Update NSS to NSS 3.14 pre-release snapshot 2012-06-28 01:00:00 PDT.

mozilla/security/nss/lib/util/utilpars.c

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/*
- * The following handles the loading, unloading and management of
- * various PCKS #11 modules
+/* 
+ * The following code handles the storage of PKCS 11 modules used by the
+ * NSS. This file is written to abstract away how the modules are
+ * stored so we can decide that later.
  */
-
+#include "secport.h"
+#include "prprf.h" 
+#include "prenv.h"
+#include "utilpars.h"
+#include "utilmodt.h"
 
 /*
- * this header file contains routines for parsing PKCS #11 module spec
- * strings. It contains 'C' code and should only be included in one module.
- * Currently it is included in both softoken and the wrapper.
+ * return the expected matching quote value for the one specified
  */
-#include <ctype.h>
-#include "pkcs11.h"
-#include "seccomon.h"
-#include "prprf.h"
-#include "secmodt.h"
-#include "pk11init.h"
-
-#define SECMOD_ARG_LIBRARY_PARAMETER "library="
-#define SECMOD_ARG_NAME_PARAMETER "name="
-#define SECMOD_ARG_MODULE_PARAMETER "parameters="
-#define SECMOD_ARG_NSS_PARAMETER "NSS="
-#define SECMOD_ARG_FORTEZZA_FLAG "FORTEZZA"
-#define SECMOD_ARG_ESCAPE '\\'
-
-struct secmodargSlotFlagTable {
-    char *name;
-    int len;
-    unsigned long value;
-};
-
-#define SECMOD_DEFAULT_CIPHER_ORDER 0
-#define SECMOD_DEFAULT_TRUST_ORDER 50
-
-
-#define SECMOD_ARG_ENTRY(arg,flag) \
-{ #arg , sizeof(#arg)-1, flag }
-static struct secmodargSlotFlagTable secmod_argSlotFlagTable[] = {
-        SECMOD_ARG_ENTRY(RSA,SECMOD_RSA_FLAG),
-        SECMOD_ARG_ENTRY(DSA,SECMOD_RSA_FLAG),
-        SECMOD_ARG_ENTRY(RC2,SECMOD_RC4_FLAG),
-        SECMOD_ARG_ENTRY(RC4,SECMOD_RC2_FLAG),
-        SECMOD_ARG_ENTRY(DES,SECMOD_DES_FLAG),
-        SECMOD_ARG_ENTRY(DH,SECMOD_DH_FLAG),
-        SECMOD_ARG_ENTRY(FORTEZZA,SECMOD_FORTEZZA_FLAG),
-        SECMOD_ARG_ENTRY(RC5,SECMOD_RC5_FLAG),
-        SECMOD_ARG_ENTRY(SHA1,SECMOD_SHA1_FLAG),
-        SECMOD_ARG_ENTRY(MD5,SECMOD_MD5_FLAG),
-        SECMOD_ARG_ENTRY(MD2,SECMOD_MD2_FLAG),
-        SECMOD_ARG_ENTRY(SSL,SECMOD_SSL_FLAG),
-        SECMOD_ARG_ENTRY(TLS,SECMOD_TLS_FLAG),
-        SECMOD_ARG_ENTRY(AES,SECMOD_AES_FLAG),
-        SECMOD_ARG_ENTRY(Camellia,SECMOD_CAMELLIA_FLAG),
-        SECMOD_ARG_ENTRY(SEED,SECMOD_SEED_FLAG),
-        SECMOD_ARG_ENTRY(PublicCerts,SECMOD_FRIENDLY_FLAG),
-        SECMOD_ARG_ENTRY(RANDOM,SECMOD_RANDOM_FLAG),
-        SECMOD_ARG_ENTRY(Disable, PK11_DISABLE_FLAG),
-};
-
-#define SECMOD_HANDLE_STRING_ARG(param,target,value,command) \
-    if (PORT_Strncasecmp(param,value,sizeof(value)-1) == 0) { \
-        param += sizeof(value)-1; \
-        if (target) PORT_Free(target); \
-        target = secmod_argFetchValue(param,&next); \
-        param += next; \
-        command ;\
-    } else  
-
-#define SECMOD_HANDLE_FINAL_ARG(param) \
-    { param = secmod_argSkipParameter(param); } param = secmod_argStrip(param);
-        
-
-static int secmod_argSlotFlagTableSize = 
-        sizeof(secmod_argSlotFlagTable)/sizeof(secmod_argSlotFlagTable[0]);
-
-
-static PRBool secmod_argGetPair(char c) {
+PRBool NSSUTIL_ArgGetPair(char c) {
     switch (c) {
     case '\'': return c;
     case '\"': return c;
     case '<': return '>';
     case '{': return '}';
     case '[': return ']';
     case '(': return ')';
     default: break;
     }
     return ' ';
 }
 
-static PRBool secmod_argIsBlank(char c) {
+PRBool NSSUTIL_ArgIsBlank(char c) {
    return isspace((unsigned char )c);
 }
 
-static PRBool secmod_argIsEscape(char c) {
+PRBool NSSUTIL_ArgIsEscape(char c) {
     return c == '\\';
 }
 
-static PRBool secmod_argIsQuote(char c) {
+PRBool NSSUTIL_ArgIsQuote(char c) {
     switch (c) {
     case '\'':
     case '\"':
     case '<':
     case '{': /* } end curly to keep vi bracket matching working */
     case '(': /* ) */
     case '[': /* ] */ return PR_TRUE;
     default: break;
     }
     return PR_FALSE;
 }
 
-static PRBool secmod_argHasChar(char *v, char c)
-{
-   for ( ;*v; v++) {
-        if (*v == c) return PR_TRUE;
-   }
-   return PR_FALSE;
-}
-
-static PRBool secmod_argHasBlanks(char *v)
-{
-   for ( ;*v; v++) {
-        if (secmod_argIsBlank(*v)) return PR_TRUE;
-   }
-   return PR_FALSE;
-}
-
-static char *secmod_argStrip(char *c) {
-   while (*c && secmod_argIsBlank(*c)) c++;
+char *NSSUTIL_ArgStrip(char *c) {
+   while (*c && NSSUTIL_ArgIsBlank(*c)) c++;
    return c;
 }
 
-static char *
-secmod_argFindEnd(char *string) {
+/*
+ * find the end of the current tag/value pair. string should be pointing just
+ * after the equal sign. Handles quoted characters.
+ */
+char *
+NSSUTIL_ArgFindEnd(char *string) {
     char endChar = ' ';
     PRBool lastEscape = PR_FALSE;
 
