Bug 1808725 - land NSS NSS_3_88_BETA1 UPGRADE_NSS_RELEASE, r=nss-reviewers,jschanck

Differential Revision: https://phabricator.services.mozilla.com/D167294

build/moz.configure/nss.configure

@@ -9,7 +9,7 @@ system_lib_option("--with-system-nss", help="Use system NSS")
 imply_option("--with-system-nspr", True, when="--with-system-nss")
 
 nss_pkg = pkg_check_modules(
-    "NSS", "nss >= 3.87", when="--with-system-nss", config=False
+    "NSS", "nss >= 3.88", when="--with-system-nss", config=False
 )
 
 set_config("MOZ_SYSTEM_NSS", True, when="--with-system-nss")

security/nss/TAG-INFO

@@ -1 +1 @@
-NSS_3_87_RTM
+NSS_3_88_BETA1

security/nss/automation/abi-check/previous-nss-release

@@ -1 +1 @@
-NSS_3_86_BRANCH
+NSS_3_87_BRANCH

security/nss/automation/taskcluster/docker-acvp/Dockerfile

@@ -0,0 +1,49 @@
+# Minimal image with clang-format 3.9.
+FROM rust:1.64
+LABEL maintainer="iaroslav.gridin@tuni.fi"
+
+# for new clang/llvm
+RUN echo "deb http://ftp.debian.org/debian/ sid main" > /etc/apt/sources.list.d/sid.list \
+ && apt-get update \
+ && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    locales \
+    python-dev-is-python3 \
+    mercurial \
+    python3-pip \
+    python-setuptools \
+    build-essential \
+    cargo \
+    rustc \
+    git \
+    gyp \
+    clang-15 \
+    llvm-15 \
+    ninja-build \
+    binutils \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
+
+ENV SHELL /bin/bash
+ENV USER worker
+ENV LOGNAME $USER
+ENV HOME /home/$USER
+ENV HOSTNAME taskcluster-worker
+ENV LANG en_US.UTF-8
+ENV LC_ALL $LANG
+ENV HOST localhost
+ENV DOMSUF localdomain
+
+RUN locale-gen $LANG \
+ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
+
+RUN useradd -d $HOME -s $SHELL -m $USER
+WORKDIR $HOME
+
+ADD bin $HOME/bin
+RUN chmod +x $HOME/bin/*
+
+USER $USER
+
+# Set a default command for debugging.
+CMD ["/bin/bash", "--login"]

security/nss/automation/taskcluster/docker-acvp/bin/checkout.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+if [ $(id -u) = 0 ]; then
+    # Drop privileges by re-running this script.
+    exec su worker $0
+fi
+
+# Default values for testing.
+REVISION=${NSS_HEAD_REVISION:-default}
+REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
+
+# Clone NSS.
+hg clone -r $REVISION $REPOSITORY nss
+
+# Clone NSPR if needed.
+hg clone -r default https://hg.mozilla.org/projects/nspr
+
+if [[ -f nss/nspr.patch && "$ALLOW_NSPR_PATCH" == "1" ]]; then
+  pushd nspr
+  cat ../nss/nspr.patch | patch -p1
+  popd
+fi
+

security/nss/automation/taskcluster/docker-acvp/bin/run.sh

@@ -0,0 +1,26 @@
+#!/bin/bash -eu
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+################################################################################
+export NSS_PATH=$PWD NSS_SOURCES_PATH=$PWD/nss
+export LD_LIBRARY_PATH=$PWD/dist/Debug/lib/
+export RUST_LOG=warn
+export RUSTFLAGS="-C instrument-coverage"
+cd nss
+CC=clang-15 CXX=clang++-15 ./build.sh -g -v --sourcecov --static --disable-tests
+
+git clone --depth=1 https://gitlab.com/nisec/nss-project/acvp-rust.git
+cd acvp-rust
+cargo build
+TESTRUN="cargo run --bin test -- --profdata-command llvm-profdata-15"
+echo "AES-GCM:"
+$TESTRUN acvp-rust/samples/aes-gcm.json symmetric nss
+echo "ECDSA:"
+$TESTRUN acvp-rust/samples/ecdsa.json ecdsa nss
+echo "RSA:"
+$TESTRUN acvp-rust/samples/rsa.json rsa nss
+echo "SHA-256:"
+$TESTRUN acvp-rust/samples/sha256.json sha nss

security/nss/automation/taskcluster/graph/src/extend.js

@@ -20,6 +20,12 @@ const LINUX_INTEROP_IMAGE = {
   path: "automation/taskcluster/docker-interop"
 };
 
+const ACVP_IMAGE = {
+  name: "acvp",
+  path: "automation/taskcluster/docker-acvp"
+};
+
+
 const CLANG_FORMAT_IMAGE = {
   name: "clang-format",
   path: "automation/taskcluster/docker-clang-format"
@@ -1136,6 +1142,18 @@ async function scheduleTools() {
     ]
   }));
 
+  queue.scheduleTask(merge(base, {
+    symbol: "acvp",
+    name: "acvp",
+    image: ACVP_IMAGE,
+    command: [
+      "/bin/bash",
+      "-c",
+      "bin/checkout.sh && bin/run.sh"
+    ]
+  }));
+
+
   queue.scheduleTask(merge(base, {
     symbol: "scan-build",
     name: "scan-build",

security/nss/cmd/bltest/tests/rsa_pss/README

@@ -0,0 +1 @@
+The test vectors in this folder are used to test the RSA-PSS code. The tests 0-17 use the SHA-1 hash function, the tests 18-19 use the SHA-256 hash function, the tests 20-21 use the SHA-384 hash function. 

security/nss/cmd/bltest/tests/rsa_pss/ciphertext18

@@ -0,0 +1 @@
+lIqC19k21FCCvK9St7rh1YBrWugJI76xgKSh7XuuV0/AH6lIukcqCkODU5zIza9sRz6VluOKEvNOkscaqkCjbPVVQeNa/II0iwjcRG/XNgj1J9vNi9Lt+UiKRcO/YMoAz+UmqJTL9nbKVJEbAX3ckjDnMZZ/XzQJS87WyUFw7Ak=

security/nss/cmd/bltest/tests/rsa_pss/ciphertext19

@@ -0,0 +1 @@
+oNSdYElIrvVdpPuXWr+eDKcy2DaBoRPdCitzmoorhd2e3nc0V1VSjun5/x/UxUojVe11tcVzDhXXmZFDLT1DEF1ZIq4BUBg9Og0bHXsd93BAC8P1M15I3O1Tsw8fs711XfRy2ONarnyUF+yI2pMSvI95eKB/tPaOVyWVgkgwpm5LssAoRjxP0zE/OIVMH+jIvVeg+gf1uVh7QncCv7VuCgEOViH4mjd05Zydc6YMwbjeH5AZM778l38eZtz6Vg50x1yB/0r09KKDc9D7awIbPSU3GiDy2fbmfPIyBqwNvtZbVd1rEdCUEJiSvXOhW7Fle9FSYekTyH3Rfr/R0GKiTQ==

security/nss/cmd/bltest/tests/rsa_pss/ciphertext20

@@ -0,0 +1 @@
+L3Ad3lcyjzUFWRLBB6V8LvizEEbKA9+gBKarSAG8LViCtuoJJ5jrXTv8BMdV121JJIFNMF6YsHPa+o7n1tMwVasRCiLirvP9yORL/2THHhcNxX+AO1kpvz6IdgTueior3zRjutR3wzrwxYaJSo8WlCYSlSoDLJt4wt5aw1eOh1U=

security/nss/cmd/bltest/tests/rsa_pss/ciphertext21

@@ -0,0 +1 @@
+l3HCE9I9e21NAXYVhsvJySQVu2+pfHP+0e82Vr7ke7htBg21AsG/jWd+JpEhpVwNyA2cqDBLDQZn4YigM6HX+AqhEXxcMeFccGleb3NF5qXwtmuaFQBJyuU9/gXFEip3mldECMuLdZono0zdDgiCpz/Ep3x43aD/RzVK/tLKSbSyUROw3bKifpaSIAMYPeJ1iA2AMv2c1ON1oaKjb0GUH5bv/ZHF0uCbuShoxJHu8aYrYkeL3y1b8RQRO/e/mjpGNNZTGZTCEa6UFv7GdBO5bYZBFsfgAMkCyut74aDSNTpyr68gfGY4XXglKwpXUFw6/pkOWOG6GB+m5g0ULSrBqg==

