From 36d22d82aa202bb199967e9512281e9a53db42c9 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sun, 7 Apr 2024 21:33:14 +0200
Subject: Adding upstream version 115.7.0esr.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 security/manager/pki/components.conf               |  21 +
 security/manager/pki/moz.build                     |  34 +
 security/manager/pki/nsIASN1Tree.idl               |  24 +
 security/manager/pki/nsNSSDialogHelper.cpp         |  45 ++
 security/manager/pki/nsNSSDialogHelper.h           |  39 ++
 security/manager/pki/nsNSSDialogs.cpp              | 314 +++++++++
 security/manager/pki/nsNSSDialogs.h                |  40 ++
 .../manager/pki/resources/content/certManager.css  |  34 +
 .../manager/pki/resources/content/certManager.js   | 769 +++++++++++++++++++++
 .../pki/resources/content/certManager.xhtml        | 330 +++++++++
 .../pki/resources/content/changepassword.js        | 212 ++++++
 .../pki/resources/content/changepassword.xhtml     |  77 +++
 .../manager/pki/resources/content/clientauthask.js | 178 +++++
 .../pki/resources/content/clientauthask.xhtml      |  55 ++
 .../manager/pki/resources/content/deletecert.css   |  19 +
 .../manager/pki/resources/content/deletecert.js    | 121 ++++
 .../manager/pki/resources/content/deletecert.xhtml |  33 +
 .../pki/resources/content/device_manager.js        | 433 ++++++++++++
 .../pki/resources/content/device_manager.xhtml     | 113 +++
 .../manager/pki/resources/content/downloadcert.js  |  83 +++
 .../pki/resources/content/downloadcert.xhtml       |  66 ++
 .../manager/pki/resources/content/editcacert.js    |  52 ++
 .../manager/pki/resources/content/editcacert.xhtml |  35 +
 .../pki/resources/content/exceptionDialog.css      |  35 +
 .../pki/resources/content/exceptionDialog.js       | 334 +++++++++
 .../pki/resources/content/exceptionDialog.xhtml    |  88 +++
 .../manager/pki/resources/content/load_device.js   |  75 ++
 .../pki/resources/content/load_device.xhtml        |  55 ++
 security/manager/pki/resources/content/pippki.js   | 300 ++++++++
 .../manager/pki/resources/content/resetpassword.js |  28 +
 .../pki/resources/content/resetpassword.xhtml      |  49 ++
 .../pki/resources/content/setp12password.js        | 127 ++++
 .../pki/resources/content/setp12password.xhtml     |  56 ++
 security/manager/pki/resources/jar.mn              |  32 +
 security/manager/pki/resources/moz.build           |   7 +
 35 files changed, 4313 insertions(+)
 create mode 100644 security/manager/pki/components.conf
 create mode 100644 security/manager/pki/moz.build
 create mode 100644 security/manager/pki/nsIASN1Tree.idl
 create mode 100644 security/manager/pki/nsNSSDialogHelper.cpp
 create mode 100644 security/manager/pki/nsNSSDialogHelper.h
 create mode 100644 security/manager/pki/nsNSSDialogs.cpp
 create mode 100644 security/manager/pki/nsNSSDialogs.h
 create mode 100644 security/manager/pki/resources/content/certManager.css
 create mode 100644 security/manager/pki/resources/content/certManager.js
 create mode 100644 security/manager/pki/resources/content/certManager.xhtml
 create mode 100644 security/manager/pki/resources/content/changepassword.js
 create mode 100644 security/manager/pki/resources/content/changepassword.xhtml
 create mode 100644 security/manager/pki/resources/content/clientauthask.js
 create mode 100644 security/manager/pki/resources/content/clientauthask.xhtml
 create mode 100644 security/manager/pki/resources/content/deletecert.css
 create mode 100644 security/manager/pki/resources/content/deletecert.js
 create mode 100644 security/manager/pki/resources/content/deletecert.xhtml
 create mode 100644 security/manager/pki/resources/content/device_manager.js
 create mode 100644 security/manager/pki/resources/content/device_manager.xhtml
 create mode 100644 security/manager/pki/resources/content/downloadcert.js
 create mode 100644 security/manager/pki/resources/content/downloadcert.xhtml
 create mode 100644 security/manager/pki/resources/content/editcacert.js
 create mode 100644 security/manager/pki/resources/content/editcacert.xhtml
 create mode 100644 security/manager/pki/resources/content/exceptionDialog.css
 create mode 100644 security/manager/pki/resources/content/exceptionDialog.js
 create mode 100644 security/manager/pki/resources/content/exceptionDialog.xhtml
 create mode 100644 security/manager/pki/resources/content/load_device.js
 create mode 100644 security/manager/pki/resources/content/load_device.xhtml
 create mode 100644 security/manager/pki/resources/content/pippki.js
 create mode 100644 security/manager/pki/resources/content/resetpassword.js
 create mode 100644 security/manager/pki/resources/content/resetpassword.xhtml
 create mode 100644 security/manager/pki/resources/content/setp12password.js
 create mode 100644 security/manager/pki/resources/content/setp12password.xhtml
 create mode 100644 security/manager/pki/resources/jar.mn
 create mode 100644 security/manager/pki/resources/moz.build

(limited to 'security/manager/pki')

diff --git a/security/manager/pki/components.conf b/security/manager/pki/components.conf
new file mode 100644
index 0000000000..e381806925
--- /dev/null
+++ b/security/manager/pki/components.conf
@@ -0,0 +1,21 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+Classes = [
+    {
+        'cid': '{518e071f-1dd2-11b2-937e-c45f14def778}',
+        'contract_ids': [
+            '@mozilla.org/nsCertificateDialogs;1',
+            '@mozilla.org/nsClientAuthDialogs;1',
+            '@mozilla.org/nsGeneratingKeypairInfoDialogs;1',
+            '@mozilla.org/nsTokenDialogs;1',
+            '@mozilla.org/nsTokenPasswordDialogs;1',
+        ],
+        'type': 'nsNSSDialogs',
+        'headers': ['/security/manager/pki/nsNSSDialogs.h'],
+        'init_method': 'Init',
+    },
+]
diff --git a/security/manager/pki/moz.build b/security/manager/pki/moz.build
new file mode 100644
index 0000000000..5f0bf95738
--- /dev/null
+++ b/security/manager/pki/moz.build
@@ -0,0 +1,34 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+DIRS += ["resources"]
+
+UNIFIED_SOURCES += [
+    "nsNSSDialogHelper.cpp",
+    "nsNSSDialogs.cpp",
+]
+
+XPCOM_MANIFESTS += [
+    "components.conf",
+]
+
+LOCAL_INCLUDES += [
+    "!/dist/public/nss",
+]
+
+FINAL_LIBRARY = "xul"
+
+if CONFIG["CC_TYPE"] in ("clang", "gcc"):
+    CXXFLAGS += [
+        "-Wextra",
+        # -Wextra enables this warning, but it's too noisy to be useful.
+        "-Wno-missing-field-initializers",
+    ]
+
+    # Gecko headers aren't warning-free enough for us to enable these warnings.
+    CXXFLAGS += [
+        "-Wno-unused-parameter",
+    ]
diff --git a/security/manager/pki/nsIASN1Tree.idl b/security/manager/pki/nsIASN1Tree.idl
new file mode 100644
index 0000000000..b44362e5b2
--- /dev/null
+++ b/security/manager/pki/nsIASN1Tree.idl
@@ -0,0 +1,24 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+#include "nsITreeView.idl"
+#include "nsIX509Cert.idl"
+
+[scriptable, uuid(de142307-7b88-4e0a-b232-250f310e25d8)]
+interface nsIASN1Tree : nsITreeView {
+  [must_use]
+  void loadASN1Structure(in nsIASN1Object asn1Object);
+
+  [must_use]
+  AString getDisplayData(in unsigned long index);
+};
+
+%{C++
+
+#define NS_ASN1TREE_CONTRACTID "@mozilla.org/security/nsASN1Tree;1"
+
+%}
diff --git a/security/manager/pki/nsNSSDialogHelper.cpp b/security/manager/pki/nsNSSDialogHelper.cpp
new file mode 100644
index 0000000000..18691aa6e9
--- /dev/null
+++ b/security/manager/pki/nsNSSDialogHelper.cpp
@@ -0,0 +1,45 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsNSSDialogHelper.h"
+
+#include "mozIDOMWindow.h"
+#include "mozilla/dom/ScriptSettings.h"
+#include "nsCOMPtr.h"
+#include "nsIWindowWatcher.h"
+#include "nsServiceManagerUtils.h"
+
+static const char kOpenDialogParam[] = "centerscreen,chrome,modal,titlebar";
+static const char kOpenWindowParam[] = "centerscreen,chrome,titlebar";
+
+nsresult nsNSSDialogHelper::openDialog(mozIDOMWindowProxy* window,
+                                       const char* url, nsISupports* params,
+                                       bool modal) {
+  nsresult rv;
+  nsCOMPtr<nsIWindowWatcher> windowWatcher =
+      do_GetService(NS_WINDOWWATCHER_CONTRACTID, &rv);
+  if (NS_FAILED(rv)) return rv;
+
+  nsCOMPtr<mozIDOMWindowProxy> parent = window;
+
+  if (!parent) {
+    windowWatcher->GetActiveWindow(getter_AddRefs(parent));
+  }
+
+  // We're loading XUL into this window, and it's happening on behalf of the
+  // system, not on behalf of content. Make sure the initial about:blank window
+  // gets a system principal, otherwise we'll bork when trying to wrap the
+  // nsIKeyGenThread |arguments| property into the unprivileged scoope.
+  MOZ_ASSERT(!strncmp("chrome://", url, strlen("chrome://")));
+  mozilla::dom::AutoNoJSAPI nojsapi;
+
+  nsCOMPtr<mozIDOMWindowProxy> newWindow;
+  rv = windowWatcher->OpenWindow(
+      parent, nsDependentCString(url), "_blank"_ns,
+      nsDependentCString(modal ? kOpenDialogParam : kOpenWindowParam), params,
+      getter_AddRefs(newWindow));
+  return rv;
+}
diff --git a/security/manager/pki/nsNSSDialogHelper.h b/security/manager/pki/nsNSSDialogHelper.h
new file mode 100644
index 0000000000..a7f3d5e474
--- /dev/null
+++ b/security/manager/pki/nsNSSDialogHelper.h
@@ -0,0 +1,39 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef nsNSSDialogHelper_h
+#define nsNSSDialogHelper_h
+
+#include "nsError.h"
+
+class mozIDOMWindowProxy;
+class nsISupports;
+
+/**
+ * Helper class that uses the window watcher service to open a standard dialog,
+ * with or without a parent context.
+ */
+class nsNSSDialogHelper {
+ public:
+  /**
+   * Opens a XUL dialog.
+   *
+   * @param window
+   *        Parent window of the dialog, or nullptr to signal no parent.
+   * @param url
+   *        URL to the XUL dialog.
+   * @param params
+   *        Parameters to pass to the dialog. Same semantics as the
+   *        nsIWindowWatcher.openWindow() |aArguments| parameter.
+   * @param modal
+   *        true if the dialog should be modal, false otherwise.
+   * @return The result of opening the dialog.
+   */
+  static nsresult openDialog(mozIDOMWindowProxy* window, const char* url,
+                             nsISupports* params, bool modal = true);
+};
+
+#endif  // nsNSSDialogHelper_h
diff --git a/security/manager/pki/nsNSSDialogs.cpp b/security/manager/pki/nsNSSDialogs.cpp
new file mode 100644
index 0000000000..b1c1a939d5
--- /dev/null
+++ b/security/manager/pki/nsNSSDialogs.cpp
@@ -0,0 +1,314 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * Dialog services for PIP.
+ */
+
+#include "nsNSSDialogs.h"
+
+#include "mozIDOMWindow.h"
+#include "nsArray.h"
+#include "nsComponentManagerUtils.h"
+#include "nsEmbedCID.h"
+#include "nsHashPropertyBag.h"
+#include "nsIDialogParamBlock.h"
+#include "nsIInterfaceRequestor.h"
+#include "nsIInterfaceRequestorUtils.h"
+#include "nsIPK11Token.h"
+#include "nsIPromptService.h"
+#include "nsIWindowWatcher.h"
+#include "nsIX509CertDB.h"
+#include "nsIX509Cert.h"
+#include "nsNSSDialogHelper.h"
+#include "nsPromiseFlatString.h"
+#include "nsServiceManagerUtils.h"
+#include "nsString.h"
+#include "nsVariant.h"
+
+#define PIPSTRING_BUNDLE_URL "chrome://pippki/locale/pippki.properties"
+
+nsNSSDialogs::nsNSSDialogs() = default;
+
+nsNSSDialogs::~nsNSSDialogs() = default;
+
+NS_IMPL_ISUPPORTS(nsNSSDialogs, nsITokenPasswordDialogs, nsICertificateDialogs,
+                  nsIClientAuthDialogs)
+
+nsresult nsNSSDialogs::Init() {
+  nsresult rv;
+
+  nsCOMPtr<nsIStringBundleService> service =
+      do_GetService(NS_STRINGBUNDLE_CONTRACTID, &rv);
+  if (NS_FAILED(rv)) return rv;
+
+  rv = service->CreateBundle(PIPSTRING_BUNDLE_URL,
+                             getter_AddRefs(mPIPStringBundle));
+  return rv;
+}
+
+NS_IMETHODIMP
+nsNSSDialogs::SetPassword(nsIInterfaceRequestor* ctx, nsIPK11Token* token,
+                          /*out*/ bool* canceled) {
+  // |ctx| is allowed to be null.
+  NS_ENSURE_ARG(canceled);
+
+  *canceled = false;
+
+  // Get the parent window for the dialog
+  nsCOMPtr<mozIDOMWindowProxy> parent = do_GetInterface(ctx);
+
+  nsCOMPtr<nsIDialogParamBlock> block =
+      do_CreateInstance(NS_DIALOGPARAMBLOCK_CONTRACTID);
+  if (!block) return NS_ERROR_FAILURE;
+
+  nsCOMPtr<nsIMutableArray> objects = nsArrayBase::Create();
+  if (!objects) {
+    return NS_ERROR_FAILURE;
+  }
+  nsresult rv = objects->AppendElement(token);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+  rv = block->SetObjects(objects);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+
+  rv = nsNSSDialogHelper::openDialog(
+      parent, "chrome://pippki/content/changepassword.xhtml", block);
+
+  if (NS_FAILED(rv)) return rv;
+
+  int32_t status;
+
+  rv = block->GetInt(1, &status);
+  if (NS_FAILED(rv)) return rv;
+
+  *canceled = (status == 0);
+
+  return rv;
+}
+
+NS_IMETHODIMP
+nsNSSDialogs::ConfirmDownloadCACert(nsIInterfaceRequestor* ctx,
+                                    nsIX509Cert* cert,
+                                    /*out*/ uint32_t* trust,
+                                    /*out*/ bool* importConfirmed) {
+  // |ctx| is allowed to be null.
+  NS_ENSURE_ARG(cert);
+  NS_ENSURE_ARG(trust);
+  NS_ENSURE_ARG(importConfirmed);
+
+  nsCOMPtr<nsIMutableArray> argArray = nsArrayBase::Create();
+  if (!argArray) {
+    return NS_ERROR_FAILURE;
+  }
+
+  nsresult rv = argArray->AppendElement(cert);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+
+  nsCOMPtr<nsIWritablePropertyBag2> retVals = new nsHashPropertyBag();
+  rv = argArray->AppendElement(retVals);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+
+  // Get the parent window for the dialog
+  nsCOMPtr<mozIDOMWindowProxy> parent = do_GetInterface(ctx);
+  rv = nsNSSDialogHelper::openDialog(
+      parent, "chrome://pippki/content/downloadcert.xhtml", argArray);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+
+  rv = retVals->GetPropertyAsBool(u"importConfirmed"_ns, importConfirmed);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+
+  *trust = nsIX509CertDB::UNTRUSTED;
+  if (!*importConfirmed) {
+    return NS_OK;
+  }
+
+  bool trustForSSL = false;
+  rv = retVals->GetPropertyAsBool(u"trustForSSL"_ns, &trustForSSL);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+  bool trustForEmail = false;
+  rv = retVals->GetPropertyAsBool(u"trustForEmail"_ns, &trustForEmail);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+
+  *trust |= trustForSSL ? nsIX509CertDB::TRUSTED_SSL : 0;
+  *trust |= trustForEmail ? nsIX509CertDB::TRUSTED_EMAIL : 0;
+
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSDialogs::ChooseCertificate(const nsACString& hostname, int32_t port,
+                                const nsACString& organization,
+                                const nsACString& issuerOrg, nsIArray* certList,
+                                /*out*/ uint32_t* selectedIndex,
+                                /*out*/ bool* rememberClientAuthCertificate,
+                                /*out*/ bool* certificateChosen) {
+  NS_ENSURE_ARG_POINTER(certList);
+  NS_ENSURE_ARG_POINTER(selectedIndex);
+  NS_ENSURE_ARG_POINTER(rememberClientAuthCertificate);
+  NS_ENSURE_ARG_POINTER(certificateChosen);
+
+  *certificateChosen = false;
+  *rememberClientAuthCertificate = false;
+
+  nsCOMPtr<nsIMutableArray> argArray = nsArrayBase::Create();
+  if (!argArray) {
+    return NS_ERROR_FAILURE;
+  }
+
+  nsCOMPtr<nsIWritableVariant> hostnameVariant = new nsVariant();
+  nsresult rv = hostnameVariant->SetAsAUTF8String(hostname);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+  rv = argArray->AppendElement(hostnameVariant);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+
+  nsCOMPtr<nsIWritableVariant> organizationVariant = new nsVariant();
+  rv = organizationVariant->SetAsAUTF8String(organization);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+  rv = argArray->AppendElement(organizationVariant);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+
+  nsCOMPtr<nsIWritableVariant> issuerOrgVariant = new nsVariant();
+  rv = issuerOrgVariant->SetAsAUTF8String(issuerOrg);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+  rv = argArray->AppendElement(issuerOrgVariant);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+
+  nsCOMPtr<nsIWritableVariant> portVariant = new nsVariant();
+  rv = portVariant->SetAsInt32(port);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+  rv = argArray->AppendElement(portVariant);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+
+  rv = argArray->AppendElement(certList);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+
+  nsCOMPtr<nsIWritablePropertyBag2> retVals = new nsHashPropertyBag();
+  rv = argArray->AppendElement(retVals);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+
+  rv = nsNSSDialogHelper::openDialog(
+      nullptr, "chrome://pippki/content/clientauthask.xhtml", argArray);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+
+  rv = retVals->GetPropertyAsBool(u"rememberSelection"_ns,
+                                  rememberClientAuthCertificate);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+
+  rv = retVals->GetPropertyAsBool(u"certChosen"_ns, certificateChosen);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+  if (*certificateChosen) {
+    rv = retVals->GetPropertyAsUint32(u"selectedIndex"_ns, selectedIndex);
+    if (NS_FAILED(rv)) {
+      return rv;
+    }
+  }
+
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSDialogs::SetPKCS12FilePassword(nsIInterfaceRequestor* ctx,
+                                    /*out*/ nsAString& password,
+                                    /*out*/ bool* confirmedPassword) {
+  // |ctx| is allowed to be null.
