MSVC won't let you initialize a pointer in a data structure with the

address of an external variable that comes from another DLL. This is a fundamental difference between WIN32 DLLs and Unix DSOs. So, for every SEC_ASN1Template inside of libnss3 that is referenced by other templates outside of libnss3, a new "chooser" function was created that returns the address of that template. For WIN32, the templates outside of libnss3 access libnss3's templates by the chooser function rather than by direct reference. Some simple macros allow Unix to continue to use direct references, avoiding the extra function calls. With these changes, all.sh (qa script) passes all tests on NT with DLLs. Modified Files: cmd/checkcert/checkcert.c cmd/lib/secutil.c lib/asn1/asn1t.h lib/certdb/certdb.c lib/certdb/certt.h lib/certdb/crl.c lib/certhigh/certreq.c lib/crmf/asn1cmn.c lib/crmf/crmfcont.c lib/crmf/crmftmpl.c lib/cryptohi/secsign.c lib/nss/nss.def lib/pkcs12/p12local.c lib/pkcs12/p12tmpl.c lib/pkcs7/certread.c lib/pkcs7/p7decode.c lib/pkcs7/p7local.c lib/smime/cmsasn1.c lib/smime/cmsattr.c lib/smime/cmspubkey.c lib/smime/cmssigdata.c lib/smime/smimeutil.c lib/softoken/keydb.c lib/softoken/keydbt.h lib/util/secalgid.c lib/util/secasn1.h lib/util/secasn1d.c lib/util/secasn1t.h lib/util/secasn1u.c lib/util/secdig.c lib/util/secdig.h lib/util/secoid.h
2001-01-07 08:13:13 +00:00 · 2001-01-07 08:13:13 +00:00 · eea673c43a
--- a/security/nss/cmd/checkcert/checkcert.c
+++ b/security/nss/cmd/checkcert/checkcert.c
@ -406,7 +406,8 @@ int main(int argc, char **argv)
 	    fprintf(stderr,"%s: can't allocate issuer signed data!", progName);
 	    exit(1);
 	}
-	rv = SEC_ASN1DecodeItem(arena, issuerCertSD, CERT_SignedDataTemplate,
+	rv = SEC_ASN1DecodeItem(arena, issuerCertSD, 
+	                        SEC_ASN1_GET(CERT_SignedDataTemplate),
 				&derIssuerCert);
 	if (rv) {
 	    fprintf(stderr, "%s: Issuer cert isn't X509 SIGNED Data?\n",
@ -418,7 +419,8 @@ int main(int argc, char **argv)
 	    printf("%s: can't allocate space for issuer cert.", progName);
 	    exit(1);
 	}
-	rv = SEC_ASN1DecodeItem(arena, issuerCert, CERT_CertificateTemplate,
+	rv = SEC_ASN1DecodeItem(arena, issuerCert, 
+	                    SEC_ASN1_GET(CERT_CertificateTemplate),
 			    &issuerCertSD->data);
 	if (rv) {
 	    printf("%s: Does not appear to be an X509 Certificate.\n",
@ -433,7 +435,8 @@ int main(int argc, char **argv)
 	exit(1);
    }
    
-    rv = SEC_ASN1DecodeItem(arena, signedData, CERT_SignedDataTemplate, 
+    rv = SEC_ASN1DecodeItem(arena, signedData, 
+                            SEC_ASN1_GET(CERT_SignedDataTemplate), 
 			    &derCert);
    if (rv) {
 	fprintf(stderr, "%s: Does not appear to be X509 SIGNED Data.\n",
@ -451,7 +454,8 @@ int main(int argc, char **argv)
 	exit(1);
    }
    
-    rv = SEC_ASN1DecodeItem(arena, cert, CERT_CertificateTemplate, 
+    rv = SEC_ASN1DecodeItem(arena, cert, 
+                        SEC_ASN1_GET(CERT_CertificateTemplate), 
 			&signedData->data);
    if (rv) {
 	fprintf(stderr, "%s: Does not appear to be an X509 Certificate.\n",
@ -540,8 +544,8 @@ int main(int argc, char **argv)
 	exit(1);
    }
    
-    rv = SEC_ASN1DecodeItem(arena, rsapubkey, SECKEY_RSAPublicKeyTemplate,
-			    &spk);
+    rv = SEC_ASN1DecodeItem(arena, rsapubkey, 
+                            SEC_ASN1_GET(SECKEY_RSAPublicKeyTemplate), &spk);
    if (rv) {
 	printf("PROBLEM: subjectPublicKey is not a DER PKCS1 RSAPublicKey.\n");
    } else {
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@ -1047,14 +1047,16 @@ secu_PrintSubjectPublicKeyInfo(FILE *out, PRArenaPool *arena,
    DER_ConvertBitString(&i->subjectPublicKey);
    switch(SECOID_FindOIDTag(&i->algorithm.algorithm)) {
      case SEC_OID_PKCS1_RSA_ENCRYPTION:
-	rv = SEC_ASN1DecodeItem(arena, pk, SECKEY_RSAPublicKeyTemplate,
+	rv = SEC_ASN1DecodeItem(arena, pk, 
+	                        SEC_ASN1_GET(SECKEY_RSAPublicKeyTemplate),
 				&i->subjectPublicKey);
 	if (rv)
 	    return rv;
 	secu_PrintRSAPublicKey(out, pk, "RSA Public Key", level +1);
 	break;
      case SEC_OID_ANSIX9_DSA_SIGNATURE:
-	rv = SEC_ASN1DecodeItem(arena, pk, SECKEY_DSAPublicKeyTemplate,
+	rv = SEC_ASN1DecodeItem(arena, pk, 
+	                        SEC_ASN1_GET(SECKEY_DSAPublicKeyTemplate),
 				&i->subjectPublicKey);
 	if (rv)
 	    return rv;
@ -1077,7 +1079,8 @@ secu_PrintX509InvalidDate(FILE *out, SECItem *value, char *msg, int level)
    char *formattedTime = NULL;

    decodedValue.data = NULL;
-    rv = SEC_ASN1DecodeItem (NULL, &decodedValue, SEC_GeneralizedTimeTemplate,
+    rv = SEC_ASN1DecodeItem (NULL, &decodedValue, 
+			    SEC_ASN1_GET(SEC_GeneralizedTimeTemplate),
 			    value);
    if (rv == SECSuccess) {
 	rv = DER_GeneralizedTimeToTime(&invalidTime, &decodedValue);
@ -1106,10 +1109,6 @@ PrintExtKeyUsageExten  (FILE *out, SECItem *value, char *msg, int level)
    return SECFailure;
  }

-  if( (SECItem **)NULL == op ) {
-    return SECFailure;
-  }
-
  for( op = os->oids; *op; op++ ) {
    SECOidData *od = SECOID_FindOID(*op);
    
@ -1511,7 +1510,8 @@ SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m, int level)
    if (!arena)
 	return SEC_ERROR_NO_MEMORY;

-    rv = SEC_ASN1DecodeItem(arena, cr, CERT_CertificateRequestTemplate, der);
+    rv = SEC_ASN1DecodeItem(arena, cr, 
+                            SEC_ASN1_GET(CERT_CertificateRequestTemplate), der);
    if (rv) {
 	PORT_FreeArena(arena, PR_FALSE);
 	return rv;
@ -1550,7 +1550,8 @@ SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level)
    if (!arena)
 	return SEC_ERROR_NO_MEMORY;

-    rv = SEC_ASN1DecodeItem(arena, c, CERT_CertificateTemplate, der);
+    rv = SEC_ASN1DecodeItem(arena, c, 
+                            SEC_ASN1_GET(CERT_CertificateTemplate), der);
    if (rv) {
 	PORT_FreeArena(arena, PR_FALSE);
 	return rv;
@ -1592,7 +1593,8 @@ SECU_PrintPublicKey(FILE *out, SECItem *der, char *m, int level)
    if (!arena)
 	return SEC_ERROR_NO_MEMORY;

-    rv = SEC_ASN1DecodeItem(arena, &key, SECKEY_RSAPublicKeyTemplate, der);
+    rv = SEC_ASN1DecodeItem(arena, &key, 
+                            SEC_ASN1_GET(SECKEY_RSAPublicKeyTemplate), der);
    if (rv) {
 	PORT_FreeArena(arena, PR_FALSE);
 	return rv;
@ -1617,8 +1619,8 @@ SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level)
    if (!arena)
 	return SEC_ERROR_NO_MEMORY;

-    rv = SEC_ASN1DecodeItem(arena, &key, SECKEY_EncryptedPrivateKeyInfoTemplate,
-			    der);
+    rv = SEC_ASN1DecodeItem(arena, &key, 
+		SEC_ASN1_GET(SECKEY_EncryptedPrivateKeyInfoTemplate), der);
    if (rv) {
 	PORT_FreeArena(arena, PR_TRUE);
 	return rv;
@ -2013,7 +2015,7 @@ SECU_PrintCrl (FILE *out, SECItem *der, char *m, int level)
 	    break;
 	}

-	rv = SEC_ASN1DecodeItem(arena, c, CERT_CrlTemplate, der);
+	rv = SEC_ASN1DecodeItem(arena, c, SEC_ASN1_GET(CERT_CrlTemplate), der);
 	if (rv != SECSuccess)
 	    break;
 	SECU_PrintCRLInfo (out, c, m, level);
@ -2211,7 +2213,8 @@ int SECU_PrintSignedData(FILE *out, SECItem *der, char *m,
    if (!arena)
 	return SEC_ERROR_NO_MEMORY;

-    rv = SEC_ASN1DecodeItem(arena, sd, CERT_SignedDataTemplate, der);
+    rv = SEC_ASN1DecodeItem(arena, sd, SEC_ASN1_GET(CERT_SignedDataTemplate), 
+                            der);
    if (rv) {
 	PORT_FreeArena(arena, PR_FALSE);
 	return rv;
--- a/security/nss/lib/asn1/asn1t.h
+++ b/security/nss/lib/asn1/asn1t.h
@ -35,7 +35,7 @@
 #define ASN1T_H

 #ifdef DEBUG
-static const char ASN1T_CVS_ID[] = "@(#) $RCSfile: asn1t.h,v $ $Revision: 1.1 $ $Date: 2000/03/31 19:55:30 $ $Name:  $";
+static const char ASN1T_CVS_ID[] = "@(#) $RCSfile: asn1t.h,v $ $Revision: 1.2 $ $Date: 2001/01/07 08:12:46 $ $Name:  $";
 #endif /* DEBUG */

 /*
@ -144,7 +144,7 @@ typedef SEC_ASN1Template nssASN1Template;
 #define nssASN1_SET_OF                 SEC_ASN1_SET_OF      
 #define nssASN1_ANY_CONTENTS           SEC_ASN1_ANY_CONTENTS

-typedef SEC_ChooseASN1TemplateFunc nssASN1ChooseTemplateFunction;
+typedef SEC_ASN1TemplateChooserPtr nssASN1ChooseTemplateFunction;

 typedef SEC_ASN1DecoderContext nssASN1Decoder;
 typedef SEC_ASN1EncoderContext nssASN1Encoder;
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@ -34,7 +34,7 @@
 /*
 * Certificate handling code
 *
- * $Id: certdb.c,v 1.4 2001/01/03 19:48:57 larryh%netscape.com Exp $
+ * $Id: certdb.c,v 1.5 2001/01/07 08:12:48 nelsonb%netscape.com Exp $
 */

 #include "nssilock.h"
@ -207,7 +207,7 @@ const SEC_ASN1Template CERT_CertKeyTemplate[] = {
    { 0 }
 };

-
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_CertificateTemplate)

 SECStatus
 CERT_KeyFromIssuerAndSN(PRArenaPool *arena, SECItem *issuer, SECItem *sn,
--- a/security/nss/lib/certdb/certt.h
+++ b/security/nss/lib/certdb/certt.h
@ -33,7 +33,7 @@
 /*
 * certt.h - public data structures for the certificate library
 *
- * $Id: certt.h,v 1.2 2001/01/03 19:49:02 larryh%netscape.com Exp $
+ * $Id: certt.h,v 1.3 2001/01/07 08:12:48 nelsonb%netscape.com Exp $
 */
 #ifndef _CERTT_H_
 #define _CERTT_H_
@ -801,4 +801,14 @@ extern const SEC_ASN1Template CERT_CrlTemplate[];
 extern const SEC_ASN1Template CERT_AttributeTemplate[];
 extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[];

