Bug 1137470, landing NSS_3_18_RC0 minus bug 1132496, r=nss-confcall
authorKai Engert <kaie@kuix.de>
Sat, 07 Mar 2015 14:49:00 +0100
changeset 232386 3ec78ec97624dff4b1ed5d68e57baae9c0a9697f
parent 232385 16f240fd86de0d4a8ed8d8e146e109541ad4bc4b
child 232387 3fef33215d39e3c54c7ce8559523ac9ec2259970
push id56534
push userkaie@kuix.de
push dateSat, 07 Mar 2015 13:49:11 +0000
treeherdermozilla-inbound@3ec78ec97624 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersnss-confcall
bugs1137470, 1132496
milestone39.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1137470, landing NSS_3_18_RC0 minus bug 1132496, r=nss-confcall
security/nss/TAG-INFO
security/nss/coreconf/coreconf.dep
security/nss/external_tests/ssl_gtest/databuffer.h
security/nss/external_tests/ssl_gtest/manifest.mn
security/nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc
security/nss/external_tests/ssl_gtest/test_io.cc
security/nss/external_tests/ssl_gtest/test_io.h
security/nss/external_tests/ssl_gtest/tls_agent.cc
security/nss/external_tests/ssl_gtest/tls_agent.h
security/nss/external_tests/ssl_gtest/tls_connect.cc
security/nss/external_tests/ssl_gtest/tls_connect.h
security/nss/external_tests/ssl_gtest/tls_filter.cc
security/nss/external_tests/ssl_gtest/tls_filter.h
security/nss/external_tests/ssl_gtest/tls_parser.cc
security/nss/external_tests/ssl_gtest/tls_parser.h
security/nss/lib/nss/nss.def
security/nss/lib/nss/nss.h
security/nss/lib/pk11wrap/pk11cert.c
security/nss/lib/pk11wrap/pk11pub.h
security/nss/lib/pkcs12/p12local.c
security/nss/lib/pki/tdcache.c
security/nss/lib/softoken/softkver.h
security/nss/lib/ssl/sslsock.c
security/nss/lib/util/nssutil.h
security/patches/reverted-bug-1132496.patch
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_18_BETA7
+NSS_3_18_RC0
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/security/nss/external_tests/ssl_gtest/databuffer.h
+++ b/security/nss/external_tests/ssl_gtest/databuffer.h
@@ -2,38 +2,147 @@
 /* vim: set ts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef databuffer_h__
 #define databuffer_h__
 
+#include <algorithm>
+#include <cassert>
+#include <cstring>
+#include <iomanip>
+#include <iostream>
+
+namespace nss_test {
+
 class DataBuffer {
  public:
   DataBuffer() : data_(nullptr), len_(0) {}
   DataBuffer(const uint8_t *data, size_t len) : data_(nullptr), len_(0) {
     Assign(data, len);
   }
+  explicit DataBuffer(const DataBuffer& other) : data_(nullptr), len_(0) {
+    Assign(other.data(), other.len());
+  }
   ~DataBuffer() { delete[] data_; }
 
-  void Assign(const uint8_t *data, size_t len) {
-    Allocate(len);
-    memcpy(static_cast<void *>(data_), static_cast<const void *>(data), len);
+  DataBuffer& operator=(const DataBuffer& other) {
+    if (&other != this) {
+      Assign(other.data(), other.len());
+    }
+    return *this;
   }
 
   void Allocate(size_t len) {
     delete[] data_;
-    data_ = new unsigned char[len ? len : 1];  // Don't depend on new [0].
+    data_ = new uint8_t[len ? len : 1];  // Don't depend on new [0].
     len_ = len;
   }
 
+  void Truncate(size_t len) {
+    len_ = std::min(len_, len);
+  }
+
+  void Assign(const uint8_t* data, size_t len) {
+    Allocate(len);
+    memcpy(static_cast<void *>(data_), static_cast<const void *>(data), len);
+  }
+
+  // Write will do a new allocation and expand the size of the buffer if needed.
+  void Write(size_t index, const uint8_t* val, size_t count) {
+    if (index + count > len_) {
+      size_t newlen = index + count;
+      uint8_t* tmp = new uint8_t[newlen]; // Always > 0.
+      memcpy(static_cast<void*>(tmp),
+             static_cast<const void*>(data_), len_);
+      if (index > len_) {
+        memset(static_cast<void*>(tmp + len_), 0, index - len_);
+      }
+      delete[] data_;
+      data_ = tmp;
+      len_ = newlen;
+    }
+    memcpy(static_cast<void*>(data_ + index),
+           static_cast<const void*>(val), count);
+  }
+
+  void Write(size_t index, const DataBuffer& buf) {
+    Write(index, buf.data(), buf.len());
+  }
+
+  // Write an integer, also performing host-to-network order conversion.
+  void Write(size_t index, uint32_t val, size_t count) {
+    assert(count <= sizeof(uint32_t));
+    uint32_t nvalue = htonl(val);
+    auto* addr = reinterpret_cast<const uint8_t*>(&nvalue);
+    Write(index, addr + sizeof(uint32_t) - count, count);
+  }
+
+  // Starting at |index|, remove |remove| bytes and replace them with the
+  // contents of |buf|.
+  void Splice(const DataBuffer& buf, size_t index, size_t remove = 0) {
+    Splice(buf.data(), buf.len(), index, remove);
+  }
+
+  void Splice(const uint8_t* ins, size_t ins_len, size_t index, size_t remove = 0) {
+    uint8_t* old_value = data_;
+    size_t old_len = len_;
+
+    // The amount of stuff remaining from the tail of the old.
+    size_t tail_len = old_len - std::min(old_len, index + remove);
+    // The new length: the head of the old, the new, and the tail of the old.
+    len_ = index + ins_len + tail_len;
+    data_ = new uint8_t[len_ ? len_ : 1];
+
+    // The head of the old.
+    Write(0, old_value, std::min(old_len, index));
+    // Maybe a gap.
+    if (index > old_len) {
+      memset(old_value + index, 0, index - old_len);
+    }
+    // The new.
+    Write(index, ins, ins_len);
+    // The tail of the old.
+    if (tail_len > 0) {
+      Write(index + ins_len,
+            old_value + index + remove, tail_len);
+    }
+
+    delete[] old_value;
+  }
+
+  void Append(const DataBuffer& buf) { Splice(buf, len_); }
+
   const uint8_t *data() const { return data_; }
-  uint8_t *data() { return data_; }
+  uint8_t* data() { return data_; }
   size_t len() const { return len_; }
-  const bool empty() const { return len_ != 0; }
+  bool empty() const { return len_ == 0; }
 
  private:
-  uint8_t *data_;
+  uint8_t* data_;
   size_t len_;
 };
 
+#ifdef DEBUG
+static const size_t kMaxBufferPrint = 10000;
+#else
+static const size_t kMaxBufferPrint = 32;
 #endif
+
+inline std::ostream& operator<<(std::ostream& stream, const DataBuffer& buf) {
+  stream << "[" << buf.len() << "] ";
+  for (size_t i = 0; i < buf.len(); ++i) {
+    if (i >= kMaxBufferPrint) {
+      stream << "...";
+      break;
+    }
+    stream << std::hex << std::setfill('0') << std::setw(2)
+           << static_cast<unsigned>(buf.data()[i]);
+  }
+  stream << std::dec;
+  return stream;
+}
+
+} // namespace nss_test
+
+#endif
--- a/security/nss/external_tests/ssl_gtest/manifest.mn
+++ b/security/nss/external_tests/ssl_gtest/manifest.mn
@@ -1,20 +1,23 @@
-# 
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 CORE_DEPTH = ../..
 DEPTH      = ../..
 MODULE = nss
 
 CPPSRCS = \
       ssl_loopback_unittest.cc \
       ssl_gtest.cc \
       test_io.cc \
+      tls_agent.cc \
+      tls_connect.cc \
+      tls_filter.cc \
       tls_parser.cc \
       $(NULL)
 
 INCLUDES += -I$(CORE_DEPTH)/external_tests/google_test/gtest/include
 
 REQUIRES = nspr nss libdbm gtest
 
 PROGRAM = ssl_gtest
--- a/security/nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc
+++ b/security/nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc
@@ -1,604 +1,50 @@
-#include "prio.h"
-#include "prerror.h"
-#include "prlog.h"
-#include "pk11func.h"
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
 #include "ssl.h"
-#include "sslerr.h"
 #include "sslproto.h"
-#include "keyhi.h"
 
 #include <memory>
 
-#include "test_io.h"
 #include "tls_parser.h"
-
-#define GTEST_HAS_RTTI 0
-#include "gtest/gtest.h"
-#include "gtest_utils.h"
-
-extern std::string g_working_dir_path;
+#include "tls_filter.h"
+#include "tls_connect.h"
 
 namespace nss_test {
 
-enum SessionResumptionMode {
-  RESUME_NONE = 0,
-  RESUME_SESSIONID = 1,
-  RESUME_TICKET = 2,
-  RESUME_BOTH = RESUME_SESSIONID | RESUME_TICKET
-};
-
-#define LOG(a) std::cerr << name_ << ": " << a << std::endl;
-
-// Inspector that parses out DTLS records and passes
-// them on.
-class TlsRecordInspector : public Inspector {
- public:
-  virtual void Inspect(DummyPrSocket* adapter, const void* data, size_t len) {
-    TlsRecordParser parser(static_cast<const unsigned char*>(data), len);
-
-    uint8_t content_type;
-    std::auto_ptr<DataBuffer> buf;
-    while (parser.NextRecord(&content_type, &buf)) {
-      OnRecord(adapter, content_type, buf->data(), buf->len());
-    }
-  }
-
-  virtual void OnRecord(DummyPrSocket* adapter, uint8_t content_type,
-                        const unsigned char* record, size_t len) = 0;
-};
-
-// Inspector that injects arbitrary packets based on
-// DTLS records of various types.
-class TlsInspectorInjector : public TlsRecordInspector {
- public:
-  TlsInspectorInjector(uint8_t packet_type, uint8_t handshake_type,
-                       const unsigned char* data, size_t len)
-      : packet_type_(packet_type),
-        handshake_type_(handshake_type),
-        injected_(false),
-        data_(data, len) {}
-
-  virtual void OnRecord(DummyPrSocket* adapter, uint8_t content_type,
-                        const unsigned char* data, size_t len) {
-    // Only inject once.
-    if (injected_) {
-      return;
-    }
-
-    // Check that the first byte is as requested.
-    if (content_type != packet_type_) {
-      return;
-    }
-
-    if (handshake_type_ != 0xff) {
-      // Check that the packet is plausibly long enough.
-      if (len < 1) {
-        return;
-      }
-
-      // Check that the handshake type is as requested.
-      if (data[0] != handshake_type_) {
-        return;
-      }
-    }
-
-    adapter->WriteDirect(data_.data(), data_.len());
-  }
-
- private:
-  uint8_t packet_type_;
-  uint8_t handshake_type_;
-  bool injected_;
-  DataBuffer data_;
-};
-
-// Make a copy of the first instance of a message.
-class TlsInspectorRecordHandshakeMessage : public TlsRecordInspector {
- public:
-  TlsInspectorRecordHandshakeMessage(uint8_t handshake_type)
-      : handshake_type_(handshake_type), buffer_() {}
-
-  virtual void OnRecord(DummyPrSocket* adapter, uint8_t content_type,
-                        const unsigned char* data, size_t len) {
-    // Only do this once.
-    if (buffer_.len()) {
-      return;
-    }
-
-    // Check that the first byte is as requested.
-    if (content_type != kTlsHandshakeType) {
-      return;
-    }
-
-    TlsParser parser(data, len);
-    while (parser.remaining()) {
-      unsigned char message_type;
-      // Read the content type.
-      if (!parser.Read(&message_type)) {
-        // Malformed.
-        return;
-      }
-
-      // Read the record length.
-      uint32_t length;
-      if (!parser.Read(&length, 3)) {
-        // Malformed.
-        return;
-      }
-
-      if (adapter->mode() == DGRAM) {
-        // DTLS
-        uint32_t message_seq;
-        if (!parser.Read(&message_seq, 2)) {
-          return;
-        }
-
-        uint32_t fragment_offset;
-        if (!parser.Read(&fragment_offset, 3)) {
-          return;
-        }
-
-        uint32_t fragment_length;
-        if (!parser.Read(&fragment_length, 3)) {
-          return;
-        }
-
-        if ((fragment_offset != 0) || (fragment_length != length)) {
-          // This shouldn't happen because all current tests where we
-          // are using this code don't fragment.
-          return;
-        }
-      }
-
-      unsigned char* dest = nullptr;
-
-      if (message_type == handshake_type_) {
-        buffer_.Allocate(length);
-        dest = buffer_.data();
-      }
-
-      if (!parser.Read(dest, length)) {
-        // Malformed
-        return;
-      }
-
-      if (dest) return;
-    }
-  }
-
-  const DataBuffer& buffer() { return buffer_; }
-
- private:
-  uint8_t handshake_type_;
-  DataBuffer buffer_;
-};
-
 class TlsServerKeyExchangeECDHE {
  public:
-  bool Parse(const unsigned char* data, size_t len) {
-    TlsParser parser(data, len);
+  bool Parse(const DataBuffer& buffer) {
+    TlsParser parser(buffer);
 
     uint8_t curve_type;
     if (!parser.Read(&curve_type)) {
       return false;
     }
 
     if (curve_type != 3) {  // named_curve
       return false;
     }
 
     uint32_t named_curve;
     if (!parser.Read(&named_curve, 2)) {
       return false;
     }
 
-    uint32_t point_length;
-    if (!parser.Read(&point_length, 1)) {
-      return false;
-    }
-
-    public_key_.Allocate(point_length);
-    if (!parser.Read(public_key_.data(), point_length)) {
-      return false;
-    }
-
-    return true;
+    return parser.ReadVariable(&public_key_, 1);
   }
 
   DataBuffer public_key_;
 };
 
-class TlsAgent : public PollTarget {
- public:
-  enum Role { CLIENT, SERVER };
-  enum State { INIT, CONNECTING, CONNECTED, ERROR };
-
-  TlsAgent(const std::string& name, Role role, Mode mode)
-      : name_(name),
-        mode_(mode),
-        pr_fd_(nullptr),
-        adapter_(nullptr),
-        ssl_fd_(nullptr),
-        role_(role),
-        state_(INIT) {
-      memset(&info_, 0, sizeof(info_));
-      memset(&csinfo_, 0, sizeof(csinfo_));
-  }
-
-  ~TlsAgent() {
-    if (pr_fd_) {
-      PR_Close(pr_fd_);
-    }
-
-    if (ssl_fd_) {
-      PR_Close(ssl_fd_);
-    }
-  }
-
-  bool Init() {
-    pr_fd_ = DummyPrSocket::CreateFD(name_, mode_);
-    if (!pr_fd_) return false;
-
-    adapter_ = DummyPrSocket::GetAdapter(pr_fd_);
-    if (!adapter_) return false;
-
-    return true;
-  }
-
-  void SetPeer(TlsAgent* peer) { adapter_->SetPeer(peer->adapter_); }
-
-  void SetInspector(Inspector* inspector) { adapter_->SetInspector(inspector); }
-
-  void StartConnect() {
-    ASSERT_TRUE(EnsureTlsSetup());
-
-    SECStatus rv;
-    rv = SSL_ResetHandshake(ssl_fd_, role_ == SERVER ? PR_TRUE : PR_FALSE);
-    ASSERT_EQ(SECSuccess, rv);
-    SetState(CONNECTING);
-  }
-
-  void EnableSomeECDHECiphers() {
-    ASSERT_TRUE(EnsureTlsSetup());
-
-    const uint32_t EnabledCiphers[] = {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-                                       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA};
-
-    for (size_t i = 0; i < PR_ARRAY_SIZE(EnabledCiphers); ++i) {
-      SECStatus rv = SSL_CipherPrefSet(ssl_fd_, EnabledCiphers[i], PR_TRUE);
-      ASSERT_EQ(SECSuccess, rv);
-    }
-  }
-
-  bool EnsureTlsSetup() {
-    // Don't set up twice
-    if (ssl_fd_) return true;
-
-    if (adapter_->mode() == STREAM) {
-      ssl_fd_ = SSL_ImportFD(nullptr, pr_fd_);
-    } else {
-      ssl_fd_ = DTLS_ImportFD(nullptr, pr_fd_);
-    }
-
-    EXPECT_NE(nullptr, ssl_fd_);
-    if (!ssl_fd_) return false;
-    pr_fd_ = nullptr;
-
-    if (role_ == SERVER) {
-      CERTCertificate* cert = PK11_FindCertFromNickname(name_.c_str(), nullptr);
-      EXPECT_NE(nullptr, cert);
-      if (!cert) return false;
-
-      SECKEYPrivateKey* priv = PK11_FindKeyByAnyCert(cert, nullptr);
-      EXPECT_NE(nullptr, priv);
-      if (!priv) return false;  // Leak cert.
-
-      SECStatus rv = SSL_ConfigSecureServer(ssl_fd_, cert, priv, kt_rsa);
-      EXPECT_EQ(SECSuccess, rv);
-      if (rv != SECSuccess) return false;  // Leak cert and key.
-
-      SECKEY_DestroyPrivateKey(priv);
-      CERT_DestroyCertificate(cert);
-    } else {
-      SECStatus rv = SSL_SetURL(ssl_fd_, "server");
-      EXPECT_EQ(SECSuccess, rv);
-      if (rv != SECSuccess) return false;
-    }
-
-    SECStatus rv = SSL_AuthCertificateHook(ssl_fd_, AuthCertificateHook,
-                                           reinterpret_cast<void*>(this));
-    EXPECT_EQ(SECSuccess, rv);
-    if (rv != SECSuccess) return false;
-
-    return true;
-  }
-
-  void SetVersionRange(uint16_t minver, uint16_t maxver) {
-    SSLVersionRange range = {minver, maxver};
-    ASSERT_EQ(SECSuccess, SSL_VersionRangeSet(ssl_fd_, &range));
-  }
-
-  State state() const { return state_; }
-
-  const char* state_str() const { return state_str(state()); }
-
-  const char* state_str(State state) const { return states[state]; }
-
-  PRFileDesc* ssl_fd() { return ssl_fd_; }
-
-  bool version(uint16_t* version) const {
-    if (state_ != CONNECTED) return false;
-
-    *version = info_.protocolVersion;
-
-    return true;
-  }
-
-  bool cipher_suite(int16_t* cipher_suite) const {
-    if (state_ != CONNECTED) return false;
-
-    *cipher_suite = info_.cipherSuite;
-    return true;
-  }
-
-  std::string cipher_suite_name() const {
-    if (state_ != CONNECTED) return "UNKNOWN";
-
-    return csinfo_.cipherSuiteName;
-  }
-
-  void CheckKEAType(SSLKEAType type) const {
-    ASSERT_EQ(CONNECTED, state_);
-    ASSERT_EQ(type, csinfo_.keaType);
-  }
-
-  void CheckVersion(uint16_t version) const {
-    ASSERT_EQ(CONNECTED, state_);
-    ASSERT_EQ(version, info_.protocolVersion);
-  }
-
-
-  void Handshake() {
-    SECStatus rv = SSL_ForceHandshake(ssl_fd_);
-    if (rv == SECSuccess) {
-      LOG("Handshake success");
-      SECStatus rv = SSL_GetChannelInfo(ssl_fd_, &info_, sizeof(info_));
-      ASSERT_EQ(SECSuccess, rv);
-
-      rv = SSL_GetCipherSuiteInfo(info_.cipherSuite, &csinfo_, sizeof(csinfo_));
-      ASSERT_EQ(SECSuccess, rv);
-
-      SetState(CONNECTED);
-      return;
-    }
-
-    int32_t err = PR_GetError();
-    switch (err) {
-      case PR_WOULD_BLOCK_ERROR:
-        LOG("Would have blocked");
-        // TODO(ekr@rtfm.com): set DTLS timeouts
-        Poller::Instance()->Wait(READABLE_EVENT, adapter_, this,
-                                 &TlsAgent::ReadableCallback);
-        return;
-        break;
-
-      // TODO(ekr@rtfm.com): needs special case for DTLS
-      case SSL_ERROR_RX_MALFORMED_HANDSHAKE:
-      default:
-        LOG("Handshake failed with error " << err);
-        SetState(ERROR);
-        return;
-    }
-  }
-
-  std::vector<uint8_t> GetSessionId() {
-    return std::vector<uint8_t>(info_.sessionID,
-                                info_.sessionID + info_.sessionIDLength);
-  }
-
-  void ConfigureSessionCache(SessionResumptionMode mode) {
-    ASSERT_TRUE(EnsureTlsSetup());
-
-    SECStatus rv = SSL_OptionSet(ssl_fd_,
-                                 SSL_NO_CACHE,
-                                 mode & RESUME_SESSIONID ?
-                                 PR_FALSE : PR_TRUE);
-    ASSERT_EQ(SECSuccess, rv);
-
-    rv = SSL_OptionSet(ssl_fd_,
-                       SSL_ENABLE_SESSION_TICKETS,
-                       mode & RESUME_TICKET ?
-                       PR_TRUE : PR_FALSE);
-    ASSERT_EQ(SECSuccess, rv);
-  }
-
- private:
-  const static char* states[];
-
-  void SetState(State state) {
-    if (state_ == state) return;
-
-    LOG("Changing state from " << state_str(state_) << " to "
-                               << state_str(state));
-    state_ = state;
-  }
-
-  // Dummy auth certificate hook.
-  static SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd,
-                                       PRBool checksig, PRBool isServer) {
-    return SECSuccess;
-  }
-
-  static void ReadableCallback(PollTarget* self, Event event) {
-    TlsAgent* agent = static_cast<TlsAgent*>(self);
-    agent->ReadableCallback_int(event);
-  }
-
-  void ReadableCallback_int(Event event) {
-    LOG("Readable");
-    Handshake();
-  }
-
-  const std::string name_;
-  Mode mode_;
-  PRFileDesc* pr_fd_;
-  DummyPrSocket* adapter_;
-  PRFileDesc* ssl_fd_;
-  Role role_;
-  State state_;
-  SSLChannelInfo info_;
-  SSLCipherSuiteInfo csinfo_;
-};
-
-const char* TlsAgent::states[] = {"INIT", "CONNECTING", "CONNECTED", "ERROR"};
-
-class TlsConnectTestBase : public ::testing::Test {
- public:
-  TlsConnectTestBase(Mode mode)
-      : mode_(mode),
-        client_(new TlsAgent("client", TlsAgent::CLIENT, mode_)),
-        server_(new TlsAgent("server", TlsAgent::SERVER, mode_)) {}
-
-  ~TlsConnectTestBase() {
-    delete client_;
-    delete server_;
-  }
-
-  void SetUp() {
-    // Configure a fresh session cache.
-    SSL_ConfigServerSessionIDCache(1024, 0, 0, g_working_dir_path.c_str());
-
-    // Clear statistics.
-    SSL3Statistics* stats = SSL_GetStatistics();
-    memset(stats, 0, sizeof(*stats));
-
-    Init();
-  }
-
-  void TearDown() {
-    client_ = nullptr;
-    server_ = nullptr;
-
-    SSL_ClearSessionCache();
-    SSL_ShutdownServerSessionIDCache();
-  }
-
-  void Init() {
-    ASSERT_TRUE(client_->Init());
-    ASSERT_TRUE(server_->Init());
-
-    client_->SetPeer(server_);
-    server_->SetPeer(client_);
-  }
-
-  void Reset() {
-    delete client_;
-    delete server_;
-
-    client_ = new TlsAgent("client", TlsAgent::CLIENT, mode_);
-    server_ = new TlsAgent("server", TlsAgent::SERVER, mode_);
-
-    Init();
-  }
-
-  void EnsureTlsSetup() {
-    ASSERT_TRUE(client_->EnsureTlsSetup());
-    ASSERT_TRUE(server_->EnsureTlsSetup());
-  }
-
-  void Connect() {
-    server_->StartConnect();  // Server
-    client_->StartConnect();  // Client
-    client_->Handshake();
-    server_->Handshake();
-
-    ASSERT_TRUE_WAIT(client_->state() != TlsAgent::CONNECTING &&
-                         server_->state() != TlsAgent::CONNECTING,
-                     5000);
-    ASSERT_EQ(TlsAgent::CONNECTED, server_->state());
-
-    int16_t cipher_suite1, cipher_suite2;
-    bool ret = client_->cipher_suite(&cipher_suite1);
-    ASSERT_TRUE(ret);
-    ret = server_->cipher_suite(&cipher_suite2);
-    ASSERT_TRUE(ret);
-    ASSERT_EQ(cipher_suite1, cipher_suite2);
-
-    std::cerr << "Connected with cipher suite " << client_->cipher_suite_name()
-              << std::endl;
-
-    // Check and store session ids.
-    std::vector<uint8_t> sid_c1 = client_->GetSessionId();
-    ASSERT_EQ(32, sid_c1.size());
-    std::vector<uint8_t> sid_s1 = server_->GetSessionId();
-    ASSERT_EQ(32, sid_s1.size());
-    ASSERT_EQ(sid_c1, sid_s1);
-    session_ids_.push_back(sid_c1);
-  }
-
-  void EnableSomeECDHECiphers() {
-    client_->EnableSomeECDHECiphers();
-    server_->EnableSomeECDHECiphers();
-  }
-
-  void ConfigureSessionCache(SessionResumptionMode client,
-                             SessionResumptionMode server) {
-    client_->ConfigureSessionCache(client);
-    server_->ConfigureSessionCache(server);
-  }
-
-  void CheckResumption(SessionResumptionMode expected) {
-    ASSERT_NE(RESUME_BOTH, expected);
-
-    int resume_ct = expected != 0;
-    int stateless_ct = (expected & RESUME_TICKET) ? 1 : 0;
-
-    SSL3Statistics* stats = SSL_GetStatistics();
-    ASSERT_EQ(resume_ct, stats->hch_sid_cache_hits);
-    ASSERT_EQ(resume_ct, stats->hsh_sid_cache_hits);
-
-    ASSERT_EQ(stateless_ct, stats->hch_sid_stateless_resumes);
-    ASSERT_EQ(stateless_ct, stats->hsh_sid_stateless_resumes);
-
-    if (resume_ct) {
-      // Check that the last two session ids match.
-      ASSERT_GE(2, session_ids_.size());
-      ASSERT_EQ(session_ids_[session_ids_.size()-1],
-                session_ids_[session_ids_.size()-2]);
-    }
-  }
-
- protected:
-  Mode mode_;
-  TlsAgent* client_;
-  TlsAgent* server_;
-  std::vector<std::vector<uint8_t>> session_ids_;
-};
-
-class TlsConnectTest : public TlsConnectTestBase {
- public:
-  TlsConnectTest() : TlsConnectTestBase(STREAM) {}
-};
-
-class DtlsConnectTest : public TlsConnectTestBase {
- public:
-  DtlsConnectTest() : TlsConnectTestBase(DGRAM) {}
-};
-
-class TlsConnectGeneric : public TlsConnectTestBase,
-                          public ::testing::WithParamInterface<std::string> {
- public:
-  TlsConnectGeneric()
-      : TlsConnectTestBase((GetParam() == "TLS") ? STREAM : DGRAM) {
-    std::cerr << "Variant: " << GetParam() << std::endl;
-  }
-};
-
 TEST_P(TlsConnectGeneric, SetupOnly) {}
 