-    if (secmod_argIsQuote(*string)) {
-        endChar = secmod_argGetPair(*string);
+    if (NSSUTIL_ArgIsQuote(*string)) {
+        endChar = NSSUTIL_ArgGetPair(*string);
         string++;
     }
 
     for (;*string; string++) {
         if (lastEscape) {
             lastEscape = PR_FALSE;
             continue;
         }
-        if (secmod_argIsEscape(*string) && !lastEscape) {
+        if (NSSUTIL_ArgIsEscape(*string) && !lastEscape) {
             lastEscape = PR_TRUE;
             continue;
         } 
-        if ((endChar == ' ') && secmod_argIsBlank(*string)) break;
+        if ((endChar == ' ') && NSSUTIL_ArgIsBlank(*string)) break;
         if (*string == endChar) {
             break;
         }
     }
 
     return string;
 }
 
-static char *
-secmod_argFetchValue(char *string, int *pcount)
+/*
+ * get the value pointed to by string. string should be pointing just beyond
+ * the equal sign.
+ */
+char *
+NSSUTIL_ArgFetchValue(char *string, int *pcount)
 {
-    char *end = secmod_argFindEnd(string);
+    char *end = NSSUTIL_ArgFindEnd(string);
     char *retString, *copyString;
     PRBool lastEscape = PR_FALSE;
     int len;
 
     len = end - string;
     if (len == 0) {
         *pcount = 0;
         return NULL;
     }
 
     copyString = retString = (char *)PORT_Alloc(len+1);
 
     if (*end) len++;
     *pcount = len;
     if (retString == NULL) return NULL;
 
 
-    if (secmod_argIsQuote(*string)) string++;
+    if (NSSUTIL_ArgIsQuote(*string)) string++;
     for (; string < end; string++) {
-        if (secmod_argIsEscape(*string) && !lastEscape) {
+        if (NSSUTIL_ArgIsEscape(*string) && !lastEscape) {
             lastEscape = PR_TRUE;
             continue;
         }
         lastEscape = PR_FALSE;
         *copyString++ = *string;
     }
     *copyString = 0;
     return retString;
 }
 
-static char *
-secmod_argSkipParameter(char *string) 
+/*
+ * point to the next parameter in string
+ */
+char *
+NSSUTIL_ArgSkipParameter(char *string) 
 {
      char *end;
      /* look for the end of the <name>= */
      for (;*string; string++) {
         if (*string == '=') { string++; break; }
-        if (secmod_argIsBlank(*string)) return(string); 
+        if (NSSUTIL_ArgIsBlank(*string)) return(string); 
      }
 
-     end = secmod_argFindEnd(string);
+     end = NSSUTIL_ArgFindEnd(string);
      if (*end) end++;
      return end;
 }
 
-
-static SECStatus
-secmod_argParseModuleSpec(char *modulespec, char **lib, char **mod, 
-                                        char **parameters, char **nss)
-{
-    int next;
-    modulespec = secmod_argStrip(modulespec);
-
-    *lib = *mod = *parameters = *nss = 0;
-
-    while (*modulespec) {
-        SECMOD_HANDLE_STRING_ARG(modulespec,*lib,SECMOD_ARG_LIBRARY_PARAMETER,;)
-        SECMOD_HANDLE_STRING_ARG(modulespec,*mod,SECMOD_ARG_NAME_PARAMETER,;)
-        SECMOD_HANDLE_STRING_ARG(modulespec,*parameters,
-                                                SECMOD_ARG_MODULE_PARAMETER,;)
-        SECMOD_HANDLE_STRING_ARG(modulespec,*nss,SECMOD_ARG_NSS_PARAMETER,;)
-        SECMOD_HANDLE_FINAL_ARG(modulespec)
-   }
-   return SECSuccess;
-}
-
-
-static char *
-secmod_argGetParamValue(char *paramName,char *parameters)
+/*
+ * get the value from that tag value pair.
+ */
+char *
+NSSUTIL_ArgGetParamValue(char *paramName,char *parameters)
 {
     char searchValue[256];
     int paramLen = strlen(paramName);
     char *returnValue = NULL;
     int next;
 
     if ((parameters == NULL) || (*parameters == 0)) return NULL;
 
     PORT_Assert(paramLen+2 < sizeof(searchValue));
 
     PORT_Strcpy(searchValue,paramName);
     PORT_Strcat(searchValue,"=");
     while (*parameters) {
         if (PORT_Strncasecmp(parameters,searchValue,paramLen+1) == 0) {
             parameters += paramLen+1;
-            returnValue = secmod_argFetchValue(parameters,&next);
+            returnValue = NSSUTIL_ArgFetchValue(parameters,&next);
             break;
         } else {
-            parameters = secmod_argSkipParameter(parameters);
+            parameters = NSSUTIL_ArgSkipParameter(parameters);
         }
-        parameters = secmod_argStrip(parameters);
+        parameters = NSSUTIL_ArgStrip(parameters);
    }
    return returnValue;
 }
-    
-
-static char *
-secmod_argNextFlag(char *flags)
+  
+/*
+ * find the next flag in the parameter list
+ */  
+char *
+NSSUTIL_ArgNextFlag(char *flags)
 {
     for (; *flags ; flags++) {
         if (*flags == ',') {
             flags++;
             break;
         }
     }
     return flags;
 }
 
-static PRBool
-secmod_argHasFlag(char *label, char *flag, char *parameters)
+/*
+ * return true if the flag is set in the label parameter.
+ */
+PRBool
+NSSUTIL_ArgHasFlag(char *label, char *flag, char *parameters)
 {
     char *flags,*index;
     int len = strlen(flag);
     PRBool found = PR_FALSE;
 
-    flags = secmod_argGetParamValue(label,parameters);
+    flags = NSSUTIL_ArgGetParamValue(label,parameters);
     if (flags == NULL) return PR_FALSE;
 
-    for (index=flags; *index; index=secmod_argNextFlag(index)) {
+    for (index=flags; *index; index=NSSUTIL_ArgNextFlag(index)) {
         if (PORT_Strncasecmp(index,flag,len) == 0) {
             found=PR_TRUE;
             break;
         }
     }
     PORT_Free(flags);
     return found;
 }
 
-static void
-secmod_argSetNewCipherFlags(unsigned long *newCiphers,char *cipherList)
-{
-    newCiphers[0] = newCiphers[1] = 0;
-    if ((cipherList == NULL) || (*cipherList == 0)) return;
-
-    for (;*cipherList; cipherList=secmod_argNextFlag(cipherList)) {
-        if (PORT_Strncasecmp(cipherList,SECMOD_ARG_FORTEZZA_FLAG,
-                                sizeof(SECMOD_ARG_FORTEZZA_FLAG)-1) == 0) {
-            newCiphers[0] |= SECMOD_FORTEZZA_FLAG;
-        } 
-
-        /* add additional flags here as necessary */
-        /* direct bit mapping escape */
-        if (*cipherList == 0) {
-           if (cipherList[1] == 'l') {
-                newCiphers[1] |= atoi(&cipherList[2]);
-           } else {
-                newCiphers[0] |= atoi(&cipherList[2]);
-           }
-        }
-    }
-}
-
-
 /*
  * decode a number. handle octal (leading '0'), hex (leading '0x') or decimal
  */
-static long
-secmod_argDecodeNumber(char *num)
+long
+NSSUTIL_ArgDecodeNumber(char *num)
 {
     int radix = 10;
     unsigned long value = 0;
     long retValue = 0;
     int sign = 1;
     int digit;
 
     if (num == NULL) return retValue;
 