security/nss/cmd/bltest/tests/rsa_pss/hash18

@@ -0,0 +1 @@
+sha256

security/nss/cmd/bltest/tests/rsa_pss/hash19

@@ -0,0 +1 @@
+sha256

security/nss/cmd/bltest/tests/rsa_pss/hash20

@@ -0,0 +1 @@
+sha384

security/nss/cmd/bltest/tests/rsa_pss/hash21

@@ -0,0 +1 @@
+sha384

security/nss/cmd/bltest/tests/rsa_pss/key18

@@ -0,0 +1 @@
+AAAAAQAAAACApW5KDnAQF1iaUYfcfqhB0Vby7A42rVKkTf6x5h962ZHYxRBW/+2xYrTA8oOhKoijlN/1JqtykcuzB86r/OCx39XNlQgJbVsri2311nHvY3fAkhyyPCcKcOJZjm/4nRnxBazC0/DLNfKSgOE4a29kxO8i4eHyDQzoz/siSb2aITcAAAADAQABAAAAgDOlBCqQsn1PVFHKm7vQtEdxoQGviENArvmIXypLvpLolKckrDxWjI+XhTrQfAJmyMajygkp8ejxEjGIRCn8TZrlX+6JahDOcHw+1+c05Ecno5V0UBpTJoMQnCq6yrooPDG0vS9Tw+4341LO40+eUDvYDAYirXnG3O6INUfGo7MlAAAAQOfolCcgqHdRcnOjVgU+oqG8DJSqctVcboYpay38lnlIwKcsvMyn6ss1cG4Jod9VoVNb2bPMNBYLO23NPtqOZEMAAABAtp3KHPfU1+yB51uQ/MqHSrzeEj/ScAGAqpBHm25I3o1n7ST58Z2FuidYdPVCzSDccj5pYzZKH5QlRSsmmmeZ/QAAAEAo+hOThlW+H4oVnLrKWnLqGQwwCJ4ZzSdKVW82xPbhn1VLNMB3eQQnu92N0+3iRIMo84XYGzDo5Dsv/6Anhhl5AAAAQBqLOPOY+nEgSYmNf7ee4Kd2aHkSmc36Ce/A5Qessh7XQwHvW/1IvkVerrbhZ4JVgnWAqOTo4UFR0VEKgqPy5ykAAABAJxVqukEm0kqB86Uoy/sn9WiG+ECp9uhuF6RLlP6TGVhLjiL93h5aLjvYqluo2FhBlOshkKz4MrhH8To9JKefTQ==

security/nss/cmd/bltest/tests/rsa_pss/key19

@@ -0,0 +1 @@
+AAAAAQAAAAEApd2GesTLAvkLlFfUjBSncO+ZHFbDnA7GX9Ea+ok3zqV7m+esc7RcABdhW4LWIuMYdTtgJ8D9FXvhL4CQ/uKnrc0O73WfiLpJl8ekLVjJqhLLma4AH+UhwTu1QxRFqNWuT15MfpSKwifTYEBx8g5XfpBfvrFd+vBtHeWuYlPWOmohILMaXaXavJVQYA4g8n03OeJieSX+o8xQnyHf8E5u6kVJxUDWgJ/5MH7t6R//WHM9g4WiN9bTcFoz45GQCZIHDfet8TV89+NwDONmfeg/F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5kGWC7IsXS9WNXR89dnxhNyGuBQAAAAMBAAEAAAEALS/1Z7P+dOBhkbf97W3hEikMZwaSQw1ZaRhAR9ojTJaT3u0Wc+1ClTnJadNywE1rR+D1uM7ghD5cIoNdvTsFoJl5hK5gWLEbxJB8v2fthPqa4lLfsNDNSeYY4139/lm8o93WbDPOu8d61EGqaV4T4yS1GPAcYPWoXJlK0XnyprX76TQCsRdnvgG/BzRE1rod0rylvQdNSl+uNTGtEwPYSzDYlzGMu7oE4DwuZt5tkfgvluodS7VKWq4QLVlGV/XJeJVTUSspbeop2AIxljV+PjpulY8548I0QDjqYEsx7cbw9/9ucYGlfJKCaiaPhnaOlvh4Vi/HHYXWnkSGEvcEjwAAAIDP1QKD/u65f28I1zy8ezg2+Cu81JlHn15vdv38uLOMT3Hcnoi9am92Nxr9ZdKvGGKzKvs0qV9xuLEyBD/+vjqVK691kkSBSMA/nGmx1o5M5c8yyGuvRv7TAcoatAMGmzL0VrkfcYmKsIHNjEJS71JxkVyXlLjylYUdp1EPmctz6wAAAIDMTpDSobOgZdOy0fWo/OMbVER1Zk6rVh0pcbmft774ROjsHzYLjCrINZaSlx6mo49yP8whH128sXeg/axRZKHU/3+7ToKZhjU8uYNlmhSM3UIMfTG6OCLqkKMr5GwDDowX4foK03hZ4GsKpvo7IW2cvmwOIjOXacCmFZE+XacZzwAAAIAcLR/DL2vEAE/YXf3g+7+aTDj5x8TkHeoaqII0ogHNkvO32lJlg6mK2FuzYPuYO3EeI0SdVh0XeNelFUhry/R7Rsnp4aOh93AA776wmor+R+W4V82pnLFtf/+bcS471gypbZx5c9YW1Gk0qcBQKBwAQ5nO/x233aeHZqipucsIcwAAAIDLOzwEyqWMYL59my3rs+OWQ/T1c5e+CCNqHp6vqnBlNuccOs/gHMZR8jyeBYWP7hO7aor8R99O3JpLowvOy3PQFXhSMn7niQFcLo3ue58FoPMayU62FzFkdAxclRR81fO1riy0qDeH8B2Ksx8nwtDuot2KEauQarogfEPG7hJTMQAAAIAS9rLPE3SnNvrQVhYFD5arS2HRF3x/nVJaKfPRgOd2Z+mdmavwUl0HWGYPN1JlWw8luN+EMdmo/3fBbBKgpRIqnwv3z9WiZqNcFZ+ZEgi5Axb/RE8+C2vQ6TuKeiRI6Vfj3abPzyJmsQYBOsRoCNOziHs7ADRLqslTC0znCPwytg==

security/nss/cmd/bltest/tests/rsa_pss/key20

@@ -0,0 +1 @@
+AAAAAQAAAACApW5KDnAQF1iaUYfcfqhB0Vby7A42rVKkTf6x5h962ZHYxRBW/+2xYrTA8oOhKoijlN/1JqtykcuzB86r/OCx39XNlQgJbVsri2311nHvY3fAkhyyPCcKcOJZjm/4nRnxBazC0/DLNfKSgOE4a29kxO8i4eHyDQzoz/siSb2aITcAAAADAQABAAAAgDOlBCqQsn1PVFHKm7vQtEdxoQGviENArvmIXypLvpLolKckrDxWjI+XhTrQfAJmyMajygkp8ejxEjGIRCn8TZrlX+6JahDOcHw+1+c05Ecno5V0UBpTJoMQnCq6yrooPDG0vS9Tw+4341LO40+eUDvYDAYirXnG3O6INUfGo7MlAAAAQOfolCcgqHdRcnOjVgU+oqG8DJSqctVcboYpay38lnlIwKcsvMyn6ss1cG4Jod9VoVNb2bPMNBYLO23NPtqOZEMAAABAtp3KHPfU1+yB51uQ/MqHSrzeEj/ScAGAqpBHm25I3o1n7ST58Z2FuidYdPVCzSDccj5pYzZKH5QlRSsmmmeZ/QAAAEAo+hOThlW+H4oVnLrKWnLqGQwwCJ4ZzSdKVW82xPbhn1VLNMB3eQQnu92N0+3iRIMo84XYGzDo5Dsv/6Anhhl5AAAAQBqLOPOY+nEgSYmNf7ee4Kd2aHkSmc36Ce/A5Qessh7XQwHvW/1IvkVerrbhZ4JVgnWAqOTo4UFR0VEKgqPy5ykAAABAJxVqukEm0kqB86Uoy/sn9WiG+ECp9uhuF6RLlP6TGVhLjiL93h5aLjvYqluo2FhBlOshkKz4MrhH8To9JKefTQ==

security/nss/cmd/bltest/tests/rsa_pss/key21

@@ -0,0 +1 @@
+AAAAAQAAAAEApd2GesTLAvkLlFfUjBSncO+ZHFbDnA7GX9Ea+ok3zqV7m+esc7RcABdhW4LWIuMYdTtgJ8D9FXvhL4CQ/uKnrc0O73WfiLpJl8ekLVjJqhLLma4AH+UhwTu1QxRFqNWuT15MfpSKwifTYEBx8g5XfpBfvrFd+vBtHeWuYlPWOmohILMaXaXavJVQYA4g8n03OeJieSX+o8xQnyHf8E5u6kVJxUDWgJ/5MH7t6R//WHM9g4WiN9bTcFoz45GQCZIHDfet8TV89+NwDONmfeg/F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5kGWC7IsXS9WNXR89dnxhNyGuBQAAAAMBAAEAAAEALS/1Z7P+dOBhkbf97W3hEikMZwaSQw1ZaRhAR9ojTJaT3u0Wc+1ClTnJadNywE1rR+D1uM7ghD5cIoNdvTsFoJl5hK5gWLEbxJB8v2fthPqa4lLfsNDNSeYY4139/lm8o93WbDPOu8d61EGqaV4T4yS1GPAcYPWoXJlK0XnyprX76TQCsRdnvgG/BzRE1rod0rylvQdNSl+uNTGtEwPYSzDYlzGMu7oE4DwuZt5tkfgvluodS7VKWq4QLVlGV/XJeJVTUSspbeop2AIxljV+PjpulY8548I0QDjqYEsx7cbw9/9ucYGlfJKCaiaPhnaOlvh4Vi/HHYXWnkSGEvcEjwAAAIDP1QKD/u65f28I1zy8ezg2+Cu81JlHn15vdv38uLOMT3Hcnoi9am92Nxr9ZdKvGGKzKvs0qV9xuLEyBD/+vjqVK691kkSBSMA/nGmx1o5M5c8yyGuvRv7TAcoatAMGmzL0VrkfcYmKsIHNjEJS71JxkVyXlLjylYUdp1EPmctz6wAAAIDMTpDSobOgZdOy0fWo/OMbVER1Zk6rVh0pcbmft774ROjsHzYLjCrINZaSlx6mo49yP8whH128sXeg/axRZKHU/3+7ToKZhjU8uYNlmhSM3UIMfTG6OCLqkKMr5GwDDowX4foK03hZ4GsKpvo7IW2cvmwOIjOXacCmFZE+XacZzwAAAIAcLR/DL2vEAE/YXf3g+7+aTDj5x8TkHeoaqII0ogHNkvO32lJlg6mK2FuzYPuYO3EeI0SdVh0XeNelFUhry/R7Rsnp4aOh93AA776wmor+R+W4V82pnLFtf/+bcS471gypbZx5c9YW1Gk0qcBQKBwAQ5nO/x233aeHZqipucsIcwAAAIDLOzwEyqWMYL59my3rs+OWQ/T1c5e+CCNqHp6vqnBlNuccOs/gHMZR8jyeBYWP7hO7aor8R99O3JpLowvOy3PQFXhSMn7niQFcLo3ue58FoPMayU62FzFkdAxclRR81fO1riy0qDeH8B2Ksx8nwtDuot2KEauQarogfEPG7hJTMQAAAIAS9rLPE3SnNvrQVhYFD5arS2HRF3x/nVJaKfPRgOd2Z+mdmavwUl0HWGYPN1JlWw8luN+EMdmo/3fBbBKgpRIqnwv3z9WiZqNcFZ+ZEgi5Axb/RE8+C2vQ6TuKeiRI6Vfj3abPzyJmsQYBOsRoCNOziHs7ADRLqslTC0znCPwytg==

