Alexander Scheel · Alexander Scheel · Alexander Scheel · Alexander Scheel · Alexander Scheel · Alexander Scheel
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -14,6 +14,11 @@ if (DEFINED ENV{CHECK_DEPRECATION})
    list(APPEND JSS_JAVAC_FLAGS "-Xlint:deprecation")
 endif()

+if (DEFINED ENV{FIPS_ENABLED})
+    set(FIPS_ENABLED_ENV TRUE)
+endif()
+option(FIPS_ENABLED "When enabled, disable certain tests which don't work in FIPS mode. This should only be specified when the host system is in FIPS mode." ${FIPS_ENABLED_ENV})
+
 # Build a debug build by default when no type is specified on the command line
 if(NOT (DEFINED CMAKE_BUILD_TYPE))
    set(CMAKE_BUILD_TYPE "Debug")

--- a/cmake/JSSConfig.cmake
+++ b/cmake/JSSConfig.cmake
@@ -2,7 +2,7 @@ macro(jss_config)
    # Set the current JSS release number. Arguments are:
    #   MAJOR MINOR PATCH BETA
    # When BETA is zero, it isn't a beta release.
-    jss_config_version(4 6 0 0)
+    jss_config_version(4 6 1 0)

    # Configure output directories
    jss_config_outputs()
@@ -174,6 +174,11 @@ macro(jss_config_ldflags)
    list(APPEND JSS_LD_FLAGS "-lpthread")
    list(APPEND JSS_LD_FLAGS "-ldl")

+    separate_arguments(PASSED_LD_FLAGS UNIX_COMMAND "${CMAKE_SHARED_LINKER_FLAGS}")
+    foreach(PASSED_LD_FLAG ${PASSED_LD_FLAGS})
+        list(INSERT JSS_LD_FLAGS 0 "${PASSED_LD_FLAG}")
+    endforeach()
+
    # This set of flags is specific to building the libjss library.
    list(APPEND JSS_LIBRARY_FLAGS "-shared")
    list(APPEND JSS_LIBRARY_FLAGS "-Wl,-z,defs")
@@ -181,6 +186,9 @@ macro(jss_config_ldflags)
    list(APPEND JSS_LIBRARY_FLAGS "-Wl,${JSS_SO}")

    set(JSS_VERSION_SCRIPT "-Wl,--version-script,${PROJECT_SOURCE_DIR}/lib/jss.map")
+
+    message(STATUS "JSS LD FLAGS: ${JSS_LD_FLAGS}")
+    message(STATUS "JSS LIBRARY FLAGS: ${JSS_LIBRARY_FLAGS}")
 endmacro()

 macro(jss_config_java)
@@ -235,7 +243,7 @@ macro(jss_config_java)
        message(WARNING "Test dependency sfl4j-jdk14.jar not found by find_jar! Tests might not run properly.")
    endif()

-    if(JUINT4_JAR STREQUAL "JUNIT4_JAR-NOTFOUND")
+    if(JUNIT4_JAR STREQUAL "JUNIT4_JAR-NOTFOUND")
        message(FATAL_ERROR "Test dependency junit4.jar not found by find_jar! Tests will not compile.")
    endif()


--- a/cmake/JSSTests.cmake
+++ b/cmake/JSSTests.cmake
@@ -91,11 +91,6 @@ macro(jss_tests)
        NAME "JSS_Test_Buffer"
        COMMAND "org.mozilla.jss.tests.TestBuffer"
    )
-    jss_test_java(
-        NAME "JSS_Test_BufferPRFD"
-        COMMAND "org.mozilla.jss.tests.TestBufferPRFD" "${RESULTS_NSSDB_OUTPUT_DIR}" "${DB_PWD}"
-        DEPENDS "List_CA_certs"
-    )
    if ((${Java_VERSION_MAJOR} EQUAL 1) AND (${Java_VERSION_MINOR} LESS 9))
        jss_test_java(
            NAME "Test_PKCS11Constants.java_for_Sun_compatibility"
@@ -180,21 +175,11 @@ macro(jss_tests)
        COMMAND "org.mozilla.jss.tests.SSLClientAuth" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}" "${JSS_TEST_PORT_CLIENTAUTH}" "50"
        DEPENDS "List_CA_certs"
    )
-    jss_test_exec(
-        NAME "TestBufferPRFD"
-        COMMAND "${BIN_OUTPUT_DIR}/TestBufferPRFD" "${RESULTS_NSSDB_OUTPUT_DIR}" "${DB_PWD}"
-        DEPENDS "List_CA_certs" "generate_c_TestBufferPRFD"
-    )
    jss_test_java(
        NAME "Key_Generation"
        COMMAND "org.mozilla.jss.tests.TestKeyGen" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
        DEPENDS "Setup_DBs"
    )
-    jss_test_java(
-        NAME "Key_Factory"
-        COMMAND "org.mozilla.jss.tests.KeyFactoryTest" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
-        DEPENDS "Setup_DBs"
-    )
    jss_test_java(
        NAME "Digest"
        COMMAND "org.mozilla.jss.tests.DigestTest" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
@@ -202,12 +187,7 @@ macro(jss_tests)
    )
    jss_test_java(
        NAME "HMAC"
-        COMMAND "org.mozilla.jss.tests.HMACTest" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
-        DEPENDS "Setup_DBs"
-    )
-    jss_test_java(
-        NAME "HMAC_Unwrap"
-        COMMAND "org.mozilla.jss.tests.HmacTest" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
+        COMMAND "org.mozilla.jss.tests.CrossHMACTest" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
        DEPENDS "Setup_DBs"
    )
    jss_test_java(
@@ -250,84 +230,111 @@ macro(jss_tests)
        COMMAND "org.mozilla.jss.tests.SymKeyGen" "${RESULTS_NSSDB_OUTPUT_DIR}"
        DEPENDS "Setup_DBs"
    )
-    jss_test_java(
-        NAME "Mozilla_JSS_Secret_Key_Generation"
-        COMMAND "org.mozilla.jss.tests.JCASymKeyGen" "${RESULTS_NSSDB_OUTPUT_DIR}"
-        DEPENDS "Setup_DBs"
-    )
    jss_test_java(
        NAME "JSSProvider"
        COMMAND "org.mozilla.jss.tests.JSSProvider" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
        DEPENDS "List_CA_certs"
    )

