security/nss/lib/cryptohi/seckey.c
changeset 10393 0b2bfb8edac19a297baf86e946392179bb423d19
parent 10343 b10fe7b2240f36e876600ed2c9fa7da3d5c331fb
child 10507 9eb76adab31069cae23c873f87d76f6121e1ea5d
--- a/security/nss/lib/cryptohi/seckey.c
+++ b/security/nss/lib/cryptohi/seckey.c
@@ -320,21 +320,29 @@ seckey_UpdateCertPQGChain(CERTCertificat
     if (count > CERT_MAX_CERT_CHAIN) {
 	return SECFailure;
     }
 
     oid = SECOID_FindOID(&subjectCert->subjectPublicKeyInfo.algorithm.algorithm);            
     if (oid != NULL) {  
         tag = oid->offset;
              
-        /* Check if cert has a DSA public key. If not, return
-         * success since no PQG params need to be updated.  */
+        /* Check if cert has a DSA or EC public key. If not, return
+         * success since no PQG params need to be updated.
+	 *
+	 * Question: do we really need to do this for EC keys. They don't have
+	 * PQG parameters, but they do have parameters. The question is does
+	 * the child cert inherit thost parameters for EC from the parent, or
+	 * do we always include those parameters in each cert.
+	 */
 
 	if ( (tag != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
              (tag != SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
+             (tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST) &&
+             (tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST) &&
              (tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
              (tag != SEC_OID_SDN702_DSA_SIGNATURE) &&
              (tag != SEC_OID_ANSIX962_EC_PUBLIC_KEY) ) {
             
             return SECSuccess;
         }
     } else {
         return SECFailure;  /* return failure if oid is NULL */  
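Review bot: The seven-tag test in this hunk is repeated verbatim in the issuer check of the next hunk (`@@ -367`), and this commit had to add the two NIST SHA-224/SHA-256 DSA tags in both places. A missed copy in a later change would make the subject and issuer checks disagree about which certificates take part in parameter inheritance, so a single static predicate called from both sites would be safer (sketched below, assuming `tag` is a `SECOidTag`). Separately, the added comment leaves an unresolved design question about EC keys in the source and misspells "those" as "thost". The question is better settled before merge or tracked in a bug, with the comment then stating the decision. `seckey_UpdateCertPQGChain` starts and ends outside this hunk.

```c
/* PR_TRUE when |tag| identifies a key type (DSA variants, EC) whose
 * parameters may have to be taken from the issuer certificate. */
static PRBool
seckey_TagUsesInheritedParams(SECOidTag tag)
{
    switch (tag) {
    case SEC_OID_ANSIX9_DSA_SIGNATURE:
    case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST:
    case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST:
    case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST:
    case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST:
    case SEC_OID_SDN702_DSA_SIGNATURE:
    case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
	return PR_TRUE;
    default:
	return PR_FALSE;
    }
}

        /* ... unchanged: oid lookup and tag = oid->offset ... */
	if (!seckey_TagUsesInheritedParams(tag)) {
            return SECSuccess;
        }
```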
@@ -367,16 +375,18 @@ seckey_UpdateCertPQGChain(CERTCertificat
     if (oid != NULL) {  
         tag = oid->offset;
              
         /* Check if issuer cert has a DSA public key. If not,
          * return failure.   */
 
 	if ( (tag != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
              (tag != SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
+             (tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST) &&
+             (tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST) &&
              (tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
              (tag != SEC_OID_SDN702_DSA_SIGNATURE) &&
              (tag != SEC_OID_ANSIX962_EC_PUBLIC_KEY) ) {            
             rv = SECFailure;
             goto loser;
         }
     } else {
         rv = SECFailure;  /* return failure if oid is NULL */  
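Review bot: The comment above this test still reads "Check if issuer cert has a DSA public key", although the list also accepts `SEC_OID_ANSIX962_EC_PUBLIC_KEY`, and the matching subject-side comment was changed to "DSA or EC" in this same commit. I would update it to `/* Check if issuer cert has a DSA or EC public key. If not, return failure. */`. Both tests accept any tag from the same list, so a DSA subject with an EC issuer (or the reverse) passes this point. Whether that mismatch is rejected later cannot be seen from the hunk, and a one-line comment saying where it is caught would help the next reader.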
@@ -995,17 +1005,17 @@ SECKEY_SignatureLen(const SECKEYPublicKe
     unsigned char b0;
     unsigned size;
 
     switch (pubk->keyType) {
     case rsaKey:
     	b0 = pubk->u.rsa.modulus.data[0];
     	return b0 ? pubk->u.rsa.modulus.len : pubk->u.rsa.modulus.len - 1;
     case dsaKey:
-    	return DSA_SIGNATURE_LEN;
+	return pubk->u.dsa.params.subPrime.len * 2;
     case ecKey:
 	/* Get the base point order length in bits and adjust */
 	size =	SECKEY_ECParamsToBasePointOrderLen(
 		&pubk->u.ec.DEREncodedParams);
 	return ((size + 7)/8) * 2;
     default:
 	break;
     }
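Review bot: The new `dsaKey` case takes `subPrime.len` at face value, whereas the `rsaKey` case just above it discounts a leading zero byte in the modulus. If `subPrime` can carry the same padding byte, the reported length would be 2 bytes too long, and if the key's PQG parameters are absent (for example inherited and not yet filled in) it silently becomes 0. Callers presumably size or validate signature buffers from this value, so both cases deserve explicit handling. The sketch below reuses the `b0` and `size` locals already declared in the function. The code after the `switch` is outside the hunk, so `break` reaching the function's failure path is an assumption to confirm.

```c
    case dsaKey:
	/* q may be missing or may carry a leading zero byte */
	if (pubk->u.dsa.params.subPrime.len == 0) {
	    break;
	}
	b0 = pubk->u.dsa.params.subPrime.data[0];
	size = b0 ? pubk->u.dsa.params.subPrime.len
		  : pubk->u.dsa.params.subPrime.len - 1;
	return size * 2;
    /* ... unchanged: ecKey and default cases ... */
```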