_OUTPUT/nisccLog09" 2>&1 & + + unset NISCC_TEST + export LD_LIBRARY_PATH="$TESTLIB" + for START in `seq $START_AT $THREADS $STOP_AT`; do + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTTOOLS}/strsclnt" $VERBOSE -d "$CLIENT" -p $PORT -t $THREADS -c $THREADS -o -N $HOST >> "$TEST_OUTPUT/nisccLog10" 2>&1 + done + + echo "starting tstclnt to shutdown resigned server selfserv process" + for i in `seq 5`; do + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTTOOLS}/tstclnt" -h $HOST -p $PORT -d "$CLIENT" -n client_crt -o -f -w test < "$CLIENT/stop.txt" >> "$TEST_OUTPUT/nisccLog10" 2>&1 + done + + unset LD_LIBRARY_PATH + + sleep 1 +} + +################################################################################ +# Do resigned rootCA tests +# Use an altered server against the client +################################################################################ +ssl_resigned_rootca() +{ + echo "Testing SSL resigned rootCA testcases" + export CLIENT="$TEST_OUTPUT/niscc_ssl/resigned_client" + export SERVER="$TEST_OUTPUT/niscc_ssl/resigned_server" + export PORT=8448 + export START_AT=0 + if [ "$SMALLSET" = "true" ]; then + export STOP_AT=9 + else + export STOP_AT=99959 + fi + export LD_LIBRARY_PATH="$HACKLIB" + export NISCC_TEST="$TEST/resigned_rootca" + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${HACKBIN}/selfserv" $VERBOSE -p $PORT -d "$SERVER" -n server_crt -t $THREADS -w test > "$TEST_OUTPUT/nisccLog11" 2>&1 & + + unset NISCC_TEST + export LD_LIBRARY_PATH="$TESTLIB" + for START in `seq $START_AT $THREADS $STOP_AT`; do + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTTOOLS}/strsclnt" $VERBOSE -d "$CLIENT" -p $PORT -t $THREADS -c $THREADS -o -N $HOST >> "$TEST_OUTPUT/nisccLog12" 2>&1 + done + + 
echo "starting tstclnt to shutdown resigned rootca selfserv process" + for i in `seq 5`; do + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTTOOLS}/tstclnt" -h $HOST -p $PORT -d "$CLIENT" -n client_crt -o -f -w test < "$CLIENT/stop.txt" >> "$TEST_OUTPUT/nisccLog12" 2>&1 + done + + unset LD_LIBRARY_PATH + + sleep 1 +} + +################################################################################ +# Email the test logfile, and if core found, notify of failure +################################################################################ +mail_testLog() +{ + pushd "$TEST_OUTPUT" + + # remove mozilla nss build false positives and core stored in previous runs + find . -name "core*" -print | grep -v coreconf | grep -v core_watch | grep -v archive >> crashLog + export SIZE=`cat crashLog | wc -l` + + [ "$USE_MAIL" = "false" ] && return + + # mail text + MT=mailText + rm -f $MT + + if [ "$SIZE" -ne 1 ]; then + echo "### FAILED ###" >> $MT + echo "### Exactly one crash is expected." >> $MT + echo "### Zero means: crash detection is broken, fix the script!" >> $MT + echo "### > 1 means: robustness test failure, fix the bug! 
(check the logs)" >> $MT + cat crashLog >> nisccLogSummary + SUBJ="FAILED: NISCC TESTS (check file: crashLog)" + else + echo ":) PASSED :)" >> $MT + SUBJ="PASSED: NISCC tests" + fi + + echo "Date used during test run: $DATE" >> $MT + + echo "Count of lines in files:" >> $MT + wc -l crashLog nisccBuildLog nisccBuildLogHack nisccLog[0-9]* p7m-* |grep -vw total >> $MT + NUM=`cat nisccLog0[123456789] nisccLog1[12] | egrep -ic "success/passed"` + echo "Number of times the SSL tests reported success/passed (low expected): $NUM" >> $MT + NUM=`cat nisccLog0[123456789] nisccLog1[12] | egrep -ic "problem|failed|error"` + echo "Number of times the SSL tests reported problem/failed/error (high expected): $NUM" >> $MT + NUM=`cat niscc_smime/p7m*results.txt | egrep -ic "success/passed"` + echo "Number of times the S/MIME tests reported success/passed (low expected): $NUM" >> $MT + NUM=`cat niscc_smime/p7m*results.txt | egrep -ic "problem|failed|error"` + echo "Number of times the S/MIME tests reported problem/failed/error (high expected): $NUM" >> $MT + echo "==== tail of nisccBuildLog ====" >> $MT + tail -20 nisccBuildLog >> $MT + echo "===============================" >> $MT + echo "==== tail of nisccBuildLogHack ====" >> $MT + tail -20 nisccBuildLogHack >> $MT + echo "===================================" >> $MT + + #NUM=`` + #echo "Number of : $NUM" >> $MT + + cat $MT | $MAIL_COMMAND -s "$SUBJ" $QA_LIST + + popd +} + +################################################################################ +# Summarize all logs +################################################################################ +log_summary() +{ + echo "Summarizing all logs" + # Move old logs + [ -f "$TEST_OUTPUT/nisccLogSummary" ] && mv nisccLogSummary nisccLogSummary.old + [ -f "$TEST_OUTPUT/crashLog" ] && mv crashLog crashLog.old + + for a in $TEST_OUTPUT/nisccLog[0-9]*; do + echo ================================== "$a" + grep -v using "$a" | sort | uniq -c | sort -b -n +0 -1 + done > 
$TEST_OUTPUT/nisccLogSummary + + for a in $TEST_OUTPUT/niscc_smime/p7m-*-results.txt; do + echo ================================== "$a" + grep -v using "$a" | sort | uniq -c | sort -b -n +0 -1 + done >> $TEST_OUTPUT/nisccLogSummary +} + +################################################################################ +# Process core files +################################################################################ +core_process() +{ + echo "Processing core files" + cd "$TEST_OUTPUT" + + for CORE in `cat crashLog`; do + FILE=`file "$CORE" | sed "s/.* from '//" | sed "s/'.*//"` + BINARY=`strings "$CORE" | grep "^${FILE}" | tail -1` + gdb "$BINARY" "$CORE" << EOF_GDB > "$CORE.details" +where +quit +EOF_GDB + done +} + +################################################################################ +# Move the old log files to save them, delete extra log files +################################################################################ +move_files() +{ + echo "Moving and deleting log files" + cd "$TEST_OUTPUT" + + rm -rf TRASH + mkdir TRASH + + if [ "$LOG_STORE" = "true" ]; then + BRANCH=`echo $LOCALDIST | sed "s:.*/\(security.*\)/builds/.*:\1:"` + if [ "$BRANCH" = "$LOCALDIST" ]; then + ARCHIVE="$TEST_OUTPUT/archive" + else + ARCHIVE="$TEST_OUTPUT/archive/$BRANCH" + fi + + # Check for archive directory + if [ ! 
-d "$ARCHIVE" ]; then + mkdir -p "$ARCHIVE" + fi + + # Determine next log storage point + slot=`ls -1 "$ARCHIVE" | grep $DATE | wc -l` + slot=`expr $slot + 1` + location="$ARCHIVE/$DATE.$slot" + mkdir -p "$location" + + # Archive the logs + mv nisccBuildLog "$location" 2> /dev/null + mv nisccBuildLogHack "$location" 2> /dev/null + mv nisccLogSummary "$location" + mv nisccLog* "$location" + mv niscc_smime/p7m-ed-m-results.txt "$location" + mv niscc_smime/p7m-sd-dt-results.txt "$location" + mv niscc_smime/p7m-sd-op-results.txt "$location" + + # Archive any core files produced + for core in `cat "$TEST_OUTPUT/crashLog"`; do + mv "$core" "$location" + mv "$core.details" "$location" + done + mv crashLog "$location" + else + # Logs not stored => summaries, crashlog and corefiles not moved, other logs deleted + mv nisccLog00 nisccLog01 nisccLog02 nisccLog03 nisccLog04 nisccLog05 nisccLog06 nisccLog07 nisccLog08 nisccLog09 nisccLog10 nisccLog11 nisccLog12 TRASH/ + mv niscc_smime/p7m-ed-m-results.txt niscc_smime/p7m-sd-dt-results.txt niscc_smime/p7m-sd-op-results.txt TRASH/ + fi + mv envDB sigDB niscc_smime niscc_ssl TRASH/ + mv CA.p12 Client.p12 client_crt.p12 server_crt.p12 TRASH/ + mv p7m-ed-m-files.txt p7m-sd-dt-files.txt p7m-sd-op-files.txt password-is-testtest1.txt detached.txt TRASH/ + mv crashme.c crashme TRASH/ +} + +################################################################################ +# Main +################################################################################ +process_args $* +create_environment +hg_pull +build_NSS +init +niscc_smime +niscc_ssl_init +force_crash +ssl_setup_dirs_simple + ssl_simple_client_auth + ssl_simple_server_auth + ssl_simple_rootca +ssl_setup_dirs_resigned + ssl_resigned_client_auth + ssl_resigned_server_auth + ssl_resigned_rootca +# no idea what these commented-out lines are supposed to be! 
+#ssl_setup_dirs_update +# ssl_update_server_auth der +# ssl_update_client_auth der +# ssl_update_server_auth resigned-der +# ssl_update_client_auth resigned-der +log_summary +mail_testLog +core_process +move_files +exit $SIZE diff --git a/security/nss/tests/sdr/sdr.sh b/security/nss/tests/sdr/sdr.sh new file mode 100755 index 000000000..f846e9247 --- /dev/null +++ b/security/nss/tests/sdr/sdr.sh 
@@ -0,0 +1,111 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/sdr/sdr.sh
+#
+# Script to start test basic functionallity of NSS sdr
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## sdr_init ################################
+# local shell function to initialize this script
+########################################################################
+sdr_init()
+{
+ SCRIPTNAME=sdr.sh
+ if [ -z "${CLEANUP}" ] ; then
+ CLEANUP="${SCRIPTNAME}"
+ fi
+
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd ../common
+ . ./init.sh
+ fi
+ SCRIPTNAME=sdr.sh
+
+ #temporary files
+ VALUE1=$HOSTDIR/tests.v1.$$
+ VALUE2=$HOSTDIR/tests.v2.$$
+ VALUE3=$HOSTDIR/tests.v3.$$
+
+ T1="Test1"
+ T2="The quick brown fox jumped over the lazy dog"
+ T3="1234567"
+
+ SDRDIR=${HOSTDIR}/SDR
+ D_SDR="SDR.$version"
+ if [ ! -d ${SDRDIR} ]; then
+ mkdir -p ${SDRDIR}
+ fi
+
+ PROFILE=.
+ if [ -n "${MULTIACCESS_DBM}" ]; then
+ PROFILE="multiaccess:${D_SDR}"
+ fi
+
+ cd ${SDRDIR}
+ html_head "SDR Tests"
+}
+
+############################## sdr_main ################################
+# local shell function to test NSS SDR
+########################################################################
+sdr_main()
+{
+ echo "$SCRIPTNAME: Creating an SDR key/SDR Encrypt - Value 1"
+ echo "sdrtest -d ${PROFILE} -o ${VALUE1} -t \"${T1}\""
+ ${BINDIR}/sdrtest -d ${PROFILE} -o ${VALUE1} -t "${T1}"
+ html_msg $? 0 "Creating SDR Key/Encrypt - Value 1"
+
+ echo "$SCRIPTNAME: SDR Encrypt - Value 2"
+ echo "sdrtest -d ${PROFILE} -o ${VALUE2} -t \"${T2}\""
+ ${BINDIR}/sdrtest -d ${PROFILE} -o ${VALUE2} -t "${T2}"
+ html_msg $? 0 "Encrypt - Value 2"
+
+ echo "$SCRIPTNAME: SDR Encrypt - Value 3"
+ echo "sdrtest -d ${PROFILE} -o ${VALUE3} -t \"${T3}\""
+ ${BINDIR}/sdrtest -d ${PROFILE} -o ${VALUE3} -t "${T3}"
+ html_msg $? 0 "Encrypt - Value 3"
+
+ echo "$SCRIPTNAME: SDR Decrypt - Value 1"
+ echo "sdrtest -d ${PROFILE} -i ${VALUE1} -t \"${T1}\""
+ ${BINDIR}/sdrtest -d ${PROFILE} -i ${VALUE1} -t "${T1}"
+ html_msg $? 0 "Decrypt - Value 1"
+
+ echo "$SCRIPTNAME: SDR Decrypt - Value 2"
+ echo "sdrtest -d ${PROFILE} -i ${VALUE2} -t \"${T2}\""
+ ${BINDIR}/sdrtest -d ${PROFILE} -i ${VALUE2} -t "${T2}"
+ html_msg $? 0 "Decrypt - Value 2"
+
+ echo "$SCRIPTNAME: SDR Decrypt - Value 3"
+ echo "sdrtest -d ${PROFILE} -i ${VALUE3} -t \"${T3}\""
+ ${BINDIR}/sdrtest -d ${PROFILE} -i ${VALUE3} -t "${T3}"
+ html_msg $? 0 "Decrypt - Value 3"
+}
+
+############################## sdr_cleanup #############################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+sdr_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+sdr_init
+sdr_main
+sdr_cleanup
diff --git a/security/nss/tests/set_environment b/security/nss/tests/set_environment
new file mode 100644
index 000000000..5a3515cca
--- /dev/null
+++ b/security/nss/tests/set_environment
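Review bot: sdr_main only exercises the accepting path: every `sdrtest -i` decrypt is handed, via `-t`, the same plaintext that was just encrypted, so an SDR implementation that ignored the ciphertext or the key would still pass all six checks. Add at least one rejection case after the decrypts, e.g. `${BINDIR}/sdrtest -d ${PROFILE} -i ${VALUE1} -t "${T2}"` followed by an `html_msg` whose expected status is non-zero (confirm the exact code sdrtest returns on a mismatch before pinning it). The temporary file names built in sdr_init (`$HOSTDIR/tests.v1.$$`) are predictable; that is tolerable because they live under the suite's own HOSTDIR, but a one-line comment saying so would stop the next reader from "fixing" it with mktemp and breaking the cleanup convention.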
@@ -0,0 +1,234 @@
+#! /bin/sh
+
+########################################################################
+#
+# /u/sonmi/bin/set_environment
+#
+# sourced from the header if running from cron to get the full environment
+# to run nssqa - also used to unify all nssqa environments
+#
+# This is derived from the .cshrc file for the svbld account.
+#
+########################################################################
+
+if [ -z "$HOME" ]
+then
+ HOME=/u/svbld
+fi
+if [ -z "$QASCRIPT_DIR" ]
+then
+ QASCRIPT_DIR=`dirname $0`
+fi
+
+os_name=`uname -s`
+if [ "$os_name" != "Windows_95" -a \
+ "$os_name" != "Windows_NT" -a \
+ "$os_name" != "WINNT" -a \
+ "$os_name" != "Windows" -a \
+ "$os_name" != "Windows_98" -a \
+ "$os_name" != "CYGWIN_NT-4.0" -a \
+ "$os_name" != "CYGWIN_NT-5.0" -a \
+ "$os_name" != "CYGWIN_95-4.0" -a \
+ "$os_name" != "CYGWIN_98-4.10" ]
+then
+ PATH=.:$HOME/bin:/tools/ns/bin:/bin:/usr/bin:/usr/sbin:/usr/ccs/bin:/usr/dist/local/exe:/usr/bin/X11:/usr/audio/bin:/u/sonmi/bin:$PATH
+ JAVA_HOME="D:/i386/jdk1.2.2"
+ JAVA_HOME14="R:/jdk/1.4.0/WINNT"
+fi
+
+CVSROOT=:pserver:svbld@redcvs.red.iplanet.com:/m/src
+
+os_name=`uname -s`
+os_version=`uname -r`
+#os_p=`uname -p`
+os_full=""
+
+if [ -f /u/svbld/bin/nsarch ]
+then
+ os_full=`/u/svbld/bin/nsarch -f` #FIXME
+fi
+
+MANPATH=/usr/share/man:/usr/openwin/man:/usr/local/man
+
+RMAIL=rmail
+BEFORE_CONTEXT_GREP=""
+AFTER_CONTEXT_GREP=""
+
+export CVSROOT HOME os_name os_version os_full MANPATH
+
+
+if [ "$os_name" = "HP-UX" ]
+then
+ PATH=$PATH:/usr/local/bin:/opt/aCC/bin:/usr/local/bin/audio:/tools/ns/bin:/etc:/usr/contrib/bin:/usr/contrib/bin/X11:/usr/local/hpux/bin:/nfs/iapp1/hphome/bin:/etc:/u/svbld/bin/HP/perl/bin
+ JAVA_HOME="/share/builds/components/cms_jdk/HP-UX/1.2.2.04"
+ JAVA_HOME14=$JAVA_HOME
+# JAVA_HOME="/share/builds/components/cms_jdk/HP-UX/1.3.0.00"
+elif [ "$os_name" = "SunOS" ]
+then
+ NATIVE_FLAG="-native"
+ XAPPLRESDIR=/usr/openwin/lib/app-defaults:/usr/local/lib/X11/app-defaults
+ OPENWINHOME=/usr/openwin
+ LD_LIBRARY_PATH=$OPENWINHOME/lib
+ if [ "$os_full" = "SOLARISx86 2.8" -o "$os_full" = "SOLARISx86 2.9" ]
+ then
+ #PATH=/usr/ucb:/opt/usr/local/bin:$PATH
+ JAVA_HOME="/usr/java1.2"
+ JAVA_HOME14=/share/builds/components/jdk/1.4.0/SunOS_x86
+ PATH=".:/usr/dist/share/forte_dev_i386,v6.2/SUNWspro/bin:/opt/usr/local/perl5/bin:/opt/SUNWspro/bin:/opt/usr/local/bin:/bin:/usr/bin:/usr/sbin:/usr/ccs/bin:/usr/dist/local/exe:/usr/ccs/bin:/usr/ucb/bin:/usr/ucb:/opt/SUNWwabi/bin:/usr/local/bin:/tools/ns/bin:/etc:/tools/contrib/bin"
+ else
+ PATH=/usr/ucb:$PATH
+ JAVA_HOME="/share/builds/components/jdk/1.2.2/SunOS"
+ JAVA_HOME14=/share/builds/components/jdk/1.4.0/SunOS64
+ PATH=/tools/ns/bin:$PATH:/opt/SUNWspro/bin:/usr/bin/X11:/usr/openwin/bin:/usr/openwin/demo
+
+ if [ "$os_version" = "5.8" -o "$os_version" = "5.7" -o \
+ "$os_version" = "5.9" ]
+ then
+ PATH=$PATH:/usr/dist/pkgs/forte_dev,v6.2/SUNWspro/bin:/tools/ns/workshop/bin
+ else
+ PATH=$PATH:/usr/dist/share/devpro,v5.0/5.x-sparc/bin:/tools/ns/workshop/bin
+ fi
+ PATH=$PATH:/usr/ccs/bin:/usr/ucb/bin:/opt/SUNWwabi/bin:/usr/local/bin:/tools/ns/bin:/etc:/tools/contrib/bin
+ fi
+ export XAPPLRESDIR OPENWINHOME LD_LIBRARY_PATH
+
+elif [ "$os_name" = "IRIX" ]
+then
+ PATH=$PATH:/tools/ns/bin:/usr/local/bin:/etc:/usr/bsd
+ MANPATH=/tools/ns/man:/usr/local/man
+ JAVA_HOME="/share/builds/components/jdk/1.2.2/IRIX"
+ JAVA_HOME14=$JAVA_HOME
+elif [ "$os_name" = "IRIX64" ]
+then
+ PATH=$PATH:/tools/ns/bin:/usr/local/bin:/etc:/usr/bsd
+ MANPATH=/tools/ns/man:/usr/local/man
+ JAVA_HOME="/share/builds/components/jdk/1.2.2/IRIX"
+ JAVA_HOME14=$JAVA_HOME
+elif [ "$os_name" = "Linux" ]
+then
+ PATH=/lib:/usr/lib:/bin:/sbin:/usr/bin:/usr/sbin:$PATH
+ RMAIL=sendmail
+ #the gnu grep, on Linux can output 10 lines above and 3 lines below
+ #the errormessage
+ BEFORE_CONTEXT_GREP="--before-context=10"
+ AFTER_CONTEXT_GREP="--after-context=3"
+ JAVA_HOME="/share/builds/components/jdk/1.2.2/Linux"
+ JAVA_HOME14=/share/builds/components/jdk/1.4.0/Linux
+elif [ "$os_name" = "AIX" ]
+then
+ PATH=$PATH:/tools/contrib/bin:/usr/local/bin
+ TERM=vt100
+ export TERM
+ JAVA_HOME="/share/builds/components/cms_jdk/AIX/1.3.0"
+ JAVA_HOME14=$JAVA_HOME
+elif [ "$os_name" = "OSF1" ]
+then
+ PATH=$PATH:/usr/local/bin
+ JAVA_HOME="/share/builds/components/jdk/1.2.2/OSF1"
+ JAVA_HOME14=$JAVA_HOME
+fi
+
+if [ "$os_name" = "IRIX" ]
+then
+ PATH=/tools/ns-arch/soft/perl-5.004_04/run/default/mips_sgi_irix5.3/bin:$PATH
+elif [ "$os_name" = "IRIX64" ]
+then
+ PATH=/tools/ns-arch/soft/perl-5.004_04/run/default/mips_sgi_irix5.3/bin:$PATH
+fi
+
+O_CYGNUS=OFF
+O_MKS=OFF
+O_WIN=OFF
+
+if [ "$os_name" = "CYGWIN_NT-4.0" -o \
+ "$os_name" = "CYGWIN_NT-5.0" -o \
+ "$os_name" = "CYGWIN_95-4.0" -o \
+ "$os_name" = "CYGWIN_98-4.10" ]
+then
+ #FIXME net use, mount the neccessary pnetwork drives and partitiones first
+ #FIXME - take MKS out of the PATH
+ os_full=$os_name
+ os_name="Windows"
+ O_CYGNUS=ON
+ O_WIN=ON
+ PATH="`dirname $0`:.:/cygdrive/c/cygwin/bin:/cygdrive/z/nstools/bin:/cygdrive/z/nstools/perl5:/cygdrive/z/bin:/cygdrive/c/WINNT/System32:/cygdrive/c/WINNT"
+ RM=/cygdrive/c/cygwin/bin/rm.exe #FIXME - in case we cant cporrect
+ #these with the PATH alone
+ PATH=`perl $QASCRIPT_DIR/path_uniq "$PATH"`
+ RSH=/cygdrive/c/winnt/system32/rsh
+elif [ "$os_name" = "Windows_95" -o \
+ "$os_name" = "Windows_NT" -o \
+ "$os_name" = "WINNT" -o \
+ "$os_name" = "Windows" -o \
+ "$os_name" = "Windows_98" ]
+then
+ #FIXME net use, mount the neccessary pnetwork drives and partitiones first
+ PATH=`echo $SHELL | sed -e "s/.[kK][sS][Hh].[Ee][Xx][Ee]//g" \
+ -e "s/.[sS][Hh].[Ee][Xx][Ee]//g"`
+ MOZTOOLS_IN_PATH=NO
+ if [ -n "$MOZ_TOOLS" -a -d "$MOZ_TOOLS" ] ; then
+ MOZ_TOOLS=`ls -d "$MOZ_TOOLS" | sed -e 's/\\\/\//g'`
+ #echo "MOZ_TOOLS reformated to $MOZ_TOOLS"
+ if [ -d "$MOZ_TOOLS" ] ; then #still exist after reformating?
+ MOZTOOLS_IN_PATH=OK
+ fi
+ fi
+ if [ -n "$MOZTOOLS_IN_PATH" -a "$MOZTOOLS_IN_PATH" = "OK" ] ; then
+ #echo "Use MOZTOOLS in PATH"
+ PATH="$MOZ_TOOLS/bin;$MOZ_TOOLS/perl5;$PATH"
+ elif [ -d Z:/nstools/bin ] ; then
+ PATH="Z:/nstools/bin;Z:/nstools/perl5;$PATH"
+ elif [ -d C:/nstools/bin ] ; then
+ PATH="C:/nstools/bin;C:/nstools/perl5;$PATH"
+ elif [ -d D:/nstools/bin ] ; then
+ PATH="D:/nstools/bin;D:/nstools/perl5;$PATH"
+ elif [ -d D:/i386/nstools/bin ] ; then
+ PATH="D:/i386/nstools/bin;D:/i386/nstools/perl5;$PATH"
+ else
+ echo "FATAL: Can't find nstools"
+ exit
+ fi
+
+ if [ "$os_name" = "Windows_NT" -o \
+ "$os_name" = "WINNT" ]
+ then
+ PATH="${PATH};C:/WINNT/System32;C:/WINNT;.;"
+ fi
+ PATH="`dirname $0`;$PATH"
+
+ PATH=`perl $QASCRIPT_DIR/path_uniq -d ';' "$PATH"`
+ echo $PATH
+ os_full=$os_name
+ os_name="Windows"
+ O_MKS=ON
+ O_WIN=ON
+ if [ -z $RSH ] ; then
+ RSH=c:/winnt/system32/rsh
+ fi
+
+else
+ EDITOR=vi
+ EMACSLOADPATH=/u/svbld/emacs
+ PYTHONPATH=.:/tools/ns/lib/python1.4
+ PAGER=less
+ XMCD_LIBDIR=/usr/local/lib/xmcd
+ DISPLAY=:0.0
+ PATH=`perl $QASCRIPT_DIR/path_uniq "$PATH"`
+ RSH=rsh
+fi
+
+BASEPATH=$PATH # in case we we set and reset DIST directories the PATH
+ # needs to change accordingly
+export PATH EDITOR EMACSLOADPATH PYTHONPATH PAGER XMCD_LIBDIR DISPLAY MANPATH os_full os_name BASEPATH RSH O_WIN
+
+umask 022
+
+system=`uname -n` # name of this system.
+
+JAVAC=$JAVA_HOME/bin/javac
+JAVA=$JAVA_HOME/bin/java
+JAVAC14=$JAVA_HOME14/bin/javac
+JAVA14=$JAVA_HOME14/bin/java
+#JAVA=$JAVA_HOME/jre/bin/java
+export JAVAC JAVA JAVA_HOME JAVAC14 JAVA_HOME14 JAVA14
+
diff --git a/security/nss/tests/smime/alice.txt b/security/nss/tests/smime/alice.txt
new file mode 100644
index 000000000..0378db464
--- /dev/null
+++ b/security/nss/tests/smime/alice.txt
@@ -0,0 +1,6 @@
+Date: Wed, 20 Sep 2000 00:00:01 -0700 (PDT)
+From: alice@bogus.com
+Subject: message Alice --> Bob
+To: bob@bogus.com
+
+This is a test message from Alice to Bob.
diff --git a/security/nss/tests/smime/bob.txt b/security/nss/tests/smime/bob.txt
new file mode 100644
index 000000000..330b2c94d
--- /dev/null
+++ b/security/nss/tests/smime/bob.txt
@@ -0,0 +1,6 @@
+Date: Wed, 20 Sep 2000 00:00:01 -0700 (PDT)
+From: bob@bogus.com
+Subject: message Bob --> Alice
+To: alice@bogus.com
+
+This is a test message from Bob to Alice.
diff --git a/security/nss/tests/smime/smime.sh b/security/nss/tests/smime/smime.sh
new file mode 100755
index 000000000..2360100de
--- /dev/null
+++ b/security/nss/tests/smime/smime.sh
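Review bot: The non-Windows PATH assigned in the first `if` block puts the current directory first (`PATH=.:$HOME/bin:...`), and the Solaris x86 (`PATH=".:/usr/dist/...`) and Cygwin (`` `dirname $0`:.:/cygdrive/... ``) branches do the same; because this file is sourced into every QA run, any executable dropped into whatever directory the run starts in shadows the system tools for the whole suite. Remove `.` from those assignments, or at least move it to the end of the list so real tool directories win. Separately, the `else` arm of the nstools search prints `FATAL: Can't find nstools` and then calls a bare `exit`, which in POSIX sh returns the status of the preceding echo (0), so a fatal setup failure looks like success to cron or a wrapper; change it to `exit 1`. The same applies to the comment-only "FIXME net use" lines: they are the only record that network drives must be mounted first, so a one-line check that the chosen nstools directory is reachable would turn that assumption into a tested precondition.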
@@ -0,0 +1,259 @@ +#! /bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/smime/smime.sh +# +# Script to test NSS smime +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +######################################################################## + +############################## smime_init ############################## +# local shell function to initialize this script +######################################################################## +smime_init() +{ + SCRIPTNAME=smime.sh # sourced - $0 would point to all.sh + + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ../common + . ./init.sh + fi + if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here + cd ../cert + . 
./cert.sh + fi + SCRIPTNAME=smime.sh + + if [ -z "$NSS_DISABLE_ECC" ] ; then + html_head "S/MIME Tests with ECC" + else + html_head "S/MIME Tests" + fi + + grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || { + Exit 11 "Fatal - S/MIME of cert.sh needs to pass first" + } + + SMIMEDIR=${HOSTDIR}/smime + R_SMIMEDIR=../smime + mkdir -p ${SMIMEDIR} + cd ${SMIMEDIR} + cp ${QADIR}/smime/alice.txt ${SMIMEDIR} +} + +smime_sign() +{ + HASH_CMD="-H ${HASH}" + SIG=sig.${HASH} + + echo "$SCRIPTNAME: Signing Detached Message {$HASH} ------------------" + echo "cmsutil -S -T -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.d${SIG}" + ${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.d${SIG} + html_msg $? 0 "Create Detached Signature Alice (${HASH})" "." + + echo "cmsutil -D -i alice.d${SIG} -c alice.txt -d ${P_R_BOBDIR} " + ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.d${SIG} -c alice.txt -d ${P_R_BOBDIR} + html_msg $? 0 "Verifying Alice's Detached Signature (${HASH})" "." + + echo "$SCRIPTNAME: Signing Attached Message (${HASH}) ------------------" + echo "cmsutil -S -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.${SIG}" + ${PROFTOOL} ${BINDIR}/cmsutil -S -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.${SIG} + html_msg $? 0 "Create Attached Signature Alice (${HASH})" "." + + echo "cmsutil -D -i alice.${SIG} -d ${P_R_BOBDIR} -o alice.data.${HASH}" + ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.${SIG} -d ${P_R_BOBDIR} -o alice.data.${HASH} + html_msg $? 0 "Decode Alice's Attached Signature (${HASH})" "." + + echo "diff alice.txt alice.data.${HASH}" + diff alice.txt alice.data.${HASH} + html_msg $? 0 "Compare Attached Signed Data and Original (${HASH})" "." + +# Test ECDSA signing for all hash algorithms. 
+ if [ -z "$NSS_DISABLE_ECC" ] ; then + echo "$SCRIPTNAME: Signing Detached Message ECDSA w/ {$HASH} ------------------" + echo "cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}" + ${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG} + html_msg $? 0 "Create Detached Signature Alice (ECDSA w/ ${HASH})" "." + + echo "cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR} " + ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR} + html_msg $? 0 "Verifying Alice's Detached Signature (ECDSA w/ ${HASH})" "." + + echo "$SCRIPTNAME: Signing Attached Message (ECDSA w/ ${HASH}) ------------------" + echo "cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG}" + ${PROFTOOL} ${BINDIR}/cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG} + html_msg $? 0 "Create Attached Signature Alice (ECDSA w/ ${HASH})" "." + + echo "cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH}" + ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH} + html_msg $? 0 "Decode Alice's Attached Signature (ECDSA w/ ${HASH})" "." + + echo "diff alice.txt alice-ec.data.${HASH}" + diff alice.txt alice-ec.data.${HASH} + html_msg $? 0 "Compare Attached Signed Data and Original (ECDSA w/ ${HASH})" "." + fi + +} + + + +smime_p7() +{ + echo "$SCRIPTNAME: p7 util Data Tests ------------------------------" + echo "p7env -d ${P_R_ALICEDIR} -r Alice -i alice.txt -o alice_p7.env" + ${PROFTOOL} ${BINDIR}/p7env -d ${P_R_ALICEDIR} -r Alice -i alice.txt -o alice.env + html_msg $? 0 "Creating envelope for user Alice" "." + + echo "p7content -d ${P_R_ALICEDIR} -i alice.env -o alice_p7.data" + ${PROFTOOL} ${BINDIR}/p7content -d ${P_R_ALICEDIR} -i alice.env -o alice_p7.data -p nss + html_msg $? 0 "Verifying file delivered to user Alice" "." 
+ + sed -e '3,8p' -n alice_p7.data > alice_p7.data.sed + + echo "diff alice.txt alice_p7.data.sed" + diff alice.txt alice_p7.data.sed + html_msg $? 0 "Compare Decoded Enveloped Data and Original" "." + + echo "p7sign -d ${P_R_ALICEDIR} -k Alice -i alice.txt -o alice.sig -p nss -e" + ${PROFTOOL} ${BINDIR}/p7sign -d ${P_R_ALICEDIR} -k Alice -i alice.txt -o alice.sig -p nss -e + html_msg $? 0 "Signing file for user Alice" "." + + echo "p7verify -d ${P_R_ALICEDIR} -c alice.txt -s alice.sig" + ${PROFTOOL} ${BINDIR}/p7verify -d ${P_R_ALICEDIR} -c alice.txt -s alice.sig + html_msg $? 0 "Verifying file delivered to user Alice" "." +} + +############################## smime_main ############################## +# local shell function to test basic signed and enveloped messages +# from 1 --> 2" +######################################################################## +smime_main() +{ + + HASH=SHA1 + smime_sign + HASH=SHA256 + smime_sign + HASH=SHA384 + smime_sign + HASH=SHA512 + smime_sign + + echo "$SCRIPTNAME: Enveloped Data Tests ------------------------------" + echo "cmsutil -E -r bob@bogus.com -i alice.txt -d ${P_R_ALICEDIR} -p nss \\" + echo " -o alice.env" + ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@bogus.com -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.env + html_msg $? 0 "Create Enveloped Data Alice" "." + + echo "cmsutil -D -i alice.env -d ${P_R_BOBDIR} -p nss -o alice.data1" + ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.env -d ${P_R_BOBDIR} -p nss -o alice.data1 + html_msg $? 0 "Decode Enveloped Data Alice" "." + + echo "diff alice.txt alice.data1" + diff alice.txt alice.data1 + html_msg $? 0 "Compare Decoded Enveloped Data and Original" "." 
+
+ # multiple recip
+ echo "$SCRIPTNAME: Testing multiple recipients ------------------------------"
+ echo "cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o alicecc.env \\"
+ echo " -r bob@bogus.com,dave@bogus.com"
+ ${PROFTOOL} ${BINDIR}/cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o alicecc.env \
+ -r bob@bogus.com,dave@bogus.com
+ ret=$?
+ html_msg $ret 0 "Create Multiple Recipients Enveloped Data Alice" "."
+ if [ $ret != 0 ] ; then
+ echo "certutil -L -d ${P_R_ALICEDIR}"
+ ${BINDIR}/certutil -L -d ${P_R_ALICEDIR}
+ echo "certutil -L -d ${P_R_ALICEDIR} -n dave@bogus.com"
+ ${BINDIR}/certutil -L -d ${P_R_ALICEDIR} -n dave@bogus.com
+ fi
+
+ echo "$SCRIPTNAME: Testing multiple email addrs ------------------------------"
+ echo "cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o aliceve.env \\"
+ echo " -r eve@bogus.net"
+ ${PROFTOOL} ${BINDIR}/cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o aliceve.env \
+ -r eve@bogus.net
+ ret=$?
+ html_msg $ret 0 "Encrypt to a Multiple Email cert" "."
+
+ echo "cmsutil -D -i alicecc.env -d ${P_R_BOBDIR} -p nss -o alice.data2"
+ ${PROFTOOL} ${BINDIR}/cmsutil -D -i alicecc.env -d ${P_R_BOBDIR} -p nss -o alice.data2
+ html_msg $? 0 "Decode Multiple Recipients Enveloped Data Alice by Bob" "."
+
+ echo "cmsutil -D -i alicecc.env -d ${P_R_DAVEDIR} -p nss -o alice.data3"
+ ${PROFTOOL} ${BINDIR}/cmsutil -D -i alicecc.env -d ${P_R_DAVEDIR} -p nss -o alice.data3
+ html_msg $? 0 "Decode Multiple Recipients Enveloped Data Alice by Dave" "."
+
+ echo "cmsutil -D -i aliceve.env -d ${P_R_EVEDIR} -p nss -o alice.data4"
+ ${PROFTOOL} ${BINDIR}/cmsutil -D -i aliceve.env -d ${P_R_EVEDIR} -p nss -o alice.data4
+ html_msg $? 0 "Decrypt with a Multiple Email cert" "."
+
+ diff alice.txt alice.data2
+ html_msg $? 0 "Compare Decoded Mult. Recipients Enveloped Data Alice/Bob" "."
+
+ diff alice.txt alice.data3
+ html_msg $? 0 "Compare Decoded Mult. Recipients Enveloped Data Alice/Dave" "."
+
+ diff alice.txt alice.data4
+ html_msg $? 0 "Compare Decoded with Multiple Email cert" "."
+
+ echo "$SCRIPTNAME: Sending CERTS-ONLY Message ------------------------------"
+ echo "cmsutil -O -r \"Alice,bob@bogus.com,dave@bogus.com\" \\"
+ echo " -d ${P_R_ALICEDIR} > co.der"
+ ${PROFTOOL} ${BINDIR}/cmsutil -O -r "Alice,bob@bogus.com,dave@bogus.com" -d ${P_R_ALICEDIR} > co.der
+ html_msg $? 0 "Create Certs-Only Alice" "."
+
+ echo "cmsutil -D -i co.der -d ${P_R_BOBDIR}"
+ ${PROFTOOL} ${BINDIR}/cmsutil -D -i co.der -d ${P_R_BOBDIR}
+ html_msg $? 0 "Verify Certs-Only by CA" "."
+
+ echo "$SCRIPTNAME: Encrypted-Data Message ---------------------------------"
+ echo "cmsutil -C -i alice.txt -e alicehello.env -d ${P_R_ALICEDIR} \\"
+ echo " -r \"bob@bogus.com\" > alice.enc"
+ ${PROFTOOL} ${BINDIR}/cmsutil -C -i alice.txt -e alicehello.env -d ${P_R_ALICEDIR} \
+ -r "bob@bogus.com" > alice.enc
+ html_msg $? 0 "Create Encrypted-Data" "."
+
+ echo "cmsutil -D -i alice.enc -d ${P_R_BOBDIR} -e alicehello.env -p nss \\"
+ echo " -o alice.data2"
+ ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.enc -d ${P_R_BOBDIR} -e alicehello.env -p nss -o alice.data2
+ html_msg $? 0 "Decode Encrypted-Data" "."
+
+ diff alice.txt alice.data2
+ html_msg $? 0 "Compare Decoded and Original Data" "."
+}
+
+############################## smime_cleanup ###########################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+smime_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+################## main #################################################
+
+smime_init
+smime_main
+smime_p7
+smime_cleanup
+
diff --git a/security/nss/tests/ssl/ssl.sh b/security/nss/tests/ssl/ssl.sh
new file mode 100755
index 000000000..b34c9c097
--- /dev/null
+++ b/security/nss/tests/ssl/ssl.sh
@@ -0,0 +1,1199 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/ssl/ssl.sh
+#
+# Script to test NSS SSL
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## ssl_init ################################
+# local shell function to initialize this script
+########################################################################
+ssl_init()
+{
+ SCRIPTNAME=ssl.sh # sourced - $0 would point to all.sh
+
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd ../common
+ . ./init.sh
+ fi
+ if [ -z "${IOPR_SSL_SOURCED}" ]; then
+ . ../iopr/ssl_iopr.sh
+ fi
+ if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
+ cd ../cert
+ . ./cert.sh
+ fi
+ SCRIPTNAME=ssl.sh
+ echo "$SCRIPTNAME: SSL tests ==============================="
+
+ grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null || {
+ html_head "SSL Test failure"
+ Exit 8 "Fatal - cert.sh needs to pass first"
+ }
+
+ if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
+ grep "SUCCESS: SSL CRL prep passed" $CERT_LOG_FILE >/dev/null || {
+ html_head "SSL Test failure"
+ Exit 8 "Fatal - SSL of cert.sh needs to pass first"
+ }
+ fi
+
+ PORT=${PORT-8443}
+ NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
+ nss_ssl_run="stapling signed_cert_timestamps cov auth stress"
+ NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
+
+ # Test case files
+ SSLCOV=${QADIR}/ssl/sslcov.txt
+ SSLAUTH=${QADIR}/ssl/sslauth.txt
+ SSLSTRESS=${QADIR}/ssl/sslstress.txt
+ SSLPOLICY=${QADIR}/ssl/sslpolicy.txt
+ REQUEST_FILE=${QADIR}/ssl/sslreq.dat
+
+ #temparary files
+ SERVEROUTFILE=${TMP}/tests_server.$$
+ SERVERPID=${TMP}/tests_pid.$$
+
+ R_SERVERPID=../tests_pid.$$
+
+ TEMPFILES="$TMPFILES ${SERVEROUTFILE} ${SERVERPID}"
+
+ fileout=0 #FIXME, looks like all.sh tried to turn this on but actually didn't
+ #fileout=1
+ #verbose="-v" #FIXME - see where this is usefull
+
+ USER_NICKNAME=TestUser
+ NORM_EXT=""
+
+ EC_SUITES=":C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D"
+ EC_SUITES="${EC_SUITES}:C00E:C00F:C010:C011:C012:C013:C014:C023:C024:C027"
+ EC_SUITES="${EC_SUITES}:C028:C02B:C02C:C02F:C030:CCA8:CCA9:CCAA"
+
+ NON_EC_SUITES=":0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B"
+ NON_EC_SUITES="${NON_EC_SUITES}:0084:009C:009D:009E:009F:00A2:00A3:CCAAcdeinvyz"
+
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ ECC_STRING=" - with ECC"
+ # List of cipher suites to test, including ECC cipher suites.
+ CIPHER_SUITES="-c ${EC_SUITES}${NON_EC_SUITES}"
+ else
+ ECC_STRING=""
+ # List of cipher suites to test, excluding ECC cipher suites.
+ CIPHER_SUITES="-c ${NON_EC_SUITES}"
+ fi
+
+ if [ "${OS_ARCH}" != "WINNT" ]; then
+ ulimit -n 1000 # make sure we have enough file descriptors
+ fi
+
+ cd ${CLIENTDIR}
+}
+
+########################### is_selfserv_alive ##########################
+# local shell function to exit with a fatal error if selfserver is not
+# running
+########################################################################
+is_selfserv_alive()
+{
+ if [ ! -f "${SERVERPID}" ]; then
+ echo "$SCRIPTNAME: Error - selfserv PID file ${SERVERPID} doesn't exist"
+ sleep 5
+ if [ ! -f "${SERVERPID}" ]; then
+ Exit 9 "Fatal - selfserv pid file ${SERVERPID} does not exist"
+ fi
+ fi
+
+ if [ "${OS_ARCH}" = "WINNT" ] && \
+ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+ PID=${SHELL_SERVERPID}
+ else
+ PID=`cat ${SERVERPID}`
+ fi
+
+ echo "kill -0 ${PID} >/dev/null 2>/dev/null"
+ kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
+
+ echo "selfserv with PID ${PID} found at `date`"
+}
+
+########################### wait_for_selfserv ##########################
+# local shell function to wait until selfserver is running and initialized
+########################################################################
+wait_for_selfserv()
+{
+ #verbose="-v"
+ echo "trying to connect to selfserv at `date`"
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
+ echo " -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}"
+ ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+ -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}
+ if [ $? -ne 0 ]; then
+ sleep 5
+ echo "retrying to connect to selfserv at `date`"
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
+ echo " -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}"
+ ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+ -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}
+ if [ $? -ne 0 ]; then
+ html_failed "Waiting for Server"
+ fi
+ fi
+ is_selfserv_alive
+}
+
+########################### kill_selfserv ##############################
+# local shell function to kill the selfserver after the tests are done
+########################################################################
+kill_selfserv()
+{
+ if [ "${OS_ARCH}" = "WINNT" ] && \
+ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+ PID=${SHELL_SERVERPID}
+ else
+ PID=`cat ${SERVERPID}`
+ fi
+
+ echo "trying to kill selfserv with PID ${PID} at `date`"
+
+ if [ "${OS_ARCH}" = "WINNT" -o "${OS_ARCH}" = "WIN95" -o "${OS_ARCH}" = "OS2" ]; then
+ echo "${KILL} ${PID}"
+ ${KILL} ${PID}
+ else
+ echo "${KILL} -USR1 ${PID}"
+ ${KILL} -USR1 ${PID}
+ fi
+ wait ${PID}
+ if [ ${fileout} -eq 1 ]; then
+ cat ${SERVEROUTFILE}
+ fi
+
+ # On Linux selfserv needs up to 30 seconds to fully die and free
+ # the port. Wait until the port is free. (Bug 129701)
+ if [ "${OS_ARCH}" = "Linux" ]; then
+ echo "selfserv -b -p ${PORT} 2>/dev/null;"
+ until ${BINDIR}/selfserv -b -p ${PORT} 2>/dev/null; do
+ echo "RETRY: selfserv -b -p ${PORT} 2>/dev/null;"
+ sleep 1
+ done
+ fi
+
+ echo "selfserv with PID ${PID} killed at `date`"
+
+ rm ${SERVERPID}
+ html_detect_core "kill_selfserv core detection step"
+}
+
+########################### start_selfserv #############################
+# local shell function to start the selfserver with the parameters required
+# for this test and log information (parameters, start time)
+# also: wait until the server is up and running
+########################################################################
+start_selfserv()
+{
+ if [ -n "$testname" ] ; then
+ echo "$SCRIPTNAME: $testname ----"
+ fi
+ sparam=`echo $sparam | sed -e 's;_; ;g'`
+ if [ -z "$NSS_DISABLE_ECC" ] && \
+ [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then
+ ECC_OPTIONS="-e ${HOSTADDR}-ecmixed -e ${HOSTADDR}-ec"
+ else
+ ECC_OPTIONS=""
+ fi
+ echo "selfserv starting at `date`"
+ echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
+ echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\"
+ echo " -V ssl3:tls1.2 $verbose -H 1 &"
+ if [ ${fileout} -eq 1 ]; then
+ ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
+ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 \
+ > ${SERVEROUTFILE} 2>&1 &
+ RET=$?
+ else
+ ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
+ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 &
+ RET=$?
+ fi
+
+ # The PID $! returned by the MKS or Cygwin shell is not the PID of
+ # the real background process, but rather the PID of a helper
+ # process (sh.exe). MKS's kill command has a bug: invoking kill
+ # on the helper process does not terminate the real background
+ # process. Our workaround has been to have selfserv save its PID
+ # in the ${SERVERPID} file and "kill" that PID instead. But this
+ # doesn't work under Cygwin; its kill command doesn't recognize
+ # the PID of the real background process, but it does work on the
+ # PID of the helper process. So we save the value of $! in the
+ # SHELL_SERVERPID variable, and use it instead of the ${SERVERPID}
+ # file under Cygwin. (In fact, this should work in any shell
+ # other than the MKS shell.)
+ SHELL_SERVERPID=$!
+ wait_for_selfserv
+
+ if [ "${OS_ARCH}" = "WINNT" ] && \
+ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+ PID=${SHELL_SERVERPID}
+ else
+ PID=`cat ${SERVERPID}`
+ fi
+
+ echo "selfserv with PID ${PID} started at `date`"
+}
+
+############################## ssl_cov #################################
+# local shell function to perform SSL Cipher Coverage tests
+########################################################################
+ssl_cov()
+{
+ #verbose="-v"
+ html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+
+ testname=""
+ sparam="$CIPHER_SUITES"
+
+ start_selfserv # Launch the server
+
+ VMIN="ssl3"
+ VMAX="tls1.1"
+
+ exec < ${SSLCOV}
+ while read ectype testmax param testname
+ do
+ echo "${testname}" | grep "EXPORT" > /dev/null
+ EXP=$?
+
+ if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (ECC only)"
+ elif [ "`echo $ectype | cut -b 1`" != "#" ] ; then
+ echo "$SCRIPTNAME: running $testname ----------------------------"
+ VMAX="ssl3"
+ if [ "$testmax" = "TLS10" ]; then
+ VMAX="tls1.0"
+ fi
+ if [ "$testmax" = "TLS11" ]; then
+ VMAX="tls1.1"
+ fi
+ if [ "$testmax" = "TLS12" ]; then
+ VMAX="tls1.2"
+ fi
+
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
+ echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
+
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
+ -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ html_msg $ret 0 "${testname}" \
+ "produced a returncode of $ret, expected is 0"
+ fi
+ done
+
+ kill_selfserv
+ html "</TABLE><BR>"
+}
+
+############################## ssl_auth ################################
+# local shell function to perform SSL Client Authentication tests
+########################################################################
+ssl_auth()
+{
+ #verbose="-v"
+ html_head "SSL Client Authentication $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+
+ exec < ${SSLAUTH}
+ while read ectype value sparam cparam testname
+ do
+ [ -z "$ectype" ] && continue
+ echo "${testname}" | grep "don't require client auth" > /dev/null
+ CAUTH=$?
+
+ if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then
+ echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
+ elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
+ echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
+ elif [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (ECC only)"
+ elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
+ cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
+ if [ "$ectype" = "SNI" ]; then
+ cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
+ sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
+ fi
+ start_selfserv
+
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+ echo " ${cparam} < ${REQUEST_FILE}"
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} $verbose ${CLIENT_OPTIONS} \
+ -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+
+ #workaround for bug #402058
+ [ $ret -ne 0 ] && ret=1
+ [ $value -ne 0 ] && value=1
+
+ html_msg $ret $value "${testname}" \
+ "produced a returncode of $ret, expected is $value"
+ kill_selfserv
+ fi
+ done
+
+ html "</TABLE><BR>"
+}
+
+ssl_stapling_sub()
+{
+ #verbose="-v"
+ testname=$1
+ SO=$2
+ value=$3
+
+ if [ "$NORM_EXT" = "Extended Test" ] ; then
+ # these tests use the ext_client directory for tstclnt,
+ # which doesn't contain the required "TestCA" for server cert
+ # verification, I don't know if it would be OK to add it...
+ echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
+ return 0
+ fi
+ if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
+ return 0
+ fi
+
+ SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
+ SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}"
+
+ SAVE_P_R_SERVERDIR=${P_R_SERVERDIR}
+ P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/
+
+ echo "${testname}"
+
+ start_selfserv
+
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+ echo " -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE}"
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+ -d ${P_R_CLIENTDIR} $verbose -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+
+ # hopefully no workaround for bug #402058 needed here?
+ # (see commands in ssl_auth
+
+ html_msg $ret $value "${testname}" \
+ "produced a returncode of $ret, expected is $value"
+ kill_selfserv
+
+ SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}
+ P_R_SERVERDIR=${SAVE_P_R_SERVERDIR}
+}
+
+ssl_stapling_stress()
+{
+ testname="Stress OCSP stapling, server uses random status"
+ SO="-A TestCA -T random"
+ value=0
+
+ if [ "$NORM_EXT" = "Extended Test" ] ; then
+ # these tests use the ext_client directory for tstclnt,
+ # which doesn't contain the required "TestCA" for server cert
+ # verification, I don't know if it would be OK to add it...
+ echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
+ return 0
+ fi
+ if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
+ return 0
+ fi
+
+ SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
+ SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}"
+
+ SAVE_P_R_SERVERDIR=${P_R_SERVERDIR}
+ P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/
+
+ echo "${testname}"
+ start_selfserv
+
+ echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \\"
+ echo " -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR}"
+ echo "strsclnt started at `date`"
+ ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \
+ -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR}
+ ret=$?
+
+ echo "strsclnt completed at `date`"
+ html_msg $ret $value \
+ "${testname}" \
+ "produced a returncode of $ret, expected is $value."
+ kill_selfserv
+
+ SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}
+ P_R_SERVERDIR=${SAVE_P_R_SERVERDIR}
+}
+
+############################ ssl_stapling ##############################
+# local shell function to perform SSL Cert Status (OCSP Stapling) tests
+########################################################################
+ssl_stapling()
+{
+ html_head "SSL Cert Status (OCSP Stapling) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+
+ # tstclnt Exit code:
+ # 0: have fresh and valid revocation data, status good
+ # 1: cert failed to verify, prior to revocation checking
+ # 2: missing, old or invalid revocation data
+ # 3: have fresh and valid revocation data, status revoked
+
+ # selfserv modes
+ # good, revoked, unkown: Include locally signed response. Requires: -A
+ # failure: Include OCSP failure status, such as "try later" (unsigned)
+ # badsig: use a good status but with an invalid signature
+ # corrupted: stapled cert status is an invalid block of data
+
+ ssl_stapling_sub "OCSP stapling, signed response, good status" "-A TestCA -T good" 0
+ ssl_stapling_sub "OCSP stapling, signed response, revoked status" "-A TestCA -T revoked" 3
+ ssl_stapling_sub "OCSP stapling, signed response, unknown status" "-A TestCA -T unknown" 2
+ ssl_stapling_sub "OCSP stapling, unsigned failure response" "-A TestCA -T failure" 2
+ ssl_stapling_sub "OCSP stapling, good status, bad signature" "-A TestCA -T badsig" 2
+ ssl_stapling_sub "OCSP stapling, invalid cert status data" "-A TestCA -T corrupted" 2
+ ssl_stapling_sub "Valid cert, Server doesn't staple" "" 2
+
+ ssl_stapling_stress
+
+ html "</TABLE><BR>"
+}
+
+############################ ssl_signed_cert_timestamps #################
+# local shell function to perform SSL Signed Certificate Timestamp tests
+#########################################################################
+ssl_signed_cert_timestamps()
+{
+ #verbose="-v"
+ html_head "SSL Signed Certificate Timestamps $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+
+ testname="ssl_signed_cert_timestamps"
+ value=0
+
+ if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
+ return 0
+ fi
+
+ echo "${testname}"
+
+ start_selfserv
+
+ # Since we don't have server-side support, this test only covers advertising the
+ # extension in the client hello.
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+ echo " -U -V tls1.0:tls1.2 < ${REQUEST_FILE}"
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+ -d ${P_R_CLIENTDIR} $verbose -U -V tls1.0:tls1.2 < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+
+ html_msg $ret $value "${testname}" \
+ "produced a returncode of $ret, expected is $value"
+ kill_selfserv
+ html "</TABLE><BR>"
+}
+
+
+############################## ssl_stress ##############################
+# local shell function to perform SSL stress test
+########################################################################
+ssl_stress()
+{
+ html_head "SSL Stress Test $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+
+ exec < ${SSLSTRESS}
+ while read ectype value sparam cparam testname
+ do
+ if [ -z "$ectype" ]; then
+ # silently ignore blank lines
+ continue
+ fi
+
+ echo "${testname}" | grep "client auth" > /dev/null
+ CAUTH=$?
+
+ if [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
+ echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
+ elif [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (ECC only)"
+ elif [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -ne 0 ] ; then
+ echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
+ elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
+ cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
+ if [ "$ectype" = "SNI" ]; then
+ cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
+ sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
+ fi
+
+ start_selfserv
+
+ if [ "`uname -n`" = "sjsu" ] ; then
+ echo "debugging disapering selfserv... ps -ef | grep selfserv"
+ ps -ef | grep selfserv
+ fi
+
+ echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \\"
+ echo " -V ssl3:tls1.2 $verbose ${HOSTADDR}"
+ echo "strsclnt started at `date`"
+ ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \
+ -V ssl3:tls1.2 $verbose ${HOSTADDR}
+ ret=$?
+ echo "strsclnt completed at `date`"
+ html_msg $ret $value \
+ "${testname}" \
+ "produced a returncode of $ret, expected is $value. "
+ if [ "`uname -n`" = "sjsu" ] ; then
+ echo "debugging disapering selfserv... ps -ef | grep selfserv"
+ ps -ef | grep selfserv
+ fi
+ kill_selfserv
+ fi
+ done
+
+ html "</TABLE><BR>"
+}
+
+############################ ssl_crl_ssl ###############################
+# local shell function to perform SSL test with/out revoked certs tests
+########################################################################
+ssl_crl_ssl()
+{
+ #verbose="-v"
+ html_head "CRL SSL Client Tests $NORM_EXT $ECC_STRING"
+
+ # Using First CRL Group for this test. There are $CRL_GRP_1_RANGE certs in it.
+ # Cert number $UNREVOKED_CERT_GRP_1 was not revoked
+ CRL_GROUP_BEGIN=$CRL_GRP_1_BEGIN
+ CRL_GROUP_RANGE=$CRL_GRP_1_RANGE
+ UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1
+
+ exec < ${SSLAUTH}
+ while read ectype value sparam cparam testname
+ do
+ [ "$ectype" = "" ] && continue
+ if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (ECC only)"
+ elif [ "$ectype" = "SNI" ]; then
+ continue
+ elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
+ servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
+ pwd=`echo $cparam | grep nss`
+ user=`echo $cparam | grep TestUser`
+ _cparam=$cparam
+ case $servarg in
+ 1) if [ -z "$pwd" -o -z "$user" ]; then
+ rev_modvalue=0
+ else
+ rev_modvalue=254
+ fi
+ ;;
+ 2) rev_modvalue=254 ;;
+ 3) if [ -z "$pwd" -o -z "$user" ]; then
+ rev_modvalue=0
+ else
+ rev_modvalue=1
+ fi
+ ;;
+ 4) rev_modvalue=1 ;;
+ esac
+ TEMP_NUM=0
+ while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ]
+ do
+ CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}`
+ TEMP_NUM=`expr $TEMP_NUM + 1`
+ USER_NICKNAME="TestUser${CURR_SER_NUM}"
+ cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
+ start_selfserv
+
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
+ echo " ${cparam} < ${REQUEST_FILE}"
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
+ -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then
+ modvalue=$rev_modvalue
+ testAddMsg="revoked"
+ else
+ testAddMsg="not revoked"
+ modvalue=$value
+ fi
+
+ html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \
+ "produced a returncode of $ret, expected is $modvalue"
+ kill_selfserv
+ done
+ fi
+ done
+
+ html "</TABLE><BR>"
+}
+
+############################## ssl_cov #################################
+# local shell function to perform SSL Policy tests
+########################################################################
+ssl_policy()
+{
+ #verbose="-v"
+ html_head "SSL POLICY $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+
+ testname=""
+ sparam="$CIPHER_SUITES"
+
+ if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then
+ return;
+ fi
+
+ echo "Saving pkcs11.txt"
+ cp ${P_R_CLIENTDIR}/pkcs11.txt ${P_R_CLIENTDIR}/pkcs11.txt.sav
+
+ start_selfserv # Launch the server
+
+ VMIN="ssl3"
+ VMAX="tls1.2"
+
+ exec < ${SSLPOLICY}
+ while read value ectype testmax param policy testname
+ do
+ VMIN="ssl3"
+
+ if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (ECC only)"
+ elif [ "`echo $value | cut -b 1`" != "#" ] ; then
+ echo "$SCRIPTNAME: running $testname ----------------------------"
+ VMAX="ssl3"
+ if [ "$testmax" = "TLS10" ]; then
+ VMAX="tls1.0"
+ fi
+ if [ "$testmax" = "TLS11" ]; then
+ VMAX="tls1.1"
+ fi
+ if [ "$testmax" = "TLS12" ]; then
+ VMAX="tls1.2"
+ fi
+
+ # load the policy
+ policy=`echo ${policy} | sed -e 's;_; ;g'`
+
+ cat > ${P_R_CLIENTDIR}/pkcs11.txt << ++EOF++
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='./client' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+++EOF++
+ echo "config=${policy}" >> ${P_R_CLIENTDIR}/pkcs11.txt
+ echo "" >> ${P_R_CLIENTDIR}/pkcs11.txt
+ echo "library=${DIST}/${OBJDIR}/lib/libnssckbi.so" >> ${P_R_CLIENTDIR}/pkcs11.txt >> ${P_R_CLIENTDIR}/pkcs11.txt
+ cat >> ${P_R_CLIENTDIR}/pkcs11.txt << ++EOF++
+name=RootCerts
+NSS=trustOrder=100
+++EOF++
+
+ echo "******************************Testing with: "
+ cat ${P_R_CLIENTDIR}/pkcs11.txt
+ echo "******************************"
+
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
+ echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
+
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
+ -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+
+ #workaround for bug #402058
+ [ $ret -ne 0 ] && ret=1
+ [ ${value} -ne 0 ] && value=1
+
+ html_msg $ret ${value} "${testname}" \
+ "produced a returncode of $ret, expected is ${value}"
+ fi
+ done
+ cp ${P_R_CLIENTDIR}/pkcs11.txt.sav ${P_R_CLIENTDIR}/pkcs11.txt
+
+ kill_selfserv
+ html "</TABLE><BR>"
+}
+############################# is_revoked ###############################
+# local shell function to check if certificate is revoked
+########################################################################
+is_revoked() {
+ certNum=$1
+ currLoadedGrp=$2
+
+ found=0
+ ownerGrp=1
+ while [ $ownerGrp -le $TOTAL_GRP_NUM -a $found -eq 0 ]
+ do
+ currGrpBegin=`eval echo \$\{CRL_GRP_${ownerGrp}_BEGIN\}`
+ currGrpRange=`eval echo \$\{CRL_GRP_${ownerGrp}_RANGE\}`
+ currGrpEnd=`expr $currGrpBegin + $currGrpRange - 1`
+ if [ $certNum -ge $currGrpBegin -a $certNum -le $currGrpEnd ]; then
+ found=1
+ else
+ ownerGrp=`expr $ownerGrp + 1`
+ fi
+ done
+ if [ $found -eq 1 -a $currLoadedGrp -lt $ownerGrp ]; then
+ return 1
+ fi
+ if [ $found -eq 0 ]; then
+ return 1
+ fi
+ unrevokedGrpCert=`eval echo \$\{UNREVOKED_CERT_GRP_${ownerGrp}\}`
+ if [ $certNum -eq $unrevokedGrpCert ]; then
+ return 1
+ fi
+ return 0
+}
+
+########################### load_group_crl #############################
+# local shell function to load CRL
+########################################################################
+load_group_crl() {
+ #verbose="-v"
+ group=$1
+ ectype=$2
+
+ OUTFILE_TMP=${TMP}/$HOST.tmp.$$
+ grpBegin=`eval echo \$\{CRL_GRP_${group}_BEGIN\}`
+ grpRange=`eval echo \$\{CRL_GRP_${group}_RANGE\}`
+ grpEnd=`expr $grpBegin + $grpRange - 1`
+
+ if [ "$grpBegin" = "" -o "$grpRange" = "" ]; then
+ ret=1
+ return 1;
+ fi
+
+ # Add -ec suffix for ECC
+ if [ "$ectype" = "ECC" ] ; then
+ ecsuffix="-ec"
+ eccomment="ECC "
+ else
+ ecsuffix=""
+ eccomment=""
+ fi
+
+ if [ "$RELOAD_CRL" != "" ]; then
+ if [ $group -eq 1 ]; then
+ echo "==================== Resetting to group 1 crl ==================="
+ kill_selfserv
+ start_selfserv
+ is_selfserv_alive
+ fi
+ echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd ============="
+
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
+ echo " -V ssl3:tls1.2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}"
+ echo "Request:"
+ echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}"
+ echo ""
+ echo "RELOAD time $i"
+
+ REQF=${R_CLIENTDIR}.crlreq
+ cat > ${REQF} <<_EOF_REQUEST_
+GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}
+
+_EOF_REQUEST_
+
+ ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f \
+ -d ${R_CLIENTDIR} $verbose -V ssl3:tls1.2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \
+ >${OUTFILE_TMP} 2>&1 < ${REQF}
+
+ cat ${OUTFILE_TMP}
+ grep "CRL ReCache Error" ${OUTFILE_TMP}
+ if [ $? -eq 0 ]; then
+ ret=1
+ return 1
+ fi
+ else
+ echo "=== Updating DB for group $grpBegin - $grpEnd and restarting selfserv ====="
+
+ kill_selfserv
+ CU_ACTION="Importing ${eccomment}CRL for groups $grpBegin - $grpEnd"
+ crlu -d ${R_SERVERDIR} -I -i ${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} \
+ -p ../tests.pw.928
+ ret=$?
+ if [ "$ret" -eq 0 ]; then
+ html_passed "${CU_ACTION}"
+ return 1
+ fi
+ start_selfserv
+ fi
+ is_selfserv_alive
+ ret=$?
+ echo "================= CRL Reloaded ============="
+}
+
+
+########################### ssl_crl_cache ##############################
+# local shell function to perform SSL test for crl cache functionality
+# with/out revoked certs
+########################################################################
+ssl_crl_cache()
+{
+ #verbose="-v"
+ html_head "Cache CRL SSL Client Tests $NORM_EXT $ECC_STRING"
+ SSLAUTH_TMP=${TMP}/authin.tl.tmp
+ SERV_ARG=-r_-r
+ rm -f ${SSLAUTH_TMP}
+ echo ${SSLAUTH_TMP}
+
+ grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP}
+ echo $?
+ while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ]
+ do
+ sparam=$SERV_ARG
+ start_selfserv
+ exec < ${SSLAUTH_TMP}
+ while read ectype value sparam cparam testname
+ do
+ [ "$ectype" = "" ] && continue
+ if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (ECC only)"
+ elif [ "$ectype" = "SNI" ]; then
+ continue
+ else
+ servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
+ pwd=`echo $cparam | grep nss`
+ user=`echo $cparam | grep TestUser`
+ _cparam=$cparam
+ case $servarg in
+ 1) if [ -z "$pwd" -o -z "$user" ]; then
+ rev_modvalue=0
+ else
+ rev_modvalue=254
+ fi
+ ;;
+ 2) rev_modvalue=254 ;;
+
+ 3) if [ -z "$pwd" -o -z "$user" ]; then
+ rev_modvalue=0
+ else
+ rev_modvalue=1
+ fi
+ ;;
+ 4) rev_modvalue=1 ;;
+ esac
+ TEMP_NUM=0
+ LOADED_GRP=1
+ while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ]
+ do
+ while [ $TEMP_NUM -lt $TOTAL_CRL_RANGE ]
+ do
+ CURR_SER_NUM=`expr ${CRL_GRP_1_BEGIN} + ${TEMP_NUM}`
+ TEMP_NUM=`expr $TEMP_NUM + 1`
+ USER_NICKNAME="TestUser${CURR_SER_NUM}"
+ cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
+
+ echo "Server Args: $SERV_ARG"
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
+ echo " ${cparam} < ${REQUEST_FILE}"
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
+ -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ is_revoked ${CURR_SER_NUM} ${LOADED_GRP}
+ isRevoked=$?
+ if [ $isRevoked -eq 0 ]; then
+ modvalue=$rev_modvalue
+ testAddMsg="revoked"
+ else
+ modvalue=$value
+ testAddMsg="not revoked"
+ fi
+
+ is_selfserv_alive
+ ss_status=$?
+ if [ "$ss_status" -ne 0 ]; then
+ html_msg $ret $modvalue \
+ "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
+ "produced a returncode of $ret, expected is $modvalue. " \
+ "selfserv is not alive!"
+ else + html_msg $ret $modvalue \ + "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \ + "produced a returncode of $ret, expected is $modvalue" + fi + done + LOADED_GRP=`expr $LOADED_GRP + 1` + TEMP_NUM=0 + if [ "$LOADED_GRP" -le "$TOTAL_GRP_NUM" ]; then + load_group_crl $LOADED_GRP $ectype + html_msg $ret 0 "Load group $LOADED_GRP ${eccomment}crl " \ + "produced a returncode of $ret, expected is 0" + fi + done + # Restart selfserv to roll back to two initial group 1 crls + # TestCA CRL and TestCA-ec CRL + kill_selfserv + start_selfserv + fi + done + kill_selfserv + SERV_ARG="${SERV_ARG}_-r" + rm -f ${SSLAUTH_TMP} + grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP} + done + TEMPFILES=${SSLAUTH_TMP} + html "</TABLE><BR>" +} + + +############################## ssl_cleanup ############################# +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +ssl_cleanup() +{ + rm $SERVERPID 2>/dev/null + cd ${QADIR} + . 
common/cleanup.sh +} + +############################## ssl_run ################################# +# local shell function to run coverage, authentication and stress tests +######################################################################## +ssl_run() +{ + for SSL_RUN in ${NSS_SSL_RUN} + do + case "${SSL_RUN}" in + "stapling") + if [ -nz "$NSS_DISABLE_LIBPKIX" ]; then + ssl_stapling + fi + ;; + "signed_cert_timestamps") + ssl_signed_cert_timestamps + ;; + "cov") + ssl_cov + ;; + "auth") + ssl_auth + ;; + "stress") + ssl_stress + ;; + esac + done +} + +############################ ssl_run_all ############################### +# local shell function to run both standard and extended ssl tests +######################################################################## +ssl_run_all() +{ + ORIG_SERVERDIR=$SERVERDIR + ORIG_CLIENTDIR=$CLIENTDIR + ORIG_R_SERVERDIR=$R_SERVERDIR + ORIG_R_CLIENTDIR=$R_CLIENTDIR + ORIG_P_R_SERVERDIR=$P_R_SERVERDIR + ORIG_P_R_CLIENTDIR=$P_R_CLIENTDIR + + USER_NICKNAME=TestUser + NORM_EXT="" + cd ${CLIENTDIR} + + ssl_run + + SERVERDIR=$EXT_SERVERDIR + CLIENTDIR=$EXT_CLIENTDIR + R_SERVERDIR=$R_EXT_SERVERDIR + R_CLIENTDIR=$R_EXT_CLIENTDIR + P_R_SERVERDIR=$P_R_EXT_SERVERDIR + P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR + + USER_NICKNAME=ExtendedSSLUser + NORM_EXT="Extended Test" + cd ${CLIENTDIR} + + ssl_run + + # the next round of ssl tests will only run if these vars are reset + SERVERDIR=$ORIG_SERVERDIR + CLIENTDIR=$ORIG_CLIENTDIR + R_SERVERDIR=$ORIG_R_SERVERDIR + R_CLIENTDIR=$ORIG_R_CLIENTDIR + P_R_SERVERDIR=$ORIG_P_R_SERVERDIR + P_R_CLIENTDIR=$ORIG_P_R_CLIENTDIR + + USER_NICKNAME=TestUser + NORM_EXT= + cd ${QADIR}/ssl +} + +############################ ssl_set_fips ############################## +# local shell function to set FIPS mode on/off +######################################################################## +ssl_set_fips() +{ + CLTSRV=$1 + ONOFF=$2 + + if [ ${CLTSRV} = "server" ]; then + DBDIRS="${SERVERDIR} ${EXT_SERVERDIR}" + else + 
DBDIRS="${CLIENTDIR} ${EXT_CLIENTDIR}" + fi + + if [ "${ONOFF}" = "on" ]; then + FIPSMODE=true + RET_EXP=0 + else + FIPSMODE=false + RET_EXP=1 + fi + + html_head "SSL - FIPS mode ${ONOFF} for ${CLTSRV}" + + for DBDIR in ${DBDIRS} + do + EXT_OPT= + echo ${DBDIR} | grep ext > /dev/null + if [ $? -eq 0 ]; then + EXT_OPT="extended " + fi + + echo "${SCRIPTNAME}: Turning FIPS ${ONOFF} for the ${EXT_OPT} ${CLTSRV}" + + echo "modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force" + ${BINDIR}/modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force 2>&1 + RET=$? + html_msg "${RET}" "0" "${TESTNAME} (modutil -fips ${FIPSMODE})" \ + "produced a returncode of ${RET}, expected is 0" + + echo "modutil -dbdir ${DBDIR} -list" + DBLIST=`${BINDIR}/modutil -dbdir ${DBDIR} -list 2>&1` + RET=$? + html_msg "${RET}" "0" "${TESTNAME} (modutil -list)" \ + "produced a returncode of ${RET}, expected is 0" + + echo "${DBLIST}" | grep "FIPS PKCS #11" + RET=$? + html_msg "${RET}" "${RET_EXP}" "${TESTNAME} (grep \"FIPS PKCS #11\")" \ + "produced a returncode of ${RET}, expected is ${RET_EXP}" + done + + html "</TABLE><BR>" +} + +############################ ssl_set_fips ############################## +# local shell function to run all tests set in NSS_SSL_TESTS variable +######################################################################## +ssl_run_tests() +{ + for SSL_TEST in ${NSS_SSL_TESTS} + do + case "${SSL_TEST}" in + "policy") + if [ "${TEST_MODE}" = "SHARED_DB" ] ; then + ssl_policy + fi + ;; + "crl") + ssl_crl_ssl + ssl_crl_cache + ;; + "iopr") + ssl_iopr_run + ;; + *) + SERVER_MODE=`echo "${SSL_TEST}" | cut -d_ -f1` + CLIENT_MODE=`echo "${SSL_TEST}" | cut -d_ -f2` + + case "${SERVER_MODE}" in + "normal") + SERVER_OPTIONS= + ;; + "fips") + SERVER_OPTIONS= + ssl_set_fips server on + ;; + *) + echo "${SCRIPTNAME}: Error: Unknown server mode ${SERVER_MODE}" + continue + ;; + esac + + case "${CLIENT_MODE}" in + "normal") + CLIENT_OPTIONS= + ;; + "fips") + SERVER_OPTIONS= + ssl_set_fips client on + 
;; + *) + echo "${SCRIPTNAME}: Error: Unknown client mode ${CLIENT_MODE}" + continue + ;; + esac + + ssl_run_all + + if [ "${SERVER_MODE}" = "fips" ]; then + ssl_set_fips server off + fi + + if [ "${CLIENT_MODE}" = "fips" ]; then + ssl_set_fips client off + fi + ;; + esac + done +} + +################################# main ################################# + +ssl_init +ssl_run_tests +ssl_cleanup + diff --git a/security/nss/tests/ssl/ssl_dist_stress.sh b/security/nss/tests/ssl/ssl_dist_stress.sh new file mode 100755 index 000000000..a67dfcbac --- /dev/null +++ b/security/nss/tests/ssl/ssl_dist_stress.sh 
@@ -0,0 +1,313 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/ssl/ssl_dist_stress.sh +# +# Script to test NSS SSL - distributed stresstest - this script needs to +# source the regular ssl.sh (for shellfunctions, certs and variables +# initialisation) +# create certs +# start server +# start itself via rsh on different systems to connect back to the server +# +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +######################################################################## + +############################## ssl_ds_init ############################# +# local shell function to initialize this script +######################################################################## +ssl_ds_init() +{ + if [ -z "$GLOB_MIN_CERT" ] ; then + GLOB_MIN_CERT=0 + fi + if [ -z "$GLOB_MAX_CERT" ] ; then + GLOB_MAX_CERT=200 + fi + IP_PARAM="" + CD_QADIR_SSL="" + + + if [ -n "$1" ] ; then + ssl_ds_eval_opts $* + fi + SCRIPTNAME=ssl_dist_stress.sh # sourced - $0 would point to all.sh + + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + + ssl_init # let some other script do the hard work (initialize, generate certs, ... 
+ + SCRIPTNAME=ssl_dist_stress.sh + echo "$SCRIPTNAME: SSL distributed stress tests ===============================" + +} + +######################### ssl_ds_usage ################################# +# local shell function to explain the usage +######################################################################## +ssl_ds_usage() +{ + echo "Usage: `basename $1`" + echo " -host hostname " + echo " ...host who runs the server, for distributed stress test" + echo " -stress " + echo " ...runs the server sider of the distributed stress test" + echo " -dir unixdirectory " + echo " ...lets the server side of the distributed stress test" + echo " know where to find the scritp to start on the remote side" + echo " -certnum start-end" + echo " ... provides the range of certs for distributed stress test" + echo " for example -certnum 10-20 will connect 10 times" + echo " no blanks in the range string (not 10 - 20)" + echo " valid range ${GLOB_MIN_CERT}-${GLOB_MAX_CERT}" + echo " -? ...prints this text" + exit 1 #does not need to be Exit, very early in script +} + +######################### ssl_ds_eval_opts ############################# +# local shell function to deal with options and parameters +######################################################################## +ssl_ds_eval_opts() +{ + #use $0 not $SCRIPTNAM<E, too early, SCRIPTNAME not yet set + + while [ -n "$1" ] + do + case $1 in + -host) + BUILD_OPT=1 + export BUILD_OPT + DO_REM_ST="TRUE" + shift + SERVERHOST=$1 + HOST=$1 + if [ -z $SERVERHOST ] ; then + echo "$0 `uname -n`: -host requires hostname" + ssl_ds_usage + fi + echo "$0 `uname -n`: host $HOST ($1)" + ;; + -certn*) + shift + rangeOK=`echo $1 | sed -e 's/[0-9][0-9]*-[0-9][0-9]*/OK/'` + MIN_CERT=`echo $1 | sed -e 's/-[0-9][0-9]*//' -e 's/^00*//'` + MAX_CERT=`echo $1 | sed -e 's/[0-9][0-9]*-//' -e 's/^00*//'` + if [ -z "$rangeOK" -o "$rangeOK" != "OK" -o \ + -z "$MIN_CERT" -o -z "$MAX_CERT" -o \ + "$MIN_CERT" -gt "$MAX_CERT" -o \ + "$MIN_CERT" -lt 
"$GLOB_MIN_CERT" -o \ + "$MAX_CERT" -gt "$GLOB_MAX_CERT" ] ; then + echo "$0 `uname -n`: -certn range not valid" + ssl_ds_usage + fi + echo "$0 `uname -n`: will use certs from $MIN_CERT to $MAX_CERT" + ;; + -server|-stress|-dist*st*) + BUILD_OPT=1 + export BUILD_OPT + DO_DIST_ST="TRUE" + ;; + -dir|-unixdir|-uxdir|-qadir) + shift + UX_DIR=$1 + #FIXME - we need a default unixdir + if [ -z "$UX_DIR" ] ; then # -o ! -d "$UX_DIR" ] ; then can't do, Win doesn't know... + echo "$0 `uname -n`: -dir requires directoryname " + ssl_ds_usage + fi + CD_QADIR_SSL="cd $UX_DIR" + ;; + -ip*) + shift + IP_ADDRESS=$1 + if [ -z "$IP_ADDRESS" ] ; then + echo "$0 `uname -n`: -ip requires ip-address " + ssl_ds_usage + fi + USE_IP=TRUE + IP_PARAM="-ip $IP_ADDRESS" + ;; + -h|-help|"-?"|*) + ssl_ds_usage + ;; + esac + shift + done +} + +############################## ssl_ds_rem_stress ####################### +# local shell function to perform the client part of the SSL stress test +######################################################################## + +ssl_ds_rem_stress() +{ + testname="SSL remote part of Stress test (`uname -n`)" + echo "$SCRIPTNAME `uname -n`: $testname" + + #cp -r "${CLIENTDIR}" /tmp/ssl_ds.$$ #FIXME + #cd /tmp/ssl_ds.$$ + #verbose="-v" + + cd ${CLIENTDIR} + + CONTINUE=$MAX_CERT + while [ $CONTINUE -ge $MIN_CERT ] + do + echo "strsclnt -D -p ${PORT} -d ${P_R_CLIENTDIR} -w nss -c 1 $verbose " + echo " -n TestUser$CONTINUE ${HOSTADDR} #`uname -n`" + ${BINDIR}/strsclnt -D -p ${PORT} -d . 
-w nss -c 1 $verbose \ + -n "TestUser$CONTINUE" ${HOSTADDR} & + #${HOSTADDR} & + CONTINUE=`expr $CONTINUE - 1 ` + #sleep 4 #give process time to start up + done + + html_msg 0 0 "${testname}" #FIXME +} + +######################### ssl_ds_dist_stress ########################### +# local shell function to perform the server part of the new, distributed +# SSL stress test +######################################################################## + +ssl_ds_dist_stress() +{ + max_clientlist=" + box-200 + washer-200 + dryer-200 + hornet-50 + shabadoo-50 + y2sun2-10 + galileo-10 + shame-10 + axilla-10 + columbus-10 + smarch-10 + nugget-10 + charm-10 + hp64-10 + biggayal-10 + orville-10 + kwyjibo-10 + hbombaix-10 + raven-10 + jordan-10 + phaedrus-10 + louie-10 + trex-10 + compaqtor-10" + + #clientlist=" huey-2 dewey-2 hornet-2 shabadoo-2" #FIXME ADJUST + clientlist=" box-200 washer-200 huey-200 dewey-200 hornet-200 shabadoo-200 louie-200" + #clientlist=" box-2 huey-2 " + #clientlist="washer-200 huey-200 dewey-200 hornet-200 " + + html_head "SSL Distributed Stress Test" + + testname="SSL distributed Stress test" + + echo cd "${CLIENTDIR}" + cd "${CLIENTDIR}" + if [ -z "CD_QADIR_SSL" ] ; then + CD_QADIR_SSL="cd $QADIR/ssl" + else + cp -r $HOSTDIR $HOSTDIR/../../../../../booboo_Solaris8/mozilla/tests_results/security + fi + + #sparam=" -t 128 -D -r " + sparam=" -t 16 -D -r -r -y " + start_selfserv + + for c in $clientlist + do + client=`echo $c | sed -e "s/-.*//"` + number=`echo $c | sed -e "s/.*-//"` + CLIENT_OK="TRUE" + echo $client + ping $client >/dev/null || CLIENT_OK="FALSE" + if [ "$CLIENT_OK" = "FALSE" ] ; then + echo "$SCRIPTNAME `uname -n`: $client can't be reached - skipping" + else + get_certrange $number + echo "$SCRIPTNAME `uname -n`: $RSH $client -l svbld \\ " + echo " \" $CD_QADIR_SSL ;ssl_dist_stress.sh \\" + echo " -host $HOST -certnum $CERTRANGE $IP_PARAM \" " + $RSH $client -l svbld \ + " $CD_QADIR_SSL;ssl_dist_stress.sh -host $HOST -certnum $CERTRANGE 
$IP_PARAM " & + fi + done + + echo cd "${CLIENTDIR}" + cd "${CLIENTDIR}" + + sleep 500 # give the clients time to finish #FIXME ADJUST + + echo "GET /stop HTTP/1.0\n\n" > stdin.txt #check to make sure it has /r/n + echo "tstclnt -h $HOSTADDR -p 8443 -d ${P_R_CLIENTDIR} -n TestUser0 " + echo " -w nss -f < stdin.txt" + ${BINDIR}/tstclnt -h $HOSTADDR -p 8443 -d ${P_R_CLIENTDIR} -n TestUser0 \ + -w nss -f < stdin.txt + + html_msg 0 0 "${testname}" + html "</TABLE><BR>" +} + +############################ get_certrange ############################# +# local shell function to find the range of certs that the next remote +# client is supposed to use (only for server side of the dist stress test +######################################################################## +get_certrange() +{ + rangeOK=`echo $1 | sed -e 's/[0-9][0-9]*/OK/'` + if [ -z "$rangeOK" -o "$rangeOK" != "OK" -o $1 = "OK" ] ; then + range=10 + echo "$SCRIPTNAME `uname -n`: $1 is not a valid number of certs " + echo " defaulting to 10 for $client" + else + range=$1 + if [ $range -gt $GLOB_MAX_CERT ] ; then + range=$GLOB_MAX_CERT + fi + fi + if [ -z "$FROM_CERT" ] ; then # start new on top of the cert stack + FROM_CERT=$GLOB_MAX_CERT + elif [ `expr $FROM_CERT - $range + 1 ` -lt 0 ] ; then + FROM_CERT=$GLOB_MAX_CERT # dont let it fall below 0 on the TO_CERT + + fi + TO_CERT=`expr $FROM_CERT - $range + 1 ` + if [ $TO_CERT -lt 0 ] ; then # it's not that I'm bad in math, I just + TO_CERT=0 # don't trust expr... + fi + CERTRANGE="${TO_CERT}-${FROM_CERT}" + FROM_CERT=`expr ${TO_CERT} - 1 ` #start the next client one below +} + + +################## main ################################################# + +DO_DIST_ST="TRUE" +. ./ssl.sh +ssl_ds_init $* +if [ -n "$DO_REM_ST" -a "$DO_REM_ST" = "TRUE" ] ; then + ssl_ds_rem_stress + exit 0 #no cleanup on purpose +elif [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then + ssl_ds_dist_stress +fi +ssl_cleanup 
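Review bot: In ssl_ds_dist_stress the test `if [ -z "CD_QADIR_SSL" ] ; then` checks a literal string instead of the variable, so it can never be true: the fallback `CD_QADIR_SSL="cd $QADIR/ssl"` is never assigned and the else branch always runs the `cp -r $HOSTDIR $HOSTDIR/../../../../../booboo_Solaris8/...` copy to a hard-coded path, even when -dir was not given. The one-character fix is `if [ -z "$CD_QADIR_SSL" ] ; then`; as written, when -dir is absent the remote command begins with an empty cd prefix (ssl_ds_init sets `CD_QADIR_SSL=""`), so `ssl_dist_stress.sh` is resolved relative to whatever directory the rsh login lands in. Separately, `$RSH $client -l svbld "... -host $HOST -certnum $CERTRANGE $IP_PARAM"` splices the -host argument straight into a remote shell command line over rsh with a fixed account, and ssl_ds_eval_opts accepts any string for -host; this is lab-only infrastructure, but the value should be validated (or at least single-quoted) before it is interpolated. The shutdown request also hard-codes `-p 8443` although the clients connect on `${PORT}`, and under bash `echo "GET /stop HTTP/1.0\n\n"` writes a literal backslash-n rather than the blank line the adjacent comment asks for; `printf 'GET /stop HTTP/1.0\r\n\r\n' > stdin.txt` with `-p ${PORT}` would address both.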
diff --git a/security/nss/tests/ssl/sslauth.txt b/security/nss/tests/ssl/sslauth.txt
new file mode 100644
index 000000000..82d1ddea4
--- /dev/null
+++ b/security/nss/tests/ssl/sslauth.txt
@@ -0,0 +1,76 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This file defines the tests for client auth.
+#
+# expected
+# Enable return server client Test Case name
+# ECC value params params
+# ------- ------ ------ ------ ---------------
+ noECC 0 -r -V_ssl3:tls1.2_-w_nss_-n_none TLS Request don't require client auth (client does not provide auth)
+ noECC 0 -r -V_ssl3:tls1.2_-w_bogus_-n_TestUser TLS Request don't require client auth (bad password)
+ noECC 0 -r -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Request don't require client auth (client auth)
+ noECC 254 -r_-r -V_ssl3:tls1.2_-w_nss_-n_none TLS Require client auth (client does not provide auth)
+ noECC 254 -r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser TLS Require client auth (bad password)
+ noECC 0 -r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser_ TLS Require client auth (client auth)
+ noECC 0 -r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth)
+ noECC 0 -r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password)
+ noECC 0 -r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth)
+ noECC 254 -r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Require client auth (client does not provide auth)
+ noECC 254 -r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth (bad password)
+ noECC 0 -r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Require client auth (client auth)
+ noECC 0 -r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_none TLS Request don't require client auth on 2nd hs (client does not provide auth)
+ noECC 0 -r_-r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser TLS Request don't require client auth on 2nd hs (bad password)
+ noECC 0 -r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Request don't require client auth on 2nd hs (client auth)
+ noECC 1 -r_-r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_none TLS Require client auth on 2nd hs (client does not provide auth)
+ noECC 1 -r_-r_-r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser TLS Require client auth on 2nd hs (bad password)
+ noECC 0 -r_-r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Require client auth on 2nd hs (client auth)
+ noECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_none TLS 1.0 Request don't require client auth on 2nd hs (client does not provide auth)
+ noECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser TLS 1.0 Request don't require client auth on 2nd hs (bad password)
+ noECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser TLS 1.0 Request don't require client auth on 2nd hs (client auth)
+ noECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_none TLS 1.0 Require client auth on 2nd hs (client does not provide auth)
+ noECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser TLS 1.0 Require client auth on 2nd hs (bad password)
+ noECC 0 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser TLS 1.0 Require client auth on 2nd hs (client auth)
+ noECC 0 -r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth)
+ noECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password)
+ noECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth)
+ noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Require client auth on 2nd hs (client does not provide auth)
+ noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth on 2nd hs (bad password)
+ noECC 0 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Require client auth on 2nd hs (client auth)
+#
+# Use EC cert for client authentication
+#
+ ECC 0 -r -V_ssl3:tls1.2_-w_bogus_-n_TestUser-ec TLS Request don't require client auth (EC) (bad password)
+ ECC 0 -r -V_ssl3:tls1.2_-w_nss_-n_TestUser-ec TLS Request don't require client auth (EC) (client auth)
+ ECC 254 -r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser-ec TLS Require client auth (EC) (bad password)
+ ECC 0 -r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser-ec_ TLS Require client auth (EC) (client auth)
+ ECC 0 -r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth (EC) (bad password)
+ ECC 0 -r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth (EC) (client auth)
+ ECC 254 -r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth (EC) (bad password)
+ ECC 0 -r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth (EC) (client auth)
+ ECC 0 -r_-r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (bad password)
+ ECC 0 -r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (client auth)
+ ECC 1 -r_-r_-r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser-ec TLS Require client auth on 2nd hs (EC) (bad password)
+ ECC 0 -r_-r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser-ec_ TLS Require client auth on 2nd hs (EC) (client auth)
+ ECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser-ec TLS 1.0 Request don't require client auth on 2nd hs (EC) (bad password)
+ ECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec TLS 1.0 Request don't require client auth on 2nd hs (EC) (client auth)
+ ECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser-ec TLS 1.0 Require client auth on 2nd hs (EC) (bad password)
+ ECC 0 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec_ TLS 1.0 Require client auth on 2nd hs (EC) (client auth)
+ ECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password)
+ ECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth)
+ ECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth on 2nd hs (EC) (bad password)
+ ECC 0 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth)
+#
+# SNI Tests
+#
+ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Server hello response without SNI
+ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
+ SNI 1 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
+ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI
+ SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions
+ SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Server hello response without SNI
+ SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
+ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS
+ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS
+ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
diff --git a/security/nss/tests/ssl/sslcov.txt b/security/nss/tests/ssl/sslcov.txt
new file mode 100644
index 000000000..1eb7f47de
--- /dev/null
+++ b/security/nss/tests/ssl/sslcov.txt
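Review bot: The column header `# Enable ECC` does not match what the first column actually holds: rows use `noECC`, `ECC` and `SNI`, and the SNI rows are a distinct test class rather than an ECC on/off switch (ssl.sh in this same diff branches on `"$ectype" = "SNI"` separately from the ECC check). I would rewrite the header as `# Test class (noECC | ECC | SNI)   expected return   server params   client params   Test Case name` so a reader does not mistake SNI for an ECC setting. It would also help to state that `_` in the params columns stands for a space, since the driver rewrites `_` to ` ` before invoking tstclnt; without that note the trailing `_` on rows such as `-n_TestUser_` looks like a typo.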
@@ -0,0 +1,143 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This file enables test coverage of the various SSL ciphers
+#
+# Enable Enable Cipher Test Name
+# EC TLS
+#
+ noECC SSL3 c SSL3_RSA_WITH_RC4_128_MD5
+ noECC SSL3 d SSL3_RSA_WITH_3DES_EDE_CBC_SHA
+ noECC SSL3 e SSL3_RSA_WITH_DES_CBC_SHA
+ noECC SSL3 i SSL3_RSA_WITH_NULL_MD5
+ noECC SSL3 n SSL3_RSA_WITH_RC4_128_SHA
+ noECC SSL3 v SSL3_RSA_WITH_AES_128_CBC_SHA
+ noECC SSL3 y SSL3_RSA_WITH_AES_256_CBC_SHA
+ noECC SSL3 z SSL3_RSA_WITH_NULL_SHA
+ noECC TLS12 :009F TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+ noECC TLS12 :00A3 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
+ noECC TLS12 :009D TLS_RSA_WITH_AES_256_GCM_SHA384
+# noECC SSL3 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
+# noECC SSL3 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+#
+ noECC TLS10 c TLS_RSA_WITH_RC4_128_MD5
+ noECC TLS10 d TLS_RSA_WITH_3DES_EDE_CBC_SHA
+ noECC TLS10 e TLS_RSA_WITH_DES_CBC_SHA
+ noECC TLS10 i TLS_RSA_WITH_NULL_MD5
+ noECC TLS10 n TLS_RSA_WITH_RC4_128_SHA
+ noECC TLS10 v TLS_RSA_WITH_AES_128_CBC_SHA
+ noECC TLS10 y TLS_RSA_WITH_AES_256_CBC_SHA
+ noECC TLS10 z TLS_RSA_WITH_NULL_SHA
+# noECC TLS10 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
+# noECC TLS10 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+#
+#
+ noECC TLS11 c TLS11_RSA_WITH_RC4_128_MD5
+ noECC TLS11 d TLS11_RSA_WITH_3DES_EDE_CBC_SHA
+ noECC TLS11 e TLS11_RSA_WITH_DES_CBC_SHA
+ noECC TLS11 i TLS11_RSA_WITH_NULL_MD5
+ noECC TLS11 n TLS11_RSA_WITH_RC4_128_SHA
+ noECC TLS11 v TLS11_RSA_WITH_AES_128_CBC_SHA
+ noECC TLS11 y TLS11_RSA_WITH_AES_256_CBC_SHA
+ noECC TLS11 z TLS11_RSA_WITH_NULL_SHA
+#
+ noECC TLS12 c TLS12_RSA_WITH_RC4_128_MD5
+ noECC TLS12 d TLS12_RSA_WITH_3DES_EDE_CBC_SHA
+ noECC TLS12 e TLS12_RSA_WITH_DES_CBC_SHA
+ noECC TLS12 i TLS12_RSA_WITH_NULL_MD5
+ noECC TLS12 n TLS12_RSA_WITH_RC4_128_SHA
+ noECC TLS12 v TLS12_RSA_WITH_AES_128_CBC_SHA
+ noECC TLS12 y TLS12_RSA_WITH_AES_256_CBC_SHA
+ noECC TLS12 z TLS12_RSA_WITH_NULL_SHA
+ noECC TLS12 :0016 TLS12_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+ noECC TLS12 :0032 TLS12_DHE_DSS_WITH_AES_128_CBC_SHA
+ noECC TLS12 :0033 TLS12_DHE_RSA_WITH_AES_128_CBC_SHA
+ noECC TLS12 :0038 TLS12_DHE_DSS_WITH_AES_256_CBC_SHA
+ noECC TLS12 :0039 TLS12_DHE_RSA_WITH_AES_256_CBC_SHA
+ noECC TLS12 :003B TLS12_RSA_WITH_NULL_SHA256
+ noECC TLS12 :003C TLS12_RSA_WITH_AES_128_CBC_SHA256
+ noECC TLS12 :003D TLS12_RSA_WITH_AES_256_CBC_SHA256
+ noECC TLS12 :0040 TLS12_DHE_DSS_WITH_AES_128_CBC_SHA256
+ noECC TLS12 :0067 TLS12_DHE_RSA_WITH_AES_128_CBC_SHA256
+ noECC TLS12 :006A TLS12_DHE_DSS_WITH_AES_256_CBC_SHA256
+ noECC TLS12 :006B TLS12_DHE_RSA_WITH_AES_256_CBC_SHA256
+ noECC TLS12 :009C TLS12_RSA_WITH_AES_128_GCM_SHA256
+ noECC TLS12 :009E TLS12_DHE_RSA_WITH_AES_128_GCM_SHA256
+ noECC TLS12 :00A2 TLS12_DHE_DSS_WITH_AES_128_GCM_SHA256
+ noECC TLS12 :CCAA TLS12_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+#
+# ECC ciphers (TLS)
+#
+ ECC TLS10 :C001 TLS_ECDH_ECDSA_WITH_NULL_SHA
+ ECC TLS10 :C002 TLS_ECDH_ECDSA_WITH_RC4_128_SHA
+ ECC TLS10 :C003 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS10 :C004 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+ ECC TLS10 :C005 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+ ECC TLS10 :C006 TLS_ECDHE_ECDSA_WITH_NULL_SHA
+ ECC TLS10 :C007 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
+ ECC TLS10 :C008 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS10 :C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+ ECC TLS10 :C00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+ ECC TLS10 :C00B TLS_ECDH_RSA_WITH_NULL_SHA
+ ECC TLS10 :C00C TLS_ECDH_RSA_WITH_RC4_128_SHA
+ ECC TLS10 :C00D TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS10 :C00E TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
+ ECC TLS10 :C00F TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
+ ECC TLS10 :C010 TLS_ECDHE_RSA_WITH_NULL_SHA
+ ECC TLS10 :C011 TLS_ECDHE_RSA_WITH_RC4_128_SHA
+ ECC TLS10 :C012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS10 :C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+ ECC TLS10 :C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+#
+ ECC TLS11 :C001 TLS11_ECDH_ECDSA_WITH_NULL_SHA
+ ECC TLS11 :C002 TLS11_ECDH_ECDSA_WITH_RC4_128_SHA
+ ECC TLS11 :C003 TLS11_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS11 :C004 TLS11_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+ ECC TLS11 :C005 TLS11_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+ ECC TLS11 :C006 TLS11_ECDHE_ECDSA_WITH_NULL_SHA
+ ECC TLS11 :C007 TLS11_ECDHE_ECDSA_WITH_RC4_128_SHA
+ ECC TLS11 :C008 TLS11_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS11 :C009 TLS11_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+ ECC TLS11 :C00A TLS11_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+ ECC TLS11 :C00B TLS11_ECDH_RSA_WITH_NULL_SHA
+ ECC TLS11 :C00C TLS11_ECDH_RSA_WITH_RC4_128_SHA
+ ECC TLS11 :C00D TLS11_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS11 :C00E TLS11_ECDH_RSA_WITH_AES_128_CBC_SHA
+ ECC TLS11 :C00F TLS11_ECDH_RSA_WITH_AES_256_CBC_SHA
+ ECC TLS11 :C010 TLS11_ECDHE_RSA_WITH_NULL_SHA
+ ECC TLS11 :C011 TLS11_ECDHE_RSA_WITH_RC4_128_SHA
+ ECC TLS11 :C012 TLS11_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS11 :C013 TLS11_ECDHE_RSA_WITH_AES_128_CBC_SHA
+ ECC TLS11 :C014 TLS11_ECDHE_RSA_WITH_AES_256_CBC_SHA
+#
+ ECC TLS12 :C001 TLS12_ECDH_ECDSA_WITH_NULL_SHA
+ ECC TLS12 :C002 TLS12_ECDH_ECDSA_WITH_RC4_128_SHA
+ ECC TLS12 :C003 TLS12_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS12 :C004 TLS12_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+ ECC TLS12 :C005 TLS12_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+ ECC TLS12 :C006 TLS12_ECDHE_ECDSA_WITH_NULL_SHA
+ ECC TLS12 :C007 TLS12_ECDHE_ECDSA_WITH_RC4_128_SHA
+ ECC TLS12 :C008 TLS12_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS12 :C009 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+ ECC TLS12 :C00A TLS12_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+ ECC TLS12 :C00B TLS12_ECDH_RSA_WITH_NULL_SHA
+ ECC TLS12 :C00C TLS12_ECDH_RSA_WITH_RC4_128_SHA
+ ECC TLS12 :C00D TLS12_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS12 :C00E TLS12_ECDH_RSA_WITH_AES_128_CBC_SHA
+ ECC TLS12 :C00F TLS12_ECDH_RSA_WITH_AES_256_CBC_SHA
+ ECC TLS12 :C010 TLS12_ECDHE_RSA_WITH_NULL_SHA
+ ECC TLS12 :C011 TLS12_ECDHE_RSA_WITH_RC4_128_SHA
+ ECC TLS12 :C012 TLS12_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS12 :C013 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA
+ ECC TLS12 :C014 TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA
+ ECC TLS12 :C023 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+ ECC TLS12 :C024 TLS12_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+ ECC TLS12 :C027 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+ ECC TLS12 :C028 TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+ ECC TLS12 :C02B TLS12_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ ECC TLS12 :C02C TLS12_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ ECC TLS12 :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ ECC TLS12 :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ ECC TLS12 :CCA8 TLS12_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+ ECC TLS12 :CCA9 TLS12_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
diff --git a/security/nss/tests/ssl/sslpolicy.txt b/security/nss/tests/ssl/sslpolicy.txt
new file mode 100644
index 000000000..82c15d2af
--- /dev/null
+++ b/security/nss/tests/ssl/sslpolicy.txt
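Review bot: The header `# Enable Enable Cipher Test Name / # EC TLS` does not say that the Cipher column uses two notations: a single letter (`c`, `d`, `e`, `i`, `n`, `v`, `y`, `z`) for the legacy RSA suites and a `:XXXX` hex cipher-suite identifier for everything else, both presumably passed through to the client/server cipher option by ssl.sh. I would add a line such as `# Cipher: tstclnt/selfserv cipher letter, or :XXXX IANA cipher-suite id` and note that the Test Name column is a free-form label (the `TLS11_`/`TLS12_` prefixes are not IANA suite names). Since the file describes itself as coverage, it is also worth stating that the NULL-cipher, RC4 and single-DES rows exist to exercise what the library can negotiate and must not be read as a recommended configuration, so that nobody copies this list into a policy file.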
@@ -0,0 +1,174 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This file enables policy testing
+#
+# The policy string is set to the config= line in the pkcs11.txt
+# it currently has 2 keywords:
+#
+# disallow= turn off the use of this algorithm by policy.
+# allow= allow this algorithm to by used if selected by policy.
+#
+# The syntax is disallow=algorithm{/uses}:algorithm{/uses}
+# where {} signifies an optional element
+#
+# valid algorithms are:
+# ECC curves:
+# PRIME192V1
+# PRIME192V2
+# PRIME192V3
+# PRIME239V1
+# PRIME239V2
+# PRIME239V3
+# PRIME256V1
+# SECP112R1
+# SECP112R2
+# SECP128R1
+# SECP128R2
+# SECP160K1
+# SECP160R1
+# SECP160R2
+# SECP192K1
+# SECP192R1
+# SECP224K1
+# SECP256K1
+# SECP256R1
+# SECP384R1
+# SECP521R1
+# C2PNB163V1
+# C2PNB163V2
+# C2PNB163V3
+# C2PNB176V1
+# C2TNB191V1
+# C2TNB191V2
+# C2TNB191V3
+# C2ONB191V4
+# C2ONB191V5
+# C2PNB208W1
+# C2TNB239V1
+# C2TNB239V2
+# C2TNB239V3
+# C2ONB239V4
+# C2ONB239V5
+# C2PNB272W1
+# C2PNB304W1
+# C2TNB359V1
+# C2PNB368W1
+# C2TNB431R1
+# SECT113R1
+# SECT131R1
+# SECT131R1
+# SECT131R2
+# SECT163K1
+# SECT163R1
+# SECT163R2
+# SECT193R1
+# SECT193R2
+# SECT233K1
+# SECT233R1
+# SECT239K1
+# SECT283K1
+# SECT283R1
+# SECT409K1
+# SECT409R1
+# SECT571K1
+# SECT571R1
+# Hashes:
+# MD2
+# MD4
+# MD5
+# SHA1
+# SHA224
+# SHA256
+# SHA384
+# SHA512
+# MACs:
+# HMAC-SHA1
+# HMAC-SHA224
+# HMAC-SHA256
+# HMAC-SHA384
+# HMAC-SHA512
+# HMAC-MD5
+# Ciphers:
+# AES128-CBC
+# AES192-CBC
+# AES256-CBC
+# AES128-GCM
+# AES192-GCM
+# AES256-GCM
+# CAMELLIA128-CBC
+# CAMELLIA192-CBC
+# CAMELLIA256-CBC
+# SEED-CBC
+# DES-EDE3-CBC
+# DES-40-CBC
+# DES-CBC
+# NULL-CIPHER
+# RC2
+# RC4
+# IDEA
+# Key exchange
+# RSA
+# RSA-EXPORT
+# DHE-RSA
+# DHE-DSS
+# DH-RSA
+# DH-DSS
+# ECDHE-ECDSA
+# ECDHE-RSA
+# ECDH-ECDSA
+# ECDH-RSA
+# SSL Versions
+# SSL2.0
+# SSL3.0
+# TLS1.0
+# TLS1.1
+# TLS1.2
+# DTLS1.1
+# DTLS1.2
+# Include all of the above:
+# ALL
+#-----------------------------------------------
+# Uses are:
+# ssl
+# ssl-key-exchange
+# key-exchange (includes ssl-key-exchange)
+# cert-signature
+# signature (includes cert-signature)
+# all (includes all of the above)
+#-----------------------------------------------
+# In addition there are the following options:
+# min-rsa
+# min-dh
+# min-dsa
+# they have the following syntax:
+# allow=min-rsa=512:min-dh=1024
+#
+# Exp Enable Enable Cipher Config Policy Test Name
+# Ret EC TLS
+# turn on single cipher
+ 0 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Narrow Policy
+ 0 noECC SSL3 d disallow=all_allow=hmac-sha1/ssl,ssl-key-exchange:sha256/cert-signature:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Strict Policy
+ 0 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Allow All Explicitly
+ 1 noECC SSL3 d disallow=all Disallow All Explicitly.
+# turn off signature only
+ 1 noECC SSL3 d disallow=sha256 Disallow SHA256 Signatures Explicitly.
+ 1 noECC SSL3 d disallow=all_allow=hmac-sha1:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow SHA256 Signatures Implicitly Narrow.
+ 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow SHA256 Signatures Implicitly.
+# turn off single cipher
+ 1 noECC SSL3 d disallow=des-ede3-cbc Disallow Cipher Explicitly
+ 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Cipher Implicitly Narrow.
+ 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-verion-max=tls1.2 Disallow Cipher Implicitly.
+# turn off H-Mac
+ 1 noECC SSL3 d disallow=hmac-sha1 Disallow HMAC Explicitly
+ 1 noECC SSL3 d disallow=all_allow=md5:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow HMAC Implicitly Narrow.
+ 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow HMAC Signatures Implicitly.
+# turn off key exchange
+ 1 noECC SSL3 d disallow=rsa/ssl-key-exchange Disallow Key Exchange Explicitly.
+ 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:dh-dss:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Key Exchange Implicitly Narrow.
+ 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow Key Exchnage Signatures Implicitly.
+# turn off version
+ 1 noECC SSL3 d allow=tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Exlicitly
+ 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow.
+ 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly.
diff --git a/security/nss/tests/ssl/sslreq.dat b/security/nss/tests/ssl/sslreq.dat
new file mode 100644
index 000000000..2f7ad7736
--- /dev/null
+++ b/security/nss/tests/ssl/sslreq.dat
@@ -0,0 +1,2 @@
+GET / HTTP/1.0
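Review bot: The "Disallow Cipher Implicitly." row's policy string reads `tls-verion-max=tls1.2` where every other row has `tls-version-max`, and because the row expects return value 1 it would also pass if the policy parser rejects the misspelled option outright rather than because des-ede3-cbc is missing from the allow list; change it to `tls-version-max=tls1.2` so the case proves what its name claims (how an unknown option is treated is not visible from this file). The test-name column also has "Exlicitly" and "Exchnage", and the ECC curve list in the header comment names SECT131R1 twice. All three are worth fixing while the file is new, since the names end up verbatim in the test report.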
+
diff --git a/security/nss/tests/ssl/sslreq.txt b/security/nss/tests/ssl/sslreq.txt
new file mode 100644
index 000000000..c1da607c0
--- /dev/null
+++ b/security/nss/tests/ssl/sslreq.txt
@@ -0,0 +1,2 @@
+GET / HTTP/1.0
+
diff --git a/security/nss/tests/ssl/sslstress.txt b/security/nss/tests/ssl/sslstress.txt
new file mode 100644
index 000000000..e9defc502
--- /dev/null
+++ b/security/nss/tests/ssl/sslstress.txt
@@ -0,0 +1,87 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This file defines the stress tests for SSL/TLS.
+#
+# expected
+# Enable return server client Test Case name
+# ECC value params params
+# ------- ------ ------ ------ ---------------
+ noECC 0 _ -c_1000_-C_c_-V_ssl3:ssl3 Stress SSL3 RC4 128 with MD5
+ noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5
+ noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start)
+ noECC 0 -u -V_ssl3:tls1.2_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket)
+ noECC 0 -z -V_ssl3:tls1.2_-c_1000_-C_c_-z Stress TLS RC4 128 with MD5 (compression)
+ noECC 0 -u_-z -V_ssl3:tls1.2_-c_1000_-C_c_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression)
+ noECC 0 -u_-z -V_ssl3:tls1.2_-c_1000_-C_c_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, false start)
+ SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI)
+
+#
+# add client auth versions here...
+#
+ noECC 0 -r_-r -c_100_-C_c_-V_ssl3:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth)
+ noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth)
+ noECC 0 -r_-r_-u -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth)
+ noECC 0 -r_-r_-z -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth)
+ noECC 0 -r_-r_-z -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start)
+ noECC 0 -r_-r_-u_-z -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth)
+ noECC 0 -r_-r_-u_-z -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start)
+ SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host)
+ SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host)
+
+#
+# ############################ ECC ciphers ############################
+#
+ ECC 0 -c_:C009 -V_ssl3:tls1.2_-c_100_-C_:C009_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse)
+ ECC 0 -c_:C023 -V_ssl3:tls1.2_-c_100_-C_:C023_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA256 (no reuse)
+ ECC 0 -c_:C02B -V_ssl3:tls1.2_-c_100_-C_:C02B_-N Stress TLS ECDHE-ECDSA AES 128 GCM (no reuse)
+ ECC 0 -c_:C004 -V_ssl3:tls1.2_-c_100_-C_:C004_-N Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse)
+ ECC 0 -c_:C00E -V_ssl3:tls1.2_-c_100_-C_:C00E_-N Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse)
+ ECC 0 -c_:C013 -V_ssl3:tls1.2_-c_1000_-C_:C013 Stress TLS ECDHE-RSA AES 128 CBC with SHA
+ ECC 0 -c_:C027 -V_ssl3:tls1.2_-c_1000_-C_:C027 Stress TLS ECDHE-RSA AES 128 CBC with SHA256
+ ECC 0 -c_:C02F -V_ssl3:tls1.2_-c_1000_-C_:C02F Stress TLS ECDHE-RSA AES 128 GCM
+ ECC 0 -c_:C004_-u -V_ssl3:tls1.2_-c_1000_-C_:C004_-u Stress TLS ECDH-ECDSA AES 128 CBC with SHA (session ticket)
+ ECC 0 -c_:C009_-u -V_ssl3:tls1.2_-c_100_-C_:C009_-u Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (session ticket)
+#
+# add client auth versions here...
+#
+ ECC 0 -r_-r_-c_:C009 -V_ssl3:tls1.2_-c_10_-C_:C009_-N_-n_TestUser-ec Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse, client auth)
+ ECC 0 -r_-r_-c_:C013 -V_ssl3:tls1.2_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA (client auth)
+ ECC 0 -r_-r_-c_:C004 -V_ssl3:tls1.2_-c_10_-C_:C004_-N_-n_TestUser-ec Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse, client auth)
+ ECC 0 -r_-r_-c_:C00E -V_ssl3:tls1.2_-c_10_-C_:C00E_-N_-n_TestUser-ecmixed Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth)
+ ECC 0 -r_-r_-c_:C013 -V_ssl3:tls1.2_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA(client auth)
+ ECC 0 -r_-r_-c_:C013_-u -V_ssl3:tls1.2_-c_100_-C_:C013_-n_TestUser-ec_-u Stress TLS ECDHE-RSA AES 128 CBC with SHA(session ticket, client auth)
+
+#
+# ############################ DHE ciphers ############################
+#
+ noECC 0 -c_:0016 -V_ssl3:tls1.2_-c_100_-C_:0016_-N Stress TLS DHE_RSA_WITH_3DES_EDE_CBC_SHA (no reuse)
+ noECC 0 -c_:0033 -V_ssl3:tls1.2_-c_1000_-C_:0033 Stress TLS DHE_RSA_WITH_AES_128_CBC_SHA
+
+
+ noECC 0 -c_:0039 -V_ssl3:tls1.2_-c_100_-C_:0039_-N Stress TLS DHE_RSA_WITH_AES_256_CBC_SHA (no reuse)
+ noECC 0 -c_:0040 -V_ssl3:tls1.2_-c_100_-C_:0040_-N Stress TLS DHE_DSS_WITH_AES_128_CBC_SHA256 (no reuse)
+
+# noECC 0 -c_:0038_-u -V_ssl3:tls1.2_-c_1000_-C_:0038_-u Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA (session ticket)
+# use the above session ticket test, once session tickets with DHE_DSS are working
+ noECC 0 -c_:0038 -V_ssl3:tls1.2_-c_1000_-C_:0038_-N Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA (no reuse)
+
+# noECC 0 -c_:006A -V_ssl3:tls1.2_-c_1000_-C_:006A Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA256
+# use the above reuse test, once the session cache with DHE_DSS is working
+ noECC 0 -c_:006A -V_ssl3:tls1.2_-c_1000_-C_:006A_-N Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA256 (no reuse
+
+ noECC 0 -c_:006B -V_ssl3:tls1.2_-c_100_-C_:006B_-N Stress TLS DHE_RSA_WITH_AES_256_CBC_SHA256 (no reuse)
+ noECC 0 -c_:009E -V_ssl3:tls1.2_-c_100_-C_:009E_-N Stress TLS DHE_RSA_WITH_AES_128_GCM_SHA256 (no reuse)
+ noECC 0 -c_:009F -V_ssl3:tls1.2_-c_100_-C_:009F_-N Stress TLS DHE_RSA_WITH_AES_256_GCM_SHA384 (no reuse)
+#
+# add client auth versions here...
+#
+ noECC 0 -r_-r_-c_:0032 -V_ssl3:tls1.2_-c_100_-C_:0032_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_128_CBC_SHA (no reuse, client auth)
+ noECC 0 -r_-r_-c_:0067 -V_ssl3:tls1.2_-c_1000_-C_:0067_-n_TestUser-dsamixed Stress TLS DHE_RSA_WITH_AES_128_CBC_SHA256 (client auth)
+
+# noECC 0 -r_-r_-c_:00A2_-u -V_ssl3:tls1.2_-c_1000_-C_:00A2_-n_TestUser-dsa_-u Stress TLS DHE_DSS_WITH_AES_128_GCM_SHA256 (session ticket, client auth)
+# noECC 0 -r_-r_-c_:00A3_-u -V_ssl3:tls1.2_-c_1000_-C_:00A3_-n_TestUser-dsa_-u Stress TLS DHE_DSS_WITH_AES_256_GCM_SHA384 (session ticket, client auth)
+# use the above session ticket test, once session tickets with DHE_DSS are working
+ noECC 0 -r_-r_-c_:00A2_-u -V_ssl3:tls1.2_-c_1000_-C_:00A2_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_128_GCM_SHA256 (no reuse, client auth)
+ noECC 0 -r_-r_-c_:00A3_-u -V_ssl3:tls1.2_-c_1000_-C_:00A3_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_256_GCM_SHA384 (no reuse, client auth)
diff --git a/security/nss/tests/ssl_gtests/ssl_gtests.sh b/security/nss/tests/ssl_gtests/ssl_gtests.sh
new file mode 100755
index 000000000..9768c5ed9
--- /dev/null
+++ b/security/nss/tests/ssl_gtests/ssl_gtests.sh
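Review bot: The ECC client-auth block lists the `:C013` ECDHE-RSA case twice with identical server and client parameters (`-r_-r_-c_:C013` / `-V_ssl3:tls1.2_-c_100_-C_:C013_-n_TestUser-ec`), the names differing only by the space before "(client auth)"; the second row adds another 100 handshakes without covering anything new, so one of them should be dropped. The `:006A` no-reuse row's name ends in `(no reuse` without its closing parenthesis. In the last two DHE_DSS client-auth rows the server keeps `-u` while the client passes `-N`; the comment above them says the session-ticket variants are parked until tickets work with DHE_DSS, so this looks deliberate, but the server-side `-u` then appears to be leftover configuration and is worth either removing or noting in that comment.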
@@ -0,0 +1,159 @@
+#!/bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# tests/ssl_gtests/ssl_gtests.sh
+#
+# Script to drive the ssl gtest unit tests
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+# Generate input to certutil
+certscript() {
+ while [ $# -gt 0 ]; do
+ case $1 in
+ sign) echo 0 ;;
+ kex) echo 2 ;;
+ ca) echo 5;echo 6 ;;
+ esac; shift
+ done;
+ echo 9
+ echo n
+ echo ${ca:-n}
+ echo
+ echo n
+}
+
+# $1: name
+# $2: type
+# $3+: usages: sign or kex
+make_cert() {
+ name=$1
+ type=$2
+ case $type in
+ dsa) type_args='-g 1024' ;;
+ rsa) type_args='-g 1024' ;;
+ rsa2048) type_args='-g 2048';type=rsa ;;
+ rsapss) type_args='-g 1024 --pss';type=rsa ;;
+ p256) type_args='-q nistp256';type=ec ;;
+ p384) type_args='-q secp384r1';type=ec ;;
+ p521) type_args='-q secp521r1';type=ec ;;
+ rsa_ca) type_args='-g 1024';trust='CT,CT,CT';ca=y;type=rsa ;;
+ rsa_chain) type_args='-g 1024';sign='-c rsa_ca';type=rsa;;
+ ecdh_rsa) type_args='-q nistp256';sign='-c rsa_ca';type=ec ;;
+ esac
+ shift 2
+ counter=$(($counter + 1))
+ certscript $@ | ${BINDIR}/certutil -S \
+ -z ${R_NOISE_FILE} -d "${PROFILEDIR}" \
+ -n $name -s "CN=$name" -t ${trust:-,,} ${sign:--x} -m $counter \
+ -w -2 -v 120 -k $type $type_args -Z SHA256 -1 -2
+ html_msg $? 0 "create certificate: $@"
+}
+
+ssl_gtest_certs() {
+ mkdir -p "${SSLGTESTDIR}"
+ cd "${SSLGTESTDIR}"
+
+ PROFILEDIR=`pwd`
+ if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+ PROFILEDIR=`cygpath -m "${PROFILEDIR}"`
+ fi
+
+ ${BINDIR}/certutil -N -d "${PROFILEDIR}" --empty-password 2>&1
+ html_msg $? 0 "create ssl_gtest database"
+
+ counter=0
+ make_cert client rsa sign
+ make_cert rsa rsa sign kex
+ make_cert rsa2048 rsa2048 sign kex
+ make_cert rsa_sign rsa sign
+ make_cert rsa_pss rsapss sign
+ make_cert rsa_decrypt rsa kex
+ make_cert ecdsa256 p256 sign
+ make_cert ecdsa384 p384 sign
+ make_cert ecdsa521 p521 sign
+ make_cert ecdh_ecdsa p256 kex
+ make_cert rsa_ca rsa_ca ca
+ make_cert rsa_chain rsa_chain sign
+ make_cert ecdh_rsa ecdh_rsa kex
+ make_cert dsa dsa sign
+}
+
+############################## ssl_gtest_init ##########################
+# local shell function to initialize this script
+########################################################################
+ssl_gtest_init()
+{
+ SCRIPTNAME=ssl_gtest.sh # sourced - $0 would point to all.sh
+
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd ../common
+ . ./init.sh
+ fi
+
+ SCRIPTNAME=ssl_gtest.sh
+ html_head SSL Gtests
+
+ if [ ! -d "${SSLGTESTDIR}" ]; then
+ ssl_gtest_certs
+ fi
+
+ cd "${SSLGTESTDIR}"
+}
+
+########################## ssl_gtest_start #########################
+# Local function to actually start the test
+####################################################################
+ssl_gtest_start()
+{
+ if [ ! -f ${BINDIR}/ssl_gtest ]; then
+ html_unknown "Skipping ssl_gtest (not built)"
+ return
+ fi
+
+ SSLGTESTREPORT="${SSLGTESTDIR}/report.xml"
+ PARSED_REPORT="${SSLGTESTDIR}/report.parsed"
+ echo "executing ssl_gtest"
+ ${BINDIR}/ssl_gtest -d "${SSLGTESTDIR}" --gtest_output=xml:"${SSLGTESTREPORT}" \
+ --gtest_filter="${GTESTFILTER-*}"
+ html_msg $? 0 "ssl_gtest run successfully"
+ echo "executing sed to parse the xml report"
+ sed -f ${COMMON}/parsegtestreport.sed "${SSLGTESTREPORT}" > "${PARSED_REPORT}"
+ echo "processing the parsed report"
+ cat "${PARSED_REPORT}" | while read result name; do
+ if [ "$result" = "notrun" ]; then
+ echo "$name" SKIPPED
+ elif [ "$result" = "run" ]; then
+ html_passed_ignore_core "$name"
+ else
+ html_failed_ignore_core "$name"
+ fi
+ done
+}
+
+ssl_gtest_cleanup()
+{
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+################## main #################################################
+cd "$(dirname "$0")"
+ssl_gtest_init
+ssl_gtest_start
+ssl_gtest_cleanup
diff --git a/security/nss/tests/tools/sign.html b/security/nss/tests/tools/sign.html
new file mode 100644
index 000000000..1ec9f7b79
--- /dev/null
+++ b/security/nss/tests/tools/sign.html
@@ -0,0 +1,8 @@
+<html>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+<body>
+Sign this javascriptless page.
+</body>
+</html>
diff --git a/security/nss/tests/tools/signjs.html b/security/nss/tests/tools/signjs.html
new file mode 100644
index 000000000..ba22925bd
--- /dev/null
+++ b/security/nss/tests/tools/signjs.html
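Review bot: In ssl_gtests.sh, `make_cert` never clears `trust`, `sign` and `ca` between calls, and the `${trust:-,,}`, `${sign:--x}` and `${ca:-n}` defaults only apply while those variables are empty, so once `make_cert rsa_ca rsa_ca ca` has set `trust='CT,CT,CT'` and `ca=y` (and the `rsa_chain` case has set `sign='-c rsa_ca'`), the later `rsa_chain`, `ecdh_rsa` and `dsa` certificates are created with CA trust flags and the `y` answer certscript feeds to certutil, and `dsa` is issued by `rsa_ca` instead of self-signed with `-x`. That silently changes what the gtests are exercising, since the names suggest a plain end-entity DSA certificate. The fix is one line at the top of `make_cert`: `unset trust sign ca` (or `local` declarations, as the file is already bash-only). Separately, `ssl_gtest_start` reads the parsed report with `cat "${PARSED_REPORT}" | while read result name`; `while read -r result name; do … done < "${PARSED_REPORT}"` drops the extra process and keeps backslashes in test names intact.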
@@ -0,0 +1,11 @@
+<html>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+<body>
+<script language="JavaScript">
+document.write("<h3>Sign this javascript</h3>");
+</script>
+Here's some plain content.
+</body>
+</html>
diff --git a/security/nss/tests/tools/tools.sh b/security/nss/tests/tools/tools.sh
new file mode 100644
index 000000000..26abf3e4e
--- /dev/null
+++ b/security/nss/tests/tools/tools.sh
@@ -0,0 +1,498 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/tools/tools.sh +# +# Script to test basic functionality of NSS tools +# +# needs to work on all Unix and Windows platforms +# +# tests implemented: +# pk12util +# signtool +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +######################################################################## + + export pkcs12v2pbeWithSha1And128BitRc4=\ +"PKCS #12 V2 PBE With SHA-1 and 128 Bit RC4" + + export pkcs12v2pbeWithSha1And40BitRc4=\ +"PKCS #12 V2 PBE With SHA-1 and 40 Bit RC4" + + export pkcs12v2pbeWithSha1AndTripleDESCBC=\ +"PKCS #12 V2 PBE With SHA-1 and Triple DES-CBC" + + export pkcs12v2pbeWithSha1And128BitRc2Cbc=\ +"PKCS #12 V2 PBE With SHA-1 and 128 Bit RC2 CBC" + + export pkcs12v2pbeWithSha1And40BitRc2Cbc=\ +"PKCS #12 V2 PBE With SHA-1 and 40 Bit RC2 CBC" + + export pkcs12v2pbeWithMd2AndDESCBC=\ +"PKCS #5 Password Based Encryption with MD2 and DES-CBC" + + export pkcs12v2pbeWithMd5AndDESCBC=\ +"PKCS #5 Password Based Encryption with MD5 and DES-CBC" + + export pkcs12v2pbeWithSha1AndDESCBC=\ +"PKCS #5 Password Based Encryption with SHA-1 and DES-CBC" + + export pkcs5pbeWithMD2AndDEScbc=\ +"PKCS #5 Password Based Encryption with MD2 and DES-CBC" + + export pkcs5pbeWithMD5AndDEScbc=\ +"PKCS #5 Password Based Encryption with MD5 and DES-CBC" + + export pkcs5pbeWithSha1AndDEScbc=\ +"PKCS #5 Password Based Encryption with SHA-1 and DES-CBC" + +############################## tools_init ############################## +# local shell function to initialize this script +######################################################################## +tools_init() +{ + 
SCRIPTNAME=tools.sh # sourced - $0 would point to all.sh + + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ../common + . ./init.sh + fi + if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here + cd ../cert + . ./cert.sh + fi + SCRIPTNAME=tools.sh + + if [ -z "$NSS_DISABLE_ECC" ] ; then + html_head "Tools Tests with ECC" + else + html_head "Tools Tests" + fi + + grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || { + Exit 15 "Fatal - S/MIME of cert.sh needs to pass first" + } + + TOOLSDIR=${HOSTDIR}/tools + COPYDIR=${TOOLSDIR}/copydir + SIGNDIR=${TOOLSDIR}/signdir + + R_TOOLSDIR=../tools + R_COPYDIR=../tools/copydir + R_SIGNDIR=../tools/signdir + P_R_COPYDIR=${R_COPYDIR} + P_R_SIGNDIR=${R_SIGNDIR} + if [ -n "${MULTIACCESS_DBM}" ]; then + P_R_COPYDIR="multiaccess:Tools.$version" + P_R_SIGNDIR="multiaccess:Tools.sign.$version" + fi + + mkdir -p ${TOOLSDIR} + mkdir -p ${COPYDIR} + mkdir -p ${SIGNDIR} + cp ${ALICEDIR}/* ${SIGNDIR}/ + mkdir -p ${TOOLSDIR}/html + cp ${QADIR}/tools/sign*.html ${TOOLSDIR}/html + + cd ${TOOLSDIR} +} + +########################## list_p12_file ############################### +# List the key and cert in the specified p12 file +######################################################################## +list_p12_file() +{ + echo "$SCRIPTNAME: Listing Alice's pk12 file" + echo "pk12util -l ${1} -w ${R_PWFILE}" + + ${BINDIR}/pk12util -l ${1} -w ${R_PWFILE} 2>&1 + ret=$? 
+ html_msg $ret 0 "Listing ${1} (pk12util -l)" + check_tmpfile +} + +######################################################################## +# Import the key and cert from the specified p12 file +######################################################################## +import_p12_file() +{ + echo "$SCRIPTNAME: Importing Alice's pk12 ${1} file" + echo "pk12util -i ${1} -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}" + + ${BINDIR}/pk12util -i ${1} -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 + ret=$? + html_msg $ret 0 "Importing ${1} (pk12util -i)" + check_tmpfile +} + +######################################################################## +# Export the key and cert to a p12 file using default ciphers +######################################################################## +export_with_default_ciphers() +{ + echo "$SCRIPTNAME: Exporting Alice's key & cert with [default:default] (pk12util -o)" + echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\" + echo " -k ${R_PWFILE} -w ${R_PWFILE}" + ${BINDIR}/pk12util -o Alice.p12 -n "Alice" -d ${P_R_ALICEDIR} \ + -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 + ret=$? + html_msg $ret 0 "Exporting Alices's key & cert with [default:default] (pk12util -o)" + check_tmpfile + return $ret +} + +######################################################################## +# Exports key/cert to a p12 file, the key encryption cipher is specified +# and the cert encryption cipher is blank for default. +######################################################################## +export_with_key_cipher() +{ + # $1 key encryption cipher + echo "$SCRIPTNAME: Exporting with [${1}:default]" + echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\" + echo " -k ${R_PWFILE} -w ${R_PWFILE} -c ${1}" + ${BINDIR}/pk12util -o Alice.p12 -n "Alice" -d ${P_R_ALICEDIR} \ + -k ${R_PWFILE} -w ${R_PWFILE} -c "${1}" 2>&1 + ret=$? 
+ html_msg $ret 0 "Exporting with [${1}:default] (pk12util -o)" + check_tmpfile + return $ret +} + +######################################################################## +# Exports key/cert to a p12 file, the key encryption cipher is left +# empty for default and the cert encryption cipher is specified. +######################################################################## +export_with_cert_cipher() +{ + # $1 certificate encryption cipher + echo "$SCRIPTNAME: Exporting with [default:${1}]" + echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\" + echo " -k ${R_PWFILE} -w ${R_PWFILE} -C ${1}" + ${BINDIR}/pk12util -o Alice.p12 -n "Alice" -d ${P_R_ALICEDIR} \ + -k ${R_PWFILE} -w ${R_PWFILE} -C "${1}" 2>&1 + ret=$? + html_msg $ret 0 "Exporting with [default:${1}] (pk12util -o)" + check_tmpfile + return $ret +} + +######################################################################## +# Exports key/cert to a p12 file, both the key encryption cipher and +# the cert encryption cipher are specified. +######################################################################## +export_with_both_key_and_cert_cipher() +{ + # $1 key encryption cipher or "" + # $2 certificate encryption cipher or "" + + echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\" + echo " -k ${R_PWFILE} -w ${R_PWFILE} -c ${1} -C ${2}" + ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \ + -k ${R_PWFILE} -w ${R_PWFILE} \ + -c "${1}" -C "${2}" 2>&1 + ret=$? + html_msg $ret 0 "Exporting with [${1}:${2}] (pk12util -o)" + check_tmpfile + return $ret +} + +######################################################################## +# Exports key and cert to a p12 file, both the key encryption cipher +# and the cert encryption cipher are specified. 
The key and cert are +# imported and the p12 file is listed +######################################################################## +export_list_import() +{ + # $1 key encryption cipher + # $2 certificate encryption cipher + + if [ "${1}" != "DEFAULT" -a "${2}" != "DEFAULT" ]; then + export_with_both_key_and_cert_cipher "${1}" "${2}" + elif [ "${1}" != "DEFAULT" -a "${2}" = "DEFAULT" ]; then + export_with_key_cipher "${1}" + elif [ "${1}" = "DEFAULT" -a "${2}" != "DEFAULT" ]; then + export_with_cert_cipher "${2}" + else + export_with_default_ciphers + fi + + list_p12_file Alice.p12 + import_p12_file Alice.p12 +} + +######################################################################## +# Export using the pkcs5pbe ciphers for key and certificate encryption. +# List the contents of and import from the p12 file. +######################################################################## +tools_p12_export_list_import_all_pkcs5pbe_ciphers() +{ + # specify each on key and cert cipher + for key_cipher in "${pkcs5pbeWithMD2AndDEScbc}" \ + "${pkcs5pbeWithMD5AndDEScbc}" \ + "${pkcs5pbeWithSha1AndDEScbc}"\ + "DEFAULT"; do + for cert_cipher in "${pkcs5pbeWithMD2AndDEScbc}" \ + "${pkcs5pbeWithMD5AndDEScbc}" \ + "${pkcs5pbeWithSha1AndDEScbc}" \ + "DEFAULT"\ + "null"; do + export_list_import "${key_cipher}" "${cert_cipher}" + done + done +} + +######################################################################## +# Export using the pkcs5v2 ciphers for key and certificate encryption. +# List the contents of and import from the p12 file. 
+######################################################################## +tools_p12_export_list_import_all_pkcs5v2_ciphers() +{ + # These should pass + for key_cipher in\ + RC2-CBC \ + DES-EDE3-CBC \ + AES-128-CBC \ + AES-192-CBC \ + AES-256-CBC \ + CAMELLIA-128-CBC \ + CAMELLIA-192-CBC \ + CAMELLIA-256-CBC; do + +#--------------------------------------------------------------- +# Bug 452464 - pk12util -o fails when -C option specifies AES or +# Camellia ciphers +# FIXME Restore these to the list +# AES-128-CBC, \ +# AES-192-CBC, \ +# AES-256-CBC, \ +# CAMELLIA-128-CBC, \ +# CAMELLIA-192-CBC, \ +# CAMELLIA-256-CBC, \ +# when 452464 is fixed +#--------------------------------------------------------------- + for cert_cipher in \ + RC2-CBC \ + DES-EDE3-CBC \ + null; do + export_list_import ${key_cipher} ${cert_cipher} + done + done +} + +######################################################################## +# Export using the pkcs12v2pbe ciphers for key and certificate encryption. +# List the contents of and import from the p12 file. 
+######################################################################## +tools_p12_export_list_import_all_pkcs12v2pbe_ciphers() +{ +#--------------------------------------------------------------- +# Bug 452471 - pk12util -o fails when -c option specifies pkcs12v2 PBE ciphers +# FIXME - Restore these to the list +# "${pkcs12v2pbeWithSha1And128BitRc4}" \ +# "${pkcs12v2pbeWithSha1And40BitRc4}" \ +# "${pkcs12v2pbeWithSha1AndTripleDESCBC}" \ +# "${pkcs12v2pbeWithSha1And128BitRc2Cbc}" \ +# "${pkcs12v2pbeWithSha1And40BitRc2Cbc}" \ +# "${pkcs12v2pbeWithMd2AndDESCBC}" \ +# "${pkcs12v2pbeWithMd5AndDESCBC}" \ +# "${pkcs12v2pbeWithSha1AndDESCBC}" \ +# "DEFAULT"; do +# when 452471 is fixed +#--------------------------------------------------------------- +# for key_cipher in \ + key_cipher="DEFAULT" + for cert_cipher in "${pkcs12v2pbeWithSha1And128BitRc4}" \ + "${pkcs12v2pbeWithSha1And40BitRc4}" \ + "${pkcs12v2pbeWithSha1AndTripleDESCBC}" \ + "${pkcs12v2pbeWithSha1And128BitRc2Cbc}" \ + "${pkcs12v2pbeWithSha1And40BitRc2Cbc}" \ + "${pkcs12v2pbeWithMd2AndDESCBC}" \ + "${pkcs12v2pbeWithMd5AndDESCBC}" \ + "${pkcs12v2pbeWithSha1AndDESCBC}" \ + "DEFAULT"\ + "null"; do + export_list_import "${key_cipher}" "${key_cipher}" + done + #done +} + +######################################################################### +# Export with no encryption on key should fail but on cert should pass +######################################################################### +tools_p12_export_with_null_ciphers() +{ + # use null as the key encryption algorithm default for the cert one + # should fail + + echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\" + echo " -k ${R_PWFILE} -w ${R_PWFILE} -c null" + ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \ + -k ${R_PWFILE} -w ${R_PWFILE} \ + -c null 2>&1 + ret=$? 
+ html_msg $ret 30 "Exporting with [null:default] (pk12util -o)"
+ check_tmpfile
+
+ # use default as the key encryption algorithm null for the cert one
+ # should pass
+
+ echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
+ echo " -k ${R_PWFILE} -w ${R_PWFILE} -C null"
+ ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \
+ -k ${R_PWFILE} -w ${R_PWFILE} \
+ -C null 2>&1
+ ret=$?
+ html_msg $ret 0 "Exporting with [default:null] (pk12util -o)"
+ check_tmpfile
+
+}
+
+#########################################################################
+# Exports using the default key and certificate encryption ciphers.
+# Imports from and lists the contents of the p12 file.
+# Repeats the test with ECC if enabled.
+########################################################################
+tools_p12_export_list_import_with_default_ciphers()
+{
+ echo "$SCRIPTNAME: Exporting Alice's email cert & key - default ciphers"
+
+ export_list_import "DEFAULT" "DEFAULT"
+
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ echo "$SCRIPTNAME: Exporting Alice's email EC cert & key---------------"
+ echo "pk12util -o Alice-ec.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\"
+ echo " -w ${R_PWFILE}"
+ ${BINDIR}/pk12util -o Alice-ec.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \
+ -w ${R_PWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Exporting Alice's email EC cert & key (pk12util -o)"
+ check_tmpfile
+
+ echo "$SCRIPTNAME: Importing Alice's email EC cert & key --------------"
+ echo "pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
+ ${BINDIR}/pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Importing Alice's email EC cert & key (pk12util -i)"
+ check_tmpfile
+
+ echo "$SCRIPTNAME: Listing Alice's pk12 EC file -----------------"
+ echo "pk12util -l Alice-ec.p12 -w ${R_PWFILE}"
+ ${BINDIR}/pk12util -l Alice-ec.p12 -w ${R_PWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Listing Alice's pk12 EC file (pk12util -l)"
+ check_tmpfile
+ fi
+}
+
+############################## tools_p12 ###############################
+# local shell function to test basic functionality of pk12util
+########################################################################
+tools_p12()
+{
+ tools_p12_export_list_import_with_default_ciphers
+ tools_p12_export_list_import_all_pkcs5v2_ciphers
+ tools_p12_export_list_import_all_pkcs5pbe_ciphers
+ tools_p12_export_list_import_all_pkcs12v2pbe_ciphers
+ tools_p12_export_with_null_ciphers
+}
+
+############################## tools_sign ##############################
+# local shell function pk12util uses a hardcoded tmp file, if this exists
+# and is owned by another user we don't get reasonable errormessages
+########################################################################
+check_tmpfile()
+{
+ if [ $ret != "0" -a -f /tmp/Pk12uTemp ] ; then
+ echo "Error: pk12util temp file exists. Please remove this file and"
+ echo " rerun the test (/tmp/Pk12uTemp) "
+ fi
+}
+
+############################## tools_sign ##############################
+# local shell function to test basic functionality of signtool
+########################################################################
+tools_sign()
+{
+ echo "$SCRIPTNAME: Create objsign cert -------------------------------"
+ echo "signtool -G \"objectsigner\" -d ${P_R_SIGNDIR} -p \"nss\""
+ ${BINDIR}/signtool -G "objsigner" -d ${P_R_SIGNDIR} -p "nss" 2>&1 <<SIGNSCRIPT
+y
+TEST
+MOZ
+NSS
+NY
+US
+liz
+liz@moz.org
+SIGNSCRIPT
+ html_msg $? 0 "Create objsign cert (signtool -G)"
+
+ echo "$SCRIPTNAME: Signing a jar of files ----------------------------"
+ echo "signtool -Z nojs.jar -d ${P_R_SIGNDIR} -p \"nss\" -k objsigner \\"
+ echo " ${R_TOOLSDIR}/html"
+ ${BINDIR}/signtool -Z nojs.jar -d ${P_R_SIGNDIR} -p "nss" -k objsigner \
+ ${R_TOOLSDIR}/html
+ html_msg $? 0 "Signing a jar of files (signtool -Z)"
+
+ echo "$SCRIPTNAME: Listing signed files in jar ----------------------"
+ echo "signtool -v nojs.jar -d ${P_R_SIGNDIR} -p nss -k objsigner"
+ ${BINDIR}/signtool -v nojs.jar -d ${P_R_SIGNDIR} -p nss -k objsigner
+ html_msg $? 0 "Listing signed files in jar (signtool -v)"
+
+ echo "$SCRIPTNAME: Show who signed jar ------------------------------"
+ echo "signtool -w nojs.jar -d ${P_R_SIGNDIR}"
+ ${BINDIR}/signtool -w nojs.jar -d ${P_R_SIGNDIR}
+ html_msg $? 0 "Show who signed jar (signtool -w)"
+
+ echo "$SCRIPTNAME: Signing a xpi of files ----------------------------"
+ echo "signtool -Z nojs.xpi -X -d ${P_R_SIGNDIR} -p \"nss\" -k objsigner \\"
+ echo " ${R_TOOLSDIR}/html"
+ ${BINDIR}/signtool -Z nojs.xpi -X -d ${P_R_SIGNDIR} -p "nss" -k objsigner \
+ ${R_TOOLSDIR}/html
+ html_msg $? 0 "Signing a xpi of files (signtool -Z -X)"
+
+ echo "$SCRIPTNAME: Listing signed files in xpi ----------------------"
+ echo "signtool -v nojs.xpi -d ${P_R_SIGNDIR} -p nss -k objsigner"
+ ${BINDIR}/signtool -v nojs.xpi -d ${P_R_SIGNDIR} -p nss -k objsigner
+ html_msg $? 0 "Listing signed files in xpi (signtool -v)"
+
+ echo "$SCRIPTNAME: Show who signed xpi ------------------------------"
+ echo "signtool -w nojs.xpi -d ${P_R_SIGNDIR}"
+ ${BINDIR}/signtool -w nojs.xpi -d ${P_R_SIGNDIR}
+ html_msg $? 0 "Show who signed xpi (signtool -w)"
+
+}
+
+############################## tools_cleanup ###########################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+tools_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+################## main #################################################
+
+tools_init
+tools_p12
+tools_sign
+tools_cleanup
+
+
|