Adding upstream version 86.0.1.upstream/86.0.1upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

23 files changed, 1057 insertions, 0 deletions

diff --git a/third_party/rust/nss_sys/.cargo-checksum.json b/third_party/rust/nss_sys/.cargo-checksum.json
new file mode 100644
index 0000000000..8484be5a97
--- /dev/null
+++ b/third_party/rust/nss_sys/.cargo-checksum.json
@@ -0,0 +1 @@
+{"files":{"Cargo.toml":"cc96e2500ca486bae9fc333900297184c3608a89bdd78fe7790095aa34564c9f","README.md":"ba37bdd9c7c8f0a49448b814451816967b9e2068328e692ce06775b3e4ff9c7f","build.rs":"b541496d108a9e85545b9ee28c84790aa5b361805f691a082403233588423fd0","src/bindings/blapit.rs":"0be43d1c57ac35f490012d0916b8cbcee3e3d911d8eccfd139f328b9623a10ee","src/bindings/keyhi.rs":"cdf9c3735343a718f86cfe5f822530dc7c7e4fc2c36e2a11797d9054dd0bfd05","src/bindings/keythi.rs":"ea9a1a8c33c3f2b8b78bd58d8d627d9f8d8c22ee4e1cd26c78701106bf0db69f","src/bindings/mod.rs":"0ace07c6f0d9c2faafe879c23be7d1f6c0ffdf6a42a9e715319cd5fbb17d84c5","src/bindings/nss.rs":"13533f85d2bdfe778a7612d49684d9d375f6063ea4b6c2f56b7d2f705a08a85f","src/bindings/pk11pub.rs":"d2266bb3586e2bf66c93761317b29955bf55e923e16a7a98f13f64d89a692512","src/bindings/pkcs11n.rs":"bc1ba0d903891d5331aeb6b1921fde7c2cd31cbbe75338e145b5aaff5c94c147","src/bindings/pkcs11t.rs":"0114bbabe8bed71585975be5e1b232f28c1b85461001d2fc1b49e8abf93f8b8a","src/bindings/plarena.rs":"8de09e3c378df457988729ca4d58e1ef1f2883dfa68e62acb79a55fb19a9d6f5","src/bindings/prerror.rs":"b7bda8a6511c43f59351a17f4311ceb272231a55473895b999a34e3a3ff76722","src/bindings/prtypes.rs":"5afd17e4d24880609320f8cc5a9c06f57ac766524ca5f6cbc5edc65195974c6e","src/bindings/secasn1t.rs":"5a79f0a4057fb934786ef9407c7b134c7bc2f3560f9af0d58dd27ede62c66391","src/bindings/seccomon.rs":"556b45de49b496983ed4d4ef57650d6acdbba68e557711a684f89c5dbdc30c83","src/bindings/secitem.rs":"7a1593f87dcbb4d9ef462fda9932486d169bea9f12b4ed83e3a7102d0b33127e","src/bindings/secmodt.rs":"f1c002df25b598e6fbed5285c98c0d8cfe4188254ca31f829cb993d321a4f6d0","src/bindings/secoid.rs":"1a1e3d8106c26d081daa56b22f6214b6b2456e14f6d5b34db77bb428e7dc4525","src/bindings/secoidt.rs":"d3841fa00100d081fd355ef65d8ff10e2341440715c937017d795fc7efd0d31d","src/bindings/secport.rs":"6b9c691f7a80467ad2db76e2168d9dceee781e5edaadd48b76e66852f632db12","src/lib.rs":"3081488f34b747cbe852e6692389db5df3dae65b180558aa7af9bf6ae809faa2"},"package":null}
\ No newline at end of file
diff --git a/third_party/rust/nss_sys/Cargo.toml b/third_party/rust/nss_sys/Cargo.toml
new file mode 100644
index 0000000000..2b44696962
--- /dev/null
+++ b/third_party/rust/nss_sys/Cargo.toml
@@ -0,0 +1,19 @@
+[package]
+name = "nss_sys"
+version = "0.1.0"
+authors = ["application-services@mozilla.com"]
+edition = "2018"
+license = "MPL-2.0"
+
+[lib]
+crate-type = ["lib"]
+
+[dependencies]
+libsqlite3-sys = { version = "0.20.1", features = ["bundled"] }
+
+[build-dependencies]
+nss_build_common = {path = "../nss_build_common"}
+
+[features]
+default = []
+gecko = []
diff --git a/third_party/rust/nss_sys/README.md b/third_party/rust/nss_sys/README.md
new file mode 100644
index 0000000000..b10255b8bb
--- /dev/null
+++ b/third_party/rust/nss_sys/README.md
@@ -0,0 +1,3 @@
+## nss_sys
+
+Low-level NSS bindings for Rust. They are verified using the `systest` crate in the parent directory.
diff --git a/third_party/rust/nss_sys/build.rs b/third_party/rust/nss_sys/build.rs
new file mode 100644
index 0000000000..bbdec0e662
--- /dev/null
+++ b/third_party/rust/nss_sys/build.rs
@@ -0,0 +1,7 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+fn main() {
+    nss_build_common::link_nss().unwrap();
+}
diff --git a/third_party/rust/nss_sys/src/bindings/blapit.rs b/third_party/rust/nss_sys/src/bindings/blapit.rs
new file mode 100644
index 0000000000..4eb4243b66
--- /dev/null
+++ b/third_party/rust/nss_sys/src/bindings/blapit.rs
@@ -0,0 +1,9 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+pub const EC_POINT_FORM_UNCOMPRESSED: u32 = 4;
+pub const SHA256_LENGTH: u32 = 32;
+pub const SHA384_LENGTH: u32 = 48;
+pub const HASH_LENGTH_MAX: u32 = 64;
+pub const AES_BLOCK_SIZE: u32 = 16;
diff --git a/third_party/rust/nss_sys/src/bindings/keyhi.rs b/third_party/rust/nss_sys/src/bindings/keyhi.rs
new file mode 100644
index 0000000000..4078928f6b
--- /dev/null
+++ b/third_party/rust/nss_sys/src/bindings/keyhi.rs
@@ -0,0 +1,12 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+use crate::*;
+
+extern "C" {
+    pub fn SECKEY_CopyPublicKey(pubKey: *const SECKEYPublicKey) -> *mut SECKEYPublicKey;
+    pub fn SECKEY_ConvertToPublicKey(privateKey: *mut SECKEYPrivateKey) -> *mut SECKEYPublicKey;
+    pub fn SECKEY_DestroyPrivateKey(key: *mut SECKEYPrivateKey);
+    pub fn SECKEY_DestroyPublicKey(key: *mut SECKEYPublicKey);
+}
diff --git a/third_party/rust/nss_sys/src/bindings/keythi.rs b/third_party/rust/nss_sys/src/bindings/keythi.rs
new file mode 100644
index 0000000000..6995e995c1
--- /dev/null
+++ b/third_party/rust/nss_sys/src/bindings/keythi.rs
@@ -0,0 +1,140 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+use crate::*;
+use std::os::raw::{c_int, c_uchar, c_void};
+
+pub type SECKEYPublicKey = SECKEYPublicKeyStr;
+#[repr(C)]
+pub struct SECKEYPublicKeyStr {
+    pub arena: *mut PLArenaPool,
+    pub keyType: u32, /* KeyType */
+    pub pkcs11Slot: *mut PK11SlotInfo,
+    pub pkcs11ID: CK_OBJECT_HANDLE,
+    pub u: SECKEYPublicKeyStr_u,
+}
+
+#[repr(C)]
+pub union SECKEYPublicKeyStr_u {
+    pub rsa: SECKEYRSAPublicKey,
+    pub dsa: SECKEYDSAPublicKey,