-    num = secmod_argStrip(num);
+    num = NSSUTIL_ArgStrip(num);
 
     if (*num == '-') {
         sign = -1;
         num++;
     }
 
     if (*num == '0') {
         radix = 8;
         num++;
         if ((*num == 'x') || (*num == 'X')) {
@@ skipping 14 matching lines @@
             break;
         }
         if (digit >= radix) break;
         value = value*radix + digit;
     }
 
     retValue = ((int) value) * sign;
     return retValue;
 }
 
-static long
-secmod_argReadLong(char *label,char *params, long defValue, PRBool *isdefault)
-{
-    char *value;
-    long retValue;
-    if (isdefault) *isdefault = PR_FALSE; 
-
-    value = secmod_argGetParamValue(label,params);
-    if (value == NULL) {
-        if (isdefault) *isdefault = PR_TRUE;
-        return defValue;
-    }
-    retValue = secmod_argDecodeNumber(value);
-    if (value) PORT_Free(value);
-
-    return retValue;
-}
-
-
-static unsigned long
-secmod_argSlotFlags(char *label,char *params)
-{
-    char *flags,*index;
-    unsigned long retValue = 0;
-    int i;
-    PRBool all = PR_FALSE;
-
-    flags = secmod_argGetParamValue(label,params);
-    if (flags == NULL) return 0;
-
-    if (PORT_Strcasecmp(flags,"all") == 0) all = PR_TRUE;
-
-    for (index=flags; *index; index=secmod_argNextFlag(index)) {
-        for (i=0; i < secmod_argSlotFlagTableSize; i++) {
-            if (all || (PORT_Strncasecmp(index, secmod_argSlotFlagTable[i].name,
-                                secmod_argSlotFlagTable[i].len) == 0)) {
-                retValue |= secmod_argSlotFlagTable[i].value;
-            }
-        }
-    }
-    PORT_Free(flags);
-    return retValue;
-}
-
-
-static void
-secmod_argDecodeSingleSlotInfo(char *name, char *params, 
-                               PK11PreSlotInfo *slotInfo)
-{
-    char *askpw;
-
-    slotInfo->slotID=secmod_argDecodeNumber(name);
-    slotInfo->defaultFlags=secmod_argSlotFlags("slotFlags",params);
-    slotInfo->timeout=secmod_argReadLong("timeout",params, 0, NULL);
-
-    askpw = secmod_argGetParamValue("askpw",params);
-    slotInfo->askpw = 0;
-
-    if (askpw) {
-        if (PORT_Strcasecmp(askpw,"every") == 0) {
-            slotInfo->askpw = -1;
-        } else if (PORT_Strcasecmp(askpw,"timeout") == 0) {
-            slotInfo->askpw = 1;
-        } 
-        PORT_Free(askpw);
-        slotInfo->defaultFlags |= PK11_OWN_PW_DEFAULTS;
-    }
-    slotInfo->hasRootCerts = secmod_argHasFlag("rootFlags", "hasRootCerts", 
-                                               params);
-    slotInfo->hasRootTrust = secmod_argHasFlag("rootFlags", "hasRootTrust", 
-                                               params);
-}
-
-static char *
-secmod_argGetName(char *inString, int *next) 
+/*
+ * parameters are tag value pairs. This function returns the tag or label (the
+ * value before the equal size.
+ */
+char *
+NSSUTIL_ArgGetLabel(char *inString, int *next) 
 {
     char *name=NULL;
     char *string;
     int len;
 
-    /* look for the end of the <name>= */
+    /* look for the end of the <label>= */
     for (string = inString;*string; string++) {
         if (*string == '=') { break; }
-        if (secmod_argIsBlank(*string)) break;
+        if (NSSUTIL_ArgIsBlank(*string)) break;
     }
 
     len = string - inString;
 
     *next = len; 
     if (*string == '=') (*next) += 1;
     if (len > 0) {
         name = PORT_Alloc(len+1);
         PORT_Strncpy(name,inString,len);
         name[len] = 0;
     }
     return name;
 }
 
-static PK11PreSlotInfo *
-secmod_argParseSlotInfo(PRArenaPool *arena, char *slotParams, int *retCount)
+/*
+ * read an argument at a Long integer
+ */
+long
+NSSUTIL_ArgReadLong(char *label,char *params, long defValue, PRBool *isdefault)
 {
-    char *slotIndex;
-    PK11PreSlotInfo *slotInfo = NULL;
-    int i=0,count = 0,next;
+    char *value;
+    long retValue;
+    if (isdefault) *isdefault = PR_FALSE; 
 
-    *retCount = 0;
-    if ((slotParams == NULL) || (*slotParams == 0))  return NULL;
+    value = NSSUTIL_ArgGetParamValue(label,params);
+    if (value == NULL) {
+        if (isdefault) *isdefault = PR_TRUE;
+        return defValue;
+    }
+    retValue = NSSUTIL_ArgDecodeNumber(value);
+    if (value) PORT_Free(value);
 
-    /* first count the number of slots */
-    for (slotIndex = secmod_argStrip(slotParams); *slotIndex; 
-         slotIndex = secmod_argStrip(secmod_argSkipParameter(slotIndex))) {
-        count++;
+    return retValue;
+}
+
+
+/*
+ * prepare a string to be quoted with 'quote' marks. We do that by adding
+ * appropriate escapes.
+ */
+static int
+nssutil_escapeQuotesSize(const char *string, char quote, PRBool addquotes)
+{
+    int escapes = 0, size = 0;
+    const char *src;
+
+    size= addquotes ? 2 : 0;
+    for (src=string; *src ; src++) {
+        if ((*src == quote) || (*src == '\\')) escapes++;
+        size++;
+    }
+    return size+escapes+1;
+
+}
+
+static char *
+nssutil_escapeQuotes(const char *string, char quote, PRBool addquotes)
+{
+    char *newString = 0;
+    int size = 0;
+    const char *src;
+    char *dest;
+
+    size = nssutil_escapeQuotesSize(string, quote, addquotes);
+
+    dest = newString = PORT_ZAlloc(size+2); 
+    if (newString == NULL) {
+        return NULL;
     }
 
-    /* get the data structures */
-    if (arena) {
-        slotInfo = (PK11PreSlotInfo *) 
-                        PORT_ArenaAlloc(arena,count*sizeof(PK11PreSlotInfo));
-        PORT_Memset(slotInfo,0,count*sizeof(PK11PreSlotInfo));
-    } else {
-        slotInfo = (PK11PreSlotInfo *) 
-                        PORT_ZAlloc(count*sizeof(PK11PreSlotInfo));
+    if (addquotes) *dest++=quote;
+    for (src=string; *src; src++,dest++) {
+        if ((*src == '\\') || (*src == quote)) {
+            *dest++ = '\\';
+        }
+        *dest = *src;
     }
-    if (slotInfo == NULL) return NULL;
+    if (addquotes) *dest=quote;
 
-    for (slotIndex = secmod_argStrip(slotParams), i = 0; 
-                                        *slotIndex && i < count ; ) {
-        char *name;
-        name = secmod_argGetName(slotIndex,&next);
-        slotIndex += next;
-
-        if (!secmod_argIsBlank(*slotIndex)) {
-            char *args = secmod_argFetchValue(slotIndex,&next);
-            slotIndex += next;
-            if (args) {
-                secmod_argDecodeSingleSlotInfo(name,args,&slotInfo[i]);
-                i++;
-                PORT_Free(args);
-            }
-        }
-        if (name) PORT_Free(name);
-        slotIndex = secmod_argStrip(slotIndex);
-    }
-    *retCount = i;
-    return slotInfo;
+    return newString;
 }
 