security/nss/cmd/bltest/tests/rsa_pss/maskhash18

@@ -0,0 +1 @@
+sha256

security/nss/cmd/bltest/tests/rsa_pss/maskhash19

@@ -0,0 +1 @@
+sha256

security/nss/cmd/bltest/tests/rsa_pss/maskhash20

@@ -0,0 +1 @@
+sha384

security/nss/cmd/bltest/tests/rsa_pss/maskhash21

@@ -0,0 +1 @@
+sha384

security/nss/cmd/bltest/tests/rsa_pss/numtests

@@ -1 +1 @@
-18
+22

security/nss/cmd/bltest/tests/rsa_pss/plaintext18

@@ -0,0 +1 @@
+sHTPDreX8OBy2HI7TTylTgcp23MHZaDCzD2EvH2a2eU=

security/nss/cmd/bltest/tests/rsa_pss/plaintext19

@@ -0,0 +1 @@
++7ollkbnkxPBlmn44TwIqunTc/mhZKZBSEw+8sVi6Do=

security/nss/cmd/bltest/tests/rsa_pss/plaintext20

@@ -0,0 +1 @@
+X5EfOb/yrZEPkVDoFO8tcT+SoSb12FF81pFkh496bjQxOsTR+JB0117SKnMlETrs

security/nss/cmd/bltest/tests/rsa_pss/plaintext21

@@ -0,0 +1 @@
+9c/VD/5YZylCA6IiXXail2FiXvTM0eE0kDpqyGwqBaROdiYWxPXGIKjoueke7jpB

security/nss/cmd/bltest/tests/rsa_pss/seed18

@@ -0,0 +1 @@
+GFt1LMXU6mtkIJwKMP+Nm3l2Z9CJ1KUVKpjF9WZ+5WY=

security/nss/cmd/bltest/tests/rsa_pss/seed19

@@ -0,0 +1 @@
+xa78saDnF7JsnT1IOUVcvZvd1wXaiWMZdQ80MB41H3s=

security/nss/cmd/bltest/tests/rsa_pss/seed20

@@ -0,0 +1 @@
+taPFMNUYb279NTjWAWJUeFKsN3c4aRO0B2zcV4VfXlZenae7NRFD1GV+kivVIBk3

security/nss/cmd/bltest/tests/rsa_pss/seed21

@@ -0,0 +1 @@
+kegGyCeVFDJ2DtrL/DKfeTFjodxhcehNAjtluf09+2WS0uD3Lce3V9Knl4I1VlBS

security/nss/cmd/lowhashtest/Makefile

@@ -28,9 +28,6 @@ include $(CORE_DEPTH)/coreconf/config.mk
 #######################################################################
 
 
-include ../platlibs.mk
-
-
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
@@ -50,12 +47,7 @@ EXTRA_LIBS += \
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib \
 	-L$(NSSUTIL_LIB_DIR) \
-	-lnssutil3 \
 	-lfreebl3 \
-	-L$(NSPR_LIB_DIR) \
-	-lplc4 \
-	-lplds4 \
-	-lnspr4 \
 	$(NULL)
 
 #######################################################################

security/nss/cmd/lowhashtest/lowhashtest.c

@@ -2,19 +2,85 @@
 #include <string.h>
 #include <assert.h>
 
-#include "nspr.h"
-
 /* nss headers */
-#include "prtypes.h"
-#include "plgetopt.h"
 #include "hasht.h"
 #include "nsslowhash.h"
 #include "secport.h"
-#include "hasht.h"
-#include "basicutil.h"
 
 static char *progName = NULL;
 
+/* can't call NSPR or NSSUtil directly, so just include
+ * our own versions of SECU_ functions in basicutil.c.
+ * We need this test program to link without those functions
+ * so we can test that everyting works in a freebl only
+ * environment */
+const char *hex = "0123456789abcdef";
+
+const char printable[257] = {
+    "................"  /* 0x */
+    "................"  /* 1x */
+    " !\"#$%&'()*+,-./" /* 2x */
+    "0123456789:;<=>?"  /* 3x */
+    "@ABCDEFGHIJKLMNO"  /* 4x */
+    "PQRSTUVWXYZ[\\]^_" /* 5x */
+    "`abcdefghijklmno"  /* 6x */
+    "pqrstuvwxyz{|}~."  /* 7x */
+    "................"  /* 8x */
+    "................"  /* 9x */
+    "................"  /* ax */
+    "................"  /* bx */
+    "................"  /* cx */
+    "................"  /* dx */
+    "................"  /* ex */
+    "................"  /* fx */
+};
+
+static void
+SECU_PrintBuf(FILE *out, const char *msg, const void *vp, int len)
+{
+    const unsigned char *cp = (const unsigned char *)vp;
+    char buf[80];
+    char *bp;
+    char *ap;
+
+    fprintf(out, "%s [Len: %d]\n", msg, len);
+    memset(buf, ' ', sizeof buf);
+    bp = buf;
+    ap = buf + 50;
+    while (--len >= 0) {
+        unsigned char ch = *cp++;
+        *bp++ = hex[(ch >> 4) & 0xf];
+        *bp++ = hex[ch & 0xf];
+        *bp++ = ' ';
+        *ap++ = printable[ch];
+        if (ap - buf >= 66) {
+            *ap = 0;
+            fprintf(out, "   %s\n", buf);
+            memset(buf, ' ', sizeof buf);
+            bp = buf;
+            ap = buf + 50;
+        }
+    }
+    if (bp > buf) {
+        *ap = 0;
+        fprintf(out, "   %s\n", buf);
+    }
+}
+
+/* simple version o print error */
+static void
+SECU_PrintError(const char *prog, const char *string)
+{
+    fprintf(stderr, "%s: %s", prog, string);
+}
+
+/* simple version o print error */
+static void
+SECU_PrintError3(const char *prog, const char *string, const char *string2)
+{
+    fprintf(stderr, "%s: %s %s\n", prog, string, string2);
+}
+
 static int
 test_long_message(NSSLOWInitContext *initCtx,
                   HASH_HashType algoType, unsigned int hashLen,
@@ -28,7 +94,7 @@ test_long_message(NSSLOWInitContext *initCtx,
      * buffer and call update 1,000 times.
      */
     unsigned char buf[1000];
-    (void)PORT_Memset(buf, 'a', sizeof(buf));
+    (void)memset(buf, 'a', sizeof(buf));
 
     ctx = NSSLOWHASH_NewContext(initCtx, algoType);
     if (ctx == NULL) {
@@ -42,8 +108,8 @@ test_long_message(NSSLOWInitContext *initCtx,
     }
 
     NSSLOWHASH_End(ctx, results, &len, hashLen);
-    PR_ASSERT(len == hashLen);
-    PR_ASSERT(PORT_Memcmp(expected, results, hashLen) == 0);
+    assert(len == hashLen);
+    assert(PORT_Memcmp(expected, results, hashLen) == 0);
     if (PORT_Memcmp(expected, results, len) != 0) {
         SECU_PrintError(progName, "Hash mismatch\n");
         SECU_PrintBuf(stdout, "Expected: ", expected, hashLen);
@@ -140,8 +206,8 @@ testMessageDigest(NSSLOWInitContext *initCtx,
     NSSLOWHASH_Begin(ctx);
     NSSLOWHASH_Update(ctx, message, PORT_Strlen((const char *)message));
     NSSLOWHASH_End(ctx, results, &len, hashLen);
-    PR_ASSERT(len == hashLen);
-    PR_ASSERT(PORT_Memcmp(expected, results, len) == 0);
+    assert(len == hashLen);
+    assert(PORT_Memcmp(expected, results, len) == 0);
 
     if (PORT_Memcmp(expected, results, len) != 0) {
         SECU_PrintError(progName, "Hash mismatch\n");
@@ -425,7 +491,7 @@ main(int argc, char **argv)
     } else if (strcmp(argv[1], "SHA512") == 0) {
         rv += testSHA512(initCtx);
     } else {
-        SECU_PrintError(progName, "Unsupported hash type %s\n", argv[0]);
+        SECU_PrintError3(progName, "Unsupported hash type", argv[0]);
         Usage();
     }
 

security/nss/cmd/lowhashtest/manifest.mn

@@ -6,7 +6,7 @@ CORE_DEPTH = ../..
 
