Adding upstream version 115.8.0esr.upstream/115.8.0esr

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

8 files changed, 1699 insertions, 0 deletions

diff --git a/security/nss/cmd/libpkix/testutil/Makefile b/security/nss/cmd/libpkix/testutil/Makefile
new file mode 100644
index 0000000000..cc9d235938
--- /dev/null
+++ b/security/nss/cmd/libpkix/testutil/Makefile
@@ -0,0 +1,50 @@
+#! gmake
+# 
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+include $(PKIX_DEPTH)/config.mk
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include $(PLAT_DEPTH)/platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include $(PLAT_DEPTH)/platrules.mk
+
+
diff --git a/security/nss/cmd/libpkix/testutil/config.mk b/security/nss/cmd/libpkix/testutil/config.mk
new file mode 100644
index 0000000000..f1f6674f90
--- /dev/null
+++ b/security/nss/cmd/libpkix/testutil/config.mk
@@ -0,0 +1,8 @@
+# 
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# don't build the static library
+LIBRARY =
+RES =
diff --git a/security/nss/cmd/libpkix/testutil/manifest.mn b/security/nss/cmd/libpkix/testutil/manifest.mn
new file mode 100644
index 0000000000..184085b1b1
--- /dev/null
+++ b/security/nss/cmd/libpkix/testutil/manifest.mn
@@ -0,0 +1,27 @@
+# 
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+PKIX_DEPTH = ..
+CORE_DEPTH = $(PKIX_DEPTH)/../../..
+PLAT_DEPTH = $(PKIX_DEPTH)/..
+
+MODULE = nss
+
+PRIVATE_EXPORTS = \
+	testutil_nss.h \
+	testutil.h \
+	$(NULL)
+
+CSRCS = \
+	testutil_nss.c \
+	testutil.c \
+	$(NULL)
+
+LIBRARY_NAME = pkixtooltestutil
+SHARED_LIBRARY = $(NULL)
+
+SOURCE_LIB_DIR = $(PKIX_DEPTH)/$(OBJDIR)
+
+NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/testutil/pkixutil.def b/security/nss/cmd/libpkix/testutil/pkixutil.def
new file mode 100644
index 0000000000..407d40a318
--- /dev/null
+++ b/security/nss/cmd/libpkix/testutil/pkixutil.def
@@ -0,0 +1,48 @@
+;+#
+;+# This Source Code Form is subject to the terms of the Mozilla Public
+;+# License, v. 2.0. If a copy of the MPL was not distributed with this
+;+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;+#
+;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
+;+#   1. For all unix platforms, the string ";-"  means "remove this line"
+;+#   2. For all unix platforms, the string " DATA " will be removed from any 
+;+#	line on which it occurs.
+;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
+;+#      On AIX, lines containing ";+" will be removed.  
+;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
+;+#   5. For all unix platforms, after the above processing has taken place,
+;+#    all characters after the first ";" on the line will be removed.  
+;+#    And for AIX, the first ";" will also be removed.
+;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
+;+#   directives are hidden behind ";", ";+", and ";-"
+;+
+;+NSS_3.12 {               # NSS 3.12 release
+;+    global:
+LIBRARY pkixutil ;-
+EXPORTS	;-
+createBuildResult;
+createCRL;
+createCert;
+createCertChain;
+createCertChainPlus;
+createDate;
+createGeneralName;
+createProcessingParams;
+createTrustAnchor;
+createValidateParams;
+createValidateResult;
+endTests;
+startTests;
+subTest;
+testDuplicateHelper;
+testEqualsHelper;
+testError;
+testErrorUndo;
+testHashcodeHelper;
+testToStringHelper;
+PKIX_Cert2ASCII;
+PKIX_Error2ASCII;
+PKIX_String2ASCII;
+;+    local:
+;+       *;
+;+};
diff --git a/security/nss/cmd/libpkix/testutil/testutil.c b/security/nss/cmd/libpkix/testutil/testutil.c
new file mode 100644
index 0000000000..0f438ba430
--- /dev/null
+++ b/security/nss/cmd/libpkix/testutil/testutil.c
@@ -0,0 +1,576 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * testutil.c
+ *
+ * Utility error handling functions
+ *
+ */
+
+#include "testutil.h"
+
+/*
+ * static global variable to keep track of total number of errors for
+ * a particular test suite (eg. all the OID tests)
+ */
+static int errCount = 0;
+
+/*
+ * FUNCTION: startTests
+ * DESCRIPTION:
+ *
+ *  Prints standard message for starting the test suite with the name pointed
+ *  to by "testName". This function should be called in the beginning of every
+ *  test suite.
+ *
+ * PARAMETERS:
+ *  "testName"
+ *      Address of string representing name of test suite.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "errCount"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns nothing.
+ */
+void
+startTests(char *testName)
+{
+    (void)printf("*START OF TESTS FOR %s:\n", testName);
+    errCount = 0;
+}
+
+/*
+ * FUNCTION: endTests
+ * DESCRIPTION:
+ *
+ *  Prints standard message for ending the test suite with the name pointed
+ *  to by "testName", followed by a success/failure message. This function
+ *  should be called at the end of every test suite.
+ *
+ * PARAMETERS:
+ *  "testName"
+ *      Address of string representing name of test suite.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "errCount"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns nothing.
+ */
+void
+endTests(char *testName)
+{
+    char plural = ' ';
+
+    (void)printf("*END OF TESTS FOR %s: ", testName);
+    if (errCount > 0) {
+        if (errCount > 1)
+            plural = 's';
+        (void)printf("%d SUBTEST%c FAILED.\n\n", errCount, plural);
+    } else {
+        (void)printf("ALL TESTS COMPLETED SUCCESSFULLY.\n\n");
+    }
+}
+
+/*
+ * FUNCTION: subTest
+ * DESCRIPTION:
+ *
+ *  Prints standard message for starting the subtest with the name pointed to
+ *  by "subTestName". This function should be called at the beginning of each
+ *  subtest.
+ *
+ * PARAMETERS:
+ *  "subTestName"
+ *      Address of string representing name of subTest.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns nothing.
+ */
+void
+subTest(char *subTestName)
+{
+    (void)printf("TESTING: %s ...\n", subTestName);
+}
+
+/*
+ * FUNCTION: testErrorUndo
+ * DESCRIPTION:
+ *
+ *  Decrements the global variable "errCount" and prints a test failure
+ *  expected message followed by the string pointed to by "msg". This function
+ *  should be called when an expected error condition is encountered in the
+ *  tests. Calling this function *correct* the previous errCount increment.