-static char *secmod_nullString = "";
+int
+NSSUTIL_EscapeSize(const char *string, char quote)
+{
+     return nssutil_escapeQuotesSize(string, quote, PR_FALSE);
+}
+
+char *
+NSSUTIL_Escape(const char *string, char quote)
+{
+    return nssutil_escapeQuotes(string, quote, PR_FALSE);
+}
+
+
+int
+NSSUTIL_QuoteSize(const char *string, char quote)
+{
+     return nssutil_escapeQuotesSize(string, quote, PR_TRUE);
+}
+
+char *
+NSSUTIL_Quote(const char *string, char quote)
+{
+    return nssutil_escapeQuotes(string, quote, PR_TRUE);
+}
+
+int
+NSSUTIL_DoubleEscapeSize(const char *string, char quote1, char quote2)
+{
+    int escapes = 0, size = 0;
+    const char *src;
+    for (src=string; *src ; src++) {
+        if (*src == '\\')   escapes+=3; /* \\\\ */
+        if (*src == quote1) escapes+=2; /* \\quote1 */
+        if (*src == quote2) escapes++;   /* \quote2 */
+        size++;
+    }
+
+    return escapes+size+1;
+}
+
+char *
+NSSUTIL_DoubleEscape(const char *string, char quote1, char quote2)
+{
+    char *round1 = NULL;
+    char *retValue = NULL;
+    if (string == NULL) {
+        goto done;
+    }
+    round1 = nssutil_escapeQuotes(string, quote1, PR_FALSE);
+    if (round1) {
+        retValue = nssutil_escapeQuotes(round1, quote2, PR_FALSE);
+        PORT_Free(round1);
+    }
+
+done:
+    if (retValue == NULL) {
+        retValue = PORT_Strdup("");
+    }
+    return retValue;
+}
+
+
+/************************************************************************
+ * These functions are used in contructing strings.
+ * NOTE: they will always return a string, but sometimes it will return
+ * a specific NULL string. These strings must be freed with util_freePair.
+ */
+
+/* string to return on error... */
+static char *nssutil_nullString = "";
 
 static char *
-secmod_formatValue(PRArenaPool *arena, char *value, char quote)
+nssutil_formatValue(PRArenaPool *arena, char *value, char quote)
 {
     char *vp,*vp2,*retval;
     int size = 0, escapes = 0;
 
     for (vp=value; *vp ;vp++) {
-        if ((*vp == quote) || (*vp == SECMOD_ARG_ESCAPE)) escapes++;
+        if ((*vp == quote) || (*vp == NSSUTIL_ARG_ESCAPE)) escapes++;
         size++;
     }
     if (arena) {
         retval = PORT_ArenaZAlloc(arena,size+escapes+1);
     } else {
         retval = PORT_ZAlloc(size+escapes+1);
     }
     if (retval == NULL) return NULL;
     vp2 = retval;
     for (vp=value; *vp; vp++) {
-        if ((*vp == quote) || (*vp == SECMOD_ARG_ESCAPE)) 
-                                *vp2++ = SECMOD_ARG_ESCAPE;
+        if ((*vp == quote) || (*vp == NSSUTIL_ARG_ESCAPE)) 
+                                *vp2++ = NSSUTIL_ARG_ESCAPE;
         *vp2++ = *vp;
     }
     return retval;
 }
-    
-static char *secmod_formatPair(char *name,char *value, char quote)
+
+
+static PRBool nssutil_argHasChar(char *v, char c)
+{
+   for ( ;*v; v++) {
+        if (*v == c) return PR_TRUE;
+   }
+   return PR_FALSE;
+}
+
+static PRBool nssutil_argHasBlanks(char *v)
+{
+   for ( ;*v; v++) {
+        if (NSSUTIL_ArgIsBlank(*v)) return PR_TRUE;
+   }
+   return PR_FALSE;
+}
+
+static char *
+nssutil_formatPair(char *name, char *value, char quote)
 {
     char openQuote = quote;
-    char closeQuote = secmod_argGetPair(quote);
+    char closeQuote = NSSUTIL_ArgGetPair(quote);
     char *newValue = NULL;
     char *returnValue;
     PRBool need_quote = PR_FALSE;
 
-    if (!value || (*value == 0)) return secmod_nullString;
+    if (!value || (*value == 0)) return nssutil_nullString;
 
-    if (secmod_argHasBlanks(value) || secmod_argIsQuote(value[0]))
+    if (nssutil_argHasBlanks(value) || NSSUTIL_ArgIsQuote(value[0]))
                                                          need_quote=PR_TRUE;
 
-    if ((need_quote && secmod_argHasChar(value,closeQuote))
-                                 || secmod_argHasChar(value,SECMOD_ARG_ESCAPE)) {
-        value = newValue = secmod_formatValue(NULL, value,quote);
-        if (newValue == NULL) return secmod_nullString;
+    if ((need_quote && nssutil_argHasChar(value,closeQuote))
+                        || nssutil_argHasChar(value,NSSUTIL_ARG_ESCAPE)) {
+        value = newValue = nssutil_formatValue(NULL, value,quote);
+        if (newValue == NULL) return nssutil_nullString;
     }
     if (need_quote) {
         returnValue = PR_smprintf("%s=%c%s%c",name,openQuote,value,closeQuote);
     } else {
         returnValue = PR_smprintf("%s=%s",name,value);
     }
-    if (returnValue == NULL) returnValue = secmod_nullString;
+    if (returnValue == NULL) returnValue = nssutil_nullString;
 
     if (newValue) PORT_Free(newValue);
 
     return returnValue;
 }
 
-static char *secmod_formatIntPair(char *name, unsigned long value, 
+static char *nssutil_formatIntPair(char *name, unsigned long value, 
                                   unsigned long def)
 {
     char *returnValue;
 
-    if (value == def) return secmod_nullString;
+    if (value == def) return nssutil_nullString;
 
     returnValue = PR_smprintf("%s=%d",name,value);
 
     return returnValue;
 }
 
 static void
-secmod_freePair(char *pair)
+nssutil_freePair(char *pair)
 {
-    if (pair && pair != secmod_nullString) {
+    if (pair && pair != nssutil_nullString) {
         PR_smprintf_free(pair);
     }
 }
 