 MODULE = nss
 
-REQUIRES = seccmd dbm softoken
+REQUIRES = 
 
 INCLUDES += -I$(CORE_DEPTH)/nss/lib/freebl
 
@@ -16,4 +16,3 @@ CSRCS = \
 	lowhashtest.c \
 	$(NULL)
 
-USE_STATIC_LIBS = 1

security/nss/coreconf/coreconf.dep

@@ -10,3 +10,4 @@
  */
 
 #error "Do not include this header file."
+

security/nss/coreconf/fuzz.sh

@@ -23,18 +23,13 @@ if [ "$fuzz_oss" = 1 ]; then
   gyp_params+=(-Dno_zdefs=1 -Dfuzz_oss=1)
 else
   enable_sanitizer asan
+  enable_sanitizer fuzzer
   # Ubsan only builds on x64 for the moment.
   if [ "$target_arch" = "x64" ]; then
     enable_ubsan
   fi
-  enable_sancov
 fi
 
 if [ "$fuzz_tls" = 1 ]; then
   gyp_params+=(-Dfuzz_tls=1)
 fi
-
-if [ ! -f "/usr/lib/libFuzzingEngine.a" ]; then
-  echo "Cloning libFuzzer files ..."
-  run_verbose "$cwd"/fuzz/config/clone_libfuzzer.sh
-fi

security/nss/coreconf/sanitizers.py

@@ -5,7 +5,7 @@ import sys
 
 def main():
     if len(sys.argv) < 2:
-        raise Exception('Specify either "asan", "msan", "sancov", "sourcecov" or "ubsan" as argument.')
+        raise Exception('Specify either "asan", "fuzzer", "msan", "sancov", "sourcecov" or "ubsan" as argument.')
 
     sanitizer = sys.argv[1]
     if sanitizer == "ubsan":
@@ -29,8 +29,11 @@ def main():
     if sanitizer == "sourcecov":
         print('-fprofile-instr-generate -fcoverage-mapping', end='')
         return
+    if sanitizer == "fuzzer":
+        print('-fsanitize=fuzzer-no-link ', end='')
+        return
 
-    raise Exception('Specify either "asan", "msan", "sancov", "sourcecov" or "ubsan" as argument.')
+    raise Exception('Specify either "asan", "fuzzer", "msan", "sancov", "sourcecov" or "ubsan" as argument.')
 
 if __name__ == '__main__':
     main()

security/nss/doc/rst/build.rst

@@ -20,7 +20,7 @@ Building NSS
 
 .. container::
 
-   NSS needs a C and C++ compiler.  It has minimal dependencies, including only
+   NSS needs a C and C++ compiler.  It has minimal dependencies, including only
    standard C and C++ libraries, plus `zlib <https://www.zlib.net/>`__.
    For building, you also need `make <https://www.gnu.org/software/make/>`__.
    Ideally, also install `gyp-next <https://github.com/nodejs/gyp-next>`__ and `ninja
@@ -34,14 +34,14 @@ Building NSS
 
    **On Linux:**
 
-   .. code:: notranslate
+   .. code::
 
       sudo apt install mercurial git ninja-build python3-pip
       python3 -m pip install gyp-next
 
    **On MacOS:**
 
-   .. code:: notranslate
+   .. code::
 
       brew install mercurial git ninja python3-pip
       python3 -m pip install gyp-next
@@ -51,13 +51,13 @@ Building NSS
    The Homebrew Python installation has the necessary symlink but may require
    explicit adding to the PATH variable, for example like this:
 
-   .. code:: notranslate
+   .. code::
 
       export PATH="/opt/homebrew/opt/python/libexec/bin:$PATH"
 
    **On Windows:**
 
-   .. code:: notranslate
+   .. code::
 
       <TODO>
 
@@ -96,7 +96,7 @@ Building NSS
    check out the latest sources for NSS and NSPR--which may not be part of a
    stable release--use the following commands:
 
-   .. code:: notranslate
+   .. code::
 
       hg clone https://hg.mozilla.org/projects/nspr
       hg clone https://hg.mozilla.org/projects/nss
@@ -107,7 +107,7 @@ Building NSS
 
    To download the source using ``git-cinnabar`` instead:
 
-   .. code:: notranslate
+   .. code::
 
       git clone hg::https://hg.mozilla.org/projects/nspr
       git clone hg::https://hg.mozilla.org/projects/nss
@@ -120,7 +120,7 @@ Building NSS
 
    Build NSS and NSPR using our build script from the ``nss`` directory:
 
-   .. code:: notranslate
+   .. code::
 
       cd nss
       ./build.sh
@@ -143,7 +143,7 @@ Building NSS
    Alternatively, there is a ``make`` target, which produces a similar
    result. This supports some alternative options, but can be a lot slower.
 
-   .. code:: notranslate
+   .. code::
 
       USE_64=1 make -j
 
@@ -181,10 +181,10 @@ Building NSS
 
 .. container::
 
-   NSS contains extensive unit tests.  Scripts to run these are found in the ``tests`` directory. 
+   NSS contains extensive unit tests.  Scripts to run these are found in the ``tests`` directory. 
    Run the standard suite by:
 
-   .. code:: notranslate
+   .. code::
 
       HOST=localhost DOMSUF=localdomain USE_64=1 ./tests/all.sh
 
@@ -204,7 +204,7 @@ Building NSS
    If you don't have a domain suffix you can add an entry to ``/etc/hosts`` (on
    Windows,\ ``c:\Windows\System32\drivers\etc\hosts``) as follows:
 
-   .. code:: notranslate
+   .. code::
 
       127.0.0.1 localhost.localdomain
 
@@ -221,7 +221,7 @@ Building NSS
 
    Running all tests can take a considerable amount of time.
 
-   Test output is stored in ``tests_results/security/$HOST.$NUMBER/``.  The file
+   Test output is stored in ``tests_results/security/$HOST.$NUMBER/``.  The file
    ``results.html`` summarizes the results, ``output.log`` captures all the test
    output.
 

security/nss/doc/rst/build_artifacts.rst

@@ -63,7 +63,7 @@ Build artifacts
    libraries:
 
    ======= ======== ===============================
-           Windows  Unix
+           Windows  Unix
    static  ``.lib`` ``.a``
    dynamic ``.dll`` ``.so`` or ``.dylib`` or ``.sl``
    ======= ======== ===============================

security/nss/doc/rst/legacy/blank_function/index.rst

@@ -12,7 +12,7 @@ Function_Name
 
 .. container::
 
-   .. code:: notranslate
+   .. code::
 
       #include <headers.h>
       ReturnType Function_Name(

security/nss/doc/rst/legacy/building/index.rst

@@ -19,12 +19,12 @@ Building NSS
 
 .. container::
 
-   NSS needs a C and C++ compiler.  It has minimal dependencies, including only standard C and C++
+   NSS needs a C and C++ compiler.  It has minimal dependencies, including only standard C and C++
    libraries, plus `zlib <https://www.zlib.net/>`__.
 
-   For building, you also need `make <https://www.gnu.org/software/make/>`__.  Ideally, also install
+   For building, you also need `make <https://www.gnu.org/software/make/>`__.  Ideally, also install
    `gyp <https://gyp.gsrc.io/>`__ and `ninja <https://ninja-build.org/>`__ and put them on your
-   path.  This is recommended, as the build is faster and more reliable.
+   path.  This is recommended, as the build is faster and more reliable.
 