+/* These functions simply return the address of the above-declared templates.
+** This is necessary for Windows DLLs.  Sigh.
+*/
+SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateRequestTemplate);
+SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateTemplate);
+SEC_ASN1_CHOOSER_DECLARE(CERT_CrlTemplate);
+SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate);
+SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate);
+SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate);
+
 #endif /* _CERTT_H_ */
--- a/security/nss/lib/certdb/crl.c
+++ b/security/nss/lib/certdb/crl.c
@ -34,7 +34,7 @@
 /*
 * Moved from secpkcs7.c
 *
- * $Id: crl.c,v 1.1 2000/03/31 19:42:37 relyea%netscape.com Exp $
+ * $Id: crl.c,v 1.2 2001/01/07 08:12:49 nelsonb%netscape.com Exp $
 */

 #include "cert.h"
@ -385,3 +385,11 @@ loser:
    
    return(0);
 }
+
+/* These functions simply return the address of the above-declared templates.
+** This is necessary for Windows DLLs.  Sigh.
+*/
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_IssuerAndSNTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_CrlTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SetOfSignedCrlTemplate)
+
--- a/security/nss/lib/certhigh/certreq.c
+++ b/security/nss/lib/certhigh/certreq.c
@ -67,6 +67,8 @@ const SEC_ASN1Template CERT_CertificateRequestTemplate[] = {
    { 0 }
 };

+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_CertificateRequestTemplate)
+
 CERTCertificate *
 CERT_CreateCertificate(unsigned long serialNumber,
 		      CERTName *issuer,
--- a/security/nss/lib/crmf/asn1cmn.c
+++ b/security/nss/lib/crmf/asn1cmn.c
@ -34,6 +34,10 @@
 #include "cmmf.h"
 #include "cmmfi.h"

+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+SEC_ASN1_MKSUB(SEC_AnyTemplate)
+SEC_ASN1_MKSUB(SEC_IntegerTemplate)
+
 static const SEC_ASN1Template CMMFCertResponseTemplate[] = {
    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFCertResponse)},
    { SEC_ASN1_INTEGER, offsetof(CMMFCertResponse, certReqId)},
@ -58,9 +62,9 @@ const SEC_ASN1Template CMMFCertifiedKeyPairTemplate[] = {
    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 0,
      offsetof(CMMFCertifiedKeyPair, privateKey),
      CRMFEncryptedValueTemplate},
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
      offsetof (CMMFCertifiedKeyPair, derPublicationInfo),
-      SEC_AnyTemplate},
+      SEC_ASN1_SUB(SEC_AnyTemplate) },
    { 0 }
 };

@ -86,8 +90,10 @@ const SEC_ASN1Template CMMFRandTemplate[] = {
 };

 const SEC_ASN1Template CMMFPOPODecKeyRespContentTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF, offsetof(CMMFPOPODecKeyRespContent, responses),
-      SEC_IntegerTemplate, sizeof(CMMFPOPODecKeyRespContent)},
+    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN, 
+      offsetof(CMMFPOPODecKeyRespContent, responses),
+      SEC_ASN1_SUB(SEC_IntegerTemplate), 
+      sizeof(CMMFPOPODecKeyRespContent)},
    { 0 }
 };

@ -118,8 +124,9 @@ const SEC_ASN1Template CMMFCertRepContentTemplate[] = {

 static const SEC_ASN1Template CMMFChallengeTemplate[] = {
    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFChallenge)},
-    { SEC_ASN1_POINTER | SEC_ASN1_OPTIONAL, offsetof(CMMFChallenge, owf),
-      SECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_POINTER | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN, 
+      offsetof(CMMFChallenge, owf),
+      SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
    { SEC_ASN1_OCTET_STRING, offsetof(CMMFChallenge, witness) },
    { SEC_ASN1_ANY, offsetof(CMMFChallenge, senderDER) },
    { SEC_ASN1_OCTET_STRING, offsetof(CMMFChallenge, key) },
--- a/security/nss/lib/crmf/crmfcont.c
+++ b/security/nss/lib/crmf/crmfcont.c
@ -616,7 +616,8 @@ crmf_decode_params(SECItem *inParams)
    SECStatus  rv;
    
    params = PORT_ZNew(SECItem);
-    rv = SEC_ASN1DecodeItem(NULL, params, SEC_OctetStringTemplate,
+    rv = SEC_ASN1DecodeItem(NULL, params, 
+                            SEC_ASN1_GET(SEC_OctetStringTemplate),
 			    inParams);
    if (rv != SECSuccess) {
        SECITEM_FreeItem(params, PR_TRUE);
@ -814,7 +815,7 @@ crmf_create_encrypted_value_wrapped_privkey(SECKEYPrivateKey   *inPrivKey,
    }

    dummy = SEC_ASN1EncodeItem(NULL, &encodedParam, iv, 
-			       SEC_OctetStringTemplate);
+                               SEC_ASN1_GET(SEC_OctetStringTemplate));
    if (dummy != &encodedParam) {
        SECITEM_FreeItem(dummy, PR_TRUE);
 	goto loser;
--- a/security/nss/lib/crmf/crmftmpl.c
+++ b/security/nss/lib/crmf/crmftmpl.c
@ -37,6 +37,12 @@
 #include "secoid.h"
 #include "secasn1.h"

+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+SEC_ASN1_MKSUB(SEC_AnyTemplate)
+SEC_ASN1_MKSUB(SEC_BitStringTemplate)
+SEC_ASN1_MKSUB(SEC_IntegerTemplate)
+SEC_ASN1_MKSUB(SEC_OctetStringTemplate)
+SEC_ASN1_MKSUB(SEC_UTCTimeTemplate)

 /* 
 * It's all implicit tagging.
@ -68,13 +74,13 @@ static const SEC_ASN1Template CRMFSequenceOfCertExtensionTemplate[] = {
 static const SEC_ASN1Template CRMFOptionalValidityTemplate[] = {
    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof (CRMFOptionalValidity) },
    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | 
-      SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | 0, 
+      SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN | 0, 
      offsetof (CRMFOptionalValidity, notBefore),
-      SEC_UTCTimeTemplate},
+      SEC_ASN1_SUB(SEC_UTCTimeTemplate) },
    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | 
-      SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | 1, 
+      SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN | 1, 
      offsetof (CRMFOptionalValidity, notAfter),
-      SEC_UTCTimeTemplate},
+      SEC_ASN1_SUB(SEC_UTCTimeTemplate) },
    { 0 }
 };

@ -85,12 +91,16 @@ static const SEC_ASN1Template crmfPointerToNameTemplate[] = {

 static const SEC_ASN1Template CRMFCertTemplateTemplate[] = {
   { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFCertTemplate) },
-   { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 0, 
-     offsetof(CRMFCertTemplate, version), SEC_IntegerTemplate },
-   { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | 1 ,
-     offsetof (CRMFCertTemplate, serialNumber), SEC_IntegerTemplate },
-   { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 2, 
-     offsetof (CRMFCertTemplate, signingAlg), SECOID_AlgorithmIDTemplate },
+   { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, 
+     offsetof(CRMFCertTemplate, version), 
+     SEC_ASN1_SUB(SEC_IntegerTemplate) },
+   { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN | 1 ,
+     offsetof (CRMFCertTemplate, serialNumber), 
+     SEC_ASN1_SUB(SEC_IntegerTemplate) },
+   { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 
+     SEC_ASN1_XTRN | 2, 
+     offsetof (CRMFCertTemplate, signingAlg), 
+     SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
   { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 
     SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | 3, 
     offsetof (CRMFCertTemplate, issuer), crmfPointerToNameTemplate },
@ -103,10 +113,12 @@ static const SEC_ASN1Template CRMFCertTemplateTemplate[] = {
   { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 6, 
     offsetof (CRMFCertTemplate, publicKey), 
     CERT_SubjectPublicKeyInfoTemplate }, 
-   { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | 7,
-     offsetof (CRMFCertTemplate, issuerUID), SEC_BitStringTemplate },
-   { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | 8,
-     offsetof (CRMFCertTemplate, subjectUID), SEC_BitStringTemplate },
+   { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN | 7,
+     offsetof (CRMFCertTemplate, issuerUID), 
+     SEC_ASN1_SUB(SEC_BitStringTemplate) },
+   { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN | 8,
+     offsetof (CRMFCertTemplate, subjectUID), 
+     SEC_ASN1_SUB(SEC_BitStringTemplate) },
   { SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL | 
     SEC_ASN1_CONTEXT_SPECIFIC | 9, 
     offsetof (CRMFCertTemplate, extensions), 
@ -172,12 +184,15 @@ const SEC_ASN1Template CRMFRAVerifiedTemplate[] = {
 /* This template will need to add POPOSigningKeyInput eventually, maybe*/
 static const SEC_ASN1Template crmfPOPOSigningKeyTemplate[] = {
    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFPOPOSigningKey) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 0,
-      offsetof(CRMFPOPOSigningKey, derInput), SEC_AnyTemplate},
-    { SEC_ASN1_POINTER, offsetof(CRMFPOPOSigningKey, algorithmIdentifier),
-      SECOID_AlgorithmIDTemplate },
-    { SEC_ASN1_BIT_STRING, offsetof(CRMFPOPOSigningKey, signature),
-      SEC_BitStringTemplate},
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+      offsetof(CRMFPOPOSigningKey, derInput), 
+      SEC_ASN1_SUB(SEC_AnyTemplate) },
+    { SEC_ASN1_POINTER | SEC_ASN1_XTRN, 
+      offsetof(CRMFPOPOSigningKey, algorithmIdentifier),
+      SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_BIT_STRING | SEC_ASN1_XTRN, 
+      offsetof(CRMFPOPOSigningKey, signature),
+      SEC_ASN1_SUB(SEC_BitStringTemplate) },
    { 0 }
 };

@ -189,58 +204,62 @@ const SEC_ASN1Template CRMFPOPOSigningKeyTemplate[] = {
 };

 const SEC_ASN1Template CRMFThisMessageTemplate[] = {
-    { SEC_ASN1_CONTEXT_SPECIFIC | 0,
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
      0,
-      SEC_BitStringTemplate},
+      SEC_ASN1_SUB(SEC_BitStringTemplate) },
    { 0 }
 };

 const SEC_ASN1Template CRMFSubsequentMessageTemplate[] = {
-    { SEC_ASN1_CONTEXT_SPECIFIC | 1,
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
      0, 
-      SEC_IntegerTemplate},
+      SEC_ASN1_SUB(SEC_IntegerTemplate) },
    { 0 }
 };

 const SEC_ASN1Template CRMFDHMACTemplate[] = {
-    { SEC_ASN1_CONTEXT_SPECIFIC | 0,
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
      0,
-      SEC_BitStringTemplate},
+      SEC_ASN1_SUB(SEC_BitStringTemplate) },
    { 0 }
 };

 const SEC_ASN1Template CRMFPOPOKeyEnciphermentTemplate[] = {
    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | 
-      SEC_ASN1_CONTEXT_SPECIFIC | 2,
+      SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2,
      0,
-      SEC_AnyTemplate},
+      SEC_ASN1_SUB(SEC_AnyTemplate) },
    { 0 }
 };

 const SEC_ASN1Template CRMFPOPOKeyAgreementTemplate[] = {
    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | 
-      SEC_ASN1_CONTEXT_SPECIFIC | 3,
+      SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 3,
      0,
-      SEC_AnyTemplate},
+      SEC_ASN1_SUB(SEC_AnyTemplate)},
    { 0 }
 };

 const SEC_ASN1Template CRMFEncryptedValueTemplate[] = {
    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFEncryptedValue)},
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 0,
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 
+      SEC_ASN1_XTRN | 0,
      offsetof(CRMFEncryptedValue, intendedAlg), 
-      SECOID_AlgorithmIDTemplate},
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 1,
+      SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 
+      SEC_ASN1_XTRN | 1,
      offsetof (CRMFEncryptedValue, symmAlg), 
-      SECOID_AlgorithmIDTemplate },
-    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | 2, 
-      offsetof(CRMFEncryptedValue, encSymmKey), SEC_BitStringTemplate},
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 3,
+      SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN | 2, 
+      offsetof(CRMFEncryptedValue, encSymmKey), 
+      SEC_ASN1_SUB(SEC_BitStringTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 
+      SEC_ASN1_XTRN | 3,
      offsetof(CRMFEncryptedValue, keyAlg), 
-      SECOID_AlgorithmIDTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 4,
+      SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 4,
      offsetof(CRMFEncryptedValue, valueHint),
-      SEC_OctetStringTemplate},
+      SEC_ASN1_SUB(SEC_OctetStringTemplate) },
    { SEC_ASN1_BIT_STRING, offsetof(CRMFEncryptedValue, encValue) },
    { 0 }
 };
--- a/security/nss/lib/cryptohi/secsign.c
+++ b/security/nss/lib/cryptohi/secsign.c
@ -32,7 +32,7 @@
 * may use your version of this file under either the MPL or the
 * GPL.
 *
- * $Id: secsign.c,v 1.2 2001/01/05 01:38:09 nelsonb%netscape.com Exp $
+ * $Id: secsign.c,v 1.3 2001/01/07 08:12:57 nelsonb%netscape.com Exp $
 */