+    pub dh: SECKEYDHPublicKey,
+    pub kea: SECKEYKEAPublicKey,
+    pub fortezza: SECKEYFortezzaPublicKey,
+    pub ec: SECKEYECPublicKey,
+}
+
+pub type SECKEYPrivateKey = SECKEYPrivateKeyStr;
+#[repr(C)]
+pub struct SECKEYPrivateKeyStr {
+    pub arena: *mut PLArenaPool,
+    pub keyType: u32, /* KeyType */
+    pub pkcs11Slot: *mut PK11SlotInfo,
+    pub pkcs11ID: CK_OBJECT_HANDLE,
+    pub pkcs11IsTemp: PRBool,
+    pub wincx: *mut c_void,
+    pub staticflags: PRUint32,
+}
+
+#[repr(u32)]
+pub enum KeyType {
+    nullKey = 0,
+    rsaKey = 1,
+    dsaKey = 2,
+    fortezzaKey = 3,
+    dhKey = 4,
+    keaKey = 5,
+    ecKey = 6,
+    rsaPssKey = 7,
+    rsaOaepKey = 8,
+}
+
+pub type SECKEYRSAPublicKey = SECKEYRSAPublicKeyStr;
+#[repr(C)]
+#[derive(Copy, Clone)]
+pub struct SECKEYRSAPublicKeyStr {
+    pub arena: *mut PLArenaPool,
+    pub modulus: SECItem,
+    pub publicExponent: SECItem,
+}
+
+pub type SECKEYDSAPublicKey = SECKEYDSAPublicKeyStr;
+#[repr(C)]
+#[derive(Copy, Clone)]
+pub struct SECKEYDSAPublicKeyStr {
+    pub params: SECKEYPQGParams,
+    pub publicValue: SECItem,
+}
+
+pub type SECKEYPQGParams = SECKEYPQGParamsStr;
+#[repr(C)]
+#[derive(Copy, Clone)]
+pub struct SECKEYPQGParamsStr {
+    pub arena: *mut PLArenaPool,
+    pub prime: SECItem,
+    pub subPrime: SECItem,
+    pub base: SECItem,
+}
+
+pub type SECKEYDHPublicKey = SECKEYDHPublicKeyStr;
+#[repr(C)]
+#[derive(Copy, Clone)]
+pub struct SECKEYDHPublicKeyStr {
+    pub arena: *mut PLArenaPool,
+    pub prime: SECItem,
+    pub base: SECItem,
+    pub publicValue: SECItem,
+}
+
+pub type SECKEYKEAPublicKey = SECKEYKEAPublicKeyStr;
+#[repr(C)]
+#[derive(Copy, Clone)]
+pub struct SECKEYKEAPublicKeyStr {
+    pub params: SECKEYKEAParams,
+    pub publicValue: SECItem,
+}
+
+pub type SECKEYKEAParams = SECKEYKEAParamsStr;
+#[repr(C)]
+#[derive(Copy, Clone)]
+pub struct SECKEYKEAParamsStr {
+    pub arena: *mut PLArenaPool,
+    pub hash: SECItem,
+}
+
+pub type SECKEYFortezzaPublicKey = SECKEYFortezzaPublicKeyStr;
+#[repr(C)]
+#[derive(Copy, Clone)]
+pub struct SECKEYFortezzaPublicKeyStr {
+    pub KEAversion: c_int,
+    pub DSSversion: c_int,
+    pub KMID: [c_uchar; 8usize],
+    pub clearance: SECItem,
+    pub KEApriviledge: SECItem,
+    pub DSSpriviledge: SECItem,
+    pub KEAKey: SECItem,
+    pub DSSKey: SECItem,
+    pub params: SECKEYPQGParams,
+    pub keaParams: SECKEYPQGParams,
+}
+
+pub type SECKEYECPublicKey = SECKEYECPublicKeyStr;
+#[repr(C)]
+#[derive(Copy, Clone)]
+pub struct SECKEYECPublicKeyStr {
+    pub DEREncodedParams: SECKEYECParams,
+    pub size: c_int,
+    pub publicValue: SECItem,
+    pub encoding: u32, /* ECPointEncoding */
+}
+
+pub type SECKEYECParams = SECItem;
+
+#[repr(u32)]
+#[derive(Copy, Clone)]
+pub enum ECPointEncoding {
+    ECPoint_Uncompressed = 0,
+    ECPoint_XOnly = 1,
+    ECPoint_Undefined = 2,
+}
diff --git a/third_party/rust/nss_sys/src/bindings/mod.rs b/third_party/rust/nss_sys/src/bindings/mod.rs
new file mode 100644
index 0000000000..194dc34b5e
--- /dev/null
+++ b/third_party/rust/nss_sys/src/bindings/mod.rs
@@ -0,0 +1,38 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+mod blapit;
+pub use blapit::*;
+mod keyhi;
+pub use keyhi::*;
+mod keythi;
+pub use keythi::*;
+mod nss;
+pub use nss::*;
+mod pk11pub;
+pub use pk11pub::*;
+mod pkcs11n;
+pub use pkcs11n::*;
+mod pkcs11t;
+pub use pkcs11t::*;
+mod plarena;
+pub use plarena::*;
+mod prerror;
+pub use prerror::*;
+mod prtypes;
+pub use prtypes::*;
+mod secasn1t;
+pub use secasn1t::*;
+mod seccomon;
+pub use seccomon::*;
+mod secitem;
+pub use secitem::*;
+mod secmodt;
+pub use secmodt::*;
+mod secoid;
+pub use secoid::*;
+mod secoidt;
+pub use secoidt::*;
+mod secport;
+pub use secport::*;
diff --git a/third_party/rust/nss_sys/src/bindings/nss.rs b/third_party/rust/nss_sys/src/bindings/nss.rs
new file mode 100644
index 0000000000..2ac7fc16e5
--- /dev/null
+++ b/third_party/rust/nss_sys/src/bindings/nss.rs
@@ -0,0 +1,28 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+use crate::*;
+use std::os::raw::c_char;
+
+extern "C" {
+    pub fn NSS_VersionCheck(importedVersion: *const c_char) -> PRBool;
+    pub fn NSS_InitContext(
+        configdir: *const c_char,
+        certPrefix: *const c_char,
+        keyPrefix: *const c_char,
+        secmodName: *const c_char,
+        initParams: *mut NSSInitParameters,
+        flags: PRUint32,
+    ) -> *mut NSSInitContext;
+}
+
+pub const NSS_INIT_READONLY: u32 = 1;
+pub const NSS_INIT_NOCERTDB: u32 = 2;
+pub const NSS_INIT_NOMODDB: u32 = 4;
+pub const NSS_INIT_FORCEOPEN: u32 = 8;
+pub const NSS_INIT_OPTIMIZESPACE: u32 = 32;
+
+// Opaque types
+pub type NSSInitContext = u8;
+pub type NSSInitParameters = [u64; 10usize];
diff --git a/third_party/rust/nss_sys/src/bindings/pk11pub.rs b/third_party/rust/nss_sys/src/bindings/pk11pub.rs
new file mode 100644
index 0000000000..b3d1e7c882
--- /dev/null
+++ b/third_party/rust/nss_sys/src/bindings/pk11pub.rs
@@ -0,0 +1,138 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+pub use crate::*;
+use std::os::raw::{c_int, c_uchar, c_uint, c_void};
+
+extern "C" {
+    pub fn PK11_FreeSlot(slot: *mut PK11SlotInfo);
+    pub fn PK11_GetInternalSlot() -> *mut PK11SlotInfo;
+    pub fn PK11_GenerateRandom(data: *mut c_uchar, len: c_int) -> SECStatus;
+    pub fn PK11_FreeSymKey(key: *mut PK11SymKey);
+    pub fn PK11_ImportSymKey(
+        slot: *mut PK11SlotInfo,
+        type_: CK_MECHANISM_TYPE,
+        origin: u32, /* PK11Origin */
+        operation: CK_ATTRIBUTE_TYPE,