-    # FIPS-related tests
-    jss_test_java(
-        NAME "Enable_FipsMODE"
-        COMMAND "org.mozilla.jss.tests.FipsTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "enable"
-        DEPENDS "Setup_FIPS_DBs"
-    )
-    jss_test_java(
-        NAME "check_FipsMODE"
-        COMMAND "org.mozilla.jss.tests.FipsTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "chkfips"
-        DEPENDS "Enable_FipsMODE"
-    )
-    jss_test_java(
-        NAME "SSLClientAuth_FIPSMODE"
-        COMMAND "org.mozilla.jss.tests.SSLClientAuth" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}" "${JSS_TEST_PORT_CLIENTAUTH_FIPS}" "60"
-        DEPENDS "Enable_FipsMODE"
-    )
-    jss_test_java(
-        NAME "HMAC_FIPSMODE"
-        COMMAND "org.mozilla.jss.tests.HMACTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}"
-        DEPENDS "Enable_FipsMODE"
-    )
-    jss_test_java(
-        NAME "KeyWrapping_FIPSMODE"
-        COMMAND "org.mozilla.jss.tests.JCAKeyWrap" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}"
-        DEPENDS "Enable_FipsMODE"
-    )
-    jss_test_java(
-        NAME "Mozilla_JSS_JCA_Signature_FIPSMODE"
-        COMMAND "org.mozilla.jss.tests.JCASigTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}"
-        DEPENDS "Enable_FipsMODE"
-    )
-    jss_test_java(
-        NAME "JSS_Signature_test_FipsMODE"
-        COMMAND "org.mozilla.jss.tests.SigTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}"
-        DEPENDS "Enable_FipsMODE"
-    )
+    if(NOT FIPS_ENABLED)
+        jss_test_java(
+            NAME "Key_Factory"
+            COMMAND "org.mozilla.jss.tests.KeyFactoryTest" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
+            DEPENDS "Setup_DBs"
+        )
+        jss_test_java(
+            NAME "HMAC_Unwrap"
+            COMMAND "org.mozilla.jss.tests.HmacTest" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
+            DEPENDS "Setup_DBs"
+        )
+        jss_test_java(
+            NAME "Mozilla_JSS_Secret_Key_Generation"
+            COMMAND "org.mozilla.jss.tests.JCASymKeyGen" "${RESULTS_NSSDB_OUTPUT_DIR}"
+            DEPENDS "Setup_DBs"
+        )

-    # Since we need to disable FIPS mode _after_ all FIPS-mode tests have
-    # run, we have to add a strict dependency from Disable_FipsMODE onto all
-    # FIPS-related checks.
-    jss_test_java(
-        NAME "Disable_FipsMODE"
-        COMMAND "org.mozilla.jss.tests.FipsTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "disable"
-        DEPENDS "check_FipsMODE" "SSLClientAuth_FIPSMODE" "HMAC_FIPSMODE" "KeyWrapping_FIPSMODE" "Mozilla_JSS_JCA_Signature_FIPSMODE" "JSS_Signature_test_FipsMODE"
-    )
+        # SSL Engine related tests
+        jss_test_exec(
+            NAME "TestBufferPRFD_RSA"
+            COMMAND "${BIN_OUTPUT_DIR}/TestBufferPRFD" "${RESULTS_NSSDB_OUTPUT_DIR}" "${DB_PWD}" "Server_RSA"
+            DEPENDS "List_CA_certs" "generate_c_TestBufferPRFD"
+        )
+        jss_test_exec(
+            NAME "TestBufferPRFD_ECDSA"
+            COMMAND "${BIN_OUTPUT_DIR}/TestBufferPRFD" "${RESULTS_NSSDB_OUTPUT_DIR}" "${DB_PWD}" "Server_ECDSA"
+            DEPENDS "List_CA_certs" "generate_c_TestBufferPRFD"
+        )
+        jss_test_java(
+            NAME "JSS_Test_BufferPRFD"
+            COMMAND "org.mozilla.jss.tests.TestBufferPRFD" "${RESULTS_NSSDB_OUTPUT_DIR}" "${DB_PWD}"
+            DEPENDS "List_CA_certs"
+        )
+
+        # FIPS-related tests
+        jss_test_java(
+            NAME "Enable_FipsMODE"
+            COMMAND "org.mozilla.jss.tests.FipsTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "enable"
+            DEPENDS "Setup_FIPS_DBs"
+        )
+        jss_test_java(
+            NAME "check_FipsMODE"
+            COMMAND "org.mozilla.jss.tests.FipsTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "chkfips"
+            DEPENDS "Enable_FipsMODE"
+        )
+        jss_test_java(
+            NAME "SSLClientAuth_FIPSMODE"
+            COMMAND "org.mozilla.jss.tests.SSLClientAuth" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}" "${JSS_TEST_PORT_CLIENTAUTH_FIPS}" "60"
+            DEPENDS "Enable_FipsMODE"
+        )
+        jss_test_java(
+            NAME "HMAC_FIPSMODE"
+            COMMAND "org.mozilla.jss.tests.CrossHMACTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}"
+            DEPENDS "Enable_FipsMODE"
+        )
+        jss_test_java(
+            NAME "KeyWrapping_FIPSMODE"
+            COMMAND "org.mozilla.jss.tests.JCAKeyWrap" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}"
+            DEPENDS "Enable_FipsMODE"
+        )
+        jss_test_java(
+            NAME "Mozilla_JSS_JCA_Signature_FIPSMODE"
+            COMMAND "org.mozilla.jss.tests.JCASigTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}"
+            DEPENDS "Enable_FipsMODE"
+        )
+        jss_test_java(
+            NAME "JSS_Signature_test_FipsMODE"
+            COMMAND "org.mozilla.jss.tests.SigTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}"
+            DEPENDS "Enable_FipsMODE"
+        )
+
+        # Since we need to disable FIPS mode _after_ all FIPS-mode tests have
+        # run, we have to add a strict dependency from Disable_FipsMODE onto all
+        # FIPS-related checks.
+        jss_test_java(
+            NAME "Disable_FipsMODE"
+            COMMAND "org.mozilla.jss.tests.FipsTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "disable"
+            DEPENDS "check_FipsMODE" "SSLClientAuth_FIPSMODE" "HMAC_FIPSMODE" "KeyWrapping_FIPSMODE" "Mozilla_JSS_JCA_Signature_FIPSMODE" "JSS_Signature_test_FipsMODE"
+        )
+    endif()