 `Windows <#windows>`__
 ~~~~~~~~~~~~~~~~~~~~~~
@@ -50,7 +50,7 @@ Building NSS
    latest sources for NSS and NSPR--which may not be part of a stable release--use the following
    commands:
 
-   .. code:: notranslate
+   .. code::
 
       hg clone https://hg.mozilla.org/projects/nspr
       hg clone https://hg.mozilla.org/projects/nss
@@ -64,7 +64,7 @@ Building NSS
 
    Build NSS using our build script:
 
-   .. code:: notranslate
+   .. code::
 
       nss/build.sh
 
@@ -78,9 +78,9 @@ Building NSS
 .. container::
 
    Alternatively, there is a ``make`` target called "nss_build_all", which produces a similar
-   result.  This supports some alternative options, but can be a lot slower.
+   result.  This supports some alternative options, but can be a lot slower.
 
-   .. code:: notranslate
+   .. code::
 
       make -C nss nss_build_all USE_64=1
 
@@ -113,10 +113,10 @@ Building NSS
 
 .. container::
 
-   NSS contains extensive unit tests.  Scripts to run these are found in the ``tests`` directory. 
+   NSS contains extensive unit tests.  Scripts to run these are found in the ``tests`` directory. 
    Run the standard suite by:
 
-   .. code:: notranslate
+   .. code::
 
       HOST=localhost DOMSUF=localdomain USE_64=1 nss/tests/all.sh
 
@@ -135,7 +135,7 @@ Building NSS
    If you don't have a domain suffix you can add an entry to ``/etc/hosts`` (on
    Windows,\ ``c:\Windows\System32\drivers\etc\hosts``) as follows:
 
-   .. code:: notranslate
+   .. code::
 
       127.0.0.1 localhost.localdomain
 
@@ -152,7 +152,7 @@ Building NSS
 
    Running all tests can take a considerable amount of time.
 
-   Test output is stored in ``tests_results/security/$HOST.$NUMBER/``.  The file ``results.html``
+   Test output is stored in ``tests_results/security/$HOST.$NUMBER/``.  The file ``results.html``
    summarizes the results, ``output.log`` captures all the test output.
 
    Other subdirectories of ``nss/tests`` contain scripts that run a subset of the full suite. Those

security/nss/doc/rst/legacy/cert_findcertbydercert/index.rst

@@ -12,7 +12,7 @@ CERT_FindCertByDERCert
 
 .. container::
 
-   .. code:: notranslate
+   .. code::
 
       #include <cert.h>
       CERTCertificate *CERT_FindCertByDERCert(
@@ -38,7 +38,7 @@ CERT_FindCertByDERCert
 
 .. container::
 
-   This function looks in the ?NSSCryptoContext? and the ?NSSTrustDomain? to find the certificate
+   This function looks in the ?NSSCryptoContext? and the ?NSSTrustDomain? to find the certificate
    that matches the DER-encoded certificate. A match is found when the issuer and serial number of
    the DER-encoded certificate are found on a certificate in the certificate database.
 

security/nss/doc/rst/legacy/cert_findcertbyissuerandsn/index.rst

@@ -12,7 +12,7 @@ CERT_FindCertByIssuerAndSN
 
 .. container::
 
-   .. code:: notranslate
+   .. code::
 
       #include <cert.h>
       CERTCertificate *CERT_FindCertByIssuerAndSN (
@@ -58,7 +58,7 @@ CERT_FindCertByIssuerAndSN
 
 .. container::
 
-   .. code:: notranslate
+   .. code::
 
       CERTIssuerAndSN issuerSN;
       issuerSN.derIssuer.data = caName->data;

security/nss/doc/rst/legacy/certificate_download_specification/index.rst

@@ -43,9 +43,9 @@ NSS Certificate Download Specification
       :ref:`mozilla_projects_nss_certificate_download_specification#object_identifiers`). The
       ``content`` field is the following ASN.1 structure:
 
-   .. code:: eval
+   .. code::
 
-         CertificateSequence ::= SEQUENCE OF Certificate
+         CertificateSequence ::= SEQUENCE OF Certificate
 
    See the section below on
    :ref:`mozilla_projects_nss_certificate_download_specification#importing_certificate_chains` for
@@ -61,7 +61,7 @@ NSS Certificate Download Specification
    Any of the above :ref:`mozilla_projects_nss_certificate_download_specification#binary_formats`
    can also be imported in text form. The text form begins with the following line:
 
-   .. code:: eval
+   .. code::
 
          -----BEGIN CERTIFICATE-----
 
@@ -71,7 +71,7 @@ NSS Certificate Download Specification
    1113 <https://datatracker.ietf.org/doc/html/rfc1113>`__. Following the data should be the
    following line:
 
-   .. code:: eval
+   .. code::
 
          -----END CERTIFICATE-----
 
@@ -168,19 +168,19 @@ NSS Certificate Download Specification
 
    The base of all Netscape object ids is:
 
-   .. code:: eval
+   .. code::
 
-         netscape OBJECT IDENTIFIER ::= { 2 16 840 1 113730 }
+         netscape OBJECT IDENTIFIER ::= { 2 16 840 1 113730 }
 
    The hexadecimal byte value of this OID when DER encoded is:
 
-   .. code:: eval
+   .. code::
 
          0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42
 
    The following OIDs are mentioned in this document:
 
-   .. code:: eval
+   .. code::
 
-         netscape-data-type     OBJECT IDENTIFIER :: = { netscape 2 }
-         netscape-cert-sequence OBJECT IDENTIFIER :: = { netscape-data-type 5 }
+         netscape-data-type     OBJECT IDENTIFIER :: = { netscape 2 }
+         netscape-cert-sequence OBJECT IDENTIFIER :: = { netscape-data-type 5 }

security/nss/doc/rst/legacy/certverify_log/index.rst

@@ -15,7 +15,7 @@ NSS CERTVerify Log
 
    To create a log:
 
-   .. code:: eval
+   .. code::
 
       #include "secport.h"
       #include "certt.h"
@@ -34,7 +34,7 @@ NSS CERTVerify Log
 
    Each entry is a CERTVerifyLogNode. Defined in certt.h:
 
-   .. code:: eval
+   .. code::
 
       /*
        * This structure is used to keep a log of errors when verifying

security/nss/doc/rst/legacy/code_coverage/index.rst

@@ -58,7 +58,7 @@ NSS Code Coverage
    -  Example: Not tested (0/?/878).
 
       -  0 - tested blocks in file (always 0).
-      -   ? - total blocks in file (there is no trivial method to get this number without TCOV).
+      -   ? - total blocks in file (there is no trivial method to get this number without TCOV).
       -  878 - total lines in file (by wc -l command).
 
    .. rubric:: Numbers in total count

security/nss/doc/rst/legacy/fips_mode_-_an_explanation/index.rst

@@ -5,9 +5,9 @@ FIPS Mode - an explanation
 
 .. container::
 
-   NSS has a "FIPS Mode" that can be enabled when NSS is compiled in a specific way. (Note: Mozilla
+   NSS has a "FIPS Mode" that can be enabled when NSS is compiled in a specific way. (Note: Mozilla
    does not distribute a "FIPS Mode"-ready NSS with Firefox.) This page attempts to provide an
-   informal explanation of what it is, who would use it, and why. 
+   informal explanation of what it is, who would use it, and why. 
 
 .. _what's_a_fips:
 
@@ -17,69 +17,69 @@ FIPS Mode - an explanation
 .. container::
 
    The United States government defines many (several hundred) "Federal Information Processing
-   Standard" (FIPS) documents.  (FIPS sounds plural, but is singular; one FIPS document is a FIPS,
-   not a FIP.)  FIPS documents define rules, regulations, and standards for many aspects of handling
-   of information by computers and by people.  They apply to all US government employees and
-   personnel, including soldiers in the armed forces.  Generally speaking, any use of a computer by
-   US government personnel must conform to all the relevant FIPS regulations.  If you're a
-   US government worker, and you want to use a Mozilla software product such as Firefox, or any
+   Standard" (FIPS) documents.  (FIPS sounds plural, but is singular; one FIPS document is a FIPS,
+   not a FIP.)  FIPS documents define rules, regulations, and standards for many aspects of handling
+   of information by computers and by people.  They apply to all US government employees and
+   personnel, including soldiers in the armed forces.  Generally speaking, any use of a computer by
+   US government personnel must conform to all the relevant FIPS regulations.  If you're a
+   US government worker, and you want to use a Mozilla software product such as Firefox, or any
    product that uses NSS, you will want to use it in a way that is fully conformant with all the
-   relevant FIPS regulations.  Some other governments have also adopted many of the FIPS
-   regulations, so their applicability is somewhat wider than just the US government's personnel.
+   relevant FIPS regulations.  Some other governments have also adopted many of the FIPS
+   regulations, so their applicability is somewhat wider than just the US government's personnel.
 
 .. _what_is_fips_mode:
 
-`What is "FIPS Mode"? <#what_is_fips_mode>`__
+`What is "FIPS Mode"? <#what_is_fips_mode>`__
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 .. container::
 
-   One of the FIPS regulations, FIPS 140, governs the use of encryption and cryptographic services. 
-   It requires that ALL cryptography done by US government personnel MUST be done in "devices" that
+   One of the FIPS regulations, FIPS 140, governs the use of encryption and cryptographic services. 
+   It requires that ALL cryptography done by US government personnel MUST be done in "devices" that
    have been independently tested, and certified by NIST, to meet the extensive requirements of that
-   document.  These devices may be hardware or software, but either way, they must function and
-   behave as prescribed.  So, in order for Mozilla Firefox and Thunderbird to be usable by people
+   document.  These devices may be hardware or software, but either way, they must function and
+   behave as prescribed.  So, in order for Mozilla Firefox and Thunderbird to be usable by people
    who are subject to the FIPS regulations, Mozilla's cryptographic software must be able to operate
-   in a mode that is fully compliant with FIPS 140.  To that end, Mozilla products can function in a
-   "FIPS Mode", which is really "FIPS 140 Mode", when paired with a compliant copy of NSS.  (Note,
-   the current version of FIPS 140 is revision 2, a.k.a. FIPS 140-2.  FIPS 140-3 is being devised by
-   NIST now for adoption in the future.)  Users who are subject to the FIPS regulations must ensure
-   that they have Mozilla's FIPS Mode enabled when they use Mozilla software, in order to be fully
-   conformant.  Instructions for how to configure Firefox into FIPS mode may be found on
+   in a mode that is fully compliant with FIPS 140.  To that end, Mozilla products can function in a
+   "FIPS Mode", which is really "FIPS 140 Mode", when paired with a compliant copy of NSS.  (Note,
+   the current version of FIPS 140 is revision 2, a.k.a. FIPS 140-2.  FIPS 140-3 is being devised by
+   NIST now for adoption in the future.)  Users who are subject to the FIPS regulations must ensure
+   that they have Mozilla's FIPS Mode enabled when they use Mozilla software, in order to be fully
+   conformant.  Instructions for how to configure Firefox into FIPS mode may be found on
    `support.mozilla.com <https://support.mozilla.com/en-US/kb/Configuring+Firefox+for+FIPS+140-2>`__.
 
 .. _is_nss_fips-140_compliant:
 
-`Is NSS FIPS-140 compliant? <#is_nss_fips-140_compliant>`__
+`Is NSS FIPS-140 compliant? <#is_nss_fips-140_compliant>`__
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 .. container::
 
    Mozilla's NSS cryptographic software has been tested by government-approved independent testing
-   labs and certified by NIST as being FIPS 140 compliant *when operated in FIPS mode* on 4 previous
-   occasions.  As of this writing, NSS is now being retested to be recertified for the fifth time. 
-   NSS was the first open source cryptographic library to be FIPS certified.  
+   labs and certified by NIST as being FIPS 140 compliant *when operated in FIPS mode* on 4 previous
+   occasions.  As of this writing, NSS is now being retested to be recertified for the fifth time. 
+   NSS was the first open source cryptographic library to be FIPS certified.  
 
 .. _what_is_fips_mode_all_about:
 
-`What is FIPS Mode all about?  <#what_is_fips_mode_all_about>`__
+`What is FIPS Mode all about?  <#what_is_fips_mode_all_about>`__
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 .. container::
 
-   A FIPS-140 compliant application must do ALL of its cryptography in a FIPS-140 certified
-   "device".  Whether it is hardware or software, that device will have all the cryptographic
-   engines in it, and also will stores keys and perhaps certificates inside.  The device must have a
+   A FIPS-140 compliant application must do ALL of its cryptography in a FIPS-140 certified