+        key: *mut SECItem,
+        wincx: *mut c_void,
+    ) -> *mut PK11SymKey;
+    pub fn PK11_Derive(
+        baseKey: *mut PK11SymKey,
+        mechanism: CK_MECHANISM_TYPE,
+        param: *mut SECItem,
+        target: CK_MECHANISM_TYPE,
+        operation: CK_ATTRIBUTE_TYPE,
+        keySize: c_int,
+    ) -> *mut PK11SymKey;
+    pub fn PK11_PubDeriveWithKDF(
+        privKey: *mut SECKEYPrivateKey,
+        pubKey: *mut SECKEYPublicKey,
+        isSender: PRBool,
+        randomA: *mut SECItem,
+        randomB: *mut SECItem,
+        derive: CK_MECHANISM_TYPE,
+        target: CK_MECHANISM_TYPE,
+        operation: CK_ATTRIBUTE_TYPE,
+        keySize: c_int,
+        kdf: CK_ULONG,
+        sharedData: *mut SECItem,
+        wincx: *mut c_void,
+    ) -> *mut PK11SymKey;
+    pub fn PK11_ExtractKeyValue(symKey: *mut PK11SymKey) -> SECStatus;
+    pub fn PK11_GetKeyData(symKey: *mut PK11SymKey) -> *mut SECItem;
+    pub fn PK11_GenerateKeyPair(
+        slot: *mut PK11SlotInfo,
+        type_: CK_MECHANISM_TYPE,
+        param: *mut c_void,
+        pubk: *mut *mut SECKEYPublicKey,
+        isPerm: PRBool,
+        isSensitive: PRBool,
+        wincx: *mut c_void,
+    ) -> *mut SECKEYPrivateKey;
+    pub fn PK11_FindKeyByKeyID(
+        slot: *mut PK11SlotInfo,
+        keyID: *mut SECItem,
+        wincx: *mut c_void,
+    ) -> *mut SECKEYPrivateKey;
+    pub fn PK11_Decrypt(
+        symkey: *mut PK11SymKey,
+        mechanism: CK_MECHANISM_TYPE,
+        param: *mut SECItem,
+        out: *mut c_uchar,
+        outLen: *mut c_uint,
+        maxLen: c_uint,
+        enc: *const c_uchar,
+        encLen: c_uint,
+    ) -> SECStatus;
+    pub fn PK11_Encrypt(
+        symKey: *mut PK11SymKey,
+        mechanism: CK_MECHANISM_TYPE,
+        param: *mut SECItem,
+        out: *mut c_uchar,
+        outLen: *mut c_uint,
+        maxLen: c_uint,
+        data: *const c_uchar,
+        dataLen: c_uint,
+    ) -> SECStatus;
+    pub fn PK11_VerifyWithMechanism(
+        key: *mut SECKEYPublicKey,
+        mechanism: CK_MECHANISM_TYPE,
+        param: *const SECItem,
+        sig: *const SECItem,
+        hash: *const SECItem,
+        wincx: *mut c_void,
+    ) -> SECStatus;
+    pub fn PK11_MapSignKeyType(keyType: u32 /* KeyType */) -> CK_MECHANISM_TYPE;
+    pub fn PK11_DestroyContext(context: *mut PK11Context, freeit: PRBool);
+    pub fn PK11_CreateContextBySymKey(
+        type_: CK_MECHANISM_TYPE,
+        operation: CK_ATTRIBUTE_TYPE,
+        symKey: *mut PK11SymKey,
+        param: *mut SECItem,
+    ) -> *mut PK11Context;
+    pub fn PK11_DigestBegin(cx: *mut PK11Context) -> SECStatus;
+    pub fn PK11_HashBuf(
+        hashAlg: u32, /* SECOidTag */
+        out: *mut c_uchar,
+        in_: *const c_uchar,
+        len: PRInt32,
+    ) -> SECStatus;
+    pub fn PK11_DigestOp(context: *mut PK11Context, in_: *const c_uchar, len: c_uint) -> SECStatus;
+    pub fn PK11_DigestFinal(
+        context: *mut PK11Context,
+        data: *mut c_uchar,
+        outLen: *mut c_uint,
+        length: c_uint,
+    ) -> SECStatus;
+    pub fn PK11_DestroyGenericObject(object: *mut PK11GenericObject) -> SECStatus;
+    pub fn PK11_CreateGenericObject(
+        slot: *mut PK11SlotInfo,
+        pTemplate: *const CK_ATTRIBUTE,
+        count: c_int,
+        token: PRBool,
+    ) -> *mut PK11GenericObject;
+    pub fn PK11_ReadRawAttribute(
+        type_: u32, /* PK11ObjectType */
+        object: *mut c_void,
+        attr: CK_ATTRIBUTE_TYPE,
+        item: *mut SECItem,
+    ) -> SECStatus;
+    pub fn PK11_CreatePBEV2AlgorithmID(
+        pbeAlgTag: u32,    /* SECOidTag */
+        cipherAlgTag: u32, /* SECOidTag */
+        prfAlgTag: u32,    /* SECOidTag */
+        keyLength: c_int,
+        iteration: c_int,
+        salt: *mut SECItem,
+    ) -> *mut SECAlgorithmID;
+
+    pub fn PK11_PBEKeyGen(
+        slot: *mut PK11SlotInfo,
+        algid: *mut SECAlgorithmID,
+        pwitem: *mut SECItem,
+        faulty3DES: PRBool,
+        wincx: *mut c_void,
+    ) -> *mut PK11SymKey;
+}
diff --git a/third_party/rust/nss_sys/src/bindings/pkcs11n.rs b/third_party/rust/nss_sys/src/bindings/pkcs11n.rs
new file mode 100644
index 0000000000..3d1818931d
--- /dev/null
+++ b/third_party/rust/nss_sys/src/bindings/pkcs11n.rs
@@ -0,0 +1,32 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+pub use crate::*;
+
+// https://searchfox.org/nss/rev/4d480919bbf204df5e199b9fdedec8f2a6295778/lib/util/pkcs11n.h#27
+pub const NSSCK_VENDOR_NSS: u32 = 0x4E534350;
+
+pub const CKM_NSS: u32 = CKM_VENDOR_DEFINED | NSSCK_VENDOR_NSS;
+pub const CKM_NSS_HKDF_SHA256: u32 = CKM_NSS + 4;
+pub const CKM_NSS_HKDF_SHA384: u32 = CKM_NSS + 5;
+
+pub type CK_GCM_PARAMS = CK_GCM_PARAMS_V3;
+#[repr(C)]
+pub struct CK_GCM_PARAMS_V3 {
+    pub pIv: CK_BYTE_PTR,
+    pub ulIvLen: CK_ULONG,
+    pub ulIvBits: CK_ULONG,
+    pub pAAD: CK_BYTE_PTR,
+    pub ulAADLen: CK_ULONG,
+    pub ulTagBits: CK_ULONG,
+}
+#[repr(C)]
+pub struct CK_NSS_HKDFParams {
+    pub bExtract: CK_BBOOL,
+    pub pSalt: CK_BYTE_PTR,
+    pub ulSaltLen: CK_ULONG,
+    pub bExpand: CK_BBOOL,
+    pub pInfo: CK_BYTE_PTR,
+    pub ulInfoLen: CK_ULONG,
+}
diff --git a/third_party/rust/nss_sys/src/bindings/pkcs11t.rs b/third_party/rust/nss_sys/src/bindings/pkcs11t.rs
new file mode 100644
index 0000000000..01cea5e1f9
--- /dev/null
+++ b/third_party/rust/nss_sys/src/bindings/pkcs11t.rs
@@ -0,0 +1,51 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+use std::os::raw::{c_uchar, c_ulong, c_void};
+
