Merge mozilla-central to autoland. on a CLOSED TREE
authorAndreea Pavel <apavel@mozilla.com>
Thu, 07 Mar 2019 11:58:53 +0200
changeset 462896 44d8a4dbe146fb84464b66634e94c6c00a8d066d
parent 462895 5fb9ad2446bc49615d9d658108d2f52747ad1f9a (current diff)
parent 462822 c89f024c023fa816d700b151e8e0cbb9a1907cb8 (diff)
child 462897 6645f91d0adcf8266d52971822d8e90644dd6f35
push id112349
push useraiakab@mozilla.com
push dateThu, 07 Mar 2019 22:20:12 +0000
milestone67.0a1
Merge mozilla-central to autoland. on a CLOSED TREE
--- a/security/manager/ssl/RootHashes.inc
+++ b/security/manager/ssl/RootHashes.inc
@@ -95,16 +95,22 @@ static const struct CertAuthorityHash RO
   },
   {
     /* Class_2_Primary_CA */
     { 0x0F, 0x99, 0x3C, 0x8A, 0xEF, 0x97, 0xBA, 0xAF, 0x56, 0x87, 0x14, 0x0E, 0xD5, 0x9A, 0xD1, 0x82,
       0x1B, 0xB4, 0xAF, 0xAC, 0xF0, 0xAA, 0x9A, 0x58, 0xB5, 0xD5, 0x7A, 0x33, 0x8A, 0x3A, 0xFB, 0xCB },
       51 /* Bin Number */
   },
   {
+    /* emSign_Root_CA___C1 */
+    { 0x12, 0x56, 0x09, 0xAA, 0x30, 0x1D, 0xA0, 0xA2, 0x49, 0xB9, 0x7A, 0x82, 0x39, 0xCB, 0x6A, 0x34,
+      0x21, 0x6F, 0x44, 0xDC, 0xAC, 0x9F, 0x39, 0x54, 0xB1, 0x42, 0x92, 0xF2, 0xE8, 0xC8, 0x60, 0x8F },
+      208 /* Bin Number */
+  },
+  {
     /* Global_Chambersign_Root___2008 */
     { 0x13, 0x63, 0x35, 0x43, 0x93, 0x34, 0xA7, 0x69, 0x80, 0x16, 0xA0, 0xD3, 0x24, 0xDE, 0x72, 0x28,
       0x4E, 0x07, 0x9D, 0x7B, 0x52, 0x20, 0xBB, 0x8F, 0xBD, 0x74, 0x78, 0x16, 0xEE, 0xBE, 0xBA, 0xCA },
       105 /* Bin Number */
   },
   {
     /* OU_Starfield_Class_2_Certification_Authority_O__Starfield_Technologies__Inc___C_US */
     { 0x14, 0x65, 0xFA, 0x20, 0x53, 0x97, 0xB8, 0x76, 0xFA, 0xA6, 0xF0, 0xA9, 0x95, 0x8E, 0x55, 0x90,
@@ -305,16 +311,22 @@ static const struct CertAuthorityHash RO
   },
   {
     /* Trusted_Certificate_Services */
     { 0x3F, 0x06, 0xE5, 0x56, 0x81, 0xD4, 0x96, 0xF5, 0xBE, 0x16, 0x9E, 0xB5, 0x38, 0x9F, 0x9F, 0x2B,
       0x8F, 0xF6, 0x1E, 0x17, 0x08, 0xDF, 0x68, 0x81, 0x72, 0x48, 0x49, 0xCD, 0x5D, 0x27, 0xCB, 0x69 },
       30 /* Bin Number */
   },
   {
+    /* emSign_Root_CA___G1 */
+    { 0x40, 0xF6, 0xAF, 0x03, 0x46, 0xA9, 0x9A, 0xA1, 0xCD, 0x1D, 0x55, 0x5A, 0x4E, 0x9C, 0xCE, 0x62,
+      0xC7, 0xF9, 0x63, 0x46, 0x03, 0xEE, 0x40, 0x66, 0x15, 0x83, 0x3D, 0xC8, 0xC8, 0xD0, 0x03, 0x67 },
+      206 /* Bin Number */
+  },
+  {
     /* OISTE_WISeKey_Global_Root_GA_CA */
     { 0x41, 0xC9, 0x23, 0x86, 0x6A, 0xB4, 0xCA, 0xD6, 0xB7, 0xAD, 0x57, 0x80, 0x81, 0x58, 0x2E, 0x02,
       0x07, 0x97, 0xA6, 0xCB, 0xDF, 0x4F, 0xFF, 0x78, 0xCE, 0x83, 0x96, 0xB3, 0x89, 0x37, 0xD7, 0xF5 },
       69 /* Bin Number */
   },
   {
     /* Secure_Global_CA */
     { 0x42, 0x00, 0xF5, 0x04, 0x3A, 0xC8, 0x59, 0x0E, 0xBB, 0x52, 0x7D, 0x20, 0x9E, 0xD1, 0x50, 0x30,
@@ -443,16 +455,22 @@ static const struct CertAuthorityHash RO
   },
   {
     /* TWCA_Global_Root_CA */
     { 0x59, 0x76, 0x90, 0x07, 0xF7, 0x68, 0x5D, 0x0F, 0xCD, 0x50, 0x87, 0x2F, 0x9F, 0x95, 0xD5, 0x75,
       0x5A, 0x5B, 0x2B, 0x45, 0x7D, 0x81, 0xF3, 0x69, 0x2B, 0x61, 0x0A, 0x98, 0x67, 0x2F, 0x0E, 0x1B },
       139 /* Bin Number */
   },
   {
+    /* Hongkong_Post_Root_CA_3 */
+    { 0x5A, 0x2F, 0xC0, 0x3F, 0x0C, 0x83, 0xB0, 0x90, 0xBB, 0xFA, 0x40, 0x60, 0x4B, 0x09, 0x88, 0x44,
+      0x6C, 0x76, 0x36, 0x18, 0x3D, 0xF9, 0x84, 0x6E, 0x17, 0x10, 0x1A, 0x44, 0x7F, 0xB8, 0xEF, 0xD6 },
+      210 /* Bin Number */
+  },
+  {
     /* TrustCor_ECA_1 */
     { 0x5A, 0x88, 0x5D, 0xB1, 0x9C, 0x01, 0xD9, 0x12, 0xC5, 0x75, 0x93, 0x88, 0x93, 0x8C, 0xAF, 0xBB,
       0xDF, 0x03, 0x1A, 0xB2, 0xD4, 0x8E, 0x91, 0xEE, 0x15, 0x58, 0x9B, 0x42, 0x97, 0x1D, 0x03, 0x9C },
       192 /* Bin Number */
   },
   {
     /* Certum_Trusted_Network_CA */
     { 0x5C, 0x58, 0x46, 0x8D, 0x55, 0xF5, 0x8E, 0x49, 0x7E, 0x74, 0x39, 0x82, 0xD2, 0xB5, 0x00, 0x10,
@@ -653,16 +671,22 @@ static const struct CertAuthorityHash RO
   },
   {
     /* UTN___DATACorp_SGC */
     { 0x85, 0xFB, 0x2F, 0x91, 0xDD, 0x12, 0x27, 0x5A, 0x01, 0x45, 0xB6, 0x36, 0x53, 0x4F, 0x84, 0x02,
       0x4A, 0xD6, 0x8B, 0x69, 0xB8, 0xEE, 0x88, 0x68, 0x4F, 0xF7, 0x11, 0x37, 0x58, 0x05, 0xB3, 0x48 },
       37 /* Bin Number */
   },
   {
+    /* emSign_ECC_Root_CA___G3 */
+    { 0x86, 0xA1, 0xEC, 0xBA, 0x08, 0x9C, 0x4A, 0x8D, 0x3B, 0xBE, 0x27, 0x34, 0xC6, 0x12, 0xBA, 0x34,
+      0x1D, 0x81, 0x3E, 0x04, 0x3C, 0xF9, 0xE8, 0xA8, 0x62, 0xCD, 0x5C, 0x57, 0xA3, 0x6B, 0xBE, 0x6B },
+      207 /* Bin Number */
+  },
+  {
     /* EC_ACC */
     { 0x88, 0x49, 0x7F, 0x01, 0x60, 0x2F, 0x31, 0x54, 0x24, 0x6A, 0xE2, 0x8C, 0x4D, 0x5A, 0xEF, 0x10,
       0xF1, 0xD8, 0x7E, 0xBB, 0x76, 0x62, 0x6F, 0x4A, 0xE0, 0xB7, 0xF9, 0x5B, 0xA7, 0x96, 0x87, 0x99 },
       119 /* Bin Number */
   },
   {
     /* QuoVadis_Root_CA_3_G3 */
     { 0x88, 0xEF, 0x81, 0xDE, 0x20, 0x2E, 0xB0, 0x18, 0x45, 0x2E, 0x43, 0xF8, 0x64, 0x72, 0x5C, 0xEA,
@@ -893,16 +917,22 @@ static const struct CertAuthorityHash RO
   },
   {
     /* Hellenic_Academic_and_Research_Institutions_RootCA_2011 */
     { 0xBC, 0x10, 0x4F, 0x15, 0xA4, 0x8B, 0xE7, 0x09, 0xDC, 0xA5, 0x42, 0xA7, 0xE1, 0xD4, 0xB9, 0xDF,
       0x6F, 0x05, 0x45, 0x27, 0xE8, 0x02, 0xEA, 0xA9, 0x2D, 0x59, 0x54, 0x44, 0x25, 0x8A, 0xFE, 0x71 },
       120 /* Bin Number */
   },
   {
+    /* emSign_ECC_Root_CA___C3 */
+    { 0xBC, 0x4D, 0x80, 0x9B, 0x15, 0x18, 0x9D, 0x78, 0xDB, 0x3E, 0x1D, 0x8C, 0xF4, 0xF9, 0x72, 0x6A,
+      0x79, 0x5D, 0xA1, 0x64, 0x3C, 0xA5, 0xF1, 0x35, 0x8E, 0x1D, 0xDB, 0x0E, 0xDC, 0x0D, 0x7E, 0xB3 },
+      209 /* Bin Number */
+  },
+  {
     /* AffirmTrust_Premium_ECC */
     { 0xBD, 0x71, 0xFD, 0xF6, 0xDA, 0x97, 0xE4, 0xCF, 0x62, 0xD1, 0x64, 0x7A, 0xDD, 0x25, 0x81, 0xB0,
       0x7D, 0x79, 0xAD, 0xF8, 0x39, 0x7E, 0xB4, 0xEC, 0xBA, 0x9C, 0x5E, 0x84, 0x88, 0x82, 0x14, 0x23 },
       112 /* Bin Number */
   },
   {
     /* Secure_Certificate_Services */
     { 0xBD, 0x81, 0xCE, 0x3B, 0x4F, 0x65, 0x91, 0xD1, 0x1A, 0x67, 0xB5, 0xFC, 0x7A, 0x47, 0xFD, 0xEF,
--- a/security/manager/tools/KnownRootHashes.json
+++ b/security/manager/tools/KnownRootHashes.json
@@ -1028,12 +1028,37 @@
       "label": "UCA_Extended_Validation_Root",
       "binNumber": 204,
       "sha256Fingerprint": "1Dr5s1RzdVyWhPwG19jLcO5cKOdz+ylOtB7nFyKSTSQ="
     },
     {
       "label": "Certigna_Root_CA",
       "binNumber": 205,
       "sha256Fingerprint": "1I09I+7bUKRZ5VGXYBwnd0udexjJTVoFlRGhAlC5MWg="
+    },
+    {
+      "label": "emSign_Root_CA___G1",
+      "binNumber": 206,
+      "sha256Fingerprint": "QPavA0apmqHNHVVaTpzOYsf5Y0YD7kBmFYM9yMjQA2c="
+    },
+    {
+      "label": "emSign_ECC_Root_CA___G3",
+      "binNumber": 207,
+      "sha256Fingerprint": "hqHsugicSo07vic0xhK6NB2BPgQ8+eioYs1cV6Nrvms="
+    },
+    {
+      "label": "emSign_Root_CA___C1",
+      "binNumber": 208,
+      "sha256Fingerprint": "ElYJqjAdoKJJuXqCOctqNCFvRNysnzlUsUKS8ujIYI8="
+    },
+    {
+      "label": "emSign_ECC_Root_CA___C3",
+      "binNumber": 209,
+      "sha256Fingerprint": "vE2AmxUYnXjbPh2M9PlyanldoWQ8pfE1jh3bDtwNfrM="
+    },
+    {
+      "label": "Hongkong_Post_Root_CA_3",
+      "binNumber": 210,
+      "sha256Fingerprint": "Wi/APwyDsJC7+kBgSwmIRGx2Nhg9+YRuFxAaRH+479Y="
     }
   ],
-  "maxBin": 205
+  "maxBin": 210
 }
\ No newline at end of file
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-536fd7c9db5a
+a306d84e4c70
--- a/security/nss/cmd/strsclnt/strsclnt.c
+++ b/security/nss/cmd/strsclnt/strsclnt.c
@@ -116,16 +116,19 @@ static PRBool disableLocking = PR_FALSE;
 static PRBool ignoreErrors = PR_FALSE;
 static PRBool enableSessionTickets = PR_FALSE;
 static PRBool enableCompression = PR_FALSE;
 static PRBool enableFalseStart = PR_FALSE;
 static PRBool enableCertStatus = PR_FALSE;
 
 PRIntervalTime maxInterval = PR_INTERVAL_NO_TIMEOUT;
 
+static const SSLSignatureScheme *enabledSigSchemes = NULL;
+static unsigned int enabledSigSchemeCount = 0;
+
 char *progName;
 
 secuPWData pwdata = { PW_NONE, 0 };
 
 int stopping;
 int verbose;
 SECItem bigBuf;
 
@@ -138,17 +141,18 @@ SECItem bigBuf;
 
 static void
 Usage(void)
 {
     fprintf(stderr,
             "Usage: %s [-n nickname] [-p port] [-d dbdir] [-c connections]\n"
             "          [-BDNovqs] [-f filename] [-N | -P percentage]\n"
             "          [-w dbpasswd] [-C cipher(s)] [-t threads] [-W pwfile]\n"
-            "          [-V [min-version]:[max-version]] [-a sniHostName] hostname\n"
+            "          [-V [min-version]:[max-version]] [-a sniHostName]\n"
+            "          [-J signatureschemes] hostname\n"
             " where -v means verbose\n"
             "       -o flag is interpreted as follows:\n"
             "          1 -o   means override the result of server certificate validation.\n"
             "          2 -o's mean skip server certificate validation altogether.\n"
             "       -D means no TCP delays\n"
             "       -q means quit when server gone (timeout rather than retry forever)\n"
             "       -s means disable SSL socket locking\n"
             "       -N means no session reuse\n"
@@ -156,17 +160,27 @@ Usage(void)
             "       -V [min]:[max] restricts the set of enabled SSL/TLS protocols versions.\n"
             "          All versions are enabled by default.\n"
             "          Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2\n"
             "          Example: \"-V ssl3:\" enables SSL 3 and newer.\n"
             "       -U means enable throttling up threads\n"
             "       -T enable the cert_status extension (OCSP stapling)\n"
             "       -u enable TLS Session Ticket extension\n"
             "       -z enable compression\n"
-            "       -g enable false start\n",
+            "       -g enable false start\n"
+            "       -J enable signature schemes\n"
+            "          This takes a comma separated list of signature schemes in preference\n"
+            "          order.\n"
+            "          Possible values are:\n"
+            "          rsa_pkcs1_sha1, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512,\n"
+            "          ecdsa_sha1, ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384,\n"
+            "          ecdsa_secp521r1_sha512,\n"
+            "          rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512,\n"
+            "          rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512,\n"
+            "          dsa_sha1, dsa_sha256, dsa_sha384, dsa_sha512\n",
             progName);
     exit(1);
 }
 
 static void
 errWarn(char *funcString)
 {
     PRErrorCode perr = PR_GetError();
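Review bot: The help line `-J enable signature schemes` reads as if the listed schemes are added to the defaults, but the parsed list is handed to SSL_SignatureSchemePrefSet in client_main, which sets the socket's whole preference list. Since the accepted values include the SHA-1 variants (`rsa_pkcs1_sha1`, `ecdsa_sha1`, `dsa_sha1`), a user who names only those ends up offering nothing stronger. I would word it as `"       -J restrict signature schemes to this list (replaces the defaults)\n"` and add that the library defaults are kept when -J is absent. The same wording applies to the synopsis line added in the previous hunk; Usage() itself begins outside this hunk.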
@@ -1153,16 +1167,24 @@ client_main(
         errExit("SSL_OptionSet SSL_SECURITY");
     }
 
     rv = SSL_VersionRangeSet(model_sock, &enabledVersions);
     if (rv != SECSuccess) {
         errExit("error setting SSL/TLS version range ");
     }
 
+    if (enabledSigSchemes) {
+        rv = SSL_SignatureSchemePrefSet(model_sock, enabledSigSchemes,
+                                        enabledSigSchemeCount);
+        if (rv < 0) {
+            errExit("SSL_SignatureSchemePrefSet");
+        }
+    }
+
     if (bigBuf.data) { /* doing FDX */
         rv = SSL_OptionSet(model_sock, SSL_ENABLE_FDX, 1);
         if (rv < 0) {
             errExit("SSL_OptionSet SSL_ENABLE_FDX");
         }
     }
 
     if (NoReuse) {
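Review bot: The added block tests the result with `if (rv < 0)` while the SSL_VersionRangeSet call immediately above it compares against the status constant. For a function that returns SECStatus the explicit form states the intent and does not depend on the numeric values of the enum, so I would write `if (rv != SECSuccess) {` here. client_main starts and continues outside this hunk.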
@@ -1311,30 +1333,39 @@ main(int argc, char **argv)
     tmp = strrchr(argv[0], '/');
     tmp = tmp ? tmp + 1 : argv[0];
     progName = strrchr(tmp, '\\');
     progName = progName ? progName + 1 : tmp;
 
     /* XXX: 'B' was used in the past but removed in 3.28,
      *      please leave some time before resuing it. */
     optstate = PL_CreateOptState(argc, argv,
-                                 "C:DNP:TUV:W:a:c:d:f:gin:op:qst:uvw:z");
+                                 "C:DJ:NP:TUV:W:a:c:d:f:gin:op:qst:uvw:z");
     while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
         switch (optstate->option) {
             case 'C':
                 cipherString = optstate->value;
                 break;
 
             case 'D':
                 NoDelay = PR_TRUE;
                 break;
 
             case 'I': /* reserved for OCSP multi-stapling */
                 break;
 
+            case 'J':
+                rv = parseSigSchemeList(optstate->value, &enabledSigSchemes, &enabledSigSchemeCount);
+                if (rv != SECSuccess) {
+                    PL_DestroyOptState(optstate);
+                    fprintf(stderr, "Bad signature scheme specified.\n");
+                    Usage();
+                }
+                break;
+
             case 'N':
                 NoReuse = 1;
                 break;
 
             case 'P':
                 fullhs = PORT_Atoi(optstate->value);
                 break;
 
@@ -1511,16 +1542,18 @@ main(int argc, char **argv)
         PL_strfree(Cert_And_Key.nickname);
     }
     if (sniHostName) {
         PL_strfree(sniHostName);
     }
 
     PL_strfree(hostName);
 
+    PORT_Free((SSLSignatureScheme *)enabledSigSchemes);
+
     /* some final stats. */
     printf(
         "strsclnt: %ld cache hits; %ld cache misses, %ld cache not reusable\n"
         "          %ld stateless resumes\n",
         ssl3stats->hsh_sid_cache_hits,
         ssl3stats->hsh_sid_cache_misses,
         ssl3stats->hsh_sid_cache_not_ok,
         ssl3stats->hsh_sid_stateless_resumes);
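Review bot: `PORT_Free((SSLSignatureScheme *)enabledSigSchemes);` casts away the const of a pointer that the rest of the file treats as read-only, and nothing at the declaration says who owns the array. A comment on the globals such as `/* Filled by -J via parseSigSchemeList; owned by main() and freed before exit. NULL keeps the library defaults. */` would make the cast here unsurprising. Whether a repeated -J releases the earlier array depends on parseSigSchemeList, which this page does not show, so that is worth confirming. main() begins outside this hunk.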
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
new file mode 100644
--- /dev/null
+++ b/security/nss/cpputil/scoped_ptrs_smime.h
@@ -0,0 +1,34 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef scoped_ptrs_smime_h__
+#define scoped_ptrs_smime_h__
+
+#include <memory>
+#include "smime.h"
+
+struct ScopedDeleteSmime {
+  void operator()(NSSCMSMessage* id) { NSS_CMSMessage_Destroy(id); }
+};
+
+template <class T>
+struct ScopedMaybeDeleteSmime {
+  void operator()(T* ptr) {
+    if (ptr) {
+      ScopedDeleteSmime del;
+      del(ptr);
+    }
+  }
+};
+
+#define SCOPED(x) \
+  typedef std::unique_ptr<x, ScopedMaybeDeleteSmime<x> > Scoped##x
+
+SCOPED(NSSCMSMessage);
+
+#undef SCOPED
+
+#endif  // scoped_ptrs_smime_h__
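Review bot: The header has no comment saying what it provides or how to extend it, and `ScopedMaybeDeleteSmime<T>` looks generic although it only compiles for types that `ScopedDeleteSmime` has an overload for (currently just NSSCMSMessage). I would add above the structs something like `// RAII wrappers for S/MIME (CMS) objects. For each new type add an operator() overload to ScopedDeleteSmime and a SCOPED(...) line below.` The `if (ptr)` guard is harmless but std::unique_ptr never invokes its deleter on a null pointer, so a short note that it is kept only for direct callers would avoid questions later.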
--- a/security/nss/doc/Makefile
+++ b/security/nss/doc/Makefile
@@ -16,17 +16,17 @@ COMPILE.html = xmlto -o html html
 name = nss-man
 date = `date +"%Y%m%d"`
 
 all: prepare all-man all-html
 
 prepare: date-and-version
 	mkdir -p html
 	mkdir -p nroff
-	
+
 clean:
 	rm -f date.xml version.xml *.tar.bz2
 	rm -f html/*.proc
 	rm -fr $(name) ascii
 
 date-and-version: date.xml version.xml
 
 date.xml:
@@ -40,30 +40,30 @@ version.xml:
 .PHONY : $(TXTPAGES)
 
 #--------------------------------------------------------
 # manpages
 #--------------------------------------------------------
 
 nroff/%.1 : %.xml
 	$(COMPILE.1) $<
-	
+
 MANPAGES = \
 nroff/certutil.1 nroff/cmsutil.1 nroff/crlutil.1 nroff/pk12util.1 \
 nroff/modutil.1 nroff/ssltap.1 nroff/derdump.1 nroff/signtool.1 nroff/signver.1 \
-nroff/pp.1 nroff/vfychain.1 nroff/vfyserv.1
+nroff/pp.1 nroff/vfychain.1 nroff/vfyserv.1 nroff/nss-policy-check.1
 
 all-man: prepare $(MANPAGES)
 
 #--------------------------------------------------------
 # html pages
 #--------------------------------------------------------
 
 html/%.html : %.xml
 	$(COMPILE.html) $<
 	mv html/index.html $@
 
 HTMLPAGES = \
 html/certutil.html html/cmsutil.html html/crlutil.html html/pk12util.html html/modutil.html \
 html/ssltap.html html/derdump.html html/signtool.html html/signver.html html/pp.html \
-html/vfychain.html html/vfyserv.html
+html/vfychain.html html/vfyserv.html html/nss-policy-check.html
 
 all-html: prepare $(HTMLPAGES)
--- a/security/nss/doc/certutil.xml
+++ b/security/nss/doc/certutil.xml
@@ -175,16 +175,20 @@ Use the -a argument to specify ASCII out
 	<variablelist>
       <varlistentry>
         <term>-a</term>
         <listitem><para>Use ASCII format or allow the use of ASCII format for input or output. This formatting follows RFC 1113. 
 For certificate requests, ASCII output defaults to standard output unless redirected.</para></listitem>
       </varlistentry>
 
       <varlistentry>
+	<term>--simple-self-signed</term>
+	<listitem><para>When printing the certificate chain, don't search for a chain if issuer name equals to subject name.</para></listitem>
+      </varlistentry>
+      <varlistentry>
         <term>-b validity-time</term>
         <listitem><para>Specify a time at which a certificate is required to be valid. Use when checking certificate validity with the <option>-V</option> option. The format of the <emphasis>validity-time</emphasis> argument is <emphasis>YYMMDDHHMMSS[+HHMM|-HHMM|Z]</emphasis>, which allows offsets to be set relative to the validity end time. Specifying seconds (<emphasis>SS</emphasis>) is optional. When specifying an explicit time, use a Z at the end of the term, <emphasis>YYMMDDHHMMSSZ</emphasis>, to close it. When specifying an offset time, use <emphasis>YYMMDDHHMMSS+HHMM</emphasis> or <emphasis>YYMMDDHHMMSS-HHMM</emphasis> for adding or subtracting time, respectively.
 </para>
 <para>
 If this option is not used, the validity check defaults to the current system time.</para></listitem>
       </varlistentry>
 
       <varlistentry>
new file mode 100644
--- /dev/null
+++ b/security/nss/doc/nss-policy-check.xml
@@ -0,0 +1,97 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="nss-policy-check">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>NSS Security Tools</title>
+    <productname>nss-tools</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>NSS-POLICY-CHECK</refentrytitle>
+    <manvolnum>1</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>nss-policy-check</refname>
+    <refpurpose>nss-policy-check policy-file</refpurpose>
+  </refnamediv>
+
+ <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>nss-policy-check</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection id="description">
+    <title>Description</title>
+    <para><command>nss-policy-check</command> verifies crypto-policy configuration that controls certain crypto algorithms are allowed/disallowed to use in the NSS library.</para>
+
+    <para>The crypto-policy configuration can be stored in either a system-wide configuration file, specified with the POLICY_PATH and POLICY_FILE build options, or in the pkcs11.txt in NSS database.</para>
+  </refsection>
+
+  <refsection id="basic-usage">
+    <title>Usage and Examples</title>
+    <para>To check the global crypto-policy configuration in <filename>/etc/crypto-policies/back-ends/nss.config</filename>:
+    </para>
+    <programlisting>$ nss-policy-check /etc/crypto-policies/back-ends/nss.config
+NSS-POLICY-INFO: LOADED-SUCCESSFULLY
+NSS-POLICY-INFO: PRIME256V1 is enabled for KX
+NSS-POLICY-INFO: PRIME256V1 is enabled for CERT-SIGNATURE
+NSS-POLICY-INFO: SECP256R1 is enabled for KX
+NSS-POLICY-INFO: SECP256R1 is enabled for CERT-SIGNATURE
+NSS-POLICY-INFO: SECP384R1 is enabled for KX
+NSS-POLICY-INFO: SECP384R1 is enabled for CERT-SIGNATURE
+...
+NSS-POLICY-INFO: NUMBER-OF-SSL-ALG-KX: 13
+NSS-POLICY-INFO: NUMBER-OF-SSL-ALG: 9
+NSS-POLICY-INFO: NUMBER-OF-CERT-SIG: 9
+...
+NSS-POLICY-INFO: ciphersuite TLS_AES_128_GCM_SHA256 is enabled
+NSS-POLICY-INFO: ciphersuite TLS_CHACHA20_POLY1305_SHA256 is enabled
+NSS-POLICY-INFO: ciphersuite TLS_AES_256_GCM_SHA384 is enabled
+...
+NSS-POLICY-INFO: NUMBER-OF-CIPHERSUITES: 24
+NSS-POLICY-INFO: NUMBER-OF-TLS-VERSIONS: 3
+NSS-POLICY-INFO: NUMBER-OF-DTLS-VERSIONS: 2
+    </programlisting>
+    <para>If there is a failure or warning, it will be prefixed with
+    NSS-POLICY-FAIL or NSS-POLICY_WARN.
+    </para>
+    <para><command>nss-policy-check</command> exits with 2 if any
+    failure is found, 1 if any warning is found, or 0 if no errors are
+    found.</para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="resources">
+    <title>Additional Resources</title>
+	<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
+	<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
+	<para>IRC: Freenode at #dogtag-pki</para>
+  </refsection>
+
+<!-- fill in your name first; keep the other names for reference -->
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
+    <para>
+	Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
+    </para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    </para>
+  </refsection>
+
+</refentry>
--- a/security/nss/doc/pk12util.xml
+++ b/security/nss/doc/pk12util.xml
@@ -103,17 +103,17 @@
       </varlistentry>
 
       <varlistentry>
         <term>-m | --key-len  keyLength</term>
         <listitem><para>Specify the desired length of the symmetric key to be used to encrypt the private key.</para></listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>-n | --cert-key-len  certKeyLength</term>
+        <term>--cert-key-len  certKeyLength</term>
         <listitem><para>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-n certname</term>
         <listitem><para>Specify the nickname of the cert and private key to export.</para>
 	<para>The nickname can also be a PKCS #11 URI. For example, if you have a certificate named "my-server-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my-server-cert". For details about the format, see RFC 7512.</para></listitem>
       </varlistentry>
--- a/security/nss/gtests/manifest.mn
+++ b/security/nss/gtests/manifest.mn
@@ -19,16 +19,17 @@ endif
 ifneq ($(NSS_BUILD_SOFTOKEN_ONLY),1)
 ifneq ($(NSS_BUILD_UTIL_ONLY),1)
 NSS_SRCDIRS = \
 	certdb_gtest \
 	certhigh_gtest \
 	cryptohi_gtest \
 	der_gtest \
 	pk11_gtest \
+	smime_gtest \
 	softoken_gtest \
 	ssl_gtest \
 	$(SYSINIT_GTEST) \
 	nss_bogo_shim \
 	$(NULL)
 endif
 endif
 
new file mode 100644
--- /dev/null
+++ b/security/nss/gtests/smime_gtest/Makefile
@@ -0,0 +1,43 @@
+#! gmake
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../common/gtest.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
new file mode 100644
--- /dev/null
+++ b/security/nss/gtests/smime_gtest/manifest.mn
@@ -0,0 +1,22 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+CORE_DEPTH = ../..
+DEPTH      = ../..
+MODULE = nss
+
+CPPSRCS = \
+      smime_unittest.cc \
+      $(NULL)
+
+INCLUDES += -I$(CORE_DEPTH)/gtests/google_test/gtest/include \
+            -I$(CORE_DEPTH)/gtests/common \
+            -I$(CORE_DEPTH)/cpputil
+
+REQUIRES = nspr gtest
+
+PROGRAM = smime_gtest
+
+EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) $(EXTRA_OBJS) \
+             $(DIST)/lib/$(LIB_PREFIX)gtestutil.$(LIB_SUFFIX)
new file mode 100644
--- /dev/null
+++ b/security/nss/gtests/smime_gtest/smime_gtest.gyp
@@ -0,0 +1,30 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+  'includes': [
+    '../../coreconf/config.gypi',
+    '../common/gtest.gypi',
+  ],
+  'targets': [
+    {
+      'target_name': 'smime_gtest',
+      'type': 'executable',
+      'sources': [
+        'smime_unittest.cc',
+        '<(DEPTH)/gtests/common/gtests.cc'
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        '<(DEPTH)/gtests/google_test/google_test.gyp:gtest',
+        '<(DEPTH)/lib/util/util.gyp:nssutil3',
+        '<(DEPTH)/lib/nss/nss.gyp:nss3',
+        '<(DEPTH)/lib/smime/smime.gyp:smime',
+        '<(DEPTH)/lib/ssl/ssl.gyp:ssl3',
+      ]
+    }
+  ],
+  'variables': {
+    'module': 'nss'
+  }
+}
new file mode 100644
--- /dev/null
+++ b/security/nss/gtests/smime_gtest/smime_unittest.cc
@@ -0,0 +1,137 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License v. 2.0. If a copy of the MPL was not distributed with this file
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <string>
+
+#include "gtest/gtest.h"
+
+#include "scoped_ptrs_smime.h"
+#include "smime.h"
+
+namespace nss_test {
+
+// See bug 1507174; this is a CMS serialization (RFC 5652) that claims to be
+// 12336 bytes long, which ensures CMS validates the streaming decoder's
+// incorrect length.
+static const unsigned char kHugeLenAsn1[] = {
+    0x30, 0x82, 0x30, 0x30, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
+    0x0D, 0x01, 0x07, 0x02, 0xA0, 0x82, 0x02, 0x30, 0x30, 0x30, 0x02,
+    0x01, 0x30, 0x31, 0x0F, 0x30, 0x0D, 0x06, 0x09, 0x30, 0x30, 0x30,
+    0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x00, 0x30, 0x0B, 0x06,
+    0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x05};
+
+// secp256r1 signature with no certs and no attrs
+static unsigned char kValidSignature[] = {
+    0x30, 0x81, 0xFE, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
+    0x07, 0x02, 0xA0, 0x81, 0xF0, 0x30, 0x81, 0xED, 0x02, 0x01, 0x01, 0x31,
+    0x0F, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04,
+    0x02, 0x01, 0x05, 0x00, 0x30, 0x0B, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
+    0xF7, 0x0D, 0x01, 0x07, 0x01, 0x31, 0x81, 0xC9, 0x30, 0x81, 0xC6, 0x02,
+    0x01, 0x01, 0x30, 0x5D, 0x30, 0x45, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03,
+    0x55, 0x04, 0x06, 0x13, 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06,
+    0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A, 0x53, 0x6F, 0x6D, 0x65, 0x2D, 0x53,
+    0x74, 0x61, 0x74, 0x65, 0x31, 0x21, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x04,
+    0x0A, 0x0C, 0x18, 0x49, 0x6E, 0x74, 0x65, 0x72, 0x6E, 0x65, 0x74, 0x20,
+    0x57, 0x69, 0x64, 0x67, 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20,
+    0x4C, 0x74, 0x64, 0x02, 0x14, 0x6B, 0x22, 0xCA, 0x91, 0xE0, 0x71, 0x97,
+    0xEB, 0x45, 0x0D, 0x68, 0xC0, 0xD4, 0xB6, 0xE9, 0x45, 0x38, 0x4C, 0xDD,
+    0xA3, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04,
+    0x02, 0x01, 0x05, 0x00, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE,
+    0x3D, 0x04, 0x03, 0x02, 0x04, 0x47, 0x30, 0x45, 0x02, 0x20, 0x48, 0xEB,
+    0xE6, 0xBA, 0xFC, 0xFD, 0x83, 0xB3, 0xA2, 0xB5, 0x59, 0x35, 0x0C, 0xA1,
+    0x31, 0x0E, 0x2F, 0xE3, 0x8D, 0x81, 0xD8, 0xF5, 0x33, 0xE4, 0x83, 0x87,
+    0xB1, 0xFD, 0x43, 0x9D, 0x95, 0x7D, 0x02, 0x21, 0x00, 0xD0, 0x05, 0x0E,
+    0x05, 0xA6, 0x80, 0x3C, 0x1A, 0xFE, 0x51, 0xFC, 0x4D, 0x1A, 0x25, 0x05,
+    0x78, 0xB5, 0x42, 0xF5, 0xDE, 0x4E, 0x8A, 0xF8, 0xE3, 0xD8, 0x52, 0xDC,
+    0x2B, 0x73, 0x80, 0x4A, 0x1A};
+
+// See bug 1507135; this is a CMS signature that contains only the OID
+static unsigned char kTruncatedSignature[] = {0x30, 0x0B, 0x06, 0x09, 0x2A,
+                                              0x86, 0x48, 0x86, 0xF7, 0x0D,
+                                              0x01, 0x07, 0x02};
+
+// secp256r1 signature that's truncated by one byte.
+static unsigned char kSlightlyTruncatedSignature[] = {
+    0x30, 0x81, 0xFE, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
+    0x07, 0x02, 0xA0, 0x81, 0xF0, 0x30, 0x81, 0xED, 0x02, 0x01, 0x01, 0x31,
+    0x0F, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04,
+    0x02, 0x01, 0x05, 0x00, 0x30, 0x0B, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
+    0xF7, 0x0D, 0x01, 0x07, 0x01, 0x31, 0x81, 0xC9, 0x30, 0x81, 0xC6, 0x02,
+    0x01, 0x01, 0x30, 0x5D, 0x30, 0x45, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03,
+    0x55, 0x04, 0x06, 0x13, 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06,
+    0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A, 0x53, 0x6F, 0x6D, 0x65, 0x2D, 0x53,
+    0x74, 0x61, 0x74, 0x65, 0x31, 0x21, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x04,
+    0x0A, 0x0C, 0x18, 0x49, 0x6E, 0x74, 0x65, 0x72, 0x6E, 0x65, 0x74, 0x20,
+    0x57, 0x69, 0x64, 0x67, 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20,
+    0x4C, 0x74, 0x64, 0x02, 0x14, 0x6B, 0x22, 0xCA, 0x91, 0xE0, 0x71, 0x97,
+    0xEB, 0x45, 0x0D, 0x68, 0xC0, 0xD4, 0xB6, 0xE9, 0x45, 0x38, 0x4C, 0xDD,
+    0xA3, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04,
+    0x02, 0x01, 0x05, 0x00, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE,
+    0x3D, 0x04, 0x03, 0x02, 0x04, 0x47, 0x30, 0x45, 0x02, 0x20, 0x48, 0xEB,
+    0xE6, 0xBA, 0xFC, 0xFD, 0x83, 0xB3, 0xA2, 0xB5, 0x59, 0x35, 0x0C, 0xA1,
+    0x31, 0x0E, 0x2F, 0xE3, 0x8D, 0x81, 0xD8, 0xF5, 0x33, 0xE4, 0x83, 0x87,
+    0xB1, 0xFD, 0x43, 0x9D, 0x95, 0x7D, 0x02, 0x21, 0x00, 0xD0, 0x05, 0x0E,
+    0x05, 0xA6, 0x80, 0x3C, 0x1A, 0xFE, 0x51, 0xFC, 0x4D, 0x1A, 0x25, 0x05,
+    0x78, 0xB5, 0x42, 0xF5, 0xDE, 0x4E, 0x8A, 0xF8, 0xE3, 0xD8, 0x52, 0xDC,
+    0x2B, 0x73, 0x80, 0x4A};
+
+class SMimeTest : public ::testing::Test {};
+
+TEST_F(SMimeTest, InvalidDER) {
+  PK11SymKey* bulk_key = nullptr;
+  NSSCMSDecoderContext* dcx =
+      NSS_CMSDecoder_Start(nullptr, nullptr, nullptr, /* content callback  */
+                           nullptr, nullptr,          /* password callback */
+                           nullptr,                   /* key callback      */
+                           bulk_key);
+  ASSERT_NE(nullptr, dcx);
+  EXPECT_EQ(SECSuccess, NSS_CMSDecoder_Update(
+                            dcx, reinterpret_cast<const char*>(kHugeLenAsn1),
+                            sizeof(kHugeLenAsn1)));
+  EXPECT_EQ(nullptr, bulk_key);
+  ASSERT_FALSE(NSS_CMSDecoder_Finish(dcx));
+}
+
+TEST_F(SMimeTest, IsSignedValid) {
+  SECItem sig_der_item = {siBuffer, kValidSignature, sizeof(kValidSignature)};
+
+  ScopedNSSCMSMessage cms_msg(NSS_CMSMessage_CreateFromDER(
+      &sig_der_item, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr));
+
+  ASSERT_TRUE(cms_msg);
+
+  ASSERT_TRUE(NSS_CMSMessage_IsSigned(cms_msg.get()));
+}
+
+TEST_F(SMimeTest, TruncatedCmsSignature) {
+  SECItem sig_der_item = {siBuffer, kTruncatedSignature,
+                          sizeof(kTruncatedSignature)};
+
+  ScopedNSSCMSMessage cms_msg(NSS_CMSMessage_CreateFromDER(
+      &sig_der_item, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr));
+
+  ASSERT_TRUE(cms_msg);
+
+  ASSERT_FALSE(NSS_CMSMessage_IsSigned(cms_msg.get()));
+}
+
+TEST_F(SMimeTest, SlightlyTruncatedCmsSignature) {
+  SECItem sig_der_item = {siBuffer, kSlightlyTruncatedSignature,
+                          sizeof(kSlightlyTruncatedSignature)};
+
+  ScopedNSSCMSMessage cms_msg(NSS_CMSMessage_CreateFromDER(
+      &sig_der_item, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr));
+
+  ASSERT_FALSE(cms_msg);
+
+  ASSERT_FALSE(NSS_CMSMessage_IsSigned(cms_msg.get()));
+}
+
+TEST_F(SMimeTest, IsSignedNull) {
+  ASSERT_FALSE(NSS_CMSMessage_IsSigned(nullptr));
+}
+
+}  // namespace nss_test
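Review bot: In InvalidDER, `EXPECT_EQ(nullptr, bulk_key);` cannot fail, because `bulk_key` is a local pointer passed by value to NSS_CMSDecoder_Start and nothing in the test can write to it afterwards. The check that actually guards the bug 1507174 input is `ASSERT_FALSE(NSS_CMSDecoder_Finish(dcx))`, so I would drop the vacuous expectation or replace it with a comment stating that no key callback is installed. Separately, kSlightlyTruncatedSignature repeats kValidSignature byte for byte minus the last one; building the item as `{siBuffer, kValidSignature, sizeof(kValidSignature) - 1}` would keep the two inputs from drifting apart.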
--- a/security/nss/gtests/ssl_gtest/tls_hkdf_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/tls_hkdf_unittest.cc
@@ -178,25 +178,22 @@ class TlsHkdfTest : public ::testing::Te
 
     SECStatus rv = tls13_HkdfExpandLabelRaw(prk->get(), base_hash, session_hash,
                                             session_hash_len, label, label_len,
                                             &output[0], output.size());
     ASSERT_EQ(SECSuccess, rv);
     DumpData("Output", &output[0], output.size());
     EXPECT_EQ(0, memcmp(expected.data(), &output[0], expected.len()));
 
-    if (session_hash_len > 0) {
-      return;
-    }
-
     // Verify that the public API produces the same result.
     PRUint16 cs = GetSomeCipherSuiteForHash(base_hash);
     PK11SymKey* secret;
-    rv = SSL_HkdfDeriveSecret(SSL_LIBRARY_VERSION_TLS_1_3, cs, prk->get(),
-                              label, label_len, &secret);
+    rv = SSL_HkdfExpandLabel(SSL_LIBRARY_VERSION_TLS_1_3, cs, prk->get(),
+                             session_hash, session_hash_len, label, label_len,
+                             &secret);
     EXPECT_EQ(SECSuccess, rv);
     ASSERT_NE(nullptr, prk);
     VerifyKey(ScopedPK11SymKey(secret), expected);
   }
 
  protected:
   ScopedPK11SymKey k1_;
   ScopedPK11SymKey k2_;
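Review bot: The check after the new `SSL_HkdfExpandLabel` call is `ASSERT_NE(nullptr, prk)`, which tests the input that was already dereferenced via `prk->get()` above, not the output key. `secret` is also declared without an initialiser, and `EXPECT_EQ(SECSuccess, rv)` is non-fatal, so a failing call would pass an indeterminate pointer to `ScopedPK11SymKey(secret)` and the test would free or compare garbage instead of failing cleanly. Now that the `session_hash_len > 0` early return is gone, this path runs for every test vector, so I would write `PK11SymKey* secret = nullptr;` and replace the assertion with `ASSERT_NE(nullptr, secret);`. The enclosing helper starts outside this hunk, so the type of `prk` is inferred from its use.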
@@ -342,61 +339,72 @@ TEST_P(TlsHkdfTest, BadExtractWrapperInp
   EXPECT_EQ(SECFailure, SSL_HkdfExtract(SSL_LIBRARY_VERSION_TLS_1_3,
                                         TLS_RSA_WITH_AES_128_CBC_SHA, k1_.get(),
                                         k2_.get(), nullptr));
   EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
 
   EXPECT_EQ(nullptr, key);
 }
 
-TEST_P(TlsHkdfTest, BadDeriveSecretWrapperInput) {
+TEST_P(TlsHkdfTest, BadExpandLabelWrapperInput) {
   PK11SymKey* key = nullptr;
   static const char* kLabel = "label";
 
   // Bad version.
-  EXPECT_EQ(SECFailure, SSL_HkdfDeriveSecret(SSL_LIBRARY_VERSION_TLS_1_2,
-                                             TLS_AES_128_GCM_SHA256, k1_.get(),
-                                             kLabel, strlen(kLabel), &key));
+  EXPECT_EQ(
+      SECFailure,
+      SSL_HkdfExpandLabel(SSL_LIBRARY_VERSION_TLS_1_2, TLS_AES_128_GCM_SHA256,
+                          k1_.get(), nullptr, 0, kLabel, strlen(kLabel), &key));
   EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
 
   // Bad ciphersuite.
-  EXPECT_EQ(SECFailure, SSL_HkdfDeriveSecret(SSL_LIBRARY_VERSION_TLS_1_3,
-                                             TLS_RSA_WITH_NULL_MD5, k1_.get(),
-                                             kLabel, strlen(kLabel), &key));
+  EXPECT_EQ(
+      SECFailure,
+      SSL_HkdfExpandLabel(SSL_LIBRARY_VERSION_TLS_1_3, TLS_RSA_WITH_NULL_MD5,
+                          k1_.get(), nullptr, 0, kLabel, strlen(kLabel), &key));
   EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
 
   // Old ciphersuite.
   EXPECT_EQ(SECFailure,
-            SSL_HkdfDeriveSecret(SSL_LIBRARY_VERSION_TLS_1_3,
-                                 TLS_RSA_WITH_AES_128_CBC_SHA, k1_.get(),
-                                 kLabel, strlen(kLabel), &key));
+            SSL_HkdfExpandLabel(SSL_LIBRARY_VERSION_TLS_1_3,
+                                TLS_RSA_WITH_AES_128_CBC_SHA, k1_.get(),
+                                nullptr, 0, kLabel, strlen(kLabel), &key));
   EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
 
   // Null PRK.
-  EXPECT_EQ(SECFailure, SSL_HkdfDeriveSecret(SSL_LIBRARY_VERSION_TLS_1_2,
-                                             TLS_AES_128_GCM_SHA256, nullptr,
-                                             kLabel, strlen(kLabel), &key));
+  EXPECT_EQ(SECFailure, SSL_HkdfExpandLabel(
+                            SSL_LIBRARY_VERSION_TLS_1_2, TLS_AES_128_GCM_SHA256,
+                            nullptr, nullptr, 0, kLabel, strlen(kLabel), &key));
   EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
 
+  // Null, non-zero-length handshake hash.
+  EXPECT_EQ(
+      SECFailure,
+      SSL_HkdfExpandLabel(SSL_LIBRARY_VERSION_TLS_1_2, TLS_AES_128_GCM_SHA256,
+                          k1_.get(), nullptr, 2, kLabel, strlen(kLabel), &key));
+
+  EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
   // Null, non-zero-length label.
-  EXPECT_EQ(SECFailure, SSL_HkdfDeriveSecret(SSL_LIBRARY_VERSION_TLS_1_3,
-                                             TLS_AES_128_GCM_SHA256, k1_.get(),
-                                             nullptr, strlen(kLabel), &key));
+  EXPECT_EQ(SECFailure,
+            SSL_HkdfExpandLabel(SSL_LIBRARY_VERSION_TLS_1_3,
+                                TLS_AES_128_GCM_SHA256, k1_.get(), nullptr, 0,
+                                nullptr, strlen(kLabel), &key));
   EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
 
   // Null, empty label.
-  EXPECT_EQ(SECFailure, SSL_HkdfDeriveSecret(SSL_LIBRARY_VERSION_TLS_1_3,
-                                             TLS_AES_128_GCM_SHA256, k1_.get(),
-                                             nullptr, 0, &key));
+  EXPECT_EQ(SECFailure, SSL_HkdfExpandLabel(SSL_LIBRARY_VERSION_TLS_1_3,
+                                            TLS_AES_128_GCM_SHA256, k1_.get(),
+                                            nullptr, 0, nullptr, 0, &key));
   EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
 
   // Null key pointer..
-  EXPECT_EQ(SECFailure, SSL_HkdfDeriveSecret(SSL_LIBRARY_VERSION_TLS_1_3,
-                                             TLS_AES_128_GCM_SHA256, k1_.get(),
-                                             kLabel, strlen(kLabel), nullptr));
+  EXPECT_EQ(SECFailure,
+            SSL_HkdfExpandLabel(SSL_LIBRARY_VERSION_TLS_1_3,
+                                TLS_AES_128_GCM_SHA256, k1_.get(), nullptr, 0,
+                                kLabel, strlen(kLabel), nullptr));
   EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
 
   EXPECT_EQ(nullptr, key);
 }
 
 static const SSLHashType kHashTypes[] = {ssl_hash_sha256, ssl_hash_sha384};
 INSTANTIATE_TEST_CASE_P(AllHashFuncs, TlsHkdfTest,
                         ::testing::ValuesIn(kHashTypes));
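Review bot: The new "Null, non-zero-length handshake hash" case, like the existing "Null PRK" case, passes `SSL_LIBRARY_VERSION_TLS_1_2`, so the call is probably rejected by the version check and the null-hash/length validation is never exercised. To pin the intended check, make every other argument valid: `SSL_HkdfExpandLabel(SSL_LIBRARY_VERSION_TLS_1_3, TLS_AES_128_GCM_SHA256, k1_.get(), nullptr, 2, kLabel, strlen(kLabel), &key)`, and likewise use TLS 1.3 for the null-PRK call. Separately, each `EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError())` can be satisfied by the error left over from the previous case; a `PORT_SetError(0);` before each call would make the assertions independent. A length mismatch on a null buffer is exactly the input class that leads to an out-of-bounds read if validation regresses, so this case is worth making precise.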
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -23148,8 +23148,683 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\021\000\312\351\033\211\361\125\003\015\243\346\101\155\304
 \343\246\341
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "emSign Root CA - G1"
+#
+# Issuer: CN=emSign Root CA - G1,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN
+# Serial Number:31:f5:e4:62:0c:6c:58:ed:d6:d8
+# Subject: CN=emSign Root CA - G1,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN
+# Not Valid Before: Sun Feb 18 18:30:00 2018
+# Not Valid After : Wed Feb 18 18:30:00 2043
+# Fingerprint (SHA-256): 40:F6:AF:03:46:A9:9A:A1:CD:1D:55:5A:4E:9C:CE:62:C7:F9:63:46:03:EE:40:66:15:83:3D:C8:C8:D0:03:67
+# Fingerprint (SHA1): 8A:C7:AD:8F:73:AC:4E:C1:B5:75:4D:A5:40:F4:FC:CF:7C:B5:8E:8C
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "emSign Root CA - G1"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\147\061\013\060\011\006\003\125\004\006\023\002\111\116\061
+\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
+\040\120\113\111\061\045\060\043\006\003\125\004\012\023\034\145
+\115\165\144\150\162\141\040\124\145\143\150\156\157\154\157\147
+\151\145\163\040\114\151\155\151\164\145\144\061\034\060\032\006
+\003\125\004\003\023\023\145\155\123\151\147\156\040\122\157\157
+\164\040\103\101\040\055\040\107\061
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\147\061\013\060\011\006\003\125\004\006\023\002\111\116\061
+\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
+\040\120\113\111\061\045\060\043\006\003\125\004\012\023\034\145
+\115\165\144\150\162\141\040\124\145\143\150\156\157\154\157\147
+\151\145\163\040\114\151\155\151\164\145\144\061\034\060\032\006
+\003\125\004\003\023\023\145\155\123\151\147\156\040\122\157\157
+\164\040\103\101\040\055\040\107\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\012\061\365\344\142\014\154\130\355\326\330
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\224\060\202\002\174\240\003\002\001\002\002\012\061
+\365\344\142\014\154\130\355\326\330\060\015\006\011\052\206\110
+\206\367\015\001\001\013\005\000\060\147\061\013\060\011\006\003
+\125\004\006\023\002\111\116\061\023\060\021\006\003\125\004\013
+\023\012\145\155\123\151\147\156\040\120\113\111\061\045\060\043
+\006\003\125\004\012\023\034\145\115\165\144\150\162\141\040\124
+\145\143\150\156\157\154\157\147\151\145\163\040\114\151\155\151
+\164\145\144\061\034\060\032\006\003\125\004\003\023\023\145\155
+\123\151\147\156\040\122\157\157\164\040\103\101\040\055\040\107
+\061\060\036\027\015\061\070\060\062\061\070\061\070\063\060\060
+\060\132\027\015\064\063\060\062\061\070\061\070\063\060\060\060
+\132\060\147\061\013\060\011\006\003\125\004\006\023\002\111\116
+\061\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147
+\156\040\120\113\111\061\045\060\043\006\003\125\004\012\023\034
+\145\115\165\144\150\162\141\040\124\145\143\150\156\157\154\157
+\147\151\145\163\040\114\151\155\151\164\145\144\061\034\060\032
+\006\003\125\004\003\023\023\145\155\123\151\147\156\040\122\157
+\157\164\040\103\101\040\055\040\107\061\060\202\001\042\060\015
+\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001
+\017\000\060\202\001\012\002\202\001\001\000\223\113\273\351\146
+\212\356\235\133\325\064\223\320\033\036\303\347\236\270\144\063
+\177\143\170\150\264\315\056\161\165\327\233\040\306\115\051\274
+\266\150\140\212\367\041\232\126\065\132\363\166\275\330\315\232
+\377\223\126\113\245\131\006\241\223\064\051\335\026\064\165\116
+\362\201\264\307\226\116\255\031\025\122\112\376\074\160\165\160
+\315\257\053\253\025\232\063\074\252\263\213\252\315\103\375\365
+\352\160\377\355\317\021\073\224\316\116\062\026\323\043\100\052
+\167\263\257\074\001\054\154\355\231\054\213\331\116\151\230\262
+\367\217\101\260\062\170\141\326\015\137\303\372\242\100\222\035
+\134\027\346\160\076\065\347\242\267\302\142\342\253\244\070\114
+\265\071\065\157\352\003\151\372\072\124\150\205\155\326\362\057
+\103\125\036\221\015\016\330\325\152\244\226\321\023\074\054\170
+\120\350\072\222\322\027\126\345\065\032\100\034\076\215\054\355
+\071\337\102\340\203\101\164\337\243\315\302\206\140\110\150\343
+\151\013\124\000\213\344\166\151\041\015\171\116\064\010\136\024
+\302\314\261\267\255\327\174\160\212\307\205\002\003\001\000\001
+\243\102\060\100\060\035\006\003\125\035\016\004\026\004\024\373
+\357\015\206\236\260\343\335\251\271\361\041\027\177\076\374\360
+\167\053\032\060\016\006\003\125\035\017\001\001\377\004\004\003
+\002\001\006\060\017\006\003\125\035\023\001\001\377\004\005\060
+\003\001\001\377\060\015\006\011\052\206\110\206\367\015\001\001
+\013\005\000\003\202\001\001\000\131\377\362\214\365\207\175\161
+\075\243\237\033\133\321\332\370\323\234\153\066\275\233\251\141
+\353\336\026\054\164\075\236\346\165\332\327\272\247\274\102\027
+\347\075\221\353\345\175\335\076\234\361\317\222\254\154\110\314
+\302\042\077\151\073\305\266\025\057\243\065\306\150\052\034\127
+\257\071\357\215\320\065\303\030\014\173\000\126\034\315\213\031
+\164\336\276\017\022\340\320\252\241\077\002\064\261\160\316\235
+\030\326\010\003\011\106\356\140\340\176\266\304\111\004\121\175
+\160\140\274\252\262\377\171\162\172\246\035\075\137\052\370\312
+\342\375\071\267\107\271\353\176\337\004\043\257\372\234\006\007
+\351\373\143\223\200\100\265\306\154\012\061\050\316\014\237\317
+\263\043\065\200\101\215\154\304\067\173\201\057\200\241\100\102
+\205\351\331\070\215\350\241\123\315\001\277\151\350\132\006\362
+\105\013\220\372\256\341\277\235\362\256\127\074\245\256\262\126
+\364\213\145\100\351\375\061\201\054\364\071\011\330\356\153\247
+\264\246\035\025\245\230\367\001\201\330\205\175\363\121\134\161
+\210\336\272\314\037\200\176\112
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "emSign Root CA - G1"
+# Issuer: CN=emSign Root CA - G1,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN
+# Serial Number:31:f5:e4:62:0c:6c:58:ed:d6:d8
+# Subject: CN=emSign Root CA - G1,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN
+# Not Valid Before: Sun Feb 18 18:30:00 2018
+# Not Valid After : Wed Feb 18 18:30:00 2043
+# Fingerprint (SHA-256): 40:F6:AF:03:46:A9:9A:A1:CD:1D:55:5A:4E:9C:CE:62:C7:F9:63:46:03:EE:40:66:15:83:3D:C8:C8:D0:03:67
+# Fingerprint (SHA1): 8A:C7:AD:8F:73:AC:4E:C1:B5:75:4D:A5:40:F4:FC:CF:7C:B5:8E:8C
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "emSign Root CA - G1"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\212\307\255\217\163\254\116\301\265\165\115\245\100\364\374\317
+\174\265\216\214
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\234\102\204\127\335\313\013\247\056\225\255\266\363\332\274\254
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\147\061\013\060\011\006\003\125\004\006\023\002\111\116\061
+\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
+\040\120\113\111\061\045\060\043\006\003\125\004\012\023\034\145
+\115\165\144\150\162\141\040\124\145\143\150\156\157\154\157\147
+\151\145\163\040\114\151\155\151\164\145\144\061\034\060\032\006
+\003\125\004\003\023\023\145\155\123\151\147\156\040\122\157\157
+\164\040\103\101\040\055\040\107\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\012\061\365\344\142\014\154\130\355\326\330
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "emSign ECC Root CA - G3"
+#
+# Issuer: CN=emSign ECC Root CA - G3,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN
+# Serial Number:3c:f6:07:a9:68:70:0e:da:8b:84
+# Subject: CN=emSign ECC Root CA - G3,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN
+# Not Valid Before: Sun Feb 18 18:30:00 2018
+# Not Valid After : Wed Feb 18 18:30:00 2043
+# Fingerprint (SHA-256): 86:A1:EC:BA:08:9C:4A:8D:3B:BE:27:34:C6:12:BA:34:1D:81:3E:04:3C:F9:E8:A8:62:CD:5C:57:A3:6B:BE:6B
+# Fingerprint (SHA1): 30:43:FA:4F:F2:57:DC:A0:C3:80:EE:2E:58:EA:78:B2:3F:E6:BB:C1
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "emSign ECC Root CA - G3"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\153\061\013\060\011\006\003\125\004\006\023\002\111\116\061
+\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
+\040\120\113\111\061\045\060\043\006\003\125\004\012\023\034\145
+\115\165\144\150\162\141\040\124\145\143\150\156\157\154\157\147
+\151\145\163\040\114\151\155\151\164\145\144\061\040\060\036\006
+\003\125\004\003\023\027\145\155\123\151\147\156\040\105\103\103
+\040\122\157\157\164\040\103\101\040\055\040\107\063
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\153\061\013\060\011\006\003\125\004\006\023\002\111\116\061
+\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
+\040\120\113\111\061\045\060\043\006\003\125\004\012\023\034\145
+\115\165\144\150\162\141\040\124\145\143\150\156\157\154\157\147
+\151\145\163\040\114\151\155\151\164\145\144\061\040\060\036\006
+\003\125\004\003\023\027\145\155\123\151\147\156\040\105\103\103
+\040\122\157\157\164\040\103\101\040\055\040\107\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\012\074\366\007\251\150\160\016\332\213\204
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\116\060\202\001\323\240\003\002\001\002\002\012\074
+\366\007\251\150\160\016\332\213\204\060\012\006\010\052\206\110
+\316\075\004\003\003\060\153\061\013\060\011\006\003\125\004\006
+\023\002\111\116\061\023\060\021\006\003\125\004\013\023\012\145
+\155\123\151\147\156\040\120\113\111\061\045\060\043\006\003\125
+\004\012\023\034\145\115\165\144\150\162\141\040\124\145\143\150
+\156\157\154\157\147\151\145\163\040\114\151\155\151\164\145\144
+\061\040\060\036\006\003\125\004\003\023\027\145\155\123\151\147
+\156\040\105\103\103\040\122\157\157\164\040\103\101\040\055\040
+\107\063\060\036\027\015\061\070\060\062\061\070\061\070\063\060
+\060\060\132\027\015\064\063\060\062\061\070\061\070\063\060\060
+\060\132\060\153\061\013\060\011\006\003\125\004\006\023\002\111
+\116\061\023\060\021\006\003\125\004\013\023\012\145\155\123\151
+\147\156\040\120\113\111\061\045\060\043\006\003\125\004\012\023
+\034\145\115\165\144\150\162\141\040\124\145\143\150\156\157\154
+\157\147\151\145\163\040\114\151\155\151\164\145\144\061\040\060
+\036\006\003\125\004\003\023\027\145\155\123\151\147\156\040\105
+\103\103\040\122\157\157\164\040\103\101\040\055\040\107\063\060
+\166\060\020\006\007\052\206\110\316\075\002\001\006\005\053\201
+\004\000\042\003\142\000\004\043\245\014\270\055\022\365\050\363
+\261\262\335\342\002\022\200\236\071\137\111\115\237\311\045\064
+\131\164\354\273\006\034\347\300\162\257\350\256\057\341\101\124
+\207\024\250\112\262\350\174\202\346\133\152\265\334\263\165\316
+\213\006\320\206\043\277\106\325\216\017\077\004\364\327\034\222
+\176\366\245\143\302\365\137\216\056\117\241\030\031\002\053\062
+\012\202\144\175\026\223\321\243\102\060\100\060\035\006\003\125
+\035\016\004\026\004\024\174\135\002\204\023\324\314\212\233\201
+\316\027\034\056\051\036\234\110\143\102\060\016\006\003\125\035
+\017\001\001\377\004\004\003\002\001\006\060\017\006\003\125\035
+\023\001\001\377\004\005\060\003\001\001\377\060\012\006\010\052
+\206\110\316\075\004\003\003\003\151\000\060\146\002\061\000\276
+\363\141\317\002\020\035\144\225\007\270\030\156\210\205\005\057
+\203\010\027\220\312\037\212\114\350\015\033\172\261\255\325\201
+\011\107\357\073\254\010\004\174\134\231\261\355\107\007\322\002
+\061\000\235\272\125\374\251\112\350\355\355\346\166\001\102\173
+\310\370\140\331\215\121\213\125\073\373\214\173\353\145\011\303
+\370\226\315\107\250\202\362\026\125\167\044\176\022\020\225\004
+\054\243
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "emSign ECC Root CA - G3"
+# Issuer: CN=emSign ECC Root CA - G3,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN
+# Serial Number:3c:f6:07:a9:68:70:0e:da:8b:84
+# Subject: CN=emSign ECC Root CA - G3,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN
+# Not Valid Before: Sun Feb 18 18:30:00 2018
+# Not Valid After : Wed Feb 18 18:30:00 2043
+# Fingerprint (SHA-256): 86:A1:EC:BA:08:9C:4A:8D:3B:BE:27:34:C6:12:BA:34:1D:81:3E:04:3C:F9:E8:A8:62:CD:5C:57:A3:6B:BE:6B
+# Fingerprint (SHA1): 30:43:FA:4F:F2:57:DC:A0:C3:80:EE:2E:58:EA:78:B2:3F:E6:BB:C1
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "emSign ECC Root CA - G3"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\060\103\372\117\362\127\334\240\303\200\356\056\130\352\170\262
+\077\346\273\301
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\316\013\162\321\237\210\216\320\120\003\350\343\270\213\147\100
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\153\061\013\060\011\006\003\125\004\006\023\002\111\116\061
+\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
+\040\120\113\111\061\045\060\043\006\003\125\004\012\023\034\145
+\115\165\144\150\162\141\040\124\145\143\150\156\157\154\157\147
+\151\145\163\040\114\151\155\151\164\145\144\061\040\060\036\006
+\003\125\004\003\023\027\145\155\123\151\147\156\040\105\103\103
+\040\122\157\157\164\040\103\101\040\055\040\107\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\012\074\366\007\251\150\160\016\332\213\204
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "emSign Root CA - C1"
+#
+# Issuer: CN=emSign Root CA - C1,O=eMudhra Inc,OU=emSign PKI,C=US
+# Serial Number:00:ae:cf:00:ba:c4:cf:32:f8:43:b2
+# Subject: CN=emSign Root CA - C1,O=eMudhra Inc,OU=emSign PKI,C=US
+# Not Valid Before: Sun Feb 18 18:30:00 2018
+# Not Valid After : Wed Feb 18 18:30:00 2043
+# Fingerprint (SHA-256): 12:56:09:AA:30:1D:A0:A2:49:B9:7A:82:39:CB:6A:34:21:6F:44:DC:AC:9F:39:54:B1:42:92:F2:E8:C8:60:8F
+# Fingerprint (SHA1): E7:2E:F1:DF:FC:B2:09:28:CF:5D:D4:D5:67:37:B1:51:CB:86:4F:01
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "emSign Root CA - C1"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\126\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
+\040\120\113\111\061\024\060\022\006\003\125\004\012\023\013\145
+\115\165\144\150\162\141\040\111\156\143\061\034\060\032\006\003
+\125\004\003\023\023\145\155\123\151\147\156\040\122\157\157\164
+\040\103\101\040\055\040\103\061
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\126\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
+\040\120\113\111\061\024\060\022\006\003\125\004\012\023\013\145
+\115\165\144\150\162\141\040\111\156\143\061\034\060\032\006\003
+\125\004\003\023\023\145\155\123\151\147\156\040\122\157\157\164
+\040\103\101\040\055\040\103\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\013\000\256\317\000\272\304\317\062\370\103\262
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\163\060\202\002\133\240\003\002\001\002\002\013\000
+\256\317\000\272\304\317\062\370\103\262\060\015\006\011\052\206
+\110\206\367\015\001\001\013\005\000\060\126\061\013\060\011\006
+\003\125\004\006\023\002\125\123\061\023\060\021\006\003\125\004
+\013\023\012\145\155\123\151\147\156\040\120\113\111\061\024\060
+\022\006\003\125\004\012\023\013\145\115\165\144\150\162\141\040
+\111\156\143\061\034\060\032\006\003\125\004\003\023\023\145\155
+\123\151\147\156\040\122\157\157\164\040\103\101\040\055\040\103
+\061\060\036\027\015\061\070\060\062\061\070\061\070\063\060\060
+\060\132\027\015\064\063\060\062\061\070\061\070\063\060\060\060
+\132\060\126\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147
+\156\040\120\113\111\061\024\060\022\006\003\125\004\012\023\013
+\145\115\165\144\150\162\141\040\111\156\143\061\034\060\032\006
+\003\125\004\003\023\023\145\155\123\151\147\156\040\122\157\157
+\164\040\103\101\040\055\040\103\061\060\202\001\042\060\015\006
+\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017
+\000\060\202\001\012\002\202\001\001\000\317\353\251\271\361\231
+\005\314\330\050\041\112\363\163\064\121\204\126\020\365\240\117
+\054\022\343\372\023\232\047\320\317\371\171\032\164\137\035\171
+\071\374\133\370\160\216\340\222\122\367\344\045\371\124\203\331
+\035\323\310\132\205\077\136\307\266\007\356\076\300\316\232\257
+\254\126\102\052\071\045\160\326\277\265\173\066\255\254\366\163
+\334\315\327\035\212\203\245\373\053\220\025\067\153\034\046\107
+\334\073\051\126\223\152\263\301\152\072\235\075\365\301\227\070
+\130\005\213\034\021\343\344\264\270\135\205\035\203\376\170\137
+\013\105\150\030\110\245\106\163\064\073\376\017\310\166\273\307
+\030\363\005\321\206\363\205\355\347\271\331\062\255\125\210\316
+\246\266\221\260\117\254\176\025\043\226\366\077\360\040\064\026
+\336\012\306\304\004\105\171\177\247\375\276\322\251\245\257\234
+\305\043\052\367\074\041\154\275\257\217\116\305\072\262\363\064
+\022\374\337\200\032\111\244\324\251\225\367\236\211\136\242\211
+\254\224\313\250\150\233\257\212\145\047\315\211\356\335\214\265
+\153\051\160\103\240\151\013\344\271\017\002\003\001\000\001\243
+\102\060\100\060\035\006\003\125\035\016\004\026\004\024\376\241
+\340\160\036\052\003\071\122\132\102\276\134\221\205\172\030\252
+\115\265\060\016\006\003\125\035\017\001\001\377\004\004\003\002
+\001\006\060\017\006\003\125\035\023\001\001\377\004\005\060\003
+\001\001\377\060\015\006\011\052\206\110\206\367\015\001\001\013
+\005\000\003\202\001\001\000\302\112\126\372\025\041\173\050\242
+\351\345\035\373\370\055\304\071\226\101\114\073\047\054\304\154
+\030\025\200\306\254\257\107\131\057\046\013\343\066\260\357\073
+\376\103\227\111\062\231\022\025\133\337\021\051\377\253\123\370
+\273\301\170\017\254\234\123\257\127\275\150\214\075\151\063\360
+\243\240\043\143\073\144\147\042\104\255\325\161\313\126\052\170
+\222\243\117\022\061\066\066\342\336\376\000\304\243\140\017\047
+\255\240\260\212\265\066\172\122\241\275\047\364\040\047\142\350
+\115\224\044\023\344\012\004\351\074\253\056\310\103\011\112\306
+\141\004\345\111\064\176\323\304\310\365\017\300\252\351\272\124
+\136\363\143\053\117\117\120\324\376\271\173\231\214\075\300\056
+\274\002\053\323\304\100\344\212\007\061\036\233\316\046\231\023
+\373\021\352\232\042\014\021\031\307\136\033\201\120\060\310\226
+\022\156\347\313\101\177\221\073\242\107\267\124\200\033\334\000
+\314\232\220\352\303\303\120\006\142\014\060\300\025\110\247\250
+\131\174\341\256\042\242\342\012\172\017\372\142\253\122\114\341
+\361\337\312\276\203\015\102
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "emSign Root CA - C1"
+# Issuer: CN=emSign Root CA - C1,O=eMudhra Inc,OU=emSign PKI,C=US
+# Serial Number:00:ae:cf:00:ba:c4:cf:32:f8:43:b2
+# Subject: CN=emSign Root CA - C1,O=eMudhra Inc,OU=emSign PKI,C=US
+# Not Valid Before: Sun Feb 18 18:30:00 2018
+# Not Valid After : Wed Feb 18 18:30:00 2043
+# Fingerprint (SHA-256): 12:56:09:AA:30:1D:A0:A2:49:B9:7A:82:39:CB:6A:34:21:6F:44:DC:AC:9F:39:54:B1:42:92:F2:E8:C8:60:8F
+# Fingerprint (SHA1): E7:2E:F1:DF:FC:B2:09:28:CF:5D:D4:D5:67:37:B1:51:CB:86:4F:01
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "emSign Root CA - C1"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\347\056\361\337\374\262\011\050\317\135\324\325\147\067\261\121
+\313\206\117\001
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\330\343\135\001\041\372\170\132\260\337\272\322\356\052\137\150
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\126\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
+\040\120\113\111\061\024\060\022\006\003\125\004\012\023\013\145
+\115\165\144\150\162\141\040\111\156\143\061\034\060\032\006\003
+\125\004\003\023\023\145\155\123\151\147\156\040\122\157\157\164
+\040\103\101\040\055\040\103\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\013\000\256\317\000\272\304\317\062\370\103\262
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "emSign ECC Root CA - C3"
+#
+# Issuer: CN=emSign ECC Root CA - C3,O=eMudhra Inc,OU=emSign PKI,C=US
+# Serial Number:7b:71:b6:82:56:b8:12:7c:9c:a8
+# Subject: CN=emSign ECC Root CA - C3,O=eMudhra Inc,OU=emSign PKI,C=US
+# Not Valid Before: Sun Feb 18 18:30:00 2018
+# Not Valid After : Wed Feb 18 18:30:00 2043
+# Fingerprint (SHA-256): BC:4D:80:9B:15:18:9D:78:DB:3E:1D:8C:F4:F9:72:6A:79:5D:A1:64:3C:A5:F1:35:8E:1D:DB:0E:DC:0D:7E:B3
+# Fingerprint (SHA1): B6:AF:43:C2:9B:81:53:7D:F6:EF:6B:C3:1F:1F:60:15:0C:EE:48:66
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "emSign ECC Root CA - C3"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
+\040\120\113\111\061\024\060\022\006\003\125\004\012\023\013\145
+\115\165\144\150\162\141\040\111\156\143\061\040\060\036\006\003
+\125\004\003\023\027\145\155\123\151\147\156\040\105\103\103\040
+\122\157\157\164\040\103\101\040\055\040\103\063
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
+\040\120\113\111\061\024\060\022\006\003\125\004\012\023\013\145
+\115\165\144\150\162\141\040\111\156\143\061\040\060\036\006\003
+\125\004\003\023\027\145\155\123\151\147\156\040\105\103\103\040
+\122\157\157\164\040\103\101\040\055\040\103\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\012\173\161\266\202\126\270\022\174\234\250
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\053\060\202\001\261\240\003\002\001\002\002\012\173
+\161\266\202\126\270\022\174\234\250\060\012\006\010\052\206\110
+\316\075\004\003\003\060\132\061\013\060\011\006\003\125\004\006
+\023\002\125\123\061\023\060\021\006\003\125\004\013\023\012\145
+\155\123\151\147\156\040\120\113\111\061\024\060\022\006\003\125
+\004\012\023\013\145\115\165\144\150\162\141\040\111\156\143\061
+\040\060\036\006\003\125\004\003\023\027\145\155\123\151\147\156
+\040\105\103\103\040\122\157\157\164\040\103\101\040\055\040\103
+\063\060\036\027\015\061\070\060\062\061\070\061\070\063\060\060
+\060\132\027\015\064\063\060\062\061\070\061\070\063\060\060\060
+\132\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147
+\156\040\120\113\111\061\024\060\022\006\003\125\004\012\023\013
+\145\115\165\144\150\162\141\040\111\156\143\061\040\060\036\006
+\003\125\004\003\023\027\145\155\123\151\147\156\040\105\103\103
+\040\122\157\157\164\040\103\101\040\055\040\103\063\060\166\060
+\020\006\007\052\206\110\316\075\002\001\006\005\053\201\004\000
+\042\003\142\000\004\375\245\141\256\173\046\020\035\351\267\042
+\060\256\006\364\201\263\261\102\161\225\071\274\323\122\343\257
+\257\371\362\227\065\222\066\106\016\207\225\215\271\071\132\351
+\273\337\320\376\310\007\101\074\273\125\157\203\243\152\373\142
+\260\201\211\002\160\175\110\305\112\343\351\042\124\042\115\223
+\273\102\014\257\167\234\043\246\175\327\141\021\316\145\307\370
+\177\376\365\362\251\243\102\060\100\060\035\006\003\125\035\016
+\004\026\004\024\373\132\110\320\200\040\100\362\250\351\000\007
+\151\031\167\247\346\303\364\317\060\016\006\003\125\035\017\001
+\001\377\004\004\003\002\001\006\060\017\006\003\125\035\023\001
+\001\377\004\005\060\003\001\001\377\060\012\006\010\052\206\110
+\316\075\004\003\003\003\150\000\060\145\002\061\000\264\330\057
+\002\211\375\266\114\142\272\103\116\023\204\162\265\256\335\034
+\336\326\265\334\126\217\130\100\132\055\336\040\114\042\203\312
+\223\250\176\356\022\100\307\326\207\117\370\337\205\002\060\034
+\024\144\344\174\226\203\021\234\260\321\132\141\113\246\017\111
+\323\000\374\241\374\344\245\377\177\255\327\060\320\307\167\177
+\276\201\007\125\060\120\040\024\365\127\070\012\250\061\121
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "emSign ECC Root CA - C3"
+# Issuer: CN=emSign ECC Root CA - C3,O=eMudhra Inc,OU=emSign PKI,C=US
+# Serial Number:7b:71:b6:82:56:b8:12:7c:9c:a8
+# Subject: CN=emSign ECC Root CA - C3,O=eMudhra Inc,OU=emSign PKI,C=US
+# Not Valid Before: Sun Feb 18 18:30:00 2018
+# Not Valid After : Wed Feb 18 18:30:00 2043
+# Fingerprint (SHA-256): BC:4D:80:9B:15:18:9D:78:DB:3E:1D:8C:F4:F9:72:6A:79:5D:A1:64:3C:A5:F1:35:8E:1D:DB:0E:DC:0D:7E:B3
+# Fingerprint (SHA1): B6:AF:43:C2:9B:81:53:7D:F6:EF:6B:C3:1F:1F:60:15:0C:EE:48:66
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "emSign ECC Root CA - C3"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\266\257\103\302\233\201\123\175\366\357\153\303\037\037\140\025
+\014\356\110\146
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\076\123\263\243\201\356\327\020\370\323\260\035\027\222\365\325
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
+\040\120\113\111\061\024\060\022\006\003\125\004\012\023\013\145
+\115\165\144\150\162\141\040\111\156\143\061\040\060\036\006\003
+\125\004\003\023\027\145\155\123\151\147\156\040\105\103\103\040
+\122\157\157\164\040\103\101\040\055\040\103\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\012\173\161\266\202\126\270\022\174\234\250
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "Hongkong Post Root CA 3"
+#
+# Issuer: CN=Hongkong Post Root CA 3,O=Hongkong Post,L=Hong Kong,ST=Hong Kong,C=HK
+# Serial Number:08:16:5f:8a:4c:a5:ec:00:c9:93:40:df:c4:c6:ae:23:b8:1c:5a:a4
+# Subject: CN=Hongkong Post Root CA 3,O=Hongkong Post,L=Hong Kong,ST=Hong Kong,C=HK
+# Not Valid Before: Sat Jun 03 02:29:46 2017
+# Not Valid After : Tue Jun 03 02:29:46 2042
+# Fingerprint (SHA-256): 5A:2F:C0:3F:0C:83:B0:90:BB:FA:40:60:4B:09:88:44:6C:76:36:18:3D:F9:84:6E:17:10:1A:44:7F:B8:EF:D6
+# Fingerprint (SHA1): 58:A2:D0:EC:20:52:81:5B:C1:F3:F8:64:02:24:4E:C2:8E:02:4B:02
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Hongkong Post Root CA 3"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\157\061\013\060\011\006\003\125\004\006\023\002\110\113\061
+\022\060\020\006\003\125\004\010\023\011\110\157\156\147\040\113
+\157\156\147\061\022\060\020\006\003\125\004\007\023\011\110\157
+\156\147\040\113\157\156\147\061\026\060\024\006\003\125\004\012
+\023\015\110\157\156\147\153\157\156\147\040\120\157\163\164\061
+\040\060\036\006\003\125\004\003\023\027\110\157\156\147\153\157
+\156\147\040\120\157\163\164\040\122\157\157\164\040\103\101\040
+\063
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\157\061\013\060\011\006\003\125\004\006\023\002\110\113\061
+\022\060\020\006\003\125\004\010\023\011\110\157\156\147\040\113
+\157\156\147\061\022\060\020\006\003\125\004\007\023\011\110\157
+\156\147\040\113\157\156\147\061\026\060\024\006\003\125\004\012
+\023\015\110\157\156\147\153\157\156\147\040\120\157\163\164\061
+\040\060\036\006\003\125\004\003\023\027\110\157\156\147\153\157
+\156\147\040\120\157\163\164\040\122\157\157\164\040\103\101\040
+\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\024\010\026\137\212\114\245\354\000\311\223\100\337\304\306
+\256\043\270\034\132\244
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\317\060\202\003\267\240\003\002\001\002\002\024\010
+\026\137\212\114\245\354\000\311\223\100\337\304\306\256\043\270
+\034\132\244\060\015\006\011\052\206\110\206\367\015\001\001\013
+\005\000\060\157\061\013\060\011\006\003\125\004\006\023\002\110
+\113\061\022\060\020\006\003\125\004\010\023\011\110\157\156\147
+\040\113\157\156\147\061\022\060\020\006\003\125\004\007\023\011
+\110\157\156\147\040\113\157\156\147\061\026\060\024\006\003\125
+\004\012\023\015\110\157\156\147\153\157\156\147\040\120\157\163
+\164\061\040\060\036\006\003\125\004\003\023\027\110\157\156\147
+\153\157\156\147\040\120\157\163\164\040\122\157\157\164\040\103
+\101\040\063\060\036\027\015\061\067\060\066\060\063\060\062\062
+\071\064\066\132\027\015\064\062\060\066\060\063\060\062\062\071
+\064\066\132\060\157\061\013\060\011\006\003\125\004\006\023\002
+\110\113\061\022\060\020\006\003\125\004\010\023\011\110\157\156
+\147\040\113\157\156\147\061\022\060\020\006\003\125\004\007\023
+\011\110\157\156\147\040\113\157\156\147\061\026\060\024\006\003
+\125\004\012\023\015\110\157\156\147\153\157\156\147\040\120\157
+\163\164\061\040\060\036\006\003\125\004\003\023\027\110\157\156
+\147\153\157\156\147\040\120\157\163\164\040\122\157\157\164\040
+\103\101\040\063\060\202\002\042\060\015\006\011\052\206\110\206
+\367\015\001\001\001\005\000\003\202\002\017\000\060\202\002\012
+\002\202\002\001\000\263\210\327\352\316\017\040\116\276\346\326
+\003\155\356\131\374\302\127\337\051\150\241\203\016\076\150\307
+\150\130\234\034\140\113\211\103\014\271\324\025\262\356\301\116
+\165\351\265\247\357\345\351\065\231\344\314\034\347\113\137\215
+\063\060\040\063\123\331\246\273\325\076\023\216\351\037\207\111
+\255\120\055\120\312\030\276\001\130\242\023\160\226\273\211\210
+\126\200\134\370\275\054\074\341\114\127\210\273\323\271\225\357
+\313\307\366\332\061\164\050\246\346\124\211\365\101\061\312\345
+\046\032\315\202\340\160\332\073\051\273\325\003\365\231\272\125
+\365\144\321\140\016\263\211\111\270\212\057\005\322\204\105\050
+\174\217\150\120\022\170\374\013\265\123\313\302\230\034\204\243
+\236\260\276\043\244\332\334\310\053\036\332\156\105\036\211\230
+\332\371\000\056\006\351\014\073\160\325\120\045\210\231\313\315
+\163\140\367\325\377\065\147\305\241\274\136\253\315\112\270\105
+\353\310\150\036\015\015\024\106\022\343\322\144\142\212\102\230
+\274\264\306\010\010\370\375\250\114\144\234\166\001\275\057\251
+\154\063\017\330\077\050\270\074\151\001\102\206\176\151\301\311
+\006\312\345\172\106\145\351\302\326\120\101\056\077\267\344\355
+\154\327\277\046\001\021\242\026\051\112\153\064\006\220\354\023
+\322\266\373\152\166\322\074\355\360\326\055\335\341\025\354\243
+\233\057\054\311\076\053\344\151\073\377\162\045\261\066\206\133
+\307\177\153\213\125\033\112\305\040\141\075\256\313\120\341\010
+\072\276\260\217\143\101\123\060\010\131\074\230\035\167\272\143
+\221\172\312\020\120\140\277\360\327\274\225\207\217\227\305\376
+\227\152\001\224\243\174\133\205\035\052\071\072\320\124\241\321
+\071\161\235\375\041\371\265\173\360\342\340\002\217\156\226\044
+\045\054\240\036\054\250\304\211\247\357\355\231\006\057\266\012
+\114\117\333\242\314\067\032\257\107\205\055\212\137\304\064\064
+\114\000\375\030\223\147\023\321\067\346\110\264\213\006\305\127
+\173\031\206\012\171\313\000\311\122\257\102\377\067\217\341\243
+\036\172\075\120\253\143\006\347\025\265\077\266\105\067\224\067
+\261\176\362\110\303\177\305\165\376\227\215\105\217\032\247\032
+\162\050\032\100\017\002\003\001\000\001\243\143\060\141\060\017
+\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060
+\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060
+\037\006\003\125\035\043\004\030\060\026\200\024\027\235\315\036
+\213\326\071\053\160\323\134\324\240\270\037\260\000\374\305\141
+\060\035\006\003\125\035\016\004\026\004\024\027\235\315\036\213
+\326\071\053\160\323\134\324\240\270\037\260\000\374\305\141\060
+\015\006\011\052\206\110\206\367\015\001\001\013\005\000\003\202
+\002\001\000\126\325\173\156\346\042\001\322\102\233\030\325\016
+\327\146\043\134\343\376\240\307\222\322\351\224\255\113\242\306
+\354\022\174\164\325\110\322\131\024\231\300\353\271\321\353\364
+\110\060\133\255\247\127\163\231\251\323\345\267\321\056\131\044
+\130\334\150\056\056\142\330\152\344\160\013\055\040\120\040\244
+\062\225\321\000\230\273\323\375\367\062\362\111\256\306\172\340
+\107\276\156\316\313\243\162\072\055\151\135\313\310\350\105\071
+\324\372\102\301\021\114\167\135\222\373\152\377\130\104\345\353
+\201\236\257\240\231\255\276\251\001\146\313\070\035\074\337\103
+\037\364\115\156\264\272\027\106\374\175\375\207\201\171\152\015
+\063\017\372\057\370\024\271\200\263\135\115\252\227\341\371\344
+\030\305\370\325\070\214\046\074\375\362\050\342\356\132\111\210
+\054\337\171\075\216\236\220\074\275\101\112\072\335\133\366\232
+\264\316\077\045\060\177\062\175\242\003\224\320\334\172\241\122
+\336\156\223\215\030\046\375\125\254\275\217\233\322\317\257\347
+\206\054\313\037\011\157\243\157\251\204\324\163\277\115\241\164
+\033\116\043\140\362\314\016\252\177\244\234\114\045\250\262\146
+\073\070\377\331\224\060\366\162\204\276\150\125\020\017\306\163
+\054\026\151\223\007\376\261\105\355\273\242\125\152\260\332\265
+\112\002\045\047\205\327\267\267\206\104\026\211\154\200\053\076
+\227\251\234\325\176\125\114\306\336\105\020\034\352\351\073\237
+\003\123\356\356\172\001\002\026\170\324\350\302\276\106\166\210
+\023\077\042\273\110\022\035\122\000\264\002\176\041\032\036\234
+\045\364\363\075\136\036\322\034\371\263\055\266\367\067\134\306
+\313\041\116\260\367\231\107\030\205\301\053\272\125\256\006\352
+\320\007\262\334\253\320\202\226\165\316\322\120\376\231\347\317
+\057\237\347\166\321\141\052\373\041\273\061\320\252\237\107\244
+\262\042\312\026\072\120\127\304\133\103\147\305\145\142\003\111
+\001\353\103\331\330\370\236\255\317\261\143\016\105\364\240\132
+\054\233\055\305\246\300\255\250\107\364\047\114\070\015\056\033
+\111\073\122\364\350\210\203\053\124\050\324\362\065\122\264\062
+\203\142\151\144\014\221\234\237\227\352\164\026\375\037\021\006
+\232\233\364
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "Hongkong Post Root CA 3"
+# Issuer: CN=Hongkong Post Root CA 3,O=Hongkong Post,L=Hong Kong,ST=Hong Kong,C=HK
+# Serial Number:08:16:5f:8a:4c:a5:ec:00:c9:93:40:df:c4:c6:ae:23:b8:1c:5a:a4
+# Subject: CN=Hongkong Post Root CA 3,O=Hongkong Post,L=Hong Kong,ST=Hong Kong,C=HK
+# Not Valid Before: Sat Jun 03 02:29:46 2017
+# Not Valid After : Tue Jun 03 02:29:46 2042
+# Fingerprint (SHA-256): 5A:2F:C0:3F:0C:83:B0:90:BB:FA:40:60:4B:09:88:44:6C:76:36:18:3D:F9:84:6E:17:10:1A:44:7F:B8:EF:D6
+# Fingerprint (SHA1): 58:A2:D0:EC:20:52:81:5B:C1:F3:F8:64:02:24:4E:C2:8E:02:4B:02
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Hongkong Post Root CA 3"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\130\242\320\354\040\122\201\133\301\363\370\144\002\044\116\302
+\216\002\113\002
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\021\374\237\275\163\060\002\212\375\077\363\130\271\313\040\360
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\157\061\013\060\011\006\003\125\004\006\023\002\110\113\061
+\022\060\020\006\003\125\004\010\023\011\110\157\156\147\040\113
+\157\156\147\061\022\060\020\006\003\125\004\007\023\011\110\157
+\156\147\040\113\157\156\147\061\026\060\024\006\003\125\004\012
+\023\015\110\157\156\147\153\157\156\147\040\120\157\163\164\061
+\040\060\036\006\003\125\004\003\023\027\110\157\156\147\153\157
+\156\147\040\120\157\163\164\040\122\157\157\164\040\103\101\040
+\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\024\010\026\137\212\114\245\354\000\311\223\100\337\304\306
+\256\043\270\034\132\244
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
--- a/security/nss/lib/ckfw/builtins/nssckbi.h
+++ b/security/nss/lib/ckfw/builtins/nssckbi.h
@@ -41,18 +41,18 @@
  *   made on that branch.
  *
  * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
  * whether we may use its full range (0-255) or only 0-99 because
  * of the comment in the CK_VERSION type definition.
  * It's recommend to switch back to 0 after having reached version 98/99.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 30
-#define NSS_BUILTINS_LIBRARY_VERSION "2.30"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 32
+#define NSS_BUILTINS_LIBRARY_VERSION "2.32"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
 #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
 
 /* These version numbers detail the semantic changes to ckbi itself
  * (new PKCS #11 objects), etc. */
 #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
--- a/security/nss/lib/ssl/sslexp.h
+++ b/security/nss/lib/ssl/sslexp.h
@@ -685,24 +685,25 @@ typedef struct SSLAeadContextStr SSLAead
  * use these TLS functions as a KDF. This is only supported for TLS 1.3. */
 #define SSL_HkdfExtract(version, cipherSuite, salt, ikm, keyp)      \
     SSL_EXPERIMENTAL_API("SSL_HkdfExtract",                         \
                          (PRUint16 _version, PRUint16 _cipherSuite, \
                           PK11SymKey * _salt, PK11SymKey * _ikm,    \
                           PK11SymKey * *_keyp),                     \
                          (version, cipherSuite, salt, ikm, keyp))
 
-#define SSL_HkdfDeriveSecret(version, cipherSuite, prk,               \
-                             label, labelLen, keyp)                   \
-    SSL_EXPERIMENTAL_API("SSL_HkdfDeriveSecret",                      \
-                         (PRUint16 _version, PRUint16 _cipherSuite,   \
-                          PK11SymKey * _prk,                          \
-                          const char *_label, unsigned int _labelLen, \
-                          PK11SymKey **_keyp),                        \
-                         (version, cipherSuite, prk,                  \
-                          label, labelLen, keyp))
+#define SSL_HkdfExpandLabel(version, cipherSuite, prk,                     \
+                            hsHash, hsHashLen, label, labelLen, keyp)      \
+    SSL_EXPERIMENTAL_API("SSL_HkdfExpandLabel",                            \
+                         (PRUint16 _version, PRUint16 _cipherSuite,        \
+                          PK11SymKey * _prk,                               \
+                          const PRUint8 *_hsHash, unsigned int _hsHashLen, \
+                          const char *_label, unsigned int _labelLen,      \
+                          PK11SymKey **_keyp),                             \
+                         (version, cipherSuite, prk,                       \
+                          hsHash, hsHashLen, label, labelLen, keyp))
 
 /* Deprecated experimental APIs */
 #define SSL_UseAltServerHelloType(fd, enable) SSL_DEPRECATED_EXPERIMENTAL_API
 
 SEC_END_PROTOS
 
 #endif /* __sslexp_h_ */
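Review bot: The new `SSL_HkdfExpandLabel` macro adds `hsHash`/`hsHashLen` without any comment saying what they are or whether NULL/0 is allowed; the only description is the generic KDF comment that begins above this hunk. Because the context value changes the derived key, callers need this spelled out, for example `/* hsHash/hsHashLen are the context hashed into the label expansion; pass NULL and 0 for an empty context. */` (inferred from the sslprimitive.c change, where the old code passed `NULL, 0`; confirm before committing the wording). Separately, `SSL_HkdfDeriveSecret` is removed outright, while `SSL_UseAltServerHelloType` just below is kept as `SSL_DEPRECATED_EXPERIMENTAL_API`. A matching deprecated define for the old name would keep existing callers failing in the documented way rather than at compile time.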
--- a/security/nss/lib/ssl/sslimpl.h
+++ b/security/nss/lib/ssl/sslimpl.h
@@ -1770,19 +1770,20 @@ SECStatus SSLExp_AeadEncrypt(const SSLAe
                              PRUint8 *out, unsigned int *outLen, unsigned int maxOut);
 SECStatus SSLExp_AeadDecrypt(const SSLAeadContext *ctx, PRUint64 counter,
                              const PRUint8 *aad, unsigned int aadLen,
                              const PRUint8 *plaintext, unsigned int plaintextLen,
                              PRUint8 *out, unsigned int *outLen, unsigned int maxOut);
 
 SECStatus SSLExp_HkdfExtract(PRUint16 version, PRUint16 cipherSuite,
                              PK11SymKey *salt, PK11SymKey *ikm, PK11SymKey **keyp);
-SECStatus SSLExp_HkdfDeriveSecret(PRUint16 version, PRUint16 cipherSuite, PK11SymKey *prk,
-                                  const char *label, unsigned int labelLen,
-                                  PK11SymKey **key);
+SECStatus SSLExp_HkdfExpandLabel(PRUint16 version, PRUint16 cipherSuite, PK11SymKey *prk,
+                                 const PRUint8 *hsHash, unsigned int hsHashLen,
+                                 const char *label, unsigned int labelLen,
+                                 PK11SymKey **key);
 
 SEC_END_PROTOS
 
 #if defined(XP_UNIX) || defined(XP_OS2) || defined(XP_BEOS)
 #define SSL_GETPID getpid
 #elif defined(WIN32)
 extern int __cdecl _getpid(void);
 #define SSL_GETPID _getpid
--- a/security/nss/lib/ssl/sslprimitive.c
+++ b/security/nss/lib/ssl/sslprimitive.c
@@ -221,29 +221,30 @@ SSLExp_HkdfExtract(PRUint16 version, PRU
                                           &hash, &cipher);
     if (rv != SECSuccess) {
         return SECFailure; /* Code already set. */
     }
     return tls13_HkdfExtract(salt, ikm, hash, keyp);
 }
 
 SECStatus
-SSLExp_HkdfDeriveSecret(PRUint16 version, PRUint16 cipherSuite, PK11SymKey *prk,
-                        const char *label, unsigned int labelLen,
-                        PK11SymKey **keyp)
+SSLExp_HkdfExpandLabel(PRUint16 version, PRUint16 cipherSuite, PK11SymKey *prk,
+                       const PRUint8 *hsHash, unsigned int hsHashLen,
+                       const char *label, unsigned int labelLen,
+                       PK11SymKey **keyp)
 {
     if (prk == NULL || keyp == NULL ||
         label == NULL || labelLen == 0) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
 
     SSLHashType hash;
     const ssl3BulkCipherDef *cipher; /* Unused here. */
     SECStatus rv = tls13_GetHashAndCipher(version, cipherSuite,
                                           &hash, &cipher);
     if (rv != SECSuccess) {
         return SECFailure; /* Code already set. */
     }
-    return tls13_HkdfExpandLabel(prk, hash, NULL, 0, label, labelLen,
+    return tls13_HkdfExpandLabel(prk, hash, hsHash, hsHashLen, label, labelLen,
                                  tls13_GetHkdfMechanismForHash(hash),
                                  tls13_GetHashSizeForHash(hash), keyp);
 }
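Review bot: The argument check at the top of `SSLExp_HkdfExpandLabel` still validates only `prk`, `keyp`, `label` and `labelLen`, so a NULL `hsHash` with a non-zero `hsHashLen` is forwarded unchanged to `tls13_HkdfExpandLabel`. That callee is not visible in this hunk and may reject the combination itself, but this is the exported entry point, so the pointer/length pair is better rejected here. Extend the condition with `(hsHash == NULL && hsHashLen != 0) ||` so it returns `SEC_ERROR_INVALID_ARGS`. A one-line comment that `NULL`/`0` remains the accepted "no context" form (the value the previous code hard-coded) would document the intended use.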
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -4048,17 +4048,17 @@ struct {
     EXP(EnableESNI),
     EXP(EncodeESNIKeys),
     EXP(GetCurrentEpoch),
     EXP(GetExtensionSupport),
     EXP(GetResumptionTokenInfo),
     EXP(HelloRetryRequestCallback),
     EXP(InstallExtensionHooks),
     EXP(HkdfExtract),
-    EXP(HkdfDeriveSecret),
+    EXP(HkdfExpandLabel),
     EXP(KeyUpdate),
     EXP(MakeAead),
     EXP(RecordLayerData),
     EXP(RecordLayerWriteCallback),
     EXP(SecretCallback),
     EXP(SendCertificateRequest),
     EXP(SendSessionTicket),
     EXP(SetESNIKeyPair),
--- a/security/nss/nss.gyp
+++ b/security/nss/nss.gyp
@@ -198,16 +198,17 @@
             'gtests/cryptohi_gtest/cryptohi_gtest.gyp:cryptohi_gtest',
             'gtests/der_gtest/der_gtest.gyp:der_gtest',
             'gtests/certdb_gtest/certdb_gtest.gyp:certdb_gtest',
             'gtests/freebl_gtest/freebl_gtest.gyp:prng_gtest',
             'gtests/freebl_gtest/freebl_gtest.gyp:blake2b_gtest',
             'gtests/mozpkix_gtest/mozpkix_gtest.gyp:mozpkix_gtest',
             'gtests/nss_bogo_shim/nss_bogo_shim.gyp:nss_bogo_shim',
             'gtests/pk11_gtest/pk11_gtest.gyp:pk11_gtest',
+            'gtests/smime_gtest/smime_gtest.gyp:smime_gtest',
             'gtests/softoken_gtest/softoken_gtest.gyp:softoken_gtest',
             'gtests/ssl_gtest/ssl_gtest.gyp:ssl_gtest',
             'gtests/util_gtest/util_gtest.gyp:util_gtest',
           ],
           'conditions': [
             [ 'OS=="linux"', {
               'dependencies': [
                 'cmd/lowhashtest/lowhashtest.gyp:lowhashtest',
--- a/security/nss/tests/gtests/gtests.sh
+++ b/security/nss/tests/gtests/gtests.sh
@@ -82,12 +82,12 @@ gtest_start()
 gtest_cleanup()
 {
   html "</TABLE><BR>"
   cd "${QADIR}"
   . common/cleanup.sh
 }
 
 ################## main #################################################
-GTESTS="${GTESTS:-prng_gtest certhigh_gtest certdb_gtest der_gtest pk11_gtest util_gtest freebl_gtest softoken_gtest sysinit_gtest blake2b_gtest}"
+GTESTS="${GTESTS:-prng_gtest certhigh_gtest certdb_gtest der_gtest pk11_gtest util_gtest freebl_gtest softoken_gtest sysinit_gtest blake2b_gtest smime_gtest}"
 gtest_init "$0"
 gtest_start
 gtest_cleanup
--- a/security/nss/tests/ssl/ssl.sh
+++ b/security/nss/tests/ssl/ssl.sh
@@ -1220,16 +1220,61 @@ ssl_scheme()
             kill_selfserv
         done
     done
     NO_ECC_CERTS=0
 
     html "</TABLE><BR>"
 }
 
+############################ ssl_scheme_stress ##########################
+# local shell function to test strsclnt and selfserv handling of signature schemes
+#########################################################################
+ssl_scheme_stress()
+{
+    if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
+        echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
+        return 0
+    fi
+
+    html_head "SSL SCHEME $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
+
+    NO_ECC_CERTS=1
+    schemes=("rsa_pkcs1_sha256" "rsa_pss_rsae_sha256" "rsa_pkcs1_sha256,rsa_pss_rsae_sha256")
+    for sscheme in "${schemes[@]}"; do
+        for cscheme in "${schemes[@]}"; do
+            testname="ssl_scheme server='$sscheme' client='$cscheme'"
+            echo "${testname}"
+
+            start_selfserv -V tls1.2:tls1.2 -J "$sscheme"
+
+            echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+            echo "         -V tls1.2:tls1.2 -J "$cscheme" ${HOSTADDR} < ${REQUEST_FILE}"
+            ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} ${CLIENT_OPTIONS} \
+                        -d ${P_R_CLIENTDIR} $verbose -V tls1.2:tls1.2 -J "$cscheme" ${HOSTADDR} < ${REQUEST_FILE} 2>&1
+            ret=$?
+            # If both schemes include just one option and those options don't
+            # match, then the test should fail; otherwise, assume that it works.
+            if [ "${cscheme#*,}" = "$cscheme" -a \
+                 "${sscheme#*,}" = "$sscheme" -a \
+                 "$cscheme" != "$sscheme" ]; then
+                expected=1
+            else
+                expected=0
+            fi
+            html_msg $ret $expected "${testname}" \
+                     "produced a returncode of $ret, expected is $expected"
+            kill_selfserv
+        done
+    done
+    NO_ECC_CERTS=0
+
+    html "</TABLE><BR>"
+}
+
 ############################## ssl_cleanup #############################
 # local shell function to finish this script (no exit since it might be
 # sourced)
 ########################################################################
 ssl_cleanup()
 {
   rm $SERVERPID 2>/dev/null
   cd ${QADIR}
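Review bot: In `ssl_scheme_stress` the FIPS skip message prints `$testname` before the function has assigned it, so it logs an empty name or one left over from a previous test. Use a literal instead, e.g. `echo "$SCRIPTNAME: skipping ssl_scheme_stress (non-FIPS only)"`. The per-case names are also built as `testname="ssl_scheme server='$sscheme' client='$cscheme'"` under an `SSL SCHEME` header, so a strsclnt failure is reported under the `ssl_scheme` name. Changing the prefix to `ssl_scheme_stress` and the header to `SSL SCHEME STRESS` makes it clear which client failed.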
@@ -1262,16 +1307,17 @@ ssl_run()
         "stress")
             ssl_stress
             ;;
         "dtls")
             ssl_dtls
             ;;
         "scheme")
             ssl_scheme
+            ssl_scheme_stress
             ;;
          esac
     done
 }
 
 ############################ ssl_run_all ###############################
 # local shell function to run both standard and extended ssl tests
 ########################################################################