+ *  It should only be called ONCE per subtest.
+ *
+ * PARAMETERS:
+ *  "msg"
+ *      Address of text of error message.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "errCount"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns nothing.
+ */
+void
+testErrorUndo(char *msg)
+{
+    --errCount;
+    (void)printf("TEST FAILURE *** EXPECTED *** :%s\n", msg);
+}
+
+/*
+ * FUNCTION: testError
+ * DESCRIPTION:
+ *
+ *  Increments the global variable "errCount" and prints a standard test
+ *  failure message followed by the string pointed to by "msg". This function
+ *  should be called when an unexpected error condition is encountered in the
+ *  tests. It should only be called ONCE per subtest.
+ *
+ * PARAMETERS:
+ *  "msg"
+ *      Address of text of error message.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "errCount"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns nothing.
+ */
+void
+testError(char *msg)
+{
+    ++errCount;
+    (void)printf("TEST FAILURE: %s\n", msg);
+}
+
+/*
+ * FUNCTION: PKIX_String2ASCII
+ * DESCRIPTION:
+ *
+ *  Converts String object pointed to by "string" to its ASCII representation
+ *  and returns the converted value. Returns NULL upon failure.
+ *
+ *  XXX Might want to use ESCASCII_DEBUG to show control characters, etc.
+ *
+ * PARAMETERS:
+ *  "string"
+ *      Address of String to be converted to ASCII. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns the ASCII representation of "string" upon success;
+ *  NULL upon failure.
+ */
+char *
+PKIX_String2ASCII(PKIX_PL_String *string, void *plContext)
+{
+    PKIX_UInt32 length;
+    char *asciiString = NULL;
+    PKIX_Error *errorResult;
+
+    errorResult = PKIX_PL_String_GetEncoded(string,
+                                            PKIX_ESCASCII,
+                                            (void **)&asciiString,
+                                            &length,
+                                            plContext);
+
+    if (errorResult)
+        goto cleanup;
+
+cleanup:
+
+    if (errorResult) {
+        return (NULL);
+    }
+
+    return (asciiString);
+}
+
+/*
+ * FUNCTION: PKIX_Error2ASCII
+ * DESCRIPTION:
+ *
+ *  Converts Error pointed to by "error" to its ASCII representation and
+ *  returns the converted value. Returns NULL upon failure.
+ *
+ * PARAMETERS:
+ *  "error"
+ *      Address of Error to be converted to ASCII. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns the ASCII representation of "error" upon success;
+ *  NULL upon failure.
+ */
+char *
+PKIX_Error2ASCII(PKIX_Error *error, void *plContext)
+{
+    PKIX_UInt32 length;
+    char *asciiString = NULL;
+    PKIX_PL_String *pkixString = NULL;
+    PKIX_Error *errorResult = NULL;
+
+    errorResult = PKIX_PL_Object_ToString((PKIX_PL_Object *)error, &pkixString, plContext);
+    if (errorResult)
+        goto cleanup;
+
+    errorResult = PKIX_PL_String_GetEncoded(pkixString,
+                                            PKIX_ESCASCII,
+                                            (void **)&asciiString,
+                                            &length,
+                                            plContext);
+
+cleanup:
+
+    if (pkixString) {
+        if (PKIX_PL_Object_DecRef((PKIX_PL_Object *)pkixString, plContext)) {
+            return (NULL);
+        }
+    }
+
+    if (errorResult) {
+        return (NULL);
+    }
+
+    return (asciiString);
+}
+
+/*
+ * FUNCTION: PKIX_Object2ASCII
+ * DESCRIPTION:
+ *
+ *  Converts Object pointed to by "object" to its ASCII representation and
+ *  returns the converted value. Returns NULL upon failure.
+ *
+ * PARAMETERS:
+ *  "object"
+ *      Address of Object to be converted to ASCII. Must be non-NULL.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns the ASCII representation of "object" upon success;
+ *  NULL upon failure.
+ */
+char *
+PKIX_Object2ASCII(PKIX_PL_Object *object)
+{
+    PKIX_UInt32 length;
+    char *asciiString = NULL;
+    PKIX_PL_String *pkixString = NULL;
+    PKIX_Error *errorResult = NULL;
+
+    errorResult = PKIX_PL_Object_ToString(object, &pkixString, NULL);
+    if (errorResult)
+        goto cleanup;
+
+    errorResult = PKIX_PL_String_GetEncoded(pkixString, PKIX_ESCASCII, (void **)&asciiString, &length, NULL);
+
+cleanup:
+
+    if (pkixString) {
+        if (PKIX_PL_Object_DecRef((PKIX_PL_Object *)pkixString, NULL)) {
+            return (NULL);
+        }
+    }
+
+    if (errorResult) {
+        return (NULL);
+    }
+
+    return (asciiString);
+}
+
+/*
+ * FUNCTION: PKIX_Cert2ASCII
+ * DESCRIPTION:
+ *
+ *  Converts Cert pointed to by "cert" to its partial ASCII representation and
+ *  returns the converted value. Returns NULL upon failure.
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert to be converted to ASCII. Must be non-NULL.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns the partial ASCII representation of "cert" upon success;
+ *  NULL upon failure.
+ */
+char *
+PKIX_Cert2ASCII(PKIX_PL_Cert *cert)
+{
+    PKIX_PL_X500Name *issuer = NULL;
+    void *issuerAscii = NULL;
+    PKIX_PL_X500Name *subject = NULL;
+    void *subjectAscii = NULL;
+    void *asciiString = NULL;
+    PKIX_Error *errorResult = NULL;
+    PKIX_UInt32 numChars;
+
+    /* Issuer */
+    errorResult = PKIX_PL_Cert_GetIssuer(cert, &issuer, NULL);
+    if (errorResult)
+        goto cleanup;
+
+    issuerAscii = PKIX_Object2ASCII((PKIX_PL_Object *)issuer);
+
+    /* Subject */
+    errorResult = PKIX_PL_Cert_GetSubject(cert, &subject, NULL);
+    if (errorResult)
+        goto cleanup;
+
+    if (subject) {
+        subjectAscii = PKIX_Object2ASCII((PKIX_PL_Object *)subject);
+    }
+
+    errorResult = PKIX_PL_Malloc(200, &asciiString, NULL);
+    if (errorResult)
+        goto cleanup;
+
+    numChars =
+        PR_snprintf(asciiString,
+                    200,
+                    "Issuer=%s\nSubject=%s\n",
+                    issuerAscii,
+                    subjectAscii);
+
+    if (!numChars)
+        goto cleanup;
+
+cleanup:
+
+    if (issuer) {
+        if (PKIX_PL_Object_DecRef((PKIX_PL_Object *)issuer, NULL)) {
+            return (NULL);
+        }
+    }
+
+    if (subject) {
+        if (PKIX_PL_Object_DecRef((PKIX_PL_Object *)subject, NULL)) {
+            return (NULL);
+        }
+    }
+
+    if (PKIX_PL_Free((PKIX_PL_Object *)issuerAscii, NULL)) {
+        return (NULL);
+    }
+
+    if (PKIX_PL_Free((PKIX_PL_Object *)subjectAscii, NULL)) {
+        return (NULL);
+    }
+
+    if (errorResult) {
+        return (NULL);
+    }
+
+    return (asciiString);
+}
+
+/*
+ * FUNCTION: testHashcodeHelper
+ * DESCRIPTION:
+ *
+ *  Computes the hashcode of the Object pointed to by "goodObject" and the
+ *  Object pointed to by "otherObject" and compares them. If the result of the
+ *  comparison is not the desired match as specified by "match", an error
+ *  message is generated.