+pub const CK_TRUE: CK_BBOOL = 1;
+pub const CK_FALSE: CK_BBOOL = 0;
+pub type CK_BYTE = c_uchar;
+pub type CK_BBOOL = CK_BYTE;
+pub type CK_ULONG = c_ulong;
+pub type CK_BYTE_PTR = *mut CK_BYTE;
+pub type CK_VOID_PTR = *mut c_void;
+pub type CK_OBJECT_HANDLE = CK_ULONG;
+pub type CK_OBJECT_CLASS = CK_ULONG;
+pub type CK_KEY_TYPE = CK_ULONG;
+pub type CK_ATTRIBUTE_TYPE = CK_ULONG;
+#[repr(C)]
+#[derive(Clone, Copy)]
+pub struct CK_ATTRIBUTE {
+    pub type_: CK_ATTRIBUTE_TYPE,
+    pub pValue: CK_VOID_PTR,
+    pub ulValueLen: CK_ULONG,
+}
+pub type CK_MECHANISM_TYPE = CK_ULONG;
+
+pub const CK_INVALID_HANDLE: u32 = 0;
+pub const CKO_PRIVATE_KEY: u32 = 3;
+pub const CKK_EC: u32 = 3;
+pub const CKA_CLASS: u32 = 0;
+pub const CKA_TOKEN: u32 = 1;
+pub const CKA_PRIVATE: u32 = 2;
+pub const CKA_VALUE: u32 = 17;
+pub const CKA_KEY_TYPE: u32 = 256;
+pub const CKA_ID: u32 = 258;
+pub const CKA_SENSITIVE: u32 = 259;
+pub const CKA_ENCRYPT: u32 = 260;
+pub const CKA_WRAP: u32 = 262;
+pub const CKA_SIGN: u32 = 264;
+pub const CKA_EC_PARAMS: u32 = 384;
+pub const CKA_EC_POINT: u32 = 385;
+// https://searchfox.org/nss/rev/4d480919bbf204df5e199b9fdedec8f2a6295778/lib/util/pkcs11t.h#1244
+pub const CKM_VENDOR_DEFINED: u32 = 0x80000000;
+pub const CKM_SHA256_HMAC: u32 = 593;
+pub const CKM_SHA384_HMAC: u32 = 609;
+pub const CKM_SHA512_HMAC: u32 = 625;
+pub const CKM_EC_KEY_PAIR_GEN: u32 = 4160;
+pub const CKM_ECDH1_DERIVE: u32 = 4176;
+pub const CKM_AES_CBC_PAD: u32 = 4229;
+pub const CKM_AES_GCM: u32 = 4231;
+pub const CKD_NULL: u32 = 1;
diff --git a/third_party/rust/nss_sys/src/bindings/plarena.rs b/third_party/rust/nss_sys/src/bindings/plarena.rs
new file mode 100644
index 0000000000..38b8c95557
--- /dev/null
+++ b/third_party/rust/nss_sys/src/bindings/plarena.rs
@@ -0,0 +1,22 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+pub use crate::*;
+#[repr(C)]
+#[derive(Copy, Clone)]
+pub struct PLArena {
+    pub next: *mut PLArena,
+    pub base: PRUword,
+    pub limit: PRUword,
+    pub avail: PRUword,
+}
+
+#[repr(C)]
+#[derive(Copy, Clone)]
+pub struct PLArenaPool {
+    pub first: PLArena,
+    pub current: *mut PLArena,
+    pub arenasize: PRUint32,
+    pub mask: PRUword,
+}
diff --git a/third_party/rust/nss_sys/src/bindings/prerror.rs b/third_party/rust/nss_sys/src/bindings/prerror.rs
new file mode 100644
index 0000000000..0e435a352c
--- /dev/null
+++ b/third_party/rust/nss_sys/src/bindings/prerror.rs
@@ -0,0 +1,14 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+pub use crate::*;
+use std::os::raw::c_char;
+
+extern "C" {
+    pub fn PR_GetError() -> PRErrorCode;
+    pub fn PR_GetErrorTextLength() -> PRInt32;
+    pub fn PR_GetErrorText(text: *mut c_char) -> PRInt32;
+}
+
+pub type PRErrorCode = PRInt32;
diff --git a/third_party/rust/nss_sys/src/bindings/prtypes.rs b/third_party/rust/nss_sys/src/bindings/prtypes.rs
new file mode 100644
index 0000000000..f87e3c252f
--- /dev/null
+++ b/third_party/rust/nss_sys/src/bindings/prtypes.rs
@@ -0,0 +1,13 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+use std::os::raw::{c_int, c_uint};
+
+pub type PRIntn = c_int;
+pub type PRBool = PRIntn;
+pub type PRUword = usize;
+pub type PRInt32 = c_int;
+pub type PRUint32 = c_uint;
+pub const PR_FALSE: PRBool = 0;
+pub const PR_TRUE: PRBool = 1;
diff --git a/third_party/rust/nss_sys/src/bindings/secasn1t.rs b/third_party/rust/nss_sys/src/bindings/secasn1t.rs
new file mode 100644
index 0000000000..6dac2e163a
--- /dev/null
+++ b/third_party/rust/nss_sys/src/bindings/secasn1t.rs
@@ -0,0 +1,5 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+pub const SEC_ASN1_OBJECT_ID: u32 = 6;
diff --git a/third_party/rust/nss_sys/src/bindings/seccomon.rs b/third_party/rust/nss_sys/src/bindings/seccomon.rs
new file mode 100644
index 0000000000..14da5a81b5
--- /dev/null
+++ b/third_party/rust/nss_sys/src/bindings/seccomon.rs
@@ -0,0 +1,43 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+use std::os::raw::{c_uchar, c_uint};
+
+#[repr(u32)]
+pub enum SECItemType {
+    siBuffer = 0,
+    siClearDataBuffer = 1,
+    siCipherDataBuffer = 2,
+    siDERCertBuffer = 3,
+    siEncodedCertBuffer = 4,
+    siDERNameBuffer = 5,
+    siEncodedNameBuffer = 6,
+    siAsciiNameString = 7,
+    siAsciiString = 8,
+    siDEROID = 9,
+    siUnsignedInteger = 10,
+    siUTCTime = 11,
+    siGeneralizedTime = 12,
+    siVisibleString = 13,
+    siUTF8String = 14,
+    siBMPString = 15,
+}
+
+pub type SECItem = SECItemStr;
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
+pub struct SECItemStr {
+    pub type_: u32, /* SECItemType */
+    pub data: *mut c_uchar,
+    pub len: c_uint,
+}
+
+#[repr(i32)]
+#[derive(PartialEq)]
+pub enum _SECStatus {
+    SECWouldBlock = -2,
+    SECFailure = -1,
+    SECSuccess = 0,
+}
+pub use _SECStatus as SECStatus;
diff --git a/third_party/rust/nss_sys/src/bindings/secitem.rs b/third_party/rust/nss_sys/src/bindings/secitem.rs
new file mode 100644
index 0000000000..00e6db37e9
--- /dev/null
+++ b/third_party/rust/nss_sys/src/bindings/secitem.rs
@@ -0,0 +1,9 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+pub use crate::*;
+
+extern "C" {
+    pub fn SECITEM_FreeItem(zap: *mut SECItem, freeit: PRBool);
+}
diff --git a/third_party/rust/nss_sys/src/bindings/secmodt.rs b/third_party/rust/nss_sys/src/bindings/secmodt.rs
new file mode 100644
index 0000000000..1e7cac71dc
--- /dev/null
+++ b/third_party/rust/nss_sys/src/bindings/secmodt.rs
@@ -0,0 +1,33 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// Opaque pointers as these types are giant.