 TEST_P(TlsConnectGeneric, Connect) {
   Connect();
 
   // Check that we negotiated the expected version.
   if (mode_ == STREAM) {
     client_->CheckVersion(SSL_LIBRARY_VERSION_TLS_1_0);
@@ -724,78 +170,91 @@ TEST_P(TlsConnectGeneric, ConnectTLS_1_2
   client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
                            SSL_LIBRARY_VERSION_TLS_1_2);
   server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
                            SSL_LIBRARY_VERSION_TLS_1_2);
   Connect();
   client_->CheckVersion(SSL_LIBRARY_VERSION_TLS_1_2);
 }
 
+TEST_P(TlsConnectGeneric, ConnectAlpn) {
+  EnableAlpn();
+  Connect();
+  client_->CheckAlpn(SSL_NEXT_PROTO_SELECTED, "a");
+  server_->CheckAlpn(SSL_NEXT_PROTO_NEGOTIATED, "a");
+}
+
+TEST_F(DtlsConnectTest, ConnectSrtp) {
+  EnableSrtp();
+  Connect();
+  CheckSrtp();
+}
+
 TEST_F(TlsConnectTest, ConnectECDHE) {
   EnableSomeECDHECiphers();
   Connect();
   client_->CheckKEAType(ssl_kea_ecdh);
 }
 
 TEST_F(TlsConnectTest, ConnectECDHETwiceReuseKey) {
   EnableSomeECDHECiphers();
   TlsInspectorRecordHandshakeMessage* i1 =
       new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
-  server_->SetInspector(i1);
+  server_->SetPacketFilter(i1);
   Connect();
   client_->CheckKEAType(ssl_kea_ecdh);
   TlsServerKeyExchangeECDHE dhe1;
-  ASSERT_TRUE(dhe1.Parse(i1->buffer().data(), i1->buffer().len()));
+  ASSERT_TRUE(dhe1.Parse(i1->buffer()));
 
   // Restart
   Reset();
   TlsInspectorRecordHandshakeMessage* i2 =
       new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
-  server_->SetInspector(i2);
+  server_->SetPacketFilter(i2);
   EnableSomeECDHECiphers();
   ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
   Connect();
   client_->CheckKEAType(ssl_kea_ecdh);
 
   TlsServerKeyExchangeECDHE dhe2;
-  ASSERT_TRUE(dhe2.Parse(i2->buffer().data(), i2->buffer().len()));
+  ASSERT_TRUE(dhe2.Parse(i2->buffer()));
 
   // Make sure they are the same.
   ASSERT_EQ(dhe1.public_key_.len(), dhe2.public_key_.len());
   ASSERT_TRUE(!memcmp(dhe1.public_key_.data(), dhe2.public_key_.data(),
                       dhe1.public_key_.len()));
 }
 
 TEST_F(TlsConnectTest, ConnectECDHETwiceNewKey) {
   EnableSomeECDHECiphers();
   SECStatus rv =
       SSL_OptionSet(server_->ssl_fd(), SSL_REUSE_SERVER_ECDHE_KEY, PR_FALSE);
   ASSERT_EQ(SECSuccess, rv);
   TlsInspectorRecordHandshakeMessage* i1 =
       new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
-  server_->SetInspector(i1);
+  server_->SetPacketFilter(i1);
   Connect();
   client_->CheckKEAType(ssl_kea_ecdh);
   TlsServerKeyExchangeECDHE dhe1;
-  ASSERT_TRUE(dhe1.Parse(i1->buffer().data(), i1->buffer().len()));
+  ASSERT_TRUE(dhe1.Parse(i1->buffer()));
 
   // Restart
   Reset();
   EnableSomeECDHECiphers();
   rv = SSL_OptionSet(server_->ssl_fd(), SSL_REUSE_SERVER_ECDHE_KEY, PR_FALSE);
   ASSERT_EQ(SECSuccess, rv);
   TlsInspectorRecordHandshakeMessage* i2 =
       new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
-  server_->SetInspector(i2);
+  server_->SetPacketFilter(i2);
   ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
   Connect();
   client_->CheckKEAType(ssl_kea_ecdh);
 
   TlsServerKeyExchangeECDHE dhe2;
-  ASSERT_TRUE(dhe2.Parse(i2->buffer().data(), i2->buffer().len()));
+  ASSERT_TRUE(dhe2.Parse(i2->buffer()));
 
   // Make sure they are different.
   ASSERT_FALSE((dhe1.public_key_.len() == dhe2.public_key_.len()) &&
                (!memcmp(dhe1.public_key_.data(), dhe2.public_key_.data(),
                         dhe1.public_key_.len())));
 }
 
 INSTANTIATE_TEST_CASE_P(Variants, TlsConnectGeneric,
--- a/security/nss/external_tests/ssl_gtest/test_io.cc
+++ b/security/nss/external_tests/ssl_gtest/test_io.cc
@@ -1,50 +1,53 @@
 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* vim: set ts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#include <assert.h>
+#include "test_io.h"
 
+#include <algorithm>
+#include <cassert>
 #include <iostream>
 #include <memory>
 
 #include "prerror.h"
-#include "prio.h"
 #include "prlog.h"
 #include "prthread.h"
 
-#include "test_io.h"
+#include "databuffer.h"
 
 namespace nss_test {
 
 static PRDescIdentity test_fd_identity = PR_INVALID_IO_LAYER;
 
-#define UNIMPLEMENTED()                                                 \
-  fprintf(stderr, "Call to unimplemented function %s\n", __FUNCTION__); \
-  PR_ASSERT(PR_FALSE);                                                  \
+#define UNIMPLEMENTED()                          \
+  std::cerr << "Call to unimplemented function " \
+            << __FUNCTION__ << std::endl;        \
+  PR_ASSERT(PR_FALSE);                           \
   PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0)
 
 #define LOG(a) std::cerr << name_ << ": " << a << std::endl;
 
-struct Packet {
-  Packet() : data_(nullptr), len_(0), offset_(0) {}
+class Packet : public DataBuffer {
+ public:
+  Packet(const DataBuffer& buf) : DataBuffer(buf), offset_(0) {}
 
-  void Assign(const void *data, int32_t len) {
-    data_ = new uint8_t[len];
-    memcpy(data_, data, len);
-    len_ = len;
+  void Advance(size_t delta) {
+    PR_ASSERT(offset_ + delta <= len());
+    offset_ = std::min(len(), offset_ + delta);
   }
 
-  ~Packet() { delete data_; }
-  uint8_t *data_;
-  int32_t len_;
-  int32_t offset_;
+  size_t offset() const { return offset_; }
+  size_t remaining() const { return len() - offset_; }
+
+ private:
+  size_t offset_;
 };
 
 // Implementation of NSPR methods
 static PRStatus DummyClose(PRFileDesc *f) {
   f->secret = nullptr;
   return PR_SUCCESS;
 }
 
@@ -241,16 +244,26 @@ static PRStatus DummyConnectContinue(PRF
   return PR_FAILURE;
 }
 
 static int32_t DummyReserved(PRFileDesc *f) {
   UNIMPLEMENTED();
   return -1;
 }
 
+DummyPrSocket::~DummyPrSocket() {
+  delete filter_;
+  while (!input_.empty())
+  {
+    Packet* front = input_.front();
+    input_.pop();
+    delete front;
+  }
+}
+
 static const struct PRIOMethods DummyMethods = {
     PR_DESC_LAYERED,  DummyClose,           DummyRead,
     DummyWrite,       DummyAvailable,       DummyAvailable64,
     DummySync,        DummySeek,            DummySeek64,
     DummyFileInfo,    DummyFileInfo64,      DummyWritev,
     DummyConnect,     DummyAccept,          DummyBind,
     DummyListen,      DummyShutdown,        DummyRecv,
     DummySend,        DummyRecvfrom,        DummySendto,
@@ -270,19 +283,18 @@ PRFileDesc *DummyPrSocket::CreateFD(cons
 
   return fd;
 }
 
 DummyPrSocket *DummyPrSocket::GetAdapter(PRFileDesc *fd) {
   return reinterpret_cast<DummyPrSocket *>(fd->secret);
 }
 
-void DummyPrSocket::PacketReceived(const void *data, int32_t len) {
-  input_.push(new Packet());
-  input_.back()->Assign(data, len);
+void DummyPrSocket::PacketReceived(const DataBuffer& packet) {
+  input_.push(new Packet(packet));
 }
 
 int32_t DummyPrSocket::Read(void *data, int32_t len) {
   PR_ASSERT(mode_ == STREAM);
 
   if (mode_ != STREAM) {
     PR_SetError(PR_INVALID_METHOD_ERROR, 0);
     return -1;
@@ -290,68 +302,80 @@ int32_t DummyPrSocket::Read(void *data, 
 
   if (input_.empty()) {
     LOG("Read --> wouldblock " << len);
     PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
     return -1;
   }
 
   Packet *front = input_.front();
-  int32_t to_read = std::min(len, front->len_ - front->offset_);
-  memcpy(data, front->data_ + front->offset_, to_read);
-  front->offset_ += to_read;
+  size_t to_read = std::min(static_cast<size_t>(len),
+                            front->len() - front->offset());
+  memcpy(data, static_cast<const void*>(front->data() + front->offset()),
+         to_read);
+  front->Advance(to_read);
 
-  if (front->offset_ == front->len_) {
+  if (!front->remaining()) {
     input_.pop();
     delete front;
   }
 
-  return to_read;
+  return static_cast<int32_t>(to_read);
 }
 
 int32_t DummyPrSocket::Recv(void *buf, int32_t buflen) {
   if (input_.empty()) {
     PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
     return -1;
   }
 
   Packet *front = input_.front();
-  if (buflen < front->len_) {
+  if (buflen < front->len()) {
     PR_ASSERT(false);
     PR_SetError(PR_BUFFER_OVERFLOW_ERROR, 0);
     return -1;
   }
 
-  int32_t count = front->len_;
-  memcpy(buf, front->data_, count);
+  size_t count = front->len();
+  memcpy(buf, front->data(), count);
 
   input_.pop();
   delete front;
 
-  return count;
+  return static_cast<int32_t>(count);
 }
 
 int32_t DummyPrSocket::Write(const void *buf, int32_t length) {
-  if (inspector_) {
-    inspector_->Inspect(this, buf, length);
+  DataBuffer packet(static_cast<const uint8_t*>(buf),
+                    static_cast<size_t>(length));
+  if (filter_) {
+    DataBuffer filtered;
+    if (filter_->Filter(packet, &filtered)) {
+      if (WriteDirect(filtered) != filtered.len()) {
+        PR_SetError(PR_IO_ERROR, 0);
+        return -1;
+      }
+      LOG("Wrote: " << packet);
+      // libssl can't handle if this reports something other than the length of
+      // what was passed in (or less, but we're not doing partial writes).
+      return packet.len();
+    }
   }
 
-  return WriteDirect(buf, length);
+  return WriteDirect(packet);
 }
 
-int32_t DummyPrSocket::WriteDirect(const void *buf, int32_t length) {
+int32_t DummyPrSocket::WriteDirect(const DataBuffer& packet) {
   if (!peer_) {
     PR_SetError(PR_IO_ERROR, 0);
     return -1;
   }
 
-  LOG("Wrote " << length);
-
-  peer_->PacketReceived(buf, length);
-  return length;
+  peer_->PacketReceived(packet);
+  return static_cast<int32_t>(packet.len()); // ignore truncation
 }
 
 Poller *Poller::instance;
 
 Poller *Poller::Instance() {
   if (!instance) instance = new Poller();
 
   return instance;
--- a/security/nss/external_tests/ssl_gtest/test_io.h
+++ b/security/nss/external_tests/ssl_gtest/test_io.h
@@ -8,67 +8,74 @@
 #define test_io_h_
 
 #include <string.h>
 #include <map>
 #include <memory>
 #include <queue>
 #include <string>
 
+#include "prio.h"
+
 namespace nss_test {
 
-struct Packet;
+class DataBuffer;
+class Packet;
 class DummyPrSocket;  // Fwd decl.
 
 // Allow us to inspect a packet before it is written.
-class Inspector {
+class PacketFilter {
  public:
-  virtual ~Inspector() {}
+  virtual ~PacketFilter() {}
 
-  virtual void Inspect(DummyPrSocket* adapter, const void* data,
-                       size_t len) = 0;
+  // The packet filter takes input and has the option of mutating it.
+  //
+  // A filter that modifies the data places the modified data in *output and
+  // returns true.  A filter that does not modify data returns false, in which
+  // case the value in *output is ignored.
+  virtual bool Filter(const DataBuffer& input, DataBuffer* output) = 0;
 };
 
 enum Mode { STREAM, DGRAM };
 
 class DummyPrSocket {
  public:
-  ~DummyPrSocket() { delete inspector_; }
+  ~DummyPrSocket();
 
   static PRFileDesc* CreateFD(const std::string& name,
                               Mode mode);  // Returns an FD.
   static DummyPrSocket* GetAdapter(PRFileDesc* fd);
 
   void SetPeer(DummyPrSocket* peer) { peer_ = peer; }
 
-  void SetInspector(Inspector* inspector) { inspector_ = inspector; }
+  void SetPacketFilter(PacketFilter* filter) { filter_ = filter; }
 
-  void PacketReceived(const void* data, int32_t len);
+  void PacketReceived(const DataBuffer& data);
   int32_t Read(void* data, int32_t len);
   int32_t Recv(void* buf, int32_t buflen);
   int32_t Write(const void* buf, int32_t length);
-  int32_t WriteDirect(const void* buf, int32_t length);
+  int32_t WriteDirect(const DataBuffer& data);
 
   Mode mode() const { return mode_; }
-  bool readable() { return !input_.empty(); }
+  bool readable() const { return !input_.empty(); }
   bool writable() { return true; }
 
  private:
   DummyPrSocket(const std::string& name, Mode mode)
       : name_(name),
         mode_(mode),
         peer_(nullptr),
         input_(),
-        inspector_(nullptr) {}
+        filter_(nullptr) {}
 
   const std::string name_;
   Mode mode_;
   DummyPrSocket* peer_;
   std::queue<Packet*> input_;
-  Inspector* inspector_;
+  PacketFilter* filter_;
 };
 
