Sign 3 sets of changes are here:

1) Provide accessor functions for the PK11_DefaultArray so that modutil
does not have to link statically to access it.

2) Try setting the attribute on an object before we go to the work of copying
it (Function Only used in Java).

3) Optimize searching for the more common types of attributes.

security/nss/lib/pk11wrap/pk11func.h

@@ -574,6 +574,14 @@ PK11_RawPBEKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *params,
 SECItem *
 PK11_GetPBEIV(SECAlgorithmID *algid, SECItem *pwitem);
 
+/**********************************************************************
+ * Functions to manage secmod flags
+ **********************************************************************/
+PK11DefaultArrayEntry * PK11_GetDefaultArray(int *);
+SECStatus PK11_UpdateSlotAttribute(PK11SlotInfo *, PK11DefaultArrayEntry *,
+							PRBool );
+
+
 /**********************************************************************
  * New fucntions which are already depricated....
  **********************************************************************/

security/nss/lib/pk11wrap/pk11skey.c

@@ -5023,8 +5023,23 @@ finish:
 PK11SymKey*
 PK11_CopySymKeyForSigning(PK11SymKey *originalKey, CK_MECHANISM_TYPE mech)
 {
-    return pk11_CopyToSlot(PK11_GetSlotFromKey(originalKey), mech, CKA_SIGN,
-			originalKey);
+    CK_RV crv;
+    CK_ATTRIBUTE setTemplate;
+    CK_BBOOL ckTrue = CK_TRUE; 
+    PK11SlotInfo *slot = originalKey->slot;
+
+    /* first just try to set this key up for signing */
+    PK11_SETATTRS(&setTemplate, CKA_SIGN, &ckTrue, sizeof(ckTrue));
+    pk11_EnterKeyMonitor(originalKey);
+    crv = PK11_GETTAB(slot)-> C_SetAttributeValue(originalKey->session, 
+				originalKey->objectID, &setTemplate, 1);
+    pk11_ExitKeyMonitor(originalKey);
+    if (crv == CKR_OK) {
+	return PK11_ReferenceSymKey(originalKey);
+    }
+
+    /* nope, doesn't like it, use the pk11 copy object command */
+    return pk11_CopyToSlot(slot, mech, CKA_SIGN, originalKey);
 }
 
 char *

security/nss/lib/pk11wrap/pk11slot.c

@@ -90,6 +90,15 @@ PK11DefaultArrayEntry PK11_DefaultArray[] = {
 const int num_pk11_default_mechanisms = 
                 sizeof(PK11_DefaultArray) / sizeof(PK11_DefaultArray[0]);
 
+PK11DefaultArrayEntry *
+PK11_GetDefaultArray(int *size)
+{
+    if (size) {
+	*size = num_pk11_default_mechanisms;
+    }
+    return PK11_DefaultArray;
+}
+
 /*
  * These  slotlists are lists of modules which provide default support for
  *  a given algorithm or mechanism.
@@ -1670,6 +1679,7 @@ PK11_ReadMechanismList(PK11SlotInfo *slot)
 {
     CK_ULONG count;
     CK_RV crv;
+    int i;
 
     if (slot->mechanismList) {
 	PORT_Free(slot->mechanismList);
@@ -1701,6 +1711,14 @@ PK11_ReadMechanismList(PK11SlotInfo *slot)
 	return SECSuccess;
     }
     slot->mechanismCount = count;
+    PORT_Memset(slot->mechanismBits, 0, sizeof(slot->mechanismBits));
+
+    for (i=0; i < count; i++) {
+	CK_MECHANISM_TYPE mech = slot->mechanismList[i];
+	if (mech < 0x7ff) {
+	    slot->mechanismBits[mech & 0xff] |= 1 << (mech >> 8);
+	}
+    }
     return SECSuccess;
 }
 
@@ -2457,6 +2475,12 @@ PK11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type)
 	return slot->hasRandom;
     }
 
+    /* for most mechanism, bypass the linear lookup */
+    if (type < 0x7ff) {
+	return (slot->mechanismBits[type & 0xff] & (1 << (type >> 8)))  ?
+		PR_TRUE : PR_FALSE;
+    }
+	   
     for (i=0; i < (int) slot->mechanismCount; i++) {
 	if (slot->mechanismList[i] == type) return PR_TRUE;
     }

security/nss/lib/pk11wrap/secmodti.h

@@ -135,6 +135,8 @@ struct PK11SlotInfoStr {
     unsigned int lastState;
     /* for Stan */
     NSSToken *nssToken;
+    /* fast mechanism lookup */
+    char mechanismBits[256];
 };
 
 /* Symetric Key structure. Reference Counted */