+pub type PK11SlotInfo = u8;
+pub type PK11SymKey = u8;
+pub type PK11Context = u8;
+
+#[repr(u32)]
+pub enum PK11Origin {
+    PK11_OriginNULL = 0,
+    PK11_OriginDerive = 1,
+    PK11_OriginGenerated = 2,
+    PK11_OriginFortezzaHack = 3,
+    PK11_OriginUnwrap = 4,
+}
+
+#[repr(u32)]
+pub enum PK11ObjectType {
+    PK11_TypeGeneric = 0,
+    PK11_TypePrivKey = 1,
+    PK11_TypePubKey = 2,
+    PK11_TypeCert = 3,
+    PK11_TypeSymKey = 4,
+}
+
+// #[repr(C)]
+// #[derive(Copy, Clone)]
+// pub struct PK11GenericObjectStr {
+//     _unused: [u8; 0],
+// }
+pub type PK11GenericObject = u8;
diff --git a/third_party/rust/nss_sys/src/bindings/secoid.rs b/third_party/rust/nss_sys/src/bindings/secoid.rs
new file mode 100644
index 0000000000..398900278b
--- /dev/null
+++ b/third_party/rust/nss_sys/src/bindings/secoid.rs
@@ -0,0 +1,10 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+pub use crate::*;
+
+extern "C" {
+    pub fn SECOID_FindOIDByTag(tagnum: u32 /* SECOidTag */) -> *mut SECOidData;
+    pub fn SECOID_DestroyAlgorithmID(aid: *mut SECAlgorithmID, freeit: PRBool);
+}
diff --git a/third_party/rust/nss_sys/src/bindings/secoidt.rs b/third_party/rust/nss_sys/src/bindings/secoidt.rs
new file mode 100644
index 0000000000..7e1dcaa9f9
--- /dev/null
+++ b/third_party/rust/nss_sys/src/bindings/secoidt.rs
@@ -0,0 +1,401 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+pub use crate::*;
+use std::os::raw::{c_char, c_ulong};
+
+#[repr(C)]
+#[derive(Copy, Clone)]
+pub struct SECAlgorithmIDStr {
+    pub algorithm: SECItem,
+    pub parameters: SECItem,
+}
+
+pub type SECAlgorithmID = SECAlgorithmIDStr;
+
+#[repr(C)]
+#[derive(Copy, Clone)]
+pub struct SECOidDataStr {
+    pub oid: SECItem,
+    pub offset: u32, /* SECOidTag */
+    pub desc: *const c_char,
+    pub mechanism: c_ulong,
+    pub supportedExtension: u32, /* SECSupportExtenTag */
+}
+pub type SECOidData = SECOidDataStr;
+
+pub enum SECSupportExtenTag {
+    INVALID_CERT_EXTENSION = 0,
+    UNSUPPORTED_CERT_EXTENSION = 1,
+    SUPPORTED_CERT_EXTENSION = 2,
+}
+
+#[repr(u32)]
+pub enum SECOidTag {
+    SEC_OID_UNKNOWN = 0,
+    SEC_OID_MD2 = 1,
+    SEC_OID_MD4 = 2,
+    SEC_OID_MD5 = 3,
+    SEC_OID_SHA1 = 4,
+    SEC_OID_RC2_CBC = 5,
+    SEC_OID_RC4 = 6,
+    SEC_OID_DES_EDE3_CBC = 7,
+    SEC_OID_RC5_CBC_PAD = 8,
+    SEC_OID_DES_ECB = 9,
+    SEC_OID_DES_CBC = 10,
+    SEC_OID_DES_OFB = 11,
+    SEC_OID_DES_CFB = 12,
+    SEC_OID_DES_MAC = 13,
+    SEC_OID_DES_EDE = 14,
+    SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE = 15,
+    SEC_OID_PKCS1_RSA_ENCRYPTION = 16,
+    SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION = 17,
+    SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION = 18,
+    SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION = 19,
+    SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION = 20,
+    SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC = 21,
+    SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC = 22,
+    SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC = 23,
+    SEC_OID_PKCS7 = 24,
+    SEC_OID_PKCS7_DATA = 25,
+    SEC_OID_PKCS7_SIGNED_DATA = 26,
+    SEC_OID_PKCS7_ENVELOPED_DATA = 27,
+    SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA = 28,
+    SEC_OID_PKCS7_DIGESTED_DATA = 29,
+    SEC_OID_PKCS7_ENCRYPTED_DATA = 30,
+    SEC_OID_PKCS9_EMAIL_ADDRESS = 31,
+    SEC_OID_PKCS9_UNSTRUCTURED_NAME = 32,
+    SEC_OID_PKCS9_CONTENT_TYPE = 33,
+    SEC_OID_PKCS9_MESSAGE_DIGEST = 34,
+    SEC_OID_PKCS9_SIGNING_TIME = 35,
+    SEC_OID_PKCS9_COUNTER_SIGNATURE = 36,
+    SEC_OID_PKCS9_CHALLENGE_PASSWORD = 37,
+    SEC_OID_PKCS9_UNSTRUCTURED_ADDRESS = 38,
+    SEC_OID_PKCS9_EXTENDED_CERTIFICATE_ATTRIBUTES = 39,
+    SEC_OID_PKCS9_SMIME_CAPABILITIES = 40,
+    SEC_OID_AVA_COMMON_NAME = 41,
+    SEC_OID_AVA_COUNTRY_NAME = 42,
+    SEC_OID_AVA_LOCALITY = 43,
+    SEC_OID_AVA_STATE_OR_PROVINCE = 44,
+    SEC_OID_AVA_ORGANIZATION_NAME = 45,
+    SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME = 46,
+    SEC_OID_AVA_DN_QUALIFIER = 47,
+    SEC_OID_AVA_DC = 48,
+    SEC_OID_NS_TYPE_GIF = 49,
+    SEC_OID_NS_TYPE_JPEG = 50,
+    SEC_OID_NS_TYPE_URL = 51,
+    SEC_OID_NS_TYPE_HTML = 52,
+    SEC_OID_NS_TYPE_CERT_SEQUENCE = 53,
+    SEC_OID_MISSI_KEA_DSS_OLD = 54,
+    SEC_OID_MISSI_DSS_OLD = 55,
+    SEC_OID_MISSI_KEA_DSS = 56,
+    SEC_OID_MISSI_DSS = 57,
+    SEC_OID_MISSI_KEA = 58,
+    SEC_OID_MISSI_ALT_KEA = 59,
+    SEC_OID_NS_CERT_EXT_NETSCAPE_OK = 60,
+    SEC_OID_NS_CERT_EXT_ISSUER_LOGO = 61,
+    SEC_OID_NS_CERT_EXT_SUBJECT_LOGO = 62,
+    SEC_OID_NS_CERT_EXT_CERT_TYPE = 63,
+    SEC_OID_NS_CERT_EXT_BASE_URL = 64,
+    SEC_OID_NS_CERT_EXT_REVOCATION_URL = 65,