+ *
+ * PARAMETERS:
+ *  "goodObject"
+ *      Address of an object. Must be non-NULL.
+ *  "otherObject"
+ *      Address of another object. Must be non-NULL.
+ *  "match"
+ *      Boolean value representing the desired comparison result.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns nothing.
+ */
+void
+testHashcodeHelper(
+    PKIX_PL_Object *goodObject,
+    PKIX_PL_Object *otherObject,
+    PKIX_Boolean match,
+    void *plContext)
+{
+
+    PKIX_UInt32 goodHash;
+    PKIX_UInt32 otherHash;
+    PKIX_Boolean cmpResult;
+    PKIX_TEST_STD_VARS();
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Hashcode((PKIX_PL_Object *)goodObject, &goodHash, plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Hashcode((PKIX_PL_Object *)otherObject, &otherHash, plContext));
+
+    cmpResult = (goodHash == otherHash);
+
+    if ((match && !cmpResult) || (!match && cmpResult)) {
+        testError("unexpected mismatch");
+        (void)printf("Hash1:\t%d\n", goodHash);
+        (void)printf("Hash2:\t%d\n", otherHash);
+    }
+
+cleanup:
+
+    PKIX_TEST_RETURN();
+}
+
+/*
+ * FUNCTION: testToStringHelper
+ * DESCRIPTION:
+ *
+ *  Calls toString on the Object pointed to by "goodObject" and compares the
+ *  result to the string pointed to by "expected". If the results are not
+ *  equal, an error message is generated.
+ *
+ * PARAMETERS:
+ *  "goodObject"
+ *      Address of Object. Must be non-NULL.
+ *  "expected"
+ *      Address of the desired string.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns nothing.
+ */
+void
+testToStringHelper(
+    PKIX_PL_Object *goodObject,
+    char *expected,
+    void *plContext)
+{
+    PKIX_PL_String *stringRep = NULL;
+    char *actual = NULL;
+    PKIX_TEST_STD_VARS();
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString(goodObject, &stringRep, plContext));
+
+    actual = PKIX_String2ASCII(stringRep, plContext);
+    if (actual == NULL) {
+        pkixTestErrorMsg = "PKIX_String2ASCII Failed";
+        goto cleanup;
+    }
+
+    /*
+         * If you are having trouble matching the string, uncomment the
+         * PL_strstr function to figure out what's going on.
+         */
+
+    /*
+            if (PL_strstr(actual, expected) == NULL){
+                testError("PL_strstr failed");
+            }
+        */
+
+    if (PL_strcmp(actual, expected) != 0) {
+        testError("unexpected mismatch");
+        (void)printf("Actual value:\t%s\n", actual);
+        (void)printf("Expected value:\t%s\n", expected);
+    }
+
+cleanup:
+
+    PKIX_PL_Free(actual, plContext);
+
+    PKIX_TEST_DECREF_AC(stringRep);
+
+    PKIX_TEST_RETURN();
+}
+
+/*
+ * FUNCTION: testEqualsHelper
+ * DESCRIPTION:
+ *
+ *  Checks if the Object pointed to by "goodObject" is Equal to the Object
+ *  pointed to by "otherObject". If the result of the check is not the desired
+ *  match as specified by "match", an error message is generated.
+ *
+ * PARAMETERS:
+ *  "goodObject"
+ *      Address of an Object. Must be non-NULL.
+ *  "otherObject"
+ *      Address of another Object. Must be non-NULL.
+ *  "match"
+ *      Boolean value representing the desired comparison result.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns nothing.
+ */
+void
+testEqualsHelper(
+    PKIX_PL_Object *goodObject,
+    PKIX_PL_Object *otherObject,
+    PKIX_Boolean match,
+    void *plContext)
+{
+
+    PKIX_Boolean cmpResult;
+    PKIX_TEST_STD_VARS();
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals(goodObject, otherObject, &cmpResult, plContext));
+
+    if ((match && !cmpResult) || (!match && cmpResult)) {
+        testError("unexpected mismatch");
+        (void)printf("Actual value:\t%d\n", cmpResult);
+        (void)printf("Expected value:\t%d\n", match);
+    }
+
+cleanup:
+
+    PKIX_TEST_RETURN();
+}
+
+/*
+ * FUNCTION: testDuplicateHelper
+ * DESCRIPTION:
+ *  Checks if the Object pointed to by "object" is equal to its duplicate.
+ *  If the result of the check is not equality, an error message is generated.
+ * PARAMETERS:
+ *  "object"
+ *      Address of Object. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns nothing.
+ */
+void
+testDuplicateHelper(PKIX_PL_Object *object, void *plContext)
+{
+    PKIX_PL_Object *newObject = NULL;
+    PKIX_Boolean cmpResult;
+
+    PKIX_TEST_STD_VARS();
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate(object, &newObject, plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals(object, newObject, &cmpResult, plContext));
+
+    if (!cmpResult) {
+        testError("unexpected mismatch");
+        (void)printf("Actual value:\t%d\n", cmpResult);
+        (void)printf("Expected value:\t%d\n", PKIX_TRUE);
+    }
+
+cleanup:
+
+    PKIX_TEST_DECREF_AC(newObject);
+
+    PKIX_TEST_RETURN();
+}
diff --git a/security/nss/cmd/libpkix/testutil/testutil.h b/security/nss/cmd/libpkix/testutil/testutil.h
new file mode 100644
index 0000000000..9c594fa038
--- /dev/null
+++ b/security/nss/cmd/libpkix/testutil/testutil.h
@@ -0,0 +1,292 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * testutil.h
+ *
+ * Utility functions for handling test errors
+ *
+ */
+
+#ifndef _TESTUTIL_H
+#define _TESTUTIL_H
+
+#include "pkix.h"
+#include "plstr.h"
+#include "prprf.h"
+#include "prlong.h"
+#include "pkix_pl_common.h"
+#include "secutil.h"
+#include <stdio.h>
+#include <ctype.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * In order to have a consistent format for displaying test information,
+ * all tests are REQUIRED to use the functions provided by this library
+ * (libtestutil.a) for displaying their information.