+  NS_ENSURE_ARG(confirmedPassword);
+
+  // Get the parent window for the dialog
+  nsCOMPtr<mozIDOMWindowProxy> parent = do_GetInterface(ctx);
+  nsCOMPtr<nsIWritablePropertyBag2> retVals = new nsHashPropertyBag();
+  nsresult rv = nsNSSDialogHelper::openDialog(
+      parent, "chrome://pippki/content/setp12password.xhtml", retVals);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+
+  rv = retVals->GetPropertyAsBool(u"confirmedPassword"_ns, confirmedPassword);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+
+  if (!*confirmedPassword) {
+    return NS_OK;
+  }
+
+  return retVals->GetPropertyAsAString(u"password"_ns, password);
+}
+
+NS_IMETHODIMP
+nsNSSDialogs::GetPKCS12FilePassword(nsIInterfaceRequestor* ctx,
+                                    nsAString& _password, bool* _retval) {
+  *_retval = false;
+
+  nsCOMPtr<nsIPromptService> promptSvc(
+      do_GetService(NS_PROMPTSERVICE_CONTRACTID));
+  if (!promptSvc) {
+    return NS_ERROR_FAILURE;
+  }
+
+  nsAutoString msg;
+  nsresult rv =
+      mPIPStringBundle->GetStringFromName("getPKCS12FilePasswordMessage", msg);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+
+  // Get the parent window for the dialog
+  nsCOMPtr<mozIDOMWindowProxy> parent = do_GetInterface(ctx);
+  char16_t* pwTemp = nullptr;
+  rv = promptSvc->PromptPassword(parent, nullptr, msg.get(), &pwTemp, _retval);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+
+  if (*_retval) {
+    _password.Assign(pwTemp);
+    free(pwTemp);
+  }
+
+  return NS_OK;
+}
diff --git a/security/manager/pki/nsNSSDialogs.h b/security/manager/pki/nsNSSDialogs.h
new file mode 100644
index 0000000000..3c687ac667
--- /dev/null
+++ b/security/manager/pki/nsNSSDialogs.h
@@ -0,0 +1,40 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef nsNSSDialogs_h
+#define nsNSSDialogs_h
+
+#include "nsCOMPtr.h"
+#include "nsICertificateDialogs.h"
+#include "nsIClientAuthDialogs.h"
+#include "nsIStringBundle.h"
+#include "nsITokenPasswordDialogs.h"
+
+#define NS_NSSDIALOGS_CID                            \
+  {                                                  \
+    0x518e071f, 0x1dd2, 0x11b2, {                    \
+      0x93, 0x7e, 0xc4, 0x5f, 0x14, 0xde, 0xf7, 0x78 \
+    }                                                \
+  }
+
+class nsNSSDialogs : public nsICertificateDialogs,
+                     public nsIClientAuthDialogs,
+                     public nsITokenPasswordDialogs {
+ public:
+  NS_DECL_THREADSAFE_ISUPPORTS
+  NS_DECL_NSITOKENPASSWORDDIALOGS
+  NS_DECL_NSICERTIFICATEDIALOGS
+  NS_DECL_NSICLIENTAUTHDIALOGS
+  nsNSSDialogs();
+
+  nsresult Init();
+
+ protected:
+  virtual ~nsNSSDialogs();
+  nsCOMPtr<nsIStringBundle> mPIPStringBundle;
+};
+
+#endif  // nsNSSDialogs_h
diff --git a/security/manager/pki/resources/content/certManager.css b/security/manager/pki/resources/content/certManager.css
new file mode 100644
index 0000000000..9259472771
--- /dev/null
+++ b/security/manager/pki/resources/content/certManager.css
@@ -0,0 +1,34 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* Good enough support for equalsize=always for the cert manager use cases.
+ * You probably shouldn't use this as-is elsewhere, this selector is somewhat
+ * slow, it relies on stuff having display: flex, and you probably can use
+ * something simpler if you need this */
+[equalsize="always"] > * {
+  flex: 1;
+  contain: inline-size;
+}
+
+treecol {
+  flex: 1 auto;
+  width: 0; /* Don't let intrinsic sizes affect our minimum size. */
+}
+
+#certmanager {
+  /* This prevents horizontal scrollbars due to <tree> and non-XUL layout
+   * interactions */
+  padding: 0;
+}
+
+/* This matches the <tree> height from dialog.css */
+richlistbox {
+  min-height: 15em;
+  contain: size;
+}
+
+richlistbox,
+richlistitem {
+  min-height: 30px;
+}
diff --git a/security/manager/pki/resources/content/certManager.js b/security/manager/pki/resources/content/certManager.js
new file mode 100644
index 0000000000..00bb29f307
--- /dev/null
+++ b/security/manager/pki/resources/content/certManager.js
@@ -0,0 +1,769 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/* import-globals-from pippki.js */
+"use strict";
+
+const gCertFileTypes = "*.p7b; *.crt; *.cert; *.cer; *.pem; *.der";
+
+var { NetUtil } = ChromeUtils.import("resource://gre/modules/NetUtil.jsm");
+
+var key;
+
+var certdialogs = Cc["@mozilla.org/nsCertificateDialogs;1"].getService(
+  Ci.nsICertificateDialogs
+);
+
+/**
+ * List of certs currently selected in the active tab.
+ *
+ * @type {nsIX509Cert[]}
+ */
+var selected_certs = [];
+var selected_tree_items = [];
+var selected_index = [];
+var certdb;
+
+/**
+ * Cert tree for the "Authorities" tab.
+ *
+ * @type {nsICertTree}
+ */
+var caTreeView;
+/**
+ * Cert tree for the "Servers" tab.
+ *
+ * @type {nsICertTree}
+ */
+var serverTreeView;
+
+var overrideService;
+
+function createRichlistItem(item) {
+  let innerHbox = document.createXULElement("hbox");
+  innerHbox.setAttribute("align", "center");
+  innerHbox.setAttribute("flex", "1");
+
+  let row = document.createXULElement("label");
+  row.setAttribute("flex", "1");
+  row.setAttribute("crop", "end");
+  row.setAttribute("style", "margin-inline-start: 15px;");
+  if ("raw" in item) {
+    row.setAttribute("value", item.raw);
+  } else {
+    document.l10n.setAttributes(row, item.l10nid);
+  }
+  row.setAttribute("ordinal", "1");
+  innerHbox.appendChild(row);
+
+  return innerHbox;
+}
+
+var serverRichList = {
+  richlist: undefined,
+
+  buildRichList() {
+    let overrides = overrideService.getOverrides().map(item => {
+      return {
+        hostPort: item.hostPort,
+        asciiHost: item.asciiHost,
+        port: item.port,
+        originAttributes: item.originAttributes,
+        fingerprint: item.fingerprint,
+      };
+    });
+    overrides.sort((a, b) => {
+      let criteria = ["hostPort", "fingerprint"];
+      for (let c of criteria) {
+        let res = a[c].localeCompare(b[c]);
+        if (res !== 0) {
+          return res;
+        }
+      }
+      return 0;
+    });
+
+    this.richlist.textContent = "";
+    this.richlist.clearSelection();
+
+    let frag = document.createDocumentFragment();
+    for (let override of overrides) {
+      let richlistitem = this._richBoxAddItem(override);
+      frag.appendChild(richlistitem);
+    }
+    this.richlist.appendChild(frag);
+
+    this._setButtonState();
+    this.richlist.addEventListener("select", () => this._setButtonState());
+  },
+
+  _richBoxAddItem(item) {
+    let richlistitem = document.createXULElement("richlistitem");
+
+    richlistitem.setAttribute("host", item.asciiHost);
+    richlistitem.setAttribute("port", item.port);
+    richlistitem.setAttribute("hostPort", item.hostPort);
+    richlistitem.setAttribute("fingerprint", item.fingerprint);
+    richlistitem.setAttribute(
+      "originAttributes",
+      JSON.stringify(item.originAttributes)
+    );
+
+    let hbox = document.createXULElement("hbox");
+    hbox.setAttribute("flex", "1");
+    hbox.setAttribute("equalsize", "always");
+
+    hbox.appendChild(createRichlistItem({ raw: item.hostPort }));
+    hbox.appendChild(createRichlistItem({ raw: item.fingerprint }));
+
+    richlistitem.appendChild(hbox);
+
+    return richlistitem;
+  },
+
+  deleteSelectedRichListItem() {
+    let selectedItem = this.richlist.selectedItem;
+    if (!selectedItem) {
+      return;
+    }
+
+    let retVals = {
+      deleteConfirmed: false,
+    };
+    window.browsingContext.topChromeWindow.openDialog(
+      "chrome://pippki/content/deletecert.xhtml",
+      "",
+      "chrome,centerscreen,modal",
+      "websites_tab",
+      [
+        {
+          hostPort: selectedItem.attributes.hostPort.value,
+        },
+      ],
+      retVals
+    );
+
+    if (retVals.deleteConfirmed) {
+      overrideService.clearValidityOverride(
+        selectedItem.attributes.host.value,
+        selectedItem.attributes.port.value,
+        JSON.parse(selectedItem.attributes.originAttributes.value)
+      );
+      this.buildRichList();
+    }
+  },
+
+  addException() {
+    let retval = {
+      exceptionAdded: false,
+    };
+    window.browsingContext.topChromeWindow.openDialog(
+      "chrome://pippki/content/exceptionDialog.xhtml",
+      "",
+      "chrome,centerscreen,modal",
+      retval
+    );
+    if (retval.exceptionAdded) {
+      this.buildRichList();
+    }
+  },
+
+  _setButtonState() {
+    let websiteDeleteButton = document.getElementById("websites_deleteButton");
+    websiteDeleteButton.disabled = this.richlist.selectedIndex < 0;
+  },
+};
+/**
+ * Cert tree for the "People" tab.
+ *
+ * @type {nsICertTree}
+ */
+var emailTreeView;
+/**
+ * Cert tree for the "Your Certificates" tab.
+ *
+ * @type {nsICertTree}
+ */
+var userTreeView;
+
+var clientAuthRememberService;
+
+var rememberedDecisionsRichList = {
+  richlist: undefined,
+
+  buildRichList() {
+    let rememberedDecisions = clientAuthRememberService.getDecisions();
+
+    let oldItems = this.richlist.querySelectorAll("richlistitem");
+    for (let item of oldItems) {
+      item.remove();
+    }
+
+    let frag = document.createDocumentFragment();
+    for (let decision of rememberedDecisions) {
+      let richlistitem = this._richBoxAddItem(decision);
+      frag.appendChild(richlistitem);
+    }
+    this.richlist.appendChild(frag);
+
+    this.richlist.addEventListener("select", () => this.setButtonState());
+  },
+
+  _richBoxAddItem(item) {
+    let richlistitem = document.createXULElement("richlistitem");
+
+    richlistitem.setAttribute("entryKey", item.entryKey);
+    richlistitem.setAttribute("dbKey", item.dbKey);
+
+    let hbox = document.createXULElement("hbox");
+    hbox.setAttribute("flex", "1");
+    hbox.setAttribute("equalsize", "always");
+
+    hbox.appendChild(createRichlistItem({ raw: item.asciiHost }));
+    if (item.dbKey == "") {
+      hbox.appendChild(
+        createRichlistItem({ l10nid: "send-no-client-certificate" })
+      );
+
+      hbox.appendChild(createRichlistItem({ raw: "" }));
+    } else {
+      let tmpCert = certdb.findCertByDBKey(item.dbKey);
+      // The certificate corresponding to this item's dbKey may not be
+      // available (for example, if it was stored on a token that's been
+      // removed, or if it was deleted).
+      if (tmpCert) {
+        hbox.appendChild(createRichlistItem({ raw: tmpCert.commonName }));
+        hbox.appendChild(createRichlistItem({ raw: tmpCert.serialNumber }));
+      } else {
+        hbox.appendChild(
+          createRichlistItem({ l10nid: "certificate-not-available" })
+        );
+        hbox.appendChild(
+          createRichlistItem({ l10nid: "certificate-not-available" })
+        );
+      }
+    }
+
+    richlistitem.appendChild(hbox);
+
+    return richlistitem;
+  },
+
+  deleteSelectedRichListItem() {
+    let selectedItem = this.richlist.selectedItem;
+    let index = this.richlist.selectedIndex;
+    if (index < 0) {
+      return;
+    }
+
+    clientAuthRememberService.forgetRememberedDecision(
+      selectedItem.attributes.entryKey.value
+    );
+
+    this.buildRichList();
+    this.setButtonState();
+  },
+
+  viewSelectedRichListItem() {
+    let selectedItem = this.richlist.selectedItem;
+    let index = this.richlist.selectedIndex;
+    if (index < 0) {
+      return;
+    }
+
+    if (selectedItem.attributes.dbKey.value != "") {
+      let cert = certdb.findCertByDBKey(selectedItem.attributes.dbKey.value);
+      viewCertHelper(window, cert);
+    }
+  },
+
+  setButtonState() {
+    let rememberedDeleteButton = document.getElementById(
+      "remembered_deleteButton"
+    );
+    let rememberedViewButton = document.getElementById("remembered_viewButton");
+
+    rememberedDeleteButton.disabled = this.richlist.selectedIndex < 0;
+    rememberedViewButton.disabled =
+      this.richlist.selectedItem == null
+        ? true
+        : this.richlist.selectedItem.attributes.dbKey.value == "";
+  },
+};
+
+function LoadCerts() {
+  certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+  var certcache = certdb.getCerts();
+
+  caTreeView = Cc["@mozilla.org/security/nsCertTree;1"].createInstance(
+    Ci.nsICertTree
+  );
+  caTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.CA_CERT);
+  document.getElementById("ca-tree").view = caTreeView;
+
+  emailTreeView = Cc["@mozilla.org/security/nsCertTree;1"].createInstance(
+    Ci.nsICertTree
+  );
+  emailTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.EMAIL_CERT);
+  document.getElementById("email-tree").view = emailTreeView;
+
+  userTreeView = Cc["@mozilla.org/security/nsCertTree;1"].createInstance(
+    Ci.nsICertTree
+  );
+  userTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.USER_CERT);
+  document.getElementById("user-tree").view = userTreeView;
+
+  clientAuthRememberService = Cc[
+    "@mozilla.org/security/clientAuthRememberService;1"
+  ].getService(Ci.nsIClientAuthRememberService);
+
+  overrideService = Cc["@mozilla.org/security/certoverride;1"].getService(
+    Ci.nsICertOverrideService
+  );
+
+  rememberedDecisionsRichList.richlist =
+    document.getElementById("rememberedList");
+  serverRichList.richlist = document.getElementById("serverList");
+
+  rememberedDecisionsRichList.buildRichList();
+  serverRichList.buildRichList();
+
+  rememberedDecisionsRichList.setButtonState();
+
+  enableBackupAllButton();
+}
+
+function enableBackupAllButton() {
+  let backupAllButton = document.getElementById("mine_backupAllButton");
+  backupAllButton.disabled = userTreeView.rowCount < 1;
+}
+
+function getSelectedCerts() {
+  var ca_tab = document.getElementById("ca_tab");
+  var mine_tab = document.getElementById("mine_tab");
+  var others_tab = document.getElementById("others_tab");
+  var items = null;
+  if (ca_tab.selected) {
+    items = caTreeView.selection;
+  } else if (mine_tab.selected) {
+    items = userTreeView.selection;
+  } else if (others_tab.selected) {
+    items = emailTreeView.selection;
+  }
+  selected_certs = [];
+  var cert = null;
+  var nr = 0;
+  if (items != null) {
+    nr = items.getRangeCount();
+  }
+  if (nr > 0) {
+    for (let i = 0; i < nr; i++) {
+      var o1 = {};
+      var o2 = {};
+      items.getRangeAt(i, o1, o2);
+      var min = o1.value;
+      var max = o2.value;
+      for (let j = min; j <= max; j++) {
+        if (ca_tab.selected) {
+          cert = caTreeView.getCert(j);
+        } else if (mine_tab.selected) {
+          cert = userTreeView.getCert(j);
+        } else if (others_tab.selected) {
+          cert = emailTreeView.getCert(j);
+        }
+        if (cert) {
+          var sc = selected_certs.length;
+          selected_certs[sc] = cert;
+          selected_index[sc] = j;
+        }
+      }
+    }
+  }
+}
+
+function getSelectedTreeItems() {
+  var ca_tab = document.getElementById("ca_tab");
+  var mine_tab = document.getElementById("mine_tab");
+  var others_tab = document.getElementById("others_tab");
+  var items = null;
+  if (ca_tab.selected) {
+    items = caTreeView.selection;
+  } else if (mine_tab.selected) {
+    items = userTreeView.selection;
+  } else if (others_tab.selected) {
+    items = emailTreeView.selection;
+  }
+  selected_certs = [];
+  selected_tree_items = [];
+  selected_index = [];
+  var tree_item = null;
+  var nr = 0;
+  if (items != null) {
+    nr = items.getRangeCount();
+  }
+  if (nr > 0) {
+    for (let i = 0; i < nr; i++) {
+      var o1 = {};
+      var o2 = {};
+      items.getRangeAt(i, o1, o2);
+      var min = o1.value;
+      var max = o2.value;
+      for (let j = min; j <= max; j++) {
+        if (ca_tab.selected) {
+          tree_item = caTreeView.getTreeItem(j);
+        } else if (mine_tab.selected) {
+          tree_item = userTreeView.getTreeItem(j);
+        } else if (others_tab.selected) {
+          tree_item = emailTreeView.getTreeItem(j);
+        }
+        if (tree_item) {
+          var sc = selected_tree_items.length;
+          selected_tree_items[sc] = tree_item;
+          selected_index[sc] = j;
+        }
+      }
+    }
+  }
+}
+
+/**
+ * Returns true if nothing in the given cert tree is selected or if the
+ * selection includes a container. Returns false otherwise.