-#define MAX_FLAG_SIZE  sizeof("internal")+sizeof("FIPS")+sizeof("moduleDB")+\
-                                sizeof("moduleDBOnly")+sizeof("critical")
-static char *
-secmod_mkNSSFlags(PRBool internal, PRBool isFIPS,
-                PRBool isModuleDB, PRBool isModuleDBOnly, PRBool isCritical)
+
+/************************************************************************
+ * Parse the Slot specific parameters in the NSS params.
+ */
+
+struct nssutilArgSlotFlagTable {
+    char *name;
+    int len;
+    unsigned long value;
+};
+
+#define NSSUTIL_ARG_ENTRY(arg,flag) \
+{ #arg , sizeof(#arg)-1, flag }
+static struct nssutilArgSlotFlagTable nssutil_argSlotFlagTable[] = {
+        NSSUTIL_ARG_ENTRY(RSA,SECMOD_RSA_FLAG),
+        NSSUTIL_ARG_ENTRY(DSA,SECMOD_RSA_FLAG),
+        NSSUTIL_ARG_ENTRY(RC2,SECMOD_RC4_FLAG),
+        NSSUTIL_ARG_ENTRY(RC4,SECMOD_RC2_FLAG),
+        NSSUTIL_ARG_ENTRY(DES,SECMOD_DES_FLAG),
+        NSSUTIL_ARG_ENTRY(DH,SECMOD_DH_FLAG),
+        NSSUTIL_ARG_ENTRY(FORTEZZA,SECMOD_FORTEZZA_FLAG),
+        NSSUTIL_ARG_ENTRY(RC5,SECMOD_RC5_FLAG),
+        NSSUTIL_ARG_ENTRY(SHA1,SECMOD_SHA1_FLAG),
+        NSSUTIL_ARG_ENTRY(MD5,SECMOD_MD5_FLAG),
+        NSSUTIL_ARG_ENTRY(MD2,SECMOD_MD2_FLAG),
+        NSSUTIL_ARG_ENTRY(SSL,SECMOD_SSL_FLAG),
+        NSSUTIL_ARG_ENTRY(TLS,SECMOD_TLS_FLAG),
+        NSSUTIL_ARG_ENTRY(AES,SECMOD_AES_FLAG),
+        NSSUTIL_ARG_ENTRY(Camellia,SECMOD_CAMELLIA_FLAG),
+        NSSUTIL_ARG_ENTRY(SEED,SECMOD_SEED_FLAG),
+        NSSUTIL_ARG_ENTRY(PublicCerts,SECMOD_FRIENDLY_FLAG),
+        NSSUTIL_ARG_ENTRY(RANDOM,SECMOD_RANDOM_FLAG),
+        NSSUTIL_ARG_ENTRY(Disable, SECMOD_DISABLE_FLAG),
+};
+
+static int nssutil_argSlotFlagTableSize = 
+        sizeof(nssutil_argSlotFlagTable)/sizeof(nssutil_argSlotFlagTable[0]);
+
+
+/* turn the slot flags into a bit mask */
+unsigned long
+NSSUTIL_ArgParseSlotFlags(char *label,char *params)
 {
-    char *flags = (char *)PORT_ZAlloc(MAX_FLAG_SIZE);
-    PRBool first = PR_TRUE;
+    char *flags,*index;
+    unsigned long retValue = 0;
+    int i;
+    PRBool all = PR_FALSE;
 
-    PORT_Memset(flags,0,MAX_FLAG_SIZE);
-    if (internal) {
-        PORT_Strcat(flags,"internal");
-        first = PR_FALSE;
-    }
-    if (isFIPS) {
-        if (!first) PORT_Strcat(flags,",");
-        PORT_Strcat(flags,"FIPS");
-        first = PR_FALSE;
-    }
-    if (isModuleDB) {
-        if (!first) PORT_Strcat(flags,",");
-        PORT_Strcat(flags,"moduleDB");
-        first = PR_FALSE;
-    }
-    if (isModuleDBOnly) {
-        if (!first) PORT_Strcat(flags,",");
-        PORT_Strcat(flags,"moduleDBOnly");
-        first = PR_FALSE;
-    }
-    if (isCritical) {
-        if (!first) PORT_Strcat(flags,",");
-        PORT_Strcat(flags,"critical");
-        first = PR_FALSE;
-    }
-    return flags;
-}
+    flags = NSSUTIL_ArgGetParamValue(label,params);
+    if (flags == NULL) return 0;
 
-static char *
-secmod_mkCipherFlags(unsigned long ssl0, unsigned long ssl1)
-{
-    char *cipher = NULL;
-    int i;
+    if (PORT_Strcasecmp(flags,"all") == 0) all = PR_TRUE;
 
-    for (i=0; i < sizeof(ssl0)*8; i++) {
-        if (ssl0 & (1<<i)) {
-            char *string;
-            if ((1<<i) == SECMOD_FORTEZZA_FLAG) {
-                string = PR_smprintf("%s","FORTEZZA");
-            } else {
-                string = PR_smprintf("0h0x%08x",1<<i);
-            }
-            if (cipher) {
-                char *tmp;
-                tmp = PR_smprintf("%s,%s",cipher,string);
-                PR_smprintf_free(cipher);
-                PR_smprintf_free(string);
-                cipher = tmp;
-            } else {
-                cipher = string;
+    for (index=flags; *index; index=NSSUTIL_ArgNextFlag(index)) {
+        for (i=0; i < nssutil_argSlotFlagTableSize; i++) {
+            if (all || 
+                (PORT_Strncasecmp(index, nssutil_argSlotFlagTable[i].name,
+                                nssutil_argSlotFlagTable[i].len) == 0)) {
+                retValue |= nssutil_argSlotFlagTable[i].value;
             }
         }
     }
-    for (i=0; i < sizeof(ssl0)*8; i++) {
-        if (ssl1 & (1<<i)) {
-            if (cipher) {
-                char *tmp;
-                tmp = PR_smprintf("%s,0l0x%08x",cipher,1<<i);
-                PR_smprintf_free(cipher);
-                cipher = tmp;
-            } else {
-                cipher = PR_smprintf("0l0x%08x",1<<i);
+    PORT_Free(flags);
+    return retValue;
+}
+
+
+/* parse a single slot specific parameter */
+static void
+nssutil_argDecodeSingleSlotInfo(char *name, char *params, 
+                               struct NSSUTILPreSlotInfoStr *slotInfo)
+{
+    char *askpw;
+
+    slotInfo->slotID=NSSUTIL_ArgDecodeNumber(name);
+    slotInfo->defaultFlags=NSSUTIL_ArgParseSlotFlags("slotFlags",params);
+    slotInfo->timeout=NSSUTIL_ArgReadLong("timeout",params, 0, NULL);
+
+    askpw = NSSUTIL_ArgGetParamValue("askpw",params);
+    slotInfo->askpw = 0;
+
+    if (askpw) {
+        if (PORT_Strcasecmp(askpw,"every") == 0) {
+            slotInfo->askpw = -1;
+        } else if (PORT_Strcasecmp(askpw,"timeout") == 0) {
+            slotInfo->askpw = 1;
+        } 
+        PORT_Free(askpw);
+        slotInfo->defaultFlags |= PK11_OWN_PW_DEFAULTS;
+    }
+    slotInfo->hasRootCerts = NSSUTIL_ArgHasFlag("rootFlags", "hasRootCerts", 
+                                               params);
+    slotInfo->hasRootTrust = NSSUTIL_ArgHasFlag("rootFlags", "hasRootTrust", 
+                                               params);
+}
+
+/* parse all the slot specific parameters. */
+struct NSSUTILPreSlotInfoStr *
+NSSUTIL_ArgParseSlotInfo(PRArenaPool *arena, char *slotParams, int *retCount)
+{
+    char *slotIndex;
+    struct NSSUTILPreSlotInfoStr *slotInfo = NULL;
+    int i=0,count = 0,next;
+
+    *retCount = 0;
+    if ((slotParams == NULL) || (*slotParams == 0))  return NULL;
+
+    /* first count the number of slots */
+    for (slotIndex = NSSUTIL_ArgStrip(slotParams); *slotIndex; 
+         slotIndex = NSSUTIL_ArgStrip(NSSUTIL_ArgSkipParameter(slotIndex))) {
+        count++;
+    }
+
+    /* get the data structures */
+    if (arena) {
+        slotInfo = PORT_ArenaZNewArray(arena,
+                                struct NSSUTILPreSlotInfoStr, count); 
+    } else {
+        slotInfo = PORT_ZNewArray(struct NSSUTILPreSlotInfoStr, count);
+    }
+    if (slotInfo == NULL) return NULL;
+
+    for (slotIndex = NSSUTIL_ArgStrip(slotParams), i = 0; 
+                                        *slotIndex && i < count ; ) {
+        char *name;
+        name = NSSUTIL_ArgGetLabel(slotIndex,&next);
+        slotIndex += next;
+
+        if (!NSSUTIL_ArgIsBlank(*slotIndex)) {
+            char *args = NSSUTIL_ArgFetchValue(slotIndex,&next);
+            slotIndex += next;
+            if (args) {
+                nssutil_argDecodeSingleSlotInfo(name,args,&slotInfo[i]);
+                i++;
+                PORT_Free(args);
             }
         }
+        if (name) PORT_Free(name);
+        slotIndex = NSSUTIL_ArgStrip(slotIndex);
     }
-
-    return cipher;
+    *retCount = i;
+    return slotInfo;
 }
 