    jss_test_java(
        NAME "JUnit_GenericValueConverterTest"
        COMMAND "org.junit.runner.JUnitCore" "org.mozilla.jss.tests.GenericValueConverterTest"
-        DEPENDS "Disable_FipsMODE"
    )
    jss_test_java(
        NAME "JUnit_IA5StringConverterTest"
        COMMAND "org.junit.runner.JUnitCore" "org.mozilla.jss.tests.IA5StringConverterTest"
-        DEPENDS "Disable_FipsMODE"
    )
    jss_test_java(
        NAME "JUnit_PrintableConverterTest"
        COMMAND "org.junit.runner.JUnitCore" "org.mozilla.jss.tests.PrintableConverterTest"
-        DEPENDS "Disable_FipsMODE"
    )


    # For compliance with several
    add_custom_target(
-      check
-      DEPENDS test
+        check
+        DEPENDS test
    )
 endmacro()


--- a/debian/changelog
+++ b/debian/changelog
+jss (4.6.1-1) unstable; urgency=medium
+
+  * New upstream release.
+  * rules: Print test output on failure.
+
+ -- Timo Aaltonen <tjaalton@debian.org>  Mon, 09 Sep 2019 23:47:49 +0300
+
 jss (4.6.0-1) unstable; urgency=medium

  * New upstream release.

--- a/debian/rules
+++ b/debian/rules
@@ -12,7 +12,7 @@ override_dh_auto_configure:
 		-DJAVA_LIB_INSTALL_DIR=/usr/share/java

 override_dh_auto_build:
-	cd build && make all test javadoc
+	cd build && make all javadoc

 override_dh_auto_clean:

@@ -35,7 +35,7 @@ override_dh_auto_install:
 		$(CURDIR)/debian/tmp/usr/share/java/jss4.jar

 override_dh_auto_test:
-
+	cd build && ctest --output-on-failure

 # For maintainer use only, generate a tarball:
 gentarball: UV=$(shell dpkg-parsechangelog|awk '/^Version:/ {print $$2}'|sed 's/-.*$$//')

--- a/jss.spec
+++ b/jss.spec
@@ -6,7 +6,7 @@ Summary:        Java Security Services (JSS)
 URL:            http://www.dogtagpki.org/wiki/JSS
 License:        MPLv1.1 or GPLv2+ or LGPLv2+

-Version:        4.6.0
+Version:        4.6.1
 Release:        1%{?_timestamp}%{?_commit_id}%{?dist}
 # global         _phase -a1

@@ -106,6 +106,9 @@ export BUILD_OPT=1
 CFLAGS="-g $RPM_OPT_FLAGS"
 export CFLAGS

+# Check if we're in FIPS mode
+modutil -dbdir /etc/pki/nssdb -chkfips true | grep -q enabled && export FIPS_ENABLED=1
+
 # The Makefile is not thread-safe
 rm -rf build && mkdir -p build && cd build
 %cmake \

--- a/lib/jss.map
+++ b/lib/jss.map
@@ -348,7 +348,8 @@ Java_org_mozilla_jss_nss_PR_NewTCPSocket;
 Java_org_mozilla_jss_nss_PR_NewBufferPRFD;
 Java_org_mozilla_jss_nss_PR_Shutdown;
 Java_org_mozilla_jss_nss_PR_GetError;
-Java_org_mozilla_jss_nss_PR_GetErrorText;
+Java_org_mozilla_jss_nss_PR_GetErrorTextNative;
+Java_org_mozilla_jss_nss_PR_ErrorToNameNative;
 Java_org_mozilla_jss_nss_PR_getPRShutdownRcv;
 Java_org_mozilla_jss_nss_PR_getPRShutdownSend;
 Java_org_mozilla_jss_nss_PR_getPRShutdownBoth;
@@ -369,7 +370,10 @@ Java_org_mozilla_jss_nss_SSL_SecurityStatus;
 Java_org_mozilla_jss_nss_SSL_ResetHandshake;
 Java_org_mozilla_jss_nss_SSL_ForceHandshake;
 Java_org_mozilla_jss_nss_SSL_ConfigSecureServer;
+Java_org_mozilla_jss_nss_SSL_ConfigServerCert;
 Java_org_mozilla_jss_nss_SSL_ConfigServerSessionIDCache;
+Java_org_mozilla_jss_nss_SSL_PeerCertificate;
+Java_org_mozilla_jss_nss_SSL_PeerCertificateChain;
 Java_org_mozilla_jss_nss_SSL_getSSLRequestCertificate;
 Java_org_mozilla_jss_nss_SSL_getSSLRequireCertificate;
 Java_org_mozilla_jss_nss_SSL_getSSLSECSuccess;

--- a/org/mozilla/jss/JSSProvider.java
+++ b/org/mozilla/jss/JSSProvider.java
@@ -236,6 +236,10 @@ public final class JSSProvider extends java.security.Provider {
        put("Mac.HmacSHA512",
            "org.mozilla.jss.provider.javax.crypto.JSSMacSpi$HmacSHA512");
        put("Alg.Alias.Mac.Hmac-SHA512", "HmacSHA512");
+        put("Alg.Alias.Mac.SHA-1-HMAC", "HmacSHA1");
+        put("Alg.Alias.Mac.SHA-256-HMAC", "HmacSHA256");
+        put("Alg.Alias.Mac.SHA-384-HMAC", "HmacSHA384");
+        put("Alg.Alias.Mac.SHA-512-HMAC", "HmacSHA512");