+ *
+ * @param {nsICertTree} certTree
+ * @returns {boolean}
+ */
+function nothingOrContainerSelected(certTree) {
+  var certTreeSelection = certTree.selection;
+  var numSelectionRanges = certTreeSelection.getRangeCount();
+
+  if (numSelectionRanges == 0) {
+    return true;
+  }
+
+  for (var i = 0; i < numSelectionRanges; i++) {
+    var o1 = {};
+    var o2 = {};
+    certTreeSelection.getRangeAt(i, o1, o2);
+    var minIndex = o1.value;
+    var maxIndex = o2.value;
+    for (var j = minIndex; j <= maxIndex; j++) {
+      if (certTree.isContainer(j)) {
+        return true;
+      }
+    }
+  }
+
+  return false;
+}
+
+async function promptError(aErrorCode) {
+  if (aErrorCode != Ci.nsIX509CertDB.Success) {
+    let msgName = "pkcs12-unknown-err";
+    switch (aErrorCode) {
+      case Ci.nsIX509CertDB.ERROR_PKCS12_NOSMARTCARD_EXPORT:
+        msgName = "pkcs12-info-no-smartcard-backup";
+        break;
+      case Ci.nsIX509CertDB.ERROR_PKCS12_RESTORE_FAILED:
+        msgName = "pkcs12-unknown-err-restore";
+        break;
+      case Ci.nsIX509CertDB.ERROR_PKCS12_BACKUP_FAILED:
+        msgName = "pkcs12-unknown-err-backup";
+        break;
+      case Ci.nsIX509CertDB.ERROR_PKCS12_CERT_COLLISION:
+      case Ci.nsIX509CertDB.ERROR_PKCS12_DUPLICATE_DATA:
+        msgName = "pkcs12-dup-data";
+        break;
+      case Ci.nsIX509CertDB.ERROR_BAD_PASSWORD:
+        msgName = "pk11-bad-password";
+        break;
+      case Ci.nsIX509CertDB.ERROR_DECODE_ERROR:
+        msgName = "pkcs12-decode-err";
+        break;
+      default:
+        break;
+    }
+    let [message] = await document.l10n.formatValues([{ id: msgName }]);
+    let prompter = Services.ww.getNewPrompter(window);
+    prompter.alert(null, message);
+  }
+}
+
+/**
+ * Enables or disables buttons corresponding to a cert tree depending on what
+ * is selected in the cert tree.
+ *
+ * @param {nsICertTree} certTree
+ * @param {Array} idList A list of string identifiers for button elements to
+ *    enable or disable.
+ */
+function enableButtonsForCertTree(certTree, idList) {
+  let disableButtons = nothingOrContainerSelected(certTree);
+
+  for (let id of idList) {
+    document.getElementById(id).setAttribute("disabled", disableButtons);
+  }
+}
+
+function ca_enableButtons() {
+  let idList = [
+    "ca_viewButton",
+    "ca_editButton",
+    "ca_exportButton",
+    "ca_deleteButton",
+  ];
+  enableButtonsForCertTree(caTreeView, idList);
+}
+
+function mine_enableButtons() {
+  let idList = ["mine_viewButton", "mine_backupButton", "mine_deleteButton"];
+  enableButtonsForCertTree(userTreeView, idList);
+}
+
+function email_enableButtons() {
+  let idList = ["email_viewButton", "email_exportButton", "email_deleteButton"];
+  enableButtonsForCertTree(emailTreeView, idList);
+}
+
+async function backupCerts() {
+  getSelectedCerts();
+  var numcerts = selected_certs.length;
+  if (numcerts == 0) {
+    return;
+  }
+
+  var fp = Cc["@mozilla.org/filepicker;1"].createInstance(Ci.nsIFilePicker);
+  let [backupFileDialog, filePkcs12Spec] = await document.l10n.formatValues([
+    { id: "choose-p12-backup-file-dialog" },
+    { id: "file-browse-pkcs12-spec" },
+  ]);
+  fp.init(window, backupFileDialog, Ci.nsIFilePicker.modeSave);
+  fp.appendFilter(filePkcs12Spec, "*.p12");
+  fp.appendFilters(Ci.nsIFilePicker.filterAll);
+  fp.defaultExtension = "p12";
+  fp.open(rv => {
+    if (
+      rv == Ci.nsIFilePicker.returnOK ||
+      rv == Ci.nsIFilePicker.returnReplace
+    ) {
+      let password = {};
+      if (certdialogs.setPKCS12FilePassword(window, password)) {
+        let errorCode = certdb.exportPKCS12File(
+          fp.file,
+          selected_certs,
+          password.value
+        );
+        promptError(errorCode);
+      }
+    }
+  });
+}
+
+function backupAllCerts() {
+  // Select all rows, then call doBackup()
+  userTreeView.selection.selectAll();
+  backupCerts();
+}
+
+function editCerts() {
+  getSelectedCerts();
+
+  for (let cert of selected_certs) {
+    window.browsingContext.topChromeWindow.openDialog(
+      "chrome://pippki/content/editcacert.xhtml",
+      "",
+      "chrome,centerscreen,modal",
+      cert
+    );
+  }
+}
+
+async function restoreCerts() {
+  var fp = Cc["@mozilla.org/filepicker;1"].createInstance(Ci.nsIFilePicker);
+  let [restoreFileDialog, filePkcs12Spec, fileCertSpec] =
+    await document.l10n.formatValues([
+      { id: "choose-p12-restore-file-dialog" },
+      { id: "file-browse-pkcs12-spec" },
+      { id: "file-browse-certificate-spec" },
+    ]);
+  fp.init(window, restoreFileDialog, Ci.nsIFilePicker.modeOpen);
+  fp.appendFilter(filePkcs12Spec, "*.p12; *.pfx");
+  fp.appendFilter(fileCertSpec, gCertFileTypes);
+  fp.appendFilters(Ci.nsIFilePicker.filterAll);
+  fp.open(rv => {
+    if (rv != Ci.nsIFilePicker.returnOK) {
+      return;
+    }
+
+    // If this is an X509 user certificate, import it as one.
+
+    var isX509FileType = false;
+    var fileTypesList = gCertFileTypes.slice(1).split("; *");
+    for (var type of fileTypesList) {
+      if (fp.file.path.endsWith(type)) {
+        isX509FileType = true;
+        break;
+      }
+    }
+
+    if (isX509FileType) {
+      let fstream = Cc[
+        "@mozilla.org/network/file-input-stream;1"
+      ].createInstance(Ci.nsIFileInputStream);
+      fstream.init(fp.file, -1, 0, 0);
+      let dataString = NetUtil.readInputStreamToString(
+        fstream,
+        fstream.available()
+      );
+      let dataArray = [];
+      for (let i = 0; i < dataString.length; i++) {
+        dataArray.push(dataString.charCodeAt(i));
+      }
+      fstream.close();
+      let prompter = Services.ww.getNewPrompter(window);
+      let interfaceRequestor = {
+        getInterface() {
+          return prompter;
+        },
+      };
+      certdb.importUserCertificate(
+        dataArray,
+        dataArray.length,
+        interfaceRequestor
+      );
+    } else {
+      // Otherwise, assume it's a PKCS12 file and import it that way.
+      let password = {};
+      let errorCode = Ci.nsIX509CertDB.ERROR_BAD_PASSWORD;
+      while (
+        errorCode == Ci.nsIX509CertDB.ERROR_BAD_PASSWORD &&
+        certdialogs.getPKCS12FilePassword(window, password)
+      ) {
+        errorCode = certdb.importPKCS12File(fp.file, password.value);
+        if (
+          errorCode == Ci.nsIX509CertDB.ERROR_BAD_PASSWORD &&
+          !password.value.length
+        ) {
+          // It didn't like empty string password, try no password.
+          errorCode = certdb.importPKCS12File(fp.file, null);
+        }
+        promptError(errorCode);
+      }
+    }
+
+    var certcache = certdb.getCerts();
+    userTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.USER_CERT);
+    userTreeView.selection.clearSelection();
+    caTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.CA_CERT);
+    caTreeView.selection.clearSelection();
+    enableBackupAllButton();
+  });
+}
+
+async function exportCerts() {
+  getSelectedCerts();
+
+  for (let cert of selected_certs) {
+    await exportToFile(window, cert);
+  }
+}
+
+/**
+ * Deletes the selected certs in the active tab.
+ */
+function deleteCerts() {
+  getSelectedTreeItems();
+  let numcerts = selected_tree_items.length;
+  if (numcerts == 0) {
+    return;
+  }
+
+  const treeViewMap = {
+    mine_tab: userTreeView,
+    ca_tab: caTreeView,
+    others_tab: emailTreeView,
+  };
+  let selTab = document.getElementById("certMgrTabbox").selectedItem;
+  let selTabID = selTab.getAttribute("id");
+
+  if (!(selTabID in treeViewMap)) {
+    return;
+  }
+
+  let retVals = {
+    deleteConfirmed: false,
+  };
+  window.browsingContext.topChromeWindow.openDialog(
+    "chrome://pippki/content/deletecert.xhtml",
+    "",
+    "chrome,centerscreen,modal",
+    selTabID,
+    selected_tree_items,
+    retVals
+  );
+
+  if (retVals.deleteConfirmed) {
+    let treeView = treeViewMap[selTabID];
+
+    for (let t = numcerts - 1; t >= 0; t--) {
+      treeView.deleteEntryObject(selected_index[t]);
+    }
+
+    selected_tree_items = [];
+    selected_index = [];
+    treeView.selection.clearSelection();
+    if (selTabID == "mine_tab") {
+      enableBackupAllButton();
+    }
+  }
+}
+
+function viewCerts() {
+  getSelectedCerts();
+
+  for (let cert of selected_certs) {
+    viewCertHelper(window, cert);
+  }
+}
+
+async function addCACerts() {
+  var fp = Cc["@mozilla.org/filepicker;1"].createInstance(Ci.nsIFilePicker);
+  let [importCa, fileCertSpec] = await document.l10n.formatValues([
+    { id: "import-ca-certs-prompt" },
+    { id: "file-browse-certificate-spec" },
+  ]);
+  fp.init(window, importCa, Ci.nsIFilePicker.modeOpen);
+  fp.appendFilter(fileCertSpec, gCertFileTypes);
+  fp.appendFilters(Ci.nsIFilePicker.filterAll);
+  fp.open(rv => {
+    if (rv == Ci.nsIFilePicker.returnOK) {
+      certdb.importCertsFromFile(fp.file, Ci.nsIX509Cert.CA_CERT);
+      let certcache = certdb.getCerts();
+      caTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.CA_CERT);
+      caTreeView.selection.clearSelection();
+    }
+  });
+}
+
+async function addEmailCert() {
+  var fp = Cc["@mozilla.org/filepicker;1"].createInstance(Ci.nsIFilePicker);
+  let [importEmail, fileCertSpec] = await document.l10n.formatValues([
+    { id: "import-email-cert-prompt" },
+    { id: "file-browse-certificate-spec" },
+  ]);
+  fp.init(window, importEmail, Ci.nsIFilePicker.modeOpen);
+  fp.appendFilter(fileCertSpec, gCertFileTypes);
+  fp.appendFilters(Ci.nsIFilePicker.filterAll);
+  fp.open(rv => {
+    if (rv == Ci.nsIFilePicker.returnOK) {
+      certdb.importCertsFromFile(fp.file, Ci.nsIX509Cert.EMAIL_CERT);
+      var certcache = certdb.getCerts();
+      emailTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.EMAIL_CERT);
+      emailTreeView.selection.clearSelection();
+      caTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.CA_CERT);
+      caTreeView.selection.clearSelection();
+    }
+  });
+}
diff --git a/security/manager/pki/resources/content/certManager.xhtml b/security/manager/pki/resources/content/certManager.xhtml
new file mode 100644
index 0000000000..9cf0543d78
--- /dev/null
+++ b/security/manager/pki/resources/content/certManager.xhtml
@@ -0,0 +1,330 @@
+<?xml version="1.0"?>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+   - License, v. 2.0. If a copy of the MPL was not distributed with this
+   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+
+<?xml-stylesheet href="chrome://global/skin/global.css" type="text/css"?>
+<?xml-stylesheet href="chrome://pippki/content/certManager.css" type="text/css"?>
+
+<!DOCTYPE window>
+
+<window
+  windowtype="mozilla:certmanager"
+  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+  xmlns:html="http://www.w3.org/1999/xhtml"
+  data-l10n-id="certmgr-title"
+  onload="LoadCerts();"
+  persist="screenX screenY width height"
+>
+  <dialog id="certmanager" buttons="accept">
+    <linkset>
+      <html:link
+        rel="localization"
+        href="security/certificates/certManager.ftl"
+      />
+    </linkset>
+
+    <script src="chrome://pippki/content/pippki.js" />
+    <script src="chrome://pippki/content/certManager.js" />
+
+    <tabbox id="certmanagertabs" flex="1" persist="selectedIndex">
+      <tabs id="certMgrTabbox">
+        <tab id="mine_tab" data-l10n-id="certmgr-tab-mine" />
+        <tab id="remembered_tab" data-l10n-id="certmgr-tab-remembered" />
+        <tab id="others_tab" data-l10n-id="certmgr-tab-people" />
+        <tab id="websites_tab" data-l10n-id="certmgr-tab-servers" />
+        <tab id="ca_tab" data-l10n-id="certmgr-tab-ca" selected="true" />
+      </tabs>
+      <tabpanels flex="1">
+        <vbox id="myCerts" flex="1">
+          <description data-l10n-id="certmgr-mine"></description>
+          <separator class="thin" />
+          <tree
+            id="user-tree"
+            flex="1"
+            enableColumnDrag="true"
+            onselect="mine_enableButtons()"
+          >
+            <treecols>
+              <!--
+              The below code may suggest that 'ordinal' is still a supported XUL
+              XUL attribute. It is not. This is a crutch so that we can
+              continue persisting the CSS order property,
+              which is the appropriate replacement for the ordinal attribute
+              but cannot yet be easily persisted. The code that synchronizes
+              the attribute with the CSS lives in
+              toolkit/content/widget/tree.js and is specific to tree elements.
+            -->
+              <treecol
+                id="certcol"
+                data-l10n-id="certmgr-cert-name"
+                primary="true"
+                persist="hidden width ordinal"
+              />
+              <splitter class="tree-splitter" />
+              <treecol
+                id="tokencol"
+                data-l10n-id="certmgr-token-name"
+                persist="hidden width ordinal"
+              />
+              <splitter class="tree-splitter" />
+              <treecol
+                id="serialnumcol"
+                data-l10n-id="certmgr-serial"
+                persist="hidden width ordinal"
+              />
+              <splitter class="tree-splitter" />
+              <treecol
+                id="issuedcol"
+                data-l10n-id="certmgr-begins-label"
+                hidden="true"
+                persist="hidden width ordinal"
+              />
+              <splitter class="tree-splitter" />
+              <treecol
+                id="expiredcol"
+                data-l10n-id="certmgr-expires-label"
+                persist="hidden width ordinal"
+              />
+            </treecols>
+            <treechildren ondblclick="viewCerts();" />
+          </tree>
+
+          <separator class="thin" />
+
+          <hbox>
+            <button
+              id="mine_viewButton"
+              class="normal"
+              data-l10n-id="certmgr-view"
+              disabled="true"
+              oncommand="viewCerts();"
+            />
+            <button
+              id="mine_backupButton"
+              class="normal"
+              data-l10n-id="certmgr-backup"
+              disabled="true"
+              oncommand="backupCerts();"
+            />
+            <button
+              id="mine_backupAllButton"
+              class="normal"
+              data-l10n-id="certmgr-backup-all"
+              oncommand="backupAllCerts();"
+            />
+            <button
+              id="mine_restoreButton"
+              class="normal"
+              data-l10n-id="certmgr-restore"
+              oncommand="restoreCerts();"
+            />
+            <button
+              id="mine_deleteButton"
+              class="normal"
+              data-l10n-id="certmgr-delete"
+              disabled="true"
+              oncommand="deleteCerts();"
+            />
+          </hbox>
+        </vbox>
+        <vbox id="rememberedCerts" flex="1">
+          <description data-l10n-id="certmgr-remembered"></description>
+          <separator class="thin" />
+
+          <listheader equalsize="always">
+            <treecol
+              id="hostcol"
+              data-l10n-id="certmgr-cert-host"
+              primary="true"
+              persist="hidden width ordinal"
+            />
+            <treecol
+              id="certcol"
+              data-l10n-id="certmgr-cert-name"
+              primary="true"
+              persist="hidden width ordinal"
+            />
+            <treecol
+              id="serialnumcol"
+              data-l10n-id="certmgr-serial"
+              persist="hidden width ordinal"
+            />
+          </listheader>
+          <richlistbox id="rememberedList" flex="1" selected="false" />
+
+          <separator class="thin" />
+
+          <hbox>
+            <button
+              id="remembered_deleteButton"
+              class="normal"
+              data-l10n-id="certmgr-delete"
+              oncommand="rememberedDecisionsRichList.deleteSelectedRichListItem()"
+            />
+
+            <button
+              id="remembered_viewButton"
+              class="normal"
+              data-l10n-id="certmgr-view"
+              oncommand="rememberedDecisionsRichList.viewSelectedRichListItem()"
+            />
+          </hbox>
+        </vbox>
+        <vbox id="othersCerts" flex="1">
+          <description data-l10n-id="certmgr-people"></description>
+          <separator class="thin" />
+          <tree id="email-tree" flex="1" onselect="email_enableButtons()">
+            <treecols>
+              <treecol
+                id="certcol"
+                data-l10n-id="certmgr-cert-name"
+                primary="true"
+              />
+              <splitter class="tree-splitter" />
+              <treecol id="emailcol" data-l10n-id="certmgr-email" />
+              <splitter class="tree-splitter" />
+              <treecol id="expiredcol" data-l10n-id="certmgr-expires-label" />
+            </treecols>
+            <treechildren flex="1" ondblclick="viewCerts();" />
+          </tree>
+
+          <separator class="thin" />
+
+          <hbox>
+            <button
+              id="email_viewButton"
+              data-l10n-id="certmgr-view"
+              disabled="true"
+              oncommand="viewCerts();"
+            />
+            <button
+              id="email_addButton"
+              data-l10n-id="certmgr-restore"
+              oncommand="addEmailCert();"
+            />
+            <button
+              id="email_exportButton"
+              data-l10n-id="certmgr-export"
+              disabled="true"
+              oncommand="exportCerts();"
+            />
+            <button
+              id="email_deleteButton"
+              data-l10n-id="certmgr-delete"
+              disabled="true"
+              oncommand="deleteCerts();"
+            />
+          </hbox>
+        </vbox>
+
+        <vbox id="webCerts" flex="1">
+          <description data-l10n-id="certmgr-server"></description>
+          <separator class="thin" />
+
+          <listheader equalsize="always">
+            <treecol
+              id="sitecol"
+              data-l10n-id="certmgr-cert-server"
+              primary="true"
+            />
+            <treecol
+              id="sha256col"
+              data-l10n-id="certmgr-fingerprint-sha-256"
+            />
+          </listheader>
+          <richlistbox
+            ondblclick="serverRichList.viewSelectedRichListItem();"
+            id="serverList"
+            flex="1"
+            selected="false"
+          />
+
+          <separator class="thin" />
+
+          <hbox>
+            <button
+              id="websites_deleteButton"
+              data-l10n-id="certmgr-delete"
+              oncommand="serverRichList.deleteSelectedRichListItem();"
+            />
+            <button
+              id="websites_exceptionButton"
+              data-l10n-id="certmgr-add-exception"
+              oncommand="serverRichList.addException();"
+            />
+          </hbox>
+        </vbox>
+        <vbox id="CACerts" flex="1">
+          <description data-l10n-id="certmgr-ca"></description>
+          <separator class="thin" />
+          <tree
+            id="ca-tree"
+            flex="1"
+            enableColumnDrag="true"
+            onselect="ca_enableButtons()"
+          >
+            <treecols>
+              <!--
+              The below code may suggest that 'ordinal' is still a supported XUL
+              XUL attribute. It is not. This is a crutch so that we can
+              continue persisting the CSS order property,
+              which is the appropriate replacement for the ordinal attribute
+              but cannot yet be easily persisted. The code that synchronizes
+              the attribute with the CSS lives in
+              toolkit/content/widget/tree.js and is specific to tree elements.
