diff -up nss/lib/pk11wrap/pk11pars.c.check_policy_file nss/lib/pk11wrap/pk11pars.c

--- nss/lib/pk11wrap/pk11pars.c.check_policy_file	2017-02-28 10:49:53.811343156 +0100

+++ nss/lib/pk11wrap/pk11pars.c	2017-02-28 10:59:41.178647490 +0100

@@ -109,6 +109,7 @@ secmod_NewModule(void)

                                                  *other flags are set */

 #define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02

 #define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04

+#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY 0x08

 /* private flags for internal (field in SECMODModule). */

 /* The meaing of these flags is as follows:

@@ -704,6 +705,9 @@ SECMOD_CreateModuleEx(const char *librar

         if (NSSUTIL_ArgHasFlag("flags", "defaultModDB", nssc)) {

             flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;

         }

+	if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) {

+	    flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY;

+	}

         /* additional moduleDB flags could be added here in the future */

         mod->isModuleDB = (PRBool)flags;

     }

@@ -744,6 +748,14 @@ SECMOD_GetDefaultModDBFlag(SECMODModule

 }

 PRBool

+secmod_PolicyOnly(SECMODModule *mod)

+{

+   char flags = (char) mod->isModuleDB;

+

+   return (flags & SECMOD_FLAG_MODULE_DB_POLICY_ONLY) ? PR_TRUE : PR_FALSE;

+}

+

+PRBool

 secmod_IsInternalKeySlot(SECMODModule *mod)

 {

     char flags = (char)mod->internal;

@@ -1661,6 +1673,12 @@ SECMOD_LoadModule(char *modulespec, SECM

     if (!module) {

         goto loser;

     }

+

+    /* a policy only stanza doesn't actually get 'loaded'. policy has already

+     * been parsed as a side effect of the CreateModuleEx call */

+    if (secmod_PolicyOnly(module)) {

+	return module;

+    }

     if (parent) {

         module->parent = SECMOD_ReferenceModule(parent);

         if (module->internal && secmod_IsInternalKeySlot(parent)) {