+ *
+ * A test using this library begins with a call to startTests with the test
+ * name as the arg (which is used only for formatting). Before the first
+ * subtest, a call to subTest should be made with the subtest name as the arg
+ * (again, for formatting). If the subTest is successful, then no action
+ * is needed. However, if the subTest is not successful, then a call
+ * to testError should be made with a descriptive error message as the arg.
+ * Note that a subTest MUST NOT call testError more than once.
+ * Finally, a call to endTests is made with the test name as the arg (for
+ * formatting). Note that most of these macros assume that a variable named
+ * "plContext" of type (void *) has been defined by the test. As such, it
+ * is essential that the test satisfy this condition.
+ */
+
+/*
+ * PKIX_TEST_STD_VARS should be called at the beginning of every function
+ * that uses PKIX_TEST_RETURN (e.g. subTests), but it should be called only
+ * AFTER declaring local variables (so we don't get compiler warnings about
+ * declarations after statements). PKIX_TEST_STD_VARS declares and initializes
+ * several variables needed by the other test macros.
+ */
+#define PKIX_TEST_STD_VARS()                \
+    PKIX_Error *pkixTestErrorResult = NULL; \
+    char *pkixTestErrorMsg = NULL;
+
+/*
+ * PKIX_TEST_EXPECT_NO_ERROR should be used to wrap a standard PKIX function
+ * call (one which returns a pointer to PKIX_Error) that is expected to return
+ * NULL (i.e. to succeed). If "pkixTestErrorResult" is not NULL,
+ * "goto cleanup" is executed, where a testError call is made if there were
+ * unexpected results. This macro MUST NOT be called after the "cleanup" label.
+ *
+ * Example Usage: PKIX_TEST_EXPECT_NO_ERROR(pkixFunc_expected_to_succeed(...));
+ */
+
+#define PKIX_TEST_EXPECT_NO_ERROR(func) \
+    do {                                \
+        pkixTestErrorResult = (func);   \
+        if (pkixTestErrorResult) {      \
+            goto cleanup;               \
+        }                               \
+    } while (0)
+
+/*
+ * PKIX_TEST_EXPECT_ERROR should be used to wrap a standard PKIX function call
+ * (one which returns a pointer to PKIX_Error) that is expected to return
+ * a non-NULL value (i.e. to fail). If "pkixTestErrorResult" is NULL,
+ * "pkixTestErrorMsg" is set to a standard string and "goto cleanup"
+ * is executed, where a testError call is made if there were unexpected
+ * results. This macro MUST NOT be called after the "cleanup" label.
+ *
+ * Example Usage:  PKIX_TEST_EXPECT_ERROR(pkixFunc_expected_to_fail(...));
+ */
+
+#define PKIX_TEST_EXPECT_ERROR(func)                 \
+    do {                                             \
+        pkixTestErrorResult = (func);                \
+        if (!pkixTestErrorResult) {                  \
+            pkixTestErrorMsg =                       \
+                "Should have thrown an error here."; \
+            goto cleanup;                            \
+        }                                            \
+        PKIX_TEST_DECREF_BC(pkixTestErrorResult);    \
+    } while (0)
+
+/*
+ * PKIX_TEST_DECREF_BC is a convenience macro which should only be called
+ * BEFORE the "cleanup" label ("BC"). If the input parameter is non-NULL, it
+ * DecRefs the input parameter and wraps the function with
+ * PKIX_TEST_EXPECT_NO_ERROR, which executes "goto cleanup" upon error.
+ * This macro MUST NOT be called after the "cleanup" label.
+ */
+
+#define PKIX_TEST_DECREF_BC(obj)                                                                  \
+    do {                                                                                          \
+        if (obj) {                                                                                \
+            PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_DecRef((PKIX_PL_Object *)(obj), plContext)); \
+            obj = NULL;                                                                           \
+        }                                                                                         \
+    } while (0)
+
+/*
+ * PKIX_TEST_DECREF_AC is a convenience macro which should only be called
+ * AFTER the "cleanup" label ("AC"). If the input parameter is non-NULL, it
+ * DecRefs the input parameter. A pkixTestTempResult variable is used to prevent
+ * incorrectly overwriting pkixTestErrorResult with NULL.
+ * In the case DecRef succeeds, pkixTestTempResult will be NULL, and we won't
+ * overwrite a previously set pkixTestErrorResult (if any). If DecRef fails,
+ * then we do want to overwrite a previously set pkixTestErrorResult since a
+ * DecRef failure is fatal and may be indicative of memory corruption.
+ */
+
+#define PKIX_TEST_DECREF_AC(obj)                                           \
+    do {                                                                   \
+        if (obj) {                                                         \
+            PKIX_Error *pkixTestTempResult = NULL;                         \
+            pkixTestTempResult =                                           \
+                PKIX_PL_Object_DecRef((PKIX_PL_Object *)(obj), plContext); \
+            if (pkixTestTempResult)                                        \
+                pkixTestErrorResult = pkixTestTempResult;                  \
+            obj = NULL;                                                    \
+        }                                                                  \
+    } while (0)
+
+/*
+ * PKIX_TEST_RETURN must always be AFTER the "cleanup" label. It does nothing
+ * if everything went as expected. However, if there were unexpected results,
+ * PKIX_TEST_RETURN calls testError, which displays a standard failure message
+ * and increments the number of subtests that have failed. In the case
+ * of an unexpected error, testError is called using the error's description
+ * as an input and the error is DecRef'd. In the case of unexpected success
+ * testError is called with a standard string.