 #include <stdio.h>
@ -381,6 +381,9 @@ const SEC_ASN1Template CERT_SignedDataTemplate[] =
    { 0, }
 };

+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SignedDataTemplate)
+
+
 SECStatus
 SEC_DerSignData(PRArenaPool *arena, SECItem *result, 
 	unsigned char *buf, int len, SECKEYPrivateKey *pk, SECOidTag algID)
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@ -339,34 +339,59 @@ VFY_VerifyDigest;
 ;+#
 ;+# Data objects
 ;+#
-;+# This isnt right, but it's better than we have now...
-CERT_CrlTemplate DATA ;
-CERT_SignedDataTemplate DATA ;
-CERT_CertificateTemplate DATA ;
-CERT_CertificateRequestTemplate DATA ;
-CERT_IssuerAndSNTemplate DATA ;
-CERT_SetOfSignedCrlTemplate DATA ;
-SECAnyTemplate DATA ;
-SECKEY_DSAPublicKeyTemplate DATA ;
-SECKEY_EncryptedPrivateKeyInfoTemplate DATA ;
-SECKEY_PointerToEncryptedPrivateKeyInfoTemplate DATA ;
-SECKEY_PointerToPrivateKeyInfoTemplate DATA ;
-SECKEY_PrivateKeyInfoTemplate DATA ;
-SECKEY_RSAPublicKeyTemplate DATA ;
-SECOID_AlgorithmIDTemplate DATA ;
-SEC_AnyTemplate DATA ;
-SEC_BMPStringTemplate DATA ;
-SEC_BitStringTemplate DATA ;
-SEC_GeneralizedTimeTemplate DATA ;
-SEC_IA5StringTemplate DATA ;
-SEC_IntegerTemplate DATA ;
-SEC_ObjectIDTemplate DATA ;
-SEC_OctetStringTemplate DATA ;
-SEC_PointerToAnyTemplate DATA ;
-SEC_PointerToOctetStringTemplate DATA ;
-SEC_SetOfAnyTemplate DATA ;
-SEC_UTCTimeTemplate DATA ;
-sgn_DigestInfoTemplate DATA ;
+;+# Don't export these DATA symbols on Windows because they don't work right.
+;;CERT_CrlTemplate DATA ;
+;;CERT_SignedDataTemplate DATA ;
+;;CERT_CertificateTemplate DATA ;
+;;CERT_CertificateRequestTemplate DATA ;
+;;CERT_IssuerAndSNTemplate DATA ;
+;;CERT_SetOfSignedCrlTemplate DATA ;
+;;SECKEY_DSAPublicKeyTemplate DATA ;
+;;SECKEY_EncryptedPrivateKeyInfoTemplate DATA ;
+;;SECKEY_PointerToEncryptedPrivateKeyInfoTemplate DATA ;
+;;SECKEY_PointerToPrivateKeyInfoTemplate DATA ;
+;;SECKEY_PrivateKeyInfoTemplate DATA ;
+;;SECKEY_RSAPublicKeyTemplate DATA ;
+;;SECOID_AlgorithmIDTemplate DATA ;
+;;SEC_AnyTemplate DATA ;
+;;SEC_BMPStringTemplate DATA ;
+;;SEC_BitStringTemplate DATA ;
+;;SEC_GeneralizedTimeTemplate DATA ;
+;;SEC_IA5StringTemplate DATA ;
+;;SEC_IntegerTemplate DATA ;
+;;SEC_ObjectIDTemplate DATA ;
+;;SEC_OctetStringTemplate DATA ;
+;;SEC_PointerToAnyTemplate DATA ;
+;;SEC_PointerToOctetStringTemplate DATA ;
+;;SEC_SetOfAnyTemplate DATA ;
+;;SEC_UTCTimeTemplate DATA ;
+;;sgn_DigestInfoTemplate DATA ;
+NSS_Get_CERT_CrlTemplate;
+NSS_Get_CERT_SignedDataTemplate;
+NSS_Get_CERT_CertificateTemplate;
+NSS_Get_CERT_CertificateRequestTemplate;
+NSS_Get_CERT_IssuerAndSNTemplate;
+NSS_Get_CERT_SetOfSignedCrlTemplate;
+NSS_Get_SECKEY_DSAPublicKeyTemplate;
+NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate;
+NSS_Get_SECKEY_PointerToEncryptedPrivateKeyInfoTemplate;
+NSS_Get_SECKEY_PointerToPrivateKeyInfoTemplate;
+NSS_Get_SECKEY_PrivateKeyInfoTemplate;
+NSS_Get_SECKEY_RSAPublicKeyTemplate;
+NSS_Get_SECOID_AlgorithmIDTemplate;
+NSS_Get_SEC_AnyTemplate;
+NSS_Get_SEC_BMPStringTemplate;
+NSS_Get_SEC_BitStringTemplate;
+NSS_Get_SEC_GeneralizedTimeTemplate;
+NSS_Get_SEC_IA5StringTemplate;
+NSS_Get_SEC_IntegerTemplate;
+NSS_Get_SEC_ObjectIDTemplate;
+NSS_Get_SEC_OctetStringTemplate;
+NSS_Get_SEC_PointerToAnyTemplate;
+NSS_Get_SEC_PointerToOctetStringTemplate;
+NSS_Get_SEC_SetOfAnyTemplate;
+NSS_Get_SEC_UTCTimeTemplate;
+NSS_Get_sgn_DigestInfoTemplate;
 ;+# commands
 CERT_DecodeBasicConstraintValue;
 CERT_DecodeOidSequence;
--- a/security/nss/lib/pkcs12/p12local.c
+++ b/security/nss/lib/pkcs12/p12local.c
@ -46,6 +46,9 @@

 #define SALT_LENGTH	16

+SEC_ASN1_MKSUB(SECKEY_PrivateKeyInfoTemplate)
+SEC_ASN1_MKSUB(sgn_DigestInfoTemplate)
+
 /* helper functions */
 /* returns proper bag type template based upon object type tag */
 const SEC_ASN1Template *
@ -69,7 +72,7 @@ sec_pkcs12_choose_bag_type_old(void *src_or_dest, PRBool encoding)

    switch (oiddata->offset) {
 	default:
-	    theTemplate = SEC_PointerToAnyTemplate;
+	    theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
 	    break;
 	case SEC_OID_PKCS12_KEY_BAG_ID:
 	    theTemplate = SEC_PointerToPKCS12KeyBagTemplate;
@ -105,7 +108,7 @@ sec_pkcs12_choose_bag_type(void *src_or_dest, PRBool encoding)

    switch (oiddata->offset) {
 	default:
-	    theTemplate = SEC_AnyTemplate;
+	    theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
 	    break;
 	case SEC_OID_PKCS12_KEY_BAG_ID:
 	    theTemplate = SEC_PKCS12PrivateKeyBagTemplate;
@ -141,7 +144,7 @@ sec_pkcs12_choose_cert_crl_type_old(void *src_or_dest, PRBool encoding)

    switch (oiddata->offset) {
 	default:
-	    theTemplate = SEC_PointerToAnyTemplate;
+	    theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
 	    break;
 	case SEC_OID_PKCS12_X509_CERT_CRL_BAG:
 	    theTemplate = SEC_PointerToPKCS12X509CertCRLTemplate_OLD;
@ -173,7 +176,7 @@ sec_pkcs12_choose_cert_crl_type(void *src_or_dest, PRBool encoding)

    switch (oiddata->offset) {
 	default:
-	    theTemplate = SEC_PointerToAnyTemplate;
+	    theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
 	    break;
 	case SEC_OID_PKCS12_X509_CERT_CRL_BAG:
 	    theTemplate = SEC_PointerToPKCS12X509CertCRLTemplate;
@ -206,11 +209,11 @@ sec_pkcs12_choose_shroud_type(void *src_or_dest, PRBool encoding)

    switch (oiddata->offset) {
 	default:
-	    theTemplate = SEC_PointerToAnyTemplate;
+	    theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
 	    break;
 	case SEC_OID_PKCS12_PKCS8_KEY_SHROUDING:
 	   theTemplate = 
-		SECKEY_PointerToEncryptedPrivateKeyInfoTemplate;
+		SEC_ASN1_GET(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate);
 	    break;
    }
    return theTemplate;
@ -939,7 +942,7 @@ sec_pkcs12_convert_item_to_unicode(PRArenaPool *arena, SECItem *dest,
 }

 /* pkcs 12 templates */
-static SEC_ChooseASN1TemplateFunc sec_pkcs12_shroud_chooser =
+static const SEC_ASN1TemplateChooserPtr sec_pkcs12_shroud_chooser =
    sec_pkcs12_choose_shroud_type;

 const SEC_ASN1Template SEC_PKCS12CodedSafeBagTemplate[] =
@ -1001,8 +1004,9 @@ const SEC_ASN1Template SEC_PKCS12PVKAdditionalDataTemplate[] =
 const SEC_ASN1Template SEC_PKCS12PVKSupportingDataTemplate_OLD[] =
 {
    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PVKSupportingData) },
-    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12PVKSupportingData, assocCerts),
-	sgn_DigestInfoTemplate },
+    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN , 
+        offsetof(SEC_PKCS12PVKSupportingData, assocCerts),
+	SEC_ASN1_SUB(sgn_DigestInfoTemplate) },
    { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN, 
 	offsetof(SEC_PKCS12PVKSupportingData, regenerable) },
    { SEC_ASN1_PRINTABLE_STRING, 
@ -1015,8 +1019,9 @@ const SEC_ASN1Template SEC_PKCS12PVKSupportingDataTemplate_OLD[] =
 const SEC_ASN1Template SEC_PKCS12PVKSupportingDataTemplate[] =
 {
    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PVKSupportingData) },
-    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12PVKSupportingData, assocCerts),
-	sgn_DigestInfoTemplate },
+    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN , 
+        offsetof(SEC_PKCS12PVKSupportingData, assocCerts),
+	SEC_ASN1_SUB(sgn_DigestInfoTemplate) },
    { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN, 
 	offsetof(SEC_PKCS12PVKSupportingData, regenerable) },
    { SEC_ASN1_BMP_STRING, 
@ -1050,10 +1055,10 @@ const SEC_ASN1Template SEC_PKCS12BaggageTemplate_OLD[] =
 	SEC_PKCS12ESPVKItemTemplate_OLD },
 };

-static SEC_ChooseASN1TemplateFunc sec_pkcs12_bag_chooser =
+static const SEC_ASN1TemplateChooserPtr sec_pkcs12_bag_chooser =
 	sec_pkcs12_choose_bag_type;