 // Marker interface.
 class PollTarget {};
 
 enum Event { READABLE_EVENT, TIMER_EVENT /* Must be last */ };
 
 typedef void (*PollCallback)(PollTarget*, Event);
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/ssl_gtest/tls_agent.cc
@@ -0,0 +1,208 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "tls_agent.h"
+
+#include "pk11func.h"
+#include "ssl.h"
+#include "sslerr.h"
+#include "sslproto.h"
+#include "keyhi.h"
+
+#define GTEST_HAS_RTTI 0
+#include "gtest/gtest.h"
+
+namespace nss_test {
+
+const char* TlsAgent::states[] = {"INIT", "CONNECTING", "CONNECTED", "ERROR"};
+
+bool TlsAgent::EnsureTlsSetup() {
+  // Don't set up twice
+  if (ssl_fd_) return true;
+
+  if (adapter_->mode() == STREAM) {
+    ssl_fd_ = SSL_ImportFD(nullptr, pr_fd_);
+  } else {
+    ssl_fd_ = DTLS_ImportFD(nullptr, pr_fd_);
+  }
+
+  EXPECT_NE(nullptr, ssl_fd_);
+  if (!ssl_fd_) return false;
+  pr_fd_ = nullptr;
+
+  if (role_ == SERVER) {
+    CERTCertificate* cert = PK11_FindCertFromNickname(name_.c_str(), nullptr);
+    EXPECT_NE(nullptr, cert);
+    if (!cert) return false;
+
+    SECKEYPrivateKey* priv = PK11_FindKeyByAnyCert(cert, nullptr);
+    EXPECT_NE(nullptr, priv);
+    if (!priv) return false;  // Leak cert.
+
+    SECStatus rv = SSL_ConfigSecureServer(ssl_fd_, cert, priv, kt_rsa);
+    EXPECT_EQ(SECSuccess, rv);
+    if (rv != SECSuccess) return false;  // Leak cert and key.
+
+    SECKEY_DestroyPrivateKey(priv);
+    CERT_DestroyCertificate(cert);
+
+    rv = SSL_SNISocketConfigHook(ssl_fd_, SniHook,
+                                 reinterpret_cast<void*>(this));
+    EXPECT_EQ(SECSuccess, rv);  // don't abort, just fail
+  } else {
+    SECStatus rv = SSL_SetURL(ssl_fd_, "server");
+    EXPECT_EQ(SECSuccess, rv);
+    if (rv != SECSuccess) return false;
+  }
+
+  SECStatus rv = SSL_AuthCertificateHook(ssl_fd_, AuthCertificateHook,
+                                         reinterpret_cast<void*>(this));
+  EXPECT_EQ(SECSuccess, rv);
+  if (rv != SECSuccess) return false;
+
+  return true;
+}
+
+void TlsAgent::StartConnect() {
+  ASSERT_TRUE(EnsureTlsSetup());
+
+  SECStatus rv;
+  rv = SSL_ResetHandshake(ssl_fd_, role_ == SERVER ? PR_TRUE : PR_FALSE);
+  ASSERT_EQ(SECSuccess, rv);
+  SetState(CONNECTING);
+}
+
+void TlsAgent::EnableSomeECDHECiphers() {
+  ASSERT_TRUE(EnsureTlsSetup());
+
+  const uint32_t EnabledCiphers[] = {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+                                     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA};
+
+  for (size_t i = 0; i < PR_ARRAY_SIZE(EnabledCiphers); ++i) {
+    SECStatus rv = SSL_CipherPrefSet(ssl_fd_, EnabledCiphers[i], PR_TRUE);
+    ASSERT_EQ(SECSuccess, rv);
+  }
+}
+
+void TlsAgent::SetSessionTicketsEnabled(bool en) {
+  ASSERT_TRUE(EnsureTlsSetup());
+
+  SECStatus rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_SESSION_TICKETS,
+                               en ? PR_TRUE : PR_FALSE);
+  ASSERT_EQ(SECSuccess, rv);
+}
+
+void TlsAgent::SetSessionCacheEnabled(bool en) {
+  ASSERT_TRUE(EnsureTlsSetup());
+
+  SECStatus rv = SSL_OptionSet(ssl_fd_, SSL_NO_CACHE,
+                               en ? PR_FALSE : PR_TRUE);
+  ASSERT_EQ(SECSuccess, rv);
+}
+
+void TlsAgent::SetVersionRange(uint16_t minver, uint16_t maxver) {
+  SSLVersionRange range = {minver, maxver};
+  ASSERT_EQ(SECSuccess, SSL_VersionRangeSet(ssl_fd_, &range));
+}
+
+void TlsAgent::CheckKEAType(SSLKEAType type) const {
+  ASSERT_EQ(CONNECTED, state_);
+  ASSERT_EQ(type, csinfo_.keaType);
+}
+
+void TlsAgent::CheckVersion(uint16_t version) const {
+  ASSERT_EQ(CONNECTED, state_);
+  ASSERT_EQ(version, info_.protocolVersion);
+}
+
+void TlsAgent::EnableAlpn(const uint8_t* val, size_t len) {
+  ASSERT_TRUE(EnsureTlsSetup());
+
+  ASSERT_EQ(SECSuccess, SSL_OptionSet(ssl_fd_, SSL_ENABLE_ALPN, PR_TRUE));
+  ASSERT_EQ(SECSuccess, SSL_SetNextProtoNego(ssl_fd_, val, len));
+}
+
+void TlsAgent::CheckAlpn(SSLNextProtoState expected_state,
+                         const std::string& expected) {
+  SSLNextProtoState state;
+  char chosen[10];
+  unsigned int chosen_len;
+  SECStatus rv = SSL_GetNextProto(ssl_fd_, &state,
+                                  reinterpret_cast<unsigned char*>(chosen),
+                                  &chosen_len, sizeof(chosen));
+  ASSERT_EQ(SECSuccess, rv);
+  ASSERT_EQ(expected_state, state);
+  ASSERT_EQ(expected, std::string(chosen, chosen_len));
+}
+
+void TlsAgent::EnableSrtp() {
+  ASSERT_TRUE(EnsureTlsSetup());
+  const uint16_t ciphers[] = {
+    SRTP_AES128_CM_HMAC_SHA1_80, SRTP_AES128_CM_HMAC_SHA1_32
+  };
+  ASSERT_EQ(SECSuccess, SSL_SetSRTPCiphers(ssl_fd_, ciphers,
+                                           PR_ARRAY_SIZE(ciphers)));
+
+}
+
+void TlsAgent::CheckSrtp() {
+  uint16_t actual;
+  ASSERT_EQ(SECSuccess, SSL_GetSRTPCipher(ssl_fd_, &actual));
+  ASSERT_EQ(SRTP_AES128_CM_HMAC_SHA1_80, actual);
+}
+
+
+void TlsAgent::Handshake() {
+  SECStatus rv = SSL_ForceHandshake(ssl_fd_);
+  if (rv == SECSuccess) {
+    LOG("Handshake success");
+    SECStatus rv = SSL_GetChannelInfo(ssl_fd_, &info_, sizeof(info_));
+    ASSERT_EQ(SECSuccess, rv);
+
+    rv = SSL_GetCipherSuiteInfo(info_.cipherSuite, &csinfo_, sizeof(csinfo_));
+    ASSERT_EQ(SECSuccess, rv);
+
+    SetState(CONNECTED);
+    return;
+  }
+
+  int32_t err = PR_GetError();
+  switch (err) {
+    case PR_WOULD_BLOCK_ERROR:
+      LOG("Would have blocked");
+      // TODO(ekr@rtfm.com): set DTLS timeouts
+      Poller::Instance()->Wait(READABLE_EVENT, adapter_, this,
+                               &TlsAgent::ReadableCallback);
+      return;
+      break;
+
+      // TODO(ekr@rtfm.com): needs special case for DTLS
+    case SSL_ERROR_RX_MALFORMED_HANDSHAKE:
+    default:
+      LOG("Handshake failed with error " << err);
+      SetState(ERROR);
+      return;
+  }
+}
+
+void TlsAgent::ConfigureSessionCache(SessionResumptionMode mode) {
+  ASSERT_TRUE(EnsureTlsSetup());
+
+  SECStatus rv = SSL_OptionSet(ssl_fd_,
+                               SSL_NO_CACHE,
+                               mode & RESUME_SESSIONID ?
+                               PR_FALSE : PR_TRUE);
+  ASSERT_EQ(SECSuccess, rv);
+
+  rv = SSL_OptionSet(ssl_fd_,
+                     SSL_ENABLE_SESSION_TICKETS,
+                     mode & RESUME_TICKET ?
+                     PR_TRUE : PR_FALSE);
+  ASSERT_EQ(SECSuccess, rv);
+}
+
+
+} // namespace nss_test
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/ssl_gtest/tls_agent.h
@@ -0,0 +1,170 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef tls_agent_h_
+#define tls_agent_h_
+
+#include "prio.h"
+#include "ssl.h"
+
+#include <iostream>
+
+#include "test_io.h"
+
+namespace nss_test {
+
+#define LOG(msg) std::cerr << name_ << ": " << msg << std::endl
+
+enum SessionResumptionMode {
+  RESUME_NONE = 0,
+  RESUME_SESSIONID = 1,
+  RESUME_TICKET = 2,
+  RESUME_BOTH = RESUME_SESSIONID | RESUME_TICKET
+};
+
+class TlsAgent : public PollTarget {
+ public:
+  enum Role { CLIENT, SERVER };
+  enum State { INIT, CONNECTING, CONNECTED, ERROR };
+
+  TlsAgent(const std::string& name, Role role, Mode mode)
+      : name_(name),
+        mode_(mode),
+        pr_fd_(nullptr),
+        adapter_(nullptr),
+        ssl_fd_(nullptr),
+        role_(role),
+        state_(INIT) {
+      memset(&info_, 0, sizeof(info_));
+      memset(&csinfo_, 0, sizeof(csinfo_));
+  }
+
+  ~TlsAgent() {
+    if (pr_fd_) {
+      PR_Close(pr_fd_);
+    }
+
+    if (ssl_fd_) {
+      PR_Close(ssl_fd_);
+    }
+  }
+
+  bool Init() {
+    pr_fd_ = DummyPrSocket::CreateFD(name_, mode_);
+    if (!pr_fd_) return false;
+
+    adapter_ = DummyPrSocket::GetAdapter(pr_fd_);
+    if (!adapter_) return false;
+
+    return true;
+  }
+
+  void SetPeer(TlsAgent* peer) { adapter_->SetPeer(peer->adapter_); }
+
+  void SetPacketFilter(PacketFilter* filter) {
+    adapter_->SetPacketFilter(filter);
+  }
+
+
+  void StartConnect();
+  void CheckKEAType(SSLKEAType type) const;
+  void CheckVersion(uint16_t version) const;
+
+  void Handshake();
+  void EnableSomeECDHECiphers();
+  bool EnsureTlsSetup();
+
+  void ConfigureSessionCache(SessionResumptionMode mode);
+  void SetSessionTicketsEnabled(bool en);
+  void SetSessionCacheEnabled(bool en);
+  void SetVersionRange(uint16_t minver, uint16_t maxver);
+  void EnableAlpn(const uint8_t* val, size_t len);
+  void CheckAlpn(SSLNextProtoState expected_state,
+                 const std::string& expected);
+  void EnableSrtp();
+  void CheckSrtp();
+
+  State state() const { return state_; }
+
+  const char* state_str() const { return state_str(state()); }
+
+  const char* state_str(State state) const { return states[state]; }
+
+  PRFileDesc* ssl_fd() { return ssl_fd_; }
+
+  bool version(uint16_t* version) const {
+    if (state_ != CONNECTED) return false;
+
+    *version = info_.protocolVersion;
+
+    return true;
+  }
+
+  bool cipher_suite(int16_t* cipher_suite) const {
+    if (state_ != CONNECTED) return false;
+
+    *cipher_suite = info_.cipherSuite;
+    return true;
+  }
+
+  std::string cipher_suite_name() const {
+    if (state_ != CONNECTED) return "UNKNOWN";
+
+    return csinfo_.cipherSuiteName;
+  }
+
+  std::vector<uint8_t> session_id() const {
+    return std::vector<uint8_t>(info_.sessionID,
+                                info_.sessionID + info_.sessionIDLength);
+  }
+
+ private:
+  const static char* states[];
+
+  void SetState(State state) {
+    if (state_ == state) return;
+
+    LOG("Changing state from " << state_str(state_) << " to "
+                               << state_str(state));
+    state_ = state;
+  }
+
+  // Dummy auth certificate hook.
+  static SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd,
+                                       PRBool checksig, PRBool isServer) {
+    return SECSuccess;
+  }
+
+  static void ReadableCallback(PollTarget* self, Event event) {
+    TlsAgent* agent = static_cast<TlsAgent*>(self);
+    agent->ReadableCallback_int();
+  }
+
+  void ReadableCallback_int() {
+    LOG("Readable");
+    Handshake();
+  }
+
+  static PRInt32 SniHook(PRFileDesc *fd, const SECItem *srvNameArr,
+                         PRUint32 srvNameArrSize,
+                         void *arg) {
+    return SSL_SNI_CURRENT_CONFIG_IS_USED;
+  }
+
+  const std::string name_;
+  Mode mode_;
+  PRFileDesc* pr_fd_;
+  DummyPrSocket* adapter_;
+  PRFileDesc* ssl_fd_;
+  Role role_;
+  State state_;
+  SSLChannelInfo info_;
+  SSLCipherSuiteInfo csinfo_;
+};
+
+}  // namespace nss_test
+
+#endif
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/ssl_gtest/tls_connect.cc
@@ -0,0 +1,170 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "tls_connect.h"
+
+#include <iostream>
+
+#include "gtest_utils.h"
+
+extern std::string g_working_dir_path;
+
+namespace nss_test {
+
+TlsConnectTestBase::TlsConnectTestBase(Mode mode)
+      : mode_(mode),
+        client_(new TlsAgent("client", TlsAgent::CLIENT, mode_)),
+        server_(new TlsAgent("server", TlsAgent::SERVER, mode_)) {}
+
+TlsConnectTestBase::~TlsConnectTestBase() {
+  delete client_;
+  delete server_;
+}
+
+void TlsConnectTestBase::SetUp() {
+  // Configure a fresh session cache.
+  SSL_ConfigServerSessionIDCache(1024, 0, 0, g_working_dir_path.c_str());
+
+  // Clear statistics.
+  SSL3Statistics* stats = SSL_GetStatistics();
+  memset(stats, 0, sizeof(*stats));
+
+  Init();
+}
+
+void TlsConnectTestBase::TearDown() {
+  client_ = nullptr;
+  server_ = nullptr;
+
+  SSL_ClearSessionCache();
+  SSL_ShutdownServerSessionIDCache();
+}
+
+void TlsConnectTestBase::Init() {
+  ASSERT_TRUE(client_->Init());
+  ASSERT_TRUE(server_->Init());
+
+  client_->SetPeer(server_);
+  server_->SetPeer(client_);
+}
+
+void TlsConnectTestBase::Reset() {
+  delete client_;
+  delete server_;
+
+  client_ = new TlsAgent("client", TlsAgent::CLIENT, mode_);
+  server_ = new TlsAgent("server", TlsAgent::SERVER, mode_);
+
+  Init();
+}
+
+void TlsConnectTestBase::EnsureTlsSetup() {
+  ASSERT_TRUE(client_->EnsureTlsSetup());
+  ASSERT_TRUE(server_->EnsureTlsSetup());
+}
+
+void TlsConnectTestBase::Handshake() {
+  server_->StartConnect();
+  client_->StartConnect();
+  client_->Handshake();
+  server_->Handshake();
+
+  ASSERT_TRUE_WAIT(client_->state() != TlsAgent::CONNECTING &&
+                   server_->state() != TlsAgent::CONNECTING,
+                   5000);
+}
+
+void TlsConnectTestBase::Connect() {
+  Handshake();
+
+  ASSERT_EQ(TlsAgent::CONNECTED, client_->state());
+  ASSERT_EQ(TlsAgent::CONNECTED, server_->state());
+
+  int16_t cipher_suite1, cipher_suite2;
+  bool ret = client_->cipher_suite(&cipher_suite1);
+  ASSERT_TRUE(ret);
+  ret = server_->cipher_suite(&cipher_suite2);
+  ASSERT_TRUE(ret);
+  ASSERT_EQ(cipher_suite1, cipher_suite2);
+
+  std::cerr << "Connected with cipher suite " << client_->cipher_suite_name()
+            << std::endl;
+
+  // Check and store session ids.
+  std::vector<uint8_t> sid_c1 = client_->session_id();
+  ASSERT_EQ(32, sid_c1.size());
+  std::vector<uint8_t> sid_s1 = server_->session_id();
+  ASSERT_EQ(32, sid_s1.size());
+  ASSERT_EQ(sid_c1, sid_s1);
+  session_ids_.push_back(sid_c1);
+}
+
+void TlsConnectTestBase::ConnectExpectFail() {
+  Handshake();
+
+  ASSERT_EQ(TlsAgent::ERROR, client_->state());
+  ASSERT_EQ(TlsAgent::ERROR, server_->state());
+}
+
+void TlsConnectTestBase::EnableSomeECDHECiphers() {
+  client_->EnableSomeECDHECiphers();
+  server_->EnableSomeECDHECiphers();
+}
+
+
+void TlsConnectTestBase::ConfigureSessionCache(SessionResumptionMode client,
+                                               SessionResumptionMode server) {
+  client_->ConfigureSessionCache(client);
+  server_->ConfigureSessionCache(server);
+}
+
+void TlsConnectTestBase::CheckResumption(SessionResumptionMode expected) {
+  ASSERT_NE(RESUME_BOTH, expected);
+
+  int resume_ct = expected ? 1 : 0;
+  int stateless_ct = (expected & RESUME_TICKET) ? 1 : 0;
+
+  SSL3Statistics* stats = SSL_GetStatistics();
+  ASSERT_EQ(resume_ct, stats->hch_sid_cache_hits);
+  ASSERT_EQ(resume_ct, stats->hsh_sid_cache_hits);
+
+  ASSERT_EQ(stateless_ct, stats->hch_sid_stateless_resumes);
+  ASSERT_EQ(stateless_ct, stats->hsh_sid_stateless_resumes);
+
+  if (resume_ct) {
+    // Check that the last two session ids match.
+    ASSERT_GE(2, session_ids_.size());
+    ASSERT_EQ(session_ids_[session_ids_.size()-1],
+              session_ids_[session_ids_.size()-2]);
+  }
+}
+
+void TlsConnectTestBase::EnableAlpn() {
+  // A simple value of "a", "b".  Note that the preferred value of "a" is placed
+  // at the end, because the NSS API follows the now defunct NPN specification,
+  // which places the preferred (and default) entry at the end of the list.
+  // NSS will move this final entry to the front when used with ALPN.
+  static const uint8_t val[] = { 0x01, 0x62, 0x01, 0x61 };
+  client_->EnableAlpn(val, sizeof(val));
+  server_->EnableAlpn(val, sizeof(val));
+}
+
+void TlsConnectTestBase::EnableSrtp() {
+  client_->EnableSrtp();
+  server_->EnableSrtp();
+}
+
+void TlsConnectTestBase::CheckSrtp() {
+  client_->CheckSrtp();
+  server_->CheckSrtp();
+}
+
+TlsConnectGeneric::TlsConnectGeneric()
+    : TlsConnectTestBase((GetParam() == "TLS") ? STREAM : DGRAM) {
+  std::cerr << "Variant: " << GetParam() << std::endl;
+}
+
+} // namespace nss_test
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/ssl_gtest/tls_connect.h
@@ -0,0 +1,79 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef tls_connect_h_
+#define tls_connect_h_
+
+#include "sslt.h"
+
+#include "tls_agent.h"
+
+#define GTEST_HAS_RTTI 0
+#include "gtest/gtest.h"
+
+namespace nss_test {
+
+// A generic TLS connection test base.
+class TlsConnectTestBase : public ::testing::Test {
+ public:
+  TlsConnectTestBase(Mode mode);
+  virtual ~TlsConnectTestBase();
+
+  void SetUp();
+  void TearDown();
+
+  // Initialize client and server.
+  void Init();
+  // Re-initialize client and server.
+  void Reset();
+  // Make sure TLS is configured for a connection.
+  void EnsureTlsSetup();
+
+  // Run the handshake.
+  void Handshake();
+  // Connect and check that it works.
+  void Connect();
+  // Connect and expect it to fail.
+  void ConnectExpectFail();
+
+  void EnableSomeECDHECiphers();
+  void ConfigureSessionCache(SessionResumptionMode client,
+                             SessionResumptionMode server);
+  void CheckResumption(SessionResumptionMode expected);
+  void EnableAlpn();
+  void EnableSrtp();
+  void CheckSrtp();
+
+ protected:
+  Mode mode_;
+  TlsAgent* client_;
+  TlsAgent* server_;
+  std::vector<std::vector<uint8_t>> session_ids_;
+};
+
+// A TLS-only test base.
+class TlsConnectTest : public TlsConnectTestBase {
+ public:
+  TlsConnectTest() : TlsConnectTestBase(STREAM) {}
+};
+
+// A DTLS-only test base.
+class DtlsConnectTest : public TlsConnectTestBase {
+ public:
+  DtlsConnectTest() : TlsConnectTestBase(DGRAM) {}
+};
+
+// A generic test class that can be either STREAM or DGRAM.  This is configured
+// in ssl_loopback_unittest.cc.  All uses of this should use TEST_P().
+class TlsConnectGeneric : public TlsConnectTestBase,
+                          public ::testing::WithParamInterface<std::string> {
+ public:
+  TlsConnectGeneric();
+};
+
+} // namespace nss_test
+
+#endif
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/ssl_gtest/tls_filter.cc
@@ -0,0 +1,226 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "tls_filter.h"
+
+#include <iostream>
+
+namespace nss_test {
+
+bool TlsRecordFilter::Filter(const DataBuffer& input, DataBuffer* output) {
+  bool changed = false;
+  size_t output_offset = 0U;
+  output->Allocate(input.len());
+
+  TlsParser parser(input);
+  while (parser.remaining()) {
+    size_t start = parser.consumed();
+    uint8_t content_type;
+    if (!parser.Read(&content_type)) {
+      return false;
+    }
+    uint32_t version;
+    if (!parser.Read(&version, 2)) {
+      return false;
+    }
+
+    if (IsDtls(version)) {
+      if (!parser.Skip(8)) {
+        return false;
+      }
+    }
+    size_t header_len = parser.consumed() - start;
+    output->Write(output_offset, input.data() + start, header_len);
+
+    DataBuffer record;
+    if (!parser.ReadVariable(&record, 2)) {
+      return false;
+    }
+
+    // Move the offset in the output forward.  ApplyFilter() returns the index
+    // of the end of the record it wrote to the output, so we need to skip
+    // over the content type and version for the value passed to it.
+    output_offset = ApplyFilter(content_type, version, record, output,
+                                output_offset + header_len,
+                                &changed);
+  }
+  output->Truncate(output_offset);
+
+  // Record how many packets we actually touched.
+  if (changed) {
+    ++count_;
+  }
+
+  return changed;
+}
+
+size_t TlsRecordFilter::ApplyFilter(uint8_t content_type, uint16_t version,
+                                    const DataBuffer& record,
+                                    DataBuffer* output,
+                                    size_t offset, bool* changed) {
+  const DataBuffer* source = &record;
+  DataBuffer filtered;
+  if (FilterRecord(content_type, version, record, &filtered) &&
+      filtered.len() < 0x10000) {
+    *changed = true;
+    std::cerr << "record old: " << record << std::endl;
+    std::cerr << "record old: " << filtered << std::endl;
+    source = &filtered;
+  }
+
+  output->Write(offset, source->len(), 2);
+  output->Write(offset + 2, *source);
+  return offset + 2 + source->len();
+}
+
+bool TlsHandshakeFilter::FilterRecord(uint8_t content_type, uint16_t version,
+                                      const DataBuffer& input,
+                                      DataBuffer* output) {
+  // Check that the first byte is as requested.
+  if (content_type != kTlsHandshakeType) {
+    return false;
+  }
+
+  bool changed = false;
+  size_t output_offset = 0U;
+  output->Allocate(input.len()); // Preallocate a little.
+
+  TlsParser parser(input);
+  while (parser.remaining()) {
+    size_t start = parser.consumed();
+    uint8_t handshake_type;
+    if (!parser.Read(&handshake_type)) {
+      return false; // malformed
+    }
+    uint32_t length;
+    if (!parser.Read(&length, 3)) {
+      return false; // malformed
+    }
+
+    if (IsDtls(version) && !CheckDtls(parser, length)) {
+      return false;
+    }
+
+    size_t header_len = parser.consumed() - start;
+    output->Write(output_offset, input.data() + start, header_len);
+
+    DataBuffer handshake;
+    if (!parser.Read(&handshake, length)) {
+      return false;
+    }
+
+    // Move the offset in the output forward.  ApplyFilter() returns the index
+    // of the end of the message it wrote to the output, so we need to identify
+    // offsets from the start of the message for length and the handshake
+    // message.
+    output_offset = ApplyFilter(version, handshake_type, handshake,
+                                output, output_offset + 1,
+                                output_offset + header_len,
+                                &changed);
+  }
+  output->Truncate(output_offset);
+  return changed;
+}
+
+bool TlsHandshakeFilter::CheckDtls(TlsParser& parser, size_t length) {
+  // Read and check DTLS parameters
+  if (!parser.Skip(2)) { // sequence number
+    return false;
+  }
+
+  uint32_t fragment_offset;
+  if (!parser.Read(&fragment_offset, 3)) {
+    return false;
+  }
+
+  uint32_t fragment_length;
+  if (!parser.Read(&fragment_length, 3)) {
+    return false;
+  }
+
+  // All current tests where we are using this code don't fragment.
+  return (fragment_offset == 0 && fragment_length == length);
+}
+
+size_t TlsHandshakeFilter::ApplyFilter(
+    uint16_t version, uint8_t handshake_type, const DataBuffer& handshake,
+    DataBuffer* output, size_t length_offset, size_t value_offset,
+    bool* changed) {
+  const DataBuffer* source = &handshake;
+  DataBuffer filtered;
+  if (FilterHandshake(version, handshake_type, handshake, &filtered) &&
+      filtered.len() < 0x1000000) {
+    *changed = true;
+    std::cerr << "handshake old: " << handshake << std::endl;
+    std::cerr << "handshake new: " << filtered << std::endl;
+    source = &filtered;
+  }
+
+  // Back up and overwrite the (two) length field(s): the handshake message
+  // length and the DTLS fragment length.
+  output->Write(length_offset, source->len(), 3);
+  if (IsDtls(version)) {
+    output->Write(length_offset + 8, source->len(), 3);
+  }
+  output->Write(value_offset, *source);
+  return value_offset + source->len();
+}
+
+bool TlsInspectorRecordHandshakeMessage::FilterHandshake(
+    uint16_t version, uint8_t handshake_type,
+    const DataBuffer& input, DataBuffer* output) {
+  // Only do this once.
+  if (buffer_.len()) {
+    return false;
+  }
+
+  if (handshake_type == handshake_type_) {
+    buffer_ = input;
+  }
+  return false;
+}
+
+bool TlsAlertRecorder::FilterRecord(uint8_t content_type, uint16_t version,
+                                    const DataBuffer& input, DataBuffer* output) {
+  if (level_ == kTlsAlertFatal) { // already fatal
+    return false;
+  }
+  if (content_type != kTlsAlertType) {
+    return false;
+  }
+
+  TlsParser parser(input);
+  uint8_t lvl;
+  if (!parser.Read(&lvl)) {
+    return false;
+  }
+  if (lvl == kTlsAlertWarning) { // not strong enough
+    return false;
+  }
+  level_ = lvl;
+  (void)parser.Read(&description_);
+  return false;
+}
+
+ChainedPacketFilter::~ChainedPacketFilter() {
+  for (auto it = filters_.begin(); it != filters_.end(); ++it) {
+    delete *it;
+  }
+}
+
+bool ChainedPacketFilter::Filter(const DataBuffer& input, DataBuffer* output) {
+  DataBuffer in(input);
+  bool changed = false;
+  for (auto it = filters_.begin(); it != filters_.end(); ++it) {
+    if ((*it)->Filter(in, output)) {
+      in = *output;
+      changed = true;
+    }
+  }
+  return changed;
+}
+
+}  // namespace nss_test
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/ssl_gtest/tls_filter.h
@@ -0,0 +1,113 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef tls_filter_h_
+#define tls_filter_h_
+
+#include <memory>
+#include <vector>
+
+#include "test_io.h"
+#include "tls_parser.h"
+
+namespace nss_test {
+
+// Abstract filter that operates on entire (D)TLS records.
+class TlsRecordFilter : public PacketFilter {
+ public:
+  TlsRecordFilter() : count_(0) {}
+
+  virtual bool Filter(const DataBuffer& input, DataBuffer* output);
+
+  // Report how many packets were altered by the filter.
+  size_t filtered_packets() const { return count_; }
+
+ protected:
+  virtual bool FilterRecord(uint8_t content_type, uint16_t version,
+                            const DataBuffer& data, DataBuffer* changed) = 0;
+ private:
+  size_t ApplyFilter(uint8_t content_type, uint16_t version,
+                     const DataBuffer& record, DataBuffer* output,
+                     size_t offset, bool* changed);
+
+  size_t count_;
+};
+
+// Abstract filter that operates on handshake messages rather than records.
+// This assumes that the handshake messages are written in a block as entire
+// records and that they don't span records or anything crazy like that.
+class TlsHandshakeFilter : public TlsRecordFilter {
+ public:
+  TlsHandshakeFilter() {}
+
+ protected:
+  virtual bool FilterRecord(uint8_t content_type, uint16_t version,
+                            const DataBuffer& input, DataBuffer* output);
+  virtual bool FilterHandshake(uint16_t version, uint8_t handshake_type,
+                               const DataBuffer& input, DataBuffer* output) = 0;
+
+ private:
+  bool CheckDtls(TlsParser& parser, size_t length);
+  size_t ApplyFilter(uint16_t version, uint8_t handshake_type,
+                     const DataBuffer& record, DataBuffer* output,
+                     size_t length_offset, size_t value_offset, bool* changed);
+};
+
+// Make a copy of the first instance of a handshake message.
+class TlsInspectorRecordHandshakeMessage : public TlsHandshakeFilter {
+ public:
+  TlsInspectorRecordHandshakeMessage(uint8_t handshake_type)
+      : handshake_type_(handshake_type), buffer_() {}
+
+  virtual bool FilterHandshake(uint16_t version, uint8_t handshake_type,
+                               const DataBuffer& input, DataBuffer* output);
+
+  const DataBuffer& buffer() const { return buffer_; }
+
+ private:
+  uint8_t handshake_type_;
+  DataBuffer buffer_;
+};
+
+// Records an alert.  If an alert has already been recorded, it won't save the
+// new alert unless the old alert is a warning and the new one is fatal.
+class TlsAlertRecorder : public TlsRecordFilter {
+ public:
+  TlsAlertRecorder() : level_(255), description_(255) {}
+
+  virtual bool FilterRecord(uint8_t content_type, uint16_t version,
+                            const DataBuffer& input, DataBuffer* output);
+
+  uint8_t level() const { return level_; }
+  uint8_t description() const { return description_; }
+
+ private:
+  uint8_t level_;
+  uint8_t description_;
+};
+
+// Runs multiple packet filters in series.
+class ChainedPacketFilter : public PacketFilter {
+ public:
+  ChainedPacketFilter() {}
+  ChainedPacketFilter(const std::vector<PacketFilter*> filters)
+      : filters_(filters.begin(), filters.end()) {}
+  virtual ~ChainedPacketFilter();
+
+  virtual bool Filter(const DataBuffer& input, DataBuffer* output);
+
+  // Takes ownership of the filter.
+  void Add(PacketFilter* filter) {
+    filters_.push_back(filter);
+  }
+
+ private:
+  std::vector<PacketFilter*> filters_;
+};
+
+}  // namespace nss_test
+
+#endif
--- a/security/nss/external_tests/ssl_gtest/tls_parser.cc
+++ b/security/nss/external_tests/ssl_gtest/tls_parser.cc
@@ -1,57 +1,71 @@
 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* vim: set ts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "tls_parser.h"
 
