Merge mozilla-inbound to mozilla-central. a=merge
authorCosmin Sabou <csabou@mozilla.com>
Wed, 27 Mar 2019 06:45:13 +0200
changeset 466278 7f816aa10a2053973c4e6977c5d6f6bf15f38820
parent 466277 bc572aee49b6e53346fc45fecbf7f136f980f541 (current diff)
parent 466156 596886805d4ea444c892651be2939360be3561df (diff)
child 466279 528eacf3d3f64eb49bd53a7e16ca2c9103bdbad9
child 466304 ad7b7f4d2796749171e43ef46a7f695e44f28735
push id112571
push usercsabou@mozilla.com
push dateWed, 27 Mar 2019 05:03:16 +0000
treeherdermozilla-inbound@528eacf3d3f6 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersmerge
milestone68.0a1
first release with
nightly linux32
7f816aa10a20 / 68.0a1 / 20190327044526 / files
nightly linux64
7f816aa10a20 / 68.0a1 / 20190327044526 / files
nightly mac
7f816aa10a20 / 68.0a1 / 20190327044526 / files
nightly win32
7f816aa10a20 / 68.0a1 / 20190327044526 / files
nightly win64
7f816aa10a20 / 68.0a1 / 20190327044526 / files
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
releases
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Merge mozilla-inbound to mozilla-central. a=merge
devtools/client/debugger/new/src/reducers/breakpoints.js
dom/base/nsGlobalWindowInner.cpp
js/src/vm/Debugger.cpp
layout/base/nsLayoutUtils.cpp
security/nss/tests/libpkix/certs/nss2alice
--- a/devtools/client/debugger/new/src/actions/breakpoints/addBreakpoint.js
+++ b/devtools/client/debugger/new/src/actions/breakpoints/addBreakpoint.js
@@ -1,16 +1,15 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at <http://mozilla.org/MPL/2.0/>. */
 
 // @flow
 import { setBreakpointPositions } from "./breakpointPositions";
 import {
-  breakpointExists,
   assertBreakpoint,
   createBreakpoint,
   getASTLocation,
   makeBreakpointId,
   makeBreakpointLocation
 } from "../../utils/breakpoint";
 import { PROMISE } from "../utils/middleware/promise";
 import {
@@ -31,38 +30,31 @@ import type {
 import type { ThunkArgs } from "../types";
 
 async function addBreakpointPromise(getState, client, sourceMaps, breakpoint) {
   const state = getState();
   const { location, generatedLocation } = breakpoint;
   const source = getSourceFromId(state, location.sourceId);
   const generatedSource = getSourceFromId(state, generatedLocation.sourceId);
 
-  if (breakpointExists(state, location)) {
-    const newBreakpoint = { ...breakpoint, location, generatedLocation };
-    assertBreakpoint(newBreakpoint);
-    return newBreakpoint;
-  }
-
   const breakpointLocation = makeBreakpointLocation(
     getState(),
     generatedLocation
   );
   await client.setBreakpoint(breakpointLocation, breakpoint.options);
 
   const symbols = getSymbols(getState(), source);
   const astLocation = await getASTLocation(source, symbols, location);
 
   const originalText = getTextAtPosition(source, location);
   const text = getTextAtPosition(generatedSource, generatedLocation);
 
   const newBreakpoint = {
     id: makeBreakpointId(generatedLocation),
     disabled: false,
-    loading: false,
     options: breakpoint.options,
     location,
     astLocation,
     generatedLocation,
     text,
     originalText
   };
 
@@ -74,20 +66,16 @@ async function addBreakpointPromise(getS
 export function addHiddenBreakpoint(location: SourceLocation) {
   return ({ dispatch }: ThunkArgs) => {
     return dispatch(addBreakpoint(location, { hidden: true }));
   };
 }
 
 export function enableBreakpoint(breakpoint: Breakpoint) {
   return async ({ dispatch, getState, client, sourceMaps }: ThunkArgs) => {
-    if (breakpoint.loading) {
-      return;
-    }
-
     // To instantly reflect in the UI, we optimistically enable the breakpoint
     const enabledBreakpoint = { ...breakpoint, disabled: false };
 
     return dispatch({
       type: "ENABLE_BREAKPOINT",
       breakpoint: enabledBreakpoint,
       [PROMISE]: addBreakpointPromise(getState, client, sourceMaps, breakpoint)
     });
--- a/devtools/client/debugger/new/src/actions/breakpoints/index.js
+++ b/devtools/client/debugger/new/src/actions/breakpoints/index.js
@@ -61,20 +61,16 @@ async function removeBreakpointsPromise(
 /**
  * Remove a single breakpoint
  *
  * @memberof actions/breakpoints
  * @static
  */
 export function removeBreakpoint(breakpoint: Breakpoint) {
   return ({ dispatch, getState, client }: ThunkArgs) => {
-    if (breakpoint.loading) {
-      return;
-    }
-
     recordEvent("remove_breakpoint");
 
     // If the breakpoint is already disabled, we don't need to communicate
     // with the server. We just need to dispatch an action
     // simulating a successful server request
     if (breakpoint.disabled) {
       return dispatch(
         ({ type: "REMOVE_BREAKPOINT", breakpoint, status: "done" }: Action)
@@ -93,20 +89,16 @@ export function removeBreakpoint(breakpo
 /**
  * Disable a single breakpoint
  *
  * @memberof actions/breakpoints
  * @static
  */
 export function disableBreakpoint(breakpoint: Breakpoint) {
   return async ({ dispatch, getState, client }: ThunkArgs) => {
-    if (breakpoint.loading) {
-      return;
-    }
-
     await removeBreakpointsPromise(client, getState(), breakpoint);
 
     const newBreakpoint: Breakpoint = { ...breakpoint, disabled: true };
 
     return dispatch(
       ({ type: "DISABLE_BREAKPOINT", breakpoint: newBreakpoint }: Action)
     );
   };
@@ -295,20 +287,16 @@ export function setBreakpointOptions(
   options: BreakpointOptions = {}
 ) {
   return async ({ dispatch, getState, client, sourceMaps }: ThunkArgs) => {
     const bp = getBreakpoint(getState(), location);
     if (!bp) {
       return dispatch(addBreakpoint(location, options));
     }
 
-    if (bp.loading) {
-      return;
-    }
-
     if (bp.disabled) {
       await dispatch(enableBreakpoint(bp));
     }
 
     const breakpointLocation = makeBreakpointLocation(
       getState(),
       bp.generatedLocation
     );
@@ -334,17 +322,17 @@ export function toggleBreakpointAtLine(l
 
     if (!selectedSource) {
       return;
     }
 
     const bp = getBreakpointAtLocation(state, { line, column: undefined });
     const isEmptyLine = isEmptyLineInSource(state, line, selectedSource.id);
 
-    if ((!bp && isEmptyLine) || (bp && bp.loading)) {
+    if (!bp && isEmptyLine) {
       return;
     }
 
     if (getConditionalPanelLocation(getState())) {
       dispatch(closeConditionalPanel());
     }
 
     if (bp) {
@@ -410,20 +398,16 @@ export function enableBreakpointsAtLine(
       line
     );
     return dispatch(toggleBreakpoints(false, breakpointsAtLine));
   };
 }
 
 export function toggleDisabledBreakpoint(breakpoint: Breakpoint) {
   return ({ dispatch, getState, client, sourceMaps }: ThunkArgs) => {
-    if (breakpoint.loading) {
-      return;
-    }
-
     if (!breakpoint.disabled) {
       return dispatch(disableBreakpoint(breakpoint));
     }
     return dispatch(enableBreakpoint(breakpoint));
   };
 }
 
 export function enableXHRBreakpoint(index: number, bp?: XHRBreakpoint) {
--- a/devtools/client/debugger/new/src/actions/breakpoints/tests/__snapshots__/breakpoints.spec.js.snap
+++ b/devtools/client/debugger/new/src/actions/breakpoints/tests/__snapshots__/breakpoints.spec.js.snap
@@ -18,17 +18,16 @@ Array [
         "disabled": false,
         "generatedLocation": Object {
           "column": 1,
           "line": 2,
           "sourceId": "a",
           "sourceUrl": "http://localhost:8000/examples/a",
         },
         "id": "a:2:1",
-        "loading": false,
         "location": Object {
           "column": 1,
           "line": 2,
           "sourceId": "a",
           "sourceUrl": "http://localhost:8000/examples/a",
         },
         "options": Object {
           "condition": null,
@@ -76,17 +75,16 @@ Object {
   "disabled": false,
   "generatedLocation": Object {
     "column": 0,
     "line": 1,
     "sourceId": "a.js",
     "sourceUrl": "http://localhost:8000/examples/a.js",
   },
   "id": "a.js:1:",
-  "loading": false,
   "location": Object {
     "column": 0,
     "line": 1,
     "sourceId": "a.js/originalSource-d6d70368d5c252598541e693a7ad6c27",
     "sourceUrl": "http://localhost:8000/examples/a.js:formatted",
   },
   "options": Object {
     "condition": null,
@@ -116,17 +114,16 @@ Array [
         "disabled": true,
         "generatedLocation": Object {
           "column": 1,
           "line": 5,
           "sourceId": "a",
           "sourceUrl": "http://localhost:8000/examples/a",
         },
         "id": "a:5:1",
-        "loading": false,
         "location": Object {
           "column": 1,
           "line": 5,
           "sourceId": "a",
           "sourceUrl": "http://localhost:8000/examples/a",
         },
         "options": Object {
           "condition": null,
--- a/devtools/client/debugger/new/src/actions/tests/helpers/breakpoints.js
+++ b/devtools/client/debugger/new/src/actions/tests/helpers/breakpoints.js
@@ -35,17 +35,16 @@ export function mockPendingBreakpoint(ov
 
 export function generateBreakpoint(
   filename: string,
   line: number = 5,
   column: number = 0
 ) {
   return {
     id: "breakpoint",
-    loading: false,
     originalText: "",
     text: "",
     location: {
       sourceUrl: `http://localhost:8000/examples/${filename}`,
       sourceId: `${filename}`,
       line,
       column
     },
--- a/devtools/client/debugger/new/src/components/Editor/Breakpoint.js
+++ b/devtools/client/debugger/new/src/components/Editor/Breakpoint.js
@@ -35,18 +35,18 @@ class Breakpoint extends PureComponent<P
     this.addBreakpoint();
   }
 
   componentDidUpdate() {
     this.addBreakpoint();
   }
 
   componentWillUnmount() {
-    const { breakpoint, selectedSource } = this.props;
-    if (!selectedSource || breakpoint.loading) {
+    const { selectedSource } = this.props;
+    if (!selectedSource) {
       return;
     }
 
     const sourceId = selectedSource.id;
     const doc = getDocument(sourceId);
 
     if (!doc) {
       return;
@@ -123,19 +123,17 @@ class Breakpoint extends PureComponent<P
   addBreakpoint = () => {
     const { breakpoint, editor, selectedSource } = this.props;
 
     // Hidden Breakpoints are never rendered on the client
     if (breakpoint.options.hidden) {
       return;
     }
 
-    // NOTE: we need to wait for the breakpoint to be loaded
-    // to get the generated location
-    if (!selectedSource || breakpoint.loading) {
+    if (!selectedSource) {
       return;
     }
 
     const sourceId = selectedSource.id;
     const line = toEditorLine(sourceId, this.selectedLocation.line);
     const doc = getDocument(sourceId);
 
     doc.setGutterMarker(line, "breakpoints", this.makeMarker());
--- a/devtools/client/debugger/new/src/components/SecondaryPanes/index.js
+++ b/devtools/client/debugger/new/src/components/SecondaryPanes/index.js
@@ -9,17 +9,16 @@ import { isGeneratedId } from "devtools-
 import { connect } from "../../utils/connect";
 import { List } from "immutable";
 
 import actions from "../../actions";
 import {
   getTopFrame,
   getBreakpointsList,
   getBreakpointsDisabled,
-  getBreakpointsLoading,
   getExpressions,
   getIsWaitingOnBreak,
   getMapScopes,
   getSelectedFrame,
   getShouldPauseOnExceptions,
   getShouldPauseOnCaughtExceptions,
   getWorkers,
   getCurrentThread
@@ -74,17 +73,16 @@ type State = {
 
 type Props = {
   expressions: List<Expression>,
   hasFrames: boolean,
   horizontal: boolean,
   breakpoints: Object,
   selectedFrame: ?Frame,
   breakpointsDisabled: boolean,
-  breakpointsLoading: boolean,
   isWaitingOnBreak: boolean,
   shouldMapScopes: boolean,
   shouldPauseOnExceptions: boolean,
   shouldPauseOnCaughtExceptions: boolean,
   workers: WorkerList,
   toggleShortcutsModal: () => void,
   toggleAllBreakpoints: typeof actions.toggleAllBreakpoints,
   toggleMapScopes: typeof actions.toggleMapScopes,
@@ -113,33 +111,32 @@ class SecondaryPanes extends Component<P
   onXHRAdded = () => {
     this.setState({ showXHRInput: false });
   };
 
   renderBreakpointsToggle() {
     const {
       toggleAllBreakpoints,
       breakpoints,
-      breakpointsDisabled,
-      breakpointsLoading
+      breakpointsDisabled
     } = this.props;
     const isIndeterminate =
       !breakpointsDisabled && breakpoints.some(x => x.disabled);
 
     if (features.skipPausing || breakpoints.length === 0) {
       return null;
     }
 
     const inputProps = {
       type: "checkbox",
       "aria-label": breakpointsDisabled
         ? L10N.getStr("breakpoints.enable")
         : L10N.getStr("breakpoints.disable"),
       className: "breakpoints-toggle",
-      disabled: breakpointsLoading,
+      disabled: false,
       key: "breakpoints-toggle",
       onChange: e => {
         e.stopPropagation();
         toggleAllBreakpoints(!breakpointsDisabled);
       },
       onClick: e => e.stopPropagation(),
       checked: !breakpointsDisabled && !isIndeterminate,
       ref: input => {
@@ -464,17 +461,16 @@ class SecondaryPanes extends Component<P
 const mapStateToProps = state => {
   const thread = getCurrentThread(state);
 
   return {
     expressions: getExpressions(state),
     hasFrames: !!getTopFrame(state, thread),
     breakpoints: getBreakpointsList(state),
     breakpointsDisabled: getBreakpointsDisabled(state),
-    breakpointsLoading: getBreakpointsLoading(state),
     isWaitingOnBreak: getIsWaitingOnBreak(state, thread),
     selectedFrame: getSelectedFrame(state, thread),
     shouldMapScopes: getMapScopes(state),
     shouldPauseOnExceptions: getShouldPauseOnExceptions(state),
     shouldPauseOnCaughtExceptions: getShouldPauseOnCaughtExceptions(state),
     workers: getWorkers(state)
   };
 };
--- a/devtools/client/debugger/new/src/reducers/breakpoints.js
+++ b/devtools/client/debugger/new/src/reducers/breakpoints.js
@@ -365,22 +365,16 @@ export function getBreakpoint(
   return breakpoints[makeBreakpointId(location)];
 }
 
 export function getBreakpointsDisabled(state: OuterState): boolean {
   const breakpoints = getBreakpointsList(state);
   return breakpoints.every(breakpoint => breakpoint.disabled);
 }
 
-export function getBreakpointsLoading(state: OuterState): boolean {
-  const breakpoints = getBreakpointsList(state);
-  const isLoading = breakpoints.some(breakpoint => breakpoint.loading);
-  return breakpoints.length > 0 && isLoading;
-}
-
 export function getBreakpointsForSource(
   state: OuterState,
   sourceId: string,
   line: ?number
 ): Breakpoint[] {
   if (!sourceId) {
     return [];
   }
--- a/devtools/client/debugger/new/src/selectors/breakpointSources.js
+++ b/devtools/client/debugger/new/src/selectors/breakpointSources.js
@@ -27,17 +27,16 @@ function getBreakpointsForSource(
   source: Source,
   selectedSource: ?Source,
   breakpoints: Breakpoint[]
 ) {
   return sortSelectedBreakpoints(breakpoints, selectedSource)
     .filter(
       bp =>
         !bp.options.hidden &&
-        !bp.loading &&
         (bp.text || bp.originalText || bp.options.condition || bp.disabled)
     )
     .filter(
       bp => getSelectedLocation(bp, selectedSource).sourceId == source.id
     );
 }
 
 function findBreakpointSources(
--- a/devtools/client/debugger/new/src/selectors/test/__snapshots__/visibleColumnBreakpoints.spec.js.snap
+++ b/devtools/client/debugger/new/src/selectors/test/__snapshots__/visibleColumnBreakpoints.spec.js.snap
@@ -7,17 +7,16 @@ Array [
       "astLocation": null,
       "disabled": false,
       "generatedLocation": Object {
         "column": 1,
         "line": 1,
         "sourceId": "foo",
       },
       "id": "breakpoint",
-      "loading": false,
       "location": Object {
         "column": 1,
         "line": 1,
         "sourceId": "foo",
       },
       "options": Object {},
       "originalText": "text",
       "text": "text",
@@ -46,17 +45,16 @@ Array [
       "astLocation": null,
       "disabled": false,
       "generatedLocation": Object {
         "column": 1,
         "line": 1,
         "sourceId": "foo",
       },
       "id": "breakpoint",
-      "loading": false,
       "location": Object {
         "column": 1,
         "line": 1,
         "sourceId": "foo",
       },
       "options": Object {},
       "originalText": "text",
       "text": "text",
@@ -85,17 +83,16 @@ Array [
       "astLocation": null,
       "disabled": false,
       "generatedLocation": Object {
         "column": 1,
         "line": 1,
         "sourceId": "foo",
       },
       "id": "breakpoint",
-      "loading": false,
       "location": Object {
         "column": 1,
         "line": 1,
         "sourceId": "foo",
       },
       "options": Object {},
       "originalText": "text",
       "text": "text",
--- a/devtools/client/debugger/new/src/types.js
+++ b/devtools/client/debugger/new/src/types.js
@@ -113,17 +113,16 @@ export type ASTLocation = {|
  * @memberof types
  * @static
  */
 export type Breakpoint = {|
   +id: BreakpointId,
   +location: SourceLocation,
   +astLocation: ?ASTLocation,
   +generatedLocation: SourceLocation,
-  +loading: boolean,
   +disabled: boolean,
   +text: string,
   +originalText: string,
   +options: BreakpointOptions
 |};
 
 /**
  * Options for a breakpoint that can be modified by the user.
@@ -169,17 +168,16 @@ export type BreakpointResult = {
  *
  * @memberof types
  * @static
  */
 export type PendingBreakpoint = {
   +location: PendingLocation,
   +astLocation: ASTLocation,
   +generatedLocation: PendingLocation,
-  +loading: boolean,
   +disabled: boolean,
   +text: string,
   +options: BreakpointOptions
 };
 
 /**
  * Frame ID
  *
--- a/devtools/client/debugger/new/src/utils/breakpoint/index.js
+++ b/devtools/client/debugger/new/src/utils/breakpoint/index.js
@@ -171,17 +171,16 @@ export function createBreakpoint(
     id: makeBreakpointId(mappedLocation.location),
     ...mappedLocation,
     options: {
       condition: options.condition || null,
       logValue: options.logValue || null,
       hidden: options.hidden || false
     },
     disabled: disabled || false,
-    loading: false,
     astLocation: astLocation || defaultASTLocation,
     text,
     originalText
   };
 
   return properties;
 }
 
--- a/devtools/client/debugger/new/src/utils/test-mockup.js
+++ b/devtools/client/debugger/new/src/utils/test-mockup.js
@@ -97,17 +97,16 @@ function makeMockBreakpoint(
   const location = column
     ? { sourceId: source.id, line, column }
     : { sourceId: source.id, line };
   return {
     id: "breakpoint",
     location,
     astLocation: null,
     generatedLocation: location,
-    loading: false,
     disabled: false,
     text: "text",
     originalText: "text",
     options: {}
   };
 }
 
 function makeMockFrame(
--- a/devtools/client/inspector/markup/test/browser_markup_events_04.js
+++ b/devtools/client/inspector/markup/test/browser_markup_events_04.js
@@ -120,17 +120,17 @@ const TEST_DATA = [ // eslint-disable-li
     expected: [
       {
         type: "click",
         filename: "[native code]",
         attributes: [
           "Bubbling",
           "DOM2",
         ],
-        handler: "function sort(arr, comparefn) {\n" +
+        handler: "function sort(, ) {\n" +
                  "  [native code]\n" +
                  "}",
       },
     ],
   },
   {
     selector: "#handleEvent",
     expected: [
--- a/dom/svg/SVGElement.h
+++ b/dom/svg/SVGElement.h
@@ -72,29 +72,16 @@ class SVGElement : public SVGElementBase
                          already_AddRefed<mozilla::dom::NodeInfo>&& aNodeInfo));
   nsresult Init();
   virtual ~SVGElement();
 
  public:
   virtual nsresult Clone(mozilla::dom::NodeInfo*,
                          nsINode** aResult) const MOZ_MUST_OVERRIDE override;
 