+ */
+#define PKIX_TEST_RETURN()                                                   \
+    {                                                                        \
+        if (pkixTestErrorMsg) {                                              \
+            testError(pkixTestErrorMsg);                                     \
+        } else if (pkixTestErrorResult) {                                    \
+            pkixTestErrorMsg =                                               \
+                PKIX_Error2ASCII(pkixTestErrorResult, plContext);            \
+            if (pkixTestErrorMsg) {                                          \
+                testError(pkixTestErrorMsg);                                 \
+                PKIX_PL_Free((PKIX_PL_Object *)pkixTestErrorMsg,             \
+                             plContext);                                     \
+            } else {                                                         \
+                testError("PKIX_Error2ASCII Failed");                        \
+            }                                                                \
+            if (pkixTestErrorResult != PKIX_ALLOC_ERROR()) {                 \
+                PKIX_PL_Object_DecRef((PKIX_PL_Object *)pkixTestErrorResult, \
+                                      plContext);                            \
+                pkixTestErrorResult = NULL;                                  \
+            }                                                                \
+        }                                                                    \
+    }
+
+/*
+ * PKIX_TEST_EQ_HASH_TOSTR_DUP is a convenience macro which executes the
+ * standard set of operations that test the Equals, Hashcode, ToString, and
+ * Duplicate functions of an object type. The goodObj, equalObj, and diffObj
+ * are as the names suggest. The expAscii parameter is the expected result of
+ * calling ToString on the goodObj. If expAscii is NULL, then ToString will
+ * not be called on the goodObj. The checkDuplicate parameter is treated as
+ * a Boolean to indicate whether the Duplicate function should be tested. If
+ * checkDuplicate is NULL, then Duplicate will not be called on the goodObj.
+ * The type is the name of the function's family. For example, if the type is
+ * Cert, this macro will call PKIX_PL_Cert_Equals, PKIX_PL_Cert_Hashcode, and
+ * PKIX_PL_Cert_ToString.
+ *
+ * Note: If goodObj uses the default Equals and Hashcode functions, then
+ * for goodObj and equalObj to be equal, they must have the same pointer value.
+ */
+#define PKIX_TEST_EQ_HASH_TOSTR_DUP(goodObj, equalObj, diffObj,        \
+                                    expAscii, type, checkDuplicate)    \
+    do {                                                               \
+        subTest("PKIX_PL_" #type "_Equals   <match>");                 \
+        testEqualsHelper((PKIX_PL_Object *)(goodObj),                  \
+                         (PKIX_PL_Object *)(equalObj),                 \
+                         PKIX_TRUE,                                    \
+                         plContext);                                   \
+        subTest("PKIX_PL_" #type "_Hashcode <match>");                 \
+        testHashcodeHelper((PKIX_PL_Object *)(goodObj),                \
+                           (PKIX_PL_Object *)(equalObj),               \
+                           PKIX_TRUE,                                  \
+                           plContext);                                 \
+        subTest("PKIX_PL_" #type "_Equals   <non-match>");             \
+        testEqualsHelper((PKIX_PL_Object *)(goodObj),                  \
+                         (PKIX_PL_Object *)(diffObj),                  \
+                         PKIX_FALSE,                                   \
+                         plContext);                                   \
+        subTest("PKIX_PL_" #type "_Hashcode <non-match>");             \
+        testHashcodeHelper((PKIX_PL_Object *)(goodObj),                \
+                           (PKIX_PL_Object *)(diffObj),                \
+                           PKIX_FALSE,                                 \
+                           plContext);                                 \
+        if (expAscii) {                                                \
+            subTest("PKIX_PL_" #type "_ToString");                     \
+            testToStringHelper((PKIX_PL_Object *)(goodObj),            \
+                               (expAscii),                             \
+                               plContext);                             \
+        }                                                              \
+        if (checkDuplicate) {                                          \
+            subTest("PKIX_PL_" #type "_Duplicate");                    \
+            testDuplicateHelper((PKIX_PL_Object *)goodObj, plContext); \
+        }                                                              \
+    } while (0)
+
+/*
+ * PKIX_TEST_DECREF_BC is a convenience macro which should only be called
+ * BEFORE the "cleanup" label ("BC"). If the input parameter is non-NULL, it
+ * DecRefs the input parameter and wraps the function with
+ * PKIX_TEST_EXPECT_NO_ERROR, which executes "goto cleanup" upon error.
+ * This macro MUST NOT be called after the "cleanup" label.
+ */
+
+#define PKIX_TEST_ABORT_ON_NULL(obj) \
+    do {                             \
+        if (!obj) {                  \
+            goto cleanup;            \
+        }                            \
+    } while (0)
+
+#define PKIX_TEST_ARENAS_ARG(arena) \
+    (arena ? (PORT_Strcmp(arena, "arenas") ? PKIX_FALSE : (j++, PKIX_TRUE)) : PKIX_FALSE)
+
+#define PKIX_TEST_ERROR_RECEIVED (pkixTestErrorMsg || pkixTestErrorResult)
+
+/* see source file for function documentation */
+
+void startTests(char *testName);
+
+void endTests(char *testName);
+
+void subTest(char *subTestName);
+
+void testError(char *msg);
+
+extern PKIX_Error *
+_ErrorCheck(PKIX_Error *errorResult);
+
+extern PKIX_Error *
+_OutputError(PKIX_Error *errorResult);
+
+char *PKIX_String2ASCII(PKIX_PL_String *string, void *plContext);
+
