Index: security/nss/cmd/lib/secutil.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/cmd/lib/secutil.c,v
retrieving revision 1.99
diff -u -p -8 -r1.99 secutil.c
--- security/nss/cmd/lib/secutil.c	28 Mar 2010 19:46:06 -0000	1.99
+++ security/nss/cmd/lib/secutil.c	12 Jul 2010 17:54:13 -0000
@@ -1511,16 +1511,77 @@ const SEC_ASN1Template secuPBEV2Params[]
     { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
         SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
     { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, cipherAlg),
         SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
     { 0 }
 };
 
 void
+secu_PrintRSAPSSParams(FILE *out, SECItem *value, char *m, int level)
+{
+    PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    SECStatus rv;
+    SECRSAPSSParams param;
+    SECAlgorithmID maskHashAlg;
+
+    if (m) {
+	SECU_Indent(out, level);
+	fprintf (out, "%s:\n", m);
+    }
+
+    if (!pool) {
+	SECU_Indent(out, level);
+	fprintf(out, "Out of memory\n");
+	return;
+    }
+
+    PORT_Memset(&param, 0, sizeof param);
+
+    rv = SEC_QuickDERDecodeItem(pool, &param,
+	     SEC_ASN1_GET(SEC_RSAPSSParamsTemplate), value);
+    if (rv == SECSuccess) {
+	if (!param.hashAlg) {
+	    SECU_Indent(out,level+1);
+	    fprintf(out, "Hash algorithm: default, SHA-1\n");
+	} else
+	    SECU_PrintObjectID(out, &param.hashAlg->algorithm,
+		"Hash algorithm", level+1);
+	if (!param.maskAlg) {
+	    SECU_Indent(out,level+1);
+	    fprintf(out, "Mask algorithm: default, MGF1\n");
+	    SECU_Indent(out,level+1);
+	    fprintf(out, "Mask Hash algorithm: default, SHA-1\n");
+	} else {
+	    SECU_PrintObjectID(out, &param.maskAlg->algorithm,
+		"Mask algorithm", level+1);
+	    rv = SEC_QuickDERDecodeItem(pool, &maskHashAlg,
+		     SEC_ASN1_GET(SECOID_AlgorithmIDTemplate),
+		     &param.maskAlg->parameters);
+	    if (rv == SECSuccess)
+		SECU_PrintObjectID(out, &maskHashAlg.algorithm,
+		    "Mask hash algorithm", level+1);
+	    else {
+		SECU_Indent(out,level+1);
+		fprintf(out, "Invalid Mask Generation Algorithm parameters\n");
+	    }
+	}
+	if (!param.saltLength.data) {
+	    SECU_Indent(out,level+1);
+	    fprintf(out, "Salt Length: default, %i (0x%2X)\n", 20, 20);
+	} else
+	    SECU_PrintInteger(out, &param.saltLength, "Salt Length", level+1);
+    } else {
+	SECU_Indent(out,level+1);
+	fprintf(out, "Invalid PSS parameters\n");
+    }
+    PORT_FreeArena(pool, PR_FALSE);
+}
+
+void
 secu_PrintKDF2Params(FILE *out, SECItem *value, char *m, int level)
 {
     PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     SECStatus rv;
     secuPBEParams param;
 
     if (m) {
 	SECU_Indent(out, level);
@@ -1620,16 +1681,20 @@ SECU_PrintAlgorithmID(FILE *out, SECAlgo
 	    secu_PrintPKCS5V2Params(out, &a->parameters, "MAC", level+1);
 	    break;
 	default:
 	    secu_PrintPBEParams(out, &a->parameters, "Parameters", level+1);
 	    break;
 	}
 	return;
     }
+
+    if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
+	secu_PrintRSAPSSParams(out, &a->parameters, "Parameters", level+1);
+    }
 	
 
     if (a->parameters.len == 0
 	|| (a->parameters.len == 2
 	    && PORT_Memcmp(a->parameters.data, "\005\000", 2) == 0)) {
 	/* No arguments or NULL argument */
     } else {
 	/* Print args to algorithm */
Index: security/nss/lib/certdb/certdb.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/certdb/certdb.c,v
retrieving revision 1.104
diff -u -p -8 -r1.104 certdb.c
--- security/nss/lib/certdb/certdb.c	25 Apr 2010 00:44:55 -0000	1.104
+++ security/nss/lib/certdb/certdb.c	12 Jul 2010 17:54:16 -0000
@@ -234,20 +234,46 @@ const SEC_ASN1Template CERT_CertKeyTempl
 	  offsetof(CERTCertKey,serialNumber) },
     { SEC_ASN1_SKIP },		/* signature algorithm */
     { SEC_ASN1_ANY,
 	  offsetof(CERTCertKey,derIssuer) },
     { SEC_ASN1_SKIP_REST },
     { 0 }
 };
 
+/*
+ * Parameters for SEC_OID_PKCS1_RSA_PSS_SIGNATURE
+ */
+const SEC_ASN1Template SEC_RSAPSSParamsTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECRSAPSSParams) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
+        SEC_ASN1_XTRN | SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+        offsetof(SECRSAPSSParams, hashAlg),
+        SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
+        SEC_ASN1_XTRN | SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+        offsetof(SECRSAPSSParams, maskAlg),
+        SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
+        SEC_ASN1_XTRN | SEC_ASN1_CONTEXT_SPECIFIC | 2,
+        offsetof(SECRSAPSSParams, saltLength),
+        SEC_ASN1_SUB(SEC_IntegerTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
+        SEC_ASN1_XTRN | SEC_ASN1_CONTEXT_SPECIFIC | 3,
+        offsetof(SECRSAPSSParams, trailerField),
+        SEC_ASN1_SUB(SEC_IntegerTemplate) },
+    { 0 }
+};
+
 SEC_ASN1_CHOOSER_IMPLEMENT(CERT_TimeChoiceTemplate)
 SEC_ASN1_CHOOSER_IMPLEMENT(CERT_CertificateTemplate)
 SEC_ASN1_CHOOSER_IMPLEMENT(SEC_SignedCertificateTemplate)
 SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SequenceOfCertExtensionTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_RSAPSSParamsTemplate)
 