-  typedef mozilla::SVGEnum SVGEnum;
-  typedef mozilla::SVGEnumMapping SVGEnumMapping;
-  typedef mozilla::SVGNumberList SVGNumberList;
-  typedef mozilla::SVGAnimatedNumberList SVGAnimatedNumberList;
-  typedef mozilla::SVGUserUnitList SVGUserUnitList;
-  typedef mozilla::SVGAnimatedLengthList SVGAnimatedLengthList;
-  typedef mozilla::SVGAnimatedPointList SVGAnimatedPointList;
-  typedef mozilla::SVGAnimatedPathSegList SVGAnimatedPathSegList;
-  typedef mozilla::SVGAnimatedPreserveAspectRatio
-      SVGAnimatedPreserveAspectRatio;
-  typedef mozilla::SVGAnimatedTransformList SVGAnimatedTransformList;
-  typedef mozilla::SVGStringList SVGStringList;
-
   // nsISupports
   NS_INLINE_DECL_REFCOUNTING_INHERITED(SVGElement, SVGElementBase)
 
   void DidAnimateClass();
 
   // nsIContent interface methods
 
   virtual nsresult BindToTree(Document* aDocument, nsIContent* aParent,
--- a/dom/svg/SVGTextPathElement.h
+++ b/dom/svg/SVGTextPathElement.h
@@ -4,18 +4,18 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef mozilla_dom_SVGTextPathElement_h
 #define mozilla_dom_SVGTextPathElement_h
 
 #include "SVGEnum.h"
 #include "nsSVGLength2.h"
+#include "SVGAnimatedPathSegList.h"
 #include "SVGString.h"
-#include "mozilla/dom/SVGAnimatedPathSegList.h"
 #include "mozilla/dom/SVGTextContentElement.h"
 
 class nsAtom;
 class nsIContent;
 
 nsresult NS_NewSVGTextPathElement(
     nsIContent** aResult, already_AddRefed<mozilla::dom::NodeInfo>&& aNodeInfo);
 
--- a/dom/svg/moz.build
+++ b/dom/svg/moz.build
@@ -14,17 +14,16 @@ EXPORTS.mozilla += [
     'SVGContentUtils.h',
     'SVGPreserveAspectRatio.h',
     'SVGStringList.h',
     'SVGTagList.h',
 ]
 
 EXPORTS.mozilla.dom += [
     'SVGAElement.h',
-    'SVGAnimatedPathSegList.h',
     'SVGAnimatedRect.h',
     'SVGAnimateElement.h',
     'SVGAnimateMotionElement.h',
     'SVGAnimateTransformElement.h',
     'SVGAnimationElement.h',
     'SVGCircleElement.h',
     'SVGClass.h',
     'SVGClipPathElement.h',
--- a/gfx/ipc/GPUProcessManager.cpp
+++ b/gfx/ipc/GPUProcessManager.cpp
@@ -799,18 +799,18 @@ bool GPUProcessManager::CreateContentCom
   if (NS_FAILED(rv)) {
     gfxCriticalNote << "Could not create content compositor manager: "
                     << hexa(int(rv));
     return false;
   }
 
   if (mGPUChild) {
     mGPUChild->SendNewContentCompositorManager(std::move(parentPipe));
-  } else {
-    CompositorManagerParent::Create(std::move(parentPipe));
+  } else if (!CompositorManagerParent::Create(std::move(parentPipe))) {
+    return false;
   }
 
   *aOutEndpoint = std::move(childPipe);
   return true;
 }
 
 bool GPUProcessManager::CreateContentImageBridge(
     base::ProcessId aOtherProcess,
--- a/gfx/ipc/VsyncBridgeChild.cpp
+++ b/gfx/ipc/VsyncBridgeChild.cpp
@@ -7,17 +7,17 @@
 #include "VsyncIOThreadHolder.h"
 #include "mozilla/dom/ContentChild.h"
 
 namespace mozilla {
 namespace gfx {
 
 VsyncBridgeChild::VsyncBridgeChild(RefPtr<VsyncIOThreadHolder> aThread,
                                    const uint64_t& aProcessToken)
-    : mThread(aThread), mLoop(nullptr), mProcessToken(aProcessToken) {}
+    : mThread(aThread), mProcessToken(aProcessToken) {}
 
 VsyncBridgeChild::~VsyncBridgeChild() {}
 
 /* static */
 RefPtr<VsyncBridgeChild> VsyncBridgeChild::Create(
     RefPtr<VsyncIOThreadHolder> aThread, const uint64_t& aProcessToken,
     Endpoint<PVsyncBridgeChild>&& aEndpoint) {
   RefPtr<VsyncBridgeChild> child = new VsyncBridgeChild(aThread, aProcessToken);
@@ -34,18 +34,16 @@ void VsyncBridgeChild::Open(Endpoint<PVs
   if (!aEndpoint.Bind(this)) {
     // The GPU Process Manager might be gone if we receive ActorDestroy very
     // late in shutdown.
     if (GPUProcessManager* gpm = GPUProcessManager::Get())
       gpm->NotifyRemoteActorDestroyed(mProcessToken);
     return;
   }
 
-  mLoop = MessageLoop::current();
-
   // Last reference is freed in DeallocPVsyncBridgeChild.
   AddRef();
 }
 
 class NotifyVsyncTask : public Runnable {
  public:
   NotifyVsyncTask(RefPtr<VsyncBridgeChild> aVsyncBridge,
                   const VsyncEvent& aVsync, const layers::LayersId& aLayersId)
@@ -61,43 +59,43 @@ class NotifyVsyncTask : public Runnable 
 
  private:
   RefPtr<VsyncBridgeChild> mVsyncBridge;
   VsyncEvent mVsync;
   layers::LayersId mLayersId;
 };
 
 bool VsyncBridgeChild::IsOnVsyncIOThread() const {
-  return MessageLoop::current() == mLoop;
+  return mThread->IsOnCurrentThread();
 }
 
 void VsyncBridgeChild::NotifyVsync(const VsyncEvent& aVsync,
                                    const layers::LayersId& aLayersId) {
   // This should be on the Vsync thread (not the Vsync I/O thread).
   MOZ_ASSERT(!IsOnVsyncIOThread());
 
   RefPtr<NotifyVsyncTask> task = new NotifyVsyncTask(this, aVsync, aLayersId);
-  mLoop->PostTask(task.forget());
+  mThread->Dispatch(task.forget());
 }
 
 void VsyncBridgeChild::NotifyVsyncImpl(const VsyncEvent& aVsync,
                                        const layers::LayersId& aLayersId) {
   // This should be on the Vsync I/O thread.
   MOZ_ASSERT(IsOnVsyncIOThread());
 
   if (!mProcessToken) {
     return;
   }
   SendNotifyVsync(aVsync, aLayersId);
 }
 
 void VsyncBridgeChild::Close() {
   if (!IsOnVsyncIOThread()) {
-    mLoop->PostTask(NewRunnableMethod("gfx::VsyncBridgeChild::Close", this,
-                                      &VsyncBridgeChild::Close));
+    mThread->Dispatch(NewRunnableMethod("gfx::VsyncBridgeChild::Close", this,
+                                        &VsyncBridgeChild::Close));
     return;
   }
 
   // We clear mProcessToken when the channel is closed.
   if (!mProcessToken) {
     return;
   }
 
--- a/gfx/ipc/VsyncBridgeChild.h
+++ b/gfx/ipc/VsyncBridgeChild.h
@@ -42,16 +42,15 @@ class VsyncBridgeChild final : public PV
 
   void NotifyVsyncImpl(const VsyncEvent& aVsync,
                        const layers::LayersId& aLayersId);
 
   bool IsOnVsyncIOThread() const;
 
  private:
   RefPtr<VsyncIOThreadHolder> mThread;
-  MessageLoop* mLoop;
   uint64_t mProcessToken;
 };
 
 }  // namespace gfx
 }  // namespace mozilla
 
 #endif  // include_gfx_ipc_VsyncBridgeChild_h
--- a/gfx/ipc/VsyncIOThreadHolder.h
+++ b/gfx/ipc/VsyncIOThreadHolder.h
@@ -18,16 +18,24 @@ class VsyncIOThreadHolder final {
   VsyncIOThreadHolder();
 
   NS_INLINE_DECL_THREADSAFE_REFCOUNTING(VsyncIOThreadHolder)
 
   bool Start();
 
   RefPtr<nsIThread> GetThread() const;
 
+  bool IsOnCurrentThread() const {
+    return mThread->IsOnCurrentThread();
+  }
+
+  void Dispatch(already_AddRefed<nsIRunnable> task) {
+    mThread->Dispatch(std::move(task), NS_DISPATCH_NORMAL);
+  }
+
  private:
   ~VsyncIOThreadHolder();
 
  private:
   RefPtr<nsIThread> mThread;
 };
 
 }  // namespace gfx
--- a/gfx/layers/ipc/CompositorManagerParent.cpp
+++ b/gfx/layers/ipc/CompositorManagerParent.cpp
@@ -44,31 +44,36 @@ CompositorManagerParent::CreateSameProce
   // process case because if we open from the child perspective, we can do it
   // on the main thread and complete before we return the manager handles.
   RefPtr<CompositorManagerParent> parent = new CompositorManagerParent();
   parent->SetOtherProcessId(base::GetCurrentProcId());
   return parent.forget();
 }
 
 /* static */
-void CompositorManagerParent::Create(
+bool CompositorManagerParent::Create(
     Endpoint<PCompositorManagerParent>&& aEndpoint) {
   MOZ_ASSERT(NS_IsMainThread());
 
   // We are creating a manager for the another process, inside the GPU process
   // (or UI process if it subsumbed the GPU process).
   MOZ_ASSERT(aEndpoint.OtherPid() != base::GetCurrentProcId());
 
+  if (!CompositorThreadHolder::IsActive()) {
+    return false;
+  }
+
   RefPtr<CompositorManagerParent> bridge = new CompositorManagerParent();
 
   RefPtr<Runnable> runnable =
       NewRunnableMethod<Endpoint<PCompositorManagerParent>&&>(
           "CompositorManagerParent::Bind", bridge,
           &CompositorManagerParent::Bind, std::move(aEndpoint));
   CompositorThreadHolder::Loop()->PostTask(runnable.forget());
+  return true;
 }
 
 /* static */
 already_AddRefed<CompositorBridgeParent>
 CompositorManagerParent::CreateSameProcessWidgetCompositorBridge(
     CSSToLayoutDeviceScale aScale, const CompositorOptions& aOptions,
     bool aUseExternalSurfaceSize, const gfx::IntSize& aSurfaceSize) {
   MOZ_ASSERT(XRE_IsParentProcess() || recordreplay::IsRecordingOrReplaying());
--- a/gfx/layers/ipc/CompositorManagerParent.h
+++ b/gfx/layers/ipc/CompositorManagerParent.h
@@ -25,17 +25,17 @@ class CompositorThreadHolder;
 #  define COMPOSITOR_MANAGER_PARENT_EXPLICIT_SHUTDOWN
 #endif
 
 class CompositorManagerParent final : public PCompositorManagerParent {
   NS_INLINE_DECL_THREADSAFE_REFCOUNTING(CompositorManagerParent)
 
  public:
   static already_AddRefed<CompositorManagerParent> CreateSameProcess();
-  static void Create(Endpoint<PCompositorManagerParent>&& aEndpoint);
+  static bool Create(Endpoint<PCompositorManagerParent>&& aEndpoint);
   static void Shutdown();
 
   static already_AddRefed<CompositorBridgeParent>
   CreateSameProcessWidgetCompositorBridge(CSSToLayoutDeviceScale aScale,
                                           const CompositorOptions& aOptions,
                                           bool aUseExternalSurfaceSize,
                                           const gfx::IntSize& aSurfaceSize);
 
--- a/gfx/layers/ipc/ImageBridgeParent.cpp
+++ b/gfx/layers/ipc/ImageBridgeParent.cpp
@@ -86,16 +86,20 @@ ImageBridgeParent* ImageBridgeParent::Cr
 }
 
 /* static */
 bool ImageBridgeParent::CreateForGPUProcess(
     Endpoint<PImageBridgeParent>&& aEndpoint) {
   MOZ_ASSERT(XRE_GetProcessType() == GeckoProcessType_GPU);
 
   MessageLoop* loop = CompositorThreadHolder::Loop();
+  if (!loop) {
+    return false;
+  }
+
   RefPtr<ImageBridgeParent> parent =
       new ImageBridgeParent(loop, aEndpoint.OtherPid());
 
   loop->PostTask(NewRunnableMethod<Endpoint<PImageBridgeParent>&&>(
       "layers::ImageBridgeParent::Bind", parent, &ImageBridgeParent::Bind,
       std::move(aEndpoint)));
 
   sImageBridgeParentSingleton = parent;
@@ -206,16 +210,19 @@ mozilla::ipc::IPCResult ImageBridgeParen
 
   return IPC_OK();
 }
 
 /* static */
 bool ImageBridgeParent::CreateForContent(
     Endpoint<PImageBridgeParent>&& aEndpoint) {
   MessageLoop* loop = CompositorThreadHolder::Loop();
+  if (!loop) {
+    return false;
+  }
 
   RefPtr<ImageBridgeParent> bridge =
       new ImageBridgeParent(loop, aEndpoint.OtherPid());
   loop->PostTask(NewRunnableMethod<Endpoint<PImageBridgeParent>&&>(
       "layers::ImageBridgeParent::Bind", bridge, &ImageBridgeParent::Bind,
       std::move(aEndpoint)));
 
   return true;
--- a/gfx/vr/ipc/VRManagerParent.cpp
+++ b/gfx/vr/ipc/VRManagerParent.cpp
@@ -69,16 +69,19 @@ void VRManagerParent::UnregisterFromMana
   VRManager* vm = VRManager::Get();
   vm->RemoveVRManagerParent(this);
   mVRManagerHolder = nullptr;
 }
 
 /* static */
 bool VRManagerParent::CreateForContent(Endpoint<PVRManagerParent>&& aEndpoint) {
   MessageLoop* loop = CompositorThreadHolder::Loop();
+  if (!loop) {
+    return false;
+  }
 
   RefPtr<VRManagerParent> vmp = new VRManagerParent(aEndpoint.OtherPid(), true);
   loop->PostTask(NewRunnableMethod<Endpoint<PVRManagerParent>&&>(
       "gfx::VRManagerParent::Bind", vmp, &VRManagerParent::Bind,
       std::move(aEndpoint)));
 
   return true;
 }
--- a/ipc/chromium/src/base/pickle.cc
+++ b/ipc/chromium/src/base/pickle.cc
@@ -486,17 +486,17 @@ void Pickle::BeginWrite(uint32_t length,
 
   if (padding) {
     MOZ_RELEASE_ASSERT(padding <= 8);
     static const char padding_data[8] = {
         kBytePaddingMarker, kBytePaddingMarker, kBytePaddingMarker,
         kBytePaddingMarker, kBytePaddingMarker, kBytePaddingMarker,
         kBytePaddingMarker, kBytePaddingMarker,
     };
-    buffers_.WriteBytes(padding_data, padding);
+    MOZ_ALWAYS_TRUE(buffers_.WriteBytes(padding_data, padding));
   }
 
   DCHECK((header_size_ + header_->payload_size + padding) % alignment == 0);
 
   header_->payload_size = new_size;
 }
 
 void Pickle::EndWrite(uint32_t length) {
@@ -506,17 +506,17 @@ void Pickle::EndWrite(uint32_t length) {
   if (padding) {
     MOZ_RELEASE_ASSERT(padding <= 4);
     static const char padding_data[4] = {
         kBytePaddingMarker,
         kBytePaddingMarker,
         kBytePaddingMarker,
         kBytePaddingMarker,
     };
-    buffers_.WriteBytes(padding_data, padding);
+    MOZ_ALWAYS_TRUE(buffers_.WriteBytes(padding_data, padding));
   }
 }
 
 bool Pickle::WriteBool(bool value) {
 #ifdef FUZZING
   mozilla::ipc::Faulty::instance().FuzzBool(&value);
 #endif
   return WriteInt(value ? 1 : 0);
@@ -622,17 +622,17 @@ bool Pickle::WriteBytesZeroCopy(void* da
 
 bool Pickle::WriteBytes(const void* data, uint32_t data_len,
                         uint32_t alignment) {
   DCHECK(alignment == 4 || alignment == 8);
   DCHECK(intptr_t(header_) % alignment == 0);
 
   BeginWrite(data_len, alignment);
 
-  buffers_.WriteBytes(reinterpret_cast<const char*>(data), data_len);
+  MOZ_ALWAYS_TRUE(buffers_.WriteBytes(reinterpret_cast<const char*>(data), data_len));
 
   EndWrite(data_len);
   return true;
 }
 
 bool Pickle::WriteString(const std::string& value) {
 #ifdef FUZZING
   std::string v(value);
@@ -662,17 +662,17 @@ bool Pickle::WriteWString(const std::wst
 #endif
 }
 
 bool Pickle::WriteData(const char* data, uint32_t length) {
   return WriteInt(length) && WriteBytes(data, length);
 }
 
 void Pickle::InputBytes(const char* data, uint32_t length) {
-  buffers_.WriteBytes(data, length);
+  MOZ_ALWAYS_TRUE(buffers_.WriteBytes(data, length));
 }
 
 int32_t* Pickle::GetInt32PtrForTest(uint32_t offset) {
   size_t pos = buffers_.Size() - offset;
   BufferList::IterImpl iter(buffers_);
   MOZ_RELEASE_ASSERT(iter.AdvanceAcrossSegments(buffers_, pos));
   return reinterpret_cast<int32_t*>(iter.Data());
 }
--- a/js/rust/build.rs
+++ b/js/rust/build.rs
@@ -216,16 +216,17 @@ const WHITELIST_TYPES: &'static [&'stati
     "JS::MutableHandleValue",
     "JS::NativeImpl",
     "js::ObjectOps",
     "JS::ObjectOpResult",
     "JS::PromiseState",
     "JS::PropertyDescriptor",
     "JS::Rooted",
     "JS::RootedObject",
+    "JS::RootedValue",
     "JS::RootingContext",
     "JS::RootKind",
     "js::Scalar::Type",
     "JS::ServoSizes",
     "js::shadow::Object",
     "js::shadow::ObjectGroup",
     "JS::SourceText",
     "js::StackFormat",
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/debug/Environment-selfhosted-builtins.js
@@ -0,0 +1,15 @@
+// The environment of self-hosted builtins is not exposed to the debugger and
+// instead is reported as |undefined| just like native builtins.
+
+let g = newGlobal({newCompartment: true});
+
+let dbg = new Debugger();
+let gw = dbg.addDebuggee(g);
+
+// Array is a known native builtin function.
+let nativeBuiltin = gw.makeDebuggeeValue(g.Array);
+assertEq(nativeBuiltin.environment, undefined);
+
+// Array.prototype[@@iterator] is a known self-hosted builtin function.
+let selfhostedBuiltin = gw.makeDebuggeeValue(g.Array.prototype[Symbol.iterator]);
+assertEq(selfhostedBuiltin.environment, undefined);
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/debug/Script-selfhosted-builtins.js
@@ -0,0 +1,15 @@
+// The script of self-hosted builtins is not exposed to the debugger and
+// instead is reported as |undefined| just like native builtins.
+
+let g = newGlobal({newCompartment: true});
+
+let dbg = new Debugger();
+let gw = dbg.addDebuggee(g);
+
+// Array is a known native builtin function.
+let nativeBuiltin = gw.makeDebuggeeValue(g.Array);
+assertEq(nativeBuiltin.script, undefined);
+
+// Array.prototype[@@iterator] is a known self-hosted builtin function.
+let selfhostedBuiltin = gw.makeDebuggeeValue(g.Array.prototype[Symbol.iterator]);
+assertEq(selfhostedBuiltin.script, undefined);
--- a/js/src/vm/Debugger.cpp
+++ b/js/src/vm/Debugger.cpp
@@ -197,27 +197,31 @@ static const ClassOps DebuggerSource_cla
 
 static const Class DebuggerSource_class = {
     "Source",
     JSCLASS_HAS_PRIVATE | JSCLASS_HAS_RESERVED_SLOTS(JSSLOT_DEBUGSOURCE_COUNT),
     &DebuggerSource_classOps};
 
