Index: mozilla/security/nss/cmd/lib/secutil.c =================================================================== RCS file: /cvsroot/mozilla/security/nss/cmd/lib/secutil.c,v retrieving revision 1.99 diff -p -u -8 -r1.99 secutil.c --- mozilla/security/nss/cmd/lib/secutil.c 28 Mar 2010 19:46:06 -0000 1.99 +++ mozilla/security/nss/cmd/lib/secutil.c 23 Jul 2010 03:13:54 -0000 
@@ -1511,16 +1511,80 @@ const SEC_ASN1Template secuPBEV2Params[] { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg), SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, cipherAlg), SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, { 0 } }; void +secu_PrintRSAPSSParams(FILE *out, SECItem *value, char *m, int level) +{ + PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + SECStatus rv; + SECKEYRSAPSSParams param; + SECAlgorithmID maskHashAlg; + + if (m) { + SECU_Indent(out, level); + fprintf (out, "%s:\n", m); + } + + if (!pool) { + SECU_Indent(out, level); + fprintf(out, "Out of memory\n"); + return; + } + + PORT_Memset(¶m, 0, sizeof param); + + rv = SEC_QuickDERDecodeItem(pool, ¶m, + SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate), + value); + if (rv == SECSuccess) { + if (!param.hashAlg) { + SECU_Indent(out, level+1); + fprintf(out, "Hash algorithm: default, SHA-1\n"); + } else { + SECU_PrintObjectID(out, ¶m.hashAlg->algorithm, + "Hash algorithm", level+1); + } + if (!param.maskAlg) { + SECU_Indent(out, level+1); + fprintf(out, "Mask algorithm: default, MGF1\n"); + SECU_Indent(out, level+1); + fprintf(out, "Mask hash algorithm: default, SHA-1\n"); + } else { + SECU_PrintObjectID(out, ¶m.maskAlg->algorithm, + "Mask algorithm", level+1); + rv = SEC_QuickDERDecodeItem(pool, &maskHashAlg, + SEC_ASN1_GET(SECOID_AlgorithmIDTemplate), + ¶m.maskAlg->parameters); + if (rv == SECSuccess) { + SECU_PrintObjectID(out, &maskHashAlg.algorithm, + "Mask hash algorithm", level+1); + } else { + SECU_Indent(out, level+1); + fprintf(out, "Invalid mask generation algorithm parameters\n"); + } + } + if (!param.saltLength.data) { + SECU_Indent(out, level+1); + fprintf(out, "Salt length: default, %i (0x%2X)\n", 20, 20); + } else { + SECU_PrintInteger(out, ¶m.saltLength, "Salt Length", level+1); + } + } else { + SECU_Indent(out, level+1); + fprintf(out, "Invalid RSA-PSS parameters\n"); + } + PORT_FreeArena(pool, PR_FALSE); +} + 
+void secu_PrintKDF2Params(FILE *out, SECItem *value, char *m, int level) { PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); SECStatus rv; secuPBEParams param; if (m) { SECU_Indent(out, level); @@ -1620,17 +1684,21 @@ SECU_PrintAlgorithmID(FILE *out, SECAlgo secu_PrintPKCS5V2Params(out, &a->parameters, "MAC", level+1); break; default: secu_PrintPBEParams(out, &a->parameters, "Parameters", level+1); break; } return; } - + + if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) { + secu_PrintRSAPSSParams(out, &a->parameters, "Parameters", level+1); + return; + } if (a->parameters.len == 0 || (a->parameters.len == 2 && PORT_Memcmp(a->parameters.data, "\005\000", 2) == 0)) { /* No arguments or NULL argument */ } else { /* Print args to algorithm */ SECU_PrintAsHex(out, &a->parameters, "Args", level+1); Index: mozilla/security/nss/lib/cryptohi/keythi.h =================================================================== RCS file: /cvsroot/mozilla/security/nss/lib/cryptohi/keythi.h,v retrieving revision 1.13 diff -p -u -8 -r1.13 keythi.h --- mozilla/security/nss/lib/cryptohi/keythi.h 23 Jun 2010 02:13:56 -0000 1.13 +++ mozilla/security/nss/lib/cryptohi/keythi.h 23 Jul 2010 03:13:55 -0000 @@ -38,17 +38,17 @@ #define _KEYTHI_H_ 1 #include "plarena.h" #include "pkcs11t.h" #include "secmodt.h" #include "prclist.h" /* -** RFC 4055 specifies three different RSA key types. +** RFC 4055 Section 1.2 specifies three different RSA key types. ** ** rsaKey maps to keys with SEC_OID_PKCS1_RSA_ENCRYPTION and can be used for ** both encryption and signatures with old (PKCS #1 v1.5) and new (PKCS #1 ** v2.1) padding schemes. ** ** rsaPssKey maps to keys with SEC_OID_PKCS1_RSA_PSS_SIGNATURE and may only ** be used for signatures with PSS padding (PKCS #1 v2.1). ** 
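Review bot: secu_PrintRSAPSSParams (the first secutil.c hunk) never prints `param.trailerField`, although SECKEY_RSAPSSParamsTemplate in this patch decodes it, so a certificate with a non-default trailer field looks identical to a default one in the dump. After the salt-length branch I would add `if (param.trailerField.data) SECU_PrintInteger(out, &param.trailerField, "Trailer field", level+1);`. Separately, `maskHashAlg` is passed to SEC_QuickDERDecodeItem without the `PORT_Memset` that `param` gets. Only `maskHashAlg.algorithm` is read afterwards, so this looks harmless today, but `PORT_Memset(&maskHashAlg, 0, sizeof maskHashAlg);` before the decode would keep the two decodes consistent. The mask parameters are also decoded as an AlgorithmID whatever the mask algorithm OID is, which deserves a short comment saying that MGF1 is assumed.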
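Review bot: The new RSA-PSS branch in SECU_PrintAlgorithmID (the second secutil.c hunk) runs before the existing `a->parameters.len == 0` test, so an RSA-PSS AlgorithmID with no parameters goes to secu_PrintRSAPSSParams and will most likely be reported as "Invalid RSA-PSS parameters". As I read RFC 4055, which the keythi.h comment in this patch cites, the parameters may be absent when the OID identifies a public key, so that message would mislead on a legal SubjectPublicKeyInfo. Guarding the call with `if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE && a->parameters.len != 0) {` lets the empty case fall through to the existing no-argument path. SECU_PrintAlgorithmID starts and ends outside the hunk, so I have not checked how callers distinguish key and signature contexts.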
@@ -69,40 +69,52 @@ typedef enum { } KeyType; /* ** Template Definitions **/ SEC_BEGIN_PROTOS extern const SEC_ASN1Template SECKEY_RSAPublicKeyTemplate[]; +extern const SEC_ASN1Template SECKEY_RSAPSSParamsTemplate[]; extern const SEC_ASN1Template SECKEY_DSAPublicKeyTemplate[]; extern const SEC_ASN1Template SECKEY_DHPublicKeyTemplate[]; extern const SEC_ASN1Template SECKEY_DHParamKeyTemplate[]; extern const SEC_ASN1Template SECKEY_PQGParamsTemplate[]; extern const SEC_ASN1Template SECKEY_DSAPrivateKeyExportTemplate[]; /* Windows DLL accessor functions */ -extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_DSAPublicKeyTemplate; -extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_RSAPublicKeyTemplate; +SEC_ASN1_CHOOSER_DECLARE(SECKEY_DSAPublicKeyTemplate) +SEC_ASN1_CHOOSER_DECLARE(SECKEY_RSAPublicKeyTemplate) +SEC_ASN1_CHOOSER_DECLARE(SECKEY_RSAPSSParamsTemplate) SEC_END_PROTOS /* ** RSA Public Key structures ** member names from PKCS#1, section 7.1 */ struct SECKEYRSAPublicKeyStr { PLArenaPool * arena; SECItem modulus; SECItem publicExponent; }; typedef struct SECKEYRSAPublicKeyStr SECKEYRSAPublicKey; +/* +** RSA-PSS parameters +*/ +struct SECKEYRSAPSSParamsStr { + SECAlgorithmID *hashAlg; + SECAlgorithmID *maskAlg; + SECItem saltLength; + SECItem trailerField; +}; +typedef struct SECKEYRSAPSSParamsStr SECKEYRSAPSSParams; /* ** DSA Public Key and related structures */ struct SECKEYPQGParamsStr { PLArenaPool *arena; SECItem prime; /* p */ Index: mozilla/security/nss/lib/cryptohi/seckey.c =================================================================== RCS file: /cvsroot/mozilla/security/nss/lib/cryptohi/seckey.c,v retrieving revision 1.54 diff -p -u -8 -r1.54 seckey.c --- mozilla/security/nss/lib/cryptohi/seckey.c 23 Jun 2010 02:13:56 -0000 1.54 +++ mozilla/security/nss/lib/cryptohi/seckey.c 23 Jul 2010 03:13:55 -0000 
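Review bot: struct SECKEYRSAPSSParamsStr is documented only as `RSA-PSS parameters`, and unlike SECKEYRSAPublicKeyStr and SECKEYPQGParamsStr beside it it has no `arena` member, so nothing tells a caller who owns `hashAlg` and `maskAlg`. I would expand the comment to say that the two pointers are presumably allocated from the arena passed to the decoder and are only valid while that arena lives. It should also say that a NULL `hashAlg` or `maskAlg`, or a `saltLength` or `trailerField` with no data, means the field was omitted and the default applies. The secutil.c printer in this patch treats SHA-1, MGF1 with SHA-1 and a salt length of 20 as those defaults; the trailer field default is not visible in the patch and should be stated here as well.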
@@ -73,16 +73,39 @@ const SEC_ASN1Template CERT_PublicKeyAnd const SEC_ASN1Template SECKEY_RSAPublicKeyTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPublicKey) }, { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.rsa.modulus), }, { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.rsa.publicExponent), }, { 0, } }; +/* Parameters for SEC_OID_PKCS1_RSA_PSS_SIGNATURE */ +const SEC_ASN1Template SECKEY_RSAPSSParamsTemplate[] = +{ + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYRSAPSSParams) }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | + SEC_ASN1_XTRN | SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 0, + offsetof(SECKEYRSAPSSParams, hashAlg), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | + SEC_ASN1_XTRN | SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 1, + offsetof(SECKEYRSAPSSParams, maskAlg), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | + SEC_ASN1_XTRN | SEC_ASN1_CONTEXT_SPECIFIC | 2, + offsetof(SECKEYRSAPSSParams, saltLength), + SEC_ASN1_SUB(SEC_IntegerTemplate) }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | + SEC_ASN1_XTRN | SEC_ASN1_CONTEXT_SPECIFIC | 3, + offsetof(SECKEYRSAPSSParams, trailerField), + SEC_ASN1_SUB(SEC_IntegerTemplate) }, + { 0 } +}; + const SEC_ASN1Template SECKEY_DSAPublicKeyTemplate[] = { { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.dsa.publicValue), }, { 0, } }; const SEC_ASN1Template SECKEY_PQGParamsTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPQGParams) }, { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,prime) }, 
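Review bot: SECKEY_RSAPSSParamsTemplate stores `saltLength` and `trailerField` as raw DER INTEGER items through SEC_IntegerTemplate, and nothing visible in the patch bounds or sign-checks them, yet the only documentation is the one-line `Parameters for SEC_OID_PKCS1_RSA_PSS_SIGNATURE` comment. These values come straight from certificates and signatures, so the comment should tell consumers to range-check `saltLength` before using it as a length and to reject a `trailerField` they do not support. The bug 125359 comment shown as context in the next seckey.c hunk describes the unsigned-integer convention for the templates above it; it would help to state whether that convention applies to these two fields. It would also be worth noting that `SEC_ASN1_POINTER` is set only on the two AlgorithmID entries, which is why the printer tests those for NULL but tests `saltLength.data` for the integer.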
@@ -143,16 +166,17 @@ const SEC_ASN1Template SECKEY_KEAPublicK const SEC_ASN1Template SECKEY_KEAParamsTemplate[] = { { SEC_ASN1_OCTET_STRING, offsetof(SECKEYPublicKey,u.kea.params.hash), }, { 0, } }; SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_DSAPublicKeyTemplate) SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_RSAPublicKeyTemplate) +SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_RSAPSSParamsTemplate) SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SubjectPublicKeyInfoTemplate) /* * See bugzilla bug 125359 * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints, * all of the templates above that en/decode into integers must be converted * from ASN.1's signed integer type. This is done by marking either the * source or destination (encoding or decoding, respectively) type as Index: mozilla/security/nss/lib/nss/nss.def =================================================================== RCS file: /cvsroot/mozilla/security/nss/lib/nss/nss.def,v retrieving revision 1.206 diff -p -u -8 -r1.206 nss.def --- mozilla/security/nss/lib/nss/nss.def 30 Apr 2010 07:47:47 -0000 1.206 +++ mozilla/security/nss/lib/nss/nss.def 23 Jul 2010 03:13:55 -0000 @@ -998,8 +998,15 @@ CERT_DupDistNames; ;+ *; ;+}; ;+NSS_3.12.7 { # NSS 3.12.7 release ;+ global: CERT_GetConstrainedCertificateNames; ;+ local: ;+ *; ;+}; +;+NSS_3.13 { # NSS 3.13 release +;+ global: +;;SECKEY_RSAPSSParamsTemplate DATA ; +NSS_Get_SECKEY_RSAPSSParamsTemplate; +;+ local: +;+ *; +;+};