diff --git a/mozilla/security/nss/lib/base/list.c b/mozilla/security/nss/lib/base/list.c
index b88a2d08704..e05476a9953 100644
--- a/mozilla/security/nss/lib/base/list.c
+++ b/mozilla/security/nss/lib/base/list.c
@@ -32,7 +32,7 @@
  */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: list.c,v $ $Revision: 1.9 $ $Date: 2001-11-29 19:34:00 $ $Name: not supported by cvs2svn $";
+static const char CVS_ID[] = "@(#) $RCSfile: list.c,v $ $Revision: 1.10 $ $Date: 2001-12-12 00:07:22 $ $Name: not supported by cvs2svn $";
 #endif /* DEBUG */
 
 /*
@@ -63,6 +63,7 @@ struct nssListStr {
 };
 
 struct nssListIteratorStr {
+    PZLock *lock;
     nssList *list;
     nssListElement *current;
 };
@@ -316,26 +317,56 @@ nssList_GetArray(nssList *list, void **rvArray, PRUint32 maxElements)
     return PR_SUCCESS;
 }
 
+NSS_IMPLEMENT nssList *
+nssList_Clone(nssList *list)
+{
+    nssList *rvList;
+    nssListElement *node;
+    rvList = nssList_Create(list->arena, (list->lock != NULL));
+    if (!rvList) {
+	return NULL;
+    }
+    NSSLIST_LOCK_IF(list);
+    if (list->count > 0) {
+	node = list->head;
+	while (PR_TRUE) {
+	    nssList_Add(rvList, node->data);
+	    node = (nssListElement *)PR_NEXT_LINK(&node->link);
+	    if (node == list->head) {
+		break;
+	    }
+	}
+    }
+    NSSLIST_UNLOCK_IF(list);
+    return rvList;
+}
+
 NSS_IMPLEMENT nssListIterator *
 nssList_CreateIterator(nssList *list)
 {
     nssListIterator *rvIterator;
     rvIterator = nss_ZNEW(list->arena, nssListIterator);
-    rvIterator->list = list;
-    rvIterator->current = list->head;
+    rvIterator->list = nssList_Clone(list);
+    rvIterator->current = rvIterator->list->head;
+    if (list->lock) {
+	rvIterator->lock = PZ_NewLock(nssILockOther);
+    }
     return rvIterator;
 }
 
 NSS_IMPLEMENT void
 nssListIterator_Destroy(nssListIterator *iter)
 {
+    if (iter->lock) {
+	(void)PZ_DestroyLock(iter->lock);
+    }
     nss_ZFreeIf(iter);
 }
 
 NSS_IMPLEMENT void *
 nssListIterator_Start(nssListIterator *iter)
 {
-    NSSLIST_LOCK_IF(iter->list);
+    NSSLIST_LOCK_IF(iter);
     if (iter->list->count == 0) {
 	return NULL;
     }
@@ -369,6 +400,6 @@ NSS_IMPLEMENT PRStatus
 nssListIterator_Finish(nssListIterator *iter)
 {
     iter->current = iter->list->head;
-    return (iter->list->lock) ? PZ_Unlock(iter->list->lock) : PR_SUCCESS;
+    return (iter->lock) ? PZ_Unlock(iter->lock) : PR_SUCCESS;
 }
 
diff --git a/mozilla/security/nss/lib/pki/pki3hack.c b/mozilla/security/nss/lib/pki/pki3hack.c
index 4064c538f64..827dac7fb0c 100644
--- a/mozilla/security/nss/lib/pki/pki3hack.c
+++ b/mozilla/security/nss/lib/pki/pki3hack.c
@@ -32,7 +32,7 @@
  */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.10 $ $Date: 2001-12-11 23:47:16 $ $Name: not supported by cvs2svn $";
+static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.11 $ $Date: 2001-12-12 00:07:25 $ $Name: not supported by cvs2svn $";
 #endif /* DEBUG */
 
 /*
@@ -392,9 +392,12 @@ nssTrust_GetCERTCertTrustForCert(NSSCertificate *c, CERTCertificate *cc)
     NSSToken *tok;
     NSSTrust *tokenTrust;
     NSSTrust *t = NULL;
-    for (tok  = (NSSToken *)nssListIterator_Start(td->tokens);
+    nssListIterator *tokens;
+    tokens = nssList_CreateIterator(td->tokenList);
+    if (!tokens) return NULL;
+    for (tok  = (NSSToken *)nssListIterator_Start(tokens);
          tok != (NSSToken *)NULL;
-         tok  = (NSSToken *)nssListIterator_Next(td->tokens))
+         tok  = (NSSToken *)nssListIterator_Next(tokens))
     {
 	tokenTrust = nssToken_FindTrustForCert(tok, NULL, c, 
 	                                       nssTokenSearchType_AllObjects);
@@ -419,7 +422,8 @@ nssTrust_GetCERTCertTrustForCert(NSSCertificate *c, CERTCertificate *cc)
 	    }
 	}
     }
-    nssListIterator_Finish(td->tokens);
+    nssListIterator_Finish(tokens);
+    nssListIterator_Destroy(tokens);
     if (!t) {
 	return NULL;
     }
@@ -600,6 +604,7 @@ STAN_ChangeCertTrust(CERTCertificate *cc, CERTCertTrust *trust)
     NSSToken *tok;
     NSSTrustDomain *td;
     NSSTrust nssTrust;
+    nssListIterator *tokens;
     PRBool moving_object;
     /* Set the CERTCertificate's trust */
     cc->trust = trust;
@@ -617,13 +622,16 @@ STAN_ChangeCertTrust(CERTCertificate *cc, CERTCertTrust *trust)
     nssTrust.codeSigning = get_stan_trust(trust->objectSigningFlags, PR_FALSE);
     td = STAN_GetDefaultTrustDomain();
     if (PK11_IsReadOnly(cc->slot)) {
-	for (tok  = (NSSToken *)nssListIterator_Start(td->tokens);
+	tokens = nssList_CreateIterator(td->tokenList);
+	if (!tokens) return PR_FAILURE;
+	for (tok  = (NSSToken *)nssListIterator_Start(tokens);
 	     tok != (NSSToken *)NULL;
-	     tok  = (NSSToken *)nssListIterator_Next(td->tokens))
+	     tok  = (NSSToken *)nssListIterator_Next(tokens))
 	{
 	    if (!PK11_IsReadOnly(tok->pk11slot)) break;
 	}
-	nssListIterator_Finish(td->tokens);
+	nssListIterator_Finish(tokens);
+	nssListIterator_Destroy(tokens);
 	moving_object = PR_TRUE;
     } else {
 	/* by default, store trust on same token as cert if writeable */