+   "device".  Whether it is hardware or software, that device will have all the cryptographic
+   engines in it, and also will stores keys and perhaps certificates inside.  The device must have a
    way for users to authenticate to it (to "login" to it), to prove to it that they are authorized
-   to use the cryptographic engines and keys it contains.  It may not do ANY cryptographic
+   to use the cryptographic engines and keys it contains.  It may not do ANY cryptographic
    operations that involve the use of cryptographic keys, nor allow ANY of the keys or certificates
-   it holds to be seen or used, except when a user has successfully authenticated to it.  If users
-   authenticate to it with a password, it must ensure that their passwords are strong passwords.  It
-   must implement the US government standard algorithms (also specified in other FIPS documents)
+   it holds to be seen or used, except when a user has successfully authenticated to it.  If users
+   authenticate to it with a password, it must ensure that their passwords are strong passwords.  It
+   must implement the US government standard algorithms (also specified in other FIPS documents)
    such as AES, triple-DES, SHA-1 and SHA-256, that are needed to do whatever job the application
-   wants it to perform.  It must generate or derive cryptographic keys and store them internally. 
+   wants it to perform.  It must generate or derive cryptographic keys and store them internally. 
    Except for "public keys", it must not allow any keys to leave it (to get outside of it) unless
-   they are encrypted ("wrapped") in a special way.  This makes it difficult to move keys from one
+   they are encrypted ("wrapped") in a special way.  This makes it difficult to move keys from one
    device to another, and consequently, all crypto engines and key storage must be in a single
    device rather than being split up into several devices.
 
@@ -90,28 +90,28 @@ FIPS Mode - an explanation
 
 .. container::
 
-   These requirements have several implications for users.  In FIPS Mode, every user must have a
+   These requirements have several implications for users.  In FIPS Mode, every user must have a
    good strong "master password", and must enter it each time they start or restart Firefox before
-   they can visit any web sites that use cryptography (https).  Firefox can only use the latest
-   version of SSL, known as "TLS", and not the older SSL 2 or SSL 3.0 protocols, and Firefox can
-   only talk to those servers that use FIPS standard encryption algorithms such as AES or
-   triple-DES.  Servers that can only use non-FIPS-approved encryption, such as RC4, cannot be used
-   in FIPS mode.  
+   they can visit any web sites that use cryptography (https).  Firefox can only use the latest
+   version of SSL, known as "TLS", and not the older SSL 2 or SSL 3.0 protocols, and Firefox can
+   only talk to those servers that use FIPS standard encryption algorithms such as AES or
+   triple-DES.  Servers that can only use non-FIPS-approved encryption, such as RC4, cannot be used
+   in FIPS mode.  
 
 .. _how_is_fips_mode_different_from_normal_non-fips_mode:
 
-`How is FIPS Mode different from normal non-FIPS Mode? <#how_is_fips_mode_different_from_normal_non-fips_mode>`__
+`How is FIPS Mode different from normal non-FIPS Mode? <#how_is_fips_mode_different_from_normal_non-fips_mode>`__
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 .. container::
 
    In normal non-FIPS Mode, the "master password" is optional and is allowed to be a weak short
-   password.  The user is only required to enter his master password to use his own private keys (if
-   he has any) or to access his stored web-site passwords.  The user is not required to enter the
+   password.  The user is only required to enter his master password to use his own private keys (if
+   he has any) or to access his stored web-site passwords.  The user is not required to enter the
    master password to visit ordinary https servers, nor to view certificates he has previously
-   stored.  In non-FIPS mode, NSS is willing and able to use popular non-FIPS approved cryptographic
-   algorithms, such as RC4 and MD5, to communicate with older https servers.  NSS divides its
-   operations up into two "devices" rather than just one.  One device does all the operations that
+   stored.  In non-FIPS mode, NSS is willing and able to use popular non-FIPS approved cryptographic
+   algorithms, such as RC4 and MD5, to communicate with older https servers.  NSS divides its
+   operations up into two "devices" rather than just one.  One device does all the operations that
    may be done without needing to authenticate, and the other device stores the user's certificates
    and private keys and performs operations that use those private keys.
 
@@ -122,7 +122,7 @@ FIPS Mode - an explanation
 
 .. container::
 
-   Instructions for how to configure Firefox into FIPS mode may be found on
+   Instructions for how to configure Firefox into FIPS mode may be found on
    `support.mozilla.com <https://support.mozilla.com/en-US/kb/Configuring+Firefox+for+FIPS+140-2>`__.
    Some third-parties distribute Firefox ready for FIPS mode, `a partial list can be found at the
    NSS

security/nss/doc/rst/legacy/http_delegation/index.rst

@@ -20,7 +20,7 @@ HTTP delegation
    an OSCP responder.
 
    This NSS feature is currently targeted to first appear in NSS version 3.11.1. More details can be
-   found in `bug 152426 <https://bugzilla.mozilla.org/show_bug.cgi?id=152426>`__.
+   found in `bug 152426 <https://bugzilla.mozilla.org/show_bug.cgi?id=152426>`__.
 
    In order to use the HTTP Delegation feature in your NSS-based application, you need to implement
    several callback functions. Your callback functions might be a full implementation of a HTTP
@@ -32,7 +32,7 @@ HTTP delegation
    with SEC_Http.
 
    To find an example implementation, you may look at
-   `bug 111384 <https://bugzilla.mozilla.org/show_bug.cgi?id=111384>`__, which tracks the
+   `bug 111384 <https://bugzilla.mozilla.org/show_bug.cgi?id=111384>`__, which tracks the
    implementation in Mozilla client applications.
 
 .. _instructions_for_specifying_an_ocsp_proxy:

security/nss/doc/rst/legacy/http_delegation_clone/index.rst

@@ -20,7 +20,7 @@ HTTP delegation
    an OSCP responder.
 
    This NSS feature is currently targeted to first appear in NSS version 3.11.1. More details can be
-   found in `bug 152426 <https://bugzilla.mozilla.org/show_bug.cgi?id=152426>`__.
+   found in `bug 152426 <https://bugzilla.mozilla.org/show_bug.cgi?id=152426>`__.
 
    In order to use the HTTP Delegation feature in your NSS-based application, you need to implement
    several callback functions. Your callback functions might be a full implementation of a HTTP
@@ -32,7 +32,7 @@ HTTP delegation
    with SEC_Http.
 
    To find an example implementation, you may look at
-   `bug 111384 <https://bugzilla.mozilla.org/show_bug.cgi?id=111384>`__, which tracks the
+   `bug 111384 <https://bugzilla.mozilla.org/show_bug.cgi?id=111384>`__, which tracks the
    implementation in Mozilla client applications.
 
 .. _instructions_for_specifying_an_ocsp_proxy:

security/nss/doc/rst/legacy/introduction_to_network_security_services/index.rst

@@ -53,7 +53,7 @@ Introduction to Network Security Services
    Windows and Unix use different naming conventions for static and dynamic libraries:
 
    ======= ======== ==================
-           Windows  Unix
+           Windows  Unix
    static  ``.lib`` ``.a``
    dynamic ``.dll`` ``.so`` or ``.sl``
    ======= ======== ==================

security/nss/doc/rst/legacy/jss/4.3.1_release_notes/index.rst

@@ -30,11 +30,11 @@
 
 .. container::
 
-    A list of bug fixes and enhancement requests were implemented in this release can be obtained by
+    A list of bug fixes and enhancement requests were implemented in this release can be obtained by
    running this `bugzilla
    query <http://bugzilla.mozilla.org/buglist.cgi?product=JSS&target_milestone=4.3.1&target_milestone=4.3.1&bug_status=RESOLVED&resolution=FIXED>`__
 
-   **JSS 4.3.1 requires :ref:`mozilla_projects_nss_3_12_5_release_notes` or higher.**
+   **JSS 4.3.1 requires :ref:`mozilla_projects_nss_3_12_5_release_notes` or higher.**
 
    .. rubric:: SSL3 & TLS Renegotiation Vulnerability
       :name: ssl3_tls_renegotiation_vulnerability
@@ -44,7 +44,7 @@
    vulnerability.
 
    All SSL/TLS renegotiation is disabled by default in NSS 3.12.5 and therefore will be disabled by
-   default with JSS 4.3.1. This will cause programs that attempt to perform renegotiation to
+   default with JSS 4.3.1. This will cause programs that attempt to perform renegotiation to
    experience failures where they formerly experienced successes, and is necessary for them to not
    be vulnerable, until such time as a new safe renegotiation scheme is standardized by the IETF.
 
@@ -71,11 +71,11 @@
    .. rubric:: Explicitly set the key usage for the generated private key
       :name: explicitly_set_the_key_usage_for_the_generated_private_key
 
-   |  In PKCS #11, each keypair can be marked with the operations it will
-   |  be used to perform. Some tokens require that a key be marked for
-   |  an operation before the key can be used to perform that operation;
-   |  other tokens don't care. NSS/JSS provides a way to specify a set of
-   |  flags and a corresponding mask for these flags.
+   |  In PKCS #11, each keypair can be marked with the operations it will
+   |  be used to perform. Some tokens require that a key be marked for
+   |  an operation before the key can be used to perform that operation;
+   |  other tokens don't care. NSS/JSS provides a way to specify a set of
+   |  flags and a corresponding mask for these flags.
 
    -  see generateECKeyPairWithOpFlags
    -  see generateRSAKeyPairWithOpFlags
@@ -92,10 +92,10 @@
    -  The CVS tag for the JSS 4.3.1 release is ``JSS_4_3_1_RTM``.
    -  Source tarballs are available from
       `ftp://ftp.mozilla.org/pub/mozilla.or...-4.3.1.tar.bz2 <ftp://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/JSS_4_3_1_RTM/src/jss-4.3.1.tar.bz2>`__
-   -  Binary releases are no longer available on mozilla. JSS is a JNI library we provide the
+   -  Binary releases are no longer available on mozilla. JSS is a JNI library we provide the
       jss4.jar but expect you to build the JSS's matching JNI shared library. We provide the
-      jss4.jar in case you do not want to obtain your own JCE code signing certificate. JSS is a
-      JCE provider and therefore the jss4.jar must be signed.
+      jss4.jar in case you do not want to obtain your own JCE code signing certificate. JSS is a
+      JCE provider and therefore the jss4.jar must be signed.
       `ftp://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/JSS_4_3_1_RTM <ftp://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/JSS_4_3_1_RTM/>`__.
 
 `Documentation <#documentation>`__
@@ -111,8 +111,8 @@
    -  Read the instructions on `using JSS </using_jss.html>`__.
    -  Source may be viewed with a browser (via the MXR tool) at
       http://mxr.mozilla.org/mozilla/source/security/jss/
-   -  The RUN TIME behavior of JSS can be affected by the
-      :ref:`mozilla_projects_nss_reference_nss_environment_variables`. 
+   -  The RUN TIME behavior of JSS can be affected by the
+      :ref:`mozilla_projects_nss_reference_nss_environment_variables`. 
 
 .. _platform_information:
 
@@ -145,7 +145,7 @@
 
    -  For a list of reported bugs that have not yet been fixed, `click
       here. <http://bugzilla.mozilla.org/buglist.cgi?bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&&product=JSS>`__
-      Note that some bugs may have been fixed since JSS 4.3.1 was released. 
+      Note that some bugs may have been fixed since JSS 4.3.1 was released. 
 
 `Compatibility <#compatibility>`__
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -158,7 +158,7 @@
       JAR file must be used with the JSS shared library from the exact same release.
    -  To obtain the version info from the jar file use,
       "System.out.println(org.mozilla.jss.CryptoManager.JAR_JSS_VERSION)" and to check the shared
-      library: strings libjss4.so \| grep -i header  
+      library: strings libjss4.so \| grep -i header  
 
 `Feedback <#feedback>`__
 ~~~~~~~~~~~~~~~~~~~~~~~~
@@ -167,7 +167,7 @@
 