+            -->
+              <treecol
+                id="certcol"
+                data-l10n-id="certmgr-cert-name"
+                primary="true"
+                persist="hidden width ordinal"
+              />
+              <splitter class="tree-splitter" />
+              <treecol
+                id="tokencol"
+                data-l10n-id="certmgr-token-name"
+                persist="hidden width ordinal"
+              />
+            </treecols>
+            <treechildren ondblclick="viewCerts();" />
+          </tree>
+
+          <separator class="thin" />
+
+          <hbox>
+            <button
+              id="ca_viewButton"
+              data-l10n-id="certmgr-view"
+              disabled="true"
+              oncommand="viewCerts();"
+            />
+            <button
+              id="ca_editButton"
+              data-l10n-id="certmgr-edit"
+              disabled="true"
+              oncommand="editCerts();"
+            />
+            <button
+              id="ca_addButton"
+              data-l10n-id="certmgr-restore"
+              oncommand="addCACerts();"
+            />
+            <button
+              id="ca_exportButton"
+              data-l10n-id="certmgr-export"
+              disabled="true"
+              oncommand="exportCerts();"
+            />
+            <button
+              id="ca_deleteButton"
+              data-l10n-id="certmgr-delete-builtin"
+              disabled="true"
+              oncommand="deleteCerts();"
+            />
+          </hbox>
+        </vbox>
+      </tabpanels>
+    </tabbox>
+  </dialog>
+</window>
diff --git a/security/manager/pki/resources/content/changepassword.js b/security/manager/pki/resources/content/changepassword.js
new file mode 100644
index 0000000000..e3d6b118bf
--- /dev/null
+++ b/security/manager/pki/resources/content/changepassword.js
@@ -0,0 +1,212 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+const { XPCOMUtils } = ChromeUtils.importESModule(
+  "resource://gre/modules/XPCOMUtils.sys.mjs"
+);
+
+XPCOMUtils.defineLazyGetter(
+  this,
+  "l10n",
+  () => new Localization(["security/pippki/pippki.ftl"], true)
+);
+
+var params;
+var token;
+var pw1;
+
+function doPrompt(messageL10nId) {
+  let msg = l10n.formatValueSync(messageL10nId);
+  Services.prompt.alert(window, null, msg);
+}
+
+function onLoad() {
+  document.getElementById("set_password").getButton("accept").disabled = true;
+  document.addEventListener("dialogaccept", setPassword);
+
+  pw1 = document.getElementById("pw1");
+  params = window.arguments[0].QueryInterface(Ci.nsIDialogParamBlock);
+  token = params.objects.GetElementAt(0).QueryInterface(Ci.nsIPK11Token);
+
+  document.l10n.setAttributes(
+    document.getElementById("tokenName"),
+    "change-password-token",
+    { tokenName: token.tokenName }
+  );
+  process();
+}
+
+function process() {
+  let bundle = document.getElementById("pippki_bundle");
+  let oldpwbox = document.getElementById("oldpw");
+  let msgBox = document.getElementById("message");
+  // If the token is unitialized, don't use the old password box.
+  // Otherwise, do.
+  if ((token.needsLogin() && token.needsUserInit) || !token.needsLogin()) {
+    oldpwbox.hidden = true;
+    msgBox.setAttribute("value", bundle.getString("password_not_set"));
+    msgBox.hidden = false;
+
+    if (!token.needsLogin()) {
+      oldpwbox.setAttribute("inited", "empty");
+    } else {
+      oldpwbox.setAttribute("inited", "true");
+    }
+
+    // Select first password field
+    document.getElementById("pw1").focus();
+  } else {
+    // Select old password field
+    oldpwbox.hidden = false;
+    msgBox.hidden = true;
+    oldpwbox.setAttribute("inited", "false");
+    oldpwbox.focus();
+  }
+
+  // Return value 0 means "canceled"
+  params.SetInt(1, 0);
+
+  checkPasswords();
+}
+
+function setPassword(event) {
+  var oldpwbox = document.getElementById("oldpw");
+  var initpw = oldpwbox.getAttribute("inited");
+
+  var success = false;
+
+  if (initpw == "false" || initpw == "empty") {
+    try {
+      var oldpw = "";
+      var passok = 0;
+
+      if (initpw == "empty") {
+        passok = 1;
+      } else {
+        oldpw = oldpwbox.value;
+        passok = token.checkPassword(oldpw);
+      }
+
+      if (passok) {
+        if (initpw == "empty" && pw1.value == "") {
+          // checkPasswords() should have prevented this path from being reached.
+        } else {
+          if (pw1.value == "") {
+            var secmoddb = Cc[
+              "@mozilla.org/security/pkcs11moduledb;1"
+            ].getService(Ci.nsIPKCS11ModuleDB);
+            if (secmoddb.isFIPSEnabled) {
+              // empty passwords are not allowed in FIPS mode
+              doPrompt("pippki-pw-change2empty-in-fips-mode");
+              passok = 0;
+            }
+          }
+          if (passok) {
+            token.changePassword(oldpw, pw1.value);
+            if (pw1.value == "") {
+              doPrompt("pippki-pw-erased-ok");
+            } else {
+              doPrompt("pippki-pw-change-ok");
+            }
+            success = true;
+          }
+        }
+      } else {
+        oldpwbox.focus();
+        oldpwbox.setAttribute("value", "");
+        doPrompt("pippki-incorrect-pw");
+      }
+    } catch (e) {
+      doPrompt("pippki-failed-pw-change");
+    }
+  } else {
+    token.initPassword(pw1.value);
+    if (pw1.value == "") {
+      doPrompt("pippki-pw-not-wanted");
+    }
+    success = true;
+  }
+
+  if (success && params) {
+    // Return value 1 means "successfully executed ok"
+    params.SetInt(1, 1);
+  }
+
+  // Terminate dialog
+  if (!success) {
+    event.preventDefault();
+  }
+}
+
+function setPasswordStrength() {
+  // We weigh the quality of the password by checking the number of:
+  //  - Characters
+  //  - Numbers
+  //  - Non-alphanumeric chars
+  //  - Upper and lower case characters
+
+  let pw = document.getElementById("pw1").value;
+
+  let pwlength = pw.length;
+  if (pwlength > 5) {
+    pwlength = 5;
+  }
+
+  let numnumeric = pw.replace(/[0-9]/g, "");
+  let numeric = pw.length - numnumeric.length;
+  if (numeric > 3) {
+    numeric = 3;
+  }
+
+  let symbols = pw.replace(/\W/g, "");
+  let numsymbols = pw.length - symbols.length;
+  if (numsymbols > 3) {
+    numsymbols = 3;
+  }
+
+  let numupper = pw.replace(/[A-Z]/g, "");
+  let upper = pw.length - numupper.length;
+  if (upper > 3) {
+    upper = 3;
+  }
+
+  let pwstrength =
+    pwlength * 10 - 20 + numeric * 10 + numsymbols * 15 + upper * 10;
+
+  // Clamp strength to [0, 100].
+  if (pwstrength < 0) {
+    pwstrength = 0;
+  }
+  if (pwstrength > 100) {
+    pwstrength = 100;
+  }
+
+  let meter = document.getElementById("pwmeter");
+  meter.setAttribute("value", pwstrength);
+}
+
+function checkPasswords() {
+  let pw1 = document.getElementById("pw1").value;
+  let pw2 = document.getElementById("pw2").value;
+
+  var oldpwbox = document.getElementById("oldpw");
+  if (oldpwbox) {
+    var initpw = oldpwbox.getAttribute("inited");
+
+    if (initpw == "empty" && pw1 == "") {
+      // The token has already been initialized, therefore this dialog
+      // was called with the intention to change the password.
+      // The token currently uses an empty password.
+      // We will not allow changing the password from empty to empty.
+      document
+        .getElementById("set_password")
+        .getButton("accept").disabled = true;
+      return;
+    }
+  }
+
+  document.getElementById("set_password").getButton("accept").disabled =
+    pw1 != pw2;
+}
diff --git a/security/manager/pki/resources/content/changepassword.xhtml b/security/manager/pki/resources/content/changepassword.xhtml
new file mode 100644
index 0000000000..8ed7e5e6a2
--- /dev/null
+++ b/security/manager/pki/resources/content/changepassword.xhtml
@@ -0,0 +1,77 @@
+<?xml version="1.0"?>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+   - License, v. 2.0. If a copy of the MPL was not distributed with this
+   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+
+<?xml-stylesheet href="chrome://global/skin/global.css" type="text/css"?>
+
+<!DOCTYPE window>
+
+<window
+  data-l10n-id="change-device-password-window"
+  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+  xmlns:html="http://www.w3.org/1999/xhtml"
+  onload="onLoad();"
+>
+  <dialog id="set_password" buttons="accept,cancel">
+    <linkset>
+      <html:link rel="localization" href="security/pippki/pippki.ftl" />
+    </linkset>
+
+    <stringbundle
+      id="pippki_bundle"
+      src="chrome://pippki/locale/pippki.properties"
+    />
+
+    <script src="chrome://global/content/globalOverlay.js" />
+    <script src="chrome://global/content/editMenuOverlay.js" />
+
+    <script src="chrome://pippki/content/changepassword.js" />
+
+    <hbox align="center">
+      <label
+        id="tokenName"
+        data-l10n-id="change-password-token"
+        data-l10n-args='{"tokenName":""}'
+      />
+    </hbox>
+
+    <separator />
+
+    <vbox>
+      <hbox class="input-row">
+        <label flex="1" data-l10n-id="change-password-old" />
+        <html:input id="oldpw" type="password" />
+        <!-- This textbox is inserted as a workaround to the fact that making the 'type'
+         & 'disabled' property of the 'oldpw' textbox toggle between ['password' &
+         'false'] and ['text' & 'true'] - as would be necessary if the menu has more
+         than one tokens, some initialized and some not - does not work properly. So,
+         either the textbox 'oldpw' or the textbox 'message' would be displayed,
+         depending on the state of the token selected
+     -->
+        <html:input id="message" disabled="true" />
+      </hbox>
+      <hbox class="input-row">
+        <label flex="1" data-l10n-id="change-password-new" />
+        <html:input
+          id="pw1"
+          type="password"
+          oninput="setPasswordStrength(); checkPasswords();"
+        />
+      </hbox>
+      <hbox class="input-row">
+        <label flex="1" data-l10n-id="change-password-reenter" />
+        <html:input id="pw2" type="password" oninput="checkPasswords();" />
+      </hbox>
+    </vbox>
+
+    <vbox style="margin: 6px">
+      <label
+        for="pwmeter"
+        style="display: flex"
+        data-l10n-id="password-quality-meter"
+      />
+      <html:progress id="pwmeter" value="0" max="100" />
+    </vbox>
+  </dialog>
+</window>
diff --git a/security/manager/pki/resources/content/clientauthask.js b/security/manager/pki/resources/content/clientauthask.js
new file mode 100644
index 0000000000..782b0d7204
--- /dev/null
+++ b/security/manager/pki/resources/content/clientauthask.js
@@ -0,0 +1,178 @@
+/* -*- tab-width: 2; indent-tabs-mode: nil; js-indent-level: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/* import-globals-from pippki.js */
+"use strict";
+
+const { parse, pemToDER } = ChromeUtils.importESModule(
+  "chrome://global/content/certviewer/certDecoder.mjs"
+);
+
+/**
+ * @file Implements the functionality of clientauthask.xhtml: a dialog that allows
+ *       a user pick a client certificate for TLS client authentication.
+ * @param {string} window.arguments.0
+ *           The hostname of the server requesting client authentication.
+ * @param {string} window.arguments.1
+ *           The Organization of the server cert.
+ * @param {string} window.arguments.2
+ *           The Organization of the issuer of the server cert.
+ * @param {number} window.arguments.3
+ *           The port of the server.
+ * @param {nsISupports} window.arguments.4
+ *           List of certificates the user can choose from, queryable to
+ *           nsIArray<nsIX509Cert>.
+ * @param {nsISupports} window.arguments.5
+ *           Object to set the return values of calling the dialog on, queryable
+ *           to the underlying type of ClientAuthAskReturnValues.
+ */
+
+/**
+ * @typedef ClientAuthAskReturnValues
+ * @type {nsIWritablePropertyBag2}
+ * @property {boolean} certChosen
+ *           Set to true if the user chose a cert and accepted the dialog, false
+ *           otherwise.
+ * @property {boolean} rememberSelection
+ *           Set to true if the user wanted their cert selection to be
+ *           remembered, false otherwise.
+ * @property {number} selectedIndex
+ *           The index the chosen cert is at for the given cert list. Undefined
+ *           value if |certChosen| is not true.
+ */
+
+/**
+ * The pippki <stringbundle> element.
+ *
+ * @type {stringbundle}
+ * @see {@link toolkit/content/widgets/stringbundle.js}
+ */
+var bundle;
+/**
+ * The array of certs the user can choose from.
+ *
+ * @type {nsIArray<nsIX509Cert>}
+ */
+var certArray;
+/**
+ * The checkbox storing whether the user wants to remember the selected cert.
+ *
+ * @type {HTMLInputElement} Element checkbox, has to have |checked| property.
+ */
+var rememberBox;
+
+async function onLoad() {
+  bundle = document.getElementById("pippki_bundle");
+  let rememberSetting = Services.prefs.getBoolPref(
+    "security.remember_cert_checkbox_default_setting"
+  );
+
+  rememberBox = document.getElementById("rememberBox");
+  rememberBox.label = bundle.getString("clientAuthRemember");
+  rememberBox.checked = rememberSetting;
+
+  let hostname = window.arguments[0];
+  let org = window.arguments[1];
+  let issuerOrg = window.arguments[2];
+  let port = window.arguments[3];
+  let formattedOrg = bundle.getFormattedString("clientAuthMessage1", [org]);
+  let formattedIssuerOrg = bundle.getFormattedString("clientAuthMessage2", [
+    issuerOrg,
+  ]);
+  let formattedHostnameAndPort = bundle.getFormattedString(
+    "clientAuthHostnameAndPort",
+    [hostname, port.toString()]
+  );
+  setText("hostname", formattedHostnameAndPort);
+  setText("organization", formattedOrg);
+  setText("issuer", formattedIssuerOrg);
+
+  let selectElement = document.getElementById("nicknames");
+  certArray = window.arguments[4].QueryInterface(Ci.nsIArray);
+  for (let i = 0; i < certArray.length; i++) {
+    let menuItemNode = document.createXULElement("menuitem");
+    let cert = certArray.queryElementAt(i, Ci.nsIX509Cert);
+    let nickAndSerial = bundle.getFormattedString("clientAuthNickAndSerial", [
+      cert.displayName,
+      cert.serialNumber,
+    ]);
+    menuItemNode.setAttribute("value", i);
+    menuItemNode.setAttribute("label", nickAndSerial); // This is displayed.
+    selectElement.menupopup.appendChild(menuItemNode);
+    if (i == 0) {
+      selectElement.selectedItem = menuItemNode;
+    }
+  }
+
+  await setDetails();
+  document.addEventListener("dialogaccept", doOK);
+  document.addEventListener("dialogcancel", doCancel);
+
+  Services.obs.notifyObservers(
+    document.getElementById("certAuthAsk"),
+    "cert-dialog-loaded"
+  );
+}
+
+/**
+ * Populates the details section with information concerning the selected cert.