+/************************************************************************
+ * make a new slot specific parameter 
+ */
+/* first make the slot flags */
 static char *
-secmod_mkSlotFlags(unsigned long defaultFlags)
+nssutil_mkSlotFlags(unsigned long defaultFlags)
 {
     char *flags=NULL;
     int i,j;
 
     for (i=0; i < sizeof(defaultFlags)*8; i++) {
         if (defaultFlags & (1<<i)) {
             char *string = NULL;
 
-            for (j=0; j < secmod_argSlotFlagTableSize; j++) {
-                if (secmod_argSlotFlagTable[j].value == ( 1UL << i )) {
-                    string = secmod_argSlotFlagTable[j].name;
+            for (j=0; j < nssutil_argSlotFlagTableSize; j++) {
+                if (nssutil_argSlotFlagTable[j].value == ( 1UL << i )) {
+                    string = nssutil_argSlotFlagTable[j].name;
                     break;
                 }
             }
             if (string) {
                 if (flags) {
                     char *tmp;
                     tmp = PR_smprintf("%s,%s",flags,string);
                     PR_smprintf_free(flags);
                     flags = tmp;
                 } else {
                     flags = PR_smprintf("%s",string);
                 }
             }
         }
     }
 
     return flags;
 }
 
-#define SECMOD_MAX_ROOT_FLAG_SIZE  sizeof("hasRootCerts")+sizeof("hasRootTrust")
-
+/* now make the root flags */
+#define NSSUTIL_MAX_ROOT_FLAG_SIZE  sizeof("hasRootCerts")+sizeof("hasRootTrust")
 static char *
-secmod_mkRootFlags(PRBool hasRootCerts, PRBool hasRootTrust)
+nssutil_mkRootFlags(PRBool hasRootCerts, PRBool hasRootTrust)
 {
-    char *flags= (char *)PORT_ZAlloc(SECMOD_MAX_ROOT_FLAG_SIZE);
+    char *flags= (char *)PORT_ZAlloc(NSSUTIL_MAX_ROOT_FLAG_SIZE);
     PRBool first = PR_TRUE;
 
-    PORT_Memset(flags,0,SECMOD_MAX_ROOT_FLAG_SIZE);
+    PORT_Memset(flags,0,NSSUTIL_MAX_ROOT_FLAG_SIZE);
     if (hasRootCerts) {
         PORT_Strcat(flags,"hasRootCerts");
         first = PR_FALSE;
     }
     if (hasRootTrust) {
         if (!first) PORT_Strcat(flags,",");
         PORT_Strcat(flags,"hasRootTrust");
         first = PR_FALSE;
     }
     return flags;
 }
 
-static char *
-secmod_mkSlotString(unsigned long slotID, unsigned long defaultFlags,
+/* now make a full slot string */
+char *
+NSSUTIL_MkSlotString(unsigned long slotID, unsigned long defaultFlags,
                   unsigned long timeout, unsigned char askpw_in,
                   PRBool hasRootCerts, PRBool hasRootTrust) {
     char *askpw,*flags,*rootFlags,*slotString;
     char *flagPair,*rootFlagsPair;
         
     switch (askpw_in) {
     case 0xff:
         askpw = "every";
         break;
     case 1:
         askpw = "timeout";
         break;
     default:
         askpw = "any";
         break;
     }
-    flags = secmod_mkSlotFlags(defaultFlags);
-    rootFlags = secmod_mkRootFlags(hasRootCerts,hasRootTrust);
-    flagPair=secmod_formatPair("slotFlags",flags,'\'');
-    rootFlagsPair=secmod_formatPair("rootFlags",rootFlags,'\'');
+    flags = nssutil_mkSlotFlags(defaultFlags);
+    rootFlags = nssutil_mkRootFlags(hasRootCerts,hasRootTrust);
+    flagPair = nssutil_formatPair("slotFlags",flags,'\'');
+    rootFlagsPair = nssutil_formatPair("rootFlags",rootFlags,'\'');
     if (flags) PR_smprintf_free(flags);
     if (rootFlags) PORT_Free(rootFlags);
     if (defaultFlags & PK11_OWN_PW_DEFAULTS) {
         slotString = PR_smprintf("0x%08lx=[%s askpw=%s timeout=%d %s]",
                                 (PRUint32)slotID,flagPair,askpw,timeout,
                                 rootFlagsPair);
     } else {
         slotString = PR_smprintf("0x%08lx=[%s %s]",
                                 (PRUint32)slotID,flagPair,rootFlagsPair);
     }
-    secmod_freePair(flagPair);
-    secmod_freePair(rootFlagsPair);
+    nssutil_freePair(flagPair);
+    nssutil_freePair(rootFlagsPair);
     return slotString;
 }
 