-static SEC_ChooseASN1TemplateFunc sec_pkcs12_bag_chooser_old =
+static const SEC_ASN1TemplateChooserPtr sec_pkcs12_bag_chooser_old =
 	sec_pkcs12_choose_bag_type_old;

 const SEC_ASN1Template SEC_PKCS12SafeBagTemplate_OLD[] =
@ -1098,8 +1103,9 @@ const SEC_ASN1Template SEC_PKCS12PrivateKeyTemplate[] =
    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PrivateKey) },
    { SEC_ASN1_INLINE, offsetof(SEC_PKCS12PrivateKey, pvkData),
 	SEC_PKCS12PVKSupportingDataTemplate },
-    { SEC_ASN1_INLINE, offsetof(SEC_PKCS12PrivateKey, pkcs8data),
-	SECKEY_PrivateKeyInfoTemplate },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN, 
+        offsetof(SEC_PKCS12PrivateKey, pkcs8data),
+	SEC_ASN1_SUB(SECKEY_PrivateKeyInfoTemplate) },
    { 0 }
 };

@ -1116,8 +1122,9 @@ const SEC_ASN1Template SEC_PKCS12X509CertCRLTemplate_OLD[] =
    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12X509CertCRL) },
    { SEC_ASN1_INLINE, offsetof(SEC_PKCS12X509CertCRL, certOrCRL),
 	sec_PKCS7ContentInfoTemplate },
-    { SEC_ASN1_INLINE, offsetof(SEC_PKCS12X509CertCRL, thumbprint),
-	sgn_DigestInfoTemplate },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN , 
+        offsetof(SEC_PKCS12X509CertCRL, thumbprint),
+	SEC_ASN1_SUB(sgn_DigestInfoTemplate) },
    { 0 }
 };

@ -1136,10 +1143,10 @@ const SEC_ASN1Template SEC_PKCS12SDSICertTemplate[] =
    { 0 }
 };

-static SEC_ChooseASN1TemplateFunc sec_pkcs12_cert_crl_chooser_old =
+static const SEC_ASN1TemplateChooserPtr sec_pkcs12_cert_crl_chooser_old =
 	sec_pkcs12_choose_cert_crl_type_old;

-static SEC_ChooseASN1TemplateFunc sec_pkcs12_cert_crl_chooser =
+static const SEC_ASN1TemplateChooserPtr sec_pkcs12_cert_crl_chooser =
 	sec_pkcs12_choose_cert_crl_type;

 const SEC_ASN1Template SEC_PKCS12CertAndCRLTemplate_OLD[] =
@ -1218,8 +1225,8 @@ const SEC_ASN1Template SEC_PKCS12SecretBagTemplate[] =
 const SEC_ASN1Template SEC_PKCS12MacDataTemplate[] =
 {
    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PFXItem) },
-    { SEC_ASN1_INLINE, offsetof(SEC_PKCS12MacData, safeMac),
-	sgn_DigestInfoTemplate },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN , offsetof(SEC_PKCS12MacData, safeMac),
+	SEC_ASN1_SUB(sgn_DigestInfoTemplate) },
    { SEC_ASN1_BIT_STRING, offsetof(SEC_PKCS12MacData, macSalt) },
    { 0 }
 };
@ -1240,8 +1247,9 @@ const SEC_ASN1Template SEC_PKCS12PFXItemTemplate_OLD[] =
 {
    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PFXItem) },
    { SEC_ASN1_OPTIONAL |
-	SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, 
-	offsetof(SEC_PKCS12PFXItem, old_safeMac), sgn_DigestInfoTemplate },
+	SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, 
+	offsetof(SEC_PKCS12PFXItem, old_safeMac), 
+	SEC_ASN1_SUB(sgn_DigestInfoTemplate) },
    { SEC_ASN1_OPTIONAL | SEC_ASN1_BIT_STRING,
 	offsetof(SEC_PKCS12PFXItem, old_macSalt) },
    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, 
--- a/security/nss/lib/pkcs12/p12tmpl.c
+++ b/security/nss/lib/pkcs12/p12tmpl.c
@ -41,6 +41,9 @@
 #include "secasn1.h"
 #include "p12t.h"

+SEC_ASN1_MKSUB(SEC_AnyTemplate)
+SEC_ASN1_MKSUB(sgn_DigestInfoTemplate)
+
 static const SEC_ASN1Template *
 sec_pkcs12_choose_safe_bag_type(void *src_or_dest, PRBool encoding)
 {
@ -56,15 +59,15 @@ sec_pkcs12_choose_safe_bag_type(void *src_or_dest, PRBool encoding)

    oiddata = SECOID_FindOID(&safeBag->safeBagType);
    if(oiddata == NULL) {
-	return SEC_AnyTemplate;
+	return SEC_ASN1_GET(SEC_AnyTemplate);
    }

    switch (oiddata->offset) {
 	default:
-	    theTemplate = SEC_AnyTemplate;
+	    theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
 	    break;
 	case SEC_OID_PKCS12_V1_KEY_BAG_ID:
-	    theTemplate = SECKEY_PointerToPrivateKeyInfoTemplate;
+	    theTemplate = SEC_ASN1_GET(SECKEY_PointerToPrivateKeyInfoTemplate);
 	    break;
 	case SEC_OID_PKCS12_V1_CERT_BAG_ID:
 	    theTemplate = sec_PKCS12PointerToCertBagTemplate;
@ -76,13 +79,14 @@ sec_pkcs12_choose_safe_bag_type(void *src_or_dest, PRBool encoding)
 	    theTemplate = sec_PKCS12PointerToSecretBagTemplate;
 	    break;
 	case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
-	    theTemplate = SECKEY_PointerToEncryptedPrivateKeyInfoTemplate;
+	    theTemplate = 
+	        SEC_ASN1_GET(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate);
 	    break;
 	case SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID:
 	    if(encoding) {
 		theTemplate = sec_PKCS12PointerToSafeContentsTemplate;
 	    } else {
-		theTemplate = SEC_PointerToAnyTemplate;
+		theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
 	    }
 	    break;
    }
@ -104,15 +108,15 @@ sec_pkcs12_choose_crl_bag_type(void *src_or_dest, PRBool encoding)

    oiddata = SECOID_FindOID(&crlbag->bagID);
    if(oiddata == NULL) {
-	return SEC_AnyTemplate;
+	return SEC_ASN1_GET(SEC_AnyTemplate);
    }

    switch (oiddata->offset) {
 	default:
-	    theTemplate = SEC_AnyTemplate;
+	    theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
 	    break;
 	case SEC_OID_PKCS9_X509_CRL:
-	    theTemplate = SEC_OctetStringTemplate;
+	    theTemplate = SEC_ASN1_GET(SEC_OctetStringTemplate);
 	    break;
    }
    return theTemplate;
@ -133,18 +137,18 @@ sec_pkcs12_choose_cert_bag_type(void *src_or_dest, PRBool encoding)

    oiddata = SECOID_FindOID(&certbag->bagID);
    if(oiddata == NULL) {
-	return SEC_AnyTemplate;
+	return SEC_ASN1_GET(SEC_AnyTemplate);
    }

    switch (oiddata->offset) {
 	default:
-	    theTemplate = SEC_AnyTemplate;
+	    theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
 	    break;
 	case SEC_OID_PKCS9_X509_CERT:
-	    theTemplate = SEC_OctetStringTemplate;
+	    theTemplate = SEC_ASN1_GET(SEC_OctetStringTemplate);
 	    break;
 	case SEC_OID_PKCS9_SDSI_CERT:
-	    theTemplate = SEC_IA5StringTemplate;
+	    theTemplate = SEC_ASN1_GET(SEC_IA5StringTemplate);
 	    break;
    }
    return theTemplate;
@ -165,21 +169,21 @@ sec_pkcs12_choose_attr_type(void *src_or_dest, PRBool encoding)

    oiddata = SECOID_FindOID(&attr->attrType);
    if(oiddata == NULL) {
-	return SEC_AnyTemplate;
+	return SEC_ASN1_GET(SEC_AnyTemplate);
    }

    switch (oiddata->offset) {
 	default:
-	    theTemplate = SEC_AnyTemplate;
+	    theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
 	    break;
 	case SEC_OID_PKCS9_FRIENDLY_NAME:
-	    theTemplate = SEC_BMPStringTemplate;
+	    theTemplate = SEC_ASN1_GET(SEC_BMPStringTemplate);
 	    break;
 	case SEC_OID_PKCS9_LOCAL_KEY_ID:
-	    theTemplate = SEC_OctetStringTemplate;
+	    theTemplate = SEC_ASN1_GET(SEC_OctetStringTemplate);
 	    break;
 	case SEC_OID_PKCS12_KEY_USAGE:
-	    theTemplate = SEC_BitStringTemplate;
+	    theTemplate = SEC_ASN1_GET(SEC_BitStringTemplate);
 	    break;
    }

@ -191,16 +195,16 @@ const SEC_ASN1Template sec_PKCS12PointerToContentInfoTemplate[] = {
    { SEC_ASN1_POINTER | SEC_ASN1_MAY_STREAM, 0, sec_PKCS7ContentInfoTemplate }
 };

-static SEC_ChooseASN1TemplateFunc sec_pkcs12_crl_bag_chooser =
+static const SEC_ASN1TemplateChooserPtr sec_pkcs12_crl_bag_chooser =
    sec_pkcs12_choose_crl_bag_type;

-static SEC_ChooseASN1TemplateFunc sec_pkcs12_cert_bag_chooser =
+static const SEC_ASN1TemplateChooserPtr sec_pkcs12_cert_bag_chooser =
    sec_pkcs12_choose_cert_bag_type;

-static SEC_ChooseASN1TemplateFunc sec_pkcs12_safe_bag_chooser =
+static const SEC_ASN1TemplateChooserPtr sec_pkcs12_safe_bag_chooser =
    sec_pkcs12_choose_safe_bag_type;

-static SEC_ChooseASN1TemplateFunc sec_pkcs12_attr_chooser =
+static const SEC_ASN1TemplateChooserPtr sec_pkcs12_attr_chooser =
    sec_pkcs12_choose_attr_type;

 const SEC_ASN1Template sec_PKCS12PointerToCertBagTemplate[] = {
@ -233,16 +237,17 @@ const SEC_ASN1Template sec_PKCS12PFXItemTemplate[] = {

 const SEC_ASN1Template sec_PKCS12MacDataTemplate[] = {
    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(sec_PKCS12MacData) },
-    { SEC_ASN1_INLINE, offsetof(sec_PKCS12MacData, safeMac),
-	sgn_DigestInfoTemplate },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN , offsetof(sec_PKCS12MacData, safeMac),
+	SEC_ASN1_SUB(sgn_DigestInfoTemplate) },
    { SEC_ASN1_OCTET_STRING, offsetof(sec_PKCS12MacData, macSalt) },
    { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER, offsetof(sec_PKCS12MacData, iter) },
    { 0 }
 };

 const SEC_ASN1Template sec_PKCS12AuthenticatedSafeTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_MAY_STREAM, 
-	offsetof(sec_PKCS12AuthenticatedSafe, encodedSafes), SEC_AnyTemplate }
+    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_MAY_STREAM | SEC_ASN1_XTRN , 
+	offsetof(sec_PKCS12AuthenticatedSafe, encodedSafes), 
+	SEC_ASN1_SUB(SEC_AnyTemplate) }
 };

 const SEC_ASN1Template sec_PKCS12SafeBagTemplate[] = {
@ -265,8 +270,8 @@ const SEC_ASN1Template sec_PKCS12SafeContentsTemplate[] = {
 };

 const SEC_ASN1Template sec_PKCS12SequenceOfAnyTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_MAY_STREAM, 0,
-	SEC_AnyTemplate }
+    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_MAY_STREAM | SEC_ASN1_XTRN , 0,
+	SEC_ASN1_SUB(SEC_AnyTemplate) }
 };

 const SEC_ASN1Template sec_PKCS12NestedSafeContentsDecodeTemplate[] = {
@ -276,9 +281,9 @@ const SEC_ASN1Template sec_PKCS12NestedSafeContentsDecodeTemplate[] = {
 };

 const SEC_ASN1Template sec_PKCS12SafeContentsDecodeTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_MAY_STREAM, 
+    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_MAY_STREAM | SEC_ASN1_XTRN , 
 	offsetof(sec_PKCS12SafeContents, encodedSafeBags),
-	SEC_AnyTemplate }
+	SEC_ASN1_SUB(SEC_AnyTemplate) }
 };

 const SEC_ASN1Template sec_PKCS12CRLBagTemplate[] = {
--- a/security/nss/lib/pkcs7/certread.c
+++ b/security/nss/lib/pkcs7/certread.c
@ -39,6 +39,8 @@
 #include "secasn1.h"
 #include "secoid.h"