 /*** Utils ******************************************************************/
 
+static inline bool IsInterpretedNonSelfHostedFunction(JSFunction* fun) {
+  return fun->isInterpreted() && !fun->isSelfHostedBuiltin();
+}
+
 static inline bool EnsureFunctionHasScript(JSContext* cx, HandleFunction fun) {
   if (fun->isInterpretedLazy()) {
     AutoRealm ar(cx, fun);
     return !!JSFunction::getOrCreateScript(cx, fun);
   }
   return true;
 }
 
 static inline JSScript* GetOrCreateFunctionScript(JSContext* cx,
                                                   HandleFunction fun) {
-  MOZ_ASSERT(fun->isInterpreted());
+  MOZ_ASSERT(IsInterpretedNonSelfHostedFunction(fun));
   if (!EnsureFunctionHasScript(cx, fun)) {
     return nullptr;
   }
   return fun->nonLazyScript();
 }
 
 static bool ValueToIdentifier(JSContext* cx, HandleValue v,
                               MutableHandleId id) {
@@ -6327,18 +6331,18 @@ static bool DebuggerScript_getChildScrip
     // It is not really a child script of this script, so skip it using
     // innerObjectsStart().
     RootedFunction fun(cx);
     RootedScript funScript(cx);
     RootedObject s(cx);
     for (const GCPtrObject& obj : script->objects()) {
       if (obj->is<JSFunction>()) {
         fun = &obj->as<JSFunction>();
-        // The inner function could be a wasm native.
-        if (fun->isNative()) {
+        // The inner function could be an asm.js native.
+        if (!IsInterpretedNonSelfHostedFunction(fun)) {
           continue;
         }
         funScript = GetOrCreateFunctionScript(cx, fun);
         if (!funScript) {
           return false;
         }
         s = dbg->wrapScript(cx, funScript);
         if (!s || !NewbornArrayPush(cx, result, ObjectValue(*s))) {
@@ -10313,17 +10317,17 @@ bool DebuggerObject::scriptGetter(JSCont
   THIS_DEBUGOBJECT_OWNER_REFERENT(cx, argc, vp, "get script", args, dbg, obj);
 
   if (!obj->is<JSFunction>()) {
     args.rval().setUndefined();
     return true;
   }
 
   RootedFunction fun(cx, &obj->as<JSFunction>());
-  if (!fun->isInterpreted()) {
+  if (!IsInterpretedNonSelfHostedFunction(fun)) {
     args.rval().setUndefined();
     return true;
   }
 
   RootedScript script(cx, GetOrCreateFunctionScript(cx, fun));
   if (!script) {
     return false;
   }
@@ -10352,17 +10356,17 @@ bool DebuggerObject::environmentGetter(J
   // Don't bother switching compartments just to check obj's type and get its
   // env.
   if (!obj->is<JSFunction>()) {
     args.rval().setUndefined();
     return true;
   }
 
   RootedFunction fun(cx, &obj->as<JSFunction>());
-  if (!fun->isInterpreted()) {
+  if (!IsInterpretedNonSelfHostedFunction(fun)) {
     args.rval().setUndefined();
     return true;
   }
 
   // Only hand out environments of debuggee functions.
   if (!dbg->observesGlobal(&fun->global())) {
     args.rval().setNull();
     return true;
@@ -11464,17 +11468,17 @@ bool DebuggerObject::getParameterNames(J
                                        MutableHandle<StringVector> result) {
   MOZ_ASSERT(object->isDebuggeeFunction());
 
   RootedFunction referent(cx, &object->referent()->as<JSFunction>());
 
   if (!result.growBy(referent->nargs())) {
     return false;
   }
-  if (referent->isInterpreted()) {
+  if (IsInterpretedNonSelfHostedFunction(referent)) {
     RootedScript script(cx, GetOrCreateFunctionScript(cx, referent));
     if (!script) {
       return false;
     }
 
     MOZ_ASSERT(referent->nargs() == script->numArgs());
 
     if (referent->nargs() > 0) {
--- a/layout/base/nsLayoutUtils.cpp
+++ b/layout/base/nsLayoutUtils.cpp
@@ -9590,18 +9590,17 @@ static nsRect ComputeSVGReferenceRect(ns
 
       if (svgElement && svgElement->HasViewBoxRect()) {
         // If a `viewBox` attribute is specified for the SVG viewport creating
         // element:
         // 1. The reference box is positioned at the origin of the coordinate
         //    system established by the `viewBox` attribute.
         // 2. The dimension of the reference box is set to the width and height
         //    values of the `viewBox` attribute.
-        SVGViewBox* viewBox = svgElement->GetViewBox();
-        const SVGViewBoxRect& value = viewBox->GetAnimValue();
+        const SVGViewBoxRect& value = svgElement->GetViewBox()->GetAnimValue();
         r = nsRect(nsPresContext::CSSPixelsToAppUnits(value.x),
                    nsPresContext::CSSPixelsToAppUnits(value.y),
                    nsPresContext::CSSPixelsToAppUnits(value.width),
                    nsPresContext::CSSPixelsToAppUnits(value.height));
       } else {
         // No viewBox is specified, uses the nearest SVG viewport as reference
         // box.
         svgFloatSize viewportSize = svgElement->GetViewportSize();
--- a/mfbt/BufferList.h
+++ b/mfbt/BufferList.h
@@ -302,17 +302,17 @@ class BufferList : private AllocPolicy {
     return mSegments[0].mData;
   }
   const char* Start() const { return mSegments[0].mData; }
 
   IterImpl Iter() const { return IterImpl(*this); }
 
   // Copies aSize bytes from aData into the BufferList. The storage for these
   // bytes may be split across multiple buffers. Size() is increased by aSize.
-  inline bool WriteBytes(const char* aData, size_t aSize);
+  inline MOZ_MUST_USE bool WriteBytes(const char* aData, size_t aSize);
 
   // Allocates a buffer of at most |aMaxBytes| bytes and, if successful, returns
   // that buffer, and places its size in |aSize|. If unsuccessful, returns null
   // and leaves |aSize| undefined.
   inline char* AllocateBytes(size_t aMaxSize, size_t* aSize);
 
   // Copies possibly non-contiguous byte range starting at aIter into
   // aData. aIter is advanced by aSize bytes. Returns false if it runs out of
@@ -394,17 +394,17 @@ class BufferList : private AllocPolicy {
 
   bool mOwning;
   Vector<Segment, 1, AllocPolicy> mSegments;
   size_t mSize;
   size_t mStandardCapacity;
 };
 
 template <typename AllocPolicy>
-bool BufferList<AllocPolicy>::WriteBytes(const char* aData, size_t aSize) {
+MOZ_MUST_USE bool BufferList<AllocPolicy>::WriteBytes(const char* aData, size_t aSize) {
   MOZ_RELEASE_ASSERT(mOwning);
   MOZ_RELEASE_ASSERT(mStandardCapacity);
 
   size_t copied = 0;
   while (copied < aSize) {
     size_t toCopy;
     char* data = AllocateBytes(aSize - copied, &toCopy);
     if (!data) {
--- a/mfbt/Vector.h
+++ b/mfbt/Vector.h
@@ -398,17 +398,24 @@ class MOZ_NON_PARAM Vector final : priva
   };
 
   template <size_t Dummy>
   struct CRAndStorage<0, Dummy> : CapacityAndReserved {
     explicit CRAndStorage(size_t aCapacity, size_t aReserved)
         : CapacityAndReserved(aCapacity, aReserved) {}
     CRAndStorage() = default;
 
-    T* storage() { return nullptr; }
+    T* storage() {
+      // If this returns |nullptr|, functions like |Vector::begin()| would too,
+      // breaking callers that pass a vector's elements as pointer/length to
+      // code that bounds its operation by length but (even just as a sanity
+      // check) always wants a non-null pointer.  Fake up an aligned, non-null
+      // pointer to support these callers.
+      return reinterpret_cast<T*>(sizeof(T));
+    }
   };
 
   CRAndStorage<kInlineCapacity, 0> mTail;
 
 #ifdef _MSC_VER
 #  pragma warning(pop)
 #endif  // _MSC_VER
 
--- a/mfbt/tests/TestBufferList.cpp
+++ b/mfbt/tests/TestBufferList.cpp
@@ -75,17 +75,17 @@ int main(void) {
   MOZ_RELEASE_ASSERT(iter.Done());
 
   // Writing to the buffer.
 
   const size_t kSmallWrite = 16;
 
   char toWrite[kSmallWrite];
   memset(toWrite, 0x0a, kSmallWrite);
-  bl.WriteBytes(toWrite, kSmallWrite);
+  MOZ_ALWAYS_TRUE(bl.WriteBytes(toWrite, kSmallWrite));
 
   MOZ_RELEASE_ASSERT(bl.Size() == kInitialSize + kSmallWrite);
 
   iter = bl.Iter();
   iter.Advance(bl, kInitialSize);
   MOZ_RELEASE_ASSERT(!iter.Done());
   MOZ_RELEASE_ASSERT(iter.RemainingInSegment() ==
                      kInitialCapacity - kInitialSize);
@@ -135,17 +135,17 @@ int main(void) {
                      kInitialCapacity - kInitialSize);
 
   const size_t kBigWrite = 1024;
 
   char* toWriteBig = static_cast<char*>(malloc(kBigWrite));
   for (unsigned i = 0; i < kBigWrite; i++) {
     toWriteBig[i] = i % 37;
   }
-  bl.WriteBytes(toWriteBig, kBigWrite);
+  MOZ_ALWAYS_TRUE(bl.WriteBytes(toWriteBig, kBigWrite));
 
   char* toReadBig = static_cast<char*>(malloc(kBigWrite));
   iter = bl.Iter();
   MOZ_RELEASE_ASSERT(
       iter.AdvanceAcrossSegments(bl, kInitialSize + kSmallWrite));
   bl.ReadBytes(iter, toReadBig, kBigWrite);
   MOZ_RELEASE_ASSERT(memcmp(toReadBig, toWriteBig, kBigWrite) == 0);
   MOZ_RELEASE_ASSERT(iter.Done());
@@ -184,19 +184,19 @@ int main(void) {
   MOZ_RELEASE_ASSERT(bl.Size() == 0);
   MOZ_RELEASE_ASSERT(bl.Iter().Done());
 
   // Move assignment.
 
   const size_t kSmallCapacity = 8;
 
   BufferList bl2(0, kSmallCapacity, kSmallCapacity);
-  bl2.WriteBytes(toWrite, kSmallWrite);
-  bl2.WriteBytes(toWrite, kSmallWrite);
-  bl2.WriteBytes(toWrite, kSmallWrite);
+  MOZ_ALWAYS_TRUE(bl2.WriteBytes(toWrite, kSmallWrite));
+  MOZ_ALWAYS_TRUE(bl2.WriteBytes(toWrite, kSmallWrite));
+  MOZ_ALWAYS_TRUE(bl2.WriteBytes(toWrite, kSmallWrite));
 
   bl = std::move(bl2);
   MOZ_RELEASE_ASSERT(bl2.Size() == 0);
   MOZ_RELEASE_ASSERT(bl2.Iter().Done());
 
   iter = bl.Iter();
   MOZ_RELEASE_ASSERT(iter.AdvanceAcrossSegments(bl, kSmallWrite * 3));
   MOZ_RELEASE_ASSERT(iter.Done());
@@ -257,48 +257,48 @@ int main(void) {
   BufferList bl3 = bl.Extract(iter, kExtractOverSize, &success);
   MOZ_RELEASE_ASSERT(!success);
 
   iter = bl2.Iter();
   MOZ_RELEASE_ASSERT(iter.AdvanceAcrossSegments(bl2, kExtractSize));
   MOZ_RELEASE_ASSERT(iter.Done());
 
   BufferList bl4(8, 8, 8);
-  bl4.WriteBytes("abcd1234", 8);
+  MOZ_ALWAYS_TRUE(bl4.WriteBytes("abcd1234", 8));
   iter = bl4.Iter();
   iter.Advance(bl4, 8);
 
   BufferList bl5 = bl4.Extract(iter, kExtractSize, &success);
   MOZ_RELEASE_ASSERT(!success);
 
   BufferList bl6(0, 0, 16);
-  bl6.WriteBytes("abcdefgh12345678", 16);
-  bl6.WriteBytes("ijklmnop87654321", 16);
+  MOZ_ALWAYS_TRUE(bl6.WriteBytes("abcdefgh12345678", 16));
+  MOZ_ALWAYS_TRUE(bl6.WriteBytes("ijklmnop87654321", 16));
   iter = bl6.Iter();
   iter.Advance(bl6, 8);
   BufferList bl7 = bl6.Extract(iter, 16, &success);
   MOZ_RELEASE_ASSERT(success);
   char data[16];
   MOZ_RELEASE_ASSERT(bl6.ReadBytes(iter, data, 8));
   MOZ_RELEASE_ASSERT(memcmp(data, "87654321", 8) == 0);
   iter = bl7.Iter();
   MOZ_RELEASE_ASSERT(bl7.ReadBytes(iter, data, 16));
   MOZ_RELEASE_ASSERT(memcmp(data, "12345678ijklmnop", 16) == 0);
 
   BufferList bl8(0, 0, 16);
-  bl8.WriteBytes("abcdefgh12345678", 16);
+  MOZ_ALWAYS_TRUE(bl8.WriteBytes("abcdefgh12345678", 16));
   iter = bl8.Iter();
   BufferList bl9 = bl8.Extract(iter, 8, &success);
   MOZ_RELEASE_ASSERT(success);
   MOZ_RELEASE_ASSERT(bl9.Size() == 8);
   MOZ_RELEASE_ASSERT(!iter.Done());
 
   BufferList bl10(0, 0, 8);
-  bl10.WriteBytes("abcdefgh", 8);
-  bl10.WriteBytes("12345678", 8);
+  MOZ_ALWAYS_TRUE(bl10.WriteBytes("abcdefgh", 8));
+  MOZ_ALWAYS_TRUE(bl10.WriteBytes("12345678", 8));
   iter = bl10.Iter();
   BufferList bl11 = bl10.Extract(iter, 16, &success);
   MOZ_RELEASE_ASSERT(success);
   MOZ_RELEASE_ASSERT(bl11.Size() == 16);
   MOZ_RELEASE_ASSERT(iter.Done());
   iter = bl11.Iter();
   MOZ_RELEASE_ASSERT(bl11.ReadBytes(iter, data, 16));
   MOZ_RELEASE_ASSERT(memcmp(data, "abcdefgh12345678", 16) == 0);
--- a/mfbt/tests/TestVector.cpp
+++ b/mfbt/tests/TestVector.cpp
@@ -501,19 +501,81 @@ static_assert(sizeof(Vector<S, 0>) == si
 
 static_assert(sizeof(Vector<Incomplete, 0>) ==
                   sizeof(NoInlineStorageLayout<Incomplete>),
               "Vector of an incomplete class without inline storage shouldn't "
               "occupy dead space for that absence of storage");
 
 #endif  // DEBUG
 
+static void TestVectorBeginNonNull() {
+  // Vector::begin() should never return nullptr, to accommodate callers that
+  // (either for hygiene, or for semantic reasons) need a non-null pointer even
+  // for zero elements.
+
+  Vector<bool, 0> bvec0;
+  MOZ_RELEASE_ASSERT(bvec0.length() == 0);
+  MOZ_RELEASE_ASSERT(bvec0.begin() != nullptr);
+
+  Vector<bool, 1> bvec1;
+  MOZ_RELEASE_ASSERT(bvec1.length() == 0);
+  MOZ_RELEASE_ASSERT(bvec1.begin() != nullptr);
+
+  Vector<bool, 64> bvec64;
+  MOZ_RELEASE_ASSERT(bvec64.length() == 0);
+  MOZ_RELEASE_ASSERT(bvec64.begin() != nullptr);
+
+  Vector<int, 0> ivec0;
+  MOZ_RELEASE_ASSERT(ivec0.length() == 0);
+  MOZ_RELEASE_ASSERT(ivec0.begin() != nullptr);
+
+  Vector<int, 1> ivec1;
+  MOZ_RELEASE_ASSERT(ivec1.length() == 0);
+  MOZ_RELEASE_ASSERT(ivec1.begin() != nullptr);
+
+  Vector<int, 64> ivec64;
+  MOZ_RELEASE_ASSERT(ivec64.length() == 0);
+  MOZ_RELEASE_ASSERT(ivec64.begin() != nullptr);
+
+  Vector<long, 0> lvec0;
+  MOZ_RELEASE_ASSERT(lvec0.length() == 0);
+  MOZ_RELEASE_ASSERT(lvec0.begin() != nullptr);
+
+  Vector<long, 1> lvec1;
+  MOZ_RELEASE_ASSERT(lvec1.length() == 0);
+  MOZ_RELEASE_ASSERT(lvec1.begin() != nullptr);
+
+  Vector<long, 64> lvec64;
+  MOZ_RELEASE_ASSERT(lvec64.length() == 0);
+  MOZ_RELEASE_ASSERT(lvec64.begin() != nullptr);
+
+  // Vector<T, N> doesn't guarantee N inline elements -- the actual count is
+  // capped so that any Vector fits in a not-crazy amount of space -- so the
+  // code below won't overflow stacks or anything crazy.
+  struct VeryBig {
+    int array[16 * 1024 * 1024];
+  };
+
+  Vector<VeryBig, 0> vbvec0;
+  MOZ_RELEASE_ASSERT(vbvec0.length() == 0);
+  MOZ_RELEASE_ASSERT(vbvec0.begin() != nullptr);
+
+  Vector<VeryBig, 1> vbvec1;
+  MOZ_RELEASE_ASSERT(vbvec1.length() == 0);
+  MOZ_RELEASE_ASSERT(vbvec1.begin() != nullptr);
+
+  Vector<VeryBig, 64> vbvec64;
+  MOZ_RELEASE_ASSERT(vbvec64.length() == 0);
+  MOZ_RELEASE_ASSERT(vbvec64.begin() != nullptr);
+}
+
 int main() {
   VectorTesting::testReserved();
   VectorTesting::testConstRange();
   VectorTesting::testEmplaceBack();
   VectorTesting::testReverse();
   VectorTesting::testExtractRawBuffer();
   VectorTesting::testExtractOrCopyRawBuffer();
   VectorTesting::testReplaceRawBuffer();
   VectorTesting::testInsert();
   VectorTesting::testPodResizeToFit();
+  TestVectorBeginNonNull();
 }
--- a/old-configure.in
+++ b/old-configure.in
@@ -1533,17 +1533,17 @@ dnl = If NSS was not detected in the sys
 dnl = use the one in the source tree (mozilla/security/nss)
 dnl ========================================================
 
 MOZ_ARG_WITH_BOOL(system-nss,
 [  --with-system-nss       Use system installed NSS],
     _USE_SYSTEM_NSS=1 )
 
 if test -n "$_USE_SYSTEM_NSS"; then
-    AM_PATH_NSS(3.42, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
+    AM_PATH_NSS(3.44, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
 fi
 
 NSS_CFLAGS="$NSS_CFLAGS -I${DIST}/include/nss"
 if test -z "$MOZ_SYSTEM_NSS"; then
    case "${OS_ARCH}" in
         # Only few platforms have been tested with GYP
         WINNT|Darwin|Linux|DragonFly|FreeBSD|NetBSD|OpenBSD|SunOS)
             ;;
--- a/security/nss/.taskcluster.yml
+++ b/security/nss/.taskcluster.yml
@@ -19,34 +19,33 @@ tasks:
       # ensure there's no trailing `/` on the repo URL
       repoUrl:
         $if: 'repository.url[-1] == "/"'
         then: {$eval: 'repository.url[:-1]'}
         else: {$eval: 'repository.url'}
     in:
       taskId: '${ownTaskId}'
       taskGroupId: '${ownTaskId}'
-      schedulerId: 'gecko-level-nss'
+      schedulerId: 'nss-level-${repository.level}'
       created: {$fromNow: ''}
       deadline: {$fromNow: '1 day'}
       expires: {$fromNow: '14 days'}
 
       metadata:
         owner: mozilla-taskcluster-maintenance@mozilla.com
         source: "${repository.url}"
         name: "NSS Decision Task"
         description: |
             The task that creates all of the other tasks in the task graph
 
       workerType: "hg-worker"
       provisionerId: "aws-provisioner-v1"
 
       scopes:
         - 'assume:repo:${repoUrl[8:]}:branch:default'
-        - 'queue:route:notify.email.${ownerEmail}.*'
       tags:
         createdForUser: "${ownerEmail}"
 
       routes:
         - "tc-treeherder-stage.v2.${repository.project}.${push.revision}.${push.pushlog_id}"
         - "tc-treeherder.v2.${repository.project}.${push.revision}.${push.pushlog_id}"
 
       payload:
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_43_RTM
+67c41e385581
--- a/security/nss/automation/abi-check/expected-report-libnss3.so.txt
+++ b/security/nss/automation/abi-check/expected-report-libnss3.so.txt
@@ -1,5 +1,5 @@
 
 1 Added function:
 
-  'function SECOidTag HASH_GetHashOidTagByHashType(HASH_HashType)'    {HASH_GetHashOidTagByHashType@@NSS_3.43}
+  'function SECStatus CERT_GetCertificateDer(const CERTCertificate*, SECItem*)'    {CERT_GetCertificateDer@@NSS_3.44}
 