+char *PKIX_Error2ASCII(PKIX_Error *error, void *plContext);
+
+char *PKIX_Object2ASCII(PKIX_PL_Object *object);
+
+char *PKIX_Cert2ASCII(PKIX_PL_Cert *cert);
+
+void
+testHashcodeHelper(
+    PKIX_PL_Object *goodObject,
+    PKIX_PL_Object *otherObject,
+    PKIX_Boolean match,
+    void *plContext);
+
+void
+testToStringHelper(
+    PKIX_PL_Object *goodObject,
+    char *expected,
+    void *plContext);
+
+void
+testEqualsHelper(
+    PKIX_PL_Object *goodObject,
+    PKIX_PL_Object *otherObject,
+    PKIX_Boolean match,
+    void *plContext);
+
+void
+testDuplicateHelper(
+    PKIX_PL_Object *object,
+    void *plContext);
+void
+testErrorUndo(char *msg);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* TESTUTIL_H */
diff --git a/security/nss/cmd/libpkix/testutil/testutil_nss.c b/security/nss/cmd/libpkix/testutil/testutil_nss.c
new file mode 100644
index 0000000000..3417d0ab7c
--- /dev/null
+++ b/security/nss/cmd/libpkix/testutil/testutil_nss.c
@@ -0,0 +1,579 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * testutil_nss.c
+ *
+ * NSS-specific utility functions for handling test errors
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stddef.h>
+
+#include "pkix_pl_generalname.h"
+#include "pkix_pl_cert.h"
+#include "pkix.h"
+#include "testutil.h"
+#include "prlong.h"
+#include "plstr.h"
+#include "prthread.h"
+#include "secutil.h"
+#include "nspr.h"
+#include "prtypes.h"
+#include "prtime.h"
+#include "pk11func.h"
+#include "secasn1.h"
+#include "cert.h"
+#include "cryptohi.h"
+#include "secoid.h"
+#include "certdb.h"
+#include "secitem.h"
+#include "keythi.h"
+#include "nss.h"
+
+static char *
+catDirName(char *dir, char *name, void *plContext)
+{
+    char *pathName = NULL;
+    PKIX_UInt32 nameLen;
+    PKIX_UInt32 dirLen;
+
+    PKIX_TEST_STD_VARS();
+
+    nameLen = PL_strlen(name);
+    dirLen = PL_strlen(dir);
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Malloc(dirLen + nameLen + 2,
+                                             (void **)&pathName,
+                                             plContext));
+
+    PL_strcpy(pathName, dir);
+    PL_strcat(pathName, "/");
+    PL_strcat(pathName, name);
+    printf("pathName = %s\n", pathName);
+
+cleanup:
+
+    PKIX_TEST_RETURN();
+
+    return (pathName);
+}
+
+PKIX_PL_Cert *
+createCert(
+    char *dirName,
+    char *certFileName,
+    void *plContext)
+{
+    PKIX_PL_ByteArray *byteArray = NULL;
+    void *buf = NULL;
+    PRFileDesc *certFile = NULL;
+    PKIX_UInt32 len;
+    SECItem certDER;
+    SECStatus rv;
+    /* default: NULL cert (failure case) */
+    PKIX_PL_Cert *cert = NULL;
+    char *pathName = NULL;
+
+    PKIX_TEST_STD_VARS();
+
+    certDER.data = NULL;
+
+    pathName = catDirName(dirName, certFileName, plContext);
+    certFile = PR_Open(pathName, PR_RDONLY, 0);
+
+    if (!certFile) {
+        pkixTestErrorMsg = "Unable to open cert file";
+        goto cleanup;
+    } else {
+        rv = SECU_ReadDERFromFile(&certDER, certFile, PR_FALSE, PR_FALSE);
+        if (!rv) {
+            buf = (void *)certDER.data;
+            len = certDER.len;
+
+            PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_Create(buf, len, &byteArray, plContext));
+
+            PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_Create(byteArray, &cert, plContext));
+
+            SECITEM_FreeItem(&certDER, PR_FALSE);
+        } else {
+            pkixTestErrorMsg = "Unable to read DER from cert file";
+            goto cleanup;
+        }
+    }
+
+cleanup:
+
+    pkixTestErrorResult = PKIX_PL_Free(pathName, plContext);
+
+    if (certFile) {
+        PR_Close(certFile);
+    }
+
+    if (PKIX_TEST_ERROR_RECEIVED) {
+        SECITEM_FreeItem(&certDER, PR_FALSE);
+    }
+
+    PKIX_TEST_DECREF_AC(byteArray);
+
+    PKIX_TEST_RETURN();
+
+    return (cert);
+}
+
+PKIX_PL_CRL *
+createCRL(
+    char *dirName,
+    char *crlFileName,
+    void *plContext)
+{
+    PKIX_PL_ByteArray *byteArray = NULL;
+    PKIX_PL_CRL *crl = NULL;
+    PKIX_Error *error = NULL;
+    PRFileDesc *inFile = NULL;
+    SECItem crlDER;
+    void *buf = NULL;
+    PKIX_UInt32 len;
+    SECStatus rv;
+    char *pathName = NULL;
+
+    PKIX_TEST_STD_VARS();
+
+    crlDER.data = NULL;
+
+    pathName = catDirName(dirName, crlFileName, plContext);
+    inFile = PR_Open(pathName, PR_RDONLY, 0);
+
+    if (!inFile) {
+        pkixTestErrorMsg = "Unable to open crl file";
+        goto cleanup;
+    } else {
+        rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE);
+        if (!rv) {
+            buf = (void *)crlDER.data;
+            len = crlDER.len;
+
+            error = PKIX_PL_ByteArray_Create(buf, len, &byteArray, plContext);
+
+            if (error) {
+                pkixTestErrorMsg =
+                    "PKIX_PL_ByteArray_Create failed";
+                goto cleanup;
+            }
+
+            error = PKIX_PL_CRL_Create(byteArray, &crl, plContext);
+            if (error) {
+                pkixTestErrorMsg = "PKIX_PL_Crl_Create failed";
+                goto cleanup;
+            }
+
+            SECITEM_FreeItem(&crlDER, PR_FALSE);
+        } else {
+            pkixTestErrorMsg = "Unable to read DER from crl file";
+            goto cleanup;
+        }
+    }
+
+cleanup:
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(pathName, plContext));
+
+    if (inFile) {
+        PR_Close(inFile);
+    }
+
+    if (error) {
+        SECITEM_FreeItem(&crlDER, PR_FALSE);
+    }
+
+    PKIX_TEST_DECREF_AC(byteArray);
+
+    PKIX_TEST_RETURN();
+
+    return (crl);
+}
+
+PKIX_TrustAnchor *
+createTrustAnchor(
+    char *dirName,
+    char *certFileName,
+    PKIX_Boolean useCert,
+    void *plContext)
+{
+    PKIX_TrustAnchor *anchor = NULL;
+    PKIX_PL_Cert *cert = NULL;
+    PKIX_PL_X500Name *name = NULL;
+    PKIX_PL_PublicKey *pubKey = NULL;
+    PKIX_PL_CertNameConstraints *nameConstraints = NULL;
+
+    PKIX_TEST_STD_VARS();
+
+    cert = createCert(dirName, certFileName, plContext);
+
+    if (useCert) {
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(cert, &anchor, plContext));
+    } else {
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(cert, &name, plContext));
+
+        if (name == NULL) {
+            goto cleanup;