    -  Bugs discovered should be reported by filing a bug report with
       `bugzilla <http://bugzilla.mozilla.org/enter_bug.cgi?product=JSS>`__.
-   -  You can also give feedback directly to the developers on the Mozilla Cryptography forums...
+   -  You can also give feedback directly to the developers on the Mozilla Cryptography forums...
 
       -  `Mailing list <https://lists.mozilla.org/listinfo/dev-tech-crypto>`__
       -  `Newsgroup <http://groups.google.com/group/mozilla.dev.tech.crypto>`__

security/nss/doc/rst/legacy/jss/4_3_releasenotes/index.rst

@@ -21,7 +21,7 @@
    -  libpkix: an RFC 3280 Compliant Certificate Path Validation Library
    -  PKCS11 needsLogin method
    -  support HmacSHA256, HmacSHA384, and HmacSHA512
-   -  support for all NSS 3.12 initialization options
+   -  support for all NSS 3.12 initialization options
 
    JSS 4.3 is `tri-licensed <https://www.mozilla.org/MPL>`__ under MPL 1.1/GPL 2.0/LGPL 2.1.
 
@@ -32,24 +32,24 @@
 
 .. container::
 
-    A list of bug fixes and enhancement requests were implemented in this release can be obtained by
+    A list of bug fixes and enhancement requests were implemented in this release can be obtained by
    running this `bugzilla
    query <http://bugzilla.mozilla.org/buglist.cgi?product=JSS&target_milestone=4.2.5&target_milestone=4.3&bug_status=RESOLVED&resolution=FIXED>`__
 
-   **JSS 4.3 requires**\ `NSS
+   **JSS 4.3 requires**\ `NSS
    3.12 <https://www.mozilla.org/projects/security/pki/nss/nss-3.12/nss-3.12-release-notes.html>`__\ **or
    higher.**
 
    -  New `SQLite-Based Shareable Certificate and Key
       Databases <https://wiki.mozilla.org/NSS_Shared_DB>`__ by prepending the string "sql:" to the
       directory path passed to configdir parameter for Crypomanager.initialize method or using the
-      NSS environment variable :ref:`mozilla_projects_nss_reference_nss_environment_variables`.
+      NSS environment variable :ref:`mozilla_projects_nss_reference_nss_environment_variables`.
    -  Libpkix: an RFC 3280 Compliant Certificate Path Validation Library (see
       `PKIXVerify <http://mxr.mozilla.org/mozilla/ident?i=PKIXVerify>`__)
    -  PK11Token.needsLogin method (see needsLogin)
    -  support HmacSHA256, HmacSHA384, and HmacSHA512 (see
       `HMACTest.java <http://mxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/tests/HMACTest.java>`__)
-   -  support for all NSS 3.12 initialization options (see InitializationValues)
+   -  support for all NSS 3.12 initialization options (see InitializationValues)
    -  New SSL error codes (see https://mxr.mozilla.org/security/sour...util/SSLerrs.h)
 
       -  SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT
@@ -92,10 +92,10 @@
    -  The CVS tag for the JSS 4.3 release is ``JSS_4_3_RTM``.
    -  Source tarballs are available from
       https://archive.mozilla.org/pub/security/jss/releases/JSS_4_3_RTM/src/jss-4.3.tar.bz2
-   -  Binary releases are no longer available on mozilla. JSS is a JNI library we provide the
+   -  Binary releases are no longer available on mozilla. JSS is a JNI library we provide the
       jss4.jar but expect you to build the JSS's matching JNI shared library. We provide the
-      jss4.jar in case you do not want to obtain your own JCE code signing certificate. JSS is a
-      JCE provider and therefore the jss4.jar must be signed.
+      jss4.jar in case you do not want to obtain your own JCE code signing certificate. JSS is a
+      JCE provider and therefore the jss4.jar must be signed.
       https://archive.mozilla.org/pub/security/jss/releases/JSS_4_3_RTM/
 
    --------------
@@ -113,8 +113,8 @@
    -  Read the instructions on `using JSS </using_jss.html>`__.
    -  Source may be viewed with a browser (via the MXR tool) at
       http://mxr.mozilla.org/mozilla/source/security/jss/
-   -  The RUN TIME behavior of JSS can be affected by the
-      :ref:`mozilla_projects_nss_reference_nss_environment_variables`. 
+   -  The RUN TIME behavior of JSS can be affected by the
+      :ref:`mozilla_projects_nss_reference_nss_environment_variables`. 
 