--- a/security/nss/automation/abi-check/expected-report-libssl3.so.txt
+++ b/security/nss/automation/abi-check/expected-report-libssl3.so.txt
@@ -1,20 +0,0 @@
-
-2 functions with some indirect sub-type change:
-
-  [C]'function SECStatus SSL_GetCipherSuiteInfo(PRUint16, SSLCipherSuiteInfo*, PRUintn)' at sslinfo.c:326:1 has some indirect sub-type changes:
-    parameter 2 of type 'SSLCipherSuiteInfo*' has sub-type changes:
-      in pointed to type 'typedef SSLCipherSuiteInfo' at sslt.h:433:1:
-        underlying type 'struct SSLCipherSuiteInfoStr' at sslt.h:366:1 changed:
-          type size changed from 768 to 832 (in bits)
-          1 data member insertion:
-            'SSLHashType SSLCipherSuiteInfoStr::kdfHash', at offset 768 (in bits) at sslt.h:429:1
-
-  [C]'function SECStatus SSL_GetPreliminaryChannelInfo(PRFileDesc*, SSLPreliminaryChannelInfo*, PRUintn)' at sslinfo.c:111:1 has some indirect sub-type changes:
-    parameter 2 of type 'SSLPreliminaryChannelInfo*' has sub-type changes:
-      in pointed to type 'typedef SSLPreliminaryChannelInfo' at sslt.h:379:1:
-        underlying type 'struct SSLPreliminaryChannelInfoStr' at sslt.h:333:1 changed:
-          type size changed from 160 to 192 (in bits)
-          1 data member insertion:
-            'PRUint16 SSLPreliminaryChannelInfoStr::zeroRttCipherSuite', at offset 160 (in bits) at sslt.h:375:1
-
-
--- a/security/nss/automation/abi-check/previous-nss-release
+++ b/security/nss/automation/abi-check/previous-nss-release
@@ -1,1 +1,1 @@
-NSS_3_42_BRANCH
+NSS_3_43_BRANCH
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
new file mode 100644
--- /dev/null
+++ b/security/nss/gtests/certdb_gtest/cert_unittest.cc
@@ -0,0 +1,47 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "gtest/gtest.h"
+
+#include "nss.h"
+#include "secerr.h"
+#include "pk11pub.h"
+#include "nss_scoped_ptrs.h"
+
+namespace nss_test {
+
+class CertTest : public ::testing::Test {};
+
+// Tests CERT_GetCertificateDer for the certs we have.
+TEST_F(CertTest, GetCertDer) {
+  // Listing all the certs should get us the default trust anchors.
+  ScopedCERTCertList certs(PK11_ListCerts(PK11CertListAll, nullptr));
+  ASSERT_FALSE(PR_CLIST_IS_EMPTY(&certs->list));
+
+  for (PRCList* cursor = PR_NEXT_LINK(&certs->list); cursor != &certs->list;
+       cursor = PR_NEXT_LINK(cursor)) {
+    CERTCertListNode* node = (CERTCertListNode*)cursor;
+    SECItem der;
+    ASSERT_EQ(SECSuccess, CERT_GetCertificateDer(node->cert, &der));
+    ASSERT_EQ(0, SECITEM_CompareItem(&der, &node->cert->derCert));
+  }
+}
+
+TEST_F(CertTest, GetCertDerBad) {
+  EXPECT_EQ(SECFailure, CERT_GetCertificateDer(nullptr, nullptr));
+  EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
+
+  ScopedCERTCertList certs(PK11_ListCerts(PK11CertListAll, nullptr));
+  ASSERT_FALSE(PR_CLIST_IS_EMPTY(&certs->list));
+  CERTCertListNode* node = (CERTCertListNode*)PR_NEXT_LINK(&certs->list);
+  EXPECT_EQ(SECFailure, CERT_GetCertificateDer(node->cert, nullptr));
+  EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
+
+  SECItem der;
+  EXPECT_EQ(SECFailure, CERT_GetCertificateDer(nullptr, &der));
+  EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
+}
+}
--- a/security/nss/gtests/certdb_gtest/certdb_gtest.gyp
+++ b/security/nss/gtests/certdb_gtest/certdb_gtest.gyp
@@ -7,23 +7,26 @@
     '../common/gtest.gypi',
   ],
   'targets': [
     {
       'target_name': 'certdb_gtest',
       'type': 'executable',
       'sources': [
         'alg1485_unittest.cc',
+        'cert_unittest.cc',
+        'decode_certs_unittest.cc',
         '<(DEPTH)/gtests/common/gtests.cc'
       ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports',
         '<(DEPTH)/gtests/google_test/google_test.gyp:gtest',
         '<(DEPTH)/lib/util/util.gyp:nssutil3',
         '<(DEPTH)/lib/ssl/ssl.gyp:ssl3',
         '<(DEPTH)/lib/nss/nss.gyp:nss3',
+        '<(DEPTH)/lib/smime/smime.gyp:smime3',
       ]
     }
   ],
   'variables': {
     'module': 'nss'
   }
 }
new file mode 100644
--- /dev/null
+++ b/security/nss/gtests/certdb_gtest/decode_certs_unittest.cc
@@ -0,0 +1,28 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "gtest/gtest.h"
+
+#include "cert.h"
+#include "prerror.h"
+#include "secerr.h"
+
+class DecodeCertsTest : public ::testing::Test {};
+
+TEST_F(DecodeCertsTest, EmptyCertPackage) {
+  // This represents a PKCS#7 ContentInfo with a contentType of
+  // '2.16.840.1.113730.2.5' (Netscape data-type cert-sequence) and a content
+  // consisting of an empty SEQUENCE. This is valid ASN.1, but it contains no
+  // certificates, so CERT_DecodeCertFromPackage should just return a null
+  // pointer.
+  unsigned char emptyCertPackage[] = {0x30, 0x0f, 0x06, 0x09, 0x60, 0x86,
+                                      0x48, 0x01, 0x86, 0xf8, 0x42, 0x02,
+                                      0x05, 0xa0, 0x02, 0x30, 0x00};
+  EXPECT_EQ(nullptr, CERT_DecodeCertFromPackage(
+                         reinterpret_cast<char*>(emptyCertPackage),
+                         sizeof(emptyCertPackage)));
+  EXPECT_EQ(SEC_ERROR_BAD_DER, PR_GetError());
+}
--- a/security/nss/gtests/certdb_gtest/manifest.mn
+++ b/security/nss/gtests/certdb_gtest/manifest.mn
@@ -3,16 +3,18 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 CORE_DEPTH = ../..
 DEPTH      = ../..
 MODULE = nss
 
 CPPSRCS = \
       alg1485_unittest.cc \
+      cert_unittest.cc \
+      decode_certs_unittest.cc \
       $(NULL)
 
 INCLUDES += -I$(CORE_DEPTH)/gtests/google_test/gtest/include \
             -I$(CORE_DEPTH)/gtests/common \
             -I$(CORE_DEPTH)/cpputil
 
 REQUIRES = nspr nss libdbm gtest
 
--- a/security/nss/gtests/ssl_gtest/ssl_recordsep_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_recordsep_unittest.cc
@@ -437,16 +437,58 @@ TEST_P(TlsConnectStream, ReplaceRecordLa
     server_stage.ForwardAll(client_, TlsAgent::STATE_CONNECTED);
   }
   CheckKeys();
 
   // Reading and writing application data should work.
   SendForwardReceive(client_, client_stage, server_);
 }
 
+TEST_F(TlsConnectStreamTls13, ReplaceRecordLayerAsyncPostHandshake) {
+  StartConnect();
+  client_->SetServerKeyBits(server_->server_key_bits());
+
+  BadPrSocket bad_layer_client(client_);
+  BadPrSocket bad_layer_server(server_);
+  StagedRecords client_stage(client_);
+  StagedRecords server_stage(server_);
+
+  client_->SetAuthCertificateCallback(AuthCompleteBlock);
+
+  server_stage.ForwardAll(client_, TlsAgent::STATE_CONNECTING);
+  client_stage.ForwardAll(server_, TlsAgent::STATE_CONNECTING);
+  server_stage.ForwardAll(client_, TlsAgent::STATE_CONNECTING);
+
+  ASSERT_TRUE(client_stage.empty());
+  client_->Handshake();
+  ASSERT_TRUE(client_stage.empty());
+  EXPECT_EQ(TlsAgent::STATE_CONNECTING, client_->state());
+
+  // Now declare the certificate good.
+  EXPECT_EQ(SECSuccess, SSL_AuthCertificateComplete(client_->ssl_fd(), 0));
+  client_->Handshake();
+  ASSERT_FALSE(client_stage.empty());
+
+  if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
+    EXPECT_EQ(TlsAgent::STATE_CONNECTED, client_->state());
+    client_stage.ForwardAll(server_, TlsAgent::STATE_CONNECTED);
+  } else {
+    client_stage.ForwardAll(server_, TlsAgent::STATE_CONNECTED);
+    server_stage.ForwardAll(client_, TlsAgent::STATE_CONNECTED);
+  }
+  CheckKeys();
+
+  // Reading and writing application data should work.
+  SendForwardReceive(client_, client_stage, server_);
+
+  // Post-handshake messages should work here.
+  EXPECT_EQ(SECSuccess, SSL_SendSessionTicket(server_->ssl_fd(), nullptr, 0));
+  SendForwardReceive(server_, server_stage, client_);
+}
+
 // This test ensures that data is correctly forwarded when the handshake is
 // resumed after asynchronous server certificate authentication, when
 // SSL_AuthCertificateComplete() is called.  The logic for resuming the
 // handshake involves a different code path than the usual one, so this test
 // exercises that code fully.
 TEST_F(TlsConnectStreamTls13, ReplaceRecordLayerAsyncEarlyAuth) {
   StartConnect();
   client_->SetServerKeyBits(server_->server_key_bits());
--- a/security/nss/lib/certdb/cert.h
+++ b/security/nss/lib/certdb/cert.h
@@ -210,16 +210,22 @@ extern CERTCertificate *CERT_CreateCerti
 extern void CERT_DestroyCertificate(CERTCertificate *cert);
 
 /*
 ** Make a shallow copy of a certificate "c". Just increments the
 ** reference count on "c".
 */
 extern CERTCertificate *CERT_DupCertificate(CERTCertificate *c);
 
+/* Access the DER of the certificate. This only creates a reference to the DER
+ * in the outparam not a copy.  To avoid the pointer becoming invalid, use
+ * CERT_DupCertificate() and keep a reference to the duplicate alive.
+ */
+extern SECStatus CERT_GetCertificateDer(const CERTCertificate *c, SECItem *der);
+
 /*
 ** Create a new certificate request. This result must be wrapped with an
 ** CERTSignedData to create a signed certificate request.
 **	"name" the subject name (who the certificate request is from)
 **	"spki" describes/defines the public key the certificate is for
 **	"attributes" if non-zero, some optional attribute data
 */
 extern CERTCertificateRequest *CERT_CreateCertificateRequest(
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -1309,16 +1309,27 @@ CERT_DupCertificate(CERTCertificate *c)
 {
     if (c) {
         NSSCertificate *tmp = STAN_GetNSSCertificate(c);
         nssCertificate_AddRef(tmp);
     }
     return c;
 }
 
+SECStatus
+CERT_GetCertificateDer(const CERTCertificate *c, SECItem *der)
+{
+    if (!c || !der) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    *der = c->derCert;
+    return SECSuccess;
+}
+
 /*
  * Allow use of default cert database, so that apps(such as mozilla) don't
  * have to pass the handle all over the place.
  */
 static CERTCertDBHandle *default_cert_db_handle = 0;
 
 void
 CERT_SetDefaultCertDB(CERTCertDBHandle *handle)
--- a/security/nss/lib/freebl/blinit.c
+++ b/security/nss/lib/freebl/blinit.c
@@ -87,33 +87,42 @@ CheckX86CPUSupport()
     avx_support_ = (PRBool)((ecx & AVX_BITS) == AVX_BITS) && check_xcr0_ymm() &&
                    disable_avx == NULL;
     ssse3_support_ = (PRBool)((ecx & ECX_SSSE3) != 0 &&
                               disable_ssse3 == NULL);
 }
 #endif /* NSS_X86_OR_X64 */
 
 /* clang-format off */
-#if (defined(__aarch64__) || defined(__arm__)) && !defined(__ANDROID__)
+#if defined(__aarch64__) || defined(__arm__)
 #ifndef __has_include
 #define __has_include(x) 0
 #endif
 #if (__has_include(<sys/auxv.h>) || defined(__linux__)) && \
     defined(__GNUC__) && __GNUC__ >= 2 && defined(__ELF__)
+/* This might be conflict with host compiler */
+#if !defined(__ANDROID__)
 #include <sys/auxv.h>
+#endif
 extern unsigned long getauxval(unsigned long type) __attribute__((weak));
 #else
 static unsigned long (*getauxval)(unsigned long) = NULL;
-#define AT_HWCAP2 0
-#define AT_HWCAP 0
 #endif /* defined(__GNUC__) && __GNUC__ >= 2 && defined(__ELF__)*/
-#endif /* (defined(__aarch64__) || defined(__arm__)) && !defined(__ANDROID__) */
+
+#ifndef AT_HWCAP2
+#define AT_HWCAP2 26
+#endif
+#ifndef AT_HWCAP
+#define AT_HWCAP 16
+#endif
+
+#endif /* defined(__aarch64__) || defined(__arm__) */
 /* clang-format on */
 
-#if defined(__aarch64__) && !defined(__ANDROID__)
+#if defined(__aarch64__)
 // Defines from hwcap.h in Linux kernel - ARM64
 #ifndef HWCAP_AES
 #define HWCAP_AES (1 << 3)
 #endif
 #ifndef HWCAP_PMULL
 #define HWCAP_PMULL (1 << 4)
 #endif
 #ifndef HWCAP_SHA1
@@ -133,19 +142,19 @@ CheckARMSupport()
         arm_aes_support_ = hwcaps & HWCAP_AES && disable_hw_aes == NULL;
         arm_pmull_support_ = hwcaps & HWCAP_PMULL;
         arm_sha1_support_ = hwcaps & HWCAP_SHA1;
         arm_sha2_support_ = hwcaps & HWCAP_SHA2;
     }
     /* aarch64 must support NEON. */
     arm_neon_support_ = disable_arm_neon == NULL;
 }
-#endif /* defined(__aarch64__) && !defined(__ANDROID__) */
+#endif /* defined(__aarch64__) */
 
-#if defined(__arm__) && !defined(__ANDROID__)
+#if defined(__arm__)
 // Defines from hwcap.h in Linux kernel - ARM
 /*
  * HWCAP flags - for elf_hwcap (in kernel) and AT_HWCAP
  */
 #ifndef HWCAP_NEON
 #define HWCAP_NEON (1 << 12)
 #endif
 
@@ -160,33 +169,68 @@ CheckARMSupport()
 #endif
 #ifndef HWCAP2_SHA1
 #define HWCAP2_SHA1 (1 << 2)
 #endif
 #ifndef HWCAP2_SHA2
 #define HWCAP2_SHA2 (1 << 3)
 #endif
 
+PRBool
+GetNeonSupport()
+{
+    char *disable_arm_neon = PR_GetEnvSecure("NSS_DISABLE_ARM_NEON");
+    if (disable_arm_neon) {
+        return PR_FALSE;
+    }
+#if defined(__ARM_NEON) || defined(__ARM_NEON__)
+    // Compiler generates NEON instruction as default option.
+    // If no getauxval, compiler generate NEON instruction by default,
+    // we should allow NOEN support.
+    return PR_TRUE;
+#elif !defined(__ANDROID__)
+    // Android's cpu-features.c detects features by the following logic
+    //
+    // - Call getauxval(AT_HWCAP)
+    // - Parse /proc/self/auxv if getauxval is nothing or returns 0
+    // - Parse /proc/cpuinfo if both cannot detect features
+    //
+    // But we don't use it for Android since Android document
+    // (https://developer.android.com/ndk/guides/cpu-features) says
+    // one problem with AT_HWCAP sometimes devices (Nexus 4 and emulator)
+    // are mistaken for IDIV.
+    if (getauxval) {
+        return (getauxval(AT_HWCAP) & HWCAP_NEON);
+    }
+#endif /* defined(__ARM_NEON) || defined(__ARM_NEON__) */
+    return PR_FALSE;
+}
+
 void
 CheckARMSupport()
 {
-    char *disable_arm_neon = PR_GetEnvSecure("NSS_DISABLE_ARM_NEON");
     char *disable_hw_aes = PR_GetEnvSecure("NSS_DISABLE_HW_AES");
     if (getauxval) {
+        // Android's cpu-features.c uses AT_HWCAP2 for newer features.
+        // AT_HWCAP2 is implemented on newer devices / kernel, so we can trust
+        // it since cpu-features.c doesn't have workaround / fallback.
+        // Also, AT_HWCAP2 is supported by glibc 2.18+ on Linux/arm, If
+        // AT_HWCAP2 isn't supported by glibc or Linux kernel, getauxval will
+        // returns 0.
         long hwcaps = getauxval(AT_HWCAP2);
         arm_aes_support_ = hwcaps & HWCAP2_AES && disable_hw_aes == NULL;
         arm_pmull_support_ = hwcaps & HWCAP2_PMULL;
         arm_sha1_support_ = hwcaps & HWCAP2_SHA1;
         arm_sha2_support_ = hwcaps & HWCAP2_SHA2;
-        arm_neon_support_ = hwcaps & HWCAP_NEON && disable_arm_neon == NULL;
     }
+    arm_neon_support_ = GetNeonSupport();
 }
-#endif /* defined(__arm__) && !defined(__ANDROID__) */
+#endif /* defined(__arm__) */
 
-// Enable when Firefox can use it.
+// Enable when Firefox can use it for Android API 16 and 17.
 // #if defined(__ANDROID__) && (defined(__arm__) || defined(__aarch64__))
 // #include <cpu-features.h>
 // void
 // CheckARMSupport()
 // {
 //     char *disable_arm_neon = PR_GetEnvSecure("NSS_DISABLE_ARM_NEON");
 //     char *disable_hw_aes = PR_GetEnvSecure("NSS_DISABLE_HW_AES");
 //     AndroidCpuFamily family = android_getCpuFamily();
@@ -257,17 +301,17 @@ arm_sha2_support()
     return arm_sha2_support_;
 }
 
 static PRStatus
 FreeblInit(void)
 {
 #ifdef NSS_X86_OR_X64
     CheckX86CPUSupport();
-#elif (defined(__aarch64__) || defined(__arm__)) && !defined(__ANDROID__)
+#elif (defined(__aarch64__) || defined(__arm__))
     CheckARMSupport();
 #endif
     return PR_SUCCESS;
 }
 
 SECStatus
 BL_Init()
 {
--- a/security/nss/lib/freebl/crypto_primitives.c
+++ b/security/nss/lib/freebl/crypto_primitives.c
@@ -17,17 +17,17 @@
 __inline__ PRUint64
 swap8b(PRUint64 value)
 {
     __asm__("bswapq %0"
             : "+r"(value));
     return (value);
 }
 
-#elif !defined(_MSC_VER)
+#elif !defined(_MSC_VER) && !__has_builtin(__builtin_bswap64)
 
 PRUint64
 swap8b(PRUint64 x)
 {
     PRUint64 t1 = x;
     t1 = ((t1 & SHA_MASK8) << 8) | ((t1 >> 8) & SHA_MASK8);
     t1 = ((t1 & SHA_MASK16) << 16) | ((t1 >> 16) & SHA_MASK16);
     return (t1 >> 32) | (t1 << 32);
--- a/security/nss/lib/freebl/crypto_primitives.h
+++ b/security/nss/lib/freebl/crypto_primitives.h
@@ -6,16 +6,21 @@
 
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
 #endif
 
 #include <stdlib.h>
 #include "prtypes.h"
 
+/* For non-clang platform */
+#ifndef __has_builtin
+#define __has_builtin(x) 0
+#endif
+
 /* Unfortunately this isn't always set when it should be. */
 #if defined(HAVE_LONG_LONG)
 
 /*
  * ROTR64/ROTL64(x, n): rotate a 64-bit integer x by n bites to the right/left.
  */
 #if defined(_MSC_VER)
 #pragma intrinsic(_rotr64, _rotl64)
@@ -24,28 +29,37 @@
 #else
 #define ROTR64(x, n) (((x) >> (n)) | ((x) << (64 - (n))))
 #define ROTL64(x, n) (((x) << (n)) | ((x) >> (64 - (n))))
 #endif
 
 /*
  * FREEBL_HTONLL(x): swap bytes in a 64-bit integer.
  */
+#if defined(IS_LITTLE_ENDIAN)
 #if defined(_MSC_VER)
 
 #pragma intrinsic(_byteswap_uint64)
 #define FREEBL_HTONLL(x) _byteswap_uint64(x)
 
+#elif __has_builtin(__builtin_bswap64)
+
+#define FREEBL_HTONLL(x) __builtin_bswap64(x)
+
 #elif defined(__GNUC__) && (defined(__x86_64__) || defined(__x86_64))
 
 PRUint64 swap8b(PRUint64 value);
 #define FREEBL_HTONLL(x) swap8b(x)
 
 #else
 
 #define SHA_MASK16 0x0000FFFF0000FFFFULL
 #define SHA_MASK8 0x00FF00FF00FF00FFULL
 PRUint64 swap8b(PRUint64 x);
 #define FREEBL_HTONLL(x) swap8b(x)
 