+SEC_ASN1_MKSUB(SEC_AnyTemplate);
+
 SECStatus
 SEC_ReadPKCS7Certs(SECItem *pkcs7Item, CERTImportCertificateFunc f, void *arg)
 {
@ -83,8 +85,7 @@ done:
 }

 const SEC_ASN1Template SEC_CertSequenceTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF,
-	  0, SECAnyTemplate }
+    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN, 0, SEC_ASN1_SUB(SEC_AnyTemplate) }
 };

 SECStatus
--- a/security/nss/lib/pkcs7/p7decode.c
+++ b/security/nss/lib/pkcs7/p7decode.c
@ -34,7 +34,7 @@
 /*
 * PKCS7 decoding, verification.
 *
- * $Id: p7decode.c,v 1.2 2001/01/05 01:38:16 nelsonb%netscape.com Exp $
+ * $Id: p7decode.c,v 1.3 2001/01/07 08:13:04 nelsonb%netscape.com Exp $
 */

 #include "p7local.h"
@ -55,6 +55,7 @@
 #include "prtime.h"
 #include "secerr.h"
 #include "sechash.h"	/* for HASH_GetHashObject() */
+#include "secder.h"

 struct sec_pkcs7_decoder_worker {
    int depth;
@ -582,8 +583,8 @@ sec_pkcs7_decoder_get_recipient_key (SEC_PKCS7DecoderContext *p7dcx,
 		  if (keaParams.bulkKeySize.len > 0)
 		  {
 		      p7dcx->error = SEC_ASN1DecodeItem(NULL, &bulkLength,
-							SEC_IntegerTemplate,
-							&keaParams.bulkKeySize);
+					SEC_ASN1_GET(SEC_IntegerTemplate),
+					&keaParams.bulkKeySize);
 		  }
 		  
 		  if (p7dcx->error != SECSuccess)
--- a/security/nss/lib/pkcs7/p7local.c
+++ b/security/nss/lib/pkcs7/p7local.c
@ -37,7 +37,7 @@
 * encoding/creation side *and* the decoding/decryption side.  Anything
 * else should be static routines in the appropriate file.
 *
- * $Id: p7local.c,v 1.1 2000/03/31 19:16:06 relyea%netscape.com Exp $
+ * $Id: p7local.c,v 1.2 2001/01/07 08:13:04 nelsonb%netscape.com Exp $
 */

 #include "p7local.h"
@ -76,6 +76,12 @@ struct sec_pkcs7_cipher_object {
    unsigned char pending_buf[BLOCK_SIZE];
 };

+SEC_ASN1_MKSUB(CERT_IssuerAndSNTemplate)
+SEC_ASN1_MKSUB(CERT_SetOfSignedCrlTemplate)
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+SEC_ASN1_MKSUB(SEC_OctetStringTemplate)
+SEC_ASN1_MKSUB(SEC_SetOfAnyTemplate)
+
 /*
 * Create a cipher object to do decryption,  based on the given bulk
 * encryption key and algorithm identifier (which may include an iv).
@ -900,7 +906,7 @@ sec_attr_choose_attr_value_template(void *src_or_dest, PRBool encoding)
    attribute = (SEC_PKCS7Attribute*)src_or_dest;

    if (encoding && attribute->encoded)
-	return SEC_AnyTemplate;
+	return SEC_ASN1_GET(SEC_AnyTemplate);

    oiddata = attribute->typeTag;
    if (oiddata == NULL) {
@ -910,30 +916,30 @@ sec_attr_choose_attr_value_template(void *src_or_dest, PRBool encoding)

    if (oiddata == NULL) {
 	encoded = PR_TRUE;
-	theTemplate = SEC_AnyTemplate;
+	theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
    } else {
 	switch (oiddata->offset) {
 	  default:
 	    encoded = PR_TRUE;
-	    theTemplate = SEC_AnyTemplate;
+	    theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
 	    break;
 	  case SEC_OID_PKCS9_EMAIL_ADDRESS:
 	  case SEC_OID_RFC1274_MAIL:
 	  case SEC_OID_PKCS9_UNSTRUCTURED_NAME:
 	    encoded = PR_FALSE;
-	    theTemplate = SEC_IA5StringTemplate;
+	    theTemplate = SEC_ASN1_GET(SEC_IA5StringTemplate);
 	    break;
 	  case SEC_OID_PKCS9_CONTENT_TYPE:
 	    encoded = PR_FALSE;
-	    theTemplate = SEC_ObjectIDTemplate;
+	    theTemplate = SEC_ASN1_GET(SEC_ObjectIDTemplate);
 	    break;
 	  case SEC_OID_PKCS9_MESSAGE_DIGEST:
 	    encoded = PR_FALSE;
-	    theTemplate = SEC_OctetStringTemplate;
+	    theTemplate = SEC_ASN1_GET(SEC_OctetStringTemplate);
 	    break;
 	  case SEC_OID_PKCS9_SIGNING_TIME:
 	    encoded = PR_FALSE;
-	    theTemplate = SEC_UTCTimeTemplate;
+	    theTemplate = SEC_ASN1_GET(SEC_UTCTimeTemplate);
 	    break;
 	  /* XXX Want other types here, too */
 	}
@ -958,7 +964,7 @@ sec_attr_choose_attr_value_template(void *src_or_dest, PRBool encoding)
    return theTemplate;
 }

-static SEC_ChooseASN1TemplateFunc sec_attr_chooser
+static const SEC_ASN1TemplateChooserPtr sec_attr_chooser
 	= sec_attr_choose_attr_value_template;

 static const SEC_ASN1Template sec_pkcs7_attribute_template[] = {
@ -1146,7 +1152,7 @@ sec_PKCS7ReorderAttributes (SEC_PKCS7Attribute **attrs)
 static const SEC_ASN1Template *
 sec_pkcs7_choose_content_template(void *src_or_dest, PRBool encoding);

-static SEC_ChooseASN1TemplateFunc sec_pkcs7_chooser
+static const SEC_ASN1TemplateChooserPtr sec_pkcs7_chooser
 	= sec_pkcs7_choose_content_template;

 const SEC_ASN1Template sec_PKCS7ContentInfoTemplate[] = {
@ -1168,18 +1174,18 @@ static const SEC_ASN1Template SEC_PKCS7SignerInfoTemplate[] = {
 	  0, NULL, sizeof(SEC_PKCS7SignerInfo) },
    { SEC_ASN1_INTEGER,
 	  offsetof(SEC_PKCS7SignerInfo,version) },
-    { SEC_ASN1_POINTER,
+    { SEC_ASN1_POINTER | SEC_ASN1_XTRN,
 	  offsetof(SEC_PKCS7SignerInfo,issuerAndSN),
-	  CERT_IssuerAndSNTemplate },
-    { SEC_ASN1_INLINE,
+	  SEC_ASN1_SUB(CERT_IssuerAndSNTemplate) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
 	  offsetof(SEC_PKCS7SignerInfo,digestAlg),
-	  SECOID_AlgorithmIDTemplate },
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
 	  offsetof(SEC_PKCS7SignerInfo,authAttr),
 	  sec_pkcs7_set_of_attribute_template },
-    { SEC_ASN1_INLINE,
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
 	  offsetof(SEC_PKCS7SignerInfo,digestEncAlg),
-	  SECOID_AlgorithmIDTemplate },
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
    { SEC_ASN1_OCTET_STRING,
 	  offsetof(SEC_PKCS7SignerInfo,encDigest) },
    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
@ -1193,18 +1199,20 @@ static const SEC_ASN1Template SEC_PKCS7SignedDataTemplate[] = {
 	  0, NULL, sizeof(SEC_PKCS7SignedData) },
    { SEC_ASN1_INTEGER,
 	  offsetof(SEC_PKCS7SignedData,version) },
-    { SEC_ASN1_SET_OF,
+    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN,
 	  offsetof(SEC_PKCS7SignedData,digestAlgorithms),
-	  SECOID_AlgorithmIDTemplate },
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
    { SEC_ASN1_INLINE,
 	  offsetof(SEC_PKCS7SignedData,contentInfo),
 	  sec_PKCS7ContentInfoTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC  |
+      SEC_ASN1_XTRN | 0,
 	  offsetof(SEC_PKCS7SignedData,rawCerts),
-	  SEC_SetOfAnyTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	  SEC_ASN1_SUB(SEC_SetOfAnyTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC  |
+      SEC_ASN1_XTRN | 1,
 	  offsetof(SEC_PKCS7SignedData,crls),
-	  CERT_SetOfSignedCrlTemplate },
+	  SEC_ASN1_SUB(CERT_SetOfSignedCrlTemplate) },
    { SEC_ASN1_SET_OF,
 	  offsetof(SEC_PKCS7SignedData,signerInfos),
 	  SEC_PKCS7SignerInfoTemplate },
@ -1220,12 +1228,12 @@ static const SEC_ASN1Template SEC_PKCS7RecipientInfoTemplate[] = {
 	  0, NULL, sizeof(SEC_PKCS7RecipientInfo) },
    { SEC_ASN1_INTEGER,
 	  offsetof(SEC_PKCS7RecipientInfo,version) },
-    { SEC_ASN1_POINTER,
+    { SEC_ASN1_POINTER | SEC_ASN1_XTRN,
 	  offsetof(SEC_PKCS7RecipientInfo,issuerAndSN),
-	  CERT_IssuerAndSNTemplate },
-    { SEC_ASN1_INLINE,
+	  SEC_ASN1_SUB(CERT_IssuerAndSNTemplate) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
 	  offsetof(SEC_PKCS7RecipientInfo,keyEncAlg),
-	  SECOID_AlgorithmIDTemplate },
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
    { SEC_ASN1_OCTET_STRING,
 	  offsetof(SEC_PKCS7RecipientInfo,encKey) },
    { 0 }
@ -1236,12 +1244,13 @@ static const SEC_ASN1Template SEC_PKCS7EncryptedContentInfoTemplate[] = {
 	  0, NULL, sizeof(SEC_PKCS7EncryptedContentInfo) },
    { SEC_ASN1_OBJECT_ID,
 	  offsetof(SEC_PKCS7EncryptedContentInfo,contentType) },
-    { SEC_ASN1_INLINE,
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
 	  offsetof(SEC_PKCS7EncryptedContentInfo,contentEncAlg),
-	  SECOID_AlgorithmIDTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_MAY_STREAM | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_MAY_STREAM | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 0,
 	  offsetof(SEC_PKCS7EncryptedContentInfo,encContent),
-	  SEC_OctetStringTemplate },
+	  SEC_ASN1_SUB(SEC_OctetStringTemplate) },
    { 0 }
 };