+    SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL = 66,
+    SEC_OID_NS_CERT_EXT_CA_CRL_URL = 67,
+    SEC_OID_NS_CERT_EXT_CA_CERT_URL = 68,
+    SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL = 69,
+    SEC_OID_NS_CERT_EXT_CA_POLICY_URL = 70,
+    SEC_OID_NS_CERT_EXT_HOMEPAGE_URL = 71,
+    SEC_OID_NS_CERT_EXT_ENTITY_LOGO = 72,
+    SEC_OID_NS_CERT_EXT_USER_PICTURE = 73,
+    SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME = 74,
+    SEC_OID_NS_CERT_EXT_COMMENT = 75,
+    SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL = 76,
+    SEC_OID_NS_CERT_EXT_CERT_RENEWAL_TIME = 77,
+    SEC_OID_NS_KEY_USAGE_GOVT_APPROVED = 78,
+    SEC_OID_X509_SUBJECT_DIRECTORY_ATTR = 79,
+    SEC_OID_X509_SUBJECT_KEY_ID = 80,
+    SEC_OID_X509_KEY_USAGE = 81,
+    SEC_OID_X509_PRIVATE_KEY_USAGE_PERIOD = 82,
+    SEC_OID_X509_SUBJECT_ALT_NAME = 83,
+    SEC_OID_X509_ISSUER_ALT_NAME = 84,
+    SEC_OID_X509_BASIC_CONSTRAINTS = 85,
+    SEC_OID_X509_NAME_CONSTRAINTS = 86,
+    SEC_OID_X509_CRL_DIST_POINTS = 87,
+    SEC_OID_X509_CERTIFICATE_POLICIES = 88,
+    SEC_OID_X509_POLICY_MAPPINGS = 89,
+    SEC_OID_X509_POLICY_CONSTRAINTS = 90,
+    SEC_OID_X509_AUTH_KEY_ID = 91,
+    SEC_OID_X509_EXT_KEY_USAGE = 92,
+    SEC_OID_X509_AUTH_INFO_ACCESS = 93,
+    SEC_OID_X509_CRL_NUMBER = 94,
+    SEC_OID_X509_REASON_CODE = 95,
+    SEC_OID_X509_INVALID_DATE = 96,
+    SEC_OID_X500_RSA_ENCRYPTION = 97,
+    SEC_OID_RFC1274_UID = 98,
+    SEC_OID_RFC1274_MAIL = 99,
+    SEC_OID_PKCS12 = 100,
+    SEC_OID_PKCS12_MODE_IDS = 101,
+    SEC_OID_PKCS12_ESPVK_IDS = 102,
+    SEC_OID_PKCS12_BAG_IDS = 103,
+    SEC_OID_PKCS12_CERT_BAG_IDS = 104,
+    SEC_OID_PKCS12_OIDS = 105,
+    SEC_OID_PKCS12_PBE_IDS = 106,
+    SEC_OID_PKCS12_SIGNATURE_IDS = 107,
+    SEC_OID_PKCS12_ENVELOPING_IDS = 108,
+    SEC_OID_PKCS12_PKCS8_KEY_SHROUDING = 109,
+    SEC_OID_PKCS12_KEY_BAG_ID = 110,
+    SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID = 111,
+    SEC_OID_PKCS12_SECRET_BAG_ID = 112,
+    SEC_OID_PKCS12_X509_CERT_CRL_BAG = 113,
+    SEC_OID_PKCS12_SDSI_CERT_BAG = 114,
+    SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4 = 115,
+    SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4 = 116,
+    SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC = 117,
+    SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC = 118,
+    SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC = 119,
+    SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_128_BIT_RC4 = 120,
+    SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_40_BIT_RC4 = 121,
+    SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_TRIPLE_DES = 122,
+    SEC_OID_PKCS12_RSA_SIGNATURE_WITH_SHA1_DIGEST = 123,
+    SEC_OID_ANSIX9_DSA_SIGNATURE = 124,
+    SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST = 125,
+    SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST = 126,
+    SEC_OID_VERISIGN_USER_NOTICES = 127,
+    SEC_OID_PKIX_CPS_POINTER_QUALIFIER = 128,
+    SEC_OID_PKIX_USER_NOTICE_QUALIFIER = 129,
+    SEC_OID_PKIX_OCSP = 130,
+    SEC_OID_PKIX_OCSP_BASIC_RESPONSE = 131,
+    SEC_OID_PKIX_OCSP_NONCE = 132,
+    SEC_OID_PKIX_OCSP_CRL = 133,
+    SEC_OID_PKIX_OCSP_RESPONSE = 134,
+    SEC_OID_PKIX_OCSP_NO_CHECK = 135,
+    SEC_OID_PKIX_OCSP_ARCHIVE_CUTOFF = 136,
+    SEC_OID_PKIX_OCSP_SERVICE_LOCATOR = 137,
+    SEC_OID_PKIX_REGCTRL_REGTOKEN = 138,
+    SEC_OID_PKIX_REGCTRL_AUTHENTICATOR = 139,
+    SEC_OID_PKIX_REGCTRL_PKIPUBINFO = 140,
+    SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS = 141,
+    SEC_OID_PKIX_REGCTRL_OLD_CERT_ID = 142,
+    SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY = 143,
+    SEC_OID_PKIX_REGINFO_UTF8_PAIRS = 144,
+    SEC_OID_PKIX_REGINFO_CERT_REQUEST = 145,
+    SEC_OID_EXT_KEY_USAGE_SERVER_AUTH = 146,
+    SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH = 147,
+    SEC_OID_EXT_KEY_USAGE_CODE_SIGN = 148,
+    SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT = 149,
+    SEC_OID_EXT_KEY_USAGE_TIME_STAMP = 150,
+    SEC_OID_OCSP_RESPONDER = 151,
+    SEC_OID_NETSCAPE_SMIME_KEA = 152,
+    SEC_OID_FORTEZZA_SKIPJACK = 153,
+    SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4 = 154,
+    SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4 = 155,
+    SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC = 156,
+    SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC = 157,
+    SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC = 158,
+    SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC = 159,
+    SEC_OID_PKCS12_SAFE_CONTENTS_ID = 160,
+    SEC_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG_ID = 161,
+    SEC_OID_PKCS12_V1_KEY_BAG_ID = 162,