 #endif /* _MSC_VER */
 
-#endif /* HAVE_LONG_LONG */
\ No newline at end of file
+#else /* IS_LITTLE_ENDIAN */
+#define FREEBL_HTONLL(x) (x)
+#endif
+
+#endif /* HAVE_LONG_LONG */
--- a/security/nss/lib/freebl/freebl.gyp
+++ b/security/nss/lib/freebl/freebl.gyp
@@ -71,21 +71,21 @@
           'cflags_mozilla': [
             '-mssse3'
           ],
           # GCC doesn't define this.
           'defines': [
             '__SSSE3__',
           ],
         }],
-        [ 'OS=="android"', {
-          # On Android we can't use any of the hardware acceleration :(
-          'defines!': [
-            '__ARM_NEON__',
-            '__ARM_NEON',
+        [ 'target_arch=="arm"', {
+          # Gecko doesn't support non-NEON platform on Android, but tier-3
+          # platform such as Linux/arm will need it
+          'cflags_mozilla': [
+            '-mfpu=neon'
           ],
         }],
       ],
     },
     {
       'target_name': 'gcm-aes-x86_c_lib',
       'type': 'static_library',
       'sources': [
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -1140,8 +1140,14 @@ CERT_GetCertKeyType;
 ;+       *;
 ;+};
 ;+NSS_3.43 { 	# NSS 3.43 release
 ;+    global:
 HASH_GetHashOidTagByHashType;
 ;+    local:
 ;+       *;
 ;+};
+;+NSS_3.44 { 	# NSS 3.44 release
+;+    global:
+CERT_GetCertificateDer;
+;+    local:
+;+       *;
+;+};
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -17,22 +17,22 @@
 
 /*
  * NSS's major version, minor version, patch level, build number, and whether
  * this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION "3.43" _NSS_CUSTOMIZED
+#define NSS_VERSION "3.44" _NSS_CUSTOMIZED " Beta"
 #define NSS_VMAJOR 3
-#define NSS_VMINOR 43
+#define NSS_VMINOR 44
 #define NSS_VPATCH 0
 #define NSS_VBUILD 0
-#define NSS_BETA PR_FALSE
+#define NSS_BETA PR_TRUE
 
 #ifndef RC_INVOKED
 
 #include "seccomon.h"
 
 typedef struct NSSInitParametersStr NSSInitParameters;
 
 /*
--- a/security/nss/lib/pkcs7/certread.c
+++ b/security/nss/lib/pkcs7/certread.c
@@ -487,24 +487,26 @@ loser:
 typedef struct {
     PLArenaPool *arena;
     SECItem cert;
 } collect_args;
 
 static SECStatus
 collect_certs(void *arg, SECItem **certs, int numcerts)
 {
-    SECStatus rv;
-    collect_args *collectArgs;
-
-    collectArgs = (collect_args *)arg;
-
-    rv = SECITEM_CopyItem(collectArgs->arena, &collectArgs->cert, *certs);
-
-    return (rv);
+    collect_args *collectArgs = (collect_args *)arg;
+    if (!collectArgs || !collectArgs->arena) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    if (numcerts < 1 || !certs || !*certs) {
+        PORT_SetError(SEC_ERROR_BAD_DER);
+        return SECFailure;
+    }
+    return SECITEM_CopyItem(collectArgs->arena, &collectArgs->cert, *certs);
 }
 
 /*
  * read an old style ascii or binary certificate
  */
 CERTCertificate *
 CERT_DecodeCertFromPackage(char *certbuf, int certlen)
 {
--- a/security/nss/lib/softoken/sdb.c
+++ b/security/nss/lib/softoken/sdb.c
@@ -853,82 +853,98 @@ sdb_FindObjectsFinal(SDB *sdb, SDBFind *
         sdb_closeDBLocal(sdb_p, sqlDB);
     }
     PORT_Free(sdbFind);
 
     UNLOCK_SQLITE()
     return sdb_mapSQLError(sdb_p->type, sqlerr);
 }
 
-static const char GET_ATTRIBUTE_CMD[] = "SELECT ALL %s FROM %s WHERE id=$ID;";
 CK_RV
 sdb_GetAttributeValueNoLock(SDB *sdb, CK_OBJECT_HANDLE object_id,
                             CK_ATTRIBUTE *template, CK_ULONG count)
 {
     SDBPrivate *sdb_p = sdb->private;
     sqlite3 *sqlDB = NULL;
     sqlite3_stmt *stmt = NULL;
-    char *getStr = NULL;
-    char *newStr = NULL;
     const char *table = NULL;
     int sqlerr = SQLITE_OK;
     CK_RV error = CKR_OK;
     int found = 0;
     int retry = 0;
     unsigned int i;
 
+    if (count == 0) {
+        error = CKR_OBJECT_HANDLE_INVALID;
+        goto loser;
+    }
+
     /* open a new db if necessary */
     error = sdb_openDBLocal(sdb_p, &sqlDB, &table);
     if (error != CKR_OK) {
         goto loser;
     }
 
+    char *columns = NULL;
     for (i = 0; i < count; i++) {
-        getStr = sqlite3_mprintf("a%x", template[i].type);
-
-        if (getStr == NULL) {
-            error = CKR_HOST_MEMORY;
-            goto loser;
+        char *newColumns;
+        if (columns) {
+            newColumns = sqlite3_mprintf("%s, a%x", columns, template[i].type);
+            sqlite3_free(columns);
+            columns = NULL;
+        } else {
+            newColumns = sqlite3_mprintf("a%x", template[i].type);
         }
-
-        newStr = sqlite3_mprintf(GET_ATTRIBUTE_CMD, getStr, table);
-        sqlite3_free(getStr);
-        getStr = NULL;
-        if (newStr == NULL) {
+        if (!newColumns) {
             error = CKR_HOST_MEMORY;
             goto loser;
         }
+        columns = newColumns;
+    }
+    if (!columns) {
+        error = CKR_OBJECT_HANDLE_INVALID;
+        goto loser;
+    }
 
-        sqlerr = sqlite3_prepare_v2(sqlDB, newStr, -1, &stmt, NULL);
-        sqlite3_free(newStr);
-        newStr = NULL;
-        if (sqlerr == SQLITE_ERROR) {
-            template[i].ulValueLen = -1;
-            error = CKR_ATTRIBUTE_TYPE_INVALID;
-            continue;
-        } else if (sqlerr != SQLITE_OK) {
-            goto loser;
-        }
+    char *statement = sqlite3_mprintf("SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;",
+                                      columns, table);
+    sqlite3_free(columns);
+    columns = NULL;
+    if (!statement) {
+        error = CKR_HOST_MEMORY;
+        goto loser;
+    }
 
-        sqlerr = sqlite3_bind_int(stmt, 1, object_id);
-        if (sqlerr != SQLITE_OK) {
-            goto loser;
-        }
+    sqlerr = sqlite3_prepare_v2(sqlDB, statement, -1, &stmt, NULL);
+    sqlite3_free(statement);
+    statement = NULL;
+    if (sqlerr != SQLITE_OK) {
+        goto loser;
+    }
 
-        do {
-            sqlerr = sqlite3_step(stmt);
-            if (sqlerr == SQLITE_BUSY) {
-                PR_Sleep(SDB_BUSY_RETRY_TIME);
-            }
-            if (sqlerr == SQLITE_ROW) {
+    // NB: indices in sqlite3_bind_int are 1-indexed
+    sqlerr = sqlite3_bind_int(stmt, 1, object_id);
+    if (sqlerr != SQLITE_OK) {
+        goto loser;
+    }
+
+    do {
+        sqlerr = sqlite3_step(stmt);
+        if (sqlerr == SQLITE_BUSY) {
+            PR_Sleep(SDB_BUSY_RETRY_TIME);
+        }
+        if (sqlerr == SQLITE_ROW) {
+            PORT_Assert(!found);
+            for (i = 0; i < count; i++) {
                 unsigned int blobSize;
                 const char *blobData;
 
-                blobSize = sqlite3_column_bytes(stmt, 0);
-                blobData = sqlite3_column_blob(stmt, 0);
+                // NB: indices in sqlite_column_{bytes,blob} are 0-indexed
+                blobSize = sqlite3_column_bytes(stmt, i);
+                blobData = sqlite3_column_blob(stmt, i);
                 if (blobData == NULL) {
                     template[i].ulValueLen = -1;
                     error = CKR_ATTRIBUTE_TYPE_INVALID;
                     break;
                 }
                 /* If the blob equals our explicit NULL value, then the
                  * attribute is a NULL. */
                 if ((blobSize == SQLITE_EXPLICIT_NULL_LEN) &&
@@ -940,23 +956,23 @@ sdb_GetAttributeValueNoLock(SDB *sdb, CK
                     if (template[i].ulValueLen < blobSize) {
                         template[i].ulValueLen = -1;
                         error = CKR_BUFFER_TOO_SMALL;
                         break;
                     }
                     PORT_Memcpy(template[i].pValue, blobData, blobSize);
                 }
                 template[i].ulValueLen = blobSize;
-                found = 1;
             }
-        } while (!sdb_done(sqlerr, &retry));
-        sqlite3_reset(stmt);
-        sqlite3_finalize(stmt);
-        stmt = NULL;
-    }
+            found = 1;
+        }
+    } while (!sdb_done(sqlerr, &retry));
+    sqlite3_reset(stmt);
+    sqlite3_finalize(stmt);
+    stmt = NULL;
 
 loser:
     /* fix up the error if necessary */
     if (error == CKR_OK) {
         error = sdb_mapSQLError(sdb_p->type, sqlerr);
         if (!found && error == CKR_OK) {
             error = CKR_OBJECT_HANDLE_INVALID;
         }
--- a/security/nss/lib/softoken/sftkpwd.c
+++ b/security/nss/lib/softoken/sftkpwd.c
@@ -854,217 +854,156 @@ sftkdb_PWCached(SFTKDBHandle *keydb)
 {
     return keydb->passwordKey.data ? SECSuccess : SECFailure;
 }
 
 static CK_RV
 sftk_updateMacs(PLArenaPool *arena, SFTKDBHandle *handle,
                 CK_OBJECT_HANDLE id, SECItem *newKey)
 {
-    CK_ATTRIBUTE authAttrs[] = {
-        { CKA_MODULUS, NULL, 0 },
-        { CKA_PUBLIC_EXPONENT, NULL, 0 },
-        { CKA_CERT_SHA1_HASH, NULL, 0 },
-        { CKA_CERT_MD5_HASH, NULL, 0 },
-        { CKA_TRUST_SERVER_AUTH, NULL, 0 },
-        { CKA_TRUST_CLIENT_AUTH, NULL, 0 },
-        { CKA_TRUST_EMAIL_PROTECTION, NULL, 0 },
-        { CKA_TRUST_CODE_SIGNING, NULL, 0 },
-        { CKA_TRUST_STEP_UP_APPROVED, NULL, 0 },
-        { CKA_NSS_OVERRIDE_EXTENSIONS, NULL, 0 },
-    };
-    CK_ULONG authAttrCount = sizeof(authAttrs) / sizeof(CK_ATTRIBUTE);
-    unsigned int i, count;
     SFTKDBHandle *keyHandle = handle;
     SDB *keyTarget = NULL;
-
-    id &= SFTK_OBJ_ID_MASK;
-
     if (handle->type != SFTK_KEYDB_TYPE) {
         keyHandle = handle->peerDB;
     }
-
     if (keyHandle == NULL) {
         return CKR_OK;
     }
-
-    /* old DB's don't have meta data, finished with MACs */
+    // Old DBs don't have metadata, so we can return early here.
     keyTarget = SFTK_GET_SDB(keyHandle);
     if ((keyTarget->sdb_flags & SDB_HAS_META) == 0) {
         return CKR_OK;
     }
 
-    /*
-     * STEP 1: find the MACed attributes of this object
-     */
-    (void)sftkdb_GetAttributeValue(handle, id, authAttrs, authAttrCount);
-    count = 0;
-    /* allocate space for the attributes */
-    for (i = 0; i < authAttrCount; i++) {
-        if ((authAttrs[i].ulValueLen == -1) || (authAttrs[i].ulValueLen == 0)) {
+    id &= SFTK_OBJ_ID_MASK;
+
+    CK_ATTRIBUTE_TYPE authAttrTypes[] = {
+        CKA_MODULUS,
+        CKA_PUBLIC_EXPONENT,
+        CKA_CERT_SHA1_HASH,
+        CKA_CERT_MD5_HASH,
+        CKA_TRUST_SERVER_AUTH,
+        CKA_TRUST_CLIENT_AUTH,
+        CKA_TRUST_EMAIL_PROTECTION,
+        CKA_TRUST_CODE_SIGNING,
+        CKA_TRUST_STEP_UP_APPROVED,
+        CKA_NSS_OVERRIDE_EXTENSIONS,
+    };
+    const CK_ULONG authAttrTypeCount = sizeof(authAttrTypes) / sizeof(authAttrTypes[0]);
+
+    // We don't know what attributes this object has, so we update them one at a
+    // time.
+    unsigned int i;
+    for (i = 0; i < authAttrTypeCount; i++) {
+        CK_ATTRIBUTE authAttr = { authAttrTypes[i], NULL, 0 };
+        CK_RV rv = sftkdb_GetAttributeValue(handle, id, &authAttr, 1);
+        if (rv != CKR_OK) {
+            continue;
+        }
+        if ((authAttr.ulValueLen == -1) || (authAttr.ulValueLen == 0)) {
             continue;
         }
-        count++;
-        authAttrs[i].pValue = PORT_ArenaAlloc(arena, authAttrs[i].ulValueLen);
-        if (authAttrs[i].pValue == NULL) {
-            break;
+        authAttr.pValue = PORT_ArenaAlloc(arena, authAttr.ulValueLen);
+        if (authAttr.pValue == NULL) {
+            return CKR_HOST_MEMORY;
+        }
+        rv = sftkdb_GetAttributeValue(handle, id, &authAttr, 1);
+        if (rv != CKR_OK) {
+            return rv;
         }
-    }
-
-    /* if count was zero, none were found, finished with MACs */
-    if (count == 0) {
-        return CKR_OK;
-    }
-
-    (void)sftkdb_GetAttributeValue(handle, id, authAttrs, authAttrCount);
-    /* ignore error code, we expect some possible errors */
-
-    /* GetAttributeValue just verified the old macs, safe to write
-     * them out then... */
-    for (i = 0; i < authAttrCount; i++) {
+        if ((authAttr.ulValueLen == -1) || (authAttr.ulValueLen == 0)) {
+            return CKR_GENERAL_ERROR;
+        }
+        // GetAttributeValue just verified the old macs, so it is safe to write
+        // them out now.
+        if (authAttr.ulValueLen == sizeof(CK_ULONG) &&
+            sftkdb_isULONGAttribute(authAttr.type)) {
+            CK_ULONG value = *(CK_ULONG *)authAttr.pValue;
+            sftk_ULong2SDBULong(authAttr.pValue, value);
+            authAttr.ulValueLen = SDB_ULONG_SIZE;
+        }
         SECItem *signText;
         SECItem plainText;
-        SECStatus rv;
-
-        if ((authAttrs[i].ulValueLen == -1) || (authAttrs[i].ulValueLen == 0)) {
-            continue;
-        }
-
-        if (authAttrs[i].ulValueLen == sizeof(CK_ULONG) &&
-            sftkdb_isULONGAttribute(authAttrs[i].type)) {
-            CK_ULONG value = *(CK_ULONG *)authAttrs[i].pValue;
-            sftk_ULong2SDBULong(authAttrs[i].pValue, value);
-            authAttrs[i].ulValueLen = SDB_ULONG_SIZE;
-        }
-
-        plainText.data = authAttrs[i].pValue;
-        plainText.len = authAttrs[i].ulValueLen;
-        rv = sftkdb_SignAttribute(arena, newKey, id,
-                                  authAttrs[i].type, &plainText, &signText);
-        if (rv != SECSuccess) {
+        plainText.data = authAttr.pValue;
+        plainText.len = authAttr.ulValueLen;
+        if (sftkdb_SignAttribute(arena, newKey, id, authAttr.type, &plainText,
+                                 &signText) != SECSuccess) {
             return CKR_GENERAL_ERROR;
         }
-        rv = sftkdb_PutAttributeSignature(handle, keyTarget, id,
-                                          authAttrs[i].type, signText);
-        if (rv != SECSuccess) {
+        if (sftkdb_PutAttributeSignature(handle, keyTarget, id, authAttr.type,
+                                         signText) != SECSuccess) {
             return CKR_GENERAL_ERROR;
         }
     }
 
     return CKR_OK;
 }
 
 static CK_RV
 sftk_updateEncrypted(PLArenaPool *arena, SFTKDBHandle *keydb,
                      CK_OBJECT_HANDLE id, SECItem *newKey)
 {
-    CK_RV crv = CKR_OK;
-    CK_RV crv2;
-    CK_ATTRIBUTE *first, *last;
-    CK_ATTRIBUTE privAttrs[] = {
-        { CKA_VALUE, NULL, 0 },
-        { CKA_PRIVATE_EXPONENT, NULL, 0 },
-        { CKA_PRIME_1, NULL, 0 },
-        { CKA_PRIME_2, NULL, 0 },
-        { CKA_EXPONENT_1, NULL, 0 },
-        { CKA_EXPONENT_2, NULL, 0 },
-        { CKA_COEFFICIENT, NULL, 0 }
+    CK_ATTRIBUTE_TYPE privAttrTypes[] = {
+        CKA_VALUE,
+        CKA_PRIVATE_EXPONENT,
+        CKA_PRIME_1,
+        CKA_PRIME_2,
+        CKA_EXPONENT_1,
+        CKA_EXPONENT_2,
+        CKA_COEFFICIENT,
     };
-    CK_ULONG privAttrCount = sizeof(privAttrs) / sizeof(CK_ATTRIBUTE);
-    unsigned int i, count;
-
-    /*
-     * STEP 1. Read the old attributes in the clear.
-     */
+    const CK_ULONG privAttrCount = sizeof(privAttrTypes) / sizeof(privAttrTypes[0]);
 
-    /* Get the attribute sizes.
-     *  ignore the error code, we will have unknown attributes here */
-    crv2 = sftkdb_GetAttributeValue(keydb, id, privAttrs, privAttrCount);
-
-    /*
-     * find the valid block of attributes and fill allocate space for
-     * their data */
-    first = last = NULL;
+    // We don't know what attributes this object has, so we update them one at a
+    // time.
+    unsigned int i;
     for (i = 0; i < privAttrCount; i++) {
-        /* find the block of attributes that are appropriate for this
-          * objects. There should only be once contiguous block, if not
-          * there's an error.
-          *
-          * find the first and last good entry.
-          */
-        if ((privAttrs[i].ulValueLen == -1) || (privAttrs[i].ulValueLen == 0)) {
-            if (!first)
-                continue;
-            if (!last) {
-                /* previous entry was last good entry */
-                last = &privAttrs[i - 1];
-            }
+        // Read the old attribute in the clear.
+        CK_ATTRIBUTE privAttr = { privAttrTypes[i], NULL, 0 };
+        CK_RV crv = sftkdb_GetAttributeValue(keydb, id, &privAttr, 1);
+        if (crv != CKR_OK) {
+            continue;
+        }
+        if ((privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) {
             continue;
         }
-        if (!first) {
-            first = &privAttrs[i];
+        privAttr.pValue = PORT_ArenaAlloc(arena, privAttr.ulValueLen);
+        if (privAttr.pValue == NULL) {
+            return CKR_HOST_MEMORY;
+        }
+        crv = sftkdb_GetAttributeValue(keydb, id, &privAttr, 1);
+        if (crv != CKR_OK) {
+            return crv;
+        }
+        if ((privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) {
+            return CKR_GENERAL_ERROR;
         }
-        if (last) {
-            /* OOPS, we've found another good entry beyond the end of the
-             * last good entry, we need to fail here. */
-            crv = CKR_GENERAL_ERROR;
-            break;
+        SECItem plainText;
+        SECItem *result;
+        plainText.data = privAttr.pValue;
+        plainText.len = privAttr.ulValueLen;
+        if (sftkdb_EncryptAttribute(arena, newKey, &plainText, &result) != SECSuccess) {
+            return CKR_GENERAL_ERROR;
         }
-        privAttrs[i].pValue = PORT_ArenaAlloc(arena, privAttrs[i].ulValueLen);
-        if (privAttrs[i].pValue == NULL) {
-            crv = CKR_HOST_MEMORY;
-            break;
+        privAttr.pValue = result->data;
+        privAttr.ulValueLen = result->len;
+        // Clear sensitive data.
+        PORT_Memset(plainText.data, 0, plainText.len);
+
+        // Write the newly encrypted attributes out directly.
+        CK_OBJECT_HANDLE newId = id & SFTK_OBJ_ID_MASK;
+        keydb->newKey = newKey;
+        crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, newId, &privAttr, 1);
+        keydb->newKey = NULL;
+        if (crv != CKR_OK) {
+            return crv;
         }
     }
-    if (first == NULL) {
-        /* no valid entries found, return error based on crv2 */
-        return crv2;
-    }
-    if (last == NULL) {
-        last = &privAttrs[privAttrCount - 1];
-    }
-    if (crv != CKR_OK) {
-        return crv;
-    }
-    /* read the attributes */
-    count = (last - first) + 1;
-    crv = sftkdb_GetAttributeValue(keydb, id, first, count);
-    if (crv != CKR_OK) {
-        return crv;
-    }
 