@ -1271,18 +1280,20 @@ static const SEC_ASN1Template SEC_PKCS7SignedAndEnvelopedDataTemplate[] = {
    { SEC_ASN1_SET_OF,
 	  offsetof(SEC_PKCS7SignedAndEnvelopedData,recipientInfos),
 	  SEC_PKCS7RecipientInfoTemplate },
-    { SEC_ASN1_SET_OF,
+    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN,
 	  offsetof(SEC_PKCS7SignedAndEnvelopedData,digestAlgorithms),
-	  SECOID_AlgorithmIDTemplate },
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
    { SEC_ASN1_INLINE,
 	  offsetof(SEC_PKCS7SignedAndEnvelopedData,encContentInfo),
 	  SEC_PKCS7EncryptedContentInfoTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 0,
 	  offsetof(SEC_PKCS7SignedAndEnvelopedData,rawCerts),
-	  SEC_SetOfAnyTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	  SEC_ASN1_SUB(SEC_SetOfAnyTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 1,
 	  offsetof(SEC_PKCS7SignedAndEnvelopedData,crls),
-	  CERT_SetOfSignedCrlTemplate },
+	  SEC_ASN1_SUB(CERT_SetOfSignedCrlTemplate) },
    { SEC_ASN1_SET_OF,
 	  offsetof(SEC_PKCS7SignedAndEnvelopedData,signerInfos),
 	  SEC_PKCS7SignerInfoTemplate },
@ -1299,9 +1310,9 @@ static const SEC_ASN1Template SEC_PKCS7DigestedDataTemplate[] = {
 	  0, NULL, sizeof(SEC_PKCS7DigestedData) },
    { SEC_ASN1_INTEGER,
 	  offsetof(SEC_PKCS7DigestedData,version) },
-    { SEC_ASN1_INLINE,
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
 	  offsetof(SEC_PKCS7DigestedData,digestAlg),
-	  SECOID_AlgorithmIDTemplate },
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
    { SEC_ASN1_INLINE,
 	  offsetof(SEC_PKCS7DigestedData,contentInfo),
 	  sec_PKCS7ContentInfoTemplate },
@ -1401,10 +1412,10 @@ sec_pkcs7_choose_content_template(void *src_or_dest, PRBool encoding)
    kind = SEC_PKCS7ContentType (cinfo);
    switch (kind) {
      default:
-	theTemplate = SEC_PointerToAnyTemplate;
+	theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
 	break;
      case SEC_OID_PKCS7_DATA:
-	theTemplate = SEC_PointerToOctetStringTemplate;
+	theTemplate = SEC_ASN1_GET(SEC_PointerToOctetStringTemplate);
 	break;
      case SEC_OID_PKCS7_SIGNED_DATA:
 	theTemplate = SEC_PointerToPKCS7SignedDataTemplate;
--- a/security/nss/lib/smime/cmsasn1.c
+++ b/security/nss/lib/smime/cmsasn1.c
@ -34,7 +34,7 @@
 /*
 * CMS ASN.1 templates
 *
- * $Id: cmsasn1.c,v 1.4 2000/06/20 16:28:57 chrisk%netscape.com Exp $
+ * $Id: cmsasn1.c,v 1.5 2001/01/07 08:13:07 nelsonb%netscape.com Exp $
 */

 #include "cmslocal.h"
@ -50,6 +50,14 @@

 extern const SEC_ASN1Template nss_cms_set_of_attribute_template[];

+SEC_ASN1_MKSUB(CERT_IssuerAndSNTemplate)
+SEC_ASN1_MKSUB(CERT_SetOfSignedCrlTemplate)
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+SEC_ASN1_MKSUB(SEC_BitStringTemplate)
+SEC_ASN1_MKSUB(SEC_OctetStringTemplate)
+SEC_ASN1_MKSUB(SEC_PointerToOctetStringTemplate)
+SEC_ASN1_MKSUB(SEC_SetOfAnyTemplate)
+
 /* -----------------------------------------------------------------------------
 * MESSAGE
 * (uses NSSCMSContentInfo)
@ -59,7 +67,7 @@ extern const SEC_ASN1Template nss_cms_set_of_attribute_template[];
 static const SEC_ASN1Template *
 nss_cms_choose_content_template(void *src_or_dest, PRBool encoding);

-static SEC_ChooseASN1TemplateFunc nss_cms_chooser
+static const SEC_ASN1TemplateChooserPtr nss_cms_chooser
 	= nss_cms_choose_content_template;

 const SEC_ASN1Template NSSCMSMessageTemplate[] = {
@ -88,9 +96,9 @@ static const SEC_ASN1Template NSSCMSEncapsulatedContentInfoTemplate[] = {
    { SEC_ASN1_OBJECT_ID,
 	  offsetof(NSSCMSContentInfo,contentType) },
    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | SEC_ASN1_MAY_STREAM |
-	SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
 	  offsetof(NSSCMSContentInfo,rawContent),
-	  SEC_PointerToOctetStringTemplate },
+	  SEC_ASN1_SUB(SEC_PointerToOctetStringTemplate) },
    { 0 }
 };

@ -99,12 +107,13 @@ static const SEC_ASN1Template NSSCMSEncryptedContentInfoTemplate[] = {
 	  0, NULL, sizeof(NSSCMSContentInfo) },
    { SEC_ASN1_OBJECT_ID,
 	  offsetof(NSSCMSContentInfo,contentType) },
-    { SEC_ASN1_INLINE,
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
 	  offsetof(NSSCMSContentInfo,contentEncAlg),
-	  SECOID_AlgorithmIDTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_POINTER | SEC_ASN1_MAY_STREAM | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_POINTER | SEC_ASN1_MAY_STREAM | 
+      SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
 	  offsetof(NSSCMSContentInfo,rawContent),
-	  SEC_OctetStringTemplate },
+	  SEC_ASN1_SUB(SEC_OctetStringTemplate) },
    { 0 }
 };

@ -119,18 +128,20 @@ const SEC_ASN1Template NSSCMSSignedDataTemplate[] = {
 	  0, NULL, sizeof(NSSCMSSignedData) },
    { SEC_ASN1_INTEGER,
 	  offsetof(NSSCMSSignedData,version) },
-    { SEC_ASN1_SET_OF,
+    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN,
 	  offsetof(NSSCMSSignedData,digestAlgorithms),
-	  SECOID_AlgorithmIDTemplate },
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
    { SEC_ASN1_INLINE,
 	  offsetof(NSSCMSSignedData,contentInfo),
 	  NSSCMSEncapsulatedContentInfoTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 0,
 	  offsetof(NSSCMSSignedData,rawCerts),
-	  SEC_SetOfAnyTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	  SEC_ASN1_SUB(SEC_SetOfAnyTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 1,
 	  offsetof(NSSCMSSignedData,crls),
-	  CERT_SetOfSignedCrlTemplate },
+	  SEC_ASN1_SUB(CERT_SetOfSignedCrlTemplate) },
    { SEC_ASN1_SET_OF,
 	  offsetof(NSSCMSSignedData,signerInfos),
 	  NSSCMSSignerInfoTemplate },
@ -149,13 +160,13 @@ static const SEC_ASN1Template NSSCMSSignerIdentifierTemplate[] = {
    { SEC_ASN1_CHOICE,
 	  offsetof(NSSCMSSignerIdentifier,identifierType), NULL,
 	  sizeof(NSSCMSSignerIdentifier) },
-    { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+    { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
 	  offsetof(NSSCMSSignerIdentifier,id.subjectKeyID),
-	  SEC_OctetStringTemplate,
+	  SEC_ASN1_SUB(SEC_OctetStringTemplate) ,
 	  NSSCMSRecipientID_SubjectKeyID },
-    { SEC_ASN1_POINTER,
+    { SEC_ASN1_POINTER | SEC_ASN1_XTRN,
 	  offsetof(NSSCMSSignerIdentifier,id.issuerAndSN),
-	  CERT_IssuerAndSNTemplate,
+	  SEC_ASN1_SUB(CERT_IssuerAndSNTemplate),
 	  NSSCMSRecipientID_IssuerSN },
    { 0 }
 };
@ -172,15 +183,15 @@ const SEC_ASN1Template NSSCMSSignerInfoTemplate[] = {
    { SEC_ASN1_INLINE,
 	  offsetof(NSSCMSSignerInfo,signerIdentifier),
 	  NSSCMSSignerIdentifierTemplate },
-    { SEC_ASN1_INLINE,
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
 	  offsetof(NSSCMSSignerInfo,digestAlg),
-	  SECOID_AlgorithmIDTemplate },
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
 	  offsetof(NSSCMSSignerInfo,authAttr),
 	  nss_cms_set_of_attribute_template },
-    { SEC_ASN1_INLINE,
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
 	  offsetof(NSSCMSSignerInfo,digestEncAlg),
-	  SECOID_AlgorithmIDTemplate },
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
    { SEC_ASN1_OCTET_STRING,
 	  offsetof(NSSCMSSignerInfo,encDigest) },
    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
@ -196,12 +207,14 @@ const SEC_ASN1Template NSSCMSSignerInfoTemplate[] = {
 static const SEC_ASN1Template NSSCMSOriginatorInfoTemplate[] = {
    { SEC_ASN1_SEQUENCE,
 	  0, NULL, sizeof(NSSCMSOriginatorInfo) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 0,
 	  offsetof(NSSCMSOriginatorInfo,rawCerts),
-	  SEC_SetOfAnyTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	  SEC_ASN1_SUB(SEC_SetOfAnyTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 1,
 	  offsetof(NSSCMSOriginatorInfo,crls),
-	  CERT_SetOfSignedCrlTemplate },
+	  SEC_ASN1_SUB(CERT_SetOfSignedCrlTemplate) },
    { 0 }
 };

@ -241,13 +254,14 @@ static const SEC_ASN1Template NSSCMSRecipientIdentifierTemplate[] = {
    { SEC_ASN1_CHOICE,
 	  offsetof(NSSCMSRecipientIdentifier,identifierType), NULL,
 	  sizeof(NSSCMSRecipientIdentifier) },
-    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 0,
 	  offsetof(NSSCMSRecipientIdentifier,id.subjectKeyID),
-	  SEC_PointerToOctetStringTemplate,
+	  SEC_ASN1_SUB(SEC_PointerToOctetStringTemplate) ,
 	  NSSCMSRecipientID_SubjectKeyID },
-    { SEC_ASN1_POINTER,
+    { SEC_ASN1_POINTER | SEC_ASN1_XTRN,
 	  offsetof(NSSCMSRecipientIdentifier,id.issuerAndSN),
-	  CERT_IssuerAndSNTemplate,
+	  SEC_ASN1_SUB(CERT_IssuerAndSNTemplate),
 	  NSSCMSRecipientID_IssuerSN },
    { 0 }
 };
@ -261,9 +275,9 @@ static const SEC_ASN1Template NSSCMSKeyTransRecipientInfoTemplate[] = {
    { SEC_ASN1_INLINE,
 	  offsetof(NSSCMSKeyTransRecipientInfo,recipientIdentifier),
 	  NSSCMSRecipientIdentifierTemplate },
-    { SEC_ASN1_INLINE,
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
 	  offsetof(NSSCMSKeyTransRecipientInfo,keyEncAlg),
-	  SECOID_AlgorithmIDTemplate },
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
    { SEC_ASN1_OCTET_STRING,
 	  offsetof(NSSCMSKeyTransRecipientInfo,encKey) },
    { 0 }
@ -276,12 +290,12 @@ static const SEC_ASN1Template NSSCMSKeyTransRecipientInfoTemplate[] = {
 static const SEC_ASN1Template NSSCMSOriginatorPublicKeyTemplate[] = {
    { SEC_ASN1_SEQUENCE,
 	  0, NULL, sizeof(NSSCMSOriginatorPublicKey) },
-    { SEC_ASN1_INLINE,
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
 	  offsetof(NSSCMSOriginatorPublicKey,algorithmIdentifier),
-	  SECOID_AlgorithmIDTemplate },
-    { SEC_ASN1_INLINE,
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
 	  offsetof(NSSCMSOriginatorPublicKey,publicKey),
-	  SEC_BitStringTemplate },
+	  SEC_ASN1_SUB(SEC_BitStringTemplate) },
    { 0 }
 };

@ -290,13 +304,14 @@ static const SEC_ASN1Template NSSCMSOriginatorIdentifierOrKeyTemplate[] = {
    { SEC_ASN1_CHOICE,
 	  offsetof(NSSCMSOriginatorIdentifierOrKey,identifierType), NULL,
 	  sizeof(NSSCMSOriginatorIdentifierOrKey) },
-    { SEC_ASN1_POINTER,
+    { SEC_ASN1_POINTER | SEC_ASN1_XTRN,
 	  offsetof(NSSCMSOriginatorIdentifierOrKey,id.issuerAndSN),
-	  CERT_IssuerAndSNTemplate,
+	  SEC_ASN1_SUB(CERT_IssuerAndSNTemplate),
 	  NSSCMSOriginatorIDOrKey_IssuerSN },
-    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 1,
 	  offsetof(NSSCMSOriginatorIdentifierOrKey,id.subjectKeyID),
-	  SEC_PointerToOctetStringTemplate,
+	  SEC_ASN1_SUB(SEC_PointerToOctetStringTemplate) ,
 	  NSSCMSOriginatorIDOrKey_SubjectKeyID },
    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2,
 	  offsetof(NSSCMSOriginatorIdentifierOrKey,id.originatorPublicKey),
@ -322,9 +337,9 @@ static const SEC_ASN1Template NSSCMSKeyAgreeRecipientIdentifierTemplate[] = {
    { SEC_ASN1_CHOICE,
 	  offsetof(NSSCMSKeyAgreeRecipientIdentifier,identifierType), NULL,
 	  sizeof(NSSCMSKeyAgreeRecipientIdentifier) },
-    { SEC_ASN1_POINTER,
+    { SEC_ASN1_POINTER | SEC_ASN1_XTRN,
 	  offsetof(NSSCMSKeyAgreeRecipientIdentifier,id.issuerAndSN),
-	  CERT_IssuerAndSNTemplate,
+	  SEC_ASN1_SUB(CERT_IssuerAndSNTemplate),
 	  NSSCMSKeyAgreeRecipientID_IssuerSN },
    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
 	  offsetof(NSSCMSKeyAgreeRecipientIdentifier,id.recipientKeyIdentifier),
@ -339,9 +354,9 @@ static const SEC_ASN1Template NSSCMSRecipientEncryptedKeyTemplate[] = {
    { SEC_ASN1_INLINE,
 	  offsetof(NSSCMSRecipientEncryptedKey,recipientIdentifier),
 	  NSSCMSKeyAgreeRecipientIdentifierTemplate },
-    { SEC_ASN1_INLINE,
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
 	  offsetof(NSSCMSRecipientEncryptedKey,encKey),
-	  SEC_BitStringTemplate },
+	  SEC_ASN1_SUB(SEC_BitStringTemplate) },
    { 0 }
 };