+
+/************************************************************************
+ * Parse Full module specs into: library, commonName, module parameters,
+ * and NSS specifi parameters.
+ */
+SECStatus
+NSSUTIL_ArgParseModuleSpec(char *modulespec, char **lib, char **mod, 
+                                        char **parameters, char **nss)
+{
+    int next;
+    modulespec = NSSUTIL_ArgStrip(modulespec);
+
+    *lib = *mod = *parameters = *nss = 0;
+
+    while (*modulespec) {
+        NSSUTIL_HANDLE_STRING_ARG(modulespec,*lib,"library=",;)
+        NSSUTIL_HANDLE_STRING_ARG(modulespec,*mod,"name=",;)
+        NSSUTIL_HANDLE_STRING_ARG(modulespec,*parameters,"parameters=",;)
+        NSSUTIL_HANDLE_STRING_ARG(modulespec,*nss,"nss=",;)
+        NSSUTIL_HANDLE_FINAL_ARG(modulespec)
+   }
+   return SECSuccess;
+}
+
+/************************************************************************
+ * make a new module spec from it's components */
+char *
+NSSUTIL_MkModuleSpec(char *dllName, char *commonName, char *parameters, 
+                                                                char *NSS)
+{
+    char *moduleSpec;
+    char *lib,*name,*param,*nss;
+
+    /*
+     * now the final spec
+     */
+    lib = nssutil_formatPair("library",dllName,'\"');
+    name = nssutil_formatPair("name",commonName,'\"');
+    param = nssutil_formatPair("parameters",parameters,'\"');
+    nss = nssutil_formatPair("NSS",NSS,'\"');
+    moduleSpec = PR_smprintf("%s %s %s %s", lib,name,param,nss);
+    nssutil_freePair(lib);
+    nssutil_freePair(name);
+    nssutil_freePair(param);
+    nssutil_freePair(nss);
+    return (moduleSpec);
+}
+
+
+#define NSSUTIL_ARG_FORTEZZA_FLAG "FORTEZZA"
+/******************************************************************************
+ * Parse the cipher flags from the NSS parameter
+ */
+void
+NSSUTIL_ArgParseCipherFlags(unsigned long *newCiphers,char *cipherList)
+{
+    newCiphers[0] = newCiphers[1] = 0;
+    if ((cipherList == NULL) || (*cipherList == 0)) return;
+
+    for (;*cipherList; cipherList=NSSUTIL_ArgNextFlag(cipherList)) {
+        if (PORT_Strncasecmp(cipherList,NSSUTIL_ARG_FORTEZZA_FLAG,
+                                sizeof(NSSUTIL_ARG_FORTEZZA_FLAG)-1) == 0) {
+            newCiphers[0] |= SECMOD_FORTEZZA_FLAG;
+        } 
+
+        /* add additional flags here as necessary */
+        /* direct bit mapping escape */
+        if (*cipherList == 0) {
+           if (cipherList[1] == 'l') {
+                newCiphers[1] |= atoi(&cipherList[2]);
+           } else {
+                newCiphers[0] |= atoi(&cipherList[2]);
+           }
+        }
+    }
+}
+
+
+/*********************************************************************
+ * make NSS parameter...
+ */
+/* First make NSS specific flags */
+#define MAX_FLAG_SIZE  sizeof("internal")+sizeof("FIPS")+sizeof("moduleDB")+\
+                                sizeof("moduleDBOnly")+sizeof("critical")
 static char *
-secmod_mkNSS(char **slotStrings, int slotCount, PRBool internal, PRBool isFIPS,
-          PRBool isModuleDB,  PRBool isModuleDBOnly, PRBool isCritical, 
-          unsigned long trustOrder, unsigned long cipherOrder,
-                                unsigned long ssl0, unsigned long ssl1) {
+nssutil_mkNSSFlags(PRBool internal, PRBool isFIPS,
+                PRBool isModuleDB, PRBool isModuleDBOnly, PRBool isCritical)
+{
+    char *flags = (char *)PORT_ZAlloc(MAX_FLAG_SIZE);
+    PRBool first = PR_TRUE;
+
+    PORT_Memset(flags,0,MAX_FLAG_SIZE);
+    if (internal) {
+        PORT_Strcat(flags,"internal");
+        first = PR_FALSE;
+    }
+    if (isFIPS) {
+        if (!first) PORT_Strcat(flags,",");
+        PORT_Strcat(flags,"FIPS");
+        first = PR_FALSE;
+    }
+    if (isModuleDB) {
+        if (!first) PORT_Strcat(flags,",");
+        PORT_Strcat(flags,"moduleDB");
+        first = PR_FALSE;
+    }
+    if (isModuleDBOnly) {
+        if (!first) PORT_Strcat(flags,",");
+        PORT_Strcat(flags,"moduleDBOnly");
+        first = PR_FALSE;
+    }
+    if (isCritical) {
+        if (!first) PORT_Strcat(flags,",");
+        PORT_Strcat(flags,"critical");
+        first = PR_FALSE;
+    }
+    return flags;
+}
+
+
+/* construct the NSS cipher flags */
+static char *
+nssutil_mkCipherFlags(unsigned long ssl0, unsigned long ssl1)
+{
+    char *cipher = NULL;
+    int i;
+
+    for (i=0; i < sizeof(ssl0)*8; i++) {
+        if (ssl0 & (1<<i)) {
+            char *string;
+            if ((1<<i) == SECMOD_FORTEZZA_FLAG) {
+                string = PR_smprintf("%s",NSSUTIL_ARG_FORTEZZA_FLAG);
+            } else {
+                string = PR_smprintf("0h0x%08x",1<<i);
+            }
+            if (cipher) {
+                char *tmp;
+                tmp = PR_smprintf("%s,%s",cipher,string);
+                PR_smprintf_free(cipher);
+                PR_smprintf_free(string);
+                cipher = tmp;
+            } else {
+                cipher = string;
+            }
+        }
+    }
+    for (i=0; i < sizeof(ssl0)*8; i++) {
+        if (ssl1 & (1<<i)) {
+            if (cipher) {
+                char *tmp;
+                tmp = PR_smprintf("%s,0l0x%08x",cipher,1<<i);
+                PR_smprintf_free(cipher);
+                cipher = tmp;
+            } else {
+                cipher = PR_smprintf("0l0x%08x",1<<i);
+            }
+        }
+    }
+
+    return cipher;
+}
+
+/* Assemble a full NSS string. */
+char *
+NSSUTIL_MkNSSString(char **slotStrings, int slotCount, PRBool internal, 
+          PRBool isFIPS, PRBool isModuleDB,  PRBool isModuleDBOnly, 
+          PRBool isCritical, unsigned long trustOrder, 
+          unsigned long cipherOrder, unsigned long ssl0, unsigned long ssl1)
+{
     int slotLen, i;
     char *slotParams, *ciphers, *nss, *nssFlags, *tmp;
     char *trustOrderPair,*cipherOrderPair,*slotPair,*cipherPair,*flagPair;
 
 
     /* now let's build up the string
      * first the slot infos
      */
     slotLen=0;
     for (i=0; i < (int)slotCount; i++) {
         slotLen += PORT_Strlen(slotStrings[i])+1;
     }
     slotLen += 1; /* space for the final NULL */
 
     slotParams = (char *)PORT_ZAlloc(slotLen);
     PORT_Memset(slotParams,0,slotLen);
     for (i=0; i < (int)slotCount; i++) {
         PORT_Strcat(slotParams,slotStrings[i]);
         PORT_Strcat(slotParams," ");
         PR_smprintf_free(slotStrings[i]);
         slotStrings[i]=NULL;
     }
     
     /*
      * now the NSS structure
      */
-    nssFlags = secmod_mkNSSFlags(internal,isFIPS,isModuleDB,isModuleDBOnly,
+    nssFlags = nssutil_mkNSSFlags(internal,isFIPS,isModuleDB,isModuleDBOnly,
                                                         isCritical); 
         /* for now only the internal module is critical */
-    ciphers = secmod_mkCipherFlags(ssl0, ssl1);
+    ciphers = nssutil_mkCipherFlags(ssl0, ssl1);
 