+    SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID = 163,
+    SEC_OID_PKCS12_V1_CERT_BAG_ID = 164,
+    SEC_OID_PKCS12_V1_CRL_BAG_ID = 165,
+    SEC_OID_PKCS12_V1_SECRET_BAG_ID = 166,
+    SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID = 167,
+    SEC_OID_PKCS9_X509_CERT = 168,
+    SEC_OID_PKCS9_SDSI_CERT = 169,
+    SEC_OID_PKCS9_X509_CRL = 170,
+    SEC_OID_PKCS9_FRIENDLY_NAME = 171,
+    SEC_OID_PKCS9_LOCAL_KEY_ID = 172,
+    SEC_OID_BOGUS_KEY_USAGE = 173,
+    SEC_OID_X942_DIFFIE_HELMAN_KEY = 174,
+    SEC_OID_NETSCAPE_NICKNAME = 175,
+    SEC_OID_NETSCAPE_RECOVERY_REQUEST = 176,
+    SEC_OID_CERT_RENEWAL_LOCATOR = 177,
+    SEC_OID_NS_CERT_EXT_SCOPE_OF_USE = 178,
+    SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN = 179,
+    SEC_OID_CMS_3DES_KEY_WRAP = 180,
+    SEC_OID_CMS_RC2_KEY_WRAP = 181,
+    SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE = 182,
+    SEC_OID_AES_128_ECB = 183,
+    SEC_OID_AES_128_CBC = 184,
+    SEC_OID_AES_192_ECB = 185,
+    SEC_OID_AES_192_CBC = 186,
+    SEC_OID_AES_256_ECB = 187,
+    SEC_OID_AES_256_CBC = 188,
+    SEC_OID_SDN702_DSA_SIGNATURE = 189,
+    SEC_OID_MS_SMIME_ENCRYPTION_KEY_PREFERENCE = 190,
+    SEC_OID_SHA256 = 191,
+    SEC_OID_SHA384 = 192,
+    SEC_OID_SHA512 = 193,
+    SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION = 194,
+    SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION = 195,
+    SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION = 196,
+    SEC_OID_AES_128_KEY_WRAP = 197,
+    SEC_OID_AES_192_KEY_WRAP = 198,
+    SEC_OID_AES_256_KEY_WRAP = 199,
+    SEC_OID_ANSIX962_EC_PUBLIC_KEY = 200,
+    SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE = 201,
+    SEC_OID_ANSIX962_EC_PRIME192V1 = 202,
+    SEC_OID_ANSIX962_EC_PRIME192V2 = 203,
+    SEC_OID_ANSIX962_EC_PRIME192V3 = 204,
+    SEC_OID_ANSIX962_EC_PRIME239V1 = 205,
+    SEC_OID_ANSIX962_EC_PRIME239V2 = 206,
+    SEC_OID_ANSIX962_EC_PRIME239V3 = 207,
+    SEC_OID_SECG_EC_SECP256R1 = 208,
+    SEC_OID_SECG_EC_SECP112R1 = 209,
+    SEC_OID_SECG_EC_SECP112R2 = 210,
+    SEC_OID_SECG_EC_SECP128R1 = 211,
+    SEC_OID_SECG_EC_SECP128R2 = 212,
+    SEC_OID_SECG_EC_SECP160K1 = 213,
+    SEC_OID_SECG_EC_SECP160R1 = 214,
+    SEC_OID_SECG_EC_SECP160R2 = 215,
+    SEC_OID_SECG_EC_SECP192K1 = 216,
+    SEC_OID_SECG_EC_SECP224K1 = 217,
+    SEC_OID_SECG_EC_SECP224R1 = 218,
+    SEC_OID_SECG_EC_SECP256K1 = 219,
+    SEC_OID_SECG_EC_SECP384R1 = 220,
+    SEC_OID_SECG_EC_SECP521R1 = 221,
+    SEC_OID_ANSIX962_EC_C2PNB163V1 = 222,
+    SEC_OID_ANSIX962_EC_C2PNB163V2 = 223,
+    SEC_OID_ANSIX962_EC_C2PNB163V3 = 224,
+    SEC_OID_ANSIX962_EC_C2PNB176V1 = 225,
+    SEC_OID_ANSIX962_EC_C2TNB191V1 = 226,
+    SEC_OID_ANSIX962_EC_C2TNB191V2 = 227,
+    SEC_OID_ANSIX962_EC_C2TNB191V3 = 228,
+    SEC_OID_ANSIX962_EC_C2ONB191V4 = 229,
+    SEC_OID_ANSIX962_EC_C2ONB191V5 = 230,
+    SEC_OID_ANSIX962_EC_C2PNB208W1 = 231,
+    SEC_OID_ANSIX962_EC_C2TNB239V1 = 232,
+    SEC_OID_ANSIX962_EC_C2TNB239V2 = 233,
+    SEC_OID_ANSIX962_EC_C2TNB239V3 = 234,
+    SEC_OID_ANSIX962_EC_C2ONB239V4 = 235,
+    SEC_OID_ANSIX962_EC_C2ONB239V5 = 236,
+    SEC_OID_ANSIX962_EC_C2PNB272W1 = 237,
+    SEC_OID_ANSIX962_EC_C2PNB304W1 = 238,
+    SEC_OID_ANSIX962_EC_C2TNB359V1 = 239,
+    SEC_OID_ANSIX962_EC_C2PNB368W1 = 240,
+    SEC_OID_ANSIX962_EC_C2TNB431R1 = 241,
+    SEC_OID_SECG_EC_SECT113R1 = 242,
+    SEC_OID_SECG_EC_SECT113R2 = 243,
+    SEC_OID_SECG_EC_SECT131R1 = 244,
+    SEC_OID_SECG_EC_SECT131R2 = 245,
+    SEC_OID_SECG_EC_SECT163K1 = 246,
+    SEC_OID_SECG_EC_SECT163R1 = 247,
+    SEC_OID_SECG_EC_SECT163R2 = 248,
+    SEC_OID_SECG_EC_SECT193R1 = 249,
+    SEC_OID_SECG_EC_SECT193R2 = 250,
+    SEC_OID_SECG_EC_SECT233K1 = 251,
+    SEC_OID_SECG_EC_SECT233R1 = 252,
+    SEC_OID_SECG_EC_SECT239K1 = 253,
+    SEC_OID_SECG_EC_SECT283K1 = 254,
+    SEC_OID_SECG_EC_SECT283R1 = 255,
+    SEC_OID_SECG_EC_SECT409K1 = 256,
+    SEC_OID_SECG_EC_SECT409R1 = 257,
+    SEC_OID_SECG_EC_SECT571K1 = 258,
+    SEC_OID_SECG_EC_SECT571R1 = 259,
+    SEC_OID_NETSCAPE_AOLSCREENNAME = 260,
+    SEC_OID_AVA_SURNAME = 261,
+    SEC_OID_AVA_SERIAL_NUMBER = 262,
+    SEC_OID_AVA_STREET_ADDRESS = 263,
+    SEC_OID_AVA_TITLE = 264,
+    SEC_OID_AVA_POSTAL_ADDRESS = 265,
+    SEC_OID_AVA_POSTAL_CODE = 266,
+    SEC_OID_AVA_POST_OFFICE_BOX = 267,
+    SEC_OID_AVA_GIVEN_NAME = 268,
+    SEC_OID_AVA_INITIALS = 269,
+    SEC_OID_AVA_GENERATION_QUALIFIER = 270,
+    SEC_OID_AVA_HOUSE_IDENTIFIER = 271,
+    SEC_OID_AVA_PSEUDONYM = 272,
+    SEC_OID_PKIX_CA_ISSUERS = 273,
+    SEC_OID_PKCS9_EXTENSION_REQUEST = 274,
+    SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST = 275,