@ -354,12 +369,12 @@ static const SEC_ASN1Template NSSCMSKeyAgreeRecipientInfoTemplate[] = {
 	  offsetof(NSSCMSKeyAgreeRecipientInfo,originatorIdentifierOrKey),
 	  NSSCMSOriginatorIdentifierOrKeyTemplate },
    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
-						    SEC_ASN1_CONTEXT_SPECIFIC | 1,
+      SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
 	  offsetof(NSSCMSKeyAgreeRecipientInfo,ukm),
-	  SEC_OctetStringTemplate },
-    { SEC_ASN1_INLINE,
+	  SEC_ASN1_SUB(SEC_OctetStringTemplate) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
 	  offsetof(NSSCMSKeyAgreeRecipientInfo,keyEncAlg),
-	  SECOID_AlgorithmIDTemplate },
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
    { SEC_ASN1_SEQUENCE_OF,
 	  offsetof(NSSCMSKeyAgreeRecipientInfo,recipientEncryptedKeys),
 	  NSSCMSRecipientEncryptedKeyTemplate },
@ -390,9 +405,9 @@ static const SEC_ASN1Template NSSCMSKEKRecipientInfoTemplate[] = {
    { SEC_ASN1_INLINE,
 	  offsetof(NSSCMSKEKRecipientInfo,kekIdentifier),
 	  NSSCMSKEKIdentifierTemplate },
-    { SEC_ASN1_INLINE,
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
 	  offsetof(NSSCMSKEKRecipientInfo,keyEncAlg),
-	  SECOID_AlgorithmIDTemplate },
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
    { SEC_ASN1_OCTET_STRING,
 	  offsetof(NSSCMSKEKRecipientInfo,encKey) },
    { 0 }
@ -429,9 +444,9 @@ const SEC_ASN1Template NSSCMSDigestedDataTemplate[] = {
 	  0, NULL, sizeof(NSSCMSDigestedData) },
    { SEC_ASN1_INTEGER,
 	  offsetof(NSSCMSDigestedData,version) },
-    { SEC_ASN1_INLINE,
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
 	  offsetof(NSSCMSDigestedData,digestAlg),
-	  SECOID_AlgorithmIDTemplate },
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
    { SEC_ASN1_INLINE,
 	  offsetof(NSSCMSDigestedData,contentInfo),
 	  NSSCMSEncapsulatedContentInfoTemplate },
@ -538,10 +553,10 @@ nss_cms_choose_content_template(void *src_or_dest, PRBool encoding)
    cinfo = (NSSCMSContentInfo *)src_or_dest;
    switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
    default:
-	theTemplate = SEC_PointerToAnyTemplate;
+	theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
 	break;
    case SEC_OID_PKCS7_DATA:
-	theTemplate = SEC_PointerToOctetStringTemplate;
+	theTemplate = SEC_ASN1_GET(SEC_PointerToOctetStringTemplate);
 	break;
    case SEC_OID_PKCS7_SIGNED_DATA:
 	theTemplate = NSS_PointerToCMSSignedDataTemplate;
--- a/security/nss/lib/smime/cmsattr.c
+++ b/security/nss/lib/smime/cmsattr.c
@ -34,7 +34,7 @@
 /*
 * CMS attributes.
 *
- * $Id: cmsattr.c,v 1.3 2000/06/20 16:28:57 chrisk%netscape.com Exp $
+ * $Id: cmsattr.c,v 1.4 2001/01/07 08:13:07 nelsonb%netscape.com Exp $
 */

 #include "cmslocal.h"
@ -219,7 +219,7 @@ cms_attr_choose_attr_value_template(void *src_or_dest, PRBool encoding)

    if (encoding && attribute->encoded)
 	/* we're encoding, and the attribute value is already encoded. */
-	return SEC_AnyTemplate;
+	return SEC_ASN1_GET(SEC_AnyTemplate);

    /* get attribute's typeTag */
    oiddata = attribute->typeTag;
@ -231,7 +231,7 @@ cms_attr_choose_attr_value_template(void *src_or_dest, PRBool encoding)
    if (oiddata == NULL) {
 	/* still no OID tag? OID is unknown then. en/decode value as ANY. */
 	encoded = PR_TRUE;
-	theTemplate = SEC_AnyTemplate;
+	theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
    } else {
 	switch (oiddata->offset) {
 	SEC_OID_PKCS9_SMIME_CAPABILITIES:
@ -240,26 +240,26 @@ cms_attr_choose_attr_value_template(void *src_or_dest, PRBool encoding)
 	default:
 	    /* same goes for OIDs that are not handled here */
 	    encoded = PR_TRUE;
-	    theTemplate = SEC_AnyTemplate;
+	    theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
 	    break;
 	    /* otherwise choose proper template */
 	case SEC_OID_PKCS9_EMAIL_ADDRESS:
 	case SEC_OID_RFC1274_MAIL:
 	case SEC_OID_PKCS9_UNSTRUCTURED_NAME:
 	    encoded = PR_FALSE;
-	    theTemplate = SEC_IA5StringTemplate;
+	    theTemplate = SEC_ASN1_GET(SEC_IA5StringTemplate);
 	    break;
 	case SEC_OID_PKCS9_CONTENT_TYPE:
 	    encoded = PR_FALSE;
-	    theTemplate = SEC_ObjectIDTemplate;
+	    theTemplate = SEC_ASN1_GET(SEC_ObjectIDTemplate);
 	    break;
 	case SEC_OID_PKCS9_MESSAGE_DIGEST:
 	    encoded = PR_FALSE;
-	    theTemplate = SEC_OctetStringTemplate;
+	    theTemplate = SEC_ASN1_GET(SEC_OctetStringTemplate);
 	    break;
 	case SEC_OID_PKCS9_SIGNING_TIME:
 	    encoded = PR_FALSE;
-	    theTemplate = SEC_UTCTimeTemplate;
+	    theTemplate = SEC_ASN1_GET(SEC_UTCTimeTemplate);
 	    break;
 	  /* XXX Want other types here, too */
 	}
@ -284,7 +284,7 @@ cms_attr_choose_attr_value_template(void *src_or_dest, PRBool encoding)
    return theTemplate;
 }

-static SEC_ChooseASN1TemplateFunc cms_attr_chooser
+static const SEC_ASN1TemplateChooserPtr cms_attr_chooser
 	= cms_attr_choose_attr_value_template;

 const SEC_ASN1Template nss_cms_attribute_template[] = {
--- a/security/nss/lib/smime/cmspubkey.c
+++ b/security/nss/lib/smime/cmspubkey.c
@ -34,7 +34,7 @@
 /*
 * CMS public key crypto
 *
- * $Id: cmspubkey.c,v 1.2 2000/06/13 21:56:30 chrisk%netscape.com Exp $
+ * $Id: cmspubkey.c,v 1.3 2001/01/07 08:13:07 nelsonb%netscape.com Exp $
 */

 #include "cmslocal.h"
@ -342,8 +342,8 @@ NSS_CMSUtil_DecryptSymKey_MISSI(SECKEYPrivateKey *privkey, SECItem *encKey, SECA
 	   bulk key size is different than the encrypted key size */
 	if (keaParams.bulkKeySize.len > 0) {
 	    err = SEC_ASN1DecodeItem(NULL, &bulkLength,
-					      SEC_IntegerTemplate,
-					      &keaParams.bulkKeySize);
+				     SEC_ASN1_GET(SEC_IntegerTemplate),
+				     &keaParams.bulkKeySize);
 	    if (err != SECSuccess)
 		goto loser;
 	}
--- a/security/nss/lib/smime/cmssigdata.c
+++ b/security/nss/lib/smime/cmssigdata.c
@ -34,7 +34,7 @@
 /*
 * CMS signedData methods.
 *
- * $Id: cmssigdata.c,v 1.10 2000/10/06 23:26:10 nelsonb%netscape.com Exp $
+ * $Id: cmssigdata.c,v 1.11 2001/01/07 08:13:07 nelsonb%netscape.com Exp $
 */

 #include "cmslocal.h"
@ -181,7 +181,8 @@ NSS_CMSSignedData_Encode_BeforeStart(NSSCMSSignedData *sigd)
 	return SECFailure;

    /* this is a SET OF, so we need to sort them guys */
-    rv = NSS_CMSArray_SortByDER((void **)sigd->digestAlgorithms, SECOID_AlgorithmIDTemplate,
+    rv = NSS_CMSArray_SortByDER((void **)sigd->digestAlgorithms, 
+                                SEC_ASN1_GET(SECOID_AlgorithmIDTemplate),
 				(void **)sigd->digests);
    if (rv != SECSuccess)
 	return SECFailure;
--- a/security/nss/lib/smime/smimeutil.c
+++ b/security/nss/lib/smime/smimeutil.c
@ -34,7 +34,7 @@
 /*
 * Stuff specific to S/MIME policy and interoperability.
 *
- * $Id: smimeutil.c,v 1.4 2000/06/20 16:28:57 chrisk%netscape.com Exp $
+ * $Id: smimeutil.c,v 1.5 2001/01/07 08:13:07 nelsonb%netscape.com Exp $
 */

 #include "secmime.h"
@ -48,6 +48,9 @@
 #include "secerr.h"
 #include "cms.h"

+SEC_ASN1_MKSUB(CERT_IssuerAndSNTemplate)
+SEC_ASN1_MKSUB(SEC_OctetStringTemplate)
+
 /* various integer's ASN.1 encoding */
 static unsigned char asn1_int40[] = { SEC_ASN1_INTEGER, 0x01, 0x28 };
 static unsigned char asn1_int64[] = { SEC_ASN1_INTEGER, 0x01, 0x40 };
@ -108,17 +111,17 @@ static const SEC_ASN1Template smime_encryptionkeypref_template[] = {
    { SEC_ASN1_CHOICE,
 	  offsetof(NSSSMIMEEncryptionKeyPreference,selector), NULL,
 	  sizeof(NSSSMIMEEncryptionKeyPreference) },
-    { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+    { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
 	  offsetof(NSSSMIMEEncryptionKeyPreference,id.issuerAndSN),
-	  CERT_IssuerAndSNTemplate,
+	  SEC_ASN1_SUB(CERT_IssuerAndSNTemplate),
 	  NSSSMIMEEncryptionKeyPref_IssuerSN },
    { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 1,
 	  offsetof(NSSSMIMEEncryptionKeyPreference,id.recipientKeyID),
 	  NSSCMSRecipientKeyIdentifierTemplate,
 	  NSSSMIMEEncryptionKeyPref_IssuerSN },
-    { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 2,
+    { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2,
 	  offsetof(NSSSMIMEEncryptionKeyPreference,id.subjectKeyID),
-	  SEC_OctetStringTemplate,
+	  SEC_ASN1_SUB(SEC_OctetStringTemplate),
 	  NSSSMIMEEncryptionKeyPref_SubjectKeyID },
    { 0, }
 };
--- a/security/nss/lib/softoken/keydb.c
+++ b/security/nss/lib/softoken/keydb.c
@ -32,7 +32,7 @@
 *
 * Private Key Database code
 *
- * $Id: keydb.c,v 1.3 2000/10/01 17:13:34 wtc%netscape.com Exp $
+ * $Id: keydb.c,v 1.4 2001/01/07 08:13:09 nelsonb%netscape.com Exp $
 */