-    /*
-     * STEP 2: read the encrypt the attributes with the new key.
-     */
-    for (i = 0; i < count; i++) {
-        SECItem plainText;
-        SECItem *result;
-        SECStatus rv;
-
-        plainText.data = first[i].pValue;
-        plainText.len = first[i].ulValueLen;
-        rv = sftkdb_EncryptAttribute(arena, newKey, &plainText, &result);
-        if (rv != SECSuccess) {
-            return CKR_GENERAL_ERROR;
-        }
-        first[i].pValue = result->data;
-        first[i].ulValueLen = result->len;
-        /* clear our sensitive data out */
-        PORT_Memset(plainText.data, 0, plainText.len);
-    }
-
-    /*
-     * STEP 3: write the newly encrypted attributes out directly
-     */
-    id &= SFTK_OBJ_ID_MASK;
-    keydb->newKey = newKey;
-    crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, id, first, count);
-    keydb->newKey = NULL;
-
-    return crv;
+    return CKR_OK;
 }
 
 static CK_RV
 sftk_convertAttributes(SFTKDBHandle *handle,
                        CK_OBJECT_HANDLE id, SECItem *newKey)
 {
     CK_RV crv = CKR_OK;
     PLArenaPool *arena = NULL;
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -12,16 +12,16 @@
 
 /*
  * Softoken's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION "3.43" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION "3.44" SOFTOKEN_ECC_STRING " Beta"
 #define SOFTOKEN_VMAJOR 3
-#define SOFTOKEN_VMINOR 43
+#define SOFTOKEN_VMINOR 44
 #define SOFTOKEN_VPATCH 0
 #define SOFTOKEN_VBUILD 0
-#define SOFTOKEN_BETA PR_FALSE
+#define SOFTOKEN_BETA PR_TRUE
 
 #endif /* _SOFTKVER_H_ */
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -8620,16 +8620,55 @@ ssl3_HandleClientHello(sslSocket *ss, PR
 alert_loser:
     (void)SSL3_SendAlert(ss, level, desc);
 /* FALLTHRU */
 loser:
     PORT_SetError(errCode);
     return SECFailure;
 }
 
+/* unwrap helper function to handle the case where the wrapKey doesn't wind
+ * up in the correct token for the master secret */
+PK11SymKey *
+ssl_unwrapSymKey(PK11SymKey *wrapKey,
+                 CK_MECHANISM_TYPE wrapType, SECItem *param,
+                 SECItem *wrappedKey,
+                 CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
+                 int keySize, CK_FLAGS keyFlags, void *pinArg)
+{
+    PK11SymKey *unwrappedKey;
+
+    /* unwrap the master secret. */
+    unwrappedKey = PK11_UnwrapSymKeyWithFlags(wrapKey, wrapType, param,
+                                              wrappedKey, target, operation, keySize,
+                                              keyFlags);
+    if (!unwrappedKey) {
+        PK11SlotInfo *targetSlot = PK11_GetBestSlot(target, pinArg);
+        PK11SymKey *newWrapKey;
+
+        /* it's possible that we failed to unwrap because the wrapKey is in
+         * a slot that can't handle target. Move the wrapKey to a slot that
+         * can handle this mechanism and retry the operation */
+        if (targetSlot == NULL) {
+            return NULL;
+        }
+        newWrapKey = PK11_MoveSymKey(targetSlot, CKA_UNWRAP, 0,
+                                     PR_FALSE, wrapKey);
+        PK11_FreeSlot(targetSlot);
+        if (newWrapKey == NULL) {
+            return NULL;
+        }
+        unwrappedKey = PK11_UnwrapSymKeyWithFlags(newWrapKey, wrapType, param,
+                                                  wrappedKey, target, operation, keySize,
+                                                  keyFlags);
+        PK11_FreeSymKey(newWrapKey);
+    }
+    return unwrappedKey;
+}
+
 static SECStatus
 ssl3_UnwrapMasterSecretServer(sslSocket *ss, sslSessionID *sid, PK11SymKey **ms)
 {
     PK11SymKey *wrapKey;
     CK_FLAGS keyFlags = 0;
     SECItem wrappedMS = {
         siBuffer,
         sid->u.ssl3.keys.wrapped_master_secret,
@@ -8641,22 +8680,24 @@ ssl3_UnwrapMasterSecretServer(sslSocket 
     if (!wrapKey) {
         return SECFailure;
     }
 
     if (ss->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */
         keyFlags = CKF_SIGN | CKF_VERIFY;
     }
 
-    /* unwrap the master secret. */
-    *ms = PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech,
-                                     NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE,
-                                     CKA_DERIVE, SSL3_MASTER_SECRET_LENGTH, keyFlags);
+    *ms = ssl_unwrapSymKey(wrapKey, sid->u.ssl3.masterWrapMech, NULL,
+                           &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE,
+                           CKA_DERIVE, SSL3_MASTER_SECRET_LENGTH,
+                           keyFlags, ss->pkcs11PinArg);
     PK11_FreeSymKey(wrapKey);
     if (!*ms) {
+        SSL_TRC(10, ("%d: SSL3[%d]: server wrapping key found, but couldn't unwrap MasterSecret. wrapMech=0x%0lx",
+                     SSL_GETPID(), ss->fd, sid->u.ssl3.masterWrapMech));
         return SECFailure;
     }
     return SECSuccess;
 }
 
 static SECStatus
 ssl3_HandleClientHelloPart2(sslSocket *ss,
                             SECItem *suites,
@@ -11869,17 +11910,17 @@ ssl3_HandleHandshake(sslSocket *ss, sslB
                 ss->ssl3.hs.msg_len = (ss->ssl3.hs.msg_len << 8) + t;
             if (ss->ssl3.hs.header_bytes < 4)
                 continue;
 
 #define MAX_HANDSHAKE_MSG_LEN 0x1ffff /* 128k - 1 */
             if (ss->ssl3.hs.msg_len > MAX_HANDSHAKE_MSG_LEN) {
                 (void)ssl3_DecodeError(ss);
                 PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE);
-                return SECFailure;
+                goto loser;
             }
 #undef MAX_HANDSHAKE_MSG_LEN
 
             /* If msg_len is zero, be sure we fall through,
             ** even if buf.len is zero.
             */
             if (ss->ssl3.hs.msg_len > 0)
                 continue;
@@ -11894,30 +11935,30 @@ ssl3_HandleHandshake(sslSocket *ss, sslB
             /* handle it from input buffer */
             rv = ssl3_HandleHandshakeMessage(ss, buf.buf, ss->ssl3.hs.msg_len,
                                              buf.len == ss->ssl3.hs.msg_len);
             buf.buf += ss->ssl3.hs.msg_len;
             buf.len -= ss->ssl3.hs.msg_len;
             ss->ssl3.hs.msg_len = 0;
             ss->ssl3.hs.header_bytes = 0;
             if (rv != SECSuccess) {
-                return rv;
+                goto loser;
             }
         } else {
             /* must be copied to msg_body and dealt with from there */
             unsigned int bytes;
 
             PORT_Assert(ss->ssl3.hs.msg_body.len < ss->ssl3.hs.msg_len);
             bytes = PR_MIN(buf.len, ss->ssl3.hs.msg_len - ss->ssl3.hs.msg_body.len);
 
             /* Grow the buffer if needed */
             rv = sslBuffer_Grow(&ss->ssl3.hs.msg_body, ss->ssl3.hs.msg_len);
             if (rv != SECSuccess) {
                 /* sslBuffer_Grow has set a memory error code. */
-                return SECFailure;
+                goto loser;
             }
 
             PORT_Memcpy(ss->ssl3.hs.msg_body.buf + ss->ssl3.hs.msg_body.len,
                         buf.buf, bytes);
             ss->ssl3.hs.msg_body.len += bytes;
             buf.buf += bytes;
             buf.len -= bytes;
 
@@ -11927,27 +11968,38 @@ ssl3_HandleHandshake(sslSocket *ss, sslB
             if (ss->ssl3.hs.msg_body.len == ss->ssl3.hs.msg_len) {
                 rv = ssl3_HandleHandshakeMessage(
                     ss, ss->ssl3.hs.msg_body.buf, ss->ssl3.hs.msg_len,
                     buf.len == 0);
                 ss->ssl3.hs.msg_body.len = 0;
                 ss->ssl3.hs.msg_len = 0;
                 ss->ssl3.hs.header_bytes = 0;
                 if (rv != SECSuccess) {
-                    return rv;
+                    goto loser;
                 }
             } else {
                 PORT_Assert(buf.len == 0);
                 break;
             }
         }
     } /* end loop */
 
     origBuf->len = 0; /* So ssl3_GatherAppDataRecord will keep looping. */
     return SECSuccess;
+
+loser : {
+    /* Make sure to remove any data that was consumed. */
+    unsigned int consumed = origBuf->len - buf.len;
+    PORT_Assert(consumed == buf.buf - origBuf->buf);
+    if (consumed > 0) {
+        memmove(origBuf->buf, origBuf->buf + consumed, buf.len);
+        origBuf->len = buf.len;
+    }
+}
+    return SECFailure;
 }
 
 /* These macros return the given value with the MSB copied to all the other
  * bits. They use the fact that arithmetic shift shifts-in the sign bit.
  * However, this is not ensured by the C standard so you may need to replace
  * them with something else for odd compilers. */
 #define DUPLICATE_MSB_TO_ALL(x) ((unsigned)((int)(x) >> (sizeof(int) * 8 - 1)))
 #define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x)))
--- a/security/nss/lib/ssl/sslimpl.h
+++ b/security/nss/lib/ssl/sslimpl.h
@@ -1729,16 +1729,24 @@ PRBool ssl_AlpnTagAllowed(const sslSocke
 
 void ssl_Trace(const char *format, ...);
 
 void ssl_CacheExternalToken(sslSocket *ss);
 SECStatus ssl_DecodeResumptionToken(sslSessionID *sid, const PRUint8 *encodedTicket,
                                     PRUint32 encodedTicketLen);
 PRBool ssl_IsResumptionTokenUsable(sslSocket *ss, sslSessionID *sid);
 
+/* unwrap helper function to handle the case where the wrapKey doesn't wind
+ *  * up in the correct token for the master secret */
+PK11SymKey *ssl_unwrapSymKey(PK11SymKey *wrapKey,
+                             CK_MECHANISM_TYPE wrapType, SECItem *param,
+                             SECItem *wrappedKey,
+                             CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
+                             int keySize, CK_FLAGS keyFlags, void *pinArg);
+
 /* Remove when stable. */
 
 SECStatus SSLExp_SetResumptionTokenCallback(PRFileDesc *fd,
                                             SSLResumptionTokenCallback cb,
                                             void *ctx);
 SECStatus SSLExp_SetResumptionToken(PRFileDesc *fd, const PRUint8 *token,
                                     unsigned int len);
 
--- a/security/nss/lib/ssl/tls13con.c
+++ b/security/nss/lib/ssl/tls13con.c
@@ -976,23 +976,23 @@ tls13_RecoverWrappedSharedSecret(sslSock
     if (!wrapKey) {
         return SECFailure;
     }
 
     wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
     wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
 
     /* unwrap the "master secret" which is actually RMS. */
-    ss->ssl3.hs.resumptionMasterSecret = PK11_UnwrapSymKeyWithFlags(
+    ss->ssl3.hs.resumptionMasterSecret = ssl_unwrapSymKey(
         wrapKey, sid->u.ssl3.masterWrapMech,
         NULL, &wrappedMS,
         CKM_SSL3_MASTER_KEY_DERIVE,
         CKA_DERIVE,
         tls13_GetHashSizeForHash(hashType),
-        CKF_SIGN | CKF_VERIFY);
+        CKF_SIGN | CKF_VERIFY, ss->pkcs11PinArg);
     PK11_FreeSymKey(wrapKey);
     if (!ss->ssl3.hs.resumptionMasterSecret) {
         return SECFailure;
     }
 
     PRINT_KEY(50, (ss, "Recovered RMS", ss->ssl3.hs.resumptionMasterSecret));
 
     return SECSuccess;
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -14,22 +14,22 @@
 
 /*
  * NSS utilities's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION "3.43"
+#define NSSUTIL_VERSION "3.44 Beta"
 #define NSSUTIL_VMAJOR 3
-#define NSSUTIL_VMINOR 43
+#define NSSUTIL_VMINOR 44
 #define NSSUTIL_VPATCH 0
 #define NSSUTIL_VBUILD 0
-#define NSSUTIL_BETA PR_FALSE
+#define NSSUTIL_BETA PR_TRUE
 
 SEC_BEGIN_PROTOS
 
 /*
  * Returns a const string of the UTIL library version.
  */
 extern const char *NSSUTIL_GetVersion(void);
 
--- a/security/nss/tests/cert/cert.sh
+++ b/security/nss/tests/cert/cert.sh
@@ -312,17 +312,17 @@ cert_create_cert()
 #     generate request
 #     sign request
 #     import Cert
 #
 ########################################################################
 cert_add_cert()
 {
     CU_ACTION="Generate Cert Request for $CERTNAME"
-    CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+    CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
     certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req  2>&1
     if [ "$RET" -ne 0 ]; then
         return $RET
     fi
 
     CU_ACTION="Sign ${CERTNAME}'s Request"
     certu -C -c "TestCA" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
           -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
@@ -338,17 +338,17 @@ cert_add_cert()
     fi
 
     cert_log "SUCCESS: $CERTNAME's Cert Created"
 
 #
 #   Generate and add DSA cert
 #
 	CU_ACTION="Generate DSA Cert Request for $CERTNAME"
-	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
 	certu -R -k dsa -d "${PROFILEDIR}" -f "${R_PWFILE}" \
 	    -z "${R_NOISE_FILE}" -o req  2>&1
 	if [ "$RET" -ne 0 ]; then
             return $RET
 	fi
 
 	CU_ACTION="Sign ${CERTNAME}'s DSA Request"
 	certu -C -c "TestCA-dsa" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
@@ -362,17 +362,17 @@ cert_add_cert()
 	    -f "${R_PWFILE}" -i "${CERTNAME}-dsa.cert" 2>&1
 	if [ "$RET" -ne 0 ]; then
             return $RET
 	fi
 	cert_log "SUCCESS: $CERTNAME's DSA Cert Created"
 
 #    Generate DSA certificate signed with RSA
 	CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME"
-	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
 	certu -R -k dsa -d "${PROFILEDIR}" -f "${R_PWFILE}" \
 	    -z "${R_NOISE_FILE}" -o req  2>&1
 	if [ "$RET" -ne 0 ]; then
             return $RET
 	fi
 
 	CU_ACTION="Sign ${CERTNAME}'s DSA Request with RSA"
 # Avoid conflicting serial numbers with TestCA issuer by keeping
@@ -393,17 +393,17 @@ cert_add_cert()
 	fi
 	cert_log "SUCCESS: $CERTNAME's mixed DSA Cert Created"
 
 #
 #   Generate and add EC cert
 #
 	CURVE="secp384r1"
 	CU_ACTION="Generate EC Cert Request for $CERTNAME"
-	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
 	certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
 	    -z "${R_NOISE_FILE}" -o req  2>&1
 	if [ "$RET" -ne 0 ]; then
             return $RET
 	fi
 
 	CU_ACTION="Sign ${CERTNAME}'s EC Request"
 	certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
@@ -417,17 +417,17 @@ cert_add_cert()
 	    -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
 	if [ "$RET" -ne 0 ]; then
             return $RET
 	fi
 	cert_log "SUCCESS: $CERTNAME's EC Cert Created"
 
 #    Generate EC certificate signed with RSA
 	CU_ACTION="Generate mixed EC Cert Request for $CERTNAME"
-	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
 	certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
 	    -z "${R_NOISE_FILE}" -o req  2>&1
 	if [ "$RET" -ne 0 ]; then
             return $RET
 	fi
 
 	CU_ACTION="Sign ${CERTNAME}'s EC Request with RSA"
 # Avoid conflicting serial numbers with TestCA issuer by keeping
@@ -450,17 +450,17 @@ cert_add_cert()
 
 	echo "Importing RSA-PSS server certificate"
 	pk12u -i ${QADIR}/cert/TestUser-rsa-pss-interop.p12 -k ${R_PWFILE} -w ${R_PWFILE} -d ${PROFILEDIR}
 	# Let's get the key ID of the imported private key.
 	KEYID=`${BINDIR}/certutil -d ${PROFILEDIR} -K -f ${R_PWFILE} | \
 		grep 'TestUser-rsa-pss-interop$' | sed -n 's/^<.*> [^ ]\{1,\} *\([^ ]\{1,\}\).*/\1/p'`
 
 	CU_ACTION="Generate RSA-PSS Cert Request for $CERTNAME"
-	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-rsa-pss@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-rsa-pss@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
 	certu -R -d "${PROFILEDIR}" -k ${KEYID} -f "${R_PWFILE}" \
 	-z "${R_NOISE_FILE}" -o req 2>&1
 
 	CU_ACTION="Sign ${CERTNAME}'s RSA-PSS Request"
 	NEWSERIAL=`expr ${CERTSERIAL} + 30000`
 	certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \
 	      -i req -o "${CERTNAME}-rsa-pss.cert" -f "${R_PWFILE}" "$1" 2>&1
 
@@ -868,35 +868,35 @@ cert_smime_client()
 
   echo "$SCRIPTNAME: Creating Dave's Certificate -------------------------"
   cert_create_cert "${DAVEDIR}" Dave 50 ${D_DAVE}
 
 ## XXX With this new script merging ECC and non-ECC tests, the
 ## call to cert_create_cert ends up creating two separate certs
 ## one for Eve and another for Eve-ec but they both end up with
 ## the same Subject Alt Name Extension, i.e., both the cert for
-## Eve@bogus.com and the cert for Eve-ec@bogus.com end up 
-## listing eve@bogus.net in the Certificate Subject Alt Name extension. 
+## Eve@example.com and the cert for Eve-ec@example.com end up 
+## listing eve@example.net in the Certificate Subject Alt Name extension. 
 ## This can cause a problem later when cmsutil attempts to create
 ## enveloped data and accidently picks up the ECC cert (NSS currently
 ## does not support ECC for enveloped data creation). This script
 ## avoids the problem by ensuring that these conflicting certs are
 ## never added to the same cert database (see comment marked XXXX).
   echo "$SCRIPTNAME: Creating multiEmail's Certificate --------------------"
-  cert_create_cert "${EVEDIR}" "Eve" 60 ${D_EVE} "-7 eve@bogus.net,eve@bogus.cc,beve@bogus.com"
+  cert_create_cert "${EVEDIR}" "Eve" 60 ${D_EVE} "-7 eve@example.net,eve@example.org,beve@example.com"
 
   #echo "************* Copying CA files to ${SERVERDIR}"
   #cp ${CADIR}/*.db .
   #hw_acc
 
   #########################################################################
   #
   #cd ${CERTDIR}
   #CU_ACTION="Creating ${CERTNAME}'s Server Cert"
-  #CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS Netscape, L=Mountain View, ST=California, C=US"
+  #CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@example.com, O=BOGUS Netscape, L=Mountain View, ST=California, C=US"
   #certu -S -n "${CERTNAME}" -c "TestCA" -t "u,u,u" -m "$CERTSERIAL" \
   #	-d ${PROFILEDIR} -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1
 
   #CU_ACTION="Export Dave's Cert"
   #cd ${DAVEDIR}
   #certu -L -n "Dave" -r -d ${P_R_DAVE} -o Dave.cert
 
   ################# Importing Certificates for S/MIME tests ###############
@@ -970,17 +970,17 @@ cert_extended_ssl()
 
   CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)"
   certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
 
   CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
   modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
 
   CU_ACTION="Generate Cert Request for $CERTNAME (ext)"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request (ext)"
   cp ${CERTDIR}/req ${SERVER_CADIR}
   certu -C -c "chain-2-serverCA" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
 
   CU_ACTION="Import $CERTNAME's Cert  -t u,u,u (ext)"
@@ -990,17 +990,17 @@ cert_extended_ssl()
   CU_ACTION="Import Client Root CA -t T,, for $CERTNAME (ext.)"
   certu -A -n "clientCA" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
           -i "${CLIENT_CADIR}/clientCA.ca.cert" 2>&1
 
 #
 #     Repeat the above for DSA certs
 #
       CU_ACTION="Generate DSA Cert Request for $CERTNAME (ext)"
-      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
       certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \
 	  -z "${R_NOISE_FILE}" -o req 2>&1
 
       CU_ACTION="Sign ${CERTNAME}'s DSA Request (ext)"
       cp ${CERTDIR}/req ${SERVER_CADIR}
       certu -C -c "chain-2-serverCA-dsa" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
           -i req -o "${CERTNAME}-dsa.cert" -f "${R_PWFILE}" 2>&1
 
@@ -1012,17 +1012,17 @@ cert_extended_ssl()
       certu -A -n "clientCA-dsa" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
           -i "${CLIENT_CADIR}/clientCA-dsa.ca.cert" 2>&1
 #
 #     done with DSA certs
 #
 #     Repeat again for mixed DSA certs
 #
       CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME (ext)"
-      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
       certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \
 	  -z "${R_NOISE_FILE}" -o req 2>&1
 
       CU_ACTION="Sign ${CERTNAME}'s mixed DSA Request (ext)"
       cp ${CERTDIR}/req ${SERVER_CADIR}
       certu -C -c "chain-2-serverCA" -m 202 -v 60 -d "${P_SERVER_CADIR}" \
           -i req -o "${CERTNAME}-dsamixed.cert" -f "${R_PWFILE}" 2>&1
 
