mozpkix should live in NSS and replace the old pkix libraries. In this first step the mozpkix code gets moved to NSS and linked statically into Firefox.

This patch adds mozpkix to NSS and builds it as a static library, which is then used in PSM. There are two static libs: `mozpkix` and `mozpkix-test`. The latter is needed for PSM gtests. Currently the static mozpkix libraries always built with gyp. If we want to build mozpkix only for Firefox, we could do that. The re-naming of `Time.h` to `PkixTime.h` is necessary because it would conflict with `time.h` on Windows. I have of course a separate patch for NSS but this gives the entire picture. If there are no fundamental objections, I'll upload the two separate patches for NSS and Firefox.

This patch copies mozpkix from mozilla-central to NSS with all its history (thanks to hg convert). It'll need changes to the NSS repository to get this landed (we don't allow more than one root currenlty and I have to get someone to allow this new root).

This moves mozpkix to the right locations and builds it as part of NSS. This patch also uses `std::unique_ptr` everywhere instead of `ScopedPtr`. Depends on D2719.

Running clang-format on everything to make this pass NSS CI.

Delete mozpkix code from the Firefox repo. Depends on D2721.

This patch deletes the mozpkix code from the Firefox repo. Depends on D2721

Use mozpkix static lib from NSS in Firefox. Depends on D2722

Comment on attachment 8997438 [details] Bug 1479787 - clang-format [:keeler] (use needinfo) has approved the revision. https://phabricator.services.mozilla.com/D2721

Comment on attachment 8997439 [details] Bug 1479787 - delete mozpkix [:keeler] (use needinfo) has approved the revision. https://phabricator.services.mozilla.com/D2722

Comment on attachment 8997442 [details] Bug 1479787 - use NSS mozpkix in Firefox [:keeler] (use needinfo) has approved the revision. https://phabricator.services.mozilla.com/D2725

Comment on attachment 8997436 [details] Bug 1479787 - build mozpkix as part of NSS [:keeler] (use needinfo) has approved the revision. https://phabricator.services.mozilla.com/D2720

Comment on attachment 8997435 [details] Bug 1479787 - merge mozpkix from mozilla-central to NSS [:keeler] (use needinfo) has approved the revision. https://phabricator.services.mozilla.com/D2719

Comment on attachment 8997435 [details] Bug 1479787 - merge mozpkix from mozilla-central to NSS Martin Thomson [:mt:] has approved the revision. https://phabricator.services.mozilla.com/D2719

Comment on attachment 8997436 [details] Bug 1479787 - build mozpkix as part of NSS Martin Thomson [:mt:] has approved the revision. https://phabricator.services.mozilla.com/D2720

Comment on attachment 8997438 [details] Bug 1479787 - clang-format Martin Thomson [:mt:] has approved the revision. https://phabricator.services.mozilla.com/D2721

Comment on attachment 8997442 [details] Bug 1479787 - use NSS mozpkix in Firefox Martin Thomson [:mt:] has approved the revision. https://phabricator.services.mozilla.com/D2725

Comment on attachment 8997439 [details] Bug 1479787 - delete mozpkix Martin Thomson [:mt:] has approved the revision. https://phabricator.services.mozilla.com/D2722

As Mike noticed correctly the patch in D2725 breaks builds with system NSS. Since the Firefox build system doesn't allow us to pick things out of the NSS build I introduced a new way to build NSS (`--mozpkix-only`) and use that when building Firefox with system NSS. Unfortunately this is never tested anywhere so we'll have to wait for distros to pick this up and see what happens. Depends on D2725.

This patch adds an option to build only mozpkix against the system NSS. Note that mozpkix includes `<nss/xxx.h>` now as we can't add include directories through gyp to the Firefox build. Depends on D2720.

Comment on attachment 8998215 [details] Bug 1479787 - mozpkix-only build [:keeler] (use needinfo) has approved the revision. https://phabricator.services.mozilla.com/D2861

Comment on attachment 8998215 [details] Bug 1479787 - mozpkix-only build Martin Thomson [:mt:] has approved the revision.

Comment on attachment 8998213 [details] Bug 1479787 - build mozpkix when system NSS is used Martin Thomson [:mt:] has approved the revision.

So, I was trying to setup a build on try for Firefox + system NSS, using the in-tree NSS. But... the gyp build system doesn't create nss-config, which breaks --with-system-nss (incidentally, there is no `install` rule either, and the dist directory does not have a hierarchy that would match /usr or /usr/local). I don't feel like using the make build system...

Un-assigning Franziskus as he's out until October.

NSS changes: https://hg.mozilla.org/projects/nss/rev/94bcc2706b98 https://hg.mozilla.org/projects/nss/rev/403437c461fd https://hg.mozilla.org/projects/nss/rev/1dc240df02b1

This is a combined patch of the m-c changes for movin mozpkix to NSS. This requires to land NSS tip in m-c first (e.g. python2 client.py update_nss). * delete mozpkix (D2722) * use NSS mozpkix in Firefox (D2725) * build mozpkix when system NSS is used (2860)

Comment on attachment 9013247 [details] Bug 1479787 - use mozpkix from NSS and delete from m-c Mike Hommey [:glandium] has approved the revision.

Pushed by franziskuskiefer@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/fd2a0cc4b40a delete mozpkix, r=mt,keeler https://hg.mozilla.org/integration/mozilla-inbound/rev/432a98e50d2b use NSS mozpkix in Firefox, r=mt,keeler,glandium

https://hg.mozilla.org/mozilla-central/rev/fd2a0cc4b40a https://hg.mozilla.org/mozilla-central/rev/432a98e50d2b

Pushed by mozilla@jorgk.com: https://hg.mozilla.org/comm-central/rev/b9846bdfa088 Port bug 1479787 - Use NSS mozpkix instead of pkix (analysis by Rob Lemley). rs=bustage-fix