-// Process DTLS Records
-#define CHECK_LENGTH(expected)                \
-  do {                                        \
-    if (remaining() < expected) return false; \
-  } while (0)
+namespace nss_test {
 
-bool TlsParser::Read(unsigned char* val) {
+bool TlsParser::Read(uint8_t* val) {
   if (remaining() < 1) {
     return false;
   }
   *val = *ptr();
   consume(1);
   return true;
 }
 
-bool TlsParser::Read(unsigned char* val, size_t len) {
+bool TlsParser::Read(uint32_t* val, size_t size) {
+  if (size > sizeof(uint32_t)) {
+    return false;
+  }
+
+  uint32_t v = 0;
+  for (size_t i = 0; i < size; ++i) {
+    uint8_t tmp;
+    if (!Read(&tmp)) {
+      return false;
+    }
+
+    v = (v << 8) | tmp;
+  }
+
+  *val = v;
+  return true;
+}
+
+bool TlsParser::Read(DataBuffer* val, size_t len) {
   if (remaining() < len) {
     return false;
   }
 
-  if (val) {
-    memcpy(val, ptr(), len);
-  }
+  val->Assign(ptr(), len);
   consume(len);
-
   return true;
 }
 
-bool TlsRecordParser::NextRecord(uint8_t* ct,
-                                 std::auto_ptr<DataBuffer>* buffer) {
-  if (!remaining()) return false;
-
-  CHECK_LENGTH(5U);
-  const uint8_t* ctp = reinterpret_cast<const uint8_t*>(ptr());
-  consume(3);  // ct + version
+bool TlsParser::ReadVariable(DataBuffer* val, size_t len_size) {
+  uint32_t len;
+  if (!Read(&len, len_size)) {
+    return false;
+  }
+  return Read(val, len);
+}
 
-  const uint16_t* tmp = reinterpret_cast<const uint16_t*>(ptr());
-  size_t length = ntohs(*tmp);
-  consume(2);
-
-  CHECK_LENGTH(length);
-  DataBuffer* db = new DataBuffer(ptr(), length);
-  consume(length);
-
-  *ct = *ctp;
-  buffer->reset(db);
-
+bool TlsParser::Skip(size_t len) {
+  if (len > remaining()) { return false; }
+  consume(len);
   return true;
 }
+
+bool TlsParser::SkipVariable(size_t len_size) {
+  uint32_t len;
+  if (!Read(&len, len_size)) {
+    return false;
+  }
+  return Skip(len);
+}
+
+} // namespace nss_test
--- a/security/nss/external_tests/ssl_gtest/tls_parser.h
+++ b/security/nss/external_tests/ssl_gtest/tls_parser.h
@@ -3,81 +3,95 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef tls_parser_h_
 #define tls_parser_h_
 
 #include <memory>
-#include <stdint.h>
-#include <string.h>
+#include <cstdint>
+#include <cstring>
 #include <arpa/inet.h>
 #include "databuffer.h"
 
+namespace nss_test {
+
 const uint8_t kTlsChangeCipherSpecType = 0x14;
+const uint8_t kTlsAlertType = 0x15;
 const uint8_t kTlsHandshakeType = 0x16;
 
+const uint8_t kTlsHandshakeClientHello = 0x01;
+const uint8_t kTlsHandshakeServerHello = 0x02;
 const uint8_t kTlsHandshakeCertificate = 0x0b;
 const uint8_t kTlsHandshakeServerKeyExchange = 0x0c;
 
+const uint8_t kTlsAlertWarning = 1;
+const uint8_t kTlsAlertFatal = 2;
+
+const uint8_t kTlsAlertHandshakeFailure = 0x28;
+const uint8_t kTlsAlertIllegalParameter = 0x2f;
+const uint8_t kTlsAlertDecodeError = 0x32;
+const uint8_t kTlsAlertUnsupportedExtension = 0x6e;
+const uint8_t kTlsAlertNoApplicationProtocol = 0x78;
+
 const uint8_t kTlsFakeChangeCipherSpec[] = {
     kTlsChangeCipherSpecType,        // Type
     0xfe,                     0xff,  // Version
     0x00,                     0x00, 0x00, 0x00,
     0x00,                     0x00, 0x00, 0x10,  // Fictitious sequence #
     0x00,                     0x01,              // Length
     0x01                                         // Value
 };
 
+inline bool IsDtls(uint16_t version) {
+  return (version & 0x8000) == 0x8000;
+}
+
+inline uint16_t NormalizeTlsVersion(uint16_t version) {
+  if (version == 0xfeff) {
+    return 0x0302; // special: DTLS 1.0 == TLS 1.1
+  }
+  if (IsDtls(version)) {
+    return (version ^ 0xffff) + 0x0201;
+  }
+  return version;
+}
+
+inline void WriteVariable(DataBuffer* target, size_t index,
+                          const DataBuffer& buf, size_t len_size) {
+  target->Write(index, static_cast<uint32_t>(buf.len()), len_size);
+  target->Write(index + len_size, buf.data(), buf.len());
+}
+
 class TlsParser {
  public:
-  TlsParser(const unsigned char *data, size_t len)
+  TlsParser(const uint8_t* data, size_t len)
       : buffer_(data, len), offset_(0) {}
-
-  bool Read(unsigned char *val);
-
-  // Read an integral type of specified width.
-  bool Read(uint32_t *val, size_t len) {
-    if (len > sizeof(uint32_t)) return false;
-
-    *val = 0;
+  explicit TlsParser(const DataBuffer& buf)
+      : buffer_(buf), offset_(0) {}
 
-    for (size_t i = 0; i < len; ++i) {
-      unsigned char tmp;
-
-      (*val) <<= 8;
-      if (!Read(&tmp)) return false;
+  bool Read(uint8_t* val);
+  // Read an integral type of specified width.
+  bool Read(uint32_t* val, size_t size);
+  // Reads len bytes into dest buffer, overwriting it.
+  bool Read(DataBuffer* dest, size_t len);
+  // Reads bytes into dest buffer, overwriting it.  The number of bytes is
+  // determined by reading from len_size bytes from the stream first.
+  bool ReadVariable(DataBuffer* dest, size_t len_size);
 
-      *val += tmp;
-    }
+  bool Skip(size_t len);
+  bool SkipVariable(size_t len_size);
 
-    return true;
-  }
-
-  bool Read(unsigned char *val, size_t len);
+  size_t consumed() const { return offset_; }
   size_t remaining() const { return buffer_.len() - offset_; }
 
  private:
   void consume(size_t len) { offset_ += len; }
-  const uint8_t *ptr() const { return buffer_.data() + offset_; }
+  const uint8_t* ptr() const { return buffer_.data() + offset_; }
 
   DataBuffer buffer_;
   size_t offset_;
 };
 
-class TlsRecordParser {
- public:
-  TlsRecordParser(const unsigned char *data, size_t len)
-      : buffer_(data, len), offset_(0) {}
-
-  bool NextRecord(uint8_t *ct, std::auto_ptr<DataBuffer> *buffer);
-
- private:
-  size_t remaining() const { return buffer_.len() - offset_; }
-  const uint8_t *ptr() const { return buffer_.data() + offset_; }
-  void consume(size_t len) { offset_ += len; }
-
-  DataBuffer buffer_;
-  size_t offset_;
-};
+} // namespace nss_test
 
 #endif
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -1059,14 +1059,15 @@ CERT_AddExtensionByOID;
 CERT_GetGeneralNameTypeFromString;
 PK11_PubEncrypt;
 PK11_PrivDecrypt;
 ;+    local:
 ;+       *;
 ;+};
 ;+NSS_3.18 { 	# NSS 3.18 release
 ;+    global:
+__PK11_SetCertificateNickname;
 CERT_FindCertURLExtension;
 SEC_CheckCrlTimes;
 SEC_GetCrlTimes;
 ;+    local:
 ;+       *;
 ;+};
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -28,22 +28,22 @@
 
 /*
  * NSS's major version, minor version, patch level, build number, and whether
  * this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION  "3.18" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta"
+#define NSS_VERSION  "3.18" _NSS_ECC_STRING _NSS_CUSTOMIZED
 #define NSS_VMAJOR   3
 #define NSS_VMINOR   18
 #define NSS_VPATCH   0
 #define NSS_VBUILD   0
-#define NSS_BETA     PR_TRUE
+#define NSS_BETA     PR_FALSE
 
 #ifndef RC_INVOKED
 
 #include "seccomon.h"
 
 typedef struct NSSInitParametersStr NSSInitParameters;
 
 /*
--- a/security/nss/lib/pk11wrap/pk11cert.c
+++ b/security/nss/lib/pk11wrap/pk11cert.c
@@ -2677,8 +2677,30 @@ PK11_GetAllSlotsForCert(CERTCertificate 
 	PK11_FreeSlotList(slotList);
 	PORT_SetError(SEC_ERROR_NO_TOKEN);
 	slotList = NULL;
     }
 
     nssCryptokiObjectArray_Destroy(instances);
     return slotList;
 }
+
+/*
+ * Using __PK11_SetCertificateNickname is *DANGEROUS*.
+ *
+ * The API will update the NSS database, but it *will NOT* update the in-memory data.
+ * As a result, after calling this API, there will be INCONSISTENCY between
+ * in-memory data and the database.
+ *
+ * Use of the API should be limited to short-lived tools, which will exit immediately
+ * after using this API.
+ *
+ * If you ignore this warning, your process is TAINTED and will most likely misbehave.
+ */
+SECStatus
+__PK11_SetCertificateNickname(CERTCertificate *cert, const char *nickname)
+{
+    /* Can't set nickname of temp cert. */
+    if (!cert->slot || cert->pkcs11ID == CK_INVALID_HANDLE) {
+        return SEC_ERROR_INVALID_ARGS;
+    }
+    return PK11_SetObjectNickname(cert->slot, cert->pkcs11ID, nickname);
+}
--- a/security/nss/lib/pk11wrap/pk11pub.h
+++ b/security/nss/lib/pk11wrap/pk11pub.h
@@ -454,16 +454,31 @@ char * PK11_GetSymKeyNickname(PK11SymKey
 char * PK11_GetPrivateKeyNickname(SECKEYPrivateKey *privKey);
 char * PK11_GetPublicKeyNickname(SECKEYPublicKey *pubKey);
 SECStatus PK11_SetSymKeyNickname(PK11SymKey *symKey, const char *nickname);
 SECStatus PK11_SetPrivateKeyNickname(SECKEYPrivateKey *privKey, 
 							const char *nickname);
 SECStatus PK11_SetPublicKeyNickname(SECKEYPublicKey *pubKey, 
 							const char *nickname);
 
+/*
+ * Using __PK11_SetCertificateNickname is *DANGEROUS*.
+ *
+ * The API will update the NSS database, but it *will NOT* update the in-memory data.
+ * As a result, after calling this API, there will be INCONSISTENCY between
+ * in-memory data and the database.
+ *
+ * Use of the API should be limited to short-lived tools, which will exit immediately
+ * after using this API.
+ *
+ * If you ignore this warning, your process is TAINTED and will most likely misbehave.
+ */
+SECStatus __PK11_SetCertificateNickname(CERTCertificate *cert,
+                                      const char *nickname);
+
 /* size to hold key in bytes */
 unsigned int PK11_GetKeyLength(PK11SymKey *key);
 /* size of actual secret parts of key in bits */
 /* algid is because RC4 strength is determined by the effective bits as well
  * as the key bits */
 unsigned int PK11_GetKeyStrength(PK11SymKey *key,SECAlgorithmID *algid);
 SECStatus PK11_ExtractKeyValue(PK11SymKey *symKey);
 SECItem * PK11_GetKeyData(PK11SymKey *symKey);
--- a/security/nss/lib/pkcs12/p12local.c
+++ b/security/nss/lib/pkcs12/p12local.c
@@ -923,17 +923,18 @@ sec_pkcs12_convert_item_to_unicode(PLAre
 	if(!arena) {
 	    PORT_Free(dest->data);
 	    dest->data = NULL;
 	    dest->len = 0;
 	}
 	return PR_FALSE;
     }
 
-    if((dest->data[dest->len-1] || dest->data[dest->len-2]) && zeroTerm) {
+    if ((dest->len >= 2) &&
+	(dest->data[dest->len-1] || dest->data[dest->len-2]) && zeroTerm) {
 	if(dest->len + 2 > 3 * src->len) {
 	    if(arena) {
 		dest->data = (unsigned char*)PORT_ArenaGrow(arena, 
 						     dest->data, dest->len,
 						     dest->len + 2);
 	    } else {
 		dest->data = (unsigned char*)PORT_Realloc(dest->data, 
 							  dest->len + 2);
--- a/security/nss/lib/pki/tdcache.c
+++ b/security/nss/lib/pki/tdcache.c
@@ -432,27 +432,31 @@ nssTrustDomain_RemoveTokenCertsFromCache
 	return PR_FAILURE;
     }
     dtor.cache = td->cache;
     dtor.token = token;
     dtor.certs = certs;
     dtor.numCerts = 0;
     dtor.arrSize = arrSize;
     PZ_Lock(td->cache->lock);
-    nssHash_Iterate(td->cache->issuerAndSN, remove_token_certs, (void *)&dtor);
+    nssHash_Iterate(td->cache->issuerAndSN, remove_token_certs, &dtor);
     for (i=0; i<dtor.numCerts; i++) {
 	if (dtor.certs[i]->object.numInstances == 0) {
 	    nssTrustDomain_RemoveCertFromCacheLOCKED(td, dtor.certs[i]);
 	    dtor.certs[i] = NULL;  /* skip this cert in the second for loop */
+	} else {
+	    /* make sure it doesn't disappear on us before we finish */
+	    nssCertificate_AddRef(dtor.certs[i]);
 	}
     }
     PZ_Unlock(td->cache->lock);
     for (i=0; i<dtor.numCerts; i++) {
 	if (dtor.certs[i]) {
 	    STAN_ForceCERTCertificateUpdate(dtor.certs[i]);
+	    nssCertificate_Destroy(dtor.certs[i]);
 	}
     }
     nss_ZFreeIf(dtor.certs);
     return PR_SUCCESS;
 }
 