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(cert, &pubKey, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints(cert, &nameConstraints, NULL));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithNameKeyPair(name, pubKey, nameConstraints, &anchor, plContext));
+    }
+
+cleanup:
+
+    if (PKIX_TEST_ERROR_RECEIVED) {
+        PKIX_TEST_DECREF_AC(anchor);
+    }
+
+    PKIX_TEST_DECREF_AC(cert);
+    PKIX_TEST_DECREF_AC(name);
+    PKIX_TEST_DECREF_AC(pubKey);
+    PKIX_TEST_DECREF_AC(nameConstraints);
+
+    PKIX_TEST_RETURN();
+
+    return (anchor);
+}
+
+PKIX_List *
+createCertChain(
+    char *dirName,
+    char *firstCertFileName,
+    char *secondCertFileName,
+    void *plContext)
+{
+    PKIX_PL_Cert *firstCert = NULL;
+    PKIX_PL_Cert *secondCert = NULL;
+    PKIX_List *certList = NULL;
+
+    PKIX_TEST_STD_VARS();
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certList, plContext));
+
+    firstCert = createCert(dirName, firstCertFileName, plContext);
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certList, (PKIX_PL_Object *)firstCert, plContext));
+
+    if (secondCertFileName) {
+        secondCert = createCert(dirName, secondCertFileName, plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certList, (PKIX_PL_Object *)secondCert, plContext));
+    }
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable(certList, plContext));
+
+cleanup:
+
+    if (PKIX_TEST_ERROR_RECEIVED) {
+        PKIX_TEST_DECREF_AC(certList);
+    }
+
+    PKIX_TEST_DECREF_AC(firstCert);
+    PKIX_TEST_DECREF_AC(secondCert);
+
+    PKIX_TEST_RETURN();
+
+    return (certList);
+}
+
+PKIX_List *
+createCertChainPlus(
+    char *dirName,
+    char *certNames[],
+    PKIX_PL_Cert *certs[],
+    PKIX_UInt32 numCerts,
+    void *plContext)
+{
+    PKIX_List *certList = NULL;
+    PKIX_UInt32 i;
+
+    PKIX_TEST_STD_VARS();
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certList, plContext));
+
+    for (i = 0; i < numCerts; i++) {
+
+        certs[i] = createCert(dirName, certNames[i], plContext);
+
+        /* Create Cert may fail */
+        if (certs[i] == NULL) {
+            PKIX_TEST_DECREF_BC(certList);
+            goto cleanup;
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certList,
+                                                       (PKIX_PL_Object *)certs[i],
+                                                       plContext));
+    }
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable(certList, plContext));
+
+cleanup:
+
+    if (PKIX_TEST_ERROR_RECEIVED) {
+        PKIX_TEST_DECREF_AC(certList);
+    }
+
+    for (i = 0; i < numCerts; i++) {
+        PKIX_TEST_DECREF_AC(certs[i]);
+    }
+
+    PKIX_TEST_RETURN();
+
+    return (certList);
+}
+
+PKIX_PL_Date *
+createDate(
+    char *asciiDate,
+    void *plContext)
+{
+    PKIX_PL_Date *date = NULL;
+    PKIX_PL_String *plString = NULL;
+
+    PKIX_TEST_STD_VARS();
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, asciiDate, 0, &plString, plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Date_Create_UTCTime(plString, &date, plContext));
+
+cleanup:
+
+    PKIX_TEST_DECREF_AC(plString);
+
+    PKIX_TEST_RETURN();
+
+    return (date);
+}
+
+PKIX_ProcessingParams *
+createProcessingParams(
+    char *dirName,
+    char *firstAnchorFileName,
+    char *secondAnchorFileName,
+    char *dateAscii,
+    PKIX_List *initialPolicies, /* List of PKIX_PL_OID */
+    PKIX_Boolean isCrlEnabled,
+    void *plContext)
+{
+
+    PKIX_TrustAnchor *firstAnchor = NULL;
+    PKIX_TrustAnchor *secondAnchor = NULL;
+    PKIX_List *anchorsList = NULL;
+    PKIX_ProcessingParams *procParams = NULL;
+    PKIX_PL_String *dateString = NULL;
+    PKIX_PL_Date *testDate = NULL;
+
+    PKIX_TEST_STD_VARS();
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchorsList, plContext));
+
+    firstAnchor = createTrustAnchor(dirName, firstAnchorFileName, PKIX_FALSE, plContext);
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchorsList,
+                                                   (PKIX_PL_Object *)firstAnchor,
+                                                   plContext));
+
+    if (secondAnchorFileName) {
+        secondAnchor =
+            createTrustAnchor(dirName, secondAnchorFileName, PKIX_FALSE, plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchorsList,
+                                                       (PKIX_PL_Object *)secondAnchor,
+                                                       plContext));
+    }
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchorsList, &procParams, plContext));
+
+    if (dateAscii) {
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII,
+                                                        dateAscii,
+                                                        0,
+                                                        &dateString,
+                                                        plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Date_Create_UTCTime(dateString, &testDate, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetDate(procParams, testDate, plContext));
+    }
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetInitialPolicies(procParams, initialPolicies, plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled(procParams, isCrlEnabled, plContext));
+
+cleanup:
+
+    if (PKIX_TEST_ERROR_RECEIVED) {
+        PKIX_TEST_DECREF_AC(procParams);
+    }
+
+    PKIX_TEST_DECREF_AC(dateString);
+    PKIX_TEST_DECREF_AC(testDate);
+    PKIX_TEST_DECREF_AC(anchorsList);
+    PKIX_TEST_DECREF_AC(firstAnchor);
+    PKIX_TEST_DECREF_AC(secondAnchor);
+
+    PKIX_TEST_RETURN();
+
+    return (procParams);
+}
+
+PKIX_ValidateParams *
+createValidateParams(
+    char *dirName,
+    char *firstAnchorFileName,
+    char *secondAnchorFileName,
+    char *dateAscii,
+    PKIX_List *initialPolicies, /* List of PKIX_PL_OID */
+    PKIX_Boolean initialPolicyMappingInhibit,
+    PKIX_Boolean initialAnyPolicyInhibit,
+    PKIX_Boolean initialExplicitPolicy,
+    PKIX_Boolean isCrlEnabled,
+    PKIX_List *chain,
+    void *plContext)
+{
+
+    PKIX_ProcessingParams *procParams = NULL;
+    PKIX_ValidateParams *valParams = NULL;
+
+    PKIX_TEST_STD_VARS();
+
+    procParams =
