Bug 858231: Upgrade to NSS 3.15 BETA 2. r=wtc.
authorWan-Teh Chang <wtc@google.com>
Mon, 29 Apr 2013 16:21:02 -0700
changeset 130280 08e868f22c9814d6cfe85ac9da4c051dd0d0f43a
parent 130279 e963546ec749bff1ebdc1342702edb801c2b1f12
child 130281 c2739865269d94a2a2a05a5b3345f40d975e1b61
push id27279
push userwtc@google.com
push dateMon, 29 Apr 2013 23:21:12 +0000
treeherdermozilla-inbound@08e868f22c98 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerswtc
bugs858231
milestone23.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 858231: Upgrade to NSS 3.15 BETA 2. r=wtc.
security/nss/Makefile
security/nss/TAG-INFO
security/nss/cmd/certutil/certutil.c
security/nss/cmd/lib/basicutil.c
security/nss/cmd/lib/basicutil.h
security/nss/cmd/lib/secutil.c
security/nss/cmd/pk11gcmtest/Makefile
security/nss/coreconf/coreconf.dep
security/nss/doc/certutil.xml
security/nss/doc/cmsutil.xml
security/nss/doc/crlutil.xml
security/nss/doc/derdump.xml
security/nss/doc/modutil.xml
security/nss/doc/pk12util.xml
security/nss/doc/pp.xml
security/nss/doc/signtool.xml
security/nss/doc/signver.xml
security/nss/doc/ssltap.xml
security/nss/doc/vfychain.xml
security/nss/doc/vfyserv.xml
security/nss/lib/certdb/alg1485.c
security/nss/lib/ckfw/builtins/certdata.txt
security/nss/lib/ckfw/builtins/nssckbi.h
security/nss/lib/freebl/blapit.h
security/nss/lib/freebl/ecl/ecp_192.c
security/nss/lib/freebl/ecl/ecp_224.c
security/nss/lib/freebl/ecl/ecp_384.c
security/nss/lib/freebl/ecl/ecp_521.c
security/nss/lib/pkcs7/certread.c
security/nss/lib/softoken/pkcs11.c
security/nss/lib/ssl/derive.c
security/nss/lib/ssl/ssl3con.c
security/nss/lib/ssl/ssl3ecc.c
security/nss/lib/ssl/sslimpl.h
security/nss/lib/ssl/sslsnce.c
security/nss/lib/util/secoid.c
security/nss/lib/util/secoidt.h
security/nss/manifest.mn
security/nss/tests/libpkix/certs/make-ca-u50-u51
--- a/security/nss/Makefile
+++ b/security/nss/Makefile
@@ -39,25 +39,19 @@ include $(CORE_DEPTH)/coreconf/rules.mk
 #######################################################################
 
 
 
 #######################################################################
 # (7) Execute "local" rules. (OPTIONAL).                              #
 #######################################################################
 
-nss_build_all: build_coreconf build_nspr all
-
-nss_clean_all: clobber_coreconf clobber_nspr clobber
+nss_build_all: build_nspr all
 
-build_coreconf:
-	$(MAKE) -C $(CORE_DEPTH)/coreconf
-
-clobber_coreconf:
-	$(MAKE) -C $(CORE_DEPTH)/coreconf clobber
+nss_clean_all: clobber_nspr clobber
 
 NSPR_CONFIG_STATUS = $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)/config.status
 NSPR_CONFIGURE = $(CORE_DEPTH)/../nspr/configure
 
 #
 # Translate coreconf build options to NSPR configure options.
 #
 
@@ -97,17 +91,17 @@ endif
 endif
 ifeq ($(USEABSPATH),"YES")
 NSPR_PREFIX = $(shell pwd)/../dist/$(OBJDIR_NAME)
 else
 NSPR_PREFIX = $$(topsrcdir)/../dist/$(OBJDIR_NAME)
 endif
 
 $(NSPR_CONFIG_STATUS): $(NSPR_CONFIGURE)
-	$(NSINSTALL) -D $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)
+	mkdir -p $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)
 	cd $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) ; \
 	$(NSPR_COMPILERS) sh ../configure \
 	$(NSPR_CONFIGURE_OPTS) \
 	--with-dist-prefix='$(NSPR_PREFIX)' \
 	--with-dist-includedir='$(NSPR_PREFIX)/include'
 
 build_nspr: $(NSPR_CONFIG_STATUS)
 	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)
@@ -116,36 +110,13 @@ clobber_nspr: $(NSPR_CONFIG_STATUS)
 	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) clobber
 
 build_docs:
 	$(MAKE) -C $(CORE_DEPTH)/doc
 
 clean_docs:
 	$(MAKE) -C $(CORE_DEPTH)/doc clean
 
-moz_import::
-ifeq (,$(filter-out WIN%,$(OS_TARGET)))
-	$(NSINSTALL) -D $(DIST)/include/nspr
-	cp $(DIST)/../include/nspr/*.h $(DIST)/include/nspr
-	cp $(DIST)/../include/* $(DIST)/include
-ifdef BUILD_OPT
-	cp $(DIST)/../WIN32_O.OBJ/lib/* $(DIST)/lib
-else
-	cp $(DIST)/../WIN32_D.OBJ/lib/* $(DIST)/lib
-endif
-	mv $(DIST)/lib/dbm32.lib $(DIST)/lib/dbm.lib
-else
-ifeq ($(OS_TARGET),OS2)
-	cp -rf $(DIST)/../include $(DIST)
-	cp -rf $(DIST)/../lib $(DIST)
-	cp -f $(DIST)/lib/libmozdbm_s.$(LIB_SUFFIX) $(DIST)/lib/libdbm.$(LIB_SUFFIX)
-else
-	$(NSINSTALL) -L ../../dist include $(DIST)
-	$(NSINSTALL) -L ../../dist lib $(DIST)
-	cp $(DIST)/lib/libmozdbm_s.$(LIB_SUFFIX) $(DIST)/lib/libdbm.$(LIB_SUFFIX)
-endif
-endif
-
-nss_RelEng_bld: build_coreconf import all
+nss_RelEng_bld: import all
 
 package:
 	$(MAKE) -C pkg publish
 
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_15_BETA1
+NSS_3_15_BETA2
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -957,16 +957,18 @@ PrintSyntax(char *progName)
         "\t\t [-1 | --keyUsage [keyUsageKeyword,..]] [-2] [-3] [-4]\n"
         "\t\t [-5 | --nsCertType [nsCertTypeKeyword,...]]\n"
         "\t\t [-6 | --extKeyUsage [extKeyUsageKeyword,...]] [-7 emailAddrs]\n"
         "\t\t [-8 dns-names] [-a]\n",
 	progName);
     FPS "\t%s -D -n cert-name [-d certdir] [-P dbprefix]\n", progName);
     FPS "\t%s -E -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n", 
 	progName);
+    FPS "\t%s -F -n nickname [-d certdir] [-P dbprefix]\n", 
+	progName);
     FPS "\t%s -G -n key-name [-h token-name] [-k rsa] [-g key-size] [-y exp]\n" 
 	"\t\t [-f pwfile] [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
     FPS "\t%s -G [-h token-name] -k dsa [-q pqgfile -g key-size] [-f pwfile]\n"
 	"\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
 #ifdef NSS_ENABLE_ECC
     FPS "\t%s -G [-h token-name] -k ec -q curve [-f pwfile]\n"
 	"\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
     FPS "\t%s -K [-n key-name] [-h token-name] [-k dsa|ec|rsa|all]\n", 
@@ -1216,16 +1218,34 @@ static void luD(enum usage_level ul, con
     FPS "%-20s Cert database directory (default is ~/.netscape)\n",
         "   -d certdir");
     FPS "%-20s Cert & Key database prefix\n",
         "   -P dbprefix");
     FPS "\n");
 
 }
 
+static void luF(enum usage_level ul, const char *command)
+{
+    int is_my_command = (command && 0 == strcmp(command, "F"));
+    if (ul == usage_all || !command || is_my_command)
+    FPS "%-15s Delete a key from the database\n",
+        "-F");
+    if (ul == usage_selected && !is_my_command)
+        return;
+    FPS "%-20s The nickname of the key to delete\n",
+        "   -n cert-name");
+    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
+        "   -d certdir");
+    FPS "%-20s Cert & Key database prefix\n",
+        "   -P dbprefix");
+    FPS "\n");
+
+}
+
 static void luU(enum usage_level ul, const char *command)
 {
     int is_my_command = (command && 0 == strcmp(command, "U"));
     if (ul == usage_all || !command || is_my_command)
     FPS "%-15s List all modules\n", /*, or print out a single named module\n",*/
         "-U");
     if (ul == usage_selected && !is_my_command)
         return;
@@ -1603,16 +1623,17 @@ static void luS(enum usage_level ul, con
 static void LongUsage(char *progName, enum usage_level ul, const char *command)
 {
     luA(ul, command);
     luB(ul, command);
     luE(ul, command);
     luC(ul, command);
     luG(ul, command);
     luD(ul, command);
+    luF(ul, command);
     luU(ul, command);
     luK(ul, command);
     luL(ul, command);
     luM(ul, command);
     luN(ul, command);
     luT(ul, command);
     luO(ul, command);
     luR(ul, command);
--- a/security/nss/cmd/lib/basicutil.c
+++ b/security/nss/cmd/lib/basicutil.c
@@ -38,17 +38,18 @@ SECU_EnableWrap(PRBool enable)
 
 PRBool
 SECU_GetWrapEnabled(void)
 {
     return wrapEnabled;
 }
 
 void 
-SECU_PrintErrMsg(FILE *out, int level, char *progName, char *msg, ...)
+SECU_PrintErrMsg(FILE *out, int level, const char *progName, const char *msg,
+                 ...)
 {
     va_list args;
     PRErrorCode err = PORT_GetError();
     const char * errString = PORT_ErrorToString(err);
 
     va_start(args, msg);
 
     SECU_Indent(out, level);
@@ -58,36 +59,42 @@ SECU_PrintErrMsg(FILE *out, int level, c
 	fprintf(out, ": %s\n", errString);
     else
 	fprintf(out, ": error %d\n", (int)err);
 
     va_end(args);
 }
 
 void 
-SECU_PrintError(char *progName, char *msg, ...)
+SECU_PrintError(const char *progName, const char *msg, ...)
 {
     va_list args;
     PRErrorCode err = PORT_GetError();
-    const char * errString = PORT_ErrorToString(err);
+    const char * errName = PR_ErrorToName(err);
+    const char * errString = PR_ErrorToString(err, 0);
 
     va_start(args, msg);
 
     fprintf(stderr, "%s: ", progName);
     vfprintf(stderr, msg, args);
+
+    if (errName != NULL) {
+	fprintf(stderr, ": %s", errName);
+    } else {
+	fprintf(stderr, ": error %d", (int)err);
+    }
+
     if (errString != NULL && PORT_Strlen(errString) > 0)
 	fprintf(stderr, ": %s\n", errString);
-    else
-	fprintf(stderr, ": error %d\n", (int)err);
 
     va_end(args);
 }
 
 void
-SECU_PrintSystemError(char *progName, char *msg, ...)
+SECU_PrintSystemError(const char *progName, const char *msg, ...)
 {
     va_list args;
 
     va_start(args, msg);
     fprintf(stderr, "%s: ", progName);
     vfprintf(stderr, msg, args);
     fprintf(stderr, ": %s\n", strerror(errno));
     va_end(args);
@@ -609,17 +616,17 @@ SECU_GetOptionArg(const secuCommand *cmd
 	if (cmd->options[optionNum].activated)
 		return PL_strdup(cmd->options[optionNum].arg);
 	else
 		return NULL;
 }
 
 
 void 
-SECU_PrintPRandOSError(char *progName) 
+SECU_PrintPRandOSError(const char *progName) 
 {
     char buffer[513];
     PRInt32     errLen = PR_GetErrorTextLength();
     if (errLen > 0 && errLen < sizeof buffer) {
         PR_GetErrorText(buffer);
     }
     SECU_PrintError(progName, "function failed");
     if (errLen > 0 && errLen < sizeof buffer) {
--- a/security/nss/cmd/lib/basicutil.h
+++ b/security/nss/cmd/lib/basicutil.h
@@ -18,23 +18,24 @@
 #ifdef SECUTIL_NEW
 typedef int (*SECU_PPFunc)(PRFileDesc *out, SECItem *item, 
                            char *msg, int level);
 #else
 typedef int (*SECU_PPFunc)(FILE *out, SECItem *item, char *msg, int level);
 #endif
 
 /* print out an error message */
-extern void SECU_PrintError(char *progName, char *msg, ...);
+extern void SECU_PrintError(const char *progName, const char *msg, ...);
 
 /* print out a system error message */
-extern void SECU_PrintSystemError(char *progName, char *msg, ...);
+extern void SECU_PrintSystemError(const char *progName, const char *msg, ...);
 
 /* print a formatted error message */
-extern void SECU_PrintErrMsg(FILE *out, int level, char *progName, char *msg, ...);
+extern void SECU_PrintErrMsg(FILE *out, int level, const char *progName,
+                             const char *msg, ...);
 
 /* Read the contents of a file into a SECItem */
 extern SECStatus SECU_FileToItem(SECItem *dst, PRFileDesc *src);
 extern SECStatus SECU_TextFileToItem(SECItem *dst, PRFileDesc *src);
 
 /* Indent based on "level" */
 extern void SECU_Indent(FILE *out, int level);
 
@@ -63,17 +64,17 @@ extern SECStatus SECU_PKCS11Init(PRBool 
 /* Dump contents of signed data */
 extern int SECU_PrintSignedData(FILE *out, SECItem *der, const char *m, 
                                 int level, SECU_PPFunc inner);
 
 extern void SECU_PrintString(FILE *out, const SECItem *si, const char *m,
                              int level);
 extern void SECU_PrintAny(FILE *out, const SECItem *i, const char *m, int level);
 
-extern void SECU_PrintPRandOSError(char *progName);
+extern void SECU_PrintPRandOSError(const char *progName);
 
 /* Caller ensures that dst is at least item->len*2+1 bytes long */
 void
 SECU_SECItemToHex(const SECItem * item, char * dst);
 
 /* Requires 0x prefix. Case-insensitive. Will do in-place replacement if
  * successful */
 SECStatus
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -499,56 +499,65 @@ SECU_ReadDERFromFile(SECItem *der, PRFil
     SECStatus rv;
     if (ascii) {
 	/* First convert ascii to binary */
 	SECItem filedata;
 	char *asc, *body;
 
 	/* Read in ascii data */
 	rv = SECU_FileToItem(&filedata, inFile);
+	if (rv != SECSuccess)
+	    return rv;
 	asc = (char *)filedata.data;
 	if (!asc) {
 	    fprintf(stderr, "unable to read data from input file\n");
 	    return SECFailure;
 	}
 
 	/* check for headers and trailers and remove them */
 	if ((body = strstr(asc, "-----BEGIN")) != NULL) {
 	    char *trailer = NULL;
 	    asc = body;
 	    body = PORT_Strchr(body, '\n');
 	    if (!body)
 		body = PORT_Strchr(asc, '\r'); /* maybe this is a MAC file */
 	    if (body)
 		trailer = strstr(++body, "-----END");
-	    if (trailer != NULL) {
+	    if (trailer != NULL)
 		*trailer = '\0';
-	    } else {
+	    if (!body || !trailer) {
 		fprintf(stderr, "input has header but no trailer\n");
 		PORT_Free(filedata.data);
 		return SECFailure;
 	    }
 	} else {
-	    body = asc;
+	    /* need one additional byte for zero terminator */
+	    rv = SECITEM_ReallocItem(NULL, &filedata, filedata.len, filedata.len+1);
+	    if (rv != SECSuccess) {
+		PORT_Free(filedata.data);
+		return rv;
+	    }
+	    body = (char*)filedata.data;
+	    body[filedata.len-1] = '\0';
 	}
      
 	/* Convert to binary */
 	rv = ATOB_ConvertAsciiToItem(der, body);
-	if (rv) {
+	if (rv != SECSuccess) {
 	    fprintf(stderr, "error converting ascii to binary (%s)\n",
 		    SECU_Strerror(PORT_GetError()));
 	    PORT_Free(filedata.data);
 	    return SECFailure;
 	}
 
 	PORT_Free(filedata.data);
     } else {
 	/* Read in binary der */
 	rv = SECU_FileToItem(der, inFile);
-	if (rv) {
+	if (rv != SECSuccess) {
 	    fprintf(stderr, "error converting der (%s)\n", 
 		    SECU_Strerror(PORT_GetError()));
 	    return SECFailure;
 	}
     }
     return SECSuccess;
 }
 
old mode 100644
new mode 100755
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/security/nss/doc/certutil.xml
+++ b/security/nss/doc/certutil.xml
@@ -16,17 +16,17 @@
 
   <refmeta>
     <refentrytitle>CERTUTIL</refentrytitle>
     <manvolnum>1</manvolnum>
   </refmeta>
 
   <refnamediv>
     <refname>certutil</refname>
-    <refpurpose>Manage keys and certificate in the the NSS database.</refpurpose>
+    <refpurpose>Manage keys and certificate in both NSS databases and other NSS tokens</refpurpose>
   </refnamediv>
 
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>certutil</command>
       <arg><replaceable>options</replaceable></arg>
       <arg>[<replaceable>arguments</replaceable>]</arg>
     </cmdsynopsis>
@@ -36,31 +36,30 @@
     <title>STATUS</title>
     <para>This documentation is still work in progress. Please contribute to the initial review in <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=836477">Mozilla NSS bug 836477</ulink>
     </para>
   </refsection>
 
 <refsection id="description">
     <title>Description</title>
 
-    <para>The Certificate Database Tool, <command>certutil</command>, is a command-line utility that manages certs and keys in both NSS databases and other NSS tokens (such as smart cards). It can specifically list, generate, modify, or delete certificates within the database, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</para>
-    <para>The key and certificate management process generally includes certificate issuance once keys and certificates have been created in the key database. This document discusses certificate and key database management. For information security module database management, see the <command>modutil</command> manpage.</para>
+    <para>The Certificate Database Tool, <command>certutil</command>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</para>
+    <para>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <command>modutil</command> manpage.</para>
 
   </refsection>
   
   <refsection id="options">
-    <title>Options and Arguments</title>
-	<para>Running <command>certutil</command> always requires one and only one option to specify the type of certificate operation. Each option may take arguments, anywhere from none to multiple arguments. Run the command option and <option>-H</option> to see the arguments available for each command option.</para>
+    <title>Command Options and Arguments</title>
+	<para>Running <command>certutil</command> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <option>-H</option> will list all the command options and their relevant arguments.</para>
    	<para><command>Command Options</command></para> 
-   	<para>Command options are typically upper case. </para>
     <variablelist>
 
       <varlistentry>
         <term>-A </term>
-        <listitem><para>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default. </para></listitem>
+        <listitem><para>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-B</term>
         <listitem><para>Run a series of commands from the specified batch file. This requires the <option>-i</option> argument.</para></listitem>
       </varlistentry>
     
       <varlistentry>
@@ -84,22 +83,22 @@
 <option>-d</option> argument. Use the <option>-k</option> argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the <option>-k</option> argument, the option looks for an RSA key matching the specified nickname. 
 </para>
 <para>
 When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using -D. Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair. You can display the public key with the command certutil -K -h tokenname. </para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-G </term>
-        <listitem><para>Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.</para></listitem>
+        <listitem><para>Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this command option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-H </term>
-        <listitem><para>Display a list of the command options and arguments used by the Certificate Database Tool.</para></listitem>
+        <listitem><para>Display a list of the command options and arguments.</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-K </term>
         <listitem><para>List the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).</para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -120,17 +119,17 @@ Use the -h tokenname argument to specify
 
       <varlistentry>
         <term>-O </term>
         <listitem><para>Print the certificate chain.</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-R</term>
-        <listitem><para>Create a certificate request file  that can be submitted to a Certificate Authority (CA) for processing into a finished certificate. Output defaults to standard out unless you use -o output-file argument.
+        <listitem><para>Create a certificate request file that can be submitted to a Certificate Authority (CA) for processing into a finished certificate. Output defaults to standard out unless you use -o output-file argument.
 
 Use the -a argument to specify ASCII output.</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-S </term>
         <listitem><para>Create an individual certificate and add it to a certificate database.</para></listitem>
       </varlistentry>
@@ -152,17 +151,17 @@ Use the -a argument to specify ASCII out
 
       <varlistentry>
         <term>-W </term>
         <listitem><para>Change the password to a key database.</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term>--merge</term>
-        <listitem><para>Merge a source database into the target database. This is used to merge legacy NSS databases (<filename>cert8.db</filename> and <filename>key3.db</filename>) into the newer SQLite databases (<filename>cert9.db</filename> and <filename>key4.db</filename>).</para></listitem>
+        <listitem><para>Merge two databases into one.</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term>--upgrade-merge</term>
         <listitem><para>Upgrade an old database and merge it into a new database. This is used to migrate legacy NSS databases (<filename>cert8.db</filename> and <filename>key3.db</filename>) into the newer SQLite databases (<filename>cert9.db</filename> and <filename>key4.db</filename>).</para></listitem>
       </varlistentry>
 	</variablelist>
 
@@ -189,23 +188,23 @@ If this option is not used, the validity
  Use the exact nickname or alias of the CA certificate, or use the CA's email address. Bracket the issuer string 
  with quotation marks if it contains spaces. </para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-d [prefix]directory</term>
         <listitem>
           <para>Specify the database directory containing the certificate and key database files.</para>
-          <para><command>certutil</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>sql:</command> is not used, then the tool assumes that the given databases are in the old format.</para>
+          <para><command>certutil</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para>
           <para>NSS recognizes the following prefixes:</para>
           <itemizedlist>
-            <listitem><para><command>sql: explicitly requests the newer database</command></para></listitem>
-	        <listitem><para><command>dbm: explicitly requests the older database</command></para></listitem>
-	        <listitem><para><command>extern: explicitly reserved for future use</command></para></listitem>
+            <listitem><para><command>sql: requests the newer database</command></para></listitem>
+	    <listitem><para><command>dbm: requests the legacy database</command></para></listitem>
           </itemizedlist>
+          <para>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then dbm: is the default.</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-e </term>
         <listitem><para>Check a certificate's signature during the process of validating a certificate.</para></listitem>
       </varlistentry>
 
@@ -219,59 +218,46 @@ If this option is not used, the validity
       <varlistentry>
         <term>-g keysize</term>
         <listitem><para>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 8192 bits. The default is 1024 bits. Any size between the minimum and maximum is allowed.</para></listitem>
       </varlistentry>
 
 
       <varlistentry>
         <term>-h tokenname</term>
-        <listitem><para>Specify the name of a token to use or act on. Unless specified otherwise the default token is an internal slot.</para></listitem>
+        <listitem><para>Specify the name of a token to use or act on. If not specified the default token is the internal database slot.</para></listitem>
       </varlistentry>
 
      <varlistentry>
         <term>-i input_file</term>
         <listitem><para>Pass an input file to the command. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands.</para></listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>-k rsa|dsa|ec|all</term>
-        <listitem><para>Specify the type of a key. The valid options are RSA, DSA, ECC, or all. The default value is rsa. Specifying the type of key can avoid mistakes caused by duplicate nicknames.</para></listitem>
-      </varlistentry>
-
-      <varlistentry>
         <term>-k key-type-or-id</term>
         <listitem>
-          <para>Specify the type or specific ID of a key. </para>
+          <para>Specify the type or specific ID of a key.</para>
           <para>
-           The valid key type options are RSA, DSA, ECC, or all. The default 
-           value is rsa. Specifying the type of key can avoid mistakes caused by
-           duplicate nicknames. Giving a key type generates a new key pair; 
-           giving the ID of an existing key reuses that key pair (which is 
-           required to renew certificates).
-          </para>
-          <para>
-           The valid key type options are RSA, DSA, ECC, or all. The default 
+           The valid key type options are rsa, dsa, ec, or all. The default 
            value is rsa. Specifying the type of key can avoid mistakes caused by
            duplicate nicknames. Giving a key type generates a new key pair; 
            giving the ID of an existing key reuses that key pair (which is 
            required to renew certificates).
           </para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-l </term>
         <listitem><para>Display detailed information when validating a certificate with the -V option.</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-m serial-number</term>
-        <listitem><para>Assign a unique serial number to a certificate being created. This operation should be performed by a CA. If no serial number is 
-           provided a default serial number is made from the current time. Serial numbers are limited to integers </para></listitem>
+        <listitem><para>Assign a unique serial number to a certificate being created. This operation should be performed by a CA. If no serial number is provided a default serial number is made from the current time. Serial numbers are limited to integers </para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-n nickname</term>
         <listitem><para>Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.</para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -352,17 +338,17 @@ of the attribute codes:
 	</listitem>
 	<listitem>
 	<para>
 		<command>T</command> - Trusted CA (implies c)
 	</para>
 	</listitem>
 	<listitem>
 	<para>
-		<command>C</command> - rusted CA for client authentication (ssl server only)
+		<command>C</command> - trusted CA for client authentication (ssl server only)
 	</para>
 	</listitem>
 	<listitem>
 	<para>
 		<command>u</command> - user
 	</para>
 	</listitem>
 	</itemizedlist>
@@ -742,76 +728,51 @@ of the attribute codes:
 	</listitem>
 	</itemizedlist>
 	<para>
 		The new certificate request can be output in ASCII format (<option>-a</option>) or can be written to a specified file (<option>-o</option>).
 	</para>
 	<para>
 		For example:
 	</para>
-<programlisting>$ certutil -R -k ec -q nistb409 -g 512 -s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" -d sql:/home/my/sharednssdb -p 650-555-0123 -a -o cert.cer
+<programlisting>$ certutil -R -k rsa -g 1024 -s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" -d sql:$HOME/nssdb -p 650-555-0123 -a -o cert.cer
 
 Generating key.  This may take a few moments...
 
-
-Certificate request generated by Netscape 
-Phone: 650-555-0123
-Common Name: John Smith
-Email: (not ed)
-Organization: Example Corp
-State: California
-Country: US
-
------BEGIN NEW CERTIFICATE REQUEST-----
-MIIBIDCBywIBADBmMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEW
-MBQGA1UEBxMNTW91bnRhaW4gVmlldzEVMBMGA1UEChMMRXhhbXBsZSBDb3JwMRMw
-EQYDVQQDEwpKb2huIFNtaXRoMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMVUpDOZ
-KmHnOx7reP8Cc0Lk+fFWEuYIDX9W5K/BioQOKvEjXyQZhit9aThzBVMoSf1Y1S8J
-CzdUbCg1+IbnXaECAwEAAaAAMA0GCSqGSIb3DQEBBQUAA0EAryqZvpYrUtQ486Ny
-qmtyQNjIi1F8c1Z+TL4uFYlMg8z6LG/J/u1E5t1QqB5e9Q4+BhRbrQjRR1JZx3tB
-1hP9Gg==
------END NEW CERTIFICATE REQUEST-----</programlisting>
+</programlisting>
 
 	<para><command>Creating a Certificate</command></para>
 	<para>
 		A valid certificate must be issued by a trusted CA. This can be done by specifying a CA certificate (<option>-c</option>) that is stored in the certificate database. If a CA key pair is not available, you can create a self-signed certificate using the <option>-x</option> argument with the <option>-S</option> command option.
 	</para>
 <programlisting>$ certutil -S -k rsa|dsa|ec -n certname -s subject [-c issuer |-x] -t trustargs -d [sql:]directory [-m serial-number] [-v valid-months] [-w offset-months] [-p phone] [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names] [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA] [--extSKID]</programlisting>
 	<para>
-		The series of numbers and <option>--ext*</option> options set certificate extensions that can be added to the certificate when it is generated by the CA.
+		The series of numbers and <option>--ext*</option> options set certificate extensions that can be added to the certificate when it is generated by the CA. Interactive prompts will result.
 	</para>
 	<para>
 		For example, this creates a self-signed certificate:
 	</para>
 <programlisting>$ certutil -S -s "CN=Example CA" -n my-ca-cert -x -t "C,C,C" -1 -2 -5 -m 3650</programlisting>
 	<para>
+The interative prompts for key usage and whether any extensions are critical and responses have been ommitted for brevity.
+	</para>
+	<para>
 		From there, new certificates can reference the self-signed certificate:
 	</para>
 <programlisting>$ certutil -S -s "CN=My Server Cert" -n my-server-cert -c "my-ca-cert" -t "u,u,u" -1 -5 -6 -8 -m 730</programlisting>
 
 	<para><command>Generating a Certificate from a Certificate Request</command></para>
 	<para>
 		When a certificate request is created, a certificate can be generated by using the request and then referencing a certificate authority signing certificate (the <emphasis>issuer</emphasis> specified in the <option>-c</option> argument). The issuing certificate must be in the certificate database in the specified directory.
 	</para>
 <programlisting>certutil -C -c issuer -i cert-request-file -o output-file [-m serial-number] [-v valid-months] [-w offset-months] -d [sql:]directory [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names]</programlisting>
 	<para>
 		For example:
 	</para>
-<programlisting>$ certutil -C -c "my-ca-cert" -i /home/certs/cert.req -o cert.cer -m 010 -v 12 -w 1 -d sql:/home/my/sharednssdb -1 nonRepudiation,dataEncipherment -5 sslClient -6 clientAuth -7 jsmith@example.com</programlisting>
-
-
-	<para><command>Generating Key Pairs</command></para>
-	<para>
-		Key pairs are generated automatically with a certificate request or certificate, but they can also be generated independently using the <option>-G</option> command option. 
-	</para>
-<programlisting>certutil -G -d [sql:]directory | -h tokenname -k key-type -g key-size [-y exponent-value] -q pqgfile|curve-name</programlisting>
-	<para>
-		For example:
-	</para>
-<programlisting>$ certutil -G -h lunasa -k ec -g 256 -q sect193r2</programlisting>
+<programlisting>$ certutil -C -c "my-ca-cert" -i /home/certs/cert.req -o cert.cer -m 010 -v 12 -w 1 -d sql:$HOME/nssdb -1 nonRepudiation,dataEncipherment -5 sslClient -6 clientAuth -7 jsmith@example.com</programlisting>
 
 	<para><command>Listing Certificates</command></para>
 	<para>
 		The <option>-L</option> command option lists all of the certificates listed in the certificate database. The path to the directory (<option>-d</option>) is required.
 	</para>
 <programlisting>$ certutil -L -d sql:/home/my/sharednssdb
 
 Certificate Nickname                                         Trust Attributes
@@ -819,49 +780,106 @@ Certificate Nickname                    
 
 CA Administrator of Instance pki-ca1's Example Domain ID     u,u,u
 TPS Administrator's Example Domain ID                        u,u,u
 Google Internet Authority                                    ,,   
 Certificate Authority - Example Domain                       CT,C,C</programlisting>
 	<para>
 		Using additional arguments with <option>-L</option> can return and print the information for a single, specific certificate. For example, the <option>-n</option> argument passes the certificate name, while the <option>-a</option> argument prints the certificate in ASCII format:
 	</para>
-<programlisting>$ certutil -L -d sql:/home/my/sharednssdb -a -n "Certificate Authority - Example Domain"
-
+<programlisting>
+$ certutil -L -d sql:$HOME/nssdb -a -n my-ca-cert
 -----BEGIN CERTIFICATE-----
-MIIDmTCCAoGgAwIBAgIBATANBgkqhkiG9w0BAQUFADA5MRcwFQYDVQQKEw5FeGFt
-cGxlIERvbWFpbjEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEw
-MDQyOTIxNTY1OFoXDTEyMDQxODIxNTY1OFowOTEXMBUGA1UEChMORXhhbXBsZSBE
-b21haW4xHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAO/bqUli2KwqXFKmMMG93KN1SANzNTXA/Vlf
-Tmrih3hQgjvR1ktIY9aG6cB7DSKWmtHp/+p4PUCMqL4ZrSGt901qxkePyZ2dYmM2
-RnelK+SEUIPiUtoZaDhNdiYsE/yuDE8vQWj0vHCVL0w72qFUcSQ/WZT7FCrnUIUI
-udeWnoPSUn70gLhcj/lvxl7K9BHyD4Sq5CzktwYtFWLiiwV+ZY/Fl6JgbGaQyQB2
-bP4iRMfloGqsxGuB1evWVDF1haGpFDSPgMnEPSLg3/3dXn+HDJbZ29EU8/xKzQEb
-3V0AHKbu80zGllLEt2Zx/WDIrgJEN9yMfgKFpcmL+BvIRsmh0VsCAwEAAaOBqzCB
-qDAfBgNVHSMEGDAWgBQATgxHQyRUfKIZtdp55bZlFr+tFzAPBgNVHRMBAf8EBTAD
-AQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQUAE4MR0MkVHyiGbXaeeW2ZRa/
-rRcwRQYIKwYBBQUHAQEEOTA3MDUGCCsGAQUFBzABhilodHRwOi8vbG9jYWxob3N0
-LmxvY2FsZG9tYWluOjkxODAvY2Evb2NzcDANBgkqhkiG9w0BAQUFAAOCAQEAi8Gk
-L3XO43u7/TDOeEsWPmq+jZsDZ3GZ85Ajt3KROLWeKVZZZa2E2Hnsvf2uXbk5amKe
-lRxdSeRH9g85pv4KY7Z8xZ71NrI3+K3uwmnqkc6t0hhYb1mw/gx8OAAoluQx3biX
-JBDxjI73Cf7XUopplHBjjiwyGIJUO8BEZJ5L+TF4P38MJz1snLtzZpEAX5bl0U76
-bfu/tZFWBbE8YAWYtkCtMcalBPj6jn2WD3M01kGozW4mmbvsj1cRB9HnsGsqyHCu
-U0ujlL1H/RWcjn607+CTeKH9jLMUqCIqPJNOa+kq/6F7NhNRRiuzASIbZc30BZ5a
-nI7q5n1USM3eWQlVXw==
------END CERTIFICATE-----</programlisting>
+MIIB1DCCAT2gAwIBAgICDkIwDQYJKoZIhvcNAQEFBQAwFTETMBEGA1UEAxMKRXhh
+bXBsZSBDQTAeFw0xMzAzMTMxOTEwMjlaFw0xMzA2MTMxOTEwMjlaMBUxEzARBgNV
+BAMTCkV4YW1wbGUgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ4Kzqvz
+JyBVgFqDXRYSyTBNw1DrxUU/3GvWA/ngjAwHEv0Cul/6sO/gsCvnABHiH6unns6x
+XRzPORlC2WY3gkk7vmlsLvYpyecNazAi/NAwVnU/66HOsaoVFWE+gBQo99UrN2yk
+0BiK/GMFlLm5dXQROgA9ZKKyFdI0LIXtf6SbAgMBAAGjMzAxMBEGCWCGSAGG+EIB
+AQQEAwIHADAMBgNVHRMEBTADAQH/MA4GA1UdDwEB/wQEAwICBDANBgkqhkiG9w0B
+AQUFAAOBgQA6chkzkACN281d1jKMrc+RHG2UMaQyxiteaLVZO+Ro1nnRUvseDf09
+XKYFwPMJjWCihVku6bw/ihZfuMHhxK22Nue6inNQ6eDu7WmrqL8z3iUrQwxs+WiF
+ob2rb8XRVVJkzXdXxlk4uo3UtNvw8sAz7sWD71qxKaIHU5q49zijfg==
+-----END CERTIFICATE-----
+</programlisting>
+<pa>For a humam-readable display</para>
+<programlisting>$ certutil -L -d sql:$HOME/nssdb -n my-ca-cert
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3650 (0xe42)
+        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
+        Issuer: "CN=Example CA"
+        Validity:
+            Not Before: Wed Mar 13 19:10:29 2013
+            Not After : Thu Jun 13 19:10:29 2013
+        Subject: "CN=Example CA"
+        Subject Public Key Info:
+            Public Key Algorithm: PKCS #1 RSA Encryption
+            RSA Public Key:
+                Modulus:
+                    9e:0a:ce:ab:f3:27:20:55:80:5a:83:5d:16:12:c9:30:
+                    4d:c3:50:eb:c5:45:3f:dc:6b:d6:03:f9:e0:8c:0c:07:
+                    12:fd:02:ba:5f:fa:b0:ef:e0:b0:2b:e7:00:11:e2:1f:
+                    ab:a7:9e:ce:b1:5d:1c:cf:39:19:42:d9:66:37:82:49:
+                    3b:be:69:6c:2e:f6:29:c9:e7:0d:6b:30:22:fc:d0:30:
+                    56:75:3f:eb:a1:ce:b1:aa:15:15:61:3e:80:14:28:f7:
+                    d5:2b:37:6c:a4:d0:18:8a:fc:63:05:94:b9:b9:75:74:
+                    11:3a:00:3d:64:a2:b2:15:d2:34:2c:85:ed:7f:a4:9b
+                Exponent: 65537 (0x10001)
+        Signed Extensions:
+            Name: Certificate Type
+            Data: none
+
+            Name: Certificate Basic Constraints
+            Data: Is a CA with no maximum path length.
+
+            Name: Certificate Key Usage
+            Critical: True
+            Usages: Certificate Signing
+
+    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
+    Signature:
+        3a:72:19:33:90:00:8d:db:cd:5d:d6:32:8c:ad:cf:91:
+        1c:6d:94:31:a4:32:c6:2b:5e:68:b5:59:3b:e4:68:d6:
+        79:d1:52:fb:1e:0d:fd:3d:5c:a6:05:c0:f3:09:8d:60:
+        a2:85:59:2e:e9:bc:3f:8a:16:5f:b8:c1:e1:c4:ad:b6:
+        36:e7:ba:8a:73:50:e9:e0:ee:ed:69:ab:a8:bf:33:de:
+        25:2b:43:0c:6c:f9:68:85:a1:bd:ab:6f:c5:d1:55:52:
+        64:cd:77:57:c6:59:38:ba:8d:d4:b4:db:f0:f2:c0:33:
+        ee:c5:83:ef:5a:b1:29:a2:07:53:9a:b8:f7:38:a3:7e
+    Fingerprint (MD5):
+        86:D8:A5:8B:8A:26:BE:9E:17:A8:7B:66:10:6B:27:80
+    Fingerprint (SHA1):
+        48:78:09:EF:C5:D4:0C:BD:D2:64:45:59:EB:03:13:15:F7:A9:D6:F7
+
+    Certificate Trust Flags:
+        SSL Flags:
+            Valid CA
+            Trusted CA
+            User
+        Email Flags:
+            Valid CA
+            Trusted CA
+            User
+        Object Signing Flags:
+            Valid CA
+            Trusted CA
+            User
+
+</programlisting>
 
 	<para><command>Listing Keys</command></para>
 	<para>
 		Keys are the original material used to encrypt certificate data. The keys generated for certificates are stored separately, in the key database. 
 	</para>
 	<para>
 		To list all keys in the database, use the <option>-K</option> command option and the (required) <option>-d</option> argument to give the path to the directory.
 	</para>
-<programlisting>$ certutil -K -d sql:/home/my/sharednssdb
+<programlisting>$ certutil -K -d sql:$HOME/nssdb
 certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services                  "
 &lt; 0> rsa      455a6673bde9375c2887ec8bf8016b3f9f35861d   Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
 &lt; 1> rsa      40defeeb522ade11090eacebaaf1196a172127df   Example Domain Administrator Cert
 &lt; 2> rsa      1d0b06f44f6c03842f7d4f4a1dc78b3bcd1b85a5   John Smith user cert</programlisting>
 	<para>
 		There are ways to narrow the keys listed in the search results:
 	</para>
 	<itemizedlist>
@@ -1008,31 +1026,31 @@ The last versions of these <emphasis>leg
 	</listitem>
 </itemizedlist>
 
 <para>BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously. NSS has 
 some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues. Still, NSS
 requires more flexibility to provide a truly shared security database.</para>
 
 <para>In 2009, NSS introduced a new set of databases that are SQLite databases rather than 
-BerkleyDB. These new databases provide more accessibility and performance:</para>
+BerkeleyDB. These new databases provide more accessibility and performance:</para>
 <itemizedlist>
 	<listitem>
 		<para>
 			cert9.db for certificates
 		</para>
 	</listitem>
 	<listitem>
 		<para>
 			key4.db for keys
 		</para>
 	</listitem>
 	<listitem>
 		<para>
-			pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory
+			pkcs11.txt, a listing of all of the PKCS #11 modules, contained in a new subdirectory in the security databases directory
 		</para>
 	</listitem>
 </itemizedlist>
 
 <para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para>
 
 <para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases follow the more common legacy type. 
 Using the SQLite databases must be manually specified by using the <command>sql:</command> prefix with the given security directory. For example:</para>
@@ -1105,24 +1123,22 @@ Using the SQLite databases must be manua
 	<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
 	<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
 	<para>IRC: Freenode at #dogtag-pki</para>
   </refsection>
 
 <!-- fill in your name first; keep the other names for reference -->
   <refsection id="authors">
     <title>Authors</title>
-    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
+    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
     <para>
 	Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
     </para>
   </refsection>
 
 <!-- don't change -->
   <refsection id="license">
     <title>LICENSE</title>
-    <para>Licensed under the Mozilla Public License, version 1.1,
-        and/or the GNU General Public License, version 2 or later,
-        and/or the GNU Lesser General Public License, version 2.1 or later.
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
     </para>
   </refsection>
 
 </refentry>
--- a/security/nss/doc/cmsutil.xml
+++ b/security/nss/doc/cmsutil.xml
@@ -255,24 +255,22 @@ cmsutil -S [-i infile] [-o outfile] [-d 
 	<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
 	<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
 	<para>IRC: Freenode at #dogtag-pki</para>
   </refsection>
 
 <!-- fill in your name first; keep the other names for reference -->
   <refsection id="authors">
     <title>Authors</title>
-    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
+    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
     <para>
 	Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
     </para>
   </refsection>
 
 <!-- don't change -->
   <refsection id="license">
     <title>LICENSE</title>
-    <para>Licensed under the Mozilla Public License, version 1.1,
-        and/or the GNU General Public License, version 2 or later,
-        and/or the GNU Lesser General Public License, version 2.1 or later.
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
     </para>
   </refsection>
 
 </refentry>
--- a/security/nss/doc/crlutil.xml
+++ b/security/nss/doc/crlutil.xml
@@ -513,24 +513,22 @@ crlutil -G|-M -c crl-gen-file -n nicknam
 	<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
 	<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
 	<para>IRC: Freenode at #dogtag-pki</para>
   </refsection>
 
 <!-- fill in your name first; keep the other names for reference -->
   <refsection id="authors">
     <title>Authors</title>
-    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
+    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
     <para>
 	Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
     </para>
   </refsection>
 
 <!-- don't change -->
   <refsection id="license">
     <title>LICENSE</title>
-    <para>Licensed under the Mozilla Public License, version 1.1,
-        and/or the GNU General Public License, version 2 or later,
-        and/or the GNU Lesser General Public License, version 2.1 or later.
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
     </para>
   </refsection>
 
 </refentry>
--- a/security/nss/doc/derdump.xml
+++ b/security/nss/doc/derdump.xml
@@ -75,24 +75,22 @@
 	<para>For information specifically about NSS, the NSS project wiki is located at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">Mozilla NSS site</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
 	<para>Mailing lists: pki-devel@redhat.com and pki-users@redhat.com</para>
 	<para>IRC: Freenode at #dogtag-pki</para>
   </refsection>
 
 <!-- fill in your name first; keep the other names for reference -->
   <refsection id="authors">
     <title>Authors</title>
-    <para>The NSS tools were written and maintained by developers with Netscape and now with Red Hat.</para>
+    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
     <para>
 	Authors: Gerhardus Geldenhuis &lt;gerhardus.geldenhuis@gmail.com>. Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com&gt;
     </para>
   </refsection>
 
 <!-- don't change -->
   <refsection id="license">
     <title>LICENSE</title>
-    <para>Licensed under the Mozilla Public License, version 1.1,
-        and/or the GNU General Public License, version 2 or later,
-        and/or the GNU Lesser General Public License, version 2.1 or later.
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
     </para>
   </refsection>
 
 </refentry>
--- a/security/nss/doc/modutil.xml
+++ b/security/nss/doc/modutil.xml
@@ -738,24 +738,22 @@ Using the SQLite databases must be manua
 	<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
 	<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
 	<para>IRC: Freenode at #dogtag-pki</para>
   </refsection>
 
 <!-- fill in your name first; keep the other names for reference -->
   <refsection id="authors">
     <title>Authors</title>
-    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
+    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
     <para>
 	Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
     </para>
   </refsection>
 
 <!-- don't change -->
   <refsection id="license">
     <title>LICENSE</title>
-    <para>Licensed under the Mozilla Public License, version 1.1,
-        and/or the GNU General Public License, version 2 or later,
-        and/or the GNU Lesser General Public License, version 2.1 or later.
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
     </para>
   </refsection>
 
 </refentry>
--- a/security/nss/doc/pk12util.xml
+++ b/security/nss/doc/pk12util.xml
@@ -493,24 +493,22 @@ Using the SQLite databases must be manua
 	<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
 	<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
 	<para>IRC: Freenode at #dogtag-pki</para>
   </refsection>
 
 <!-- fill in your name first; keep the other names for reference -->
   <refsection id="authors">
     <title>Authors</title>
-    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
+    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
     <para>
 	Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
     </para>
   </refsection>
 
 <!-- don't change -->
   <refsection id="license">
     <title>LICENSE</title>
-    <para>Licensed under the Mozilla Public License, version 1.1,
-        and/or the GNU General Public License, version 2 or later,
-        and/or the GNU Lesser General Public License, version 2.1 or later.
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
     </para>
   </refsection>
 
 </refentry>
--- a/security/nss/doc/pp.xml
+++ b/security/nss/doc/pp.xml
@@ -79,33 +79,31 @@
         </listitem>
       </varlistentry>
 
     </variablelist>
   </refsection>
 
   <refsection id="resources">
     <title>Additional Resources</title>
-    <para>NSS is maintained in conjunction with PKI and security-related projects through Mozilla dn Fedora. The most closely-related project is Dogtag PKI, with a project wiki at <ulink url="http://pki.fedoraproject.org/wiki/">PKI Wiki</ulink>. </para>
+    <para>NSS is maintained in conjunction with PKI and security-related projects through Mozilla and Fedora. The most closely-related project is Dogtag PKI, with a project wiki at <ulink url="http://pki.fedoraproject.org/wiki/">PKI Wiki</ulink>. </para>
 	<para>For information specifically about NSS, the NSS project wiki is located at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">Mozilla NSS site</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
 	<para>Mailing lists: pki-devel@redhat.com and pki-users@redhat.com</para>
 	<para>IRC: Freenode at #dogtag-pki</para>
   </refsection>
 
 <!-- fill in your name first; keep the other names for reference -->
   <refsection id="authors">
     <title>Authors</title>
-    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
+    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
     <para>
 	Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
     </para>
   </refsection>
 
 <!-- don't change -->
   <refsection id="license">
     <title>LICENSE</title>
-    <para>Licensed under the Mozilla Public License, version 1.1,
-        and/or the GNU General Public License, version 2 or later,
-        and/or the GNU Lesser General Public License, version 2.1 or later.
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
     </para>
   </refsection>
 
 </refentry>
--- a/security/nss/doc/signtool.xml
+++ b/security/nss/doc/signtool.xml
@@ -657,24 +657,22 @@ token: Communicator Certificate DB
 	<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
 	<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
 	<para>IRC: Freenode at #dogtag-pki</para>
   </refsection>
 
 <!-- fill in your name first; keep the other names for reference -->
   <refsection id="authors">
     <title>Authors</title>
-    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
+    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
     <para>
 	Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
     </para>
   </refsection>
 
 <!-- don't change -->
   <refsection id="license">
     <title>LICENSE</title>
-    <para>Licensed under the Mozilla Public License, version 1.1,
-        and/or the GNU General Public License, version 2 or later,
-        and/or the GNU Lesser General Public License, version 2.1 or later.
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
     </para>
   </refsection>
 
 </refentry>
--- a/security/nss/doc/signver.xml
+++ b/security/nss/doc/signver.xml
@@ -209,24 +209,22 @@ Using the SQLite databases must be manua
 	<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
 	<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
 	<para>IRC: Freenode at #dogtag-pki</para>
   </refsection>
 
 <!-- fill in your name first; keep the other names for reference -->
   <refsection id="authors">
     <title>Authors</title>
-    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
+    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
     <para>
 	Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
     </para>
   </refsection>
 
 <!-- don't change -->
   <refsection id="license">
     <title>LICENSE</title>
-    <para>Licensed under the Mozilla Public License, version 1.1,
-        and/or the GNU General Public License, version 2 or later,
-        and/or the GNU Lesser General Public License, version 2.1 or later.
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
     </para>
   </refsection>
 
 </refentry>
--- a/security/nss/doc/ssltap.xml
+++ b/security/nss/doc/ssltap.xml
@@ -562,24 +562,22 @@ the default BadCert callback, the one yo
 	<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
 	<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
 	<para>IRC: Freenode at #dogtag-pki</para>
   </refsection>
 
 <!-- fill in your name first; keep the other names for reference -->
   <refsection id="authors">
     <title>Authors</title>
-    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
+    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
     <para>
 	Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
     </para>
   </refsection>
 
 <!-- don't change -->
   <refsection id="license">
     <title>LICENSE</title>
-    <para>Licensed under the Mozilla Public License, version 1.1,
-        and/or the GNU General Public License, version 2 or later,
-        and/or the GNU Lesser General Public License, version 2.1 or later.
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
     </para>
   </refsection>
 
 </refentry>
--- a/security/nss/doc/vfychain.xml
+++ b/security/nss/doc/vfychain.xml
@@ -211,24 +211,22 @@
 	<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
 	<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
 	<para>IRC: Freenode at #dogtag-pki</para>
   </refsection>
 
 <!-- fill in your name first; keep the other names for reference -->
   <refsection id="authors">
     <title>Authors</title>
-    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
+    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
     <para>
 	Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
     </para>
   </refsection>
 
 <!-- don't change -->
   <refsection id="license">
     <title>LICENSE</title>
-    <para>Licensed under the Mozilla Public License, version 1.1,
-        and/or the GNU General Public License, version 2 or later,
-        and/or the GNU Lesser General Public License, version 2.1 or later.
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
     </para>
   </refsection>
 
 </refentry>
--- a/security/nss/doc/vfyserv.xml
+++ b/security/nss/doc/vfyserv.xml
@@ -64,24 +64,22 @@
 	<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
 	<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
 	<para>IRC: Freenode at #dogtag-pki</para>
   </refsection>
 
 <!-- fill in your name first; keep the other names for reference -->
   <refsection id="authors">
     <title>Authors</title>
-    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
+    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
     <para>
 	Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
     </para>
   </refsection>
 
 <!-- don't change -->
   <refsection id="license">
     <title>LICENSE</title>
-    <para>Licensed under the Mozilla Public License, version 1.1,
-        and/or the GNU General Public License, version 2 or later,
-        and/or the GNU Lesser General Public License, version 2.1 or later.
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
     </para>
   </refsection>
 
 </refentry>
--- a/security/nss/lib/certdb/alg1485.c
+++ b/security/nss/lib/certdb/alg1485.c
@@ -78,16 +78,19 @@ static const NameToKind name2kinds[] = {
     { "incorporationLocality", 128, SEC_OID_EV_INCORPORATION_LOCALITY,
                                                         SEC_ASN1_DS},
     { "incorporationState",    128, SEC_OID_EV_INCORPORATION_STATE,
                                                         SEC_ASN1_DS},
     { "incorporationCountry",    2, SEC_OID_EV_INCORPORATION_COUNTRY,
                                                     SEC_ASN1_PRINTABLE_STRING},
     { "businessCategory",       64, SEC_OID_BUSINESS_CATEGORY, SEC_ASN1_DS},
 
+/* values defined in X.520 */
+    { "name",           64, SEC_OID_AVA_NAME,           SEC_ASN1_DS},
+
     { 0,               256, SEC_OID_UNKNOWN,            0},
 };
 
 /* Table facilitates conversion of ASCII hex to binary. */
 static const PRInt16 x2b[256] = {
 /* #0x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
 /* #1x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
 /* #2x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -651,19 +651,19 @@ CKA_ISSUER MULTILINE_OCTAL
 \044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141
 \154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163
 \164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010
 \104\123\124\103\101\040\105\061
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\066\160\025\226
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Digital Signature Trust Co. Global CA 3"
 #
 CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
@@ -760,19 +760,19 @@ CKA_ISSUER MULTILINE_OCTAL
 \044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141
 \154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163
 \164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010
 \104\123\124\103\101\040\105\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\066\156\323\316
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Verisign Class 3 Public Primary Certification Authority"
 #
 CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
@@ -2642,16 +2642,23 @@ END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Entrust.net Premium 2048 Secure Server CA"
 #
+# Issuer: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
+# Serial Number: 946069240 (0x3863def8)
+# Subject: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
+# Not Valid Before: Fri Dec 24 17:50:51 1999
+# Not Valid After : Tue Jul 24 14:15:12 2029
+# Fingerprint (MD5): EE:29:31:BC:32:7E:9A:E6:E8:B5:F7:51:B4:34:71:90
+# Fingerprint (SHA1): 50:30:06:09:1D:97:D4:F5:AE:39:F7:CB:E7:92:7D:7D:65:2D:34:31
 CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
 CKA_LABEL UTF8 "Entrust.net Premium 2048 Secure Server CA"
 CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
 CKA_SUBJECT MULTILINE_OCTAL
 \060\201\264\061\024\060\022\006\003\125\004\012\023\013\105\156
@@ -2678,35 +2685,35 @@ CKA_ISSUER MULTILINE_OCTAL
 \003\125\004\013\023\034\050\143\051\040\061\071\071\071\040\105
 \156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164
 \145\144\061\063\060\061\006\003\125\004\003\023\052\105\156\164
 \162\165\163\164\056\156\145\164\040\103\145\162\164\151\146\151
 \143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
 \040\050\062\060\064\070\051
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\070\143\271\146
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\134\060\202\003\104\240\003\002\001\002\002\004\070
-\143\271\146\060\015\006\011\052\206\110\206\367\015\001\001\005
+\002\004\070\143\336\370
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\052\060\202\003\022\240\003\002\001\002\002\004\070
+\143\336\370\060\015\006\011\052\206\110\206\367\015\001\001\005
 \005\000\060\201\264\061\024\060\022\006\003\125\004\012\023\013
 \105\156\164\162\165\163\164\056\156\145\164\061\100\060\076\006
 \003\125\004\013\024\067\167\167\167\056\145\156\164\162\165\163
 \164\056\156\145\164\057\103\120\123\137\062\060\064\070\040\151
 \156\143\157\162\160\056\040\142\171\040\162\145\146\056\040\050
 \154\151\155\151\164\163\040\154\151\141\142\056\051\061\045\060
 \043\006\003\125\004\013\023\034\050\143\051\040\061\071\071\071
 \040\105\156\164\162\165\163\164\056\156\145\164\040\114\151\155
 \151\164\145\144\061\063\060\061\006\003\125\004\003\023\052\105
 \156\164\162\165\163\164\056\156\145\164\040\103\145\162\164\151
 \146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
 \164\171\040\050\062\060\064\070\051\060\036\027\015\071\071\061
-\062\062\064\061\067\065\060\065\061\132\027\015\061\071\061\062
-\062\064\061\070\062\060\065\061\132\060\201\264\061\024\060\022
+\062\062\064\061\067\065\060\065\061\132\027\015\062\071\060\067
+\062\064\061\064\061\065\061\062\132\060\201\264\061\024\060\022
 \006\003\125\004\012\023\013\105\156\164\162\165\163\164\056\156
 \145\164\061\100\060\076\006\003\125\004\013\024\067\167\167\167
 \056\145\156\164\162\165\163\164\056\156\145\164\057\103\120\123
 \137\062\060\064\070\040\151\156\143\157\162\160\056\040\142\171
 \040\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151
 \141\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050
 \143\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056
 \156\145\164\040\114\151\155\151\164\145\144\061\063\060\061\006
@@ -2726,72 +2733,76 @@ CKA_VALUE MULTILINE_OCTAL
 \111\031\375\300\250\275\211\243\147\057\306\237\274\161\031\140
 \270\055\351\054\311\220\166\146\173\224\342\257\170\326\145\123
 \135\074\326\234\262\317\051\003\371\057\244\120\262\324\110\316
 \005\062\125\212\375\262\144\114\016\344\230\007\165\333\177\337
 \271\010\125\140\205\060\051\371\173\110\244\151\206\343\065\077
 \036\206\135\172\172\025\275\357\000\216\025\042\124\027\000\220
 \046\223\274\016\111\150\221\277\370\107\323\235\225\102\301\016
 \115\337\157\046\317\303\030\041\142\146\103\160\326\325\300\007
-\341\002\003\001\000\001\243\164\060\162\060\021\006\011\140\206
-\110\001\206\370\102\001\001\004\004\003\002\000\007\060\037\006
-\003\125\035\043\004\030\060\026\200\024\125\344\201\321\021\200
-\276\330\211\271\010\243\061\371\241\044\011\026\271\160\060\035
-\006\003\125\035\016\004\026\004\024\125\344\201\321\021\200\276
-\330\211\271\010\243\061\371\241\044\011\026\271\160\060\035\006
-\011\052\206\110\206\366\175\007\101\000\004\020\060\016\033\010
-\126\065\056\060\072\064\056\060\003\002\004\220\060\015\006\011
-\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001\000
-\131\107\254\041\204\212\027\311\234\211\123\036\272\200\205\032
-\306\074\116\076\261\234\266\174\306\222\135\030\144\002\343\323
-\006\010\021\141\174\143\343\053\235\061\003\160\166\322\243\050
-\240\364\273\232\143\163\355\155\345\052\333\355\024\251\053\306
-\066\021\320\053\353\007\213\245\332\236\134\031\235\126\022\365
-\124\051\310\005\355\262\022\052\215\364\003\033\377\347\222\020
-\207\260\072\265\303\235\005\067\022\243\307\364\025\271\325\244
-\071\026\233\123\072\043\221\361\250\202\242\152\210\150\301\171
-\002\042\274\252\246\326\256\337\260\024\137\270\207\320\335\174
-\177\173\377\257\034\317\346\333\007\255\136\333\205\235\320\053
-\015\063\333\004\321\346\111\100\023\053\166\373\076\351\234\211
-\017\025\316\030\260\205\170\041\117\153\117\016\372\066\147\315
-\007\362\377\010\320\342\336\331\277\052\257\270\207\206\041\074
-\004\312\267\224\150\177\317\074\351\230\327\070\377\354\300\331
-\120\360\056\113\130\256\106\157\320\056\303\140\332\162\125\162
-\275\114\105\236\141\272\277\204\201\222\003\321\322\151\174\305
-END
-
-# Trust for Certificate "Entrust.net Premium 2048 Secure Server CA"
+\341\002\003\001\000\001\243\102\060\100\060\016\006\003\125\035
+\017\001\001\377\004\004\003\002\001\006\060\017\006\003\125\035
+\023\001\001\377\004\005\060\003\001\001\377\060\035\006\003\125
+\035\016\004\026\004\024\125\344\201\321\021\200\276\330\211\271
+\010\243\061\371\241\044\011\026\271\160\060\015\006\011\052\206
+\110\206\367\015\001\001\005\005\000\003\202\001\001\000\073\233
+\217\126\233\060\347\123\231\174\172\171\247\115\227\327\031\225
+\220\373\006\037\312\063\174\106\143\217\226\146\044\372\100\033
+\041\047\312\346\162\163\362\117\376\061\231\375\310\014\114\150
+\123\306\200\202\023\230\372\266\255\332\135\075\361\316\156\366
+\025\021\224\202\014\356\077\225\257\021\253\017\327\057\336\037
+\003\217\127\054\036\311\273\232\032\104\225\353\030\117\246\037
+\315\175\127\020\057\233\004\011\132\204\265\156\330\035\072\341
+\326\236\321\154\171\136\171\034\024\305\343\320\114\223\073\145
+\074\355\337\075\276\246\345\225\032\303\265\031\303\275\136\133
+\273\377\043\357\150\031\313\022\223\047\134\003\055\157\060\320
+\036\266\032\254\336\132\367\321\252\250\047\246\376\171\201\304
+\171\231\063\127\272\022\260\251\340\102\154\223\312\126\336\376
+\155\204\013\010\213\176\215\352\327\230\041\306\363\347\074\171
+\057\136\234\321\114\025\215\341\354\042\067\314\232\103\013\227
+\334\200\220\215\263\147\233\157\110\010\025\126\317\277\361\053
+\174\136\232\166\351\131\220\305\174\203\065\021\145\121
+END
+
+# Trust for "Entrust.net Premium 2048 Secure Server CA"
+# Issuer: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
+# Serial Number: 946069240 (0x3863def8)
+# Subject: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
+# Not Valid Before: Fri Dec 24 17:50:51 1999
+# Not Valid After : Tue Jul 24 14:15:12 2029
+# Fingerprint (MD5): EE:29:31:BC:32:7E:9A:E6:E8:B5:F7:51:B4:34:71:90
+# Fingerprint (SHA1): 50:30:06:09:1D:97:D4:F5:AE:39:F7:CB:E7:92:7D:7D:65:2D:34:31
 CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
 CKA_LABEL UTF8 "Entrust.net Premium 2048 Secure Server CA"
 CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\200\035\142\320\173\104\235\134\134\003\134\230\352\141\372\104
-\074\052\130\376
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\272\041\352\040\326\335\333\217\301\127\213\100\255\241\374\374
+\120\060\006\011\035\227\324\365\256\071\367\313\347\222\175\175
+\145\055\064\061
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\356\051\061\274\062\176\232\346\350\265\367\121\264\064\161\220
 END
 CKA_ISSUER MULTILINE_OCTAL
 \060\201\264\061\024\060\022\006\003\125\004\012\023\013\105\156
 \164\162\165\163\164\056\156\145\164\061\100\060\076\006\003\125
 \004\013\024\067\167\167\167\056\145\156\164\162\165\163\164\056
 \156\145\164\057\103\120\123\137\062\060\064\070\040\151\156\143
 \157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151
 \155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006
 \003\125\004\013\023\034\050\143\051\040\061\071\071\071\040\105
 \156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164
 \145\144\061\063\060\061\006\003\125\004\003\023\052\105\156\164
 \162\165\163\164\056\156\145\164\040\103\145\162\164\151\146\151
 \143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
 \040\050\062\060\064\070\051
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\070\143\271\146
+\002\004\070\143\336\370
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Baltimore CyberTrust Root"
@@ -3111,125 +3122,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\004
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "Equifax Secure eBusiness CA 2"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Equifax Secure eBusiness CA 2"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\027\060\025\006\003\125\004\012\023\016\105\161\165\151\146\141
-\170\040\123\145\143\165\162\145\061\046\060\044\006\003\125\004
-\013\023\035\105\161\165\151\146\141\170\040\123\145\143\165\162
-\145\040\145\102\165\163\151\156\145\163\163\040\103\101\055\062
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\027\060\025\006\003\125\004\012\023\016\105\161\165\151\146\141
-\170\040\123\145\143\165\162\145\061\046\060\044\006\003\125\004
-\013\023\035\105\161\165\151\146\141\170\040\123\145\143\165\162
-\145\040\145\102\165\163\151\156\145\163\163\040\103\101\055\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\067\160\317\265
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\040\060\202\002\211\240\003\002\001\002\002\004\067
-\160\317\265\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\060\116\061\013\060\011\006\003\125\004\006\023\002\125
-\123\061\027\060\025\006\003\125\004\012\023\016\105\161\165\151
-\146\141\170\040\123\145\143\165\162\145\061\046\060\044\006\003
-\125\004\013\023\035\105\161\165\151\146\141\170\040\123\145\143
-\165\162\145\040\145\102\165\163\151\156\145\163\163\040\103\101
-\055\062\060\036\027\015\071\071\060\066\062\063\061\062\061\064
-\064\065\132\027\015\061\071\060\066\062\063\061\062\061\064\064
-\065\132\060\116\061\013\060\011\006\003\125\004\006\023\002\125
-\123\061\027\060\025\006\003\125\004\012\023\016\105\161\165\151
-\146\141\170\040\123\145\143\165\162\145\061\046\060\044\006\003
-\125\004\013\023\035\105\161\165\151\146\141\170\040\123\145\143
-\165\162\145\040\145\102\165\163\151\156\145\163\163\040\103\101
-\055\062\060\201\237\060\015\006\011\052\206\110\206\367\015\001
-\001\001\005\000\003\201\215\000\060\201\211\002\201\201\000\344
-\071\071\223\036\122\006\033\050\066\370\262\243\051\305\355\216
-\262\021\275\376\353\347\264\164\302\217\377\005\347\331\235\006
-\277\022\310\077\016\362\326\321\044\262\021\336\321\163\011\212
-\324\261\054\230\011\015\036\120\106\262\203\246\105\215\142\150
-\273\205\033\040\160\062\252\100\315\246\226\137\304\161\067\077
-\004\363\267\101\044\071\007\032\036\056\141\130\240\022\013\345
-\245\337\305\253\352\067\161\314\034\310\067\072\271\227\122\247
-\254\305\152\044\224\116\234\173\317\300\152\326\337\041\275\002
-\003\001\000\001\243\202\001\011\060\202\001\005\060\160\006\003
-\125\035\037\004\151\060\147\060\145\240\143\240\141\244\137\060
-\135\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027
-\060\025\006\003\125\004\012\023\016\105\161\165\151\146\141\170
-\040\123\145\143\165\162\145\061\046\060\044\006\003\125\004\013
-\023\035\105\161\165\151\146\141\170\040\123\145\143\165\162\145
-\040\145\102\165\163\151\156\145\163\163\040\103\101\055\062\061
-\015\060\013\006\003\125\004\003\023\004\103\122\114\061\060\032
-\006\003\125\035\020\004\023\060\021\201\017\062\060\061\071\060
-\066\062\063\061\062\061\064\064\065\132\060\013\006\003\125\035
-\017\004\004\003\002\001\006\060\037\006\003\125\035\043\004\030
-\060\026\200\024\120\236\013\352\257\136\271\040\110\246\120\152
-\313\375\330\040\172\247\202\166\060\035\006\003\125\035\016\004
-\026\004\024\120\236\013\352\257\136\271\040\110\246\120\152\313
-\375\330\040\172\247\202\166\060\014\006\003\125\035\023\004\005
-\060\003\001\001\377\060\032\006\011\052\206\110\206\366\175\007
-\101\000\004\015\060\013\033\005\126\063\056\060\143\003\002\006
-\300\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000
-\003\201\201\000\014\206\202\255\350\116\032\365\216\211\047\342
-\065\130\075\051\264\007\217\066\120\225\277\156\301\236\353\304
-\220\262\205\250\273\267\102\340\017\007\071\337\373\236\220\262
-\321\301\076\123\237\003\104\260\176\113\364\157\344\174\037\347
-\342\261\344\270\232\357\303\275\316\336\013\062\064\331\336\050
-\355\063\153\304\324\327\075\022\130\253\175\011\055\313\160\365
-\023\212\224\241\047\244\326\160\305\155\224\265\311\175\235\240
-\322\306\010\111\331\146\233\246\323\364\013\334\305\046\127\341
-\221\060\352\315
-END
-
-# Trust for Certificate "Equifax Secure eBusiness CA 2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Equifax Secure eBusiness CA 2"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\071\117\366\205\013\006\276\122\345\030\126\314\020\341\200\350
-\202\263\205\314
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\252\277\277\144\227\332\230\035\157\306\010\072\225\160\063\312
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\027\060\025\006\003\125\004\012\023\016\105\161\165\151\146\141
-\170\040\123\145\143\165\162\145\061\046\060\044\006\003\125\004
-\013\023\035\105\161\165\151\146\141\170\040\123\145\143\165\162
-\145\040\145\102\165\163\151\156\145\163\163\040\103\101\055\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\067\160\317\265
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "AddTrust Low-Value Services Root"
 #
 CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
 CKA_LABEL UTF8 "AddTrust Low-Value Services Root"
 CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
@@ -17764,19 +17666,19 @@ CKA_ISSUER MULTILINE_OCTAL
 \103\145\156\164\145\162\040\125\156\151\166\145\162\163\141\154
 \040\103\101\061\050\060\046\006\003\125\004\003\023\037\124\103
 \040\124\162\165\163\164\103\145\156\164\145\162\040\125\156\151
 \166\145\162\163\141\154\040\103\101\040\111\111\111
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\016\143\045\000\001\000\002\024\215\063\025\002\344\154\364
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
 #
 CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
@@ -21791,17 +21693,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
 \171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Explicitly Distrust DigiNotar Root CA"
 #
 CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
@@ -24778,8 +24680,1540 @@ CKA_ISSUER MULTILINE_OCTAL
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\002\010\144
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "TURKTRUST Certificate Services Provider Root 2007"
+#
+# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
+# Serial Number: 1 (0x1)
+# Subject: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
+# Not Valid Before: Tue Dec 25 18:37:19 2007
+# Not Valid After : Fri Dec 22 18:37:19 2017
+# Fingerprint (MD5): 2B:70:20:56:86:82:A0:18:C8:07:53:12:28:70:21:72
+# Fingerprint (SHA1): F1:7F:6F:B6:31:DC:99:E3:A3:C8:7F:FE:1C:F1:81:10:88:D9:60:33
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "TURKTRUST Certificate Services Provider Root 2007"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\277\061\077\060\075\006\003\125\004\003\014\066\124\303
+\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157
+\156\151\153\040\123\145\162\164\151\146\151\153\141\040\110\151
+\172\155\145\164\040\123\141\304\237\154\141\171\304\261\143\304
+\261\163\304\261\061\013\060\011\006\003\125\004\006\023\002\124
+\122\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141
+\162\141\061\136\060\134\006\003\125\004\012\014\125\124\303\234
+\122\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260
+\154\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151
+\305\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151
+\040\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236
+\056\040\050\143\051\040\101\162\141\154\304\261\153\040\062\060
+\060\067
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\277\061\077\060\075\006\003\125\004\003\014\066\124\303
+\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157
+\156\151\153\040\123\145\162\164\151\146\151\153\141\040\110\151
+\172\155\145\164\040\123\141\304\237\154\141\171\304\261\143\304
+\261\163\304\261\061\013\060\011\006\003\125\004\006\023\002\124
+\122\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141
+\162\141\061\136\060\134\006\003\125\004\012\014\125\124\303\234
+\122\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260
+\154\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151
+\305\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151
+\040\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236
+\056\040\050\143\051\040\101\162\141\154\304\261\153\040\062\060
+\060\067
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\001\001
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\075\060\202\003\045\240\003\002\001\002\002\001\001
+\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
+\201\277\061\077\060\075\006\003\125\004\003\014\066\124\303\234
+\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157\156
+\151\153\040\123\145\162\164\151\146\151\153\141\040\110\151\172
+\155\145\164\040\123\141\304\237\154\141\171\304\261\143\304\261
+\163\304\261\061\013\060\011\006\003\125\004\006\023\002\124\122
+\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162
+\141\061\136\060\134\006\003\125\004\012\014\125\124\303\234\122
+\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154
+\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305
+\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040
+\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056
+\040\050\143\051\040\101\162\141\154\304\261\153\040\062\060\060
+\067\060\036\027\015\060\067\061\062\062\065\061\070\063\067\061
+\071\132\027\015\061\067\061\062\062\062\061\070\063\067\061\071
+\132\060\201\277\061\077\060\075\006\003\125\004\003\014\066\124
+\303\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162
+\157\156\151\153\040\123\145\162\164\151\146\151\153\141\040\110
+\151\172\155\145\164\040\123\141\304\237\154\141\171\304\261\143
+\304\261\163\304\261\061\013\060\011\006\003\125\004\006\023\002
+\124\122\061\017\060\015\006\003\125\004\007\014\006\101\156\153
+\141\162\141\061\136\060\134\006\003\125\004\012\014\125\124\303
+\234\122\113\124\122\125\123\124\040\102\151\154\147\151\040\304
+\260\154\145\164\151\305\237\151\155\040\166\145\040\102\151\154
+\151\305\237\151\155\040\107\303\274\166\145\156\154\151\304\237
+\151\040\110\151\172\155\145\164\154\145\162\151\040\101\056\305
+\236\056\040\050\143\051\040\101\162\141\154\304\261\153\040\062
+\060\060\067\060\202\001\042\060\015\006\011\052\206\110\206\367
+\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002
+\202\001\001\000\253\267\076\012\214\310\245\130\025\346\212\357
+\047\075\112\264\350\045\323\315\063\302\040\334\031\356\210\077
+\115\142\360\335\023\167\217\141\251\052\265\324\362\271\061\130
+\051\073\057\077\152\234\157\163\166\045\356\064\040\200\356\352
+\267\360\304\012\315\053\206\224\311\343\140\261\104\122\262\132
+\051\264\221\227\203\330\267\246\024\057\051\111\242\363\005\006
+\373\264\117\332\241\154\232\146\237\360\103\011\312\352\162\217
+\353\000\327\065\071\327\126\027\107\027\060\364\276\277\077\302
+\150\257\066\100\301\251\364\251\247\350\020\153\010\212\367\206
+\036\334\232\052\025\006\366\243\360\364\340\307\024\324\121\177
+\317\264\333\155\257\107\226\027\233\167\161\330\247\161\235\044
+\014\366\224\077\205\061\022\117\272\356\116\202\270\271\076\217
+\043\067\136\314\242\252\165\367\030\157\011\323\256\247\124\050
+\064\373\341\340\073\140\175\240\276\171\211\206\310\237\055\371
+\012\113\304\120\242\347\375\171\026\307\172\013\030\317\316\114
+\357\175\326\007\157\230\361\257\261\301\172\327\201\065\270\252
+\027\264\340\313\002\003\001\000\001\243\102\060\100\060\035\006
+\003\125\035\016\004\026\004\024\051\305\220\253\045\257\021\344
+\141\277\243\377\210\141\221\346\016\376\234\201\060\016\006\003
+\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006\003
+\125\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006
+\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001
+\000\020\015\332\370\072\354\050\321\024\225\202\261\022\054\121
+\172\101\045\066\114\237\354\077\037\204\235\145\124\134\250\026
+\002\100\372\156\032\067\204\357\162\235\206\012\125\235\126\050
+\254\146\054\320\072\126\223\064\007\045\255\010\260\217\310\017
+\011\131\312\235\230\034\345\124\370\271\105\177\152\227\157\210
+\150\115\112\006\046\067\210\002\016\266\306\326\162\231\316\153
+\167\332\142\061\244\126\037\256\137\215\167\332\135\366\210\374
+\032\331\236\265\201\360\062\270\343\210\320\234\363\152\240\271
+\233\024\131\065\066\117\317\363\216\136\135\027\255\025\225\330
+\335\262\325\025\156\000\116\263\113\317\146\224\344\340\315\265
+\005\332\143\127\213\345\263\252\333\300\056\034\220\104\333\032
+\135\030\244\356\276\004\133\231\325\161\137\125\145\144\142\325
+\242\233\004\131\206\310\142\167\347\174\202\105\152\075\027\277
+\354\235\165\014\256\243\157\132\323\057\230\066\364\360\365\031
+\253\021\135\310\246\343\052\130\152\102\011\303\275\222\046\146
+\062\015\135\010\125\164\377\214\230\320\012\246\204\152\321\071
+\175
+END
+
+# Trust for "TURKTRUST Certificate Services Provider Root 2007"
+# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
+# Serial Number: 1 (0x1)
+# Subject: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
+# Not Valid Before: Tue Dec 25 18:37:19 2007
+# Not Valid After : Fri Dec 22 18:37:19 2017
+# Fingerprint (MD5): 2B:70:20:56:86:82:A0:18:C8:07:53:12:28:70:21:72
+# Fingerprint (SHA1): F1:7F:6F:B6:31:DC:99:E3:A3:C8:7F:FE:1C:F1:81:10:88:D9:60:33
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "TURKTRUST Certificate Services Provider Root 2007"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\361\177\157\266\061\334\231\343\243\310\177\376\034\361\201\020
+\210\331\140\063
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\053\160\040\126\206\202\240\030\310\007\123\022\050\160\041\162
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\277\061\077\060\075\006\003\125\004\003\014\066\124\303
+\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157
+\156\151\153\040\123\145\162\164\151\146\151\153\141\040\110\151
+\172\155\145\164\040\123\141\304\237\154\141\171\304\261\143\304
+\261\163\304\261\061\013\060\011\006\003\125\004\006\023\002\124
+\122\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141
+\162\141\061\136\060\134\006\003\125\004\012\014\125\124\303\234
+\122\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260
+\154\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151
+\305\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151
+\040\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236
+\056\040\050\143\051\040\101\162\141\154\304\261\153\040\062\060
+\060\067
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\001\001
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "D-TRUST Root Class 3 CA 2 2009"
+#
+# Issuer: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE
+# Serial Number: 623603 (0x983f3)
+# Subject: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE
+# Not Valid Before: Thu Nov 05 08:35:58 2009
+# Not Valid After : Mon Nov 05 08:35:58 2029
+# Fingerprint (MD5): CD:E0:25:69:8D:47:AC:9C:89:35:90:F7:FD:51:3D:2F
+# Fingerprint (SHA1): 58:E8:AB:B0:36:15:33:FB:80:F7:9B:1B:6D:29:D3:FF:8D:5F:00:F0
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "D-TRUST Root Class 3 CA 2 2009"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\115\061\013\060\011\006\003\125\004\006\023\002\104\105\061
+\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165\163
+\164\040\107\155\142\110\061\047\060\045\006\003\125\004\003\014
+\036\104\055\124\122\125\123\124\040\122\157\157\164\040\103\154
+\141\163\163\040\063\040\103\101\040\062\040\062\060\060\071
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\115\061\013\060\011\006\003\125\004\006\023\002\104\105\061
+\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165\163
+\164\040\107\155\142\110\061\047\060\045\006\003\125\004\003\014
+\036\104\055\124\122\125\123\124\040\122\157\157\164\040\103\154
+\141\163\163\040\063\040\103\101\040\062\040\062\060\060\071
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\003\011\203\363
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\063\060\202\003\033\240\003\002\001\002\002\003\011
+\203\363\060\015\006\011\052\206\110\206\367\015\001\001\013\005
+\000\060\115\061\013\060\011\006\003\125\004\006\023\002\104\105
+\061\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165
+\163\164\040\107\155\142\110\061\047\060\045\006\003\125\004\003
+\014\036\104\055\124\122\125\123\124\040\122\157\157\164\040\103
+\154\141\163\163\040\063\040\103\101\040\062\040\062\060\060\071
+\060\036\027\015\060\071\061\061\060\065\060\070\063\065\065\070
+\132\027\015\062\071\061\061\060\065\060\070\063\065\065\070\132
+\060\115\061\013\060\011\006\003\125\004\006\023\002\104\105\061
+\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165\163
+\164\040\107\155\142\110\061\047\060\045\006\003\125\004\003\014
+\036\104\055\124\122\125\123\124\040\122\157\157\164\040\103\154
+\141\163\163\040\063\040\103\101\040\062\040\062\060\060\071\060
+\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001
+\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000
+\323\262\112\317\172\107\357\165\233\043\372\072\057\326\120\105
+\211\065\072\306\153\333\376\333\000\150\250\340\003\021\035\067
+\120\010\237\115\112\150\224\065\263\123\321\224\143\247\040\126
+\257\336\121\170\354\052\075\363\110\110\120\076\012\337\106\125
+\213\047\155\303\020\115\015\221\122\103\330\207\340\135\116\066
+\265\041\312\137\071\100\004\137\133\176\314\243\306\053\251\100
+\036\331\066\204\326\110\363\222\036\064\106\040\044\301\244\121
+\216\112\032\357\120\077\151\135\031\177\105\303\307\001\217\121
+\311\043\350\162\256\264\274\126\011\177\022\313\034\261\257\051
+\220\012\311\125\314\017\323\264\032\355\107\065\132\112\355\234
+\163\004\041\320\252\275\014\023\265\000\312\046\154\304\153\014
+\224\132\225\224\332\120\232\361\377\245\053\146\061\244\311\070
+\240\337\035\037\270\011\056\363\247\350\147\122\253\225\037\340
+\106\076\330\244\303\312\132\305\061\200\350\110\232\237\224\151
+\376\031\335\330\163\174\201\312\226\336\216\355\263\062\005\145
+\204\064\346\346\375\127\020\265\137\166\277\057\260\020\015\305
+\002\003\001\000\001\243\202\001\032\060\202\001\026\060\017\006
+\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\035
+\006\003\125\035\016\004\026\004\024\375\332\024\304\237\060\336
+\041\275\036\102\071\374\253\143\043\111\340\361\204\060\016\006
+\003\125\035\017\001\001\377\004\004\003\002\001\006\060\201\323
+\006\003\125\035\037\004\201\313\060\201\310\060\201\200\240\176
+\240\174\206\172\154\144\141\160\072\057\057\144\151\162\145\143
+\164\157\162\171\056\144\055\164\162\165\163\164\056\156\145\164
+\057\103\116\075\104\055\124\122\125\123\124\045\062\060\122\157
+\157\164\045\062\060\103\154\141\163\163\045\062\060\063\045\062
+\060\103\101\045\062\060\062\045\062\060\062\060\060\071\054\117
+\075\104\055\124\162\165\163\164\045\062\060\107\155\142\110\054
+\103\075\104\105\077\143\145\162\164\151\146\151\143\141\164\145
+\162\145\166\157\143\141\164\151\157\156\154\151\163\164\060\103
+\240\101\240\077\206\075\150\164\164\160\072\057\057\167\167\167
+\056\144\055\164\162\165\163\164\056\156\145\164\057\143\162\154
+\057\144\055\164\162\165\163\164\137\162\157\157\164\137\143\154
+\141\163\163\137\063\137\143\141\137\062\137\062\060\060\071\056
+\143\162\154\060\015\006\011\052\206\110\206\367\015\001\001\013
+\005\000\003\202\001\001\000\177\227\333\060\310\337\244\234\175
+\041\172\200\160\316\024\022\151\210\024\225\140\104\001\254\262
+\351\060\117\233\120\302\146\330\176\215\060\265\160\061\351\342
+\151\307\363\160\333\040\025\206\320\015\360\276\254\001\165\204
+\316\176\237\115\277\267\140\073\234\363\312\035\342\136\150\330
+\243\235\227\345\100\140\322\066\041\376\320\264\270\027\332\164
+\243\177\324\337\260\230\002\254\157\153\153\054\045\044\162\241
+\145\356\045\132\345\346\062\347\362\337\253\111\372\363\220\151
+\043\333\004\331\347\134\130\374\145\324\227\276\314\374\056\012
+\314\045\052\065\004\370\140\221\025\165\075\101\377\043\037\031
+\310\154\353\202\123\004\246\344\114\042\115\215\214\272\316\133
+\163\354\144\124\120\155\321\234\125\373\151\303\066\303\214\274
+\074\205\246\153\012\046\015\340\223\230\140\256\176\306\044\227
+\212\141\137\221\216\146\222\011\207\066\315\213\233\055\076\366
+\121\324\120\324\131\050\275\203\362\314\050\173\123\206\155\330
+\046\210\160\327\352\221\315\076\271\312\300\220\156\132\306\136
+\164\145\327\134\376\243\342
+END
+
+# Trust for "D-TRUST Root Class 3 CA 2 2009"
+# Issuer: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE
+# Serial Number: 623603 (0x983f3)
+# Subject: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE
+# Not Valid Before: Thu Nov 05 08:35:58 2009
+# Not Valid After : Mon Nov 05 08:35:58 2029
+# Fingerprint (MD5): CD:E0:25:69:8D:47:AC:9C:89:35:90:F7:FD:51:3D:2F
+# Fingerprint (SHA1): 58:E8:AB:B0:36:15:33:FB:80:F7:9B:1B:6D:29:D3:FF:8D:5F:00:F0
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "D-TRUST Root Class 3 CA 2 2009"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\130\350\253\260\066\025\063\373\200\367\233\033\155\051\323\377
+\215\137\000\360
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\315\340\045\151\215\107\254\234\211\065\220\367\375\121\075\057
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\115\061\013\060\011\006\003\125\004\006\023\002\104\105\061
+\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165\163
+\164\040\107\155\142\110\061\047\060\045\006\003\125\004\003\014
+\036\104\055\124\122\125\123\124\040\122\157\157\164\040\103\154
+\141\163\163\040\063\040\103\101\040\062\040\062\060\060\071
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\003\011\203\363
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "D-TRUST Root Class 3 CA 2 EV 2009"
+#
+# Issuer: CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE
+# Serial Number: 623604 (0x983f4)
+# Subject: CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE
+# Not Valid Before: Thu Nov 05 08:50:46 2009
+# Not Valid After : Mon Nov 05 08:50:46 2029
+# Fingerprint (MD5): AA:C6:43:2C:5E:2D:CD:C4:34:C0:50:4F:11:02:4F:B6
+# Fingerprint (SHA1): 96:C9:1B:0B:95:B4:10:98:42:FA:D0:D8:22:79:FE:60:FA:B9:16:83
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "D-TRUST Root Class 3 CA 2 EV 2009"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\120\061\013\060\011\006\003\125\004\006\023\002\104\105\061
+\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165\163
+\164\040\107\155\142\110\061\052\060\050\006\003\125\004\003\014
+\041\104\055\124\122\125\123\124\040\122\157\157\164\040\103\154
+\141\163\163\040\063\040\103\101\040\062\040\105\126\040\062\060
+\060\071
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\120\061\013\060\011\006\003\125\004\006\023\002\104\105\061
+\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165\163
+\164\040\107\155\142\110\061\052\060\050\006\003\125\004\003\014
+\041\104\055\124\122\125\123\124\040\122\157\157\164\040\103\154
+\141\163\163\040\063\040\103\101\040\062\040\105\126\040\062\060
+\060\071
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\003\011\203\364
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\103\060\202\003\053\240\003\002\001\002\002\003\011
+\203\364\060\015\006\011\052\206\110\206\367\015\001\001\013\005
+\000\060\120\061\013\060\011\006\003\125\004\006\023\002\104\105
+\061\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165
+\163\164\040\107\155\142\110\061\052\060\050\006\003\125\004\003
+\014\041\104\055\124\122\125\123\124\040\122\157\157\164\040\103
+\154\141\163\163\040\063\040\103\101\040\062\040\105\126\040\062
+\060\060\071\060\036\027\015\060\071\061\061\060\065\060\070\065
+\060\064\066\132\027\015\062\071\061\061\060\065\060\070\065\060
+\064\066\132\060\120\061\013\060\011\006\003\125\004\006\023\002
+\104\105\061\025\060\023\006\003\125\004\012\014\014\104\055\124
+\162\165\163\164\040\107\155\142\110\061\052\060\050\006\003\125
+\004\003\014\041\104\055\124\122\125\123\124\040\122\157\157\164
+\040\103\154\141\163\163\040\063\040\103\101\040\062\040\105\126
+\040\062\060\060\071\060\202\001\042\060\015\006\011\052\206\110
+\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001
+\012\002\202\001\001\000\231\361\204\064\160\272\057\267\060\240
+\216\275\174\004\317\276\142\274\231\375\202\227\322\172\012\147
+\226\070\011\366\020\116\225\042\163\231\215\332\025\055\347\005
+\374\031\163\042\267\216\230\000\274\074\075\254\241\154\373\326
+\171\045\113\255\360\314\144\332\210\076\051\270\017\011\323\064
+\335\063\365\142\321\341\315\031\351\356\030\117\114\130\256\342
+\036\326\014\133\025\132\330\072\270\304\030\144\036\343\063\262
+\265\211\167\116\014\277\331\224\153\023\227\157\022\243\376\231
+\251\004\314\025\354\140\150\066\355\010\173\267\365\277\223\355
+\146\061\203\214\306\161\064\207\116\027\352\257\213\221\215\034
+\126\101\256\042\067\136\067\362\035\331\321\055\015\057\151\121
+\247\276\146\246\212\072\052\275\307\032\261\341\024\360\276\072
+\035\271\317\133\261\152\376\264\261\106\040\242\373\036\073\160
+\357\223\230\175\214\163\226\362\305\357\205\160\255\051\046\374
+\036\004\076\034\240\330\017\313\122\203\142\174\356\213\123\225
+\220\251\127\242\352\141\005\330\371\115\304\047\372\156\255\355
+\371\327\121\367\153\245\002\003\001\000\001\243\202\001\044\060
+\202\001\040\060\017\006\003\125\035\023\001\001\377\004\005\060
+\003\001\001\377\060\035\006\003\125\035\016\004\026\004\024\323
+\224\212\114\142\023\052\031\056\314\257\162\212\175\066\327\232
+\034\334\147\060\016\006\003\125\035\017\001\001\377\004\004\003
+\002\001\006\060\201\335\006\003\125\035\037\004\201\325\060\201
+\322\060\201\207\240\201\204\240\201\201\206\177\154\144\141\160
+\072\057\057\144\151\162\145\143\164\157\162\171\056\144\055\164
+\162\165\163\164\056\156\145\164\057\103\116\075\104\055\124\122
+\125\123\124\045\062\060\122\157\157\164\045\062\060\103\154\141
+\163\163\045\062\060\063\045\062\060\103\101\045\062\060\062\045
+\062\060\105\126\045\062\060\062\060\060\071\054\117\075\104\055
+\124\162\165\163\164\045\062\060\107\155\142\110\054\103\075\104
+\105\077\143\145\162\164\151\146\151\143\141\164\145\162\145\166
+\157\143\141\164\151\157\156\154\151\163\164\060\106\240\104\240
+\102\206\100\150\164\164\160\072\057\057\167\167\167\056\144\055
+\164\162\165\163\164\056\156\145\164\057\143\162\154\057\144\055
+\164\162\165\163\164\137\162\157\157\164\137\143\154\141\163\163
+\137\063\137\143\141\137\062\137\145\166\137\062\060\060\071\056
+\143\162\154\060\015\006\011\052\206\110\206\367\015\001\001\013
+\005\000\003\202\001\001\000\064\355\173\132\074\244\224\210\357
+\032\021\165\007\057\263\376\074\372\036\121\046\353\207\366\051
+\336\340\361\324\306\044\011\351\301\317\125\033\264\060\331\316
+\032\376\006\121\246\025\244\055\357\262\113\277\040\050\045\111
+\321\246\066\167\064\350\144\337\122\261\021\307\163\172\315\071
+\236\302\255\214\161\041\362\132\153\257\337\074\116\125\257\262
+\204\145\024\211\271\167\313\052\061\276\317\243\155\317\157\110
+\224\062\106\157\347\161\214\240\246\204\031\067\007\362\003\105
+\011\053\206\165\174\337\137\151\127\000\333\156\330\246\162\042
+\113\120\324\165\230\126\337\267\030\377\103\103\120\256\172\104
+\173\360\171\121\327\103\075\247\323\201\323\360\311\117\271\332
+\306\227\206\320\202\303\344\102\155\376\260\342\144\116\016\046
+\347\100\064\046\265\010\211\327\010\143\143\070\047\165\036\063
+\352\156\250\335\237\231\117\164\115\201\211\200\113\335\232\227
+\051\134\057\276\201\101\271\214\377\352\175\140\006\236\315\327
+\075\323\056\243\025\274\250\346\046\345\157\303\334\270\003\041
+\352\237\026\361\054\124\265
+END
+
+# Trust for "D-TRUST Root Class 3 CA 2 EV 2009"
+# Issuer: CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE
+# Serial Number: 623604 (0x983f4)
+# Subject: CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE
+# Not Valid Before: Thu Nov 05 08:50:46 2009
+# Not Valid After : Mon Nov 05 08:50:46 2029
+# Fingerprint (MD5): AA:C6:43:2C:5E:2D:CD:C4:34:C0:50:4F:11:02:4F:B6
+# Fingerprint (SHA1): 96:C9:1B:0B:95:B4:10:98:42:FA:D0:D8:22:79:FE:60:FA:B9:16:83
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "D-TRUST Root Class 3 CA 2 EV 2009"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\226\311\033\013\225\264\020\230\102\372\320\330\042\171\376\140
+\372\271\026\203
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\252\306\103\054\136\055\315\304\064\300\120\117\021\002\117\266
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\120\061\013\060\011\006\003\125\004\006\023\002\104\105\061
+\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165\163
+\164\040\107\155\142\110\061\052\060\050\006\003\125\004\003\014
+\041\104\055\124\122\125\123\124\040\122\157\157\164\040\103\154
+\141\163\163\040\063\040\103\101\040\062\040\105\126\040\062\060
+\060\071
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\003\011\203\364
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "PSCProcert"
+#
+# Issuer: E=acraiz@suscerte.gob.ve,OU=Superintendencia de Servicios de Certificacion Electronica,O=Sistema Nacional de Certificacion Electronica,ST=Distrito Capital,L=Caracas,C=VE,CN=Autoridad de Certificacion Raiz del Estado Venezolano
+# Serial Number: 11 (0xb)
+# Subject: CN=PSCProcert,C=VE,O=Sistema Nacional de Certificacion Electronica,OU=Proveedor de Certificados PROCERT,ST=Miranda,L=Chacao,E=contacto@procert.net.ve
+# Not Valid Before: Tue Dec 28 16:51:00 2010
+# Not Valid After : Fri Dec 25 23:59:59 2020
+# Fingerprint (MD5): E6:24:E9:12:01:AE:0C:DE:8E:85:C4:CE:A3:12:DD:EC
+# Fingerprint (SHA1): 70:C1:8D:74:B4:28:81:0A:E4:FD:A5:75:D7:01:9F:99:B0:3D:50:74
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "PSCProcert"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\321\061\046\060\044\006\011\052\206\110\206\367\015\001
+\011\001\026\027\143\157\156\164\141\143\164\157\100\160\162\157
+\143\145\162\164\056\156\145\164\056\166\145\061\017\060\015\006
+\003\125\004\007\023\006\103\150\141\143\141\157\061\020\060\016
+\006\003\125\004\010\023\007\115\151\162\141\156\144\141\061\052
+\060\050\006\003\125\004\013\023\041\120\162\157\166\145\145\144
+\157\162\040\144\145\040\103\145\162\164\151\146\151\143\141\144
+\157\163\040\120\122\117\103\105\122\124\061\066\060\064\006\003
+\125\004\012\023\055\123\151\163\164\145\155\141\040\116\141\143
+\151\157\156\141\154\040\144\145\040\103\145\162\164\151\146\151
+\143\141\143\151\157\156\040\105\154\145\143\164\162\157\156\151
+\143\141\061\013\060\011\006\003\125\004\006\023\002\126\105\061
+\023\060\021\006\003\125\004\003\023\012\120\123\103\120\162\157
+\143\145\162\164
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\202\001\036\061\076\060\074\006\003\125\004\003\023\065\101
+\165\164\157\162\151\144\141\144\040\144\145\040\103\145\162\164
+\151\146\151\143\141\143\151\157\156\040\122\141\151\172\040\144
+\145\154\040\105\163\164\141\144\157\040\126\145\156\145\172\157
+\154\141\156\157\061\013\060\011\006\003\125\004\006\023\002\126
+\105\061\020\060\016\006\003\125\004\007\023\007\103\141\162\141
+\143\141\163\061\031\060\027\006\003\125\004\010\023\020\104\151
+\163\164\162\151\164\157\040\103\141\160\151\164\141\154\061\066
+\060\064\006\003\125\004\012\023\055\123\151\163\164\145\155\141
+\040\116\141\143\151\157\156\141\154\040\144\145\040\103\145\162
+\164\151\146\151\143\141\143\151\157\156\040\105\154\145\143\164
+\162\157\156\151\143\141\061\103\060\101\006\003\125\004\013\023
+\072\123\165\160\145\162\151\156\164\145\156\144\145\156\143\151
+\141\040\144\145\040\123\145\162\166\151\143\151\157\163\040\144
+\145\040\103\145\162\164\151\146\151\143\141\143\151\157\156\040
+\105\154\145\143\164\162\157\156\151\143\141\061\045\060\043\006
+\011\052\206\110\206\367\015\001\011\001\026\026\141\143\162\141
+\151\172\100\163\165\163\143\145\162\164\145\056\147\157\142\056
+\166\145
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\001\013
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\011\206\060\202\007\156\240\003\002\001\002\002\001\013
+\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060
+\202\001\036\061\076\060\074\006\003\125\004\003\023\065\101\165
+\164\157\162\151\144\141\144\040\144\145\040\103\145\162\164\151
+\146\151\143\141\143\151\157\156\040\122\141\151\172\040\144\145
+\154\040\105\163\164\141\144\157\040\126\145\156\145\172\157\154
+\141\156\157\061\013\060\011\006\003\125\004\006\023\002\126\105
+\061\020\060\016\006\003\125\004\007\023\007\103\141\162\141\143
+\141\163\061\031\060\027\006\003\125\004\010\023\020\104\151\163
+\164\162\151\164\157\040\103\141\160\151\164\141\154\061\066\060
+\064\006\003\125\004\012\023\055\123\151\163\164\145\155\141\040
+\116\141\143\151\157\156\141\154\040\144\145\040\103\145\162\164
+\151\146\151\143\141\143\151\157\156\040\105\154\145\143\164\162
+\157\156\151\143\141\061\103\060\101\006\003\125\004\013\023\072
+\123\165\160\145\162\151\156\164\145\156\144\145\156\143\151\141
+\040\144\145\040\123\145\162\166\151\143\151\157\163\040\144\145
+\040\103\145\162\164\151\146\151\143\141\143\151\157\156\040\105
+\154\145\143\164\162\157\156\151\143\141\061\045\060\043\006\011
+\052\206\110\206\367\015\001\011\001\026\026\141\143\162\141\151
+\172\100\163\165\163\143\145\162\164\145\056\147\157\142\056\166
+\145\060\036\027\015\061\060\061\062\062\070\061\066\065\061\060
+\060\132\027\015\062\060\061\062\062\065\062\063\065\071\065\071
+\132\060\201\321\061\046\060\044\006\011\052\206\110\206\367\015
+\001\011\001\026\027\143\157\156\164\141\143\164\157\100\160\162
+\157\143\145\162\164\056\156\145\164\056\166\145\061\017\060\015
+\006\003\125\004\007\023\006\103\150\141\143\141\157\061\020\060
+\016\006\003\125\004\010\023\007\115\151\162\141\156\144\141\061
+\052\060\050\006\003\125\004\013\023\041\120\162\157\166\145\145
+\144\157\162\040\144\145\040\103\145\162\164\151\146\151\143\141
+\144\157\163\040\120\122\117\103\105\122\124\061\066\060\064\006
+\003\125\004\012\023\055\123\151\163\164\145\155\141\040\116\141
+\143\151\157\156\141\154\040\144\145\040\103\145\162\164\151\146
+\151\143\141\143\151\157\156\040\105\154\145\143\164\162\157\156
+\151\143\141\061\013\060\011\006\003\125\004\006\023\002\126\105
+\061\023\060\021\006\003\125\004\003\023\012\120\123\103\120\162
+\157\143\145\162\164\060\202\002\042\060\015\006\011\052\206\110
+\206\367\015\001\001\001\005\000\003\202\002\017\000\060\202\002
+\012\002\202\002\001\000\325\267\364\243\224\063\241\106\251\125
+\141\111\015\250\207\163\136\221\055\160\301\006\032\224\332\075
+\354\025\102\301\365\214\256\152\027\361\212\255\374\200\225\352
+\203\104\242\133\172\125\316\117\247\245\325\272\270\037\240\047
+\300\120\123\076\215\271\300\016\270\025\334\326\154\370\236\370
+\004\045\337\200\217\020\205\335\175\057\173\200\335\127\000\144
+\043\370\156\311\276\225\117\341\165\354\340\176\136\225\315\261
+\357\276\172\102\330\311\054\323\353\032\032\042\213\267\177\006
+\211\345\074\365\022\300\273\323\013\231\137\220\174\216\055\057
+\167\063\222\112\041\106\250\251\010\254\361\366\021\002\331\225
+\026\236\215\057\226\346\002\335\165\302\024\052\132\326\311\175
+\045\302\301\374\252\147\205\342\354\276\321\174\074\372\257\325
+\156\377\123\101\324\365\062\070\261\342\137\304\371\216\020\357
+\006\251\002\211\377\343\014\156\227\340\337\235\333\041\320\364
+\076\010\151\154\330\324\344\066\370\203\266\262\066\217\234\357
+\072\067\026\175\277\242\151\327\073\133\162\320\257\252\077\134
+\146\223\254\012\042\141\266\322\240\231\310\124\223\135\250\266
+\321\275\135\012\136\167\224\242\055\300\202\216\274\312\003\052
+\064\256\163\361\324\265\014\275\276\147\233\124\353\341\372\240
+\132\354\070\176\076\301\314\242\307\104\061\165\352\077\345\007
+\322\253\241\045\226\366\346\344\240\135\067\030\071\141\000\063
+\135\106\324\000\304\264\312\074\361\242\243\076\363\072\377\151
+\060\056\100\335\366\237\234\046\311\226\067\255\347\071\242\277
+\352\151\333\125\042\225\123\052\224\265\337\255\026\070\201\165
+\146\343\307\054\033\223\234\252\214\243\312\331\154\074\027\155
+\234\334\174\123\340\040\047\103\066\371\022\341\074\134\275\146
+\277\242\151\043\070\270\231\140\231\016\126\123\072\234\176\024
+\214\260\006\157\361\206\166\220\257\375\257\376\220\306\217\237
+\177\213\222\043\234\347\025\166\217\325\213\224\023\162\151\373
+\053\141\143\210\357\346\244\136\346\243\027\152\130\107\313\161
+\117\024\013\136\310\002\010\046\242\313\351\257\153\212\031\307
+\313\024\126\365\341\332\265\331\374\277\163\070\332\371\347\257
+\156\244\067\342\007\047\002\003\001\000\001\243\202\003\027\060
+\202\003\023\060\022\006\003\125\035\023\001\001\377\004\010\060
+\006\001\001\377\002\001\001\060\067\006\003\125\035\022\004\060
+\060\056\202\017\163\165\163\143\145\162\164\145\056\147\157\142
+\056\166\145\240\033\006\005\140\206\136\002\002\240\022\014\020
+\122\111\106\055\107\055\062\060\060\060\064\060\063\066\055\060
+\060\035\006\003\125\035\016\004\026\004\024\101\017\031\070\252
+\231\177\102\013\244\327\047\230\124\242\027\114\055\121\124\060
+\202\001\120\006\003\125\035\043\004\202\001\107\060\202\001\103
+\200\024\255\273\042\035\306\340\322\001\250\375\166\120\122\223
+\355\230\301\115\256\323\241\202\001\046\244\202\001\042\060\202
+\001\036\061\076\060\074\006\003\125\004\003\023\065\101\165\164
+\157\162\151\144\141\144\040\144\145\040\103\145\162\164\151\146
+\151\143\141\143\151\157\156\040\122\141\151\172\040\144\145\154
+\040\105\163\164\141\144\157\040\126\145\156\145\172\157\154\141
+\156\157\061\013\060\011\006\003\125\004\006\023\002\126\105\061
+\020\060\016\006\003\125\004\007\023\007\103\141\162\141\143\141
+\163\061\031\060\027\006\003\125\004\010\023\020\104\151\163\164
+\162\151\164\157\040\103\141\160\151\164\141\154\061\066\060\064
+\006\003\125\004\012\023\055\123\151\163\164\145\155\141\040\116
+\141\143\151\157\156\141\154\040\144\145\040\103\145\162\164\151
+\146\151\143\141\143\151\157\156\040\105\154\145\143\164\162\157
+\156\151\143\141\061\103\060\101\006\003\125\004\013\023\072\123
+\165\160\145\162\151\156\164\145\156\144\145\156\143\151\141\040
+\144\145\040\123\145\162\166\151\143\151\157\163\040\144\145\040
+\103\145\162\164\151\146\151\143\141\143\151\157\156\040\105\154
+\145\143\164\162\157\156\151\143\141\061\045\060\043\006\011\052
+\206\110\206\367\015\001\011\001\026\026\141\143\162\141\151\172
+\100\163\165\163\143\145\162\164\145\056\147\157\142\056\166\145
+\202\001\012\060\016\006\003\125\035\017\001\001\377\004\004\003
+\002\001\006\060\115\006\003\125\035\021\004\106\060\104\202\016
+\160\162\157\143\145\162\164\056\156\145\164\056\166\145\240\025
+\006\005\140\206\136\002\001\240\014\014\012\120\123\103\055\060
+\060\060\060\060\062\240\033\006\005\140\206\136\002\002\240\022
+\014\020\122\111\106\055\112\055\063\061\066\063\065\063\067\063
+\055\067\060\166\006\003\125\035\037\004\157\060\155\060\106\240
+\104\240\102\206\100\150\164\164\160\072\057\057\167\167\167\056
+\163\165\163\143\145\162\164\145\056\147\157\142\056\166\145\057
+\154\143\162\057\103\105\122\124\111\106\111\103\101\104\117\055
+\122\101\111\132\055\123\110\101\063\070\064\103\122\114\104\105
+\122\056\143\162\154\060\043\240\041\240\037\206\035\154\144\141
+\160\072\057\057\141\143\162\141\151\172\056\163\165\163\143\145
+\162\164\145\056\147\157\142\056\166\145\060\067\006\010\053\006
+\001\005\005\007\001\001\004\053\060\051\060\047\006\010\053\006
+\001\005\005\007\060\001\206\033\150\164\164\160\072\057\057\157
+\143\163\160\056\163\165\163\143\145\162\164\145\056\147\157\142
+\056\166\145\060\101\006\003\125\035\040\004\072\060\070\060\066
+\006\006\140\206\136\003\001\002\060\054\060\052\006\010\053\006
+\001\005\005\007\002\001\026\036\150\164\164\160\072\057\057\167
+\167\167\056\163\165\163\143\145\162\164\145\056\147\157\142\056
+\166\145\057\144\160\143\060\015\006\011\052\206\110\206\367\015
+\001\001\013\005\000\003\202\002\001\000\053\131\353\042\231\273
+\204\252\117\336\220\306\321\206\161\043\236\113\003\221\107\160
+\273\300\222\140\354\340\324\347\155\306\323\355\147\203\167\122
+\325\362\345\167\247\066\262\343\124\276\331\273\012\233\021\357
+\141\364\306\231\063\231\365\257\000\071\215\203\277\246\275\065
+\176\054\134\061\064\157\154\333\363\144\001\230\252\224\054\101
+\335\025\206\312\153\051\116\026\300\111\374\327\203\110\023\007
+\121\204\061\122\210\273\206\027\307\153\057\212\040\255\305\013
+\217\160\076\052\273\033\161\217\271\244\240\375\330\225\331\257
+\131\277\045\053\230\351\143\223\057\140\036\304\252\370\167\365
+\213\154\057\355\176\056\265\117\100\015\356\274\127\167\347\331
+\266\324\077\225\047\072\040\325\345\256\253\154\065\237\301\241
+\035\131\334\204\201\356\115\007\342\110\266\236\113\225\055\101
+\261\341\350\336\176\057\005\036\150\356\277\273\220\145\072\310
+\356\352\261\030\067\034\142\223\244\240\061\354\161\154\221\346
+\244\171\211\132\024\247\024\120\005\114\244\000\127\060\054\301
+\265\141\226\334\076\036\204\257\071\102\317\345\320\054\261\044
+\274\337\100\303\355\177\143\112\275\341\117\022\144\206\225\363
+\260\347\310\267\341\123\275\222\346\363\014\226\271\353\350\346
+\222\355\247\201\011\024\013\374\225\172\317\217\326\064\117\066
+\022\334\136\321\064\165\306\106\200\057\225\004\214\307\206\304
+\250\046\211\250\077\031\233\201\273\121\244\112\206\253\013\021
+\017\261\256\143\123\155\050\352\335\063\126\070\034\262\255\200
+\323\327\162\275\232\154\231\143\350\000\273\101\166\005\267\133
+\231\030\212\303\270\022\134\126\317\126\014\175\350\342\317\355
+\274\164\107\373\356\323\027\116\042\117\126\377\120\363\056\346
+\071\246\202\326\161\312\336\267\325\272\150\010\355\231\314\375
+\242\222\313\151\270\235\371\012\244\246\076\117\223\050\052\141
+\154\007\046\000\377\226\137\150\206\270\270\316\312\125\340\253
+\261\075\177\230\327\063\016\132\075\330\170\302\304\140\057\307
+\142\360\141\221\322\070\260\366\236\125\333\100\200\005\022\063
+\316\035\222\233\321\151\263\377\277\361\222\012\141\065\077\335
+\376\206\364\274\340\032\161\263\142\246
+END
+
+# Trust for "PSCProcert"
+# Issuer: E=acraiz@suscerte.gob.ve,OU=Superintendencia de Servicios de Certificacion Electronica,O=Sistema Nacional de Certificacion Electronica,ST=Distrito Capital,L=Caracas,C=VE,CN=Autoridad de Certificacion Raiz del Estado Venezolano
+# Serial Number: 11 (0xb)
+# Subject: CN=PSCProcert,C=VE,O=Sistema Nacional de Certificacion Electronica,OU=Proveedor de Certificados PROCERT,ST=Miranda,L=Chacao,E=contacto@procert.net.ve
+# Not Valid Before: Tue Dec 28 16:51:00 2010
+# Not Valid After : Fri Dec 25 23:59:59 2020
+# Fingerprint (MD5): E6:24:E9:12:01:AE:0C:DE:8E:85:C4:CE:A3:12:DD:EC
+# Fingerprint (SHA1): 70:C1:8D:74:B4:28:81:0A:E4:FD:A5:75:D7:01:9F:99:B0:3D:50:74
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "PSCProcert"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\160\301\215\164\264\050\201\012\344\375\245\165\327\001\237\231
+\260\075\120\164
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\346\044\351\022\001\256\014\336\216\205\304\316\243\022\335\354
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\202\001\036\061\076\060\074\006\003\125\004\003\023\065\101
+\165\164\157\162\151\144\141\144\040\144\145\040\103\145\162\164
+\151\146\151\143\141\143\151\157\156\040\122\141\151\172\040\144
+\145\154\040\105\163\164\141\144\157\040\126\145\156\145\172\157
+\154\141\156\157\061\013\060\011\006\003\125\004\006\023\002\126
+\105\061\020\060\016\006\003\125\004\007\023\007\103\141\162\141
+\143\141\163\061\031\060\027\006\003\125\004\010\023\020\104\151
+\163\164\162\151\164\157\040\103\141\160\151\164\141\154\061\066
+\060\064\006\003\125\004\012\023\055\123\151\163\164\145\155\141
+\040\116\141\143\151\157\156\141\154\040\144\145\040\103\145\162
+\164\151\146\151\143\141\143\151\157\156\040\105\154\145\143\164
+\162\157\156\151\143\141\061\103\060\101\006\003\125\004\013\023
+\072\123\165\160\145\162\151\156\164\145\156\144\145\156\143\151
+\141\040\144\145\040\123\145\162\166\151\143\151\157\163\040\144
+\145\040\103\145\162\164\151\146\151\143\141\143\151\157\156\040
+\105\154\145\143\164\162\157\156\151\143\141\061\045\060\043\006
+\011\052\206\110\206\367\015\001\011\001\026\026\141\143\162\141
+\151\172\100\163\165\163\143\145\162\164\145\056\147\157\142\056
+\166\145
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\001\013
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "China Internet Network Information Center EV Certificates Root"
+#
+# Issuer: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN
+# Serial Number: 1218379777 (0x489f0001)
+# Subject: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN
+# Not Valid Before: Tue Aug 31 07:11:25 2010
+# Not Valid After : Sat Aug 31 07:11:25 2030
+# Fingerprint (MD5): 55:5D:63:00:97:BD:6A:97:F5:67:AB:4B:FB:6E:63:15
+# Fingerprint (SHA1): 4F:99:AA:93:FB:2B:D1:37:26:A1:99:4A:CE:7F:F0:05:F2:93:5D:1E
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "China Internet Network Information Center EV Certificates Root"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\212\061\013\060\011\006\003\125\004\006\023\002\103\116
+\061\062\060\060\006\003\125\004\012\014\051\103\150\151\156\141
+\040\111\156\164\145\162\156\145\164\040\116\145\164\167\157\162
+\153\040\111\156\146\157\162\155\141\164\151\157\156\040\103\145
+\156\164\145\162\061\107\060\105\006\003\125\004\003\014\076\103
+\150\151\156\141\040\111\156\164\145\162\156\145\164\040\116\145
+\164\167\157\162\153\040\111\156\146\157\162\155\141\164\151\157
+\156\040\103\145\156\164\145\162\040\105\126\040\103\145\162\164
+\151\146\151\143\141\164\145\163\040\122\157\157\164
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\212\061\013\060\011\006\003\125\004\006\023\002\103\116
+\061\062\060\060\006\003\125\004\012\014\051\103\150\151\156\141
+\040\111\156\164\145\162\156\145\164\040\116\145\164\167\157\162
+\153\040\111\156\146\157\162\155\141\164\151\157\156\040\103\145
+\156\164\145\162\061\107\060\105\006\003\125\004\003\014\076\103
+\150\151\156\141\040\111\156\164\145\162\156\145\164\040\116\145
+\164\167\157\162\153\040\111\156\146\157\162\155\141\164\151\157
+\156\040\103\145\156\164\145\162\040\105\126\040\103\145\162\164
+\151\146\151\143\141\164\145\163\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\004\110\237\000\001
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\367\060\202\002\337\240\003\002\001\002\002\004\110
+\237\000\001\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\060\201\212\061\013\060\011\006\003\125\004\006\023\002
+\103\116\061\062\060\060\006\003\125\004\012\014\051\103\150\151
+\156\141\040\111\156\164\145\162\156\145\164\040\116\145\164\167
+\157\162\153\040\111\156\146\157\162\155\141\164\151\157\156\040
+\103\145\156\164\145\162\061\107\060\105\006\003\125\004\003\014
+\076\103\150\151\156\141\040\111\156\164\145\162\156\145\164\040
+\116\145\164\167\157\162\153\040\111\156\146\157\162\155\141\164
+\151\157\156\040\103\145\156\164\145\162\040\105\126\040\103\145
+\162\164\151\146\151\143\141\164\145\163\040\122\157\157\164\060
+\036\027\015\061\060\060\070\063\061\060\067\061\061\062\065\132
+\027\015\063\060\060\070\063\061\060\067\061\061\062\065\132\060
+\201\212\061\013\060\011\006\003\125\004\006\023\002\103\116\061
+\062\060\060\006\003\125\004\012\014\051\103\150\151\156\141\040
+\111\156\164\145\162\156\145\164\040\116\145\164\167\157\162\153
+\040\111\156\146\157\162\155\141\164\151\157\156\040\103\145\156
+\164\145\162\061\107\060\105\006\003\125\004\003\014\076\103\150
+\151\156\141\040\111\156\164\145\162\156\145\164\040\116\145\164
+\167\157\162\153\040\111\156\146\157\162\155\141\164\151\157\156
+\040\103\145\156\164\145\162\040\105\126\040\103\145\162\164\151
+\146\151\143\141\164\145\163\040\122\157\157\164\060\202\001\042
+\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
+\202\001\017\000\060\202\001\012\002\202\001\001\000\233\176\163
+\356\275\073\170\252\144\103\101\365\120\337\224\362\056\262\215
+\112\216\106\124\322\041\022\310\071\062\102\006\351\203\325\237
+\122\355\345\147\003\073\124\301\214\231\231\314\351\300\017\377
+\015\331\204\021\262\270\321\313\133\334\036\371\150\061\144\341
+\233\372\164\353\150\271\040\225\367\306\017\215\107\254\132\006
+\335\141\253\342\354\330\237\027\055\234\312\074\065\227\125\161
+\315\103\205\261\107\026\365\054\123\200\166\317\323\000\144\275
+\100\231\335\314\330\333\304\237\326\023\137\101\203\213\371\015
+\207\222\126\064\154\032\020\013\027\325\132\034\227\130\204\074
+\204\032\056\134\221\064\156\031\137\177\027\151\305\145\357\153
+\041\306\325\120\072\277\141\271\005\215\357\157\064\072\262\157
+\024\143\277\026\073\233\251\052\375\267\053\070\146\006\305\054
+\342\252\147\036\105\247\215\004\146\102\366\217\053\357\210\040
+\151\217\062\214\024\163\332\053\206\221\143\042\232\362\247\333
+\316\211\213\253\135\307\024\301\133\060\152\037\261\267\236\056
+\201\001\002\355\317\226\136\143\333\250\346\070\267\002\003\001
+\000\001\243\143\060\141\060\037\006\003\125\035\043\004\030\060
+\026\200\024\174\162\113\071\307\300\333\142\245\117\233\252\030
+\064\222\242\312\203\202\131\060\017\006\003\125\035\023\001\001
+\377\004\005\060\003\001\001\377\060\016\006\003\125\035\017\001
+\001\377\004\004\003\002\001\006\060\035\006\003\125\035\016\004
+\026\004\024\174\162\113\071\307\300\333\142\245\117\233\252\030
+\064\222\242\312\203\202\131\060\015\006\011\052\206\110\206\367
+\015\001\001\005\005\000\003\202\001\001\000\052\303\307\103\067
+\217\335\255\244\262\014\356\334\024\155\217\050\244\230\111\313
+\014\200\352\363\355\043\146\165\175\305\323\041\147\171\321\163
+\305\265\003\267\130\254\014\124\057\306\126\023\017\061\332\006
+\347\145\073\035\157\066\333\310\035\371\375\200\006\312\243\075
+\146\026\250\235\114\026\175\300\225\106\265\121\344\342\037\327
+\352\006\115\143\215\226\214\357\347\063\127\102\072\353\214\301
+\171\310\115\166\175\336\366\261\267\201\340\240\371\241\170\106
+\027\032\126\230\360\116\075\253\034\355\354\071\334\007\110\367
+\143\376\006\256\302\244\134\152\133\062\210\305\307\063\205\254
+\146\102\107\302\130\044\231\341\345\076\345\165\054\216\103\326
+\135\074\170\036\250\225\202\051\120\321\321\026\272\357\301\276
+\172\331\264\330\314\036\114\106\341\167\261\061\253\275\052\310
+\316\217\156\241\135\177\003\165\064\344\255\211\105\124\136\276
+\256\050\245\273\077\170\171\353\163\263\012\015\375\276\311\367
+\126\254\366\267\355\057\233\041\051\307\070\266\225\304\004\362
+\303\055\375\024\052\220\231\271\007\314\237
+END
+
+# Trust for "China Internet Network Information Center EV Certificates Root"
+# Issuer: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN
+# Serial Number: 1218379777 (0x489f0001)
+# Subject: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN
+# Not Valid Before: Tue Aug 31 07:11:25 2010
+# Not Valid After : Sat Aug 31 07:11:25 2030
+# Fingerprint (MD5): 55:5D:63:00:97:BD:6A:97:F5:67:AB:4B:FB:6E:63:15
+# Fingerprint (SHA1): 4F:99:AA:93:FB:2B:D1:37:26:A1:99:4A:CE:7F:F0:05:F2:93:5D:1E
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "China Internet Network Information Center EV Certificates Root"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\117\231\252\223\373\053\321\067\046\241\231\112\316\177\360\005
+\362\223\135\036
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\125\135\143\000\227\275\152\227\365\147\253\113\373\156\143\025
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\212\061\013\060\011\006\003\125\004\006\023\002\103\116
+\061\062\060\060\006\003\125\004\012\014\051\103\150\151\156\141
+\040\111\156\164\145\162\156\145\164\040\116\145\164\167\157\162
+\153\040\111\156\146\157\162\155\141\164\151\157\156\040\103\145
+\156\164\145\162\061\107\060\105\006\003\125\004\003\014\076\103
+\150\151\156\141\040\111\156\164\145\162\156\145\164\040\116\145
+\164\167\157\162\153\040\111\156\146\157\162\155\141\164\151\157
+\156\040\103\145\156\164\145\162\040\105\126\040\103\145\162\164
+\151\146\151\143\141\164\145\163\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\004\110\237\000\001
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "Swisscom Root CA 2"
+#
+# Issuer: CN=Swisscom Root CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
+# Serial Number:1e:9e:28:e8:48:f2:e5:ef:c3:7c:4a:1e:5a:18:67:b6
+# Subject: CN=Swisscom Root CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
+# Not Valid Before: Fri Jun 24 08:38:14 2011
+# Not Valid After : Wed Jun 25 07:38:14 2031
+# Fingerprint (MD5): 5B:04:69:EC:A5:83:94:63:18:A7:86:D0:E4:F2:6E:19
+# Fingerprint (SHA1): 77:47:4F:C6:30:E4:0F:4C:47:64:3F:84:BA:B8:C6:95:4A:8A:41:EC
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Swisscom Root CA 2"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\144\061\013\060\011\006\003\125\004\006\023\002\143\150\061
+\021\060\017\006\003\125\004\012\023\010\123\167\151\163\163\143
+\157\155\061\045\060\043\006\003\125\004\013\023\034\104\151\147
+\151\164\141\154\040\103\145\162\164\151\146\151\143\141\164\145
+\040\123\145\162\166\151\143\145\163\061\033\060\031\006\003\125
+\004\003\023\022\123\167\151\163\163\143\157\155\040\122\157\157
+\164\040\103\101\040\062
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\144\061\013\060\011\006\003\125\004\006\023\002\143\150\061
+\021\060\017\006\003\125\004\012\023\010\123\167\151\163\163\143
+\157\155\061\045\060\043\006\003\125\004\013\023\034\104\151\147
+\151\164\141\154\040\103\145\162\164\151\146\151\143\141\164\145
+\040\123\145\162\166\151\143\145\163\061\033\060\031\006\003\125
+\004\003\023\022\123\167\151\163\163\143\157\155\040\122\157\157
+\164\040\103\101\040\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\036\236\050\350\110\362\345\357\303\174\112\036\132\030
+\147\266
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\331\060\202\003\301\240\003\002\001\002\002\020\036
+\236\050\350\110\362\345\357\303\174\112\036\132\030\147\266\060
+\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060\144
+\061\013\060\011\006\003\125\004\006\023\002\143\150\061\021\060
+\017\006\003\125\004\012\023\010\123\167\151\163\163\143\157\155
+\061\045\060\043\006\003\125\004\013\023\034\104\151\147\151\164
+\141\154\040\103\145\162\164\151\146\151\143\141\164\145\040\123
+\145\162\166\151\143\145\163\061\033\060\031\006\003\125\004\003
+\023\022\123\167\151\163\163\143\157\155\040\122\157\157\164\040
+\103\101\040\062\060\036\027\015\061\061\060\066\062\064\060\070
+\063\070\061\064\132\027\015\063\061\060\066\062\065\060\067\063
+\070\061\064\132\060\144\061\013\060\011\006\003\125\004\006\023
+\002\143\150\061\021\060\017\006\003\125\004\012\023\010\123\167
+\151\163\163\143\157\155\061\045\060\043\006\003\125\004\013\023
+\034\104\151\147\151\164\141\154\040\103\145\162\164\151\146\151
+\143\141\164\145\040\123\145\162\166\151\143\145\163\061\033\060
+\031\006\003\125\004\003\023\022\123\167\151\163\163\143\157\155
+\040\122\157\157\164\040\103\101\040\062\060\202\002\042\060\015
+\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002
+\017\000\060\202\002\012\002\202\002\001\000\225\102\116\204\235
+\121\346\323\011\350\162\132\043\151\333\170\160\216\026\361\053
+\217\015\003\316\223\314\056\000\010\173\253\063\214\364\351\100
+\346\027\114\253\236\270\107\024\062\167\062\335\050\014\336\030
+\113\137\166\237\370\071\073\374\116\211\330\174\305\147\357\253
+\322\271\064\137\153\072\363\144\066\316\302\260\317\023\150\312
+\310\313\353\265\342\075\056\041\337\352\054\324\340\371\160\226
+\114\377\152\130\230\267\027\344\033\122\345\176\007\000\035\137
+\332\346\076\225\004\267\151\210\071\241\101\140\045\141\113\225
+\071\150\142\034\261\013\005\211\300\066\202\024\041\077\256\333
+\241\375\274\157\034\140\206\266\123\224\111\271\053\106\305\117
+\000\053\277\241\273\313\077\340\307\127\034\127\350\326\151\370
+\301\044\122\235\210\125\335\302\207\056\164\043\320\024\375\052
+\107\132\273\246\235\375\224\344\321\212\245\137\206\143\166\205
+\313\257\377\111\050\374\200\355\114\171\322\273\344\300\357\001
+\356\120\101\010\065\043\160\053\251\026\264\214\156\205\351\266
+\021\317\061\335\123\046\033\337\055\132\112\002\100\374\304\300
+\266\351\061\032\010\050\345\140\303\037\304\220\216\020\142\140
+\104\015\354\012\276\125\030\161\054\245\364\262\274\025\142\377
+\034\343\276\035\332\036\127\263\074\176\315\202\035\221\343\113
+\353\054\122\064\260\212\375\022\116\226\260\353\160\177\236\071
+\367\146\102\261\253\254\122\332\166\100\127\173\052\275\350\156
+\003\262\013\200\205\210\235\014\307\302\167\260\232\232\127\364
+\270\372\023\134\150\223\072\147\244\227\320\033\231\267\206\062
+\113\140\330\316\357\320\014\177\225\237\157\207\117\207\212\216
+\137\010\174\252\133\374\132\276\241\221\237\125\175\116\260\013
+\151\314\260\224\250\247\207\362\323\112\120\334\137\162\260\026
+\165\036\313\264\030\142\232\260\247\071\252\233\237\146\330\215
+\246\154\226\025\343\346\362\370\361\203\142\154\273\125\351\141
+\223\243\075\365\261\127\213\117\043\260\233\345\224\152\057\337
+\214\337\225\121\051\140\241\013\051\344\134\125\130\267\250\374
+\231\356\045\115\114\016\263\323\114\217\204\350\051\017\375\020
+\124\002\205\310\371\345\303\213\317\347\017\002\003\001\000\001
+\243\201\206\060\201\203\060\016\006\003\125\035\017\001\001\377
+\004\004\003\002\001\206\060\035\006\003\125\035\041\004\026\060
+\024\060\022\006\007\140\205\164\001\123\002\001\006\007\140\205
+\164\001\123\002\001\060\022\006\003\125\035\023\001\001\377\004
+\010\060\006\001\001\377\002\001\007\060\035\006\003\125\035\016
+\004\026\004\024\115\046\040\042\211\113\323\325\244\012\241\157
+\336\342\022\201\305\361\074\056\060\037\006\003\125\035\043\004
+\030\060\026\200\024\115\046\040\042\211\113\323\325\244\012\241
+\157\336\342\022\201\305\361\074\056\060\015\006\011\052\206\110
+\206\367\015\001\001\013\005\000\003\202\002\001\000\062\012\262
+\244\033\313\175\276\202\127\211\271\152\177\363\364\301\056\021
+\175\270\031\076\171\267\250\250\162\067\146\233\032\355\254\023
+\073\016\277\142\360\234\337\236\173\241\123\110\016\101\172\312
+\040\247\027\033\266\170\354\100\221\363\102\255\020\303\134\357
+\377\140\131\177\315\205\243\213\075\110\034\045\002\074\147\175
+\365\062\351\057\060\345\175\245\172\070\320\363\146\052\146\036
+\215\063\203\212\157\174\156\250\132\165\232\270\327\332\130\110
+\104\107\250\114\372\114\111\012\112\302\022\067\250\100\014\303
+\310\341\320\127\015\227\062\225\307\072\237\227\323\127\370\013
+\336\345\162\363\243\333\377\265\330\131\262\163\335\115\052\161
+\262\272\111\365\313\034\325\365\171\310\231\263\374\301\114\164
+\343\264\275\051\067\025\004\050\036\336\105\106\160\354\257\272
+\170\016\212\052\316\000\171\334\300\137\031\147\054\153\113\357
+\150\150\013\103\343\254\301\142\011\357\246\335\145\141\240\257
+\204\125\110\221\122\034\306\045\221\052\320\301\042\043\141\131
+\257\105\021\205\035\001\044\064\217\317\263\377\027\162\040\023
+\302\200\252\041\054\161\071\016\320\217\134\301\323\321\216\042
+\162\106\114\035\226\256\117\161\261\341\005\051\226\131\364\273
+\236\165\075\317\015\067\015\142\333\046\214\143\251\043\337\147
+\006\074\174\072\332\064\102\341\146\264\106\004\336\306\226\230
+\017\113\110\172\044\062\165\221\237\254\367\150\351\052\271\125
+\145\316\135\141\323\047\160\330\067\376\237\271\257\240\056\126
+\267\243\145\121\355\073\253\024\277\114\121\003\350\137\212\005
+\233\356\212\156\234\357\277\150\372\310\332\013\343\102\311\320
+\027\024\234\267\112\340\257\223\047\041\125\046\265\144\057\215
+\361\377\246\100\005\205\005\134\312\007\031\134\013\023\050\114
+\130\177\302\245\357\105\332\140\323\256\145\141\235\123\203\164
+\302\256\362\134\302\026\355\222\076\204\076\163\140\210\274\166
+\364\054\317\320\175\175\323\270\136\321\221\022\020\351\315\335
+\312\045\343\325\355\231\057\276\165\201\113\044\371\105\106\224
+\311\051\041\123\234\046\105\252\023\027\344\347\315\170\342\071
+\301\053\022\236\246\236\033\305\346\016\331\061\331
+END
+
+# Trust for "Swisscom Root CA 2"
+# Issuer: CN=Swisscom Root CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
+# Serial Number:1e:9e:28:e8:48:f2:e5:ef:c3:7c:4a:1e:5a:18:67:b6
+# Subject: CN=Swisscom Root CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
+# Not Valid Before: Fri Jun 24 08:38:14 2011
+# Not Valid After : Wed Jun 25 07:38:14 2031
+# Fingerprint (MD5): 5B:04:69:EC:A5:83:94:63:18:A7:86:D0:E4:F2:6E:19
+# Fingerprint (SHA1): 77:47:4F:C6:30:E4:0F:4C:47:64:3F:84:BA:B8:C6:95:4A:8A:41:EC
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Swisscom Root CA 2"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\167\107\117\306\060\344\017\114\107\144\077\204\272\270\306\225
+\112\212\101\354
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\133\004\151\354\245\203\224\143\030\247\206\320\344\362\156\031
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\144\061\013\060\011\006\003\125\004\006\023\002\143\150\061
+\021\060\017\006\003\125\004\012\023\010\123\167\151\163\163\143
+\157\155\061\045\060\043\006\003\125\004\013\023\034\104\151\147
+\151\164\141\154\040\103\145\162\164\151\146\151\143\141\164\145
+\040\123\145\162\166\151\143\145\163\061\033\060\031\006\003\125
+\004\003\023\022\123\167\151\163\163\143\157\155\040\122\157\157
+\164\040\103\101\040\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\036\236\050\350\110\362\345\357\303\174\112\036\132\030
+\147\266
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "Swisscom Root EV CA 2"
+#
+# Issuer: CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
+# Serial Number:00:f2:fa:64:e2:74:63:d3:8d:fd:10:1d:04:1f:76:ca:58
+# Subject: CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
+# Not Valid Before: Fri Jun 24 09:45:08 2011
+# Not Valid After : Wed Jun 25 08:45:08 2031
+# Fingerprint (MD5): 7B:30:34:9F:DD:0A:4B:6B:35:CA:31:51:28:5D:AE:EC
+# Fingerprint (SHA1): E7:A1:90:29:D3:D5:52:DC:0D:0F:C6:92:D3:EA:88:0D:15:2E:1A:6B
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Swisscom Root EV CA 2"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\147\061\013\060\011\006\003\125\004\006\023\002\143\150\061
+\021\060\017\006\003\125\004\012\023\010\123\167\151\163\163\143
+\157\155\061\045\060\043\006\003\125\004\013\023\034\104\151\147
+\151\164\141\154\040\103\145\162\164\151\146\151\143\141\164\145
+\040\123\145\162\166\151\143\145\163\061\036\060\034\006\003\125
+\004\003\023\025\123\167\151\163\163\143\157\155\040\122\157\157
+\164\040\105\126\040\103\101\040\062
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\147\061\013\060\011\006\003\125\004\006\023\002\143\150\061
+\021\060\017\006\003\125\004\012\023\010\123\167\151\163\163\143
+\157\155\061\045\060\043\006\003\125\004\013\023\034\104\151\147
+\151\164\141\154\040\103\145\162\164\151\146\151\143\141\164\145
+\040\123\145\162\166\151\143\145\163\061\036\060\034\006\003\125
+\004\003\023\025\123\167\151\163\163\143\157\155\040\122\157\157
+\164\040\105\126\040\103\101\040\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\021\000\362\372\144\342\164\143\323\215\375\020\035\004\037
+\166\312\130
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\340\060\202\003\310\240\003\002\001\002\002\021\000
+\362\372\144\342\164\143\323\215\375\020\035\004\037\166\312\130
+\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060
+\147\061\013\060\011\006\003\125\004\006\023\002\143\150\061\021
+\060\017\006\003\125\004\012\023\010\123\167\151\163\163\143\157
+\155\061\045\060\043\006\003\125\004\013\023\034\104\151\147\151
+\164\141\154\040\103\145\162\164\151\146\151\143\141\164\145\040
+\123\145\162\166\151\143\145\163\061\036\060\034\006\003\125\004
+\003\023\025\123\167\151\163\163\143\157\155\040\122\157\157\164
+\040\105\126\040\103\101\040\062\060\036\027\015\061\061\060\066
+\062\064\060\071\064\065\060\070\132\027\015\063\061\060\066\062
+\065\060\070\064\065\060\070\132\060\147\061\013\060\011\006\003
+\125\004\006\023\002\143\150\061\021\060\017\006\003\125\004\012
+\023\010\123\167\151\163\163\143\157\155\061\045\060\043\006\003
+\125\004\013\023\034\104\151\147\151\164\141\154\040\103\145\162
+\164\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145
+\163\061\036\060\034\006\003\125\004\003\023\025\123\167\151\163
+\163\143\157\155\040\122\157\157\164\040\105\126\040\103\101\040
+\062\060\202\002\042\060\015\006\011\052\206\110\206\367\015\001
+\001\001\005\000\003\202\002\017\000\060\202\002\012\002\202\002
+\001\000\304\367\035\057\127\352\127\154\367\160\135\143\260\161
+\122\011\140\104\050\063\243\172\116\012\372\330\352\154\213\121
+\026\032\125\256\124\046\304\314\105\007\101\117\020\171\177\161
+\322\172\116\077\070\116\263\000\306\225\312\133\315\301\052\203
+\327\047\037\061\016\043\026\267\045\313\034\264\271\200\062\136
+\032\235\223\361\350\074\140\054\247\136\127\031\130\121\136\274
+\054\126\013\270\330\357\213\202\264\074\270\302\044\250\023\307
+\240\041\066\033\172\127\051\050\247\056\277\161\045\220\363\104
+\203\151\120\244\344\341\033\142\031\224\011\243\363\303\274\357
+\364\275\354\333\023\235\317\235\110\011\122\147\300\067\051\021
+\036\373\322\021\247\205\030\164\171\344\117\205\024\353\122\067
+\342\261\105\330\314\015\103\177\256\023\322\153\053\077\247\302
+\342\250\155\166\133\103\237\276\264\235\263\046\206\073\037\177
+\345\362\350\146\050\026\045\320\113\227\070\247\344\317\011\321
+\066\303\013\276\332\073\104\130\215\276\361\236\011\153\076\363
+\062\307\053\207\306\354\136\234\366\207\145\255\063\051\304\057
+\211\331\271\313\311\003\235\373\154\224\121\227\020\033\206\013
+\032\033\077\366\002\176\173\324\305\121\144\050\235\365\323\254
+\203\201\210\323\164\264\131\235\301\353\141\063\132\105\321\313
+\071\320\006\152\123\140\035\257\366\373\151\274\152\334\001\317
+\275\371\217\331\275\133\301\072\137\216\332\017\113\251\233\235
+\052\050\153\032\012\174\074\253\042\013\345\167\055\161\366\202
+\065\201\256\370\173\201\346\352\376\254\364\032\233\164\134\350
+\217\044\366\135\235\106\304\054\322\036\053\041\152\203\047\147
+\125\112\244\343\310\062\227\146\220\162\332\343\324\144\056\137
+\343\241\152\366\140\324\347\065\315\312\304\150\215\327\161\310
+\323\044\063\163\261\154\371\152\341\050\333\137\306\075\350\276
+\125\346\067\033\355\044\331\017\031\217\137\143\030\130\120\201
+\121\145\157\362\237\176\152\004\347\064\044\161\272\166\113\130
+\036\031\275\025\140\105\252\014\022\100\001\235\020\342\307\070
+\007\162\012\145\300\266\273\045\051\332\026\236\213\065\213\141
+\355\345\161\127\203\265\074\161\237\343\117\277\176\036\201\237
+\101\227\002\003\001\000\001\243\201\206\060\201\203\060\016\006
+\003\125\035\017\001\001\377\004\004\003\002\001\206\060\035\006
+\003\125\035\041\004\026\060\024\060\022\006\007\140\205\164\001
+\123\002\002\006\007\140\205\164\001\123\002\002\060\022\006\003
+\125\035\023\001\001\377\004\010\060\006\001\001\377\002\001\003
+\060\035\006\003\125\035\016\004\026\004\024\105\331\245\201\156
+\075\210\115\215\161\322\106\301\156\105\036\363\304\200\235\060
+\037\006\003\125\035\043\004\030\060\026\200\024\105\331\245\201
+\156\075\210\115\215\161\322\106\301\156\105\036\363\304\200\235
+\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\003
+\202\002\001\000\224\072\163\006\237\122\113\060\134\324\376\261
+\134\045\371\327\216\157\365\207\144\237\355\024\216\270\004\216
+\050\113\217\252\173\216\071\264\331\130\366\173\241\065\012\241
+\235\212\367\143\345\353\275\071\202\324\343\172\055\157\337\023
+\074\272\376\176\126\230\013\363\124\237\315\104\116\156\074\341
+\076\025\277\006\046\235\344\360\220\266\324\302\236\060\056\037
+\357\307\172\304\120\307\352\173\332\120\313\172\046\313\000\264
+\132\253\265\223\037\200\211\204\004\225\215\215\177\011\223\277
+\324\250\250\344\143\155\331\144\344\270\051\132\010\277\120\341
+\204\017\125\173\137\010\042\033\365\275\231\036\024\366\316\364
+\130\020\202\263\012\075\031\301\277\133\253\252\231\330\362\061
+\275\345\070\146\334\130\005\307\355\143\032\056\012\227\174\207
+\223\053\262\212\343\361\354\030\345\165\266\051\207\347\334\213
+\032\176\264\330\311\323\212\027\154\175\051\104\276\212\252\365
+\176\072\056\150\061\223\271\152\332\232\340\333\351\056\245\204
+\315\034\012\270\112\010\371\234\361\141\046\230\223\267\173\146
+\354\221\136\335\121\077\333\163\017\255\004\130\011\335\004\002
+\225\012\076\323\166\337\246\020\036\200\075\350\315\244\144\321
+\063\307\222\307\342\116\104\343\011\311\116\302\135\207\016\022
+\236\277\017\311\005\020\336\172\243\261\074\362\077\245\252\047
+\171\255\061\175\037\375\374\031\151\305\335\271\077\174\315\306
+\264\302\060\036\176\156\222\327\177\141\166\132\217\353\225\115
+\274\021\156\041\174\131\067\231\320\006\274\371\006\155\062\026
+\245\331\151\250\341\334\074\200\036\140\121\334\327\124\041\036
+\312\142\167\117\372\330\217\263\053\072\015\170\162\311\150\101
+\132\107\112\302\243\353\032\327\012\253\074\062\125\310\012\021
+\234\337\164\326\360\100\025\035\310\271\217\265\066\305\257\370
+\042\270\312\035\363\326\266\031\017\237\141\145\152\352\164\310
+\174\217\303\117\135\145\202\037\331\015\211\332\165\162\373\357
+\361\107\147\023\263\310\321\031\210\047\046\232\231\171\177\036
+\344\054\077\173\356\361\336\115\213\226\227\303\325\077\174\033
+\043\355\244\263\035\026\162\103\113\040\341\131\176\302\350\255
+\046\277\242\367
+END
+
+# Trust for "Swisscom Root EV CA 2"
+# Issuer: CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
+# Serial Number:00:f2:fa:64:e2:74:63:d3:8d:fd:10:1d:04:1f:76:ca:58
+# Subject: CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
+# Not Valid Before: Fri Jun 24 09:45:08 2011
+# Not Valid After : Wed Jun 25 08:45:08 2031
+# Fingerprint (MD5): 7B:30:34:9F:DD:0A:4B:6B:35:CA:31:51:28:5D:AE:EC
+# Fingerprint (SHA1): E7:A1:90:29:D3:D5:52:DC:0D:0F:C6:92:D3:EA:88:0D:15:2E:1A:6B
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Swisscom Root EV CA 2"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\347\241\220\051\323\325\122\334\015\017\306\222\323\352\210\015
+\025\056\032\153
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\173\060\064\237\335\012\113\153\065\312\061\121\050\135\256\354
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\147\061\013\060\011\006\003\125\004\006\023\002\143\150\061
+\021\060\017\006\003\125\004\012\023\010\123\167\151\163\163\143
+\157\155\061\045\060\043\006\003\125\004\013\023\034\104\151\147
+\151\164\141\154\040\103\145\162\164\151\146\151\143\141\164\145
+\040\123\145\162\166\151\143\145\163\061\036\060\034\006\003\125
+\004\003\023\025\123\167\151\163\163\143\157\155\040\122\157\157
+\164\040\105\126\040\103\101\040\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\021\000\362\372\144\342\164\143\323\215\375\020\035\004\037
+\166\312\130
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "CA Disig Root R1"
+#
+# Issuer: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
+# Serial Number:00:c3:03:9a:ee:50:90:6e:28
+# Subject: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
+# Not Valid Before: Thu Jul 19 09:06:56 2012
+# Not Valid After : Sat Jul 19 09:06:56 2042
+# Fingerprint (MD5): BE:EC:11:93:9A:F5:69:21:BC:D7:C1:C0:67:89:CC:2A
+# Fingerprint (SHA1): 8E:1C:74:F8:A6:20:B9:E5:8A:F4:61:FA:EC:2B:47:56:51:1A:52:C6
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "CA Disig Root R1"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\122\061\013\060\011\006\003\125\004\006\023\002\123\113\061
+\023\060\021\006\003\125\004\007\023\012\102\162\141\164\151\163
+\154\141\166\141\061\023\060\021\006\003\125\004\012\023\012\104
+\151\163\151\147\040\141\056\163\056\061\031\060\027\006\003\125
+\004\003\023\020\103\101\040\104\151\163\151\147\040\122\157\157
+\164\040\122\061
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\122\061\013\060\011\006\003\125\004\006\023\002\123\113\061
+\023\060\021\006\003\125\004\007\023\012\102\162\141\164\151\163
+\154\141\166\141\061\023\060\021\006\003\125\004\012\023\012\104
+\151\163\151\147\040\141\056\163\056\061\031\060\027\006\003\125
+\004\003\023\020\103\101\040\104\151\163\151\147\040\122\157\157
+\164\040\122\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\011\000\303\003\232\356\120\220\156\050
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\151\060\202\003\121\240\003\002\001\002\002\011\000
+\303\003\232\356\120\220\156\050\060\015\006\011\052\206\110\206
+\367\015\001\001\005\005\000\060\122\061\013\060\011\006\003\125
+\004\006\023\002\123\113\061\023\060\021\006\003\125\004\007\023
+\012\102\162\141\164\151\163\154\141\166\141\061\023\060\021\006
+\003\125\004\012\023\012\104\151\163\151\147\040\141\056\163\056
+\061\031\060\027\006\003\125\004\003\023\020\103\101\040\104\151
+\163\151\147\040\122\157\157\164\040\122\061\060\036\027\015\061
+\062\060\067\061\071\060\071\060\066\065\066\132\027\015\064\062
+\060\067\061\071\060\071\060\066\065\066\132\060\122\061\013\060
+\011\006\003\125\004\006\023\002\123\113\061\023\060\021\006\003
+\125\004\007\023\012\102\162\141\164\151\163\154\141\166\141\061
+\023\060\021\006\003\125\004\012\023\012\104\151\163\151\147\040
+\141\056\163\056\061\031\060\027\006\003\125\004\003\023\020\103
+\101\040\104\151\163\151\147\040\122\157\157\164\040\122\061\060
+\202\002\042\060\015\006\011\052\206\110\206\367\015\001\001\001
+\005\000\003\202\002\017\000\060\202\002\012\002\202\002\001\000
+\252\303\170\367\334\230\243\247\132\136\167\030\262\335\004\144
+\017\143\375\233\226\011\200\325\350\252\245\342\234\046\224\072
+\350\231\163\214\235\337\327\337\203\363\170\117\100\341\177\322
+\247\322\345\312\023\223\347\355\306\167\137\066\265\224\257\350
+\070\216\333\233\345\174\273\314\215\353\165\163\341\044\315\346
+\247\055\031\056\330\326\212\153\024\353\010\142\012\330\334\263
+\000\115\303\043\174\137\103\010\043\062\022\334\355\014\255\300
+\175\017\245\172\102\331\132\160\331\277\247\327\001\034\366\233
+\253\216\267\112\206\170\240\036\126\061\256\357\202\012\200\101
+\367\033\311\256\253\062\046\324\054\153\355\175\153\344\342\136
+\042\012\105\313\204\061\115\254\376\333\321\107\272\371\140\227
+\071\261\145\307\336\373\231\344\012\042\261\055\115\345\110\046
+\151\253\342\252\363\373\374\222\051\062\351\263\076\115\037\047
+\241\315\216\271\027\373\045\076\311\156\363\167\332\015\022\366
+\135\307\273\066\020\325\124\326\363\340\342\107\110\346\336\024
+\332\141\122\257\046\264\365\161\117\311\327\322\006\337\143\312
+\377\041\350\131\006\340\010\325\204\025\123\367\103\345\174\305
+\240\211\230\153\163\306\150\316\145\336\275\177\005\367\261\356
+\366\127\241\140\225\305\314\352\223\072\276\231\256\233\002\243
+\255\311\026\265\316\335\136\231\170\176\032\071\176\262\300\005
+\244\300\202\245\243\107\236\214\352\134\266\274\147\333\346\052
+\115\322\004\334\243\256\105\367\274\213\234\034\247\326\325\003
+\334\010\313\056\026\312\134\100\063\350\147\303\056\347\246\104
+\352\021\105\034\065\145\055\036\105\141\044\033\202\056\245\235
+\063\135\145\370\101\371\056\313\224\077\037\243\014\061\044\104
+\355\307\136\255\120\272\306\101\233\254\360\027\145\300\370\135
+\157\133\240\012\064\074\356\327\352\210\237\230\371\257\116\044
+\372\227\262\144\166\332\253\364\355\343\303\140\357\325\371\002
+\310\055\237\203\257\147\151\006\247\061\125\325\317\113\157\377
+\004\005\307\130\254\137\026\033\345\322\243\353\061\333\037\063
+\025\115\320\362\245\123\365\313\341\075\116\150\055\330\022\335
+\252\362\346\115\233\111\345\305\050\241\272\260\132\306\240\265
+\002\003\001\000\001\243\102\060\100\060\017\006\003\125\035\023
+\001\001\377\004\005\060\003\001\001\377\060\016\006\003\125\035
+\017\001\001\377\004\004\003\002\001\006\060\035\006\003\125\035
+\016\004\026\004\024\211\012\264\070\223\032\346\253\356\233\221
+\030\371\365\074\076\065\320\323\202\060\015\006\011\052\206\110
+\206\367\015\001\001\005\005\000\003\202\002\001\000\062\213\366
+\235\112\311\276\024\345\214\254\070\312\072\011\324\033\316\206
+\263\335\353\324\272\050\276\022\256\105\054\004\164\254\023\121
+\305\130\030\146\115\202\332\325\334\223\300\047\341\276\174\237
+\122\236\022\126\366\325\234\251\364\165\234\372\067\022\217\034
+\223\354\127\376\007\017\253\325\022\367\017\256\141\136\126\200
+\111\365\374\060\365\233\117\037\101\057\034\204\323\211\307\342
+\332\002\166\355\011\317\154\301\270\034\203\034\026\372\224\315
+\175\240\310\030\322\310\235\156\365\275\151\324\155\075\065\350
+\036\242\117\140\327\007\051\374\262\243\244\235\156\025\222\126
+\031\114\012\260\351\174\322\031\115\102\106\354\275\375\366\127
+\133\335\230\176\244\115\314\162\003\203\130\135\357\223\072\101
+\172\143\252\174\072\250\365\254\244\321\335\242\055\266\052\374
+\237\001\216\342\020\261\304\312\344\147\333\125\045\031\077\375
+\350\066\176\263\341\341\201\257\021\026\213\120\227\140\031\202
+\000\300\153\115\163\270\321\023\007\076\352\266\061\117\360\102
+\232\155\342\021\164\345\224\254\215\204\225\074\041\257\305\332
+\107\310\337\071\142\142\313\133\120\013\327\201\100\005\234\233
+\355\272\266\213\036\004\157\226\040\071\355\244\175\051\333\110
+\316\202\334\324\002\215\035\004\061\132\307\113\360\154\141\122
+\327\264\121\302\201\154\315\341\373\247\241\322\222\166\317\261
+\017\067\130\244\362\122\161\147\077\014\210\170\200\211\301\310
+\265\037\222\143\276\247\172\212\126\054\032\250\246\234\265\135
+\263\143\320\023\040\241\353\221\154\320\215\175\257\337\013\344
+\027\271\206\236\070\261\224\014\130\214\340\125\252\073\143\155
+\232\211\140\270\144\052\222\306\067\364\176\103\103\267\163\350
+\001\347\177\227\017\327\362\173\031\375\032\327\217\311\372\205
+\153\172\235\236\211\266\246\050\231\223\210\100\367\076\315\121
+\243\312\352\357\171\107\041\265\376\062\342\307\303\121\157\276
+\200\164\360\244\303\072\362\117\351\137\337\031\012\362\073\023
+\103\254\061\244\263\347\353\374\030\326\001\251\363\052\217\066
+\016\353\264\261\274\267\114\311\153\277\241\363\331\364\355\342
+\360\343\355\144\236\075\057\226\122\117\200\123\213
+END
+
+# Trust for "CA Disig Root R1"
+# Issuer: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
+# Serial Number:00:c3:03:9a:ee:50:90:6e:28
+# Subject: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
+# Not Valid Before: Thu Jul 19 09:06:56 2012
+# Not Valid After : Sat Jul 19 09:06:56 2042
+# Fingerprint (MD5): BE:EC:11:93:9A:F5:69:21:BC:D7:C1:C0:67:89:CC:2A
+# Fingerprint (SHA1): 8E:1C:74:F8:A6:20:B9:E5:8A:F4:61:FA:EC:2B:47:56:51:1A:52:C6
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "CA Disig Root R1"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\216\034\164\370\246\040\271\345\212\364\141\372\354\053\107\126
+\121\032\122\306
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\276\354\021\223\232\365\151\041\274\327\301\300\147\211\314\052
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\122\061\013\060\011\006\003\125\004\006\023\002\123\113\061
+\023\060\021\006\003\125\004\007\023\012\102\162\141\164\151\163
+\154\141\166\141\061\023\060\021\006\003\125\004\012\023\012\104
+\151\163\151\147\040\141\056\163\056\061\031\060\027\006\003\125
+\004\003\023\020\103\101\040\104\151\163\151\147\040\122\157\157
+\164\040\122\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\011\000\303\003\232\356\120\220\156\050
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "CA Disig Root R2"
+#
+# Issuer: CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK
+# Serial Number:00:92:b8:88:db:b0:8a:c1:63
+# Subject: CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK
+# Not Valid Before: Thu Jul 19 09:15:30 2012
+# Not Valid After : Sat Jul 19 09:15:30 2042
+# Fingerprint (MD5): 26:01:FB:D8:27:A7:17:9A:45:54:38:1A:43:01:3B:03
+# Fingerprint (SHA1): B5:61:EB:EA:A4:DE:E4:25:4B:69:1A:98:A5:57:47:C2:34:C7:D9:71
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "CA Disig Root R2"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\122\061\013\060\011\006\003\125\004\006\023\002\123\113\061
+\023\060\021\006\003\125\004\007\023\012\102\162\141\164\151\163
+\154\141\166\141\061\023\060\021\006\003\125\004\012\023\012\104
+\151\163\151\147\040\141\056\163\056\061\031\060\027\006\003\125
+\004\003\023\020\103\101\040\104\151\163\151\147\040\122\157\157
+\164\040\122\062
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\122\061\013\060\011\006\003\125\004\006\023\002\123\113\061
+\023\060\021\006\003\125\004\007\023\012\102\162\141\164\151\163
+\154\141\166\141\061\023\060\021\006\003\125\004\012\023\012\104
+\151\163\151\147\040\141\056\163\056\061\031\060\027\006\003\125
+\004\003\023\020\103\101\040\104\151\163\151\147\040\122\157\157
+\164\040\122\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\011\000\222\270\210\333\260\212\301\143
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\151\060\202\003\121\240\003\002\001\002\002\011\000
+\222\270\210\333\260\212\301\143\060\015\006\011\052\206\110\206
+\367\015\001\001\013\005\000\060\122\061\013\060\011\006\003\125
+\004\006\023\002\123\113\061\023\060\021\006\003\125\004\007\023
+\012\102\162\141\164\151\163\154\141\166\141\061\023\060\021\006
+\003\125\004\012\023\012\104\151\163\151\147\040\141\056\163\056
+\061\031\060\027\006\003\125\004\003\023\020\103\101\040\104\151
+\163\151\147\040\122\157\157\164\040\122\062\060\036\027\015\061
+\062\060\067\061\071\060\071\061\065\063\060\132\027\015\064\062
+\060\067\061\071\060\071\061\065\063\060\132\060\122\061\013\060
+\011\006\003\125\004\006\023\002\123\113\061\023\060\021\006\003
+\125\004\007\023\012\102\162\141\164\151\163\154\141\166\141\061
+\023\060\021\006\003\125\004\012\023\012\104\151\163\151\147\040
+\141\056\163\056\061\031\060\027\006\003\125\004\003\023\020\103
+\101\040\104\151\163\151\147\040\122\157\157\164\040\122\062\060
+\202\002\042\060\015\006\011\052\206\110\206\367\015\001\001\001
+\005\000\003\202\002\017\000\060\202\002\012\002\202\002\001\000
+\242\243\304\000\011\326\205\135\055\155\024\366\302\303\163\236
+\065\302\161\125\176\201\373\253\106\120\340\301\174\111\170\346
+\253\171\130\074\332\377\174\034\237\330\227\002\170\076\153\101
+\004\351\101\275\276\003\054\105\366\057\144\324\253\135\243\107
+\075\144\233\351\150\232\306\314\033\077\272\276\262\213\064\002
+\056\230\125\031\374\214\157\252\137\332\114\316\115\003\041\243
+\330\322\064\223\126\226\313\114\014\000\026\074\137\032\315\310
+\307\154\246\255\323\061\247\274\350\345\341\146\326\322\373\003
+\264\101\145\311\020\256\016\005\143\306\200\152\151\060\375\322
+\356\220\357\015\047\337\237\225\163\364\341\045\332\154\026\336
+\101\070\064\352\213\374\321\350\004\024\141\055\101\176\254\307
+\167\116\313\121\124\373\136\222\030\033\004\132\150\306\311\304
+\372\267\023\240\230\267\021\053\267\326\127\314\174\236\027\321
+\313\045\376\206\116\044\056\126\014\170\115\236\001\022\246\053
+\247\001\145\156\174\142\035\204\204\337\352\300\153\265\245\052
+\225\203\303\123\021\014\163\035\013\262\106\220\321\102\072\316
+\100\156\225\255\377\306\224\255\156\227\204\216\175\157\236\212
+\200\015\111\155\163\342\173\222\036\303\363\301\363\353\056\005
+\157\331\033\317\067\166\004\310\264\132\344\027\247\313\335\166
+\037\320\031\166\350\054\005\263\326\234\064\330\226\334\141\207
+\221\005\344\104\010\063\301\332\271\010\145\324\256\262\066\015
+\353\272\070\272\014\345\233\236\353\215\146\335\231\317\326\211
+\101\366\004\222\212\051\051\155\153\072\034\347\165\175\002\161
+\016\363\300\347\275\313\031\335\235\140\262\302\146\140\266\261
+\004\356\311\346\206\271\232\146\100\250\347\021\355\201\105\003
+\213\366\147\131\350\301\006\021\275\335\317\200\002\117\145\100
+\170\134\107\120\310\233\346\037\201\173\344\104\250\133\205\232
+\342\336\132\325\307\371\072\104\146\113\344\062\124\174\344\154
+\234\263\016\075\027\242\262\064\022\326\176\262\250\111\273\321
+\172\050\100\276\242\026\037\337\344\067\037\021\163\373\220\012
+\145\103\242\015\174\370\006\001\125\063\175\260\015\270\364\365
+\256\245\102\127\174\066\021\214\173\136\304\003\235\214\171\235
+\002\003\001\000\001\243\102\060\100\060\017\006\003\125\035\023
+\001\001\377\004\005\060\003\001\001\377\060\016\006\003\125\035
+\017\001\001\377\004\004\003\002\001\006\060\035\006\003\125\035
+\016\004\026\004\024\265\231\370\257\260\224\365\343\040\326\012
+\255\316\116\126\244\056\156\102\355\060\015\006\011\052\206\110
+\206\367\015\001\001\013\005\000\003\202\002\001\000\046\006\136
+\160\347\145\063\310\202\156\331\234\027\072\033\172\146\262\001
+\366\170\073\151\136\057\352\377\116\371\050\303\230\052\141\114
+\264\044\022\212\175\155\021\024\367\234\265\312\346\274\236\047
+\216\114\031\310\251\275\172\300\327\066\016\155\205\162\156\250
+\306\242\155\366\372\163\143\177\274\156\171\010\034\235\212\237
+\032\212\123\246\330\273\331\065\125\261\021\305\251\003\263\126
+\073\271\204\223\042\136\176\301\366\022\122\213\352\054\147\274
+\376\066\114\365\270\317\321\263\111\222\073\323\051\016\231\033
+\226\367\141\270\073\304\053\266\170\154\264\043\157\360\375\323
+\262\136\165\037\231\225\250\254\366\332\341\305\061\173\373\321
+\106\263\322\274\147\264\142\124\272\011\367\143\260\223\242\232
+\371\351\122\056\213\140\022\253\374\365\140\126\357\020\134\213
+\304\032\102\334\203\133\144\016\313\265\274\326\117\301\174\074
+\156\215\023\155\373\173\353\060\320\334\115\257\305\325\266\245
+\114\133\161\311\350\061\276\350\070\006\110\241\032\342\352\322
+\336\022\071\130\032\377\200\016\202\165\346\267\311\007\154\016
+\357\377\070\361\230\161\304\267\177\016\025\320\045\151\275\042
+\235\053\355\005\366\106\107\254\355\300\360\324\073\342\354\356
+\226\133\220\023\116\036\126\072\353\260\357\226\273\226\043\021
+\272\362\103\206\164\144\225\310\050\165\337\035\065\272\322\067
+\203\070\123\070\066\073\317\154\351\371\153\016\320\373\004\350
+\117\167\327\145\001\170\206\014\172\076\041\142\361\177\143\161
+\014\311\237\104\333\250\047\242\165\276\156\201\076\327\300\353
+\033\230\017\160\134\064\262\212\314\300\205\030\353\156\172\263
+\367\132\241\007\277\251\102\222\363\140\042\227\344\024\241\007
+\233\116\166\300\216\175\375\244\045\307\107\355\377\037\163\254
+\314\303\245\351\157\012\216\233\145\302\120\205\265\243\240\123
+\022\314\125\207\141\363\201\256\020\106\141\275\104\041\270\302
+\075\164\317\176\044\065\372\034\007\016\233\075\042\312\357\061
+\057\214\254\022\275\357\100\050\374\051\147\237\262\023\117\146
+\044\304\123\031\351\036\051\025\357\346\155\260\177\055\147\375
+\363\154\033\165\106\243\345\112\027\351\244\327\013
+END
+
+# Trust for "CA Disig Root R2"
+# Issuer: CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK
+# Serial Number:00:92:b8:88:db:b0:8a:c1:63
+# Subject: CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK
+# Not Valid Before: Thu Jul 19 09:15:30 2012
+# Not Valid After : Sat Jul 19 09:15:30 2042
+# Fingerprint (MD5): 26:01:FB:D8:27:A7:17:9A:45:54:38:1A:43:01:3B:03
+# Fingerprint (SHA1): B5:61:EB:EA:A4:DE:E4:25:4B:69:1A:98:A5:57:47:C2:34:C7:D9:71
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "CA Disig Root R2"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\265\141\353\352\244\336\344\045\113\151\032\230\245\127\107\302
+\064\307\331\161
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\046\001\373\330\047\247\027\232\105\124\070\032\103\001\073\003
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\122\061\013\060\011\006\003\125\004\006\023\002\123\113\061
+\023\060\021\006\003\125\004\007\023\012\102\162\141\164\151\163
+\154\141\166\141\061\023\060\021\006\003\125\004\012\023\012\104
+\151\163\151\147\040\141\056\163\056\061\031\060\027\006\003\125
+\004\003\023\020\103\101\040\104\151\163\151\147\040\122\157\157
+\164\040\122\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\011\000\222\270\210\333\260\212\301\143
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
--- a/security/nss/lib/ckfw/builtins/nssckbi.h
+++ b/security/nss/lib/ckfw/builtins/nssckbi.h
@@ -40,18 +40,18 @@
  *     ...
  *   - NSS 3.29 branch: 250-255
  *
  * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
  * whether we may use its full range (0-255) or only 0-99 because
  * of the comment in the CK_VERSION type definition.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 93
-#define NSS_BUILTINS_LIBRARY_VERSION "1.93"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 94
+#define NSS_BUILTINS_LIBRARY_VERSION "1.94"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
 #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
 
 /* These version numbers detail the semantic changes to ckbi itself 
  * (new PKCS #11 objects), etc. */
 #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
--- a/security/nss/lib/freebl/blapit.h
+++ b/security/nss/lib/freebl/blapit.h
@@ -76,16 +76,24 @@ typedef int __BLAPI_DEPRECATED __attribu
 /* XXX We shouldn't have to hard code this limit. For
  * now, this is the quickest way to support ECDSA signature
  * processing (ECDSA signature lengths depend on curve
  * size). This limit is sufficient for curves upto
  * 576 bits.
  */
 #define MAX_ECKEY_LEN 	        72	/* Bytes */
 
+#ifdef NSS_ECC_MORE_THAN_SUITE_B
+#define EC_MAX_KEY		571     /* in bits */
+#define EC_MIN_KEY		112     /* in bits */
+#else
+#define EC_MAX_KEY		521     /* in bits */
+#define EC_MIN_KEY		256     /* in bits */
+#endif
+
 /* EC point compression format */
 #define EC_POINT_FORM_COMPRESSED_Y0    0x02
 #define EC_POINT_FORM_COMPRESSED_Y1    0x03
 #define EC_POINT_FORM_UNCOMPRESSED     0x04
 #define EC_POINT_FORM_HYBRID_Y0        0x06
 #define EC_POINT_FORM_HYBRID_Y1        0x07
 
 /*
--- a/security/nss/lib/freebl/ecl/ecp_192.c
+++ b/security/nss/lib/freebl/ecl/ecp_192.c
@@ -1,24 +1,23 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "ecp.h"
 #include "mpi.h"
 #include "mplogic.h"
 #include "mpi-priv.h"
-#include <stdlib.h>
 
 #define ECP192_DIGITS ECL_CURVE_DIGITS(192)
 
 /* Fast modular reduction for p192 = 2^192 - 2^64 - 1.  a can be r. Uses
  * algorithm 7 from Brown, Hankerson, Lopez, Menezes. Software
  * Implementation of the NIST Elliptic Curves over Prime Fields. */
-mp_err
+static mp_err
 ec_GFp_nistp192_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
 {
 	mp_err res = MP_OKAY;
 	mp_size a_used = MP_USED(a);
 	mp_digit r3;
 #ifndef MPI_AMD64_ADD 
 	mp_digit carry;
 #endif
@@ -249,17 +248,17 @@ ec_GFp_nistp192_mod(const mp_int *a, mp_
 	return res;
 }
 
 #ifndef ECL_THIRTY_TWO_BIT
 /* Compute the sum of 192 bit curves. Do the work in-line since the
  * number of words are so small, we don't want to overhead of mp function
  * calls.  Uses optimized modular reduction for p192. 
  */
-mp_err
+static mp_err
 ec_GFp_nistp192_add(const mp_int *a, const mp_int *b, mp_int *r, 
 			const GFMethod *meth)
 {
 	mp_err res = MP_OKAY;
 	mp_digit a0 = 0, a1 = 0, a2 = 0;
 	mp_digit r0 = 0, r1 = 0, r2 = 0;
 	mp_digit carry;
 
@@ -330,17 +329,17 @@ ec_GFp_nistp192_add(const mp_int *a, con
   CLEANUP:
 	return res;
 }
 
 /* Compute the diff of 192 bit curves. Do the work in-line since the
  * number of words are so small, we don't want to overhead of mp function
  * calls.  Uses optimized modular reduction for p192. 
  */
-mp_err
+static mp_err
 ec_GFp_nistp192_sub(const mp_int *a, const mp_int *b, mp_int *r, 
 			const GFMethod *meth)
 {
 	mp_err res = MP_OKAY;
 	mp_digit b0 = 0, b1 = 0, b2 = 0;
 	mp_digit r0 = 0, r1 = 0, r2 = 0;
 	mp_digit borrow;
 
@@ -409,45 +408,45 @@ ec_GFp_nistp192_sub(const mp_int *a, con
 	return res;
 }
 
 #endif
 
 /* Compute the square of polynomial a, reduce modulo p192. Store the
  * result in r.  r could be a.  Uses optimized modular reduction for p192. 
  */
-mp_err
+static mp_err
 ec_GFp_nistp192_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
 {
 	mp_err res = MP_OKAY;
 
 	MP_CHECKOK(mp_sqr(a, r));
 	MP_CHECKOK(ec_GFp_nistp192_mod(r, r, meth));
   CLEANUP:
 	return res;
 }
 
 /* Compute the product of two polynomials a and b, reduce modulo p192.
  * Store the result in r.  r could be a or b; a could be b.  Uses
  * optimized modular reduction for p192. */
-mp_err
+static mp_err
 ec_GFp_nistp192_mul(const mp_int *a, const mp_int *b, mp_int *r,
 					const GFMethod *meth)
 {
 	mp_err res = MP_OKAY;
 
 	MP_CHECKOK(mp_mul(a, b, r));
 	MP_CHECKOK(ec_GFp_nistp192_mod(r, r, meth));
   CLEANUP:
 	return res;
 }
 
 /* Divides two field elements. If a is NULL, then returns the inverse of
  * b. */
-mp_err
+static mp_err
 ec_GFp_nistp192_div(const mp_int *a, const mp_int *b, mp_int *r,
 		   const GFMethod *meth)
 {
 	mp_err res = MP_OKAY;
 	mp_int t;
 
 	/* If a is NULL, then return the inverse of b, otherwise return a/b. */
 	if (a == NULL) {
--- a/security/nss/lib/freebl/ecl/ecp_224.c
+++ b/security/nss/lib/freebl/ecl/ecp_224.c
@@ -1,24 +1,23 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "ecp.h"
 #include "mpi.h"
 #include "mplogic.h"
 #include "mpi-priv.h"
-#include <stdlib.h>
 
 #define ECP224_DIGITS ECL_CURVE_DIGITS(224)
 
 /* Fast modular reduction for p224 = 2^224 - 2^96 + 1.  a can be r. Uses
  * algorithm 7 from Brown, Hankerson, Lopez, Menezes. Software
  * Implementation of the NIST Elliptic Curves over Prime Fields. */
-mp_err
+static mp_err
 ec_GFp_nistp224_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
 {
 	mp_err res = MP_OKAY;
 	mp_size a_used = MP_USED(a);
 
 	int    r3b;
 	mp_digit carry;
 #ifdef ECL_THIRTY_TWO_BIT
@@ -270,45 +269,45 @@ ec_GFp_nistp224_mod(const mp_int *a, mp_
 
   CLEANUP:
 	return res;
 }
 
 /* Compute the square of polynomial a, reduce modulo p224. Store the
  * result in r.  r could be a.  Uses optimized modular reduction for p224. 
  */
-mp_err
+static mp_err
 ec_GFp_nistp224_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
 {
 	mp_err res = MP_OKAY;
 
 	MP_CHECKOK(mp_sqr(a, r));
 	MP_CHECKOK(ec_GFp_nistp224_mod(r, r, meth));
   CLEANUP:
 	return res;
 }
 
 /* Compute the product of two polynomials a and b, reduce modulo p224.
  * Store the result in r.  r could be a or b; a could be b.  Uses
  * optimized modular reduction for p224. */
-mp_err
+static mp_err
 ec_GFp_nistp224_mul(const mp_int *a, const mp_int *b, mp_int *r,
 					const GFMethod *meth)
 {
 	mp_err res = MP_OKAY;
 
 	MP_CHECKOK(mp_mul(a, b, r));
 	MP_CHECKOK(ec_GFp_nistp224_mod(r, r, meth));
   CLEANUP:
 	return res;
 }
 
 /* Divides two field elements. If a is NULL, then returns the inverse of
  * b. */
-mp_err
+static mp_err
 ec_GFp_nistp224_div(const mp_int *a, const mp_int *b, mp_int *r,
 		   const GFMethod *meth)
 {
 	mp_err res = MP_OKAY;
 	mp_int t;
 
 	/* If a is NULL, then return the inverse of b, otherwise return a/b. */
 	if (a == NULL) {
--- a/security/nss/lib/freebl/ecl/ecp_384.c
+++ b/security/nss/lib/freebl/ecl/ecp_384.c
@@ -1,22 +1,21 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "ecp.h"
 #include "mpi.h"
 #include "mplogic.h"
 #include "mpi-priv.h"
-#include <stdlib.h>
 
 /* Fast modular reduction for p384 = 2^384 - 2^128 - 2^96 + 2^32 - 1.  a can be r. 
  * Uses algorithm 2.30 from Hankerson, Menezes, Vanstone. Guide to 
  * Elliptic Curve Cryptography. */
-mp_err
+static mp_err
 ec_GFp_nistp384_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
 {
 	mp_err res = MP_OKAY;
 	int a_bits = mpl_significant_bits(a);
 	int i;
 
 	/* m1, m2 are statically-allocated mp_int of exactly the size we need */
 	mp_int m[10];
@@ -214,31 +213,31 @@ ec_GFp_nistp384_mod(const mp_int *a, mp_
 
   CLEANUP:
 	return res;
 }
 
 /* Compute the square of polynomial a, reduce modulo p384. Store the
  * result in r.  r could be a.  Uses optimized modular reduction for p384. 
  */
-mp_err
+static mp_err
 ec_GFp_nistp384_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
 {
 	mp_err res = MP_OKAY;
 
 	MP_CHECKOK(mp_sqr(a, r));
 	MP_CHECKOK(ec_GFp_nistp384_mod(r, r, meth));
   CLEANUP:
 	return res;
 }
 
 /* Compute the product of two polynomials a and b, reduce modulo p384.
  * Store the result in r.  r could be a or b; a could be b.  Uses
  * optimized modular reduction for p384. */
-mp_err
+static mp_err
 ec_GFp_nistp384_mul(const mp_int *a, const mp_int *b, mp_int *r,
 					const GFMethod *meth)
 {
 	mp_err res = MP_OKAY;
 
 	MP_CHECKOK(mp_mul(a, b, r));
 	MP_CHECKOK(ec_GFp_nistp384_mod(r, r, meth));
   CLEANUP:
--- a/security/nss/lib/freebl/ecl/ecp_521.c
+++ b/security/nss/lib/freebl/ecl/ecp_521.c
@@ -1,24 +1,23 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "ecp.h"
 #include "mpi.h"
 #include "mplogic.h"
 #include "mpi-priv.h"
-#include <stdlib.h>
 
 #define ECP521_DIGITS ECL_CURVE_DIGITS(521)
 
 /* Fast modular reduction for p521 = 2^521 - 1.  a can be r. Uses
  * algorithm 2.31 from Hankerson, Menezes, Vanstone. Guide to 
  * Elliptic Curve Cryptography. */
-mp_err
+static mp_err
 ec_GFp_nistp521_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
 {
 	mp_err res = MP_OKAY;
 	int a_bits = mpl_significant_bits(a);
 	int i;
 
 	/* m1, m2 are statically-allocated mp_int of exactly the size we need */
 	mp_int m1;
@@ -67,45 +66,45 @@ ec_GFp_nistp521_mod(const mp_int *a, mp_
 
   CLEANUP:
 	return res;
 }
 
 /* Compute the square of polynomial a, reduce modulo p521. Store the
  * result in r.  r could be a.  Uses optimized modular reduction for p521. 
  */
-mp_err
+static mp_err
 ec_GFp_nistp521_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
 {
 	mp_err res = MP_OKAY;
 
 	MP_CHECKOK(mp_sqr(a, r));
 	MP_CHECKOK(ec_GFp_nistp521_mod(r, r, meth));
   CLEANUP:
 	return res;
 }
 
 /* Compute the product of two polynomials a and b, reduce modulo p521.
  * Store the result in r.  r could be a or b; a could be b.  Uses
  * optimized modular reduction for p521. */
-mp_err
+static mp_err
 ec_GFp_nistp521_mul(const mp_int *a, const mp_int *b, mp_int *r,
 					const GFMethod *meth)
 {
 	mp_err res = MP_OKAY;
 
 	MP_CHECKOK(mp_mul(a, b, r));
 	MP_CHECKOK(ec_GFp_nistp521_mod(r, r, meth));
   CLEANUP:
 	return res;
 }
 
 /* Divides two field elements. If a is NULL, then returns the inverse of
  * b. */
-mp_err
+static mp_err
 ec_GFp_nistp521_div(const mp_int *a, const mp_int *b, mp_int *r,
 		   const GFMethod *meth)
 {
 	mp_err res = MP_OKAY;
 	mp_int t;
 
 	/* If a is NULL, then return the inverse of b, otherwise return a/b. */
 	if (a == NULL) {
--- a/security/nss/lib/pkcs7/certread.c
+++ b/security/nss/lib/pkcs7/certread.c
@@ -1,98 +1,208 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "cert.h"
-#include "secpkcs7.h"
 #include "base64.h"
 #include "secitem.h"
 #include "secder.h"
 #include "secasn1.h"
 #include "secoid.h"
 #include "secerr.h"
 
 SEC_ASN1_MKSUB(SEC_AnyTemplate)
+SEC_ASN1_MKSUB(SEC_SetOfAnyTemplate)
 
-SECStatus
+typedef struct ContentInfoStr ContentInfo;
+typedef struct DegenerateSignedDataStr DegenerateSignedData;
+
+struct ContentInfoStr {
+    SECOidTag contentTypeTag;   /* local; not part of encoding */
+    SECItem contentType;
+    union {
+        SECItem *data;
+        DegenerateSignedData *signedData;
+    } content;
+};
+
+struct DegenerateSignedDataStr {
+    SECItem version;
+    SECItem **digestAlgorithms;
+    ContentInfo contentInfo;
+    SECItem **certificates;
+    SECItem **crls;
+    SECItem **signerInfos;
+};
+
+static const SEC_ASN1Template *
+choose_content_template(void *src_or_dest, PRBool encoding);
+
+static const SEC_ASN1TemplateChooserPtr template_chooser
+        = choose_content_template;
+
+static const SEC_ASN1Template ContentInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+          0, NULL, sizeof(ContentInfo) },
+    { SEC_ASN1_OBJECT_ID,
+          offsetof(ContentInfo,contentType) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_DYNAMIC |
+      SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+          offsetof(ContentInfo,content),
+          &template_chooser },
+    { 0 }
+};
+
+static const SEC_ASN1Template DegenerateSignedDataTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+          0, NULL, sizeof(DegenerateSignedData) },
+    { SEC_ASN1_INTEGER,
+          offsetof(DegenerateSignedData,version) },
+    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN,
+          offsetof(DegenerateSignedData,digestAlgorithms),
+          SEC_ASN1_SUB(SEC_AnyTemplate) },
+    { SEC_ASN1_INLINE,
+          offsetof(DegenerateSignedData,contentInfo),
+          ContentInfoTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 0,
+          offsetof(DegenerateSignedData,certificates),
+          SEC_ASN1_SUB(SEC_SetOfAnyTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 1,
+          offsetof(DegenerateSignedData,crls),
+          SEC_ASN1_SUB(SEC_SetOfAnyTemplate) },
+    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN,
+          offsetof(DegenerateSignedData,signerInfos),
+          SEC_ASN1_SUB(SEC_AnyTemplate) },
+    { 0 }
+};
+
+static const SEC_ASN1Template PointerToDegenerateSignedDataTemplate[] = {
+    { SEC_ASN1_POINTER, 0, DegenerateSignedDataTemplate }
+};
+
+static SECOidTag
+GetContentTypeTag(ContentInfo *cinfo)
+{
+    if (cinfo->contentTypeTag == SEC_OID_UNKNOWN)
+        cinfo->contentTypeTag = SECOID_FindOIDTag(&cinfo->contentType);
+    return cinfo->contentTypeTag;
+}
+
+static const SEC_ASN1Template *
+choose_content_template(void *src_or_dest, PRBool encoding)
+{
+    const SEC_ASN1Template *theTemplate;
+    ContentInfo *cinfo;
+    SECOidTag kind;
+
+    PORT_Assert(src_or_dest != NULL);
+    if (src_or_dest == NULL)
+        return NULL;
+
+    cinfo = (ContentInfo*)src_or_dest;
+    kind = GetContentTypeTag(cinfo);
+    switch (kind) {
+      default:
+        theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
+        break;
+      case SEC_OID_PKCS7_DATA:
+        theTemplate = SEC_ASN1_GET(SEC_PointerToOctetStringTemplate);
+        break;
+      case SEC_OID_PKCS7_SIGNED_DATA:
+        theTemplate = PointerToDegenerateSignedDataTemplate;
+        break;
+    }
+    return theTemplate;
+}
+
+static SECStatus
 SEC_ReadPKCS7Certs(SECItem *pkcs7Item, CERTImportCertificateFunc f, void *arg)
 {
-    SEC_PKCS7ContentInfo *contentInfo = NULL;
+    ContentInfo contentInfo;
     SECStatus rv;
     SECItem **certs;
     int count;
+    PRArenaPool *arena;
 
-    contentInfo = SEC_PKCS7DecodeItem(pkcs7Item, NULL, NULL, NULL, NULL, NULL, 
-				      NULL, NULL);
-    if ( contentInfo == NULL ) {
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	return SECFailure;
+    }
+
+    PORT_Memset(&contentInfo, 0, sizeof(contentInfo));
+    rv = SEC_ASN1DecodeItem(arena, &contentInfo, ContentInfoTemplate,
+			    pkcs7Item);
+    if ( rv != SECSuccess ) {
 	goto loser;
     }
 
-    if ( SEC_PKCS7ContentType (contentInfo) != SEC_OID_PKCS7_SIGNED_DATA ) {
+    if ( GetContentTypeTag(&contentInfo) != SEC_OID_PKCS7_SIGNED_DATA ) {
 	goto loser;
     }
 
-    certs = contentInfo->content.signedData->rawCerts;
+    certs = contentInfo.content.signedData->certificates;
     if ( certs ) {
 	count = 0;
 	
 	while ( *certs ) {
 	    count++;
 	    certs++;
 	}
-	rv = (* f)(arg, contentInfo->content.signedData->rawCerts, count);
+	rv = (* f)(arg, contentInfo.content.signedData->certificates, count);
     }
     
     rv = SECSuccess;
     
     goto done;
 loser:
     rv = SECFailure;
     
 done:
-    if ( contentInfo ) {
-	SEC_PKCS7DestroyContentInfo(contentInfo);
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
     }
 
     return(rv);
 }
 
 const SEC_ASN1Template SEC_CertSequenceTemplate[] = {
     { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN, 0, SEC_ASN1_SUB(SEC_AnyTemplate) }
 };
 
-SECStatus
+static SECStatus
 SEC_ReadCertSequence(SECItem *certsItem, CERTImportCertificateFunc f, void *arg)
 {
     SECStatus rv;
     SECItem **certs;
     int count;
     SECItem **rawCerts = NULL;
     PRArenaPool *arena;
-    SEC_PKCS7ContentInfo *contentInfo = NULL;
+    ContentInfo contentInfo;
 
     arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) {
+    if ( arena == NULL ) {
 	return SECFailure;
     }
 
-    contentInfo = SEC_PKCS7DecodeItem(certsItem, NULL, NULL, NULL, NULL, NULL, 
-				      NULL, NULL);
-    if ( contentInfo == NULL ) {
+    PORT_Memset(&contentInfo, 0, sizeof(contentInfo));
+    rv = SEC_ASN1DecodeItem(arena, &contentInfo, ContentInfoTemplate,
+			    certsItem);
+    if ( rv != SECSuccess ) {
 	goto loser;
     }
 
-    if ( SEC_PKCS7ContentType (contentInfo) != SEC_OID_NS_TYPE_CERT_SEQUENCE ) {
+    if ( GetContentTypeTag(&contentInfo) != SEC_OID_NS_TYPE_CERT_SEQUENCE ) {
 	goto loser;
     }
 
-
     rv = SEC_QuickDERDecodeItem(arena, &rawCerts, SEC_CertSequenceTemplate,
-		    contentInfo->content.data);
+		    contentInfo.content.data);
 
     if (rv != SECSuccess) {
 	goto loser;
     }
 
     certs = rawCerts;
     if ( certs ) {
 	count = 0;
@@ -106,20 +216,16 @@ SEC_ReadCertSequence(SECItem *certsItem,
     
     rv = SECSuccess;
     
     goto done;
 loser:
     rv = SECFailure;
     
 done:
-    if ( contentInfo ) {
-	SEC_PKCS7DestroyContentInfo(contentInfo);
-    }
-
     if ( arena ) {
 	PORT_FreeArena(arena, PR_FALSE);
     }
     
     return(rv);
 }
 
 CERTCertificate *
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -299,20 +299,24 @@ static const struct mechanismList mechan
      /* -------------------- Diffie Hellman Operations --------------------- */
      /* no diffie hellman yet */
      {CKM_DH_PKCS_KEY_PAIR_GEN,	{DH_MIN_P_BITS, DH_MAX_P_BITS, 
 				 CKF_GENERATE_KEY_PAIR}, PR_TRUE}, 
      {CKM_DH_PKCS_DERIVE,	{DH_MIN_P_BITS, DH_MAX_P_BITS,
 				 CKF_DERIVE}, 	PR_TRUE}, 
 #ifdef NSS_ENABLE_ECC
      /* -------------------- Elliptic Curve Operations --------------------- */
-     {CKM_EC_KEY_PAIR_GEN,      {112, 571, CKF_GENERATE_KEY_PAIR|CKF_EC_BPNU}, PR_TRUE}, 
-     {CKM_ECDH1_DERIVE,         {112, 571, CKF_DERIVE|CKF_EC_BPNU}, PR_TRUE}, 
-     {CKM_ECDSA,                {112, 571, CKF_SN_VR|CKF_EC_BPNU}, PR_TRUE}, 
-     {CKM_ECDSA_SHA1,           {112, 571, CKF_SN_VR|CKF_EC_BPNU}, PR_TRUE}, 
+     {CKM_EC_KEY_PAIR_GEN,      {EC_MIN_KEY, EC_MAX_KEY, 
+				 CKF_GENERATE_KEY_PAIR|CKF_EC_BPNU}, PR_TRUE}, 
+     {CKM_ECDH1_DERIVE,         {EC_MIN_KEY, EC_MAX_KEY,
+				 CKF_DERIVE|CKF_EC_BPNU}, PR_TRUE}, 
+     {CKM_ECDSA,                {EC_MIN_KEY, EC_MAX_KEY,
+				 CKF_SN_VR|CKF_EC_BPNU}, PR_TRUE}, 
+     {CKM_ECDSA_SHA1,           {EC_MIN_KEY, EC_MAX_KEY,
+				 CKF_SN_VR|CKF_EC_BPNU}, PR_TRUE}, 
 #endif /* NSS_ENABLE_ECC */
      /* ------------------------- RC2 Operations --------------------------- */
      {CKM_RC2_KEY_GEN,		{1, 128, CKF_GENERATE},		PR_TRUE},
      {CKM_RC2_ECB,		{1, 128, CKF_EN_DE_WR_UN},	PR_TRUE},
      {CKM_RC2_CBC,		{1, 128, CKF_EN_DE_WR_UN},	PR_TRUE},
      {CKM_RC2_MAC,		{1, 128, CKF_SN_VR},		PR_TRUE},
      {CKM_RC2_MAC_GENERAL,	{1, 128, CKF_SN_VR},		PR_TRUE},
      {CKM_RC2_CBC_PAD,		{1, 128, CKF_EN_DE_WR_UN},	PR_TRUE},
--- a/security/nss/lib/ssl/derive.c
+++ b/security/nss/lib/ssl/derive.c
@@ -759,18 +759,19 @@ SSL_CanBypass(CERTCertificate *cert, SEC
 
 		signatureKeyStrength =
 		    SSL_RSASTRENGTH_TO_ECSTRENGTH(serverKeyStrengthInBits);
 
 		if ( requiredECCbits > signatureKeyStrength ) 
 		     requiredECCbits = signatureKeyStrength;
 
 		ec_curve =
-		    ssl3_GetCurveWithECKeyStrength(SSL3_SUPPORTED_CURVES_MASK,
-						   requiredECCbits);
+		    ssl3_GetCurveWithECKeyStrength(
+					ssl3_GetSupportedECCCurveMask(NULL),
+				  	requiredECCbits);
 		rv = ssl3_ECName2Params(NULL, ec_curve, &ecParams);
 		if (rv == SECFailure) {
 		    break;
 		}
 		pecParams = &ecParams;
 	    }
 
 	    if (testecdhe) {
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -10464,17 +10464,17 @@ ssl3_InitState(sslSocket *ss)
     ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0];
     ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1];
     ss->ssl3.hs.sendingSCSV = PR_FALSE;
     ssl3_InitCipherSpec(ss, ss->ssl3.crSpec);
     ssl3_InitCipherSpec(ss, ss->ssl3.prSpec);
 
     ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello;
 #ifdef NSS_ENABLE_ECC
-    ss->ssl3.hs.negotiatedECCurves = SSL3_SUPPORTED_CURVES_MASK;
+    ss->ssl3.hs.negotiatedECCurves = ssl3_GetSupportedECCCurveMask(ss);
 #endif
     ssl_ReleaseSpecWriteLock(ss);
 
     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
 
     if (IS_DTLS(ss)) {
 	ss->ssl3.hs.sendMessageSeq = 0;
 	ss->ssl3.hs.recvMessageSeq = 0;
--- a/security/nss/lib/ssl/ssl3ecc.c
+++ b/security/nss/lib/ssl/ssl3ecc.c
@@ -955,84 +955,135 @@ ssl3_FilterECCipherSuitesByServerCerts(s
 }
 
 /* Ask: is ANY ECC cipher suite enabled on this socket? */
 /* Order(N^2).  Yuk.  Also, this ignores export policy. */
 PRBool
 ssl3_IsECCEnabled(sslSocket * ss)
 {
     const ssl3CipherSuite * suite;
+    PK11SlotInfo *slot;
 
+    /* make sure we can do ECC */
+    slot = PK11_GetBestSlot(CKM_ECDH1_DERIVE,  ss->pkcs11PinArg);
+    if (!slot) {
+	return PR_FALSE;
+    }
+    PK11_FreeSlot(slot);
+
+    /* make sure an ECC cipher is enabled */
     for (suite = ecSuites; *suite; ++suite) {
 	PRBool    enabled = PR_FALSE;
 	SECStatus rv      = ssl3_CipherPrefGet(ss, *suite, &enabled);
 
 	PORT_Assert(rv == SECSuccess); /* else is coding error */
 	if (rv == SECSuccess && enabled)
 	    return PR_TRUE;
     }
     return PR_FALSE;
 }
 
 #define BE(n) 0, n
 
-#ifndef NSS_ECC_MORE_THAN_SUITE_B
 /* Prefabricated TLS client hello extension, Elliptic Curves List,
  * offers only 3 curves, the Suite B curves, 23-25 
  */
-static const PRUint8 EClist[12] = {
+static const PRUint8 suiteBECList[12] = {
     BE(10),         /* Extension type */
     BE( 8),         /* octets that follow ( 3 pairs + 1 length pair) */
     BE( 6),         /* octets that follow ( 3 pairs) */
     BE(23), BE(24), BE(25)
 };
-#else
+
 /* Prefabricated TLS client hello extension, Elliptic Curves List,
  * offers curves 1-25.
  */
-static const PRUint8 EClist[56] = {
+static const PRUint8 tlsECList[56] = {
     BE(10),         /* Extension type */
     BE(52),         /* octets that follow (25 pairs + 1 length pair) */
     BE(50),         /* octets that follow (25 pairs) */
             BE( 1), BE( 2), BE( 3), BE( 4), BE( 5), BE( 6), BE( 7), 
     BE( 8), BE( 9), BE(10), BE(11), BE(12), BE(13), BE(14), BE(15), 
     BE(16), BE(17), BE(18), BE(19), BE(20), BE(21), BE(22), BE(23), 
     BE(24), BE(25)
 };
-#endif
 
 static const PRUint8 ECPtFmt[6] = {
     BE(11),         /* Extension type */
     BE( 2),         /* octets that follow */
              1,     /* octets that follow */
                  0  /* uncompressed type only */
 };
 
+/* This function already presumes we can do ECC, ssl_IsECCEnabled must be
+ * called before this function. It looks to see if we have a token which
+ * is capable of doing smaller than SuiteB curves. If the token can, we
+ * presume the token can do the whole SSL suite of curves. If it can't we
+ * presume the token that allowed ECC to be enabled can only do suite B
+ * curves. */
+static PRBool
+ssl3_SuiteBOnly(sslSocket *ss)
+{
+    /* look to see if we can handle certs less than 163 bits */
+    PK11SlotInfo *slot =
+	PK11_GetBestSlotWithAttributes(CKM_ECDH1_DERIVE, 0, 163,
+					ss ? ss->pkcs11PinArg : NULL);
+
+    if (!slot) {
+	/* nope, presume we can only do suite B */
+	return PR_TRUE;
+    }
+    /* we can, presume we can do all curves */
+    PK11_FreeSlot(slot);
+    return PR_FALSE;
+}
+
 /* Send our "canned" (precompiled) Supported Elliptic Curves extension,
  * which says that we support all TLS-defined named curves.
  */
 PRInt32
 ssl3_SendSupportedCurvesXtn(
 			sslSocket * ss,
 			PRBool      append,
 			PRUint32    maxBytes)
 {
+    int ECListSize = 0;
+    const PRUint8 *ECList = NULL;
+
     if (!ss || !ssl3_IsECCEnabled(ss))
     	return 0;
-    if (append && maxBytes >= (sizeof EClist)) {
-	SECStatus rv = ssl3_AppendHandshake(ss, EClist, (sizeof EClist));
+
+    if (ssl3_SuiteBOnly(ss)) {
+	ECListSize = sizeof (suiteBECList);
+	ECList = suiteBECList;
+    } else {
+	ECListSize = sizeof (tlsECList);
+	ECList = tlsECList;
+    }
+ 
+    if (append && maxBytes >= ECListSize) {
+	SECStatus rv = ssl3_AppendHandshake(ss, ECList, ECListSize);
 	if (rv != SECSuccess)
 	    return -1;
 	if (!ss->sec.isServer) {
 	    TLSExtensionData *xtnData = &ss->xtnData;
 	    xtnData->advertised[xtnData->numAdvertised++] =
 		ssl_elliptic_curves_xtn;
 	}
     }
-    return (sizeof EClist);
+    return ECListSize;
+}
+
+PRInt32
+ssl3_GetSupportedECCCurveMask(sslSocket *ss)
+{
+    if (ssl3_SuiteBOnly(ss)) {
+	return SSL3_SUITE_B_SUPPORTED_CURVES_MASK;
+    }
+    return SSL3_ALL_SUPPORTED_CURVES_MASK;
 }
 
 /* Send our "canned" (precompiled) Supported Point Formats extension,
  * which says that we only support uncompressed points.
  */
 PRInt32
 ssl3_SendSupportedPointFormatsXtn(
 			sslSocket * ss,
--- a/security/nss/lib/ssl/sslimpl.h
+++ b/security/nss/lib/ssl/sslimpl.h
@@ -136,21 +136,19 @@ typedef enum { SSLAppOpRead = 0,
 #define SSL_NUM_WRAP_MECHS              16
 
 /* This makes the cert cache entry exactly 4k. */
 #define SSL_MAX_CACHED_CERT_LEN		4060
 
 #define NUM_MIXERS                      9
 
 /* Mask of the 25 named curves we support. */
-#ifndef NSS_ECC_MORE_THAN_SUITE_B
-#define SSL3_SUPPORTED_CURVES_MASK 0x3800000	/* only 3 curves, suite B*/
-#else
-#define SSL3_SUPPORTED_CURVES_MASK 0x3fffffe
-#endif
+#define SSL3_ALL_SUPPORTED_CURVES_MASK 0x3fffffe
+/* only 3 curves, suite B*/
+#define SSL3_SUITE_B_SUPPORTED_CURVES_MASK 0x3800000
 
 #ifndef BPB
 #define BPB 8 /* Bits Per Byte */
 #endif
 
 #define EXPORT_RSA_KEY_LENGTH 64	/* bytes */
 
 #define INITIAL_DTLS_TIMEOUT_MS   1000  /* Default value from RFC 4347 = 1s*/
@@ -1488,16 +1486,18 @@ int ssl3_GatherCompleteHandshake(sslSock
  */
 extern SECStatus ssl3_CreateRSAStepDownKeys(sslSocket *ss);
 
 #ifdef NSS_ENABLE_ECC
 extern void      ssl3_FilterECCipherSuitesByServerCerts(sslSocket *ss);
 extern PRBool    ssl3_IsECCEnabled(sslSocket *ss);
 extern SECStatus ssl3_DisableECCSuites(sslSocket * ss, 
                                        const ssl3CipherSuite * suite);
+extern PRInt32   ssl3_GetSupportedECCCurveMask(sslSocket *ss);
+
 
 /* Macro for finding a curve equivalent in strength to RSA key's */
 #define SSL_RSASTRENGTH_TO_ECSTRENGTH(s) \
         ((s <= 1024) ? 160 \
 	  : ((s <= 2048) ? 224 \
 	    : ((s <= 3072) ? 256 \
 	      : ((s <= 7168) ? 384 : 521 ) ) ) )
 
--- a/security/nss/lib/ssl/sslsnce.c
+++ b/security/nss/lib/ssl/sslsnce.c
@@ -2022,17 +2022,17 @@ ssl_GetSessionTicketKeysPKCS11(SECKEYPri
 
 PRBool
 ssl_GetSessionTicketKeys(unsigned char *keyName, unsigned char *encKey,
                          unsigned char *macKey)
 {
     PRBool rv = PR_FALSE;
     PRUint32 now = 0;
     cacheDesc *cache = &globalCache;
-    uint8 ticketMacKey[AES_256_KEY_LENGTH], ticketEncKey[SHA256_LENGTH];
+    uint8 ticketMacKey[SHA256_LENGTH], ticketEncKey[AES_256_KEY_LENGTH];
     uint8 ticketKeyNameSuffixLocal[SESS_TICKET_KEY_VAR_NAME_LEN];
     uint8 *ticketMacKeyPtr, *ticketEncKeyPtr, *ticketKeyNameSuffix;
     PRBool cacheIsEnabled = PR_TRUE;
 
     if (!cache->cacheMem) { /* cache is uninitialized */
         cacheIsEnabled = PR_FALSE;
         ticketKeyNameSuffix = ticketKeyNameSuffixLocal;
         ticketEncKeyPtr = ticketEncKey;
--- a/security/nss/lib/util/secoid.c
+++ b/security/nss/lib/util/secoid.c
@@ -267,16 +267,17 @@ CONST_OID x520StateOrProvinceName[]     
 CONST_OID x520StreetAddress[]                   = { X520_ATTRIBUTE_TYPE, 9 };
 CONST_OID x520OrgName[]                         = { X520_ATTRIBUTE_TYPE, 10 };
 CONST_OID x520OrgUnitName[]                     = { X520_ATTRIBUTE_TYPE, 11 };
 CONST_OID x520Title[]                           = { X520_ATTRIBUTE_TYPE, 12 };
 CONST_OID x520BusinessCategory[]                = { X520_ATTRIBUTE_TYPE, 15 };
 CONST_OID x520PostalAddress[]                   = { X520_ATTRIBUTE_TYPE, 16 };
 CONST_OID x520PostalCode[]                      = { X520_ATTRIBUTE_TYPE, 17 };
 CONST_OID x520PostOfficeBox[]                   = { X520_ATTRIBUTE_TYPE, 18 };
+CONST_OID x520Name[]                            = { X520_ATTRIBUTE_TYPE, 41 };
 CONST_OID x520GivenName[]                       = { X520_ATTRIBUTE_TYPE, 42 };
 CONST_OID x520Initials[]                        = { X520_ATTRIBUTE_TYPE, 43 };
 CONST_OID x520GenerationQualifier[]             = { X520_ATTRIBUTE_TYPE, 44 };
 CONST_OID x520DnQualifier[]                     = { X520_ATTRIBUTE_TYPE, 46 };
 CONST_OID x520HouseIdentifier[]                 = { X520_ATTRIBUTE_TYPE, 51 };
 CONST_OID x520Pseudonym[]                       = { X520_ATTRIBUTE_TYPE, 65 };
 
 CONST_OID nsTypeGIF[]          			= { NETSCAPE_DATA_TYPE, 0x01 };
@@ -1640,17 +1641,19 @@ const static SECOidData oids[SEC_OID_TOT
 	CKM_INVALID_MECHANISM /* not yet defined */, INVALID_CERT_EXTENSION),
     OD( nistDSASignaturewithSHA256Digest,
 	SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST,
 	"DSA with SHA-256 Signature",
 	CKM_INVALID_MECHANISM /* not yet defined */, INVALID_CERT_EXTENSION),
     OD( msExtendedKeyUsageTrustListSigning, 
         SEC_OID_MS_EXT_KEY_USAGE_CTL_SIGNING,
         "Microsoft Trust List Signing",
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION )
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( x520Name, SEC_OID_AVA_NAME,
+    	"X520 Name",    CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION )
 };
 
 /* PRIVATE EXTENDED SECOID Table
  * This table is private. Its structure is opaque to the outside.
  * It is indexed by the same SECOidTag as the oids table above.
  * Every member of this struct must have accessor functions (set, get)
  * and those functions must operate by value, not by reference.
  * The addresses of the contents of this table must not be exposed 
--- a/security/nss/lib/util/secoidt.h
+++ b/security/nss/lib/util/secoidt.h
@@ -437,16 +437,19 @@ typedef enum {
     SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST     = 315,
 
     /* Microsoft Trust List Signing
      * szOID_KP_CTL_USAGE_SIGNING 
      * where KP stands for Key Purpose
      */
     SEC_OID_MS_EXT_KEY_USAGE_CTL_SIGNING    = 316,
 
+    /* The 'name' attribute type in X.520 */
+    SEC_OID_AVA_NAME                        = 317,
+
     SEC_OID_TOTAL
 } SECOidTag;
 
 #define SEC_OID_SECG_EC_SECP192R1 SEC_OID_ANSIX962_EC_PRIME192V1
 #define SEC_OID_SECG_EC_SECP256R1 SEC_OID_ANSIX962_EC_PRIME256V1
 #define SEC_OID_PKCS12_KEY_USAGE  SEC_OID_X509_KEY_USAGE
 
 /* fake OID for DSS sign/verify */
--- a/security/nss/manifest.mn
+++ b/security/nss/manifest.mn
@@ -5,11 +5,9 @@
 CORE_DEPTH = .
 DEPTH      = .
 
 IMPORTS =	nspr20/v4.8 \
 		$(NULL)
 
 RELEASE = nss
 
-DIRS = lib cmd
-
-
+DIRS = coreconf lib cmd
old mode 100644
new mode 100755