 NSS_IMPLEMENT PRStatus
 nssTrustDomain_UpdateCachedTokenCerts (
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -20,16 +20,16 @@
 
 /*
  * Softoken's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION  "3.18" SOFTOKEN_ECC_STRING " Beta"
+#define SOFTOKEN_VERSION  "3.18" SOFTOKEN_ECC_STRING
 #define SOFTOKEN_VMAJOR   3
 #define SOFTOKEN_VMINOR   18
 #define SOFTOKEN_VPATCH   0
 #define SOFTOKEN_VBUILD   0
-#define SOFTOKEN_BETA     PR_TRUE
+#define SOFTOKEN_BETA     PR_FALSE
 
 #endif /* _SOFTKVER_H_ */
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -85,22 +85,22 @@ static sslOptions ssl_defaults = {
     PR_FALSE    /* enableFallbackSCSV */
 };
 
 /*
  * default range of enabled SSL/TLS protocols
  */
 static SSLVersionRange versions_defaults_stream = {
     SSL_LIBRARY_VERSION_3_0,
-    SSL_LIBRARY_VERSION_TLS_1_0
+    SSL_LIBRARY_VERSION_TLS_1_2
 };
 
 static SSLVersionRange versions_defaults_datagram = {
     SSL_LIBRARY_VERSION_TLS_1_1,
-    SSL_LIBRARY_VERSION_TLS_1_1
+    SSL_LIBRARY_VERSION_TLS_1_2
 };
 
 #define VERSIONS_DEFAULTS(variant) \
     (variant == ssl_variant_stream ? &versions_defaults_stream : \
                                      &versions_defaults_datagram)
 
 sslSessionIDLookupFunc  ssl_sid_lookup;
 sslSessionIDCacheFunc   ssl_sid_cache;
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -14,22 +14,22 @@
 
 /*
  * NSS utilities's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION  "3.18 Beta"
+#define NSSUTIL_VERSION  "3.18"
 #define NSSUTIL_VMAJOR   3
 #define NSSUTIL_VMINOR   18
 #define NSSUTIL_VPATCH   0
 #define NSSUTIL_VBUILD   0
-#define NSSUTIL_BETA     PR_TRUE
+#define NSSUTIL_BETA     PR_FALSE
 
 SEC_BEGIN_PROTOS
 
 /*
  * Returns a const string of the UTIL library version.
  */
 extern const char *NSSUTIL_GetVersion(void);
 
new file mode 100644
--- /dev/null
+++ b/security/patches/reverted-bug-1132496.patch
@@ -0,0 +1,1384 @@
+
+# HG changeset patch
+# User Kai Engert <kaie@kuix.de>
+# Date 1424971034 -3600
+# Node ID 484e72583add151908d4e34ff9b2f811df719f54
+# Parent  483fbe78c2b2707a53185e63ab37d72af4883aa5
+Bug 1132496 - February 2015 batch of root CA changes, r=rrelyea
+
+diff --git a/lib/ckfw/builtins/certdata.txt b/lib/ckfw/builtins/certdata.txt
+--- a/lib/ckfw/builtins/certdata.txt
++++ b/lib/ckfw/builtins/certdata.txt
+@@ -182,19 +182,19 @@ CKA_ISSUER MULTILINE_OCTAL
+ \020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141
+ \170\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151
+ \146\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151
+ \146\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171
+ END
+ CKA_SERIAL_NUMBER MULTILINE_OCTAL
+ \002\004\065\336\364\317
+ END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+ 
+ # Distrust "Distrust a pb.com certificate that does not comply with the baseline requirements."
+ # Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
+ # Serial Number: 1407252 (0x157914)
+ # Subject: CN=*.pb.com,OU=Meters,O=Pitney Bowes,L=Danbury,ST=Connecticut,C=US
+ # Not Valid Before: Mon Feb 01 14:54:04 2010
+ # Not Valid After : Tue Sep 30 00:00:00 2014
+@@ -2452,19 +2452,19 @@ CKA_ISSUER MULTILINE_OCTAL
+ \170\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060
+ \053\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040
+ \123\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102
+ \165\163\151\156\145\163\163\040\103\101\055\061
+ END
+ CKA_SERIAL_NUMBER MULTILINE_OCTAL
+ \002\001\001
+ END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+ 
+ #
+ # Certificate "Equifax Secure eBusiness CA 1"
+ #
+ # Issuer: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
+ # Serial Number: 4 (0x4)
+ # Subject: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
+@@ -13169,19 +13169,19 @@ CKA_ISSUER MULTILINE_OCTAL
+ \103\145\156\164\145\162\040\103\154\141\163\163\040\063\040\103
+ \101\061\045\060\043\006\003\125\004\003\023\034\124\103\040\124
+ \162\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163
+ \040\063\040\103\101\040\111\111
+ END
+ CKA_SERIAL_NUMBER MULTILINE_OCTAL
+ \002\016\112\107\000\001\000\002\345\240\135\326\077\000\121\277
+ END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+ 
+ #
+ # Certificate "TC TrustCenter Universal CA I"
+ #
+ # Issuer: CN=TC TrustCenter Universal CA I,OU=TC TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DE
+ # Serial Number:1d:a2:00:01:00:02:ec:b7:60:80:78:8d:b6:06
+ # Subject: CN=TC TrustCenter Universal CA I,OU=TC TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DE
+@@ -30315,8 +30315,1278 @@ END
+ CKA_SERIAL_NUMBER MULTILINE_OCTAL
+ \002\020\057\000\156\315\027\160\146\347\137\243\202\012\171\037
+ \005\256
+ END
+ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
++
++#
++# Certificate "Staat der Nederlanden Root CA - G3"
++#
++# Issuer: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL
++# Serial Number: 10003001 (0x98a239)
++# Subject: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL
++# Not Valid Before: Thu Nov 14 11:28:42 2013
++# Not Valid After : Mon Nov 13 23:00:00 2028
++# Fingerprint (SHA-256): 3C:4F:B0:B9:5A:B8:B3:00:32:F4:32:B8:6F:53:5F:E1:72:C1:85:D0:FD:39:86:58:37:CF:36:18:7F:A6:F4:28
++# Fingerprint (SHA1): D8:EB:6B:41:51:92:59:E0:F3:E7:85:00:C0:3D:B6:88:97:C9:EE:FC
++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "Staat der Nederlanden Root CA - G3"
++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
++CKA_SUBJECT MULTILINE_OCTAL
++\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
++\036\060\034\006\003\125\004\012\014\025\123\164\141\141\164\040
++\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\061
++\053\060\051\006\003\125\004\003\014\042\123\164\141\141\164\040
++\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\040
++\122\157\157\164\040\103\101\040\055\040\107\063
++END
++CKA_ID UTF8 "0"
++CKA_ISSUER MULTILINE_OCTAL
++\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
++\036\060\034\006\003\125\004\012\014\025\123\164\141\141\164\040
++\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\061
++\053\060\051\006\003\125\004\003\014\042\123\164\141\141\164\040
++\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\040
++\122\157\157\164\040\103\101\040\055\040\107\063
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\004\000\230\242\071
++END
++CKA_VALUE MULTILINE_OCTAL
++\060\202\005\164\060\202\003\134\240\003\002\001\002\002\004\000
++\230\242\071\060\015\006\011\052\206\110\206\367\015\001\001\013
++\005\000\060\132\061\013\060\011\006\003\125\004\006\023\002\116
++\114\061\036\060\034\006\003\125\004\012\014\025\123\164\141\141
++\164\040\144\145\162\040\116\145\144\145\162\154\141\156\144\145
++\156\061\053\060\051\006\003\125\004\003\014\042\123\164\141\141
++\164\040\144\145\162\040\116\145\144\145\162\154\141\156\144\145
++\156\040\122\157\157\164\040\103\101\040\055\040\107\063\060\036
++\027\015\061\063\061\061\061\064\061\061\062\070\064\062\132\027
++\015\062\070\061\061\061\063\062\063\060\060\060\060\132\060\132
++\061\013\060\011\006\003\125\004\006\023\002\116\114\061\036\060
++\034\006\003\125\004\012\014\025\123\164\141\141\164\040\144\145
++\162\040\116\145\144\145\162\154\141\156\144\145\156\061\053\060
++\051\006\003\125\004\003\014\042\123\164\141\141\164\040\144\145
++\162\040\116\145\144\145\162\154\141\156\144\145\156\040\122\157
++\157\164\040\103\101\040\055\040\107\063\060\202\002\042\060\015
++\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002
++\017\000\060\202\002\012\002\202\002\001\000\276\062\242\124\017
++\160\373\054\134\131\353\154\304\244\121\350\205\052\263\314\112
++\064\362\260\137\363\016\307\034\075\123\036\210\010\150\330\157
++\075\255\302\236\314\202\147\007\047\207\150\161\072\237\165\226
++\042\106\005\260\355\255\307\133\236\052\336\234\374\072\306\225
++\247\365\027\147\030\347\057\111\010\014\134\317\346\314\064\355
++\170\373\120\261\334\153\062\360\242\376\266\074\344\354\132\227
++\307\077\036\160\010\060\240\334\305\263\155\157\320\202\162\021
++\253\322\201\150\131\202\027\267\170\222\140\372\314\336\077\204
++\353\215\070\063\220\012\162\043\372\065\314\046\161\061\321\162
++\050\222\331\133\043\155\146\265\155\007\102\353\246\063\316\222
++\333\300\366\154\143\170\315\312\116\075\265\345\122\233\361\276
++\073\346\124\140\260\146\036\011\253\007\376\124\211\021\102\321
++\367\044\272\140\170\032\230\367\311\021\375\026\301\065\032\124
++\165\357\103\323\345\256\116\316\347\173\303\306\116\141\121\113
++\253\232\105\113\241\037\101\275\110\123\025\161\144\013\206\263
++\345\056\276\316\244\033\301\051\204\242\265\313\010\043\166\103
++\042\044\037\027\004\324\156\234\306\374\177\053\146\032\354\212
++\345\326\317\115\365\143\011\267\025\071\326\173\254\353\343\174
++\351\116\374\165\102\310\355\130\225\014\006\102\242\234\367\344
++\160\263\337\162\157\132\067\100\211\330\205\244\327\361\013\336
++\103\031\324\112\130\054\214\212\071\236\277\204\207\361\026\073
++\066\014\351\323\264\312\154\031\101\122\011\241\035\260\152\277
++\202\357\160\121\041\062\334\005\166\214\313\367\144\344\003\120
++\257\214\221\147\253\305\362\356\130\330\336\276\367\347\061\317
++\154\311\073\161\301\325\210\265\145\274\300\350\027\027\007\022
++\265\134\322\253\040\223\264\346\202\203\160\066\305\315\243\215
++\255\213\354\243\301\103\207\346\103\342\064\276\225\213\065\355
++\007\071\332\250\035\172\237\066\236\022\260\014\145\022\220\025
++\140\331\046\100\104\343\126\140\245\020\324\152\074\375\101\334
++\016\132\107\266\357\227\141\165\117\331\376\307\262\035\324\355
++\135\111\263\251\152\313\146\204\023\325\134\240\334\337\156\167
++\006\321\161\165\310\127\157\257\017\167\133\002\003\001\000\001
++\243\102\060\100\060\017\006\003\125\035\023\001\001\377\004\005
++\060\003\001\001\377\060\016\006\003\125\035\017\001\001\377\004
++\004\003\002\001\006\060\035\006\003\125\035\016\004\026\004\024
++\124\255\372\307\222\127\256\312\065\234\056\022\373\344\272\135
++\040\334\224\127\060\015\006\011\052\206\110\206\367\015\001\001
++\013\005\000\003\202\002\001\000\060\231\235\005\062\310\136\016
++\073\230\001\072\212\244\347\007\367\172\370\347\232\337\120\103
++\123\227\052\075\312\074\107\230\056\341\025\173\361\222\363\141
++\332\220\045\026\145\300\237\124\135\016\003\073\133\167\002\234
++\204\266\015\230\137\064\335\073\143\302\303\050\201\302\234\051
++\056\051\342\310\303\001\362\063\352\052\252\314\011\010\367\145
++\147\306\315\337\323\266\053\247\275\314\321\016\160\137\270\043
++\321\313\221\116\012\364\310\172\345\331\143\066\301\324\337\374
++\042\227\367\140\135\352\051\057\130\262\275\130\275\215\226\117
++\020\165\277\110\173\075\121\207\241\074\164\042\302\374\007\177
++\200\334\304\254\376\152\301\160\060\260\351\216\151\342\054\151
++\201\224\011\272\335\376\115\300\203\214\224\130\300\106\040\257
++\234\037\002\370\065\125\111\057\106\324\300\360\240\226\002\017
++\063\305\161\363\236\043\175\224\267\375\072\323\011\203\006\041
++\375\140\075\256\062\300\322\356\215\246\360\347\264\202\174\012
++\314\160\311\171\200\370\376\114\367\065\204\031\212\061\373\012
++\331\327\177\233\360\242\232\153\303\005\112\355\101\140\024\060
++\321\252\021\102\156\323\043\002\004\013\306\145\335\335\122\167
++\332\201\153\262\250\372\001\070\271\226\352\052\154\147\227\211
++\224\236\274\341\124\325\344\152\170\357\112\275\053\232\075\100
++\176\306\300\165\322\156\373\150\060\354\354\213\235\371\111\065
++\232\032\054\331\263\225\071\325\036\222\367\246\271\145\057\345
++\075\155\072\110\114\010\334\344\050\022\050\276\175\065\134\352
++\340\026\176\023\033\152\327\076\327\236\374\055\165\262\301\024
++\325\043\003\333\133\157\013\076\170\057\015\336\063\215\026\267
++\110\347\203\232\201\017\173\301\103\115\125\004\027\070\112\121
++\325\131\242\211\164\323\237\276\036\113\327\306\155\267\210\044
++\157\140\221\244\202\205\133\126\101\274\320\104\253\152\023\276
++\321\054\130\267\022\063\130\262\067\143\334\023\365\224\035\077
++\100\121\365\117\365\072\355\310\305\353\302\036\035\026\225\172
++\307\176\102\161\223\156\113\025\267\060\337\252\355\127\205\110
++\254\035\152\335\071\151\344\341\171\170\276\316\005\277\241\014
++\367\200\173\041\147\047\060\131
++END
++
++# Trust for "Staat der Nederlanden Root CA - G3"
++# Issuer: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL
++# Serial Number: 10003001 (0x98a239)
++# Subject: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL
++# Not Valid Before: Thu Nov 14 11:28:42 2013
++# Not Valid After : Mon Nov 13 23:00:00 2028
++# Fingerprint (SHA-256): 3C:4F:B0:B9:5A:B8:B3:00:32:F4:32:B8:6F:53:5F:E1:72:C1:85:D0:FD:39:86:58:37:CF:36:18:7F:A6:F4:28
++# Fingerprint (SHA1): D8:EB:6B:41:51:92:59:E0:F3:E7:85:00:C0:3D:B6:88:97:C9:EE:FC
++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "Staat der Nederlanden Root CA - G3"
++CKA_CERT_SHA1_HASH MULTILINE_OCTAL
++\330\353\153\101\121\222\131\340\363\347\205\000\300\075\266\210
++\227\311\356\374
++END
++CKA_CERT_MD5_HASH MULTILINE_OCTAL
++\013\106\147\007\333\020\057\031\214\065\120\140\321\013\364\067
++END
++CKA_ISSUER MULTILINE_OCTAL
++\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
++\036\060\034\006\003\125\004\012\014\025\123\164\141\141\164\040
++\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\061
++\053\060\051\006\003\125\004\003\014\042\123\164\141\141\164\040
++\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\040
++\122\157\157\164\040\103\101\040\055\040\107\063
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\004\000\230\242\071
++END
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
++
++#
++# Certificate "Staat der Nederlanden EV Root CA"
++#
++# Issuer: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
++# Serial Number: 10000013 (0x98968d)
++# Subject: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
++# Not Valid Before: Wed Dec 08 11:19:29 2010
++# Not Valid After : Thu Dec 08 11:10:28 2022
++# Fingerprint (SHA-256): 4D:24:91:41:4C:FE:95:67:46:EC:4C:EF:A6:CF:6F:72:E2:8A:13:29:43:2F:9D:8A:90:7A:C4:CB:5D:AD:C1:5A
++# Fingerprint (SHA1): 76:E2:7E:C1:4F:DB:82:C1:C0:A6:75:B5:05:BE:3D:29:B4:ED:DB:BB
++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "Staat der Nederlanden EV Root CA"
++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
++CKA_SUBJECT MULTILINE_OCTAL
++\060\130\061\013\060\011\006\003\125\004\006\023\002\116\114\061
++\036\060\034\006\003\125\004\012\014\025\123\164\141\141\164\040
++\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\061
++\051\060\047\006\003\125\004\003\014\040\123\164\141\141\164\040
++\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\040
++\105\126\040\122\157\157\164\040\103\101
++END
++CKA_ID UTF8 "0"
++CKA_ISSUER MULTILINE_OCTAL
++\060\130\061\013\060\011\006\003\125\004\006\023\002\116\114\061
++\036\060\034\006\003\125\004\012\014\025\123\164\141\141\164\040
++\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\061
++\051\060\047\006\003\125\004\003\014\040\123\164\141\141\164\040
++\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\040
++\105\126\040\122\157\157\164\040\103\101
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\004\000\230\226\215
++END
++CKA_VALUE MULTILINE_OCTAL
++\060\202\005\160\060\202\003\130\240\003\002\001\002\002\004\000
++\230\226\215\060\015\006\011\052\206\110\206\367\015\001\001\013
++\005\000\060\130\061\013\060\011\006\003\125\004\006\023\002\116
++\114\061\036\060\034\006\003\125\004\012\014\025\123\164\141\141
++\164\040\144\145\162\040\116\145\144\145\162\154\141\156\144\145
++\156\061\051\060\047\006\003\125\004\003\014\040\123\164\141\141
++\164\040\144\145\162\040\116\145\144\145\162\154\141\156\144\145
++\156\040\105\126\040\122\157\157\164\040\103\101\060\036\027\015
++\061\060\061\062\060\070\061\061\061\071\062\071\132\027\015\062
++\062\061\062\060\070\061\061\061\060\062\070\132\060\130\061\013
++\060\011\006\003\125\004\006\023\002\116\114\061\036\060\034\006
++\003\125\004\012\014\025\123\164\141\141\164\040\144\145\162\040
++\116\145\144\145\162\154\141\156\144\145\156\061\051\060\047\006
++\003\125\004\003\014\040\123\164\141\141\164\040\144\145\162\040
++\116\145\144\145\162\154\141\156\144\145\156\040\105\126\040\122
++\157\157\164\040\103\101\060\202\002\042\060\015\006\011\052\206
++\110\206\367\015\001\001\001\005\000\003\202\002\017\000\060\202
++\002\012\002\202\002\001\000\343\307\176\211\371\044\113\072\322
++\063\203\065\054\151\354\334\011\244\343\121\250\045\053\171\270
++\010\075\340\221\272\204\205\306\205\244\312\346\311\056\123\244
++\311\044\036\375\125\146\161\135\054\305\140\150\004\267\331\302
++\122\046\070\210\244\326\073\100\246\302\315\077\315\230\223\263
++\124\024\130\226\125\325\120\376\206\255\244\143\177\134\207\366
++\216\346\047\222\147\027\222\002\003\054\334\326\146\164\355\335
++\147\377\301\141\215\143\117\017\233\155\027\060\046\357\253\322
++\037\020\240\371\305\177\026\151\201\003\107\355\036\150\215\162
++\241\115\262\046\306\272\154\137\155\326\257\321\261\023\216\251
++\255\363\136\151\165\046\030\076\101\053\041\177\356\213\135\007
++\006\235\103\304\051\012\053\374\052\076\206\313\074\203\072\371
++\311\015\332\305\231\342\274\170\101\063\166\341\277\057\135\345
++\244\230\120\014\025\335\340\372\234\177\070\150\320\262\246\172
++\247\321\061\275\176\212\130\047\103\263\272\063\221\323\247\230
++\025\134\232\346\323\017\165\331\374\101\230\227\076\252\045\333
++\217\222\056\260\173\014\137\361\143\251\067\371\233\165\151\114
++\050\046\045\332\325\362\022\160\105\125\343\337\163\136\067\365
++\041\154\220\216\065\132\311\323\043\353\323\300\276\170\254\102
++\050\130\146\245\106\155\160\002\327\020\371\113\124\374\135\206
++\112\207\317\177\312\105\254\021\132\265\040\121\215\057\210\107
++\227\071\300\317\272\300\102\001\100\231\110\041\013\153\247\322
++\375\226\325\321\276\106\235\111\340\013\246\240\042\116\070\320
++\301\074\060\274\160\217\054\165\314\320\305\214\121\073\075\224
++\010\144\046\141\175\271\303\145\217\024\234\041\320\252\375\027
++\162\003\217\275\233\214\346\136\123\236\271\235\357\202\273\341
++\274\342\162\101\133\041\224\323\105\067\224\321\337\011\071\135
++\347\043\252\232\035\312\155\250\012\206\205\212\202\276\102\007
++\326\362\070\202\163\332\207\133\345\074\323\236\076\247\073\236
++\364\003\263\371\361\175\023\164\002\377\273\241\345\372\000\171
++\034\246\146\101\210\134\140\127\246\056\011\304\272\375\232\317
++\247\037\100\303\273\314\132\012\125\113\073\070\166\121\270\143
++\213\204\224\026\346\126\363\002\003\001\000\001\243\102\060\100
++\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001
++\377\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001
++\006\060\035\006\003\125\035\016\004\026\004\024\376\253\000\220
++\230\236\044\374\251\314\032\212\373\047\270\277\060\156\250\073
++\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\003
++\202\002\001\000\317\167\054\156\126\276\116\263\266\204\000\224
++\253\107\311\015\322\166\307\206\237\035\007\323\266\264\273\010
++\170\257\151\322\013\111\336\063\305\254\255\302\210\002\175\006
++\267\065\002\301\140\311\277\304\350\224\336\324\323\251\023\045
++\132\376\156\242\256\175\005\334\175\363\154\360\176\246\215\356
++\331\327\316\130\027\350\251\051\256\163\110\207\347\233\312\156
++\051\241\144\137\031\023\367\256\006\020\377\121\306\233\115\125
++\045\117\223\231\020\001\123\165\361\023\316\307\246\101\101\322
++\277\210\245\177\105\374\254\270\245\265\063\014\202\304\373\007
++\366\152\345\045\204\137\006\312\301\206\071\021\333\130\315\167
++\073\054\302\114\017\136\232\343\360\253\076\141\033\120\044\302
++\300\364\361\031\360\021\051\266\245\030\002\233\327\143\114\160
++\214\107\243\003\103\134\271\135\106\240\015\157\377\131\216\276
++\335\237\162\303\133\053\337\214\133\316\345\014\106\154\222\262
++\012\243\114\124\102\030\025\022\030\275\332\374\272\164\156\377
++\301\266\240\144\330\251\137\125\256\237\134\152\166\226\330\163
++\147\207\373\115\177\134\356\151\312\163\020\373\212\251\375\236
++\275\066\070\111\111\207\364\016\024\360\351\207\270\077\247\117
++\172\132\216\171\324\223\344\273\150\122\204\254\154\351\363\230
++\160\125\162\062\371\064\253\053\111\265\315\040\142\344\072\172
++\147\143\253\226\334\155\256\227\354\374\237\166\126\210\056\146
++\317\133\266\311\244\260\327\005\272\341\047\057\223\273\046\052
++\242\223\260\033\363\216\276\035\100\243\271\066\217\076\202\032
++\032\136\210\352\120\370\131\342\203\106\051\013\343\104\134\341
++\225\266\151\220\232\024\157\227\256\201\317\150\357\231\232\276
++\265\347\341\177\370\372\023\107\026\114\314\155\010\100\347\213
++\170\157\120\202\104\120\077\146\006\212\253\103\204\126\112\017
++\040\055\206\016\365\322\333\322\172\212\113\315\245\350\116\361
++\136\046\045\001\131\043\240\176\322\366\176\041\127\327\047\274
++\025\127\114\244\106\301\340\203\036\014\114\115\037\117\006\031
++\342\371\250\364\072\202\241\262\171\103\171\326\255\157\172\047
++\220\003\244\352\044\207\077\331\275\331\351\362\137\120\111\034
++\356\354\327\056
++END
++
++# Trust for "Staat der Nederlanden EV Root CA"
++# Issuer: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
++# Serial Number: 10000013 (0x98968d)
++# Subject: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
++# Not Valid Before: Wed Dec 08 11:19:29 2010
++# Not Valid After : Thu Dec 08 11:10:28 2022
++# Fingerprint (SHA-256): 4D:24:91:41:4C:FE:95:67:46:EC:4C:EF:A6:CF:6F:72:E2:8A:13:29:43:2F:9D:8A:90:7A:C4:CB:5D:AD:C1:5A
++# Fingerprint (SHA1): 76:E2:7E:C1:4F:DB:82:C1:C0:A6:75:B5:05:BE:3D:29:B4:ED:DB:BB
++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "Staat der Nederlanden EV Root CA"
++CKA_CERT_SHA1_HASH MULTILINE_OCTAL
++\166\342\176\301\117\333\202\301\300\246\165\265\005\276\075\051
++\264\355\333\273
++END
++CKA_CERT_MD5_HASH MULTILINE_OCTAL
++\374\006\257\173\350\032\361\232\264\350\322\160\037\300\365\272
++END
++CKA_ISSUER MULTILINE_OCTAL
++\060\130\061\013\060\011\006\003\125\004\006\023\002\116\114\061
++\036\060\034\006\003\125\004\012\014\025\123\164\141\141\164\040
++\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\061
++\051\060\047\006\003\125\004\003\014\040\123\164\141\141\164\040
++\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\040
++\105\126\040\122\157\157\164\040\103\101
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\004\000\230\226\215
++END
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
++
++#
++# Certificate "IdenTrust Commercial Root CA 1"
++#
++# Issuer: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US
++# Serial Number:0a:01:42:80:00:00:01:45:23:c8:44:b5:00:00:00:02
++# Subject: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US
++# Not Valid Before: Thu Jan 16 18:12:23 2014
++# Not Valid After : Mon Jan 16 18:12:23 2034
++# Fingerprint (SHA-256): 5D:56:49:9B:E4:D2:E0:8B:CF:CA:D0:8A:3E:38:72:3D:50:50:3B:DE:70:69:48:E4:2F:55:60:30:19:E5:28:AE
++# Fingerprint (SHA1): DF:71:7E:AA:4A:D9:4E:C9:55:84:99:60:2D:48:DE:5F:BC:F0:3A:25
++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "IdenTrust Commercial Root CA 1"
++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
++CKA_SUBJECT MULTILINE_OCTAL
++\060\112\061\013\060\011\006\003\125\004\006\023\002\125\123\061
++\022\060\020\006\003\125\004\012\023\011\111\144\145\156\124\162
++\165\163\164\061\047\060\045\006\003\125\004\003\023\036\111\144
++\145\156\124\162\165\163\164\040\103\157\155\155\145\162\143\151
++\141\154\040\122\157\157\164\040\103\101\040\061
++END
++CKA_ID UTF8 "0"
++CKA_ISSUER MULTILINE_OCTAL
++\060\112\061\013\060\011\006\003\125\004\006\023\002\125\123\061
++\022\060\020\006\003\125\004\012\023\011\111\144\145\156\124\162
++\165\163\164\061\047\060\045\006\003\125\004\003\023\036\111\144
++\145\156\124\162\165\163\164\040\103\157\155\155\145\162\143\151
++\141\154\040\122\157\157\164\040\103\101\040\061
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\020\012\001\102\200\000\000\001\105\043\310\104\265\000\000
++\000\002
++END
++CKA_VALUE MULTILINE_OCTAL
++\060\202\005\140\060\202\003\110\240\003\002\001\002\002\020\012
++\001\102\200\000\000\001\105\043\310\104\265\000\000\000\002\060
++\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060\112
++\061\013\060\011\006\003\125\004\006\023\002\125\123\061\022\060
++\020\006\003\125\004\012\023\011\111\144\145\156\124\162\165\163
++\164\061\047\060\045\006\003\125\004\003\023\036\111\144\145\156
++\124\162\165\163\164\040\103\157\155\155\145\162\143\151\141\154
++\040\122\157\157\164\040\103\101\040\061\060\036\027\015\061\064
++\060\061\061\066\061\070\061\062\062\063\132\027\015\063\064\060
++\061\061\066\061\070\061\062\062\063\132\060\112\061\013\060\011
++\006\003\125\004\006\023\002\125\123\061\022\060\020\006\003\125
++\004\012\023\011\111\144\145\156\124\162\165\163\164\061\047\060
++\045\006\003\125\004\003\023\036\111\144\145\156\124\162\165\163
++\164\040\103\157\155\155\145\162\143\151\141\154\040\122\157\157
++\164\040\103\101\040\061\060\202\002\042\060\015\006\011\052\206
++\110\206\367\015\001\001\001\005\000\003\202\002\017\000\060\202
++\002\012\002\202\002\001\000\247\120\031\336\077\231\075\324\063
++\106\361\157\121\141\202\262\251\117\217\147\211\135\204\331\123
++\335\014\050\331\327\360\377\256\225\103\162\231\371\265\135\174
++\212\301\102\341\061\120\164\321\201\015\174\315\233\041\253\103
++\342\254\255\136\206\156\363\011\212\037\132\062\275\242\353\224
++\371\350\134\012\354\377\230\322\257\161\263\264\123\237\116\207
++\357\222\274\275\354\117\062\060\210\113\027\136\127\304\123\302
++\366\002\227\215\331\142\053\277\044\037\142\215\337\303\270\051
++\113\111\170\074\223\140\210\042\374\231\332\066\310\302\242\324
++\054\124\000\147\065\156\163\277\002\130\360\244\335\345\260\242
++\046\172\312\340\066\245\031\026\365\375\267\357\256\077\100\365
++\155\132\004\375\316\064\312\044\334\164\043\033\135\063\023\022
++\135\304\001\045\366\060\335\002\135\237\340\325\107\275\264\353
++\033\241\273\111\111\330\237\133\002\363\212\344\044\220\344\142
++\117\117\301\257\213\016\164\027\250\321\162\210\152\172\001\111
++\314\264\106\171\306\027\261\332\230\036\007\131\372\165\041\205
++\145\335\220\126\316\373\253\245\140\235\304\235\371\122\260\213
++\275\207\371\217\053\043\012\043\166\073\367\063\341\311\000\363
++\151\371\113\242\340\116\274\176\223\071\204\007\367\104\160\176
++\376\007\132\345\261\254\321\030\314\362\065\345\111\111\010\312
++\126\311\075\373\017\030\175\213\073\301\023\302\115\217\311\117
++\016\067\351\037\241\016\152\337\142\056\313\065\006\121\171\054
++\310\045\070\364\372\113\247\211\134\234\322\343\015\071\206\112
++\164\174\325\131\207\302\077\116\014\134\122\364\075\367\122\202
++\361\352\243\254\375\111\064\032\050\363\101\210\072\023\356\350
++\336\377\231\035\137\272\313\350\036\362\271\120\140\300\061\323
++\163\345\357\276\240\355\063\013\164\276\040\040\304\147\154\360
++\010\003\172\125\200\177\106\116\226\247\364\036\076\341\366\330
++\011\341\063\144\053\143\327\062\136\237\371\300\173\017\170\157
++\227\274\223\232\371\234\022\220\170\172\200\207\025\327\162\164
++\234\125\164\170\261\272\341\156\160\004\272\117\240\272\150\303
++\173\377\061\360\163\075\075\224\052\261\013\101\016\240\376\115
++\210\145\153\171\063\264\327\002\003\001\000\001\243\102\060\100
++\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006
++\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001
++\377\060\035\006\003\125\035\016\004\026\004\024\355\104\031\300
++\323\360\006\213\356\244\173\276\102\347\046\124\310\216\066\166
++\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\003
++\202\002\001\000\015\256\220\062\366\246\113\174\104\166\031\141
++\036\047\050\315\136\124\357\045\274\343\010\220\371\051\327\256
++\150\010\341\224\000\130\357\056\056\176\123\122\214\266\134\007
++\352\210\272\231\213\120\224\327\202\200\337\141\011\000\223\255
++\015\024\346\316\301\362\067\224\170\260\137\234\263\242\163\270
++\217\005\223\070\315\215\076\260\270\373\300\317\261\362\354\055
++\055\033\314\354\252\232\263\252\140\202\033\055\073\303\204\075
++\127\212\226\036\234\165\270\323\060\315\140\010\203\220\323\216
++\124\361\115\146\300\135\164\003\100\243\356\205\176\302\037\167
++\234\006\350\301\247\030\135\122\225\355\311\335\045\236\155\372
++\251\355\243\072\064\320\131\173\332\355\120\363\065\277\355\353
++\024\115\061\307\140\364\332\361\207\234\342\110\342\306\305\067
++\373\006\020\372\165\131\146\061\107\051\332\166\232\034\351\202
++\256\357\232\271\121\367\210\043\232\151\225\142\074\345\125\200
++\066\327\124\002\377\361\271\135\316\324\043\157\330\105\204\112
++\133\145\357\211\014\335\024\247\040\313\030\245\045\264\015\371
++\001\360\242\322\364\000\310\164\216\241\052\110\216\145\333\023
++\304\342\045\027\175\353\276\207\133\027\040\124\121\223\112\123
++\003\013\354\135\312\063\355\142\375\105\307\057\133\334\130\240
++\200\071\346\372\327\376\023\024\246\355\075\224\112\102\164\324
++\303\167\131\163\315\217\106\276\125\070\357\372\350\221\062\352
++\227\130\004\042\336\070\303\314\274\155\311\063\072\152\012\151
++\077\240\310\352\162\217\214\143\206\043\275\155\074\226\236\225
++\340\111\114\252\242\271\052\033\234\066\201\170\355\303\350\106
++\342\046\131\104\165\036\331\165\211\121\315\020\204\235\141\140
++\313\135\371\227\042\115\216\230\346\343\177\366\133\273\256\315
++\312\112\201\153\136\013\363\121\341\164\053\351\176\047\247\331
++\231\111\116\370\245\200\333\045\017\034\143\142\212\311\063\147
++\153\074\020\203\306\255\336\250\315\026\216\215\360\007\067\161
++\237\362\253\374\101\365\301\213\354\000\067\135\011\345\116\200
++\357\372\261\134\070\006\245\033\112\341\334\070\055\074\334\253
++\037\220\032\325\112\234\356\321\160\154\314\356\364\127\370\030
++\272\204\156\207
++END
++
++# Trust for "IdenTrust Commercial Root CA 1"
++# Issuer: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US
++# Serial Number:0a:01:42:80:00:00:01:45:23:c8:44:b5:00:00:00:02
++# Subject: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US
++# Not Valid Before: Thu Jan 16 18:12:23 2014
++# Not Valid After : Mon Jan 16 18:12:23 2034
++# Fingerprint (SHA-256): 5D:56:49:9B:E4:D2:E0:8B:CF:CA:D0:8A:3E:38:72:3D:50:50:3B:DE:70:69:48:E4:2F:55:60:30:19:E5:28:AE
++# Fingerprint (SHA1): DF:71:7E:AA:4A:D9:4E:C9:55:84:99:60:2D:48:DE:5F:BC:F0:3A:25
++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "IdenTrust Commercial Root CA 1"
++CKA_CERT_SHA1_HASH MULTILINE_OCTAL
++\337\161\176\252\112\331\116\311\125\204\231\140\055\110\336\137
++\274\360\072\045
++END
++CKA_CERT_MD5_HASH MULTILINE_OCTAL
++\263\076\167\163\165\356\240\323\343\176\111\143\111\131\273\307
++END
++CKA_ISSUER MULTILINE_OCTAL
++\060\112\061\013\060\011\006\003\125\004\006\023\002\125\123\061
++\022\060\020\006\003\125\004\012\023\011\111\144\145\156\124\162
++\165\163\164\061\047\060\045\006\003\125\004\003\023\036\111\144
++\145\156\124\162\165\163\164\040\103\157\155\155\145\162\143\151
++\141\154\040\122\157\157\164\040\103\101\040\061
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\020\012\001\102\200\000\000\001\105\043\310\104\265\000\000
++\000\002
++END
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
++
++#
++# Certificate "IdenTrust Public Sector Root CA 1"
++#
++# Issuer: CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US
++# Serial Number:0a:01:42:80:00:00:01:45:23:cf:46:7c:00:00:00:02
++# Subject: CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US
++# Not Valid Before: Thu Jan 16 17:53:32 2014
++# Not Valid After : Mon Jan 16 17:53:32 2034
++# Fingerprint (SHA-256): 30:D0:89:5A:9A:44:8A:26:20:91:63:55:22:D1:F5:20:10:B5:86:7A:CA:E1:2C:78:EF:95:8F:D4:F4:38:9F:2F
++# Fingerprint (SHA1): BA:29:41:60:77:98:3F:F4:F3:EF:F2:31:05:3B:2E:EA:6D:4D:45:FD
++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "IdenTrust Public Sector Root CA 1"
++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
++CKA_SUBJECT MULTILINE_OCTAL
++\060\115\061\013\060\011\006\003\125\004\006\023\002\125\123\061
++\022\060\020\006\003\125\004\012\023\011\111\144\145\156\124\162
++\165\163\164\061\052\060\050\006\003\125\004\003\023\041\111\144
++\145\156\124\162\165\163\164\040\120\165\142\154\151\143\040\123
++\145\143\164\157\162\040\122\157\157\164\040\103\101\040\061
++END
++CKA_ID UTF8 "0"
++CKA_ISSUER MULTILINE_OCTAL
++\060\115\061\013\060\011\006\003\125\004\006\023\002\125\123\061
++\022\060\020\006\003\125\004\012\023\011\111\144\145\156\124\162
++\165\163\164\061\052\060\050\006\003\125\004\003\023\041\111\144
++\145\156\124\162\165\163\164\040\120\165\142\154\151\143\040\123
++\145\143\164\157\162\040\122\157\157\164\040\103\101\040\061
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\020\012\001\102\200\000\000\001\105\043\317\106\174\000\000
++\000\002
++END
++CKA_VALUE MULTILINE_OCTAL
++\060\202\005\146\060\202\003\116\240\003\002\001\002\002\020\012
++\001\102\200\000\000\001\105\043\317\106\174\000\000\000\002\060
++\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060\115
++\061\013\060\011\006\003\125\004\006\023\002\125\123\061\022\060
++\020\006\003\125\004\012\023\011\111\144\145\156\124\162\165\163
++\164\061\052\060\050\006\003\125\004\003\023\041\111\144\145\156
++\124\162\165\163\164\040\120\165\142\154\151\143\040\123\145\143
++\164\157\162\040\122\157\157\164\040\103\101\040\061\060\036\027
++\015\061\064\060\061\061\066\061\067\065\063\063\062\132\027\015
++\063\064\060\061\061\066\061\067\065\063\063\062\132\060\115\061
++\013\060\011\006\003\125\004\006\023\002\125\123\061\022\060\020
++\006\003\125\004\012\023\011\111\144\145\156\124\162\165\163\164
++\061\052\060\050\006\003\125\004\003\023\041\111\144\145\156\124
++\162\165\163\164\040\120\165\142\154\151\143\040\123\145\143\164
++\157\162\040\122\157\157\164\040\103\101\040\061\060\202\002\042
++\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
++\202\002\017\000\060\202\002\012\002\202\002\001\000\266\042\224
++\374\244\110\257\350\107\153\012\373\047\166\344\362\077\212\073
++\172\112\054\061\052\214\215\260\251\303\061\153\250\167\166\204
++\046\266\254\201\102\015\010\353\125\130\273\172\370\274\145\175
++\362\240\155\213\250\107\351\142\166\036\021\356\010\024\321\262
++\104\026\364\352\320\372\036\057\136\333\313\163\101\256\274\000
++\260\112\053\100\262\254\341\073\113\302\055\235\344\241\233\354
++\032\072\036\360\010\263\320\344\044\065\007\237\234\264\311\122
++\155\333\007\312\217\265\133\360\203\363\117\307\055\245\310\255
++\313\225\040\244\061\050\127\130\132\344\215\033\232\253\236\015
++\014\362\012\063\071\042\071\012\227\056\363\123\167\271\104\105
++\375\204\313\066\040\201\131\055\232\157\155\110\110\141\312\114
++\337\123\321\257\122\274\104\237\253\057\153\203\162\357\165\200
++\332\006\063\033\135\310\332\143\306\115\315\254\146\061\315\321
++\336\076\207\020\066\341\271\244\172\357\140\120\262\313\312\246
++\126\340\067\257\253\064\023\071\045\350\071\146\344\230\172\252
++\022\230\234\131\146\206\076\255\361\260\312\076\006\017\173\360
++\021\113\067\240\104\155\173\313\250\214\161\364\325\265\221\066
++\314\360\025\306\053\336\121\027\261\227\114\120\075\261\225\131
++\174\005\175\055\041\325\000\277\001\147\242\136\173\246\134\362
++\367\042\361\220\015\223\333\252\104\121\146\314\175\166\003\353
++\152\250\052\070\031\227\166\015\153\212\141\371\274\366\356\166
++\375\160\053\335\051\074\370\012\036\133\102\034\213\126\057\125
++\033\034\241\056\265\307\026\346\370\252\074\222\216\151\266\001
++\301\265\206\235\211\017\013\070\224\124\350\352\334\236\075\045
++\274\123\046\355\325\253\071\252\305\100\114\124\253\262\264\331
++\331\370\327\162\333\034\274\155\275\145\137\357\210\065\052\146
++\057\356\366\263\145\360\063\215\174\230\101\151\106\017\103\034
++\151\372\233\265\320\141\152\315\312\113\331\114\220\106\253\025
++\131\241\107\124\051\056\203\050\137\034\302\242\253\162\027\000
++\006\216\105\354\213\342\063\075\177\332\031\104\344\142\162\303
++\337\042\306\362\126\324\335\137\225\162\355\155\137\367\110\003
++\133\375\305\052\240\366\163\043\204\020\033\001\347\002\003\001
++\000\001\243\102\060\100\060\016\006\003\125\035\017\001\001\377
++\004\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377
++\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026
++\004\024\343\161\340\236\330\247\102\331\333\161\221\153\224\223
++\353\303\243\321\024\243\060\015\006\011\052\206\110\206\367\015
++\001\001\013\005\000\003\202\002\001\000\107\372\335\012\260\021
++\221\070\255\115\135\367\345\016\227\124\031\202\110\207\124\214
++\252\144\231\330\132\376\210\001\305\130\245\231\261\043\124\043
++\267\152\035\040\127\345\001\142\101\027\323\011\333\165\313\156
++\124\220\165\376\032\237\201\012\302\335\327\367\011\320\133\162
++\025\344\036\011\152\075\063\363\041\232\346\025\176\255\121\325
++\015\020\355\175\102\300\217\356\300\232\010\325\101\326\134\016
++\041\151\156\200\141\016\025\300\270\317\305\111\022\122\314\276
++\072\314\324\056\070\005\336\065\375\037\157\270\200\150\230\075
++\115\240\312\100\145\322\163\174\365\213\331\012\225\077\330\077
++\043\155\032\321\052\044\031\331\205\263\027\357\170\156\251\130
++\321\043\323\307\023\355\162\045\177\135\261\163\160\320\177\006
++\227\011\204\051\200\141\035\372\136\377\163\254\240\343\211\270
++\034\161\025\306\336\061\177\022\334\341\155\233\257\347\350\237
++\165\170\114\253\106\073\232\316\277\005\030\135\115\025\074\026
++\232\031\120\004\232\262\232\157\145\213\122\137\074\130\004\050
++\045\300\146\141\061\176\271\340\165\271\032\250\201\326\162\027
++\263\305\003\061\065\021\170\170\242\340\351\060\214\177\200\337
++\130\337\074\272\047\226\342\200\064\155\343\230\323\144\047\254
++\110\176\050\167\134\306\045\141\045\370\205\014\145\372\304\062
++\057\245\230\005\344\370\013\147\026\026\306\202\270\062\031\371
++\371\271\171\334\037\315\353\257\253\016\335\033\333\105\344\172
++\347\002\342\225\135\374\151\360\123\151\141\225\165\171\013\136
++\125\346\070\034\224\251\131\063\236\310\161\164\171\177\121\211
++\266\310\152\270\060\310\152\070\303\156\236\341\067\026\352\005
++\142\114\133\022\107\355\247\264\263\130\126\307\111\363\177\022
++\150\011\061\161\360\155\370\116\107\373\326\205\356\305\130\100
++\031\244\035\247\371\113\103\067\334\150\132\117\317\353\302\144
++\164\336\264\025\331\364\124\124\032\057\034\327\227\161\124\220
++\216\331\040\235\123\053\177\253\217\342\352\060\274\120\067\357
++\361\107\265\175\174\054\004\354\150\235\264\111\104\020\364\162
++\113\034\144\347\374\346\153\220\335\151\175\151\375\000\126\245
++\267\254\266\255\267\312\076\001\357\234
++END
++
++# Trust for "IdenTrust Public Sector Root CA 1"
++# Issuer: CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US
++# Serial Number:0a:01:42:80:00:00:01:45:23:cf:46:7c:00:00:00:02
++# Subject: CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US
++# Not Valid Before: Thu Jan 16 17:53:32 2014
++# Not Valid After : Mon Jan 16 17:53:32 2034
++# Fingerprint (SHA-256): 30:D0:89:5A:9A:44:8A:26:20:91:63:55:22:D1:F5:20:10:B5:86:7A:CA:E1:2C:78:EF:95:8F:D4:F4:38:9F:2F
++# Fingerprint (SHA1): BA:29:41:60:77:98:3F:F4:F3:EF:F2:31:05:3B:2E:EA:6D:4D:45:FD
++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "IdenTrust Public Sector Root CA 1"
++CKA_CERT_SHA1_HASH MULTILINE_OCTAL
++\272\051\101\140\167\230\077\364\363\357\362\061\005\073\056\352
++\155\115\105\375
++END
++CKA_CERT_MD5_HASH MULTILINE_OCTAL
++\067\006\245\260\374\211\235\272\364\153\214\032\144\315\325\272
++END
++CKA_ISSUER MULTILINE_OCTAL
++\060\115\061\013\060\011\006\003\125\004\006\023\002\125\123\061
++\022\060\020\006\003\125\004\012\023\011\111\144\145\156\124\162
++\165\163\164\061\052\060\050\006\003\125\004\003\023\041\111\144
++\145\156\124\162\165\163\164\040\120\165\142\154\151\143\040\123
++\145\143\164\157\162\040\122\157\157\164\040\103\101\040\061
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\020\012\001\102\200\000\000\001\105\043\317\106\174\000\000
++\000\002
++END
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
++
++#
++# Certificate "S-TRUST Universal Root CA"
++#
++# Issuer: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE
++# Serial Number:60:56:c5:4b:23:40:5b:64:d4:ed:25:da:d9:d6:1e:1e
++# Subject: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE
++# Not Valid Before: Tue Oct 22 00:00:00 2013
++# Not Valid After : Thu Oct 21 23:59:59 2038
++# Fingerprint (SHA-256): D8:0F:EF:91:0A:E3:F1:04:72:3B:04:5C:EC:2D:01:9F:44:1C:E6:21:3A:DF:15:67:91:E7:0C:17:90:11:0A:31
++# Fingerprint (SHA1): 1B:3D:11:14:EA:7A:0F:95:58:54:41:95:BF:6B:25:82:AB:40:CE:9A
++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "S-TRUST Universal Root CA"
++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
++CKA_SUBJECT MULTILINE_OCTAL
++\060\201\205\061\013\060\011\006\003\125\004\006\023\002\104\105
++\061\051\060\047\006\003\125\004\012\023\040\104\145\165\164\163
++\143\150\145\162\040\123\160\141\162\153\141\163\163\145\156\040
++\126\145\162\154\141\147\040\107\155\142\110\061\047\060\045\006
++\003\125\004\013\023\036\123\055\124\122\125\123\124\040\103\145
++\162\164\151\146\151\143\141\164\151\157\156\040\123\145\162\166
++\151\143\145\163\061\042\060\040\006\003\125\004\003\023\031\123
++\055\124\122\125\123\124\040\125\156\151\166\145\162\163\141\154
++\040\122\157\157\164\040\103\101
++END
++CKA_ID UTF8 "0"
++CKA_ISSUER MULTILINE_OCTAL
++\060\201\205\061\013\060\011\006\003\125\004\006\023\002\104\105
++\061\051\060\047\006\003\125\004\012\023\040\104\145\165\164\163
++\143\150\145\162\040\123\160\141\162\153\141\163\163\145\156\040
++\126\145\162\154\141\147\040\107\155\142\110\061\047\060\045\006
++\003\125\004\013\023\036\123\055\124\122\125\123\124\040\103\145
++\162\164\151\146\151\143\141\164\151\157\156\040\123\145\162\166
++\151\143\145\163\061\042\060\040\006\003\125\004\003\023\031\123
++\055\124\122\125\123\124\040\125\156\151\166\145\162\163\141\154
++\040\122\157\157\164\040\103\101
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\020\140\126\305\113\043\100\133\144\324\355\045\332\331\326
++\036\036
++END
++CKA_VALUE MULTILINE_OCTAL
++\060\202\003\330\060\202\002\300\240\003\002\001\002\002\020\140
++\126\305\113\043\100\133\144\324\355\045\332\331\326\036\036\060
++\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060\201
++\205\061\013\060\011\006\003\125\004\006\023\002\104\105\061\051
++\060\047\006\003\125\004\012\023\040\104\145\165\164\163\143\150
++\145\162\040\123\160\141\162\153\141\163\163\145\156\040\126\145
++\162\154\141\147\040\107\155\142\110\061\047\060\045\006\003\125
++\004\013\023\036\123\055\124\122\125\123\124\040\103\145\162\164
++\151\146\151\143\141\164\151\157\156\040\123\145\162\166\151\143
++\145\163\061\042\060\040\006\003\125\004\003\023\031\123\055\124
++\122\125\123\124\040\125\156\151\166\145\162\163\141\154\040\122
++\157\157\164\040\103\101\060\036\027\015\061\063\061\060\062\062
++\060\060\060\060\060\060\132\027\015\063\070\061\060\062\061\062
++\063\065\071\065\071\132\060\201\205\061\013\060\011\006\003\125
++\004\006\023\002\104\105\061\051\060\047\006\003\125\004\012\023
++\040\104\145\165\164\163\143\150\145\162\040\123\160\141\162\153
++\141\163\163\145\156\040\126\145\162\154\141\147\040\107\155\142
++\110\061\047\060\045\006\003\125\004\013\023\036\123\055\124\122
++\125\123\124\040\103\145\162\164\151\146\151\143\141\164\151\157
++\156\040\123\145\162\166\151\143\145\163\061\042\060\040\006\003
++\125\004\003\023\031\123\055\124\122\125\123\124\040\125\156\151
++\166\145\162\163\141\154\040\122\157\157\164\040\103\101\060\202
++\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005
++\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000\250
++\343\013\337\021\067\205\202\232\265\154\146\174\141\077\300\107
++\032\035\106\343\260\125\144\345\270\202\071\050\007\176\027\377
++\364\233\212\360\221\201\352\070\077\041\170\154\110\354\153\057
++\242\323\212\162\262\247\327\331\352\177\264\300\111\153\060\045
++\211\214\353\267\325\100\141\230\342\334\074\040\222\315\145\112
++\162\237\032\216\214\372\045\025\277\363\041\203\050\015\213\257
++\131\021\202\103\134\233\115\045\121\177\130\030\143\140\073\263
++\265\212\213\130\143\067\110\110\220\104\302\100\335\135\367\103
++\151\051\230\134\022\145\136\253\220\222\113\146\337\325\165\022
++\123\124\030\246\336\212\326\273\127\003\071\131\231\030\005\014
++\371\375\025\306\220\144\106\027\202\327\302\112\101\075\375\000
++\276\127\162\030\224\167\033\123\132\211\001\366\063\162\016\223
++\072\334\350\036\375\005\005\326\274\163\340\210\334\253\117\354
++\265\030\206\117\171\204\016\110\052\146\052\335\062\310\170\145
++\310\013\235\130\001\005\161\355\201\365\150\027\156\313\015\264
++\113\330\241\354\256\070\353\034\130\057\241\145\003\064\057\002
++\003\001\000\001\243\102\060\100\060\017\006\003\125\035\023\001
++\001\377\004\005\060\003\001\001\377\060\016\006\003\125\035\017
++\001\001\377\004\004\003\002\001\006\060\035\006\003\125\035\016
++\004\026\004\024\232\175\327\353\353\177\124\230\105\051\264\040
++\253\155\013\226\043\031\244\302\060\015\006\011\052\206\110\206
++\367\015\001\001\013\005\000\003\202\001\001\000\116\226\022\333
++\176\167\136\222\047\236\041\027\030\202\166\330\077\274\245\011
++\004\146\210\211\255\333\125\263\063\152\306\145\304\217\115\363
++\062\066\334\171\004\226\251\167\062\321\227\365\030\153\214\272
++\355\316\021\320\104\307\222\361\264\104\216\355\210\122\110\236
++\325\375\131\370\243\036\121\373\001\122\345\137\345\172\335\252
++\044\117\042\213\335\166\106\366\245\240\017\065\330\312\017\230
++\271\060\135\040\157\302\201\036\275\275\300\376\025\323\070\052
++\011\223\230\047\033\223\173\320\053\064\136\150\245\025\117\321
++\122\303\240\312\240\203\105\035\365\365\267\131\163\135\131\001
++\217\252\302\107\057\024\161\325\051\343\020\265\107\223\045\314
++\043\051\332\267\162\330\221\324\354\033\110\212\042\344\301\052
++\367\072\150\223\237\105\031\156\103\267\314\376\270\221\232\141
++\032\066\151\143\144\222\050\363\157\141\222\205\023\237\311\007
++\054\213\127\334\353\236\171\325\302\336\010\325\124\262\127\116
++\052\062\215\241\342\072\321\020\040\042\071\175\064\105\157\161
++\073\303\035\374\377\262\117\250\342\366\060\036
++END
++
++# Trust for "S-TRUST Universal Root CA"
++# Issuer: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE
++# Serial Number:60:56:c5:4b:23:40:5b:64:d4:ed:25:da:d9:d6:1e:1e
++# Subject: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE
++# Not Valid Before: Tue Oct 22 00:00:00 2013
++# Not Valid After : Thu Oct 21 23:59:59 2038
++# Fingerprint (SHA-256): D8:0F:EF:91:0A:E3:F1:04:72:3B:04:5C:EC:2D:01:9F:44:1C:E6:21:3A:DF:15:67:91:E7:0C:17:90:11:0A:31
++# Fingerprint (SHA1): 1B:3D:11:14:EA:7A:0F:95:58:54:41:95:BF:6B:25:82:AB:40:CE:9A
++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "S-TRUST Universal Root CA"
++CKA_CERT_SHA1_HASH MULTILINE_OCTAL
++\033\075\021\024\352\172\017\225\130\124\101\225\277\153\045\202
++\253\100\316\232
++END
++CKA_CERT_MD5_HASH MULTILINE_OCTAL
++\130\366\101\001\256\365\133\121\231\116\134\041\350\117\324\146
++END
++CKA_ISSUER MULTILINE_OCTAL
++\060\201\205\061\013\060\011\006\003\125\004\006\023\002\104\105
++\061\051\060\047\006\003\125\004\012\023\040\104\145\165\164\163
++\143\150\145\162\040\123\160\141\162\153\141\163\163\145\156\040
++\126\145\162\154\141\147\040\107\155\142\110\061\047\060\045\006
++\003\125\004\013\023\036\123\055\124\122\125\123\124\040\103\145
++\162\164\151\146\151\143\141\164\151\157\156\040\123\145\162\166
++\151\143\145\163\061\042\060\040\006\003\125\004\003\023\031\123
++\055\124\122\125\123\124\040\125\156\151\166\145\162\163\141\154
++\040\122\157\157\164\040\103\101
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\020\140\126\305\113\043\100\133\144\324\355\045\332\331\326
++\036\036
++END
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
++
++#
++# Certificate "Entrust Root Certification Authority - G2"
++#
++# Issuer: CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
++# Serial Number: 1246989352 (0x4a538c28)
++# Subject: CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
++# Not Valid Before: Tue Jul 07 17:25:54 2009
++# Not Valid After : Sat Dec 07 17:55:54 2030
++# Fingerprint (SHA-256): 43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39
++# Fingerprint (SHA1): 8C:F4:27:FD:79:0C:3A:D1:66:06:8D:E8:1E:57:EF:BB:93:22:72:D4
++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "Entrust Root Certification Authority - G2"
++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
++CKA_SUBJECT MULTILINE_OCTAL
++\060\201\276\061\013\060\011\006\003\125\004\006\023\002\125\123
++\061\026\060\024\006\003\125\004\012\023\015\105\156\164\162\165
++\163\164\054\040\111\156\143\056\061\050\060\046\006\003\125\004
++\013\023\037\123\145\145\040\167\167\167\056\145\156\164\162\165
++\163\164\056\156\145\164\057\154\145\147\141\154\055\164\145\162
++\155\163\061\071\060\067\006\003\125\004\013\023\060\050\143\051
++\040\062\060\060\071\040\105\156\164\162\165\163\164\054\040\111
++\156\143\056\040\055\040\146\157\162\040\141\165\164\150\157\162
++\151\172\145\144\040\165\163\145\040\157\156\154\171\061\062\060
++\060\006\003\125\004\003\023\051\105\156\164\162\165\163\164\040
++\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164\151
++\157\156\040\101\165\164\150\157\162\151\164\171\040\055\040\107
++\062
++END
++CKA_ID UTF8 "0"
++CKA_ISSUER MULTILINE_OCTAL
++\060\201\276\061\013\060\011\006\003\125\004\006\023\002\125\123
++\061\026\060\024\006\003\125\004\012\023\015\105\156\164\162\165
++\163\164\054\040\111\156\143\056\061\050\060\046\006\003\125\004
++\013\023\037\123\145\145\040\167\167\167\056\145\156\164\162\165
++\163\164\056\156\145\164\057\154\145\147\141\154\055\164\145\162
++\155\163\061\071\060\067\006\003\125\004\013\023\060\050\143\051
++\040\062\060\060\071\040\105\156\164\162\165\163\164\054\040\111
++\156\143\056\040\055\040\146\157\162\040\141\165\164\150\157\162
++\151\172\145\144\040\165\163\145\040\157\156\154\171\061\062\060
++\060\006\003\125\004\003\023\051\105\156\164\162\165\163\164\040
++\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164\151
++\157\156\040\101\165\164\150\157\162\151\164\171\040\055\040\107
++\062
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\004\112\123\214\050
++END
++CKA_VALUE MULTILINE_OCTAL
++\060\202\004\076\060\202\003\046\240\003\002\001\002\002\004\112
++\123\214\050\060\015\006\011\052\206\110\206\367\015\001\001\013
++\005\000\060\201\276\061\013\060\011\006\003\125\004\006\023\002
++\125\123\061\026\060\024\006\003\125\004\012\023\015\105\156\164
++\162\165\163\164\054\040\111\156\143\056\061\050\060\046\006\003
++\125\004\013\023\037\123\145\145\040\167\167\167\056\145\156\164
++\162\165\163\164\056\156\145\164\057\154\145\147\141\154\055\164
++\145\162\155\163\061\071\060\067\006\003\125\004\013\023\060\050
++\143\051\040\062\060\060\071\040\105\156\164\162\165\163\164\054
++\040\111\156\143\056\040\055\040\146\157\162\040\141\165\164\150
++\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171\061
++\062\060\060\006\003\125\004\003\023\051\105\156\164\162\165\163
++\164\040\122\157\157\164\040\103\145\162\164\151\146\151\143\141
++\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040\055
++\040\107\062\060\036\027\015\060\071\060\067\060\067\061\067\062
++\065\065\064\132\027\015\063\060\061\062\060\067\061\067\065\065
++\065\064\132\060\201\276\061\013\060\011\006\003\125\004\006\023
++\002\125\123\061\026\060\024\006\003\125\004\012\023\015\105\156
++\164\162\165\163\164\054\040\111\156\143\056\061\050\060\046\006
++\003\125\004\013\023\037\123\145\145\040\167\167\167\056\145\156
++\164\162\165\163\164\056\156\145\164\057\154\145\147\141\154\055
++\164\145\162\155\163\061\071\060\067\006\003\125\004\013\023\060
++\050\143\051\040\062\060\060\071\040\105\156\164\162\165\163\164
++\054\040\111\156\143\056\040\055\040\146\157\162\040\141\165\164
++\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171
++\061\062\060\060\006\003\125\004\003\023\051\105\156\164\162\165
++\163\164\040\122\157\157\164\040\103\145\162\164\151\146\151\143
++\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040
++\055\040\107\062\060\202\001\042\060\015\006\011\052\206\110\206
++\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012
++\002\202\001\001\000\272\204\266\162\333\236\014\153\342\231\351
++\060\001\247\166\352\062\270\225\101\032\311\332\141\116\130\162
++\317\376\366\202\171\277\163\141\006\012\245\047\330\263\137\323
++\105\116\034\162\326\116\062\362\162\212\017\367\203\031\320\152
++\200\200\000\105\036\260\307\347\232\277\022\127\047\034\243\150
++\057\012\207\275\152\153\016\136\145\363\034\167\325\324\205\215
++\160\041\264\263\062\347\213\242\325\206\071\002\261\270\322\107
++\316\344\311\111\304\073\247\336\373\124\175\127\276\360\350\156
++\302\171\262\072\013\125\342\120\230\026\062\023\134\057\170\126
++\301\302\224\263\362\132\344\047\232\237\044\327\306\354\320\233
++\045\202\343\314\302\304\105\305\214\227\172\006\153\052\021\237
++\251\012\156\110\073\157\333\324\021\031\102\367\217\007\277\365
++\123\137\234\076\364\027\054\346\151\254\116\062\114\142\167\352
++\267\350\345\273\064\274\031\213\256\234\121\347\267\176\265\123
++\261\063\042\345\155\317\160\074\032\372\342\233\147\266\203\364
++\215\245\257\142\114\115\340\130\254\144\064\022\003\370\266\215
++\224\143\044\244\161\002\003\001\000\001\243\102\060\100\060\016
++\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060\017
++\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060
++\035\006\003\125\035\016\004\026\004\024\152\162\046\172\320\036
++\357\175\347\073\151\121\324\154\215\237\220\022\146\253\060\015
++\006\011\052\206\110\206\367\015\001\001\013\005\000\003\202\001
++\001\000\171\237\035\226\306\266\171\077\042\215\207\323\207\003
++\004\140\152\153\232\056\131\211\163\021\254\103\321\365\023\377
++\215\071\053\300\362\275\117\160\214\251\057\352\027\304\013\124
++\236\324\033\226\230\063\074\250\255\142\242\000\166\253\131\151
++\156\006\035\176\304\271\104\215\230\257\022\324\141\333\012\031
++\106\107\363\353\367\143\301\100\005\100\245\322\267\364\265\232
++\066\277\251\210\166\210\004\125\004\053\234\207\177\032\067\074
++\176\055\245\032\330\324\211\136\312\275\254\075\154\330\155\257
++\325\363\166\017\315\073\210\070\042\235\154\223\232\304\075\277
++\202\033\145\077\246\017\135\252\374\345\262\025\312\265\255\306
++\274\075\320\204\350\352\006\162\260\115\071\062\170\277\076\021
++\234\013\244\235\232\041\363\360\233\013\060\170\333\301\334\207
++\103\376\274\143\232\312\305\302\034\311\307\215\377\073\022\130
++\010\346\266\075\354\172\054\116\373\203\226\316\014\074\151\207
++\124\163\244\163\302\223\377\121\020\254\025\124\001\330\374\005
++\261\211\241\177\164\203\232\111\327\334\116\173\212\110\157\213
++\105\366
++END
++
++# Trust for "Entrust Root Certification Authority - G2"
++# Issuer: CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
++# Serial Number: 1246989352 (0x4a538c28)
++# Subject: CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
++# Not Valid Before: Tue Jul 07 17:25:54 2009
++# Not Valid After : Sat Dec 07 17:55:54 2030
++# Fingerprint (SHA-256): 43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39
++# Fingerprint (SHA1): 8C:F4:27:FD:79:0C:3A:D1:66:06:8D:E8:1E:57:EF:BB:93:22:72:D4
++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "Entrust Root Certification Authority - G2"
++CKA_CERT_SHA1_HASH MULTILINE_OCTAL
++\214\364\047\375\171\014\072\321\146\006\215\350\036\127\357\273
++\223\042\162\324
++END
++CKA_CERT_MD5_HASH MULTILINE_OCTAL
++\113\342\311\221\226\145\014\364\016\132\223\222\240\012\376\262
++END
++CKA_ISSUER MULTILINE_OCTAL
++\060\201\276\061\013\060\011\006\003\125\004\006\023\002\125\123
++\061\026\060\024\006\003\125\004\012\023\015\105\156\164\162\165
++\163\164\054\040\111\156\143\056\061\050\060\046\006\003\125\004
++\013\023\037\123\145\145\040\167\167\167\056\145\156\164\162\165
++\163\164\056\156\145\164\057\154\145\147\141\154\055\164\145\162
++\155\163\061\071\060\067\006\003\125\004\013\023\060\050\143\051
++\040\062\060\060\071\040\105\156\164\162\165\163\164\054\040\111
++\156\143\056\040\055\040\146\157\162\040\141\165\164\150\157\162
++\151\172\145\144\040\165\163\145\040\157\156\154\171\061\062\060
++\060\006\003\125\004\003\023\051\105\156\164\162\165\163\164\040
++\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164\151
++\157\156\040\101\165\164\150\157\162\151\164\171\040\055\040\107
++\062
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\004\112\123\214\050
++END
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
++
++#
++# Certificate "Entrust Root Certification Authority - EC1"
++#
++# Issuer: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
++# Serial Number:00:a6:8b:79:29:00:00:00:00:50:d0:91:f9
++# Subject: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
++# Not Valid Before: Tue Dec 18 15:25:36 2012
++# Not Valid After : Fri Dec 18 15:55:36 2037
++# Fingerprint (SHA-256): 02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5
++# Fingerprint (SHA1): 20:D8:06:40:DF:9B:25:F5:12:25:3A:11:EA:F7:59:8A:EB:14:B5:47
++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "Entrust Root Certification Authority - EC1"
++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
++CKA_SUBJECT MULTILINE_OCTAL
++\060\201\277\061\013\060\011\006\003\125\004\006\023\002\125\123
++\061\026\060\024\006\003\125\004\012\023\015\105\156\164\162\165
++\163\164\054\040\111\156\143\056\061\050\060\046\006\003\125\004
++\013\023\037\123\145\145\040\167\167\167\056\145\156\164\162\165
++\163\164\056\156\145\164\057\154\145\147\141\154\055\164\145\162
++\155\163\061\071\060\067\006\003\125\004\013\023\060\050\143\051
++\040\062\060\061\062\040\105\156\164\162\165\163\164\054\040\111
++\156\143\056\040\055\040\146\157\162\040\141\165\164\150\157\162
++\151\172\145\144\040\165\163\145\040\157\156\154\171\061\063\060
++\061\006\003\125\004\003\023\052\105\156\164\162\165\163\164\040
++\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164\151
++\157\156\040\101\165\164\150\157\162\151\164\171\040\055\040\105
++\103\061
++END
++CKA_ID UTF8 "0"
++CKA_ISSUER MULTILINE_OCTAL
++\060\201\277\061\013\060\011\006\003\125\004\006\023\002\125\123
++\061\026\060\024\006\003\125\004\012\023\015\105\156\164\162\165
++\163\164\054\040\111\156\143\056\061\050\060\046\006\003\125\004
++\013\023\037\123\145\145\040\167\167\167\056\145\156\164\162\165
++\163\164\056\156\145\164\057\154\145\147\141\154\055\164\145\162
++\155\163\061\071\060\067\006\003\125\004\013\023\060\050\143\051
++\040\062\060\061\062\040\105\156\164\162\165\163\164\054\040\111
++\156\143\056\040\055\040\146\157\162\040\141\165\164\150\157\162
++\151\172\145\144\040\165\163\145\040\157\156\154\171\061\063\060
++\061\006\003\125\004\003\023\052\105\156\164\162\165\163\164\040
++\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164\151
++\157\156\040\101\165\164\150\157\162\151\164\171\040\055\040\105
++\103\061
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\015\000\246\213\171\051\000\000\000\000\120\320\221\371
++END
++CKA_VALUE MULTILINE_OCTAL
++\060\202\002\371\060\202\002\200\240\003\002\001\002\002\015\000
++\246\213\171\051\000\000\000\000\120\320\221\371\060\012\006\010
++\052\206\110\316\075\004\003\003\060\201\277\061\013\060\011\006
++\003\125\004\006\023\002\125\123\061\026\060\024\006\003\125\004
++\012\023\015\105\156\164\162\165\163\164\054\040\111\156\143\056
++\061\050\060\046\006\003\125\004\013\023\037\123\145\145\040\167
++\167\167\056\145\156\164\162\165\163\164\056\156\145\164\057\154
++\145\147\141\154\055\164\145\162\155\163\061\071\060\067\006\003
++\125\004\013\023\060\050\143\051\040\062\060\061\062\040\105\156
++\164\162\165\163\164\054\040\111\156\143\056\040\055\040\146\157
++\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163\145
++\040\157\156\154\171\061\063\060\061\006\003\125\004\003\023\052
++\105\156\164\162\165\163\164\040\122\157\157\164\040\103\145\162
++\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157
++\162\151\164\171\040\055\040\105\103\061\060\036\027\015\061\062
++\061\062\061\070\061\065\062\065\063\066\132\027\015\063\067\061
++\062\061\070\061\065\065\065\063\066\132\060\201\277\061\013\060
++\011\006\003\125\004\006\023\002\125\123\061\026\060\024\006\003
++\125\004\012\023\015\105\156\164\162\165\163\164\054\040\111\156
++\143\056\061\050\060\046\006\003\125\004\013\023\037\123\145\145
++\040\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164
++\057\154\145\147\141\154\055\164\145\162\155\163\061\071\060\067
++\006\003\125\004\013\023\060\050\143\051\040\062\060\061\062\040
++\105\156\164\162\165\163\164\054\040\111\156\143\056\040\055\040
++\146\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165
++\163\145\040\157\156\154\171\061\063\060\061\006\003\125\004\003
++\023\052\105\156\164\162\165\163\164\040\122\157\157\164\040\103
++\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
++\150\157\162\151\164\171\040\055\040\105\103\061\060\166\060\020
++\006\007\052\206\110\316\075\002\001\006\005\053\201\004\000\042
++\003\142\000\004\204\023\311\320\272\155\101\173\342\154\320\353
++\125\137\146\002\032\044\364\133\211\151\107\343\270\302\175\361
++\362\002\305\237\240\366\133\325\213\006\031\206\117\123\020\155
++\007\044\047\241\240\370\325\107\031\141\114\175\312\223\047\352
++\164\014\357\157\226\011\376\143\354\160\135\066\255\147\167\256
++\311\235\174\125\104\072\242\143\121\037\365\343\142\324\251\107
++\007\076\314\040\243\102\060\100\060\016\006\003\125\035\017\001
++\001\377\004\004\003\002\001\006\060\017\006\003\125\035\023\001
++\001\377\004\005\060\003\001\001\377\060\035\006\003\125\035\016
++\004\026\004\024\267\143\347\032\335\215\351\010\246\125\203\244
++\340\152\120\101\145\021\102\111\060\012\006\010\052\206\110\316
++\075\004\003\003\003\147\000\060\144\002\060\141\171\330\345\102
++\107\337\034\256\123\231\027\266\157\034\175\341\277\021\224\321
++\003\210\165\344\215\211\244\212\167\106\336\155\141\357\002\365
++\373\265\337\314\376\116\377\376\251\346\247\002\060\133\231\327
++\205\067\006\265\173\010\375\353\047\213\112\224\371\341\372\247
++\216\046\010\350\174\222\150\155\163\330\157\046\254\041\002\270
++\231\267\046\101\133\045\140\256\320\110\032\356\006
++END
++
++# Trust for "Entrust Root Certification Authority - EC1"
++# Issuer: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
++# Serial Number:00:a6:8b:79:29:00:00:00:00:50:d0:91:f9
++# Subject: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
++# Not Valid Before: Tue Dec 18 15:25:36 2012
++# Not Valid After : Fri Dec 18 15:55:36 2037
++# Fingerprint (SHA-256): 02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5
++# Fingerprint (SHA1): 20:D8:06:40:DF:9B:25:F5:12:25:3A:11:EA:F7:59:8A:EB:14:B5:47
++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "Entrust Root Certification Authority - EC1"
++CKA_CERT_SHA1_HASH MULTILINE_OCTAL
++\040\330\006\100\337\233\045\365\022\045\072\021\352\367\131\212
++\353\024\265\107
++END
++CKA_CERT_MD5_HASH MULTILINE_OCTAL
++\266\176\035\360\130\305\111\154\044\073\075\355\230\030\355\274
++END
++CKA_ISSUER MULTILINE_OCTAL
++\060\201\277\061\013\060\011\006\003\125\004\006\023\002\125\123
++\061\026\060\024\006\003\125\004\012\023\015\105\156\164\162\165
++\163\164\054\040\111\156\143\056\061\050\060\046\006\003\125\004
++\013\023\037\123\145\145\040\167\167\167\056\145\156\164\162\165
++\163\164\056\156\145\164\057\154\145\147\141\154\055\164\145\162
++\155\163\061\071\060\067\006\003\125\004\013\023\060\050\143\051
++\040\062\060\061\062\040\105\156\164\162\165\163\164\054\040\111
++\156\143\056\040\055\040\146\157\162\040\141\165\164\150\157\162
++\151\172\145\144\040\165\163\145\040\157\156\154\171\061\063\060
++\061\006\003\125\004\003\023\052\105\156\164\162\165\163\164\040
++\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164\151
++\157\156\040\101\165\164\150\157\162\151\164\171\040\055\040\105
++\103\061
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\015\000\246\213\171\051\000\000\000\000\120\320\221\371
++END
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
++
++#
++# Certificate "CFCA EV ROOT"
++#
++# Issuer: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN
++# Serial Number: 407555286 (0x184accd6)
++# Subject: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN
++# Not Valid Before: Wed Aug 08 03:07:01 2012
++# Not Valid After : Mon Dec 31 03:07:01 2029
++# Fingerprint (SHA-256): 5C:C3:D7:8E:4E:1D:5E:45:54:7A:04:E6:87:3E:64:F9:0C:F9:53:6D:1C:CC:2E:F8:00:F3:55:C4:C5:FD:70:FD
++# Fingerprint (SHA1): E2:B8:29:4B:55:84:AB:6B:58:C2:90:46:6C:AC:3F:B8:39:8F:84:83
++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "CFCA EV ROOT"
++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
++CKA_SUBJECT MULTILINE_OCTAL
++\060\126\061\013\060\011\006\003\125\004\006\023\002\103\116\061
++\060\060\056\006\003\125\004\012\014\047\103\150\151\156\141\040
++\106\151\156\141\156\143\151\141\154\040\103\145\162\164\151\146
++\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
++\171\061\025\060\023\006\003\125\004\003\014\014\103\106\103\101
++\040\105\126\040\122\117\117\124
++END
++CKA_ID UTF8 "0"
++CKA_ISSUER MULTILINE_OCTAL
++\060\126\061\013\060\011\006\003\125\004\006\023\002\103\116\061
++\060\060\056\006\003\125\004\012\014\047\103\150\151\156\141\040
++\106\151\156\141\156\143\151\141\154\040\103\145\162\164\151\146
++\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
++\171\061\025\060\023\006\003\125\004\003\014\014\103\106\103\101
++\040\105\126\040\122\117\117\124
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\004\030\112\314\326
++END
++CKA_VALUE MULTILINE_OCTAL
++\060\202\005\215\060\202\003\165\240\003\002\001\002\002\004\030
++\112\314\326\060\015\006\011\052\206\110\206\367\015\001\001\013
++\005\000\060\126\061\013\060\011\006\003\125\004\006\023\002\103
++\116\061\060\060\056\006\003\125\004\012\014\047\103\150\151\156
++\141\040\106\151\156\141\156\143\151\141\154\040\103\145\162\164
++\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
++\151\164\171\061\025\060\023\006\003\125\004\003\014\014\103\106
++\103\101\040\105\126\040\122\117\117\124\060\036\027\015\061\062
++\060\070\060\070\060\063\060\067\060\061\132\027\015\062\071\061
++\062\063\061\060\063\060\067\060\061\132\060\126\061\013\060\011
++\006\003\125\004\006\023\002\103\116\061\060\060\056\006\003\125
++\004\012\014\047\103\150\151\156\141\040\106\151\156\141\156\143
++\151\141\154\040\103\145\162\164\151\146\151\143\141\164\151\157
++\156\040\101\165\164\150\157\162\151\164\171\061\025\060\023\006
++\003\125\004\003\014\014\103\106\103\101\040\105\126\040\122\117
++\117\124\060\202\002\042\060\015\006\011\052\206\110\206\367\015
++\001\001\001\005\000\003\202\002\017\000\060\202\002\012\002\202
++\002\001\000\327\135\153\315\020\077\037\005\131\325\005\115\067
++\261\016\354\230\053\216\025\035\372\223\113\027\202\041\161\020
++\122\327\121\144\160\026\302\125\151\115\216\025\155\237\277\014
++\033\302\340\243\147\326\014\254\317\042\256\257\167\124\052\113
++\114\212\123\122\172\303\356\056\336\263\161\045\301\351\135\075
++\356\241\057\243\367\052\074\311\043\035\152\253\035\241\247\361
++\363\354\240\325\104\317\025\317\162\057\035\143\227\350\231\371
++\375\223\244\124\200\114\122\324\122\253\056\111\337\220\315\270
++\137\276\077\336\241\312\115\040\324\045\350\204\051\123\267\261
++\210\037\377\372\332\220\237\012\251\055\101\077\261\361\030\051
++\356\026\131\054\064\111\032\250\006\327\250\210\322\003\162\172
++\062\342\352\150\115\156\054\226\145\173\312\131\372\362\342\335
++\356\060\054\373\314\106\254\304\143\353\157\177\066\053\064\163
++\022\224\177\337\314\046\236\361\162\135\120\145\131\217\151\263
++\207\136\062\157\303\030\212\265\225\217\260\172\067\336\132\105
++\073\307\066\341\357\147\321\071\323\227\133\163\142\031\110\055
++\207\034\006\373\164\230\040\111\163\360\005\322\033\261\240\243
++\267\033\160\323\210\151\271\132\326\070\364\142\334\045\213\170
++\277\370\350\176\270\134\311\225\117\137\247\055\271\040\153\317
++\153\335\365\015\364\202\267\364\262\146\056\020\050\366\227\132
++\173\226\026\217\001\031\055\154\156\177\071\130\006\144\203\001
++\203\203\303\115\222\335\062\306\207\244\067\351\026\316\252\055
++\150\257\012\201\145\072\160\301\233\255\115\155\124\312\052\055
++\113\205\033\263\200\346\160\105\015\153\136\065\360\177\073\270
++\234\344\004\160\211\022\045\223\332\012\231\042\140\152\143\140
++\116\166\006\230\116\275\203\255\035\130\212\045\205\322\307\145
++\036\055\216\306\337\266\306\341\177\212\004\041\025\051\164\360
++\076\234\220\235\014\056\361\212\076\132\252\014\011\036\307\325
++\074\243\355\227\303\036\064\372\070\371\010\016\343\300\135\053
++\203\321\126\152\311\266\250\124\123\056\170\062\147\075\202\177
++\164\320\373\341\266\005\140\271\160\333\216\013\371\023\130\157
++\161\140\020\122\020\271\301\101\011\357\162\037\147\061\170\377
++\226\005\215\002\003\001\000\001\243\143\060\141\060\037\006\003
++\125\035\043\004\030\060\026\200\024\343\376\055\375\050\320\013
++\265\272\266\242\304\277\006\252\005\214\223\373\057\060\017\006
++\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\016
++\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060\035
++\006\003\125\035\016\004\026\004\024\343\376\055\375\050\320\013
++\265\272\266\242\304\277\006\252\005\214\223\373\057\060\015\006
++\011\052\206\110\206\367\015\001\001\013\005\000\003\202\002\001
++\000\045\306\272\153\353\207\313\336\202\071\226\075\360\104\247
++\153\204\163\003\336\235\053\117\272\040\177\274\170\262\317\227
++\260\033\234\363\327\171\056\365\110\266\322\373\027\210\346\323
++\172\077\355\123\023\320\342\057\152\171\313\000\043\050\346\036
++\067\127\065\211\204\302\166\117\064\066\255\147\303\316\101\006
++\210\305\367\356\330\032\270\326\013\177\120\377\223\252\027\113
++\214\354\355\122\140\262\244\006\352\116\353\364\153\031\375\353
++\365\032\340\045\052\232\334\307\101\066\367\310\164\005\204\071
++\225\071\326\013\073\244\047\372\010\330\134\036\370\004\140\122
++\021\050\050\003\377\357\123\146\000\245\112\064\026\146\174\375
++\011\244\256\236\147\032\157\101\013\153\006\023\233\217\206\161
++\005\264\057\215\211\146\063\051\166\124\232\021\370\047\372\262
++\077\221\340\316\015\033\363\060\032\255\277\042\135\033\323\277
++\045\005\115\341\222\032\177\231\237\074\104\223\312\324\100\111
++\154\200\207\327\004\072\303\062\122\065\016\126\370\245\335\175
++\304\213\015\021\037\123\313\036\262\027\266\150\167\132\340\324
++\313\310\007\256\365\072\056\216\067\267\320\001\113\103\051\167
++\214\071\227\217\202\132\370\121\345\211\240\030\347\150\177\135
++\012\056\373\243\107\016\075\246\043\172\306\001\307\217\310\136
++\277\155\200\126\276\212\044\272\063\352\237\341\062\021\236\361
++\322\117\200\366\033\100\257\070\236\021\120\171\163\022\022\315
++\346\154\235\054\210\162\074\060\201\006\221\042\352\131\255\332
++\031\056\042\302\215\271\214\207\340\146\274\163\043\137\041\144
++\143\200\110\365\240\074\030\075\224\310\110\101\035\100\272\136
++\376\376\126\071\241\310\317\136\236\031\144\106\020\332\027\221
++\267\005\200\254\213\231\222\175\347\242\330\007\013\066\047\347
++\110\171\140\212\303\327\023\134\370\162\100\337\112\313\317\231
++\000\012\000\013\021\225\332\126\105\003\210\012\237\147\320\325
++\171\261\250\215\100\155\015\302\172\100\372\363\137\144\107\222
++\313\123\271\273\131\316\117\375\320\025\123\001\330\337\353\331
++\346\166\357\320\043\273\073\251\171\263\325\002\051\315\211\243
++\226\017\112\065\347\116\102\300\165\315\007\317\346\054\353\173
++\056
++END
++
++# Trust for "CFCA EV ROOT"
++# Issuer: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN
++# Serial Number: 407555286 (0x184accd6)
++# Subject: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN
++# Not Valid Before: Wed Aug 08 03:07:01 2012
++# Not Valid After : Mon Dec 31 03:07:01 2029
++# Fingerprint (SHA-256): 5C:C3:D7:8E:4E:1D:5E:45:54:7A:04:E6:87:3E:64:F9:0C:F9:53:6D:1C:CC:2E:F8:00:F3:55:C4:C5:FD:70:FD
++# Fingerprint (SHA1): E2:B8:29:4B:55:84:AB:6B:58:C2:90:46:6C:AC:3F:B8:39:8F:84:83
++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "CFCA EV ROOT"
++CKA_CERT_SHA1_HASH MULTILINE_OCTAL
++\342\270\051\113\125\204\253\153\130\302\220\106\154\254\077\270
++\071\217\204\203
++END
++CKA_CERT_MD5_HASH MULTILINE_OCTAL
++\164\341\266\355\046\172\172\104\060\063\224\253\173\047\201\060
++END
++CKA_ISSUER MULTILINE_OCTAL
++\060\126\061\013\060\011\006\003\125\004\006\023\002\103\116\061
++\060\060\056\006\003\125\004\012\014\047\103\150\151\156\141\040
++\106\151\156\141\156\143\151\141\154\040\103\145\162\164\151\146
++\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
++\171\061\025\060\023\006\003\125\004\003\014\014\103\106\103\101
++\040\105\126\040\122\117\117\124
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\004\030\112\314\326
++END
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+diff --git a/lib/ckfw/builtins/nssckbi.h b/lib/ckfw/builtins/nssckbi.h
+--- a/lib/ckfw/builtins/nssckbi.h
++++ b/lib/ckfw/builtins/nssckbi.h
+@@ -40,18 +40,18 @@
+  *     ...
+  *   - NSS 3.29 branch: 250-255
+  *
+  * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
+  * whether we may use its full range (0-255) or only 0-99 because
+  * of the comment in the CK_VERSION type definition.
+  */
+ #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
+-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 2
+-#define NSS_BUILTINS_LIBRARY_VERSION "2.2"
++#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 3
++#define NSS_BUILTINS_LIBRARY_VERSION "2.3"
+ 
+ /* These version numbers detail the semantic changes to the ckfw engine. */
+ #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
+ #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
+ 
+ /* These version numbers detail the semantic changes to ckbi itself 
+  * (new PKCS #11 objects), etc. */
+ #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
+