diff -up ./nss/lib/ckfw/pem/ckpem.h.compile_Werror ./nss/lib/ckfw/pem/ckpem.h
--- ./nss/lib/ckfw/pem/ckpem.h.compile_Werror	2014-01-23 06:28:18.000000000 -0800
+++ ./nss/lib/ckfw/pem/ckpem.h	2015-11-13 12:07:29.219887390 -0800
@@ -233,6 +233,9 @@ struct pemLOWKEYPrivateKeyStr {
 };
 typedef struct pemLOWKEYPrivateKeyStr pemLOWKEYPrivateKey;
 
+/* NOTE: Discrepancy with the the way callers use of the return value as a count
+ * Fix this when we sync. up with the cleanup work being done at nss-pem project.
+ */
 SECStatus ReadDERFromFile(SECItem ***derlist, char *filename, PRBool ascii, int *cipher, char **ivstring, PRBool certsonly);
 const NSSItem * pem_FetchAttribute ( pemInternalObject *io, CK_ATTRIBUTE_TYPE type);
 void pem_PopulateModulusExponent(pemInternalObject *io);
diff -up ./nss/lib/ckfw/pem/pinst.c.compile_Werror ./nss/lib/ckfw/pem/pinst.c
--- ./nss/lib/ckfw/pem/pinst.c.compile_Werror	2014-01-23 06:28:18.000000000 -0800
+++ ./nss/lib/ckfw/pem/pinst.c	2015-11-13 12:07:29.219887390 -0800
@@ -472,7 +472,9 @@ AddCertificate(char *certfile, char *key
     char *ivstring = NULL;
     int cipher;
 
-    nobjs = ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
+    /* TODO: Fix discrepancy between our usage of the return value as
+     * as an int (a count) and the declaration as a SECStatus. */
+    nobjs = (int) ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
     if (nobjs <= 0) {
         nss_ZFreeIf(objs);
         return CKR_GENERAL_ERROR;
@@ -515,8 +517,10 @@ AddCertificate(char *certfile, char *key
         if (keyfile) {          /* add the private key */
             SECItem **keyobjs = NULL;
             int kobjs = 0;
+            /* TODO: Fix discrepancy between our usage of the return value as
+             * as an int and the declaration as a SECStatus. */
             kobjs =
-                ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher,
+                (int) ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher,
                                 &ivstring, PR_FALSE);
             if (kobjs < 1) {
                 error = CKR_GENERAL_ERROR;
diff -up ./nss/lib/ckfw/pem/pobject.c.compile_Werror ./nss/lib/ckfw/pem/pobject.c
--- ./nss/lib/ckfw/pem/pobject.c.compile_Werror	2014-01-23 06:28:18.000000000 -0800
+++ ./nss/lib/ckfw/pem/pobject.c	2015-11-13 12:07:29.220887368 -0800
@@ -630,6 +630,11 @@ pem_DestroyInternalObject
         if (io->u.key.ivstring)
             free(io->u.key.ivstring);
         break;
+    case pemAll:
+        /* pemAll is not used, keep the compiler happy
+         * TODO: investigate a proper solution
+         */
+        return;
     }
 
     if (NULL != gobj)
@@ -1044,7 +1049,9 @@ pem_CreateObject
     int nobjs = 0;
     int i;
     int objid;
+#if 0
     pemToken *token;
+#endif
     int cipher;
     char *ivstring = NULL;
     pemInternalObject *listObj = NULL;
@@ -1073,7 +1080,9 @@ pem_CreateObject
     }
     slotID = nssCKFWSlot_GetSlotID(fwSlot);
 
+#if 0
     token = (pemToken *) mdToken->etc;
+#endif
 
     /*
      * only create keys and certs.
@@ -1114,7 +1123,11 @@ pem_CreateObject
     }
 
     if (objClass == CKO_CERTIFICATE) {
-        nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
+        /* TODO: Fix discrepancy between our usage of the return value as
+         * as an int and the declaration as a SECStatus. Typecasting as a
+         * temporary workaround.
+         */
+        nobjs = (int) ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
         if (nobjs < 1)
             goto loser;
 
diff -up ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror ./nss/lib/ckfw/pem/rsawrapr.c
--- ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror	2014-01-23 06:28:18.000000000 -0800
+++ ./nss/lib/ckfw/pem/rsawrapr.c	2015-11-13 12:07:29.220887368 -0800
@@ -93,6 +93,8 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey
     return 0;
 }
 
+/* unused functions */
+#if 0
 static SHA1Context *SHA1_CloneContext(SHA1Context * original)
 {
     SHA1Context *clone = NULL;
@@ -215,6 +217,7 @@ oaep_xor_with_h2(unsigned char *salt, un
 
     return SECSuccess;
 }
+#endif /* unused functions */
 
 /*
  * Format one block of data for public/private key encryption using
diff -up ./nss/lib/ckfw/pem/util.c.compile_Werror ./nss/lib/ckfw/pem/util.c
--- ./nss/lib/ckfw/pem/util.c.compile_Werror	2014-01-23 06:28:18.000000000 -0800
+++ ./nss/lib/ckfw/pem/util.c	2015-11-13 12:22:52.282196306 -0800
@@ -131,7 +131,8 @@ static SECStatus FileToItem(SECItem * ds
     return SECFailure;
 }
 
-int
+/* FIX: Returns a SECStatus yet callers take result as a count */
+SECStatus
 ReadDERFromFile(SECItem *** derlist, char *filename, PRBool ascii,
 		int *cipher, char **ivstring, PRBool certsonly)
 {
@@ -237,7 +238,12 @@ ReadDERFromFile(SECItem *** derlist, cha
 		    goto loser;
 		}
                 if ((certsonly && !key) || (!certsonly && key)) {
+		    error = CKR_OK;
 		    PUT_Object(der, error);
+		    if (error != CKR_OK) {
+			free(der);
+			goto loser;
+		    }
                 } else {
                     free(der->data);
                     free(der);
@@ -255,7 +261,12 @@ ReadDERFromFile(SECItem *** derlist, cha
 	    }
 
 	    /* NOTE: This code path has never been tested. */
+	    error = CKR_OK;
 	    PUT_Object(der, error);
+	    if (error != CKR_OK) {
+		free(der);
+		goto loser;
+	    }
 	}
 
 	nss_ZFreeIf(filedata.data);