        /////////////////////////////////////////////////////////////

--- a/org/mozilla/jss/crypto/Algorithm.c
+++ b/org/mozilla/jss/crypto/Algorithm.c
@@ -94,8 +94,11 @@ JSS_AlgInfo JSS_AlgTable[NUM_ALGS] = {
 /* 64 */    {SEC_OID_AES_256_CBC, SEC_OID_TAG},
 /* the CKM_AES_KEY_WRAP_* have different defs than CKM_NSS_AES_KEY_WRAP_*  */
 /* 65 */    {CKM_AES_KEY_WRAP, PK11_MECH},
-/* 66 */    {CKM_AES_KEY_WRAP_PAD, PK11_MECH}
-/* REMEMBER TO UPDATE NUM_ALGS!!! */
+/* 66 */    {CKM_AES_KEY_WRAP_PAD, PK11_MECH},
+/* 67 */    {CKM_SHA256_HMAC, PK11_MECH},
+/* 68 */    {CKM_SHA384_HMAC, PK11_MECH},
+/* 69 */    {CKM_SHA512_HMAC, PK11_MECH}
+/* REMEMBER TO UPDATE NUM_ALGS!!! (in Algorithm.h) */
 };

 /***********************************************************************

--- a/org/mozilla/jss/crypto/Algorithm.h
+++ b/org/mozilla/jss/crypto/Algorithm.h
@@ -24,7 +24,7 @@ typedef struct JSS_AlgInfoStr {
    JSS_AlgType type;
 } JSS_AlgInfo;

-#define NUM_ALGS 67
+#define NUM_ALGS 70

 extern JSS_AlgInfo JSS_AlgTable[];
 extern CK_ULONG JSS_symkeyUsage[];

--- a/org/mozilla/jss/crypto/Algorithm.java
+++ b/org/mozilla/jss/crypto/Algorithm.java
@@ -127,6 +127,10 @@ public class Algorithm {
        return false;
    }

+    public PKCS11Algorithm getEnum() {
+        return PKCS11Algorithm.valueOfIndex(this.oidIndex);
+    }
+
    /**
     * Index into the SECOidTag array in Algorithm.c.
     */
@@ -144,91 +148,97 @@ public class Algorithm {
        new OBJECT_IDENTIFIER( new long[] { 1, 2, 840, 10045 } );

    // Algorithm indices.  These must be kept in sync with the
-    // algorithm array in Algorithm.c.
-    protected static final short SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION=0;
-    protected static final short SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION=1;
-    protected static final short SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION=2;
-    protected static final short SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST=3;
-    protected static final short SEC_OID_PKCS1_RSA_ENCRYPTION=4;
-    protected static final short CKM_RSA_PKCS_KEY_PAIR_GEN=5;
-    protected static final short CKM_DSA_KEY_PAIR_GEN=6;
-    protected static final short SEC_OID_ANSIX9_DSA_SIGNATURE=7;
-    protected static final short SEC_OID_RC4=8;
-    protected static final short SEC_OID_DES_ECB=9;
-    protected static final short SEC_OID_DES_CBC=10;
-    protected static final short CKM_DES_CBC_PAD=11;
-    protected static final short CKM_DES3_ECB=12;
-    protected static final short SEC_OID_DES_EDE3_CBC=13;
-    protected static final short CKM_DES3_CBC_PAD=14;
-    protected static final short CKM_DES_KEY_GEN=15;
-    protected static final short CKM_DES3_KEY_GEN=16;
-    protected static final short CKM_RC4_KEY_GEN=17;
-
-    protected static final short SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC=18;
-    protected static final short SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC=19;
-    protected static final short SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC=20;
-    protected static final short
+    // algorithm array in Algorithm.c. Any PKCS11 Algorithms must be added
+    // to the org.mozilla.jss.crypto.PKCS11Algorithm enum.
+    protected static final int SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION=0;
+    protected static final int SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION=1;
+    protected static final int SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION=2;
+    protected static final int SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST=3;
+    protected static final int SEC_OID_PKCS1_RSA_ENCRYPTION=4;
+    protected static final int CKM_RSA_PKCS_KEY_PAIR_GEN=5;
+    protected static final int CKM_DSA_KEY_PAIR_GEN=6;
+    protected static final int SEC_OID_ANSIX9_DSA_SIGNATURE=7;
+    protected static final int SEC_OID_RC4=8;
+    protected static final int SEC_OID_DES_ECB=9;
+    protected static final int SEC_OID_DES_CBC=10;
+    protected static final int CKM_DES_CBC_PAD=11;
+    protected static final int CKM_DES3_ECB=12;
+    protected static final int SEC_OID_DES_EDE3_CBC=13;
+    protected static final int CKM_DES3_CBC_PAD=14;
+    protected static final int CKM_DES_KEY_GEN=15;
+    protected static final int CKM_DES3_KEY_GEN=16;
+    protected static final int CKM_RC4_KEY_GEN=17;
+
+    protected static final int SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC=18;
+    protected static final int SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC=19;
+    protected static final int SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC=20;
+    protected static final int
        SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4=21;
-    protected static final short
+    protected static final int
        SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4=22;
-    protected static final short
+    protected static final int
        SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC=23;
-    protected static final short SEC_OID_MD2=24;
-    protected static final short SEC_OID_MD5=25;
-    protected static final short SEC_OID_SHA1=26;
-    protected static final short CKM_SHA_1_HMAC=27;
-    protected static final short
+    protected static final int SEC_OID_MD2=24;
+    protected static final int SEC_OID_MD5=25;
+    protected static final int SEC_OID_SHA1=26;
+    protected static final int CKM_SHA_1_HMAC=27;
+    protected static final int
        SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC=28;
-    protected static final short
+    protected static final int
        SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC=29;
-    protected static final short SEC_OID_RC2_CBC=30;
-    protected static final short CKM_PBA_SHA1_WITH_SHA1_HMAC=31;
+    protected static final int SEC_OID_RC2_CBC=30;
+    protected static final int CKM_PBA_SHA1_WITH_SHA1_HMAC=31;