 .. _platform_information:
 
@@ -142,7 +142,7 @@
 
    -  For a list of reported bugs that have not yet been fixed, `click
       here. <http://bugzilla.mozilla.org/buglist.cgi?bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&&product=JSS>`__
-      Note that some bugs may have been fixed since JSS 4.3 was released. 
+      Note that some bugs may have been fixed since JSS 4.3 was released. 
 
    --------------
 
@@ -157,7 +157,7 @@
       file must be used with the JSS shared library from the exact same release.
    -  To obtain the version info from the jar file use,
       "System.out.println(org.mozilla.jss.CryptoManager.JAR_JSS_VERSION)" and to check the shared
-      library: strings libjss4.so \| grep -i header  
+      library: strings libjss4.so \| grep -i header  
 
    --------------
 
@@ -168,7 +168,7 @@
 
    -  Bugs discovered should be reported by filing a bug report with
       `bugzilla <http://bugzilla.mozilla.org/enter_bug.cgi?product=JSS>`__.
-   -  You can also give feedback directly to the developers on the Mozilla Cryptography forums...
+   -  You can also give feedback directly to the developers on the Mozilla Cryptography forums...
 
       -  `Mailing list <https://lists.mozilla.org/listinfo/dev-tech-crypto>`__
       -  `Newsgroup <http://groups.google.com/group/mozilla.dev.tech.crypto>`__

security/nss/doc/rst/legacy/jss/build_instructions_for_jss_4.3.x/index.rst

@@ -27,70 +27,70 @@ Build instructions for JSS 4.3.x
 
    #. Switch to the appropriate directory and check out JSS from the root of your source tree.
 
-      .. code:: notranslate
+      .. code::
 
          cvs co -r JSS_4_3_1_RTM mozilla/security/jss
 
       or
 
-      .. code:: notranslate
+      .. code::
 
          cvs co -r JSS_4_3_RTM mozilla/security/jss
 
    #. Setup environment variables needed for compiling Java source. The ``JAVA_HOME`` variable
       indicates the directory containing your Java SDK installation. Note, on Windows platforms it
-      is best to have JAVA_HOME set to a directory path that doest not have spaces. 
+      is best to have JAVA_HOME set to a directory path that doest not have spaces. 
 
       **Unix**
 
-      .. code:: notranslate
+      .. code::
 
          setenv JAVA_HOME /usr/local/jdk1.5.0 (or wherever your JDK is installed)
 
       **Windows**
 
-      .. code:: notranslate
+      .. code::
 
          set JAVA_HOME=c:\programs\jdk1.5.0 (or wherever your JDK is installed)
 
       **Windows (Cygnus)**
 
-      .. code:: notranslate
+      .. code::
 
          JAVA_HOME=/cygdrive/c/programs/jdk1.5.0 (or wherever your JDK is installed)
          export JAVA_HOME
 
       | **Windows build Configurations WINNT vs WIN95**
 
-      .. code:: notranslate
+      .. code::
 
          As of NSS 3.15.4, NSPR/NSS/JSS build generates a "WIN95" configuration by default on Windows.
          We recommend most applications use the "WIN95" configuration. If you want JSS to be used
          with your applet and the Firefox browser than you must build WIN95. (See JSS FAQ)
          The "WIN95" configuration supports all versions of Windows. The "WIN95" name is historical;
          it should have been named "WIN32".
-         To generate a "WINNT" configuration, set OS_TARGET=WINNT and build NSPR/NSS/JSS WIN95. 
+         To generate a "WINNT" configuration, set OS_TARGET=WINNT and build NSPR/NSS/JSS WIN95.
 
       | Mac OS X
       | It has been recently reported that special build instructions are necessary to succeed
         building JSS on OSX. Please
-        see `HOWTO_successfully_compile_JSS_and_NSS_for_32_and_64_bits_on_OSX_10.6_(10.6.7) </HOWTO_successfully_compile_JSS_and_NSS_for_32_and_64_bits_on_OSX_10.6_(10.6.7)>`__
+        see `HOWTO_successfully_compile_JSS_and_NSS_for_32_and_64_bits_on_OSX_10.6_(10.6.7) </HOWTO_successfully_compile_JSS_and_NSS_for_32_and_64_bits_on_OSX_10.6_(10.6.7)>`__
         for contributed instructions.
-      |  
+      |  
 
    #. Build JSS.
 
-         .. code:: notranslate
+         .. code::
 
             cd mozilla/security/jss
             gmake
 
    #. Sign the JSS jar.
 
-         .. code:: notranslate
+         .. code::
 
             If you're intention is to modify and build the JSS source you
-            need to Apply for your own  JCE code-signing certificate 
+            need to Apply for your own  JCE code-signing certificate
 
             If you made no changes and your goal is to build JSS you can use the
             signed binary release of the jss4.jar from ftp.mozilla.org.

security/nss/doc/rst/legacy/jss/index.rst

@@ -28,15 +28,15 @@ JSS
 
       -  http://www.dogtagpki.org/wiki/JSS
 
-      **NOTE:  As much of the JSS documentation is sorely out-of-date, updated information will be a
+      **NOTE:  As much of the JSS documentation is sorely out-of-date, updated information will be a
       work in progress, and many portions of any legacy documentation will be re-written over the
-      course of time.  Stay tuned!**
+      course of time.  Stay tuned!**
 
       Legacy JSS information can still be found at:
 
       -  SOURCE: https://hg.mozilla.org/projects/jss
-      -  ISSUES:   https://bugzilla.mozilla.org/buglist.cgi?product=JSS
-      -  WIKI:        :ref:`mozilla_projects_nss_jss`
+      -  ISSUES:   https://bugzilla.mozilla.org/buglist.cgi?product=JSS
+      -  WIKI:        :ref:`mozilla_projects_nss_jss`
 
    Network Security Services for Java (JSS) is a Java interface to
    `NSS <https://developer.mozilla.org/en-US/docs/NSS>`__. JSS supports most of the security
@@ -96,7 +96,7 @@ JSS
    |    the SSL handshake.                           |                                                 |
    |                                                 | -  `Security <https:                            |
    | For information on downloading NSS releases,    | //developer.mozilla.org/en-US/docs/Security>`__ |
-   | see `NSS sources building                       |                                                 |
+   | see `NSS sources building                       |                                                 |
    | testing <NSS_Sources_Building_Te                |                                                 |
    | sting>`__\ `. <NSS_Sources_Building_Testing>`__ |                                                 |
    |                                                 |                                                 |

security/nss/doc/rst/legacy/jss/jss_faq/index.rst

@@ -160,7 +160,7 @@ JSS FAQ
          passed, and then can do anything extra that it wants to do before making a final decision.
       #. SSLClientCertificateSelectionCallback is analogous to SSL_GetClientAuthDataHook.
 
-   | 
+   |
    | **Can I have multiple JSS instances reading separate db's?**
 
    -  No, you can only have one initialized instance of JSS for each database.
@@ -182,7 +182,7 @@ JSS FAQ
    **How do I convert org.mozilla.jss.crypto.X509Certificate to
    org.mozilla.jss.pkix.cert.Certificate?**
 
-   -  .. code:: notranslate
+   -  .. code::
 
          import java.io.ByteArrayInputStream;
 
@@ -208,7 +208,7 @@ JSS FAQ
       CryptoManager.getTokenByName(), but a better way is to call
       CryptoManager.getInternalKeyStorageToken(), which works no matter what the token is named. In
       general, a key is a handle to an underlying object on a PKCS #11 token, not merely a Java
-      object residing in memory. Symmetric Key usage:  basically encrypt/decrypt is for data and
+      object residing in memory. Symmetric Key usage:  basically encrypt/decrypt is for data and
       wrap/unwrap is for keys.
 
    J\ **SS 3.2 has JCA support. When will JSS have JSSE support?**

security/nss/doc/rst/legacy/jss/jss_provider_notes/index.rst

@@ -109,7 +109,7 @@ JSS Provider Notes
       The following example shows how you can specify which token is used for various JCA
       operations:
 
-      .. code:: notranslate
+      .. code::
 
          // Lookup PKCS #11 tokens
          CryptoManager manager = CryptoManager.getInstance();

security/nss/doc/rst/legacy/jss/mozilla-jss_jca_provider_notes/index.rst

@@ -106,7 +106,7 @@ Mozilla-JSS JCA Provider notes
 
    The following example shows how you can specify which token is used for various JCA operations:
 
-   .. code:: notranslate
+   .. code::
 
       // Lookup PKCS #11 tokens
       CryptoManager manager = CryptoManager.getInstance();

security/nss/doc/rst/legacy/jss/using_jss/index.rst

@@ -87,7 +87,7 @@ Using JSS
       3.11.
 
       ================== ========= ==============
-      Component Versions           
+      Component Versions
       JSS Version        Component Tested Version
       JSS 4.2            NSPR      4.6.4
       \                  NSS       3.11.4
@@ -116,13 +116,13 @@ Using JSS
       You can put this directory in your classpath to run applications locally; or, you can package
       the class files into a JAR file for easier distribution:
 
-         .. code:: notranslate
+         .. code::
 
             cd mozilla/dist/classes[_dbg]
             zip -r ../jss42.jar .
 
       If you are downloading binaries, get jss42.jar
-      from http://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/.
+      from http://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/.
 
 .. _setup_your_runtime_environment: