Backed out changeset 2164277367cc (bug 1317947) for causing timeouts in devtools tests on a CLOSED TREE
authorCarsten "Tomcat" Book <cbook@mozilla.com>
Thu, 19 Jan 2017 10:08:33 +0100
changeset 330050 3112cbcca0f41c1fff13a287d71a61267111edbb
parent 330049 082be147ff94724672c59bb62ef47d8c086cd191
child 330051 fabf199ceca6940003982d6b66e588460dad86aa
child 330159 a3978751f45108ff1ae002ecebdc0fa23fc52b84
push id85881
push usercbook@mozilla.com
push dateThu, 19 Jan 2017 09:09:16 +0000
treeherdermozilla-inbound@3112cbcca0f4 [default view] [failures only]
bugs1317947
milestone53.0a1
backs out2164277367ccce620b9105aa9e8c2ea21fb3e22f
Backed out changeset 2164277367cc (bug 1317947) for causing timeouts in devtools tests on a CLOSED TREE
security/nss/TAG-INFO
security/nss/automation/taskcluster/docker-aarch64/Dockerfile
security/nss/automation/taskcluster/docker-aarch64/bin/checkout.sh
security/nss/automation/taskcluster/docker-aarch64/setup.sh
security/nss/automation/taskcluster/docker-fuzz/Dockerfile
security/nss/automation/taskcluster/docker-fuzz/setup.sh
security/nss/automation/taskcluster/docker/Dockerfile
security/nss/automation/taskcluster/docker/setup.sh
security/nss/automation/taskcluster/graph/src/extend.js
security/nss/automation/taskcluster/graph/src/try_syntax.js
security/nss/automation/taskcluster/scripts/build.sh
security/nss/automation/taskcluster/scripts/build_gyp.sh
security/nss/automation/taskcluster/scripts/extend_task_graph.sh
security/nss/automation/taskcluster/scripts/fuzz.sh
security/nss/automation/taskcluster/scripts/gen_certs.sh
security/nss/automation/taskcluster/scripts/run_clang_format.sh
security/nss/automation/taskcluster/scripts/run_scan_build.sh
security/nss/automation/taskcluster/scripts/run_tests.sh
security/nss/automation/taskcluster/scripts/tools.sh
security/nss/build.sh
security/nss/cmd/platlibs.gypi
security/nss/coreconf/config.gypi
security/nss/coreconf/coreconf.dep
security/nss/coreconf/fuzz.sh
security/nss/coreconf/nspr.sh
security/nss/coreconf/sanitizers.sh
security/nss/fuzz/cert_target.cc
security/nss/fuzz/clone_libfuzzer.sh
security/nss/fuzz/fuzz.gyp
security/nss/fuzz/initialize.cc
security/nss/fuzz/nssfuzz.cc
security/nss/fuzz/pkcs8_target.cc
security/nss/fuzz/quickder_targets.cc
security/nss/fuzz/registry.h
security/nss/fuzz/shared.h
security/nss/fuzz/spki_target.cc
security/nss/gtests/common/common.gyp
security/nss/gtests/common/gtest.gypi
security/nss/gtests/freebl_gtest/freebl_gtest.gyp
security/nss/gtests/freebl_gtest/mpi_unittest.cc
security/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc
security/nss/gtests/nss_bogo_shim/nss_bogo_shim.gyp
security/nss/gtests/ssl_gtest/manifest.mn
security/nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc
security/nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc
security/nss/gtests/ssl_gtest/ssl_gather_unittest.cc
security/nss/gtests/ssl_gtest/ssl_gtest.gyp
security/nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc
security/nss/lib/ckfw/builtins/certdata.txt
security/nss/lib/ckfw/builtins/nssckbi.h
security/nss/lib/cryptohi/dsautil.c
security/nss/lib/dev/devslot.c
security/nss/lib/freebl/Makefile
security/nss/lib/freebl/ec.c
security/nss/lib/freebl/ecl/README
security/nss/lib/freebl/ecl/tests/ec_naft.c
security/nss/lib/freebl/ecl/tests/ecp_test.c
security/nss/lib/freebl/freebl.gyp
security/nss/lib/freebl/os2_rand.c
security/nss/lib/freebl/sysrand.c
security/nss/lib/freebl/unix_rand.c
security/nss/lib/softoken/pkcs11c.c
security/nss/lib/ssl/SSLerrs.h
security/nss/lib/ssl/ssl3con.c
security/nss/lib/ssl/ssl3gthr.c
security/nss/lib/ssl/ssldef.c
security/nss/lib/ssl/sslerr.h
security/nss/lib/ssl/sslimpl.h
security/nss/lib/ssl/tls13con.c
security/nss/lib/ssl/tls13exthandle.c
security/nss/lib/util/nssutil.def
security/nss/lib/util/secasn1.h
security/nss/lib/util/secasn1d.c
security/nss/nss-tool/.clang-format
security/nss/nss-tool/common/argparse.cc
security/nss/nss-tool/common/argparse.h
security/nss/nss-tool/common/scoped_ptrs.h
security/nss/nss-tool/db/dbtool.cc
security/nss/nss-tool/db/dbtool.h
security/nss/nss-tool/nss_tool.cc
security/nss/nss-tool/nss_tool.gyp
security/nss/nss.gyp
security/nss/readme.md
security/nss/tests/all.sh
security/nss/tests/bogo/bogo.sh
security/nss/tests/interop/interop.sh
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-ea43fcc316e1
+6353ce63e18f
deleted file mode 100644
--- a/security/nss/automation/taskcluster/docker-aarch64/Dockerfile
+++ /dev/null
@@ -1,27 +0,0 @@
-FROM aarch64/ubuntu:xenial-20161213
-MAINTAINER Franziskus Kiefer <franziskuskiefer@gmail.com>
-
-RUN useradd -d /home/worker -s /bin/bash -m worker
-WORKDIR /home/worker
-
-# Add build and test scripts.
-ADD bin /home/worker/bin
-RUN chmod +x /home/worker/bin/*
-
-# Install dependencies.
-ADD setup.sh /tmp/setup.sh
-RUN bash /tmp/setup.sh
-
-# Env variables.
-ENV HOME /home/worker
-ENV SHELL /bin/bash
-ENV USER worker
-ENV LOGNAME worker
-ENV HOSTNAME taskcluster-worker
-ENV LANG en_US.UTF-8
-ENV LC_ALL en_US.UTF-8
-ENV HOST localhost
-ENV DOMSUF localdomain
-
-# Set a default command for debugging.
-CMD ["/bin/bash", "--login"]
deleted file mode 100755
--- a/security/nss/automation/taskcluster/docker-aarch64/bin/checkout.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/usr/bin/env bash
-
-set -v -e -x
-
-if [ $(id -u) = 0 ]; then
-    # Drop privileges by re-running this script.
-    exec su worker $0
-fi
-
-# Default values for testing.
-REVISION=${NSS_HEAD_REVISION:-default}
-REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
-
-# Clone NSS.
-for i in 0 2 5; do
-    sleep $i
-    hg clone -r $REVISION $REPOSITORY nss && exit 0
-    rm -rf nss
-done
-exit 1
deleted file mode 100755
--- a/security/nss/automation/taskcluster/docker-aarch64/setup.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/env bash
-
-set -v -e -x
-
-export DEBIAN_FRONTEND=noninteractive
-
-# Update.
-apt-get -y update
-apt-get -y dist-upgrade
-
-apt_packages=()
-apt_packages+=('build-essential')
-apt_packages+=('ca-certificates')
-apt_packages+=('curl')
-apt_packages+=('zlib1g-dev')
-apt_packages+=('gyp')
-apt_packages+=('ninja-build')
-apt_packages+=('mercurial')
-
-# Install packages.
-apt-get install -y --no-install-recommends ${apt_packages[@]}
-
-locale-gen en_US.UTF-8
-dpkg-reconfigure locales
-
-# Cleanup.
-rm -rf ~/.ccache ~/.cache
-apt-get autoremove -y
-apt-get clean
-apt-get autoclean
-rm $0
--- a/security/nss/automation/taskcluster/docker-fuzz/Dockerfile
+++ b/security/nss/automation/taskcluster/docker-fuzz/Dockerfile
@@ -7,27 +7,21 @@ WORKDIR /home/worker
 # Add build and test scripts.
 ADD bin /home/worker/bin
 RUN chmod +x /home/worker/bin/*
 
 # Install dependencies.
 ADD setup.sh /tmp/setup.sh
 RUN bash /tmp/setup.sh
 
-# Change user.
-USER worker
-
 # Env variables.
 ENV HOME /home/worker
 ENV SHELL /bin/bash
 ENV USER worker
 ENV LOGNAME worker
 ENV HOSTNAME taskcluster-worker
 ENV LANG en_US.UTF-8
 ENV LC_ALL en_US.UTF-8
 ENV HOST localhost
 ENV DOMSUF localdomain
 
-# LLVM 4.0
-ENV PATH "${PATH}:/home/worker/third_party/llvm-build/Release+Asserts/bin/"
-
 # Set a default command for debugging.
 CMD ["/bin/bash", "--login"]
--- a/security/nss/automation/taskcluster/docker-fuzz/setup.sh
+++ b/security/nss/automation/taskcluster/docker-fuzz/setup.sh
@@ -14,32 +14,40 @@ apt_packages+=('build-essential')
 apt_packages+=('ca-certificates')
 apt_packages+=('curl')
 apt_packages+=('git')
 apt_packages+=('gyp')
 apt_packages+=('ninja-build')
 apt_packages+=('pkg-config')
 apt_packages+=('zlib1g-dev')
 
+# ct-verif and sanitizers
+apt_packages+=('valgrind')
+
 # Latest Mercurial.
 apt_packages+=('mercurial')
 apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 41BD8711B1F0EC2B0D85B91CF59CE3A8323293EE
 echo "deb http://ppa.launchpad.net/mercurial-ppa/releases/ubuntu xenial main" > /etc/apt/sources.list.d/mercurial.list
 
 # Install packages.
 apt-get -y update
 apt-get install -y --no-install-recommends ${apt_packages[@]}
 
 # Install LLVM/clang-4.0.
 mkdir clang-tmp
 git clone -n --depth 1 https://chromium.googlesource.com/chromium/src/tools/clang clang-tmp/clang
 git -C clang-tmp/clang checkout HEAD scripts/update.py
 clang-tmp/clang/scripts/update.py
 rm -fr clang-tmp
 
+# Link to LLVM binaries.
+for b in clang clang++ llvm-symbolizer; do
+  ln -s /home/worker/third_party/llvm-build/Release+Asserts/bin/$b /usr/local/bin/$b
+done
+
 locale-gen en_US.UTF-8
 dpkg-reconfigure locales
 
 # Cleanup.
 rm -rf ~/.ccache ~/.cache
 apt-get autoremove -y
 apt-get clean
 apt-get autoclean
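Review bot: The added symlinks put `clang`, `clang++` and `llvm-symbolizer` in `/usr/local/bin` but point them into `/home/worker/third_party/...`, a tree under the home directory of the unprivileged `worker` account, which that account can presumably rename or replace. Because the fuzz Dockerfile in this same commit stops setting `USER worker`, tasks start as root, and anything root invokes by those names follows the link into that tree. Installing the toolchain under a root-owned prefix avoids this. Failing that, a comment above the loop such as `# Links resolve into worker's home; nothing that runs as root may call these binaries.` records the assumption.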
--- a/security/nss/automation/taskcluster/docker/Dockerfile
+++ b/security/nss/automation/taskcluster/docker/Dockerfile
@@ -7,27 +7,21 @@ WORKDIR /home/worker
 # Add build and test scripts.
 ADD bin /home/worker/bin
 RUN chmod +x /home/worker/bin/*
 
 # Install dependencies.
 ADD setup.sh /tmp/setup.sh
 RUN bash /tmp/setup.sh
 
-# Change user.
-USER worker
-
 # Env variables.
 ENV HOME /home/worker
 ENV SHELL /bin/bash
 ENV USER worker
 ENV LOGNAME worker
 ENV HOSTNAME taskcluster-worker
 ENV LANG en_US.UTF-8
 ENV LC_ALL en_US.UTF-8
 ENV HOST localhost
 ENV DOMSUF localdomain
 
-# Rust + Go
-ENV PATH "${PATH}:/home/worker/.cargo/bin/:/usr/lib/go-1.6/bin"
-
 # Set a default command for debugging.
 CMD ["/bin/bash", "--login"]
--- a/security/nss/automation/taskcluster/docker/setup.sh
+++ b/security/nss/automation/taskcluster/docker/setup.sh
@@ -44,21 +44,17 @@ echo "deb http://ppa.launchpad.net/ubunt
 # Install packages.
 apt-get -y update
 apt-get install -y --no-install-recommends ${apt_packages[@]}
 
 # 32-bit builds
 ln -s /usr/include/x86_64-linux-gnu/zconf.h /usr/include
 
 # Install clang-3.9 into /usr/local/.
-# FIXME: verify signature
-curl -L http://releases.llvm.org/3.9.0/clang+llvm-3.9.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz | tar xJv -C /usr/local --strip-components=1
-
-# Install latest Rust (stable).
-su worker -c "curl https://sh.rustup.rs -sSf | sh -s -- -y"
+curl http://llvm.org/releases/3.9.0/clang+llvm-3.9.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz | tar xJv -C /usr/local --strip-components=1
 
 locale-gen en_US.UTF-8
 dpkg-reconfigure locales
 
 # Cleanup.
 rm -rf ~/.ccache ~/.cache
 apt-get autoremove -y
 apt-get clean
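Review bot: The restored `curl http://llvm.org/releases/3.9.0/... | tar xJv -C /usr/local` line fetches the compiler over plain HTTP and unpacks it as root with no integrity check, so anyone able to alter that response controls the toolchain baked into the image and everything it builds. The commit also drops the `# FIXME: verify signature` reminder, so the gap is no longer recorded. Without `-f`, an HTTP error body is piped straight into tar as well. I would download to a temporary file, compare it against a pinned SHA-256 (or check the upstream signature) and only then extract; the sketch below assumes the release host serves the file over HTTPS.

```shell
# Install clang-3.9 into /usr/local/.
clang_url=https://releases.llvm.org/3.9.0/clang+llvm-3.9.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz
clang_tar=$(mktemp)
curl -fsSL -o "$clang_tar" "$clang_url"
# <PINNED_SHA256> is a placeholder: record the digest of a download you have verified.
echo "<PINNED_SHA256>  $clang_tar" | sha256sum -c -
tar xJf "$clang_tar" -C /usr/local --strip-components=1
rm -f "$clang_tar"
```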
--- a/security/nss/automation/taskcluster/graph/src/extend.js
+++ b/security/nss/automation/taskcluster/graph/src/extend.js
@@ -25,33 +25,28 @@ queue.filter(task => {
 
     // Remove extra builds w/o libpkix for non-linux64-debug.
     if (task.symbol == "noLibpkix" &&
         (task.platform != "linux64" || task.collection != "debug")) {
       return false;
     }
   }
 
-  if (task.tests == "bogo" || task.tests == "interop") {
-    // No windows
+  if (task.tests == "bogo") {
+    // No BoGo tests on Windows.
     if (task.platform == "windows2012-64") {
       return false;
     }
 
-    // No ARM
+    // No BoGo tests on ARM.
     if (task.collection == "arm-debug") {
       return false;
     }
   }
 
-  // Temporarily disable SSL tests on ARM.
-  if (task.tests == "ssl" && task.collection == "arm-debug") {
-    return false;
-  }
-
   // GYP builds with -Ddisable_libpkix=1 by default.
   if ((task.collection == "gyp" || task.collection == "gyp-asan") &&
       task.tests == "chains") {
     return false;
   }
 
   return true;
 });
@@ -363,17 +358,17 @@ async function scheduleTestBuilds() {
   };
 
   // Build base definition.
   let build = merge({
     command: [
       "/bin/bash",
       "-c",
       "bin/checkout.sh && " +
-      "nss/automation/taskcluster/scripts/build_gyp.sh -g -v --test --ct-verif"
+      "nss/automation/taskcluster/scripts/build_gyp.sh -g -v --test"
     ],
     artifacts: {
       public: {
         expires: 24 * 7,
         type: "directory",
         path: "/home/worker/artifacts"
       }
     },
@@ -472,19 +467,16 @@ function scheduleTests(task_build, task_
   let no_cert_base = merge(test_base, {parent: task_build});
   queue.scheduleTask(merge(no_cert_base, {
     name: "Gtests", symbol: "Gtest", tests: "ssl_gtests gtests", cycle: "standard"
   }));
   queue.scheduleTask(merge(no_cert_base, {
     name: "Bogo tests", symbol: "Bogo", tests: "bogo", cycle: "standard"
   }));
   queue.scheduleTask(merge(no_cert_base, {
-    name: "Interop tests", symbol: "Interop", tests: "interop", cycle: "standard"
-  }));
-  queue.scheduleTask(merge(no_cert_base, {
     name: "Chains tests", symbol: "Chains", tests: "chains"
   }));
   queue.scheduleTask(merge(no_cert_base, {
     name: "Cipher tests", symbol: "Cipher", tests: "cipher"
   }));
   queue.scheduleTask(merge(no_cert_base, {
     name: "EC tests", symbol: "EC", tests: "ec"
   }));
--- a/security/nss/automation/taskcluster/graph/src/try_syntax.js
+++ b/security/nss/automation/taskcluster/graph/src/try_syntax.js
@@ -29,17 +29,17 @@ function parseOptions(opts) {
   // If the given value is nonsense or "none" default to all platforms.
   if (platforms.length == 0 && opts.platform != "none") {
     platforms = allPlatforms;
   }
 
   // Parse unit tests.
   let aliases = {"gtests": "gtest"};
   let allUnitTests = ["bogo", "crmf", "chains", "cipher", "db", "ec", "fips",
-                      "gtest", "interop", "lowhash", "merge", "sdr", "smime", "tools",
+                      "gtest", "lowhash", "merge", "sdr", "smime", "tools",
                       "ssl", "mpi", "scert", "spki"];
   let unittests = intersect(opts.unittests.split(/\s*,\s*/).map(t => {
     return aliases[t] || t;
   }), allUnitTests);
 
   // If the given value is "all" run all tests.
   // If it's nonsense then don't run any tests.
   if (opts.unittests == "all") {
--- a/security/nss/automation/taskcluster/scripts/build.sh
+++ b/security/nss/automation/taskcluster/scripts/build.sh
@@ -1,13 +1,18 @@
 #!/usr/bin/env bash
 
-source $(dirname "$0")/tools.sh
+source $(dirname $0)/tools.sh
+
+if [[ $(id -u) -eq 0 ]]; then
+    # Drop privileges by re-running this script.
+    exec su worker $0
+fi
 
 # Clone NSPR if needed.
-hg_clone https://hg.mozilla.org/projects/nspr ./nspr default
+hg_clone https://hg.mozilla.org/projects/nspr nspr default
 
 # Build.
 make -C nss nss_build_all
 
 # Package.
 mkdir artifacts
 tar cvfjh artifacts/dist.tar.bz2 dist
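Review bot: The added root check is the only privilege drop left now that the Dockerfiles no longer set `USER worker`, yet `source $(dirname $0)/tools.sh` and `exec su worker $0` leave `$0` unquoted, so a script path containing whitespace breaks both the `source` and the re-exec. The same block is copied into each script with a different forwarding form: `$0` here and in extend_task_graph.sh, gen_certs.sh and run_tests.sh, `$0 "$@"` in run_clang_format.sh, `$0 $@` in run_scan_build.sh, and `-c "$0 $*"` in build_gyp.sh and fuzz.sh. Arguments therefore survive the re-exec differently depending on the entry point. I would at least quote here, `source "$(dirname "$0")/tools.sh"` and `exec su worker "$0"`. A comment such as `# Tasks start as root; this re-exec is the only privilege drop, keep it ahead of any build step.` would make the dependency visible.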
--- a/security/nss/automation/taskcluster/scripts/build_gyp.sh
+++ b/security/nss/automation/taskcluster/scripts/build_gyp.sh
@@ -1,13 +1,18 @@
 #!/usr/bin/env bash
 
-source $(dirname "$0")/tools.sh
+source $(dirname $0)/tools.sh
+
+if [[ $(id -u) -eq 0 ]]; then
+    # Drop privileges by re-running this script.
+    exec su worker -c "$0 $*"
+fi
 
 # Clone NSPR if needed.
-hg_clone https://hg.mozilla.org/projects/nspr ./nspr default
+hg_clone https://hg.mozilla.org/projects/nspr nspr default
 
 # Build.
-nss/build.sh -g -v "$@"
+nss/build.sh ${*--g -v}
 
 # Package.
 mkdir artifacts
 tar cvfjh artifacts/dist.tar.bz2 dist
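Review bot: `exec su worker -c "$0 $*"` flattens the arguments into a single string that the worker's shell parses a second time, so an argument containing spaces or shell metacharacters is re-split or interpreted as shell syntax instead of being passed through; fuzz.sh adds the identical line. The arguments presumably come from the task definition and are trusted today, but quoting them removes the dependency on that: `exec su worker -c "$(printf '%q ' "$0" "$@")"`. The build call `nss/build.sh ${*--g -v}` and, in fuzz.sh, `nssfuzz $*` word-split the same way. `(( $# )) || set -- -g -v` followed by `nss/build.sh "$@"` keeps the default without the unquoted expansion.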
--- a/security/nss/automation/taskcluster/scripts/extend_task_graph.sh
+++ b/security/nss/automation/taskcluster/scripts/extend_task_graph.sh
@@ -1,11 +1,16 @@
 #!/usr/bin/env bash
 
-source $(dirname "$0")/tools.sh
+set -v -e -x
+
+if [ $(id -u) = 0 ]; then
+    # Drop privileges by re-running this script.
+    exec su worker $0
+fi
 
 mkdir -p /home/worker/artifacts
 
 # Install Node.JS dependencies.
 cd nss/automation/taskcluster/graph/ && npm install
 
 # Extend the task graph.
 node lib/index.js
--- a/security/nss/automation/taskcluster/scripts/fuzz.sh
+++ b/security/nss/automation/taskcluster/scripts/fuzz.sh
@@ -1,21 +1,20 @@
 #!/usr/bin/env bash
 
-source $(dirname "$0")/tools.sh
+source $(dirname $0)/tools.sh
 
-type="$1"
-shift
+if [ $(id -u) = 0 ]; then
+    # Drop privileges by re-running this script.
+    exec su worker -c "$0 $*"
+fi
 
 # Fetch artifact if needed.
 fetch_dist
 
 # Clone corpus.
 ./nss/fuzz/clone_corpus.sh
 
-# Ensure we have a directory.
-mkdir -p nss/fuzz/corpus/$type
-
 # Fetch objdir name.
 objdir=$(cat dist/latest)
 
 # Run nssfuzz.
-LD_LIBRARY_PATH=$LD_LIBRARY_PATH:dist/$objdir/lib dist/$objdir/bin/nssfuzz-"$type" "$@"
+LD_LIBRARY_PATH=$LD_LIBRARY_PATH:dist/$objdir/lib dist/$objdir/bin/nssfuzz $*
--- a/security/nss/automation/taskcluster/scripts/gen_certs.sh
+++ b/security/nss/automation/taskcluster/scripts/gen_certs.sh
@@ -1,11 +1,21 @@
 #!/usr/bin/env bash
 
-source $(dirname "$0")/tools.sh
+set -v -e -x
+
+source $(dirname $0)/tools.sh
+
+if [ $(id -u) = 0 ]; then
+    # Stupid Docker.
+    echo "127.0.0.1 localhost.localdomain" >> /etc/hosts
+
+    # Drop privileges by re-running this script.
+    exec su worker $0
+fi
 
 # Fetch artifact if needed.
 fetch_dist
 
 # Generate certificates.
 NSS_TESTS=cert NSS_CYCLES="standard pkix sharedb" $(dirname $0)/run_tests.sh
 
 # Reset test counter so that test runs pick up our certificates.
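Review bot: The comment `# Stupid Docker.` does not say why `/etc/hosts` is edited, and the append runs as root on every invocation before privileges are dropped; run_tests.sh adds the same block. The Dockerfiles set `HOST localhost` and `DOMSUF localdomain`, so presumably the tests need `localhost.localdomain` to resolve. A comment like `# NSS tests connect to $HOST.$DOMSUF; make that name resolve inside the container.` would record that. Guarding the write with `grep -q 'localhost.localdomain' /etc/hosts || echo "127.0.0.1 localhost.localdomain" >> /etc/hosts` keeps repeated runs in one container from stacking duplicate entries. The script continues below the hunk.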
--- a/security/nss/automation/taskcluster/scripts/run_clang_format.sh
+++ b/security/nss/automation/taskcluster/scripts/run_clang_format.sh
@@ -1,11 +1,16 @@
 #!/usr/bin/env bash
 
-source $(dirname "$0")/tools.sh
+set -v -e -x
+
+if [ $(id -u) -eq 0 ]; then
+    # Drop privileges by re-running this script.
+    exec su worker $0 "$@"
+fi
 
 # Apply clang-format on the provided folder and verify that this doesn't change any file.
 # If any file differs after formatting, the script eventually exits with 1.
 # Any differences between formatted and unformatted files is printed to stdout to give a hint what's wrong.
 
 # Includes a default set of directories.
 
 if [ $# -gt 0 ]; then
@@ -36,17 +41,16 @@ else
          "$top/lib/sysinit" \
          "$top/lib/util" \
          "$top/gtests/common" \
          "$top/gtests/der_gtest" \
          "$top/gtests/freebl_gtest" \
          "$top/gtests/pk11_gtest" \
          "$top/gtests/ssl_gtest" \
          "$top/gtests/util_gtest" \
-         "$top/nss-tool" \
     )
 fi
 
 for dir in "${dirs[@]}"; do
     find "$dir" -type f \( -name '*.[ch]' -o -name '*.cc' \) -exec clang-format -i {} \+
 done
 
 TMPFILE=$(mktemp /tmp/$(basename $0).XXXXXX)
--- a/security/nss/automation/taskcluster/scripts/run_scan_build.sh
+++ b/security/nss/automation/taskcluster/scripts/run_scan_build.sh
@@ -1,15 +1,20 @@
 #!/usr/bin/env bash
 
-source $(dirname "$0")/tools.sh
+source $(dirname $0)/tools.sh
+
+if [ $(id -u) = 0 ]; then
+    # Drop privileges by re-running this script.
+    exec su worker $0 $@
+fi
 
 # Clone NSPR if needed.
 if [ ! -d "nspr" ]; then
-    hg_clone https://hg.mozilla.org/projects/nspr ./nspr default
+    hg_clone https://hg.mozilla.org/projects/nspr nspr default
 fi
 
 # Build.
 cd nss
 make nss_build_all
 
 # What we want to scan.
 # key: directory to scan
--- a/security/nss/automation/taskcluster/scripts/run_tests.sh
+++ b/security/nss/automation/taskcluster/scripts/run_tests.sh
@@ -1,9 +1,17 @@
 #!/usr/bin/env bash
 
-source $(dirname "$0")/tools.sh
+source $(dirname $0)/tools.sh
+
+if [ $(id -u) = 0 ]; then
+    # Stupid Docker.
+    echo "127.0.0.1 localhost.localdomain" >> /etc/hosts
+
+    # Drop privileges by re-running this script.
+    exec su worker $0
+fi
 
 # Fetch artifact if needed.
 fetch_dist
 
 # Run tests.
 cd nss/tests && ./all.sh
--- a/security/nss/automation/taskcluster/scripts/tools.sh
+++ b/security/nss/automation/taskcluster/scripts/tools.sh
@@ -1,27 +1,17 @@
 #!/usr/bin/env bash
 
 set -v -e -x
 
-if [[ $(id -u) -eq 0 ]]; then
-    # Drop privileges by re-running this script.
-    # Note: this mangles arguments, better to avoid running scripts as root.
-    exec su worker -c "$0 $*"
-fi
-
 # Usage: hg_clone repo dir [revision=@]
 hg_clone() {
     repo=$1
     dir=$2
     rev=${3:-@}
-    if [ -d "$dir" ]; then
-        hg pull -R "$dir" -ur "$rev" "$repo" && return
-        rm -rf "$dir"
-    fi
     for i in 0 2 5; do
         sleep $i
         hg clone -r "$rev" "$repo" "$dir" && return
         rm -rf "$dir"
     done
     exit 1
 }
 
--- a/security/nss/build.sh
+++ b/security/nss/build.sh
@@ -1,213 +1,221 @@
 #!/usr/bin/env bash
 # This script builds NSS with gyp and ninja.
 #
 # This build system is still under development.  It does not yet support all
 # the features or platforms that NSS supports.
 
 set -e
 
-cwd=$(cd $(dirname $0); pwd -P)
-source "$cwd"/coreconf/nspr.sh
-source "$cwd"/coreconf/sanitizers.sh
+source $(dirname $0)/coreconf/nspr.sh
 
 # Usage info
-show_help()
-{
-    cat << EOF
-Usage: ${0##*/} [-hcv] [-j <n>] [--nspr] [--gyp|-g] [--opt|-o] [-m32]
-                [--test] [--fuzz] [--pprof] [--scan-build[=output]]
-                [--asan] [--ubsan] [--msan] [--sancov[=edge|bb|func|...]]
+show_help() {
+cat << EOF
+
+Usage: ${0##*/} [-hcgv] [-j <n>] [--test] [--fuzz] [--scan-build[=output]]
+                [-m32] [--opt|-o] [--asan] [--ubsan] [--sancov[=edge|bb|func|...]]
+                [--pprof] [--msan]
 
 This script builds NSS with gyp and ninja.
 
 This build system is still under development.  It does not yet support all
 the features or platforms that NSS supports.
 
 NSS build tool options:
 
-    -h               display this help and exit
-    -c               clean before build
-    -v               verbose build
-    -j <n>           run at most <n> concurrent jobs
-    --nspr           force a rebuild of NSPR
-    --gyp|-g         force a rerun of gyp
-    --opt|-o         do an opt build
-    -m32             do a 32-bit build on a 64-bit system
-    --test           ignore map files and export everything we have
-    --fuzz           enable fuzzing mode. this always enables test builds
-    --pprof          build with gperftool support
-    --ct-verif       build with valgrind for ct-verif
-    --scan-build     run the build with scan-build (scan-build has to be in the path)
-                     --scan-build=/out/path sets the output path for scan-build
-    --asan           do an asan build
-    --ubsan          do an ubsan build
-                     --ubsan=bool,shift,... sets specific UB sanitizers
-    --msan           do an msan build
-    --sancov         do sanitize coverage builds
-                     --sancov=func sets coverage to function level for example
-    --disable-tests  don't build tests and corresponding cmdline utils
+    -h            display this help and exit
+    -c            clean before build
+    -g            force a rebuild of gyp (and NSPR, because why not)
+    -j <n>        run at most <n> concurrent jobs
+    -v            verbose build
+    -m32          do a 32-bit build on a 64-bit system
+    --test        ignore map files and export everything we have
+    --fuzz        enable fuzzing mode. this always enables test builds
+    --scan-build  run the build with scan-build (scan-build has to be in the path)
+                  --scan-build=/out/path sets the output path for scan-build
+    --opt|-o      do an opt build
+    --asan        do an asan build
+    --ubsan       do an ubsan build
+                  --ubsan=bool,shift,... sets specific UB sanitizers
+    --msan        do an msan build
+    --sancov      do sanitize coverage builds
+                  --sancov=func sets coverage to function level for example
+    --pprof       build with gperftool support
 EOF
 }
 
-run_verbose()
-{
-    if [ "$verbose" = 1 ]; then
-        echo "$@"
-        exec 3>&1
-    else
-        exec 3>/dev/null
-    fi
-    "$@" 1>&3 2>&3
-    exec 3>&-
-}
-
 if [ -n "$CCC" ] && [ -z "$CXX" ]; then
     export CXX="$CCC"
 fi
 
 opt_build=0
 build_64=0
 clean=0
 rebuild_gyp=0
-rebuild_nspr=0
 target=Debug
 verbose=0
 fuzz=0
+ubsan_default=bool,signed-integer-overflow,shift,vptr
 
-gyp_params=(--depth="$cwd" --generator-output=".")
-nspr_params=()
-ninja_params=()
+# parse parameters to store in config
+params=$(echo "$*" | perl -pe 's/-c|-v|-g|-j [0-9]*|-h//g' | perl -pe 's/^\s*(.*?)\s*$/\1/')
+params=$(echo "$params $CC $CCC" | tr " " "\n" | perl -pe 's/^\s*$//')
+params=$(echo "${params[*]}" | sort)
+
+cwd=$(cd $(dirname $0); pwd -P)
+dist_dir="$cwd/../dist"
 
 # try to guess sensible defaults
-arch=$(python "$cwd"/coreconf/detect_host_arch.py)
+arch=$(python "$cwd/coreconf/detect_host_arch.py")
 if [ "$arch" = "x64" -o "$arch" = "aarch64" ]; then
     build_64=1
 fi
 
+gyp_params=()
+ninja_params=()
+scanbuild=()
+
+sancov_default()
+{
+    clang_version=$($CC --version | grep -oE 'clang version (3\.9\.|4\.)')
+    if [ -z "$clang_version" ]; then
+        echo "Need at least clang-3.9 (better 4.0) for sancov." 1>&2
+        exit 1
+    fi
+
+    if [ "$clang_version" = "clang version 3.9." ]; then
+        echo edge,indirect-calls,8bit-counters
+    else
+        echo trace-pc-guard
+    fi
+}
+
+enable_fuzz()
+{
+    fuzz=1
+    nspr_sanitizer asan
+    nspr_sanitizer ubsan $ubsan_default
+    nspr_sanitizer sancov $(sancov_default)
+    gyp_params+=(-Duse_asan=1)
+    gyp_params+=(-Duse_ubsan=$ubsan_default)
+    gyp_params+=(-Duse_sancov=$(sancov_default))
+
+    # Adding debug symbols even for opt builds.
+    nspr_opt+=(--enable-debug-symbols)
+}
+
 # parse command line arguments
 while [ $# -gt 0 ]; do
     case $1 in
         -c) clean=1 ;;
-        --gyp|-g) rebuild_gyp=1 ;;
-        --nspr) nspr_clean; rebuild_nspr=1 ;;
+        -g) rebuild_gyp=1 ;;
         -j) ninja_params+=(-j "$2"); shift ;;
         -v) ninja_params+=(-v); verbose=1 ;;
         --test) gyp_params+=(-Dtest_build=1) ;;
-        --fuzz) fuzz=1 ;;
-        --scan-build) enable_scanbuild  ;;
-        --scan-build=?*) enable_scanbuild "${1#*=}" ;;
+        --fuzz) gyp_params+=(-Dtest_build=1 -Dfuzz=1); enable_fuzz ;;
+        --scan-build) scanbuild=(scan-build) ;;
+        --scan-build=?*) scanbuild=(scan-build -o "${1#*=}") ;;
         --opt|-o) opt_build=1 ;;
         -m32|--m32) build_64=0 ;;
-        --asan) enable_sanitizer asan ;;
-        --msan) enable_sanitizer msan ;;
-        --ubsan) enable_ubsan ;;
-        --ubsan=?*) enable_ubsan "${1#*=}" ;;
-        --sancov) enable_sancov ;;
-        --sancov=?*) enable_sancov "${1#*=}" ;;
+        --asan) gyp_params+=(-Duse_asan=1); nspr_sanitizer asan ;;
+        --ubsan) gyp_params+=(-Duse_ubsan=$ubsan_default); nspr_sanitizer ubsan $ubsan_default ;;
+        --ubsan=?*) gyp_params+=(-Duse_ubsan="${1#*=}"); nspr_sanitizer ubsan "${1#*=}" ;;
+        --sancov) gyp_params+=(-Duse_sancov=$(sancov_default)); nspr_sanitizer sancov $(sancov_default) ;;
+        --sancov=?*) gyp_params+=(-Duse_sancov="${1#*=}"); nspr_sanitizer sancov "${1#*=}" ;;
         --pprof) gyp_params+=(-Duse_pprof=1) ;;
-        --ct-verif) gyp_params+=(-Dct_verif=1) ;;
-        --disable-tests) gyp_params+=(-Ddisable_tests=1) ;;
-        *) show_help; exit 2 ;;
+        --msan) gyp_params+=(-Duse_msan=1); nspr_sanitizer msan ;;
+        *) show_help; exit ;;
     esac
     shift
 done
 
-if [ "$opt_build" = 1 ]; then
+if [ "$opt_build" = "1" ]; then
     target=Release
+    nspr_opt+=(--disable-debug --enable-optimize)
 else
     target=Debug
 fi
-if [ "$build_64" = 1 ]; then
-    nspr_params+=(--enable-64bit)
+if [ "$build_64" == "1" ]; then
+    nspr_opt+=(--enable-64bit)
 else
     gyp_params+=(-Dtarget_arch=ia32)
 fi
-if [ "$fuzz" = 1 ]; then
-    source "$cwd"/coreconf/fuzz.sh
+
+# clone fuzzing stuff
+if [ "$fuzz" = "1" ]; then
+    [ $verbose = 0 ] && exec 3>/dev/null || exec 3>&1
+
+    echo "[1/2] Cloning libFuzzer files ..."
+    $cwd/fuzz/clone_libfuzzer.sh 1>&3 2>&3
+
+    echo "[2/2] Cloning fuzzing corpus ..."
+    $cwd/fuzz/clone_corpus.sh 1>&3 2>&3
+
+    exec 3>&-
+fi
+
+# check if we have to rebuild gyp
+if [ "$params" != "$(cat $cwd/out/config 2>/dev/null)" -o "$rebuild_gyp" == 1 -o "$clean" == 1 ]; then
+    rebuild_gyp=1
+    rm -rf "$cwd/../nspr/$target" # force NSPR to rebuild
 fi
 
 # set paths
-target_dir="$cwd"/out/$target
-mkdir -p "$target_dir"
-dist_dir="$cwd"/../dist
-dist_dir=$(mkdir -p "$dist_dir"; cd "$dist_dir"; pwd -P)
-gyp_params+=(-Dnss_dist_dir="$dist_dir")
+target_dir="$cwd/out/$target"
+
+# get the realpath of $dist_dir
+dist_dir=$(mkdir -p $dist_dir; cd $dist_dir; pwd -P)
+
+# get object directory
+obj_dir="$dist_dir/$target"
+gyp_params+=(-Dnss_dist_dir=$dist_dir)
+gyp_params+=(-Dnss_dist_obj_dir=$obj_dir)
+gyp_params+=(-Dnspr_lib_dir=$obj_dir/lib)
+gyp_params+=(-Dnspr_include_dir=$obj_dir/include/nspr)
 
 # -c = clean first
 if [ "$clean" = 1 ]; then
-    nspr_clean
-    rm -rf "$cwd"/out
+    rm -rf "$cwd/out"
+    rm -rf "$cwd/../nspr/$target"
     rm -rf "$dist_dir"
 fi
 
-# This saves a canonical representation of arguments that we are passing to gyp
-# or the NSPR build so that we can work out if a rebuild is needed.
-# Caveat: This can fail for arguments that are position-dependent.
-# e.g., "-e 2 -f 1" and "-e 1 -f 2" canonicalize the same.
-check_config()
-{
-    local newconf="$1".new oldconf="$1"
-    shift
-    mkdir -p $(dirname "$newconf")
-    echo CC="$CC" >"$newconf"
-    echo CCC="$CCC" >>"$newconf"
-    for i in "$@"; do echo $i; done | sort >>"$newconf"
+# save the chosen target
+mkdir -p $dist_dir
+echo $target > $dist_dir/latest
 
-    # Note: The following diff fails if $oldconf isn't there as well, which
-    # happens if we don't have a previous successful build.
-    ! diff -q "$newconf" "$oldconf" >/dev/null 2>&1
-}
-
-gyp_config="$cwd"/out/gyp_config
-nspr_config="$cwd"/out/$target/nspr_config
-
-# If we don't have a build directory make sure that we rebuild.
-if [ ! -d "$target_dir" ]; then
-    rebuild_nspr=1
-    rebuild_gyp=1
-elif [ ! -d "$dist_dir"/$target ]; then
-    rebuild_nspr=1
-fi
+# pass on CC and CCC
+if [ "${#scanbuild[@]}" -gt 0 ]; then
+    if [ -n "$CC" ]; then
+       scanbuild+=(--use-cc="$CC")
+    fi
+    if [ -n "$CCC" ]; then
+       scanbuild+=(--use-c++="$CCC")
+    fi
+ fi
 
-if check_config "$nspr_config" "${nspr_params[@]}" \
-                 nspr_cflags="$nspr_cflags" \
-                 nspr_cxxflags="$nspr_cxxflags" \
-                 nspr_ldflags="$nspr_ldflags"; then
-    rebuild_nspr=1
-fi
-
-if check_config "$gyp_config" "${gyp_params[@]}"; then
-    rebuild_gyp=1
-fi
-
-# save the chosen target
-mkdir -p "$dist_dir"
-echo $target > "$dist_dir"/latest
+# These steps can take a while, so don't overdo them.
+# Force a redo with -g.
+if [ "$rebuild_gyp" = 1 -o ! -d "$target_dir" ]; then
+    build_nspr $verbose
 
-if [ "$rebuild_nspr" = 1 ]; then
-    nspr_build "${nspr_params[@]}"
-    mv -f "$nspr_config".new "$nspr_config"
-fi
-if [ "$rebuild_gyp" = 1 ]; then
+    # Run gyp.
+    [ $verbose = 1 ] && set -v -x
+    "${scanbuild[@]}" gyp -f ninja "${gyp_params[@]}" --depth="$cwd" \
+      --generator-output="." "$cwd/nss.gyp"
+    [ $verbose = 1 ] && set +v +x
 
-    # These extra arguments aren't used in determining whether to rebuild.
-    obj_dir="$dist_dir"/$target
-    gyp_params+=(-Dnss_dist_obj_dir=$obj_dir)
-    gyp_params+=(-Dnspr_lib_dir=$obj_dir/lib)
-    gyp_params+=(-Dnspr_include_dir=$obj_dir/include/nspr)
-
-    run_verbose run_scanbuild gyp -f ninja "${gyp_params[@]}" "$cwd"/nss.gyp
-
-    mv -f "$gyp_config".new "$gyp_config"
+    # Store used parameters for next run.
+    echo "$params" > "$cwd/out/config"
 fi
 
 # Run ninja.
-if hash ninja 2>/dev/null; then
-    ninja=ninja
-elif hash ninja-build 2>/dev/null; then
-    ninja=ninja-build
+if which ninja >/dev/null 2>&1; then
+    ninja=(ninja)
+elif which ninja-build >/dev/null 2>&1; then
+    ninja=(ninja-build)
 else
     echo "Please install ninja" 1>&2
     exit 1
 fi
-run_scanbuild $ninja -C "$target_dir" "${ninja_params[@]}"
+"${scanbuild[@]}" $ninja -C "$target_dir" "${ninja_params[@]}"
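Review bot: In the option loop the catch-all arm `*) show_help; exit ;;` exits with the status of `show_help`, which is 0, so a mistyped flag such as a misspelled sanitizer option makes the script report success without building anything; `*) show_help; exit 2 ;;` stops callers and CI from reading that as a pass. The `exit 1` in `sancov_default` has a related problem: the function is only called inside `$(...)`, as in `gyp_params+=(-Duse_sancov=$(sancov_default))`, so the exit ends just the subshell and the build continues with an empty `-Duse_sancov=` value. Capturing it first with `sancov=$(sancov_default) || exit 1` makes the unsupported-compiler case fatal as intended. With `CC` unset, `$CC --version` also tries to run `--version` as a command, so an explicit check for an empty `CC` would give a clearer error.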
--- a/security/nss/cmd/platlibs.gypi
+++ b/security/nss/cmd/platlibs.gypi
@@ -27,16 +27,18 @@
           '<(DEPTH)/lib/cryptohi/cryptohi.gyp:cryptohi',
           '<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap',
           '<(DEPTH)/lib/softoken/softoken.gyp:softokn',
           '<(DEPTH)/lib/certdb/certdb.gyp:certdb',
           '<(DEPTH)/lib/pki/pki.gyp:nsspki',
           '<(DEPTH)/lib/dev/dev.gyp:nssdev',
           '<(DEPTH)/lib/base/base.gyp:nssb',
           '<(DEPTH)/lib/freebl/freebl.gyp:freebl',
+          '<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap',
+          '<(DEPTH)/lib/certhigh/certhigh.gyp:certhi',
           '<(DEPTH)/lib/sqlite/sqlite.gyp:sqlite3',
         ],
         'conditions': [
           [ 'disable_dbm==0', {
             'dependencies': [
               '<(DEPTH)/lib/dbm/src/src.gyp:dbm',
               '<(DEPTH)/lib/softoken/legacydb/legacydb.gyp:nssdbm',
             ],
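Review bot: The added `'<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap'` entry is already present a few lines earlier in the same `dependencies` list, so it is either redundant or repeated on purpose for static link ordering. If the repetition is deliberate, a comment such as `# pk11wrap listed again for static link order` would keep it from being cleaned up later; otherwise only the `certhigh.gyp:certhi` line is needed. The enclosing list starts outside this hunk.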
--- a/security/nss/coreconf/config.gypi
+++ b/security/nss/coreconf/config.gypi
@@ -47,16 +47,17 @@
           #TODO
           'moz_debug_flags%': '',
           'dll_prefix': '',
           'dll_suffix': 'dll',
         }, {
           'use_system_zlib%': 1,
           'nspr_libs%': ['-lplds4', '-lplc4', '-lnspr4'],
           'zlib_libs%': ['-lz'],
+          'optimize_flags%': '-O2',
           'dll_prefix': 'lib',
           'conditions': [
             ['OS=="mac"', {
               'moz_debug_flags%': '-gdwarf-2 -gfull',
               'dll_suffix': 'dylib',
             }, {
               'moz_debug_flags%': '-gdwarf-2',
               'dll_suffix': 'so',
@@ -100,28 +101,25 @@
     'use_asan%': 0,
     'use_ubsan%': 0,
     'use_msan%': 0,
     'use_sancov%': 0,
     'test_build%': 0,
     'fuzz%': 0,
     'sign_libs%': 1,
     'use_pprof%': 0,
-    'ct_verif%': 0,
     'nss_public_dist_dir%': '<(nss_dist_dir)/public',
     'nss_private_dist_dir%': '<(nss_dist_dir)/private',
   },
   'target_defaults': {
     # Settings specific to targets should go here.
     # This is mostly for linking to libraries.
     'variables': {
       'mapfile%': '',
       'test_build%': 0,
-      'debug_optimization_level%': '0',
-      'release_optimization_level%': '2',
     },
     'standalone_static_library': 0,
     'include_dirs': [
       '<(nspr_include_dir)',
       '<(nss_dist_dir)/private/<(module)',
     ],
     'conditions': [
       [ 'OS!="android" and OS!="mac" and OS!="win"', {
@@ -130,21 +128,16 @@
         ],
       }],
       [ 'OS=="linux"', {
         'libraries': [
           '-ldl',
           '-lc',
         ],
       }],
-      [ 'use_asan==1 or use_ubsan!=0 or fuzz==1', {
-        'variables': {
-          'debug_optimization_level%': '1',
-        },
-      }],
     ],
     'target_conditions': [
       # If we want to properly export a static library, and copy it to lib,
       # we need to mark it as a 'standalone_static_library'. Otherwise,
       # the relative paths in the thin archive will break linking.
       [ '_type=="shared_library"', {
         'product_dir': '<(nss_dist_obj_dir)/lib'
       }, '_type=="executable"', {
@@ -348,16 +341,22 @@
               '<!@(<(python) <(DEPTH)/coreconf/werror.py)',
             ],
           }],
           [ 'fuzz==1', {
             'cflags': [
               '-Wno-unused-function',
             ]
           }],
+          [ 'fuzz==1 or use_asan==1 or use_ubsan!=0', {
+            'cflags': ['-O1'],
+            'xcode_settings': {
+              'GCC_OPTIMIZATION_LEVEL': '1', # -O1
+            }
+          }],
           [ 'use_asan==1', {
             'variables': {
               'asan_flags': '<!(<(python) <(DEPTH)/coreconf/sanitizers.py asan)',
               'no_ldflags': '<!(<(python) <(DEPTH)/coreconf/sanitizers.py ld)',
             },
             'cflags': ['<@(asan_flags)'],
             'ldflags': ['<@(asan_flags)'],
             'ldflags!': ['<@(no_ldflags)'],
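Review bot: The new `'fuzz==1 or use_asan==1 or use_ubsan!=0'` block adds `-O1` without saying how it interacts with the `'optimize_flags%': '-O2'` default added in the first hunk of this file. If both reach the compiler command line, the effective level depends on flag order, which this hunk does not show. A comment above the condition, e.g. `# Sanitizer and fuzz builds default to -O1; targets that need -O2 remove it with 'cflags!' (see fuzz/fuzz.gyp)`, would document the intended override. The enclosing `conditions` list starts and ends outside the hunk.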
@@ -468,16 +467,17 @@
                     'ImageHasSafeExceptionHandlers': 'false',
                   },
                   'VCCLCompilerTool': {
                     'PreprocessorDefinitions': [
                       'WIN32',
                     ],
                   },
                 },
+
               }],
               [ 'target_arch=="x64"', {
                 'msvs_configuration_platform': 'x64',
                 'msvs_settings': {
                   'VCLinkerTool': {
                     'TargetMachine': '17', # x86-64
                   },
                   'VCCLCompilerTool': {
@@ -510,48 +510,48 @@
             'cflags': [
               '-g',
               '<(moz_debug_flags)',
             ],
           }]
         ],
         #TODO: DEBUG_$USER
         'defines': ['DEBUG'],
-        'cflags': [ '-O<(debug_optimization_level)' ],
         'xcode_settings': {
           'COPY_PHASE_STRIP': 'NO',
-          'GCC_OPTIMIZATION_LEVEL': '<(debug_optimization_level)',
+          'GCC_OPTIMIZATION_LEVEL': '0',
           'GCC_GENERATE_DEBUGGING_SYMBOLS': 'YES',
         },
         'msvs_settings': {
           'VCCLCompilerTool': {
-            'Optimization': '<(debug_optimization_level)',
+            'Optimization': '0',
             'BasicRuntimeChecks': '3',
             'RuntimeLibrary': '2', # /MD
           },
           'VCLinkerTool': {
             'LinkIncremental': '1',
           },
           'VCResourceCompilerTool': {
             'PreprocessorDefinitions': ['DEBUG'],
           },
         },
       },
       # Common settings for release should go here.
       'Release': {
         'inherit_from': ['Common'],
-        'defines': ['NDEBUG'],
-        'cflags': [ '-O<(release_optimization_level)' ],
+        'defines': [
+          'NDEBUG',
+        ],
         'xcode_settings': {
           'DEAD_CODE_STRIPPING': 'YES',  # -Wl,-dead_strip
-          'GCC_OPTIMIZATION_LEVEL': '<(release_optimization_level)',
+          'GCC_OPTIMIZATION_LEVEL': '2', # -O2
         },
         'msvs_settings': {
           'VCCLCompilerTool': {
-            'Optimization': '<(release_optimization_level)',
+            'Optimization': '2', # /Os
             'RuntimeLibrary': '2', # /MD
           },
           'VCLinkerTool': {
             'LinkIncremental': '1',
           },
         },
       },
       'conditions': [
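Review bot: The comment on `'Optimization': '2', # /Os` in the Release `msvs_settings` does not match the value: for `VCCLCompilerTool`, `Optimization` 2 selects maximize-speed (`/O2`), not `/Os`. I would write `'Optimization': '2', # /O2`, which also agrees with the `# -O2` comment on `GCC_OPTIMIZATION_LEVEL` just above it. The same hunk removes the Debug `cflags` entry `-O<(debug_optimization_level)` with no replacement, so a short comment next to the hard-coded `'0'` values stating that other toolchains rely on the compiler default would help.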
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,9 +5,8 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
-
deleted file mode 100644
--- a/security/nss/coreconf/fuzz.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/usr/bin/env bash
-# This file is used by build.sh to setup fuzzing.
-
-gyp_params+=(-Dtest_build=1 -Dfuzz=1)
-enable_sanitizer asan
-enable_ubsan
-enable_sancov
-
-# Add debug symbols even for opt builds.
-nspr_params+=(--enable-debug-symbols)
-
-echo "fuzz [1/2] Cloning libFuzzer files ..."
-run_verbose "$cwd"/fuzz/clone_libfuzzer.sh
-
-echo "fuzz [2/2] Cloning fuzzing corpus ..."
-run_verbose  "$cwd"/fuzz/clone_corpus.sh
--- a/security/nss/coreconf/nspr.sh
+++ b/security/nss/coreconf/nspr.sh
@@ -1,52 +1,53 @@
 #!/usr/bin/env bash
 # This script builds NSPR for NSS.
 #
 # This build system is still under development.  It does not yet support all
 # the features or platforms that the regular NSPR build supports.
 
 # variables
+nspr_opt=()
 nspr_cflags=
 nspr_cxxflags=
 nspr_ldflags=
 
 # Try to avoid bmake on OS X and BSD systems
 if hash gmake 2>/dev/null; then
     make() { command gmake "$@"; }
 fi
 
 nspr_sanitizer()
 {
-    local extra=$(python $cwd/coreconf/sanitizers.py "$@")
-    nspr_cflags="$nspr_cflags $extra"
-    nspr_cxxflags="$nspr_cxxflags $extra"
-    nspr_ldflags="$nspr_ldflags $extra"
+    nspr_cflags="$nspr_cflags $(python $cwd/coreconf/sanitizers.py $1 $2)"
+    nspr_cxxflags="$nspr_cxxflags $(python $cwd/coreconf/sanitizers.py $1 $2)"
+    nspr_ldflags="$nspr_ldflags $(python $cwd/coreconf/sanitizers.py $1 $2)"
+}
+
+verbose()
+{
+    CFLAGS=$nspr_cflags CXXFLAGS=$nspr_cxxflags LDFLAGS=$nspr_ldflags \
+      CC=$CC CXX=$CCC ../configure "${nspr_opt[@]}" --prefix="$obj_dir"
+    make -C "$cwd/../nspr/$target"
+    make -C "$cwd/../nspr/$target" install
 }
 
-nspr_build()
+silent()
 {
-    local nspr_dir="$cwd"/../nspr/$target
-    mkdir -p "$nspr_dir"
-
-    # These NSPR options are directory-specific, so they don't need to be
-    # included in nspr_opt and changing them doesn't force a rebuild of NSPR.
-    extra_params=(--prefix="$dist_dir"/$target)
-    if [ "$opt_build" = 1 ]; then
-        extra_params+=(--disable-debug --enable-optimize)
-    fi
-
-    echo "NSPR [1/3] configure ..."
-    pushd "$nspr_dir" >/dev/null
-    CFLAGS="$nspr_cflags" CXXFLAGS="$nspr_cxxflags" \
-          LDFLAGS="$nspr_ldflags" CC="$CC" CXX="$CCC" \
-          run_verbose ../configure "${extra_params[@]}" "$@"
-    popd >/dev/null
-    echo "NSPR [2/3] make ..."
-    run_verbose make -C "$nspr_dir"
-    echo "NSPR [3/3] install ..."
-    run_verbose make -C "$nspr_dir" install
+    echo "[1/3] configure NSPR ..."
+    CFLAGS=$nspr_cflags CXXFLAGS=$nspr_cxxflags LDFLAGS=$nspr_ldflags \
+      CC=$CC CXX=$CCC ../configure "${nspr_opt[@]}" --prefix="$obj_dir" 1> /dev/null
+    echo "[2/3] make NSPR ..."
+    make -C "$cwd/../nspr/$target" 1> /dev/null
+    echo "[3/3] install NSPR ..."
+    make -C "$cwd/../nspr/$target" install 1> /dev/null
 }
 
-nspr_clean()
+build_nspr()
 {
-    rm -rf "$cwd"/../nspr/$target
+    mkdir -p "$cwd/../nspr/$target"
+    cd "$cwd/../nspr/$target"
+    if [ "$1" == 1 ]; then
+        verbose
+    else
+        silent
+    fi
 }
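Review bot: `build_nspr` does an unchecked `cd "$cwd/../nspr/$target"` and never changes back, so if `mkdir -p` or `cd` fails the relative `../configure` in `verbose`/`silent` runs from whatever directory the caller was in, and on success the caller is left inside the NSPR build directory. I would write `cd "$cwd/../nspr/$target" || exit 1`, or run the function body in a subshell so the caller's working directory is untouched. `verbose` and `silent` repeat the same three commands and differ only in `1> /dev/null`. `nspr_sanitizer` now invokes `sanitizers.py` three times with unquoted `$cwd`, `$1` and `$2`; capturing the output once in a `local` and quoting the arguments avoids the repeated work and the word splitting.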
deleted file mode 100644
--- a/security/nss/coreconf/sanitizers.sh
+++ /dev/null
@@ -1,67 +0,0 @@
-#!/usr/bin/env bash
-# This file is used by build.sh to setup sanitizers.
-
-# This tracks what sanitizers are enabled, and their options.
-declare -A sanitizers
-enable_sanitizer()
-{
-    local san="$1"
-    [ -n "${sanitizers[$san]}" ] && return
-    sanitizers[$san]="${2:-1}"
-    gyp_params+=(-Duse_"$san"="${2:-1}")
-    nspr_sanitizer "$san" "$2"
-}
-
-enable_sancov()
-{
-    local clang_version=$($CC --version | grep -oE 'clang version (3\.9\.|4\.)')
-    if [ -z "$clang_version" ]; then
-        echo "Need at least clang-3.9 (better 4.0) for sancov." 1>&2
-        exit 1
-    fi
-
-    local sancov
-    if [ -n "$1" ]; then
-        sancov="$1"
-    elif [ "$clang_version" = "clang version 3.9." ]; then
-        sancov=edge,indirect-calls,8bit-counters
-    else
-        sancov=trace-pc-guard,trace-cmp
-    fi
-    enable_sanitizer sancov "$sancov"
-}
-
-enable_ubsan()
-{
-    local ubsan
-    if [ -n "$1" ]; then
-        ubsan="$1"
-    else
-        ubsan=bool,signed-integer-overflow,shift,vptr
-    fi
-    enable_sanitizer ubsan "$ubsan"
-}
-
-# Not strictly a sanitizer, but the pattern fits
-scanbuild=()
-enable_scanbuild()
-{
-    [ "${#scanbuild[@]}" -gt 0 ] && return
-
-    scanbuild=(scan-build)
-    if [ -n "$1" ]; then
-        scanbuild+=(-o "$1")
-    fi
-    # pass on CC and CCC to scanbuild
-    if [ -n "$CC" ]; then
-        scanbuild+=(--use-cc="$CC")
-    fi
-    if [ -n "$CCC" ]; then
-        scanbuild+=(--use-c++="$CCC")
-    fi
-}
-
-run_scanbuild()
-{
-    "${scanbuild[@]}" "$@"
-}
deleted file mode 100644
--- a/security/nss/fuzz/cert_target.cc
+++ /dev/null
@@ -1,18 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "FuzzerInternal.h"
-#include "FuzzerRandom.h"
-#include "asn1_mutators.h"
-#include "shared.h"
-
-extern const uint16_t DEFAULT_MAX_LENGTH = 3072U;
-
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
-  CERTCertificate cert;
-  QuickDERDecode(&cert, SEC_SignedCertificateTemplate, Data, Size);
-  return 0;
-}
-
-ADD_CUSTOM_MUTATORS({&ASN1MutatorFlipConstructed, &ASN1MutatorChangeType})
--- a/security/nss/fuzz/clone_libfuzzer.sh
+++ b/security/nss/fuzz/clone_libfuzzer.sh
@@ -1,46 +1,22 @@
 #!/bin/sh
 
 d=$(dirname $0)
-$d/git-copy.sh https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer 33c20f597a2e312611d52677ff0fdd9335b485b7 $d/libFuzzer
+$d/git-copy.sh https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer 1b543d6e5073b56be214394890c9193979a3d7e1 $d/libFuzzer
 
-# [https://llvm.org/bugs/show_bug.cgi?id=31318]
-# This prevents a known buffer overrun that won't be fixed as the affected code
-# will go away in the near future. Until that is we have to patch it as we seem
-# to constantly run into it.
 cat <<EOF | patch -p0 -d $d
-diff --git libFuzzer/FuzzerLoop.cpp libFuzzer/FuzzerLoop.cpp
---- libFuzzer/FuzzerLoop.cpp
-+++ libFuzzer/FuzzerLoop.cpp
-@@ -472,6 +472,9 @@
-   uint8_t dummy;
-   ExecuteCallback(&dummy, 0);
-
-+  // Number of counters might have changed.
-+  PrepareCounters(&MaxCoverage);
-+
-   for (const auto &U : *InitialCorpus) {
-     if (size_t NumFeatures = RunOne(U)) {
-       CheckExitOnSrcPosOrItem();
-EOF
+diff --git libFuzzer/FuzzerMutate.cpp libFuzzer/FuzzerMutate.cpp
+--- libFuzzer/FuzzerMutate.cpp
++++ libFuzzer/FuzzerMutate.cpp
+@@ -53,10 +53,9 @@
+     DefaultMutators.push_back(
+         {&MutationDispatcher::Mutate_AddWordFromTORC, "CMP"});
 
-# Latest Libfuzzer uses __sanitizer_dump_coverage(), a symbol to be introduced
-# with LLVM 4.0. To keep our code working with LLVM 3.x to simplify development
-# of fuzzers we'll just provide it ourselves.
-cat <<EOF | patch -p0 -d $d
-diff --git libFuzzer/FuzzerTracePC.cpp libFuzzer/FuzzerTracePC.cpp
---- libFuzzer/FuzzerTracePC.cpp
-+++ libFuzzer/FuzzerTracePC.cpp
-@@ -24,6 +24,12 @@
- #include <set>
- #include <sstream>
++  Mutators = DefaultMutators;
+   if (EF->LLVMFuzzerCustomMutator)
+     Mutators.push_back({&MutationDispatcher::Mutate_Custom, "Custom"});
+-  else
+-    Mutators = DefaultMutators;
 
-+#if defined(__clang_major__) && (__clang_major__ == 3)
-+void __sanitizer_dump_coverage(const uintptr_t *pcs, uintptr_t len) {
-+  // SanCov in LLVM 4.x will provide this symbol. Make 3.x work.
-+}
-+#endif
-+
- namespace fuzzer {
-
- TracePC TPC;
+   if (EF->LLVMFuzzerCustomCrossOver)
+     Mutators.push_back(
 EOF
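Review bot: The here-document patch to `libFuzzer/FuzzerMutate.cpp` carries no comment explaining why the pinned checkout is modified, whereas both patches it replaces had one. From the patch body it makes `Mutators = DefaultMutators;` unconditional, so a custom mutator is added to the default set instead of replacing it; a line such as `# Keep libFuzzer's default mutators active when a custom mutator is defined.` above `cat <<EOF` would record that. The exit status of `$d/git-copy.sh` is also not checked, so a failed fetch still proceeds to `patch`; `set -e` near the top of the script would stop it there.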
--- a/security/nss/fuzz/fuzz.gyp
+++ b/security/nss/fuzz/fuzz.gyp
@@ -10,97 +10,73 @@
     {
       'target_name': 'libFuzzer',
       'type': 'static_library',
       'sources': [
         'libFuzzer/FuzzerCrossOver.cpp',
         'libFuzzer/FuzzerDriver.cpp',
         'libFuzzer/FuzzerExtFunctionsDlsym.cpp',
         'libFuzzer/FuzzerExtFunctionsWeak.cpp',
-        'libFuzzer/FuzzerExtFunctionsWeakAlias.cpp',
         'libFuzzer/FuzzerIO.cpp',
-        'libFuzzer/FuzzerIOPosix.cpp',
-        'libFuzzer/FuzzerIOWindows.cpp',
         'libFuzzer/FuzzerLoop.cpp',
-        'libFuzzer/FuzzerMain.cpp',
-        'libFuzzer/FuzzerMerge.cpp',
         'libFuzzer/FuzzerMutate.cpp',
         'libFuzzer/FuzzerSHA1.cpp',
         'libFuzzer/FuzzerTracePC.cpp',
         'libFuzzer/FuzzerTraceState.cpp',
         'libFuzzer/FuzzerUtil.cpp',
         'libFuzzer/FuzzerUtilDarwin.cpp',
         'libFuzzer/FuzzerUtilLinux.cpp',
-        'libFuzzer/FuzzerUtilPosix.cpp',
-        'libFuzzer/FuzzerUtilWindows.cpp',
+      ],
+      'cflags': [
+        '-O2',
+      ],
+      'cflags!': [
+        '-O1',
       ],
-      'direct_dependent_settings': {
-        'include_dirs': [
-          'libFuzzer',
+      'cflags/': [
+        ['exclude', '-fsanitize'],
+      ],
+      'xcode_settings': {
+        'GCC_OPTIMIZATION_LEVEL': '2', # -O2
+        'OTHER_CFLAGS/': [
+          ['exclude', '-fsanitize'],
         ],
-      }
+      },
     },
     {
-      'target_name': 'nssfuzz-cert',
+      'target_name': 'nssfuzz',
       'type': 'executable',
       'sources': [
         'asn1_mutators.cc',
-        'cert_target.cc',
-        'initialize.cc',
-      ],
-      'dependencies': [
-        '<(DEPTH)/exports.gyp:nss_exports',
-        'libFuzzer',
-      ],
-    },
-    {
-      'target_name': 'nssfuzz-pkcs8',
-      'type': 'executable',
-      'sources': [
-        'asn1_mutators.cc',
-        'initialize.cc',
+        'nssfuzz.cc',
         'pkcs8_target.cc',
+        'quickder_targets.cc',
       ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports',
         'libFuzzer',
       ],
-    },
-    {
-      'target_name': 'nssfuzz-spki',
-      'type': 'executable',
-      'sources': [
-        'asn1_mutators.cc',
-        'spki_target.cc',
-        'initialize.cc',
+      'cflags': [
+        '-O2',
+      ],
+      'cflags!': [
+        '-O1',
       ],
-      'dependencies': [
-        '<(DEPTH)/exports.gyp:nss_exports',
-        'libFuzzer',
+      'cflags/': [
+        ['exclude', '-fsanitize-coverage'],
       ],
-    },
-    {
-      'target_name': 'nssfuzz',
-      'type': 'none',
-      'dependencies': [
-        'nssfuzz-cert',
-        'nssfuzz-pkcs8',
-        'nssfuzz-spki',
-      ]
+      'xcode_settings': {
+        'GCC_OPTIMIZATION_LEVEL': '2', # -O2
+        'OTHER_CFLAGS/': [
+          ['exclude', '-fsanitize-coverage'],
+        ],
+      },
     }
   ],
   'target_defaults': {
-    'variables': {
-      'debug_optimization_level': '2',
-    },
-    'cflags/': [
-      ['exclude', '-fsanitize-coverage'],
+    'include_dirs': [
+      'libFuzzer',
     ],
-    'xcode_settings': {
-      'OTHER_CFLAGS/': [
-        ['exclude', '-fsanitize-coverage'],
-      ],
-    },
   },
   'variables': {
     'module': 'nss',
   }
 }
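Review bot: The `libFuzzer` target filters `cflags/` with `['exclude', '-fsanitize']` while `nssfuzz` uses `['exclude', '-fsanitize-coverage']`, and nothing states that the difference is intended. As far as I know gyp treats exclude patterns as regular expressions matched anywhere in the item, so the first form drops every `-fsanitize...` flag from libFuzzer and the second drops only coverage instrumentation from the driver. A comment on each, e.g. `# build libFuzzer itself without any sanitizer` and `# keep ASan/UBSan, drop only coverage instrumentation`, would make that explicit. The repeated `'cflags': ['-O2']` / `'cflags!': ['-O1']` pair could move into `target_defaults`.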
deleted file mode 100644
--- a/security/nss/fuzz/initialize.cc
+++ /dev/null
@@ -1,54 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include <string.h>
-#include <algorithm>
-#include <iostream>
-#include <vector>
-
-#include "assert.h"
-
-extern const uint16_t DEFAULT_MAX_LENGTH;
-
-const uint16_t MERGE_MAX_LENGTH = 50000U;
-
-extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) {
-  std::vector<std::string> args(*argv, *argv + *argc);
-
-  auto hasMaxLenArg = [](std::string &a) { return a.find("-max_len=") == 0; };
-
-  // Nothing to do if a max_len argument is given.
-  if (any_of(args.begin(), args.end(), hasMaxLenArg)) {
-    return 0;
-  }
-
-  auto hasMergeArg = [](std::string &a) { return a.find("-merge=1") == 0; };
-
-  uint16_t max_length = DEFAULT_MAX_LENGTH;
-
-  // Set specific max_len when merging.
-  if (any_of(args.begin(), args.end(), hasMergeArg)) {
-    max_length = MERGE_MAX_LENGTH;
-  }
-
-  std::cerr << "INFO: MaxLen: " << max_length << std::endl;
-  std::string param = "-max_len=" + std::to_string(max_length);
-
-  // Copy original arguments.
-  char **new_args = new char *[*argc + 1];
-  for (int i = 0; i < *argc; i++) {
-    new_args[i] = (*argv)[i];
-  }
-
-  // Append corpus max length.
-  size_t param_len = param.size() + 1;
-  new_args[*argc] = new char[param_len];
-  memcpy(new_args[*argc], param.c_str(), param_len);
-
-  // Update arguments.
-  (*argc)++;
-  *argv = new_args;
-
-  return 0;
-}
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/nssfuzz.cc
@@ -0,0 +1,163 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <iomanip>
+#include <iostream>
+
+#include "FuzzerInternal.h"
+#include "FuzzerMutate.h"
+#include "FuzzerRandom.h"
+#include "registry.h"
+#include "shared.h"
+
+using namespace std;
+
+static vector<Mutator> gMutators;
+
+class Args {
+ public:
+  Args(int argc, char **argv) : args_(argv, argv + argc) {}
+
+  string &operator[](const int idx) { return args_[idx]; }
+
+  bool Has(const string &arg) {
+    return any_of(args_.begin(), args_.end(),
+                  [&arg](string &a) { return a.find(arg) == 0; });
+  }
+
+  void Append(const string &arg) { args_.push_back(arg); }
+
+  void Remove(const int index) {
+    assert(index < count());
+    args_.erase(args_.begin() + index);
+  }
+
+  vector<char *> argv() {
+    vector<char *> out;
+    out.resize(count());
+
+    transform(args_.begin(), args_.end(), out.begin(),
+              [](string &a) { return const_cast<char *>(a.c_str()); });
+
+    return out;
+  }
+
+  size_t count() { return args_.size(); }
+
+ private:
+  vector<string> args_;
+};
+
+void printUsage(Args &args) {
+  size_t sep = args[0].rfind("/") + 1;
+  string progName = args[0].substr(sep);
+
+  cerr << progName << " - Various libFuzzer targets for NSS" << endl << endl;
+  cerr << "Usage: " << progName << " <target> <libFuzzer options>" << endl
+       << endl;
+  cerr << "Valid targets:" << endl;
+
+  vector<string> names = Registry::Names();
+
+  // Find length of the longest name.
+  size_t name_w =
+      max_element(names.begin(), names.end(), [](string &a, string &b) {
+        return a.size() < b.size();
+      })->size();
+
+  // Find length of the longest description.
+  auto max = max_element(names.begin(), names.end(), [](string &a, string &b) {
+    return Registry::Desc(a).size() < Registry::Desc(b).size();
+  });
+  size_t desc_w = Registry::Desc(*max).size();
+
+  // Print list of targets.
+  for (string name : names) {
+    cerr << "  " << left << setw(name_w) << name << " - " << setw(desc_w)
+         << Registry::Desc(name)
+         << " [default max_len=" << Registry::MaxLen(name) << "]" << endl;
+  }
+
+  // Some usage examples.
+  cerr << endl << "Run fuzzer with a given corpus directory:" << endl;
+  cerr << "  " << progName << " <target> /path/to/corpus" << endl;
+
+  cerr << endl << "Run fuzzer with a single test input:" << endl;
+  cerr << "  " << progName
+       << " <target> ./crash-14d4355b971092e39572bc306a135ddf9f923e19" << endl;
+
+  cerr << endl
+       << "Specify the number of cores you wish to dedicate to fuzzing:"
+       << endl;
+  cerr << "  " << progName << " <target> -jobs=8 -workers=8 /path/to/corpus"
+       << endl;
+
+  cerr << endl << "Override the maximum length of a test input:" << endl;
+  cerr << "  " << progName << " <target> -max_len=2048 /path/to/corpus" << endl;
+
+  cerr << endl
+       << "Minimize a given corpus and put the result into 'new_corpus':"
+       << endl;
+  cerr << "  " << progName
+       << " <target> -merge=1 -max_len=50000 ./new_corpus /path/to/corpus"
+       << endl;
+
+  cerr << endl << "Merge new test inputs into a corpus:" << endl;
+  cerr
+      << "  " << progName
+      << " <target> -merge=1 -max_len=50000 /path/to/corpus ./inputs1 ./inputs2"
+      << endl;
+
+  cerr << endl << "Print libFuzzer usage information:" << endl;
+  cerr << "  " << progName << " <target> -help=1" << endl << endl;
+
+  cerr << "Check out the docs at http://llvm.org/docs/LibFuzzer.html" << endl;
+}
+
+int main(int argc, char **argv) {
+  Args args(argc, argv);
+
+  if (args.count() < 2 || !Registry::Has(args[1])) {
+    printUsage(args);
+    return 1;
+  }
+
+  string targetName(args[1]);
+
+  // Add target mutators.
+  auto mutators = Registry::Mutators(targetName);
+  gMutators.insert(gMutators.end(), mutators.begin(), mutators.end());
+
+  // Remove the target argument when -workers=x or -jobs=y is NOT given.
+  // If both are given, libFuzzer will spawn multiple processes for the target.
+  if (!args.Has("-workers=") || !args.Has("-jobs=")) {
+    args.Remove(1);
+  }
+
+  // Set default max_len arg, if none given and we're not merging.
+  if (!args.Has("-max_len=") && !args.Has("-merge=1")) {
+    uint16_t maxLen = Registry::MaxLen(targetName);
+    args.Append("-max_len=" + to_string(maxLen));
+  }
+
+  // Hand control to the libFuzzer driver.
+  vector<char *> args_new(args.argv());
+  argc = args_new.size();
+  argv = args_new.data();
+
+  return fuzzer::FuzzerDriver(&argc, &argv, Registry::Func(targetName));
+}
+
+extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size,
+                                          size_t MaxSize, unsigned int Seed) {
+  if (gMutators.empty()) {
+    return 0;
+  }
+
+  // Forward to a pseudorandom mutator.
+  fuzzer::Random R(Seed);
+  return gMutators.at(R(gMutators.size()))(Data, Size, MaxSize, Seed);
+}
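Review bot: In `main`, the target name is stripped from the arguments unless both `-workers=` and `-jobs=` are present, which assumes libFuzzer re-executes the binary only when both are given. As far as I recall libFuzzer derives a worker count itself when only `-jobs=` is passed; in that case the child processes would start without a target name and end up in `printUsage`. This should be confirmed against the pinned libFuzzer revision, and if it holds the condition becomes `if (!args.Has("-jobs=")) {`. Separately, the file uses `any_of`, `transform`, `max_element`, `vector`, `string` and `assert` but includes only `<iomanip>` and `<iostream>` from the standard library, so `<algorithm>`, `<cassert>`, `<string>` and `<vector>` should be included directly rather than picked up transitively.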
--- a/security/nss/fuzz/pkcs8_target.cc
+++ b/security/nss/fuzz/pkcs8_target.cc
@@ -1,27 +1,25 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
+#include <assert.h>
+#include <stdint.h>
 #include <memory>
-#include <vector>
 
 #include "keyhi.h"
 #include "pk11pub.h"
 
-#include "FuzzerInternal.h"
-#include "FuzzerRandom.h"
-#include "asn1_mutators.h"
-#include "assert.h"
+#include "registry.h"
 #include "shared.h"
 
-extern const uint16_t DEFAULT_MAX_LENGTH = 2048U;
-
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+extern "C" int pkcs8_fuzzing_target(const uint8_t *Data, size_t Size) {
   SECItem data = {siBuffer, (unsigned char *)Data, (unsigned int)Size};
 
   static std::unique_ptr<NSSDatabase> db(new NSSDatabase());
   assert(db != nullptr);
 
   PK11SlotInfo *slot = PK11_GetInternalSlot();
   assert(slot != nullptr);
 
@@ -31,9 +29,10 @@ extern "C" int LLVMFuzzerTestOneInput(co
                                                nullptr) == SECSuccess) {
     SECKEY_DestroyPrivateKey(key);
   }
 
   PK11_FreeSlot(slot);
   return 0;
 }
 
-ADD_CUSTOM_MUTATORS({&ASN1MutatorFlipConstructed, &ASN1MutatorChangeType})
+REGISTER_FUZZING_TARGET("pkcs8", pkcs8_fuzzing_target, 2048, "PKCS#8 Import",
+                        {})
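Review bot: `REGISTER_FUZZING_TARGET("pkcs8", ...)` passes an empty mutator list `{}`, although the removed `ADD_CUSTOM_MUTATORS` line gave this target `ASN1MutatorFlipConstructed` and `ASN1MutatorChangeType`, and the `cert` and `spki` registrations in `quickder_targets.cc` pass both. If leaving PKCS#8 without ASN.1 mutators is intended, a comment such as `// No ASN.1 mutators for pkcs8: <reason>` above the registration would say so; otherwise the list should match the other DER targets. The body of `pkcs8_fuzzing_target` lies partly outside this hunk.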
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/quickder_targets.cc
@@ -0,0 +1,38 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <stdint.h>
+
+#include "asn1_mutators.h"
+#include "cert.h"
+#include "registry.h"
+
+void QuickDERDecode(void *dst, const SEC_ASN1Template *tpl, const uint8_t *buf,
+                    size_t len) {
+  PORTCheapArenaPool pool;
+  SECItem data = {siBuffer, const_cast<unsigned char *>(buf),
+                  static_cast<unsigned int>(len)};
+
+  PORT_InitCheapArena(&pool, DER_DEFAULT_CHUNKSIZE);
+  (void)SEC_QuickDERDecodeItem(&pool.arena, dst, tpl, &data);
+  PORT_DestroyCheapArena(&pool);
+}
+
+extern "C" int cert_fuzzing_target(const uint8_t *Data, size_t Size) {
+  CERTCertificate cert;
+  QuickDERDecode(&cert, SEC_SignedCertificateTemplate, Data, Size);
+  return 0;
+}
+
+REGISTER_FUZZING_TARGET("cert", cert_fuzzing_target, 3072, "Certificate Import",
+                        {&ASN1MutatorFlipConstructed, &ASN1MutatorChangeType})
+
+extern "C" int spki_fuzzing_target(const uint8_t *Data, size_t Size) {
+  CERTSubjectPublicKeyInfo spki;
+  QuickDERDecode(&spki, CERT_SubjectPublicKeyInfoTemplate, Data, Size);
+  return 0;
+}
+
+REGISTER_FUZZING_TARGET("spki", spki_fuzzing_target, 1024, "SPKI Import",
+                        {&ASN1MutatorFlipConstructed, &ASN1MutatorChangeType})
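Review bot: `cert_fuzzing_target` and `spki_fuzzing_target` pass an uninitialized stack object (`CERTCertificate cert;`, `CERTSubjectPublicKeyInfo spki;`) as the decode destination, and `QuickDERDecode` discards the decoder's status with `(void)`. Whether `SEC_QuickDERDecodeItem` writes every field is not visible here, so any field it skips keeps earlier stack contents, which can make a finding harder to reproduce. Value-initializing the destinations, `CERTCertificate cert = {};` and `CERTSubjectPublicKeyInfo spki = {};`, keeps runs deterministic. As far as this diff shows `QuickDERDecode` is only used in this file, so it could also be declared `static`.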
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/registry.h
@@ -0,0 +1,79 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef registry_h__
+#define registry_h__
+
+#include <map>
+#include "FuzzerInternal.h"
+#include "nss.h"
+
+using namespace fuzzer;
+using namespace std;
+
+typedef decltype(LLVMFuzzerCustomMutator)* Mutator;
+
+class Registry {
+ public:
+  static void Add(string name, UserCallback func, uint16_t max_len, string desc,
+                  vector<Mutator> mutators = {}) {
+    assert(!Has(name));
+    GetInstance().targets_[name] = TargetData(func, max_len, desc, mutators);
+  }
+
+  static bool Has(string name) {
+    return GetInstance().targets_.count(name) > 0;
+  }
+
+  static UserCallback Func(string name) {
+    assert(Has(name));
+    return get<0>(Get(name));
+  }
+
+  static uint16_t MaxLen(string name) {
+    assert(Has(name));
+    return get<1>(Get(name));
+  }
+
+  static string& Desc(string name) {
+    assert(Has(name));
+    return get<2>(Get(name));
+  }
+
+  static vector<Mutator>& Mutators(string name) {
+    assert(Has(name));
+    return get<3>(Get(name));
+  }
+
+  static vector<string> Names() {
+    vector<string> names;
+    for (auto& it : GetInstance().targets_) {
+      names.push_back(it.first);
+    }
+    return names;
+  }
+
+ private:
+  typedef tuple<UserCallback, uint16_t, string, vector<Mutator>> TargetData;
+
+  static Registry& GetInstance() {
+    static Registry registry;
+    return registry;
+  }
+
+  static TargetData& Get(string name) { return GetInstance().targets_[name]; }
+
+  Registry() {}
+
+  map<string, TargetData> targets_;
+};
+
+#define REGISTER_FUZZING_TARGET(name, func, max_len, desc, ...) \
+  static void __attribute__((constructor)) Register_##func() {  \
+    Registry::Add(name, func, max_len, desc, __VA_ARGS__);      \
+  }
+
+#endif  // registry_h__
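Review bot: `Registry::Get` looks names up with `targets_[name]`, which inserts a default-constructed entry for an unknown name, and the only guard in `Func`, `MaxLen`, `Desc` and `Mutators` is `assert(Has(name))`. That assert disappears in builds that define `NDEBUG`, as the Release configuration in `coreconf/config.gypi` does, leaving a null callback to be returned silently. Writing `return GetInstance().targets_.at(name);` in `Get` makes an unknown name fail loudly instead. The header also places `using namespace fuzzer;` and `using namespace std;` at file scope, which leaks into every includer, and uses `string`, `vector`, `tuple` and `assert` without including `<string>`, `<vector>`, `<tuple>` or `<cassert>`.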
--- a/security/nss/fuzz/shared.h
+++ b/security/nss/fuzz/shared.h
@@ -2,48 +2,17 @@
 /* vim: set ts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef shared_h__
 #define shared_h__
 
-#include "cert.h"
 #include "nss.h"
 
 class NSSDatabase {
  public:
   NSSDatabase() { NSS_NoDB_Init(nullptr); }
   ~NSSDatabase() { NSS_Shutdown(); }
 };
 
-void QuickDERDecode(void *dst, const SEC_ASN1Template *tpl, const uint8_t *buf,
-                    size_t len) {
-  PORTCheapArenaPool pool;
-  SECItem data = {siBuffer, const_cast<unsigned char *>(buf),
-                  static_cast<unsigned int>(len)};
-
-  PORT_InitCheapArena(&pool, DER_DEFAULT_CHUNKSIZE);
-  (void)SEC_QuickDERDecodeItem(&pool.arena, dst, tpl, &data);
-  PORT_DestroyCheapArena(&pool);
-}
-
-size_t CustomMutate(std::vector<decltype(LLVMFuzzerCustomMutator) *> mutators,
-                    uint8_t *Data, size_t Size, size_t MaxSize,
-                    unsigned int Seed) {
-  fuzzer::Random R(Seed);
-
-  if (R.RandBool()) {
-    auto idx = R(mutators.size());
-    return mutators.at(idx)(Data, Size, MaxSize, Seed);
-  }
-
-  return LLVMFuzzerMutate(Data, Size, MaxSize);
-}
-
-#define ADD_CUSTOM_MUTATORS(...)                                       \
-  extern "C" size_t LLVMFuzzerCustomMutator(                           \
-      uint8_t *Data, size_t Size, size_t MaxSize, unsigned int Seed) { \
-    return CustomMutate(__VA_ARGS__, Data, Size, MaxSize, Seed);       \
-  }
-
 #endif  // shared_h__
deleted file mode 100644
--- a/security/nss/fuzz/spki_target.cc
+++ /dev/null
@@ -1,18 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "FuzzerInternal.h"
-#include "FuzzerRandom.h"
-#include "asn1_mutators.h"
-#include "shared.h"
-
-extern const uint16_t DEFAULT_MAX_LENGTH = 1024U;
-
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
-  CERTSubjectPublicKeyInfo spki;
-  QuickDERDecode(&spki, CERT_SubjectPublicKeyInfoTemplate, Data, Size);
-  return 0;
-}
-
-ADD_CUSTOM_MUTATORS({&ASN1MutatorFlipConstructed, &ASN1MutatorChangeType})
new file mode 100644
--- /dev/null
+++ b/security/nss/gtests/common/common.gyp
@@ -0,0 +1,35 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+  'includes': [
+    '../../coreconf/config.gypi',
+    'gtest.gypi',
+  ],
+  'targets': [
+    {
+      'target_name': 'gtests',
+      'type': 'executable',
+      'sources': [
+        'gtests.cc'
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        '<(DEPTH)/lib/nss/nss.gyp:nss3',
+        '<(DEPTH)/lib/util/util.gyp:nssutil3',
+        '<(DEPTH)/lib/smime/smime.gyp:smime3',
+        '<(DEPTH)/gtests/google_test/google_test.gyp:gtest',
+        '<(DEPTH)/cmd/lib/lib.gyp:sectool'
+      ]
+    }
+  ],
+  'target_defaults': {
+    'include_dirs': [
+      '../../gtests/google_test/gtest/include',
+      '../../gtests/common'
+    ],
+  },
+  'variables': {
+    'module': 'nss'
+  }
+}
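Review bot: `'../../coreconf/config.gypi'` is listed in `'includes'` here and is also pulled in through `'gtest.gypi'`, which the next hunk changes to include the same file. One of the two is redundant. Keeping the include in one place only, for example dropping it here and relying on `gtest.gypi`, avoids processing the shared config twice for this target.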
--- a/security/nss/gtests/common/gtest.gypi
+++ b/security/nss/gtests/common/gtest.gypi
@@ -1,12 +1,15 @@
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 {
+  'includes': [
+    '../../coreconf/config.gypi'
+  ],
   'target_defaults': {
     'conditions': [
       ['OS=="win"', {
         'libraries': [
           '-lws2_32',
         ],
       }],
       ['OS=="android"', {
--- a/security/nss/gtests/freebl_gtest/freebl_gtest.gyp
+++ b/security/nss/gtests/freebl_gtest/freebl_gtest.gyp
@@ -14,22 +14,18 @@
         'mpi_unittest.cc',
         '<(DEPTH)/gtests/common/gtests.cc'
       ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports',
         '<(DEPTH)/lib/freebl/freebl.gyp:<(freebl_name)',
         '<(DEPTH)/gtests/google_test/google_test.gyp:gtest',
       ],
-      'conditions': [
-        [ 'ct_verif==1', {
-          'defines': [
-            'CT_VERIF',
-          ],
-        }],
+      'defines': [
+        'CT_VERIF',
       ],
     }
   ],
   'target_defaults': {
     'include_dirs': [
       '<(DEPTH)/gtests/google_test/gtest/include',
       '<(DEPTH)/gtests/common',
       '<(DEPTH)/lib/freebl/mpi',
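Review bot: `'CT_VERIF'` is now defined for every build of this target instead of only under `ct_verif==1`, and the following hunk in mpi_unittest.cc drops the matching `#ifdef CT_VERIF` around `mp_taint(&b)` and `mp_taint(&c)`. The constant-time comparison test therefore depends on the taint hooks in all configurations. Whether `mp_taint` is declared and built when the library itself is compiled without CT_VERIF is not visible here; if it is not, the define on the test target alone will not be enough. A comment on the define would at least record the intent, for example `# CT_VERIF is always on: mpi_unittest.cc calls mp_taint() unconditionally.`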
--- a/security/nss/gtests/freebl_gtest/mpi_unittest.cc
+++ b/security/nss/gtests/freebl_gtest/mpi_unittest.cc
@@ -78,20 +78,18 @@ TEST_F(MPITest, MpiCmpConstTest) {
           "FF0FFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551"),
       16);
   mp_read_radix(
       &c,
       const_cast<char *>(
           "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632550"),
       16);
 
-#ifdef CT_VERIF
   mp_taint(&b);
   mp_taint(&c);
-#endif
 
   uint32_t runs = 5000000;
   uint32_t time_b = 0, time_c = 0;
   for (uint32_t i = 0; i < runs; ++i) {
     struct timespec start, end;
     gettime(&start);
     int r = mp_cmp(&a, &b);
     gettime(&end);
--- a/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc
+++ b/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc
@@ -7,26 +7,30 @@
 
 #include <cstdlib>
 #include <iostream>
 #include <memory>
 #include "nspr.h"
 #include "nss.h"
 #include "prio.h"
 #include "prnetdb.h"
-#include "secerr.h"
 #include "ssl.h"
-#include "ssl3prot.h"
 #include "sslerr.h"
 #include "sslproto.h"
+#include "ssl3prot.h"
 
 #include "nsskeys.h"
 
-static const char* kVersionDisableFlags[] = {"no-ssl3", "no-tls1", "no-tls11",
-                                             "no-tls12", "no-tls13"};
+static const char* kVersionDisableFlags[] = {
+  "no-ssl3",
+  "no-tls1",
+  "no-tls11",
+  "no-tls12",
+  "no-tls13"
+};
 
 bool exitCodeUnimplemented = false;
 
 std::string FormatError(PRErrorCode code) {
   return std::string(":") + PORT_ErrorToName(code) + ":" + ":" +
          PORT_ErrorToString(code);
 }
 
@@ -145,44 +149,45 @@ class TestAgent {
         if (rv != SECSuccess) return false;
       }
     }
 
     return true;
   }
 
   static bool ConvertFromWireVersion(SSLProtocolVariant variant,
-                                     int wire_version, uint16_t* lib_version) {
+                                     int wire_version,
+                                     uint16_t* lib_version) {
     // These default values are used when {min,max}-version isn't given.
     if (wire_version == 0 || wire_version == 0xffff) {
       *lib_version = static_cast<uint16_t>(wire_version);
       return true;
     }
 
 #ifdef TLS_1_3_DRAFT_VERSION
     if (wire_version == (0x7f00 | TLS_1_3_DRAFT_VERSION)) {
       // N.B. SSL_LIBRARY_VERSION_DTLS_1_3_WIRE == SSL_LIBRARY_VERSION_TLS_1_3
       wire_version = SSL_LIBRARY_VERSION_TLS_1_3;
     }
 #endif
 
     if (variant == ssl_variant_datagram) {
       switch (wire_version) {
-        case SSL_LIBRARY_VERSION_DTLS_1_0_WIRE:
-          *lib_version = SSL_LIBRARY_VERSION_DTLS_1_0;
-          break;
-        case SSL_LIBRARY_VERSION_DTLS_1_2_WIRE:
-          *lib_version = SSL_LIBRARY_VERSION_DTLS_1_2;
-          break;
-        case SSL_LIBRARY_VERSION_DTLS_1_3_WIRE:
-          *lib_version = SSL_LIBRARY_VERSION_DTLS_1_3;
-          break;
-        default:
-          std::cerr << "Unrecognized DTLS version " << wire_version << ".\n";
-          return false;
+      case SSL_LIBRARY_VERSION_DTLS_1_0_WIRE:
+        *lib_version = SSL_LIBRARY_VERSION_DTLS_1_0;
+        break;
+      case SSL_LIBRARY_VERSION_DTLS_1_2_WIRE:
+        *lib_version = SSL_LIBRARY_VERSION_DTLS_1_2;
+        break;
+      case SSL_LIBRARY_VERSION_DTLS_1_3_WIRE:
+        *lib_version = SSL_LIBRARY_VERSION_DTLS_1_3;
+        break;
+      default:
+        std::cerr << "Unrecognized DTLS version " << wire_version << ".\n";
+        return false;
       }
     } else {
       if (wire_version < SSL_LIBRARY_VERSION_3_0 ||
           wire_version > SSL_LIBRARY_VERSION_TLS_1_3) {
         std::cerr << "Unrecognized TLS version " << wire_version << ".\n";
         return false;
       }
       *lib_version = static_cast<uint16_t>(wire_version);
@@ -210,17 +215,17 @@ class TestAgent {
     min_allowed = std::max(min_allowed, supported.min);
     max_allowed = std::min(max_allowed, supported.max);
 
     bool found_min = false;
     bool found_max = false;
     // Ignore -no-ssl3, because SSLv3 is never supported.
     for (size_t i = 1; i < PR_ARRAY_SIZE(kVersionDisableFlags); ++i) {
       auto version =
-          static_cast<uint16_t>(SSL_LIBRARY_VERSION_TLS_1_0 + (i - 1));
+        static_cast<uint16_t>(SSL_LIBRARY_VERSION_TLS_1_0 + (i - 1));
       if (variant == ssl_variant_datagram) {
         // In DTLS mode, the -no-tlsN flags refer to DTLS versions,
         // but NSS wants the corresponding TLS versions.
         if (version == SSL_LIBRARY_VERSION_TLS_1_1) {
           // DTLS 1.1 doesn't exist.
           continue;
         }
         if (version == SSL_LIBRARY_VERSION_TLS_1_0) {
@@ -338,88 +343,37 @@ class TestAgent {
       int32_t len = rv;
       for (int32_t i = 0; i < len; ++i) {
         block[i] ^= 0xff;
       }
 
       rv = PR_Write(ssl_fd_, block, len);
       if (rv != len) {
         std::cerr << "Write failure\n";
-        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
         return SECFailure;
       }
     }
     return SECSuccess;
   }
 
-  // Write bytes to the other side then read them back and check
-  // that they were correctly XORed as in ReadWrite.
-  SECStatus WriteRead() {
-    static const uint8_t ch = 'E';
-
-    // We do 600-byte blocks to provide mis-alignment of the
-    // reader and writer.
-    uint8_t block[600];
-    memset(block, ch, sizeof(block));
-    int32_t rv = PR_Write(ssl_fd_, block, sizeof(block));
-    if (rv != sizeof(block)) {
-      std::cerr << "Write failure\n";
-      PORT_SetError(SEC_ERROR_OUTPUT_LEN);
-      return SECFailure;
-    }
-
-    size_t left = sizeof(block);
-    while (left) {
-      int32_t rv = PR_Read(ssl_fd_, block, left);
-      if (rv < 0) {
-        std::cerr << "Failure reading\n";
-        return SECFailure;
-      }
-      if (rv == 0) {
-        PORT_SetError(SEC_ERROR_INPUT_LEN);
-        return SECFailure;
-      }
-
-      int32_t len = rv;
-      for (int32_t i = 0; i < len; ++i) {
-        if (block[i] != (ch ^ 0xff)) {
-          PORT_SetError(SEC_ERROR_BAD_DATA);
-          return SECFailure;
-        }
-      }
-      left -= len;
-    }
-    return SECSuccess;
-  }
-
   SECStatus DoExchange() {
     SECStatus rv = Handshake();
     if (rv != SECSuccess) {
       PRErrorCode err = PR_GetError();
       std::cerr << "Handshake failed with error=" << err << FormatError(err)
                 << std::endl;
       return SECFailure;
     }
 
-    if (cfg_.get<bool>("write-then-read")) {
-      rv = WriteRead();
-      if (rv != SECSuccess) {
-        PRErrorCode err = PR_GetError();
-        std::cerr << "WriteRead failed with error=" << FormatError(err)
-                  << std::endl;
-        return SECFailure;
-      }
-    } else {
-      rv = ReadWrite();
-      if (rv != SECSuccess) {
-        PRErrorCode err = PR_GetError();
-        std::cerr << "ReadWrite failed with error=" << FormatError(err)
-                  << std::endl;
-        return SECFailure;
-      }
+    rv = ReadWrite();
+    if (rv != SECSuccess) {
+      PRErrorCode err = PR_GetError();
+      std::cerr << "ReadWrite failed with error=" << FormatError(err)
+                << std::endl;
+      return SECFailure;
     }
 
     return SECSuccess;
   }
 
  private:
   const Config& cfg_;
   PRFileDesc* pr_fd_;
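Review bot: The short-write branch in ReadWrite (`if (rv != len)`) now returns `SECFailure` without setting an error code, so the `PR_GetError()` call in DoExchange can print a stale or zero code when `PR_Write` wrote fewer bytes than requested without itself failing. Setting one before the return, e.g. `PORT_SetError(SEC_ERROR_OUTPUT_LEN);`, keeps the "ReadWrite failed with error=" line meaningful. That needs `#include "secerr.h"`, which the first hunk of this file removes. ReadWrite starts above this hunk, so its read side is not visible here.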
@@ -436,32 +390,32 @@ std::unique_ptr<const Config> ReadConfig
   cfg->AddEntry<int>("resume-count", 0);
   cfg->AddEntry<std::string>("key-file", "");
   cfg->AddEntry<std::string>("cert-file", "");
   cfg->AddEntry<int>("min-version", 0);
   cfg->AddEntry<int>("max-version", 0xffff);
   for (auto flag : kVersionDisableFlags) {
     cfg->AddEntry<bool>(flag, false);
   }
-  cfg->AddEntry<bool>("write-then-read", false);
 
   auto rv = cfg->ParseArgs(argc, argv);
   switch (rv) {
     case Config::kOK:
       break;
     case Config::kUnknownFlag:
       exitCodeUnimplemented = true;
     default:
       return nullptr;
   }
 
   // Needed to change to std::unique_ptr<const Config>
   return std::move(cfg);
 }
 
+
 bool RunCycle(std::unique_ptr<const Config>& cfg) {
   std::unique_ptr<TestAgent> agent(TestAgent::Create(*cfg));
   return agent && agent->DoExchange() == SECSuccess;
 }
 
 int GetExitCode(bool success) {
   if (exitCodeUnimplemented) {
     return 89;
--- a/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.gyp
+++ b/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.gyp
@@ -30,16 +30,19 @@
         '<(DEPTH)/lib/cryptohi/cryptohi.gyp:cryptohi',
         '<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap',
         '<(DEPTH)/lib/softoken/softoken.gyp:softokn',
         '<(DEPTH)/lib/certdb/certdb.gyp:certdb',
         '<(DEPTH)/lib/pki/pki.gyp:nsspki',
         '<(DEPTH)/lib/dev/dev.gyp:nssdev',
         '<(DEPTH)/lib/base/base.gyp:nssb',
         '<(DEPTH)/lib/freebl/freebl.gyp:freebl',
+        '<(DEPTH)/lib/nss/nss.gyp:nss_static',
+        '<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap',
+        '<(DEPTH)/lib/certhigh/certhigh.gyp:certhi',
         '<(DEPTH)/lib/zlib/zlib.gyp:nss_zlib'
       ],
       'conditions': [
         [ 'disable_dbm==0', {
           'dependencies': [
             '<(DEPTH)/lib/dbm/src/src.gyp:dbm',
           ],
         }],
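Review bot: The added `'<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap'` duplicates an entry already present a few lines up in the same `'dependencies'` list. The hunk also adds `nss.gyp:nss_static` next to the individual static libraries; if that target already aggregates some of them, the same objects may be linked twice, which is worth confirming. Dropping the duplicate `pk11wrap` line leaves the list unchanged in effect.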
--- a/security/nss/gtests/ssl_gtest/manifest.mn
+++ b/security/nss/gtests/ssl_gtest/manifest.mn
@@ -21,17 +21,16 @@ CPPSRCS = \
       ssl_dhe_unittest.cc \
       ssl_drop_unittest.cc \
       ssl_ecdh_unittest.cc \
       ssl_ems_unittest.cc \
       ssl_exporter_unittest.cc \
       ssl_extension_unittest.cc \
       ssl_fragment_unittest.cc \
       ssl_fuzz_unittest.cc \
-      ssl_gather_unittest.cc \
       ssl_gtest.cc \
       ssl_hrr_unittest.cc \
       ssl_loopback_unittest.cc \
       ssl_record_unittest.cc \
       ssl_resumption_unittest.cc \
       ssl_skip_unittest.cc \
       ssl_staticrsa_unittest.cc \
       ssl_v2_client_hello_unittest.cc \
--- a/security/nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc
@@ -222,17 +222,17 @@ TEST_P(TlsConnectTls13, TestTls13ZeroRtt
   // We will send the early data xtn without sending actual early data. Thus
   // a 1.2 server shouldn't fail until the client sends an alert because the
   // client sends end_of_early_data only after reading the server's flight.
   client_->Set0RttEnabled(true);
 
   client_->Handshake();
   server_->Handshake();
   ASSERT_TRUE_WAIT(
-      (client_->error_code() == SSL_ERROR_DOWNGRADE_WITH_EARLY_DATA), 2000);
+      (client_->error_code() == SSL_ERROR_RX_MALFORMED_SERVER_HELLO), 2000);
 
   // DTLS will timeout as we bump the epoch when installing the early app data
   // cipher suite. Thus the encrypted alert will be ignored.
   if (mode_ == STREAM) {
     // The client sends an encrypted alert message.
     ASSERT_TRUE_WAIT(
         (server_->error_code() == SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA),
         2000);
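Review bot: The client-side assertion now expects `SSL_ERROR_RX_MALFORMED_SERVER_HELLO`, a code that does not distinguish a version downgrade after offering early data from any other ServerHello parsing failure. This test, and the identical change in the next hunk, would therefore also pass if the hello were rejected for an unrelated reason. The surrounding comments describe only the downgrade scenario, so a line above the assertion such as `// The client surfaces the 1.2 downgrade as a malformed ServerHello.` would document why the generic code is expected. Both test bodies start outside their hunks.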
@@ -261,17 +261,17 @@ TEST_P(TlsConnectTls13, TestTls13ZeroRtt
   // Send the early data xtn in the CH, followed by early app data. The server
   // will fail right after sending its flight, when receiving the early data.
   client_->Set0RttEnabled(true);
   ZeroRttSendReceive(true, false);
 
   client_->Handshake();
   server_->Handshake();
   ASSERT_TRUE_WAIT(
-      (client_->error_code() == SSL_ERROR_DOWNGRADE_WITH_EARLY_DATA), 2000);
+      (client_->error_code() == SSL_ERROR_RX_MALFORMED_SERVER_HELLO), 2000);
 
   // DTLS will timeout as we bump the epoch when installing the early app data
   // cipher suite. Thus the encrypted alert will be ignored.
   if (mode_ == STREAM) {
     // The server sends an alert when receiving the early app data record.
     ASSERT_TRUE_WAIT(
         (server_->error_code() == SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA),
         2000);
--- a/security/nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc
@@ -186,68 +186,16 @@ TEST_P(TlsConnectGenericPre13, P384Prior
   server_model_->ConfigNamedGroups(groups);
 
   Connect();
 
   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
             ssl_sig_rsa_pss_sha256);
 }
 
-class TlsKeyExchangeGroupCapture : public TlsHandshakeFilter {
- public:
-  TlsKeyExchangeGroupCapture() : group_(ssl_grp_none) {}
-
-  SSLNamedGroup group() const { return group_; }
-
- protected:
-  virtual PacketFilter::Action FilterHandshake(const HandshakeHeader &header,
-                                               const DataBuffer &input,
-                                               DataBuffer *output) {
-    if (header.handshake_type() != kTlsHandshakeServerKeyExchange) {
-      return KEEP;
-    }
-
-    uint32_t value = 0;
-    EXPECT_TRUE(input.Read(0, 1, &value));
-    EXPECT_EQ(3U, value) << "curve type has to be 3";
-
-    EXPECT_TRUE(input.Read(1, 2, &value));
-    group_ = static_cast<SSLNamedGroup>(value);
-
-    return KEEP;
-  }
-
- private:
-  SSLNamedGroup group_;
-};
-
-// If we strip the client's supported groups extension, the server should assume
-// P-256 is supported by the client (<= 1.2 only).
-TEST_P(TlsConnectGenericPre13, DropSupportedGroupExtensionP256) {
-  EnsureTlsSetup();
-  client_->SetPacketFilter(new TlsExtensionDropper(ssl_supported_groups_xtn));
-  auto group_capture = new TlsKeyExchangeGroupCapture();
-  server_->SetPacketFilter(group_capture);
-
-  ConnectExpectFail();
-  client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT);
-  server_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
-
-  EXPECT_EQ(ssl_grp_ec_secp256r1, group_capture->group());
-}
-
-// Supported groups is mandatory in TLS 1.3.
-TEST_P(TlsConnectTls13, DropSupportedGroupExtension) {
-  EnsureTlsSetup();
-  client_->SetPacketFilter(new TlsExtensionDropper(ssl_supported_groups_xtn));
-  ConnectExpectFail();
-  client_->CheckErrorCode(SSL_ERROR_MISSING_EXTENSION_ALERT);
-  server_->CheckErrorCode(SSL_ERROR_MISSING_SUPPORTED_GROUPS_EXTENSION);
-}
-
 // If we only have a lame group, we fall back to static RSA.
 TEST_P(TlsConnectGenericPre13, UseLameGroup) {
   const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp192r1};
   client_->ConfigNamedGroups(groups);
   server_->ConfigNamedGroups(groups);
   Connect();
   CheckKeys(ssl_kea_rsa, ssl_grp_none, ssl_auth_rsa_decrypt, ssl_sig_none);
 }
deleted file mode 100644
--- a/security/nss/gtests/ssl_gtest/ssl_gather_unittest.cc
+++ /dev/null
@@ -1,153 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "gtest_utils.h"
-#include "tls_connect.h"
-
-namespace nss_test {
-
-class GatherV2ClientHelloTest : public TlsConnectTestBase {
- public:
-  GatherV2ClientHelloTest() : TlsConnectTestBase(STREAM, 0) {}
-
-  void ConnectExpectMalformedClientHello(const DataBuffer &data) {
-    EnsureTlsSetup();
-
-    auto alert_recorder = new TlsAlertRecorder();
-    server_->SetPacketFilter(alert_recorder);
-
-    client_->SendDirect(data);
-    server_->StartConnect();
-    server_->Handshake();
-    ASSERT_TRUE_WAIT(
-        (server_->error_code() == SSL_ERROR_RX_MALFORMED_CLIENT_HELLO), 2000);
-
-    EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
-    EXPECT_EQ(illegal_parameter, alert_recorder->description());
-  }
-};
-
-// Gather a 5-byte v3 record, with a zero fragment length. The empty handshake
-// message should be ignored, and the connection will succeed afterwards.
-TEST_F(TlsConnectTest, GatherEmptyV3Record) {
-  DataBuffer buffer;
-
-  size_t idx = 0;
-  idx = buffer.Write(idx, 0x16, 1);    // handshake
-  idx = buffer.Write(idx, 0x0301, 2);  // record_version
-  (void)buffer.Write(idx, 0U, 2);      // length=0
-
-  EnsureTlsSetup();
-  client_->SendDirect(buffer);
-  Connect();
-}
-
-// Gather a 5-byte v3 record, with a fragment length exceeding the maximum.
-TEST_F(TlsConnectTest, GatherExcessiveV3Record) {
-  DataBuffer buffer;
-
-  size_t idx = 0;
-  idx = buffer.Write(idx, 0x16, 1);                            // handshake
-  idx = buffer.Write(idx, 0x0301, 2);                          // record_version
-  (void)buffer.Write(idx, MAX_FRAGMENT_LENGTH + 2048 + 1, 2);  // length=max+1
-
-  EnsureTlsSetup();
-  auto alert_recorder = new TlsAlertRecorder();
-  server_->SetPacketFilter(alert_recorder);
-  client_->SendDirect(buffer);
-  server_->StartConnect();
-  server_->Handshake();
-  ASSERT_TRUE_WAIT((server_->error_code() == SSL_ERROR_RX_RECORD_TOO_LONG),
-                   2000);
-
-  EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
-  EXPECT_EQ(record_overflow, alert_recorder->description());
-}
-
-// Gather a 3-byte v2 header, with a fragment length of 2.
-TEST_F(GatherV2ClientHelloTest, GatherV2RecordLongHeader) {
-  DataBuffer buffer;
-
-  size_t idx = 0;
-  idx = buffer.Write(idx, 0x0002, 2);  // length=2 (long header)
-  idx = buffer.Write(idx, 0U, 1);      // padding=0
-  (void)buffer.Write(idx, 0U, 2);      // data
-
-  ConnectExpectMalformedClientHello(buffer);
-}
-
-// Gather a 3-byte v2 header, with a fragment length of 1.
-TEST_F(GatherV2ClientHelloTest, GatherV2RecordLongHeader2) {
-  DataBuffer buffer;
-
-  size_t idx = 0;
-  idx = buffer.Write(idx, 0x0001, 2);  // length=1 (long header)
-  idx = buffer.Write(idx, 0U, 1);      // padding=0
-  idx = buffer.Write(idx, 0U, 1);      // data
-  (void)buffer.Write(idx, 0U, 1);      // surplus (need 5 bytes total)
-
-  ConnectExpectMalformedClientHello(buffer);
-}
-
-// Gather a 3-byte v2 header, with a zero fragment length.
-TEST_F(GatherV2ClientHelloTest, GatherEmptyV2RecordLongHeader) {
-  DataBuffer buffer;
-
-  size_t idx = 0;
-  idx = buffer.Write(idx, 0U, 2);  // length=0 (long header)
-  idx = buffer.Write(idx, 0U, 1);  // padding=0
-  (void)buffer.Write(idx, 0U, 2);  // surplus (need 5 bytes total)
-
-  ConnectExpectMalformedClientHello(buffer);
-}
-
-// Gather a 2-byte v2 header, with a fragment length of 3.
-TEST_F(GatherV2ClientHelloTest, GatherV2RecordShortHeader) {
-  DataBuffer buffer;
-
-  size_t idx = 0;
-  idx = buffer.Write(idx, 0x8003, 2);  // length=3 (short header)
-  (void)buffer.Write(idx, 0U, 3);      // data
-
-  ConnectExpectMalformedClientHello(buffer);
-}
-
-// Gather a 2-byte v2 header, with a fragment length of 2.
-TEST_F(GatherV2ClientHelloTest, GatherEmptyV2RecordShortHeader2) {
-  DataBuffer buffer;
-
-  size_t idx = 0;
-  idx = buffer.Write(idx, 0x8002, 2);  // length=2 (short header)
-  idx = buffer.Write(idx, 0U, 2);      // data
-  (void)buffer.Write(idx, 0U, 1);      // surplus (need 5 bytes total)
-
-  ConnectExpectMalformedClientHello(buffer);
-}
-
-// Gather a 2-byte v2 header, with a fragment length of 1.
-TEST_F(GatherV2ClientHelloTest, GatherEmptyV2RecordShortHeader3) {
-  DataBuffer buffer;
-
-  size_t idx = 0;
-  idx = buffer.Write(idx, 0x8001, 2);  // length=1 (short header)
-  idx = buffer.Write(idx, 0U, 1);      // data
-  (void)buffer.Write(idx, 0U, 2);      // surplus (need 5 bytes total)
-
-  ConnectExpectMalformedClientHello(buffer);
-}
-
-// Gather a 2-byte v2 header, with a zero fragment length.
-TEST_F(GatherV2ClientHelloTest, GatherEmptyV2RecordShortHeader) {
-  DataBuffer buffer;
-
-  size_t idx = 0;
-  idx = buffer.Write(idx, 0x8000, 2);  // length=0 (short header)
-  (void)buffer.Write(idx, 0U, 3);      // surplus (need 5 bytes total)
-
-  ConnectExpectMalformedClientHello(buffer);
-}
-
-}  // namespace nss_test
--- a/security/nss/gtests/ssl_gtest/ssl_gtest.gyp
+++ b/security/nss/gtests/ssl_gtest/ssl_gtest.gyp
@@ -21,17 +21,16 @@
         'ssl_dhe_unittest.cc',
         'ssl_drop_unittest.cc',
         'ssl_ecdh_unittest.cc',
         'ssl_ems_unittest.cc',
         'ssl_exporter_unittest.cc',
         'ssl_extension_unittest.cc',
         'ssl_fuzz_unittest.cc',
         'ssl_fragment_unittest.cc',
-        'ssl_gather_unittest.cc',
         'ssl_gtest.cc',
         'ssl_hrr_unittest.cc',
         'ssl_loopback_unittest.cc',
         'ssl_record_unittest.cc',
         'ssl_resumption_unittest.cc',
         'ssl_skip_unittest.cc',
         'ssl_staticrsa_unittest.cc',
         'ssl_v2_client_hello_unittest.cc',
--- a/security/nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc
@@ -197,38 +197,16 @@ class SSLv2ClientHelloTest : public SSLv
 };
 
 // Test negotiating TLS 1.0 - 1.2.
 TEST_P(SSLv2ClientHelloTest, Connect) {
   SetAvailableCipherSuite(TLS_DHE_RSA_WITH_AES_128_CBC_SHA);
   Connect();
 }
 
-// Sending a v2 ClientHello after a no-op v3 record must fail.
-TEST_P(SSLv2ClientHelloTest, ConnectAfterEmptyV3Record) {
-  DataBuffer buffer;
-
-  size_t idx = 0;
-  idx = buffer.Write(idx, 0x16, 1);    // handshake
-  idx = buffer.Write(idx, 0x0301, 2);  // record_version
-  (void)buffer.Write(idx, 0U, 2);      // length=0
-
-  SetAvailableCipherSuite(TLS_DHE_RSA_WITH_AES_128_CBC_SHA);
-  EnsureTlsSetup();
-  client_->SendDirect(buffer);
-
-  // Need padding so the connection doesn't just time out. With a v2
-  // ClientHello parsed as a v3 record we will use the record version
-  // as the record length.
-  SetPadding(255);
-
-  ConnectExpectFail();
-  EXPECT_EQ(SSL_ERROR_BAD_CLIENT, server_->error_code());
-}
-
 // Test negotiating TLS 1.3.
 TEST_F(SSLv2ClientHelloTestF, Connect13) {
   EnsureTlsSetup();
   SetExpectedVersion(SSL_LIBRARY_VERSION_TLS_1_3);
   ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
 
   std::vector<uint16_t> cipher_suites = {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256};
   SetAvailableCipherSuites(cipher_suites);
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -2000,16 +2000,142 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\105\153\120\124
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
+# Certificate "RSA Security 2048 v3"
+#
+# Issuer: OU=RSA Security 2048 V3,O=RSA Security Inc
+# Serial Number:0a:01:01:01:00:00:02:7c:00:00:00:0a:00:00:00:02
+# Subject: OU=RSA Security 2048 V3,O=RSA Security Inc
+# Not Valid Before: Thu Feb 22 20:39:23 2001
+# Not Valid After : Sun Feb 22 20:39:23 2026
+# Fingerprint (MD5): 77:0D:19:B1:21:FD:00:42:9C:3E:0C:A5:DD:0B:02:8E
+# Fingerprint (SHA1): 25:01:90:19:CF:FB:D9:99:1C:B7:68:25:74:8D:94:5F:30:93:95:42
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "RSA Security 2048 v3"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\072\061\031\060\027\006\003\125\004\012\023\020\122\123\101
+\040\123\145\143\165\162\151\164\171\040\111\156\143\061\035\060
+\033\006\003\125\004\013\023\024\122\123\101\040\123\145\143\165
+\162\151\164\171\040\062\060\064\070\040\126\063
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\072\061\031\060\027\006\003\125\004\012\023\020\122\123\101
+\040\123\145\143\165\162\151\164\171\040\111\156\143\061\035\060
+\033\006\003\125\004\013\023\024\122\123\101\040\123\145\143\165
+\162\151\164\171\040\062\060\064\070\040\126\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\012\001\001\001\000\000\002\174\000\000\000\012\000\000
+\000\002
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\141\060\202\002\111\240\003\002\001\002\002\020\012
+\001\001\001\000\000\002\174\000\000\000\012\000\000\000\002\060
+\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\072
+\061\031\060\027\006\003\125\004\012\023\020\122\123\101\040\123
+\145\143\165\162\151\164\171\040\111\156\143\061\035\060\033\006
+\003\125\004\013\023\024\122\123\101\040\123\145\143\165\162\151
+\164\171\040\062\060\064\070\040\126\063\060\036\027\015\060\061
+\060\062\062\062\062\060\063\071\062\063\132\027\015\062\066\060
+\062\062\062\062\060\063\071\062\063\132\060\072\061\031\060\027
+\006\003\125\004\012\023\020\122\123\101\040\123\145\143\165\162
+\151\164\171\040\111\156\143\061\035\060\033\006\003\125\004\013
+\023\024\122\123\101\040\123\145\143\165\162\151\164\171\040\062
+\060\064\070\040\126\063\060\202\001\042\060\015\006\011\052\206
+\110\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202
+\001\012\002\202\001\001\000\267\217\125\161\322\200\335\173\151
+\171\247\360\030\120\062\074\142\147\366\012\225\007\335\346\033
+\363\236\331\322\101\124\153\255\237\174\276\031\315\373\106\253
+\101\150\036\030\352\125\310\057\221\170\211\050\373\047\051\140
+\377\337\217\214\073\311\111\233\265\244\224\316\001\352\076\265
+\143\173\177\046\375\031\335\300\041\275\204\321\055\117\106\303
+\116\334\330\067\071\073\050\257\313\235\032\352\053\257\041\245
+\301\043\042\270\270\033\132\023\207\127\203\321\360\040\347\350
+\117\043\102\260\000\245\175\211\351\351\141\163\224\230\161\046
+\274\055\152\340\367\115\360\361\266\052\070\061\201\015\051\341
+\000\301\121\017\114\122\370\004\132\252\175\162\323\270\207\052
+\273\143\020\003\052\263\241\117\015\132\136\106\267\075\016\365
+\164\354\231\237\371\075\044\201\210\246\335\140\124\350\225\066
+\075\306\011\223\232\243\022\200\000\125\231\031\107\275\320\245
+\174\303\272\373\037\367\365\017\370\254\271\265\364\067\230\023
+\030\336\205\133\267\014\202\073\207\157\225\071\130\060\332\156
+\001\150\027\042\314\300\013\002\003\001\000\001\243\143\060\141
+\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001
+\377\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001
+\006\060\037\006\003\125\035\043\004\030\060\026\200\024\007\303
+\121\060\244\252\351\105\256\065\044\372\377\044\054\063\320\261
+\235\214\060\035\006\003\125\035\016\004\026\004\024\007\303\121
+\060\244\252\351\105\256\065\044\372\377\044\054\063\320\261\235
+\214\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000
+\003\202\001\001\000\137\076\206\166\156\270\065\074\116\066\034
+\036\171\230\277\375\325\022\021\171\122\016\356\061\211\274\335
+\177\371\321\306\025\041\350\212\001\124\015\072\373\124\271\326
+\143\324\261\252\226\115\242\102\115\324\123\037\213\020\336\177
+\145\276\140\023\047\161\210\244\163\343\204\143\321\244\125\341
+\120\223\346\033\016\171\320\147\274\106\310\277\077\027\015\225
+\346\306\220\151\336\347\264\057\336\225\175\320\022\077\075\076
+\177\115\077\024\150\365\021\120\325\301\364\220\245\010\035\061
+\140\377\140\214\043\124\012\257\376\241\156\305\321\172\052\150
+\170\317\036\202\012\040\264\037\255\345\205\262\152\150\165\116
+\255\045\067\224\205\276\275\241\324\352\267\014\113\074\235\350
+\022\000\360\137\254\015\341\254\160\143\163\367\177\171\237\062
+\045\102\164\005\200\050\277\275\301\044\226\130\025\261\027\041
+\351\211\113\333\007\210\147\364\025\255\160\076\057\115\205\073
+\302\267\333\376\230\150\043\211\341\164\017\336\364\305\204\143
+\051\033\314\313\007\311\000\244\251\327\302\042\117\147\327\167
+\354\040\005\141\336
+END
+
+# Trust for Certificate "RSA Security 2048 v3"
+# Issuer: OU=RSA Security 2048 V3,O=RSA Security Inc
+# Serial Number:0a:01:01:01:00:00:02:7c:00:00:00:0a:00:00:00:02
+# Subject: OU=RSA Security 2048 V3,O=RSA Security Inc
+# Not Valid Before: Thu Feb 22 20:39:23 2001
+# Not Valid After : Sun Feb 22 20:39:23 2026
+# Fingerprint (MD5): 77:0D:19:B1:21:FD:00:42:9C:3E:0C:A5:DD:0B:02:8E
+# Fingerprint (SHA1): 25:01:90:19:CF:FB:D9:99:1C:B7:68:25:74:8D:94:5F:30:93:95:42
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "RSA Security 2048 v3"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\045\001\220\031\317\373\331\231\034\267\150\045\164\215\224\137
+\060\223\225\102
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\167\015\031\261\041\375\000\102\234\076\014\245\335\013\002\216
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\072\061\031\060\027\006\003\125\004\012\023\020\122\123\101
+\040\123\145\143\165\162\151\164\171\040\111\156\143\061\035\060
+\033\006\003\125\004\013\023\024\122\123\101\040\123\145\143\165
+\162\151\164\171\040\062\060\064\070\040\126\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\012\001\001\001\000\000\002\174\000\000\000\012\000\000
+\000\002
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
 # Certificate "GeoTrust Global CA"
 #
 # Issuer: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
 # Serial Number: 144470 (0x23456)
 # Subject: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
 # Not Valid Before: Tue May 21 04:00:00 2002
 # Not Valid After : Sat May 21 04:00:00 2022
 # Fingerprint (MD5): F7:75:AB:29:FB:51:4E:B7:77:5E:FF:05:3C:99:8E:F5
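Review bot: This hunk puts the "RSA Security 2048 v3" root back into the built-in store with `CKT_NSS_TRUSTED_DELEGATOR` on all three of `CKA_TRUST_SERVER_AUTH`, `CKA_TRUST_EMAIL_PROTECTION` and `CKA_TRUST_CODE_SIGNING`, as a side effect of a backout whose stated reason is devtools test timeouts. The next hunk re-adds the certificate object for "Buypass Class 2 CA 1", whose header gives `Not Valid After : Thu Oct 13 10:25:09 2016`, which is before this commit's date. The commit message does not mention the trust-store change. A comment above each restored entry, e.g. `# Re-added by the backout of changeset 2164277367cc (bug 1317947).`, would make it traceable when the removal is landed again.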
@@ -10498,16 +10624,142 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\021
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
+# Certificate "Buypass Class 2 CA 1"
+#
+# Issuer: CN=Buypass Class 2 CA 1,O=Buypass AS-983163327,C=NO
+# Serial Number: 1 (0x1)
+# Subject: CN=Buypass Class 2 CA 1,O=Buypass AS-983163327,C=NO
+# Not Valid Before: Fri Oct 13 10:25:09 2006
+# Not Valid After : Thu Oct 13 10:25:09 2016
+# Fingerprint (MD5): B8:08:9A:F0:03:CC:1B:0D:C8:6C:0B:76:A1:75:64:23
+# Fingerprint (SHA1): A0:A1:AB:90:C9:FC:84:7B:3B:12:61:E8:97:7D:5F:D3:22:61:D3:CC
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Buypass Class 2 CA 1"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\113\061\013\060\011\006\003\125\004\006\023\002\116\117\061
+\035\060\033\006\003\125\004\012\014\024\102\165\171\160\141\163
+\163\040\101\123\055\071\070\063\061\066\063\063\062\067\061\035
+\060\033\006\003\125\004\003\014\024\102\165\171\160\141\163\163
+\040\103\154\141\163\163\040\062\040\103\101\040\061
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\113\061\013\060\011\006\003\125\004\006\023\002\116\117\061
+\035\060\033\006\003\125\004\012\014\024\102\165\171\160\141\163
+\163\040\101\123\055\071\070\063\061\066\063\063\062\067\061\035
+\060\033\006\003\125\004\003\014\024\102\165\171\160\141\163\163
+\040\103\154\141\163\163\040\062\040\103\101\040\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\001\001
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\123\060\202\002\073\240\003\002\001\002\002\001\001
+\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
+\113\061\013\060\011\006\003\125\004\006\023\002\116\117\061\035
+\060\033\006\003\125\004\012\014\024\102\165\171\160\141\163\163
+\040\101\123\055\071\070\063\061\066\063\063\062\067\061\035\060
+\033\006\003\125\004\003\014\024\102\165\171\160\141\163\163\040
+\103\154\141\163\163\040\062\040\103\101\040\061\060\036\027\015
+\060\066\061\060\061\063\061\060\062\065\060\071\132\027\015\061
+\066\061\060\061\063\061\060\062\065\060\071\132\060\113\061\013
+\060\011\006\003\125\004\006\023\002\116\117\061\035\060\033\006
+\003\125\004\012\014\024\102\165\171\160\141\163\163\040\101\123
+\055\071\070\063\061\066\063\063\062\067\061\035\060\033\006\003
+\125\004\003\014\024\102\165\171\160\141\163\163\040\103\154\141
+\163\163\040\062\040\103\101\040\061\060\202\001\042\060\015\006
+\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017
+\000\060\202\001\012\002\202\001\001\000\213\074\007\105\330\366
+\337\346\307\312\272\215\103\305\107\215\260\132\301\070\333\222
+\204\034\257\023\324\017\157\066\106\040\304\056\314\161\160\064
+\242\064\323\067\056\330\335\072\167\057\300\353\051\350\134\322
+\265\251\221\064\207\042\131\376\314\333\347\231\257\226\301\250
+\307\100\335\245\025\214\156\310\174\227\003\313\346\040\362\327
+\227\137\061\241\057\067\322\276\356\276\251\255\250\114\236\041
+\146\103\073\250\274\363\011\243\070\325\131\044\301\302\107\166
+\261\210\134\202\073\273\053\246\004\327\214\007\217\315\325\101
+\035\360\256\270\051\054\224\122\140\064\224\073\332\340\070\321
+\235\063\076\025\364\223\062\305\000\332\265\051\146\016\072\170
+\017\041\122\137\002\345\222\173\045\323\222\036\057\025\235\201
+\344\235\216\350\357\211\316\024\114\124\035\034\201\022\115\160
+\250\276\020\005\027\176\037\321\270\127\125\355\315\273\122\302
+\260\036\170\302\115\066\150\313\126\046\301\122\301\275\166\367
+\130\325\162\176\037\104\166\273\000\211\035\026\235\121\065\357
+\115\302\126\357\153\340\214\073\015\351\002\003\001\000\001\243
+\102\060\100\060\017\006\003\125\035\023\001\001\377\004\005\060
+\003\001\001\377\060\035\006\003\125\035\016\004\026\004\024\077
+\215\232\131\213\374\173\173\234\243\257\070\260\071\355\220\161
+\200\326\310\060\016\006\003\125\035\017\001\001\377\004\004\003
+\002\001\006\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\003\202\001\001\000\025\032\176\023\212\271\350\007\243
+\113\047\062\262\100\221\362\041\321\144\205\276\143\152\322\317
+\201\302\025\325\172\176\014\051\254\067\036\034\174\166\122\225
+\332\265\177\043\241\051\167\145\311\062\235\250\056\126\253\140
+\166\316\026\264\215\177\170\300\325\231\121\203\177\136\331\276
+\014\250\120\355\042\307\255\005\114\166\373\355\356\036\107\144
+\366\367\047\175\134\050\017\105\305\134\142\136\246\232\221\221
+\267\123\027\056\334\255\140\235\226\144\071\275\147\150\262\256
+\005\313\115\347\137\037\127\206\325\040\234\050\373\157\023\070
+\365\366\021\222\366\175\231\136\037\014\350\253\104\044\051\162
+\100\075\066\122\257\214\130\220\163\301\354\141\054\171\241\354
+\207\265\077\332\115\331\041\000\060\336\220\332\016\323\032\110
+\251\076\205\013\024\213\214\274\101\236\152\367\016\160\300\065
+\367\071\242\135\146\320\173\131\237\250\107\022\232\047\043\244
+\055\216\047\203\222\040\241\327\025\177\361\056\030\356\364\110
+\177\057\177\361\241\030\265\241\013\224\240\142\040\062\234\035
+\366\324\357\277\114\210\150
+END
+
+# Trust for Certificate "Buypass Class 2 CA 1"
+# Issuer: CN=Buypass Class 2 CA 1,O=Buypass AS-983163327,C=NO
+# Serial Number: 1 (0x1)
+# Subject: CN=Buypass Class 2 CA 1,O=Buypass AS-983163327,C=NO
+# Not Valid Before: Fri Oct 13 10:25:09 2006
+# Not Valid After : Thu Oct 13 10:25:09 2016
+# Fingerprint (MD5): B8:08:9A:F0:03:CC:1B:0D:C8:6C:0B:76:A1:75:64:23
+# Fingerprint (SHA1): A0:A1:AB:90:C9:FC:84:7B:3B:12:61:E8:97:7D:5F:D3:22:61:D3:CC
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Buypass Class 2 CA 1"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\240\241\253\220\311\374\204\173\073\022\141\350\227\175\137\323
+\042\141\323\314
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\270\010\232\360\003\314\033\015\310\154\013\166\241\165\144\043
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\113\061\013\060\011\006\003\125\004\006\023\002\116\117\061
+\035\060\033\006\003\125\004\012\014\024\102\165\171\160\141\163
+\163\040\101\123\055\071\070\063\061\066\063\063\062\067\061\035
+\060\033\006\003\125\004\003\014\024\102\165\171\160\141\163\163
+\040\103\154\141\163\163\040\062\040\103\101\040\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\001\001
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
 # Certificate "certSIGN ROOT CA"
 #
 # Issuer: OU=certSIGN ROOT CA,O=certSIGN,C=RO
 # Serial Number:20:06:05:16:70:02
 # Subject: OU=certSIGN ROOT CA,O=certSIGN,C=RO
 # Not Valid Before: Tue Jul 04 17:20:04 2006
 # Not Valid After : Fri Jul 04 17:20:04 2031
 # Fingerprint (MD5): 18:98:C0:D6:E9:3A:FC:F9:B0:F5:0C:F7:4B:01:44:17
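Review bot: The restored "Buypass Class 2 CA 1" entry is already past its `Not Valid After : Thu Oct 13 10:25:09 2016` date at the time of this push (January 2017), yet its trust record again sets `CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR`. The commit message gives devtools test timeouts as the reason for the backout, so this trust-store change looks like a side effect of reverting the whole changeset rather than a deliberate root-programme decision. The same applies to the "Root CA Generalitat Valenciana" hunk that follows, which restores TRUSTED_DELEGATOR for server auth, e-mail and code signing, and, as far as it is visible here, to the last hunk, which drops roots such as "AC RAIZ FNMT-RCM" and "Amazon Root CA 1". If the root-store part cannot be kept out of the backout, I would add a marker above each restored entry, for example `# Restored by backout of bug 1317947; removal to be re-applied on reland`, so the re-added anchors are easy to find and audit.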
@@ -16539,16 +16791,199 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
+# Certificate "Root CA Generalitat Valenciana"
+#
+# Issuer: CN=Root CA Generalitat Valenciana,OU=PKIGVA,O=Generalitat Valenciana,C=ES
+# Serial Number: 994436456 (0x3b45e568)
+# Subject: CN=Root CA Generalitat Valenciana,OU=PKIGVA,O=Generalitat Valenciana,C=ES
+# Not Valid Before: Fri Jul 06 16:22:47 2001
+# Not Valid After : Thu Jul 01 15:22:47 2021
+# Fingerprint (MD5): 2C:8C:17:5E:B1:54:AB:93:17:B5:36:5A:DB:D1:C6:F2
+# Fingerprint (SHA1): A0:73:E5:C5:BD:43:61:0D:86:4C:21:13:0A:85:58:57:CC:9C:EA:46
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Root CA Generalitat Valenciana"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\150\061\013\060\011\006\003\125\004\006\023\002\105\123\061
+\037\060\035\006\003\125\004\012\023\026\107\145\156\145\162\141
+\154\151\164\141\164\040\126\141\154\145\156\143\151\141\156\141
+\061\017\060\015\006\003\125\004\013\023\006\120\113\111\107\126
+\101\061\047\060\045\006\003\125\004\003\023\036\122\157\157\164
+\040\103\101\040\107\145\156\145\162\141\154\151\164\141\164\040
+\126\141\154\145\156\143\151\141\156\141
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\150\061\013\060\011\006\003\125\004\006\023\002\105\123\061
+\037\060\035\006\003\125\004\012\023\026\107\145\156\145\162\141
+\154\151\164\141\164\040\126\141\154\145\156\143\151\141\156\141
+\061\017\060\015\006\003\125\004\013\023\006\120\113\111\107\126
+\101\061\047\060\045\006\003\125\004\003\023\036\122\157\157\164
+\040\103\101\040\107\145\156\145\162\141\154\151\164\141\164\040
+\126\141\154\145\156\143\151\141\156\141
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\004\073\105\345\150
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\006\213\060\202\005\163\240\003\002\001\002\002\004\073
+\105\345\150\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\060\150\061\013\060\011\006\003\125\004\006\023\002\105
+\123\061\037\060\035\006\003\125\004\012\023\026\107\145\156\145
+\162\141\154\151\164\141\164\040\126\141\154\145\156\143\151\141
+\156\141\061\017\060\015\006\003\125\004\013\023\006\120\113\111
+\107\126\101\061\047\060\045\006\003\125\004\003\023\036\122\157
+\157\164\040\103\101\040\107\145\156\145\162\141\154\151\164\141
+\164\040\126\141\154\145\156\143\151\141\156\141\060\036\027\015
+\060\061\060\067\060\066\061\066\062\062\064\067\132\027\015\062
+\061\060\067\060\061\061\065\062\062\064\067\132\060\150\061\013
+\060\011\006\003\125\004\006\023\002\105\123\061\037\060\035\006
+\003\125\004\012\023\026\107\145\156\145\162\141\154\151\164\141
+\164\040\126\141\154\145\156\143\151\141\156\141\061\017\060\015
+\006\003\125\004\013\023\006\120\113\111\107\126\101\061\047\060
+\045\006\003\125\004\003\023\036\122\157\157\164\040\103\101\040
+\107\145\156\145\162\141\154\151\164\141\164\040\126\141\154\145
+\156\143\151\141\156\141\060\202\001\042\060\015\006\011\052\206
+\110\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202
+\001\012\002\202\001\001\000\306\052\253\127\021\067\057\042\212
+\312\003\164\035\312\355\055\242\013\274\063\122\100\046\107\276
+\132\151\246\073\162\066\027\114\350\337\270\273\057\166\341\100
+\106\164\145\002\220\122\010\264\377\250\214\301\340\307\211\126
+\020\071\063\357\150\264\137\137\332\155\043\241\211\136\042\243
+\112\006\360\047\360\127\271\370\351\116\062\167\012\077\101\144
+\363\353\145\356\166\376\124\252\175\035\040\256\363\327\164\302
+\012\137\365\010\050\122\010\314\125\135\322\017\333\232\201\245
+\273\241\263\301\224\315\124\340\062\165\061\221\032\142\262\336
+\165\342\317\117\211\331\221\220\017\101\033\264\132\112\167\275
+\147\203\340\223\347\136\247\014\347\201\323\364\122\254\123\262
+\003\307\104\046\373\171\345\313\064\140\120\020\173\033\333\153
+\327\107\253\137\174\150\312\156\235\101\003\020\356\153\231\173
+\136\045\250\302\253\344\300\363\134\234\343\276\316\061\114\144
+\036\136\200\242\365\203\176\014\326\312\214\125\216\276\340\276
+\111\007\017\243\044\101\172\130\035\204\352\130\022\310\341\267
+\355\357\223\336\224\010\061\002\003\001\000\001\243\202\003\073
+\060\202\003\067\060\062\006\010\053\006\001\005\005\007\001\001
+\004\046\060\044\060\042\006\010\053\006\001\005\005\007\060\001
+\206\026\150\164\164\160\072\057\057\157\143\163\160\056\160\153
+\151\056\147\166\141\056\145\163\060\022\006\003\125\035\023\001
+\001\377\004\010\060\006\001\001\377\002\001\002\060\202\002\064
+\006\003\125\035\040\004\202\002\053\060\202\002\047\060\202\002
+\043\006\012\053\006\001\004\001\277\125\002\001\000\060\202\002
+\023\060\202\001\350\006\010\053\006\001\005\005\007\002\002\060
+\202\001\332\036\202\001\326\000\101\000\165\000\164\000\157\000
+\162\000\151\000\144\000\141\000\144\000\040\000\144\000\145\000
+\040\000\103\000\145\000\162\000\164\000\151\000\146\000\151\000
+\143\000\141\000\143\000\151\000\363\000\156\000\040\000\122\000
+\141\000\355\000\172\000\040\000\144\000\145\000\040\000\154\000
+\141\000\040\000\107\000\145\000\156\000\145\000\162\000\141\000
+\154\000\151\000\164\000\141\000\164\000\040\000\126\000\141\000
+\154\000\145\000\156\000\143\000\151\000\141\000\156\000\141\000
+\056\000\015\000\012\000\114\000\141\000\040\000\104\000\145\000
+\143\000\154\000\141\000\162\000\141\000\143\000\151\000\363\000
+\156\000\040\000\144\000\145\000\040\000\120\000\162\000\341\000
+\143\000\164\000\151\000\143\000\141\000\163\000\040\000\144\000
+\145\000\040\000\103\000\145\000\162\000\164\000\151\000\146\000
+\151\000\143\000\141\000\143\000\151\000\363\000\156\000\040\000
+\161\000\165\000\145\000\040\000\162\000\151\000\147\000\145\000
+\040\000\145\000\154\000\040\000\146\000\165\000\156\000\143\000
+\151\000\157\000\156\000\141\000\155\000\151\000\145\000\156\000
+\164\000\157\000\040\000\144\000\145\000\040\000\154\000\141\000
+\040\000\160\000\162\000\145\000\163\000\145\000\156\000\164\000
+\145\000\040\000\101\000\165\000\164\000\157\000\162\000\151\000
+\144\000\141\000\144\000\040\000\144\000\145\000\040\000\103\000
+\145\000\162\000\164\000\151\000\146\000\151\000\143\000\141\000
+\143\000\151\000\363\000\156\000\040\000\163\000\145\000\040\000
+\145\000\156\000\143\000\165\000\145\000\156\000\164\000\162\000
+\141\000\040\000\145\000\156\000\040\000\154\000\141\000\040\000
+\144\000\151\000\162\000\145\000\143\000\143\000\151\000\363\000
+\156\000\040\000\167\000\145\000\142\000\040\000\150\000\164\000
+\164\000\160\000\072\000\057\000\057\000\167\000\167\000\167\000
+\056\000\160\000\153\000\151\000\056\000\147\000\166\000\141\000
+\056\000\145\000\163\000\057\000\143\000\160\000\163\060\045\006
+\010\053\006\001\005\005\007\002\001\026\031\150\164\164\160\072
+\057\057\167\167\167\056\160\153\151\056\147\166\141\056\145\163
+\057\143\160\163\060\035\006\003\125\035\016\004\026\004\024\173
+\065\323\100\322\034\170\031\146\357\164\020\050\334\076\117\262
+\170\004\374\060\201\225\006\003\125\035\043\004\201\215\060\201
+\212\200\024\173\065\323\100\322\034\170\031\146\357\164\020\050
+\334\076\117\262\170\004\374\241\154\244\152\060\150\061\013\060
+\011\006\003\125\004\006\023\002\105\123\061\037\060\035\006\003
+\125\004\012\023\026\107\145\156\145\162\141\154\151\164\141\164
+\040\126\141\154\145\156\143\151\141\156\141\061\017\060\015\006
+\003\125\004\013\023\006\120\113\111\107\126\101\061\047\060\045
+\006\003\125\004\003\023\036\122\157\157\164\040\103\101\040\107
+\145\156\145\162\141\154\151\164\141\164\040\126\141\154\145\156
+\143\151\141\156\141\202\004\073\105\345\150\060\015\006\011\052
+\206\110\206\367\015\001\001\005\005\000\003\202\001\001\000\044
+\141\116\365\265\310\102\002\052\263\134\165\255\305\155\312\347
+\224\077\245\150\225\210\301\124\300\020\151\242\022\057\030\077
+\045\120\250\174\112\352\306\011\331\364\165\306\100\332\257\120
+\235\075\245\026\273\155\061\306\307\163\012\110\376\040\162\355
+\157\314\350\203\141\026\106\220\001\225\113\175\216\232\122\011
+\057\366\157\034\344\241\161\317\214\052\132\027\163\203\107\115
+\017\066\373\004\115\111\121\342\024\311\144\141\373\324\024\340
+\364\236\267\064\217\012\046\275\227\134\364\171\072\112\060\031
+\314\255\117\240\230\212\264\061\227\052\342\163\155\176\170\270
+\370\210\211\117\261\042\221\144\113\365\120\336\003\333\345\305
+\166\347\023\146\165\176\145\373\001\237\223\207\210\235\371\106
+\127\174\115\140\257\230\163\023\043\244\040\221\201\372\320\141
+\146\270\175\321\257\326\157\036\154\075\351\021\375\251\371\202
+\042\206\231\063\161\132\352\031\127\075\221\315\251\300\243\156
+\007\023\246\311\355\370\150\243\236\303\132\162\011\207\050\321
+\304\163\304\163\030\137\120\165\026\061\237\267\350\174\303
+END
+
+# Trust for Certificate "Root CA Generalitat Valenciana"
+# Issuer: CN=Root CA Generalitat Valenciana,OU=PKIGVA,O=Generalitat Valenciana,C=ES
+# Serial Number: 994436456 (0x3b45e568)
+# Subject: CN=Root CA Generalitat Valenciana,OU=PKIGVA,O=Generalitat Valenciana,C=ES
+# Not Valid Before: Fri Jul 06 16:22:47 2001
+# Not Valid After : Thu Jul 01 15:22:47 2021
+# Fingerprint (MD5): 2C:8C:17:5E:B1:54:AB:93:17:B5:36:5A:DB:D1:C6:F2
+# Fingerprint (SHA1): A0:73:E5:C5:BD:43:61:0D:86:4C:21:13:0A:85:58:57:CC:9C:EA:46
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Root CA Generalitat Valenciana"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\240\163\345\305\275\103\141\015\206\114\041\023\012\205\130\127
+\314\234\352\106
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\054\214\027\136\261\124\253\223\027\265\066\132\333\321\306\362
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\150\061\013\060\011\006\003\125\004\006\023\002\105\123\061
+\037\060\035\006\003\125\004\012\023\026\107\145\156\145\162\141
+\154\151\164\141\164\040\126\141\154\145\156\143\151\141\156\141
+\061\017\060\015\006\003\125\004\013\023\006\120\113\111\107\126
+\101\061\047\060\045\006\003\125\004\003\023\036\122\157\157\164
+\040\103\101\040\107\145\156\145\162\141\154\151\164\141\164\040
+\126\141\154\145\156\143\151\141\156\141
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\004\073\105\345\150
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
 # Certificate "TWCA Root Certification Authority"
 #
 # Issuer: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW
 # Serial Number: 1 (0x1)
 # Subject: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW
 # Not Valid Before: Thu Aug 28 07:24:33 2008
 # Not Valid After : Tue Dec 31 15:59:59 2030
 # Fingerprint (MD5): AA:08:8F:F6:F9:7B:B7:F2:B1:A7:1E:9B:EA:EA:BD:79
@@ -28470,1387 +28905,8 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\021\000\202\020\317\260\322\100\343\131\104\143\340\273\143
 \202\213\000
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "AC RAIZ FNMT-RCM"
-#
-# Issuer: OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES
-# Serial Number:5d:93:8d:30:67:36:c8:06:1d:1a:c7:54:84:69:07
-# Subject: OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES
-# Not Valid Before: Wed Oct 29 15:59:56 2008
-# Not Valid After : Tue Jan 01 00:00:00 2030
-# Fingerprint (SHA-256): EB:C5:57:0C:29:01:8C:4D:67:B1:AA:12:7B:AF:12:F7:03:B4:61:1E:BC:17:B7:DA:B5:57:38:94:17:9B:93:FA
-# Fingerprint (SHA1): EC:50:35:07:B2:15:C4:95:62:19:E2:A8:9A:5B:42:99:2C:4C:2C:20
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "AC RAIZ FNMT-RCM"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\073\061\013\060\011\006\003\125\004\006\023\002\105\123\061
-\021\060\017\006\003\125\004\012\014\010\106\116\115\124\055\122
-\103\115\061\031\060\027\006\003\125\004\013\014\020\101\103\040
-\122\101\111\132\040\106\116\115\124\055\122\103\115
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\073\061\013\060\011\006\003\125\004\006\023\002\105\123\061
-\021\060\017\006\003\125\004\012\014\010\106\116\115\124\055\122
-\103\115\061\031\060\027\006\003\125\004\013\014\020\101\103\040
-\122\101\111\132\040\106\116\115\124\055\122\103\115
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\017\135\223\215\060\147\066\310\006\035\032\307\124\204\151
-\007
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\203\060\202\003\153\240\003\002\001\002\002\017\135
-\223\215\060\147\066\310\006\035\032\307\124\204\151\007\060\015
-\006\011\052\206\110\206\367\015\001\001\013\005\000\060\073\061
-\013\060\011\006\003\125\004\006\023\002\105\123\061\021\060\017
-\006\003\125\004\012\014\010\106\116\115\124\055\122\103\115\061
-\031\060\027\006\003\125\004\013\014\020\101\103\040\122\101\111
-\132\040\106\116\115\124\055\122\103\115\060\036\027\015\060\070
-\061\060\062\071\061\065\065\071\065\066\132\027\015\063\060\060
-\061\060\061\060\060\060\060\060\060\132\060\073\061\013\060\011
-\006\003\125\004\006\023\002\105\123\061\021\060\017\006\003\125
-\004\012\014\010\106\116\115\124\055\122\103\115\061\031\060\027
-\006\003\125\004\013\014\020\101\103\040\122\101\111\132\040\106
-\116\115\124\055\122\103\115\060\202\002\042\060\015\006\011\052
-\206\110\206\367\015\001\001\001\005\000\003\202\002\017\000\060
-\202\002\012\002\202\002\001\000\272\161\200\172\114\206\156\177
-\310\023\155\300\306\175\034\000\227\217\054\014\043\273\020\232
-\100\251\032\267\207\210\370\233\126\152\373\346\173\216\213\222
-\216\247\045\135\131\021\333\066\056\267\121\027\037\251\010\037
-\004\027\044\130\252\067\112\030\337\345\071\324\127\375\327\301
-\054\221\001\221\342\042\324\003\300\130\374\167\107\354\217\076
-\164\103\272\254\064\215\115\070\166\147\216\260\310\157\060\063
-\130\161\134\264\365\153\156\324\001\120\270\023\176\154\112\243
-\111\321\040\031\356\274\300\051\030\145\247\336\376\357\335\012
-\220\041\347\032\147\222\102\020\230\137\117\060\274\076\034\105
-\264\020\327\150\100\024\300\100\372\347\167\027\172\346\013\217
-\145\133\074\331\232\122\333\265\275\236\106\317\075\353\221\005
-\002\300\226\262\166\114\115\020\226\073\222\372\234\177\017\231
-\337\276\043\065\105\036\002\134\376\265\250\233\231\045\332\136
-\363\042\303\071\365\344\052\056\323\306\037\304\154\252\305\034
-\152\001\005\112\057\322\305\301\250\064\046\135\146\245\322\002
-\041\371\030\267\006\365\116\231\157\250\253\114\121\350\317\120
-\030\305\167\310\071\011\054\111\222\062\231\250\273\027\027\171
-\260\132\305\346\243\304\131\145\107\065\203\136\251\350\065\013
-\231\273\344\315\040\306\233\112\006\071\265\150\374\042\272\356
-\125\214\053\116\352\363\261\343\374\266\231\232\325\102\372\161
-\115\010\317\207\036\152\161\175\371\323\264\351\245\161\201\173
-\302\116\107\226\245\366\166\205\243\050\217\351\200\156\201\123
-\245\155\137\270\110\371\302\371\066\246\056\111\377\270\226\302
-\214\007\263\233\210\130\374\353\033\034\336\055\160\342\227\222
-\060\241\211\343\274\125\250\047\326\113\355\220\255\213\372\143
-\045\131\055\250\065\335\312\227\063\274\345\315\307\235\321\354
-\357\136\016\112\220\006\046\143\255\271\331\065\055\007\272\166
-\145\054\254\127\217\175\364\007\224\327\201\002\226\135\243\007
-\111\325\172\320\127\371\033\347\123\106\165\252\260\171\102\313
-\150\161\010\351\140\275\071\151\316\364\257\303\126\100\307\255
-\122\242\011\344\157\206\107\212\037\353\050\047\135\203\040\257
-\004\311\154\126\232\213\106\365\002\003\001\000\001\243\201\203
-\060\201\200\060\017\006\003\125\035\023\001\001\377\004\005\060
-\003\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004
-\003\002\001\006\060\035\006\003\125\035\016\004\026\004\024\367
-\175\305\375\304\350\232\033\167\144\247\365\035\240\314\277\207
-\140\232\155\060\076\006\003\125\035\040\004\067\060\065\060\063
-\006\004\125\035\040\000\060\053\060\051\006\010\053\006\001\005
-\005\007\002\001\026\035\150\164\164\160\072\057\057\167\167\167
-\056\143\145\162\164\056\146\156\155\164\056\145\163\057\144\160
-\143\163\057\060\015\006\011\052\206\110\206\367\015\001\001\013
-\005\000\003\202\002\001\000\007\220\112\337\363\043\116\360\303
-\234\121\145\233\234\042\242\212\014\205\363\163\051\153\115\376
-\001\342\251\014\143\001\277\004\147\245\235\230\137\375\001\023
-\372\354\232\142\351\206\376\266\142\322\156\114\224\373\300\165
-\105\174\145\014\370\262\067\317\254\017\317\215\157\371\031\367
-\217\354\036\362\160\236\360\312\270\357\267\377\166\067\166\133
-\366\156\210\363\257\142\062\042\223\015\072\152\216\024\146\014
-\055\123\164\127\145\036\325\262\335\043\201\073\245\146\043\047
-\147\011\217\341\167\252\103\315\145\121\010\355\121\130\376\346
-\071\371\313\107\204\244\025\361\166\273\244\356\244\073\304\137
-\357\262\063\226\021\030\267\311\145\276\030\341\243\244\334\372
-\030\371\323\274\023\233\071\172\064\272\323\101\373\372\062\212
-\052\267\053\206\013\151\203\070\276\315\212\056\013\160\255\215
-\046\222\356\036\365\001\053\012\331\326\227\233\156\340\250\031
-\034\072\041\213\014\036\100\255\003\347\335\146\176\365\271\040
-\015\003\350\226\371\202\105\324\071\340\240\000\135\327\230\346
-\175\236\147\163\303\232\052\367\253\213\241\072\024\357\064\274
-\122\016\211\230\232\004\100\204\035\176\105\151\223\127\316\353
-\316\370\120\174\117\034\156\004\103\233\371\326\073\043\030\351
-\352\216\321\115\106\215\361\073\344\152\312\272\373\043\267\233
-\372\231\001\051\132\130\132\055\343\371\324\155\016\046\255\301
-\156\064\274\062\370\014\005\372\145\243\333\073\067\203\042\351
-\326\334\162\063\375\135\362\040\275\166\074\043\332\050\367\371
-\033\353\131\144\325\334\137\162\176\040\374\315\211\265\220\147
-\115\142\172\077\116\255\035\303\071\376\172\364\050\026\337\101
-\366\110\200\005\327\017\121\171\254\020\253\324\354\003\146\346
-\152\260\272\061\222\102\100\152\276\072\323\162\341\152\067\125
-\274\254\035\225\267\151\141\362\103\221\164\346\240\323\012\044
-\106\241\010\257\326\332\105\031\226\324\123\035\133\204\171\360
-\300\367\107\357\213\217\305\006\256\235\114\142\235\377\106\004
-\370\323\311\266\020\045\100\165\376\026\252\311\112\140\206\057
-\272\357\060\167\344\124\342\270\204\231\130\200\252\023\213\121
-\072\117\110\366\213\266\263
-END
-
-# Trust for "AC RAIZ FNMT-RCM"
-# Issuer: OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES
-# Serial Number:5d:93:8d:30:67:36:c8:06:1d:1a:c7:54:84:69:07
-# Subject: OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES
-# Not Valid Before: Wed Oct 29 15:59:56 2008
-# Not Valid After : Tue Jan 01 00:00:00 2030
-# Fingerprint (SHA-256): EB:C5:57:0C:29:01:8C:4D:67:B1:AA:12:7B:AF:12:F7:03:B4:61:1E:BC:17:B7:DA:B5:57:38:94:17:9B:93:FA
-# Fingerprint (SHA1): EC:50:35:07:B2:15:C4:95:62:19:E2:A8:9A:5B:42:99:2C:4C:2C:20
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "AC RAIZ FNMT-RCM"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\354\120\065\007\262\025\304\225\142\031\342\250\232\133\102\231
-\054\114\054\040
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\342\011\004\264\323\275\321\240\024\375\032\322\107\304\127\035
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\073\061\013\060\011\006\003\125\004\006\023\002\105\123\061
-\021\060\017\006\003\125\004\012\014\010\106\116\115\124\055\122
-\103\115\061\031\060\027\006\003\125\004\013\014\020\101\103\040
-\122\101\111\132\040\106\116\115\124\055\122\103\115
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\017\135\223\215\060\147\066\310\006\035\032\307\124\204\151
-\007
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Amazon Root CA 1"
-#
-# Issuer: CN=Amazon Root CA 1,O=Amazon,C=US
-# Serial Number:06:6c:9f:cf:99:bf:8c:0a:39:e2:f0:78:8a:43:e6:96:36:5b:ca
-# Subject: CN=Amazon Root CA 1,O=Amazon,C=US
-# Not Valid Before: Tue May 26 00:00:00 2015
-# Not Valid After : Sun Jan 17 00:00:00 2038
-# Fingerprint (SHA-256): 8E:CD:E6:88:4F:3D:87:B1:12:5B:A3:1A:C3:FC:B1:3D:70:16:DE:7F:57:CC:90:4F:E1:CB:97:C6:AE:98:19:6E
-# Fingerprint (SHA1): 8D:A7:F9:65:EC:5E:FC:37:91:0F:1C:6E:59:FD:C1:CC:6A:6E:DE:16
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Amazon Root CA 1"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\071\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\017\060\015\006\003\125\004\012\023\006\101\155\141\172\157\156
-\061\031\060\027\006\003\125\004\003\023\020\101\155\141\172\157
-\156\040\122\157\157\164\040\103\101\040\061
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\071\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\017\060\015\006\003\125\004\012\023\006\101\155\141\172\157\156
-\061\031\060\027\006\003\125\004\003\023\020\101\155\141\172\157
-\156\040\122\157\157\164\040\103\101\040\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\023\006\154\237\317\231\277\214\012\071\342\360\170\212\103
-\346\226\066\133\312
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\101\060\202\002\051\240\003\002\001\002\002\023\006
-\154\237\317\231\277\214\012\071\342\360\170\212\103\346\226\066
-\133\312\060\015\006\011\052\206\110\206\367\015\001\001\013\005
-\000\060\071\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\017\060\015\006\003\125\004\012\023\006\101\155\141\172\157
-\156\061\031\060\027\006\003\125\004\003\023\020\101\155\141\172
-\157\156\040\122\157\157\164\040\103\101\040\061\060\036\027\015
-\061\065\060\065\062\066\060\060\060\060\060\060\132\027\015\063
-\070\060\061\061\067\060\060\060\060\060\060\132\060\071\061\013
-\060\011\006\003\125\004\006\023\002\125\123\061\017\060\015\006
-\003\125\004\012\023\006\101\155\141\172\157\156\061\031\060\027
-\006\003\125\004\003\023\020\101\155\141\172\157\156\040\122\157
-\157\164\040\103\101\040\061\060\202\001\042\060\015\006\011\052
-\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000\060
-\202\001\012\002\202\001\001\000\262\170\200\161\312\170\325\343
-\161\257\107\200\120\164\175\156\330\327\210\166\364\231\150\367
-\130\041\140\371\164\204\001\057\254\002\055\206\323\240\103\172
-\116\262\244\320\066\272\001\276\215\333\110\310\007\027\066\114
-\364\356\210\043\307\076\353\067\365\265\031\370\111\150\260\336
-\327\271\166\070\035\141\236\244\376\202\066\245\345\112\126\344
-\105\341\371\375\264\026\372\164\332\234\233\065\071\057\372\260
-\040\120\006\154\172\320\200\262\246\371\257\354\107\031\217\120
-\070\007\334\242\207\071\130\370\272\325\251\371\110\147\060\226
-\356\224\170\136\157\211\243\121\300\060\206\146\241\105\146\272
-\124\353\243\303\221\371\110\334\377\321\350\060\055\175\055\164
-\160\065\327\210\044\367\236\304\131\156\273\163\207\027\362\062
-\106\050\270\103\372\267\035\252\312\264\362\237\044\016\055\113
-\367\161\134\136\151\377\352\225\002\313\070\212\256\120\070\157
-\333\373\055\142\033\305\307\036\124\341\167\340\147\310\017\234
-\207\043\326\077\100\040\177\040\200\304\200\114\076\073\044\046
-\216\004\256\154\232\310\252\015\002\003\001\000\001\243\102\060
-\100\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001
-\001\377\060\016\006\003\125\035\017\001\001\377\004\004\003\002
-\001\206\060\035\006\003\125\035\016\004\026\004\024\204\030\314
-\205\064\354\274\014\224\224\056\010\131\234\307\262\020\116\012
-\010\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000
-\003\202\001\001\000\230\362\067\132\101\220\241\032\305\166\121
-\050\040\066\043\016\256\346\050\273\252\370\224\256\110\244\060
-\177\033\374\044\215\113\264\310\241\227\366\266\361\172\160\310
-\123\223\314\010\050\343\230\045\317\043\244\371\336\041\323\174
-\205\011\255\116\232\165\072\302\013\152\211\170\166\104\107\030
-\145\154\215\101\216\073\177\232\313\364\265\247\120\327\005\054
-\067\350\003\113\255\351\141\240\002\156\365\362\360\305\262\355
-\133\267\334\372\224\134\167\236\023\245\177\122\255\225\362\370
-\223\073\336\213\134\133\312\132\122\133\140\257\024\367\113\357
-\243\373\237\100\225\155\061\124\374\102\323\307\106\037\043\255
-\331\017\110\160\232\331\165\170\161\321\162\103\064\165\156\127
-\131\302\002\134\046\140\051\317\043\031\026\216\210\103\245\324
-\344\313\010\373\043\021\103\350\103\051\162\142\241\251\135\136
-\010\324\220\256\270\330\316\024\302\320\125\362\206\366\304\223
-\103\167\146\141\300\271\350\101\327\227\170\140\003\156\112\162
-\256\245\321\175\272\020\236\206\154\033\212\271\131\063\370\353
-\304\220\276\361\271
-END
-
-# Trust for "Amazon Root CA 1"
-# Issuer: CN=Amazon Root CA 1,O=Amazon,C=US
-# Serial Number:06:6c:9f:cf:99:bf:8c:0a:39:e2:f0:78:8a:43:e6:96:36:5b:ca
-# Subject: CN=Amazon Root CA 1,O=Amazon,C=US
-# Not Valid Before: Tue May 26 00:00:00 2015
-# Not Valid After : Sun Jan 17 00:00:00 2038
-# Fingerprint (SHA-256): 8E:CD:E6:88:4F:3D:87:B1:12:5B:A3:1A:C3:FC:B1:3D:70:16:DE:7F:57:CC:90:4F:E1:CB:97:C6:AE:98:19:6E
-# Fingerprint (SHA1): 8D:A7:F9:65:EC:5E:FC:37:91:0F:1C:6E:59:FD:C1:CC:6A:6E:DE:16
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Amazon Root CA 1"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\215\247\371\145\354\136\374\067\221\017\034\156\131\375\301\314
-\152\156\336\026
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\103\306\277\256\354\376\255\057\030\306\210\150\060\374\310\346
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\071\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\017\060\015\006\003\125\004\012\023\006\101\155\141\172\157\156
-\061\031\060\027\006\003\125\004\003\023\020\101\155\141\172\157
-\156\040\122\157\157\164\040\103\101\040\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\023\006\154\237\317\231\277\214\012\071\342\360\170\212\103
-\346\226\066\133\312
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Amazon Root CA 2"
-#
-# Issuer: CN=Amazon Root CA 2,O=Amazon,C=US
-# Serial Number:06:6c:9f:d2:96:35:86:9f:0a:0f:e5:86:78:f8:5b:26:bb:8a:37
-# Subject: CN=Amazon Root CA 2,O=Amazon,C=US
-# Not Valid Before: Tue May 26 00:00:00 2015
-# Not Valid After : Sat May 26 00:00:00 2040
-# Fingerprint (SHA-256): 1B:A5:B2:AA:8C:65:40:1A:82:96:01:18:F8:0B:EC:4F:62:30:4D:83:CE:C4:71:3A:19:C3:9C:01:1E:A4:6D:B4
-# Fingerprint (SHA1): 5A:8C:EF:45:D7:A6:98:59:76:7A:8C:8B:44:96:B5:78:CF:47:4B:1A
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Amazon Root CA 2"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\071\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\017\060\015\006\003\125\004\012\023\006\101\155\141\172\157\156
-\061\031\060\027\006\003\125\004\003\023\020\101\155\141\172\157
-\156\040\122\157\157\164\040\103\101\040\062
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\071\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\017\060\015\006\003\125\004\012\023\006\101\155\141\172\157\156
-\061\031\060\027\006\003\125\004\003\023\020\101\155\141\172\157
-\156\040\122\157\157\164\040\103\101\040\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\023\006\154\237\322\226\065\206\237\012\017\345\206\170\370
-\133\046\273\212\067
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\101\060\202\003\051\240\003\002\001\002\002\023\006
-\154\237\322\226\065\206\237\012\017\345\206\170\370\133\046\273
-\212\067\060\015\006\011\052\206\110\206\367\015\001\001\014\005
-\000\060\071\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\017\060\015\006\003\125\004\012\023\006\101\155\141\172\157
-\156\061\031\060\027\006\003\125\004\003\023\020\101\155\141\172
-\157\156\040\122\157\157\164\040\103\101\040\062\060\036\027\015
-\061\065\060\065\062\066\060\060\060\060\060\060\132\027\015\064
-\060\060\065\062\066\060\060\060\060\060\060\132\060\071\061\013
-\060\011\006\003\125\004\006\023\002\125\123\061\017\060\015\006
-\003\125\004\012\023\006\101\155\141\172\157\156\061\031\060\027
-\006\003\125\004\003\023\020\101\155\141\172\157\156\040\122\157
-\157\164\040\103\101\040\062\060\202\002\042\060\015\006\011\052
-\206\110\206\367\015\001\001\001\005\000\003\202\002\017\000\060
-\202\002\012\002\202\002\001\000\255\226\237\055\234\112\114\112
-\201\171\121\231\354\212\313\153\140\121\023\274\115\155\006\374
-\260\010\215\335\031\020\152\307\046\014\065\330\300\157\040\204
-\351\224\261\233\205\003\303\133\333\112\350\310\370\220\166\331
-\133\117\343\114\350\006\066\115\314\232\254\075\014\220\053\222
-\324\006\031\140\254\067\104\171\205\201\202\255\132\067\340\015
-\314\235\246\114\122\166\352\103\235\267\004\321\120\366\125\340
-\325\322\246\111\205\351\067\351\312\176\256\134\225\115\110\232
-\077\256\040\132\155\210\225\331\064\270\122\032\103\220\260\277
-\154\005\271\266\170\267\352\320\344\072\074\022\123\142\377\112
-\362\173\276\065\005\251\022\064\343\363\144\164\142\054\075\000
-\111\132\050\376\062\104\273\207\335\145\047\002\161\073\332\112
-\367\037\332\315\367\041\125\220\117\017\354\256\202\341\237\153
-\331\105\323\273\360\137\207\355\074\054\071\206\332\077\336\354
-\162\125\353\171\243\255\333\335\174\260\272\034\316\374\336\117
-\065\166\317\017\370\170\037\152\066\121\106\047\141\133\351\236
-\317\360\242\125\175\174\045\212\157\057\264\305\317\204\056\053
-\375\015\121\020\154\373\137\033\274\033\176\305\256\073\230\001
-\061\222\377\013\127\364\232\262\271\127\351\253\357\015\166\321
-\360\356\364\316\206\247\340\156\351\264\151\241\337\151\366\063
-\306\151\056\227\023\236\245\207\260\127\020\201\067\311\123\263
-\273\177\366\222\321\234\320\030\364\222\156\332\203\117\246\143
-\231\114\245\373\136\357\041\144\172\040\137\154\144\205\025\313
-\067\351\142\014\013\052\026\334\001\056\062\332\076\113\365\236
-\072\366\027\100\224\357\236\221\010\206\372\276\143\250\132\063
-\354\313\164\103\225\371\154\151\122\066\307\051\157\374\125\003
-\134\037\373\237\275\107\353\347\111\107\225\013\116\211\042\011
-\111\340\365\141\036\361\277\056\212\162\156\200\131\377\127\072
-\371\165\062\243\116\137\354\355\050\142\331\115\163\362\314\201
-\027\140\355\315\353\334\333\247\312\305\176\002\275\362\124\010
-\124\375\264\055\011\054\027\124\112\230\321\124\341\121\147\010
-\322\355\156\176\157\077\322\055\201\131\051\146\313\220\071\225
-\021\036\164\047\376\335\353\257\002\003\001\000\001\243\102\060
-\100\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001
-\001\377\060\016\006\003\125\035\017\001\001\377\004\004\003\002
-\001\206\060\035\006\003\125\035\016\004\026\004\024\260\014\360
-\114\060\364\005\130\002\110\375\063\345\122\257\113\204\343\146
-\122\060\015\006\011\052\206\110\206\367\015\001\001\014\005\000
-\003\202\002\001\000\252\250\200\217\016\170\243\340\242\324\315
-\346\365\230\172\073\352\000\003\260\227\016\223\274\132\250\366
-\054\214\162\207\251\261\374\177\163\375\143\161\170\245\207\131
-\317\060\341\015\020\262\023\132\155\202\365\152\346\200\237\240
-\005\013\150\344\107\153\307\152\337\266\375\167\062\162\345\030
-\372\011\364\240\223\054\135\322\214\165\205\166\145\220\014\003
-\171\267\061\043\143\255\170\203\011\206\150\204\312\377\371\317
-\046\232\222\171\347\315\113\305\347\141\247\027\313\363\251\022
-\223\223\153\247\350\057\123\222\304\140\130\260\314\002\121\030
-\133\205\215\142\131\143\266\255\264\336\232\373\046\367\000\047
-\300\135\125\067\164\231\311\120\177\343\131\056\104\343\054\045
-\356\354\114\062\167\264\237\032\351\113\135\040\305\332\375\034
-\207\026\306\103\350\324\273\046\232\105\160\136\251\013\067\123
-\342\106\173\047\375\340\106\362\211\267\314\102\266\313\050\046
-\156\331\245\311\072\310\101\023\140\367\120\214\025\256\262\155
-\032\025\032\127\170\346\222\052\331\145\220\202\077\154\002\257
-\256\022\072\047\226\066\004\327\035\242\200\143\251\233\361\345
-\272\264\174\024\260\116\311\261\037\164\137\070\366\121\352\233
-\372\054\242\021\324\251\055\047\032\105\261\257\262\116\161\015
-\300\130\106\326\151\006\313\123\313\263\376\153\101\315\101\176
-\175\114\017\174\162\171\172\131\315\136\112\016\254\233\251\230
-\163\171\174\264\364\314\271\270\007\014\262\164\134\270\307\157
-\210\241\220\247\364\252\371\277\147\072\364\032\025\142\036\267
-\237\276\075\261\051\257\147\241\022\362\130\020\031\123\003\060
-\033\270\032\211\366\234\275\227\003\216\243\011\363\035\213\041
-\361\264\337\344\034\321\237\145\002\006\352\134\326\023\263\204
-\357\242\245\134\214\167\051\247\150\300\153\256\100\322\250\264
-\352\315\360\215\113\070\234\031\232\033\050\124\270\211\220\357
-\312\165\201\076\036\362\144\044\307\030\257\116\377\107\236\007
-\366\065\145\244\323\012\126\377\365\027\144\154\357\250\042\045
-\111\223\266\337\000\027\332\130\176\135\356\305\033\260\321\321
-\137\041\020\307\371\363\272\002\012\047\007\305\361\326\307\323
-\340\373\011\140\154
-END
-
-# Trust for "Amazon Root CA 2"
-# Issuer: CN=Amazon Root CA 2,O=Amazon,C=US
-# Serial Number:06:6c:9f:d2:96:35:86:9f:0a:0f:e5:86:78:f8:5b:26:bb:8a:37
-# Subject: CN=Amazon Root CA 2,O=Amazon,C=US
-# Not Valid Before: Tue May 26 00:00:00 2015
-# Not Valid After : Sat May 26 00:00:00 2040
-# Fingerprint (SHA-256): 1B:A5:B2:AA:8C:65:40:1A:82:96:01:18:F8:0B:EC:4F:62:30:4D:83:CE:C4:71:3A:19:C3:9C:01:1E:A4:6D:B4
-# Fingerprint (SHA1): 5A:8C:EF:45:D7:A6:98:59:76:7A:8C:8B:44:96:B5:78:CF:47:4B:1A
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Amazon Root CA 2"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\132\214\357\105\327\246\230\131\166\172\214\213\104\226\265\170
-\317\107\113\032
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\310\345\215\316\250\102\342\172\300\052\134\174\236\046\277\146
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\071\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\017\060\015\006\003\125\004\012\023\006\101\155\141\172\157\156
-\061\031\060\027\006\003\125\004\003\023\020\101\155\141\172\157
-\156\040\122\157\157\164\040\103\101\040\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\023\006\154\237\322\226\065\206\237\012\017\345\206\170\370
-\133\046\273\212\067
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Amazon Root CA 3"
-#
-# Issuer: CN=Amazon Root CA 3,O=Amazon,C=US
-# Serial Number:06:6c:9f:d5:74:97:36:66:3f:3b:0b:9a:d9:e8:9e:76:03:f2:4a
-# Subject: CN=Amazon Root CA 3,O=Amazon,C=US
-# Not Valid Before: Tue May 26 00:00:00 2015
-# Not Valid After : Sat May 26 00:00:00 2040
-# Fingerprint (SHA-256): 18:CE:6C:FE:7B:F1:4E:60:B2:E3:47:B8:DF:E8:68:CB:31:D0:2E:BB:3A:DA:27:15:69:F5:03:43:B4:6D:B3:A4
-# Fingerprint (SHA1): 0D:44:DD:8C:3C:8C:1A:1A:58:75:64:81:E9:0F:2E:2A:FF:B3:D2:6E
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Amazon Root CA 3"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\071\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\017\060\015\006\003\125\004\012\023\006\101\155\141\172\157\156
-\061\031\060\027\006\003\125\004\003\023\020\101\155\141\172\157
-\156\040\122\157\157\164\040\103\101\040\063
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\071\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\017\060\015\006\003\125\004\012\023\006\101\155\141\172\157\156
-\061\031\060\027\006\003\125\004\003\023\020\101\155\141\172\157
-\156\040\122\157\157\164\040\103\101\040\063
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\023\006\154\237\325\164\227\066\146\077\073\013\232\331\350
-\236\166\003\362\112
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\001\266\060\202\001\133\240\003\002\001\002\002\023\006
-\154\237\325\164\227\066\146\077\073\013\232\331\350\236\166\003
-\362\112\060\012\006\010\052\206\110\316\075\004\003\002\060\071
-\061\013\060\011\006\003\125\004\006\023\002\125\123\061\017\060
-\015\006\003\125\004\012\023\006\101\155\141\172\157\156\061\031
-\060\027\006\003\125\004\003\023\020\101\155\141\172\157\156\040
-\122\157\157\164\040\103\101\040\063\060\036\027\015\061\065\060
-\065\062\066\060\060\060\060\060\060\132\027\015\064\060\060\065
-\062\066\060\060\060\060\060\060\132\060\071\061\013\060\011\006
-\003\125\004\006\023\002\125\123\061\017\060\015\006\003\125\004
-\012\023\006\101\155\141\172\157\156\061\031\060\027\006\003\125
-\004\003\023\020\101\155\141\172\157\156\040\122\157\157\164\040
-\103\101\040\063\060\131\060\023\006\007\052\206\110\316\075\002
-\001\006\010\052\206\110\316\075\003\001\007\003\102\000\004\051
-\227\247\306\101\177\300\015\233\350\001\033\126\306\362\122\245
-\272\055\262\022\350\322\056\327\372\311\305\330\252\155\037\163
-\201\073\073\230\153\071\174\063\245\305\116\206\216\200\027\150
-\142\105\127\175\104\130\035\263\067\345\147\010\353\146\336\243
-\102\060\100\060\017\006\003\125\035\023\001\001\377\004\005\060
-\003\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004
-\003\002\001\206\060\035\006\003\125\035\016\004\026\004\024\253
-\266\333\327\006\236\067\254\060\206\007\221\160\307\234\304\031
-\261\170\300\060\012\006\010\052\206\110\316\075\004\003\002\003
-\111\000\060\106\002\041\000\340\205\222\243\027\267\215\371\053
-\006\245\223\254\032\230\150\141\162\372\341\241\320\373\034\170
-\140\246\103\231\305\270\304\002\041\000\234\002\357\361\224\234
-\263\226\371\353\306\052\370\266\054\376\072\220\024\026\327\214
-\143\044\110\034\337\060\175\325\150\073
-END
-
-# Trust for "Amazon Root CA 3"
-# Issuer: CN=Amazon Root CA 3,O=Amazon,C=US
-# Serial Number:06:6c:9f:d5:74:97:36:66:3f:3b:0b:9a:d9:e8:9e:76:03:f2:4a
-# Subject: CN=Amazon Root CA 3,O=Amazon,C=US
-# Not Valid Before: Tue May 26 00:00:00 2015
-# Not Valid After : Sat May 26 00:00:00 2040
-# Fingerprint (SHA-256): 18:CE:6C:FE:7B:F1:4E:60:B2:E3:47:B8:DF:E8:68:CB:31:D0:2E:BB:3A:DA:27:15:69:F5:03:43:B4:6D:B3:A4
-# Fingerprint (SHA1): 0D:44:DD:8C:3C:8C:1A:1A:58:75:64:81:E9:0F:2E:2A:FF:B3:D2:6E
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Amazon Root CA 3"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\015\104\335\214\074\214\032\032\130\165\144\201\351\017\056\052
-\377\263\322\156
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\240\324\357\013\367\265\330\111\225\052\354\365\304\374\201\207
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\071\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\017\060\015\006\003\125\004\012\023\006\101\155\141\172\157\156
-\061\031\060\027\006\003\125\004\003\023\020\101\155\141\172\157
-\156\040\122\157\157\164\040\103\101\040\063
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\023\006\154\237\325\164\227\066\146\077\073\013\232\331\350
-\236\166\003\362\112
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Amazon Root CA 4"
-#
-# Issuer: CN=Amazon Root CA 4,O=Amazon,C=US
-# Serial Number:06:6c:9f:d7:c1:bb:10:4c:29:43:e5:71:7b:7b:2c:c8:1a:c1:0e
-# Subject: CN=Amazon Root CA 4,O=Amazon,C=US
-# Not Valid Before: Tue May 26 00:00:00 2015
-# Not Valid After : Sat May 26 00:00:00 2040
-# Fingerprint (SHA-256): E3:5D:28:41:9E:D0:20:25:CF:A6:90:38:CD:62:39:62:45:8D:A5:C6:95:FB:DE:A3:C2:2B:0B:FB:25:89:70:92
-# Fingerprint (SHA1): F6:10:84:07:D6:F8:BB:67:98:0C:C2:E2:44:C2:EB:AE:1C:EF:63:BE
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Amazon Root CA 4"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\071\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\017\060\015\006\003\125\004\012\023\006\101\155\141\172\157\156
-\061\031\060\027\006\003\125\004\003\023\020\101\155\141\172\157
-\156\040\122\157\157\164\040\103\101\040\064
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\071\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\017\060\015\006\003\125\004\012\023\006\101\155\141\172\157\156
-\061\031\060\027\006\003\125\004\003\023\020\101\155\141\172\157
-\156\040\122\157\157\164\040\103\101\040\064
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\023\006\154\237\327\301\273\020\114\051\103\345\161\173\173
-\054\310\032\301\016
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\001\362\060\202\001\170\240\003\002\001\002\002\023\006
-\154\237\327\301\273\020\114\051\103\345\161\173\173\054\310\032
-\301\016\060\012\006\010\052\206\110\316\075\004\003\003\060\071
-\061\013\060\011\006\003\125\004\006\023\002\125\123\061\017\060
-\015\006\003\125\004\012\023\006\101\155\141\172\157\156\061\031
-\060\027\006\003\125\004\003\023\020\101\155\141\172\157\156\040
-\122\157\157\164\040\103\101\040\064\060\036\027\015\061\065\060
-\065\062\066\060\060\060\060\060\060\132\027\015\064\060\060\065
-\062\066\060\060\060\060\060\060\132\060\071\061\013\060\011\006
-\003\125\004\006\023\002\125\123\061\017\060\015\006\003\125\004
-\012\023\006\101\155\141\172\157\156\061\031\060\027\006\003\125
-\004\003\023\020\101\155\141\172\157\156\040\122\157\157\164\040
-\103\101\040\064\060\166\060\020\006\007\052\206\110\316\075\002
-\001\006\005\053\201\004\000\042\003\142\000\004\322\253\212\067
-\117\243\123\015\376\301\212\173\113\250\173\106\113\143\260\142
-\366\055\033\333\010\161\041\322\000\350\143\275\232\047\373\360
-\071\156\135\352\075\245\311\201\252\243\133\040\230\105\135\026
-\333\375\350\020\155\343\234\340\343\275\137\204\142\363\160\144
-\063\240\313\044\057\160\272\210\241\052\240\165\370\201\256\142
-\006\304\201\333\071\156\051\260\036\372\056\134\243\102\060\100
-\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001
-\377\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001
-\206\060\035\006\003\125\035\016\004\026\004\024\323\354\307\072
-\145\156\314\341\332\166\232\126\373\234\363\206\155\127\345\201
-\060\012\006\010\052\206\110\316\075\004\003\003\003\150\000\060
-\145\002\060\072\213\041\361\275\176\021\255\320\357\130\226\057
-\326\353\235\176\220\215\053\317\146\125\303\054\343\050\251\160
-\012\107\016\360\067\131\022\377\055\231\224\050\116\052\117\065
-\115\063\132\002\061\000\352\165\000\116\073\304\072\224\022\221
-\311\130\106\235\041\023\162\247\210\234\212\344\114\112\333\226
-\324\254\213\153\153\111\022\123\063\255\327\344\276\044\374\265
-\012\166\324\245\274\020
-END
-
-# Trust for "Amazon Root CA 4"
-# Issuer: CN=Amazon Root CA 4,O=Amazon,C=US
-# Serial Number:06:6c:9f:d7:c1:bb:10:4c:29:43:e5:71:7b:7b:2c:c8:1a:c1:0e
-# Subject: CN=Amazon Root CA 4,O=Amazon,C=US
-# Not Valid Before: Tue May 26 00:00:00 2015
-# Not Valid After : Sat May 26 00:00:00 2040
-# Fingerprint (SHA-256): E3:5D:28:41:9E:D0:20:25:CF:A6:90:38:CD:62:39:62:45:8D:A5:C6:95:FB:DE:A3:C2:2B:0B:FB:25:89:70:92
-# Fingerprint (SHA1): F6:10:84:07:D6:F8:BB:67:98:0C:C2:E2:44:C2:EB:AE:1C:EF:63:BE
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Amazon Root CA 4"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\366\020\204\007\326\370\273\147\230\014\302\342\104\302\353\256
-\034\357\143\276
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\211\274\047\325\353\027\215\006\152\151\325\375\211\107\264\315
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\071\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\017\060\015\006\003\125\004\012\023\006\101\155\141\172\157\156
-\061\031\060\027\006\003\125\004\003\023\020\101\155\141\172\157
-\156\040\122\157\157\164\040\103\101\040\064
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\023\006\154\237\327\301\273\020\114\051\103\345\161\173\173
-\054\310\032\301\016
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "LuxTrust Global Root 2"
-#
-# Issuer: CN=LuxTrust Global Root 2,O=LuxTrust S.A.,C=LU
-# Serial Number:0a:7e:a6:df:4b:44:9e:da:6a:24:85:9e:e6:b8:15:d3:16:7f:bb:b1
-# Subject: CN=LuxTrust Global Root 2,O=LuxTrust S.A.,C=LU
-# Not Valid Before: Thu Mar 05 13:21:57 2015
-# Not Valid After : Mon Mar 05 13:21:57 2035
-# Fingerprint (SHA-256): 54:45:5F:71:29:C2:0B:14:47:C4:18:F9:97:16:8F:24:C5:8F:C5:02:3B:F5:DA:5B:E2:EB:6E:1D:D8:90:2E:D5
-# Fingerprint (SHA1): 1E:0E:56:19:0A:D1:8B:25:98:B2:04:44:FF:66:8A:04:17:99:5F:3F
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "LuxTrust Global Root 2"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\106\061\013\060\011\006\003\125\004\006\023\002\114\125\061
-\026\060\024\006\003\125\004\012\014\015\114\165\170\124\162\165
-\163\164\040\123\056\101\056\061\037\060\035\006\003\125\004\003
-\014\026\114\165\170\124\162\165\163\164\040\107\154\157\142\141
-\154\040\122\157\157\164\040\062
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\106\061\013\060\011\006\003\125\004\006\023\002\114\125\061
-\026\060\024\006\003\125\004\012\014\015\114\165\170\124\162\165
-\163\164\040\123\056\101\056\061\037\060\035\006\003\125\004\003
-\014\026\114\165\170\124\162\165\163\164\040\107\154\157\142\141
-\154\040\122\157\157\164\040\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\024\012\176\246\337\113\104\236\332\152\044\205\236\346\270
-\025\323\026\177\273\261
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\303\060\202\003\253\240\003\002\001\002\002\024\012
-\176\246\337\113\104\236\332\152\044\205\236\346\270\025\323\026
-\177\273\261\060\015\006\011\052\206\110\206\367\015\001\001\013
-\005\000\060\106\061\013\060\011\006\003\125\004\006\023\002\114
-\125\061\026\060\024\006\003\125\004\012\014\015\114\165\170\124
-\162\165\163\164\040\123\056\101\056\061\037\060\035\006\003\125
-\004\003\014\026\114\165\170\124\162\165\163\164\040\107\154\157
-\142\141\154\040\122\157\157\164\040\062\060\036\027\015\061\065
-\060\063\060\065\061\063\062\061\065\067\132\027\015\063\065\060
-\063\060\065\061\063\062\061\065\067\132\060\106\061\013\060\011
-\006\003\125\004\006\023\002\114\125\061\026\060\024\006\003\125
-\004\012\014\015\114\165\170\124\162\165\163\164\040\123\056\101
-\056\061\037\060\035\006\003\125\004\003\014\026\114\165\170\124
-\162\165\163\164\040\107\154\157\142\141\154\040\122\157\157\164
-\040\062\060\202\002\042\060\015\006\011\052\206\110\206\367\015
-\001\001\001\005\000\003\202\002\017\000\060\202\002\012\002\202
-\002\001\000\327\205\227\277\021\230\351\360\142\203\114\074\207
-\371\123\152\067\013\362\017\074\207\316\157\334\046\051\275\305
-\211\272\311\203\075\367\356\312\133\306\155\111\163\264\311\106
-\243\033\064\023\077\301\211\105\127\364\331\261\373\066\145\113
-\373\010\342\110\161\021\310\156\073\236\235\337\211\145\067\246
-\205\366\073\104\030\266\306\067\060\142\104\222\227\151\175\102
-\060\044\344\015\014\211\153\143\336\305\341\337\116\251\024\154
-\123\340\141\316\366\027\057\035\074\275\346\042\114\035\223\365
-\020\304\241\166\354\152\336\305\154\337\226\264\126\100\102\300
-\142\222\060\241\055\025\224\240\322\040\006\011\156\152\155\345
-\353\267\276\324\360\361\025\174\213\346\116\272\023\314\113\047
-\136\231\074\027\135\217\201\177\063\075\117\323\077\033\354\134
-\077\360\074\114\165\156\362\246\325\235\332\055\007\143\002\306
-\162\351\224\274\114\111\225\117\210\122\310\333\350\151\202\370
-\314\064\133\042\360\206\247\211\275\110\012\155\146\201\155\310
-\310\144\373\001\341\364\341\336\331\236\335\333\133\324\052\231
-\046\025\033\036\114\222\051\202\236\325\222\201\222\101\160\031
-\367\244\345\223\113\274\167\147\061\335\034\375\061\160\015\027
-\231\014\371\014\071\031\052\027\265\060\161\125\325\017\256\130
-\341\075\057\064\233\317\237\366\170\205\302\223\172\162\076\146
-\217\234\026\021\140\217\236\211\157\147\276\340\107\132\073\014
-\232\147\213\317\106\306\256\070\243\362\247\274\346\326\205\153
-\063\044\160\042\113\313\010\233\273\310\370\002\051\035\276\040
-\014\106\277\153\207\233\263\052\146\102\065\106\154\252\272\255
-\371\230\173\351\120\125\024\061\277\261\332\055\355\200\255\150
-\044\373\151\253\330\161\023\060\346\147\263\207\100\375\211\176
-\362\103\321\021\337\057\145\057\144\316\137\024\271\261\277\061
-\275\207\170\132\131\145\210\252\374\131\062\110\206\326\114\271
-\051\113\225\323\166\363\167\045\155\102\034\070\203\115\375\243
-\137\233\177\055\254\171\033\016\102\061\227\143\244\373\212\151
-\325\042\015\064\220\060\056\250\264\340\155\266\224\254\274\213
-\116\327\160\374\305\070\216\144\045\341\115\071\220\316\311\207
-\204\130\161\002\003\001\000\001\243\201\250\060\201\245\060\017
-\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060
-\102\006\003\125\035\040\004\073\060\071\060\067\006\007\053\201
-\053\001\001\001\012\060\054\060\052\006\010\053\006\001\005\005
-\007\002\001\026\036\150\164\164\160\163\072\057\057\162\145\160
-\157\163\151\164\157\162\171\056\154\165\170\164\162\165\163\164
-\056\154\165\060\016\006\003\125\035\017\001\001\377\004\004\003
-\002\001\006\060\037\006\003\125\035\043\004\030\060\026\200\024
-\377\030\050\166\371\110\005\054\241\256\361\053\033\053\262\123
-\370\113\174\263\060\035\006\003\125\035\016\004\026\004\024\377
-\030\050\166\371\110\005\054\241\256\361\053\033\053\262\123\370
-\113\174\263\060\015\006\011\052\206\110\206\367\015\001\001\013
-\005\000\003\202\002\001\000\152\031\024\355\156\171\301\054\207
-\324\015\160\176\327\366\170\311\013\004\116\304\261\316\223\160
-\376\260\124\300\062\315\231\060\144\027\277\017\345\342\063\375
-\007\066\100\162\016\032\266\152\131\326\000\345\150\040\335\056
-\162\015\037\152\144\061\040\204\175\111\246\132\067\353\105\311
-\205\365\324\307\027\231\007\346\233\125\344\014\350\251\264\316
-\214\133\265\021\134\317\212\016\015\326\254\167\201\376\062\234
-\044\236\162\316\124\363\320\157\242\126\326\354\303\067\054\145
-\130\276\127\000\032\362\065\372\353\173\061\135\302\301\022\075
-\226\201\210\226\211\301\131\134\172\346\177\160\064\347\203\342
-\261\341\341\270\130\357\324\225\344\140\234\360\226\227\162\214
-\353\204\002\056\145\217\244\267\322\177\147\335\310\323\236\134
-\252\251\244\240\045\024\006\233\354\117\176\055\013\177\035\165
-\361\063\330\355\316\270\165\155\076\133\271\230\035\061\015\126
-\330\103\017\060\221\262\004\153\335\126\276\225\200\125\147\276
-\330\315\203\331\030\356\056\017\206\055\222\236\160\023\354\336
-\121\311\103\170\002\245\115\310\371\137\304\221\130\106\026\167
-\132\164\252\100\274\007\237\060\271\261\367\022\027\335\343\377
-\044\100\035\172\152\321\117\030\012\252\220\035\353\100\036\337
-\241\036\104\222\020\232\362\215\341\321\113\106\236\350\105\102
-\227\352\105\231\363\354\146\325\002\372\362\246\112\044\252\336
-\316\271\312\371\077\223\157\371\243\272\352\245\076\231\255\375
-\377\173\231\365\145\356\360\131\050\147\327\220\225\244\023\204
-\251\204\301\350\316\316\165\223\143\032\274\074\352\325\144\037
-\055\052\022\071\306\303\132\062\355\107\221\026\016\274\070\301
-\120\336\217\312\052\220\064\034\356\101\224\234\136\031\056\370
-\105\111\231\164\221\260\004\157\343\004\132\261\253\052\253\376
-\307\320\226\266\332\341\112\144\006\156\140\115\275\102\116\377
-\170\332\044\312\033\264\327\226\071\154\256\361\016\252\247\175
-\110\213\040\114\317\144\326\270\227\106\260\116\321\052\126\072
-\240\223\275\257\200\044\340\012\176\347\312\325\312\350\205\125
-\334\066\052\341\224\150\223\307\146\162\104\017\200\041\062\154
-\045\307\043\200\203\012\353
-END
-
-# Trust for "LuxTrust Global Root 2"
-# Issuer: CN=LuxTrust Global Root 2,O=LuxTrust S.A.,C=LU
-# Serial Number:0a:7e:a6:df:4b:44:9e:da:6a:24:85:9e:e6:b8:15:d3:16:7f:bb:b1
-# Subject: CN=LuxTrust Global Root 2,O=LuxTrust S.A.,C=LU
-# Not Valid Before: Thu Mar 05 13:21:57 2015
-# Not Valid After : Mon Mar 05 13:21:57 2035
-# Fingerprint (SHA-256): 54:45:5F:71:29:C2:0B:14:47:C4:18:F9:97:16:8F:24:C5:8F:C5:02:3B:F5:DA:5B:E2:EB:6E:1D:D8:90:2E:D5
-# Fingerprint (SHA1): 1E:0E:56:19:0A:D1:8B:25:98:B2:04:44:FF:66:8A:04:17:99:5F:3F
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "LuxTrust Global Root 2"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\036\016\126\031\012\321\213\045\230\262\004\104\377\146\212\004
-\027\231\137\077
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\262\341\011\000\141\257\367\361\221\157\304\255\215\136\073\174
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\106\061\013\060\011\006\003\125\004\006\023\002\114\125\061
-\026\060\024\006\003\125\004\012\014\015\114\165\170\124\162\165
-\163\164\040\123\056\101\056\061\037\060\035\006\003\125\004\003
-\014\026\114\165\170\124\162\165\163\164\040\107\154\157\142\141
-\154\040\122\157\157\164\040\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\024\012\176\246\337\113\104\236\332\152\044\205\236\346\270
-\025\323\026\177\273\261
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Symantec Class 1 Public Primary Certification Authority - G6"
-#
-# Issuer: CN=Symantec Class 1 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US
-# Serial Number:24:32:75:f2:1d:2f:d2:09:33:f7:b4:6a:ca:d0:f3:98
-# Subject: CN=Symantec Class 1 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US
-# Not Valid Before: Tue Oct 18 00:00:00 2011
-# Not Valid After : Tue Dec 01 23:59:59 2037
-# Fingerprint (SHA-256): 9D:19:0B:2E:31:45:66:68:5B:E8:A8:89:E2:7A:A8:C7:D7:AE:1D:8A:AD:DB:A3:C1:EC:F9:D2:48:63:CD:34:B9
-# Fingerprint (SHA1): 51:7F:61:1E:29:91:6B:53:82:FB:72:E7:44:D9:8D:C3:CC:53:6D:64
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Symantec Class 1 Public Primary Certification Authority - G6"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\224\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\035\060\033\006\003\125\004\012\023\024\123\171\155\141\156
-\164\145\143\040\103\157\162\160\157\162\141\164\151\157\156\061
-\037\060\035\006\003\125\004\013\023\026\123\171\155\141\156\164
-\145\143\040\124\162\165\163\164\040\116\145\164\167\157\162\153
-\061\105\060\103\006\003\125\004\003\023\074\123\171\155\141\156
-\164\145\143\040\103\154\141\163\163\040\061\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\066
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\224\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\035\060\033\006\003\125\004\012\023\024\123\171\155\141\156
-\164\145\143\040\103\157\162\160\157\162\141\164\151\157\156\061
-\037\060\035\006\003\125\004\013\023\026\123\171\155\141\156\164
-\145\143\040\124\162\165\163\164\040\116\145\164\167\157\162\153
-\061\105\060\103\006\003\125\004\003\023\074\123\171\155\141\156
-\164\145\143\040\103\154\141\163\163\040\061\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\066
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\044\062\165\362\035\057\322\011\063\367\264\152\312\320
-\363\230
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\366\060\202\002\336\240\003\002\001\002\002\020\044
-\062\165\362\035\057\322\011\063\367\264\152\312\320\363\230\060
-\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060\201
-\224\061\013\060\011\006\003\125\004\006\023\002\125\123\061\035
-\060\033\006\003\125\004\012\023\024\123\171\155\141\156\164\145
-\143\040\103\157\162\160\157\162\141\164\151\157\156\061\037\060
-\035\006\003\125\004\013\023\026\123\171\155\141\156\164\145\143
-\040\124\162\165\163\164\040\116\145\164\167\157\162\153\061\105
-\060\103\006\003\125\004\003\023\074\123\171\155\141\156\164\145
-\143\040\103\154\141\163\163\040\061\040\120\165\142\154\151\143
-\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151
-\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
-\040\055\040\107\066\060\036\027\015\061\061\061\060\061\070\060
-\060\060\060\060\060\132\027\015\063\067\061\062\060\061\062\063
-\065\071\065\071\132\060\201\224\061\013\060\011\006\003\125\004
-\006\023\002\125\123\061\035\060\033\006\003\125\004\012\023\024
-\123\171\155\141\156\164\145\143\040\103\157\162\160\157\162\141
-\164\151\157\156\061\037\060\035\006\003\125\004\013\023\026\123
-\171\155\141\156\164\145\143\040\124\162\165\163\164\040\116\145
-\164\167\157\162\153\061\105\060\103\006\003\125\004\003\023\074
-\123\171\155\141\156\164\145\143\040\103\154\141\163\163\040\061
-\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171\040
-\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165
-\164\150\157\162\151\164\171\040\055\040\107\066\060\202\001\042
-\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
-\202\001\017\000\060\202\001\012\002\202\001\001\000\307\071\327
-\111\144\251\231\202\042\114\352\105\331\007\026\343\173\364\203
-\350\231\163\372\153\261\066\340\232\167\240\100\302\201\215\001
-\307\314\214\275\217\175\367\171\343\172\114\003\115\331\373\375
-\207\070\050\054\335\232\213\124\010\333\147\373\033\214\376\050
-\222\057\276\267\262\110\247\201\241\330\136\210\303\314\071\100
-\101\132\321\334\345\332\020\237\057\332\001\115\375\056\106\174
-\371\056\047\012\151\067\356\221\243\033\152\314\104\277\033\307
-\303\324\021\262\120\140\227\011\275\056\042\365\101\204\146\237
-\315\100\246\251\000\200\301\037\225\222\237\336\363\110\357\333
-\035\167\141\374\177\337\356\226\244\162\320\266\076\377\170\047
-\257\313\222\025\151\010\333\143\020\342\346\227\254\156\334\254
-\366\242\316\036\107\231\271\211\267\022\346\241\324\315\131\021
-\147\303\157\205\330\102\116\050\276\131\125\131\004\225\253\217
-\067\200\277\015\360\374\037\072\144\061\130\201\170\327\342\065
-\366\040\077\051\270\217\026\156\076\110\334\265\114\007\341\362
-\032\352\176\012\171\326\250\275\353\135\206\053\115\002\003\001
-\000\001\243\102\060\100\060\016\006\003\125\035\017\001\001\377
-\004\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377
-\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026
-\004\024\063\101\350\310\071\022\025\223\110\362\226\062\056\132
-\365\332\224\137\123\140\060\015\006\011\052\206\110\206\367\015
-\001\001\013\005\000\003\202\001\001\000\025\343\163\127\261\027
-\266\137\111\151\104\246\366\136\172\147\254\322\336\165\111\253
-\376\045\125\307\072\311\104\025\020\156\277\061\153\313\331\007
-\223\177\034\205\143\000\343\062\022\340\314\313\373\071\154\217
-\342\123\342\074\100\063\331\244\214\107\346\255\130\373\211\257
-\343\336\206\051\126\064\054\105\270\022\372\104\211\156\055\024
-\045\050\044\001\145\326\352\122\254\005\156\126\022\011\075\320
-\164\364\327\275\006\312\250\072\215\126\102\372\215\162\076\164
-\361\003\162\337\207\033\136\016\172\125\226\054\070\267\230\205
-\315\115\063\104\311\224\217\132\061\060\067\113\243\072\022\263
-\347\066\321\041\150\113\055\070\346\123\256\034\045\126\010\126
-\003\147\204\235\306\303\316\044\142\307\114\066\317\260\006\104
-\267\365\137\002\335\331\124\351\057\220\116\172\310\116\203\100
-\014\232\227\074\067\277\277\354\366\360\264\205\167\050\301\013
-\310\147\202\020\027\070\242\267\006\352\233\277\072\370\351\043
-\007\277\164\340\230\070\025\125\170\356\162\000\134\031\243\364
-\322\063\340\377\275\321\124\071\051\017
-END
-
-# Trust for "Symantec Class 1 Public Primary Certification Authority - G6"
-# Issuer: CN=Symantec Class 1 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US
-# Serial Number:24:32:75:f2:1d:2f:d2:09:33:f7:b4:6a:ca:d0:f3:98
-# Subject: CN=Symantec Class 1 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US
-# Not Valid Before: Tue Oct 18 00:00:00 2011
-# Not Valid After : Tue Dec 01 23:59:59 2037
-# Fingerprint (SHA-256): 9D:19:0B:2E:31:45:66:68:5B:E8:A8:89:E2:7A:A8:C7:D7:AE:1D:8A:AD:DB:A3:C1:EC:F9:D2:48:63:CD:34:B9
-# Fingerprint (SHA1): 51:7F:61:1E:29:91:6B:53:82:FB:72:E7:44:D9:8D:C3:CC:53:6D:64
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Symantec Class 1 Public Primary Certification Authority - G6"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\121\177\141\036\051\221\153\123\202\373\162\347\104\331\215\303
-\314\123\155\144
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\057\250\264\332\366\144\113\036\202\371\106\075\124\032\174\260
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\224\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\035\060\033\006\003\125\004\012\023\024\123\171\155\141\156
-\164\145\143\040\103\157\162\160\157\162\141\164\151\157\156\061
-\037\060\035\006\003\125\004\013\023\026\123\171\155\141\156\164
-\145\143\040\124\162\165\163\164\040\116\145\164\167\157\162\153
-\061\105\060\103\006\003\125\004\003\023\074\123\171\155\141\156
-\164\145\143\040\103\154\141\163\163\040\061\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\066
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\044\062\165\362\035\057\322\011\063\367\264\152\312\320
-\363\230
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Symantec Class 2 Public Primary Certification Authority - G6"
-#
-# Issuer: CN=Symantec Class 2 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US
-# Serial Number:64:82:9e:fc:37:1e:74:5d:fc:97:ff:97:c8:b1:ff:41
-# Subject: CN=Symantec Class 2 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US
-# Not Valid Before: Tue Oct 18 00:00:00 2011
-# Not Valid After : Tue Dec 01 23:59:59 2037
-# Fingerprint (SHA-256): CB:62:7D:18:B5:8A:D5:6D:DE:33:1A:30:45:6B:C6:5C:60:1A:4E:9B:18:DE:DC:EA:08:E7:DA:AA:07:81:5F:F0
-# Fingerprint (SHA1): 40:B3:31:A0:E9:BF:E8:55:BC:39:93:CA:70:4F:4E:C2:51:D4:1D:8F
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Symantec Class 2 Public Primary Certification Authority - G6"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\224\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\035\060\033\006\003\125\004\012\023\024\123\171\155\141\156
-\164\145\143\040\103\157\162\160\157\162\141\164\151\157\156\061
-\037\060\035\006\003\125\004\013\023\026\123\171\155\141\156\164
-\145\143\040\124\162\165\163\164\040\116\145\164\167\157\162\153
-\061\105\060\103\006\003\125\004\003\023\074\123\171\155\141\156
-\164\145\143\040\103\154\141\163\163\040\062\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\066
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\224\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\035\060\033\006\003\125\004\012\023\024\123\171\155\141\156
-\164\145\143\040\103\157\162\160\157\162\141\164\151\157\156\061
-\037\060\035\006\003\125\004\013\023\026\123\171\155\141\156\164
-\145\143\040\124\162\165\163\164\040\116\145\164\167\157\162\153
-\061\105\060\103\006\003\125\004\003\023\074\123\171\155\141\156
-\164\145\143\040\103\154\141\163\163\040\062\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\066
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\144\202\236\374\067\036\164\135\374\227\377\227\310\261
-\377\101
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\366\060\202\002\336\240\003\002\001\002\002\020\144
-\202\236\374\067\036\164\135\374\227\377\227\310\261\377\101\060
-\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060\201
-\224\061\013\060\011\006\003\125\004\006\023\002\125\123\061\035
-\060\033\006\003\125\004\012\023\024\123\171\155\141\156\164\145
-\143\040\103\157\162\160\157\162\141\164\151\157\156\061\037\060
-\035\006\003\125\004\013\023\026\123\171\155\141\156\164\145\143
-\040\124\162\165\163\164\040\116\145\164\167\157\162\153\061\105
-\060\103\006\003\125\004\003\023\074\123\171\155\141\156\164\145
-\143\040\103\154\141\163\163\040\062\040\120\165\142\154\151\143
-\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151
-\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
-\040\055\040\107\066\060\036\027\015\061\061\061\060\061\070\060
-\060\060\060\060\060\132\027\015\063\067\061\062\060\061\062\063
-\065\071\065\071\132\060\201\224\061\013\060\011\006\003\125\004
-\006\023\002\125\123\061\035\060\033\006\003\125\004\012\023\024
-\123\171\155\141\156\164\145\143\040\103\157\162\160\157\162\141
-\164\151\157\156\061\037\060\035\006\003\125\004\013\023\026\123
-\171\155\141\156\164\145\143\040\124\162\165\163\164\040\116\145
-\164\167\157\162\153\061\105\060\103\006\003\125\004\003\023\074
-\123\171\155\141\156\164\145\143\040\103\154\141\163\163\040\062
-\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171\040
-\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165
-\164\150\157\162\151\164\171\040\055\040\107\066\060\202\001\042
-\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
-\202\001\017\000\060\202\001\012\002\202\001\001\000\315\314\351
-\005\310\143\205\313\077\100\143\027\275\030\372\065\346\004\147
-\127\145\230\051\244\117\311\134\217\017\064\322\370\332\250\023
-\142\252\270\036\120\147\170\260\026\114\240\071\251\025\172\256
-\355\322\242\300\360\220\067\051\030\046\134\350\015\074\266\154
-\111\077\301\340\334\331\113\266\024\031\013\246\323\226\341\326
-\011\343\031\046\034\371\037\145\113\371\032\103\034\000\203\326
-\320\252\111\242\324\333\346\142\070\272\120\024\103\155\371\061
-\370\126\026\331\070\002\221\317\353\154\335\273\071\116\231\341
-\060\147\105\361\324\360\215\303\337\376\362\070\007\041\175\000
-\136\126\104\263\344\140\275\221\053\234\253\133\004\162\017\262
-\050\331\162\253\005\040\102\045\251\133\003\152\040\020\314\061
-\360\053\332\065\054\320\373\232\227\116\360\202\113\053\330\137
-\066\243\013\055\257\143\015\035\045\177\241\156\134\142\241\215
-\050\076\241\374\034\040\370\001\057\272\125\232\021\260\031\322
-\310\120\171\153\016\152\005\327\252\004\066\262\243\362\341\137
-\167\247\167\234\345\036\334\351\337\152\301\145\135\002\003\001
-\000\001\243\102\060\100\060\016\006\003\125\035\017\001\001\377
-\004\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377
-\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026
-\004\024\207\214\040\225\310\230\112\321\326\200\006\112\220\064
-\104\337\034\115\277\260\060\015\006\011\052\206\110\206\367\015
-\001\001\013\005\000\003\202\001\001\000\201\216\262\245\146\226
-\267\041\245\266\357\157\043\132\137\333\201\305\102\245\170\301
-\151\375\364\074\327\371\134\153\160\162\032\374\132\227\115\000
-\200\210\210\202\212\303\161\015\216\305\211\233\054\355\215\013
-\322\162\124\365\175\324\134\103\127\351\363\256\245\002\021\366
-\166\053\201\127\335\175\332\164\060\375\124\107\366\340\026\156
-\246\264\012\110\346\347\165\007\017\051\031\071\316\171\364\266
-\154\305\137\231\325\037\113\372\337\155\054\074\015\124\200\160
-\360\210\013\200\317\306\150\242\270\035\160\331\166\214\374\356
-\245\311\317\255\035\317\231\045\127\132\142\105\313\026\153\275
-\111\315\245\243\214\151\171\045\256\270\114\154\213\100\146\113
-\026\077\317\002\032\335\341\154\153\007\141\152\166\025\051\231
-\177\033\335\210\200\301\277\265\217\163\305\246\226\043\204\246
-\050\206\044\063\152\001\056\127\163\045\266\136\277\217\346\035
-\141\250\100\051\147\035\207\233\035\177\233\237\231\315\061\326
-\124\276\142\273\071\254\150\022\110\221\040\245\313\261\335\376
-\157\374\132\344\202\125\131\257\061\251
-END
-
-# Trust for "Symantec Class 2 Public Primary Certification Authority - G6"
-# Issuer: CN=Symantec Class 2 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US
-# Serial Number:64:82:9e:fc:37:1e:74:5d:fc:97:ff:97:c8:b1:ff:41
-# Subject: CN=Symantec Class 2 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US
-# Not Valid Before: Tue Oct 18 00:00:00 2011
-# Not Valid After : Tue Dec 01 23:59:59 2037
-# Fingerprint (SHA-256): CB:62:7D:18:B5:8A:D5:6D:DE:33:1A:30:45:6B:C6:5C:60:1A:4E:9B:18:DE:DC:EA:08:E7:DA:AA:07:81:5F:F0
-# Fingerprint (SHA1): 40:B3:31:A0:E9:BF:E8:55:BC:39:93:CA:70:4F:4E:C2:51:D4:1D:8F
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Symantec Class 2 Public Primary Certification Authority - G6"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\100\263\061\240\351\277\350\125\274\071\223\312\160\117\116\302
-\121\324\035\217
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\175\013\203\345\373\174\255\007\117\040\251\265\337\143\355\171
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\224\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\035\060\033\006\003\125\004\012\023\024\123\171\155\141\156
-\164\145\143\040\103\157\162\160\157\162\141\164\151\157\156\061
-\037\060\035\006\003\125\004\013\023\026\123\171\155\141\156\164
-\145\143\040\124\162\165\163\164\040\116\145\164\167\157\162\153
-\061\105\060\103\006\003\125\004\003\023\074\123\171\155\141\156
-\164\145\143\040\103\154\141\163\163\040\062\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\066
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\144\202\236\374\067\036\164\135\374\227\377\227\310\261
-\377\101
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Symantec Class 1 Public Primary Certification Authority - G4"
-#
-# Issuer: CN=Symantec Class 1 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
-# Serial Number:21:6e:33:a5:cb:d3:88:a4:6f:29:07:b4:27:3c:c4:d8
-# Subject: CN=Symantec Class 1 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
-# Not Valid Before: Wed Oct 05 00:00:00 2011
-# Not Valid After : Mon Jan 18 23:59:59 2038
-# Fingerprint (SHA-256): 36:3F:3C:84:9E:AB:03:B0:A2:A0:F6:36:D7:B8:6D:04:D3:AC:7F:CF:E2:6A:0A:91:21:AB:97:95:F6:E1:76:DF
-# Fingerprint (SHA1): 84:F2:E3:DD:83:13:3E:A9:1D:19:52:7F:02:D7:29:BF:C1:5F:E6:67
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Symantec Class 1 Public Primary Certification Authority - G4"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\224\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\035\060\033\006\003\125\004\012\023\024\123\171\155\141\156
-\164\145\143\040\103\157\162\160\157\162\141\164\151\157\156\061
-\037\060\035\006\003\125\004\013\023\026\123\171\155\141\156\164
-\145\143\040\124\162\165\163\164\040\116\145\164\167\157\162\153
-\061\105\060\103\006\003\125\004\003\023\074\123\171\155\141\156
-\164\145\143\040\103\154\141\163\163\040\061\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\064
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\224\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\035\060\033\006\003\125\004\012\023\024\123\171\155\141\156
-\164\145\143\040\103\157\162\160\157\162\141\164\151\157\156\061
-\037\060\035\006\003\125\004\013\023\026\123\171\155\141\156\164
-\145\143\040\124\162\165\163\164\040\116\145\164\167\157\162\153
-\061\105\060\103\006\003\125\004\003\023\074\123\171\155\141\156
-\164\145\143\040\103\154\141\163\163\040\061\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\064
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\041\156\063\245\313\323\210\244\157\051\007\264\047\074
-\304\330
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\250\060\202\002\055\240\003\002\001\002\002\020\041
-\156\063\245\313\323\210\244\157\051\007\264\047\074\304\330\060
-\012\006\010\052\206\110\316\075\004\003\003\060\201\224\061\013
-\060\011\006\003\125\004\006\023\002\125\123\061\035\060\033\006
-\003\125\004\012\023\024\123\171\155\141\156\164\145\143\040\103
-\157\162\160\157\162\141\164\151\157\156\061\037\060\035\006\003
-\125\004\013\023\026\123\171\155\141\156\164\145\143\040\124\162
-\165\163\164\040\116\145\164\167\157\162\153\061\105\060\103\006
-\003\125\004\003\023\074\123\171\155\141\156\164\145\143\040\103
-\154\141\163\163\040\061\040\120\165\142\154\151\143\040\120\162
-\151\155\141\162\171\040\103\145\162\164\151\146\151\143\141\164
-\151\157\156\040\101\165\164\150\157\162\151\164\171\040\055\040
-\107\064\060\036\027\015\061\061\061\060\060\065\060\060\060\060
-\060\060\132\027\015\063\070\060\061\061\070\062\063\065\071\065
-\071\132\060\201\224\061\013\060\011\006\003\125\004\006\023\002
-\125\123\061\035\060\033\006\003\125\004\012\023\024\123\171\155
-\141\156\164\145\143\040\103\157\162\160\157\162\141\164\151\157
-\156\061\037\060\035\006\003\125\004\013\023\026\123\171\155\141
-\156\164\145\143\040\124\162\165\163\164\040\116\145\164\167\157
-\162\153\061\105\060\103\006\003\125\004\003\023\074\123\171\155
-\141\156\164\145\143\040\103\154\141\163\163\040\061\040\120\165
-\142\154\151\143\040\120\162\151\155\141\162\171\040\103\145\162
-\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157
-\162\151\164\171\040\055\040\107\064\060\166\060\020\006\007\052
-\206\110\316\075\002\001\006\005\053\201\004\000\042\003\142\000
-\004\327\146\265\033\333\256\263\140\356\106\352\210\143\165\073
-\052\224\155\363\137\022\366\343\017\236\266\012\024\123\110\122
-\310\334\072\263\313\110\040\046\022\116\372\211\204\324\337\221
-\344\051\175\050\001\331\333\030\103\151\241\037\265\323\206\026
-\334\307\177\147\043\337\337\061\061\203\003\065\160\261\113\267
-\310\027\273\121\313\334\224\027\333\352\011\073\166\022\336\252
-\265\243\102\060\100\060\016\006\003\125\035\017\001\001\377\004
-\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377\004
-\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026\004
-\024\145\300\215\045\365\014\272\227\167\220\077\236\056\340\132
-\365\316\325\341\344\060\012\006\010\052\206\110\316\075\004\003
-\003\003\151\000\060\146\002\061\000\245\256\343\106\123\370\230
-\066\343\042\372\056\050\111\015\356\060\176\063\363\354\077\161
-\136\314\125\211\170\231\254\262\375\334\034\134\063\216\051\271
-\153\027\310\021\150\265\334\203\007\002\061\000\234\310\104\332
-\151\302\066\303\124\031\020\205\002\332\235\107\357\101\347\154
-\046\235\011\075\367\155\220\321\005\104\057\260\274\203\223\150
-\362\014\105\111\071\277\231\004\034\323\020\240
-END
-
-# Trust for "Symantec Class 1 Public Primary Certification Authority - G4"
-# Issuer: CN=Symantec Class 1 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
-# Serial Number:21:6e:33:a5:cb:d3:88:a4:6f:29:07:b4:27:3c:c4:d8
-# Subject: CN=Symantec Class 1 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
-# Not Valid Before: Wed Oct 05 00:00:00 2011
-# Not Valid After : Mon Jan 18 23:59:59 2038
-# Fingerprint (SHA-256): 36:3F:3C:84:9E:AB:03:B0:A2:A0:F6:36:D7:B8:6D:04:D3:AC:7F:CF:E2:6A:0A:91:21:AB:97:95:F6:E1:76:DF
-# Fingerprint (SHA1): 84:F2:E3:DD:83:13:3E:A9:1D:19:52:7F:02:D7:29:BF:C1:5F:E6:67
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Symantec Class 1 Public Primary Certification Authority - G4"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\204\362\343\335\203\023\076\251\035\031\122\177\002\327\051\277
-\301\137\346\147
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\004\345\200\077\125\377\131\207\244\062\322\025\245\345\252\346
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\224\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\035\060\033\006\003\125\004\012\023\024\123\171\155\141\156
-\164\145\143\040\103\157\162\160\157\162\141\164\151\157\156\061
-\037\060\035\006\003\125\004\013\023\026\123\171\155\141\156\164
-\145\143\040\124\162\165\163\164\040\116\145\164\167\157\162\153
-\061\105\060\103\006\003\125\004\003\023\074\123\171\155\141\156
-\164\145\143\040\103\154\141\163\163\040\061\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\064
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\041\156\063\245\313\323\210\244\157\051\007\264\047\074
-\304\330
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Symantec Class 2 Public Primary Certification Authority - G4"
-#
-# Issuer: CN=Symantec Class 2 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
-# Serial Number:34:17:65:12:40:3b:b7:56:80:2d:80:cb:79:55:a6:1e
-# Subject: CN=Symantec Class 2 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
-# Not Valid Before: Wed Oct 05 00:00:00 2011
-# Not Valid After : Mon Jan 18 23:59:59 2038
-# Fingerprint (SHA-256): FE:86:3D:08:22:FE:7A:23:53:FA:48:4D:59:24:E8:75:65:6D:3D:C9:FB:58:77:1F:6F:61:6F:9D:57:1B:C5:92
-# Fingerprint (SHA1): 67:24:90:2E:48:01:B0:22:96:40:10:46:B4:B1:67:2C:A9:75:FD:2B
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Symantec Class 2 Public Primary Certification Authority - G4"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\224\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\035\060\033\006\003\125\004\012\023\024\123\171\155\141\156
-\164\145\143\040\103\157\162\160\157\162\141\164\151\157\156\061
-\037\060\035\006\003\125\004\013\023\026\123\171\155\141\156\164
-\145\143\040\124\162\165\163\164\040\116\145\164\167\157\162\153
-\061\105\060\103\006\003\125\004\003\023\074\123\171\155\141\156
-\164\145\143\040\103\154\141\163\163\040\062\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\064
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\224\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\035\060\033\006\003\125\004\012\023\024\123\171\155\141\156
-\164\145\143\040\103\157\162\160\157\162\141\164\151\157\156\061
-\037\060\035\006\003\125\004\013\023\026\123\171\155\141\156\164
-\145\143\040\124\162\165\163\164\040\116\145\164\167\157\162\153
-\061\105\060\103\006\003\125\004\003\023\074\123\171\155\141\156
-\164\145\143\040\103\154\141\163\163\040\062\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\064
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\064\027\145\022\100\073\267\126\200\055\200\313\171\125
-\246\036
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\250\060\202\002\055\240\003\002\001\002\002\020\064
-\027\145\022\100\073\267\126\200\055\200\313\171\125\246\036\060
-\012\006\010\052\206\110\316\075\004\003\003\060\201\224\061\013
-\060\011\006\003\125\004\006\023\002\125\123\061\035\060\033\006
-\003\125\004\012\023\024\123\171\155\141\156\164\145\143\040\103
-\157\162\160\157\162\141\164\151\157\156\061\037\060\035\006\003
-\125\004\013\023\026\123\171\155\141\156\164\145\143\040\124\162
-\165\163\164\040\116\145\164\167\157\162\153\061\105\060\103\006
-\003\125\004\003\023\074\123\171\155\141\156\164\145\143\040\103
-\154\141\163\163\040\062\040\120\165\142\154\151\143\040\120\162
-\151\155\141\162\171\040\103\145\162\164\151\146\151\143\141\164
-\151\157\156\040\101\165\164\150\157\162\151\164\171\040\055\040
-\107\064\060\036\027\015\061\061\061\060\060\065\060\060\060\060
-\060\060\132\027\015\063\070\060\061\061\070\062\063\065\071\065
-\071\132\060\201\224\061\013\060\011\006\003\125\004\006\023\002
-\125\123\061\035\060\033\006\003\125\004\012\023\024\123\171\155
-\141\156\164\145\143\040\103\157\162\160\157\162\141\164\151\157
-\156\061\037\060\035\006\003\125\004\013\023\026\123\171\155\141
-\156\164\145\143\040\124\162\165\163\164\040\116\145\164\167\157
-\162\153\061\105\060\103\006\003\125\004\003\023\074\123\171\155
-\141\156\164\145\143\040\103\154\141\163\163\040\062\040\120\165
-\142\154\151\143\040\120\162\151\155\141\162\171\040\103\145\162
-\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157
-\162\151\164\171\040\055\040\107\064\060\166\060\020\006\007\052
-\206\110\316\075\002\001\006\005\053\201\004\000\042\003\142\000
-\004\321\331\112\216\114\015\204\112\121\272\174\357\323\314\372
-\072\232\265\247\143\023\075\001\340\111\076\372\301\107\311\222
-\263\072\327\376\157\234\367\232\072\017\365\016\012\012\303\077
-\310\347\022\024\216\325\325\155\230\054\263\161\062\012\353\052
-\275\366\327\152\040\013\147\105\234\322\262\277\123\042\146\011
-\135\333\021\363\361\005\063\130\243\342\270\317\174\315\202\233
-\275\243\102\060\100\060\016\006\003\125\035\017\001\001\377\004
-\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377\004
-\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026\004
-\024\075\062\363\072\251\014\220\204\371\242\214\151\006\141\124
-\057\207\162\376\005\060\012\006\010\052\206\110\316\075\004\003
-\003\003\151\000\060\146\002\061\000\310\246\251\257\101\177\265
-\311\021\102\026\150\151\114\134\270\047\030\266\230\361\300\177
-\220\155\207\323\214\106\027\360\076\117\374\352\260\010\304\172
-\113\274\010\057\307\342\247\157\145\002\061\000\326\131\336\206
-\316\137\016\312\124\325\306\320\025\016\374\213\224\162\324\216
-\000\130\123\317\176\261\113\015\345\120\206\353\236\153\337\377
-\051\246\330\107\331\240\226\030\333\362\105\263
-END
-
-# Trust for "Symantec Class 2 Public Primary Certification Authority - G4"
-# Issuer: CN=Symantec Class 2 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
-# Serial Number:34:17:65:12:40:3b:b7:56:80:2d:80:cb:79:55:a6:1e
-# Subject: CN=Symantec Class 2 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
-# Not Valid Before: Wed Oct 05 00:00:00 2011
-# Not Valid After : Mon Jan 18 23:59:59 2038
-# Fingerprint (SHA-256): FE:86:3D:08:22:FE:7A:23:53:FA:48:4D:59:24:E8:75:65:6D:3D:C9:FB:58:77:1F:6F:61:6F:9D:57:1B:C5:92
-# Fingerprint (SHA1): 67:24:90:2E:48:01:B0:22:96:40:10:46:B4:B1:67:2C:A9:75:FD:2B
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Symantec Class 2 Public Primary Certification Authority - G4"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\147\044\220\056\110\001\260\042\226\100\020\106\264\261\147\054
-\251\165\375\053
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\160\325\060\361\332\224\227\324\327\164\337\276\355\150\336\226
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\224\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\035\060\033\006\003\125\004\012\023\024\123\171\155\141\156
-\164\145\143\040\103\157\162\160\157\162\141\164\151\157\156\061
-\037\060\035\006\003\125\004\013\023\026\123\171\155\141\156\164
-\145\143\040\124\162\165\163\164\040\116\145\164\167\157\162\153
-\061\105\060\103\006\003\125\004\003\023\074\123\171\155\141\156
-\164\145\143\040\103\154\141\163\163\040\062\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\064
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\064\027\145\022\100\073\267\126\200\055\200\313\171\125
-\246\036
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
--- a/security/nss/lib/ckfw/builtins/nssckbi.h
+++ b/security/nss/lib/ckfw/builtins/nssckbi.h
@@ -40,18 +40,18 @@
  *     ...
  *   - NSS 3.29 branch: 250-255
  *
  * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
  * whether we may use its full range (0-255) or only 0-99 because
  * of the comment in the CK_VERSION type definition.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 11
-#define NSS_BUILTINS_LIBRARY_VERSION "2.11"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 10
+#define NSS_BUILTINS_LIBRARY_VERSION "2.10"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
 #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
 
 /* These version numbers detail the semantic changes to ckbi itself
  * (new PKCS #11 objects), etc. */
 #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
--- a/security/nss/lib/cryptohi/dsautil.c
+++ b/security/nss/lib/cryptohi/dsautil.c
@@ -161,38 +161,34 @@ common_EncodeDerSig(SECItem *dest, SECIt
 ** buffer containing the "raw" signature, which is len bytes of r,
 ** followed by len bytes of s. For DSA, len is the length of q.
 ** For ECDSA, len depends on the key size used to create the signature.
 */
 static SECItem *
 common_DecodeDerSig(const SECItem *item, unsigned int len)
 {
     SECItem *result = NULL;
-    PORTCheapArenaPool arena;
     SECStatus status;
     DSA_ASN1Signature sig;
     SECItem dst;
 
     PORT_Memset(&sig, 0, sizeof(sig));
 
-    /* Make enough room for r + s. */
-    PORT_InitCheapArena(&arena, PR_MAX(2 * MAX_ECKEY_LEN, DSA_MAX_SIGNATURE_LEN));
-
     result = PORT_ZNew(SECItem);
     if (result == NULL)
         goto loser;
 
     result->len = 2 * len;
     result->data = (unsigned char *)PORT_Alloc(2 * len);
     if (result->data == NULL)
         goto loser;
 
     sig.r.type = siUnsignedInteger;
     sig.s.type = siUnsignedInteger;
-    status = SEC_QuickDERDecodeItem(&arena.arena, &sig, DSA_SignatureTemplate, item);
+    status = SEC_ASN1DecodeItem(NULL, &sig, DSA_SignatureTemplate, item);
     if (status != SECSuccess)
         goto loser;
 
     /* Convert sig.r and sig.s from variable  length signed integers to
     ** fixed length unsigned integers.
     */
     dst.data = result->data;
     dst.len = len;
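Review bot: The restored `SEC_ASN1DecodeItem(NULL, &sig, DSA_SignatureTemplate, item)` call has no comment saying who owns the decoded integers. With a NULL arena the decoder puts `sig.r.data` and `sig.s.data` on the heap, so this function must release them itself on every exit path. Because `item` is a DER signature that may come from an untrusted peer, I would state that next to the call, e.g. `/* NULL arena: sig.r.data and sig.s.data are heap-allocated by the decoder and freed at done: */`. common_DecodeDerSig continues past the end of this hunk.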
@@ -201,17 +197,20 @@ common_DecodeDerSig(const SECItem *item,
         goto loser;
 
     dst.data += len;
     status = DSAU_ConvertSignedToFixedUnsigned(&dst, &sig.s);
     if (status != SECSuccess)
         goto loser;
 
 done:
-    PORT_DestroyCheapArena(&arena);
+    if (sig.r.data != NULL)
+        PORT_Free(sig.r.data);
+    if (sig.s.data != NULL)
+        PORT_Free(sig.s.data);
 
     return result;
 
 loser:
     if (result != NULL) {
         SECITEM_FreeItem(result, PR_TRUE);
         result = NULL;
     }
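Review bot: The `done:` block is now the only place that releases the heap buffers `SEC_ASN1DecodeItem(NULL, ...)` stores in `sig.r.data` and `sig.s.data`. Because `loser:` sits after `return result;`, any failure path that does not jump back to `done` leaks them. The end of `loser:` lies outside this hunk, so confirm it finishes with `goto done;`. A comment at the label would record the ownership, for example `/* sig.r/sig.s are heap-allocated by SEC_ASN1DecodeItem(NULL, ...); release on every exit path */`.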
--- a/security/nss/lib/dev/devslot.c
+++ b/security/nss/lib/dev/devslot.c
@@ -86,28 +86,29 @@ nssSlot_GetTokenName(
 NSS_IMPLEMENT void
 nssSlot_ResetDelay(
     NSSSlot *slot)
 {
     slot->lastTokenPing = 0;
 }
 
 static PRBool
-within_token_delay_period(const NSSSlot *slot)
+within_token_delay_period(NSSSlot *slot)
 {
     PRIntervalTime time, lastTime;
     /* Set the delay time for checking the token presence */
     if (s_token_delay_time == 0) {
         s_token_delay_time = PR_SecondsToInterval(NSSSLOT_TOKEN_DELAY_TIME);
     }
     time = PR_IntervalNow();
     lastTime = slot->lastTokenPing;
     if ((lastTime) && ((time - lastTime) < s_token_delay_time)) {
         return PR_TRUE;
     }
+    slot->lastTokenPing = time;
     return PR_FALSE;
 }
 
 NSS_IMPLEMENT PRBool
 nssSlot_IsTokenPresent(
     NSSSlot *slot)
 {
     CK_RV ckrv;
@@ -130,25 +131,23 @@ nssSlot_IsTokenPresent(
     if (!epv) {
         return PR_FALSE;
     }
     nssSlot_EnterMonitor(slot);
     ckrv = CKAPI(epv)->C_GetSlotInfo(slot->slotID, &slotInfo);
     nssSlot_ExitMonitor(slot);
     if (ckrv != CKR_OK) {
         slot->token->base.name[0] = 0; /* XXX */
-        slot->lastTokenPing = PR_IntervalNow();
         return PR_FALSE;
     }
     slot->ckFlags = slotInfo.flags;
     /* check for the presence of the token */
     if ((slot->ckFlags & CKF_TOKEN_PRESENT) == 0) {
         if (!slot->token) {
             /* token was never present */
-            slot->lastTokenPing = PR_IntervalNow();
             return PR_FALSE;
         }
         session = nssToken_GetDefaultSession(slot->token);
         if (session) {
             nssSession_EnterMonitor(session);
             /* token is not present */
             if (session->handle != CK_INVALID_SESSION) {
                 /* session is valid, close and invalidate it */
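Review bot: On the `ckrv != CKR_OK` path, `slot->token->base.name[0] = 0;` dereferences `slot->token` unconditionally. A few lines later the same function guards with `if (!slot->token)` and treats it as "token was never present". If `slot->token` can be NULL there, it can be NULL when `C_GetSlotInfo` fails as well, and that is exactly the path a misbehaving or absent PKCS #11 module would take. Unless an earlier check outside this hunk rules it out, guard the write: `if (slot->token) slot->token->base.name[0] = 0; /* XXX */`.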
@@ -161,17 +160,16 @@ nssSlot_IsTokenPresent(
         if (slot->token->base.name[0] != 0) {
             /* notify the high-level cache that the token is removed */
             slot->token->base.name[0] = 0; /* XXX */
             nssToken_NotifyCertsNotVisible(slot->token);
         }
         slot->token->base.name[0] = 0; /* XXX */
         /* clear the token cache */
         nssToken_Remove(slot->token);
-        slot->lastTokenPing = PR_IntervalNow();
         return PR_FALSE;
     }
     /* token is present, use the session info to determine if the card
      * has been removed and reinserted.
      */
     session = nssToken_GetDefaultSession(slot->token);
     if (session) {
         PRBool isPresent = PR_FALSE;
@@ -184,37 +182,32 @@ nssSlot_IsTokenPresent(
                 CKAPI(epv)
                     ->C_CloseSession(session->handle);
                 session->handle = CK_INVALID_SESSION;
             }
         }
         isPresent = session->handle != CK_INVALID_SESSION;
         nssSession_ExitMonitor(session);
         /* token not removed, finished */
-        if (isPresent) {
-            slot->lastTokenPing = PR_IntervalNow();
+        if (isPresent)
             return PR_TRUE;
-        }
     }
     /* the token has been removed, and reinserted, or the slot contains
      * a token it doesn't recognize. invalidate all the old
      * information we had on this token, if we can't refresh, clear
      * the present flag */
     nssToken_NotifyCertsNotVisible(slot->token);
     nssToken_Remove(slot->token);
     /* token has been removed, need to refresh with new session */
     nssrv = nssSlot_Refresh(slot);
     if (nssrv != PR_SUCCESS) {
         slot->token->base.name[0] = 0; /* XXX */
         slot->ckFlags &= ~CKF_TOKEN_PRESENT;
-        /* TODO: insert a barrier here to avoid reordering of the assingments */
-        slot->lastTokenPing = PR_IntervalNow();
         return PR_FALSE;
     }
-    slot->lastTokenPing = PR_IntervalNow();
     return PR_TRUE;
 }
 
 NSS_IMPLEMENT void *
 nssSlot_GetCryptokiEPV(
     NSSSlot *slot)
 {
     return slot->epv;
--- a/security/nss/lib/freebl/Makefile
+++ b/security/nss/lib/freebl/Makefile
@@ -596,17 +596,17 @@ ECL_USERS = ec.c
 
 ECL_OBJS = $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(ECL_SRCS:.c=$(OBJ_SUFFIX)) $(ECL_ASM_SRCS:$(ASM_SUFFIX)=$(OBJ_SUFFIX)))
 ECL_OBJS += $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(ECL_USERS:.c=$(OBJ_SUFFIX)))
 
 $(ECL_OBJS): $(ECL_HDRS)
 
 
 
-$(OBJDIR)/sysrand$(OBJ_SUFFIX): sysrand.c unix_rand.c win_rand.c
+$(OBJDIR)/sysrand$(OBJ_SUFFIX): sysrand.c unix_rand.c win_rand.c os2_rand.c
 
 $(OBJDIR)/$(PROG_PREFIX)mpprime$(OBJ_SUFFIX): primes.c
 
 $(OBJDIR)/ldvector$(OBJ_SUFFIX) $(OBJDIR)/loader$(OBJ_SUFFIX) : loader.h
 
 ifeq ($(SYSV_SPARC),1)
 
 $(OBJDIR)/mpv_sparcv8.o $(OBJDIR)/mpv_sparcv8x.o $(OBJDIR)/montmulfv8.o : $(OBJDIR)/%.o : %.s
--- a/security/nss/lib/freebl/ec.c
+++ b/security/nss/lib/freebl/ec.c
@@ -561,40 +561,35 @@ ECDH_Derive(SECItem *publicValue,
 #endif
 
     if (!publicValue || !ecParams || !privateValue || !derivedSecret ||
         !ecParams->name) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
 
-    /*
-     * Make sure the point is on the requested curve to avoid
-     * certain small subgroup attacks.
-     */
-    if (EC_ValidatePublicKey(ecParams, publicValue) != SECSuccess) {
-        PORT_SetError(SEC_ERROR_BAD_KEY);
-        return SECFailure;
-    }
-
     /* Perform curve specific multiplication using ECMethod */
     if (ecParams->fieldID.type == ec_field_plain) {
         const ECMethod *method;
         memset(derivedSecret, 0, sizeof(*derivedSecret));
         derivedSecret = SECITEM_AllocItem(NULL, derivedSecret, ecParams->pointSize);
         if (derivedSecret == NULL) {
             PORT_SetError(SEC_ERROR_NO_MEMORY);
             return SECFailure;
         }
         method = ec_get_method_from_name(ecParams->name);
         if (method == NULL || method->validate == NULL ||
             method->mul == NULL) {
             PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
             return SECFailure;
         }
+        if (method->validate(publicValue) != SECSuccess) {
+            PORT_SetError(SEC_ERROR_BAD_KEY);
+            return SECFailure;
+        }
         return method->mul(derivedSecret, privateValue, publicValue);
     }
 
     /*
      * We fail if the public value is the point at infinity, since
      * this produces predictable results.
      */
     if (ec_point_at_infinity(publicValue)) {
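Review bot: After this change only the `ec_field_plain` branch validates the peer's `publicValue` (through `method->validate`). The generic path below shows only the point-at-infinity test before the multiplication, so no on-curve check is visible for a value that normally arrives from the remote party. Unless every caller validates the point first (not visible here), keep the check ahead of the branch: `if (EC_ValidatePublicKey(ecParams, publicValue) != SECSuccess) { PORT_SetError(SEC_ERROR_BAD_KEY); return SECFailure; }`. The following hunk in `ECDSA_VerifyDigest` also removes the comment that recorded where the verification key is validated, so that precondition should be restated there if it still holds. Separately, in the plain branch the two `return SECFailure;` exits follow `SECITEM_AllocItem` and leave `derivedSecret->data` allocated; doing the method lookup and validation before the allocation would avoid relying on the caller to free it.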
@@ -1002,24 +997,19 @@ ECDSA_VerifyDigest(ECPublicKey *key, con
     olen = ecParams->order.len;
     if (signature->len == 0 || signature->len % 2 != 0 ||
         signature->len > 2 * olen) {
         PORT_SetError(SEC_ERROR_INPUT_LEN);
         goto cleanup;
     }
     slen = signature->len / 2;
 
-    /*
-     * The incoming point has been verified in sftk_handlePublicKeyObject.
-     */
-
     SECITEM_AllocItem(NULL, &pointC, ecParams->pointSize);
-    if (pointC.data == NULL) {
+    if (pointC.data == NULL)
         goto cleanup;
-    }
 
     CHECK_MPI_OK(mp_init(&r_));
     CHECK_MPI_OK(mp_init(&s_));
     CHECK_MPI_OK(mp_init(&c));
     CHECK_MPI_OK(mp_init(&u1));
     CHECK_MPI_OK(mp_init(&u2));
     CHECK_MPI_OK(mp_init(&x1));
     CHECK_MPI_OK(mp_init(&v));
--- a/security/nss/lib/freebl/ecl/README
+++ b/security/nss/lib/freebl/ecl/README
@@ -85,16 +85,30 @@ y=Y/Z^3).
 ecp_jm.c provides point arithmetic using Modified Jacobian
 coordinates and mixed Modified_Jacobian-affine coordinates.
 (Modified Jacobian coordinates represent a point (x, y)
 as (X, Y, Z, a*Z^4), where x=X/Z^2, y=Y/Z^3, and a is
 the linear coefficient in the curve defining equation).
 
 ecp_192.c and ecp_224.c provide optimized field arithmetic.
 
+Point Arithmetic over Binary Polynomial Fields
+----------------------------------------------
+
+ec2_aff.c provides point arithmetic using affine coordinates.
+
+ec2_proj.c provides point arithmetic using projective coordinates.
+(Projective coordinates represent a point (x, y) as (X, Y, Z), where
+x=X/Z, y=Y/Z^2).
+
+ec2_mont.c provides point multiplication using Montgomery projective
+coordinates.
+
+ec2_163.c, ec2_193.c, and ec2_233.c provide optimized field arithmetic.
+
 Field Arithmetic
 ----------------
 
 ecl_gf.c provides constructors for field objects (GFMethod) with the
 functions GFMethod_cons*. It also provides wrappers around the basic
 field operations.
 
 Prime Field Arithmetic
@@ -107,16 +121,28 @@ functions from the mpi library and adds 
 It also provides the function to construct a GFMethod object using
 Montgomery multiplication.
 
 ecp_192.c and ecp_224.c provide optimized modular reduction for the
 fields defined by nistp192 and nistp224 primes.
 
 ecl_gf.c provides wrappers around the basic field operations.
 
+Binary Polynomial Field Arithmetic
+----------------------------------
+
+../mpi/mp_gf2m.c provides basic binary polynomial field arithmetic,
+including addition, multiplication, squaring, mod, and division, as well
+as conversion ob polynomial representations between bitstring and int[].
+
+ec2_163.c, ec2_193.c, and ec2_233.c provide optimized field mod, mul,
+and sqr operations.
+
+ecl_gf.c provides wrappers around the basic field operations.
+
 Field Encoding
 --------------
 
 By default, field elements are encoded in their basic form. It is
 possible to use an alternative encoding, however. For example, it is
 possible to Montgomery representation of prime field elements and
 take advantage of the fast modular multiplication that Montgomery
 representation provides. The process of converting from basic form to
@@ -156,8 +182,86 @@ multiplication using Jacobian coordinate
 (Wiring in function ECGroup_consGFp_mont in ecl.c.)
 
 Curves over prime fields that have optimized modular reduction (i.e.,
 secp160r1, nistp192, and nistp224) do not use Montgomery field
 arithmetic. Instead, they use basic field arithmetic with their
 optimized reduction (as in ecp_192.c and ecp_224.c). They
 use the same point multiplication and simultaneous point multiplication
 algorithms as other curves over prime fields.
+
+Curves over binary polynomial fields by default use generic field
+arithmetic with montgomery point multiplication and basic kP + lQ
+computation (multiply, multiply, and add). (Wiring in function
+ECGroup_cons_GF2m in ecl.c.)
+
+Curves over binary polynomial fields that have optimized field
+arithmetic (i.e., any 163-, 193, or 233-bit field) use their optimized
+field arithmetic. They use the same point multiplication and
+simultaneous point multiplication algorithms as other curves over binary
+fields.
+
+Example
+-------
+
+We provide an example for plugging in an optimized implementation for
+the Koblitz curve nistk163.
+
+Suppose the file ec2_k163.c contains the optimized implementation. In
+particular it contains a point multiplication function:
+
+	mp_err ec_GF2m_nistk163_pt_mul(const mp_int *n, const mp_int *px, 
+		const mp_int *py, mp_int *rx, mp_int *ry, const ECGroup *group);
+
+Since only a pt_mul function is provided, the generic pt_add function
+will be used.
+
+There are two options for handling the optimized field arithmetic used
+by the ..._pt_mul function. Say the optimized field arithmetic includes
+the following functions:
+
+	mp_err ec_GF2m_nistk163_add(const mp_int *a, const mp_int *b,
+		mp_int *r, const GFMethod *meth);
+	mp_err ec_GF2m_nistk163_mul(const mp_int *a, const mp_int *b,
+		mp_int *r, const GFMethod *meth);
+	mp_err ec_GF2m_nistk163_sqr(const mp_int *a, const mp_int *b,
+		mp_int *r, const GFMethod *meth);
+	mp_err ec_GF2m_nistk163_div(const mp_int *a, const mp_int *b,
+		mp_int *r, const GFMethod *meth);
+
+First, the optimized field arithmetic could simply be called directly
+by the ..._pt_mul function. This would be accomplished by changing
+the ecgroup_fromNameAndHex function in ecl.c to include the following
+statements:
+
+	if (name == ECCurve_NIST_K163) {
+		group = ECGroup_consGF2m(&irr, NULL, &curvea, &curveb, &genx,
+			&geny, &order, params->cofactor);
+		if (group == NULL) { res = MP_UNDEF; goto CLEANUP; }
+		MP_CHECKOK( ec_group_set_nistk163(group) );
+	}
+
+and including in ec2_k163.c the following function:
+
+	mp_err ec_group_set_nistk163(ECGroup *group) {
+		group->point_mul = &ec_GF2m_nistk163_pt_mul;
+		return MP_OKAY;
+	}
+
+As a result, ec_GF2m_pt_add and similar functions would use the
+basic binary polynomial field arithmetic ec_GF2m_add, ec_GF2m_mul,
+ec_GF2m_sqr, and ec_GF2m_div.
+
+Alternatively, the optimized field arithmetic could be wired into the
+group's GFMethod. This would be accomplished by putting the following
+function in ec2_k163.c:
+
+	mp_err ec_group_set_nistk163(ECGroup *group) {
+		group->meth->field_add = &ec_GF2m_nistk163_add;
+		group->meth->field_mul = &ec_GF2m_nistk163_mul;
+		group->meth->field_sqr = &ec_GF2m_nistk163_sqr;
+		group->meth->field_div = &ec_GF2m_nistk163_div;
+		group->point_mul = &ec_GF2m_nistk163_pt_mul;
+		return MP_OKAY;
+	}
+
+For an example of functions that use special field encodings, take a
+look at ecp_mont.c.
new file mode 100644
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/tests/ec_naft.c
@@ -0,0 +1,121 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "mpi.h"
+#include "mplogic.h"
+#include "ecl.h"
+#include "ecp.h"
+#include "ecl-priv.h"
+
+#include <sys/types.h>
+#include <stdio.h>
+#include <time.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+
+/* Returns 2^e as an integer. This is meant to be used for small powers of
+ * two. */
+int ec_twoTo(int e);
+
+/* Number of bits of scalar to test */
+#define BITSIZE 160
+
+/* Time k repetitions of operation op. */
+#define M_TimeOperation(op, k)                                                        \
+    {                                                                                 \
+        double dStart, dNow, dUserTime;                                               \
+        struct rusage ru;                                                             \
+        int i;                                                                        \
+        getrusage(RUSAGE_SELF, &ru);                                                  \
+        dStart = (double)ru.ru_utime.tv_sec + (double)ru.ru_utime.tv_usec * 0.000001; \
+        for (i = 0; i < k; i++) {                                                     \
+            {                                                                         \
+                op;                                                                   \
+            }                                                                         \
+        };                                                                            \
+        getrusage(RUSAGE_SELF, &ru);                                                  \
+        dNow = (double)ru.ru_utime.tv_sec + (double)ru.ru_utime.tv_usec * 0.000001;   \
+        dUserTime = dNow - dStart;                                                    \
+        if (dUserTime)                                                                \
+            printf("    %-45s\n      k: %6i, t: %6.2f sec\n", #op, k, dUserTime);     \
+    }
+
+/* Tests wNAF computation. Non-adjacent-form is discussed in the paper: D.
+ * Hankerson, J. Hernandez and A. Menezes, "Software implementation of
+ * elliptic curve cryptography over binary fields", Proc. CHES 2000. */
+
+mp_err
+main(void)
+{
+    signed char naf[BITSIZE + 1];
+    ECGroup *group = NULL;
+    mp_int k;
+    mp_int *scalar;
+    int i, count;
+    int res;
+    int w = 5;
+    char s[1000];
+
+    /* Get a 160 bit scalar to compute wNAF from */
+    group = ECGroup_fromName(ECCurve_SECG_PRIME_160R1);
+    scalar = &group->genx;
+
+    /* Compute wNAF representation of scalar */
+    ec_compute_wNAF(naf, BITSIZE, scalar, w);
+
+    /* Verify correctness of representation */
+    mp_init(&k); /* init k to 0 */
+
+    for (i = BITSIZE; i >= 0; i--) {
+        mp_add(&k, &k, &k);
+        /* digits in mp_???_d are unsigned */
+        if (naf[i] >= 0) {
+            mp_add_d(&k, naf[i], &k);
+        } else {
+            mp_sub_d(&k, -naf[i], &k);
+        }
+    }
+
+    if (mp_cmp(&k, scalar) != 0) {
+        printf("Error:  incorrect NAF value.\n");
+        MP_CHECKOK(mp_toradix(&k, s, 16));
+        printf("NAF value   %s\n", s);
+        MP_CHECKOK(mp_toradix(scalar, s, 16));
+        printf("original value   %s\n", s);
+        goto CLEANUP;
+    }
+
+    /* Verify digits of representation are valid */
+    for (i = 0; i <= BITSIZE; i++) {
+        if (naf[i] % 2 == 0 && naf[i] != 0) {
+            printf("Error:  Even non-zero digit found.\n");
+            goto CLEANUP;
+        }
+        if (naf[i] < -(ec_twoTo(w - 1)) || naf[i] >= ec_twoTo(w - 1)) {
+            printf("Error:  Magnitude of naf digit too large.\n");
+            goto CLEANUP;
+        }
+    }
+
+    /* Verify sparsity of representation */
+    count = w - 1;
+    for (i = 0; i <= BITSIZE; i++) {
+        if (naf[i] != 0) {
+            if (count < w - 1) {
+                printf("Error:  Sparsity failed.\n");
+                goto CLEANUP;
+            }
+            count = 0;
+        } else
+            count++;
+    }
+
+    /* Check timing */
+    M_TimeOperation(ec_compute_wNAF(naf, BITSIZE, scalar, w), 10000);
+
+    printf("Test passed.\n");
+CLEANUP:
+    ECGroup_free(group);
+    return MP_OKAY;
+}
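Review bot: This test cannot fail from the harness's point of view, because every path, including the three `Error:` branches, reaches `return MP_OKAY;`. `res` is declared but never set by the test's own checks. Initialise it with `int res = MP_OKAY;`, set `res = MP_NO;` before each `goto CLEANUP`, and end with `return res;`. `ECGroup_fromName` is also used unchecked, so `scalar = &group->genx;` dereferences NULL if the curve cannot be constructed; add `if (group == NULL) return MP_NO;` before it. `k` is initialised with `mp_init` and never released, so `mp_clear(&k);` belongs under `CLEANUP:`.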
new file mode 100644
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/tests/ecp_test.c
@@ -0,0 +1,409 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "mpi.h"
+#include "mplogic.h"
+#include "mpprime.h"
+#include "ecl.h"
+#include "ecl-curve.h"
+#include "ecp.h"
+#include <stdio.h>
+#include <strings.h>
+#include <assert.h>
+
+#include <time.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+
+/* Time k repetitions of operation op. */
+#define M_TimeOperation(op, k)                                                        \
+    {                                                                                 \
+        double dStart, dNow, dUserTime;                                               \
+        struct rusage ru;                                                             \
+        int i;                                                                        \
+        getrusage(RUSAGE_SELF, &ru);                                                  \
+        dStart = (double)ru.ru_utime.tv_sec + (double)ru.ru_utime.tv_usec * 0.000001; \
+        for (i = 0; i < k; i++) {                                                     \
+            {                                                                         \
+                op;                                                                   \
+            }                                                                         \
+        };                                                                            \
+        getrusage(RUSAGE_SELF, &ru);                                                  \
+        dNow = (double)ru.ru_utime.tv_sec + (double)ru.ru_utime.tv_usec * 0.000001;   \
+        dUserTime = dNow - dStart;                                                    \
+        if (dUserTime)                                                                \
+            printf("    %-45s k: %6i, t: %6.2f sec\n", #op, k, dUserTime);            \
+    }
+
+/* Test curve using generic field arithmetic. */
+#define ECTEST_GENERIC_GFP(name_c, name)                             \
+    printf("Testing %s using generic implementation...\n", name_c);  \
+    params = EC_GetNamedCurveParams(name);                           \
+    if (params == NULL) {                                            \
+        printf("  Error: could not construct params.\n");            \
+        res = MP_NO;                                                 \
+        goto CLEANUP;                                                \
+    }                                                                \
+    ECGroup_free(group);                                             \
+    group = ECGroup_fromHex(params);                                 \
+    if (group == NULL) {                                             \
+        printf("  Error: could not construct group.\n");             \
+        res = MP_NO;                                                 \
+        goto CLEANUP;                                                \
+    }                                                                \
+    MP_CHECKOK(ectest_curve_GFp(group, ectestPrint, ectestTime, 1)); \
+    printf("... okay.\n");
+
+/* Test curve using specific field arithmetic. */
+#define ECTEST_NAMED_GFP(name_c, name)                                   \
+    printf("Testing %s using specific implementation...\n", name_c);     \
+    ECGroup_free(group);                                                 \
+    group = ECGroup_fromName(name);                                      \
+    if (group == NULL) {                                                 \
+        printf("  Warning: could not construct group.\n");               \
+        printf("... failed; continuing with remaining tests.\n");        \
+    } else {                                                             \
+        MP_CHECKOK(ectest_curve_GFp(group, ectestPrint, ectestTime, 0)); \
+        printf("... okay.\n");                                           \
+    }
+
+/* Performs basic tests of elliptic curve cryptography over prime fields.
+ * If tests fail, then it prints an error message, aborts, and returns an
+ * error code. Otherwise, returns 0. */
+int
+ectest_curve_GFp(ECGroup *group, int ectestPrint, int ectestTime,
+                 int generic)
+{
+
+    mp_int one, order_1, gx, gy, rx, ry, n;
+    int size;
+    mp_err res;
+    char s[1000];
+
+    /* initialize values */
+    MP_CHECKOK(mp_init(&one));
+    MP_CHECKOK(mp_init(&order_1));
+    MP_CHECKOK(mp_init(&gx));
+    MP_CHECKOK(mp_init(&gy));
+    MP_CHECKOK(mp_init(&rx));
+    MP_CHECKOK(mp_init(&ry));
+    MP_CHECKOK(mp_init(&n));
+
+    MP_CHECKOK(mp_set_int(&one, 1));
+    MP_CHECKOK(mp_sub(&group->order, &one, &order_1));
+
+    /* encode base point */
+    if (group->meth->field_dec) {
+        MP_CHECKOK(group->meth->field_dec(&group->genx, &gx, group->meth));
+        MP_CHECKOK(group->meth->field_dec(&group->geny, &gy, group->meth));
+    } else {
+        MP_CHECKOK(mp_copy(&group->genx, &gx));
+        MP_CHECKOK(mp_copy(&group->geny, &gy));
+    }
+    if (ectestPrint) {
+        /* output base point */
+        printf("  base point P:\n");
+        MP_CHECKOK(mp_toradix(&gx, s, 16));
+        printf("    %s\n", s);
+        MP_CHECKOK(mp_toradix(&gy, s, 16));
+        printf("    %s\n", s);
+        if (group->meth->field_enc) {
+            printf("  base point P (encoded):\n");
+            MP_CHECKOK(mp_toradix(&group->genx, s, 16));
+            printf("    %s\n", s);
+            MP_CHECKOK(mp_toradix(&group->geny, s, 16));
+            printf("    %s\n", s);
+        }
+    }
+
+#ifdef ECL_ENABLE_GFP_PT_MUL_AFF
+    /* multiply base point by order - 1 and check for negative of base
+     * point */
+    MP_CHECKOK(ec_GFp_pt_mul_aff(&order_1, &group->genx, &group->geny, &rx, &ry, group));
+    if (ectestPrint) {
+        printf("  (order-1)*P (affine):\n");
+        MP_CHECKOK(mp_toradix(&rx, s, 16));
+        printf("    %s\n", s);
+        MP_CHECKOK(mp_toradix(&ry, s, 16));
+        printf("    %s\n", s);
+    }
+    MP_CHECKOK(group->meth->field_neg(&ry, &ry, group->meth));
+    if ((mp_cmp(&rx, &group->genx) != 0) || (mp_cmp(&ry, &group->geny) != 0)) {
+        printf("  Error: invalid result (expected (- base point)).\n");
+        res = MP_NO;
+        goto CLEANUP;
+    }
+#endif
+
+#ifdef ECL_ENABLE_GFP_PT_MUL_AFF
+    /* multiply base point by order - 1 and check for negative of base
+     * point */
+    MP_CHECKOK(ec_GFp_pt_mul_jac(&order_1, &group->genx, &group->geny, &rx, &ry, group));
+    if (ectestPrint) {
+        printf("  (order-1)*P (jacobian):\n");
+        MP_CHECKOK(mp_toradix(&rx, s, 16));
+        printf("    %s\n", s);
+        MP_CHECKOK(mp_toradix(&ry, s, 16));
+        printf("    %s\n", s);
+    }
+    MP_CHECKOK(group->meth->field_neg(&ry, &ry, group->meth));
+    if ((mp_cmp(&rx, &group->genx) != 0) || (mp_cmp(&ry, &group->geny) != 0)) {
+        printf("  Error: invalid result (expected (- base point)).\n");
+        res = MP_NO;
+        goto CLEANUP;
+    }
+#endif
+
+    /* multiply base point by order - 1 and check for negative of base
+     * point */
+    MP_CHECKOK(ECPoint_mul(group, &order_1, NULL, NULL, &rx, &ry));
+    if (ectestPrint) {
+        printf("  (order-1)*P (ECPoint_mul):\n");
+        MP_CHECKOK(mp_toradix(&rx, s, 16));
+        printf("    %s\n", s);
+        MP_CHECKOK(mp_toradix(&ry, s, 16));
+        printf("    %s\n", s);
+    }
+    MP_CHECKOK(mp_submod(&group->meth->irr, &ry, &group->meth->irr, &ry));
+    if ((mp_cmp(&rx, &gx) != 0) || (mp_cmp(&ry, &gy) != 0)) {
+        printf("  Error: invalid result (expected (- base point)).\n");
+        res = MP_NO;
+        goto CLEANUP;
+    }
+
+    /* multiply base point by order - 1 and check for negative of base
+     * point */
+    MP_CHECKOK(ECPoint_mul(group, &order_1, &gx, &gy, &rx, &ry));
+    if (ectestPrint) {
+        printf("  (order-1)*P (ECPoint_mul):\n");
+        MP_CHECKOK(mp_toradix(&rx, s, 16));
+        printf("    %s\n", s);
+        MP_CHECKOK(mp_toradix(&ry, s, 16));
+        printf("    %s\n", s);
+    }
+    MP_CHECKOK(mp_submod(&group->meth->irr, &ry, &group->meth->irr, &ry));
+    if ((mp_cmp(&rx, &gx) != 0) || (mp_cmp(&ry, &gy) != 0)) {
+        printf("  Error: invalid result (expected (- base point)).\n");
+        res = MP_NO;
+        goto CLEANUP;
+    }
+
+#ifdef ECL_ENABLE_GFP_PT_MUL_AFF
+    /* multiply base point by order and check for point at infinity */
+    MP_CHECKOK(ec_GFp_pt_mul_aff(&group->order, &group->genx, &group->geny, &rx, &ry,
+                                 group));
+    if (ectestPrint) {
+        printf("  (order)*P (affine):\n");
+        MP_CHECKOK(mp_toradix(&rx, s, 16));
+        printf("    %s\n", s);
+        MP_CHECKOK(mp_toradix(&ry, s, 16));
+        printf("    %s\n", s);
+    }
+    if (ec_GFp_pt_is_inf_aff(&rx, &ry) != MP_YES) {
+        printf("  Error: invalid result (expected point at infinity).\n");
+        res = MP_NO;
+        goto CLEANUP;
+    }
+#endif
+
+#ifdef ECL_ENABLE_GFP_PT_MUL_JAC
+    /* multiply base point by order and check for point at infinity */
+    MP_CHECKOK(ec_GFp_pt_mul_jac(&group->order, &group->genx, &group->geny, &rx, &ry,
+                                 group));
+    if (ectestPrint) {
+        printf("  (order)*P (jacobian):\n");
+        MP_CHECKOK(mp_toradix(&rx, s, 16));
+        printf("    %s\n", s);
+        MP_CHECKOK(mp_toradix(&ry, s, 16));
+        printf("    %s\n", s);
+    }
+    if (ec_GFp_pt_is_inf_aff(&rx, &ry) != MP_YES) {
+        printf("  Error: invalid result (expected point at infinity).\n");
+        res = MP_NO;
+        goto CLEANUP;
+    }
+#endif
+
+    /* multiply base point by order and check for point at infinity */
+    MP_CHECKOK(ECPoint_mul(group, &group->order, NULL, NULL, &rx, &ry));
+    if (ectestPrint) {
+        printf("  (order)*P (ECPoint_mul):\n");
+        MP_CHECKOK(mp_toradix(&rx, s, 16));
+        printf("    %s\n", s);
+        MP_CHECKOK(mp_toradix(&ry, s, 16));
+        printf("    %s\n", s);
+    }
+    if (ec_GFp_pt_is_inf_aff(&rx, &ry) != MP_YES) {
+        printf("  Error: invalid result (expected point at infinity).\n");
+        res = MP_NO;
+        goto CLEANUP;
+    }
+
+    /* multiply base point by order and check for point at infinity */
+    MP_CHECKOK(ECPoint_mul(group, &group->order, &gx, &gy, &rx, &ry));
+    if (ectestPrint) {
+        printf("  (order)*P (ECPoint_mul):\n");
+        MP_CHECKOK(mp_toradix(&rx, s, 16));
+        printf("    %s\n", s);
+        MP_CHECKOK(mp_toradix(&ry, s, 16));
+        printf("    %s\n", s);
+    }
+    if (ec_GFp_pt_is_inf_aff(&rx, &ry) != MP_YES) {
+        printf("  Error: invalid result (expected point at infinity).\n");
+        res = MP_NO;
+        goto CLEANUP;
+    }
+
+    /* check that (order-1)P + (order-1)P + P == (order-1)P */
+    MP_CHECKOK(ECPoints_mul(group, &order_1, &order_1, &gx, &gy, &rx, &ry));
+    MP_CHECKOK(ECPoints_mul(group, &one, &one, &rx, &ry, &rx, &ry));
+    if (ectestPrint) {
+        printf("  (order-1)*P + (order-1)*P + P == (order-1)*P (ECPoints_mul):\n");
+        MP_CHECKOK(mp_toradix(&rx, s, 16));
+        printf("    %s\n", s);
+        MP_CHECKOK(mp_toradix(&ry, s, 16));
+        printf("    %s\n", s);
+    }
+    MP_CHECKOK(mp_submod(&group->meth->irr, &ry, &group->meth->irr, &ry));
+    if ((mp_cmp(&rx, &gx) != 0) || (mp_cmp(&ry, &gy) != 0)) {
+        printf("  Error: invalid result (expected (- base point)).\n");
+        res = MP_NO;
+        goto CLEANUP;
+    }
+
+    /* test validate_point function */
+    if (ECPoint_validate(group, &gx, &gy) != MP_YES) {
+        printf("  Error: validate point on base point failed.\n");
+        res = MP_NO;
+        goto CLEANUP;
+    }
+    MP_CHECKOK(mp_add_d(&gy, 1, &ry));
+    if (ECPoint_validate(group, &gx, &ry) != MP_NO) {
+        printf("  Error: validate point on invalid point passed.\n");
+        res = MP_NO;
+        goto CLEANUP;
+    }
+
+    if (ectestTime) {
+        /* compute random scalar */
+        size = mpl_significant_bits(&group->meth->irr);
+        if (size < MP_OKAY) {
+            goto CLEANUP;
+        }
+        MP_CHECKOK(mpp_random_size(&n, (size + ECL_BITS - 1) / ECL_BITS));
+        MP_CHECKOK(group->meth->field_mod(&n, &n, group->meth));
+        /* timed test */
+        if (generic) {
+#ifdef ECL_ENABLE_GFP_PT_MUL_AFF
+            M_TimeOperation(MP_CHECKOK(ec_GFp_pt_mul_aff(&n, &group->genx, &group->geny, &rx, &ry,
+                                                         group)),
+                            100);
+#endif
+            M_TimeOperation(MP_CHECKOK(ECPoint_mul(group, &n, NULL, NULL, &rx, &ry)),
+                            100);
+            M_TimeOperation(MP_CHECKOK(ECPoints_mul(group, &n, &n, &gx, &gy, &rx, &ry)), 100);
+        } else {
+            M_TimeOperation(MP_CHECKOK(ECPoint_mul(group, &n, NULL, NULL, &rx, &ry)),
+                            100);
+            M_TimeOperation(MP_CHECKOK(ECPoint_mul(group, &n, &gx, &gy, &rx, &ry)),
+                            100);
+            M_TimeOperation(MP_CHECKOK(ECPoints_mul(group, &n, &n, &gx, &gy, &rx, &ry)), 100);
+        }
+    }
+
+CLEANUP:
+    mp_clear(&one);
+    mp_clear(&order_1);
+    mp_clear(&gx);
+    mp_clear(&gy);
+    mp_clear(&rx);
+    mp_clear(&ry);
+    mp_clear(&n);
+    if (res != MP_OKAY) {
+        printf("  Error: exiting with error value %i\n", res);
+    }
+    return res;
+}
+
+/* Prints help information. */
+void
+printUsage()
+{
+    printf("Usage: ecp_test [--print] [--time]\n");
+    printf("    --print     Print out results of each point arithmetic test.\n");
+    printf("    --time      Benchmark point operations and print results.\n");
+}
+
+/* Performs tests of elliptic curve cryptography over prime fields If
+ * tests fail, then it prints an error message, aborts, and returns an
+ * error code. Otherwise, returns 0. */
+int
+main(int argv, char **argc)
+{
+
+    int ectestTime = 0;
+    int ectestPrint = 0;
+    int i;
+    ECGroup *group = NULL;
+    ECCurveParams *params = NULL;
+    mp_err res;
+
+    /* read command-line arguments */
+    for (i = 1; i < argv; i++) {
+        if ((strcasecmp(argc[i], "time") == 0) || (strcasecmp(argc[i], "-time") == 0) || (strcasecmp(argc[i], "--time") == 0)) {
+            ectestTime = 1;
+        } else if ((strcasecmp(argc[i], "print") == 0) || (strcasecmp(argc[i], "-print") == 0) || (strcasecmp(argc[i], "--print") == 0)) {
+            ectestPrint = 1;
+        } else {
+            printUsage();
+            return 0;
+        }
+    }
+
+    /* generic arithmetic tests */
+    ECTEST_GENERIC_GFP("SECP-160R1", ECCurve_SECG_PRIME_160R1);
+
+    /* specific arithmetic tests */
+    ECTEST_NAMED_GFP("NIST-P192", ECCurve_NIST_P192);
+    ECTEST_NAMED_GFP("NIST-P224", ECCurve_NIST_P224);
+    ECTEST_NAMED_GFP("NIST-P256", ECCurve_NIST_P256);
+    ECTEST_NAMED_GFP("NIST-P384", ECCurve_NIST_P384);
+    ECTEST_NAMED_GFP("NIST-P521", ECCurve_NIST_P521);
+    ECTEST_NAMED_GFP("ANSI X9.62 PRIME192v1", ECCurve_X9_62_PRIME_192V1);
+    ECTEST_NAMED_GFP("ANSI X9.62 PRIME192v2", ECCurve_X9_62_PRIME_192V2);
+    ECTEST_NAMED_GFP("ANSI X9.62 PRIME192v3", ECCurve_X9_62_PRIME_192V3);
+    ECTEST_NAMED_GFP("ANSI X9.62 PRIME239v1", ECCurve_X9_62_PRIME_239V1);
+    ECTEST_NAMED_GFP("ANSI X9.62 PRIME239v2", ECCurve_X9_62_PRIME_239V2);
+    ECTEST_NAMED_GFP("ANSI X9.62 PRIME239v3", ECCurve_X9_62_PRIME_239V3);
+    ECTEST_NAMED_GFP("ANSI X9.62 PRIME256v1", ECCurve_X9_62_PRIME_256V1);
+    ECTEST_NAMED_GFP("SECP-112R1", ECCurve_SECG_PRIME_112R1);
+    ECTEST_NAMED_GFP("SECP-112R2", ECCurve_SECG_PRIME_112R2);
+    ECTEST_NAMED_GFP("SECP-128R1", ECCurve_SECG_PRIME_128R1);
+    ECTEST_NAMED_GFP("SECP-128R2", ECCurve_SECG_PRIME_128R2);
+    ECTEST_NAMED_GFP("SECP-160K1", ECCurve_SECG_PRIME_160K1);
+    ECTEST_NAMED_GFP("SECP-160R1", ECCurve_SECG_PRIME_160R1);
+    ECTEST_NAMED_GFP("SECP-160R2", ECCurve_SECG_PRIME_160R2);
+    ECTEST_NAMED_GFP("SECP-192K1", ECCurve_SECG_PRIME_192K1);
+    ECTEST_NAMED_GFP("SECP-192R1", ECCurve_SECG_PRIME_192R1);
+    ECTEST_NAMED_GFP("SECP-224K1", ECCurve_SECG_PRIME_224K1);
+    ECTEST_NAMED_GFP("SECP-224R1", ECCurve_SECG_PRIME_224R1);
+    ECTEST_NAMED_GFP("SECP-256K1", ECCurve_SECG_PRIME_256K1);
+    ECTEST_NAMED_GFP("SECP-256R1", ECCurve_SECG_PRIME_256R1);
+    ECTEST_NAMED_GFP("SECP-384R1", ECCurve_SECG_PRIME_384R1);
+    ECTEST_NAMED_GFP("SECP-521R1", ECCurve_SECG_PRIME_521R1);
+    ECTEST_NAMED_GFP("WTLS-6 (112)", ECCurve_WTLS_6);
+    ECTEST_NAMED_GFP("WTLS-7 (160)", ECCurve_WTLS_7);
+    ECTEST_NAMED_GFP("WTLS-8 (112)", ECCurve_WTLS_8);
+    ECTEST_NAMED_GFP("WTLS-9 (160)", ECCurve_WTLS_9);
+    ECTEST_NAMED_GFP("WTLS-12 (224)", ECCurve_WTLS_12);
+    ECTEST_NAMED_GFP("Curve25519", ECCurve25519);
+
+CLEANUP:
+    EC_FreeCurveParams(params);
+    ECGroup_free(group);
+    if (res != MP_OKAY) {
+        printf("Error: exiting with error value %i\n", res);
+    }
+    return res;
+}
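Review bot: In `ectest_curve_GFp` the second `(order-1)*P` block calls `ec_GFp_pt_mul_jac` but is guarded by `#ifdef ECL_ENABLE_GFP_PT_MUL_AFF`. The matching `(order)*P` Jacobian block further down uses `ECL_ENABLE_GFP_PT_MUL_JAC`, so the first guard looks like a copy-paste slip and should read `#ifdef ECL_ENABLE_GFP_PT_MUL_JAC`. As written, the Jacobian negation check is built or skipped according to the affine switch. In the timing section, `if (size < MP_OKAY) goto CLEANUP;` leaves `res` at its previous success value, so that failure is reported as a pass; set `res = MP_NO;` first. In `main`, the parameters are declared as `int argv, char **argc`, with the conventional names swapped, which is worth correcting for readability.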
--- a/security/nss/lib/freebl/freebl.gyp
+++ b/security/nss/lib/freebl/freebl.gyp
@@ -99,20 +99,16 @@
             'stubs.c',
           ],
           'conditions': [
             [ 'test_build==1', {
               'dependencies': [
                 '<(DEPTH)/lib/util/util.gyp:nssutil3',
               ],
             }],
-          ]
-        }],
-        [ 'OS=="linux" or OS=="android"', {
-          'conditions': [
             [ 'target_arch=="x64"', {
               'sources': [
                 'arcfour-amd64-gas.s',
                 'intel-aes.s',
                 'intel-gcm.s',
                 'mpi/mpi_amd64.c',
                 'mpi/mpi_amd64_gas.s',
                 'mpi/mp_comba.c',
@@ -141,17 +137,17 @@
             }],
             [ 'target_arch=="arm"', {
               'sources': [
                 'mpi/mpi_arm.c',
               ],
             }],
           ],
         }, {
-          # not Linux or Android
+          # not Linux
           'conditions': [
             [ 'moz_fold_libs==0', {
               'dependencies': [
                 '../util/util.gyp:nssutil3',
               ],
             }, {
               'libraries': [
                 '<(moz_folded_library_name)',
@@ -228,17 +224,17 @@
         [ 'fuzz==1', {
           'sources': [
             'det_rng.c',
           ],
           'defines': [
             'UNSAFE_FUZZER_MODE',
           ],
         }],
-        [ 'ct_verif==1', {
+        [ 'test_build==1', {
           'defines': [
             'CT_VERIF',
           ],
         }],
         [ 'OS=="mac"', {
           'conditions': [
             [ 'target_arch=="ia32"', {
               'sources': [
@@ -373,20 +369,16 @@
           'FREEBL_LOWHASH',
         ],
         'conditions': [
           [ 'test_build==0', {
             'defines': [
               'FREEBL_NO_DEPEND',
             ],
           }],
-        ],
-      }],
-      [ 'OS=="linux" or OS=="android"', {
-        'conditions': [
           [ 'target_arch=="x64"', {
             'defines': [
               'MP_IS_LITTLE_ENDIAN',
               'NSS_BEVAND_ARCFOUR',
               'MPI_AMD64',
               'MP_ASSEMBLY_MULTIPLY',
               'NSS_USE_COMBA',
             ],
@@ -409,17 +401,17 @@
           [ 'target_arch=="arm"', {
             'defines': [
               'MP_ASSEMBLY_MULTIPLY',
               'MP_ASSEMBLY_SQUARE',
               'MP_USE_UINT_DIGIT',
               'SHA_NO_LONG_LONG',
             ],
           }],
-          [ 'target_arch=="arm64" or target_arch=="aarch64"', {
+          [ 'target_arch=="arm64"', {
             'defines': [
               'NSS_USE_64',
             ],
           }],
         ],
       }],
     ],
   },
new file mode 100644
--- /dev/null
+++ b/security/nss/lib/freebl/os2_rand.c
@@ -0,0 +1,334 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#define INCL_DOS
+#define INCL_DOSERRORS
+#include <os2.h>
+#include "secrng.h"
+#include "prerror.h"
+#include <stdlib.h>
+#include <time.h>
+#include <stdio.h>
+#include <sys/stat.h>
+
+static BOOL
+clockTickTime(unsigned long *phigh, unsigned long *plow)
+{
+    APIRET rc = NO_ERROR;
+    QWORD qword = { 0, 0 };
+
+    rc = DosTmrQueryTime(&qword);
+    if (rc != NO_ERROR)
+        return FALSE;
+
+    *phigh = qword.ulHi;
+    *plow = qword.ulLo;
+
+    return TRUE;
+}
+
+size_t
+RNG_GetNoise(void *buf, size_t maxbuf)
+{
+    unsigned long high = 0;
+    unsigned long low = 0;
+    clock_t val = 0;
+    int n = 0;
+    int nBytes = 0;
+    time_t sTime;
+
+    if (maxbuf <= 0)
+        return 0;
+
+    clockTickTime(&high, &low);
+
+    /* get the maximally changing bits first */
+    nBytes = sizeof(low) > maxbuf ? maxbuf : sizeof(low);
+    memcpy(buf, &low, nBytes);
+    n += nBytes;
+    maxbuf -= nBytes;
+
+    if (maxbuf <= 0)
+        return n;
+
+    nBytes = sizeof(high) > maxbuf ? maxbuf : sizeof(high);
+    memcpy(((char *)buf) + n, &high, nBytes);
+    n += nBytes;
+    maxbuf -= nBytes;
+
+    if (maxbuf <= 0)
+        return n;
+
+    /* get the number of milliseconds that have elapsed since application started */
+    val = clock();
+
+    nBytes = sizeof(val) > maxbuf ? maxbuf : sizeof(val);
+    memcpy(((char *)buf) + n, &val, nBytes);
+    n += nBytes;
+    maxbuf -= nBytes;
+
+    if (maxbuf <= 0)
+        return n;
+
+    /* get the time in seconds since midnight Jan 1, 1970 */
+    time(&sTime);
+    nBytes = sizeof(sTime) > maxbuf ? maxbuf : sizeof(sTime);
+    memcpy(((char *)buf) + n, &sTime, nBytes);
+    n += nBytes;
+
+    return n;
+}
+
+static BOOL
+EnumSystemFiles(void (*func)(const char *))
+{
+    APIRET rc;
+    ULONG sysInfo = 0;
+    char bootLetter[2];
+    char sysDir[_MAX_PATH] = "";
+    char filename[_MAX_PATH];
+    HDIR hdir = HDIR_CREATE;
+    ULONG numFiles = 1;
+    FILEFINDBUF3 fileBuf = { 0 };
+    ULONG buflen = sizeof(FILEFINDBUF3);
+
+    if (DosQuerySysInfo(QSV_BOOT_DRIVE, QSV_BOOT_DRIVE, (PVOID)&sysInfo,
+                        sizeof(ULONG)) == NO_ERROR) {
+        bootLetter[0] = sysInfo + 'A' - 1;
+        bootLetter[1] = '\0';
+        strcpy(sysDir, bootLetter);
+        strcpy(sysDir + 1, ":\\OS2\\");
+
+        strcpy(filename, sysDir);
+        strcat(filename, "*.*");
+    }
+
+    rc = DosFindFirst(filename, &hdir, FILE_NORMAL, &fileBuf, buflen,
+                      &numFiles, FIL_STANDARD);
+    if (rc == NO_ERROR) {
+        do {
+            // pass the full pathname to the callback
+            sprintf(filename, "%s%s", sysDir, fileBuf.achName);
+            (*func)(filename);
+
+            numFiles = 1;
+            rc = DosFindNext(hdir, &fileBuf, buflen, &numFiles);
+            if (rc != NO_ERROR && rc != ERROR_NO_MORE_FILES)
+                printf("DosFindNext errod code = %d\n", rc);
+        } while (rc == NO_ERROR);
+
+        rc = DosFindClose(hdir);
+        if (rc != NO_ERROR)
+            printf("DosFindClose error code = %d", rc);
+    } else
+        printf("DosFindFirst error code = %d", rc);
+
+    return TRUE;
+}
+
+static int dwNumFiles, dwReadEvery, dwFileToRead = 0;
+
+static void
+CountFiles(const char *file)
+{
+    dwNumFiles++;
+}
+
+static void
+ReadFiles(const char *file)
+{
+    if ((dwNumFiles % dwReadEvery) == 0)
+        RNG_FileForRNG(file);
+
+    dwNumFiles++;
+}
+
+static void
+ReadSingleFile(const char *filename)
+{
+    unsigned char buffer[1024];
+    FILE *file;
+
+    file = fopen((char *)filename, "rb");
+    if (file != NULL) {
+        while (fread(buffer, 1, sizeof(buffer), file) > 0)
+            ;
+        fclose(file);
+    }
+}
+
+static void
+ReadOneFile(const char *file)
+{
+    if (dwNumFiles == dwFileToRead) {
+        ReadSingleFile(file);
+    }
+
+    dwNumFiles++;
+}
+
+static void
+ReadSystemFiles(void)
+{
+    // first count the number of files
+    dwNumFiles = 0;
+    if (!EnumSystemFiles(CountFiles))
+        return;
+
+    RNG_RandomUpdate(&dwNumFiles, sizeof(dwNumFiles));
+
+    // now read 10 files
+    if (dwNumFiles == 0)
+        return;
+
+    dwReadEvery = dwNumFiles / 10;
+    if (dwReadEvery == 0)
+        dwReadEvery = 1; // less than 10 files
+
+    dwNumFiles = 0;
+    EnumSystemFiles(ReadFiles);
+}
+
+void
+RNG_SystemInfoForRNG(void)
+{
+    unsigned long *plong = 0;
+    PTIB ptib;
+    PPIB ppib;
+    APIRET rc = NO_ERROR;
+    DATETIME dt;
+    COUNTRYCODE cc = { 0 };
+    COUNTRYINFO ci = { 0 };
+    unsigned long actual = 0;
+    char path[_MAX_PATH] = "";
+    char fullpath[_MAX_PATH] = "";
+    unsigned long pathlength = sizeof(path);
+    FSALLOCATE fsallocate;
+    FILESTATUS3 fstatus;
+    unsigned long defaultdrive = 0;
+    unsigned long logicaldrives = 0;
+    unsigned long sysInfo[QSV_MAX] = { 0 };
+    char buffer[20];
+    int nBytes = 0;
+
+    nBytes = RNG_GetNoise(buffer, sizeof(buffer));
+    RNG_RandomUpdate(buffer, nBytes);
+
+    /* allocate memory and use address and memory */
+    plong = (unsigned long *)malloc(sizeof(*plong));
+    RNG_RandomUpdate(&plong, sizeof(plong));
+    RNG_RandomUpdate(plong, sizeof(*plong));
+    free(plong);
+
+    /* process info */
+    rc = DosGetInfoBlocks(&ptib, &ppib);
+    if (rc == NO_ERROR) {
+        RNG_RandomUpdate(ptib, sizeof(*ptib));
+        RNG_RandomUpdate(ppib, sizeof(*ppib));
+    }
+
+    /* time */
+    rc = DosGetDateTime(&dt);
+    if (rc == NO_ERROR) {
+        RNG_RandomUpdate(&dt, sizeof(dt));
+    }
+
+    /* country */
+    rc = DosQueryCtryInfo(sizeof(ci), &cc, &ci, &actual);
+    if (rc == NO_ERROR) {
+        RNG_RandomUpdate(&cc, sizeof(cc));
+        RNG_RandomUpdate(&ci, sizeof(ci));
+        RNG_RandomUpdate(&actual, sizeof(actual));
+    }
+
+    /* current directory */
+    rc = DosQueryCurrentDir(0, path, &pathlength);
+    strcat(fullpath, "\\");
+    strcat(fullpath, path);
+    if (rc == NO_ERROR) {
+        RNG_RandomUpdate(fullpath, strlen(fullpath));
+        // path info
+        rc = DosQueryPathInfo(fullpath, FIL_STANDARD, &fstatus, sizeof(fstatus));
+        if (rc == NO_ERROR) {
+            RNG_RandomUpdate(&fstatus, sizeof(fstatus));
+        }
+    }
+
+    /* file system info */
+    rc = DosQueryFSInfo(0, FSIL_ALLOC, &fsallocate, sizeof(fsallocate));
+    if (rc == NO_ERROR) {
+        RNG_RandomUpdate(&fsallocate, sizeof(fsallocate));
+    }
+
+    /* drive info */
+    rc = DosQueryCurrentDisk(&defaultdrive, &logicaldrives);
+    if (rc == NO_ERROR) {
+        RNG_RandomUpdate(&defaultdrive, sizeof(defaultdrive));
+        RNG_RandomUpdate(&logicaldrives, sizeof(logicaldrives));
+    }
+
+    /* system info */
+    rc = DosQuerySysInfo(1L, QSV_MAX, (PVOID)&sysInfo, sizeof(ULONG) * QSV_MAX);
+    if (rc == NO_ERROR) {
+        RNG_RandomUpdate(&sysInfo, sizeof(sysInfo));
+    }
+
+    // now let's do some files
+    ReadSystemFiles();
+
+    /* more noise */
+    nBytes = RNG_GetNoise(buffer, sizeof(buffer));
+    RNG_RandomUpdate(buffer, nBytes);
+}
+
+void
+RNG_FileForRNG(const char *filename)
+{
+    struct stat stat_buf;
+    unsigned char buffer[1024];
+    FILE *file = 0;
+    int nBytes = 0;
+    static int totalFileBytes = 0;
+
+    if (stat((char *)filename, &stat_buf) < 0)
+        return;
+
+    RNG_RandomUpdate((unsigned char *)&stat_buf, sizeof(stat_buf));
+
+    file = fopen((char *)filename, "r");
+    if (file != NULL) {
+        for (;;) {
+            size_t bytes = fread(buffer, 1, sizeof(buffer), file);
+
+            if (bytes == 0)
+                break;
+
+            RNG_RandomUpdate(buffer, bytes);
+            totalFileBytes += bytes;
+            if (totalFileBytes > 250000)
+                break;
+        }
+        fclose(file);
+    }
+
+    nBytes = RNG_GetNoise(buffer, 20);
+    RNG_RandomUpdate(buffer, nBytes);
+}
+
+static void
+rng_systemJitter(void)
+{
+    dwNumFiles = 0;
+    EnumSystemFiles(ReadOneFile);
+    dwFileToRead++;
+    if (dwFileToRead >= dwNumFiles) {
+        dwFileToRead = 0;
+    }
+}
+
+size_t
+RNG_SystemRNG(void *dest, size_t maxLen)
+{
+    return rng_systemFromNoise(dest, maxLen);
+}
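Review bot: In `EnumSystemFiles`, `filename` stays uninitialized when `DosQuerySysInfo` fails, yet it is still passed to `DosFindFirst`, and the later `sprintf(filename, "%s%s", sysDir, fileBuf.achName)` writes into a `_MAX_PATH` buffer with no bound. Returning early on the query failure and switching to `snprintf(filename, sizeof(filename), "%s%s", sysDir, fileBuf.achName)` (if the toolchain provides it) would close both. In `RNG_SystemInfoForRNG`, the `malloc` result `plong` is handed to `RNG_RandomUpdate(plong, sizeof(*plong))` as a buffer without a NULL check; wrap that call in `if (plong != NULL)`. `RNG_SystemRNG` here returns only `rng_systemFromNoise` output, which the visible code builds from timer and clock readings, so a comment saying that no OS entropy source backs it on this platform would help callers.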
--- a/security/nss/lib/freebl/sysrand.c
+++ b/security/nss/lib/freebl/sysrand.c
@@ -3,14 +3,47 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
 #endif
 
 #include "seccomon.h"
 
+#ifndef XP_WIN
+static size_t rng_systemFromNoise(unsigned char *dest, size_t maxLen);
+#endif
+
 #if defined(XP_UNIX) || defined(XP_BEOS)
 #include "unix_rand.c"
 #endif
 #ifdef XP_WIN
 #include "win_rand.c"
 #endif
+#ifdef XP_OS2
+#include "os2_rand.c"
+#endif
+
+#ifndef XP_WIN
+/*
+ * Normal RNG_SystemRNG() isn't available, use the system noise to collect
+ * the required amount of entropy.
+ */
+static size_t
+rng_systemFromNoise(unsigned char *dest, size_t maxLen)
+{
+    size_t retBytes = maxLen;
+
+    while (maxLen) {
+        size_t nbytes = RNG_GetNoise(dest, maxLen);
+
+        PORT_Assert(nbytes != 0);
+
+        dest += nbytes;
+        maxLen -= nbytes;
+
+        /* some hw op to try to introduce more entropy into the next
+         * RNG_GetNoise call */
+        rng_systemJitter();
+    }
+    return retBytes;
+}
+#endif
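Review bot: `PORT_Assert(nbytes != 0)` in `rng_systemFromNoise` is the only guard against `RNG_GetNoise` returning 0, and if the assertion is compiled out in optimized builds (presumably, as with most assert macros) the `while (maxLen)` loop never terminates. Replace it with a runtime check such as `if (nbytes == 0) { PORT_SetError(SEC_ERROR_NEED_RANDOM); return retBytes - maxLen; }`. The function also always reports the full `retBytes`, so a caller cannot tell these noise-derived bytes from real system randomness. The header comment should say that the output is low-entropy timing noise and not a substitute for an OS CSPRNG.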
--- a/security/nss/lib/freebl/unix_rand.c
+++ b/security/nss/lib/freebl/unix_rand.c
@@ -889,19 +889,16 @@ RNG_SystemInfoForRNG(void)
     /* Give in system information */
     if (gethostname(buf, sizeof(buf)) == 0) {
         RNG_RandomUpdate(buf, strlen(buf));
     }
     GiveSystemInfo();
 
     /* grab some data from system's PRNG before any other files. */
     bytes = RNG_FileUpdate("/dev/urandom", SYSTEM_RNG_SEED_COUNT);
-    if (!bytes) {
-        PORT_SetError(SEC_ERROR_NEED_RANDOM);
-    }
 
     /* If the user points us to a random file, pass it through the rng */
     randfile = PR_GetEnvSecure("NSRANDFILE");
     if ((randfile != NULL) && (randfile[0] != '\0')) {
         char *randCountString = PR_GetEnvSecure("NSRANDCOUNT");
         int randCount = randCountString ? atoi(randCountString) : 0;
         if (randCount != 0) {
             RNG_FileUpdate(randfile, randCount);
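Review bot: `bytes` is still assigned from `RNG_FileUpdate("/dev/urandom", SYSTEM_RNG_SEED_COUNT)` but nothing reads it any more, so a failure to seed from the kernel source passes without any error being set. Keep the signal, e.g. `if (!bytes) { PORT_SetError(SEC_ERROR_NEED_RANDOM); }`. The `RNG_SystemRNG` hunk later in this file has the same fail-open shape: when `fopen("/dev/urandom", "r")` fails it now returns `rng_systemFromNoise(dest, maxLen)` instead of 0, so the caller receives a full-length buffer built from timing noise and cannot detect the downgrade. RNG_SystemInfoForRNG's body starts and ends outside this hunk.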
@@ -1020,16 +1017,30 @@ RNG_FileUpdate(const char *fileName, siz
 }
 
 void
 RNG_FileForRNG(const char *fileName)
 {
     RNG_FileUpdate(fileName, TOTAL_FILE_LIMIT);
 }
 
+void
+ReadSingleFile(const char *fileName)
+{
+    FILE *file;
+    unsigned char buffer[BUFSIZ];
+
+    file = fopen(fileName, "rb");
+    if (file != NULL) {
+        while (fread(buffer, 1, sizeof(buffer), file) > 0)
+            ;
+        fclose(file);
+    }
+}
+
 #define _POSIX_PTHREAD_SEMANTICS
 #include <dirent.h>
 
 PRBool
 ReadFileOK(char *dir, char *file)
 {
     struct stat stat_buf;
     char filename[PATH_MAX];
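Review bot: `ReadSingleFile` is added with external linkage, although the only caller visible in this commit is the `static` `ReadOneFile` in the same file, and the OS/2 copy in os2_rand.c declares it `static void`. Declaring it `static void ReadSingleFile(const char *fileName)` keeps the symbol out of the library's exported namespace. A one-line comment such as `/* data is discarded on purpose; the read only perturbs timing for RNG_GetNoise */` would also explain the empty loop body.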
@@ -1039,29 +1050,111 @@ ReadFileOK(char *dir, char *file)
         return PR_FALSE; /* name too long, can't read it anyway */
     }
 
     if (stat(filename, &stat_buf) < 0)
         return PR_FALSE; /* can't stat, probably can't read it then as well */
     return S_ISREG(stat_buf.st_mode) ? PR_TRUE : PR_FALSE;
 }
 
+/*
+ * read one file out of either /etc or the user's home directory.
+ * fileToRead tells which file to read.
+ *
+ * return 1 if it's time to reset the fileToRead (no more files to read).
+ */
+static int
+ReadOneFile(int fileToRead)
+{
+    char *dir = "/etc";
+    DIR *fd = opendir(dir);
+    int resetCount = 0;
+    struct dirent *entry;
+#if defined(__sun)
+    char firstName[256];
+#else
+    char firstName[NAME_MAX + 1];
+#endif
+    const char *name = NULL;
+    int i;
+
+    if (fd == NULL) {
+        dir = PR_GetEnvSecure("HOME");
+        if (dir) {
+            fd = opendir(dir);
+        }
+    }
+    if (fd == NULL) {
+        return 1;
+    }
+
+    firstName[0] = '\0';
+    for (i = 0; i <= fileToRead; i++) {
+        do {
+            /* readdir() isn't guaranteed to be thread safe on every platform;
+             * this code assumes the same directory isn't read concurrently.
+             * This usage is confirmed safe on Linux, see bug 1254334. */
+            entry = readdir(fd);
+        } while (entry != NULL && !ReadFileOK(dir, &entry->d_name[0]));
+        if (entry == NULL) {
+            resetCount = 1; /* read to the end, start again at the beginning */
+            if (firstName[0]) {
+                /* ran out of entries in the directory, use the first one */
+                name = firstName;
+            }
+            break;
+        }
+        name = entry->d_name;
+        if (i == 0) {
+            /* copy the name of the first in case we run out of entries */
+            PORT_Assert(PORT_Strlen(name) < sizeof(firstName));
+            PORT_Strncpy(firstName, name, sizeof(firstName) - 1);
+            firstName[sizeof(firstName) - 1] = '\0';
+        }
+    }
+
+    if (name) {
+        char filename[PATH_MAX];
+        int count = snprintf(filename, sizeof(filename), "%s/%s", dir, name);
+        if (count >= 1) {
+            ReadSingleFile(filename);
+        }
+    }
+
+    closedir(fd);
+    return resetCount;
+}
+
+/*
+ * do something to try to introduce more noise into the 'GetNoise' call
+ */
+static void
+rng_systemJitter(void)
+{
+    static int fileToRead = 1;
+
+    if (ReadOneFile(fileToRead)) {
+        fileToRead = 1;
+    } else {
+        fileToRead++;
+    }
+}
+
 size_t
 RNG_SystemRNG(void *dest, size_t maxLen)
 {
     FILE *file;
     int fd;
     int bytes;
     size_t fileBytes = 0;
     unsigned char *buffer = dest;
 
     file = fopen("/dev/urandom", "r");
     if (file == NULL) {
-        PORT_SetError(SEC_ERROR_NEED_RANDOM);
-        return 0;
+        return rng_systemFromNoise(dest, maxLen);
     }
     /* Read from the underlying file descriptor directly to bypass stdio
      * buffering and avoid reading more bytes than we need from /dev/urandom.
      * NOTE: we can't use fread with unbuffered I/O because fread may return
      * EOF in unbuffered I/O mode on Android.
      */
     fd = fileno(file);
     /* 'file' was just opened, so this should not fail. */
--- a/security/nss/lib/softoken/pkcs11c.c
+++ b/security/nss/lib/softoken/pkcs11c.c
@@ -7262,16 +7262,24 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
                 if (rv != SECSuccess) {
                     goto ec_loser;
                 }
                 ecPoint = newPoint;
             }
 
             if (mechanism == CKM_ECDH1_COFACTOR_DERIVE) {
                 withCofactor = PR_TRUE;
+            } else {
+                /* When not using cofactor derivation, one should
+                 * validate the public key to avoid small subgroup
+                 * attacks.
+                 */
+                if (EC_ValidatePublicKey(&privKey->u.ec.ecParams, &ecPoint) != SECSuccess) {
+                    goto ec_loser;
+                }
             }
 
             rv = ECDH_Derive(&ecPoint, &privKey->u.ec.ecParams, &ecScalar,
                              withCofactor, &tmp);
             PORT_Free(ecScalar.data);
             ecScalar.data = NULL;
             if (privKey != sourceKey->objectInfo) {
                 nsslowkey_DestroyPrivateKey(privKey);
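Review bot: `EC_ValidatePublicKey` runs only in the `else` branch, so with `CKM_ECDH1_COFACTOR_DERIVE` the peer point reaches `ECDH_Derive` unvalidated. Cofactor multiplication deals with small-subgroup components but does not by itself establish that the point lies on the curve, so unless `ECDH_Derive` performs that check internally (not visible in this hunk) at least the on-curve part of validation should apply to both mechanisms. The failure path also jumps to `ec_loser` without assigning `rv`, unlike the `if (rv != SECSuccess)` pattern just above it; writing `rv = EC_ValidatePublicKey(&privKey->u.ec.ecParams, &ecPoint);` followed by the usual test keeps the status consistent. NSC_DeriveKey's body extends beyond the hunk.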
--- a/security/nss/lib/ssl/SSLerrs.h
+++ b/security/nss/lib/ssl/SSLerrs.h
@@ -500,11 +500,8 @@ ER3(SSL_ERROR_BAD_2ND_CLIENT_HELLO, (SSL
 ER3(SSL_ERROR_MISSING_SIGNATURE_ALGORITHMS_EXTENSION, (SSL_ERROR_BASE + 157),
     "SSL expected a signature algorithms extension.")
 
 ER3(SSL_ERROR_MALFORMED_PSK_KEY_EXCHANGE_MODES, (SSL_ERROR_BASE + 158),
     "SSL received a malformed PSK key exchange modes extension.")
 
 ER3(SSL_ERROR_MISSING_PSK_KEY_EXCHANGE_MODES, (SSL_ERROR_BASE + 159),
     "SSL expected a PSK key exchange modes extension.")
-
-ER3(SSL_ERROR_DOWNGRADE_WITH_EARLY_DATA, (SSL_ERROR_BASE + 160),
-    "SSL got a pre-TLS 1.3 version even though we sent early data.")
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -1039,19 +1039,18 @@ Null_Cipher(void *ctx, unsigned char *ou
             const unsigned char *input, int inputLen)
 {
     if (inputLen > maxOutputLen) {
         *outputLen = 0; /* Match PK11_CipherOp in setting outputLen */
         PORT_SetError(SEC_ERROR_OUTPUT_LEN);
         return SECFailure;
     }
     *outputLen = inputLen;
-    if (inputLen > 0 && input != output) {
+    if (input != output)
         PORT_Memcpy(output, input, inputLen);
-    }
     return SECSuccess;
 }
 
 /*
  * SSL3 Utility functions
  */
 
 /* allowLargerPeerVersion controls whether the function will select the
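Review bot: With the `inputLen > 0` guard gone, `Null_Cipher` calls `PORT_Memcpy(output, input, inputLen)` for empty records too, and if `PORT_Memcpy` maps to `memcpy` (likely) a zero-length copy with a NULL `input` or `output` is undefined behaviour. `inputLen` is a signed `int` and the only check is `inputLen > maxOutputLen`, so a negative length would also reach the copy. Keep the condition as `if (inputLen > 0 && input != output)`.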
@@ -3117,30 +3116,24 @@ ssl3_HandleNoCertificate(sslSocket *ss)
 **              ssl3_HandleRecord   <-
 **
 */
 SECStatus
 SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level, SSL3AlertDescription desc)
 {
     PRUint8 bytes[2];
     SECStatus rv;
-    PRBool needHsLock = !ssl_HaveSSL3HandshakeLock(ss);
-
-    /* Check that if I need the HS lock I also need the Xmit lock */
-    PORT_Assert(!needHsLock || !ssl_HaveXmitBufLock(ss));
 
     SSL_TRC(3, ("%d: SSL3[%d]: send alert record, level=%d desc=%d",
                 SSL_GETPID(), ss->fd, level, desc));
 
     bytes[0] = level;
     bytes[1] = desc;
 
-    if (needHsLock) {
-        ssl_GetSSL3HandshakeLock(ss);
-    }
+    ssl_GetSSL3HandshakeLock(ss);
     if (level == alert_fatal) {
         if (!ss->opt.noCache && ss->sec.ci.sid) {
             ss->sec.uncache(ss->sec.ci.sid);
         }
     }
     ssl_GetXmitBufLock(ss);
     rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
     if (rv == SECSuccess) {
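Review bot: `SSL3_SendAlert` now takes the SSL3 handshake lock unconditionally and then the XmitBuf lock, and the assertion that documented the expected ordering is gone, so the locking contract is no longer written down anywhere in the function. Add a comment above `ssl_GetSSL3HandshakeLock(ss);` along the lines of `/* Lock order: SSL3HandshakeLock, then XmitBufLock. Callers must not hold XmitBufLock alone when calling this. */`. The unconditional acquire relies on the handshake lock being re-entrant for callers that already hold it, which is worth stating as well (not verifiable from this hunk). The matching unconditional release is in the next hunk.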
@@ -3148,19 +3141,17 @@ SSL3_SendAlert(sslSocket *ss, SSL3AlertL
         sent = ssl3_SendRecord(ss, NULL, content_alert, bytes, 2,
                                (desc == no_certificate) ? ssl_SEND_FLAG_FORCE_INTO_BUFFER : 0);
         rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
     }
     if (level == alert_fatal) {
         ss->ssl3.fatalAlertSent = PR_TRUE;
     }
     ssl_ReleaseXmitBufLock(ss);
-    if (needHsLock) {
-        ssl_ReleaseSSL3HandshakeLock(ss);
-    }
+    ssl_ReleaseSSL3HandshakeLock(ss);
     return rv; /* error set by ssl3_FlushHandshake or ssl3_SendRecord */
 }
 
 /*
  * Send illegal_parameter alert.  Set generic error number.
  */
 static SECStatus
 ssl3_IllegalParameter(sslSocket *ss)
@@ -6650,29 +6641,22 @@ ssl3_HandleServerHello(sslSocket *ss, SS
 
     rv = ssl_ClientReadVersion(ss, &b, &length, &ss->version);
     if (rv != SECSuccess) {
         goto loser; /* alert has been sent */
     }
 
     /* The server didn't pick 1.3 although we either received a
      * HelloRetryRequest, or we prepared to send early app data. */
-    if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
-        if (ss->ssl3.hs.helloRetry) {
-            /* SSL3_SendAlert() will uncache the SID. */
-            desc = illegal_parameter;
-            errCode = SSL_ERROR_RX_MALFORMED_SERVER_HELLO;
-            goto alert_loser;
-        }
-        if (ss->ssl3.hs.zeroRttState == ssl_0rtt_sent) {
-            /* SSL3_SendAlert() will uncache the SID. */
-            desc = illegal_parameter;
-            errCode = SSL_ERROR_DOWNGRADE_WITH_EARLY_DATA;
-            goto alert_loser;
-        }
+    if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3 &&
+        (ss->ssl3.hs.helloRetry || ss->ssl3.hs.zeroRttState == ssl_0rtt_sent)) {
+        /* SSL3_SendAlert() will uncache the SID. */
+        desc = illegal_parameter;
+        errCode = SSL_ERROR_RX_MALFORMED_SERVER_HELLO;
+        goto alert_loser;
     }
 
     /* Check that the server negotiated the same version as it did
      * in the first handshake. This isn't really the best place for
      * us to be getting this version number, but it's what we have.
      * (1294697). */
     if (ss->firstHsDone && (ss->version != ss->ssl3.crSpec->version)) {
         desc = illegal_parameter;
@@ -8226,30 +8210,16 @@ alert_loser:
 }
 
 SECStatus
 ssl3_SelectServerCert(sslSocket *ss)
 {
     const ssl3KEADef *kea_def = ss->ssl3.hs.kea_def;
     PRCList *cursor;
 
-    /* If the client didn't include the supported groups extension, assume just
-     * P-256 support and disable all the other ECDHE groups.  This also affects
-     * ECDHE group selection, but this function is called first. */
-    if (!ssl3_ExtensionNegotiated(ss, ssl_supported_groups_xtn)) {
-        unsigned int i;
-        for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) {
-            if (ss->namedGroupPreferences[i] &&
-                ss->namedGroupPreferences[i]->keaType == ssl_kea_ecdh &&
-                ss->namedGroupPreferences[i]->name != ssl_grp_ec_secp256r1) {
-                ss->namedGroupPreferences[i] = NULL;
-            }
-        }
-    }
-
     /* This picks the first certificate that has:
      * a) the right authentication method, and
      * b) the right named curve (EC only)
      *
      * We might want to do some sort of ranking here later.  For now, it's all
      * based on what order they are configured in. */
     for (cursor = PR_NEXT_LINK(&ss->serverCerts);
          cursor != &ss->serverCerts;
--- a/security/nss/lib/ssl/ssl3gthr.c
+++ b/security/nss/lib/ssl/ssl3gthr.c
@@ -27,17 +27,16 @@ ssl3_InitGather(sslGather *gs)
 {
     SECStatus status;
 
     gs->state = GS_INIT;
     gs->writeOffset = 0;
     gs->readOffset = 0;
     gs->dtlsPacketOffset = 0;
     gs->dtlsPacket.len = 0;
-    gs->rejectV2Records = PR_FALSE;
     status = sslBuffer_Grow(&gs->buf, 4096);
     return status;
 }
 
 /* Caller must hold RecvBufLock. */
 void
 ssl3_DestroyGather(sslGather *gs)
 {
@@ -143,21 +142,18 @@ ssl3_GatherData(sslSocket *ss, sslGather
         if (gs->remainder > 0) {
             continue;
         }
 
         /* have received entire record header, or entire record. */
         switch (gs->state) {
             case GS_HEADER:
                 /* Check for SSLv2 handshakes. Always assume SSLv3 on clients,
-                 * support SSLv2 handshakes only when ssl2gs != NULL.
-                 * Always assume v3 after we received the first record. */
-                if (!ssl2gs ||
-                    ss->gs.rejectV2Records ||
-                    ssl3_isLikelyV3Hello(gs->hdr)) {
+                 * support SSLv2 handshakes only when ssl2gs != NULL. */
+                if (!ssl2gs || ssl3_isLikelyV3Hello(gs->hdr)) {
                     /* Should have a non-SSLv2 record header in gs->hdr. Extract
                      * the length of the following encrypted data, and then
                      * read in the rest of the record into gs->inbuf. */
                     if (ss->ssl3.hs.shortHeaders) {
                         PRUint16 len = (gs->hdr[0] << 8) | gs->hdr[1];
                         if (!(len & 0x8000)) {
                             SSL_DBG(("%d: SSL3[%d]: incorrectly formatted header"));
                             SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
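Review bot: With `ss->gs.rejectV2Records` removed from the condition, every record header on a socket where `ssl2gs != NULL` is again classified by `ssl3_isLikelyV3Hello` alone, so an SSLv2-framed record is still accepted after v3 records have been processed on the connection. The last hunk of this file compounds that: the `if (v2HdrLength)` block copies `5 - v2HdrLength` bytes and subtracts that from `gs->remainder` without first rejecting records shorter than `SSL_HL_CLIENT_HELLO_HBYTES`. A short v2 length can therefore take `gs->remainder` below zero, or wrap, depending on its type, which is not visible here. Both checks should stay: `ss->gs.rejectV2Records ||` in this condition and the `gs->remainder < SSL_HL_CLIENT_HELLO_HBYTES` rejection before the copy. ssl3_GatherData's body starts and ends outside the hunk.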
@@ -182,17 +178,17 @@ ssl3_GatherData(sslSocket *ss, sslGather
                         ssl2gs->padding = gs->hdr[2];
                         v2HdrLength++;
                     }
                 }
 
                 /* This is the max length for an encrypted SSLv3+ fragment. */
                 if (!v2HdrLength &&
                     gs->remainder > (MAX_FRAGMENT_LENGTH + 2048)) {
-                    SSL3_SendAlert(ss, alert_fatal, record_overflow);
+                    SSL3_SendAlert(ss, alert_fatal, unexpected_message);
                     gs->state = GS_INIT;
                     PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
                     return SECFailure;
                 }
 
                 gs->state = GS_DATA;
                 gs->offset = 0;
                 gs->inbuf.len = 0;
@@ -204,49 +200,30 @@ ssl3_GatherData(sslSocket *ss, sslGather
                     }
                     lbp = gs->inbuf.buf;
                 }
 
                 /* When we encounter an SSLv2 hello we've read 2 or 3 bytes too
                  * many into the gs->hdr[] buffer. Copy them over into inbuf so
                  * that we can properly process the hello record later. */
                 if (v2HdrLength) {
-                    /* Reject v2 records that don't even carry enough data to
-                     * resemble a valid ClientHello header. */
-                    if (gs->remainder < SSL_HL_CLIENT_HELLO_HBYTES) {
-                        SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
-                        PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
-                        return SECFailure;
-                    }
-
-                    PORT_Assert(lbp);
                     gs->inbuf.len = 5 - v2HdrLength;
                     PORT_Memcpy(lbp, gs->hdr + v2HdrLength, gs->inbuf.len);
                     gs->remainder -= gs->inbuf.len;
                     lbp += gs->inbuf.len;
                 }
 
-                if (gs->remainder > 0) {
-                    break; /* End this case.  Continue around the loop. */
-                }
-
-            /* FALL THROUGH if (gs->remainder == 0) as we just received
-                 * an empty record and there's really no point in calling
-                 * ssl_DefRecv() with buf=NULL and len=0. */
+                break; /* End this case.  Continue around the loop. */
 
             case GS_DATA:
                 /*
                 ** SSL3 record has been completely received.
                 */
                 SSL_TRC(10, ("%d: SSL[%d]: got record of %d bytes",
                              SSL_GETPID(), ss->fd, gs->inbuf.len));
-
-                /* reject any v2 records from now on */
-                ss->gs.rejectV2Records = PR_TRUE;
-
                 gs->state = GS_INIT;
                 return 1;
         }
     }
 
     return rv;
 }
 
--- a/security/nss/lib/ssl/ssldef.c
+++ b/security/nss/lib/ssl/ssldef.c
@@ -61,18 +61,16 @@ ssl_DefShutdown(sslSocket *ss, int how)
 }
 
 int
 ssl_DefRecv(sslSocket *ss, unsigned char *buf, int len, int flags)
 {
     PRFileDesc *lower = ss->fd->lower;
     int rv;
 
-    PORT_Assert(buf && len > 0);
-
     rv = lower->methods->recv(lower, (void *)buf, len, flags, ss->rTimeout);
     if (rv < 0) {
         DEFINE_ERROR
         MAP_ERROR(PR_SOCKET_SHUTDOWN_ERROR, PR_CONNECT_RESET_ERROR)
     } else if (rv > len) {
         PORT_Assert(rv <= len);
         PORT_SetError(PR_BUFFER_OVERFLOW_ERROR);
         rv = SECFailure;
--- a/security/nss/lib/ssl/sslerr.h
+++ b/security/nss/lib/ssl/sslerr.h
@@ -239,16 +239,15 @@ typedef enum {
     SSL_ERROR_MISSING_SUPPORTED_GROUPS_EXTENSION = (SSL_ERROR_BASE + 152),
     SSL_ERROR_TOO_MANY_RECORDS = (SSL_ERROR_BASE + 153),
     SSL_ERROR_RX_UNEXPECTED_HELLO_RETRY_REQUEST = (SSL_ERROR_BASE + 154),
     SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST = (SSL_ERROR_BASE + 155),
     SSL_ERROR_BAD_2ND_CLIENT_HELLO = (SSL_ERROR_BASE + 156),
     SSL_ERROR_MISSING_SIGNATURE_ALGORITHMS_EXTENSION = (SSL_ERROR_BASE + 157),
     SSL_ERROR_MALFORMED_PSK_KEY_EXCHANGE_MODES = (SSL_ERROR_BASE + 158),
     SSL_ERROR_MISSING_PSK_KEY_EXCHANGE_MODES = (SSL_ERROR_BASE + 159),
-    SSL_ERROR_DOWNGRADE_WITH_EARLY_DATA = (SSL_ERROR_BASE + 160),
     SSL_ERROR_END_OF_LIST   /* let the c compiler determine the value of this. */
 } SSLErrorCodes;
 #endif /* NO_SECURITY_ERROR_ENUM */
 
 /* clang-format on */
 
 #endif /* __SSL_ERR_H_ */
--- a/security/nss/lib/ssl/sslimpl.h
+++ b/security/nss/lib/ssl/sslimpl.h
@@ -365,20 +365,16 @@ struct sslGatherStr {
     */
     unsigned char hdr[13];
 
     /* Buffer for DTLS data read off the wire as a single datagram */
     sslBuffer dtlsPacket;
 
     /* the start of the buffered DTLS record in dtlsPacket */
     unsigned int dtlsPacketOffset;
-
-    /* tracks whether we've seen a v3-type record before and must reject
-     * any further v2-type records. */
-    PRBool rejectV2Records;
 };
 
 /* sslGather.state */
 #define GS_INIT 0
 #define GS_HEADER 1
 #define GS_DATA 2
 
 /*
--- a/security/nss/lib/ssl/tls13con.c
+++ b/security/nss/lib/ssl/tls13con.c
@@ -127,17 +127,17 @@ const char kHkdfPurposeIv[] = "iv";
 
 const SSL3ProtocolVersion kTlsRecordVersion = SSL_LIBRARY_VERSION_TLS_1_0;
 const SSL3ProtocolVersion kDtlsRecordVersion = SSL_LIBRARY_VERSION_TLS_1_1;
 
 /* Belt and suspenders in case we ever add a TLS 1.4. */
 PR_STATIC_ASSERT(SSL_LIBRARY_VERSION_MAX_SUPPORTED <=
                  SSL_LIBRARY_VERSION_TLS_1_3);
 
-/* Use this instead of FATAL_ERROR when no alert shall be sent. */
+/* Use this instead of FATAL_ERROR when an alert isn't possible. */
 #define LOG_ERROR(ss, prError)                                                     \
     do {                                                                           \
         SSL_TRC(3, ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)",                 \
                     SSL_GETPID(), ss->fd, prError, __func__, __FILE__, __LINE__)); \
         PORT_SetError(prError);                                                    \
     } while (0)
 
 /* Log an error and generate an alert because something is irreparably wrong. */
--- a/security/nss/lib/ssl/tls13exthandle.c
+++ b/security/nss/lib/ssl/tls13exthandle.c
@@ -251,20 +251,21 @@ loser:
  * share is processed in tls13_HandleServerKeyShare(). */
 SECStatus
 tls13_ClientHandleKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type, SECItem *data)
 {
     SECStatus rv;
     PORT_Assert(PR_CLIST_IS_EMPTY(&xtnData->remoteKeyShares));
 
     PORT_Assert(!ss->sec.isServer);
-
-    /* The server must not send this extension when negotiating < TLS 1.3. */
     if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
-        PORT_SetError(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION);
+        /* This can't happen because the extension processing
+         * code filters out TLS 1.3 extensions when not in
+         * TLS 1.3 mode. */
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return SECFailure;
     }
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle key_share extension",
                 SSL_GETPID(), ss->fd));
 
     rv = tls13_HandleKeyShareEntry(ss, xtnData, data);
     if (rv != SECSuccess) {
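Review bot: In tls13_ClientHandleKeyShareXtn the `SSL_TRC` call sits after the version guard, so nothing is traced when the guard fires, whereas the other handlers touched in this file trace before checking `ss->version`. The new comment says the branch is unreachable because of filtering done elsewhere, which this hunk does not show; if that filtering is ever bypassed, the only evidence left is a generic `SEC_ERROR_LIBRARY_FAILURE`. Moving the existing `SSL_TRC(3, ("%d: SSL3[%d]: handle key_share extension", SSL_GETPID(), ss->fd));` above the `if` keeps a record that the extension arrived. The function body continues past the end of the hunk.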
@@ -685,20 +686,19 @@ tls13_ClientHandlePreSharedKeyXtn(const 
                                   SECItem *data)
 {
     PRUint32 index;
     SECStatus rv;
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle pre_shared_key extension",
                 SSL_GETPID(), ss->fd));
 
-    /* The server must not send this extension when negotiating < TLS 1.3. */
+    /* If we are doing < TLS 1.3, then ignore this. */
     if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
-        PORT_SetError(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION);
-        return SECFailure;
+        return SECSuccess;
     }
 
     rv = ssl3_ExtConsumeHandshakeNumber(ss, &index, 2, &data->data, &data->len);
     if (rv != SECSuccess)
         return SECFailure;
 
     /* This should be the end of the extension. */
     if (data->len) {
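Review bot: The guard in tls13_ClientHandlePreSharedKeyXtn now returns `SECSuccess` when `ss->version < SSL_LIBRARY_VERSION_TLS_1_3`, so a server that sends pre_shared_key while negotiating an older version is accepted without any record; the same pattern is introduced in tls13_HandleShortHeaderXtn (hunk at -1122). Whether earlier extension filtering already drops the extension is not visible here. If ignoring is intended, a trace inside the branch would make the event observable, e.g. `SSL_TRC(3, ("%d: TLS13[%d]: ignoring pre_shared_key extension below TLS 1.3", SSL_GETPID(), ss->fd));`. In the short-header hunk the existing trace string also reads "handle early_data extension", which looks like a copy-paste label and would mislead log triage. Both function bodies start or end outside their hunks.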
@@ -811,17 +811,17 @@ tls13_ServerSendEarlyDataXtn(const sslSo
 /* This will only be called if we also offered the extension. */
 SECStatus
 tls13_ClientHandleEarlyDataXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type,
                                SECItem *data)
 {
     SSL_TRC(3, ("%d: TLS13[%d]: handle early_data extension",
                 SSL_GETPID(), ss->fd));
 
-    /* The server must not send this extension when negotiating < TLS 1.3. */
+    /* If we are doing < TLS 1.3, then ignore this. */
     if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
         PORT_SetError(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION);
         return SECFailure;
     }
 
     if (data->len) {
         PORT_SetError(SSL_ERROR_MALFORMED_EARLY_DATA);
         return SECFailure;
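Review bot: The new comment `/* If we are doing < TLS 1.3, then ignore this. */` in tls13_ClientHandleEarlyDataXtn contradicts the code under it, which still sets `SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION` and returns `SECFailure`; the same mismatch appears in tls13_ClientHandleTicketEarlyDataInfoXtn (hunk at -838). Someone auditing downgrade handling would take the comment at face value and assume the extension is tolerated. I would word it to match the behaviour: `/* Reject this extension if we negotiated < TLS 1.3. */`. Both function bodies continue past their hunks.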
@@ -838,17 +838,17 @@ tls13_ClientHandleTicketEarlyDataInfoXtn
                                          SECItem *data)
 {
     PRUint32 utmp;
     SECStatus rv;
 
     SSL_TRC(3, ("%d: TLS13[%d]: handle early_data_info extension",
                 SSL_GETPID(), ss->fd));
 
-    /* The server must not send this extension when negotiating < TLS 1.3. */
+    /* If we are doing < TLS 1.3, then ignore this. */
     if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
         PORT_SetError(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION);
         return SECFailure;
     }
 
     rv = ssl3_ExtConsumeHandshake(ss, &utmp, sizeof(utmp),
                                   &data->data, &data->len);
     if (rv != SECSuccess) {
@@ -1122,20 +1122,19 @@ tls13_SendShortHeaderXtn(const sslSocket
 SECStatus
 tls13_HandleShortHeaderXtn(
     const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type,
     SECItem *data)
 {
     SSL_TRC(3, ("%d: TLS13[%d]: handle early_data extension",
                 SSL_GETPID(), ss->fd));
 
-    /* The server must not send this extension when negotiating < TLS 1.3. */
+    /* If we are doing < TLS 1.3, then ignore this. */
     if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
-        PORT_SetError(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION);
-        return SECFailure;
+        return SECSuccess;
     }
 
     /* Presently this is incompatible with 0-RTT. We will fix if
      * it becomes more than an experiment. */
     if (ss->opt.enable0RttData) {
         return SECSuccess;
     }
 
--- a/security/nss/lib/util/nssutil.def
+++ b/security/nss/lib/util/nssutil.def
@@ -285,14 +285,8 @@ NSSUTIL_ArgParseModuleSpecEx;
 ;+};
 ;+NSSUTIL_3.24 {       # NSS Utilities 3.24 release
 ;+    global:
 PORT_InitCheapArena;
 PORT_DestroyCheapArena;
 ;+    local:
 ;+       *;
 ;+};
-;+NSSUTIL_3.25 {         # NSS Utilities 3.25 release
-;+    global:
-SEC_ASN1DecoderSetMaximumElementSize;
-;+    local:
-;+       *;
-;+};
--- a/security/nss/lib/util/secasn1.h
+++ b/security/nss/lib/util/secasn1.h
@@ -49,28 +49,16 @@ extern void SEC_ASN1DecoderSetFilterProc
 extern void SEC_ASN1DecoderClearFilterProc(SEC_ASN1DecoderContext *cx);
 
 extern void SEC_ASN1DecoderSetNotifyProc(SEC_ASN1DecoderContext *cx,
                                          SEC_ASN1NotifyProc fn,
                                          void *arg);
 
 extern void SEC_ASN1DecoderClearNotifyProc(SEC_ASN1DecoderContext *cx);
 
-/* Sets the maximum size that should be allocated for a single ASN.1
- * element. Set to 0 to indicate there is no limit.
- *
- * Note: This does not set the maximum size overall that may be allocated
- * while parsing, nor does it guarantee that the decoder won't allocate
- * more than |max_size| while parsing an individual element; rather, it
- * merely guarantees that any individual allocation for returned data
- * should not exceed |max_size|.
-*/
-extern void SEC_ASN1DecoderSetMaximumElementSize(SEC_ASN1DecoderContext *cx,
-                                                 unsigned long max_size);
-
 extern SECStatus SEC_ASN1Decode(PLArenaPool *pool, void *dest,
                                 const SEC_ASN1Template *t,
                                 const char *buf, long len);
 
 /* Both classic ASN.1 and QuickDER have a feature that removes leading zeroes
    out of SEC_ASN1_INTEGER if the caller sets siUnsignedInteger in the type
    field of the target SECItem prior to calling the decoder. Otherwise, the
    type field is ignored and untouched. For SECItem that are dynamically
--- a/security/nss/lib/util/secasn1d.c
+++ b/security/nss/lib/util/secasn1d.c
@@ -287,27 +287,16 @@ struct sec_DecoderContext_struct {
      * give us a pool pointer?
      */
     void *their_mark; /* free on error */
 #endif
 
     sec_asn1d_state *current;
     sec_asn1d_parse_status status;
 
-    /* The maximum size the caller is willing to allow a single element
-     * to be before returning an error.
-     *
-     * In the case of an indefinite length element, this is the sum total
-     * of all child elements.
-     *
-     * In the case of a definite length element, this represents the maximum
-     * size of the top-level element.
-     */
-    unsigned long max_element_size;
-
     SEC_ASN1NotifyProc notify_proc; /* call before/after handling field */
     void *notify_arg;               /* argument to notify_proc */
     PRBool during_notify;           /* true during call to notify_proc */
 
     SEC_ASN1WriteProc filter_proc; /* pass field bytes to this  */
     void *filter_arg;              /* argument to that function */
     PRBool filter_only;            /* do not allocate/store fields */
 };
@@ -1294,23 +1283,16 @@ sec_asn1d_prepare_for_contents(sec_asn1d
                  */
                 if (state->subitems_head != NULL) {
                     PORT_Assert(state->underlying_kind == SEC_ASN1_ANY);
                     for (subitem = state->subitems_head;
                          subitem != NULL; subitem = subitem->next)
                         alloc_len += subitem->len;
                 }
 
-                if (state->top->max_element_size > 0 &&
-                    alloc_len > state->top->max_element_size) {
-                    PORT_SetError(SEC_ERROR_OUTPUT_LEN);
-                    state->top->status = decodeError;
-                    return;
-                }
-
                 item->data = (unsigned char *)sec_asn1d_zalloc(poolp, alloc_len);
                 if (item->data == NULL) {
                     state->top->status = decodeError;
                     break;
                 }
 
                 len = 0;
                 for (subitem = state->subitems_head;
@@ -1409,23 +1391,16 @@ sec_asn1d_prepare_for_contents(sec_asn1d
         default:
             /*
              * We are allocating for a simple leaf item.
              */
             if (state->contents_length) {
                 if (state->dest != NULL) {
                     item = (SECItem *)(state->dest);
                     item->len = 0;
-                    if (state->top->max_element_size > 0 &&
-                        state->contents_length > state->top->max_element_size) {
-                        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
-                        state->top->status = decodeError;
-                        return;
-                    }
-
                     if (state->top->filter_only) {
                         item->data = NULL;
                     } else {
                         item->data = (unsigned char *)
                             sec_asn1d_zalloc(state->top->their_pool,
                                              state->contents_length);
                         if (item->data == NULL) {
                             state->top->status = decodeError;
@@ -2243,23 +2218,16 @@ sec_asn1d_concat_substrings(sec_asn1d_st
              * ANY that is *not* also an INNER.  Because we zero-allocate
              * below, all we need to do is increase the length here.
              */
             if (state->underlying_kind == SEC_ASN1_ANY && state->indefinite)
                 item_len += 2;
             alloc_len = item_len;
         }
 
-        if (state->top->max_element_size > 0 &&
-            alloc_len > state->top->max_element_size) {
-            PORT_SetError(SEC_ERROR_OUTPUT_LEN);
-            state->top->status = decodeError;
-            return;
-        }
-
         item = (SECItem *)(state->dest);
         PORT_Assert(item != NULL);
         PORT_Assert(item->data == NULL);
         item->data = (unsigned char *)sec_asn1d_zalloc(state->top->their_pool,
                                                        alloc_len);
         if (item->data == NULL) {
             state->top->status = decodeError;
             return;
@@ -2753,17 +2721,17 @@ SEC_ASN1DecoderUpdate(SEC_ASN1DecoderCon
 
     while (cx->status == keepGoing) {
         state = cx->current;
         what = SEC_ASN1_Contents;
         consumed = 0;
 #ifdef DEBUG_ASN1D_STATES
         printf("\nPLACE = %s, next byte = 0x%02x, %08x[%d]\n",
                (state->place >= 0 && state->place <= notInUse) ? place_names[state->place] : "(undefined)",
-               len ? (unsigned int)((unsigned char *)buf)[consumed] : 0,
+               (unsigned int)((unsigned char *)buf)[consumed],
                buf, consumed);
         dump_states(cx);
 #endif /* DEBUG_ASN1D_STATES */
         switch (state->place) {
             case beforeIdentifier:
                 consumed = sec_asn1d_parse_identifier(state, buf, len);
                 what = SEC_ASN1_Identifier;
                 break;
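Review bot: With the `len ?` guard dropped, the debug `printf` in SEC_ASN1DecoderUpdate reads `((unsigned char *)buf)[consumed]` unconditionally, which is a read past the input if the loop runs with `len == 0` (whether that can happen is decided outside this hunk). It only affects builds with `DEBUG_ASN1D_STATES` defined, but those are the builds used to investigate malformed input. Keeping the argument as `len ? (unsigned int)((unsigned char *)buf)[consumed] : 0,` avoids the read. The function starts and ends outside the hunk.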
@@ -3069,23 +3037,16 @@ SEC_ASN1DecoderSetNotifyProc(SEC_ASN1Dec
 void
 SEC_ASN1DecoderClearNotifyProc(SEC_ASN1DecoderContext *cx)
 {
     cx->notify_proc = NULL;
     cx->notify_arg = NULL; /* not necessary; just being clean */
 }
 
 void
-SEC_ASN1DecoderSetMaximumElementSize(SEC_ASN1DecoderContext *cx,
-                                     unsigned long max_size)
-{
-    cx->max_element_size = max_size;
-}
-
-void
 SEC_ASN1DecoderAbort(SEC_ASN1DecoderContext *cx, int error)
 {
     PORT_Assert(cx);
     PORT_SetError(error);
     cx->status = decodeError;
 }
 
 SECStatus
@@ -3095,20 +3056,16 @@ SEC_ASN1Decode(PLArenaPool *poolp, void 
 {
     SEC_ASN1DecoderContext *dcx;
     SECStatus urv, frv;
 
     dcx = SEC_ASN1DecoderStart(poolp, dest, theTemplate);
     if (dcx == NULL)
         return SECFailure;
 
-    /* In one-shot mode, there's no possibility of streaming data beyond the
-     * length of len */
-    SEC_ASN1DecoderSetMaximumElementSize(dcx, len);
-
     urv = SEC_ASN1DecoderUpdate(dcx, buf, len);
     frv = SEC_ASN1DecoderFinish(dcx);
 
     if (urv != SECSuccess)
         return urv;
 
     return frv;
 }
deleted file mode 100644
--- a/security/nss/nss-tool/.clang-format
+++ /dev/null
@@ -1,4 +0,0 @@
----
-Language: Cpp
-BasedOnStyle: Google
-...
deleted file mode 100644
--- a/security/nss/nss-tool/common/argparse.cc
+++ /dev/null
@@ -1,23 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "argparse.h"
-
-ArgParser::ArgParser(const std::vector<std::string>& arguments) {
-  for (size_t i = 0; i < arguments.size(); i++) {
-    std::string arg = arguments.at(i);
-    if (arg.find("--") == 0) {
-      // look for an option argument
-      if (i + 1 < arguments.size() && arguments.at(i + 1).find("--") != 0) {
-        programArgs_[arg] = arguments.at(i + 1);
-        i++;
-      } else {
-        programArgs_[arg] = "";
-      }
-    } else {
-      // positional argument (e.g. required argument)
-      positionalArgs_.push_back(arg);
-    }
-  }
-}
deleted file mode 100644
--- a/security/nss/nss-tool/common/argparse.h
+++ /dev/null
@@ -1,30 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef argparse_h__
-#define argparse_h__
-
-#include <string>
-#include <unordered_map>
-#include <vector>
-
-class ArgParser {
- public:
-  ArgParser(const std::vector<std::string>& arguments);
-
-  bool Has(std::string arg) { return programArgs_.count(arg) > 0; }
-
-  std::string Get(std::string arg) { return programArgs_[arg]; }
-
-  size_t GetPositionalArgumentCount() { return positionalArgs_.size(); }
-  std::string GetPositionalArgument(size_t pos) {
-    return positionalArgs_.at(pos);
-  }
-
- private:
-  std::unordered_map<std::string, std::string> programArgs_;
-  std::vector<std::string> positionalArgs_;
-};
-
-#endif  // argparse_h__
deleted file mode 100644
--- a/security/nss/nss-tool/common/scoped_ptrs.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef scoped_ptrs_h__
-#define scoped_ptrs_h__
-
-#include <memory>
-#include "cert.h"
-#include "keyhi.h"
-#include "pk11pub.h"
-
-struct ScopedDelete {
-  void operator()(CERTCertificate* cert) { CERT_DestroyCertificate(cert); }
-  void operator()(CERTCertificateList* list) {
-    CERT_DestroyCertificateList(list);
-  }
-  void operator()(CERTSubjectPublicKeyInfo* spki) {
-    SECKEY_DestroySubjectPublicKeyInfo(spki);
-  }
-  void operator()(PK11SlotInfo* slot) { PK11_FreeSlot(slot); }
-  void operator()(PK11SymKey* key) { PK11_FreeSymKey(key); }
-  void operator()(SECAlgorithmID* id) { SECOID_DestroyAlgorithmID(id, true); }
-  void operator()(SECItem* item) { SECITEM_FreeItem(item, true); }
-  void operator()(SECKEYPublicKey* key) { SECKEY_DestroyPublicKey(key); }
-  void operator()(SECKEYPrivateKey* key) { SECKEY_DestroyPrivateKey(key); }
-
-  void operator()(CERTCertList* list) { CERT_DestroyCertList(list); }
-};
-
-template <class T>
-struct ScopedMaybeDelete {
-  void operator()(T* ptr) {
-    if (ptr) {
-      ScopedDelete del;
-      del(ptr);
-    }
-  }
-};
-
-#define SCOPED(x) typedef std::unique_ptr<x, ScopedMaybeDelete<x> > Scoped##x
-
-SCOPED(CERTCertificate);
-SCOPED(CERTCertificateList);
-SCOPED(CERTSubjectPublicKeyInfo);
-SCOPED(PK11SlotInfo);
-SCOPED(PK11SymKey);
-SCOPED(SECAlgorithmID);
-SCOPED(SECItem);
-SCOPED(SECKEYPublicKey);
-SCOPED(SECKEYPrivateKey);
-
-SCOPED(CERTCertList);
-
-#undef SCOPED
-
-#endif
deleted file mode 100644
--- a/security/nss/nss-tool/db/dbtool.cc
+++ /dev/null
@@ -1,138 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "dbtool.h"
-#include "argparse.h"
-#include "scoped_ptrs.h"
-
-#include <iomanip>
-#include <iostream>
-#include <memory>
-#include <sstream>
-
-#include <cert.h>
-#include <certdb.h>
-#include <nss.h>
-#include <prio.h>
-
-static std::string PrintFlags(unsigned int flags) {
-  std::stringstream ss;
-  if ((flags & CERTDB_VALID_CA) && !(flags & CERTDB_TRUSTED_CA) &&
-      !(flags & CERTDB_TRUSTED_CLIENT_CA)) {
-    ss << "c";
-  }
-  if ((flags & CERTDB_TERMINAL_RECORD) && !(flags & CERTDB_TRUSTED)) {
-    ss << "p";
-  }
-  if (flags & CERTDB_TRUSTED_CA) {
-    ss << "C";
-  }
-  if (flags & CERTDB_TRUSTED_CLIENT_CA) {
-    ss << "T";
-  }
-  if (flags & CERTDB_TRUSTED) {
-    ss << "P";
-  }
-  if (flags & CERTDB_USER) {
-    ss << "u";
-  }
-  if (flags & CERTDB_SEND_WARN) {
-    ss << "w";
-  }
-  if (flags & CERTDB_INVISIBLE_CA) {
-    ss << "I";
-  }
-  if (flags & CERTDB_GOVT_APPROVED_CA) {
-    ss << "G";
-  }
-  return ss.str();
-}
-
-void DBTool::Usage() {
-  std::cerr << "Usage: nss db [--path <directory>] --list-certs" << std::endl;
-}
-
-bool DBTool::Run(const std::vector<std::string> &arguments) {
-  ArgParser parser(arguments);
-
-  std::string initDir(".");
-  if (parser.Has("--path")) {
-    initDir = parser.Get("--path");
-    if (PR_Access(initDir.c_str(), PR_ACCESS_READ_OK) != PR_SUCCESS) {
-      std::cerr << "Directory '" << initDir
-                << "' does not exists or you don't have permissions!"
-                << std::endl;
-      return false;
-    }
-  }
-
-  if (!parser.Has("--list-certs")) {
-    return false;
-  }
-  std::cout << "Using database directory: " << initDir << std::endl
-            << std::endl;
-
-  // init NSS
-  const char *certPrefix = "";  // certutil -P option  --- can leave this empty
-  SECStatus rv =
-      NSS_Initialize(initDir.c_str(), certPrefix, certPrefix, "secmod.db", 0);
-  if (rv != SECSuccess) {
-    std::cerr << "NSS init failed!" << std::endl;
-    return false;
-  }
-
-  ListCertificates();
-
-  // shutdown nss
-  if (NSS_Shutdown() != SECSuccess) {
-    std::cerr << "NSS Shutdown failed!" << std::endl;
-    return false;
-  }
-
-  return true;
-}
-
-void DBTool::ListCertificates() {
-  ScopedCERTCertList list(PK11_ListCerts(PK11CertListAll, nullptr));
-  CERTCertListNode *node;
-
-  std::cout << std::setw(60) << std::left << "Certificate Nickname"
-            << " "
-            << "Trust Attributes" << std::endl;
-  std::cout << std::setw(60) << std::left << ""
-            << " "
-            << "SSL,S/MIME,JAR/XPI" << std::endl
-            << std::endl;
-
-  for (node = CERT_LIST_HEAD(list); !CERT_LIST_END(node, list);
-       node = CERT_LIST_NEXT(node)) {
-    CERTCertificate *cert = node->cert;
-
-    std::string name("(unknown)");
-    char *appData = static_cast<char *>(node->appData);
-    if (appData && strlen(appData) > 0) {
-      name = appData;
-    } else if (cert->nickname && strlen(cert->nickname) > 0) {
-      name = cert->nickname;
-    } else if (cert->emailAddr && strlen(cert->emailAddr) > 0) {
-      name = cert->emailAddr;
-    }
-
-    CERTCertTrust trust;
-    std::string trusts;
-    if (CERT_GetCertTrust(cert, &trust) == SECSuccess) {
-      std::stringstream ss;
-      ss << PrintFlags(trust.sslFlags);
-      ss << ",";
-      ss << PrintFlags(trust.emailFlags);
-      ss << ",";
-      ss << PrintFlags(trust.objectSigningFlags);
-      trusts = ss.str();
-    } else {
-      trusts = ",,";
-    }
-    std::cout << std::setw(60) << std::left << name << " " << trusts
-              << std::endl;
-  }
-}
deleted file mode 100644
--- a/security/nss/nss-tool/db/dbtool.h
+++ /dev/null
@@ -1,21 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef dbtool_h__
-#define dbtool_h__
-
-#include <string>
-#include <vector>
-
-class DBTool {
- public:
-  bool Run(const std::vector<std::string>& arguments);
-
-  void Usage();
-
- private:
-  void ListCertificates();
-};
-
-#endif  // dbtool_h__
deleted file mode 100644
--- a/security/nss/nss-tool/nss_tool.cc
+++ /dev/null
@@ -1,43 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include <iostream>
-#include <string>
-#include <vector>
-
-#include <prinit.h>
-
-#include "argparse.h"
-#include "db/dbtool.h"
-
-static void Usage() {
-  std::cerr << "Usage: nss <command> <subcommand> [options]" << std::endl;
-  std::cerr << "       nss db [--path <directory>] --list-certs" << std::endl;
-}
-
-int main(int argc, char **argv) {
-  if (argc < 2) {
-    Usage();
-    return 1;
-  }
-
-  if (std::string(argv[1]) != "db") {
-    Usage();
-    return 1;
-  }
-
-  int exit_code = 0;
-  PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-
-  std::vector<std::string> arguments(argv + 2, argv + argc);
-  DBTool tool;
-  if (!tool.Run(arguments)) {
-    tool.Usage();
-    exit_code = 1;
-  }
-
-  PR_Cleanup();
-
-  return exit_code;
-}
deleted file mode 100644
--- a/security/nss/nss-tool/nss_tool.gyp
+++ /dev/null
@@ -1,27 +0,0 @@
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-{
-  'includes' : [
-    '../coreconf/config.gypi',
-    '../cmd/platlibs.gypi',
-  ],
-  'targets' : [
-    {
-      'target_name' : 'nss',
-      'type' : 'executable',
-      'sources' : [
-        'nss_tool.cc',
-        'common/argparse.cc',
-        'db/dbtool.cc',
-      ],
-      'include_dirs': [
-        'common',
-      ],
-      'dependencies' : [
-        '<(DEPTH)/exports.gyp:dbm_exports',
-        '<(DEPTH)/exports.gyp:nss_exports'
-      ],
-    }
-  ],
-}
--- a/security/nss/nss.gyp
+++ b/security/nss/nss.gyp
@@ -115,17 +115,16 @@
           'dependencies': [
             'cmd/crlutil/crlutil.gyp:crlutil',
             'cmd/pwdecrypt/pwdecrypt.gyp:pwdecrypt',
             'cmd/signtool/signtool.gyp:signtool',
             'cmd/signver/signver.gyp:signver',
             'cmd/smimetools/smimetools.gyp:cmsutil',
             'cmd/ssltap/ssltap.gyp:ssltap',
             'cmd/symkeyutil/symkeyutil.gyp:symkeyutil',
-            'nss-tool/nss_tool.gyp:nss',
           ],
         }],
       ],
     },
   ],
   'conditions': [
     [ 'disable_tests==0', {
       'targets': [
@@ -173,16 +172,17 @@
             'cmd/tests/tests.gyp:encodeinttest',
             'cmd/tests/tests.gyp:nonspr10',
             'cmd/tests/tests.gyp:remtest',
             'cmd/tests/tests.gyp:secmodtest',
             'cmd/tstclnt/tstclnt.gyp:tstclnt',
             'cmd/vfychain/vfychain.gyp:vfychain',
             'cmd/vfyserv/vfyserv.gyp:vfyserv',
             'gtests/google_test/google_test.gyp:gtest1',
+            'gtests/common/common.gyp:gtests',
             'gtests/der_gtest/der_gtest.gyp:der_gtest',
             'gtests/pk11_gtest/pk11_gtest.gyp:pk11_gtest',
             'gtests/ssl_gtest/ssl_gtest.gyp:ssl_gtest',
             'gtests/util_gtest/util_gtest.gyp:util_gtest',
             'gtests/nss_bogo_shim/nss_bogo_shim.gyp:nss_bogo_shim'
           ],
           'conditions': [
             [ 'OS=="linux"', {
--- a/security/nss/readme.md
+++ b/security/nss/readme.md
@@ -1,14 +1,14 @@
 # Network Security Services
 
 Network Security Services (NSS) is a set of libraries designed to support
 cross-platform development of security-enabled client and server
-applications. NSS supports SSL v3-TLS 1.2 (experimental TLS 1.3), PKCS #5, PKCS#7,
-PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security
+applications. NSS supports SSL v3-TLS 1.2 (experimental TLS 1.3), PKCS #5, PKCS
+#7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security
 standards.
 
 ## Getting started
 
 In order to get started create a new directory on that you will be uses as your
 local work area, and check out NSS and NSPR. (Note that there's no git mirror of
 NSPR and you require mercurial to get the latest NSPR source.)
 
@@ -35,46 +35,44 @@ After changing into the NSS directory a 
 
 Once the build is done the build output is found in the directory
 `../dist/*.OBJ`, where `*` will be a name dynamically derived from your system's
 architecture. Exported header files can be found in the `include` directory,
 library files in directory `lib`, and tools in directory `bin`. In order to run
 the tools, set your system environment to use the libraries of your build from
 the "lib" directory, e.g., using the `LD_LIBRARY_PATH` or `DYLD_LIBRARY_PATH`.
 
-    Usage: ${0##*/} [-hcv] [-j <n>] [--nspr] [--gyp|-g] [--opt|-o] [-m32]
-                    [--test] [--fuzz] [--pprof] [--scan-build[=output]]
-                    [--asan] [--ubsan] [--msan] [--sancov[=edge|bb|func|...]]
+    Usage: build.sh [-hcgv] [-j <n>] [--test] [--fuzz] [--scan-build[=output]]
+                    [-m32] [--opt|-o] [--asan] [--ubsan] [--sancov[=edge|bb|func]]
+                    [--pprof] [--msan]
 
     This script builds NSS with gyp and ninja.
 
     This build system is still under development.  It does not yet support all
     the features or platforms that NSS supports.
 
     NSS build tool options:
 
         -h            display this help and exit
         -c            clean before build
-        -v            verbose build
+        -g            force a rebuild of gyp (and NSPR, because why not)
         -j <n>        run at most <n> concurrent jobs
-        --nspr        force a rebuild of NSPR
-        --gyp|-g      force a rerun of gyp
-        --opt|-o      do an opt build
+        -v            verbose build
         -m32          do a 32-bit build on a 64-bit system
         --test        ignore map files and export everything we have
         --fuzz        enable fuzzing mode. this always enables test builds
-        --pprof       build with gperftool support
         --scan-build  run the build with scan-build (scan-build has to be in the path)
                       --scan-build=/out/path sets the output path for scan-build
+        --opt|-o      do an opt build
         --asan        do an asan build
         --ubsan       do an ubsan build
-                      --ubsan=bool,shift,... sets specific UB sanitizers
         --msan        do an msan build
         --sancov      do sanitize coverage builds
                       --sancov=func sets coverage to function level for example
+        --pprof       build with gperftool support
 
 
 ## Building NSS (legacy build system)
 
 After changing into the NSS directory a typical build of 32-bit NSS is done as
 follows:
 
     make nss_build_all
--- a/security/nss/tests/all.sh
+++ b/security/nss/tests/all.sh
@@ -34,18 +34,16 @@
 #   chains.sh    - PKIX cert chains tests
 #   dbupgrade.sh - upgrade databases to new shareable version (used
 #                  only in upgrade test cycle)
 #   memleak.sh   - memory leak testing (optional)
 #   ssl_gtests.sh- Gtest based unit tests for ssl
 #   gtests.sh    - Gtest based unit tests for everything else
 #   bogo.sh      - Bogo interop tests (disabled by default)
 #                  https://boringssl.googlesource.com/boringssl/+/master/ssl/test/PORTING.md
-#   interop.sh   - Interoperability tests (disabled by default)
-#                  https://github.com/ekr/tls_interop
 #
 # NSS testing is now devided to 4 cycles:
 # ---------------------------------------
 #   standard     - run test suites with defaults settings
 #   pkix         - run test suites with PKIX enabled
 #   upgradedb    - upgrade existing certificate databases to shareable
 #                  format (creates them if doesn't exist yet) and run
 #                  test suites with those databases
--- a/security/nss/tests/bogo/bogo.sh
+++ b/security/nss/tests/bogo/bogo.sh
@@ -34,16 +34,19 @@ bogo_init()
 
 bogo_cleanup()
 {
   html "</TABLE><BR>"
   cd ${QADIR}
   . common/cleanup.sh
 }
 
+# Need to add go to the PATH.
+export PATH=$PATH:/usr/lib/go-1.6/bin
+
 cd "$(dirname "$0")"
 SOURCE_DIR="$PWD"/../..
 bogo_init
 (cd "$BORING"/ssl/test/runner;
  GOPATH="$PWD" go test -pipe -shim-path "${BINDIR}"/nss_bogo_shim \
 	 -loose-errors -allow-unimplemented \
 	 -shim-config "${SOURCE_DIR}/gtests/nss_bogo_shim/config.json") \
 	 2>bogo.errors | tee bogo.log
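Review bot: The added `export PATH=$PATH:/usr/lib/go-1.6/bin` hard-codes a distribution- and version-specific directory, so on a host with Go installed elsewhere it adds a dead entry, and on a host without it the `go test` below fails with only a line in bogo.errors to show for it. The expansion is also unquoted. I would add the directory only when `go` is not already resolvable, and quote it: `command -v go >/dev/null 2>&1 || export PATH="$PATH:/usr/lib/go-1.6/bin"`.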
deleted file mode 100755
--- a/security/nss/tests/interop/interop.sh
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/bin/bash
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-########################################################################
-#
-# tests/interop/interop.sh
-#
-# Script to drive our cross-stack interop tests
-#
-########################################################################
-
-interop_init()
-{
-  SCRIPTNAME="interop.sh"
-  if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ] ; then
-    cd ../common
-    . ./init.sh
-  fi
-
-  mkdir -p "${HOSTDIR}/interop"
-  cd "${HOSTDIR}/interop"
-  INTEROP=${INTEROP:=tls_interop}
-  if [ ! -d "$INTEROP" ]; then
-    git clone -q https://github.com/mozilla/tls-interop "$INTEROP"
-  fi
-
-  # We use the BoringSSL keyfiles
-  BORING=${BORING:=boringssl}
-  if [ ! -d "$BORING" ]; then
-    git clone -q https://boringssl.googlesource.com/boringssl "$BORING"
-    git -C "$BORING" checkout -q ea80f9d5df4c302de391e999395e1c87f9c786b3
-  fi
-
-  SCRIPTNAME="interop.sh"
-  html_head "interop test"
-}
-
-interop_cleanup()
-{
-  html "</TABLE><BR>"
-  cd ${QADIR}
-  . common/cleanup.sh
-}
-
-# Function so we can easily add other stacks
-interop_run()
-{
-  test_name=$1
-  client=$2
-  server=$3
-
-  (cd "$INTEROP";
-   cargo run -- --client ${client} --server ${server} --rootdir ../${BORING}/ssl/test/runner/ --test-cases cases.json) 2>interop-${test_name}.errors | tee interop-${test_name}.log
-  html_msg "${PIPESTATUS[0]}" 0 "Interop" "Run successfully"
-  grep -i 'FAILED\|Assertion failure' interop-${test_name}.errors
-  html_msg $? 1 "Interop" "No failures"
-}
-
-cd "$(dirname "$0")"
-SOURCE_DIR="$PWD"/../..
-interop_init
-NSS_SHIM="${BINDIR}"/nss_bogo_shim
-BORING_SHIM="../${BORING}"/build/ssl/test/bssl_shim
-interop_run "nss_nss" ${NSS_SHIM} ${NSS_SHIM}
-interop_cleanup