+        createProcessingParams(dirName,
+                               firstAnchorFileName,
+                               secondAnchorFileName,
+                               dateAscii,
+                               NULL,
+                               isCrlEnabled,
+                               plContext);
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetInitialPolicies(procParams, initialPolicies, plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetPolicyMappingInhibited(procParams, initialPolicyMappingInhibit, NULL));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetAnyPolicyInhibited(procParams, initialAnyPolicyInhibit, NULL));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetExplicitPolicyRequired(procParams, initialExplicitPolicy, NULL));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_Create(procParams, chain, &valParams, plContext));
+
+cleanup:
+
+    if (PKIX_TEST_ERROR_RECEIVED) {
+        PKIX_TEST_DECREF_AC(valParams);
+    }
+
+    PKIX_TEST_DECREF_AC(procParams);
+
+    PKIX_TEST_RETURN();
+
+    return (valParams);
+}
+
+PKIX_ValidateResult *
+createValidateResult(
+    char *dirName,
+    char *anchorFileName,
+    char *pubKeyCertFileName,
+    void *plContext)
+{
+
+    PKIX_TrustAnchor *anchor = NULL;
+    PKIX_ValidateResult *valResult = NULL;
+    PKIX_PL_Cert *cert = NULL;
+    PKIX_PL_PublicKey *pubKey = NULL;
+
+    PKIX_TEST_STD_VARS();
+
+    anchor = createTrustAnchor(dirName, anchorFileName, PKIX_FALSE, plContext);
+    cert = createCert(dirName, pubKeyCertFileName, plContext);
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(cert, &pubKey, plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(pkix_ValidateResult_Create(pubKey, anchor, NULL, &valResult, plContext));
+
+cleanup:
+
+    if (PKIX_TEST_ERROR_RECEIVED) {
+        PKIX_TEST_DECREF_AC(valResult);
+    }
+
+    PKIX_TEST_DECREF_AC(anchor);
+    PKIX_TEST_DECREF_AC(cert);
+    PKIX_TEST_DECREF_AC(pubKey);
+
+    PKIX_TEST_RETURN();
+
+    return (valResult);
+}
+
+PKIX_PL_GeneralName *
+createGeneralName(
+    PKIX_UInt32 nameType,
+    char *asciiName,
+    void *plContext)
+{
+
+    PKIX_PL_GeneralName *generalName = NULL;
+    PKIX_PL_String *plString = NULL;
+
+    PKIX_TEST_STD_VARS();
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, asciiName, 0, &plString, plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_GeneralName_Create(nameType, plString, &generalName, plContext));
+
+cleanup:
+
+    PKIX_TEST_DECREF_AC(plString);
+
+    PKIX_TEST_RETURN();
+
+    return (generalName);
+}
+
+PKIX_BuildResult *
+createBuildResult(
+    char *dirName,
+    char *anchorFileName,
+    char *pubKeyCertFileName,
+    char *firstChainCertFileName,
+    char *secondChainCertFileName,
+    void *plContext)
+{
+    PKIX_BuildResult *buildResult = NULL;
+    PKIX_ValidateResult *valResult = NULL;
+    PKIX_List *certChain = NULL;
+
+    PKIX_TEST_STD_VARS();
+
+    valResult = createValidateResult(dirName, anchorFileName, pubKeyCertFileName, plContext);
+    certChain = createCertChain(dirName,
+                                firstChainCertFileName,
+                                secondChainCertFileName,
+                                plContext);
+
+    PKIX_TEST_EXPECT_NO_ERROR(pkix_BuildResult_Create(valResult, certChain, &buildResult, plContext));
+
+cleanup:
+
+    if (PKIX_TEST_ERROR_RECEIVED) {
+        PKIX_TEST_DECREF_AC(buildResult);
+    }
+
+    PKIX_TEST_DECREF_AC(valResult);
+    PKIX_TEST_DECREF_AC(certChain);
+
+    PKIX_TEST_RETURN();
+
+    return (buildResult);
+}
diff --git a/security/nss/cmd/libpkix/testutil/testutil_nss.h b/security/nss/cmd/libpkix/testutil/testutil_nss.h
new file mode 100644
index 0000000000..e1f24af89d
--- /dev/null
+++ b/security/nss/cmd/libpkix/testutil/testutil_nss.h
@@ -0,0 +1,119 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * testutil_nss.h
+ *
+ * NSS-specific utility functions for handling test errors
+ *
+ */
+
+#ifndef _TESTUTIL_NSS_H
+#define _TESTUTIL_NSS_H
+
+#include "pkix_tools.h"
+#include "plstr.h"
+#include "prprf.h"
+#include "prlong.h"
+#include "secutil.h"
+#include <stdio.h>
+#include <ctype.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "pkix_pl_generalname.h"
+
+/* see source file for function documentation */
+
+PKIX_PL_Cert *
+createCert(
+    char *dirName,
+    char *certFile,
+    void *plContext);
+
+PKIX_PL_CRL *
+createCRL(
+    char *dirName,
+    char *crlFileName,
+    void *plContext);
+
+PKIX_TrustAnchor *
+createTrustAnchor(
+    char *dirName,
+    char *taFileName,
+    PKIX_Boolean useCert,
+    void *plContext);
+
+PKIX_List *
+createCertChain(
+    char *dirName,
+    char *firstCertFileName,
+    char *secondCertFileName,
+    void *plContext);
+
+PKIX_List *
+createCertChainPlus(
+    char *dirName,
+    char *certNames[],
+    PKIX_PL_Cert *certs[],
+    PKIX_UInt32 numCerts,
+    void *plContext);
+
+PKIX_PL_Date *
+createDate(
+    char *asciiDate,
+    void *plContext);
+
+PKIX_ProcessingParams *
+createProcessingParams(
+    char *dirName,
+    char *firstAnchorFileName,
+    char *secondAnchorFileName,
+    char *dateAscii,
+    PKIX_List *initialPolicies, /* List of PKIX_PL_OID */
+    PKIX_Boolean isCrlEnabled,
+    void *plContext);
+
+PKIX_ValidateParams *
+createValidateParams(
+    char *dirName,
+    char *firstAnchorFileName,
+    char *secondAnchorFileName,
+    char *dateAscii,
+    PKIX_List *initialPolicies, /* List of PKIX_PL_OID */
+    PKIX_Boolean initialPolicyMappingInhibit,
+    PKIX_Boolean initialAnyPolicyInhibit,
+    PKIX_Boolean initialExplicitPolicy,
+    PKIX_Boolean isCrlEnabled,
+    PKIX_List *chain,
+    void *plContext);
+
+PKIX_ValidateResult *
+createValidateResult(
+    char *dirName,
+    char *anchorFileName,
+    char *pubKeyCertFileName,
+    void *plContext);
+
+PKIX_BuildResult *
+createBuildResult(
+    char *dirName,
+    char *anchorFileName,
+    char *pubKeyCertFileName,
+    char *firstChainCertFileName,
+    char *secondChainCertFileName,
+    void *plContext);
+
+PKIX_PL_GeneralName *
+createGeneralName(
+    PKIX_UInt32 nameType,
+    char *asciiName,
+    void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* TESTUTIL_NSS_H */