    // AES
-    protected static final short CKM_AES_KEY_GEN=32;
-    protected static final short CKM_AES_ECB=33;
-    protected static final short CKM_AES_CBC=34;
-    protected static final short CKM_AES_CBC_PAD=35;
-    protected static final short CKM_RC2_CBC_PAD=36;
-    protected static final short CKM_RC2_KEY_GEN=37;
+    protected static final int CKM_AES_KEY_GEN=32;
+    protected static final int CKM_AES_ECB=33;
+    protected static final int CKM_AES_CBC=34;
+    protected static final int CKM_AES_CBC_PAD=35;
+    protected static final int CKM_RC2_CBC_PAD=36;
+    protected static final int CKM_RC2_KEY_GEN=37;
    //FIPS 180-2
-    protected static final short SEC_OID_SHA256=38;
-    protected static final short SEC_OID_SHA384=39;
-    protected static final short SEC_OID_SHA512=40;
-    protected static final short SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION=41;
-    protected static final short SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION=42;
-    protected static final short SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION=43;
-    protected static final short SEC_OID_ANSIX962_EC_PUBLIC_KEY=44;
-    protected static final short SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE=45;
-    protected static final short CKM_EC_KEY_PAIR_GEN=46;
-    protected static final short SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE=47;
-    protected static final short SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE=48;
-    protected static final short SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE=49;
-
-    protected static final short SEC_OID_HMAC_SHA256=50;
-    protected static final short SEC_OID_HMAC_SHA384=51;
-    protected static final short SEC_OID_HMAC_SHA512=52;
+    protected static final int SEC_OID_SHA256=38;
+    protected static final int SEC_OID_SHA384=39;
+    protected static final int SEC_OID_SHA512=40;
+    protected static final int SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION=41;
+    protected static final int SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION=42;
+    protected static final int SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION=43;
+    protected static final int SEC_OID_ANSIX962_EC_PUBLIC_KEY=44;
+    protected static final int SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE=45;
+    protected static final int CKM_EC_KEY_PAIR_GEN=46;
+    protected static final int SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE=47;
+    protected static final int SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE=48;
+    protected static final int SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE=49;
+
+    protected static final int SEC_OID_HMAC_SHA256=50;
+    protected static final int SEC_OID_HMAC_SHA384=51;
+    protected static final int SEC_OID_HMAC_SHA512=52;

    //PKCS5 V2
-    protected static final short SEC_OID_PKCS5_PBKDF2=53;
-    protected static final short SEC_OID_PKCS5_PBES2=54;
-    protected static final short SEC_OID_PKCS5_PBMAC1=55;
-    protected static final short SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST=56;
+    protected static final int SEC_OID_PKCS5_PBKDF2=53;
+    protected static final int SEC_OID_PKCS5_PBES2=54;
+    protected static final int SEC_OID_PKCS5_PBMAC1=55;
+    protected static final int SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST=56;

    // NSS AES KeyWrap
-    protected static final short CKM_NSS_AES_KEY_WRAP=57;
-    protected static final short CKM_NSS_AES_KEY_WRAP_PAD=58;
+    protected static final int CKM_NSS_AES_KEY_WRAP=57;
+    protected static final int CKM_NSS_AES_KEY_WRAP_PAD=58;

    // AES Encryption Algorithms
-    protected static final short SEC_OID_AES_128_ECB = 59;
-    protected static final short SEC_OID_AES_128_CBC = 60;
-    protected static final short SEC_OID_AES_192_ECB = 61;
-    protected static final short SEC_OID_AES_192_CBC = 62;
-    protected static final short SEC_OID_AES_256_ECB = 63;
-    protected static final short SEC_OID_AES_256_CBC = 64;
+    protected static final int SEC_OID_AES_128_ECB = 59;
+    protected static final int SEC_OID_AES_128_CBC = 60;
+    protected static final int SEC_OID_AES_192_ECB = 61;
+    protected static final int SEC_OID_AES_192_CBC = 62;
+    protected static final int SEC_OID_AES_256_ECB = 63;
+    protected static final int SEC_OID_AES_256_CBC = 64;

    // PKCS#11 AES KeyWrap
    // These underlying defs are currently different from the NSS AES KeyWrap
-    protected static final short CKM_AES_KEY_WRAP=65;
-    protected static final short CKM_AES_KEY_WRAP_PAD=66;
+    protected static final int CKM_AES_KEY_WRAP=65;
+    protected static final int CKM_AES_KEY_WRAP_PAD=66;
+
+    // PKCS#11 SHA2 HMAC
+    protected static final int CKM_SHA256_HMAC=67;
+    protected static final int CKM_SHA384_HMAC=68;
+    protected static final int CKM_SHA512_HMAC=69;
 }
--- a/org/mozilla/jss/crypto/Cipher.java
+++ b/org/mozilla/jss/crypto/Cipher.java
@@ -22,6 +22,11 @@ import org.mozilla.jss.util.Assert;
 * call to <code>doFinal</code>.
 */
 public abstract class Cipher {
+    // Note: Cipher can't extend javax.crypto.Cipher because it is part of the
+    // provider mechanism. In particular, it isn't an abstract class, many of
+    // the methods are marked final, and it expects to instantiate a CipherSpi
+    // class instead of be directly created like things which override our
+    // Cipher class expect (e.g., PK11Cipher). This is why JSSCipherSpi exists.

    /**
     * Initializes a encryption context with a symmetric key.