@@ -1035,17 +1035,17 @@ cert_extended_ssl()
 #	  -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-dsamixed.ca.cert" \
 #	  2>&1
 
 #
 #     Repeat the above for EC certs
 #
       EC_CURVE="secp256r1"
       CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
-      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
       certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
 	  -z "${R_NOISE_FILE}" -o req 2>&1
 
       CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)"
       cp ${CERTDIR}/req ${SERVER_CADIR}
       certu -C -c "chain-2-serverCA-ec" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
           -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1
 
@@ -1058,17 +1058,17 @@ cert_extended_ssl()
           -i "${CLIENT_CADIR}/clientCA-ec.ca.cert" 2>&1
 #
 #     done with EC certs
 #
 #     Repeat again for mixed EC certs
 #
       EC_CURVE="secp256r1"
       CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)"
-      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
       certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
 	  -z "${R_NOISE_FILE}" -o req 2>&1
 
       CU_ACTION="Sign ${CERTNAME}'s mixed EC Request (ext)"
       cp ${CERTDIR}/req ${SERVER_CADIR}
       certu -C -c "chain-2-serverCA" -m 201 -v 60 -d "${P_SERVER_CADIR}" \
           -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" 2>&1
 
@@ -1119,17 +1119,17 @@ cert_extended_ssl()
 
   CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)"
   certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
 
   CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
   modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
 
   CU_ACTION="Generate Cert Request for $CERTNAME (ext)"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" \
       -o req 2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request (ext)"
   cp ${CERTDIR}/req ${CLIENT_CADIR}
   certu -C -c "chain-2-clientCA" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
 
@@ -1139,17 +1139,17 @@ cert_extended_ssl()
   CU_ACTION="Import Server Root CA -t C,C,C for $CERTNAME (ext.)"
   certu -A -n "serverCA" -t "C,C,C" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
           -i "${SERVER_CADIR}/serverCA.ca.cert" 2>&1
 
 #
 #     Repeat the above for DSA certs
 #
       CU_ACTION="Generate DSA Cert Request for $CERTNAME (ext)"
-      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
       certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \
 	  -z "${R_NOISE_FILE}" -o req 2>&1
 
       CU_ACTION="Sign ${CERTNAME}'s DSA Request (ext)"
       cp ${CERTDIR}/req ${CLIENT_CADIR}
       certu -C -c "chain-2-clientCA-dsa" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
           -i req -o "${CERTNAME}-dsa.cert" -f "${R_PWFILE}" 2>&1
 
@@ -1162,17 +1162,17 @@ cert_extended_ssl()
 	  -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-dsa.ca.cert" 2>&1
 #
 # done with DSA certs
 #
 #
 #     Repeat the above for mixed DSA certs
 #
       CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME (ext)"
-      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
       certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \
 	  -z "${R_NOISE_FILE}" -o req 2>&1
 
       CU_ACTION="Sign ${CERTNAME}'s mixed DSA Request (ext)"
       cp ${CERTDIR}/req ${CLIENT_CADIR}
       certu -C -c "chain-2-clientCA" -m 302 -v 60 -d "${P_CLIENT_CADIR}" \
           -i req -o "${CERTNAME}-dsamixed.cert" -f "${R_PWFILE}" 2>&1
 
@@ -1186,17 +1186,17 @@ cert_extended_ssl()
 #
 # done with mixed DSA certs
 #
 
 #
 #     Repeat the above for EC certs
 #
       CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
-      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
       certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
 	  -z "${R_NOISE_FILE}" -o req 2>&1
 
       CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)"
       cp ${CERTDIR}/req ${CLIENT_CADIR}
       certu -C -c "chain-2-clientCA-ec" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
           -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1
 
@@ -1209,17 +1209,17 @@ cert_extended_ssl()
 	  -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1
 #
 # done with EC certs
 #
 #
 #     Repeat the above for mixed EC certs
 #
       CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)"
-      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
       certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
 	  -z "${R_NOISE_FILE}" -o req 2>&1
 
       CU_ACTION="Sign ${CERTNAME}'s mixed EC Request (ext)"
       cp ${CERTDIR}/req ${CLIENT_CADIR}
       certu -C -c "chain-2-clientCA" -m 301 -v 60 -d "${P_CLIENT_CADIR}" \
           -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" 2>&1
 
@@ -1382,17 +1382,17 @@ MODSCRIPT
   certu -W -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -@ "${R_FIPSBADPWFILE}" 2>&1
   CU_ACTION="Attempt to generate a key with exponent of 3 (too small)"
   certu -G -k rsa -g 2048 -y 3 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}" 
   CU_ACTION="Attempt to generate a key with exponent of 17 (too small)"
   certu -G -k rsa -g 2048 -y 17 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}" 
   RETEXPECTED=0
 
   CU_ACTION="Generate Certificate for ${CERTNAME}"
-  CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=${CERTNAME}, E=fips@example.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US"
   certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1
   if [ "$RET" -eq 0 ]; then
     cert_log "SUCCESS: FIPS passed"
   fi
 
 }
 
 ########################## cert_rsa_exponent #################################
@@ -1434,17 +1434,17 @@ cert_eccurves()
     CERTSERIAL=2000
 
     for CURVE in ${CURVE_LIST}
     do
 	CERTFAILED=0
 	CERTNAME="Curve-${CURVE}"
 	CERTSERIAL=`expr $CERTSERIAL + 1 `
 	CU_ACTION="Generate EC Cert Request for $CERTNAME"
-	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
 	certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
 		-z "${R_NOISE_FILE}" -o req  2>&1
 	
 	if [ $RET -eq 0 ] ; then
 	  CU_ACTION="Sign ${CERTNAME}'s EC Request"
 	  certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
 		-i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1
 	fi
@@ -1459,17 +1459,17 @@ cert_eccurves()
 
 ########################### cert_extensions_test #############################
 # local shell function to test cert extensions generation
 ##############################################################################
 cert_extensions_test()
 {
     COUNT=`expr ${COUNT} + 1`
     CERTNAME=TestExt${COUNT}
-    CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+    CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
 
     echo
     echo certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \
         -t "u,u,u" -o ${CERT_EXTENSIONS_DIR}/tempcert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \
         -z "${R_NOISE_FILE}" -${OPT} \< ${TARG_FILE}
     echo "certutil options:"
     cat ${TARG_FILE}
     ${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \
@@ -2021,17 +2021,17 @@ cert_test_password()
   cert_CA ${DBPASSDIR} PasswordCA -x "CTu,CTu,CTu" ${D_DBPASS} "1"
 
   # now change the password
   CU_ACTION="Changing password on ${CERTNAME}'s Cert DB"
   certu -W -d "${PROFILEDIR}" -f "${R_PWFILE}" -@ "${R_FIPSPWFILE}" 2>&1
 
   # finally make sure we can use the old key with the new password
   CU_ACTION="Generate Certificate for ${CERTNAME} with new password"
-  CU_SUBJECT="CN=${CERTNAME}, E=password@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=${CERTNAME}, E=password@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -S -n PasswordCert -c PasswordCA -t "u,u,u" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -z "${R_NOISE_FILE}" 2>&1
   if [ "$RET" -eq 0 ]; then
     cert_log "SUCCESS: PASSWORD passed"
   fi
   CU_ACTION="Verify Certificate for ${CERTNAME} with new password"
   certu -V -n PasswordCert -u S -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1
 }
 
@@ -2050,27 +2050,27 @@ cert_test_password()
 cert_test_distrust()
 {
   echo "$SCRIPTNAME: Creating Distrusted Certificate"
   cert_create_cert ${DISTRUSTDIR} "Distrusted" 2000 ${D_DISTRUST}
   CU_ACTION="Mark CERT as unstrusted"
   certu -M -n "Distrusted" -t p,p,p -d ${PROFILEDIR} -f "${R_PWFILE}" 2>&1
   echo "$SCRIPTNAME: Creating Distrusted Intermediate"
   CERTNAME="DistrustedCA"
-  ALL_CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  ALL_CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   cert_CA ${CADIR} "${CERTNAME}" "-c TestCA" ",," ${D_CA} 2010 2>&1
   CU_ACTION="Import Distrusted Intermediate"
   certu -A -n "${CERTNAME}" -t "p,p,p" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
           -i "${R_CADIR}/DistrustedCA.ca.cert" 2>&1
 
   # now create the last leaf signed by our distrusted CA
   # since it's not signed by TestCA it requires more steps.
   CU_ACTION="Generate Cert Request for Leaf Chained to Distrusted CA"
   CERTNAME="LeafChainedToDistrustedCA"
-  CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request"
   cp ${CERTDIR}/req ${CADIR}
   certu -C -c "DistrustedCA" -m 100 -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
 
   CU_ACTION="Import $CERTNAME's Cert  -t u,u,u"
@@ -2200,17 +2200,17 @@ cert_test_rsapss()
   CERTSERIAL=200
 
   # Subject certificate: RSA
   # Issuer certificate: RSA
   # Signature: RSA-PSS (explicit, with --pss-sign)
   CERTNAME="TestUser-rsa-pss1"
 
   CU_ACTION="Generate Cert Request for $CERTNAME"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req  2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request"
   certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
 
   CU_ACTION="Import $CERTNAME's Cert"
   certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
@@ -2231,17 +2231,17 @@ EOF
   CERTSERIAL=`expr $CERTSERIAL + 1`
 
   # Subject certificate: RSA
   # Issuer certificate: RSA
   # Signature: RSA-PSS (explict, with --pss-sign -Z SHA512)
   CERTNAME="TestUser-rsa-pss2"
 
   CU_ACTION="Generate Cert Request for $CERTNAME"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req  2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request"
   certu -C -c "TestCA" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
 
   CU_ACTION="Import $CERTNAME's Cert"
   certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
@@ -2262,17 +2262,17 @@ EOF
   CERTSERIAL=`expr $CERTSERIAL + 1`
 
   # Subject certificate: RSA
   # Issuer certificate: RSA-PSS
   # Signature: RSA-PSS
   CERTNAME="TestUser-rsa-pss3"
 
   CU_ACTION="Generate Cert Request for $CERTNAME"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req  2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request"
   certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
 
   CU_ACTION="Import $CERTNAME's Cert"
   certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
@@ -2293,17 +2293,17 @@ EOF
   CERTSERIAL=`expr $CERTSERIAL + 1`
 
   # Subject certificate: RSA-PSS
   # Issuer certificate: RSA
   # Signature: RSA-PSS (explicit, with --pss-sign)
   CERTNAME="TestUser-rsa-pss4"
 
   CU_ACTION="Generate Cert Request for $CERTNAME"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req  2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request"
   certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
 
   CU_ACTION="Import $CERTNAME's Cert"
   certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
@@ -2324,17 +2324,17 @@ EOF
   CERTSERIAL=`expr $CERTSERIAL + 1`
 
   # Subject certificate: RSA-PSS
   # Issuer certificate: RSA-PSS
   # Signature: RSA-PSS (explicit, with --pss-sign)
   CERTNAME="TestUser-rsa-pss5"
 
   CU_ACTION="Generate Cert Request for $CERTNAME"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req  2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request"
   certu -C -c "TestCA-rsa-pss" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
 
   CU_ACTION="Import $CERTNAME's Cert"
   certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
@@ -2355,17 +2355,17 @@ EOF
   CERTSERIAL=`expr $CERTSERIAL + 1`
 
   # Subject certificate: RSA-PSS
   # Issuer certificate: RSA-PSS
   # Signature: RSA-PSS (implicit, without --pss-sign)
   CERTNAME="TestUser-rsa-pss6"
 
   CU_ACTION="Generate Cert Request for $CERTNAME"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req  2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request"
   # Sign without --pss-sign nor -Z option
   certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
 
   CU_ACTION="Import $CERTNAME's Cert"
@@ -2387,34 +2387,34 @@ EOF
   CERTSERIAL=`expr $CERTSERIAL + 1`
 
   # Subject certificate: RSA-PSS
   # Issuer certificate: RSA-PSS
   # Signature: RSA-PSS (with conflicting hash algorithm)
   CERTNAME="TestUser-rsa-pss7"
 
   CU_ACTION="Generate Cert Request for $CERTNAME"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req  2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request"
   RETEXPECTED=255
   certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
   RETEXPECTED=0
 
   CERTSERIAL=`expr $CERTSERIAL + 1`
 
   # Subject certificate: RSA-PSS
   # Issuer certificate: RSA-PSS
   # Signature: RSA-PSS (with compatible hash algorithm)
   CERTNAME="TestUser-rsa-pss8"
 
   CU_ACTION="Generate Cert Request for $CERTNAME"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req  2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request"
   certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
 
   CU_ACTION="Import $CERTNAME's Cert"
   certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
@@ -2435,17 +2435,17 @@ EOF
   CERTSERIAL=`expr $CERTSERIAL + 1`
 
   # Subject certificate: RSA
   # Issuer certificate: RSA
   # Signature: RSA-PSS (explict, with --pss-sign -Z SHA1)
   CERTNAME="TestUser-rsa-pss9"
 
   CU_ACTION="Generate Cert Request for $CERTNAME"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req  2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request"
   certu -C -c "TestCA" --pss-sign -Z SHA1 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
 
   CU_ACTION="Import $CERTNAME's Cert"
   certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
@@ -2466,17 +2466,17 @@ EOF
   CERTSERIAL=`expr $CERTSERIAL + 1`
 
   # Subject certificate: RSA-PSS
   # Issuer certificate: RSA-PSS
   # Signature: RSA-PSS (implicit, without --pss-sign, default parameters)
   CERTNAME="TestUser-rsa-pss10"
 
   CU_ACTION="Generate Cert Request for $CERTNAME"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req  2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request"
   # Sign without --pss-sign nor -Z option
   certu -C -c "TestCA-rsa-pss-sha1" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
 
   CU_ACTION="Import $CERTNAME's Cert"
@@ -2498,17 +2498,17 @@ EOF
   CERTSERIAL=`expr $CERTSERIAL + 1`
 
   # Subject certificate: RSA-PSS
   # Issuer certificate: RSA-PSS
   # Signature: RSA-PSS (with conflicting hash algorithm, default parameters)
   CERTNAME="TestUser-rsa-pss11"
 
   CU_ACTION="Generate Cert Request for $CERTNAME"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req  2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request"
   RETEXPECTED=255
   certu -C -c "TestCA-rsa-pss-sha1" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
   RETEXPECTED=0
 }
@@ -2566,17 +2566,17 @@ cert_test_rsapss_policy()
   CERTSERIAL=`expr $CERTSERIAL + 1`
 
   CERTNAME="TestUser-rsa-pss-policy"
 
   # Subject certificate: RSA-PSS
   # Issuer certificate: RSA
   # Signature: RSA-PSS (explicit, with --pss-sign and -Z SHA1)
   CU_ACTION="Generate Cert Request for $CERTNAME"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req  2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request"
   certu -C -c "TestCA" --pss-sign -Z SHA1 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
 
   CU_ACTION="Import $CERTNAME's Cert"
   certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
--- a/security/nss/tests/common/certsetup.sh
+++ b/security/nss/tests/common/certsetup.sh
@@ -42,16 +42,17 @@ make_cert() {
     p521) type_args=(-q secp521r1);type=ec ;;
     rsa_ca) type_args=(-g 1024);trust='CT,CT,CT';type=rsa ;;
     rsa_chain) type_args=(-g 1024);sign=(-c rsa_ca);type=rsa;;
     rsapss_ca) type_args=(-g 1024 --pss);trust='CT,CT,CT';type=rsa ;;
     rsapss_chain) type_args=(-g 1024);sign=(-c rsa_pss_ca);type=rsa;;
     rsa_ca_rsapss_chain) type_args=(-g 1024 --pss-sign);sign=(-c rsa_ca);type=rsa;;
     ecdh_rsa) type_args=(-q nistp256);sign=(-c rsa_ca);type=ec ;;
   esac
+  msg="create certificate: $@"
   shift 2
   counter=$(($counter + 1))
   certscript $@ | ${BINDIR}/certutil -S \
-    -z ${R_NOISE_FILE} -d "${PROFILEDIR}" \
+    -z "$R_NOISE_FILE" -d "$PROFILEDIR" \
     -n $name -s "CN=$name" -t "$trust" "${sign[@]}" -m "$counter" \
     -w -2 -v 120 -k "$type" "${type_args[@]}" "${sighash[@]}" -1 -2
-  html_msg $? 0 "create certificate: $@"
+  html_msg $? 0 "$msg"
 }
--- a/security/nss/tests/crmf/crmf.sh
+++ b/security/nss/tests/crmf/crmf.sh
@@ -53,22 +53,22 @@ crmf_init()
 
 ############################## crmf_main ##############################
 # local shell function to test basic CRMF request and CMMF responses
 # from 1 --> 2"
 ########################################################################
 crmf_main()
 {
   echo "$SCRIPTNAME: CRMF/CMMF Tests ------------------------------"
-  echo "crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss crmf decode"
-  ${BINDIR}/crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss crmf decode
+  echo "crmftest -d ${P_R_BOBDIR} -p Bob -e dave@example.com -s TestCA -P nss crmf decode"
+  ${BINDIR}/crmftest -d ${P_R_BOBDIR} -p Bob -e dave@example.com -s TestCA -P nss crmf decode
   html_msg $? 0 "CRMF test" "."
 
-  echo "crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss cmmf"
-  ${BINDIR}/crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss cmmf 
+  echo "crmftest -d ${P_R_BOBDIR} -p Bob -e dave@example.com -s TestCA -P nss cmmf"
+  ${BINDIR}/crmftest -d ${P_R_BOBDIR} -p Bob -e dave@example.com -s TestCA -P nss cmmf 
   html_msg $? 0 "CMMF test" "."
 
 # Add tests for key recovery and challange as crmftest's capabilities increase
 
 }
   
 ############################## crmf_cleanup ###########################
 # local shell function to finish this script (no exit since it might be
--- a/security/nss/tests/gtests/gtests.sh
+++ b/security/nss/tests/gtests/gtests.sh
@@ -18,76 +18,82 @@
 ########################################################################
 
 ############################## gtest_init ##############################
 # local shell function to initialize this script
 ########################################################################
 gtest_init()
 {
   cd "$(dirname "$1")"
+  pwd
   SOURCE_DIR="$PWD"/../..
   if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
       cd ../common
       . ./init.sh
   fi
 
   SCRIPTNAME=gtests.sh
+  . "${QADIR}"/common/certsetup.sh
 
   if [ -z "${CLEANUP}" ] ; then   # if nobody else is responsible for
     CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
   fi
 
+  mkdir -p "${GTESTDIR}"
+  cd "${GTESTDIR}"
 }
 
 ########################## gtest_start #############################
 # Local function to actually start the test
 ####################################################################
 gtest_start()
 {
   echo "gtests: ${GTESTS}"
   for i in ${GTESTS}; do
     if [ ! -f "${BINDIR}/$i" ]; then
       html_unknown "Skipping $i (not built)"
       continue
     fi
-    GTESTDIR="${HOSTDIR}/$i"
+    DIR="${GTESTDIR}/$i"
     html_head "$i"
-    if [ ! -d "$GTESTDIR" ]; then
-      mkdir -p "$GTESTDIR"
-      echo "${BINDIR}/certutil" -N -d "$GTESTDIR" --empty-password 2>&1
-      "${BINDIR}/certutil" -N -d "$GTESTDIR" --empty-password 2>&1
+    if [ ! -d "$DIR" ]; then
+      mkdir -p "$DIR"
+      echo "${BINDIR}/certutil" -N -d "$DIR" --empty-password 2>&1
+      "${BINDIR}/certutil" -N -d "$DIR" --empty-password 2>&1
+
+      PROFILEDIR="$DIR" make_cert dummy p256 sign
     fi
-    cd "$GTESTDIR"
-    GTESTREPORT="$GTESTDIR/report.xml"
-    PARSED_REPORT="$GTESTDIR/report.parsed"
+    pushd "$DIR"
+    GTESTREPORT="$DIR/report.xml"
+    PARSED_REPORT="$DIR/report.parsed"
     echo "executing $i"
     "${BINDIR}/$i" "${SOURCE_DIR}/gtests/freebl_gtest/kat/Hash_DRBG.rsp" \
-                 -d "$GTESTDIR" -w --gtest_output=xml:"${GTESTREPORT}" \
-                                   --gtest_filter="${GTESTFILTER:-*}"
+                 -d "$DIR" -w --gtest_output=xml:"${GTESTREPORT}" \
+                              --gtest_filter="${GTESTFILTER:-*}"
     html_msg $? 0 "$i run successfully"
     echo "test output dir: ${GTESTREPORT}"
     echo "executing sed to parse the xml report"
     sed -f "${COMMON}/parsegtestreport.sed" "$GTESTREPORT" > "$PARSED_REPORT"
     echo "processing the parsed report"
     cat "$PARSED_REPORT" | while read result name; do
       if [ "$result" = "notrun" ]; then
         echo "$name" SKIPPED
       elif [ "$result" = "run" ]; then
         html_passed_ignore_core "$name"
       else
         html_failed_ignore_core "$name"
       fi
     done
+    popd
   done
 }
 
 gtest_cleanup()
 {
   html "</TABLE><BR>"
-  cd "${QADIR}"
-  . common/cleanup.sh
+  . "${QADIR}"/common/cleanup.sh
 }
 