 SECStatus
 CERT_KeyFromIssuerAndSN(PRArenaPool *arena, SECItem *issuer, SECItem *sn,
 			SECItem *key)
 {
     key->len = sn->len + issuer->len;
 
     if ((sn->data == NULL) || (issuer->data == NULL)) {
Index: security/nss/lib/certdb/certt.h
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/certdb/certt.h,v
retrieving revision 1.54
diff -u -p -8 -r1.54 certt.h
--- security/nss/lib/certdb/certt.h	18 Jun 2010 00:34:22 -0000	1.54
+++ security/nss/lib/certdb/certt.h	12 Jul 2010 17:54:18 -0000
@@ -95,16 +95,17 @@ typedef struct CERTSignedDataStr        
 typedef struct CERTStatusConfigStr               CERTStatusConfig;
 typedef struct CERTSubjectListStr                CERTSubjectList;
 typedef struct CERTSubjectNodeStr                CERTSubjectNode;
 typedef struct CERTSubjectPublicKeyInfoStr       CERTSubjectPublicKeyInfo;
 typedef struct CERTValidityStr                   CERTValidity;
 typedef struct CERTVerifyLogStr                  CERTVerifyLog;
 typedef struct CERTVerifyLogNodeStr              CERTVerifyLogNode;
 typedef struct CRLDistributionPointStr           CRLDistributionPoint;
+typedef struct SECRSAPSSParamsStr                SECRSAPSSParams;
 
 /* CRL extensions type */
 typedef unsigned long CERTCrlNumber;
 
 /*
 ** An X.500 AVA object
 */
 struct CERTAVAStr {
@@ -1262,16 +1263,26 @@ typedef enum CertStrictnessLevels {
 #define CERT_ENABLE_HTTP_FETCH          2
 
 /* This functin pointer type may be used for any function that takes
  * a CERTCertificate * and returns an allocated string, which must be
  * freed by a call to PORT_Free.
  */
 typedef char * (*CERT_StringFromCertFcn)(CERTCertificate *cert);
 
+/* 
+ *RSA-PSS Parameters
+ */
+struct SECRSAPSSParamsStr {
+    SECAlgorithmID *hashAlg;
+    SECAlgorithmID *maskAlg;
+    SECItem saltLength;
+    SECItem trailerField;
+};
+
 /* XXX Lisa thinks the template declarations belong in cert.h, not here? */
 
 #include "secasn1t.h"	/* way down here because I expect template stuff to
 			 * move out of here anyway */
 
 SEC_BEGIN_PROTOS
 
 extern const SEC_ASN1Template CERT_CertificateRequestTemplate[];
@@ -1288,16 +1299,17 @@ extern const SEC_ASN1Template SEC_CertSe
 
 extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[];
 extern const SEC_ASN1Template CERT_NameTemplate[];
 extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[];
 extern const SEC_ASN1Template CERT_RDNTemplate[];
 extern const SEC_ASN1Template CERT_SignedDataTemplate[];
 extern const SEC_ASN1Template CERT_CrlTemplate[];
 extern const SEC_ASN1Template CERT_SignedCrlTemplate[];
+extern const SEC_ASN1Template SEC_RSAPSSParamsTemplate[];
 
 /*
 ** XXX should the attribute stuff be centralized for all of ns/security?
 */
 extern const SEC_ASN1Template CERT_AttributeTemplate[];
 extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[];
 
 /* These functions simply return the address of the above-declared templates.
@@ -1310,12 +1322,13 @@ SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndS
 SEC_ASN1_CHOOSER_DECLARE(CERT_NameTemplate)
 SEC_ASN1_CHOOSER_DECLARE(CERT_SequenceOfCertExtensionTemplate)
 SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate)
 SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate)
 SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate)
 SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate)
 SEC_ASN1_CHOOSER_DECLARE(CERT_SignedCrlTemplate)
 SEC_ASN1_CHOOSER_DECLARE(CERT_TimeChoiceTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_RSAPSSParamsTemplate)
 
 SEC_END_PROTOS
 
 #endif /* _CERTT_H_ */
Index: security/nss/lib/nss/nss.def
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/nss/nss.def,v
retrieving revision 1.206
diff -u -p -8 -r1.206 nss.def
--- security/nss/lib/nss/nss.def	30 Apr 2010 07:47:47 -0000	1.206
+++ security/nss/lib/nss/nss.def	12 Jul 2010 17:54:19 -0000
@@ -994,12 +994,14 @@ SECMOD_GetSkipFirstFlag;
 CERT_CacheOCSPResponseFromSideChannel;
 CERT_DistNamesFromCertList;
 CERT_DupDistNames;
 ;+    local:
 ;+       *;
 ;+};
 ;+NSS_3.12.7 { 	# NSS 3.12.7 release
 ;+    global:
+;;SEC_RSAPSSParamsTemplate DATA ;
+NSS_Get_SEC_RSAPSSParamsTemplate;
 CERT_GetConstrainedCertificateNames;
 ;+    local:
 ;+       *;
 ;+};