--- a/org/mozilla/jss/crypto/KeyGenAlgorithm.java
+++ b/org/mozilla/jss/crypto/KeyGenAlgorithm.java
@@ -108,6 +108,30 @@ public class KeyGenAlgorithm extends Algorithm {
            "PBA/SHA1/HMAC", new FixedKeyStrengthValidator(160),
            null, PBEKeyGenParams.class );

+    public static final KeyGenAlgorithm
+    SHA1_HMAC = new KeyGenAlgorithm(
+        CKM_SHA_1_HMAC,
+            "SHA1/HMAC", new FixedKeyStrengthValidator(160),
+            null, null );
+
+    public static final KeyGenAlgorithm
+    SHA256_HMAC = new KeyGenAlgorithm(
+        CKM_SHA256_HMAC,
+            "SHA256/HMAC", new FixedKeyStrengthValidator(256),
+            null, null );
+
+    public static final KeyGenAlgorithm
+    SHA384_HMAC = new KeyGenAlgorithm(
+        CKM_SHA384_HMAC,
+            "SHA384/HMAC", new FixedKeyStrengthValidator(384),
+            null, null );
+
+    public static final KeyGenAlgorithm
+    SHA512_HMAC = new KeyGenAlgorithm(
+        CKM_SHA512_HMAC,
+            "SHA512/HMAC", new FixedKeyStrengthValidator(512),
+            null, null );
+
    //////////////////////////////////////////////////////////////
    public static final KeyGenAlgorithm
    AES = new KeyGenAlgorithm(CKM_AES_KEY_GEN, "AES",

--- a/org/mozilla/jss/crypto/PKCS11Algorithm.java
+++ b/org/mozilla/jss/crypto/PKCS11Algorithm.java
+package org.mozilla.jss.crypto;
+
+import org.mozilla.jss.pkcs11.PKCS11Constants;
+import org.mozilla.jss.crypto.Algorithm;
+
+public enum PKCS11Algorithm {
+    CKM_AES_CBC (Algorithm.CKM_AES_CBC, PKCS11Constants.CKM_AES_CBC),
+    CKM_AES_CBC_PAD (Algorithm.CKM_AES_CBC_PAD, PKCS11Constants.CKM_AES_CBC_PAD),
+    CKM_AES_ECB (Algorithm.CKM_AES_ECB, PKCS11Constants.CKM_AES_ECB),
+    CKM_AES_KEY_GEN (Algorithm.CKM_AES_KEY_GEN, PKCS11Constants.CKM_AES_KEY_GEN),
+    CKM_DES3_CBC_PAD (Algorithm.CKM_DES3_CBC_PAD, PKCS11Constants.CKM_DES3_CBC_PAD),
+    CKM_DES3_ECB (Algorithm.CKM_DES3_ECB, PKCS11Constants.CKM_DES3_ECB),
+    CKM_DES3_KEY_GEN (Algorithm.CKM_DES3_KEY_GEN, PKCS11Constants.CKM_DES3_KEY_GEN),
+    CKM_DES_CBC_PAD (Algorithm.CKM_DES_CBC_PAD, PKCS11Constants.CKM_DES_CBC_PAD),
+    CKM_DES_KEY_GEN (Algorithm.CKM_DES_KEY_GEN, PKCS11Constants.CKM_DES_KEY_GEN),
+    CKM_DSA_KEY_PAIR_GEN (Algorithm.CKM_DSA_KEY_PAIR_GEN, PKCS11Constants.CKM_DSA_KEY_PAIR_GEN),
+    CKM_EC_KEY_PAIR_GEN (Algorithm.CKM_EC_KEY_PAIR_GEN, PKCS11Constants.CKM_EC_KEY_PAIR_GEN),
+    CKM_NSS_AES_KEY_WRAP (Algorithm.CKM_NSS_AES_KEY_WRAP, PKCS11Constants.CKM_NSS_AES_KEY_WRAP),
+    CKM_NSS_AES_KEY_WRAP_PAD (Algorithm.CKM_NSS_AES_KEY_WRAP_PAD, PKCS11Constants.CKM_NSS_AES_KEY_WRAP_PAD),
+    CKM_PBA_SHA1_WITH_SHA1_HMAC (Algorithm.CKM_PBA_SHA1_WITH_SHA1_HMAC, PKCS11Constants.CKM_PBA_SHA1_WITH_SHA1_HMAC),
+    CKM_RC2_CBC_PAD (Algorithm.CKM_RC2_CBC_PAD, PKCS11Constants.CKM_RC2_CBC_PAD),
+    CKM_RC2_KEY_GEN (Algorithm.CKM_RC2_KEY_GEN, PKCS11Constants.CKM_RC2_KEY_GEN),
+    CKM_RC4_KEY_GEN (Algorithm.CKM_RC4_KEY_GEN, PKCS11Constants.CKM_RC4_KEY_GEN),
+    CKM_RSA_PKCS_KEY_PAIR_GEN (Algorithm.CKM_RSA_PKCS_KEY_PAIR_GEN, PKCS11Constants.CKM_RSA_PKCS_KEY_PAIR_GEN),
+    CKM_SHA_1_HMAC (Algorithm.CKM_SHA_1_HMAC, PKCS11Constants.CKM_SHA_1_HMAC);
+
+    // Value from Algorithm's constant -- this is an index into Algorithm's
+    // table.
+    private int alg_index;
+
+    // Value from PKCS11Constants -- this is a constant defined in PKCS #11.
+    private long pk11_value;
+
+    private PKCS11Algorithm(int alg_index, long pk11_value) {
+        this.alg_index = alg_index;
+        this.pk11_value = pk11_value;
+    }
+
+    public int getIndex() {
+        return alg_index;
+    }
+
+    public long getValue() {
+        return pk11_value;
+    }
+
+    public static PKCS11Algorithm valueOfIndex(int index) {
+        for (PKCS11Algorithm alg : PKCS11Algorithm.values()) {
+            if (alg.alg_index == index) {
+                return alg;
+            }
+        }
+        return null;
+    }
+
+    public static PKCS11Algorithm valueOfConstant(long constant) {
+        for (PKCS11Algorithm alg : PKCS11Algorithm.values()) {
+            if (alg.pk11_value == constant) {
+                return alg;
+            }
+        }
+        return null;
+    }
+}
--- a/org/mozilla/jss/crypto/SymmetricKey.java
+++ b/org/mozilla/jss/crypto/SymmetricKey.java
@@ -6,7 +6,7 @@ package org.mozilla.jss.crypto;
 import java.security.NoSuchAlgorithmException;
 import java.util.Hashtable;