-    trustOrderPair=secmod_formatIntPair("trustOrder",trustOrder,
-                                        SECMOD_DEFAULT_TRUST_ORDER);
-    cipherOrderPair=secmod_formatIntPair("cipherOrder",cipherOrder,
-                                        SECMOD_DEFAULT_CIPHER_ORDER);
-    slotPair=secmod_formatPair("slotParams",slotParams,'{'); /* } */
+    trustOrderPair = nssutil_formatIntPair("trustOrder",trustOrder,
+                                        NSSUTIL_DEFAULT_TRUST_ORDER);
+    cipherOrderPair = nssutil_formatIntPair("cipherOrder",cipherOrder,
+                                        NSSUTIL_DEFAULT_CIPHER_ORDER);
+    slotPair=nssutil_formatPair("slotParams",slotParams,'{'); /* } */
     if (slotParams) PORT_Free(slotParams);
-    cipherPair=secmod_formatPair("ciphers",ciphers,'\'');
+    cipherPair=nssutil_formatPair("ciphers",ciphers,'\'');
     if (ciphers) PR_smprintf_free(ciphers);
-    flagPair=secmod_formatPair("Flags",nssFlags,'\'');
+    flagPair=nssutil_formatPair("Flags",nssFlags,'\'');
     if (nssFlags) PORT_Free(nssFlags);
     nss = PR_smprintf("%s %s %s %s %s",trustOrderPair,
                         cipherOrderPair,slotPair,cipherPair,flagPair);
-    secmod_freePair(trustOrderPair);
-    secmod_freePair(cipherOrderPair);
-    secmod_freePair(slotPair);
-    secmod_freePair(cipherPair);
-    secmod_freePair(flagPair);
-    tmp = secmod_argStrip(nss);
+    nssutil_freePair(trustOrderPair);
+    nssutil_freePair(cipherOrderPair);
+    nssutil_freePair(slotPair);
+    nssutil_freePair(cipherPair);
+    nssutil_freePair(flagPair);
+    tmp = NSSUTIL_ArgStrip(nss);
     if (*tmp == '\0') {
         PR_smprintf_free(nss);
         nss = NULL;
     }
     return nss;
 }
 
-static char *
-secmod_mkNewModuleSpec(char *dllName, char *commonName, char *parameters, 
-                                                                char *NSS) {
-    char *moduleSpec;
-    char *lib,*name,*param,*nss;
+/*****************************************************************************
+ *
+ * Private calls for use by softoken and utilmod.c
+ */
 
-    /*
-     * now the final spec
-     */
-    lib = secmod_formatPair("library",dllName,'\"');
-    name = secmod_formatPair("name",commonName,'\"');
-    param = secmod_formatPair("parameters",parameters,'\"');
-    nss = secmod_formatPair("NSS",NSS,'\"');
-    moduleSpec = PR_smprintf("%s %s %s %s", lib,name,param,nss);
-    secmod_freePair(lib);
-    secmod_freePair(name);
-    secmod_freePair(param);
-    secmod_freePair(nss);
-    return (moduleSpec);
+#define SQLDB "sql:"
+#define EXTERNDB "extern:"
+#define LEGACY "dbm:"
+#define MULTIACCESS "multiaccess:"
+#define SECMOD_DB "secmod.db"
+const char *
+_NSSUTIL_EvaluateConfigDir(const char *configdir, 
+                           NSSDBType *pdbType, char **appName)
+{
+    NSSDBType dbType;
+    *appName = NULL;
+/* force the default */
+#ifdef NSS_DISABLE_DBM
+    dbType = NSS_DB_TYPE_SQL;
+#else
+    dbType = NSS_DB_TYPE_LEGACY;
+#endif
+    if (PORT_Strncmp(configdir, MULTIACCESS, sizeof(MULTIACCESS)-1) == 0) {
+        char *cdir;
+        dbType = NSS_DB_TYPE_MULTIACCESS;
+
+        *appName = PORT_Strdup(configdir+sizeof(MULTIACCESS)-1);
+        if (*appName == NULL) {
+            return configdir;
+        }
+        cdir = *appName;
+        while (*cdir && *cdir != ':') {
+            cdir++;
+        }
+        if (*cdir == ':') {
+           *cdir = 0;
+           cdir++;
+        }
+        configdir = cdir;
+    } else if (PORT_Strncmp(configdir, SQLDB, sizeof(SQLDB)-1) == 0) {
+        dbType = NSS_DB_TYPE_SQL;
+        configdir = configdir + sizeof(SQLDB) -1;
+    } else if (PORT_Strncmp(configdir, EXTERNDB, sizeof(EXTERNDB)-1) == 0) {
+        dbType = NSS_DB_TYPE_EXTERN;
+        configdir = configdir + sizeof(EXTERNDB) -1;
+    } else if (PORT_Strncmp(configdir, LEGACY, sizeof(LEGACY)-1) == 0) {
+        dbType = NSS_DB_TYPE_LEGACY;
+        configdir = configdir + sizeof(LEGACY) -1;
+    } else {
+        /* look up the default from the environment */
+        char *defaultType = PR_GetEnv("NSS_DEFAULT_DB_TYPE");
+        if (defaultType != NULL) {
+            if (PORT_Strncmp(defaultType, SQLDB, sizeof(SQLDB)-2) == 0) {
+                dbType = NSS_DB_TYPE_SQL;
+            } else if (PORT_Strncmp(defaultType,EXTERNDB,sizeof(EXTERNDB)-2)==0) {
+                dbType = NSS_DB_TYPE_EXTERN;
+            } else if (PORT_Strncmp(defaultType, LEGACY, sizeof(LEGACY)-2) == 0) {
+                dbType = NSS_DB_TYPE_LEGACY;
+            }
+        }
+    }
+    /* if the caller has already set a type, don't change it */
+    if (*pdbType == NSS_DB_TYPE_NONE) {
+        *pdbType = dbType;
+    }
+    return configdir;
 }
 
+char *
+_NSSUTIL_GetSecmodName(char *param, NSSDBType *dbType, char **appName,
+                   char **filename, PRBool *rw)
+{
+    int next;
+    char *configdir = NULL;
+    char *secmodName = NULL;
+    char *value = NULL;
+    char *save_params = param;
+    const char *lconfigdir;
+    param = NSSUTIL_ArgStrip(param);
+        
+
+    while (*param) {
+        NSSUTIL_HANDLE_STRING_ARG(param,configdir,"configDir=",;)
+        NSSUTIL_HANDLE_STRING_ARG(param,secmodName,"secmod=",;)
+        NSSUTIL_HANDLE_FINAL_ARG(param)
+   }
+
+   *rw = PR_TRUE;
+   if (NSSUTIL_ArgHasFlag("flags","readOnly",save_params)) {
+        *rw = PR_FALSE;
+   }
+
+   if (!secmodName || *secmodName == '\0') {
+        if (secmodName) PORT_Free(secmodName);
+        secmodName = PORT_Strdup(SECMOD_DB);
+   }
+
+   *filename = secmodName;
+   lconfigdir = _NSSUTIL_EvaluateConfigDir(configdir, dbType, appName);
+
+   if (NSSUTIL_ArgHasFlag("flags","noModDB",save_params)) {
+        /* there isn't a module db, don't load the legacy support */
+        *dbType = NSS_DB_TYPE_SQL;
+        *rw = PR_FALSE;
+   }
+
+   /* only use the renamed secmod for legacy databases */
+   if ((*dbType != NSS_DB_TYPE_LEGACY) && 
+        (*dbType != NSS_DB_TYPE_MULTIACCESS)) {
+        secmodName="pkcs11.txt";
+   }
+
+   if (lconfigdir) {
+        value = PR_smprintf("%s" NSSUTIL_PATH_SEPARATOR "%s",
+                        lconfigdir,secmodName);
+   } else {
+        value = PR_smprintf("%s",secmodName);
+   }
+   if (configdir) PORT_Free(configdir);
+   return value;
+}
+
+