 ################## main #################################################
 GTESTS="${GTESTS:-prng_gtest certhigh_gtest certdb_gtest der_gtest pk11_gtest util_gtest freebl_gtest softoken_gtest sysinit_gtest blake2b_gtest smime_gtest}"
 gtest_init "$0"
 gtest_start
 gtest_cleanup
--- a/security/nss/tests/iopr/cert_iopr.sh
+++ b/security/nss/tests/iopr/cert_iopr.sh
@@ -247,17 +247,17 @@ download_install_certs() {
             fi
             
             #=======================================================
             # Creating server cert
             #
             CERTNAME=$HOSTADDR
             
             CU_ACTION="Generate Cert Request for $CERTNAME (ws: $host)"
-            CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, \
+            CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, \
                         L=Mountain View, ST=California, C=US"
             certu -R -d "${sslServerDir}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}"\
                 -o $sslServerDir/req 2>&1
             tmpFiles="$tmpFiles $sslServerDir/req"
 
             # NOTE:
             # For possible time synchronization problems (bug 444308) we generate
             # certificates valid also some time in past (-w -1)
--- a/security/nss/tests/iopr/server_scr/cert_gen.sh
+++ b/security/nss/tests/iopr/server_scr/cert_gen.sh
@@ -111,17 +111,17 @@ createSignedCert() {
     certName=$3
     certSN=$4
     certSubj=$5
     keyType=$6
     extList=$7
 
     echo Creating cert $certName-$keyType with SN=$certSN
 
-    CU_SUBJECT="CN=$certName, E=${certName}-${keyType}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+    CU_SUBJECT="CN=$certName, E=${certName}-${keyType}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
     repAndExec \
         certutil -R -d $dir -f "${PW_FILE}" -z "${NOISE_FILE}" \
                   -k $keyType -o $dir/req  2>&1
     [ "$RET" -ne 0 ] && return $RET
 
     signCert $dir $dir $certName-$keyType $certSN $dir/req "" $extList
     ret=$?
     [ "$ret" -ne 0 ] && return $ret
@@ -262,17 +262,17 @@ generateAndExportOCSPCerts() {
 
 generateAndExportCACert() {
     dir=$1
     certDirL=$2
     caName=$3
 
     certName=TestCA
     [ "$caName" ] && certName=$caName
-    CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+    CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
     repAndExec \
         certutil -S -n $certName -t "CTu,CTu,CTu" -v 600 -x -d ${dir} -1 -2 \
         -f ${PW_FILE} -z ${NOISE_FILE} -m `expr $$ + 2238` >&1 <<EOF
 5
 6
 9
 n
 y
index 929b793d39d6cfab9f32a288cb31e798fa0428d2..627aead0e2cf314720058b69ac54d411c8d6a25a
GIT binary patch
literal 628
zc$_n6Vk$6bV!XM4nTe5!iILHOmyJ`a&7<u*FC!y2D}zCbA-4f18*?ZNn=n&ou%WPl
zAc(^u%;lVzlbM!Zl$V)kC}to65@Z+V_02EMD@n}EQwYmUEjJW05CDmD33EF6yN3oV
z_yq?WiWmri#F&M-fjotf)Z!8aXGa4Cab81910w?yLrYU5Q{yNJej@`jWC1$4qj5g6
z{~1{sm>YW;3>rI`8XFnb9=O}Z*gM^4wcf{nS`G*5c?1G^qgSc5%u3I0I`(Ii|LpE>
z=cc`zeS)>bqboUm&D9Q>-lGNc=CViK_{W;RFfd{hkJGKfL+$QdXT5%#Jd$teX*?<7
z;r;D}yrJBUXBJlBW)>4|+Kk`y>TeNC+udP%bMA^z#lEm5H-b_Rhg5xDdY_4zk%4is
zfq@>->zoN~9*k{2oERBdSeTg@*bR7qo{<%1VKrc8Wc+Wy4dU^Gq!`)IB9s~E6E=BM
z#hN>!;UeDq-?#fNIM%RR*LSajQch_@2zzQywU5J6{YCeFb-w<!FRDhkc!_FtT#Z8b
zw)AC7j~-%h?_V{&VzNbLhUxox|4;i$3rhDdo89yKXFW%ucg-`M>X&C7=k;W)OqrQw
g)_hZJ`|s&b?|prmIrByL-UThb?T)t7PyfjV01tG^i2wiq
index ed71727fa26eea01b41a688ac474f5f9ffafe14e..0ce25bb5de5d6328fb25485aa3606fde95b4f31b
GIT binary patch
literal 617
zc$_n6VoEh=Vm!BinTe5!iP6Y_myJ`a&7<u*FC!y2D}zCbA-4f18*?ZNn=n&ou%WPl
zAc(^u%;lVzlbM!Zl$V)kC}to65@Z+V_02EMD@n}EQwYmUEjJW05CDmD33EF6yN3oV
z_yq?WiWmri#F&M-fjotf)Z!8aXGa4Cab81917iadLrYU5Q{yNJej@`jO9Ml=fI(vy
zl^vpLpbYmZC!?4c$SI-4sYRv+4yhH1xdl0?ddc~@FngGVxey8r8s{Si6C*1Fb7L=q
zL1QOVV<W>_o>Qzk9W|Gd>cva%$Y0pNuA6@Uq;koue;<~IeYy6?P{lm^N=bEIp^Zu3
z)FTd0xaSFrOgQ-b#`C8Nk(1s%)wfwR`K?$K<KCB3_DmJGXZo<%`^T4McPy9#X2)0D
zu~GWop0Q>vkJ3vmx1~E)y?V^SGxxx||E*Q2hnl`i?JZ-Ta;uk#nUR4JEf$%9?y6|m
zlEIV~KC8K4^5dJwytg<$eE->9Kf(Os+LRKpYdSYrB40;T>4yIOy0MX^)uxy|I_}TM
z`4cws`{!8top8Q(beXHmgy>j<ExV*Uc6!g>p=fh#vDlNWXG@Mx-PmzJgZDhgXJ=(c
hfioZ08gd#%FWmBQcE;Dz)-9{oKHl|W?MaiH)c}RT)7k(4
index 1b45db286f34cb0ebf0bb2572ec3251af4721dbe..12c74e9f9792cd25a77e9c0fa8f630dfc9f027a9
GIT binary patch
literal 617
zc$_n6VoEh=Vm!BinTe5!iP6}AmyJ`a&7<u*FC!y2D}zCbA-4f18*?ZNn=n&ou%WPl
zAc(^u%;lVzlbM!Zl$V)kC}to65@Z+V_02EMD@n}EQwYmUEjJW05CDmD33EF6yN3oV
z_yq?WiWmri#F&M-fjotf)Z!8aXGa4Cab81917iadLrYU5Q<EqOej@`jO9Ml=fI(vy
zl^vpLpbYmZC!?4c$SI-4sYRxS4yhH1xdl0?ddc~@FngGVxey8r8s{Si6C*1Fb7L=q
zL1QOVV<W@ylP?6e8LzMW`h92Io{Lu;ZFcJSdT&m6Wf(h!Ba3gn-_L~ssVd2GwG$5(
zP5Dw1KTG)jsZ$THWf>Lc_ul?ic6Gyh^~9{-{9Skc)OTt*>r{N3z`I26N^DHT@AAsk
z{eGuUmfP1@FG<#O@>VaM*s{cVuCt*iV_T{8v1ju6XZ6f(CNnWJGBBdWA~Vok^8;UY
zH8?FU)o+ksV-7T8dMs2fy6Wte6$$KV!QO3qdjEg>DcAkOJf*j9Z|^O?jwbg#8y0yx
zc<=tD8NqJs{XA{kf$a<bU)!~lw=I~*rO21_{i5Ww(`~Oxk8ZhW{^z#EOinT0{raLG
fM2{XnpmpLoPv-C2Iwo<ElPvb9+|j-3e1;nUn6l3o
--- a/security/nss/tests/libpkix/certs/make-ca-u50-u51
+++ b/security/nss/tests/libpkix/certs/make-ca-u50-u51
@@ -21,17 +21,17 @@ y
 n
 5
 6
 7
 9
 n
 CERTSCRIPT
 
-certutil -S -z noise -g 1024 -d . -n u50 -s "CN=TestUser50,E=TestUser50@bogus.com,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 50 -v 598
+certutil -S -z noise -g 1024 -d . -n u50 -s "CN=TestUser50,E=TestUser50@example.com,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 50 -v 598
 
-certutil -S -z noise -g 1024 -d . -n u51 -s "CN=TestUser51,E=TestUser51@bogus.com,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 51 -v 598
+certutil -S -z noise -g 1024 -d . -n u51 -s "CN=TestUser51,E=TestUser51@example.com,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 51 -v 598
 
 certutil -d . -L -n ca -r > TestCA.ca.cert
 certutil -d . -L -n u50 -r > TestUser50.cert
 certutil -d . -L -n u51 -r > TestUser51.cert
 
 echo "Created multiple files in subdirectory tmp: TestCA.ca.cert TestUser50.cert TestUser51.cert"
old mode 100755
new mode 100644
index 48172a5ed51a3e364dc18ab8a8f02a8f980df5e0..07ebff7ab2be829ef9b4ba8174a49176f7911658
GIT binary patch
literal 605
zc$_n6Vv00qVm!2fnTe5!iILfWmyJ`a&7<u*FC!xhD}zCbA-4f18*?ZNn=n&ou%WPl
zAc(^u%;lVzlbM!Zl$V)kC}to65@Z+V_02EMD@n}EQwYmUEjJW05CDmD33EF6yN3oV
z_yq?WiWmri#F&M-fjotf)Z!8aXGa4$ab5#sLqkJjLo*XI1LG(l*V4cU&NXOkpt3U*
z4CLVc<YW{Rbj-<2PIXAFNX#wBN!3fv&o$&T;DI=l6)b1aI3GD^7+D#Z8+#cH8atU9
z8yP;$N%DCV{XgfrZsn0!r{dB^o5q)`vm8VdTce+y<URUx!~cKJ=RHb@5V{l-(LcRd
zXj{7+Gh4*;wACy**Y5P$zrL87&#V>q+T}|B^mV+Ut1jn1pKiHi&57Kfdv2JgZ5I3c
zq%7a`_P=wbEBr#*9)H>T^xE|stNZRRx%PhJD*-=^Xk8{|Mg~T-m}3UItGDCnQ4P<z
zvzE<FGG;!%r25Il{V#89Y<>67{;$eSuPs|XEw&0+8o;qCJZ%BThD#z5J1kZ#%u+sY
zRDF8q3dMTcgICq>#Pj^Km@Fh#_cPLdPRqm6W(F;fbNl`ToiJU$p_h5lzIE&h^HTQD
d-uiQcnO)|L)ptWo+~@O(bGe(PE5BUw9RLs+(%b+5
--- a/security/nss/tests/smime/bob.txt
+++ b/security/nss/tests/smime/bob.txt
@@ -1,6 +1,6 @@
 Date: Wed, 20 Sep 2000 00:00:01 -0700 (PDT)
-From: bob@bogus.com
+From: bob@example.com
 Subject: message Bob --> Alice
-To: alice@bogus.com
+To: alice@example.com
 
 This is a test message from Bob to Alice.
--- a/security/nss/tests/smime/smime.sh
+++ b/security/nss/tests/smime/smime.sh
@@ -102,18 +102,18 @@ cms_sign()
   html_msg $? 0 "Decode Alice's Attached Signature (ECDSA w/ ${HASH})" "."
 
   echo "diff alice.txt alice-ec.data.${HASH}"
   diff alice.txt alice-ec.data.${HASH}
   html_msg $? 0 "Compare Attached Signed Data and Original (ECDSA w/ ${HASH})" "."
 }
 
 header_mime_from_to_subject="MIME-Version: 1.0
-From: Alice@bogus.com
-To: Bob@bogus.com
+From: Alice@example.com
+To: Bob@example.com
 Subject: "
 
 header_opaque_signed="Content-Type: application/pkcs7-mime; name=smime.p7m;
     smime-type=signed-data
 Content-Transfer-Encoding: base64
 Content-Disposition: attachment; filename=smime.p7m
 Content-Description: S/MIME Cryptographic Signature
 "
@@ -162,17 +162,17 @@ mime_init()
   OUT="tb/alice.textplain"
   echo "${header_plaintext}" >>${OUT}
   cat alice.txt >>${OUT}
   sed -i"" "s/\$/${CR}/" ${OUT}
 }
 
 smime_enveloped()
 {
-  ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@bogus.com -i tb/alice.mime -d ${P_R_ALICEDIR} -p nss -o tb/alice.mime.env
+  ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@example.com -i tb/alice.mime -d ${P_R_ALICEDIR} -p nss -o tb/alice.mime.env
 
   OUT="tb/alice.env.eml"
   echo -n "${header_mime_from_to_subject}" >>${OUT}
   echo "enveloped ${SIG}" >>${OUT}
   echo "${header_enveloped}" >>${OUT}
   cat "tb/alice.mime.env" | ${BINDIR}/btoa | sed 's/\r$//' >>${OUT}
   echo >>${OUT}
   sed -i"" "s/\$/${CR}/" ${OUT}
@@ -186,17 +186,17 @@ smime_signed_enveloped()
 
   OUT="tb/alice.d${SIG}.multipart"
   echo "${multipart_start}" | sed "s/HASHHASH/${HASH}/" >>${OUT}
   cat tb/alice.mime | sed 's/\r$//' >>${OUT}
   echo "${multipart_middle}" >>${OUT}
   cat tb/alice.mime.d${SIG} | ${BINDIR}/btoa | sed 's/\r$//' >>${OUT}
   echo "${multipart_end}" >>${OUT}
 
-  ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@bogus.com -i ${OUT} -d ${P_R_ALICEDIR} -p nss -o ${OUT}.env
+  ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@example.com -i ${OUT} -d ${P_R_ALICEDIR} -p nss -o ${OUT}.env
 
   OUT="tb/alice.d${SIG}.multipart.eml"
   echo -n "${header_mime_from_to_subject}" >>${OUT}
   echo "clear-signed ${SIG}" >>${OUT}
   cat "tb/alice.d${SIG}.multipart" >>${OUT}
   sed -i"" "s/\$/$CR/" ${OUT}
 
   OUT="tb/alice.d${SIG}.multipart.env.eml"
@@ -208,17 +208,17 @@ smime_signed_enveloped()
   sed -i"" "s/\$/$CR/" ${OUT}
 
   ${PROFTOOL} ${BINDIR}/cmsutil -S -N Alice ${HASH_CMD} -i tb/alice.textplain -d ${P_R_ALICEDIR} -p nss -o tb/alice.textplain.${SIG}
 
   OUT="tb/alice.${SIG}.opaque"
   echo "$header_opaque_signed" >>${OUT}
   cat tb/alice.textplain.${SIG} | ${BINDIR}/btoa | sed 's/\r$//' >>${OUT}
 
-  ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@bogus.com -i ${OUT} -d ${P_R_ALICEDIR} -p nss -o ${OUT}.env
+  ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@example.com -i ${OUT} -d ${P_R_ALICEDIR} -p nss -o ${OUT}.env
 
   OUT="tb/alice.${SIG}.opaque.eml"
   echo -n "${header_mime_from_to_subject}" >>${OUT}
   echo "opaque-signed $SIG" >>${OUT}
   cat "tb/alice.${SIG}.opaque" >>${OUT}
   echo >>${OUT}
   sed -i"" "s/\$/$CR/" ${OUT}
 
@@ -296,49 +296,49 @@ smime_main()
   HASH="384"
   cms_sign
   smime_signed_enveloped
   HASH="512"
   cms_sign
   smime_signed_enveloped
 
   echo "$SCRIPTNAME: Enveloped Data Tests ------------------------------"
-  echo "cmsutil -E -r bob@bogus.com -i alice.txt -d ${P_R_ALICEDIR} -p nss \\"
+  echo "cmsutil -E -r bob@example.com -i alice.txt -d ${P_R_ALICEDIR} -p nss \\"
   echo "        -o alice.env"
-  ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@bogus.com -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.env
+  ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@example.com -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.env
   html_msg $? 0 "Create Enveloped Data Alice" "."
 
   echo "cmsutil -D -i alice.env -d ${P_R_BOBDIR} -p nss -o alice.data1"
   ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.env -d ${P_R_BOBDIR} -p nss -o alice.data1
   html_msg $? 0 "Decode Enveloped Data Alice" "."
 
   echo "diff alice.txt alice.data1"
   diff alice.txt alice.data1
   html_msg $? 0 "Compare Decoded Enveloped Data and Original" "."
 
   # multiple recip
   echo "$SCRIPTNAME: Testing multiple recipients ------------------------------"
   echo "cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o alicecc.env \\"
-  echo "        -r bob@bogus.com,dave@bogus.com"
+  echo "        -r bob@example.com,dave@example.com"
   ${PROFTOOL} ${BINDIR}/cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o alicecc.env \
-          -r bob@bogus.com,dave@bogus.com
+          -r bob@example.com,dave@example.com
   ret=$?
   html_msg $ret 0 "Create Multiple Recipients Enveloped Data Alice" "."
   if [ $ret != 0 ] ; then
 	echo "certutil -L -d ${P_R_ALICEDIR}"
 	${BINDIR}/certutil -L -d ${P_R_ALICEDIR}
-	echo "certutil -L -d ${P_R_ALICEDIR} -n dave@bogus.com"
-	${BINDIR}/certutil -L -d ${P_R_ALICEDIR} -n dave@bogus.com
+	echo "certutil -L -d ${P_R_ALICEDIR} -n dave@example.com"
+	${BINDIR}/certutil -L -d ${P_R_ALICEDIR} -n dave@example.com
   fi
 
   echo "$SCRIPTNAME: Testing multiple email addrs ------------------------------"
   echo "cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o aliceve.env \\"
-  echo "        -r eve@bogus.net"
+  echo "        -r eve@example.net"
   ${PROFTOOL} ${BINDIR}/cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o aliceve.env \
-          -r eve@bogus.net
+          -r eve@example.net
   ret=$?
   html_msg $ret 0 "Encrypt to a Multiple Email cert" "."
 
   echo "cmsutil -D -i alicecc.env -d ${P_R_BOBDIR} -p nss -o alice.data2"
   ${PROFTOOL} ${BINDIR}/cmsutil -D -i alicecc.env -d ${P_R_BOBDIR} -p nss -o alice.data2
   html_msg $? 0 "Decode Multiple Recipients Enveloped Data Alice by Bob" "."
 
   echo "cmsutil -D -i alicecc.env -d ${P_R_DAVEDIR} -p nss -o alice.data3"
@@ -354,30 +354,30 @@ smime_main()
 
   diff alice.txt alice.data3
   html_msg $? 0 "Compare Decoded Mult. Recipients Enveloped Data Alice/Dave" "."
 
   diff alice.txt alice.data4
   html_msg $? 0 "Compare Decoded with Multiple Email cert" "."
   
   echo "$SCRIPTNAME: Sending CERTS-ONLY Message ------------------------------"
-  echo "cmsutil -O -r \"Alice,bob@bogus.com,dave@bogus.com\" \\"
+  echo "cmsutil -O -r \"Alice,bob@example.com,dave@example.com\" \\"
   echo "        -d ${P_R_ALICEDIR} > co.der"
-  ${PROFTOOL} ${BINDIR}/cmsutil -O -r "Alice,bob@bogus.com,dave@bogus.com" -d ${P_R_ALICEDIR} > co.der
+  ${PROFTOOL} ${BINDIR}/cmsutil -O -r "Alice,bob@example.com,dave@example.com" -d ${P_R_ALICEDIR} > co.der
   html_msg $? 0 "Create Certs-Only Alice" "."
 
   echo "cmsutil -D -i co.der -d ${P_R_BOBDIR}"
   ${PROFTOOL} ${BINDIR}/cmsutil -D -i co.der -d ${P_R_BOBDIR}
   html_msg $? 0 "Verify Certs-Only by CA" "."
 
   echo "$SCRIPTNAME: Encrypted-Data Message ---------------------------------"
   echo "cmsutil -C -i alice.txt -e alicehello.env -d ${P_R_ALICEDIR} \\"
-  echo "        -r \"bob@bogus.com\" > alice.enc"
+  echo "        -r \"bob@example.com\" > alice.enc"
   ${PROFTOOL} ${BINDIR}/cmsutil -C -i alice.txt -e alicehello.env -d ${P_R_ALICEDIR} \
-          -r "bob@bogus.com" > alice.enc
+          -r "bob@example.com" > alice.enc
   html_msg $? 0 "Create Encrypted-Data" "."
 
   echo "cmsutil -D -i alice.enc -d ${P_R_BOBDIR} -e alicehello.env -p nss \\"
   echo "        -o alice.data2"
   ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.enc -d ${P_R_BOBDIR} -e alicehello.env -p nss -o alice.data2
   html_msg $? 0 "Decode Encrypted-Data" "."
 
   diff alice.txt alice.data2