+ */
+async function setDetails() {
+  let index = parseInt(document.getElementById("nicknames").value);
+  let cert = certArray.queryElementAt(index, Ci.nsIX509Cert);
+
+  const formatter = new Intl.DateTimeFormat(undefined, {
+    dateStyle: "medium",
+    timeStyle: "long",
+  });
+  let detailLines = [
+    bundle.getFormattedString("clientAuthIssuedTo", [cert.subjectName]),
+    bundle.getFormattedString("clientAuthSerial", [cert.serialNumber]),
+    bundle.getFormattedString("clientAuthValidityPeriod", [
+      formatter.format(new Date(cert.validity.notBefore / 1000)),
+      formatter.format(new Date(cert.validity.notAfter / 1000)),
+    ]),
+  ];
+  let parsedCert = await parse(pemToDER(cert.getBase64DERString()));
+  let keyUsages = parsedCert.ext.keyUsages;
+  if (keyUsages && keyUsages.purposes.length) {
+    detailLines.push(
+      bundle.getFormattedString("clientAuthKeyUsages", [keyUsages.purposes])
+    );
+  }
+  let emailAddresses = cert.getEmailAddresses();
+  if (emailAddresses.length) {
+    let joinedAddresses = emailAddresses.join(", ");
+    detailLines.push(
+      bundle.getFormattedString("clientAuthEmailAddresses", [joinedAddresses])
+    );
+  }
+  detailLines.push(
+    bundle.getFormattedString("clientAuthIssuedBy", [cert.issuerName])
+  );
+  detailLines.push(
+    bundle.getFormattedString("clientAuthStoredOn", [cert.tokenName])
+  );
+
+  document.getElementById("details").value = detailLines.join("\n");
+}
+
+async function onCertSelected() {
+  await setDetails();
+}
+
+function doOK() {
+  let retVals = window.arguments[5].QueryInterface(Ci.nsIWritablePropertyBag2);
+  retVals.setPropertyAsBool("certChosen", true);
+  let index = parseInt(document.getElementById("nicknames").value);
+  retVals.setPropertyAsUint32("selectedIndex", index);
+  retVals.setPropertyAsBool("rememberSelection", rememberBox.checked);
+}
+
+function doCancel() {
+  let retVals = window.arguments[5].QueryInterface(Ci.nsIWritablePropertyBag2);
+  retVals.setPropertyAsBool("certChosen", false);
+  retVals.setPropertyAsBool("rememberSelection", rememberBox.checked);
+}
diff --git a/security/manager/pki/resources/content/clientauthask.xhtml b/security/manager/pki/resources/content/clientauthask.xhtml
new file mode 100644
index 0000000000..f182372ed2
--- /dev/null
+++ b/security/manager/pki/resources/content/clientauthask.xhtml
@@ -0,0 +1,55 @@
+<?xml version="1.0"?>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+   - License, v. 2.0. If a copy of the MPL was not distributed with this
+   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+
+<?xml-stylesheet href="chrome://global/skin/global.css" type="text/css"?>
+
+<!DOCTYPE window>
+
+<window
+  data-l10n-id="client-auth-window"
+  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+  xmlns:html="http://www.w3.org/1999/xhtml"
+  onload="onLoad();"
+>
+  <dialog id="certAuthAsk" buttons="accept,cancel">
+    <linkset>
+      <html:link rel="localization" href="security/pippki/pippki.ftl" />
+    </linkset>
+
+    <stringbundleset id="stringbundleset">
+      <stringbundle
+        id="pippki_bundle"
+        src="chrome://pippki/locale/pippki.properties"
+      />
+    </stringbundleset>
+
+    <script src="chrome://pippki/content/pippki.js" />
+    <script src="chrome://pippki/content/clientauthask.js" />
+    <script src="chrome://global/content/globalOverlay.js" />
+    <script src="chrome://global/content/editMenuOverlay.js" />
+
+    <description
+      style="font-weight: bold"
+      data-l10n-id="client-auth-site-description"
+    ></description>
+    <description id="hostname" />
+    <description id="organization" />
+    <description id="issuer" />
+
+    <description
+      style="font-weight: bold"
+      data-l10n-id="client-auth-choose-cert"
+    ></description>
+    <!-- The items in this menulist must never be sorted,
+     but remain in the order filled by the application
+-->
+    <menulist id="nicknames" oncommand="onCertSelected();" native="true">
+      <menupopup />
+    </menulist>
+    <description data-l10n-id="client-auth-cert-details"></description>
+    <html:textarea readonly="readonly" id="details" style="height: 11em" />
+    <checkbox id="rememberBox" checked="true" native="true" />
+  </dialog>
+</window>
diff --git a/security/manager/pki/resources/content/deletecert.css b/security/manager/pki/resources/content/deletecert.css
new file mode 100644
index 0000000000..4607f0a44a
--- /dev/null
+++ b/security/manager/pki/resources/content/deletecert.css
@@ -0,0 +1,19 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+dialog::part(content-box) {
+  flex: 1;
+}
+
+#confirm,
+#impact {
+  /* We don't want these to impact the horizontal size of the dialog */
+  contain: inline-size;
+}
+
+#certlist {
+  flex: 1;
+  min-height: 8em;
+  min-width: 35em;
+}
diff --git a/security/manager/pki/resources/content/deletecert.js b/security/manager/pki/resources/content/deletecert.js
new file mode 100644
index 0000000000..7d926863ed
--- /dev/null
+++ b/security/manager/pki/resources/content/deletecert.js
@@ -0,0 +1,121 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/* import-globals-from pippki.js */
+"use strict";
+
+/**
+ * @file Implements the functionality of deletecert.xhtml: a dialog that allows a
+ *       user to confirm whether to delete certain certificates.
+ * @param {string} window.arguments.0
+ *           One of the tab IDs listed in certManager.xhtml.
+ * @param {object[]} window.arguments.1
+ *           An array of objects representing the certs to delete.
+ *           Each must have a 'cert' property or a 'hostPort' property.
+ * @param {DeleteCertReturnValues} window.arguments.2
+ *           Object holding the return values of calling the dialog.
+ */
+
+/**
+ * @typedef DeleteCertReturnValues
+ * @type {object}
+ * @property {boolean} deleteConfirmed
+ *           Set to true if the user confirmed deletion of the given certs,
+ *           false otherwise.
+ */
+
+/**
+ * Returns the element to represent the given cert to delete.
+ *
+ * @param {object} certToDelete
+ *        The item to represent.
+ * @returns {Element}
+ *          A element of each cert tree item.
+ */
+function getLabelForCertToDelete(certToDelete) {
+  let element = document.createXULElement("label");
+  let cert = certToDelete.cert;
+  if (!cert) {
+    element.setAttribute("value", certToDelete.hostPort);
+    return element;
+  }
+
+  const attributes = [
+    cert.commonName,
+    cert.organizationalUnit,
+    cert.organization,
+    cert.subjectName,
+  ];
+  for (let attribute of attributes) {
+    if (attribute) {
+      element.setAttribute("value", attribute);
+      return element;
+    }
+  }
+
+  document.l10n.setAttributes(element, "cert-with-serial", {
+    serialNumber: cert.serialNumber,
+  });
+  return element;
+}
+
+/**
+ * onload() handler.
+ */
+function onLoad() {
+  let typeFlag = window.arguments[0];
+  let confirm = document.getElementById("confirm");
+  let impact = document.getElementById("impact");
+  let prefixForType;
+  switch (typeFlag) {
+    case "mine_tab":
+      prefixForType = "delete-user-cert-";
+      break;
+    case "websites_tab":
+      prefixForType = "delete-ssl-override-";
+      break;
+    case "ca_tab":
+      prefixForType = "delete-ca-cert-";
+      break;
+    case "others_tab":
+      prefixForType = "delete-email-cert-";
+      break;
+    default:
+      return;
+  }
+
+  document.l10n.setAttributes(
+    document.documentElement,
+    prefixForType + "title"
+  );
+  document.l10n.setAttributes(confirm, prefixForType + "confirm");
+  document.l10n.setAttributes(impact, prefixForType + "impact");
+
+  document.addEventListener("dialogaccept", onDialogAccept);
+  document.addEventListener("dialogcancel", onDialogCancel);
+
+  let box = document.getElementById("certlist");
+  let certsToDelete = window.arguments[1];
+  for (let certToDelete of certsToDelete) {
+    let listItem = document.createXULElement("richlistitem");
+    let label = getLabelForCertToDelete(certToDelete);
+    listItem.appendChild(label);
+    box.appendChild(listItem);
+  }
+}
+
+/**
+ * ondialogaccept() handler.
+ */
+function onDialogAccept() {
+  let retVals = window.arguments[2];
+  retVals.deleteConfirmed = true;
+}
+
+/**
+ * ondialogcancel() handler.
+ */
+function onDialogCancel() {
+  let retVals = window.arguments[2];
+  retVals.deleteConfirmed = false;
+}
diff --git a/security/manager/pki/resources/content/deletecert.xhtml b/security/manager/pki/resources/content/deletecert.xhtml
new file mode 100644
index 0000000000..44f4248399
--- /dev/null
+++ b/security/manager/pki/resources/content/deletecert.xhtml
@@ -0,0 +1,33 @@
+<?xml version="1.0"?>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+   - License, v. 2.0. If a copy of the MPL was not distributed with this
+   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+
+<?xml-stylesheet href="chrome://global/skin/global.css" type="text/css"?>
+<?xml-stylesheet href="chrome://pippki/content/deletecert.css" type="text/css"?>
+
+<!DOCTYPE window>
+
+<window
+  data-l10n-id="certmgr-delete-cert2"
+  data-l10n-attrs="style"
+  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+  xmlns:html="http://www.w3.org/1999/xhtml"
+  onload="onLoad();"
+>
+  <dialog id="deleteCertificate" buttons="accept,cancel">
+    <linkset>
+      <html:link
+        rel="localization"
+        href="security/certificates/certManager.ftl"
+      />
+    </linkset>
+
+    <script src="pippki.js" />
+    <script src="chrome://pippki/content/deletecert.js" />
+
+    <description id="confirm" />
+    <richlistbox id="certlist" class="box-padded" />
+    <description id="impact" />
+  </dialog>
+</window>
diff --git a/security/manager/pki/resources/content/device_manager.js b/security/manager/pki/resources/content/device_manager.js
new file mode 100644
index 0000000000..deb58d2ff3
--- /dev/null
+++ b/security/manager/pki/resources/content/device_manager.js
@@ -0,0 +1,433 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+const { XPCOMUtils } = ChromeUtils.importESModule(
+  "resource://gre/modules/XPCOMUtils.sys.mjs"
+);
+
+var secmoddb;
+var skip_enable_buttons = false;
+
+/* Do the initial load of all PKCS# modules and list them. */
+function LoadModules() {
+  secmoddb = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+    Ci.nsIPKCS11ModuleDB
+  );
+  RefreshDeviceList();
+}
+
+async function doPrompt(l10n_id) {
+  let [msg] = await document.l10n.formatValues([{ id: l10n_id }]);
+  Services.prompt.alert(window, null, msg);
+}
+
+async function doConfirm(l10n_id) {
+  let [msg] = await document.l10n.formatValues([{ id: l10n_id }]);
+  return Services.prompt.confirm(window, null, msg);
+}
+
+function RefreshDeviceList() {
+  for (let module of secmoddb.listModules()) {
+    let slots = module.listSlots();
+    AddModule(module, slots);
+  }
+
+  // Set the text on the FIPS button.
+  SetFIPSButton();
+}
+
+function SetFIPSButton() {
+  var fipsButton = document.getElementById("fipsbutton");
+  if (secmoddb.isFIPSEnabled) {
+    document.l10n.setAttributes(fipsButton, "devmgr-button-disable-fips");
+  } else {
+    document.l10n.setAttributes(fipsButton, "devmgr-button-enable-fips");
+  }
+
+  var can_toggle = secmoddb.canToggleFIPS;
+  if (can_toggle) {
+    fipsButton.removeAttribute("disabled");
+  } else {
+    fipsButton.setAttribute("disabled", "true");
+  }
+}
+
+/* Add a module to the tree.  slots is the array of slots in the module,
+ * to be represented as children.
+ */
+function AddModule(module, slots) {
+  var tree = document.getElementById("device_list");
+  var item = document.createXULElement("treeitem");
+  var row = document.createXULElement("treerow");
+  var cell = document.createXULElement("treecell");
+  cell.setAttribute("label", module.name);
+  row.appendChild(cell);
+  item.appendChild(row);
+  var parent = document.createXULElement("treechildren");
+  for (let slot of slots) {
+    var child_item = document.createXULElement("treeitem");
+    var child_row = document.createXULElement("treerow");
+    var child_cell = document.createXULElement("treecell");
+    child_cell.setAttribute("label", slot.name);
+    child_row.appendChild(child_cell);
+    child_item.appendChild(child_row);
+    child_item.setAttribute("pk11kind", "slot");
+    // 'slot' is an attribute on any HTML element, hence 'slotObject' instead.
+    child_item.slotObject = slot;
+    parent.appendChild(child_item);
+  }
+  item.appendChild(parent);
+  item.setAttribute("pk11kind", "module");
+  item.module = module;
+  item.setAttribute("open", "true");
+  item.setAttribute("container", "true");
+  tree.appendChild(item);
+}
+
+var selected_slot;
+var selected_module;
+
+/* get the slot selected by the user (can only be one-at-a-time) */
+function getSelectedItem() {
+  let tree = document.getElementById("device_tree");
+  if (tree.currentIndex < 0) {
+    return;
+  }
+  let item = tree.view.getItemAtIndex(tree.currentIndex);
+  selected_slot = null;
+  selected_module = null;
+  if (item) {
+    let kind = item.getAttribute("pk11kind");
+    if (kind == "slot") {
+      selected_slot = item.slotObject;
+    } else {
+      // (kind == "module")
+      selected_module = item.module;
+    }
+  }
+}
+
+function enableButtons() {
+  if (skip_enable_buttons) {
+    return;
+  }
+
+  var login_toggle = "true";
+  var logout_toggle = "true";
+  var pw_toggle = "true";
+  var unload_toggle = "true";
+  getSelectedItem();
+  if (selected_module) {
+    unload_toggle = "false";
+    showModuleInfo();
+  } else if (selected_slot) {
+    // here's the workaround - login functions are all with token,
+    // so grab the token type
+    var selected_token = selected_slot.getToken();
+    if (selected_token != null) {
+      if (selected_token.needsLogin() || !selected_token.needsUserInit) {
+        pw_toggle = "false";
+        if (selected_token.needsLogin()) {
+          if (selected_token.isLoggedIn()) {
+            logout_toggle = "false";
+          } else {
+            login_toggle = "false";
+          }
+        }
+      }
+
+      if (
+        !Services.policies.isAllowed("createMasterPassword") &&
+        selected_token.isInternalKeyToken &&
+        !selected_token.hasPassword
+      ) {
+        pw_toggle = "true";
+      }
+    }
+    showSlotInfo();
+  }
+  document
+    .getElementById("login_button")
+    .setAttribute("disabled", login_toggle);
+  document
+    .getElementById("logout_button")
+    .setAttribute("disabled", logout_toggle);
+  document
+    .getElementById("change_pw_button")
+    .setAttribute("disabled", pw_toggle);
+  document
+    .getElementById("unload_button")
+    .setAttribute("disabled", unload_toggle);
+}
+
+// clear the display of information for the slot
+function ClearInfoList() {
+  let infoList = document.getElementById("info_list");
+  while (infoList.hasChildNodes()) {
+    infoList.firstChild.remove();
+  }
+}
+
+function ClearDeviceList() {
+  ClearInfoList();
+
+  skip_enable_buttons = true;
+  var tree = document.getElementById("device_tree");
+  tree.view.selection.clearSelection();
+  skip_enable_buttons = false;
+
+  // Remove the existing listed modules so that a refresh doesn't display the
+  // module that just changed.
+  let deviceList = document.getElementById("device_list");
+  while (deviceList.hasChildNodes()) {
+    deviceList.firstChild.remove();
+  }
+}
+
+// show a list of info about a slot
+function showSlotInfo() {
+  var present = true;
+  ClearInfoList();
+  switch (selected_slot.status) {
+    case Ci.nsIPKCS11Slot.SLOT_DISABLED:
+      AddInfoRow(
+        "devinfo-status",
+        { l10nID: "devinfo-status-disabled" },
+        "tok_status"
+      );
+      present = false;
+      break;
+    case Ci.nsIPKCS11Slot.SLOT_NOT_PRESENT:
+      AddInfoRow(
+        "devinfo-status",
+        { l10nID: "devinfo-status-not-present" },
+        "tok_status"
+      );
+      present = false;
+      break;
+    case Ci.nsIPKCS11Slot.SLOT_UNINITIALIZED:
+      AddInfoRow(
+        "devinfo-status",
+        { l10nID: "devinfo-status-uninitialized" },
+        "tok_status"
+      );
+      break;
+    case Ci.nsIPKCS11Slot.SLOT_NOT_LOGGED_IN:
+      AddInfoRow(
+        "devinfo-status",
+        { l10nID: "devinfo-status-not-logged-in" },
+        "tok_status"
+      );
+      break;
+    case Ci.nsIPKCS11Slot.SLOT_LOGGED_IN:
+      AddInfoRow(
+        "devinfo-status",
+        { l10nID: "devinfo-status-logged-in" },
+        "tok_status"
+      );
+      break;
+    case Ci.nsIPKCS11Slot.SLOT_READY:
+      AddInfoRow(
+        "devinfo-status",
+        { l10nID: "devinfo-status-ready" },
+        "tok_status"
+      );
+      break;
+    default:
+      return;
+  }
+  AddInfoRow("devinfo-desc", { label: selected_slot.desc }, "slot_desc");
+  AddInfoRow("devinfo-man-id", { label: selected_slot.manID }, "slot_manID");
+  AddInfoRow(
+    "devinfo-hwversion",
+    { label: selected_slot.HWVersion },
+    "slot_hwv"
+  );
+  AddInfoRow(
+    "devinfo-fwversion",
+    { label: selected_slot.FWVersion },
+    "slot_fwv"
+  );
+  if (present) {
+    showTokenInfo();
+  }
+}
+
+function showModuleInfo() {
+  ClearInfoList();
+  AddInfoRow("devinfo-modname", { label: selected_module.name }, "module_name");
+  AddInfoRow(
+    "devinfo-modpath",
+    { label: selected_module.libName },
+    "module_path"
+  );
+}
+
+// add a row to the info list, as [col1 col2] (ex.: ["status" "logged in"])
+function AddInfoRow(l10nID, col2, cell_id) {
+  var tree = document.getElementById("info_list");
+  var item = document.createXULElement("treeitem");
+  var row = document.createXULElement("treerow");
+  var cell1 = document.createXULElement("treecell");
+  document.l10n.setAttributes(cell1, l10nID);
+  cell1.setAttribute("crop", "never");
+  row.appendChild(cell1);
+  var cell2 = document.createXULElement("treecell");
+  if (col2.l10nID) {
+    document.l10n.setAttributes(cell2, col2.l10nID);
+  } else {
+    cell2.setAttribute("label", col2.label);
+  }
+  cell2.setAttribute("crop", "never");
+  cell2.setAttribute("id", cell_id);
+  row.appendChild(cell2);
+  item.appendChild(row);
+  tree.appendChild(item);
+}
+
+// log in to a slot
+function doLogin() {
+  getSelectedItem();
+  // here's the workaround - login functions are with token
+  var selected_token = selected_slot.getToken();
+  try {
+    selected_token.login(false);
+    var tok_status = document.getElementById("tok_status");
+    if (selected_token.isLoggedIn()) {
+      document.l10n.setAttributes(tok_status, "devinfo-status-logged-in");
+    } else {
+      document.l10n.setAttributes(tok_status, "devinfo-status-not-logged-in");
+    }
+  } catch (e) {
+    doPrompt("login-failed");
+  }
+  enableButtons();
+}
+
+// log out of a slot
+function doLogout() {
+  getSelectedItem();
+  // here's the workaround - login functions are with token
+  var selected_token = selected_slot.getToken();
+  try {
+    selected_token.logoutAndDropAuthenticatedResources();
+    var tok_status = document.getElementById("tok_status");
+    if (selected_token.isLoggedIn()) {
+      document.l10n.setAttributes(tok_status, "devinfo-status-logged-in");
+    } else {
+      document.l10n.setAttributes(tok_status, "devinfo-status-not-logged-in");
+    }
+  } catch (e) {}
+  enableButtons();
+}
+
+// load a new device
+function doLoad() {
+  window.browsingContext.topChromeWindow.open(
+    "load_device.xhtml",
+    "loaddevice",
+    "chrome,centerscreen,modal"
+  );
+  ClearDeviceList();
+  RefreshDeviceList();
+}
+
+async function deleteSelected() {
+  getSelectedItem();
+  if (selected_module && (await doConfirm("del-module-warning"))) {
+    try {
+      secmoddb.deleteModule(selected_module.name);
+    } catch (e) {
+      doPrompt("del-module-error");
+      return false;
+    }
+    selected_module = null;
+    return true;
+  }
+  return false;
+}
+
+async function doUnload() {
+  if (await deleteSelected()) {
+    ClearDeviceList();
+    RefreshDeviceList();
+  }
+}
+
+function changePassword() {
+  getSelectedItem();
+  let params = Cc["@mozilla.org/embedcomp/dialogparam;1"].createInstance(
+    Ci.nsIDialogParamBlock
+  );
+  let objects = Cc["@mozilla.org/array;1"].createInstance(Ci.nsIMutableArray);
+  objects.appendElement(selected_slot.getToken());
+  params.objects = objects;
+  window.browsingContext.topChromeWindow.openDialog(
+    "changepassword.xhtml",
+    "",
+    "chrome,centerscreen,modal",
+    params
+  );
+  showSlotInfo();
+  enableButtons();
+}
+
+// -------------------------------------   Old code
+
+function showTokenInfo() {
+  var selected_token = selected_slot.getToken();
+  AddInfoRow("devinfo-label", { label: selected_token.tokenName }, "tok_label");
+  AddInfoRow(
+    "devinfo-man-id",
+    { label: selected_token.tokenManID },
+    "tok_manID"
+  );
+  AddInfoRow(
+    "devinfo-serialnum",
+    { label: selected_token.tokenSerialNumber },
+    "tok_sNum"
+  );
+  AddInfoRow(
+    "devinfo-hwversion",
+    { label: selected_token.tokenHWVersion },
+    "tok_hwv"
+  );
+  AddInfoRow(
+    "devinfo-fwversion",
+    { label: selected_token.tokenFWVersion },
+    "tok_fwv"
+  );
+}
+
+function toggleFIPS() {
+  if (!secmoddb.isFIPSEnabled) {
+    // A restriction of FIPS mode is, the password must be set
+    // In FIPS mode the password must be non-empty.
