--- mozilla/security/nss/lib/ckfw/pem/pinst.c.736410	2010-11-25 11:51:52.000000000 -0800
+++ mozilla/security/nss/lib/ckfw/pem/pinst.c	2011-09-13 16:59:49.325215540 -0700
@@ -364,39 +364,37 @@ AddObjectIfNeeded(CK_OBJECT_CLASS objCla
         size += PEM_ITEM_CHUNK;
     }
     gobj[count] = io;
     count++;
     pem_nobjs++;
 
     io->refCount ++;
     return io;
 }
 
 CK_RV
 AddCertificate(char *certfile, char *keyfile, PRBool cacert,
                CK_SLOT_ID slotID)
 {
     pemInternalObject *o;
-    SECItem certDER;
     CK_RV error = 0;
     int objid, i;
     int nobjs = 0;
     SECItem **objs = NULL;
     char *ivstring = NULL;
     int cipher;
 
-    certDER.data = NULL;
     nobjs = ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
     if (nobjs <= 0) {
         nss_ZFreeIf(objs);
         return CKR_GENERAL_ERROR;
     }
 
     /* For now load as many certs as are in the file for CAs only */
     if (cacert) {
         for (i = 0; i < nobjs; i++) {
             char nickname[1024];
             objid = pem_nobjs + 1;
 
             snprintf(nickname, 1024, "%s - %d", certfile, i);
 
             o = AddObjectIfNeeded(CKO_CERTIFICATE, pemCert, objs[i], NULL,
@@ -456,72 +454,76 @@ AddCertificate(char *certfile, char *key
   loser:
     nss_ZFreeIf(objs);
     nss_ZFreeIf(o);
     return error;
 }
 
 CK_RV
 pem_Initialize
 (
     NSSCKMDInstance * mdInstance,
     NSSCKFWInstance * fwInstance,
     NSSUTF8 * configurationData
 )
 {
     CK_RV rv;
-    /* parse the initialization string and initialize CRLInstances */
+    /* parse the initialization string */
     char **certstrings = NULL;
+    char *modparms = NULL;
     PRInt32 numcerts = 0;
     PRBool status, error = PR_FALSE;
     int i;
+    CK_C_INITIALIZE_ARGS_PTR modArgs = NULL;
+
+    if (!fwInstance) return CKR_ARGUMENTS_BAD;
+
+    modArgs = NSSCKFWInstance_GetInitArgs(fwInstance);
+    if (modArgs &&
+       ((modArgs->flags & CKF_OS_LOCKING_OK) || (modArgs->CreateMutex != 0))) {
+        return CKR_CANT_LOCK;
+    }
 
     if (pemInitialized) {
         return CKR_OK;
     }
+
     RNG_RNGInit();
 
     open_log();
 
     plog("pem_Initialize\n");
 
-    unsigned char *modparms = NULL;
-    if (!fwInstance) {
-        return CKR_ARGUMENTS_BAD;
-    }
-
-    CK_C_INITIALIZE_ARGS_PTR modArgs =
-        NSSCKFWInstance_GetInitArgs(fwInstance);
     if (!modArgs || !modArgs->LibraryParameters) {
         goto done;
     }
-    modparms = (unsigned char *) modArgs->LibraryParameters;
+    modparms = (char *) modArgs->LibraryParameters;
     plog("Initialized with %s\n", modparms);
 
     /*
      * The initialization string format is a space-delimited file of
      * pairs of paths which are delimited by a semi-colon. The first
      * entry of the pair is the path to the certificate file. The
      * second is the path to the key file.
      *
      * CA certificates do not need the semi-colon.
      *
      * Example:
      *  /etc/certs/server.pem;/etc/certs/server.key /etc/certs/ca.pem
      *
      */
     status =
-        pem_ParseString((const char *) modparms, ' ', &numcerts,
+        pem_ParseString(modparms, ' ', &numcerts,
                         &certstrings);
     if (status == PR_FALSE) {
         return CKR_ARGUMENTS_BAD;
     }
 
     for (i = 0; i < numcerts && error != PR_TRUE; i++) {
         char *cert = certstrings[i];
         PRInt32 attrcount = 0;
         char **certattrs = NULL;
         status = pem_ParseString(cert, ';', &attrcount, &certattrs);
         if (status == PR_FALSE) {
             error = PR_TRUE;
             break;
         }