+    SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST = 276,
+    SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE = 277,
+    SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE = 278,
+    SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE = 279,
+    SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE = 280,
+    SEC_OID_X509_HOLD_INSTRUCTION_CODE = 281,
+    SEC_OID_X509_DELTA_CRL_INDICATOR = 282,
+    SEC_OID_X509_ISSUING_DISTRIBUTION_POINT = 283,
+    SEC_OID_X509_CERT_ISSUER = 284,
+    SEC_OID_X509_FRESHEST_CRL = 285,
+    SEC_OID_X509_INHIBIT_ANY_POLICY = 286,
+    SEC_OID_X509_SUBJECT_INFO_ACCESS = 287,
+    SEC_OID_CAMELLIA_128_CBC = 288,
+    SEC_OID_CAMELLIA_192_CBC = 289,
+    SEC_OID_CAMELLIA_256_CBC = 290,
+    SEC_OID_PKCS5_PBKDF2 = 291,
+    SEC_OID_PKCS5_PBES2 = 292,
+    SEC_OID_PKCS5_PBMAC1 = 293,
+    SEC_OID_HMAC_SHA1 = 294,
+    SEC_OID_HMAC_SHA224 = 295,
+    SEC_OID_HMAC_SHA256 = 296,
+    SEC_OID_HMAC_SHA384 = 297,
+    SEC_OID_HMAC_SHA512 = 298,
+    SEC_OID_PKIX_TIMESTAMPING = 299,
+    SEC_OID_PKIX_CA_REPOSITORY = 300,
+    SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE = 301,
+    SEC_OID_SEED_CBC = 302,
+    SEC_OID_X509_ANY_POLICY = 303,
+    SEC_OID_PKCS1_RSA_OAEP_ENCRYPTION = 304,
+    SEC_OID_PKCS1_MGF1 = 305,
+    SEC_OID_PKCS1_PSPECIFIED = 306,
+    SEC_OID_PKCS1_RSA_PSS_SIGNATURE = 307,
+    SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION = 308,
+    SEC_OID_SHA224 = 309,
+    SEC_OID_EV_INCORPORATION_LOCALITY = 310,
+    SEC_OID_EV_INCORPORATION_STATE = 311,
+    SEC_OID_EV_INCORPORATION_COUNTRY = 312,
+    SEC_OID_BUSINESS_CATEGORY = 313,
+    SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST = 314,
+    SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST = 315,
+    SEC_OID_MS_EXT_KEY_USAGE_CTL_SIGNING = 316,
+    SEC_OID_AVA_NAME = 317,
+    SEC_OID_AES_128_GCM = 318,
+    SEC_OID_AES_192_GCM = 319,
+    SEC_OID_AES_256_GCM = 320,
+    SEC_OID_IDEA_CBC = 321,
+    SEC_OID_RC2_40_CBC = 322,
+    SEC_OID_DES_40_CBC = 323,
+    SEC_OID_RC4_40 = 324,
+    SEC_OID_RC4_56 = 325,
+    SEC_OID_NULL_CIPHER = 326,
+    SEC_OID_HMAC_MD5 = 327,
+    SEC_OID_TLS_RSA = 328,
+    SEC_OID_TLS_DHE_RSA = 329,
+    SEC_OID_TLS_DHE_DSS = 330,
+    SEC_OID_TLS_DH_RSA = 331,
+    SEC_OID_TLS_DH_DSS = 332,
+    SEC_OID_TLS_DH_ANON = 333,
+    SEC_OID_TLS_ECDHE_ECDSA = 334,
+    SEC_OID_TLS_ECDHE_RSA = 335,
+    SEC_OID_TLS_ECDH_ECDSA = 336,
+    SEC_OID_TLS_ECDH_RSA = 337,
+    SEC_OID_TLS_ECDH_ANON = 338,
+    SEC_OID_TLS_RSA_EXPORT = 339,
+    SEC_OID_TLS_DHE_RSA_EXPORT = 340,
+    SEC_OID_TLS_DHE_DSS_EXPORT = 341,
+    SEC_OID_TLS_DH_RSA_EXPORT = 342,
+    SEC_OID_TLS_DH_DSS_EXPORT = 343,
+    SEC_OID_TLS_DH_ANON_EXPORT = 344,
+    SEC_OID_APPLY_SSL_POLICY = 345,
+    SEC_OID_CHACHA20_POLY1305 = 346,
+    SEC_OID_TLS_ECDHE_PSK = 347,
+    SEC_OID_TLS_DHE_PSK = 348,
+    SEC_OID_TLS_FFDHE_2048 = 349,
+    SEC_OID_TLS_FFDHE_3072 = 350,
+    SEC_OID_TLS_FFDHE_4096 = 351,
+    SEC_OID_TLS_FFDHE_6144 = 352,
+    SEC_OID_TLS_FFDHE_8192 = 353,
+    SEC_OID_TLS_DHE_CUSTOM = 354,
+    SEC_OID_CURVE25519 = 355,
+    SEC_OID_TLS13_KEA_ANY = 356,
+    SEC_OID_X509_ANY_EXT_KEY_USAGE = 357,
+    SEC_OID_EXT_KEY_USAGE_IPSEC_IKE = 358,
+    SEC_OID_IPSEC_IKE_END = 359,
+    SEC_OID_IPSEC_IKE_INTERMEDIATE = 360,
+    SEC_OID_EXT_KEY_USAGE_IPSEC_END = 361,
+    SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL = 362,
+    SEC_OID_EXT_KEY_USAGE_IPSEC_USER = 363,
+    SEC_OID_TOTAL = 364,
+}
diff --git a/third_party/rust/nss_sys/src/bindings/secport.rs b/third_party/rust/nss_sys/src/bindings/secport.rs
new file mode 100644
index 0000000000..9d67ecb4ca
--- /dev/null
+++ b/third_party/rust/nss_sys/src/bindings/secport.rs
@@ -0,0 +1,13 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+use crate::*;
+use std::os::raw::{c_int, c_void};
+
+pub type size_t = usize;
+
+extern "C" {
+    pub fn PORT_FreeArena(arena: *mut PLArenaPool, zero: PRBool);
+    pub fn NSS_SecureMemcmp(a: *const c_void, b: *const c_void, n: size_t) -> c_int;
+}
diff --git a/third_party/rust/nss_sys/src/lib.rs b/third_party/rust/nss_sys/src/lib.rs
new file mode 100644
index 0000000000..261d67bbbc
--- /dev/null
+++ b/third_party/rust/nss_sys/src/lib.rs
@@ -0,0 +1,16 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#![allow(unknown_lints)]
+#![warn(rust_2018_idioms)]
+#![allow(non_camel_case_types, non_upper_case_globals, non_snake_case)]
+
+mod bindings;
+pub use bindings::*;
+
+// So we link against the SQLite lib imported by parent crates
+// such as places and logins.
+#[allow(unused_extern_crates)]
+#[cfg(any(not(feature = "gecko"), __appsvc_ci_hack))]
+extern crate libsqlite3_sys;