+    // This is different from what we allow in NON-Fips mode.
+
+    var tokendb = Cc["@mozilla.org/security/pk11tokendb;1"].getService(
+      Ci.nsIPK11TokenDB
+    );
+    var internal_token = tokendb.getInternalKeyToken(); // nsIPK11Token
+    if (!internal_token.hasPassword) {
+      // Token has either no or an empty password.
+      doPrompt("fips-nonempty-primary-password-required");
+      return;
+    }
+  }
+
+  try {
+    secmoddb.toggleFIPSMode();
+  } catch (e) {
+    doPrompt("unable-to-toggle-fips");
+    return;
+  }
+
+  // Remove the existing listed modules so that a refresh doesn't display the
+  // module that just changed.
+  ClearDeviceList();
+
+  RefreshDeviceList();
+}
diff --git a/security/manager/pki/resources/content/device_manager.xhtml b/security/manager/pki/resources/content/device_manager.xhtml
new file mode 100644
index 0000000000..145aa98c3d
--- /dev/null
+++ b/security/manager/pki/resources/content/device_manager.xhtml
@@ -0,0 +1,113 @@
+<?xml version="1.0"?>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+   - License, v. 2.0. If a copy of the MPL was not distributed with this
+   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+
+<?xml-stylesheet href="chrome://global/skin/global.css" type="text/css"?>
+
+<!DOCTYPE dialog>
+
+<window
+  windowtype="mozilla:devicemanager"
+  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+  xmlns:html="http://www.w3.org/1999/xhtml"
+  data-l10n-id="devmgr-window"
+  data-l10n-attrs="style"
+  persist="screenX screenY width height"
+  onload="LoadModules();"
+>
+  <dialog id="devicemanager" buttons="accept">
+    <linkset>
+      <html:link
+        rel="localization"
+        href="security/certificates/deviceManager.ftl"
+      />
+    </linkset>
+
+    <script src="chrome://pippki/content/device_manager.js" />
+
+    <hbox flex="1" style="margin: 5px">
+      <!-- List of devices -->
+      <tree
+        id="device_tree"
+        seltype="single"
+        onselect="enableButtons();"
+        hidecolumnpicker="true"
+        flex="1"
+        style="min-width: 15em"
+      >
+        <treecols>
+          <treecol
+            id="deviceCol"
+            flex="1"
+            primary="true"
+            data-l10n-id="devmgr-devlist"
+          />
+        </treecols>
+        <treechildren id="device_list" />
+      </tree>
+      <!-- / List of devices -->
+      <!-- Device status -->
+      <tree
+        id="info_tree"
+        seltype="single"
+        hidecolumnpicker="true"
+        style="flex: 3 3; min-width: 10em"
+      >
+        <treecols>
+          <treecol
+            id="title1Col"
+            style="flex: 5 5 auto"
+            primary="true"
+            data-l10n-id="devmgr-header-details"
+          />
+          <treecol
+            id="title2Col"
+            style="flex: 7 7 auto"
+            data-l10n-id="devmgr-header-value"
+          />
+        </treecols>
+        <treechildren id="info_list" />
+      </tree>
+      <!-- / Device status -->
+      <vbox>
+        <!-- Buttons for manipulating devices -->
+        <button
+          id="login_button"
+          data-l10n-id="devmgr-button-login"
+          oncommand="doLogin();"
+          disabled="true"
+        />
+        <button
+          id="logout_button"
+          data-l10n-id="devmgr-button-logout"
+          oncommand="doLogout();"
+          disabled="true"
+        />
+        <button
+          id="change_pw_button"
+          data-l10n-id="devmgr-button-changepw"
+          oncommand="changePassword();"
+          disabled="true"
+        />
+        <button
+          id="load_button"
+          data-l10n-id="devmgr-button-load"
+          oncommand="doLoad();"
+        />
+        <button
+          id="unload_button"
+          data-l10n-id="devmgr-button-unload"
+          oncommand="doUnload();"
+          disabled="true"
+        />
+        <button
+          id="fipsbutton"
+          data-l10n-id="devmgr-button-enable-fips"
+          oncommand="toggleFIPS();"
+        />
+      </vbox>
+      <!-- / Buttons for manipulating devices -->
+    </hbox>
+  </dialog>
+</window>
diff --git a/security/manager/pki/resources/content/downloadcert.js b/security/manager/pki/resources/content/downloadcert.js
new file mode 100644
index 0000000000..8451997441
--- /dev/null
+++ b/security/manager/pki/resources/content/downloadcert.js
@@ -0,0 +1,83 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/* import-globals-from pippki.js */
+"use strict";
+
+/**
+ * @file Implements the functionality of downloadcert.xhtml: a dialog that allows
+ *       a user to confirm whether to import a certificate, and if so what trust
+ *       to give it.
+ * @param {nsISupports} window.arguments.0
+ *           Certificate to confirm import of, queryable to nsIX509Cert.
+ * @param {nsISupports} window.arguments.1
+ *           Object to set the return values of calling the dialog on, queryable
+ *           to the underlying type of DownloadCertReturnValues.
+ */
+
+/**
+ * @typedef DownloadCertReturnValues
+ * @type {nsIWritablePropertyBag2}
+ * @property {boolean} importConfirmed
+ *           Set to true if the user confirmed import of the cert and accepted
+ *           the dialog, false otherwise.
+ * @property {boolean} trustForSSL
+ *           Set to true if the cert should be trusted for SSL, false otherwise.
+ *           Undefined value if |importConfirmed| is not true.
+ * @property {boolean} trustForEmail
+ *           Set to true if the cert should be trusted for e-mail, false
+ *           otherwise. Undefined value if |importConfirmed| is not true.
+ */
+
+/**
+ * The cert to potentially import.
+ *
+ * @type {nsIX509Cert}
+ */
+var gCert;
+
+/**
+ * onload() handler.
+ */
+function onLoad() {
+  gCert = window.arguments[0].QueryInterface(Ci.nsIX509Cert);
+
+  document.addEventListener("dialogaccept", onDialogAccept);
+  document.addEventListener("dialogcancel", onDialogCancel);
+
+  let bundle = document.getElementById("pippki_bundle");
+  let caName = gCert.commonName;
+  if (!caName.length) {
+    caName = bundle.getString("unnamedCA");
+  }
+
+  setText("trustHeader", bundle.getFormattedString("newCAMessage1", [caName]));
+}
+
+/**
+ * Handler for the "View Cert" button.
+ */
+function viewCert() {
+  viewCertHelper(window, gCert, "window");
+}
+
+/**
+ * ondialogaccept() handler.
+ */
+function onDialogAccept() {
+  let checkSSL = document.getElementById("trustSSL");
+  let checkEmail = document.getElementById("trustEmail");
+
+  let retVals = window.arguments[1].QueryInterface(Ci.nsIWritablePropertyBag2);
+  retVals.setPropertyAsBool("importConfirmed", true);
+  retVals.setPropertyAsBool("trustForSSL", checkSSL.checked);
+  retVals.setPropertyAsBool("trustForEmail", checkEmail.checked);
+}
+
+/**
+ * ondialogcancel() handler.
+ */
+function onDialogCancel() {
+  let retVals = window.arguments[1].QueryInterface(Ci.nsIWritablePropertyBag2);
+  retVals.setPropertyAsBool("importConfirmed", false);
+}
diff --git a/security/manager/pki/resources/content/downloadcert.xhtml b/security/manager/pki/resources/content/downloadcert.xhtml
new file mode 100644
index 0000000000..cf85c01faf
--- /dev/null
+++ b/security/manager/pki/resources/content/downloadcert.xhtml
@@ -0,0 +1,66 @@
+<?xml version="1.0"?>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+   - License, v. 2.0. If a copy of the MPL was not distributed with this
+   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+
+<?xml-stylesheet href="chrome://global/skin/global.css" type="text/css"?>
+
+<!DOCTYPE window>
+
+<window
+  data-l10n-id="download-cert-window2"
+  data-l10n-attrs="title, style"
+  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+  xmlns:html="http://www.w3.org/1999/xhtml"
+  onload="onLoad();"
+>
+  <dialog id="download_cert" buttons="accept,cancel">
+    <linkset>
+      <html:link rel="localization" href="security/pippki/pippki.ftl" />
+    </linkset>
+
+    <stringbundle
+      id="pippki_bundle"
+      src="chrome://pippki/locale/pippki.properties"
+    />
+
+    <script src="chrome://pippki/content/pippki.js" />
+    <script src="chrome://pippki/content/downloadcert.js" />
+
+    <!--  Let 'em know what they're doing -->
+    <vbox>
+      <description data-l10n-id="download-cert-message"></description>
+    </vbox>
+
+    <separator />
+
+    <!--  checkboxes for trust bits
+     -  "do you want to?"
+     -  * trust for SSL
+     -  * trust for email
+    -->
+    <vbox>
+      <description id="trustHeader" />
+      <checkbox data-l10n-id="download-cert-trust-ssl" id="trustSSL" />
+      <checkbox data-l10n-id="download-cert-trust-email" id="trustEmail" />
+    </vbox>
+
+    <separator />
+
+    <vbox>
+      <description data-l10n-id="download-cert-message-desc"></description>
+      <separator />
+      <hbox>
+        <button
+          id="viewC-button"
+          data-l10n-id="download-cert-view-cert"
+          oncommand="viewCert();"
+        />
+        <description
+          style="margin: 4px"
+          data-l10n-id="download-cert-view-text"
+        ></description>
+      </hbox>
+    </vbox>
+  </dialog>
+</window>
diff --git a/security/manager/pki/resources/content/editcacert.js b/security/manager/pki/resources/content/editcacert.js
new file mode 100644
index 0000000000..ecb6b3e3ce
--- /dev/null
+++ b/security/manager/pki/resources/content/editcacert.js
@@ -0,0 +1,52 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/* import-globals-from pippki.js */
+"use strict";
+
+var gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+/**
+ * Cert to edit the trust of.
+ *
+ * @type {nsIX509Cert}
+ */
+var gCert = window.arguments[0];
+
+document.addEventListener("DOMContentLoaded", init);
+
+function init() {
+  document.addEventListener("dialogaccept", onDialogAccept);
+
+  let sslCheckbox = document.getElementById("trustSSL");
+  sslCheckbox.checked = gCertDB.isCertTrusted(
+    gCert,
+    Ci.nsIX509Cert.CA_CERT,
+    Ci.nsIX509CertDB.TRUSTED_SSL
+  );
+
+  let emailCheckbox = document.getElementById("trustEmail");
+  emailCheckbox.checked = gCertDB.isCertTrusted(
+    gCert,
+    Ci.nsIX509Cert.CA_CERT,
+    Ci.nsIX509CertDB.TRUSTED_EMAIL
+  );
+
+  let certMsg = document.getElementById("certmsg");
+  document.l10n.setAttributes(certMsg, "edit-trust-ca", {
+    certName: gCert.commonName,
+  });
+}
+
+/**
+ * ondialogaccept() handler.
+ */
+function onDialogAccept() {
+  let sslCheckbox = document.getElementById("trustSSL");
+  let emailCheckbox = document.getElementById("trustEmail");
+  let trustSSL = sslCheckbox.checked ? Ci.nsIX509CertDB.TRUSTED_SSL : 0;
+  let trustEmail = emailCheckbox.checked ? Ci.nsIX509CertDB.TRUSTED_EMAIL : 0;
+
+  gCertDB.setCertTrust(gCert, Ci.nsIX509Cert.CA_CERT, trustSSL | trustEmail);
+}
diff --git a/security/manager/pki/resources/content/editcacert.xhtml b/security/manager/pki/resources/content/editcacert.xhtml
new file mode 100644
index 0000000000..2d4dabb367
--- /dev/null
+++ b/security/manager/pki/resources/content/editcacert.xhtml
@@ -0,0 +1,35 @@
+<?xml version="1.0"?>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+   - License, v. 2.0. If a copy of the MPL was not distributed with this
+   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+
+<?xml-stylesheet href="chrome://global/skin/global.css" type="text/css"?>
+
+<!DOCTYPE window>
+
+<window
+  data-l10n-id="certmgr-edit-ca-cert2"
+  data-l10n-attrs="style"
+  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+  xmlns:html="http://www.w3.org/1999/xhtml"
+>
+  <dialog id="editCaCert" buttons="accept,cancel">
+    <linkset>
+      <html:link
+        rel="localization"
+        href="security/certificates/certManager.ftl"
+      />
+    </linkset>
+
+    <script src="chrome://pippki/content/pippki.js" />
+    <script src="chrome://pippki/content/editcacert.js" />
+
+    <description id="certmsg" />
+    <separator />
+    <description data-l10n-id="certmgr-edit-cert-edit-trust" />
+    <vbox align="start">
+      <checkbox data-l10n-id="certmgr-edit-cert-trust-ssl" id="trustSSL" />
+      <checkbox data-l10n-id="certmgr-edit-cert-trust-email" id="trustEmail" />
+    </vbox>
+  </dialog>
+</window>
diff --git a/security/manager/pki/resources/content/exceptionDialog.css b/security/manager/pki/resources/content/exceptionDialog.css
new file mode 100644
index 0000000000..b2c8eb7a7b
--- /dev/null
+++ b/security/manager/pki/resources/content/exceptionDialog.css
@@ -0,0 +1,35 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+:root {
+  max-width: 40em;
+  min-width: 35em;
+}
+
+#warningSupplemental,
+.description {
+  font-weight: bold;
+}
+
+.longDescription {
+  padding-bottom: 1em;
+}
+
+#warningText,
+#warningSupplemental,
+#headerDescription,
+.longDescription {
+  /* Don't let these affect the min horizontal size of the dialog */
+  contain: inline-size;
+  white-space: pre-wrap;
+}
+
+.description:empty,
+.longDescription:empty {
+  display: none;
+}
+
+#locationTextBox {
+  flex: 1;
+}
diff --git a/security/manager/pki/resources/content/exceptionDialog.js b/security/manager/pki/resources/content/exceptionDialog.js
new file mode 100644
index 0000000000..1953cce8fa
--- /dev/null
+++ b/security/manager/pki/resources/content/exceptionDialog.js
@@ -0,0 +1,334 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/* import-globals-from pippki.js */
+"use strict";
+
+var gDialog;
+var gSecInfo;
+var gCert;
+var gChecking;
+var gBroken;
+var gNeedReset;
+
+const { PrivateBrowsingUtils } = ChromeUtils.importESModule(
+  "resource://gre/modules/PrivateBrowsingUtils.sys.mjs"
+);
+
+function initExceptionDialog() {
+  gNeedReset = false;
+  gDialog = document.getElementById("exceptiondialog");
+  let warningText = document.getElementById("warningText");
+  document.l10n.setAttributes(warningText, "add-exception-branded-warning");
+  let confirmButton = gDialog.getButton("extra1");
+  let l10nUpdatedElements = [confirmButton, warningText];
+  confirmButton.disabled = true;
+
+  var args = window.arguments;
+  if (args && args[0]) {
+    if (args[0].location) {
+      // We were pre-seeded with a location.
+      document.getElementById("locationTextBox").value = args[0].location;
+      document.getElementById("checkCertButton").disabled = false;
+
+      if (args[0].securityInfo) {
+        gSecInfo = args[0].securityInfo;
+        gCert = gSecInfo.serverCert;
+        gBroken = true;
+        l10nUpdatedElements = l10nUpdatedElements.concat(updateCertStatus());
+      } else if (args[0].prefetchCert) {
+        // We can optionally pre-fetch the certificate too.  Don't do this
+        // synchronously, since it would prevent the window from appearing
+        // until the fetch is completed, which could be multiple seconds.
+        // Instead, let's use a timer to spawn the actual fetch, but update
+        // the dialog to "checking..." state right away, so that the UI
+        // is appropriately responsive.  Bug 453855
+        document.getElementById("checkCertButton").disabled = true;
+        gChecking = true;
+        l10nUpdatedElements = l10nUpdatedElements.concat(updateCertStatus());
+
+        window.setTimeout(checkCert, 0);
+      }
+    }
+
+    // Set out parameter to false by default
+    args[0].exceptionAdded = false;
+  }
+
+  for (let id of [
+    "warningSupplemental",
+    "certLocationLabel",
+    "checkCertButton",
+    "statusDescription",
+    "statusLongDescription",
+    "viewCertButton",
+    "permanent",
+  ]) {
+    let element = document.getElementById(id);
+    l10nUpdatedElements.push(element);
+  }
+
+  document.l10n
+    .translateElements(l10nUpdatedElements)
+    .then(() => window.sizeToContent());
+
+  document.addEventListener("dialogextra1", addException);
+  document.addEventListener("dialogextra2", checkCert);
+}
+
+/**
+ * Helper function for checkCert. Set as the onerror/onload callbacks for an
+ * XMLHttpRequest. Sets gSecInfo, gCert, gBroken, and gChecking according to
+ * the load information from the request. Probably should not be used directly.
+ *
+ * @param {XMLHttpRequest} req
+ *        The XMLHttpRequest created and sent by checkCert.
+ * @param {Event} evt
+ *        The load or error event.