-public interface SymmetricKey {
+public interface SymmetricKey extends javax.crypto.SecretKey {

    public static final Type DES = Type.DES;
    public static final Type DES3 = Type.DES3;
@@ -63,6 +63,14 @@ public interface SymmetricKey {
        public static final Type RC4 = new Type("RC4", KeyGenAlgorithm.RC4);
        public static final Type RC2 = new Type("RC2", KeyGenAlgorithm.RC2);
        public static final Type SHA1_HMAC = new Type("SHA1_HMAC",
+            KeyGenAlgorithm.SHA1_HMAC);
+        public static final Type SHA256_HMAC = new Type("SHA256_HMAC",
+            KeyGenAlgorithm.SHA256_HMAC);
+        public static final Type SHA384_HMAC = new Type("SHA384_HMAC",
+            KeyGenAlgorithm.SHA384_HMAC);
+        public static final Type SHA512_HMAC = new Type("SHA512_HMAC",
+            KeyGenAlgorithm.SHA512_HMAC);
+        public static final Type PBA_SHA1_HMAC = new Type("PBA_SHA1_HMAC",
            KeyGenAlgorithm.PBA_SHA1_HMAC);
        public static final Type AES = new Type("AES", KeyGenAlgorithm.AES);


--- a/org/mozilla/jss/nss/PR.c
+++ b/org/mozilla/jss/nss/PR.c
@@ -268,7 +268,7 @@ Java_org_mozilla_jss_nss_PR_GetError(JNIEnv *env, jclass clazz)
 }

 JNIEXPORT jbyteArray JNICALL
-Java_org_mozilla_jss_nss_PR_GetErrorText(JNIEnv *env, jclass clazz)
+Java_org_mozilla_jss_nss_PR_GetErrorTextNative(JNIEnv *env, jclass clazz)
 {
    ssize_t error_size;
    char *error_text = NULL;
@@ -292,6 +292,25 @@ Java_org_mozilla_jss_nss_PR_GetErrorText(JNIEnv *env, jclass clazz)
    return result;
 }

+JNIEXPORT jbyteArray JNICALL
+Java_org_mozilla_jss_nss_PR_ErrorToNameNative(JNIEnv *env, jclass clazz, jint error_code)
+{
+    size_t error_size;
+    const char *error_name = NULL;
+    jbyteArray result = NULL;
+
+    PR_ASSERT(env != NULL);
+
+    error_name = PR_ErrorToName(error_code);
+    if (error_name == NULL) {
+        return NULL;
+    }
+
+    error_size = strlen(error_name);
+    result = JSS_ToByteArray(env, error_name, error_size);
+    return result;
+}
+
 JNIEXPORT int JNICALL
 Java_org_mozilla_jss_nss_PR_getPRShutdownRcv(JNIEnv *env, jclass clazz)
 {

--- a/org/mozilla/jss/nss/PR.java
+++ b/org/mozilla/jss/nss/PR.java
@@ -129,7 +129,31 @@ public class PR {
     *
     * See also: PR_GetErrorText in /usr/include/nspr4/prio.h
     */
-    public static native byte[] GetErrorText();
+    public static String GetErrorText() {
+        byte[] text = GetErrorTextNative();
+        if (text == null) {
+            return "";
+        }
+
+        return new String(text);
+    }
+    private static native byte[] GetErrorTextNative();
+
+    /**
+     * Get the constant name of the current PR error. This is cleared on each
+     * NSPR call.
+     *
+     * See also: PR_ErrorToName in /usr/include/nspr4/prio.h
+     */
+    public static String ErrorToName(int code) {
+        byte[] name = ErrorToNameNative(code);
+        if (name == null) {
+            return "";
+        }
+
+        return new String(name);
+    }
+    private static native byte[] ErrorToNameNative(int code);

    /* Internal methods for querying constants. */
    private static native int getPRShutdownRcv();

--- a/org/mozilla/jss/nss/SSL.c
+++ b/org/mozilla/jss/nss/SSL.c
 #include <nspr.h>
 #include <nss.h>
 #include <ssl.h>
+#include <sslerr.h>
 #include <limits.h>
 #include <stdint.h>
 #include <jni.h>
@@ -318,6 +319,31 @@ Java_org_mozilla_jss_nss_SSL_ConfigSecureServer(JNIEnv *env, jclass clazz,
    return SSL_ConfigSecureServer(real_fd, real_cert, real_key, kea);
 }

+JNIEXPORT int JNICALL
+Java_org_mozilla_jss_nss_SSL_ConfigServerCert(JNIEnv *env, jclass clazz,
+    jobject fd, jobject cert, jobject key)
+{
+    PRFileDesc *real_fd = NULL;
+    CERTCertificate *real_cert = NULL;
+    SECKEYPrivateKey *real_key = NULL;
+
+    PR_ASSERT(env != NULL && fd != NULL);
+
+    if (JSS_PR_getPRFileDesc(env, fd, &real_fd) != PR_SUCCESS) {
+        return SECFailure;
+    }
+
+    if (JSS_PK11_getCertPtr(env, cert, &real_cert) != PR_SUCCESS) {
+        return SECFailure;
+    }
+
+    if (JSS_PK11_getPrivKeyPtr(env, key, &real_key) != PR_SUCCESS) {
+        return SECFailure;
+    }
+
+    return SSL_ConfigServerCert(real_fd, real_cert, real_key, NULL, 0);
+}
+
 JNIEXPORT int JNICALL
 Java_org_mozilla_jss_nss_SSL_ConfigServerSessionIDCache(JNIEnv *env, jclass clazz,
    jint maxCacheEntries, jlong timeout, jlong ssl3_timeout, jstring directory)
@@ -336,6 +362,54 @@ Java_org_mozilla_jss_nss_SSL_ConfigServerSessionIDCache(JNIEnv *env, jclass claz
    return ret;
 }