 #include "keylow.h"
@ -2308,3 +2308,14 @@ done:

    return (errors == 0 ? SECSuccess : SECFailure);
 }
+
+/* These functions simply return the address of the above-declared templates.
+** This is necessary for Windows DLLs.  Sigh.
+*/
+SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_PrivateKeyInfoTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_PointerToPrivateKeyInfoTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_EncryptedPrivateKeyInfoTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_DSAPublicKeyTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_RSAPublicKeyTemplate)
+
--- a/security/nss/lib/softoken/keydbt.h
+++ b/security/nss/lib/softoken/keydbt.h
@ -32,7 +32,7 @@
 *
 * keydbt.h - private data structures for the private key library
 *
- * $Id: keydbt.h,v 1.1 2000/03/31 19:26:00 relyea%netscape.com Exp $
+ * $Id: keydbt.h,v 1.2 2001/01/07 08:13:10 nelsonb%netscape.com Exp $
 */

 #ifndef _KEYDBT_H_
@ -86,4 +86,14 @@ extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[];
 extern const SEC_ASN1Template SECKEY_PQGParamsTemplate[];
 extern const SEC_ASN1Template SECKEY_AttributeTemplate[];

+/* These functions simply return the address of the above-declared templates.
+** This is necessary for Windows DLLs.  Sigh.
+*/
+extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PrivateKeyInfoTemplate;
+extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PointerToPrivateKeyInfoTemplate;
+extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate;
+extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PointerToEncryptedPrivateKeyInfoTemplate;
+extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_DSAPublicKeyTemplate;
+extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_RSAPublicKeyTemplate;
+
 #endif /* _KEYDBT_H_ */
--- a/security/nss/lib/util/secalgid.c
+++ b/security/nss/lib/util/secalgid.c
@ -167,3 +167,7 @@ SECOID_CompareAlgorithmID(SECAlgorithmID *a, SECAlgorithmID *b)
    rv = SECITEM_CompareItem(&a->parameters, &b->parameters);
    return rv;
 }
+
+/* This functions simply returns the address of the above-declared template. */
+SEC_ASN1_CHOOSER_IMPLEMENT(SECOID_AlgorithmIDTemplate)
+
--- a/security/nss/lib/util/secasn1.h
+++ b/security/nss/lib/util/secasn1.h
@ -36,7 +36,7 @@
 * Encoding Rules).  The routines are found in and used extensively by the
 * security library, but exported for other use.
 *
- * $Id: secasn1.h,v 1.2 2000/05/22 15:24:19 chrisk%netscape.com Exp $
+ * $Id: secasn1.h,v 1.3 2001/01/07 08:13:12 nelsonb%netscape.com Exp $
 */

 #ifndef _SECASN1_H_
@ -260,5 +260,22 @@ extern const SEC_ASN1Template SEC_SetOfVisibleStringTemplate[];
 */
 extern const SEC_ASN1Template SEC_SkipTemplate[];

+/* These functions simply return the address of the above-declared templates.
+** This is necessary for Windows DLLs.  Sigh.
+*/
+SEC_ASN1_CHOOSER_DECLARE(SEC_AnyTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_BMPStringTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_BitStringTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_GeneralizedTimeTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_IA5StringTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_IntegerTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_ObjectIDTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_OctetStringTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_UTCTimeTemplate)
+
+SEC_ASN1_CHOOSER_DECLARE(SEC_PointerToAnyTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_PointerToOctetStringTemplate)
+
+SEC_ASN1_CHOOSER_DECLARE(SEC_SetOfAnyTemplate)

 #endif /* _SECASN1_H_ */
--- a/security/nss/lib/util/secasn1d.c
+++ b/security/nss/lib/util/secasn1d.c
@ -35,7 +35,7 @@
 * Support for DEcoding ASN.1 data based on BER/DER (Basic/Distinguished
 * Encoding Rules).
 *
- * $Id: secasn1d.c,v 1.4 2000/06/20 13:24:01 chrisk%netscape.com Exp $
+ * $Id: secasn1d.c,v 1.5 2001/01/07 08:13:12 nelsonb%netscape.com Exp $
 */

 #include "secasn1.h"
@ -2932,3 +2932,21 @@ const SEC_ASN1Template SEC_SetOfVisibleStringTemplate[] = {
 const SEC_ASN1Template SEC_SkipTemplate[] = {
    { SEC_ASN1_SKIP }
 };
+
+
+/* These functions simply return the address of the above-declared templates.
+** This is necessary for Windows DLLs.  Sigh.
+*/
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_AnyTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_BMPStringTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_BitStringTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_IA5StringTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_GeneralizedTimeTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_IntegerTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_ObjectIDTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_OctetStringTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_UTCTimeTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_PointerToAnyTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_PointerToOctetStringTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_SetOfAnyTemplate)
+
--- a/security/nss/lib/util/secasn1t.h
+++ b/security/nss/lib/util/secasn1t.h
@ -35,7 +35,7 @@
 * Types for encoding/decoding of ASN.1 using BER/DER (Basic/Distinguished
 * Encoding Rules).
 *
- * $Id: secasn1t.h,v 1.1 2000/03/31 19:39:06 relyea%netscape.com Exp $
+ * $Id: secasn1t.h,v 1.2 2001/01/07 08:13:12 nelsonb%netscape.com Exp $
 */

 #ifndef _SECASN1T_H_
@ -184,13 +184,34 @@ typedef struct sec_ASN1Template_struct {
 #define SEC_ASN1_SET_OF		(SEC_ASN1_GROUP | SEC_ASN1_SET)
 #define SEC_ASN1_ANY_CONTENTS	(SEC_ASN1_ANY | SEC_ASN1_INNER)

+
 /*
 ** Function used for SEC_ASN1_DYNAMIC.
 ** "arg" is a pointer to the structure being encoded/decoded
 ** "enc", when true, means that we are encoding (false means decoding)
 */
-typedef const SEC_ASN1Template * (* SEC_ChooseASN1TemplateFunc)(void *arg,
-								PRBool enc);
+typedef const SEC_ASN1Template * SEC_ASN1TemplateChooser(void *arg, PRBool enc);
+typedef SEC_ASN1TemplateChooser * SEC_ASN1TemplateChooserPtr;
+
+#if defined(_WIN32)
+#define SEC_ASN1_GET(x)        NSS_Get_##x(NULL, PR_FALSE)
+#define SEC_ASN1_SUB(x)        &p_NSS_Get_##x
+#define SEC_ASN1_XTRN          SEC_ASN1_DYNAMIC
+#define SEC_ASN1_MKSUB(x) \
+static const SEC_ASN1TemplateChooserPtr p_NSS_Get_##x = &NSS_Get_##x;
+#else
+#define SEC_ASN1_GET(x)        x
+#define SEC_ASN1_SUB(x)        x
+#define SEC_ASN1_XTRN          0
+#define SEC_ASN1_MKSUB(x) 
+#endif
+
+#define SEC_ASN1_CHOOSER_DECLARE(x) \
+extern SEC_ASN1TemplateChooser NSS_Get_##x;
+
+#define SEC_ASN1_CHOOSER_IMPLEMENT(x) \
+const SEC_ASN1Template * NSS_Get_##x(void * arg, PRBool enc) \
+{ return x; }

 /*
 ** Opaque object used by the decoder to store state.
--- a/security/nss/lib/util/secasn1u.c
+++ b/security/nss/lib/util/secasn1u.c
@ -34,7 +34,7 @@
 /*
 * Utility routines to complement the ASN.1 encoding and decoding functions.
 *
- * $Id: secasn1u.c,v 1.1 2000/03/31 19:39:16 relyea%netscape.com Exp $
+ * $Id: secasn1u.c,v 1.2 2001/01/07 08:13:12 nelsonb%netscape.com Exp $
 */

 #include "secasn1.h"
@ -85,22 +85,22 @@ const SEC_ASN1Template *
 SEC_ASN1GetSubtemplate (const SEC_ASN1Template *theTemplate, void *thing,
 			PRBool encoding)
 {
-    const SEC_ASN1Template *subt;
+    const SEC_ASN1Template *subt = NULL;

    PORT_Assert (theTemplate->sub != NULL);
-    if (theTemplate->kind & SEC_ASN1_DYNAMIC) {
-	SEC_ChooseASN1TemplateFunc chooser, *chooserp;
+    if (theTemplate->sub != NULL) {
+	if (theTemplate->kind & SEC_ASN1_DYNAMIC) {
+	    SEC_ASN1TemplateChooserPtr chooserp;

-	chooserp = (SEC_ChooseASN1TemplateFunc *) theTemplate->sub;
-	if (chooserp == NULL || *chooserp == NULL)
-	    return NULL;
-	chooser = *chooserp;
-	if (thing != NULL)
-	    thing = (char *)thing - theTemplate->offset;
-	subt = (* chooser)(thing, encoding);
-    } else {
-	subt = (SEC_ASN1Template*)theTemplate->sub;
+	    chooserp = *(SEC_ASN1TemplateChooserPtr *) theTemplate->sub;
+	    if (chooserp) {
+		if (thing != NULL)
+		    thing = (char *)thing - theTemplate->offset;
+		subt = (* chooserp)(thing, encoding);
+	    }
+	} else {
+	    subt = (SEC_ASN1Template*)theTemplate->sub;
+	}
    }
-
    return subt;
 }
--- a/security/nss/lib/util/secdig.c
+++ b/security/nss/lib/util/secdig.c
@ -30,7 +30,7 @@
 * may use your version of this file under either the MPL or the
 * GPL.
 *
- * $Id: secdig.c,v 1.1 2000/03/31 19:39:35 relyea%netscape.com Exp $
+ * $Id: secdig.c,v 1.2 2001/01/07 08:13:12 nelsonb%netscape.com Exp $
 */
 #include "secdig.h"

@ -66,6 +66,8 @@ const SEC_ASN1Template sgn_DigestInfoTemplate[] = {
    { 0 }
 };

+SEC_ASN1_CHOOSER_IMPLEMENT(sgn_DigestInfoTemplate)
+
 /*
 * XXX Want to have a SGN_DecodeDigestInfo, like:
 *	SGNDigestInfo *SGN_DecodeDigestInfo(SECItem *didata);
--- a/security/nss/lib/util/secdig.h
+++ b/security/nss/lib/util/secdig.h
@ -32,7 +32,7 @@
 * may use your version of this file under either the MPL or the
 * GPL.
 *
- * $Id: secdig.h,v 1.1 2000/03/31 19:39:43 relyea%netscape.com Exp $
+ * $Id: secdig.h,v 1.2 2001/01/07 08:13:12 nelsonb%netscape.com Exp $
 */

 #ifndef _SECDIG_H_
@ -46,6 +46,9 @@


 extern const SEC_ASN1Template sgn_DigestInfoTemplate[];
+
+SEC_ASN1_CHOOSER_DECLARE(sgn_DigestInfoTemplate)
+
 extern DERTemplate SGNDigestInfoTemplate[];


--- a/security/nss/lib/util/secoid.h
+++ b/security/nss/lib/util/secoid.h
@ -36,7 +36,7 @@
 /*
 * secoid.h - public data structures and prototypes for ASN.1 OID functions
 *
- * $Id: secoid.h,v 1.1 2000/03/31 19:40:33 relyea%netscape.com Exp $
+ * $Id: secoid.h,v 1.2 2001/01/07 08:13:13 nelsonb%netscape.com Exp $
 */

 #include "plarena.h"
@ -47,6 +47,9 @@

 extern const SEC_ASN1Template SECOID_AlgorithmIDTemplate[];

+/* This functions simply returns the address of the above-declared template. */
+SEC_ASN1_CHOOSER_DECLARE(SECOID_AlgorithmIDTemplate)
+
 SEC_BEGIN_PROTOS

 /*