+ */
+function grabCert(req, evt) {
+  if (req.channel && req.channel.securityInfo) {
+    gSecInfo = req.channel.securityInfo;
+    gCert = gSecInfo ? gSecInfo.serverCert : null;
+  }
+  gBroken = evt.type == "error";
+  gChecking = false;
+  document.l10n
+    .translateElements(updateCertStatus())
+    .then(() => window.sizeToContent());
+}
+
+/**
+ * Attempt to download the certificate for the location specified, and populate
+ * the Certificate Status section with the result.
+ */
+async function checkCert() {
+  gCert = null;
+  gSecInfo = null;
+  gChecking = true;
+  gBroken = false;
+  await document.l10n.translateElements(updateCertStatus());
+  window.sizeToContent();
+
+  let uri = getURI();
+
+  if (uri) {
+    let req = new XMLHttpRequest();
+    req.open("GET", uri.prePath);
+    req.onerror = grabCert.bind(this, req);
+    req.onload = grabCert.bind(this, req);
+    req.send(null);
+  } else {
+    gChecking = false;
+    await document.l10n.translateElements(updateCertStatus());
+    window.sizeToContent();
+  }
+}
+
+/**
+ * Build and return a URI, based on the information supplied in the
+ * Certificate Location fields
+ *
+ * @returns {nsIURI}
+ *          URI constructed from the information supplied on success, null
+ *          otherwise.
+ */
+function getURI() {
+  // Use fixup service instead of just ioservice's newURI since it's quite
+  // likely that the host will be supplied without a protocol prefix, resulting
+  // in malformed uri exceptions being thrown.
+  let locationTextBox = document.getElementById("locationTextBox");
+  let { preferredURI: uri } = Services.uriFixup.getFixupURIInfo(
+    locationTextBox.value
+  );
+
+  if (!uri) {
+    return null;
+  }
+
+  let mutator = uri.mutate();
+  if (uri.scheme == "http") {
+    mutator.setScheme("https");
+  }
+
+  if (uri.port == -1) {
+    mutator.setPort(443);
+  }
+
+  return mutator.finalize();
+}
+
+function resetDialog() {
+  document.getElementById("viewCertButton").disabled = true;
+  document.getElementById("permanent").disabled = true;
+  gDialog.getButton("extra1").disabled = true;
+  setText("headerDescription", "");
+  setText("statusDescription", "");
+  setText("statusLongDescription", "");
+  setText("status2Description", "");
+  setText("status2LongDescription", "");
+  setText("status3Description", "");
+  setText("status3LongDescription", "");
+  window.sizeToContent();
+}
+
+/**
+ * Called by input textboxes to manage UI state
+ */
+function handleTextChange() {
+  var checkCertButton = document.getElementById("checkCertButton");
+  checkCertButton.disabled = !document.getElementById("locationTextBox").value;
+  if (gNeedReset) {
+    gNeedReset = false;
+    resetDialog();
+  }
+}
+
+function updateCertStatus() {
+  var shortDesc, longDesc;
+  let l10nUpdatedElements = [];
+  if (gCert) {
+    if (gBroken) {
+      var mms = "add-exception-domain-mismatch-short";
+      var mml = "add-exception-domain-mismatch-long";
+      var exs = "add-exception-expired-short";
+      var exl = "add-exception-expired-long";
+      var uts = "add-exception-unverified-or-bad-signature-short";
+      var utl = "add-exception-unverified-or-bad-signature-long";
+      if (
+        gSecInfo.overridableErrorCategory ==
+        Ci.nsITransportSecurityInfo.ERROR_TRUST
+      ) {
+        shortDesc = uts;
+        longDesc = utl;
+      } else if (
+        gSecInfo.overridableErrorCategory ==
+        Ci.nsITransportSecurityInfo.ERROR_DOMAIN
+      ) {
+        shortDesc = mms;
+        longDesc = mml;
+      } else if (
+        gSecInfo.overridableErrorCategory ==
+        Ci.nsITransportSecurityInfo.ERROR_TIME
+      ) {
+        shortDesc = exs;
+        longDesc = exl;
+      }
+      // In these cases, we do want to enable the "Add Exception" button
+      gDialog.getButton("extra1").disabled = false;
+
+      // If the Private Browsing service is available and the mode is active,
+      // don't store permanent exceptions, since they would persist after
+      // private browsing mode was disabled.
+      var inPrivateBrowsing = inPrivateBrowsingMode();
+      var pe = document.getElementById("permanent");
+      pe.disabled = inPrivateBrowsing;
+      pe.checked = !inPrivateBrowsing;
+
+      let headerDescription = document.getElementById("headerDescription");
+      document.l10n.setAttributes(
+        headerDescription,
+        "add-exception-invalid-header"
+      );
+      l10nUpdatedElements.push(headerDescription);
+    } else {
+      shortDesc = "add-exception-valid-short";
+      longDesc = "add-exception-valid-long";
+      gDialog.getButton("extra1").disabled = true;
+      document.getElementById("permanent").disabled = true;
+    }
+
+    // We're done checking the certificate, so allow the user to check it again.
+    document.getElementById("checkCertButton").disabled = false;
+    document.getElementById("viewCertButton").disabled = false;
+
+    // Notify observers about the availability of the certificate
+    Services.obs.notifyObservers(null, "cert-exception-ui-ready");
+  } else if (gChecking) {
+    shortDesc = "add-exception-checking-short";
+    longDesc = "add-exception-checking-long";
+    // We're checking the certificate, so we disable the Get Certificate
+    // button to make sure that the user can't interrupt the process and
+    // trigger another certificate fetch.
+    document.getElementById("checkCertButton").disabled = true;
+    document.getElementById("viewCertButton").disabled = true;
+    gDialog.getButton("extra1").disabled = true;
+    document.getElementById("permanent").disabled = true;
+  } else {
+    shortDesc = "add-exception-no-cert-short";
+    longDesc = "add-exception-no-cert-long";
+    // We're done checking the certificate, so allow the user to check it again.
+    document.getElementById("checkCertButton").disabled = false;
+    document.getElementById("viewCertButton").disabled = true;
+    gDialog.getButton("extra1").disabled = true;
+    document.getElementById("permanent").disabled = true;
+  }
+  let statusDescription = document.getElementById("statusDescription");
+  let statusLongDescription = document.getElementById("statusLongDescription");
+  document.l10n.setAttributes(statusDescription, shortDesc);
+  document.l10n.setAttributes(statusLongDescription, longDesc);
+  l10nUpdatedElements.push(statusDescription);
+  l10nUpdatedElements.push(statusLongDescription);
+
+  gNeedReset = true;
+  return l10nUpdatedElements;
+}
+
+/**
+ * Handle user request to display certificate details
+ */
+function viewCertButtonClick() {
+  if (gCert) {
+    viewCertHelper(this, gCert);
+  }
+}
+
+/**
+ * Handle user request to add an exception for the specified cert
+ */
+function addException() {
+  if (!gCert || !gSecInfo) {
+    return;
+  }
+
+  var overrideService = Cc["@mozilla.org/security/certoverride;1"].getService(
+    Ci.nsICertOverrideService
+  );
+  var flags = 0;
+  if (gSecInfo.isUntrusted) {
+    flags |= overrideService.ERROR_UNTRUSTED;
+  }
+  if (gSecInfo.isDomainMismatch) {
+    flags |= overrideService.ERROR_MISMATCH;
+  }
+  if (gSecInfo.isNotValidAtThisTime) {
+    flags |= overrideService.ERROR_TIME;
+  }
+
+  var permanentCheckbox = document.getElementById("permanent");
+  var shouldStorePermanently =
+    permanentCheckbox.checked && !inPrivateBrowsingMode();
+  var uri = getURI();
+  overrideService.rememberValidityOverride(
+    uri.asciiHost,
+    uri.port,
+    {},
+    gCert,
+    flags,
+    !shouldStorePermanently
+  );
+
+  let args = window.arguments;
+  if (args && args[0]) {
+    args[0].exceptionAdded = true;
+  }
+
+  gDialog.acceptDialog();
+}
+
+/**
+ * @returns {boolean} Whether this dialog is in private browsing mode.
+ */
+function inPrivateBrowsingMode() {
+  return PrivateBrowsingUtils.isWindowPrivate(window);
+}
diff --git a/security/manager/pki/resources/content/exceptionDialog.xhtml b/security/manager/pki/resources/content/exceptionDialog.xhtml
new file mode 100644
index 0000000000..56be4bc5cb
--- /dev/null
+++ b/security/manager/pki/resources/content/exceptionDialog.xhtml
@@ -0,0 +1,88 @@
+<?xml version="1.0"?>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+   - License, v. 2.0. If a copy of the MPL was not distributed with this
+   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+
+<?xml-stylesheet href="chrome://global/skin/global.css" type="text/css"?>
+<?xml-stylesheet href="chrome://pippki/content/exceptionDialog.css" type="text/css"?>
+
+<!DOCTYPE window>
+
+<window windowtype="mozilla:exceptiondialog"
+        xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+        xmlns:html="http://www.w3.org/1999/xhtml"
+        data-l10n-id="exception-mgr"
+        onload="initExceptionDialog();">
+<dialog id="exceptiondialog"
+        buttonidextra1="exception-mgr-extra-button"
+        buttons="cancel,extra1,extra2"
+        defaultButton="extra2">
+
+  <linkset>
+    <html:link rel="localization" href="branding/brand.ftl"/>
+    <html:link rel="localization" href="security/certificates/certManager.ftl"/>
+  </linkset>
+
+  <script src="chrome://global/content/globalOverlay.js"/>
+  <script src="chrome://global/content/editMenuOverlay.js"/>
+
+  <script src="chrome://pippki/content/pippki.js"/>
+  <script src="chrome://pippki/content/exceptionDialog.js"/>
+
+  <hbox>
+    <vbox>
+#ifdef MOZ_WIDGET_GTK
+      <image src="moz-icon://stock/gtk-dialog-warning?size=dialog"/>
+#else
+      <image src="chrome://global/skin/icons/warning-large.png"/>
+#endif
+      <spacer flex="1"/>
+    </vbox>
+    <vbox flex="1">
+      <!-- Note that because of the styling, there must be no whitespace within
+      the description tags -->
+      <description id="warningText"/>
+      <description id="warningSupplemental"
+                   data-l10n-id="exception-mgr-supplemental-warning"/>
+    </vbox>
+  </hbox>
+
+  <hbox align="center">
+    <label control="locationTextBox"
+           id="certLocationLabel"
+           data-l10n-id="exception-mgr-cert-location-url"/>
+    <html:input id="locationTextBox"
+                oninput="handleTextChange();"
+                value="https://"
+                class="uri-element"/>
+    <button id="checkCertButton"
+            disabled="true"
+            dlgtype="extra2"
+            data-l10n-id="exception-mgr-cert-location-download"/>
+  </hbox>
+
+  <hbox align="center">
+    <description id="headerDescription"
+                 flex="1"/>
+    <button id="viewCertButton"
+            data-l10n-id="exception-mgr-cert-status-view-cert"
+            disabled="true"
+            oncommand="viewCertButtonClick();"/>
+  </hbox>
+  <description id="statusDescription"
+               class="description"/>
+  <description id="statusLongDescription"
+               class="longDescription"/>
+  <description id="status2Description"
+               class="description"/>
+  <description id="status2LongDescription"
+               class="longDescription"/>
+  <description id="status3Description"
+               class="description"/>
+  <description id="status3LongDescription"
+               class="longDescription"/>
+  <checkbox id="permanent"
+            disabled="true"
+            data-l10n-id="exception-mgr-permanent"/>
+</dialog>
+</window>
diff --git a/security/manager/pki/resources/content/load_device.js b/security/manager/pki/resources/content/load_device.js
new file mode 100644
index 0000000000..0f77e1f1bd
--- /dev/null
+++ b/security/manager/pki/resources/content/load_device.js
@@ -0,0 +1,75 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/* import-globals-from pippki.js */
+"use strict";
+
+document.addEventListener("dialogaccept", onDialogAccept);
+
+/**
+ * @file Implements the functionality of load_device.xhtml: a dialog that allows
+ *       a PKCS #11 module to be loaded into Firefox.
+ */
+
+async function onBrowseBtnPress() {
+  let fp = Cc["@mozilla.org/filepicker;1"].createInstance(Ci.nsIFilePicker);
+  let [loadPK11ModuleFilePickerTitle] = await document.l10n.formatValues([
+    { id: "load-pk11-module-file-picker-title" },
+  ]);
+  fp.init(window, loadPK11ModuleFilePickerTitle, Ci.nsIFilePicker.modeOpen);
+  fp.appendFilters(Ci.nsIFilePicker.filterAll);
+  fp.open(rv => {
+    if (rv == Ci.nsIFilePicker.returnOK) {
+      document.getElementById("device_path").value = fp.file.path;
+    }
+
+    // This notification gets sent solely for test purposes. It should not be
+    // used by production code.
+    Services.obs.notifyObservers(window, "LoadPKCS11Module:FilePickHandled");
+  });
+}
+
+/**
+ * ondialogaccept() handler.
+ *
+ * @param {object} event
+ *        The event causing this handler function to be called.
+ */
+function onDialogAccept(event) {
+  let nameBox = document.getElementById("device_name");
+  let pathBox = document.getElementById("device_path");
+  let pkcs11ModuleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+    Ci.nsIPKCS11ModuleDB
+  );
+
+  try {
+    pkcs11ModuleDB.addModule(nameBox.value, pathBox.value, 0, 0);
+  } catch (e) {
+    addModuleFailure("add-module-failure");
+    event.preventDefault();
+  }
+}
+
+async function addModuleFailure(l10nID) {
+  let [AddModuleFailure] = await document.l10n.formatValues([{ id: l10nID }]);
+  alertPromptService(null, AddModuleFailure);
+}
+
+function validateModuleName() {
+  let name = document.getElementById("device_name").value;
+  let helpText = document.getElementById("helpText");
+  helpText.value = "";
+  let dialogNode = document.querySelector("dialog");
+  dialogNode.removeAttribute("buttondisabledaccept");
+  if (name == "") {
+    document.l10n.setAttributes(helpText, "load-module-help-empty-module-name");
+    dialogNode.setAttribute("buttondisabledaccept", true);
+  }
+  if (name == "Root Certs") {
+    document.l10n.setAttributes(
+      helpText,
+      "load-module-help-root-certs-module-name"
+    );
+    dialogNode.setAttribute("buttondisabledaccept", true);
+  }
+}
diff --git a/security/manager/pki/resources/content/load_device.xhtml b/security/manager/pki/resources/content/load_device.xhtml
new file mode 100644
index 0000000000..440b8b1f6b
--- /dev/null
+++ b/security/manager/pki/resources/content/load_device.xhtml
@@ -0,0 +1,55 @@
+<?xml version="1.0"?>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+   - License, v. 2.0. If a copy of the MPL was not distributed with this
+   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+
+<?xml-stylesheet href="chrome://global/skin/global.css" type="text/css"?>
+
+<!DOCTYPE window>
+
+<window
+  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+  xmlns:html="http://www.w3.org/1999/xhtml"
+  data-l10n-id="load-device"
+>
+  <dialog id="loaddevice" buttons="accept,cancel">
+    <linkset>
+      <html:link
+        rel="localization"
+        href="security/certificates/deviceManager.ftl"
+      />
+    </linkset>
+
+    <script src="chrome://global/content/globalOverlay.js" />
+    <script src="chrome://global/content/editMenuOverlay.js" />
+
+    <script src="chrome://pippki/content/pippki.js" />
+    <script src="chrome://pippki/content/load_device.js" />
+
+    <html:style>
+      #device_name, #device_path { flex: 1; }
+    </html:style>
+
+    <description data-l10n-id="load-device-info"></description>
+    <hbox align="center">
+      <label data-l10n-id="load-device-modname" control="device_name" />
+      <html:input
+        id="device_name"
+        data-l10n-id="load-device-modname-default"
+        data-l10n-attrs="value"
+        onchange="validateModuleName();"
+      />
+    </hbox>
+    <hbox align="center">
+      <label data-l10n-id="load-device-filename" control="device_path" />
+      <html:input id="device_path" />
+      <button
+        id="browse"
+        flex="1"
+        data-l10n-id="load-device-browse"
+        oncommand="onBrowseBtnPress();"
+      />
+    </hbox>
+    <label id="helpText" value="" />
+  </dialog>
+</window>
diff --git a/security/manager/pki/resources/content/pippki.js b/security/manager/pki/resources/content/pippki.js
new file mode 100644
index 0000000000..8094074281
--- /dev/null
+++ b/security/manager/pki/resources/content/pippki.js
@@ -0,0 +1,300 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+/*
+ * These are helper functions to be included
+ * pippki UI js files.
+ */
+
+function setText(id, value) {
+  let element = document.getElementById(id);
+  if (!element) {
+    return;
+  }
+  if (element.hasChildNodes()) {
+    element.firstChild.remove();
+  }
+  element.appendChild(document.createTextNode(value));
+}
+
+async function viewCertHelper(parent, cert, openingOption = "tab") {
+  if (!cert) {
+    return;
+  }
+
+  let win = Services.wm.getMostRecentBrowserWindow();
+  let results = await asyncDetermineUsages(cert);
+  let chain = getBestChain(results);
+  if (!chain) {
+    chain = [cert];
+  }
+  let certs = chain.map(elem => encodeURIComponent(elem.getBase64DERString()));
+  let certsStringURL = certs.map(elem => `cert=${elem}`);
+  certsStringURL = certsStringURL.join("&");
+  let url = `about:certificate?${certsStringURL}`;
+  let opened = win.switchToTabHavingURI(url, false, {});
+  if (!opened) {
+    win.openTrustedLinkIn(url, openingOption);
+  }
+}
+
+function getPKCS7Array(certArray) {
+  let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+  let pkcs7String = certdb.asPKCS7Blob(certArray);
+  let pkcs7Array = new Uint8Array(pkcs7String.length);
+  for (let i = 0; i < pkcs7Array.length; i++) {
+    pkcs7Array[i] = pkcs7String.charCodeAt(i);
+  }
+  return pkcs7Array;
+}
+
+function getPEMString(cert) {
+  var derb64 = cert.getBase64DERString();
+  // Wrap the Base64 string into lines of 64 characters with CRLF line breaks
+  // (as specified in RFC 1421).
+  var wrapped = derb64.replace(/(\S{64}(?!$))/g, "$1\r\n");
+  return (
+    "-----BEGIN CERTIFICATE-----\r\n" +
+    wrapped +
+    "\r\n-----END CERTIFICATE-----\r\n"
+  );
+}
+
+function alertPromptService(title, message) {
+  // XXX Bug 1425832 - Using Services.prompt here causes tests to report memory
+  // leaks.