+JNIEXPORT jobject JNICALL
+Java_org_mozilla_jss_nss_SSL_PeerCertificate(JNIEnv *env, jclass clazz,
+    jobject fd)
+{
+    PRFileDesc *real_fd = NULL;
+    CERTCertificate *cert = NULL;
+
+    PR_ASSERT(env != NULL && fd != NULL);
+
+    if (JSS_PR_getPRFileDesc(env, fd, &real_fd) != PR_SUCCESS) {
+        return NULL;
+    }
+
+    cert = SSL_PeerCertificate(real_fd);
+    if (cert == NULL) {
+        return NULL;
+    }
+
+    return JSS_PK11_wrapCert(env, &cert);
+}
+
+JNIEXPORT jobjectArray JNICALL
+Java_org_mozilla_jss_nss_SSL_PeerCertificateChain(JNIEnv *env, jclass clazz,
+    jobject fd)
+{
+    PRFileDesc *real_fd = NULL;
+    CERTCertList *chain = NULL;
+
+    PR_ASSERT(env != NULL && fd != NULL);
+
+    if (JSS_PR_getPRFileDesc(env, fd, &real_fd) != PR_SUCCESS) {
+        return NULL;
+    }
+
+    chain = SSL_PeerCertificateChain(real_fd);
+    int error = PORT_GetError();
+
+    if (chain == NULL && error == SSL_ERROR_NO_CERTIFICATE) {
+        return NULL;
+    } else if (chain == NULL /* && error != SSL_ERROR_NO_CERTIFICATE */) {
+        JSS_throwMsgPrErrArg(env, SECURITY_EXCEPTION,
+            "Unable to construct peer certificate chain.", error);
+        return NULL;
+    }
+
+    return JSS_PK11_wrapCertChain(env, &chain);
+}
+
 JNIEXPORT jint JNICALL
 Java_org_mozilla_jss_nss_SSL_getSSLRequestCertificate(JNIEnv *env, jclass clazz)
 {

--- a/org/mozilla/jss/nss/SSL.java
+++ b/org/mozilla/jss/nss/SSL.java
@@ -142,11 +142,22 @@ public class SSL {
    /**
     * Configure the certificate and private key for a server socket.
     *
+     * @deprecated replaced with ConfigServerCert
     * See also: SSL_ConfigSecureServer in /usr/include/nss3/ssl.h
     */
+    @Deprecated
    public static native int ConfigSecureServer(PRFDProxy fd, PK11Cert cert,
        PK11PrivKey key, int kea);

+    /**
+     * Configure the certificate and private key for a server socket. This
+     * form assumes no additional data is passed.
+     *
+     * See also: SSL_ConfigServerCert in /usr/include/nss3/ssl.h
+     */
+    public static native int ConfigServerCert(PRFDProxy fd, PK11Cert cert,
+        PK11PrivKey key);
+
    /**
     * Configure the server's session cache.
     *
@@ -155,6 +166,20 @@ public class SSL {
    public static native int ConfigServerSessionIDCache(int maxCacheEntries,
        long timeout, long ssl3_timeout, String directory);

+    /**
+     * Introspect the peer's certificate.
+     *
+     * See also: SSL_PeerCertificate in /usr/include/nss3/ssl.h
+     */
+    public static native PK11Cert PeerCertificate(PRFDProxy fd);
+
+    /**
+     * Introspect the peer's certificate chain.
+     *
+     * See also: SSL_PeerCertificateChain in /usr/include/nss3/ssl.h
+     */
+    public static native PK11Cert[] PeerCertificateChain(PRFDProxy fd) throws Exception;
+
    /* Internal methods for querying constants. */
    private static native int getSSLRequestCertificate();
    private static native int getSSLRequireCertificate();

--- a/org/mozilla/jss/pkcs11/PK11Cert.c
+++ b/org/mozilla/jss/pkcs11/PK11Cert.c
@@ -467,6 +467,80 @@ JSS_PK11_wrapCert(JNIEnv *env, CERTCertificate **cert)
 	return JSS_PK11_wrapCertAndSlot(env, cert, &slot);
 }

+static ssize_t
+CERT_LIST_COUNT(CERTCertList *chain) {
+    ssize_t count = -1;
+    CERTCertListNode *node = NULL;
+
+    if (chain == NULL) {
+        return count;
+    }
+
+    for (node = CERT_LIST_HEAD(chain);
+            !CERT_LIST_END(node, chain);
+            node = CERT_LIST_NEXT(node)) {
+        count += 1;
+    }
+
+    return count + 1;
+}
+
+/****************************************************************
+ *
+ * J S S _ P K 1 1 _ w r a p C e r t C h a i n
+ *
+ * Builds an array of PK11Cert objects from a CERTCertList.
+ * ppChain: Pointer to pointer to CERTCertList.  The CERTCertList
+ *      will be wrapped in a Java certificate.  If this fails, it
+ *      will be deleted.  In any case, the caller should never worry about,
+ *      or use, this CERTCertList again. To enforce this, *ppChain
+ *      will be set to NULL whether the functions fails or succeeds.
+ * Returns: a new Java PK11Cert[] object, or NULL if an exception was thrown.
+ */
+jobjectArray
+JSS_PK11_wrapCertChain(JNIEnv *env, CERTCertList **chain)
+{
+    jobjectArray result = NULL;
+    jobject wrappedCert = NULL;
+    CERTCertListNode *node = NULL;
+    ssize_t count = 0;
+
+    if (chain == NULL || *chain == NULL) {
+        goto done;
+    }
+
+    // Since we can't easily resize our jobjectArray once created, walk the
+    // chain and count its length.
+    count = CERT_LIST_COUNT(*chain);
+    if (count <= 0) {
+        goto done;
+    }
+
+    // Allocate our result structure.
+    result = (*env)->NewObjectArray(env, count,
+                                    (*env)->FindClass(env, CERT_CLASS_NAME),
+                                    NULL);
+    count = 0;
+
+    for (node = CERT_LIST_HEAD((*chain));
+            !CERT_LIST_END(node, (*chain));
+            node = CERT_LIST_NEXT(node)) {
+        // Wrap the certificate and insert it into the array.
+        wrappedCert = JSS_PK11_wrapCert(env, &node->cert);
+        (*env)->SetObjectArrayElement(env, result, count, wrappedCert);
+        count += 1;
+    }
+
+
+done:
+    if (chain) {
+        CERT_DestroyCertList(*chain);
+        *chain = NULL;
+    }
+
+    return result;
+}
+
 /**********************************************************************
 * PK11Cert.getOwningToken
 */