+  // eslint-disable-next-line mozilla/use-services
+  var ps = Cc["@mozilla.org/prompter;1"].getService(Ci.nsIPromptService);
+  ps.alert(window, title, message);
+}
+
+const DEFAULT_CERT_EXTENSION = "crt";
+
+/**
+ * Generates a filename for a cert suitable to set as the |defaultString|
+ * attribute on an Ci.nsIFilePicker.
+ *
+ * @param {nsIX509Cert} cert
+ *        The cert to generate a filename for.
+ * @returns {string}
+ *          Generated filename.
+ */
+function certToFilename(cert) {
+  let filename = cert.displayName;
+
+  // Remove unneeded and/or unsafe characters.
+  filename = filename
+    .replace(/\s/g, "")
+    .replace(/\./g, "_")
+    .replace(/\\/g, "")
+    .replace(/\//g, "");
+
+  // Ci.nsIFilePicker.defaultExtension is more of a suggestion to some
+  // implementations, so we include the extension in the file name as well. This
+  // is what the documentation for Ci.nsIFilePicker.defaultString says we should do
+  // anyways.
+  return `${filename}.${DEFAULT_CERT_EXTENSION}`;
+}
+
+async function exportToFile(parent, cert) {
+  if (!cert) {
+    return;
+  }
+
+  let results = await asyncDetermineUsages(cert);
+  let chain = getBestChain(results);
+  if (!chain) {
+    chain = [cert];
+  }
+
+  let formats = {
+    base64: "*.crt; *.pem",
+    "base64-chain": "*.crt; *.pem",
+    der: "*.der",
+    pkcs7: "*.p7c",
+    "pkcs7-chain": "*.p7c",
+  };
+  let [saveCertAs, ...formatLabels] = await document.l10n.formatValues(
+    ["save-cert-as", ...Object.keys(formats).map(f => "cert-format-" + f)].map(
+      id => ({ id })
+    )
+  );
+
+  var fp = Cc["@mozilla.org/filepicker;1"].createInstance(Ci.nsIFilePicker);
+  fp.init(parent, saveCertAs, Ci.nsIFilePicker.modeSave);
+  fp.defaultString = certToFilename(cert);
+  fp.defaultExtension = DEFAULT_CERT_EXTENSION;
+  for (let format of Object.values(formats)) {
+    fp.appendFilter(formatLabels.shift(), format);
+  }
+  fp.appendFilters(Ci.nsIFilePicker.filterAll);
+  let filePickerResult = await new Promise(resolve => {
+    fp.open(resolve);
+  });
+
+  if (
+    filePickerResult != Ci.nsIFilePicker.returnOK &&
+    filePickerResult != Ci.nsIFilePicker.returnReplace
+  ) {
+    return;
+  }
+
+  var content = "";
+  switch (fp.filterIndex) {
+    case 1:
+      content = getPEMString(cert);
+      for (let i = 1; i < chain.length; i++) {
+        content += getPEMString(chain[i]);
+      }
+      break;
+    case 2:
+      // IOUtils.write requires a typed array.
+      // nsIX509Cert.getRawDER() returns an array (not a typed array), so we
+      // convert it here.
+      content = Uint8Array.from(cert.getRawDER());
+      break;
+    case 3:
+      // getPKCS7Array returns a typed array already, so no conversion is
+      // necessary.
+      content = getPKCS7Array([cert]);
+      break;
+    case 4:
+      content = getPKCS7Array(chain);
+      break;
+    case 0:
+    default:
+      content = getPEMString(cert);
+      break;
+  }
+
+  if (typeof content === "string") {
+    content = new TextEncoder().encode(content);
+  }
+
+  try {
+    await IOUtils.write(fp.file.path, content);
+  } catch (ex) {
+    let title = await document.l10n.formatValue("write-file-failure");
+    alertPromptService(title, ex.toString());
+  }
+  if (Cu.isInAutomation) {
+    Services.obs.notifyObservers(null, "cert-export-finished");
+  }
+}
+
+const PRErrorCodeSuccess = 0;
+
+// Certificate usages we care about in the certificate viewer.
+const certificateUsageSSLClient = 0x0001;
+const certificateUsageSSLServer = 0x0002;
+const certificateUsageSSLCA = 0x0008;
+const certificateUsageEmailSigner = 0x0010;
+const certificateUsageEmailRecipient = 0x0020;
+
+// A map from the name of a certificate usage to the value of the usage.
+// Useful for printing debugging information and for enumerating all supported
+// usages.
+const certificateUsages = {
+  certificateUsageSSLClient,
+  certificateUsageSSLServer,
+  certificateUsageSSLCA,
+  certificateUsageEmailSigner,
+  certificateUsageEmailRecipient,
+};
+
+/**
+ * Returns a promise that will resolve with a results array consisting of what
+ * usages the given certificate successfully verified for.
+ *
+ * @param {nsIX509Cert} cert
+ *        The certificate to determine valid usages for.
+ * @returns {Promise}
+ *        A promise that will resolve with the results of the verifications.
+ */
+function asyncDetermineUsages(cert) {
+  let promises = [];
+  let now = Date.now() / 1000;
+  let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+  Object.keys(certificateUsages).forEach(usageString => {
+    promises.push(
+      new Promise((resolve, reject) => {
+        let usage = certificateUsages[usageString];
+        certdb.asyncVerifyCertAtTime(
+          cert,
+          usage,
+          0,
+          null,
+          now,
+          (aPRErrorCode, aVerifiedChain, aHasEVPolicy) => {
+            resolve({
+              usageString,
+              errorCode: aPRErrorCode,
+              chain: aVerifiedChain,
+            });
+          }
+        );
+      })
+    );
+  });
+  return Promise.all(promises);
+}
+
+/**
+ * Given a results array, returns the "best" verified certificate chain. Since
+ * the primary use case is for TLS server certificates in Firefox, such a
+ * verified chain will be returned if present. Otherwise, the priority is: TLS
+ * client certificate, email signer, email recipient, CA. Returns null if no
+ * usage verified successfully.
+ *
+ * @param {Array} results
+ *        An array of results from `asyncDetermineUsages`. See `displayUsages`.
+ * @returns {Array} An array of `nsIX509Cert` representing the verified
+ *          certificate chain for the given usage, or null if there is none.
+ */
+function getBestChain(results) {
+  let usages = [
+    certificateUsageSSLServer,
+    certificateUsageSSLClient,
+    certificateUsageEmailSigner,
+    certificateUsageEmailRecipient,
+    certificateUsageSSLCA,
+  ];
+  for (let usage of usages) {
+    let chain = getChainForUsage(results, usage);
+    if (chain) {
+      return chain;
+    }
+  }
+  return null;
+}
+
+/**
+ * Given a results array, returns the chain corresponding to the desired usage,
+ * if verifying for that usage succeeded. Returns null otherwise.
+ *
+ * @param {Array} results
+ *        An array of results from `asyncDetermineUsages`. See `displayUsages`.
+ * @param {number} usage
+ *        A numerical value corresponding to a usage. See `certificateUsages`.
+ * @returns {Array} An array of `nsIX509Cert` representing the verified
+ *          certificate chain for the given usage, or null if there is none.
+ */
+function getChainForUsage(results, usage) {
+  for (let result of results) {
+    if (
+      certificateUsages[result.usageString] == usage &&
+      result.errorCode == PRErrorCodeSuccess
+    ) {
+      return result.chain;
+    }
+  }
+  return null;
+}
diff --git a/security/manager/pki/resources/content/resetpassword.js b/security/manager/pki/resources/content/resetpassword.js
new file mode 100644
index 0000000000..30db349794
--- /dev/null
+++ b/security/manager/pki/resources/content/resetpassword.js
@@ -0,0 +1,28 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/* import-globals-from pippki.js */
+"use strict";
+
+document.addEventListener("dialogaccept", resetPassword);
+
+function resetPassword() {
+  var pk11db = Cc["@mozilla.org/security/pk11tokendb;1"].getService(
+    Ci.nsIPK11TokenDB
+  );
+  var token = pk11db.getInternalKeyToken();
+  token.reset();
+
+  try {
+    Services.logins.removeAllUserFacingLogins();
+  } catch (e) {}
+
+  let l10n = new Localization(["security/pippki/pippki.ftl"], true);
+  if (l10n) {
+    Services.prompt.alert(
+      window,
+      l10n.formatValueSync("pippki-reset-password-confirmation-title"),
+      l10n.formatValueSync("pippki-reset-password-confirmation-message")
+    );
+  }
+}
diff --git a/security/manager/pki/resources/content/resetpassword.xhtml b/security/manager/pki/resources/content/resetpassword.xhtml
new file mode 100644
index 0000000000..d83fa05bd6
--- /dev/null
+++ b/security/manager/pki/resources/content/resetpassword.xhtml
@@ -0,0 +1,49 @@
+<?xml version="1.0"?>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+   - License, v. 2.0. If a copy of the MPL was not distributed with this
+   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+
+<?xml-stylesheet href="chrome://global/skin/global.css" type="text/css"?>
+
+<!DOCTYPE window>
+
+<window
+  data-l10n-id="reset-primary-password-window2"
+  data-l10n-attrs="title, style"
+  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+  xmlns:html="http://www.w3.org/1999/xhtml"
+>
+  <dialog
+    id="reset_password"
+    buttons="accept,cancel"
+    buttonidaccept="reset-password-button-label"
+    defaultButton="cancel"
+  >
+    <linkset>
+      <html:link rel="localization" href="security/pippki/pippki.ftl" />
+    </linkset>
+
+    <stringbundle
+      id="pippki_bundle"
+      src="chrome://pippki/locale/pippki.properties"
+    />
+
+    <script src="chrome://pippki/content/pippki.js" />
+    <script src="chrome://pippki/content/resetpassword.js" />
+
+    <hbox flex="1">
+      <vbox>
+        <image class="alert-icon" style="margin: 5px" />
+      </vbox>
+      <vbox style="margin: 5px" flex="1">
+        <hbox flex="1">
+          <vbox flex="1">
+            <description
+              data-l10n-id="reset-primary-password-text"
+            ></description>
+          </vbox>
+        </hbox>
+      </vbox>
+    </hbox>
+  </dialog>
+</window>
diff --git a/security/manager/pki/resources/content/setp12password.js b/security/manager/pki/resources/content/setp12password.js
new file mode 100644
index 0000000000..14200c36ce
--- /dev/null
+++ b/security/manager/pki/resources/content/setp12password.js
@@ -0,0 +1,127 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+/**
+ * @file Implements the functionality of setp12password.xhtml: a dialog that lets
+ *       the user confirm the password to set on a PKCS #12 file.
+ * @param {nsISupports} window.arguments.0
+ *           Object to set the return values of calling the dialog on, queryable
+ *           to the underlying type of SetP12PasswordReturnValues.
+ */
+
+/**
+ * @typedef SetP12PasswordReturnValues
+ * @type {nsIWritablePropertyBag2}
+ * @property {boolean} confirmedPassword
+ *           Set to true if the user entered two matching passwords and
+ *           confirmed the dialog.
+ * @property {string} password
+ *           The password the user entered. Undefined value if
+ *           |confirmedPassword| is not true.
+ */
+
+/**
+ * onload() handler.
+ */
+function onLoad() {
+  // Ensure the first password textbox has focus.
+  document.getElementById("pw1").focus();
+  document.addEventListener("dialogaccept", onDialogAccept);
+  document.addEventListener("dialogcancel", onDialogCancel);
+}
+
+/**
+ * ondialogaccept() handler.
+ */
+function onDialogAccept() {
+  let password = document.getElementById("pw1").value;
+
+  let retVals = window.arguments[0].QueryInterface(Ci.nsIWritablePropertyBag2);
+  retVals.setPropertyAsBool("confirmedPassword", true);
+  retVals.setPropertyAsAString("password", password);
+}
+
+/**
+ * ondialogcancel() handler.
+ */
+function onDialogCancel() {
+  let retVals = window.arguments[0].QueryInterface(Ci.nsIWritablePropertyBag2);
+  retVals.setPropertyAsBool("confirmedPassword", false);
+}
+
+/**
+ * Calculates the strength of the given password, suitable for use in updating
+ * a progress bar that represents said strength.
+ *
+ * The strength of the password is calculated by checking the number of:
+ *   - Characters
+ *   - Numbers
+ *   - Non-alphanumeric chars
+ *   - Upper case characters
+ *
+ * @param {string} password
+ *        The password to calculate the strength of.
+ * @returns {number}
+ *          The strength of the password in the range [0, 100].
+ */
+function getPasswordStrength(password) {
+  let lengthStrength = password.length;
+  if (lengthStrength > 5) {
+    lengthStrength = 5;
+  }
+
+  let nonNumericChars = password.replace(/[0-9]/g, "");
+  let numericStrength = password.length - nonNumericChars.length;
+  if (numericStrength > 3) {
+    numericStrength = 3;
+  }
+
+  let nonSymbolChars = password.replace(/\W/g, "");
+  let symbolStrength = password.length - nonSymbolChars.length;
+  if (symbolStrength > 3) {
+    symbolStrength = 3;
+  }
+
+  let nonUpperAlphaChars = password.replace(/[A-Z]/g, "");
+  let upperAlphaStrength = password.length - nonUpperAlphaChars.length;
+  if (upperAlphaStrength > 3) {
+    upperAlphaStrength = 3;
+  }
+
+  let strength =
+    lengthStrength * 10 -
+    20 +
+    numericStrength * 10 +
+    symbolStrength * 15 +
+    upperAlphaStrength * 10;
+  if (strength < 0) {
+    strength = 0;
+  }
+  if (strength > 100) {
+    strength = 100;
+  }
+
+  return strength;
+}
+
+/**
+ * oninput() handler for both password textboxes.
+ *
+ * @param {boolean} recalculatePasswordStrength
+ *                  Whether to recalculate the strength of the first password.
+ */
+function onPasswordInput(recalculatePasswordStrength) {
+  let pw1 = document.getElementById("pw1").value;
+
+  if (recalculatePasswordStrength) {
+    document.getElementById("pwmeter").value = getPasswordStrength(pw1);
+  }
+
+  // Disable the accept button if the two passwords don't match, and enable it
+  // if the passwords do match.
+  let pw2 = document.getElementById("pw2").value;
+  document.getElementById("setp12password").getButton("accept").disabled =
+    pw1 != pw2;
+}
diff --git a/security/manager/pki/resources/content/setp12password.xhtml b/security/manager/pki/resources/content/setp12password.xhtml
new file mode 100644
index 0000000000..f4ba567c0e
--- /dev/null
+++ b/security/manager/pki/resources/content/setp12password.xhtml
@@ -0,0 +1,56 @@
+<?xml version="1.0"?>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+   - License, v. 2.0. If a copy of the MPL was not distributed with this
+   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+
+<?xml-stylesheet href="chrome://global/skin/global.css" type="text/css"?>
+
+<!DOCTYPE window>
+
+<window
+  data-l10n-id="set-password-window"
+  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+  xmlns:html="http://www.w3.org/1999/xhtml"
+  style="width: 48em"
+  onload="onLoad();"
+>
+  <dialog id="setp12password" buttons="accept,cancel">
+    <linkset>
+      <html:link rel="localization" href="security/pippki/pippki.ftl" />
+    </linkset>
+
+    <script src="chrome://global/content/globalOverlay.js" />
+    <script src="chrome://global/content/editMenuOverlay.js" />
+
+    <script src="chrome://pippki/content/setp12password.js" />
+
+    <description data-l10n-id="set-password-message"></description>
+    <separator />
+    <vbox>
+      <hbox class="input-row">
+        <label flex="1" data-l10n-id="set-password-backup-pw" />
+        <html:input id="pw1" type="password" oninput="onPasswordInput(true);" />
+      </hbox>
+      <hbox class="input-row">
+        <label flex="1" data-l10n-id="set-password-repeat-backup-pw" />
+        <html:input
+          id="pw2"
+          type="password"
+          oninput="onPasswordInput(false);"
+        />
+      </hbox>
+    </vbox>
+    <separator />
+    <description data-l10n-id="set-password-reminder"></description>
+    <separator />
+
+    <vbox style="margin: 6px">
+      <html:label
+        for="pwmeter"
+        style="display: flex"
+        data-l10n-id="password-quality-meter"
+      ></html:label>
+      <html:progress id="pwmeter" value="0" max="100" />
+    </vbox>
+  </dialog>
+</window>
diff --git a/security/manager/pki/resources/jar.mn b/security/manager/pki/resources/jar.mn
new file mode 100644
index 0000000000..a855664601
--- /dev/null
+++ b/security/manager/pki/resources/jar.mn
@@ -0,0 +1,32 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+pippki.jar:
+% content pippki %content/pippki/
+    content/pippki/certManager.js            (content/certManager.js)
+    content/pippki/certManager.css           (content/certManager.css)
+    content/pippki/certManager.xhtml           (content/certManager.xhtml)
+    content/pippki/changepassword.js         (content/changepassword.js)
+    content/pippki/changepassword.xhtml        (content/changepassword.xhtml)
+    content/pippki/clientauthask.js          (content/clientauthask.js)
+    content/pippki/clientauthask.xhtml         (content/clientauthask.xhtml)
+    content/pippki/deletecert.js             (content/deletecert.js)
+    content/pippki/deletecert.css            (content/deletecert.css)
+    content/pippki/deletecert.xhtml            (content/deletecert.xhtml)
+    content/pippki/device_manager.js         (content/device_manager.js)
+    content/pippki/device_manager.xhtml        (content/device_manager.xhtml)
+    content/pippki/downloadcert.js           (content/downloadcert.js)
+    content/pippki/downloadcert.xhtml          (content/downloadcert.xhtml)
+    content/pippki/editcacert.js             (content/editcacert.js)
+    content/pippki/editcacert.xhtml          (content/editcacert.xhtml)
+    content/pippki/exceptionDialog.css       (content/exceptionDialog.css)
+    content/pippki/exceptionDialog.js        (content/exceptionDialog.js)
+*   content/pippki/exceptionDialog.xhtml       (content/exceptionDialog.xhtml)
+    content/pippki/load_device.js            (content/load_device.js)
+    content/pippki/load_device.xhtml           (content/load_device.xhtml)
+    content/pippki/pippki.js                 (content/pippki.js)
+    content/pippki/resetpassword.js          (content/resetpassword.js)
+    content/pippki/resetpassword.xhtml         (content/resetpassword.xhtml)
+    content/pippki/setp12password.js         (content/setp12password.js)
+    content/pippki/setp12password.xhtml        (content/setp12password.xhtml)
diff --git a/security/manager/pki/resources/moz.build b/security/manager/pki/resources/moz.build
new file mode 100644
index 0000000000..d988c0ff9b
--- /dev/null
+++ b/security/manager/pki/resources/moz.build
@@ -0,0 +1,7 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+JAR_MANIFESTS += ["jar.mn"]
-- 
cgit v1.2.3