Bug 1334127 - land NSS 01d6c0dff06f, r=me
authorFranziskus Kiefer <franziskuskiefer@gmail.com>
Mon, 13 Feb 2017 14:27:06 +0100
changeset 342761 6d5a6e5b4716
parent 342760 dfe816af3015
child 342762 0189f0cccfdc
push id31363
push userkwierso@gmail.com
push dateTue, 14 Feb 2017 21:12:30 +0000
treeherdermozilla-central@1060668405a9 [default view] [failures only]
reviewersme
bugs1334127
milestone54.0a1
Bug 1334127 - land NSS 01d6c0dff06f, r=me
security/nss/TAG-INFO
security/nss/automation/ossfuzz/build.sh
security/nss/automation/taskcluster/graph/src/extend.js
security/nss/automation/taskcluster/scripts/fuzz.sh
security/nss/automation/taskcluster/scripts/run_clang_format.sh
security/nss/cmd/addbuiltin/addbuiltin.c
security/nss/cmd/lib/secutil.c
security/nss/coreconf/coreconf.dep
security/nss/cpputil/.clang-format
security/nss/cpputil/README
security/nss/cpputil/cpputil.gyp
security/nss/cpputil/dummy_io.cc
security/nss/cpputil/dummy_io.h
security/nss/cpputil/dummy_io_fwd.cc
security/nss/cpputil/scoped_ptrs.h
security/nss/fuzz/certDN.options
security/nss/fuzz/fuzz.gyp
security/nss/fuzz/hash.options
security/nss/fuzz/mpi-add.options
security/nss/fuzz/mpi-addmod.options
security/nss/fuzz/mpi-div.options
security/nss/fuzz/mpi-expmod.options
security/nss/fuzz/mpi-mod.options
security/nss/fuzz/mpi-mulmod.options
security/nss/fuzz/mpi-sqr.options
security/nss/fuzz/mpi-sqrmod.options
security/nss/fuzz/mpi-sub.options
security/nss/fuzz/mpi-submod.options
security/nss/fuzz/mpi_add_target.cc
security/nss/fuzz/mpi_addmod_target.cc
security/nss/fuzz/mpi_div_target.cc
security/nss/fuzz/mpi_expmod_target.cc
security/nss/fuzz/mpi_helper.cc
security/nss/fuzz/mpi_helper.h
security/nss/fuzz/mpi_mod_target.cc
security/nss/fuzz/mpi_mulmod_target.cc
security/nss/fuzz/mpi_sqr_target.cc
security/nss/fuzz/mpi_sqrmod_target.cc
security/nss/fuzz/mpi_sub_target.cc
security/nss/fuzz/mpi_submod_target.cc
security/nss/fuzz/mpi_target.cc
security/nss/fuzz/quickder.options
security/nss/fuzz/tls-client.options
security/nss/fuzz/tls_client_socket.cc
security/nss/fuzz/tls_client_socket.h
security/nss/fuzz/tls_client_target.cc
security/nss/gtests/common/gtest.gypi
security/nss/gtests/common/manifest.mn
security/nss/gtests/common/scoped_ptrs.h
security/nss/gtests/der_gtest/der_gtest.gyp
security/nss/gtests/der_gtest/manifest.mn
security/nss/gtests/freebl_gtest/freebl_gtest.gyp
security/nss/gtests/google_test/google_test.gyp
security/nss/gtests/pk11_gtest/manifest.mn
security/nss/gtests/pk11_gtest/pk11_gtest.gyp
security/nss/gtests/ssl_gtest/manifest.mn
security/nss/gtests/ssl_gtest/ssl_gtest.gyp
security/nss/gtests/ssl_gtest/ssl_hrr_unittest.cc
security/nss/gtests/ssl_gtest/test_io.cc
security/nss/gtests/ssl_gtest/test_io.h
security/nss/gtests/ssl_gtest/tls_agent.cc
security/nss/gtests/util_gtest/manifest.mn
security/nss/gtests/util_gtest/util_gtest.gyp
security/nss/lib/ckfw/builtins/certdata.txt
security/nss/lib/nss/nss.def
security/nss/lib/ssl/tls13exthandle.c
security/nss/lib/util/pkcs11n.h
security/nss/nss-tool/common/scoped_ptrs.h
security/nss/nss-tool/nss_tool.gyp
security/nss/readme.md
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-e3bca65235d5
+tip
--- a/security/nss/automation/ossfuzz/build.sh
+++ b/security/nss/automation/ossfuzz/build.sh
@@ -8,16 +8,19 @@
 
 # List of targets disabled for oss-fuzz.
 declare -A disabled=([pkcs8]=1)
 
 # Build the library.
 CXX="$CXX -stdlib=libc++" LDFLAGS="$CFLAGS" \
     ./build.sh -c -v --fuzz=oss --fuzz=tls --disable-tests
 
+# Copy libFuzzer options
+cp fuzz/*.options $OUT/
+
 # Find fuzzing targets.
 for fuzzer in $(find ../dist/Debug/bin -name "nssfuzz-*" -printf "%f\n"); do
     name=${fuzzer:8}
     [ -n "${disabled[$name]:-}" ] && continue;
 
     # Copy the binary.
     cp ../dist/Debug/bin/$fuzzer $OUT/$name
 
--- a/security/nss/automation/taskcluster/graph/src/extend.js
+++ b/security/nss/automation/taskcluster/graph/src/extend.js
@@ -246,16 +246,33 @@ async function scheduleLinux(name, base)
     symbol: "modular"
   }));
 
   return queue.submit();
 }
 
 /*****************************************************************************/
 
+function scheduleFuzzingRun(base, name, target, max_len, symbol = null) {
+  const MAX_FUZZ_TIME = 300;
+
+  queue.scheduleTask(merge(base, {
+    name,
+    command: [
+      "/bin/bash",
+      "-c",
+      "bin/checkout.sh && nss/automation/taskcluster/scripts/fuzz.sh " +
+        `${target} nss/fuzz/corpus/${target} ` +
+        `-max_total_time=${MAX_FUZZ_TIME} ` +
+        `-max_len=${max_len}`
+    ],
+    symbol: symbol || name
+  }));
+}
+
 async function scheduleFuzzing() {
   let base = {
     env: {
       ASAN_OPTIONS: "allocator_may_return_null=1",
       UBSAN_OPTIONS: "print_stacktrace=1",
       NSS_DISABLE_ARENA_FREE_LIST: "1",
       NSS_DISABLE_UNLOAD: "1",
       CC: "clang",
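Review bot: scheduleFuzzingRun builds a `bash -c` command by splicing `target` and `max_len` into the string, and nothing on the function says that callers must pass only fixed, shell-safe values. The callers in this commit pass literals, so this is a documentation gap rather than a defect; a comment such as `// target and max_len are interpolated into a shell command: pass literals only.` above the function would record the assumption. `MAX_FUZZ_TIME` would also read better with its unit, `const MAX_FUZZ_TIME = 300; // seconds, for -max_total_time`. scheduleFuzzing, which starts in the trailing context, continues outside this hunk.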
@@ -302,67 +319,33 @@ async function scheduleFuzzing() {
     ],
     env: {GTESTFILTER: "*Fuzz*"},
     tests: "ssl_gtests gtests",
     cycle: "standard",
     symbol: "Gtest",
     kind: "test"
   }));
 
-  queue.scheduleTask(merge(base, {
-    parent: task_build,
-    name: "Hash",
-    command: [
-      "/bin/bash",
-      "-c",
-      "bin/checkout.sh && nss/automation/taskcluster/scripts/fuzz.sh " +
-        "hash nss/fuzz/corpus/hash -max_total_time=300 -max_len=4096"
-    ],
-    symbol: "Hash",
-    kind: "test"
-  }));
-
-  queue.scheduleTask(merge(base, {
-    parent: task_build,
-    name: "QuickDER",
-    command: [
-      "/bin/bash",
-      "-c",
-      "bin/checkout.sh && nss/automation/taskcluster/scripts/fuzz.sh " +
-        "quickder nss/fuzz/corpus/quickder -max_total_time=300 -max_len=10000"
-    ],
-    symbol: "QuickDER",
-    kind: "test"
-  }));
+  // Schedule fuzzing runs.
+  let run_base = merge(base, {parent: task_build, kind: "test"});
+  scheduleFuzzingRun(run_base, "CertDN", "certDN", 4096);
+  scheduleFuzzingRun(run_base, "Hash", "hash", 4096);
+  scheduleFuzzingRun(run_base, "QuickDER", "quickder", 10000);
 
-  queue.scheduleTask(merge(base, {
-    parent: task_build,
-    name: "MPI",
-    command: [
-      "/bin/bash",
-      "-c",
-      "bin/checkout.sh && nss/automation/taskcluster/scripts/fuzz.sh " +
-        "mpi nss/fuzz/corpus/mpi -max_total_time=300 -max_len=2048"
-    ],
-    symbol: "MPI",
-    kind: "test"
-  }));
+  // Schedule MPI fuzzing runs.
+  let mpi_base = merge(run_base, {group: "MPI"});
+  let mpi_names = ["add", "addmod", "div", "expmod", "mod", "mulmod", "sqr",
+                   "sqrmod", "sub", "submod"];
+  for (let name of mpi_names) {
+    scheduleFuzzingRun(mpi_base, `MPI (${name})`, `mpi-${name}`, 4096, name);
+  }
 
-  queue.scheduleTask(merge(base, {
-    parent: task_build,
-    name: "CertDN",
-    command: [
-      "/bin/bash",
-      "-c",
-      "bin/checkout.sh && nss/automation/taskcluster/scripts/fuzz.sh " +
-        "certDN nss/fuzz/corpus/certDN -max_total_time=300 -max_len=4096"
-    ],
-    symbol: "CertDN",
-    kind: "test"
-  }));
+  // Schedule TLS fuzzing runs.
+  let tls_base = merge(run_base, {group: "TLS"});
+  scheduleFuzzingRun(tls_base, "TLS Client", "tls-client", 20000, "client");
 
   return queue.submit();
 }
 
 /*****************************************************************************/
 
 async function scheduleTestBuilds() {
   let base = {
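Review bot: The MPI runs now use `-max_len=4096` where the removed single MPI task used 2048, and the limits passed here duplicate the `max_len` values in the new fuzz/*.options files (certDN.options in this commit also sets 4096). Nothing ties the two together, so a later edit to one side would make the taskcluster runs and the oss-fuzz runs exercise different input sizes without any signal. A comment above the calls, for example `// max_len must match fuzz/<target>.options`, would make the coupling visible; the same applies to `mpi_names`, which presumably has to match the nssfuzz-mpi-* targets in fuzz.gyp. scheduleFuzzing starts before this hunk and scheduleTestBuilds continues after it.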
--- a/security/nss/automation/taskcluster/scripts/fuzz.sh
+++ b/security/nss/automation/taskcluster/scripts/fuzz.sh
@@ -10,19 +10,23 @@ fetch_dist
 
 # Clone corpus.
 ./nss/fuzz/clone_corpus.sh
 
 # Ensure we have a corpus.
 if [ ! -d "nss/fuzz/corpus/$type" ]; then
   mkdir -p nss/fuzz/corpus/$type
 
+  set +x
+
   # Create a corpus out of what we have.
   for f in $(find nss/fuzz/corpus -type f); do
     cp $f "nss/fuzz/corpus/$type"
   done
+
+  set -x
 fi
 
 # Fetch objdir name.
 objdir=$(cat dist/latest)
 
 # Run nssfuzz.
 dist/$objdir/bin/nssfuzz-"$type" "$@"
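Review bot: The `set -x` added after the copy loop switches tracing on unconditionally, so it restores the earlier state only if xtrace was already enabled above line 10, which this hunk does not show. Running the loop in a subshell keeps the change local and needs no restore: open it with `( set +x` and close it with `)` in place of the two added lines. A short comment such as `# Silence xtrace: the loop would log one cp per corpus file.` would also explain why tracing is turned off here.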
--- a/security/nss/automation/taskcluster/scripts/run_clang_format.sh
+++ b/security/nss/automation/taskcluster/scripts/run_clang_format.sh
@@ -37,16 +37,17 @@ else
          "$top/lib/util" \
          "$top/gtests/common" \
          "$top/gtests/der_gtest" \
          "$top/gtests/freebl_gtest" \
          "$top/gtests/pk11_gtest" \
          "$top/gtests/ssl_gtest" \
          "$top/gtests/util_gtest" \
          "$top/nss-tool" \
+         "$top/cpputil" \
     )
 fi
 
 for dir in "${dirs[@]}"; do
     find "$dir" -type f \( -name '*.[ch]' -o -name '*.cc' \) -exec clang-format -i {} \+
 done
 
 TMPFILE=$(mktemp /tmp/$(basename $0).XXXXXX)
--- a/security/nss/cmd/addbuiltin/addbuiltin.c
+++ b/security/nss/cmd/addbuiltin/addbuiltin.c
@@ -26,16 +26,39 @@ dumpbytes(unsigned char *buf, int len)
         if ((i != 0) && ((i & 0xf) == 0)) {
             printf("\n");
         }
         printf("\\%03o", buf[i]);
     }
     printf("\n");
 }
 
+int
+hasPositiveTrust(unsigned int trust)
+{
+    if (trust & CERTDB_TRUSTED) {
+        if (trust & CERTDB_TRUSTED_CA) {
+            return PR_TRUE;
+        } else {
+            return PR_FALSE;
+        }
+    } else {
+        if (trust & CERTDB_TRUSTED_CA) {
+            return PR_TRUE;
+        } else if (trust & CERTDB_VALID_CA) {
+            return PR_TRUE;
+        } else if (trust & CERTDB_TERMINAL_RECORD) {
+            return PR_FALSE;
+        } else {
+            return PR_FALSE;
+        }
+    }
+    return PR_FALSE;
+}
+
 char *
 getTrustString(unsigned int trust)
 {
     if (trust & CERTDB_TRUSTED) {
         if (trust & CERTDB_TRUSTED_CA) {
             return "CKT_NSS_TRUSTED_DELEGATOR";
         } else {
             return "CKT_NSS_TRUSTED";
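Review bot: hasPositiveTrust has no comment saying what counts as positive trust, although the ConvertCertificate hunk below uses its result to decide whether CKA_NSS_MOZILLA_CA_POLICY is written for a certificate. As written it returns true for CERTDB_TRUSTED_CA, or for CERTDB_VALID_CA when CERTDB_TRUSTED is clear; the CERTDB_TERMINAL_RECORD branch and the final else return the same value and the trailing `return PR_FALSE;` is unreachable. I would add `/* True if the flags mark the cert as a trusted or valid CA; gates CKA_NSS_MOZILLA_CA_POLICY. */` and collapse the body to `return (trust & CERTDB_TRUSTED_CA) || (!(trust & CERTDB_TRUSTED) && (trust & CERTDB_VALID_CA));`. Because the attribute is emitted for any certificate with such flags, the tool's output should presumably be used only for roots that really belong to Mozilla's CA program, which deserves a line in the usage text. getTrustString, shown as context, continues outside the hunk.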
@@ -197,16 +220,21 @@ ConvertCertificate(SECItem *sdder, char 
         dumpbytes(cert->derIssuer.data, cert->derIssuer.len);
         printf("END\n");
         printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n");
         dumpbytes(serial->data, serial->len);
         printf("END\n");
         printf("CKA_VALUE MULTILINE_OCTAL\n");
         dumpbytes(sdder->data, sdder->len);
         printf("END\n");
+        if (hasPositiveTrust(trust->sslFlags) ||
+            hasPositiveTrust(trust->emailFlags) ||
+            hasPositiveTrust(trust->objectSigningFlags)) {
+            printf("CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE\n");
+        }
     }
 
     if ((trust->sslFlags | trust->emailFlags | trust->objectSigningFlags) ==
         CERTDB_TERMINAL_RECORD)
         trust_info = "Distrust";
     else
         trust_info = "Trust for";
 
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -27,17 +27,17 @@
 #include <unistd.h>
 #endif
 
 /* for SEC_TraverseNames */
 #include "cert.h"
 #include "certt.h"
 #include "certdb.h"
 
-/* #include "secmod.h" */
+#include "secmod.h"
 #include "pk11func.h"
 #include "secoid.h"
 
 static char consoleName[] = {
 #ifdef XP_UNIX
     "/dev/tty"
 #else
 #ifdef XP_OS2
@@ -3224,25 +3224,55 @@ SECU_PrintSignedContent(FILE *out, SECIt
 SECStatus
 SEC_PrintCertificateAndTrust(CERTCertificate *cert,
                              const char *label,
                              CERTCertTrust *trust)
 {
     SECStatus rv;
     SECItem data;
     CERTCertTrust certTrust;
+    PK11SlotList *slotList;
+    const char *moz_policy_ca_info = NULL;
 
     data.data = cert->derCert.data;
     data.len = cert->derCert.len;
 
     rv = SECU_PrintSignedData(stdout, &data, label, 0,
                               (SECU_PPFunc)SECU_PrintCertificate);
     if (rv) {
         return (SECFailure);
     }
+
+    slotList = PK11_GetAllSlotsForCert(cert, NULL);
+    if (slotList) {
+        PK11SlotListElement *se = PK11_GetFirstSafe(slotList);
+        for (; se; se = PK11_GetNextSafe(slotList, se, PR_FALSE)) {
+            CK_OBJECT_HANDLE handle = PK11_FindCertInSlot(se->slot, cert, NULL);
+            if (handle != CK_INVALID_HANDLE) {
+                PORT_SetError(0);
+                if (PK11_HasAttributeSet(se->slot, handle,
+                                         CKA_NSS_MOZILLA_CA_POLICY, PR_FALSE)) {
+                    moz_policy_ca_info = "true (attribute present)";
+                } else {
+                    if (PORT_GetError() != 0) {
+                        moz_policy_ca_info = "false (attribute missing)";
+                    } else {
+                        moz_policy_ca_info = "false (attribute present)";
+                    }
+                }
+            }
+        }
+        PK11_FreeSlotList(slotList);
+    }
+
+    if (moz_policy_ca_info) {
+        SECU_Indent(stdout, 1);
+        printf("Mozilla-CA-Policy: %s\n", moz_policy_ca_info);
+    }
+
     if (trust) {
         SECU_PrintTrustFlags(stdout, trust,
                              "Certificate Trust Flags", 1);
     } else if (CERT_GetCertTrust(cert, &certTrust) == SECSuccess) {
         SECU_PrintTrustFlags(stdout, &certTrust,
                              "Certificate Trust Flags", 1);
     }
 
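Review bot: The slot loop overwrites `moz_policy_ca_info` for every slot that holds the certificate, so the printed value depends on which slot happens to be visited last; a second copy of the certificate in a token without the attribute can replace a `true` reported by another token (for example the built-in roots module) with "false (attribute missing)". Recording a negative result only when nothing has been recorded yet removes the ordering dependence: change the inner `} else {` to `} else if (!moz_policy_ca_info) {`. The missing/present distinction relies on PORT_GetError() being non-zero after PK11_HasAttributeSet returns false, which deserves a comment because it is not obvious from the call. SEC_PrintCertificateAndTrust continues outside this hunk.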
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,9 +5,8 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
-
new file mode 100644
--- /dev/null
+++ b/security/nss/cpputil/.clang-format
@@ -0,0 +1,4 @@
+---
+Language: Cpp
+BasedOnStyle: Google
+...
new file mode 100644
--- /dev/null
+++ b/security/nss/cpputil/README
@@ -0,0 +1,11 @@
+######################################
+## PLEASE READ BEFORE USING CPPUTIL ##
+######################################
+
+This is a static library supposed to be mainly used by NSS internally. We use
+it for testing, fuzzing, and a few new tools written in C++ that we're
+experimenting with.
+
+You might find it handy to use for your own projects but please be aware that
+we will make no promises your application won't break in the future. We will
+provide no support if you decide to link against it.
new file mode 100644
--- /dev/null
+++ b/security/nss/cpputil/cpputil.gyp
@@ -0,0 +1,27 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+  'includes': [
+    '../coreconf/config.gypi',
+  ],
+  'targets': [
+    {
+      'target_name': 'cpputil',
+      'type': 'static_library',
+      'sources': [
+        'dummy_io.cc',
+        'dummy_io_fwd.cc',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+      ],
+      'direct_dependent_settings': {
+        'include_dirs': [
+          '<(DEPTH)/cpputil',
+        ],
+      },
+    },
+  ],
+}
+
new file mode 100644
--- /dev/null
+++ b/security/nss/cpputil/dummy_io.cc
@@ -0,0 +1,221 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <assert.h>
+#include <iostream>
+
+#include "prerror.h"
+#include "prio.h"
+
+#include "dummy_io.h"
+
+#define UNIMPLEMENTED()                                        \
+  std::cerr << "Unimplemented: " << __FUNCTION__ << std::endl; \
+  assert(false);
+
+extern const struct PRIOMethods DummyMethodsForward;
+
+ScopedPRFileDesc DummyIOLayerMethods::CreateFD(PRDescIdentity id,
+                                               DummyIOLayerMethods *methods) {
+  ScopedPRFileDesc fd(PR_CreateIOLayerStub(id, &DummyMethodsForward));
+  fd->secret = reinterpret_cast<PRFilePrivate *>(methods);
+  return fd;
+}
+
+PRStatus DummyIOLayerMethods::Close(PRFileDesc *f) {
+  f->secret = nullptr;
+  f->dtor(f);
+  return PR_SUCCESS;
+}
+
+int32_t DummyIOLayerMethods::Read(PRFileDesc *f, void *buf, int32_t length) {
+  UNIMPLEMENTED();
+  return -1;
+}
+
+int32_t DummyIOLayerMethods::Write(PRFileDesc *f, const void *buf,
+                                   int32_t length) {
+  UNIMPLEMENTED();
+  return -1;
+}
+
+int32_t DummyIOLayerMethods::Available(PRFileDesc *f) {
+  UNIMPLEMENTED();
+  return -1;
+}
+
+int64_t DummyIOLayerMethods::Available64(PRFileDesc *f) {
+  UNIMPLEMENTED();
+  return -1;
+}
+
+PRStatus DummyIOLayerMethods::Sync(PRFileDesc *f) {
+  UNIMPLEMENTED();
+  return PR_FAILURE;
+}
+
+int32_t DummyIOLayerMethods::Seek(PRFileDesc *f, int32_t offset,
+                                  PRSeekWhence how) {
+  UNIMPLEMENTED();
+  return -1;
+}
+
+int64_t DummyIOLayerMethods::Seek64(PRFileDesc *f, int64_t offset,
+                                    PRSeekWhence how) {
+  UNIMPLEMENTED();
+  return -1;
+}
+
+PRStatus DummyIOLayerMethods::FileInfo(PRFileDesc *f, PRFileInfo *info) {
+  UNIMPLEMENTED();
+  return PR_FAILURE;
+}
+
+PRStatus DummyIOLayerMethods::FileInfo64(PRFileDesc *f, PRFileInfo64 *info) {
+  UNIMPLEMENTED();
+  return PR_FAILURE;
+}
+
+int32_t DummyIOLayerMethods::Writev(PRFileDesc *f, const PRIOVec *iov,
+                                    int32_t iov_size, PRIntervalTime to) {
+  UNIMPLEMENTED();
+  return -1;
+}
+
+PRStatus DummyIOLayerMethods::Connect(PRFileDesc *f, const PRNetAddr *addr,
+                                      PRIntervalTime to) {
+  UNIMPLEMENTED();
+  return PR_FAILURE;
+}
+
+PRFileDesc *DummyIOLayerMethods::Accept(PRFileDesc *sd, PRNetAddr *addr,
+                                        PRIntervalTime to) {
+  UNIMPLEMENTED();
+  return nullptr;
+}
+
+PRStatus DummyIOLayerMethods::Bind(PRFileDesc *f, const PRNetAddr *addr) {
+  UNIMPLEMENTED();
+  return PR_FAILURE;
+}
+
+PRStatus DummyIOLayerMethods::Listen(PRFileDesc *f, int32_t depth) {
+  UNIMPLEMENTED();
+  return PR_FAILURE;
+}
+
+PRStatus DummyIOLayerMethods::Shutdown(PRFileDesc *f, int32_t how) {
+  return PR_SUCCESS;
+}
+
+int32_t DummyIOLayerMethods::Recv(PRFileDesc *f, void *buf, int32_t buflen,
+                                  int32_t flags, PRIntervalTime to) {
+  UNIMPLEMENTED();
+  return -1;
+}
+
+// Note: this is always nonblocking and assumes a zero timeout.
+int32_t DummyIOLayerMethods::Send(PRFileDesc *f, const void *buf,
+                                  int32_t amount, int32_t flags,
+                                  PRIntervalTime to) {
+  return Write(f, buf, amount);
+}
+
+int32_t DummyIOLayerMethods::Recvfrom(PRFileDesc *f, void *buf, int32_t amount,
+                                      int32_t flags, PRNetAddr *addr,
+                                      PRIntervalTime to) {
+  UNIMPLEMENTED();
+  return -1;
+}
+
+int32_t DummyIOLayerMethods::Sendto(PRFileDesc *f, const void *buf,
+                                    int32_t amount, int32_t flags,
+                                    const PRNetAddr *addr, PRIntervalTime to) {
+  UNIMPLEMENTED();
+  return -1;
+}
+
+int16_t DummyIOLayerMethods::Poll(PRFileDesc *f, int16_t in_flags,
+                                  int16_t *out_flags) {
+  UNIMPLEMENTED();
+  return -1;
+}
+
+int32_t DummyIOLayerMethods::AcceptRead(PRFileDesc *sd, PRFileDesc **nd,
+                                        PRNetAddr **raddr, void *buf,
+                                        int32_t amount, PRIntervalTime t) {
+  UNIMPLEMENTED();
+  return -1;
+}
+
+int32_t DummyIOLayerMethods::TransmitFile(PRFileDesc *sd, PRFileDesc *f,
+                                          const void *headers, int32_t hlen,
+                                          PRTransmitFileFlags flags,
+                                          PRIntervalTime t) {
+  UNIMPLEMENTED();
+  return -1;
+}
+
+// TODO: Modify to return unique names for each channel
+// somehow, as opposed to always the same static address. The current
+// implementation messes up the session cache, which is why it's off
+// elsewhere
+PRStatus DummyIOLayerMethods::Getpeername(PRFileDesc *f, PRNetAddr *addr) {
+  addr->inet.family = PR_AF_INET;
+  addr->inet.port = 0;
+  addr->inet.ip = 0;
+
+  return PR_SUCCESS;
+}
+
+PRStatus DummyIOLayerMethods::Getsockname(PRFileDesc *f, PRNetAddr *addr) {
+  UNIMPLEMENTED();
+  return PR_FAILURE;
+}
+
+PRStatus DummyIOLayerMethods::Getsockoption(PRFileDesc *f,
+                                            PRSocketOptionData *opt) {
+  switch (opt->option) {
+    case PR_SockOpt_Nonblocking:
+      opt->value.non_blocking = PR_TRUE;
+      return PR_SUCCESS;
+    default:
+      UNIMPLEMENTED();
+      break;
+  }
+
+  return PR_FAILURE;
+}
+
+PRStatus DummyIOLayerMethods::Setsockoption(PRFileDesc *f,
+                                            const PRSocketOptionData *opt) {
+  switch (opt->option) {
+    case PR_SockOpt_Nonblocking:
+      return PR_SUCCESS;
+    case PR_SockOpt_NoDelay:
+      return PR_SUCCESS;
+    default:
+      UNIMPLEMENTED();
+      break;
+  }
+
+  return PR_FAILURE;
+}
+
+int32_t DummyIOLayerMethods::Sendfile(PRFileDesc *out, PRSendFileData *in,
+                                      PRTransmitFileFlags flags,
+                                      PRIntervalTime to) {
+  UNIMPLEMENTED();
+  return -1;
+}
+
+PRStatus DummyIOLayerMethods::ConnectContinue(PRFileDesc *f, int16_t flags) {
+  UNIMPLEMENTED();
+  return PR_FAILURE;
+}
+
+int32_t DummyIOLayerMethods::Reserved(PRFileDesc *f) {
+  UNIMPLEMENTED();
+  return -1;
+}
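Review bot: CreateFD writes `fd->secret` without checking the result of PR_CreateIOLayerStub, which returns null on failure, so an allocation failure becomes a null dereference; `if (!fd) return nullptr;` before the assignment avoids that. The UNIMPLEMENTED macro expands to two statements, so inside an unbraced `if` only the log line would be guarded, and wrapping it in `do { ... } while (0)` is the usual fix. With NDEBUG the assert disappears and the stubs return -1 or PR_FAILURE without setting a PR error code, which is worth a comment on the macro.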
new file mode 100644
--- /dev/null
+++ b/security/nss/cpputil/dummy_io.h
@@ -0,0 +1,62 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef dummy_io_h__
+#define dummy_io_h__
+
+#include "prerror.h"
+#include "prio.h"
+
+#include "scoped_ptrs.h"
+
+class DummyIOLayerMethods {
+ public:
+  static ScopedPRFileDesc CreateFD(PRDescIdentity id,
+                                   DummyIOLayerMethods *methods);
+
+  virtual PRStatus Close(PRFileDesc *f);
+  virtual int32_t Read(PRFileDesc *f, void *buf, int32_t length);
+  virtual int32_t Write(PRFileDesc *f, const void *buf, int32_t length);
+  virtual int32_t Available(PRFileDesc *f);
+  virtual int64_t Available64(PRFileDesc *f);
+  virtual PRStatus Sync(PRFileDesc *f);
+  virtual int32_t Seek(PRFileDesc *f, int32_t offset, PRSeekWhence how);
+  virtual int64_t Seek64(PRFileDesc *f, int64_t offset, PRSeekWhence how);
+  virtual PRStatus FileInfo(PRFileDesc *f, PRFileInfo *info);
+  virtual PRStatus FileInfo64(PRFileDesc *f, PRFileInfo64 *info);
+  virtual int32_t Writev(PRFileDesc *f, const PRIOVec *iov, int32_t iov_size,
+                         PRIntervalTime to);
+  virtual PRStatus Connect(PRFileDesc *f, const PRNetAddr *addr,
+                           PRIntervalTime to);
+  virtual PRFileDesc *Accept(PRFileDesc *sd, PRNetAddr *addr,
+                             PRIntervalTime to);
+  virtual PRStatus Bind(PRFileDesc *f, const PRNetAddr *addr);
+  virtual PRStatus Listen(PRFileDesc *f, int32_t depth);
+  virtual PRStatus Shutdown(PRFileDesc *f, int32_t how);
+  virtual int32_t Recv(PRFileDesc *f, void *buf, int32_t buflen, int32_t flags,
+                       PRIntervalTime to);
+  virtual int32_t Send(PRFileDesc *f, const void *buf, int32_t amount,
+                       int32_t flags, PRIntervalTime to);
+  virtual int32_t Recvfrom(PRFileDesc *f, void *buf, int32_t amount,
+                           int32_t flags, PRNetAddr *addr, PRIntervalTime to);
+  virtual int32_t Sendto(PRFileDesc *f, const void *buf, int32_t amount,
+                         int32_t flags, const PRNetAddr *addr,
+                         PRIntervalTime to);
+  virtual int16_t Poll(PRFileDesc *f, int16_t in_flags, int16_t *out_flags);
+  virtual int32_t AcceptRead(PRFileDesc *sd, PRFileDesc **nd, PRNetAddr **raddr,
+                             void *buf, int32_t amount, PRIntervalTime t);
+  virtual int32_t TransmitFile(PRFileDesc *sd, PRFileDesc *f,
+                               const void *headers, int32_t hlen,
+                               PRTransmitFileFlags flags, PRIntervalTime t);
+  virtual PRStatus Getpeername(PRFileDesc *f, PRNetAddr *addr);
+  virtual PRStatus Getsockname(PRFileDesc *f, PRNetAddr *addr);
+  virtual PRStatus Getsockoption(PRFileDesc *f, PRSocketOptionData *opt);
+  virtual PRStatus Setsockoption(PRFileDesc *f, const PRSocketOptionData *opt);
+  virtual int32_t Sendfile(PRFileDesc *out, PRSendFileData *in,
+                           PRTransmitFileFlags flags, PRIntervalTime to);
+  virtual PRStatus ConnectContinue(PRFileDesc *f, int16_t flags);
+  virtual int32_t Reserved(PRFileDesc *f);
+};
+
+#endif  // dummy_io_h__
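Review bot: DummyIOLayerMethods declares every operation virtual but has no virtual destructor, so destroying a subclass through a DummyIOLayerMethods pointer would be undefined behaviour. Nothing visible in this commit deletes through the base type, but the class is clearly meant to be derived from, so `virtual ~DummyIOLayerMethods() = default;` in the public section is cheap insurance. A class comment stating that CreateFD stores the raw `methods` pointer in the descriptor without taking ownership, so the object must outlive the descriptor, would also help users of the header.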
new file mode 100644
--- /dev/null
+++ b/security/nss/cpputil/dummy_io_fwd.cc
@@ -0,0 +1,162 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "prio.h"
+
+#include "dummy_io.h"
+
+static DummyIOLayerMethods *ToMethods(PRFileDesc *f) {
+  return reinterpret_cast<DummyIOLayerMethods *>(f->secret);
+}
+
+static PRStatus DummyClose(PRFileDesc *f) { return ToMethods(f)->Close(f); }
+
+static int32_t DummyRead(PRFileDesc *f, void *buf, int32_t length) {
+  return ToMethods(f)->Read(f, buf, length);
+}
+
+static int32_t DummyWrite(PRFileDesc *f, const void *buf, int32_t length) {
+  return ToMethods(f)->Write(f, buf, length);
+}
+
+static int32_t DummyAvailable(PRFileDesc *f) {
+  return ToMethods(f)->Available(f);
+}
+
+static int64_t DummyAvailable64(PRFileDesc *f) {
+  return ToMethods(f)->Available64(f);
+}
+
+static PRStatus DummySync(PRFileDesc *f) { return ToMethods(f)->Sync(f); }
+
+static int32_t DummySeek(PRFileDesc *f, int32_t offset, PRSeekWhence how) {
+  return ToMethods(f)->Seek(f, offset, how);
+}
+
+static int64_t DummySeek64(PRFileDesc *f, int64_t offset, PRSeekWhence how) {
+  return ToMethods(f)->Seek64(f, offset, how);
+}
+
+static PRStatus DummyFileInfo(PRFileDesc *f, PRFileInfo *info) {
+  return ToMethods(f)->FileInfo(f, info);
+}
+
+static PRStatus DummyFileInfo64(PRFileDesc *f, PRFileInfo64 *info) {
+  return ToMethods(f)->FileInfo64(f, info);
+}
+
+static int32_t DummyWritev(PRFileDesc *f, const PRIOVec *iov, int32_t iov_size,
+                           PRIntervalTime to) {
+  return ToMethods(f)->Writev(f, iov, iov_size, to);
+}
+
+static PRStatus DummyConnect(PRFileDesc *f, const PRNetAddr *addr,
+                             PRIntervalTime to) {
+  return ToMethods(f)->Connect(f, addr, to);
+}
+
+static PRFileDesc *DummyAccept(PRFileDesc *f, PRNetAddr *addr,
+                               PRIntervalTime to) {
+  return ToMethods(f)->Accept(f, addr, to);
+}
+
+static PRStatus DummyBind(PRFileDesc *f, const PRNetAddr *addr) {
+  return ToMethods(f)->Bind(f, addr);
+}
+
+static PRStatus DummyListen(PRFileDesc *f, int32_t depth) {
+  return ToMethods(f)->Listen(f, depth);
+}
+
+static PRStatus DummyShutdown(PRFileDesc *f, int32_t how) {
+  return ToMethods(f)->Shutdown(f, how);
+}
+
+static int32_t DummyRecv(PRFileDesc *f, void *buf, int32_t buflen,
+                         int32_t flags, PRIntervalTime to) {
+  return ToMethods(f)->Recv(f, buf, buflen, flags, to);
+}
+
+static int32_t DummySend(PRFileDesc *f, const void *buf, int32_t amount,
+                         int32_t flags, PRIntervalTime to) {
+  return ToMethods(f)->Send(f, buf, amount, flags, to);
+}
+
+static int32_t DummyRecvfrom(PRFileDesc *f, void *buf, int32_t amount,
+                             int32_t flags, PRNetAddr *addr,
+                             PRIntervalTime to) {
+  return ToMethods(f)->Recvfrom(f, buf, amount, flags, addr, to);
+}
+
+static int32_t DummySendto(PRFileDesc *f, const void *buf, int32_t amount,
+                           int32_t flags, const PRNetAddr *addr,
+                           PRIntervalTime to) {
+  return ToMethods(f)->Sendto(f, buf, amount, flags, addr, to);
+}
+
+static int16_t DummyPoll(PRFileDesc *f, int16_t in_flags, int16_t *out_flags) {
+  return ToMethods(f)->Poll(f, in_flags, out_flags);
+}
+
+static int32_t DummyAcceptRead(PRFileDesc *f, PRFileDesc **nd,
+                               PRNetAddr **raddr, void *buf, int32_t amount,
+                               PRIntervalTime t) {
+  return ToMethods(f)->AcceptRead(f, nd, raddr, buf, amount, t);
+}
+
+static int32_t DummyTransmitFile(PRFileDesc *sd, PRFileDesc *f,
+                                 const void *headers, int32_t hlen,
+                                 PRTransmitFileFlags flags, PRIntervalTime t) {
+  return ToMethods(f)->TransmitFile(sd, f, headers, hlen, flags, t);
+}
+
+static PRStatus DummyGetpeername(PRFileDesc *f, PRNetAddr *addr) {
+  return ToMethods(f)->Getpeername(f, addr);
+}
+
+static PRStatus DummyGetsockname(PRFileDesc *f, PRNetAddr *addr) {
+  return ToMethods(f)->Getsockname(f, addr);
+}
+
+static PRStatus DummyGetsockoption(PRFileDesc *f, PRSocketOptionData *opt) {
+  return ToMethods(f)->Getsockoption(f, opt);
+}
+
+static PRStatus DummySetsockoption(PRFileDesc *f,
+                                   const PRSocketOptionData *opt) {
+  return ToMethods(f)->Setsockoption(f, opt);
+}
+
+static int32_t DummySendfile(PRFileDesc *f, PRSendFileData *in,
+                             PRTransmitFileFlags flags, PRIntervalTime to) {
+  return ToMethods(f)->Sendfile(f, in, flags, to);
+}
+
+static PRStatus DummyConnectContinue(PRFileDesc *f, int16_t flags) {
+  return ToMethods(f)->ConnectContinue(f, flags);
+}
+
+static int32_t DummyReserved(PRFileDesc *f) {
+  return ToMethods(f)->Reserved(f);
+}
+
+extern const struct PRIOMethods DummyMethodsForward = {
+    PR_DESC_LAYERED,    DummyClose,
+    DummyRead,          DummyWrite,
+    DummyAvailable,     DummyAvailable64,
+    DummySync,          DummySeek,
+    DummySeek64,        DummyFileInfo,
+    DummyFileInfo64,    DummyWritev,
+    DummyConnect,       DummyAccept,
+    DummyBind,          DummyListen,
+    DummyShutdown,      DummyRecv,
+    DummySend,          DummyRecvfrom,
+    DummySendto,        DummyPoll,
+    DummyAcceptRead,    DummyTransmitFile,
+    DummyGetsockname,   DummyGetpeername,
+    DummyReserved,      DummyReserved,
+    DummyGetsockoption, DummySetsockoption,
+    DummySendfile,      DummyConnectContinue,
+    DummyReserved,      DummyReserved,
+    DummyReserved,      DummyReserved};
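Review bot: DummyTransmitFile looks up the method object with `ToMethods(f)`, where `f` is the second argument (the file to send), while every other forwarder dispatches on the descriptor the call was made on. If `f` is an ordinary file descriptor its `secret` is not a DummyIOLayerMethods pointer, and the reinterpret_cast in ToMethods would turn it into a call through an unrelated object; the line should presumably read `return ToMethods(sd)->TransmitFile(sd, f, headers, hlen, flags, t);`. ToMethods itself would benefit from a comment that it is only valid on descriptors created by DummyIOLayerMethods::CreateFD.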
new file mode 100644
--- /dev/null
+++ b/security/nss/cpputil/scoped_ptrs.h
@@ -0,0 +1,59 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef scoped_ptrs_h__
+#define scoped_ptrs_h__
+
+#include <memory>
+#include "cert.h"
+#include "keyhi.h"
+#include "pk11pub.h"
+
+struct ScopedDelete {
+  void operator()(CERTCertificate* cert) { CERT_DestroyCertificate(cert); }
+  void operator()(CERTCertificateList* list) {
+    CERT_DestroyCertificateList(list);
+  }
+  void operator()(CERTCertList* list) { CERT_DestroyCertList(list); }
+  void operator()(CERTSubjectPublicKeyInfo* spki) {
+    SECKEY_DestroySubjectPublicKeyInfo(spki);
+  }
+  void operator()(PK11SlotInfo* slot) { PK11_FreeSlot(slot); }
+  void operator()(PK11SymKey* key) { PK11_FreeSymKey(key); }
+  void operator()(PRFileDesc* fd) { PR_Close(fd); }
+  void operator()(SECAlgorithmID* id) { SECOID_DestroyAlgorithmID(id, true); }
+  void operator()(SECItem* item) { SECITEM_FreeItem(item, true); }
+  void operator()(SECKEYPublicKey* key) { SECKEY_DestroyPublicKey(key); }
+  void operator()(SECKEYPrivateKey* key) { SECKEY_DestroyPrivateKey(key); }
+};
+
+template <class T>
+struct ScopedMaybeDelete {
+  void operator()(T* ptr) {
+    if (ptr) {
+      ScopedDelete del;
+      del(ptr);
+    }
+  }
+};
+
+#define SCOPED(x) typedef std::unique_ptr<x, ScopedMaybeDelete<x> > Scoped##x
+
+SCOPED(CERTCertificate);
+SCOPED(CERTCertificateList);
+SCOPED(CERTCertList);
+SCOPED(CERTSubjectPublicKeyInfo);
+SCOPED(PK11SlotInfo);
+SCOPED(PK11SymKey);
+SCOPED(PRFileDesc);
+SCOPED(SECAlgorithmID);
+SCOPED(SECItem);
+SCOPED(SECKEYPublicKey);
+SCOPED(SECKEYPrivateKey);
+
+#undef SCOPED
+
+#endif  // scoped_ptrs_h__
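Review bot: The deleters for SECItem and SECAlgorithmID pass `true` as the free flag, so ScopedSECItem and ScopedSECAlgorithmID free the structure itself and not just its contents, and the header does not say so. Wrapping a stack object or an arena-allocated item in one of these types would hand the allocator memory it does not own; a comment above ScopedDelete, e.g. `// These wrappers own heap objects; never wrap stack or arena-allocated values.`, would state the contract. The header also uses PR_Close, SECITEM_FreeItem and SECOID_DestroyAlgorithmID while including only cert.h, keyhi.h and pk11pub.h, so it relies on transitive includes.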
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/certDN.options
@@ -0,0 +1,3 @@
+[libfuzzer]
+max_len = 4096
+
--- a/security/nss/fuzz/fuzz.gyp
+++ b/security/nss/fuzz/fuzz.gyp
@@ -24,16 +24,17 @@
   },
   'targets': [
     {
       'target_name': 'fuzz_base',
       'dependencies': [
         '<(DEPTH)/lib/certdb/certdb.gyp:certdb',
         '<(DEPTH)/lib/certhigh/certhigh.gyp:certhi',
         '<(DEPTH)/lib/cryptohi/cryptohi.gyp:cryptohi',
+        '<(DEPTH)/lib/ssl/ssl.gyp:ssl',
         '<(DEPTH)/lib/base/base.gyp:nssb',
         '<(DEPTH)/lib/dev/dev.gyp:nssdev',
         '<(DEPTH)/lib/pki/pki.gyp:nsspki',
         '<(DEPTH)/lib/util/util.gyp:nssutil',
         '<(DEPTH)/lib/nss/nss.gyp:nss_static',
         '<(DEPTH)/lib/pkcs7/pkcs7.gyp:pkcs7',
         # This is a static build of pk11wrap, softoken, and freebl.
         '<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap_static',
@@ -47,30 +48,52 @@
           'cflags/': [
             ['exclude', '-fsanitize-coverage'],
           ],
           'xcode_settings': {
             'OTHER_CFLAGS/': [
               ['exclude', '-fsanitize-coverage'],
             ],
           },
-          'direct_dependent_settings': {
-            'include_dirs': [
-              'libFuzzer',
-            ],
-          },
         }, {
           'type': 'none',
-          'direct_dependent_settings': {
+          'all_dependent_settings': {
             'libraries': ['-lFuzzingEngine'],
           }
         }]
       ],
     },
     {
+      'target_name': 'nssfuzz-mpi-base',
+      'type': 'none',
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        'fuzz_base',
+      ],
+      'direct_dependent_settings': {
+        'include_dirs': [
+          '<(DEPTH)/lib/freebl/mpi',
+        ],
+        'sources': [
+          'mpi_helper.cc',
+        ],
+        'conditions': [
+          [ 'fuzz_oss==1', {
+            'libraries': [
+              '/usr/lib/x86_64-linux-gnu/libcrypto.a',
+            ],
+          }, {
+            'libraries': [
+              '-lcrypto',
+            ],
+          }],
+        ],
+      },
+    },
+    {
       'target_name': 'nssfuzz-pkcs8',
       'type': 'executable',
       'sources': [
         'asn1_mutators.cc',
         'pkcs8_target.cc',
       ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports',
@@ -96,62 +119,173 @@
         'hash_target.cc',
       ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports',
         'fuzz_base',
       ],
     },
     {
-      'target_name': 'nssfuzz-mpi',
-      'type': 'executable',
-      'sources': [
-        'mpi_target.cc',
-      ],
-      'dependencies': [
-        '<(DEPTH)/exports.gyp:nss_exports',
-        'fuzz_base',
-      ],
-      'conditions': [
-        [ 'fuzz_oss==1', {
-          'libraries': [
-            '/usr/lib/x86_64-linux-gnu/libcrypto.a',
-          ],
-        }, {
-          'libraries': [
-            '-lcrypto',
-          ],
-        }],
-      ],
-      'include_dirs': [
-        '<(DEPTH)/lib/freebl/mpi',
-      ],
-    },
-    {
       'target_name': 'nssfuzz-certDN',
       'type': 'executable',
       'sources': [
         'certDN_target.cc',
       ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports',
         'fuzz_base',
       ],
     },
     {
+      'target_name': 'nssfuzz-mpi-add',
+      'type': 'executable',
+      'sources': [
+        'mpi_add_target.cc',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        'nssfuzz-mpi-base',
+      ],
+    },
+    {
+      'target_name': 'nssfuzz-mpi-sub',
+      'type': 'executable',
+      'sources': [
+        'mpi_sub_target.cc',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        'nssfuzz-mpi-base',
+      ],
+    },
+    {
+      'target_name': 'nssfuzz-mpi-sqr',
+      'type': 'executable',
+      'sources': [
+        'mpi_sqr_target.cc',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        'nssfuzz-mpi-base',
+      ],
+    },
+    {
+      'target_name': 'nssfuzz-mpi-div',
+      'type': 'executable',
+      'sources': [
+        'mpi_div_target.cc',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        'nssfuzz-mpi-base',
+      ],
+    },
+    {
+      'target_name': 'nssfuzz-mpi-mod',
+      'type': 'executable',
+      'sources': [
+        'mpi_mod_target.cc',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        'nssfuzz-mpi-base',
+      ],
+    },
+    {
+      'target_name': 'nssfuzz-mpi-sqrmod',
+      'type': 'executable',
+      'sources': [
+        'mpi_sqrmod_target.cc',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        'nssfuzz-mpi-base',
+      ],
+    },
+    {
+      'target_name': 'nssfuzz-mpi-addmod',
+      'type': 'executable',
+      'sources': [
+        'mpi_addmod_target.cc',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        'nssfuzz-mpi-base',
+      ],
+    },
+    {
+      'target_name': 'nssfuzz-mpi-submod',
+      'type': 'executable',
+      'sources': [
+        'mpi_submod_target.cc',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        'nssfuzz-mpi-base',
+      ],
+    },
+    {
+      'target_name': 'nssfuzz-mpi-mulmod',
+      'type': 'executable',
+      'sources': [
+        'mpi_mulmod_target.cc',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        'nssfuzz-mpi-base',
+      ],
+    },
+    {
+      'target_name': 'nssfuzz-mpi-expmod',
+      'type': 'executable',
+      'sources': [
+        'mpi_expmod_target.cc',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        'nssfuzz-mpi-base',
+      ],
+    },
+    {
+      'target_name': 'nssfuzz-tls-client',
+      'type': 'executable',
+      'sources': [
+        'tls_client_socket.cc',
+        'tls_client_target.cc',
+      ],
+      'dependencies': [
+        '<(DEPTH)/cpputil/cpputil.gyp:cpputil',
+        '<(DEPTH)/exports.gyp:nss_exports',
+        'fuzz_base',
+      ],
+      'include_dirs': [
+        '<(DEPTH)/lib/freebl',
+      ],
+    },
+    {
       'target_name': 'nssfuzz',
       'type': 'none',
       'dependencies': [
         'nssfuzz-certDN',
         'nssfuzz-hash',
         'nssfuzz-pkcs8',
         'nssfuzz-quickder',
+        'nssfuzz-tls-client',
       ],
       'conditions': [
         ['OS=="linux"', {
           'dependencies': [
-            'nssfuzz-mpi',
+            'nssfuzz-mpi-add',
+            'nssfuzz-mpi-addmod',
+            'nssfuzz-mpi-div',
+            'nssfuzz-mpi-expmod',
+            'nssfuzz-mpi-mod',
+            'nssfuzz-mpi-mulmod',
+            'nssfuzz-mpi-sqr',
+            'nssfuzz-mpi-sqrmod',
+            'nssfuzz-mpi-sub',
+            'nssfuzz-mpi-submod',
           ],
         }],
       ],
     }
   ],
 }
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/hash.options
@@ -0,0 +1,3 @@
+[libfuzzer]
+max_len = 4096
+
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi-add.options
@@ -0,0 +1,3 @@
+[libfuzzer]
+max_len = 2048
+
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi-addmod.options
@@ -0,0 +1,3 @@
+[libfuzzer]
+max_len = 2048
+
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi-div.options
@@ -0,0 +1,3 @@
+[libfuzzer]
+max_len = 2048
+
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi-expmod.options
@@ -0,0 +1,3 @@
+[libfuzzer]
+max_len = 2048
+
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi-mod.options
@@ -0,0 +1,3 @@
+[libfuzzer]
+max_len = 2048
+
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi-mulmod.options
@@ -0,0 +1,3 @@
+[libfuzzer]
+max_len = 2048
+
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi-sqr.options
@@ -0,0 +1,3 @@
+[libfuzzer]
+max_len = 2048
+
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi-sqrmod.options
@@ -0,0 +1,3 @@
+[libfuzzer]
+max_len = 2048
+
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi-sub.options
@@ -0,0 +1,3 @@
+[libfuzzer]
+max_len = 2048
+
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi-submod.options
@@ -0,0 +1,3 @@
+[libfuzzer]
+max_len = 2048
+
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi_add_target.cc
@@ -0,0 +1,42 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * This target fuzzes NSS mpi against openssl bignum.
+ * It therefore requires openssl to be installed.
+ */
+
+#include "mpi_helper.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  // We require at least size 3 to get two integers from Data.
+  if (size < 3) {
+    return 0;
+  }
+  INIT_NUMBERS
+
+  // Compare with OpenSSL addition
+  assert(mp_add(&a, &b, &c) == MP_OKAY);
+  (void)BN_add(C, A, B);
+  check_equal(C, &c, max_size);
+
+  // Check a + b == a - -b
+  mp_neg(&b, &b);
+  assert(mp_sub(&a, &b, &r) == MP_OKAY);
+  bool eq = mp_cmp(&r, &c) == 0;
+  if (!eq) {
+    char rC[max_size], cC[max_size], aC[max_size], bC[max_size];
+    mp_tohex(&r, rC);
+    mp_tohex(&c, cC);
+    mp_tohex(&a, aC);
+    mp_tohex(&b, bC);
+    std::cout << "a = " << std::hex << aC << std::endl;
+    std::cout << "-b = " << std::hex << bC << std::endl;
+    std::cout << "a + b = " << std::hex << cC << std::endl;
+    std::cout << "a - -b = " << std::hex << rC << std::endl;
+  }
+  assert(eq);
+
+  CLEANUP_AND_RETURN
+}
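Review bot: The NSS calls under test sit inside `assert(...)`, for example `assert(mp_add(&a, &b, &c) == MP_OKAY)` and `assert(mp_sub(&a, &b, &r) == MP_OKAY)`. A build with `NDEBUG` defined removes the call together with the check, and the target then no longer exercises the function it is named after. Assign the result first and assert on it, e.g. `mp_err rv = mp_add(&a, &b, &c);` followed by `assert(rv == MP_OKAY);`, or use a check that aborts regardless of `NDEBUG`. The same pattern appears in the other `mpi_*_target.cc` files, in `parse_input` and `get_modulus` in `mpi_helper.cc`, and in `INIT_NUMBERS` in `mpi_helper.h`.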
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi_addmod_target.cc
@@ -0,0 +1,27 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * This target fuzzes NSS mpi against openssl bignum.
+ * It therefore requires openssl to be installed.
+ */
+
+#include "mpi_helper.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  // We require at least size 3 to get two integers from Data.
+  if (size < 3) {
+    return 0;
+  }
+  INIT_NUMBERS
+
+  auto modulus = get_modulus(data, size, ctx);
+  // Compare with OpenSSL add mod
+  m1 = &std::get<1>(modulus);
+  assert(mp_addmod(&a, &b, m1, &c) == MP_OKAY);
+  (void)BN_mod_add(C, A, B, std::get<0>(modulus), ctx);
+  check_equal(C, &c, max_size);
+
+  CLEANUP_AND_RETURN
+}
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi_div_target.cc
@@ -0,0 +1,36 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * This target fuzzes NSS mpi against openssl bignum.
+ * It therefore requires openssl to be installed.
+ */
+
+#include "mpi_helper.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  // We require at least size 3 to get two integers from Data.
+  if (size < 3) {
+    return 0;
+  }
+  INIT_NUMBERS
+
+  // We can't divide by 0.
+  if (mp_cmp_z(&b) == 0) {
+    CLEANUP_AND_RETURN
+  }
+
+  // Compare with OpenSSL division
+  assert(mp_div(&a, &b, &c, &r) == MP_OKAY);
+  BN_div(C, R, A, B, ctx);
+  check_equal(C, &c, max_size);
+  check_equal(R, &r, max_size);
+
+  // Check c * b + r == a
+  assert(mp_mul(&c, &b, &c) == MP_OKAY);
+  assert(mp_add(&c, &r, &c) == MP_OKAY);
+  assert(mp_cmp(&c, &a) == 0);
+
+  CLEANUP_AND_RETURN
+}
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi_expmod_target.cc
@@ -0,0 +1,27 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * This target fuzzes NSS mpi against openssl bignum.
+ * It therefore requires openssl to be installed.
+ */
+
+#include "mpi_helper.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  // We require at least size 3 to get two integers from Data.
+  if (size < 3) {
+    return 0;
+  }
+  INIT_NUMBERS
+
+  auto modulus = get_modulus(data, size, ctx);
+  // Compare with OpenSSL exp mod
+  m1 = &std::get<1>(modulus);
+  assert(mp_exptmod(&a, &b, m1, &c) == MP_OKAY);
+  (void)BN_mod_exp(C, A, B, std::get<0>(modulus), ctx);
+  check_equal(C, &c, 2 * max_size);
+
+  CLEANUP_AND_RETURN
+}
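Review bot: `mp_exptmod(&a, &b, m1, &c)` is called with `b` exactly as parsed, so the exponent can be as long as half the input. The combined target removed by this commit shrank the exponent first (`mp_div_2d` / `BN_rshift`, with a comment that larger exponents need too much memory), and nothing here replaces that bound. With `max_len = 2048` in `mpi-expmod.options` this may be acceptable, but the per-input time and memory should be confirmed, or the exponent length capped before the call. Separately, `check_equal(C, &c, 2 * max_size)` uses a larger buffer bound than the addmod and mulmod targets without saying why; a one-line comment would help.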
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi_helper.cc
@@ -0,0 +1,100 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* Helper functions for MPI fuzzing targets. */
+
+#include "mpi_helper.h"
+#include <cstdlib>
+#include <random>
+
+char *to_char(const uint8_t *x) {
+  return reinterpret_cast<char *>(const_cast<unsigned char *>(x));
+}
+
+// Check that the two numbers are equal.
+void check_equal(BIGNUM *b, mp_int *m, size_t max_size) {
+  char *bnBc = BN_bn2hex(b);
+  char mpiMc[max_size];
+  mp_tohex(m, mpiMc);
+  std::string bnA(bnBc);
+  std::string mpiA(mpiMc);
+  OPENSSL_free(bnBc);
+  // We have to strip leading zeros from bignums, ignoring the sign.
+  if (bnA.at(0) != '-') {
+    bnA.erase(0, std::min(bnA.find_first_not_of('0'), bnA.size() - 1));
+  } else if (bnA.at(1) == '0') {
+    bnA.erase(1, std::min(bnA.find_first_not_of('0', 1) - 1, bnA.size() - 1));
+  }
+
+  if (mpiA != bnA) {
+    std::cout << "openssl: " << std::hex << bnA << std::endl;
+    std::cout << "nss:     " << std::hex << mpiA << std::endl;
+  }
+
+  assert(mpiA == bnA);
+}
+
+// Parse data into two numbers for MPI and OpenSSL Bignum.
+void parse_input(const uint8_t *data, size_t size, BIGNUM *A, BIGNUM *B,
+                 mp_int *a, mp_int *b) {
+  // Note that b might overlap a.
+  size_t len = (size_t)size / 2;
+  assert(mp_read_raw(a, to_char(data), len) == MP_OKAY);
+  assert(mp_read_raw(b, to_char(data) + len, len) == MP_OKAY);
+  // Force a positive sign.
+  // TODO: add tests for negatives.
+  MP_SIGN(a) = MP_ZPOS;
+  MP_SIGN(b) = MP_ZPOS;
+
+  // Skip the first byte as it's interpreted as sign by NSS.
+  assert(BN_bin2bn(data + 1, len - 1, A) != nullptr);
+  assert(BN_bin2bn(data + len + 1, len - 1, B) != nullptr);
+
+  check_equal(A, a, 2 * size + 1);
+  check_equal(B, b, 2 * size + 1);
+}
+
+// Parse data into a number for MPI and OpenSSL Bignum.
+void parse_input(const uint8_t *data, size_t size, BIGNUM *A, mp_int *a) {
+  assert(mp_read_raw(a, to_char(data), size) == MP_OKAY);
+
+  // Force a positive sign.
+  // TODO: add tests for negatives.
+  MP_SIGN(a) = MP_ZPOS;
+
+  // Skip the first byte as it's interpreted as sign by NSS.
+  assert(BN_bin2bn(data + 1, size - 1, A) != nullptr);
+
+  check_equal(A, a, 4 * size + 1);
+}
+
+// Take a chunk in the middle of data and use it as modulus.
+std::tuple<BIGNUM *, mp_int> get_modulus(const uint8_t *data, size_t size,
+                                         BN_CTX *ctx) {
+  BIGNUM *r1 = BN_CTX_get(ctx);
+  mp_int r2;
+  assert(mp_init(&r2) == MP_OKAY);
+
+  size_t len = static_cast<size_t>(size / 4);
+  if (len != 0) {
+    assert(mp_read_raw(&r2, to_char(data + len), len) == MP_OKAY);
+    MP_SIGN(&r2) = MP_ZPOS;
+
+    assert(BN_bin2bn(data + len + 1, len - 1, r1) != nullptr);
+    check_equal(r1, &r2, 2 * len + 1);
+  }
+
+  // If we happen to get 0 for the modulus, take a random number.
+  if (mp_cmp_z(&r2) == 0 || len == 0) {
+    mp_zero(&r2);
+    BN_zero(r1);
+    std::mt19937 rng(data[0]);
+    std::uniform_int_distribution<mp_digit> dist(1, MP_DIGIT_MAX);
+    mp_digit x = dist(rng);
+    mp_add_d(&r2, x, &r2);
+    BN_add_word(r1, x);
+  }
+
+  return std::make_tuple(r1, r2);
+}
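Review bot: In `check_equal`, `char mpiMc[max_size]` is a variable-length array (a compiler extension in C++) whose size is an estimate supplied by the caller, and `mp_tohex` writes into it without a length argument. If any caller underestimates, the harness itself overflows its stack and the crash gets attributed to NSS. Sizing the buffer from the number removes the guesswork: `std::vector<char> mpiMc(mp_radix_size(m, 16));` then `mp_tohex(m, mpiMc.data());`, assuming `mp_radix_size` returns the full length including sign and terminator, as its pairing with `mp_toradix` suggests. `<vector>` is already included by `mpi_helper.h`. The file also uses `std::min` and `assert` without including `<algorithm>` and `<cassert>` directly.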
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi_helper.h
@@ -0,0 +1,60 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* Helper functions for MPI fuzzing targets. */
+
+#ifndef mpi_helper_h__
+#define mpi_helper_h__
+
+#include <iostream>
+#include <string>
+#include <tuple>
+#include <vector>
+
+#include "hasht.h"
+#include "mpi.h"
+
+#include <openssl/bn.h>
+
+void check_equal(BIGNUM *b, mp_int *m, size_t max_size);
+void parse_input(const uint8_t *data, size_t size, BIGNUM *A, BIGNUM *B,
+                 mp_int *a, mp_int *b);
+void parse_input(const uint8_t *data, size_t size, BIGNUM *A, mp_int *a);
+std::tuple<BIGNUM *, mp_int> get_modulus(const uint8_t *data, size_t size,
+                                         BN_CTX *ctx);
+
+// Initialise MPI and BN variables
+// XXX: Also silence unused variable warnings for R.
+#define INIT_NUMBERS                     \
+  mp_int a, b, c, r;                     \
+  mp_int *m1 = nullptr;                  \
+  BN_CTX *ctx = BN_CTX_new();            \
+  BN_CTX_start(ctx);                     \
+  BIGNUM *A = BN_CTX_get(ctx);           \
+  BIGNUM *B = BN_CTX_get(ctx);           \
+  BIGNUM *C = BN_CTX_get(ctx);           \
+  BIGNUM *R = BN_CTX_get(ctx);           \
+  assert(mp_init(&a) == MP_OKAY);        \
+  assert(mp_init(&b) == MP_OKAY);        \
+  assert(mp_init(&c) == MP_OKAY);        \
+  assert(mp_init(&r) == MP_OKAY);        \
+  size_t max_size = 2 * size + 1;        \
+  parse_input(data, size, A, B, &a, &b); \
+  do {                                   \
+    (void)(R);                           \
+  } while (0);
+
+#define CLEANUP_AND_RETURN \
+  mp_clear(&a);            \
+  mp_clear(&b);            \
+  mp_clear(&c);            \
+  mp_clear(&r);            \
+  if (m1) {                \
+    mp_clear(m1);          \
+  }                        \
+  BN_CTX_end(ctx);         \
+  BN_CTX_free(ctx);        \
+  return 0;
+
+#endif  // mpi_helper_h__
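Review bot: `INIT_NUMBERS` and `CLEANUP_AND_RETURN` are undocumented statement macros that declare locals and hide a `return 0;`, so the targets cannot be read without opening this header. I would add a comment above `INIT_NUMBERS` stating that it needs `data` and `size` in scope and introduces `a`, `b`, `c`, `r`, `m1`, `ctx`, `A`, `B`, `C`, `R` and `max_size`, and one above `CLEANUP_AND_RETURN` saying that it releases those and returns from the enclosing function. `BN_CTX_new()` is also used without a null check before `BN_CTX_start(ctx)`.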
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi_mod_target.cc
@@ -0,0 +1,36 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * This target fuzzes NSS mpi against openssl bignum.
+ * It therefore requires openssl to be installed.
+ */
+
+#include "mpi_helper.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  // We require at least size 3 to get two integers from Data.
+  if (size < 3) {
+    return 0;
+  }
+  INIT_NUMBERS
+
+  // We can't divide by 0.
+  if (mp_cmp_z(&b) == 0) {
+    CLEANUP_AND_RETURN
+  }
+
+  // Compare with OpenSSL mod
+  assert(mp_mod(&a, &b, &c) == MP_OKAY);
+  (void)BN_mod(C, A, B, ctx);
+  check_equal(C, &c, max_size);
+
+  // Check a mod b = a - floor(a / b) * b
+  assert(mp_div(&a, &b, &r, nullptr) == MP_OKAY);
+  assert(mp_mul(&r, &b, &r) == MP_OKAY);
+  assert(mp_sub(&a, &r, &r) == MP_OKAY);
+  assert(mp_cmp(&c, &r) == 0);
+
+  CLEANUP_AND_RETURN
+}
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi_mulmod_target.cc
@@ -0,0 +1,27 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * This target fuzzes NSS mpi against openssl bignum.
+ * It therefore requires openssl to be installed.
+ */
+
+#include "mpi_helper.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  // We require at least size 3 to get two integers from Data.
+  if (size < 3) {
+    return 0;
+  }
+  INIT_NUMBERS
+
+  auto modulus = get_modulus(data, size, ctx);
+  // Compare with OpenSSL mul mod
+  m1 = &std::get<1>(modulus);
+  assert(mp_mulmod(&a, &b, m1, &c) == MP_OKAY);
+  (void)BN_mod_mul(C, A, B, std::get<0>(modulus), ctx);
+  check_equal(C, &c, max_size);
+
+  CLEANUP_AND_RETURN
+}
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi_sqr_target.cc
@@ -0,0 +1,53 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * This target fuzzes NSS mpi against openssl bignum.
+ * It therefore requires openssl to be installed.
+ */
+
+#include "mpi_helper.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  // We require at least size 2 to get an integers from Data.
+  if (size < 2) {
+    return 0;
+  }
+  mp_int a, c, r;
+  BN_CTX *ctx = BN_CTX_new();
+  BN_CTX_start(ctx);
+  BIGNUM *A = BN_CTX_get(ctx);
+  BIGNUM *C = BN_CTX_get(ctx);
+  assert(mp_init(&a) == MP_OKAY);
+  assert(mp_init(&c) == MP_OKAY);
+  assert(mp_init(&r) == MP_OKAY);
+  size_t max_size = 4 * size + 1;
+  parse_input(data, size, A, &a);
+
+  // Compare with OpenSSL sqr
+  assert(mp_sqr(&a, &c) == MP_OKAY);
+  (void)BN_sqr(C, A, ctx);
+  check_equal(C, &c, max_size);
+
+  // Check a * a == a**2
+  assert(mp_mul(&a, &a, &r) == MP_OKAY);
+  bool eq = mp_cmp(&r, &c) == 0;
+  if (!eq) {
+    char rC[max_size], cC[max_size], aC[max_size];
+    mp_tohex(&r, rC);
+    mp_tohex(&c, cC);
+    mp_tohex(&a, aC);
+    std::cout << "a = " << std::hex << aC << std::endl;
+    std::cout << "a * a = " << std::hex << cC << std::endl;
+    std::cout << "a ** 2 = " << std::hex << rC << std::endl;
+  }
+  assert(eq);
+  mp_clear(&a);
+  mp_clear(&c);
+  mp_clear(&r);
+  BN_CTX_end(ctx);
+  BN_CTX_free(ctx);
+
+  return 0;
+}
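Review bot: The failure diagnostics print the two results under each other's label. `c` holds the `mp_sqr` result and `r` the `mp_mul(&a, &a, &r)` result, but the output pairs `"a * a = "` with `cC` and `"a ** 2 = "` with `rC`. Swap them: `std::cout << "a * a = " << std::hex << rC << std::endl;` and `std::cout << "a ** 2 = " << std::hex << cC << std::endl;`. The opening comment also reads "an integers".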
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi_sqrmod_target.cc
@@ -0,0 +1,51 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * This target fuzzes NSS mpi against openssl bignum.
+ * It therefore requires openssl to be installed.
+ */
+
+#include "mpi_helper.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  // We require at least size 3 to get two integers from Data.
+  if (size < 3) {
+    return 0;
+  }
+  mp_int a, b, c;
+  BN_CTX *ctx = BN_CTX_new();
+  BN_CTX_start(ctx);
+  BIGNUM *A = BN_CTX_get(ctx);
+  BIGNUM *B = BN_CTX_get(ctx);
+  BIGNUM *C = BN_CTX_get(ctx);
+  assert(mp_init(&a) == MP_OKAY);
+  assert(mp_init(&b) == MP_OKAY);
+  assert(mp_init(&c) == MP_OKAY);
+  size_t max_size = 4 * size + 1;
+  parse_input(data, size, A, &a);
+
+  // We can't divide by 0.
+  if (mp_cmp_z(&b) == 0) {
+    mp_clear(&a);
+    mp_clear(&b);
+    mp_clear(&c);
+    BN_CTX_end(ctx);
+    BN_CTX_free(ctx);
+    return 0;
+  }
+
+  // Compare with OpenSSL square mod
+  assert(mp_sqrmod(&a, &b, &c) == MP_OKAY);
+  (void)BN_mod_sqr(C, A, B, ctx);
+  check_equal(C, &c, max_size);
+
+  mp_clear(&a);
+  mp_clear(&b);
+  mp_clear(&c);
+  BN_CTX_end(ctx);
+  BN_CTX_free(ctx);
+
+  return 0;
+}
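Review bot: `b` and `B` are never filled from the input. `parse_input(data, size, A, &a)` is the single-number overload, so `b` stays at its `mp_init` value (zero) and the `mp_cmp_z(&b) == 0` guard returns on every input. As written the target never reaches `mp_sqrmod` or `BN_mod_sqr`. Parse both numbers with `parse_input(data, size, A, B, &a, &b);`, or take the modulus from `get_modulus(data, size, ctx)` as the other modular targets do.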
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi_sub_target.cc
@@ -0,0 +1,42 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * This target fuzzes NSS mpi against openssl bignum.
+ * It therefore requires openssl to be installed.
+ */
+
+#include "mpi_helper.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  // We require at least size 3 to get two integers from Data.
+  if (size < 3) {
+    return 0;
+  }
+  INIT_NUMBERS
+
+  // Compare with OpenSSL subtraction
+  assert(mp_sub(&a, &b, &c) == MP_OKAY);
+  (void)BN_sub(C, A, B);
+  check_equal(C, &c, max_size);
+
+  // Check a - b == a + -b
+  mp_neg(&b, &b);
+  assert(mp_add(&a, &b, &r) == MP_OKAY);
+  bool eq = mp_cmp(&r, &c) == 0;
+  if (!eq) {
+    char rC[max_size], cC[max_size], aC[max_size], bC[max_size];
+    mp_tohex(&r, rC);
+    mp_tohex(&c, cC);
+    mp_tohex(&a, aC);
+    mp_tohex(&b, bC);
+    std::cout << "a = " << std::hex << aC << std::endl;
+    std::cout << "-b = " << std::hex << bC << std::endl;
+    std::cout << "a - b = " << std::hex << cC << std::endl;
+    std::cout << "a + -b = " << std::hex << rC << std::endl;
+  }
+  assert(eq);
+
+  CLEANUP_AND_RETURN
+}
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi_submod_target.cc
@@ -0,0 +1,27 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * This target fuzzes NSS mpi against openssl bignum.
+ * It therefore requires openssl to be installed.
+ */
+
+#include "mpi_helper.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  // We require at least size 3 to get two integers from Data.
+  if (size < 3) {
+    return 0;
+  }
+  INIT_NUMBERS
+
+  auto modulus = get_modulus(data, size, ctx);
+  // Compare with OpenSSL sub mod
+  m1 = &std::get<1>(modulus);
+  assert(mp_submod(&a, &b, m1, &c) == MP_OKAY);
+  (void)BN_mod_sub(C, A, B, std::get<0>(modulus), ctx);
+  check_equal(C, &c, 2 * max_size);
+
+  CLEANUP_AND_RETURN
+}
deleted file mode 100644
--- a/security/nss/fuzz/mpi_target.cc
+++ /dev/null
@@ -1,177 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-/*
- * This target fuzzes NSS mpi against openssl bignum.
- * It therefore requires openssl to be installed.
- */
-
-#include <algorithm>
-#include <iostream>
-#include <string>
-
-#include "hasht.h"
-#include "mpi.h"
-#include "shared.h"
-
-#include <openssl/bn.h>
-
-#define CLEAR_NUMS \
-  mp_zero(&c);     \
-  BN_zero(C);      \
-  mp_zero(&r);     \
-  BN_zero(R);
-
-// Check that the two numbers are equal.
-void check_equal(BIGNUM *b, mp_int *m, size_t max_size) {
-  char *bnBc = BN_bn2hex(b);
-  char mpiMc[max_size];
-  mp_tohex(m, mpiMc);
-  std::string bnA(bnBc);
-  std::string mpiA(mpiMc);
-  OPENSSL_free(bnBc);
-  // We have to strip leading zeros from bignums, ignoring the sign.
-  if (bnA.at(0) != '-') {
-    bnA.erase(0, std::min(bnA.find_first_not_of('0'), bnA.size() - 1));
-  } else if (bnA.at(1) == '0') {
-    bnA.erase(1, std::min(bnA.find_first_not_of('0', 1) - 1, bnA.size() - 1));
-  }
-
-  if (mpiA != bnA) {
-    std::cout << "openssl: " << std::hex << bnA << std::endl;
-    std::cout << "nss:     " << std::hex << mpiA << std::endl;
-  }
-
-  assert(mpiA == bnA);
-}
-
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
-  // We require at least size 3 to get two integers from Data.
-  if (size <= 3) {
-    return 0;
-  }
-  size_t max_size = 2 * size + 1;
-
-  mp_int a, b, c, r;
-  BN_CTX *ctx = BN_CTX_new();
-  BN_CTX_start(ctx);
-  BIGNUM *A = BN_CTX_get(ctx);
-  BIGNUM *B = BN_CTX_get(ctx);
-  BIGNUM *C = BN_CTX_get(ctx);
-  BIGNUM *R = BN_CTX_get(ctx);
-  assert(mp_init(&a) == MP_OKAY);
-  assert(mp_init(&b) == MP_OKAY);
-  assert(mp_init(&c) == MP_OKAY);
-  assert(mp_init(&r) == MP_OKAY);
-
-  // Note that b might overlap a.
-  size_t len = (size_t)size / 2;
-  assert(mp_read_raw(
-             &a, reinterpret_cast<char *>(const_cast<unsigned char *>(data)),
-             len) == MP_OKAY);
-  assert(mp_read_raw(
-             &b,
-             reinterpret_cast<char *>(const_cast<unsigned char *>(data)) + len,
-             len) == MP_OKAY);
-  // Force a positive sign.
-  // TODO: add tests for negatives.
-  MP_SIGN(&a) = MP_ZPOS;
-  MP_SIGN(&b) = MP_ZPOS;
-
-  // Skip the first byte as it's interpreted as sign by NSS.
-  assert(BN_bin2bn(data + 1, len - 1, A) != nullptr);
-  assert(BN_bin2bn(data + len + 1, len - 1, B) != nullptr);
-
-  check_equal(A, &a, max_size);
-  check_equal(B, &b, max_size);
-
-  // Addition
-  assert(mp_add(&a, &b, &c) == MP_OKAY);
-  (void)BN_add(C, A, B);
-  check_equal(C, &c, max_size);
-
-  // Subtraction
-  CLEAR_NUMS
-  assert(mp_sub(&a, &b, &c) == MP_OKAY);
-  (void)BN_sub(C, A, B);
-  check_equal(C, &c, max_size);
-
-  // Sqr
-  CLEAR_NUMS
-  assert(mp_sqr(&a, &c) == MP_OKAY);
-  (void)BN_sqr(C, A, ctx);
-  check_equal(C, &c, max_size);
-
-  // We can't divide by 0.
-  if (mp_cmp_z(&b) != 0) {
-    CLEAR_NUMS
-    assert(mp_div(&a, &b, &c, &r) == MP_OKAY);
-    BN_div(C, R, A, B, ctx);
-    check_equal(C, &c, max_size);
-    check_equal(R, &r, max_size);
-
-    // Modulo
-    CLEAR_NUMS
-    assert(mp_mod(&a, &b, &c) == MP_OKAY);
-    (void)BN_mod(C, A, B, ctx);
-    check_equal(C, &c, max_size);
-
-    // Mod sqr
-    CLEAR_NUMS
-    assert(mp_sqrmod(&a, &b, &c) == MP_OKAY);
-    (void)BN_mod_sqr(C, A, B, ctx);
-    check_equal(C, &c, max_size);
-  }
-
-  // Mod add
-  CLEAR_NUMS
-  mp_add(&a, &b, &r);
-  (void)BN_add(R, A, B);
-  assert(mp_addmod(&a, &b, &r, &c) == MP_OKAY);
-  (void)BN_mod_add(C, A, B, R, ctx);
-  check_equal(C, &c, max_size);
-
-  // Mod sub
-  CLEAR_NUMS
-  mp_add(&a, &b, &r);
-  (void)BN_add(R, A, B);
-  assert(mp_submod(&a, &b, &r, &c) == MP_OKAY);
-  (void)BN_mod_sub(C, A, B, R, ctx);
-  check_equal(C, &c, max_size);
-
-  // Mod mul
-  CLEAR_NUMS
-  mp_add(&a, &b, &r);
-  (void)BN_add(R, A, B);
-  assert(mp_mulmod(&a, &b, &r, &c) == MP_OKAY);
-  (void)BN_mod_mul(C, A, B, R, ctx);
-  check_equal(C, &c, max_size);
-
-  // Mod exp
-  // NOTE: This must be the last test as we change b!
-  CLEAR_NUMS
-  mp_add(&a, &b, &r);
-  mp_add_d(&r, 1, &r);  // NSS doesn't allow 0 as modulus here.
-  size_t num = MP_USED(&b) * MP_DIGIT_BIT;
-  mp_div_2d(&b, num, &b, nullptr);  // make the exponent smaller, larger
-                                    // exponents need too much memory
-  MP_USED(&b) = 1;
-  (void)BN_add(R, A, B);
-  BN_add_word(R, 1);
-  BN_rshift(B, B, num);
-  check_equal(B, &b, max_size);
-  assert(mp_exptmod(&a, &b, &r, &c) == MP_OKAY);
-  (void)BN_mod_exp(C, A, B, R, ctx);
-  check_equal(C, &c, max_size);
-
-  mp_clear(&a);
-  mp_clear(&b);
-  mp_clear(&c);
-  mp_clear(&r);
-
-  BN_CTX_end(ctx);
-  BN_CTX_free(ctx);
-
-  return 0;
-}
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/quickder.options
@@ -0,0 +1,3 @@
+[libfuzzer]
+max_len = 10000
+
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/tls-client.options
@@ -0,0 +1,3 @@
+[libfuzzer]
+max_len = 20000
+
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/tls_client_socket.cc
@@ -0,0 +1,34 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <assert.h>
+#include <string.h>
+#include <algorithm>
+
+#include "prerror.h"
+#include "prio.h"
+
+#include "tls_client_socket.h"
+
+int32_t DummyPrSocket::Read(PRFileDesc *f, void *data, int32_t len) {
+  assert(data && len > 0);
+
+  int32_t amount = std::min(len, static_cast<int32_t>(len_));
+  memcpy(data, buf_, amount);
+
+  buf_ += amount;
+  len_ -= amount;
+
+  return amount;
+}
+
+int32_t DummyPrSocket::Write(PRFileDesc *f, const void *buf, int32_t length) {
+  return length;
+}
+
+int32_t DummyPrSocket::Recv(PRFileDesc *f, void *buf, int32_t buflen,
+                            int32_t flags, PRIntervalTime to) {
+  assert(flags == 0);
+  return Read(f, buf, buflen);
+}
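Review bot: In `DummyPrSocket::Read`, `static_cast<int32_t>(len_)` narrows a `size_t` before the `std::min`, so a remaining length above `INT32_MAX` would turn negative and reach `memcpy` as a huge size. `max_len = 20000` in `tls-client.options` keeps that out of reach under libFuzzer, but clamping in the unsigned domain costs nothing: `size_t amount = std::min(static_cast<size_t>(len), len_);` and `return static_cast<int32_t>(amount);`. The only guard on `len` is `assert(data && len > 0)`, which disappears under `NDEBUG`.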
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/tls_client_socket.h
@@ -0,0 +1,24 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef tls_client_socket_h__
+#define tls_client_socket_h__
+
+#include "dummy_io.h"
+
+class DummyPrSocket : public DummyIOLayerMethods {
+ public:
+  DummyPrSocket(const uint8_t *buf, size_t len) : buf_(buf), len_(len) {}
+
+  int32_t Read(PRFileDesc *f, void *data, int32_t len) override;
+  int32_t Write(PRFileDesc *f, const void *buf, int32_t length) override;
+  int32_t Recv(PRFileDesc *f, void *buf, int32_t buflen, int32_t flags,
+               PRIntervalTime to) override;
+
+ private:
+  const uint8_t *buf_;
+  size_t len_;
+};
+
+#endif  // tls_client_socket_h__
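Review bot: `DummyPrSocket` stores `buf` as a borrowed raw pointer (the .cc advances it on every read), but the header does not state that the caller must keep the buffer alive for as long as the socket is in use. A comment above the constructor would record that contract: `// Does not copy |buf|; the caller must keep it valid until the FD is closed.` The header also uses `uint8_t`, `size_t` and `int32_t` without including `<stdint.h>` or `<stddef.h>` itself, presumably relying on dummy_io.h, which is not visible in this hunk.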
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/tls_client_target.cc
@@ -0,0 +1,113 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <assert.h>
+#include <stdint.h>
+#include <memory>
+
+#include "blapi.h"
+#include "prinit.h"
+#include "ssl.h"
+
+#include "shared.h"
+#include "tls_client_socket.h"
+
+static PRStatus EnableAllProtocolVersions() {
+  SSLVersionRange supported;
+
+  SECStatus rv = SSL_VersionRangeGetSupported(ssl_variant_stream, &supported);
+  assert(rv == SECSuccess);
+
+  rv = SSL_VersionRangeSetDefault(ssl_variant_stream, &supported);
+  assert(rv == SECSuccess);
+
+  return PR_SUCCESS;
+}
+
+static SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd, PRBool checksig,
+                                     PRBool isServer) {
+  return SECSuccess;
+}
+
+static void SetSocketOptions(PRFileDesc* fd) {
+  // Disable session cache for now.
+  SECStatus rv = SSL_OptionSet(fd, SSL_NO_CACHE, true);
+  assert(rv == SECSuccess);
+
+  rv = SSL_OptionSet(fd, SSL_ENABLE_EXTENDED_MASTER_SECRET, true);
+  assert(rv == SECSuccess);
+
+  rv = SSL_OptionSet(fd, SSL_ENABLE_SIGNED_CERT_TIMESTAMPS, true);
+  assert(rv == SECSuccess);
+
+  rv = SSL_OptionSet(fd, SSL_ENABLE_FALLBACK_SCSV, true);
+  assert(rv == SECSuccess);
+
+  rv = SSL_OptionSet(fd, SSL_ENABLE_ALPN, true);
+  assert(rv == SECSuccess);
+
+  rv =
+      SSL_OptionSet(fd, SSL_ENABLE_RENEGOTIATION, SSL_RENEGOTIATE_UNRESTRICTED);
+  assert(rv == SECSuccess);
+}
+
+static void EnableAllCipherSuites(PRFileDesc* fd) {
+  for (uint16_t i = 0; i < SSL_NumImplementedCiphers; ++i) {
+    SECStatus rv = SSL_CipherPrefSet(fd, SSL_ImplementedCiphers[i], true);
+    assert(rv == SECSuccess);
+  }
+}
+
+static void SetupAuthCertificateHook(PRFileDesc* fd) {
+  SECStatus rv = SSL_AuthCertificateHook(fd, AuthCertificateHook, nullptr);
+  assert(rv == SECSuccess);
+}
+
+static void DoHandshake(PRFileDesc* fd) {
+  SECStatus rv = SSL_ResetHandshake(fd, false /* asServer */);
+  assert(rv == SECSuccess);
+
+  do {
+    rv = SSL_ForceHandshake(fd);
+  } while (rv != SECSuccess && PR_GetError() == PR_WOULD_BLOCK_ERROR);
+
+  // If the handshake succeeds, let's read some data from the server, if any.
+  if (rv == SECSuccess) {
+    uint8_t block[1024];
+    int32_t nb;
+
+    // Read application data and echo it back.
+    while ((nb = PR_Read(fd, block, sizeof(block))) > 0) {
+      PR_Write(fd, block, nb);
+    }
+  }
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t len) {
+  static std::unique_ptr<NSSDatabase> db(new NSSDatabase());
+  assert(db != nullptr);
+
+  EnableAllProtocolVersions();
+
+  // Reset the RNG state.
+  SECStatus rv = RNG_ResetForFuzzing();
+  assert(rv == SECSuccess);
+
+  // Create and import dummy socket.
+  std::unique_ptr<DummyPrSocket> socket(new DummyPrSocket(data, len));
+  static PRDescIdentity id = PR_GetUniqueIdentity("fuzz-client");
+  ScopedPRFileDesc fd(DummyIOLayerMethods::CreateFD(id, socket.get()));
+  PRFileDesc* ssl_fd = SSL_ImportFD(nullptr, fd.get());
+  assert(ssl_fd == fd.get());
+
+  // Probably not too important for clients.
+  SSL_SetURL(ssl_fd, "server");
+
+  SetSocketOptions(ssl_fd);
+  EnableAllCipherSuites(ssl_fd);
+  SetupAuthCertificateHook(ssl_fd);
+  DoHandshake(ssl_fd);
+
+  return 0;
+}
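Review bot: `AuthCertificateHook` returns `SECSuccess` for every peer certificate, and nothing in the file says this is deliberate or limited to fuzzing. A comment above it would prevent the hook being copied into non-fuzz code: `// Fuzzing only: accept any server certificate so the handshake can proceed past authentication. Never use outside a fuzz target.` Every setup check in this file is also an `assert`, so in a build with NDEBUG a failed `SSL_ImportFD` would leave `ssl_fd` null and still pass it to `SSL_SetURL` and the option setters. If such builds are possible, an explicit `if (!ssl_fd) abort();` keeps the check. The `assert(db != nullptr)` after `new NSSDatabase()` cannot fire, since a throwing `new` never returns null.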
--- a/security/nss/gtests/common/gtest.gypi
+++ b/security/nss/gtests/common/gtest.gypi
@@ -1,13 +1,18 @@
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 {
   'target_defaults': {
+    'include_dirs': [
+      '<(DEPTH)/gtests/google_test/gtest/include',
+      '<(DEPTH)/gtests/common',
+      '<(DEPTH)/cpputil',
+    ],
     'cflags': [
       '-Wsign-compare',
     ],
     'xcode_settings': {
       'OTHER_CFLAGS': [
         '-Wsign-compare',
       ],
     },
--- a/security/nss/gtests/common/manifest.mn
+++ b/security/nss/gtests/common/manifest.mn
@@ -6,16 +6,17 @@ CORE_DEPTH = ../..
 DEPTH      = ../..
 MODULE = nss
 
 CPPSRCS = \
       gtests.cc \
       $(NULL)
 
 INCLUDES += -I$(CORE_DEPTH)/gtests/google_test/gtest/include \
-            -I$(CORE_DEPTH)/gtests/common
+            -I$(CORE_DEPTH)/gtests/common \
+            -I$(CORE_DEPTH)/cpputil
 
 REQUIRES = gtest
 
 EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX)
 
 # NOTE: this is not actually used but required to build gtests.o
 PROGRAM = gtests
deleted file mode 100644
--- a/security/nss/gtests/common/scoped_ptrs.h
+++ /dev/null
@@ -1,63 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef scoped_ptrs_h__
-#define scoped_ptrs_h__
-
-#include <memory>
-#include "cert.h"
-#include "keyhi.h"
-#include "pk11pub.h"
-
-namespace nss_test {
-
-struct ScopedDelete {
-  void operator()(CERTCertificate* cert) { CERT_DestroyCertificate(cert); }
-  void operator()(CERTCertificateList* list) {
-    CERT_DestroyCertificateList(list);
-  }
-  void operator()(CERTCertList* list) { CERT_DestroyCertList(list); }
-  void operator()(CERTSubjectPublicKeyInfo* spki) {
-    SECKEY_DestroySubjectPublicKeyInfo(spki);
-  }
-  void operator()(PK11SlotInfo* slot) { PK11_FreeSlot(slot); }
-  void operator()(PK11SymKey* key) { PK11_FreeSymKey(key); }
-  void operator()(PRFileDesc* fd) { PR_Close(fd); }
-  void operator()(SECAlgorithmID* id) { SECOID_DestroyAlgorithmID(id, true); }
-  void operator()(SECItem* item) { SECITEM_FreeItem(item, true); }
-  void operator()(SECKEYPublicKey* key) { SECKEY_DestroyPublicKey(key); }
-  void operator()(SECKEYPrivateKey* key) { SECKEY_DestroyPrivateKey(key); }
-};
-
-template <class T>
-struct ScopedMaybeDelete {
-  void operator()(T* ptr) {
-    if (ptr) {
-      ScopedDelete del;
-      del(ptr);
-    }
-  }
-};
-
-#define SCOPED(x) typedef std::unique_ptr<x, ScopedMaybeDelete<x> > Scoped##x
-
-SCOPED(CERTCertificate);
-SCOPED(CERTCertificateList);
-SCOPED(CERTCertList);
-SCOPED(CERTSubjectPublicKeyInfo);
-SCOPED(PK11SlotInfo);
-SCOPED(PK11SymKey);
-SCOPED(PRFileDesc);
-SCOPED(SECAlgorithmID);
-SCOPED(SECItem);
-SCOPED(SECKEYPublicKey);
-SCOPED(SECKEYPrivateKey);
-
-#undef SCOPED
-
-}  // namespace nss_test
-
-#endif
--- a/security/nss/gtests/der_gtest/der_gtest.gyp
+++ b/security/nss/gtests/der_gtest/der_gtest.gyp
@@ -19,18 +19,12 @@
         '<(DEPTH)/exports.gyp:nss_exports',
         '<(DEPTH)/gtests/google_test/google_test.gyp:gtest',
         '<(DEPTH)/lib/util/util.gyp:nssutil3',
         '<(DEPTH)/lib/ssl/ssl.gyp:ssl3',
         '<(DEPTH)/lib/nss/nss.gyp:nss3',
       ]
     }
   ],
-  'target_defaults': {
-    'include_dirs': [
-      '../../gtests/google_test/gtest/include',
-      '../../gtests/common'
-    ]
-  },
   'variables': {
     'module': 'nss'
   }
 }
--- a/security/nss/gtests/der_gtest/manifest.mn
+++ b/security/nss/gtests/der_gtest/manifest.mn
@@ -7,16 +7,17 @@ DEPTH      = ../..
 MODULE = nss
 
 CPPSRCS = \
       der_getint_unittest.cc \
       der_private_key_import_unittest.cc \
       $(NULL)
 
 INCLUDES += -I$(CORE_DEPTH)/gtests/google_test/gtest/include \
-            -I$(CORE_DEPTH)/gtests/common
+            -I$(CORE_DEPTH)/gtests/common \
+            -I$(CORE_DEPTH)/cpputil
 
 REQUIRES = nspr nss libdbm gtest
 
 PROGRAM = der_gtest
 
 EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) $(EXTRA_OBJS) \
              ../common/$(OBJDIR)/gtests$(OBJ_SUFFIX)
--- a/security/nss/gtests/freebl_gtest/freebl_gtest.gyp
+++ b/security/nss/gtests/freebl_gtest/freebl_gtest.gyp
@@ -34,17 +34,15 @@
             'CT_VERIF',
           ],
         }],
       ],
     }
   ],
   'target_defaults': {
     'include_dirs': [
-      '<(DEPTH)/gtests/google_test/gtest/include',
-      '<(DEPTH)/gtests/common',
       '<(DEPTH)/lib/freebl/mpi',
     ]
   },
   'variables': {
     'module': 'nss'
   }
 }
--- a/security/nss/gtests/google_test/google_test.gyp
+++ b/security/nss/gtests/google_test/google_test.gyp
@@ -12,16 +12,15 @@
       'type': 'static_library',
       'sources': [
         'gtest/src/gtest-all.cc'
       ],
     },
   ],
   'target_defaults': {
     'include_dirs': [
-      'gtest/include/',
       'gtest'
     ],
   },
   'variables': {
     'module': 'gtest'
   }
 }
--- a/security/nss/gtests/pk11_gtest/manifest.mn
+++ b/security/nss/gtests/pk11_gtest/manifest.mn
@@ -13,17 +13,18 @@ CPPSRCS = \
       pk11_export_unittest.cc \
       pk11_pbkdf2_unittest.cc \
       pk11_prf_unittest.cc \
       pk11_prng_unittest.cc \
       pk11_rsapss_unittest.cc \
       $(NULL)
 
 INCLUDES += -I$(CORE_DEPTH)/gtests/google_test/gtest/include \
-            -I$(CORE_DEPTH)/gtests/common
+            -I$(CORE_DEPTH)/gtests/common \
+            -I$(CORE_DEPTH)/cpputil
 
 REQUIRES = nspr nss libdbm gtest
 
 PROGRAM = pk11_gtest
 
 EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) $(EXTRA_OBJS) \
              ../common/$(OBJDIR)/gtests$(OBJ_SUFFIX)
 
--- a/security/nss/gtests/pk11_gtest/pk11_gtest.gyp
+++ b/security/nss/gtests/pk11_gtest/pk11_gtest.gyp
@@ -42,18 +42,12 @@
           'dependencies': [
             '<(DEPTH)/lib/nss/nss.gyp:nss3',
             '<(DEPTH)/lib/ssl/ssl.gyp:ssl3',
           ],
         }],
       ],
     }
   ],
-  'target_defaults': {
-    'include_dirs': [
-      '../../gtests/google_test/gtest/include',
-      '../../gtests/common'
-    ]
-  },
   'variables': {
     'module': 'nss'
   }
 }
--- a/security/nss/gtests/ssl_gtest/manifest.mn
+++ b/security/nss/gtests/ssl_gtest/manifest.mn
@@ -7,16 +7,18 @@ DEPTH      = ../..
 MODULE = nss
 
 # These sources have access to libssl internals
 CSRCS = \
       libssl_internals.c \
       $(NULL)
 
 CPPSRCS = \
+      $(CORE_DEPTH)/cpputil/dummy_io.cc \
+      $(CORE_DEPTH)/cpputil/dummy_io_fwd.cc \
       ssl_0rtt_unittest.cc \
       ssl_agent_unittest.cc \
       ssl_auth_unittest.cc \
       ssl_cert_ext_unittest.cc \
       ssl_ciphersuite_unittest.cc \
       ssl_damage_unittest.cc \
       ssl_dhe_unittest.cc \
       ssl_drop_unittest.cc \
@@ -41,16 +43,17 @@ CPPSRCS = \
       tls_connect.cc \
       tls_hkdf_unittest.cc \
       tls_filter.cc \
       tls_parser.cc \
       tls_protect.cc \
       $(NULL)
 
 INCLUDES += -I$(CORE_DEPTH)/gtests/google_test/gtest/include \
-            -I$(CORE_DEPTH)/gtests/common
+            -I$(CORE_DEPTH)/gtests/common \
+            -I$(CORE_DEPTH)/cpputil
 
 REQUIRES = nspr nss libdbm gtest
 
 PROGRAM = ssl_gtest
 EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX)
 
 USE_STATIC_LIBS = 1
--- a/security/nss/gtests/ssl_gtest/ssl_gtest.gyp
+++ b/security/nss/gtests/ssl_gtest/ssl_gtest.gyp
@@ -54,17 +54,18 @@
         '<(DEPTH)/lib/pkcs12/pkcs12.gyp:pkcs12',
         '<(DEPTH)/lib/pkcs7/pkcs7.gyp:pkcs7',
         '<(DEPTH)/lib/certhigh/certhigh.gyp:certhi',
         '<(DEPTH)/lib/cryptohi/cryptohi.gyp:cryptohi',
         '<(DEPTH)/lib/certdb/certdb.gyp:certdb',
         '<(DEPTH)/lib/pki/pki.gyp:nsspki',
         '<(DEPTH)/lib/dev/dev.gyp:nssdev',
         '<(DEPTH)/lib/base/base.gyp:nssb',
-        '<(DEPTH)/lib/zlib/zlib.gyp:nss_zlib'
+        '<(DEPTH)/lib/zlib/zlib.gyp:nss_zlib',
+        '<(DEPTH)/cpputil/cpputil.gyp:cpputil',
       ],
       'conditions': [
         [ 'test_build==1', {
           'dependencies': [
             '<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap_static',
           ],
         }, {
           'dependencies': [
@@ -94,18 +95,16 @@
             '<(DEPTH)/lib/libpkix/pkix_pl_nss/pki/pki.gyp:pkixpki',
           ],
         }],
       ],
     }
   ],
   'target_defaults': {
     'include_dirs': [
-      '../../gtests/google_test/gtest/include',
-      '../../gtests/common',
       '../../lib/ssl'
     ],
     'defines': [
       'NSS_USE_STATIC_LIBS'
     ],
   },
   'variables': {
     'module': 'nss',
--- a/security/nss/gtests/ssl_gtest/ssl_hrr_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_hrr_unittest.cc
@@ -62,16 +62,97 @@ TEST_P(TlsConnectTls13, HelloRetryReques
   // Complete the handshake successfully
   Handshake();
   ExpectEarlyDataAccepted(false);  // The server should reject 0-RTT
   CheckConnected();
   SendReceive();
   EXPECT_FALSE(capture_early_data->captured());
 }
 
+// This filter only works for DTLS 1.3 where there is exactly one handshake
+// packet. If the record is split into two packets, or there are multiple
+// handshake packets, this will break.
+class CorrectMessageSeqAfterHrrFilter : public TlsRecordFilter {
+ protected:
+  PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
+                                    const DataBuffer& record, size_t* offset,
+                                    DataBuffer* output) {
+    if (filtered_packets() > 0 || header.content_type() != content_handshake) {
+      return KEEP;
+    }
+
+    DataBuffer buffer(record);
+    TlsRecordHeader new_header = {header.version(), header.content_type(),
+                                  header.sequence_number() + 1};
+
+    // Correct message_seq.
+    buffer.Write(4, 1U, 2);
+
+    *offset = new_header.Write(output, *offset, buffer);
+    return CHANGE;
+  }
+};
+
+TEST_P(TlsConnectTls13, SecondClientHelloRejectEarlyDataXtn) {
+  static const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1,
+                                                    ssl_grp_ec_secp521r1};
+
+  SetupForZeroRtt();
+  ExpectResumption(RESUME_TICKET);
+
+  client_->ConfigNamedGroups(groups);
+  server_->ConfigNamedGroups(groups);
+  client_->Set0RttEnabled(true);
+  server_->Set0RttEnabled(true);
+
+  // A new client that tries to resume with 0-RTT but doesn't send the
+  // correct key share(s). The server will respond with an HRR.
+  auto orig_client =
+      std::make_shared<TlsAgent>(client_->name(), TlsAgent::CLIENT, mode_);
+  client_.swap(orig_client);
+  client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
+                           SSL_LIBRARY_VERSION_TLS_1_3);
+  client_->ConfigureSessionCache(RESUME_BOTH);
+  client_->Set0RttEnabled(true);
+  client_->StartConnect();
+
+  // Swap in the new client.
+  client_->SetPeer(server_);
+  server_->SetPeer(client_);
+
+  // Send the ClientHello.
+  client_->Handshake();
+  // Process the CH, send an HRR.
+  server_->Handshake();
+
+  // Swap the client we created manually with the one that successfully
+  // received a PSK, and try to resume with 0-RTT. The client doesn't know
+  // about the HRR so it will send the early_data xtn as well as 0-RTT data.
+  client_.swap(orig_client);
+  orig_client.reset();
+
+  // Correct the DTLS message sequence number after an HRR.
+  if (mode_ == DGRAM) {
+    client_->SetPacketFilter(
+        std::make_shared<CorrectMessageSeqAfterHrrFilter>());
+  }
+
+  server_->SetPeer(client_);
+  client_->Handshake();
+
+  // Send 0-RTT data.
+  const char* k0RttData = "ABCDEF";
+  const PRInt32 k0RttDataLen = static_cast<PRInt32>(strlen(k0RttData));
+  PRInt32 rv = PR_Write(client_->ssl_fd(), k0RttData, k0RttDataLen);
+  EXPECT_EQ(k0RttDataLen, rv);
+
+  Handshake();
+  client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT);
+}
+
 class KeyShareReplayer : public TlsExtensionFilter {
  public:
   KeyShareReplayer() {}
 
   virtual PacketFilter::Action FilterExtension(uint16_t extension_type,
                                                const DataBuffer& input,
                                                DataBuffer* output) {
     if (extension_type != ssl_tls13_key_share_xtn) {
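Review bot: `CorrectMessageSeqAfterHrrFilter::FilterRecord` is declared without `override`, so if its signature ever drifts from the one in `TlsRecordFilter` (not visible here) the filter would silently stop being called and the DGRAM variant of the test would exercise something else. Ending the declaration with `DataBuffer* output) override {` makes the compiler check that. The call `buffer.Write(4, 1U, 2)` also relies on unexplained constants; a comment such as `// message_seq is the 2-byte field at offset 4 of the DTLS handshake header; set it to 1.` would document it. Nothing in the filter checks that the record is at least 6 bytes long before that write; whether `DataBuffer::Write` grows the buffer cannot be seen from this hunk.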
--- a/security/nss/gtests/ssl_gtest/test_io.cc
+++ b/security/nss/gtests/ssl_gtest/test_io.cc
@@ -14,270 +14,37 @@
 #include "prerror.h"
 #include "prlog.h"
 #include "prthread.h"
 
 extern bool g_ssl_gtest_verbose;
 
 namespace nss_test {
 
-static PRDescIdentity test_fd_identity = PR_INVALID_IO_LAYER;
-
-#define UNIMPLEMENTED()                                                        \
-  std::cerr << "Call to unimplemented function " << __FUNCTION__ << std::endl; \
-  PR_ASSERT(PR_FALSE);                                                         \
-  PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0)
-
 #define LOG(a) std::cerr << name_ << ": " << a << std::endl
 #define LOGV(a)                      \
   do {                               \
     if (g_ssl_gtest_verbose) LOG(a); \
   } while (false)
 
-// Implementation of NSPR methods
-static PRStatus DummyClose(PRFileDesc *f) {
-  f->secret = nullptr;
-  f->dtor(f);
-  return PR_SUCCESS;
-}
-
-static int32_t DummyRead(PRFileDesc *f, void *buf, int32_t length) {
-  DummyPrSocket *io = reinterpret_cast<DummyPrSocket *>(f->secret);
-  return io->Read(buf, length);
-}
-
-static int32_t DummyWrite(PRFileDesc *f, const void *buf, int32_t length) {
-  DummyPrSocket *io = reinterpret_cast<DummyPrSocket *>(f->secret);
-  return io->Write(buf, length);
-}
-
-static int32_t DummyAvailable(PRFileDesc *f) {
-  UNIMPLEMENTED();
-  return -1;
-}
-
-static int64_t DummyAvailable64(PRFileDesc *f) {
-  UNIMPLEMENTED();
-  return -1;
-}
-
-static PRStatus DummySync(PRFileDesc *f) {
-  UNIMPLEMENTED();
-  return PR_FAILURE;
-}
-
-static int32_t DummySeek(PRFileDesc *f, int32_t offset, PRSeekWhence how) {
-  UNIMPLEMENTED();
-  return -1;
-}
-
-static int64_t DummySeek64(PRFileDesc *f, int64_t offset, PRSeekWhence how) {
-  UNIMPLEMENTED();
-  return -1;
-}
-
-static PRStatus DummyFileInfo(PRFileDesc *f, PRFileInfo *info) {
-  UNIMPLEMENTED();
-  return PR_FAILURE;
-}
-
-static PRStatus DummyFileInfo64(PRFileDesc *f, PRFileInfo64 *info) {
-  UNIMPLEMENTED();
-  return PR_FAILURE;
-}
-
-static int32_t DummyWritev(PRFileDesc *f, const PRIOVec *iov, int32_t iov_size,
-                           PRIntervalTime to) {
-  UNIMPLEMENTED();
-  return -1;
-}
-
-static PRStatus DummyConnect(PRFileDesc *f, const PRNetAddr *addr,
-                             PRIntervalTime to) {
-  UNIMPLEMENTED();
-  return PR_FAILURE;
-}
-
-static PRFileDesc *DummyAccept(PRFileDesc *sd, PRNetAddr *addr,
-                               PRIntervalTime to) {
-  UNIMPLEMENTED();
-  return nullptr;
-}
-
-static PRStatus DummyBind(PRFileDesc *f, const PRNetAddr *addr) {
-  UNIMPLEMENTED();
-  return PR_FAILURE;
-}
-
-static PRStatus DummyListen(PRFileDesc *f, int32_t depth) {
-  UNIMPLEMENTED();
-  return PR_FAILURE;
-}
-
-static PRStatus DummyShutdown(PRFileDesc *f, int32_t how) { return PR_SUCCESS; }
-
-// This function does not support peek.
-static int32_t DummyRecv(PRFileDesc *f, void *buf, int32_t buflen,
-                         int32_t flags, PRIntervalTime to) {
-  PR_ASSERT(flags == 0);
-  if (flags != 0) {
-    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
-    return -1;
-  }
-
-  DummyPrSocket *io = reinterpret_cast<DummyPrSocket *>(f->secret);
-
-  if (io->mode() == DGRAM) {
-    return io->Recv(buf, buflen);
-  } else {
-    return io->Read(buf, buflen);
-  }
-}
-
-// Note: this is always nonblocking and assumes a zero timeout.
-static int32_t DummySend(PRFileDesc *f, const void *buf, int32_t amount,
-                         int32_t flags, PRIntervalTime to) {
-  int32_t written = DummyWrite(f, buf, amount);
-  return written;
-}
-
-static int32_t DummyRecvfrom(PRFileDesc *f, void *buf, int32_t amount,
-                             int32_t flags, PRNetAddr *addr,
-                             PRIntervalTime to) {
-  UNIMPLEMENTED();
-  return -1;
-}
-
-static int32_t DummySendto(PRFileDesc *f, const void *buf, int32_t amount,
-                           int32_t flags, const PRNetAddr *addr,
-                           PRIntervalTime to) {
-  UNIMPLEMENTED();
-  return -1;
-}
-
-static int16_t DummyPoll(PRFileDesc *f, int16_t in_flags, int16_t *out_flags) {
-  UNIMPLEMENTED();
-  return -1;
-}
-
-static int32_t DummyAcceptRead(PRFileDesc *sd, PRFileDesc **nd,
-                               PRNetAddr **raddr, void *buf, int32_t amount,
-                               PRIntervalTime t) {
-  UNIMPLEMENTED();
-  return -1;
-}
-
-static int32_t DummyTransmitFile(PRFileDesc *sd, PRFileDesc *f,
-                                 const void *headers, int32_t hlen,
-                                 PRTransmitFileFlags flags, PRIntervalTime t) {
-  UNIMPLEMENTED();
-  return -1;
-}
-
-static PRStatus DummyGetpeername(PRFileDesc *f, PRNetAddr *addr) {
-  // TODO: Modify to return unique names for each channel
-  // somehow, as opposed to always the same static address. The current
-  // implementation messes up the session cache, which is why it's off
-  // elsewhere
-  addr->inet.family = PR_AF_INET;
-  addr->inet.port = 0;
-  addr->inet.ip = 0;
-
-  return PR_SUCCESS;
-}
-
-static PRStatus DummyGetsockname(PRFileDesc *f, PRNetAddr *addr) {
-  UNIMPLEMENTED();
-  return PR_FAILURE;
-}
-
-static PRStatus DummyGetsockoption(PRFileDesc *f, PRSocketOptionData *opt) {
-  switch (opt->option) {
-    case PR_SockOpt_Nonblocking:
-      opt->value.non_blocking = PR_TRUE;
-      return PR_SUCCESS;
-    default:
-      UNIMPLEMENTED();
-      break;
-  }
-
-  return PR_FAILURE;
-}
-
-// Imitate setting socket options. These are mostly noops.
-static PRStatus DummySetsockoption(PRFileDesc *f,
-                                   const PRSocketOptionData *opt) {
-  switch (opt->option) {
-    case PR_SockOpt_Nonblocking:
-      return PR_SUCCESS;
-    case PR_SockOpt_NoDelay:
-      return PR_SUCCESS;
-    default:
-      UNIMPLEMENTED();
-      break;
-  }
-
-  return PR_FAILURE;
-}
-
-static int32_t DummySendfile(PRFileDesc *out, PRSendFileData *in,
-                             PRTransmitFileFlags flags, PRIntervalTime to) {
-  UNIMPLEMENTED();
-  return -1;
-}
-
-static PRStatus DummyConnectContinue(PRFileDesc *f, int16_t flags) {
-  UNIMPLEMENTED();
-  return PR_FAILURE;
-}
-
-static int32_t DummyReserved(PRFileDesc *f) {
-  UNIMPLEMENTED();
-  return -1;
-}
-
 void DummyPrSocket::SetPacketFilter(std::shared_ptr<PacketFilter> filter) {
   filter_ = filter;
 }
 
-static const struct PRIOMethods DummyMethods = {
-    PR_DESC_LAYERED,    DummyClose,
-    DummyRead,          DummyWrite,
-    DummyAvailable,     DummyAvailable64,
-    DummySync,          DummySeek,
-    DummySeek64,        DummyFileInfo,
-    DummyFileInfo64,    DummyWritev,
-    DummyConnect,       DummyAccept,
-    DummyBind,          DummyListen,
-    DummyShutdown,      DummyRecv,
-    DummySend,          DummyRecvfrom,
-    DummySendto,        DummyPoll,
-    DummyAcceptRead,    DummyTransmitFile,
-    DummyGetsockname,   DummyGetpeername,
-    DummyReserved,      DummyReserved,
-    DummyGetsockoption, DummySetsockoption,
-    DummySendfile,      DummyConnectContinue,
-    DummyReserved,      DummyReserved,
-    DummyReserved,      DummyReserved};
-
 ScopedPRFileDesc DummyPrSocket::CreateFD() {
-  if (test_fd_identity == PR_INVALID_IO_LAYER) {
-    test_fd_identity = PR_GetUniqueIdentity("testtransportadapter");
-  }
-
-  ScopedPRFileDesc fd(PR_CreateIOLayerStub(test_fd_identity, &DummyMethods));
-  fd->secret = reinterpret_cast<PRFilePrivate *>(this);
-  return fd;
+  static PRDescIdentity test_fd_identity =
+      PR_GetUniqueIdentity("testtransportadapter");
+  return DummyIOLayerMethods::CreateFD(test_fd_identity, this);
 }
 
 void DummyPrSocket::PacketReceived(const DataBuffer &packet) {
   input_.push(Packet(packet));
 }
 
-int32_t DummyPrSocket::Read(void *data, int32_t len) {
+int32_t DummyPrSocket::Read(PRFileDesc *f, void *data, int32_t len) {
   PR_ASSERT(mode_ == STREAM);
 
   if (mode_ != STREAM) {
     PR_SetError(PR_INVALID_METHOD_ERROR, 0);
     return -1;
   }
 
   if (input_.empty()) {
@@ -295,17 +62,28 @@ int32_t DummyPrSocket::Read(void *data, 
 
   if (!front.remaining()) {
     input_.pop();
   }
 
   return static_cast<int32_t>(to_read);
 }
 
-int32_t DummyPrSocket::Recv(void *buf, int32_t buflen) {
+int32_t DummyPrSocket::Recv(PRFileDesc *f, void *buf, int32_t buflen,
+                            int32_t flags, PRIntervalTime to) {
+  PR_ASSERT(flags == 0);
+  if (flags != 0) {
+    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
+    return -1;
+  }
+
+  if (mode() != DGRAM) {
+    return Read(f, buf, buflen);
+  }
+
   if (input_.empty()) {
     PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
     return -1;
   }
 
   auto &front = input_.front();
   if (static_cast<size_t>(buflen) < front.len()) {
     PR_ASSERT(false);
@@ -315,17 +93,17 @@ int32_t DummyPrSocket::Recv(void *buf, i
 
   size_t count = front.len();
   memcpy(buf, front.data(), count);
 
   input_.pop();
   return static_cast<int32_t>(count);
 }
 
-int32_t DummyPrSocket::Write(const void *buf, int32_t length) {
+int32_t DummyPrSocket::Write(PRFileDesc *f, const void *buf, int32_t length) {
   auto peer = peer_.lock();
   if (!peer || !writeable_) {
     PR_SetError(PR_IO_ERROR, 0);
     return -1;
   }
 
   DataBuffer packet(static_cast<const uint8_t *>(buf),
                     static_cast<size_t>(length));
--- a/security/nss/gtests/ssl_gtest/test_io.h
+++ b/security/nss/gtests/ssl_gtest/test_io.h
@@ -10,16 +10,17 @@
 #include <string.h>
 #include <map>
 #include <memory>
 #include <ostream>
 #include <queue>
 #include <string>
 
 #include "databuffer.h"
+#include "dummy_io.h"
 #include "prio.h"
 #include "scoped_ptrs.h"
 
 namespace nss_test {
 
 class DataBuffer;
 class DummyPrSocket;  // Fwd decl.
 
@@ -44,17 +45,17 @@ class PacketFilter {
 };
 
 enum Mode { STREAM, DGRAM };
 
 inline std::ostream& operator<<(std::ostream& os, Mode m) {
   return os << ((m == STREAM) ? "TLS" : "DTLS");
 }
 
-class DummyPrSocket {
+class DummyPrSocket : public DummyIOLayerMethods {
  public:
   DummyPrSocket(const std::string& name, Mode mode)
       : name_(name),
         mode_(mode),
         peer_(),
         input_(),
         filter_(nullptr),
         writeable_(true) {}
@@ -66,19 +67,20 @@ class DummyPrSocket {
 
   std::weak_ptr<DummyPrSocket>& peer() { return peer_; }
   void SetPeer(const std::shared_ptr<DummyPrSocket>& peer) { peer_ = peer; }
   void SetPacketFilter(std::shared_ptr<PacketFilter> filter);
   // Drops peer, packet filter and any outstanding packets.
   void Reset();
 
   void PacketReceived(const DataBuffer& data);
-  int32_t Read(void* data, int32_t len);
-  int32_t Recv(void* buf, int32_t buflen);
-  int32_t Write(const void* buf, int32_t length);
+  int32_t Read(PRFileDesc* f, void* data, int32_t len) override;
+  int32_t Recv(PRFileDesc* f, void* buf, int32_t buflen, int32_t flags,
+               PRIntervalTime to) override;
+  int32_t Write(PRFileDesc* f, const void* buf, int32_t length) override;
   void CloseWrites() { writeable_ = false; }
 
   Mode mode() const { return mode_; }
   bool readable() const { return !input_.empty(); }
 
  private:
   class Packet : public DataBuffer {
    public:
@@ -136,16 +138,17 @@ class Poller {
 
  private:
   Poller() : waiters_(), timers_() {}
   ~Poller() {}
 
   class Waiter {
    public:
     Waiter(std::shared_ptr<DummyPrSocket> io) : io_(io) {
+      memset(&targets_[0], 0, sizeof(targets_));
       memset(&callbacks_[0], 0, sizeof(callbacks_));
     }
 
     void WaitFor(Event event, PollCallback callback);
 
     std::shared_ptr<DummyPrSocket> io_;
     PollTarget* targets_[TIMER_EVENT];
     PollCallback callbacks_[TIMER_EVENT];
--- a/security/nss/gtests/ssl_gtest/tls_agent.cc
+++ b/security/nss/gtests/ssl_gtest/tls_agent.cc
@@ -645,16 +645,20 @@ void TlsAgent::CheckCallbacks() const {
 }
 
 void TlsAgent::ResetPreliminaryInfo() {
   expected_version_ = 0;
   expected_cipher_suite_ = 0;
 }
 
 void TlsAgent::Connected() {
+  if (state_ == STATE_CONNECTED) {
+    return;
+  }
+
   LOG("Handshake success");
   CheckPreliminaryInfo();
   CheckCallbacks();
 
   SECStatus rv = SSL_GetChannelInfo(ssl_fd(), &info_, sizeof(info_));
   EXPECT_EQ(SECSuccess, rv);
   EXPECT_EQ(sizeof(info_), info_.length);
 
@@ -736,21 +740,17 @@ void TlsAgent::SetDowngradeCheckVersion(
   SECStatus rv = SSL_SetDowngradeCheckVersion(ssl_fd(), version);
   ASSERT_EQ(SECSuccess, rv);
 }
 
 void TlsAgent::Handshake() {
   LOGV("Handshake");
   SECStatus rv = SSL_ForceHandshake(ssl_fd());
   if (rv == SECSuccess) {
-    if (!falsestart_enabled_) {
-      EXPECT_EQ(STATE_CONNECTED, state_)
-          << "the handshake callback should have been called already";
-    }
-
+    Connected();
     Poller::Instance()->Wait(READABLE_EVENT, adapter_, this,
                              &TlsAgent::ReadableCallback);
     return;
   }
 
   int32_t err = PR_GetError();
   if (err == PR_WOULD_BLOCK_ERROR) {
     LOGV("Would have blocked");
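Review bot: `Handshake()` now calls `Connected()` itself, and the early return added to `Connected()` in the previous hunk makes that call idempotent, but neither place explains why. With the expectation on `state_` gone, the test no longer distinguishes a handshake callback that fired from one that never did. A comment at the call site would record the intent, for example `// The handshake callback may not have run yet; mark the agent connected exactly once.` The reason is inferred from the removed `falsestart_enabled_` condition and should be confirmed. If the callback is still expected to fire in the non-false-start case, a separate flag set by the callback and checked in the tests that need it would keep that coverage. Both function bodies continue outside these hunks, so where `state_` is set to `STATE_CONNECTED` is not visible here.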
--- a/security/nss/gtests/util_gtest/manifest.mn
+++ b/security/nss/gtests/util_gtest/manifest.mn
@@ -8,16 +8,17 @@ MODULE = nss
 
 CPPSRCS = \
 	util_utf8_unittest.cc \
 	$(NULL)
 
 INCLUDES += \
 	-I$(CORE_DEPTH)/gtests/google_test/gtest/include \
 	-I$(CORE_DEPTH)/gtests/common \
+	-I$(CORE_DEPTH)/cpputil \
 	$(NULL)
 
 REQUIRES = nspr gtest
 
 PROGRAM = util_gtest
 
 EXTRA_LIBS = \
 	$(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) \
--- a/security/nss/gtests/util_gtest/util_gtest.gyp
+++ b/security/nss/gtests/util_gtest/util_gtest.gyp
@@ -27,17 +27,15 @@
         '<(DEPTH)/lib/dev/dev.gyp:nssdev',
         '<(DEPTH)/lib/pki/pki.gyp:nsspki',
         '<(DEPTH)/lib/ssl/ssl.gyp:ssl',
       ]
     }
   ],
   'target_defaults': {
     'include_dirs': [
-      '../../gtests/google_test/gtest/include',
-      '../../gtests/common',
       '../../lib/util'
     ]
   },
   'variables': {
     'module': 'nss'
   }
 }
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -186,16 +186,17 @@ CKA_VALUE MULTILINE_OCTAL
 \034\161\142\356\312\310\227\254\027\135\212\302\370\107\206\156
 \052\304\126\061\225\320\147\211\205\053\371\154\246\135\106\235
 \014\252\202\344\231\121\335\160\267\333\126\075\141\344\152\341
 \134\326\366\376\075\336\101\314\007\256\143\122\277\123\123\364
 \053\351\307\375\266\367\202\137\205\322\101\030\333\201\263\004
 \034\305\037\244\200\157\025\040\311\336\014\210\012\035\326\146
 \125\342\374\110\311\051\046\151\340
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "GlobalSign Root CA"
 # Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
 # Serial Number:04:00:00:00:00:01:15:4b:5a:c3:94
 # Subject: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
 # Not Valid Before: Tue Sep 01 12:00:00 1998
 # Not Valid After : Fri Jan 28 12:00:00 2028
 # Fingerprint (MD5): 3E:45:52:15:09:51:92:E1:B7:5D:37:9F:B1:87:29:8A
@@ -319,16 +320,17 @@ CKA_VALUE MULTILINE_OCTAL
 \176\273\363\171\030\221\273\364\157\235\301\360\214\065\214\135
 \001\373\303\155\271\357\104\155\171\106\061\176\012\376\251\202
 \301\377\357\253\156\040\304\120\311\137\235\115\233\027\214\014
 \345\001\311\240\101\152\163\123\372\245\120\264\156\045\017\373
 \114\030\364\375\122\331\216\151\261\350\021\017\336\210\330\373
 \035\111\367\252\336\225\317\040\170\302\140\022\333\045\100\214
 \152\374\176\102\070\100\144\022\367\236\201\341\223\056
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "GlobalSign Root CA - R2"
 # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
 # Serial Number:04:00:00:00:00:01:0f:86:26:e6:0d
 # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
 # Not Valid Before: Fri Dec 15 08:00:00 2006
 # Not Valid After : Wed Dec 15 08:00:00 2021
 # Fingerprint (MD5): 94:14:77:7E:3E:5E:FD:8F:30:BD:41:B0:CF:E7:D0:30
@@ -474,16 +476,17 @@ CKA_VALUE MULTILINE_OCTAL
 \114\015\046\145\342\104\200\036\307\237\343\335\350\012\332\354
 \245\040\200\151\150\241\117\176\341\153\317\007\101\372\203\216
 \274\070\335\260\056\021\261\153\262\102\314\232\274\371\110\042
 \171\112\031\017\262\034\076\040\164\331\152\303\276\362\050\170
 \023\126\171\117\155\120\352\033\260\265\127\261\067\146\130\043
 \363\334\017\337\012\207\304\357\206\005\325\070\024\140\231\243
 \113\336\006\226\161\054\362\333\266\037\244\357\077\356
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
 # Issuer: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:00:8b:5b:75:56:84:54:85:0b:00:cf:af:38:48:ce:b1:a4
 # Subject: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Not Valid Before: Fri Oct 01 00:00:00 1999
 # Not Valid After : Wed Jul 16 23:59:59 2036
 # Fingerprint (MD5): B1:47:BC:18:57:D1:18:A0:78:2D:EC:71:E8:2A:95:73
@@ -638,16 +641,17 @@ CKA_VALUE MULTILINE_OCTAL
 \301\062\163\042\041\213\130\201\173\025\221\172\272\343\144\110
 \260\177\373\066\045\332\225\320\361\044\024\027\335\030\200\153
 \106\043\071\124\365\216\142\011\004\035\224\220\246\233\346\045
 \342\102\105\252\270\220\255\276\010\217\251\013\102\030\224\317
 \162\071\341\261\103\340\050\317\267\347\132\154\023\153\111\263
 \377\343\030\174\211\213\063\135\254\063\327\247\371\332\072\125
 \311\130\020\371\252\357\132\266\317\113\113\337\052
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
 # Issuer: CN=VeriSign Class 2 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:61:70:cb:49:8c:5f:98:45:29:e7:b0:a6:d9:50:5b:7a
 # Subject: CN=VeriSign Class 2 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Not Valid Before: Fri Oct 01 00:00:00 1999
 # Not Valid After : Wed Jul 16 23:59:59 2036
 # Fingerprint (MD5): F8:BE:C4:63:22:C9:A8:46:74:8B:B8:1D:1E:4A:2B:F6
@@ -802,16 +806,17 @@ CKA_VALUE MULTILINE_OCTAL
 \022\032\022\150\270\373\146\231\024\024\105\134\256\347\256\151
 \027\201\053\132\067\311\136\052\364\306\342\241\134\124\233\246
 \124\000\317\360\361\301\307\230\060\032\073\066\026\333\243\156
 \352\375\255\262\302\332\357\002\107\023\212\300\361\263\061\255
 \117\034\341\117\234\257\017\014\235\367\170\015\330\364\065\126
 \200\332\267\155\027\217\235\036\201\144\341\376\305\105\272\255
 \153\271\012\172\116\117\113\204\356\113\361\175\335\021
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
 # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:00:9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57
 # Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Not Valid Before: Fri Oct 01 00:00:00 1999
 # Not Valid After : Wed Jul 16 23:59:59 2036
 # Fingerprint (MD5): CD:68:B6:A7:C7:C4:CE:75:E0:1D:4F:57:44:61:92:09
@@ -1076,16 +1081,17 @@ CKA_VALUE MULTILINE_OCTAL
 \273\377\043\357\150\031\313\022\223\047\134\003\055\157\060\320
 \036\266\032\254\336\132\367\321\252\250\047\246\376\171\201\304
 \171\231\063\127\272\022\260\251\340\102\154\223\312\126\336\376
 \155\204\013\010\213\176\215\352\327\230\041\306\363\347\074\171
 \057\136\234\321\114\025\215\341\354\042\067\314\232\103\013\227
 \334\200\220\215\263\147\233\157\110\010\025\126\317\277\361\053
 \174\136\232\166\351\131\220\305\174\203\065\021\145\121
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Entrust.net Premium 2048 Secure Server CA"
 # Issuer: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
 # Serial Number: 946069240 (0x3863def8)
 # Subject: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
 # Not Valid Before: Fri Dec 24 17:50:51 1999
 # Not Valid After : Tue Jul 24 14:15:12 2029
 # Fingerprint (MD5): EE:29:31:BC:32:7E:9A:E6:E8:B5:F7:51:B4:34:71:90
@@ -1213,16 +1219,17 @@ CKA_VALUE MULTILINE_OCTAL
 \056\310\244\236\116\010\024\113\155\375\160\155\153\032\143\275
 \144\346\037\267\316\360\362\237\056\273\033\267\362\120\210\163
 \222\302\342\343\026\215\232\062\002\253\216\030\335\351\020\021
 \356\176\065\253\220\257\076\060\224\172\320\063\075\247\145\017
 \365\374\216\236\142\317\107\104\054\001\135\273\035\265\062\322
 \107\322\070\056\320\376\201\334\062\152\036\265\356\074\325\374
 \347\201\035\031\303\044\102\352\143\071\251
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Baltimore CyberTrust Root"
 # Issuer: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
 # Serial Number: 33554617 (0x20000b9)
 # Subject: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
 # Not Valid Before: Fri May 12 18:46:00 2000
 # Not Valid After : Mon May 12 23:59:00 2025
 # Fingerprint (MD5): AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
@@ -1356,16 +1363,17 @@ CKA_VALUE MULTILINE_OCTAL
 \213\375\273\034\126\066\362\376\262\266\345\166\273\325\042\145
 \247\077\376\321\146\255\013\274\153\231\206\357\077\175\363\030
 \062\312\173\306\343\253\144\106\225\370\046\151\331\125\203\173
 \054\226\007\377\131\054\104\243\306\345\351\251\334\241\143\200
 \132\041\136\041\317\123\124\360\272\157\211\333\250\252\225\317
 \213\343\161\314\036\033\040\104\010\300\172\266\100\375\304\344
 \065\341\035\026\034\320\274\053\216\326\161\331
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "AddTrust Low-Value Services Root"
 # Issuer: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
 # Serial Number: 1 (0x1)
 # Subject: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
 # Not Valid Before: Tue May 30 10:38:31 2000
 # Not Valid After : Sat May 30 10:38:31 2020
 # Fingerprint (MD5): 1E:42:95:02:33:92:6B:B9:5F:C0:7F:DA:D6:B2:4B:FC
@@ -1504,16 +1512,17 @@ CKA_VALUE MULTILINE_OCTAL
 \335\217\212\303\366\366\214\032\102\005\121\324\105\365\237\247
 \142\041\150\025\040\103\074\231\347\174\275\044\330\251\221\027
 \163\210\077\126\033\061\070\030\264\161\017\232\315\310\016\236
 \216\056\033\341\214\230\203\313\037\061\361\104\114\306\004\163
 \111\166\140\017\307\370\275\027\200\153\056\351\314\114\016\132
 \232\171\017\040\012\056\325\236\143\046\036\125\222\224\330\202
 \027\132\173\320\274\307\217\116\206\004
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "AddTrust External Root"
 # Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
 # Serial Number: 1 (0x1)
 # Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
 # Not Valid Before: Tue May 30 10:48:38 2000
 # Not Valid After : Sat May 30 10:48:38 2020
 # Fingerprint (MD5): 1D:35:54:04:85:78:B0:3F:42:42:4D:BF:20:73:0A:3F
@@ -1649,16 +1658,17 @@ CKA_VALUE MULTILINE_OCTAL
 \330\032\214\307\355\234\116\232\340\022\273\265\152\114\204\341
 \341\042\015\207\000\144\376\214\175\142\071\145\246\357\102\266
 \200\045\022\141\001\250\044\023\160\000\021\046\137\372\065\120
 \305\110\314\006\107\350\047\330\160\215\137\144\346\241\104\046
 \136\042\354\222\315\377\102\232\104\041\155\134\305\343\042\035
 \137\107\022\347\316\137\135\372\330\252\261\063\055\331\166\362
 \116\072\063\014\053\263\055\220\006
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "AddTrust Public Services Root"
 # Issuer: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
 # Serial Number: 1 (0x1)
 # Subject: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
 # Not Valid Before: Tue May 30 10:41:50 2000
 # Not Valid After : Sat May 30 10:41:50 2020
 # Fingerprint (MD5): C1:62:3E:23:C5:82:73:9C:03:59:4B:2B:E9:77:49:7F
@@ -1794,16 +1804,17 @@ CKA_VALUE MULTILINE_OCTAL
 \077\240\261\007\326\351\117\334\336\105\161\060\062\177\033\056
 \011\371\277\122\241\356\302\200\076\006\134\056\125\100\301\033
 \365\160\105\260\334\135\372\366\162\132\167\322\143\315\317\130
 \211\000\102\143\077\171\071\320\104\260\202\156\101\031\350\335
 \340\301\210\132\321\036\161\223\037\044\060\164\345\036\250\336
 \074\047\067\177\203\256\236\167\317\360\060\261\377\113\231\350
 \306\241
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "AddTrust Qualified Certificates Root"
 # Issuer: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
 # Serial Number: 1 (0x1)
 # Subject: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
 # Not Valid Before: Tue May 30 10:44:50 2000
 # Not Valid After : Sat May 30 10:44:50 2020
 # Fingerprint (MD5): 27:EC:39:47:CD:DA:5A:AF:E2:9A:01:65:21:A9:4C:BB
@@ -1956,16 +1967,17 @@ CKA_VALUE MULTILINE_OCTAL
 \175\352\261\355\060\045\301\204\332\064\322\133\170\203\126\354
 \234\066\303\046\342\021\366\147\111\035\222\253\214\373\353\377
 \172\356\205\112\247\120\200\360\247\134\112\224\056\137\005\231
 \074\122\101\340\315\264\143\317\001\103\272\234\203\334\217\140
 \073\363\132\264\264\173\256\332\013\220\070\165\357\201\035\146
 \322\367\127\160\066\263\277\374\050\257\161\045\205\133\023\376
 \036\177\132\264\074
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Entrust Root Certification Authority"
 # Issuer: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US
 # Serial Number: 1164660820 (0x456b5054)
 # Subject: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US
 # Not Valid Before: Mon Nov 27 20:23:42 2006
 # Not Valid After : Fri Nov 27 20:53:42 2026
 # Fingerprint (MD5): D6:A5:C3:ED:5D:DD:3E:00:C1:3D:87:92:1F:1D:3F:E4
@@ -2089,16 +2101,17 @@ CKA_VALUE MULTILINE_OCTAL
 \270\234\344\035\266\253\346\224\245\301\307\203\255\333\365\047
 \207\016\004\154\325\377\335\240\135\355\207\122\267\053\025\002
 \256\071\246\152\164\351\332\304\347\274\115\064\036\251\134\115
 \063\137\222\011\057\210\146\135\167\227\307\035\166\023\251\325
 \345\361\026\011\021\065\325\254\333\044\161\160\054\230\126\013
 \331\027\264\321\343\121\053\136\165\350\325\320\334\117\064\355
 \302\005\146\200\241\313\346\063
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "GeoTrust Global CA"
 # Issuer: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
 # Serial Number: 144470 (0x23456)
 # Subject: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
 # Not Valid Before: Tue May 21 04:00:00 2002
 # Not Valid After : Sat May 21 04:00:00 2022
 # Fingerprint (MD5): F7:75:AB:29:FB:51:4E:B7:77:5E:FF:05:3C:99:8E:F5
@@ -2216,16 +2229,17 @@ CKA_VALUE MULTILINE_OCTAL
 \151\266\362\377\341\032\320\014\321\166\205\313\212\045\275\227
 \136\054\157\025\231\046\347\266\051\377\042\354\311\002\307\126
 \000\315\111\271\263\154\173\123\004\032\342\250\311\252\022\005
 \043\302\316\347\273\004\002\314\300\107\242\344\304\051\057\133
 \105\127\211\121\356\074\353\122\010\377\007\065\036\237\065\152
 \107\112\126\230\321\132\205\037\214\365\042\277\253\316\203\363
 \342\042\051\256\175\203\100\250\272\154
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "GeoTrust Global CA 2"
 # Issuer: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US
 # Serial Number: 1 (0x1)
 # Subject: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US
 # Not Valid Before: Thu Mar 04 05:00:00 2004
 # Not Valid After : Mon Mar 04 05:00:00 2019
 # Fingerprint (MD5): 0E:40:A7:6C:DE:03:5D:8F:D1:0F:E4:D1:8D:F9:6C:A9
@@ -2375,16 +2389,17 @@ CKA_VALUE MULTILINE_OCTAL
 \121\173\327\251\234\006\241\066\335\325\211\224\274\331\344\055
 \014\136\011\154\010\227\174\243\075\174\223\377\077\241\024\247
 \317\265\135\353\333\333\034\304\166\337\210\271\275\105\005\225
 \033\256\374\106\152\114\257\110\343\316\256\017\322\176\353\346
 \154\234\117\201\152\172\144\254\273\076\325\347\313\166\056\305
 \247\110\301\134\220\017\313\310\077\372\346\062\341\215\033\157
 \244\346\216\330\371\051\110\212\316\163\376\054
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "GeoTrust Universal CA"
 # Issuer: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US
 # Serial Number: 1 (0x1)
 # Subject: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US
 # Not Valid Before: Thu Mar 04 05:00:00 2004
 # Not Valid After : Sun Mar 04 05:00:00 2029
 # Fingerprint (MD5): 92:65:58:8B:A2:1A:31:72:73:68:5C:B4:A5:7A:07:48
@@ -2534,16 +2549,17 @@ CKA_VALUE MULTILINE_OCTAL
 \227\124\167\332\075\022\267\340\036\357\010\006\254\371\205\207
 \351\242\334\257\176\030\022\203\375\126\027\101\056\325\051\202
 \175\231\364\061\366\161\251\317\054\001\047\245\005\271\252\262
 \110\116\052\357\237\223\122\121\225\074\122\163\216\126\114\027
 \100\300\011\050\344\213\152\110\123\333\354\315\125\125\361\306
 \370\351\242\054\114\246\321\046\137\176\257\132\114\332\037\246
 \362\034\054\176\256\002\026\322\126\320\057\127\123\107\350\222
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "GeoTrust Universal CA 2"
 # Issuer: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US
 # Serial Number: 1 (0x1)
 # Subject: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US
 # Not Valid Before: Thu Mar 04 05:00:00 2004
 # Not Valid After : Sun Mar 04 05:00:00 2029
 # Fingerprint (MD5): 34:FC:B8:D0:36:DB:9E:14:B3:C2:F2:DB:8F:E4:94:C7
@@ -2670,16 +2686,17 @@ CKA_VALUE MULTILINE_OCTAL
 \022\074\154\151\227\333\256\137\071\232\160\057\005\074\031\106
 \004\231\040\066\320\140\156\141\006\273\026\102\214\160\367\060
 \373\340\333\146\243\000\001\275\346\054\332\221\137\240\106\213
 \115\152\234\075\075\335\005\106\376\166\277\240\012\074\344\000
 \346\047\267\377\204\055\336\272\042\047\226\020\161\353\042\355
 \337\337\063\234\317\343\255\256\216\324\216\346\117\121\257\026
 \222\340\134\366\007\017
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Visa eCommerce Root"
 # Issuer: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
 # Serial Number:13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62
 # Subject: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
 # Not Valid Before: Wed Jun 26 02:18:36 2002
 # Not Valid After : Fri Jun 24 00:16:12 2022
 # Fingerprint (MD5): FC:11:B8:D8:08:93:30:00:6D:23:F9:7E:EB:52:1E:02
@@ -2792,16 +2809,17 @@ CKA_VALUE MULTILINE_OCTAL
 \012\072\223\023\233\073\024\043\023\143\234\077\321\207\047\171
 \345\114\121\343\001\255\205\135\032\073\261\325\163\020\244\323
 \362\274\156\144\365\132\126\220\250\307\016\114\164\017\056\161
 \073\367\310\107\364\151\157\025\362\021\136\203\036\234\174\122
 \256\375\002\332\022\250\131\147\030\333\274\160\335\233\261\151
 \355\200\316\211\100\110\152\016\065\312\051\146\025\041\224\054
 \350\140\052\233\205\112\100\363\153\212\044\354\006\026\054\163
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Certum Root CA"
 # Issuer: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
 # Serial Number: 65568 (0x10020)
 # Subject: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
 # Not Valid Before: Tue Jun 11 10:46:39 2002
 # Not Valid After : Fri Jun 11 10:46:39 2027
 # Fingerprint (MD5): 2C:8F:9F:66:1D:18:90:B1:47:26:9D:8E:86:82:8C:A9
@@ -2937,16 +2955,17 @@ CKA_VALUE MULTILINE_OCTAL
 \154\354\351\041\163\354\233\003\241\340\067\255\240\025\030\217
 \372\272\002\316\247\054\251\020\023\054\324\345\010\046\253\042
 \227\140\370\220\136\164\324\242\232\123\275\362\251\150\340\242
 \156\302\327\154\261\243\017\236\277\353\150\347\126\362\256\362
 \343\053\070\072\011\201\265\153\205\327\276\055\355\077\032\267
 \262\143\342\365\142\054\202\324\152\000\101\120\361\071\203\237
 \225\351\066\226\230\156
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Comodo AAA Services root"
 # Issuer: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Serial Number: 1 (0x1)
 # Subject: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Not Valid Before: Thu Jan 01 00:00:00 2004
 # Not Valid After : Sun Dec 31 23:59:59 2028
 # Fingerprint (MD5): 49:79:04:B0:EB:87:19:AC:47:B0:BC:11:51:9B:74:D0
@@ -3087,16 +3106,17 @@ CKA_VALUE MULTILINE_OCTAL
 \223\367\252\023\313\322\023\342\267\056\073\315\153\120\027\011
 \150\076\265\046\127\356\266\340\266\335\271\051\200\171\175\217
 \243\360\244\050\244\025\304\205\364\047\324\153\277\345\134\344
 \145\002\166\124\264\343\067\146\044\323\031\141\310\122\020\345
 \213\067\232\271\251\371\035\277\352\231\222\141\226\377\001\315
 \241\137\015\274\161\274\016\254\013\035\107\105\035\301\354\174
 \354\375\051
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Comodo Secure Services root"
 # Issuer: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Serial Number: 1 (0x1)
 # Subject: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Not Valid Before: Thu Jan 01 00:00:00 2004
 # Not Valid After : Sun Dec 31 23:59:59 2028
 # Fingerprint (MD5): D3:D9:BD:AE:9F:AC:67:24:B3:C8:1B:52:E1:B9:A9:BD
@@ -3239,16 +3259,17 @@ CKA_VALUE MULTILINE_OCTAL
 \201\170\057\050\300\176\323\314\102\012\365\256\120\240\321\076
 \306\241\161\354\077\240\040\214\146\072\211\264\216\324\330\261
 \115\045\107\356\057\210\310\265\341\005\105\300\276\024\161\336
 \172\375\216\173\175\115\010\226\245\022\163\360\055\312\067\047
 \164\022\047\114\313\266\227\351\331\256\010\155\132\071\100\335
 \005\107\165\152\132\041\263\243\030\317\116\367\056\127\267\230
 \160\136\310\304\170\260\142
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Comodo Trusted Services root"
 # Issuer: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Serial Number: 1 (0x1)
 # Subject: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Not Valid Before: Thu Jan 01 00:00:00 2004
 # Not Valid After : Sun Dec 31 23:59:59 2028
 # Fingerprint (MD5): 91:1B:3F:6E:CD:9E:AB:EE:07:FE:1F:71:D2:B3:61:27
@@ -3417,16 +3438,17 @@ CKA_VALUE MULTILINE_OCTAL
 \231\003\072\212\314\124\045\071\061\201\173\023\042\121\272\106
 \154\241\273\236\372\004\154\111\046\164\217\322\163\353\314\060
 \242\346\352\131\042\207\370\227\365\016\375\352\314\222\244\026
 \304\122\030\352\041\316\261\361\346\204\201\345\272\251\206\050
 \362\103\132\135\022\235\254\036\331\250\345\012\152\247\177\240
 \207\051\317\362\211\115\324\354\305\342\346\172\320\066\043\212
 \112\164\066\371
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "QuoVadis Root CA"
 # Issuer: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM
 # Serial Number: 985026699 (0x3ab6508b)
 # Subject: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM
 # Not Valid Before: Mon Mar 19 18:33:33 2001
 # Not Valid After : Wed Mar 17 18:33:33 2021
 # Fingerprint (MD5): 27:DE:36:FE:72:B7:00:03:00:9D:F4:F0:1E:6C:04:24
@@ -3585,16 +3607,17 @@ CKA_VALUE MULTILINE_OCTAL
 \226\136\234\307\357\047\142\010\342\221\031\134\322\361\041\335
 \272\027\102\202\227\161\201\123\061\251\237\366\175\142\277\162
 \341\243\223\035\314\212\046\132\011\070\320\316\327\015\200\026
 \264\170\245\072\207\114\215\212\245\325\106\227\362\054\020\271
 \274\124\042\300\001\120\151\103\236\364\262\357\155\370\354\332
 \361\343\261\357\337\221\217\124\052\013\045\301\046\031\304\122
 \020\005\145\325\202\020\352\302\061\315\056
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "QuoVadis Root CA 2"
 # Issuer: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
 # Serial Number: 1289 (0x509)
 # Subject: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
 # Not Valid Before: Fri Nov 24 18:27:00 2006
 # Not Valid After : Mon Nov 24 18:23:33 2031
 # Fingerprint (MD5): 5E:39:7B:DD:F8:BA:EC:82:E9:AC:62:BA:0C:54:00:2B
@@ -3764,16 +3787,17 @@ CKA_VALUE MULTILINE_OCTAL
 \340\164\053\262\353\175\276\101\033\265\300\106\305\241\042\313
 \137\116\301\050\222\336\030\272\325\052\050\273\021\213\027\223
 \230\231\140\224\134\043\317\132\047\227\136\013\005\006\223\067
 \036\073\151\066\353\251\236\141\035\217\062\332\216\014\326\164
 \076\173\011\044\332\001\167\107\304\073\315\064\214\231\365\312
 \341\045\141\063\262\131\033\342\156\327\067\127\266\015\251\022
 \332
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "QuoVadis Root CA 3"
 # Issuer: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM
 # Serial Number: 1478 (0x5c6)
 # Subject: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM
 # Not Valid Before: Fri Nov 24 19:11:23 2006
 # Not Valid After : Mon Nov 24 19:06:44 2031
 # Fingerprint (MD5): 31:85:3C:62:94:97:63:B9:AA:FD:89:4E:AF:6F:E0:CF
@@ -3892,16 +3916,17 @@ CKA_VALUE MULTILINE_OCTAL
 \161\245\062\252\057\306\211\166\103\100\023\023\147\075\242\124
 \045\020\313\361\072\362\331\372\333\111\126\273\246\376\247\101
 \065\303\340\210\141\311\210\307\337\066\020\042\230\131\352\260
 \112\373\126\026\163\156\254\115\367\042\241\117\255\035\172\055
 \105\047\345\060\301\136\362\332\023\313\045\102\121\225\107\003
 \214\154\041\314\164\102\355\123\377\063\213\217\017\127\001\026
 \057\317\246\356\311\160\042\024\275\375\276\154\013\003
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Security Communication Root CA"
 # Issuer: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP
 # Serial Number: 0 (0x0)
 # Subject: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP
 # Not Valid Before: Tue Sep 30 04:20:49 2003
 # Not Valid After : Sat Sep 30 04:20:49 2023
 # Fingerprint (MD5): F1:BC:63:6A:54:E0:B5:27:F5:CD:E7:1A:E3:4D:6E:4A
@@ -4014,16 +4039,17 @@ CKA_VALUE MULTILINE_OCTAL
 \066\276\246\133\015\152\154\232\037\221\173\371\371\357\102\272
 \116\116\236\314\014\215\224\334\331\105\234\136\354\102\120\143
 \256\364\135\304\261\022\334\312\073\250\056\235\024\132\005\165
 \267\354\327\143\342\272\065\266\004\010\221\350\332\235\234\366
 \146\265\030\254\012\246\124\046\064\063\322\033\301\324\177\032
 \072\216\013\252\062\156\333\374\117\045\237\331\062\307\226\132
 \160\254\337\114
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Sonera Class 2 Root CA"
 # Issuer: CN=Sonera Class2 CA,O=Sonera,C=FI
 # Serial Number: 29 (0x1d)
 # Subject: CN=Sonera Class2 CA,O=Sonera,C=FI
 # Not Valid Before: Fri Apr 06 07:29:40 2001
 # Not Valid After : Tue Apr 06 07:29:40 2021
 # Fingerprint (MD5): A3:EC:75:0F:2E:88:DF:FA:48:01:4E:0B:5C:48:6F:FB
@@ -4175,16 +4201,17 @@ CKA_VALUE MULTILINE_OCTAL
 \211\272\061\035\305\020\150\122\236\337\242\205\305\134\010\246
 \170\346\123\117\261\350\267\323\024\236\223\246\303\144\343\254
 \176\161\315\274\237\351\003\033\314\373\351\254\061\301\257\174
 \025\164\002\231\303\262\107\246\302\062\141\327\307\157\110\044
 \121\047\241\325\207\125\362\173\217\230\075\026\236\356\165\266
 \370\320\216\362\363\306\256\050\133\247\360\363\066\027\374\303
 \005\323\312\003\112\124
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "UTN USERFirst Email Root CA"
 # Issuer: CN=UTN-USERFirst-Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
 # Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:25:25:67:c9:89
 # Subject: CN=UTN-USERFirst-Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
 # Not Valid Before: Fri Jul 09 17:28:50 1999
 # Not Valid After : Tue Jul 09 17:36:58 2019
 # Fingerprint (MD5): D7:34:3D:EF:1D:27:09:28:E1:31:02:5B:13:2B:DD:F7
@@ -4338,16 +4365,17 @@ CKA_VALUE MULTILINE_OCTAL
 \370\323\157\133\036\226\343\340\164\167\164\173\212\242\156\055
 \335\166\326\071\060\202\360\253\234\122\362\052\307\257\111\136
 \176\307\150\345\202\201\310\152\047\371\047\210\052\325\130\120
 \225\037\360\073\034\127\273\175\024\071\142\053\232\311\224\222
 \052\243\042\014\377\211\046\175\137\043\053\107\327\025\035\251
 \152\236\121\015\052\121\236\201\371\324\073\136\160\022\177\020
 \062\234\036\273\235\370\146\250
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "UTN USERFirst Hardware Root CA"
 # Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
 # Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2a:fe:65:0a:fd
 # Subject: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
 # Not Valid Before: Fri Jul 09 18:10:42 1999
 # Not Valid After : Tue Jul 09 18:19:22 2019
 # Fingerprint (MD5): 4C:56:41:E5:0D:BB:2B:E8:CA:A3:ED:18:08:AD:43:39
@@ -4498,16 +4526,17 @@ CKA_VALUE MULTILINE_OCTAL
 \261\104\252\152\317\027\172\317\157\017\324\370\044\125\137\360
 \064\026\111\146\076\120\106\311\143\161\070\061\142\270\142\271
 \363\123\255\154\265\053\242\022\252\031\117\011\332\136\347\223
 \306\216\024\010\376\360\060\200\030\240\206\205\115\310\175\327
 \213\003\376\156\325\367\235\026\254\222\054\240\043\345\234\221
 \122\037\224\337\027\224\163\303\263\301\301\161\005\040\000\170
 \275\023\122\035\250\076\315\000\037\310
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "UTN USERFirst Object Root CA"
 # Issuer: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
 # Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2d:e0:b3:5f:1b
 # Subject: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
 # Not Valid Before: Fri Jul 09 18:31:20 1999
 # Not Valid After : Tue Jul 09 18:40:36 2019
 # Fingerprint (MD5): A7:F2:E4:16:06:41:11:50:30:6B:9C:E3:B4:9C:B0:C9
@@ -4661,16 +4690,17 @@ CKA_VALUE MULTILINE_OCTAL
 \210\351\007\106\101\316\357\101\201\256\130\337\203\242\256\312
 \327\167\037\347\000\074\235\157\216\344\062\011\035\115\170\064
 \170\064\074\224\233\046\355\117\161\306\031\172\275\040\042\110
 \132\376\113\175\003\267\347\130\276\306\062\116\164\036\150\335
 \250\150\133\263\076\356\142\175\331\200\350\012\165\172\267\356
 \264\145\232\041\220\340\252\320\230\274\070\265\163\074\213\370
 \334
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Camerfirma Chambers of Commerce Root"
 # Issuer: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
 # Serial Number: 0 (0x0)
 # Subject: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
 # Not Valid Before: Tue Sep 30 16:13:43 2003
 # Not Valid After : Wed Sep 30 16:13:44 2037
 # Fingerprint (MD5): B0:01:EE:14:D9:AF:29:18:94:76:8E:F1:69:33:2A:84
@@ -4820,16 +4850,17 @@ CKA_VALUE MULTILINE_OCTAL
 \222\025\323\137\076\306\000\111\072\156\130\262\321\321\047\015
 \045\310\062\370\040\021\315\175\062\063\110\224\124\114\335\334
 \171\304\060\237\353\216\270\125\265\327\210\134\305\152\044\075
 \262\323\005\003\121\306\007\357\314\024\162\164\075\156\162\316
 \030\050\214\112\240\167\345\011\053\105\104\107\254\267\147\177
 \001\212\005\132\223\276\241\301\377\370\347\016\147\244\107\111
 \166\135\165\220\032\365\046\217\360
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Camerfirma Global Chambersign Root"
 # Issuer: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
 # Serial Number: 0 (0x0)
 # Subject: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
 # Not Valid Before: Tue Sep 30 16:14:18 2003
 # Not Valid After : Wed Sep 30 16:14:18 2037
 # Fingerprint (MD5): C5:E6:7B:BF:06:D0:4F:43:ED:C4:7A:65:8A:FB:6B:19
@@ -4972,16 +5003,17 @@ CKA_VALUE MULTILINE_OCTAL
 \212\144\101\061\270\016\154\220\044\244\233\134\161\217\272\273
 \176\034\033\333\152\200\017\041\274\351\333\246\267\100\364\262
 \213\251\261\344\357\232\032\320\075\151\231\356\250\050\243\341
 \074\263\360\262\021\234\317\174\100\346\335\347\103\175\242\330
 \072\265\251\215\362\064\231\304\324\020\341\006\375\011\204\020
 \073\356\304\114\364\354\047\174\102\302\164\174\202\212\011\311
 \264\003\045\274
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "XRamp Global CA Root"
 # Issuer: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
 # Serial Number:50:94:6c:ec:18:ea:d5:9c:4d:d5:97:ef:75:8f:a0:ad
 # Subject: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
 # Not Valid Before: Mon Nov 01 17:14:04 2004
 # Not Valid After : Mon Jan 01 05:37:19 2035
 # Fingerprint (MD5): A1:0B:44:B3:CA:10:D8:00:6E:9D:0F:D8:0F:92:0A:D1
@@ -5118,16 +5150,17 @@ CKA_VALUE MULTILINE_OCTAL
 \216\222\204\162\071\353\040\352\203\355\203\315\227\156\010\274
 \353\116\046\266\163\053\344\323\366\114\376\046\161\342\141\021
 \164\112\377\127\032\207\017\165\110\056\317\121\151\027\240\002
 \022\141\225\325\321\100\262\020\114\356\304\254\020\103\246\245
 \236\012\325\225\142\232\015\317\210\202\305\062\014\344\053\237
 \105\346\015\237\050\234\261\271\052\132\127\255\067\017\257\035
 \177\333\275\237
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Go Daddy Class 2 CA"
 # Issuer: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US
 # Serial Number: 0 (0x0)
 # Subject: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US
 # Not Valid Before: Tue Jun 29 17:06:20 2004
 # Not Valid After : Thu Jun 29 17:06:20 2034
 # Fingerprint (MD5): 91:DE:06:25:AB:DA:FD:32:17:0C:BB:25:17:2A:84:67
@@ -5262,16 +5295,17 @@ CKA_VALUE MULTILINE_OCTAL
 \055\225\276\365\161\220\103\314\215\037\232\000\012\207\051\351
 \125\042\130\000\043\352\343\022\103\051\133\107\010\335\214\101
 \152\145\006\250\345\041\252\101\264\225\041\225\271\175\321\064
 \253\023\326\255\274\334\342\075\071\315\275\076\165\160\241\030
 \131\003\311\042\264\217\234\325\136\052\327\245\266\324\012\155
 \370\267\100\021\106\232\037\171\016\142\277\017\227\354\340\057
 \037\027\224
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Starfield Class 2 CA"
 # Issuer: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US
 # Serial Number: 0 (0x0)
 # Subject: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US
 # Not Valid Before: Tue Jun 29 17:39:16 2004
 # Not Valid After : Thu Jun 29 17:39:16 2034
 # Fingerprint (MD5): 32:4A:4B:BB:C8:63:69:9B:BE:74:9A:C6:DD:1D:46:24
@@ -5467,16 +5501,17 @@ CKA_VALUE MULTILINE_OCTAL
 \115\340\167\055\341\145\231\162\151\004\032\107\011\346\017\001
 \126\044\373\037\277\016\171\251\130\056\271\304\011\001\176\225
 \272\155\000\006\076\262\352\112\020\071\330\320\053\365\277\354
 \165\277\227\002\305\011\033\010\334\125\067\342\201\373\067\204
 \103\142\040\312\347\126\113\145\352\376\154\301\044\223\044\241
 \064\353\005\377\232\042\256\233\175\077\361\145\121\012\246\060
 \152\263\364\210\034\200\015\374\162\212\350\203\136
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "StartCom Certification Authority"
 # Issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
 # Serial Number: 1 (0x1)
 # Subject: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
 # Not Valid Before: Sun Sep 17 19:46:36 2006
 # Not Valid After : Wed Sep 17 19:46:36 2036
 # Fingerprint (MD5): 22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16
@@ -5631,16 +5666,17 @@ CKA_VALUE MULTILINE_OCTAL
 \262\304\060\231\043\116\135\362\110\241\022\014\334\022\220\011
 \220\124\221\003\074\107\345\325\311\145\340\267\113\175\354\107
 \323\263\013\076\255\236\320\164\000\016\353\275\121\255\300\336
 \054\300\303\152\376\357\334\013\247\372\106\337\140\333\234\246
 \131\120\165\043\151\163\223\262\371\374\002\323\107\346\161\316
 \020\002\356\047\214\204\377\254\105\015\023\134\203\062\340\045
 \245\206\054\174\364\022
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Taiwan GRCA"
 # Issuer: O=Government Root Certification Authority,C=TW
 # Serial Number:1f:9d:59:5a:d7:2f:c2:06:44:a5:80:08:69:e3:5e:f6
 # Subject: O=Government Root Certification Authority,C=TW
 # Not Valid Before: Thu Dec 05 13:23:33 2002
 # Not Valid After : Sun Dec 05 13:23:33 2032
 # Fingerprint (MD5): 37:85:44:53:32:45:1F:20:F0:F3:95:E1:25:C4:43:4E
@@ -5803,16 +5839,17 @@ CKA_VALUE MULTILINE_OCTAL
 \204\126\141\276\161\027\376\035\023\017\376\306\207\105\351\376
 \062\240\032\015\023\244\224\125\161\245\026\213\272\312\211\260
 \262\307\374\217\330\124\265\223\142\235\316\317\131\373\075\030
 \316\052\313\065\025\202\135\377\124\042\133\161\122\373\267\311
 \376\140\233\000\101\144\360\252\052\354\266\102\103\316\211\146
 \201\310\213\237\071\124\003\045\323\026\065\216\204\320\137\372
 \060\032\365\232\154\364\016\123\371\072\133\321\034
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Swisscom Root CA 1"
 # Issuer: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
 # Serial Number:5c:0b:85:5c:0b:e7:59:41:df:57:cc:3f:7f:9d:a8:36
 # Subject: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
 # Not Valid Before: Thu Aug 18 12:06:20 2005
 # Not Valid After : Mon Aug 18 22:06:20 2025
 # Fingerprint (MD5): F8:38:7C:77:88:DF:2C:16:68:2E:C2:E2:52:4B:B8:F9
@@ -5943,16 +5980,17 @@ CKA_VALUE MULTILINE_OCTAL
 \102\267\372\214\036\335\142\361\276\120\147\267\154\275\363\361
 \037\153\014\066\007\026\177\067\174\251\133\155\172\361\022\106
 \140\203\327\047\004\276\113\316\227\276\303\147\052\150\021\337
 \200\347\014\063\146\277\023\015\024\156\363\177\037\143\020\036
 \372\215\033\045\155\154\217\245\267\141\001\261\322\243\046\241
 \020\161\235\255\342\303\371\303\231\121\267\053\007\010\316\056
 \346\120\262\247\372\012\105\057\242\360\362
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "DigiCert Assured ID Root CA"
 # Issuer: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:0c:e7:e0:e5:17:d8:46:fe:8f:e5:60:fc:1b:f0:30:39
 # Subject: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Not Valid Before: Fri Nov 10 00:00:00 2006
 # Not Valid After : Mon Nov 10 00:00:00 2031
 # Fingerprint (MD5): 87:CE:0B:7B:2A:0E:49:00:E1:58:71:9B:37:A8:93:72
@@ -6083,16 +6121,17 @@ CKA_VALUE MULTILINE_OCTAL
 \076\052\271\066\123\317\072\120\006\367\056\350\304\127\111\154
 \141\041\030\325\004\255\170\074\054\072\200\153\247\353\257\025
 \024\351\330\211\301\271\070\154\342\221\154\212\377\144\271\167
 \045\127\060\300\033\044\243\341\334\351\337\107\174\265\264\044
 \010\005\060\354\055\275\013\277\105\277\120\271\251\363\353\230
 \001\022\255\310\210\306\230\064\137\215\012\074\306\351\325\225
 \225\155\336
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "DigiCert Global Root CA"
 # Issuer: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4a
 # Subject: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Not Valid Before: Fri Nov 10 00:00:00 2006
 # Not Valid After : Mon Nov 10 00:00:00 2031
 # Fingerprint (MD5): 79:E4:A9:84:0D:7D:3A:96:D7:C0:4F:E2:43:4C:89:2E
@@ -6224,16 +6263,17 @@ CKA_VALUE MULTILINE_OCTAL
 \143\070\275\104\244\177\344\046\053\012\304\227\151\015\351\214
 \342\300\020\127\270\310\166\022\221\125\362\110\151\330\274\052
 \002\133\017\104\324\040\061\333\364\272\160\046\135\220\140\236
 \274\113\027\011\057\264\313\036\103\150\311\007\047\301\322\134
 \367\352\041\271\150\022\234\074\234\277\236\374\200\134\233\143
 \315\354\107\252\045\047\147\240\067\363\000\202\175\124\327\251
 \370\351\056\023\243\167\350\037\112
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "DigiCert High Assurance EV Root CA"
 # Issuer: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77
 # Subject: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Not Valid Before: Fri Nov 10 00:00:00 2006
 # Not Valid After : Mon Nov 10 00:00:00 2031
 # Fingerprint (MD5): D4:74:DE:57:5C:39:B2:D3:9C:85:83:C5:C0:65:49:8A
@@ -6356,16 +6396,17 @@ CKA_VALUE MULTILINE_OCTAL
 \311\273\211\176\156\200\210\036\057\024\264\003\044\250\062\157
 \003\232\107\054\060\276\126\306\247\102\002\160\033\352\100\330
 \272\005\003\160\007\244\226\377\375\110\063\012\341\334\245\201
 \220\233\115\335\175\347\347\262\315\134\310\152\225\370\245\366
 \215\304\135\170\010\276\173\006\326\111\317\031\066\120\043\056
 \010\346\236\005\115\107\030\325\026\351\261\326\266\020\325\273
 \227\277\242\216\264\124
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Certplus Class 2 Primary CA"
 # Issuer: CN=Class 2 Primary CA,O=Certplus,C=FR
 # Serial Number:00:85:bd:4b:f3:d8:da:e3:69:f6:94:d7:5f:c3:a5:44:23
 # Subject: CN=Class 2 Primary CA,O=Certplus,C=FR
 # Not Valid Before: Wed Jul 07 17:05:00 1999
 # Not Valid After : Sat Jul 06 23:59:59 2019
 # Fingerprint (MD5): 88:2C:8C:52:B8:A2:3C:F3:F7:BB:03:EA:AE:AC:42:0B
@@ -6482,16 +6523,17 @@ CKA_VALUE MULTILINE_OCTAL
 \162\062\207\306\360\104\273\123\162\155\103\365\046\110\232\122
 \147\267\130\253\376\147\166\161\170\333\015\242\126\024\023\071
 \044\061\205\242\250\002\132\060\107\341\335\120\007\274\002\011
 \220\000\353\144\143\140\233\026\274\210\311\022\346\322\175\221
 \213\371\075\062\215\145\264\351\174\261\127\166\352\305\266\050
 \071\277\025\145\034\310\366\167\226\152\012\215\167\013\330\221
 \013\004\216\007\333\051\266\012\356\235\202\065\065\020
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "DST Root CA X3"
 # Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
 # Serial Number:44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
 # Subject: CN=DST Root CA X3,O=Digital Signature Trust Co.
 # Not Valid Before: Sat Sep 30 21:12:19 2000
 # Not Valid After : Thu Sep 30 14:01:15 2021
 # Fingerprint (MD5): 41:03:52:DC:0F:F7:50:1B:16:F0:02:8E:BA:6F:45:C5
@@ -6623,16 +6665,17 @@ CKA_VALUE MULTILINE_OCTAL
 \343\062\213\372\340\301\206\115\162\074\056\330\223\170\012\052
 \370\330\322\047\075\031\211\137\132\173\212\073\314\014\332\121
 \256\307\013\367\053\260\067\005\354\274\127\043\342\070\322\233
 \150\363\126\022\210\117\102\174\270\061\304\265\333\344\310\041
 \064\351\110\021\065\356\372\307\222\127\305\237\064\344\307\366
 \367\016\013\114\234\150\170\173\161\061\307\353\036\340\147\101
 \363\267\240\247\315\345\172\063\066\152\372\232\053
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "DST ACES CA X6"
 # Issuer: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
 # Serial Number:0d:5e:99:0a:d6:9d:b7:78:ec:d8:07:56:3b:86:15:d9
 # Subject: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
 # Not Valid Before: Thu Nov 20 21:19:58 2003
 # Not Valid After : Mon Nov 20 21:19:58 2017
 # Fingerprint (MD5): 21:D8:4C:82:2B:99:09:33:A2:EB:14:24:8D:8E:5F:E8
@@ -6790,16 +6833,17 @@ CKA_VALUE MULTILINE_OCTAL
 \137\373\140\130\321\373\304\301\155\211\242\273\040\037\235\161
 \221\313\062\233\023\075\076\175\222\122\065\254\222\224\242\323
 \030\302\174\307\352\257\166\005\026\335\147\047\302\176\034\007
 \042\041\363\100\012\033\064\007\104\023\302\204\152\216\337\031
 \132\277\177\353\035\342\032\070\321\134\257\107\222\153\200\265
 \060\245\311\215\330\253\061\201\037\337\302\146\067\323\223\251
 \205\206\171\145\322
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "SwissSign Platinum CA - G2"
 # Issuer: CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH
 # Serial Number:4e:b2:00:67:0c:03:5d:4f
 # Subject: CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH
 # Not Valid Before: Wed Oct 25 08:36:00 2006
 # Not Valid After : Sat Oct 25 08:36:00 2036
 # Fingerprint (MD5): C9:98:27:77:28:1E:3D:0E:15:3C:84:00:B8:85:03:E6
@@ -6954,16 +6998,17 @@ CKA_VALUE MULTILINE_OCTAL
 \001\320\277\150\236\143\140\153\065\115\013\155\272\241\075\300
 \223\340\177\043\263\125\255\162\045\116\106\371\322\026\357\260
 \144\301\001\236\351\312\240\152\230\016\317\330\140\362\057\111
 \270\344\102\341\070\065\026\364\310\156\117\367\201\126\350\272
 \243\276\043\257\256\375\157\003\340\002\073\060\166\372\033\155
 \101\317\001\261\351\270\311\146\364\333\046\363\072\244\164\362
 \111\044\133\311\260\320\127\301\372\076\172\341\227\311
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "SwissSign Gold CA - G2"
 # Issuer: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
 # Serial Number:00:bb:40:1c:43:f5:5e:4f:b0
 # Subject: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
 # Not Valid Before: Wed Oct 25 08:30:35 2006
 # Not Valid After : Sat Oct 25 08:30:35 2036
 # Fingerprint (MD5): 24:77:D9:A8:91:D1:3B:FA:88:2D:C2:FF:F8:CD:33:93
@@ -7119,16 +7164,17 @@ CKA_VALUE MULTILINE_OCTAL
 \212\060\372\215\345\232\153\025\001\116\147\252\332\142\126\076
 \204\010\146\322\304\066\175\247\076\020\374\210\340\324\200\345
 \000\275\252\363\116\006\243\172\152\371\142\162\343\011\117\353
 \233\016\001\043\361\237\273\174\334\334\154\021\227\045\262\362
 \264\143\024\322\006\052\147\214\203\365\316\352\007\330\232\152
 \036\354\344\012\273\052\114\353\011\140\071\316\312\142\330\056
 \156
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "SwissSign Silver CA - G2"
 # Issuer: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH
 # Serial Number:4f:1b:d4:2f:54:bb:2f:4b
 # Subject: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH
 # Not Valid Before: Wed Oct 25 08:32:46 2006
 # Not Valid After : Sat Oct 25 08:32:46 2036
 # Fingerprint (MD5): E0:06:A1:C9:7D:CF:C9:FC:0D:C0:56:75:96:D8:62:13
@@ -7250,16 +7296,17 @@ CKA_VALUE MULTILINE_OCTAL
 \254\257\031\240\163\022\055\374\302\101\272\201\221\332\026\132
 \061\267\371\264\161\200\022\110\231\162\163\132\131\123\301\143
 \122\063\355\247\311\322\071\002\160\372\340\261\102\146\051\252
 \233\121\355\060\124\042\024\137\331\253\035\301\344\224\360\370
 \365\053\367\352\312\170\106\326\270\221\375\246\015\053\032\024
 \001\076\200\360\102\240\225\007\136\155\315\314\113\244\105\215
 \253\022\350\263\336\132\345\240\174\350\017\042\035\132\351\131
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "GeoTrust Primary Certification Authority"
 # Issuer: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US
 # Serial Number:18:ac:b5:6a:fd:69:b6:15:3a:63:6c:af:da:fa:c4:a1
 # Subject: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US
 # Not Valid Before: Mon Nov 27 00:00:00 2006
 # Not Valid After : Wed Jul 16 23:59:59 2036
 # Fingerprint (MD5): 02:26:C3:01:5E:08:30:37:43:A9:D0:7D:CF:37:E6:BF
@@ -7404,16 +7451,17 @@ CKA_VALUE MULTILINE_OCTAL
 \376\254\100\171\345\254\020\157\075\217\033\171\166\213\304\067
 \263\041\030\204\345\066\000\353\143\040\231\271\351\376\063\004
 \273\101\310\301\002\371\104\143\040\236\201\316\102\323\326\077
 \054\166\323\143\234\131\335\217\246\341\016\240\056\101\367\056
 \225\107\317\274\375\063\363\366\013\141\176\176\221\053\201\107
 \302\047\060\356\247\020\135\067\217\134\071\053\344\004\360\173
 \215\126\214\150
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "thawte Primary Root CA"
 # Issuer: CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
 # Serial Number:34:4e:d5:57:20:d5:ed:ec:49:f4:2f:ce:37:db:2b:6d
 # Subject: CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
 # Not Valid Before: Fri Nov 17 00:00:00 2006
 # Not Valid After : Wed Jul 16 23:59:59 2036
 # Fingerprint (MD5): 8C:CA:DC:0B:22:CE:F5:BE:72:AC:41:1A:11:A8:D8:12
@@ -7578,16 +7626,17 @@ CKA_VALUE MULTILINE_OCTAL
 \336\375\250\202\052\155\050\037\015\013\304\345\347\032\046\031
 \341\364\021\157\020\265\225\374\347\102\005\062\333\316\235\121
 \136\050\266\236\205\323\133\357\245\175\105\100\162\216\267\016
 \153\016\006\373\063\065\110\161\270\235\047\213\304\145\137\015
 \206\166\234\104\172\366\225\134\366\135\062\010\063\244\124\266
 \030\077\150\134\362\102\112\205\070\124\203\137\321\350\054\362
 \254\021\326\250\355\143\152
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
 # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
 # Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Not Valid Before: Wed Nov 08 00:00:00 2006
 # Not Valid After : Wed Jul 16 23:59:59 2036
 # Fingerprint (MD5): CB:17:E4:31:67:3E:E2:09:FE:45:57:93:F3:0A:FA:1C
@@ -7720,16 +7769,17 @@ CKA_VALUE MULTILINE_OCTAL
 \144\122\066\137\140\147\331\234\305\005\164\013\347\147\043\322
 \010\374\210\351\256\213\177\341\060\364\067\176\375\306\062\332
 \055\236\104\060\060\154\356\007\336\322\064\374\322\377\100\366
 \113\364\146\106\006\124\246\362\062\012\143\046\060\153\233\321
 \334\213\107\272\341\271\325\142\320\242\240\364\147\005\170\051
 \143\032\157\004\326\370\306\114\243\232\261\067\264\215\345\050
 \113\035\236\054\302\270\150\274\355\002\356\061
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "SecureTrust CA"
 # Issuer: CN=SecureTrust CA,O=SecureTrust Corporation,C=US
 # Serial Number:0c:f0:8e:5c:08:16:a5:ad:42:7f:f0:eb:27:18:59:d0
 # Subject: CN=SecureTrust CA,O=SecureTrust Corporation,C=US
 # Not Valid Before: Tue Nov 07 19:31:18 2006
 # Not Valid After : Mon Dec 31 19:40:55 2029
 # Fingerprint (MD5): DC:32:C3:A7:6D:25:57:C7:68:09:9D:EA:2D:A9:A2:D1
@@ -7854,16 +7904,17 @@ CKA_VALUE MULTILINE_OCTAL
 \103\265\113\055\024\237\371\334\046\015\277\246\107\164\006\330
 \210\321\072\051\060\204\316\322\071\200\142\033\250\307\127\111
 \274\152\125\121\147\025\112\276\065\007\344\325\165\230\067\171
 \060\024\333\051\235\154\305\151\314\107\125\242\060\367\314\134
 \177\302\303\230\034\153\116\026\200\353\172\170\145\105\242\000
 \032\257\014\015\125\144\064\110\270\222\271\361\264\120\051\362
 \117\043\037\332\154\254\037\104\341\335\043\170\121\133\307\026
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Secure Global CA"
 # Issuer: CN=Secure Global CA,O=SecureTrust Corporation,C=US
 # Serial Number:07:56:22:a4:e8:d4:8a:89:4d:f4:13:c8:f0:f8:ea:a5
 # Subject: CN=Secure Global CA,O=SecureTrust Corporation,C=US
 # Not Valid Before: Tue Nov 07 19:42:28 2006
 # Not Valid After : Mon Dec 31 19:52:06 2029
 # Fingerprint (MD5): CF:F4:27:0D:D4:ED:DC:65:16:49:6D:3D:DA:BF:6E:DE
@@ -8003,16 +8054,17 @@ CKA_VALUE MULTILINE_OCTAL
 \314\225\122\223\360\160\045\131\234\040\147\304\356\371\213\127
 \141\364\222\166\175\077\204\215\125\267\350\345\254\325\361\365
 \031\126\246\132\373\220\034\257\223\353\345\034\324\147\227\135
 \004\016\276\013\203\246\027\203\271\060\022\240\305\063\025\005
 \271\015\373\307\005\166\343\330\112\215\374\064\027\243\306\041
 \050\276\060\105\061\036\307\170\276\130\141\070\254\073\342\001
 \145
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "COMODO Certification Authority"
 # Issuer: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Serial Number:4e:81:2d:8a:82:65:e0:0b:02:ee:3e:35:02:46:e5:3d
 # Subject: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Not Valid Before: Fri Dec 01 00:00:00 2006
 # Not Valid After : Mon Dec 31 23:59:59 2029
 # Fingerprint (MD5): 5C:48:DC:F7:42:72:EC:56:94:6D:1C:CC:71:35:80:75
@@ -8148,16 +8200,17 @@ CKA_VALUE MULTILINE_OCTAL
 \056\044\137\313\130\017\353\050\354\257\021\226\363\334\173\157
 \300\247\210\362\123\167\263\140\136\256\256\050\332\065\054\157
 \064\105\323\046\341\336\354\133\117\047\153\026\174\275\104\004
 \030\202\263\211\171\027\020\161\075\172\242\026\116\365\001\315
 \244\154\145\150\241\111\166\134\103\311\330\274\066\147\154\245
 \224\265\324\314\271\275\152\065\126\041\336\330\303\353\373\313
 \244\140\114\260\125\240\240\173\127\262
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Network Solutions Certificate Authority"
 # Issuer: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US
 # Serial Number:57:cb:33:6f:c2:5c:16:e6:47:16:17:e3:90:31:68:e0
 # Subject: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US
 # Not Valid Before: Fri Dec 01 00:00:00 2006
 # Not Valid After : Mon Dec 31 23:59:59 2029
 # Fingerprint (MD5): D3:F3:A6:16:C0:FA:6B:1D:59:B1:2D:96:4D:0E:11:2E
@@ -8308,16 +8361,17 @@ CKA_VALUE MULTILINE_OCTAL
 \332\245\223\127\216\076\155\065\046\010\131\325\347\104\327\166
 \040\143\347\254\023\147\303\155\261\160\106\174\325\226\021\075
 \211\157\135\250\241\353\215\012\332\303\035\063\154\243\352\147
 \031\232\231\177\113\075\203\121\052\035\312\057\206\014\242\176
 \020\055\053\324\026\225\013\007\252\056\024\222\111\267\051\157
 \330\155\061\175\365\374\241\020\007\207\316\057\131\334\076\130
 \333
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "WellsSecure Public Root Certificate Authority"
 # Issuer: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
 # Serial Number: 1 (0x1)
 # Subject: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
 # Not Valid Before: Thu Dec 13 17:07:54 2007
 # Not Valid After : Wed Dec 14 00:07:54 2022
 # Fingerprint (MD5): 15:AC:A5:C2:92:2D:79:BC:E8:7F:CB:67:ED:02:CF:36
@@ -8434,16 +8488,17 @@ CKA_VALUE MULTILINE_OCTAL
 \004\003\003\003\150\000\060\145\002\061\000\357\003\133\172\254
 \267\170\012\162\267\210\337\377\265\106\024\011\012\372\240\346
 \175\010\306\032\207\275\030\250\163\275\046\312\140\014\235\316
 \231\237\317\134\017\060\341\276\024\061\352\002\060\024\364\223
 \074\111\247\063\172\220\106\107\263\143\175\023\233\116\267\157
 \030\067\200\123\376\335\040\340\065\232\066\321\307\001\271\346
 \334\335\363\377\035\054\072\026\127\331\222\071\326
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "COMODO ECC Certification Authority"
 # Issuer: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Serial Number:1f:47:af:aa:62:00:70:50:54:4c:01:9e:9b:63:99:2a
 # Subject: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Not Valid Before: Thu Mar 06 00:00:00 2008
 # Not Valid After : Mon Jan 18 23:59:59 2038
 # Fingerprint (MD5): 7C:62:FF:74:9D:31:53:5E:68:4A:D5:78:AA:1E:BF:23
@@ -8741,16 +8796,17 @@ CKA_VALUE MULTILINE_OCTAL
 \250\215\376\206\076\007\026\222\341\173\347\035\354\063\166\176
 \102\056\112\205\371\221\211\150\204\003\201\245\233\232\276\343
 \067\305\124\253\126\073\030\055\101\244\014\370\102\333\231\240
 \340\162\157\273\135\341\026\117\123\012\144\371\116\364\277\116
 \124\275\170\154\210\352\277\234\023\044\302\160\151\242\177\017
 \310\074\255\010\311\260\230\100\243\052\347\210\203\355\167\217
 \164
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Security Communication EV RootCA1"
 # Issuer: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
 # Serial Number: 0 (0x0)
 # Subject: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
 # Not Valid Before: Wed Jun 06 02:12:32 2007
 # Not Valid After : Sat Jun 06 02:12:32 2037
 # Fingerprint (MD5): 22:2D:A6:01:EA:7C:0A:F7:F0:6C:56:43:3F:77:76:D3
@@ -8888,16 +8944,17 @@ CKA_VALUE MULTILINE_OCTAL
 \204\325\120\003\266\342\204\243\246\066\252\021\072\001\341\030
 \113\326\104\150\263\075\371\123\164\204\263\106\221\106\226\000
 \267\200\054\266\341\343\020\342\333\242\347\050\217\001\226\142
 \026\076\000\343\034\245\066\201\030\242\114\122\166\300\021\243
 \156\346\035\272\343\132\276\066\123\305\076\165\217\206\151\051
 \130\123\265\234\273\157\237\134\305\030\354\335\057\341\230\311
 \374\276\337\012\015
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "OISTE WISeKey Global Root GA CA"
 # Issuer: CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH
 # Serial Number:41:3d:72:c7:f4:6b:1f:81:43:7d:f1:d2:28:54:df:9a
 # Subject: CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH
 # Not Valid Before: Sun Dec 11 16:03:44 2005
 # Not Valid After : Fri Dec 11 16:09:51 2037
 # Fingerprint (MD5): BC:6C:51:33:A7:E9:D3:66:63:54:15:72:1B:21:92:93
@@ -9095,16 +9152,17 @@ CKA_VALUE MULTILINE_OCTAL
 \254\106\155\114\364\062\207\264\040\004\340\154\170\260\167\321
 \205\106\113\246\022\267\165\350\112\311\126\154\327\222\253\235
 \365\111\070\322\117\123\343\125\220\021\333\230\226\306\111\362
 \076\364\237\033\340\367\210\334\045\142\231\104\330\163\277\077
 \060\363\014\067\076\324\302\050\200\163\261\001\267\235\132\226
 \024\001\113\251\021\235\051\152\056\320\135\201\300\317\262\040
 \103\307\003\340\067\116\135\012\334\131\040\045
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Microsec e-Szigno Root CA"
 # Issuer: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
 # Serial Number:00:cc:b8:e7:bf:4e:29:1a:fd:a2:dc:66:a5:1c:2c:0f:11
 # Subject: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
 # Not Valid Before: Wed Apr 06 12:28:44 2005
 # Not Valid After : Thu Apr 06 12:28:44 2017
 # Fingerprint (MD5): F0:96:B6:2F:C5:10:D5:67:8E:83:25:32:E8:5E:2E:E5
@@ -9228,16 +9286,17 @@ CKA_VALUE MULTILINE_OCTAL
 \013\221\003\165\054\154\162\265\141\225\232\015\213\271\015\347
 \365\337\124\315\336\346\330\326\011\010\227\143\345\301\056\260
 \267\104\046\300\046\300\257\125\060\236\073\325\066\052\031\004
 \364\134\036\377\317\054\267\377\320\375\207\100\021\325\021\043
 \273\110\300\041\251\244\050\055\375\025\370\260\116\053\364\060
 \133\041\374\021\221\064\276\101\357\173\235\227\165\377\227\225
 \300\226\130\057\352\273\106\327\273\344\331\056
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Certigna"
 # Issuer: CN=Certigna,O=Dhimyotis,C=FR
 # Serial Number:00:fe:dc:e3:01:0f:c9:48:ff
 # Subject: CN=Certigna,O=Dhimyotis,C=FR
 # Not Valid Before: Fri Jun 29 15:13:05 2007
 # Not Valid After : Tue Jun 29 15:13:05 2027
 # Fingerprint (MD5): AB:57:A6:5B:7D:42:82:19:B5:D8:58:26:28:5E:FD:FF
@@ -9409,16 +9468,17 @@ CKA_VALUE MULTILINE_OCTAL
 \104\276\141\106\241\204\075\010\047\114\201\040\167\211\010\352
 \147\100\136\154\010\121\137\064\132\214\226\150\315\327\367\211
 \302\034\323\062\000\257\122\313\323\140\133\052\072\107\176\153
 \060\063\241\142\051\177\112\271\341\055\347\024\043\016\016\030
 \107\341\171\374\025\125\320\261\374\045\161\143\165\063\034\043
 \053\257\134\331\355\107\167\140\016\073\017\036\322\300\334\144
 \005\211\374\170\326\134\054\046\103\251
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "AC Raiz Certicamara S.A."
 # Issuer: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO
 # Serial Number:07:7e:52:93:7b:e0:15:e3:57:f0:69:8c:cb:ec:0c
 # Subject: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO
 # Not Valid Before: Mon Nov 27 20:46:29 2006
 # Not Valid After : Tue Apr 02 21:42:02 2030
 # Fingerprint (MD5): 93:2A:3E:F6:FD:23:69:0D:71:20:D4:2B:47:99:2B:A6
@@ -9566,16 +9626,17 @@ CKA_VALUE MULTILINE_OCTAL
 \334\071\361\305\162\243\021\003\375\073\102\122\051\333\350\001
 \367\233\136\214\326\215\206\116\031\372\274\034\276\305\041\245
 \207\236\170\056\066\333\011\161\243\162\064\370\154\343\006\011
 \362\136\126\245\323\335\230\372\324\346\006\364\360\266\040\143
 \113\352\051\275\252\202\146\036\373\201\252\247\067\255\023\030
 \346\222\303\201\301\063\273\210\036\241\347\342\264\275\061\154
 \016\121\075\157\373\226\126\200\342\066\027\321\334\344
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "TC TrustCenter Class 3 CA II"
 # Issuer: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE
 # Serial Number:4a:47:00:01:00:02:e5:a0:5d:d6:3f:00:51:bf
 # Subject: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE
 # Not Valid Before: Thu Jan 12 14:41:57 2006
 # Not Valid After : Wed Dec 31 22:59:59 2025
 # Fingerprint (MD5): 56:5F:AA:80:61:12:17:F6:67:21:E6:2B:6D:61:56:8E
@@ -9706,16 +9767,17 @@ CKA_VALUE MULTILINE_OCTAL
 \332\347\212\067\041\276\131\143\340\362\205\210\061\123\324\124
 \024\205\160\171\364\056\006\167\047\165\057\037\270\212\371\376
 \305\272\330\066\344\203\354\347\145\267\277\143\132\363\106\257
 \201\224\067\324\101\214\326\043\326\036\317\365\150\033\104\143
 \242\132\272\247\065\131\241\345\160\005\233\016\043\127\231\224
 \012\155\272\071\143\050\206\222\363\030\204\330\373\321\317\005
 \126\144\127
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Deutsche Telekom Root CA 2"
 # Issuer: CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE
 # Serial Number: 38 (0x26)
 # Subject: CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE
 # Not Valid Before: Fri Jul 09 12:11:00 1999
 # Not Valid After : Tue Jul 09 23:59:00 2019
 # Fingerprint (MD5): 74:01:4A:91:B1:08:C4:58:CE:47:CD:F0:DD:11:53:08
@@ -9838,16 +9900,17 @@ CKA_VALUE MULTILINE_OCTAL
 \205\272\115\355\050\062\353\371\141\112\344\304\066\036\031\334
 \157\204\021\037\225\365\203\050\030\250\063\222\103\047\335\135
 \023\004\105\117\207\325\106\315\075\250\272\360\363\270\126\044
 \105\353\067\307\341\166\117\162\071\030\337\176\164\162\307\163
 \055\071\352\140\346\255\021\242\126\207\173\303\150\232\376\370
 \214\160\250\337\145\062\364\244\100\214\241\302\104\003\016\224
 \000\147\240\161\000\202\110
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "ComSign CA"
 # Issuer: C=IL,O=ComSign,CN=ComSign CA
 # Serial Number:14:13:96:83:14:55:8c:ea:7b:63:e5:fc:34:87:77:44
 # Subject: C=IL,O=ComSign,CN=ComSign CA
 # Not Valid Before: Wed Mar 24 11:32:18 2004
 # Not Valid After : Mon Mar 19 15:02:18 2029
 # Fingerprint (MD5): CD:F4:39:F3:B5:18:50:D7:3E:A4:C5:91:A0:3E:21:4B
@@ -9968,16 +10031,17 @@ CKA_VALUE MULTILINE_OCTAL
 \275\224\000\231\277\021\245\334\340\171\305\026\013\175\002\141
 \035\352\205\371\002\025\117\347\132\211\116\024\157\343\067\113
 \205\365\301\074\141\340\375\005\101\262\222\177\303\035\240\320
 \256\122\144\140\153\030\306\046\234\330\365\144\344\066\032\142
 \237\212\017\076\377\155\116\031\126\116\040\221\154\237\064\063
 \072\064\127\120\072\157\201\136\006\306\365\076\174\116\216\053
 \316\145\006\056\135\322\052\123\164\136\323\156\047\236\217
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "ComSign Secured CA"
 # Issuer: C=IL,O=ComSign,CN=ComSign Secured CA
 # Serial Number:00:c7:28:47:09:b3:b8:6c:45:8c:1d:fa:24:f5:36:4e:e9
 # Subject: C=IL,O=ComSign,CN=ComSign Secured CA
 # Not Valid Before: Wed Mar 24 11:37:20 2004
 # Not Valid After : Fri Mar 16 15:04:56 2029
 # Fingerprint (MD5): 40:01:25:06:8D:21:43:6A:0E:43:00:9C:E7:43:F3:D5
@@ -10097,16 +10161,17 @@ CKA_VALUE MULTILINE_OCTAL
 \017\124\335\203\273\237\321\217\247\123\163\303\313\377\060\354
 \174\004\270\330\104\037\223\137\161\011\042\267\156\076\352\034
 \003\116\235\032\040\141\373\201\067\354\136\374\012\105\253\327
 \347\027\125\320\240\352\140\233\246\366\343\214\133\051\302\006
 \140\024\235\055\227\114\251\223\025\235\141\304\001\137\110\326
 \130\275\126\061\022\116\021\310\041\340\263\021\221\145\333\264
 \246\210\070\316\125
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Cybertrust Global Root"
 # Issuer: CN=Cybertrust Global Root,O="Cybertrust, Inc"
 # Serial Number:04:00:00:00:00:01:0f:85:aa:2d:48
 # Subject: CN=Cybertrust Global Root,O="Cybertrust, Inc"
 # Not Valid Before: Fri Dec 15 08:00:00 2006
 # Not Valid After : Wed Dec 15 08:00:00 2021
 # Fingerprint (MD5): 72:E4:4A:87:E3:69:40:80:77:EA:BC:E3:F4:FF:F0:E1
@@ -10263,16 +10328,17 @@ CKA_VALUE MULTILINE_OCTAL
 \115\343\061\325\307\354\350\362\260\376\222\036\026\012\032\374
 \331\363\370\047\266\311\276\035\264\154\144\220\177\364\344\304
 \133\327\067\256\102\016\335\244\032\157\174\210\124\305\026\156
 \341\172\150\056\370\072\277\015\244\074\211\073\170\247\116\143
 \203\004\041\010\147\215\362\202\111\320\133\375\261\315\017\203
 \204\324\076\040\205\367\112\075\053\234\375\052\012\011\115\352
 \201\370\021\234
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "ePKI Root Certification Authority"
 # Issuer: OU=ePKI Root Certification Authority,O="Chunghwa Telecom Co., Ltd.",C=TW
 # Serial Number:15:c8:bd:65:47:5c:af:b8:97:00:5e:e4:06:d2:bc:9d
 # Subject: OU=ePKI Root Certification Authority,O="Chunghwa Telecom Co., Ltd.",C=TW
 # Not Valid Before: Mon Dec 20 02:31:27 2004
 # Not Valid After : Wed Dec 20 02:31:27 2034
 # Fingerprint (MD5): 1B:2E:00:CA:26:06:90:3D:AD:FE:6F:15:68:D3:6B:B3
@@ -10447,16 +10513,17 @@ CKA_VALUE MULTILINE_OCTAL
 \200\262\136\014\112\023\236\040\330\142\100\253\220\352\144\112
 \057\254\015\001\022\171\105\250\057\207\031\150\310\342\205\307
 \060\262\165\371\070\077\262\300\223\264\153\342\003\104\316\147
 \240\337\211\326\255\214\166\243\023\303\224\141\053\153\331\154
 \301\007\012\042\007\205\154\205\044\106\251\276\077\213\170\204
 \202\176\044\014\235\375\201\067\343\045\250\355\066\116\225\054
 \311\234\220\332\354\251\102\074\255\266\002
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
 # Issuer: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR
 # Serial Number: 17 (0x11)
 # Subject: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR
 # Not Valid Before: Fri Aug 24 11:37:07 2007
 # Not Valid After : Mon Aug 21 11:37:07 2017
 # Fingerprint (MD5): ED:41:F5:8C:50:C5:2B:9C:73:E6:EE:6C:EB:C2:A8:26
@@ -10583,16 +10650,17 @@ CKA_VALUE MULTILINE_OCTAL
 \045\335\141\047\043\034\265\061\007\004\066\264\032\220\275\240
 \164\161\120\211\155\274\024\343\017\206\256\361\253\076\307\240
 \011\314\243\110\321\340\333\144\347\222\265\317\257\162\103\160
 \213\371\303\204\074\023\252\176\222\233\127\123\223\372\160\302
 \221\016\061\371\233\147\135\351\226\070\136\137\263\163\116\210
 \025\147\336\236\166\020\142\040\276\125\151\225\103\000\071\115
 \366\356\260\132\116\111\104\124\130\137\102\203
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "certSIGN ROOT CA"
 # Issuer: OU=certSIGN ROOT CA,O=certSIGN,C=RO
 # Serial Number:20:06:05:16:70:02
 # Subject: OU=certSIGN ROOT CA,O=certSIGN,C=RO
 # Not Valid Before: Tue Jul 04 17:20:04 2006
 # Not Valid After : Fri Jul 04 17:20:04 2031
 # Fingerprint (MD5): 18:98:C0:D6:E9:3A:FC:F9:B0:F5:0C:F7:4B:01:44:17
@@ -10706,16 +10774,17 @@ CKA_VALUE MULTILINE_OCTAL
 \125\171\373\116\206\231\270\224\332\206\070\152\223\243\347\313
 \156\345\337\352\041\125\211\234\175\175\177\230\365\000\211\356
 \343\204\300\134\226\265\305\106\352\106\340\205\125\266\033\311
 \022\326\301\315\315\200\363\002\001\074\310\151\313\105\110\143
 \330\224\320\354\205\016\073\116\021\145\364\202\214\246\075\256
 \056\042\224\011\310\134\352\074\201\135\026\052\003\227\026\125
 \011\333\212\101\202\236\146\233\021
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "CNNIC ROOT"
 # Issuer: CN=CNNIC ROOT,O=CNNIC,C=CN
 # Serial Number: 1228079105 (0x49330001)
 # Subject: CN=CNNIC ROOT,O=CNNIC,C=CN
 # Not Valid Before: Mon Apr 16 07:09:14 2007
 # Not Valid After : Fri Apr 16 07:09:14 2027
 # Fingerprint (MD5): 21:BC:82:AB:49:C4:13:3B:4B:B2:2B:5C:6B:90:9C:19
@@ -10836,16 +10905,17 @@ CKA_VALUE MULTILINE_OCTAL
 \246\176\264\222\027\374\043\224\201\275\156\247\305\214\302\353
 \021\105\333\370\101\311\226\166\352\160\137\171\022\153\344\243
 \007\132\005\357\047\111\317\041\237\212\114\011\160\146\251\046
 \301\053\021\116\063\322\016\374\326\154\322\016\062\144\150\377
 \255\005\170\137\003\035\250\343\220\254\044\340\017\100\247\113
 \256\213\050\267\202\312\030\007\346\267\133\164\351\040\031\177
 \262\033\211\124
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "ApplicationCA - Japanese Government"
 # Issuer: OU=ApplicationCA,O=Japanese Government,C=JP
 # Serial Number: 49 (0x31)
 # Subject: OU=ApplicationCA,O=Japanese Government,C=JP
 # Not Valid Before: Wed Dec 12 15:00:00 2007
 # Not Valid After : Tue Dec 12 15:00:00 2017
 # Fingerprint (MD5): 7E:23:4E:5B:A7:A5:B4:25:E9:00:07:74:11:62:AE:D6
@@ -10984,16 +11054,17 @@ CKA_VALUE MULTILINE_OCTAL
 \207\174\015\015\317\056\010\134\112\100\015\076\354\201\141\346
 \044\333\312\340\016\055\007\262\076\126\334\215\365\101\205\007
 \110\233\014\013\313\111\077\175\354\267\375\313\215\147\211\032
 \253\355\273\036\243\000\010\010\027\052\202\134\061\135\106\212
 \055\017\206\233\164\331\105\373\324\100\261\172\252\150\055\206
 \262\231\042\341\301\053\307\234\370\363\137\250\202\022\353\031
 \021\055
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "GeoTrust Primary Certification Authority - G3"
 # Issuer: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
 # Serial Number:15:ac:6e:94:19:b2:79:4b:41:f6:27:a9:c3:18:0f:1f
 # Subject: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
 # Not Valid Before: Wed Apr 02 00:00:00 2008
 # Not Valid After : Tue Dec 01 23:59:59 2037
 # Fingerprint (MD5): B5:E8:34:36:C9:10:44:58:48:70:6D:2E:83:D4:B8:05
@@ -11112,16 +11183,17 @@ CKA_VALUE MULTILINE_OCTAL
 \003\003\151\000\060\146\002\061\000\335\370\340\127\107\133\247
 \346\012\303\275\365\200\212\227\065\015\033\211\074\124\206\167
 \050\312\241\364\171\336\265\346\070\260\360\145\160\214\177\002
 \124\302\277\377\330\241\076\331\317\002\061\000\304\215\224\374
 \334\123\322\334\235\170\026\037\025\063\043\123\122\343\132\061
 \135\235\312\256\275\023\051\104\015\047\133\250\347\150\234\022
 \367\130\077\056\162\002\127\243\217\241\024\056
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "thawte Primary Root CA - G2"
 # Issuer: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US
 # Serial Number:35:fc:26:5c:d9:84:4f:c9:3d:26:3d:57:9b:ae:d7:56
 # Subject: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US
 # Not Valid Before: Mon Nov 05 00:00:00 2007
 # Not Valid After : Mon Jan 18 23:59:59 2038
 # Fingerprint (MD5): 74:9D:EA:60:24:C4:FD:22:53:3E:CC:3A:72:D9:29:4F
@@ -11271,16 +11343,17 @@ CKA_VALUE MULTILINE_OCTAL
 \051\101\221\042\074\151\247\273\002\362\266\134\047\003\211\364
 \006\352\233\344\162\202\343\241\011\301\351\000\031\323\076\324
 \160\153\272\161\246\252\130\256\364\273\351\154\266\357\207\314
 \233\273\377\071\346\126\141\323\012\247\304\134\114\140\173\005
 \167\046\172\277\330\007\122\054\142\367\160\143\331\071\274\157
 \034\302\171\334\166\051\257\316\305\054\144\004\136\210\066\156
 \061\324\100\032\142\064\066\077\065\001\256\254\143\240
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "thawte Primary Root CA - G3"
 # Issuer: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
 # Serial Number:60:01:97:b7:46:a7:ea:b4:b4:9a:d6:4b:2f:f7:90:fb
 # Subject: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
 # Not Valid Before: Wed Apr 02 00:00:00 2008
 # Not Valid After : Tue Dec 01 23:59:59 2037
 # Fingerprint (MD5): FB:1B:5D:43:8A:94:CD:44:C6:76:F2:43:4B:47:E7:31
@@ -11406,16 +11479,17 @@ CKA_VALUE MULTILINE_OCTAL
 \144\226\131\246\350\011\336\213\272\372\132\210\210\360\037\221
 \323\106\250\362\112\114\002\143\373\154\137\070\333\056\101\223
 \251\016\346\235\334\061\034\262\240\247\030\034\171\341\307\066
 \002\060\072\126\257\232\164\154\366\373\203\340\063\323\010\137
 \241\234\302\133\237\106\326\266\313\221\006\143\242\006\347\063
 \254\076\250\201\022\320\313\272\320\222\013\266\236\226\252\004
 \017\212
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "GeoTrust Primary Certification Authority - G2"
 # Issuer: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
 # Serial Number:3c:b2:f4:48:0a:00:e2:fe:eb:24:3b:5e:60:3e:c3:6b
 # Subject: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
 # Not Valid Before: Mon Nov 05 00:00:00 2007
 # Not Valid After : Mon Jan 18 23:59:59 2038
 # Fingerprint (MD5): 01:5E:D8:6B:BD:6F:3D:8E:A1:31:F8:12:E0:98:73:6A
@@ -11575,16 +11649,17 @@ CKA_VALUE MULTILINE_OCTAL
 \007\021\360\325\333\335\345\214\360\325\062\260\203\346\127\342
 \217\277\276\241\252\277\075\035\265\324\070\352\327\260\134\072
 \117\152\077\217\300\146\154\143\252\351\331\244\026\364\201\321
 \225\024\016\175\315\225\064\331\322\217\160\163\201\173\234\176
 \275\230\141\330\105\207\230\220\305\353\206\060\306\065\277\360
 \377\303\125\210\203\113\357\005\222\006\161\362\270\230\223\267
 \354\315\202\141\361\070\346\117\227\230\052\132\215
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "VeriSign Universal Root Certification Authority"
 # Issuer: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:40:1a:c4:64:21:b3:13:21:03:0e:bb:e4:12:1a:c5:1d
 # Subject: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Not Valid Before: Wed Apr 02 00:00:00 2008
 # Not Valid After : Tue Dec 01 23:59:59 2037
 # Fingerprint (MD5): 8E:AD:B5:01:AA:4D:81:E4:8C:1D:D1:E1:14:00:95:19
@@ -11729,16 +11804,17 @@ CKA_VALUE MULTILINE_OCTAL
 \000\060\145\002\060\146\041\014\030\046\140\132\070\173\126\102
 \340\247\374\066\204\121\221\040\054\166\115\103\075\304\035\204
 \043\320\254\326\174\065\006\316\315\151\275\220\015\333\154\110
 \102\035\016\252\102\002\061\000\234\075\110\071\043\071\130\032
 \025\022\131\152\236\357\325\131\262\035\122\054\231\161\315\307
 \051\337\033\052\141\173\161\321\336\363\300\345\015\072\112\252
 \055\247\330\206\052\335\056\020
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
 # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:2f:80:fe:23:8c:0e:22:0f:48:67:12:28:91:87:ac:b3
 # Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon Nov 05 00:00:00 2007
 # Not Valid After : Mon Jan 18 23:59:59 2038
 # Fingerprint (MD5): 3A:52:E1:E7:FD:6F:3A:E3:6F:F3:6F:99:1B:F9:22:41
@@ -11888,16 +11964,17 @@ CKA_VALUE MULTILINE_OCTAL
 \276\245\025\143\241\324\225\207\361\236\271\363\211\363\075\205
 \270\270\333\276\265\271\051\371\332\067\005\000\111\224\003\204
 \104\347\277\103\061\317\165\213\045\321\364\246\144\365\222\366
 \253\005\353\075\351\245\013\066\142\332\314\006\137\066\213\266
 \136\061\270\052\373\136\366\161\337\104\046\236\304\346\015\221
 \264\056\165\225\200\121\152\113\060\246\260\142\241\223\361\233
 \330\316\304\143\165\077\131\107\261
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "NetLock Arany (Class Gold) Főtanúsítvány"
 # Issuer: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU
 # Serial Number:49:41:2c:e4:00:10
 # Subject: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU
 # Not Valid Before: Thu Dec 11 15:08:21 2008
 # Not Valid After : Wed Dec 06 15:08:21 2028
 # Fingerprint (MD5): C5:A1:B7:FF:73:DD:D6:D7:34:32:18:DF:FC:3C:AD:88
@@ -12061,16 +12138,17 @@ CKA_VALUE MULTILINE_OCTAL
 \120\346\105\020\107\170\266\116\322\145\311\303\067\337\341\102
 \143\260\127\067\105\055\173\212\234\277\005\352\145\125\063\367
 \071\020\305\050\052\041\172\033\212\304\044\371\077\025\310\232
 \025\040\365\125\142\226\355\155\223\120\274\344\252\170\255\331
 \313\012\145\207\246\146\301\304\201\243\167\072\130\036\013\356
 \203\213\235\036\322\122\244\314\035\157\260\230\155\224\061\265
 \370\161\012\334\271\374\175\062\140\346\353\257\212\001
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Staat der Nederlanden Root CA - G2"
 # Issuer: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL
 # Serial Number: 10000012 (0x98968c)
 # Subject: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL
 # Not Valid Before: Wed Mar 26 11:18:17 2008
 # Not Valid After : Wed Mar 25 11:03:10 2020
 # Fingerprint (MD5): 7C:A5:0F:F8:5B:9A:7D:6D:30:AE:54:5A:E3:42:A2:8A
@@ -12186,16 +12264,17 @@ CKA_VALUE MULTILINE_OCTAL
 \022\024\344\141\215\254\020\220\236\204\120\273\360\226\157\105
 \237\212\363\312\154\117\372\021\072\025\025\106\303\315\037\203
 \133\055\101\022\355\120\147\101\023\075\041\253\224\212\252\116
 \174\301\261\373\247\326\265\047\057\227\253\156\340\035\342\321
 \034\054\037\104\342\374\276\221\241\234\373\326\051\123\163\206
 \237\123\330\103\016\135\326\143\202\161\035\200\164\312\366\342
 \002\153\331\132
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Hongkong Post Root CA 1"
 # Issuer: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK
 # Serial Number: 1000 (0x3e8)
 # Subject: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK
 # Not Valid Before: Thu May 15 05:13:14 2003
 # Not Valid After : Mon May 15 04:52:29 2023
 # Fingerprint (MD5): A8:0D:6F:39:78:B9:43:6D:77:42:6D:98:5A:CC:23:CA
@@ -12316,16 +12395,17 @@ CKA_VALUE MULTILINE_OCTAL
 \143\173\132\151\226\002\041\250\275\122\131\351\175\065\313\310
 \122\312\177\201\376\331\153\323\367\021\355\045\337\370\347\371
 \244\372\162\227\204\123\015\245\320\062\030\121\166\131\024\154
 \017\353\354\137\200\214\165\103\203\303\205\230\377\114\236\055
 \015\344\167\203\223\116\265\226\007\213\050\023\233\214\031\215
 \101\047\111\100\356\336\346\043\104\071\334\241\042\326\272\003
 \362
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "SecureSign RootCA11"
 # Issuer: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP
 # Serial Number: 1 (0x1)
 # Subject: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP
 # Not Valid Before: Wed Apr 08 04:56:47 2009
 # Not Valid After : Sun Apr 08 04:56:47 2029
 # Fingerprint (MD5): B7:52:74:E2:92:B4:80:93:F2:75:E4:CC:D7:F2:EA:26
@@ -12481,16 +12561,17 @@ CKA_VALUE MULTILINE_OCTAL
 \307\202\066\076\247\070\143\251\060\054\027\020\140\222\237\125
 \207\022\131\020\302\017\147\151\021\314\116\036\176\112\232\255
 \257\100\250\165\254\126\220\164\270\240\234\245\171\157\334\351
 \032\310\151\005\351\272\372\003\263\174\344\340\116\302\316\235
 \350\266\106\015\156\176\127\072\147\224\302\313\037\234\167\112
 \147\116\151\206\103\223\070\373\266\333\117\203\221\324\140\176
 \113\076\053\070\007\125\230\136\244
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "ACEDICOM Root"
 # Issuer: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root
 # Serial Number:61:8d:c7:86:3b:01:82:05
 # Subject: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root
 # Not Valid Before: Fri Apr 18 16:24:22 2008
 # Not Valid After : Thu Apr 13 16:24:22 2028
 # Fingerprint (MD5): 42:81:A0:E2:1C:E3:55:10:DE:55:89:42:65:96:22:E6
@@ -12627,16 +12708,17 @@ CKA_VALUE MULTILINE_OCTAL
 \255\234\032\303\004\074\355\002\141\326\036\006\363\137\072\207
 \362\053\361\105\207\345\075\254\321\307\127\204\275\153\256\334
 \330\371\266\033\142\160\013\075\066\311\102\362\062\327\172\141
 \346\322\333\075\317\310\251\311\233\334\333\130\104\327\157\070
 \257\177\170\323\243\255\032\165\272\034\301\066\174\217\036\155
 \034\303\165\106\256\065\005\246\366\134\075\041\356\126\360\311
 \202\042\055\172\124\253\160\303\175\042\145\202\160\226
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Microsec e-Szigno Root CA 2009"
 # Issuer: E=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU
 # Serial Number:00:c2:7e:43:04:4e:47:3f:19
 # Subject: E=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU
 # Not Valid Before: Tue Jun 16 11:30:18 2009
 # Not Valid After : Sun Dec 30 11:30:18 2029
 # Fingerprint (MD5): F8:49:F4:03:BC:44:2D:83:BE:48:69:7D:29:64:FC:B1
@@ -12758,16 +12840,17 @@ CKA_VALUE MULTILINE_OCTAL
 \231\302\037\172\016\343\055\010\255\012\034\054\377\074\253\125
 \016\017\221\176\066\353\303\127\111\276\341\056\055\174\140\213
 \303\101\121\023\043\235\316\367\062\153\224\001\250\231\347\054
 \063\037\072\073\045\322\206\100\316\073\054\206\170\311\141\057
 \024\272\356\333\125\157\337\204\356\005\011\115\275\050\330\162
 \316\323\142\120\145\036\353\222\227\203\061\331\263\265\312\107
 \130\077\137
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "GlobalSign Root CA - R3"
 # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
 # Serial Number:04:00:00:00:00:01:21:58:53:08:a2
 # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
 # Not Valid Before: Wed Mar 18 10:00:00 2009
 # Not Valid After : Sun Mar 18 10:00:00 2029
 # Fingerprint (MD5): C5:DF:B8:49:CA:05:13:55:EE:2D:BA:1A:C3:3E:B0:28
@@ -12930,16 +13013,17 @@ CKA_VALUE MULTILINE_OCTAL
 \330\153\044\254\227\130\104\107\255\131\030\361\041\145\160\336
 \316\064\140\250\100\361\363\074\244\303\050\043\214\376\047\063
 \103\100\240\027\074\353\352\073\260\162\246\243\271\112\113\136
 \026\110\364\262\274\310\214\222\305\235\237\254\162\066\274\064
 \200\064\153\251\213\222\300\270\027\355\354\166\123\365\044\001
 \214\263\042\350\113\174\125\306\235\372\243\024\273\145\205\156
 \156\117\022\176\012\074\235\225
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
 # Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES
 # Serial Number:53:ec:3b:ee:fb:b2:48:5f
 # Subject: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES
 # Not Valid Before: Wed May 20 08:38:15 2009
 # Not Valid After : Tue Dec 31 08:38:15 2030
 # Fingerprint (MD5): 73:3A:74:7A:EC:BB:A3:96:A6:C2:E4:E2:C8:9B:C0:C3
@@ -13098,16 +13182,17 @@ CKA_VALUE MULTILINE_OCTAL
 \150\103\110\262\333\353\163\044\347\221\177\124\244\266\200\076
 \235\243\074\114\162\302\127\304\240\324\314\070\047\316\325\006
 \236\242\110\331\351\237\316\202\160\066\223\232\073\337\226\041
 \343\131\267\014\332\221\067\360\375\131\132\263\231\310\151\154
 \103\046\001\065\143\140\125\211\003\072\165\330\272\112\331\124
 \377\356\336\200\330\055\321\070\325\136\055\013\230\175\076\154
 \333\374\046\210\307
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Izenpe.com"
 # Issuer: CN=Izenpe.com,O=IZENPE S.A.,C=ES
 # Serial Number:00:b0:b7:5a:16:48:5f:bf:e1:cb:f5:8b:d7:19:e6:7d
 # Subject: CN=Izenpe.com,O=IZENPE S.A.,C=ES
 # Not Valid Before: Thu Dec 13 13:08:28 2007
 # Not Valid After : Sun Dec 13 08:27:25 2037
 # Fingerprint (MD5): A6:B0:CD:85:80:DA:5C:50:34:A3:39:90:2F:55:67:73
@@ -13302,16 +13387,17 @@ CKA_VALUE MULTILINE_OCTAL
 \176\030\230\265\105\073\366\171\264\350\367\032\173\006\203\373
 \320\213\332\273\307\275\030\253\010\157\074\200\153\100\077\031
 \031\272\145\212\346\276\325\134\323\066\327\357\100\122\044\140
 \070\147\004\061\354\217\363\202\306\336\271\125\363\073\061\221
 \132\334\265\010\025\255\166\045\012\015\173\056\207\342\014\246
 \006\274\046\020\155\067\235\354\335\170\214\174\200\305\360\331
 \167\110\320
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Chambers of Commerce Root - 2008"
 # Issuer: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
 # Serial Number:00:a3:da:42:7e:a4:b1:ae:da
 # Subject: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
 # Not Valid Before: Fri Aug 01 12:29:50 2008
 # Not Valid After : Sat Jul 31 12:29:50 2038
 # Fingerprint (MD5): 5E:80:9E:84:5A:0E:65:0B:17:02:F3:55:18:2A:3E:D7
@@ -13510,16 +13596,17 @@ CKA_VALUE MULTILINE_OCTAL
 \223\256\231\240\357\045\152\163\230\211\133\072\056\023\210\036
 \277\300\222\224\064\033\343\047\267\213\036\157\102\377\347\351
 \067\233\120\035\055\242\371\002\356\313\130\130\072\161\274\150
 \343\252\301\257\034\050\037\242\334\043\145\077\201\352\256\231
 \323\330\060\317\023\015\117\025\311\204\274\247\110\055\370\060
 \043\167\330\106\113\171\155\366\214\355\072\177\140\021\170\364
 \351\233\256\325\124\300\164\200\321\013\102\237\301
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Global Chambersign Root - 2008"
 # Issuer: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
 # Serial Number:00:c9:cd:d3:e9:d5:7d:23:ce
 # Subject: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
 # Not Valid Before: Fri Aug 01 12:31:40 2008
 # Not Valid After : Sat Jul 31 12:31:40 2038
 # Fingerprint (MD5): 9E:80:FF:78:01:0C:2E:C1:36:BD:FE:96:90:6E:08:F3
@@ -15376,16 +15463,17 @@ CKA_VALUE MULTILINE_OCTAL
 \330\144\363\054\176\024\374\002\352\237\315\377\007\150\027\333
 \042\220\070\055\172\215\321\124\361\151\343\137\063\312\172\075
 \173\012\343\312\177\137\071\345\342\165\272\305\166\030\063\316
 \054\360\057\114\255\367\261\347\316\117\250\304\233\112\124\006
 \305\177\175\325\010\017\342\034\376\176\027\270\254\136\366\324
 \026\262\103\011\014\115\366\247\153\264\231\204\145\312\172\210
 \342\342\104\276\134\367\352\034\365
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Go Daddy Root Certificate Authority - G2"
 # Issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
 # Serial Number: 0 (0x0)
 # Subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
 # Not Valid Before: Tue Sep 01 00:00:00 2009
 # Not Valid After : Thu Dec 31 23:59:59 2037
 # Fingerprint (MD5): 80:3A:BC:22:C1:E6:FB:8D:9B:3B:27:4A:32:1B:9A:01
@@ -15525,16 +15613,17 @@ CKA_VALUE MULTILINE_OCTAL
 \037\305\354\372\234\176\317\176\261\361\007\055\266\374\277\312
 \244\277\320\227\005\112\274\352\030\050\002\220\275\124\170\011
 \041\161\323\321\175\035\331\026\260\251\141\075\320\012\000\042
 \374\307\173\313\011\144\105\013\073\100\201\367\175\174\062\365
 \230\312\130\216\175\052\356\220\131\163\144\371\066\164\136\045
 \241\365\146\005\056\177\071\025\251\052\373\120\213\216\205\151
 \364
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Starfield Root Certificate Authority - G2"
 # Issuer: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
 # Serial Number: 0 (0x0)
 # Subject: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
 # Not Valid Before: Tue Sep 01 00:00:00 2009
 # Not Valid After : Thu Dec 31 23:59:59 2037
 # Fingerprint (MD5): D6:39:81:C6:52:7E:96:69:FC:FC:CA:66:ED:05:F2:96
@@ -15676,16 +15765,17 @@ CKA_VALUE MULTILINE_OCTAL
 \210\100\317\175\106\035\377\036\307\341\316\377\043\333\306\372
 \215\125\116\251\002\347\107\021\106\076\364\375\275\173\051\046
 \273\251\141\142\067\050\266\055\052\366\020\206\144\311\160\247
 \322\255\267\051\160\171\352\074\332\143\045\237\375\150\267\060
 \354\160\373\165\212\267\155\140\147\262\036\310\271\351\330\250
 \157\002\213\147\015\115\046\127\161\332\040\374\301\112\120\215
 \261\050\272
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Starfield Services Root Certificate Authority - G2"
 # Issuer: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
 # Serial Number: 0 (0x0)
 # Subject: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
 # Not Valid Before: Tue Sep 01 00:00:00 2009
 # Not Valid After : Thu Dec 31 23:59:59 2037
 # Fingerprint (MD5): 17:35:74:AF:7B:61:1C:EB:F4:F9:3C:E2:EE:40:F9:A2
@@ -15806,16 +15896,17 @@ CKA_VALUE MULTILINE_OCTAL
 \265\063\252\262\157\323\012\242\120\343\366\073\350\056\104\302
 \333\146\070\251\063\126\110\361\155\033\063\215\015\214\077\140
 \067\235\323\312\155\176\064\176\015\237\162\166\213\033\237\162
 \375\122\065\101\105\002\226\057\034\262\232\163\111\041\261\111
 \107\105\107\264\357\152\064\021\311\115\232\314\131\267\326\002
 \236\132\116\145\265\224\256\033\337\051\260\026\361\277\000\236
 \007\072\027\144\265\004\265\043\041\231\012\225\073\227\174\357
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "AffirmTrust Commercial"
 # Issuer: CN=AffirmTrust Commercial,O=AffirmTrust,C=US
 # Serial Number:77:77:06:27:26:a9:b1:7c
 # Subject: CN=AffirmTrust Commercial,O=AffirmTrust,C=US
 # Not Valid Before: Fri Jan 29 14:06:06 2010
 # Not Valid After : Tue Dec 31 14:06:06 2030
 # Fingerprint (MD5): 82:92:BA:5B:EF:CD:8A:6F:A6:3D:55:F9:84:F6:D6:B7
@@ -15931,16 +16022,17 @@ CKA_VALUE MULTILINE_OCTAL
 \115\207\165\155\267\130\226\132\335\155\322\000\240\364\233\110
 \276\303\067\244\272\066\340\174\207\205\227\032\025\242\336\056
 \242\133\275\257\030\371\220\120\315\160\131\370\047\147\107\313
 \307\240\007\072\175\321\054\135\154\031\072\146\265\175\375\221
 \157\202\261\276\010\223\333\024\107\361\242\067\307\105\236\074
 \307\167\257\144\250\223\337\366\151\203\202\140\362\111\102\064
 \355\132\000\124\205\034\026\066\222\014\134\372\246\255\277\333
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "AffirmTrust Networking"
 # Issuer: CN=AffirmTrust Networking,O=AffirmTrust,C=US
 # Serial Number:7c:4f:04:39:1c:d4:99:2d
 # Subject: CN=AffirmTrust Networking,O=AffirmTrust,C=US
 # Not Valid Before: Fri Jan 29 14:08:24 2010
 # Not Valid After : Tue Dec 31 14:08:24 2030
 # Fingerprint (MD5): 42:65:CA:BE:01:9A:9A:4C:A9:8C:41:49:CD:C0:D5:7F
@@ -16088,16 +16180,17 @@ CKA_VALUE MULTILINE_OCTAL
 \030\246\265\250\136\264\203\154\153\151\100\323\237\334\361\303
 \151\153\271\341\155\011\364\361\252\120\166\012\172\175\172\027
 \241\125\226\102\231\061\011\335\140\021\215\005\060\176\346\216
 \106\321\235\024\332\307\027\344\005\226\214\304\044\265\033\317
 \024\007\262\100\370\243\236\101\206\274\004\320\153\226\310\052
 \200\064\375\277\357\006\243\335\130\305\205\075\076\217\376\236
 \051\340\266\270\011\150\031\034\030\103
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "AffirmTrust Premium"
 # Issuer: CN=AffirmTrust Premium,O=AffirmTrust,C=US
 # Serial Number:6d:8c:14:46:b1:a6:0a:ee
 # Subject: CN=AffirmTrust Premium,O=AffirmTrust,C=US
 # Not Valid Before: Fri Jan 29 14:10:36 2010
 # Not Valid After : Mon Dec 31 14:10:36 2040
 # Fingerprint (MD5): C4:5D:0E:48:B6:AC:28:30:4E:0A:BC:F9:38:16:87:57
@@ -16193,16 +16286,17 @@ CKA_VALUE MULTILINE_OCTAL
 \027\011\363\207\210\120\132\257\310\300\102\277\107\137\365\154
 \152\206\340\304\047\164\344\070\123\327\005\177\033\064\343\306
 \057\263\312\011\074\067\235\327\347\270\106\361\375\241\342\161
 \002\060\102\131\207\103\324\121\337\272\323\011\062\132\316\210
 \176\127\075\234\137\102\153\365\007\055\265\360\202\223\371\131
 \157\256\144\372\130\345\213\036\343\143\276\265\201\315\157\002
 \214\171
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "AffirmTrust Premium ECC"
 # Issuer: CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US
 # Serial Number:74:97:25:8a:c7:3f:7a:54
 # Subject: CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US
 # Not Valid Before: Fri Jan 29 14:20:24 2010
 # Not Valid After : Mon Dec 31 14:20:24 2040
 # Fingerprint (MD5): 64:B0:09:55:CF:B1:D5:99:E2:BE:13:AB:A6:5D:EA:4D
@@ -16331,16 +16425,17 @@ CKA_VALUE MULTILINE_OCTAL
 \227\306\166\350\047\226\243\146\335\341\256\362\101\133\312\230
 \126\203\163\160\344\206\032\322\061\101\272\057\276\055\023\132
 \166\157\116\350\116\201\016\077\133\003\042\240\022\276\146\130
 \021\112\313\003\304\264\052\052\055\226\027\340\071\124\274\110
 \323\166\047\235\232\055\006\246\311\354\071\322\253\333\237\232
 \013\047\002\065\051\261\100\225\347\371\350\234\125\210\031\106
 \326\267\064\365\176\316\071\232\331\070\361\121\367\117\054
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Certum Trusted Network CA"
 # Issuer: CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
 # Serial Number: 279744 (0x444c0)
 # Subject: CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
 # Not Valid Before: Wed Oct 22 12:07:37 2008
 # Not Valid After : Mon Dec 31 12:07:37 2029
 # Fingerprint (MD5): D5:E9:81:40:C5:18:69:FC:46:2C:89:75:62:0F:AA:78
@@ -16500,16 +16595,17 @@ CKA_VALUE MULTILINE_OCTAL
 \032\050\364\041\003\356\056\331\301\200\352\271\331\202\326\133
 \166\302\313\073\265\322\000\360\243\016\341\255\156\100\367\333
 \240\264\320\106\256\025\327\104\302\115\065\371\322\013\362\027
 \366\254\146\325\044\262\117\321\034\231\300\156\365\175\353\164
 \004\270\371\115\167\011\327\264\317\007\060\011\361\270\000\126
 \331\027\026\026\012\053\206\337\217\001\031\032\345\273\202\143
 \377\276\013\166\026\136\067\067\346\330\164\227\242\231\105\171
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Certinomis - Autorité Racine"
 # Issuer: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR
 # Serial Number: 1 (0x1)
 # Subject: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR
 # Not Valid Before: Wed Sep 17 08:28:59 2008
 # Not Valid After : Sun Sep 17 08:28:59 2028
 # Fingerprint (MD5): 7F:30:78:8C:03:E3:CA:C9:0A:E2:C9:EA:1E:AA:55:1A
@@ -16634,16 +16730,17 @@ CKA_VALUE MULTILINE_OCTAL
 \172\162\132\203\263\171\157\357\264\374\320\012\245\130\117\106
 \337\373\155\171\131\362\204\042\122\256\017\314\373\174\073\347
 \152\312\107\141\303\172\370\323\222\004\037\270\040\204\341\066
 \124\026\307\100\336\073\212\163\334\337\306\011\114\337\354\332
 \377\324\123\102\241\311\362\142\035\042\203\074\227\305\371\031
 \142\047\254\145\042\327\323\074\306\345\216\262\123\314\111\316
 \274\060\376\173\016\063\220\373\355\322\024\221\037\007\257
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "TWCA Root Certification Authority"
 # Issuer: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW
 # Serial Number: 1 (0x1)
 # Subject: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW
 # Not Valid Before: Thu Aug 28 07:24:33 2008
 # Not Valid After : Tue Dec 31 15:59:59 2030
 # Fingerprint (MD5): AA:08:8F:F6:F9:7B:B7:F2:B1:A7:1E:9B:EA:EA:BD:79
@@ -18024,16 +18121,17 @@ CKA_VALUE MULTILINE_OCTAL
 \273\233\051\126\074\376\000\067\317\043\154\361\116\252\266\164
 \106\022\154\221\356\064\325\354\232\221\347\104\276\220\061\162
 \325\111\002\366\002\345\364\037\353\174\331\226\125\251\377\354
 \212\371\231\107\377\065\132\002\252\004\313\212\133\207\161\051
 \221\275\244\264\172\015\275\232\365\127\043\000\007\041\027\077
 \112\071\321\005\111\013\247\266\067\201\245\135\214\252\063\136
 \201\050\174\247\175\047\353\000\256\215\067
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Security Communication RootCA2"
 # Issuer: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
 # Serial Number: 0 (0x0)
 # Subject: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
 # Not Valid Before: Fri May 29 05:00:39 2009
 # Not Valid After : Tue May 29 05:00:39 2029
 # Fingerprint (MD5): 6C:39:7D:A4:0E:55:59:B2:3F:D6:41:B1:12:50:DE:43
@@ -18206,16 +18304,17 @@ CKA_VALUE MULTILINE_OCTAL
 \234\211\333\151\070\276\354\134\016\126\307\145\121\345\120\210
 \210\277\102\325\053\075\345\371\272\236\056\263\312\364\163\222
 \002\013\276\114\146\353\040\376\271\313\265\231\177\346\266\023
 \372\312\113\115\331\356\123\106\006\073\306\116\255\223\132\201
 \176\154\052\113\152\005\105\214\362\041\244\061\220\207\154\145
 \234\235\245\140\225\072\122\177\365\321\253\010\156\363\356\133
 \371\210\075\176\270\157\156\003\344\102
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "EC-ACC"
 # Issuer: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES
 # Serial Number:ee:2b:3d:eb:d4:21:de:14:a8:62:ac:04:f3:dd:c4:01
 # Subject: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES
 # Not Valid Before: Tue Jan 07 23:00:00 2003
 # Not Valid After : Tue Jan 07 22:59:59 2031
 # Fingerprint (MD5): EB:F5:9D:29:0D:61:F9:42:1F:7C:C2:BA:6D:E3:15:09
@@ -18368,16 +18467,17 @@ CKA_VALUE MULTILINE_OCTAL
 \372\363\003\022\226\170\006\215\261\147\355\216\077\276\237\117
 \002\365\263\011\057\363\114\207\337\052\313\225\174\001\314\254
 \066\172\277\242\163\172\367\217\301\265\232\241\024\262\217\063
 \237\015\357\042\334\146\173\204\275\105\027\006\075\074\312\271
 \167\064\217\312\352\317\077\061\076\343\210\343\200\111\045\310
 \227\265\235\232\231\115\260\074\370\112\000\233\144\335\237\071
 \113\321\047\327\270
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Hellenic Academic and Research Institutions RootCA 2011"
 # Issuer: CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
 # Serial Number: 0 (0x0)
 # Subject: CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
 # Not Valid Before: Tue Dec 06 13:49:52 2011
 # Not Valid After : Mon Dec 01 13:49:52 2031
 # Fingerprint (MD5): 73:9F:4C:4B:73:5B:79:E9:FA:BA:1C:EF:6E:CB:D5:C9
@@ -18603,16 +18703,17 @@ CKA_VALUE MULTILINE_OCTAL
 \177\244\101\041\220\101\167\246\071\037\352\236\343\237\320\146
 \157\005\354\252\166\176\277\153\026\240\353\265\307\374\222\124
 \057\053\021\047\045\067\170\114\121\152\260\363\314\130\135\024
 \361\152\110\025\377\302\007\266\261\215\017\216\134\120\106\263
 \075\277\001\230\117\262\131\124\107\076\064\173\170\155\126\223
 \056\163\352\146\050\170\315\035\024\277\240\217\057\056\270\056
 \216\362\024\212\314\351\265\174\373\154\235\014\245\341\226
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Actalis Authentication Root CA"
 # Issuer: CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT
 # Serial Number:57:0a:11:97:42:c4:e3:cc
 # Subject: CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT
 # Not Valid Before: Thu Sep 22 11:22:02 2011
 # Not Valid After : Sun Sep 22 11:22:02 2030
 # Fingerprint (MD5): 69:C1:0D:4F:07:A3:1B:C3:FE:56:3D:04:BC:11:F6:A6
@@ -18733,16 +18834,17 @@ CKA_VALUE MULTILINE_OCTAL
 \177\124\365\243\340\217\360\174\125\042\217\051\266\201\243\341
 \155\116\054\033\200\147\354\255\040\237\014\142\141\325\227\377
 \103\355\055\301\332\135\051\052\205\077\254\145\356\206\017\005
 \215\220\137\337\356\237\364\277\356\035\373\230\344\177\220\053
 \204\170\020\016\154\111\123\357\025\133\145\106\112\135\257\272
 \373\072\162\035\315\366\045\210\036\227\314\041\234\051\001\015
 \145\353\127\331\363\127\226\273\110\315\201
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Trustis FPS Root CA"
 # Issuer: OU=Trustis FPS Root CA,O=Trustis Limited,C=GB
 # Serial Number:1b:1f:ad:b6:20:f9:24:d3:36:6b:f7:c7:f1:8c:a0:59
 # Subject: OU=Trustis FPS Root CA,O=Trustis Limited,C=GB
 # Not Valid Before: Tue Dec 23 12:14:06 2003
 # Not Valid After : Sun Jan 21 11:36:54 2024
 # Fingerprint (MD5): 30:C9:E7:1E:6B:E6:14:EB:65:B2:16:69:20:31:67:4D
@@ -18933,16 +19035,17 @@ CKA_VALUE MULTILINE_OCTAL
 \046\161\304\205\136\161\044\312\245\033\154\330\141\323\032\340
 \124\333\316\272\251\062\265\042\366\163\101\011\135\270\027\135
 \016\017\231\220\326\107\332\157\012\072\142\050\024\147\202\331
 \361\320\200\131\233\313\061\330\233\017\214\167\116\265\150\212
 \362\154\366\044\016\055\154\160\305\163\321\336\024\320\161\217
 \266\323\173\002\366\343\270\324\011\156\153\236\165\204\071\346
 \177\045\245\362\110\000\300\244\001\332\077
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "StartCom Certification Authority"
 # Issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
 # Serial Number: 45 (0x2d)
 # Subject: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
 # Not Valid Before: Sun Sep 17 19:46:37 2006
 # Not Valid After : Wed Sep 17 19:46:36 2036
 # Fingerprint (MD5): C9:3B:0D:84:41:FC:A4:76:79:23:08:57:DE:10:19:16
@@ -19097,16 +19200,17 @@ CKA_VALUE MULTILINE_OCTAL
 \102\056\055\304\011\072\003\147\151\204\232\341\131\220\212\050
 \205\325\135\164\261\321\016\040\130\233\023\245\260\143\246\355
 \173\107\375\105\125\060\244\356\232\324\346\342\207\357\230\311
 \062\202\021\051\042\274\000\012\061\136\055\017\300\216\351\153
 \262\217\056\006\330\321\221\307\306\022\364\114\375\060\027\303
 \301\332\070\133\343\251\352\346\241\272\171\357\163\330\266\123
 \127\055\366\320\341\327\110
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "StartCom Certification Authority G2"
 # Issuer: CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL
 # Serial Number: 59 (0x3b)
 # Subject: CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL
 # Not Valid Before: Fri Jan 01 01:00:01 2010
 # Not Valid After : Sat Dec 31 23:59:01 2039
 # Fingerprint (MD5): 78:4B:FB:9E:64:82:0A:D3:B8:4C:62:F3:64:F2:90:64
@@ -19256,16 +19360,17 @@ CKA_VALUE MULTILINE_OCTAL
 \112\220\136\303\372\047\004\261\171\025\164\231\314\276\255\040
 \336\046\140\034\353\126\121\246\243\352\344\243\077\247\377\141
 \334\361\132\115\154\062\043\103\356\254\250\356\356\112\022\011
 \074\135\161\302\276\171\372\302\207\150\035\013\375\134\151\314
 \006\320\232\175\124\231\052\311\071\032\031\257\113\052\103\363
 \143\135\132\130\342\057\343\035\344\251\326\320\012\320\236\277
 \327\201\011\361\311\307\046\015\254\230\026\126\240
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Buypass Class 2 Root CA"
 # Issuer: CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO
 # Serial Number: 2 (0x2)
 # Subject: CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO
 # Not Valid Before: Tue Oct 26 08:38:03 2010
 # Not Valid After : Fri Oct 26 08:38:03 2040
 # Fingerprint (MD5): 46:A7:D2:FE:45:FB:64:5A:A8:59:90:9B:78:44:9B:29
@@ -19414,16 +19519,17 @@ CKA_VALUE MULTILINE_OCTAL
 \105\310\114\161\331\274\311\231\122\127\106\057\120\317\275\065
 \151\364\075\025\316\006\245\054\017\076\366\201\272\224\273\303
 \273\277\145\170\322\206\171\377\111\073\032\203\014\360\336\170
 \354\310\362\115\114\032\336\202\051\370\301\132\332\355\356\346
 \047\136\350\105\320\235\034\121\250\150\253\104\343\320\213\152
 \343\370\073\273\334\115\327\144\362\121\276\346\252\253\132\351
 \061\356\006\274\163\277\023\142\012\237\307\271\227
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Buypass Class 3 Root CA"
 # Issuer: CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO
 # Serial Number: 2 (0x2)
 # Subject: CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO
 # Not Valid Before: Tue Oct 26 08:28:58 2010
 # Not Valid After : Fri Oct 26 08:28:58 2040
 # Fingerprint (MD5): 3D:3B:18:9E:2C:64:5A:E8:D5:88:CE:0E:F9:37:C2:EC
@@ -19555,16 +19661,17 @@ CKA_VALUE MULTILINE_OCTAL
 \367\124\076\201\075\332\111\152\232\263\357\020\075\346\353\157
 \321\310\042\107\313\314\317\001\061\222\331\030\343\042\276\011
 \036\032\076\132\262\344\153\014\124\172\175\103\116\270\211\245
 \173\327\242\075\226\206\314\362\046\064\055\152\222\235\232\032
 \320\060\342\135\116\004\260\137\213\040\176\167\301\075\225\202
 \321\106\232\073\074\170\270\157\241\320\015\144\242\170\036\051
 \116\223\303\244\124\024\133
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "T-TeleSec GlobalRoot Class 3"
 # Issuer: CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
 # Serial Number: 1 (0x1)
 # Subject: CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
 # Not Valid Before: Wed Oct 01 10:29:56 2008
 # Not Valid After : Sat Oct 01 23:59:59 2033
 # Fingerprint (MD5): CA:FB:40:A8:4E:39:92:8A:1D:FE:8E:2F:C4:27:EA:EF
@@ -19703,16 +19810,17 @@ CKA_VALUE MULTILINE_OCTAL
 \346\164\163\224\135\026\230\023\225\376\373\333\261\104\345\072
 \160\254\067\153\346\263\063\162\050\311\263\127\240\366\002\026
 \210\006\013\266\246\113\040\050\324\336\075\213\255\067\005\123
 \164\376\156\314\274\103\027\161\136\371\305\314\032\251\141\356
 \367\166\014\363\162\364\162\255\317\162\002\066\007\107\317\357
 \031\120\211\140\314\351\044\225\017\302\313\035\362\157\166\220
 \307\314\165\301\226\305\235
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "EE Certification Centre Root CA"
 # Issuer: E=pki@sk.ee,CN=EE Certification Centre Root CA,O=AS Sertifitseerimiskeskus,C=EE
 # Serial Number:54:80:f9:a0:73:ed:3f:00:4c:ca:89:d8:e3:71:e6:4a
 # Subject: E=pki@sk.ee,CN=EE Certification Centre Root CA,O=AS Sertifitseerimiskeskus,C=EE
 # Not Valid Before: Sat Oct 30 10:10:30 2010
 # Not Valid After : Tue Dec 17 23:59:59 2030
 # Fingerprint (MD5): 43:5E:88:D4:7D:1A:4A:7E:FD:84:2E:52:EB:01:D4:6F
@@ -19932,16 +20040,17 @@ CKA_VALUE MULTILINE_OCTAL
 \005\332\143\127\213\345\263\252\333\300\056\034\220\104\333\032
 \135\030\244\356\276\004\133\231\325\161\137\125\145\144\142\325
 \242\233\004\131\206\310\142\167\347\174\202\105\152\075\027\277
 \354\235\165\014\256\243\157\132\323\057\230\066\364\360\365\031
 \253\021\135\310\246\343\052\130\152\102\011\303\275\222\046\146
 \062\015\135\010\125\164\377\214\230\320\012\246\204\152\321\071
 \175
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "TURKTRUST Certificate Services Provider Root 2007"
 # Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
 # Serial Number: 1 (0x1)
 # Subject: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
 # Not Valid Before: Tue Dec 25 18:37:19 2007
 # Not Valid After : Fri Dec 22 18:37:19 2017
 # Fingerprint (MD5): 2B:70:20:56:86:82:A0:18:C8:07:53:12:28:70:21:72
@@ -20080,16 +20189,17 @@ CKA_VALUE MULTILINE_OCTAL
 \310\154\353\202\123\004\246\344\114\042\115\215\214\272\316\133
 \163\354\144\124\120\155\321\234\125\373\151\303\066\303\214\274
 \074\205\246\153\012\046\015\340\223\230\140\256\176\306\044\227
 \212\141\137\221\216\146\222\011\207\066\315\213\233\055\076\366
 \121\324\120\324\131\050\275\203\362\314\050\173\123\206\155\330
 \046\210\160\327\352\221\315\076\271\312\300\220\156\132\306\136
 \164\145\327\134\376\243\342
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "D-TRUST Root Class 3 CA 2 2009"
 # Issuer: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE
 # Serial Number: 623603 (0x983f3)
 # Subject: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE
 # Not Valid Before: Thu Nov 05 08:35:58 2009
 # Not Valid After : Mon Nov 05 08:35:58 2029
 # Fingerprint (MD5): CD:E0:25:69:8D:47:AC:9C:89:35:90:F7:FD:51:3D:2F
@@ -20223,16 +20333,17 @@ CKA_VALUE MULTILINE_OCTAL
 \173\360\171\121\327\103\075\247\323\201\323\360\311\117\271\332
 \306\227\206\320\202\303\344\102\155\376\260\342\144\116\016\046
 \347\100\064\046\265\010\211\327\010\143\143\070\047\165\036\063
 \352\156\250\335\237\231\117\164\115\201\211\200\113\335\232\227
 \051\134\057\276\201\101\271\214\377\352\175\140\006\236\315\327
 \075\323\056\243\025\274\250\346\046\345\157\303\334\270\003\041
 \352\237\026\361\054\124\265
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "D-TRUST Root Class 3 CA 2 EV 2009"
 # Issuer: CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE
 # Serial Number: 623604 (0x983f4)
 # Subject: CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE
 # Not Valid Before: Thu Nov 05 08:50:46 2009
 # Not Valid After : Mon Nov 05 08:50:46 2029
 # Fingerprint (MD5): AA:C6:43:2C:5E:2D:CD:C4:34:C0:50:4F:11:02:4F:B6
@@ -20472,16 +20583,17 @@ CKA_VALUE MULTILINE_OCTAL
 \071\246\202\326\161\312\336\267\325\272\150\010\355\231\314\375
 \242\222\313\151\270\235\371\012\244\246\076\117\223\050\052\141
 \154\007\046\000\377\226\137\150\206\270\270\316\312\125\340\253
 \261\075\177\230\327\063\016\132\075\330\170\302\304\140\057\307
 \142\360\141\221\322\070\260\366\236\125\333\100\200\005\022\063
 \316\035\222\233\321\151\263\377\277\361\222\012\141\065\077\335
 \376\206\364\274\340\032\161\263\142\246
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "PSCProcert"
 # Issuer: E=acraiz@suscerte.gob.ve,OU=Superintendencia de Servicios de Certificacion Electronica,O=Sistema Nacional de Certificacion Electronica,ST=Distrito Capital,L=Caracas,C=VE,CN=Autoridad de Certificacion Raiz del Estado Venezolano
 # Serial Number: 11 (0xb)
 # Subject: CN=PSCProcert,C=VE,O=Sistema Nacional de Certificacion Electronica,OU=Proveedor de Certificados PROCERT,ST=Miranda,L=Chacao,E=contacto@procert.net.ve
 # Not Valid Before: Tue Dec 28 16:51:00 2010
 # Not Valid After : Fri Dec 25 23:59:59 2020
 # Fingerprint (MD5): E6:24:E9:12:01:AE:0C:DE:8E:85:C4:CE:A3:12:DD:EC
@@ -20630,16 +20742,17 @@ CKA_VALUE MULTILINE_OCTAL
 \146\102\107\302\130\044\231\341\345\076\345\165\054\216\103\326
 \135\074\170\036\250\225\202\051\120\321\321\026\272\357\301\276
 \172\331\264\330\314\036\114\106\341\167\261\061\253\275\052\310
 \316\217\156\241\135\177\003\165\064\344\255\211\105\124\136\276
 \256\050\245\273\077\170\171\353\163\263\012\015\375\276\311\367
 \126\254\366\267\355\057\233\041\051\307\070\266\225\304\004\362
 \303\055\375\024\052\220\231\271\007\314\237
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "China Internet Network Information Center EV Certificates Root"
 # Issuer: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN
 # Serial Number: 1218379777 (0x489f0001)
 # Subject: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN
 # Not Valid Before: Tue Aug 31 07:11:25 2010
 # Not Valid After : Sat Aug 31 07:11:25 2030
 # Fingerprint (MD5): 55:5D:63:00:97:BD:6A:97:F5:67:AB:4B:FB:6E:63:15
@@ -20805,16 +20918,17 @@ CKA_VALUE MULTILINE_OCTAL
 \361\377\246\100\005\205\005\134\312\007\031\134\013\023\050\114
 \130\177\302\245\357\105\332\140\323\256\145\141\235\123\203\164
 \302\256\362\134\302\026\355\222\076\204\076\163\140\210\274\166
 \364\054\317\320\175\175\323\270\136\321\221\022\020\351\315\335
 \312\045\343\325\355\231\057\276\165\201\113\044\371\105\106\224
 \311\051\041\123\234\046\105\252\023\027\344\347\315\170\342\071
 \301\053\022\236\246\236\033\305\346\016\331\061\331
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Swisscom Root CA 2"
 # Issuer: CN=Swisscom Root CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
 # Serial Number:1e:9e:28:e8:48:f2:e5:ef:c3:7c:4a:1e:5a:18:67:b6
 # Subject: CN=Swisscom Root CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
 # Not Valid Before: Fri Jun 24 08:38:14 2011
 # Not Valid After : Wed Jun 25 07:38:14 2031
 # Fingerprint (MD5): 5B:04:69:EC:A5:83:94:63:18:A7:86:D0:E4:F2:6E:19
@@ -20980,16 +21094,17 @@ CKA_VALUE MULTILINE_OCTAL
 \234\337\164\326\360\100\025\035\310\271\217\265\066\305\257\370
 \042\270\312\035\363\326\266\031\017\237\141\145\152\352\164\310
 \174\217\303\117\135\145\202\037\331\015\211\332\165\162\373\357
 \361\107\147\023\263\310\321\031\210\047\046\232\231\171\177\036
 \344\054\077\173\356\361\336\115\213\226\227\303\325\077\174\033
 \043\355\244\263\035\026\162\103\113\040\341\131\176\302\350\255
 \046\277\242\367
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Swisscom Root EV CA 2"
 # Issuer: CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
 # Serial Number:00:f2:fa:64:e2:74:63:d3:8d:fd:10:1d:04:1f:76:ca:58
 # Subject: CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
 # Not Valid Before: Fri Jun 24 09:45:08 2011
 # Not Valid After : Wed Jun 25 08:45:08 2031
 # Fingerprint (MD5): 7B:30:34:9F:DD:0A:4B:6B:35:CA:31:51:28:5D:AE:EC
@@ -21144,16 +21259,17 @@ CKA_VALUE MULTILINE_OCTAL
 \001\347\177\227\017\327\362\173\031\375\032\327\217\311\372\205
 \153\172\235\236\211\266\246\050\231\223\210\100\367\076\315\121
 \243\312\352\357\171\107\041\265\376\062\342\307\303\121\157\276
 \200\164\360\244\303\072\362\117\351\137\337\031\012\362\073\023
 \103\254\061\244\263\347\353\374\030\326\001\251\363\052\217\066
 \016\353\264\261\274\267\114\311\153\277\241\363\331\364\355\342
 \360\343\355\144\236\075\057\226\122\117\200\123\213
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "CA Disig Root R1"
 # Issuer: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
 # Serial Number:00:c3:03:9a:ee:50:90:6e:28
 # Subject: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
 # Not Valid Before: Thu Jul 19 09:06:56 2012
 # Not Valid After : Sat Jul 19 09:06:56 2042
 # Fingerprint (MD5): BE:EC:11:93:9A:F5:69:21:BC:D7:C1:C0:67:89:CC:2A
@@ -21306,16 +21422,17 @@ CKA_VALUE MULTILINE_OCTAL
 \233\116\166\300\216\175\375\244\045\307\107\355\377\037\163\254
 \314\303\245\351\157\012\216\233\145\302\120\205\265\243\240\123
 \022\314\125\207\141\363\201\256\020\106\141\275\104\041\270\302
 \075\164\317\176\044\065\372\034\007\016\233\075\042\312\357\061
 \057\214\254\022\275\357\100\050\374\051\147\237\262\023\117\146
 \044\304\123\031\351\036\051\025\357\346\155\260\177\055\147\375
 \363\154\033\165\106\243\345\112\027\351\244\327\013
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "CA Disig Root R2"
 # Issuer: CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK
 # Serial Number:00:92:b8:88:db:b0:8a:c1:63
 # Subject: CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK
 # Not Valid Before: Thu Jul 19 09:15:30 2012
 # Not Valid After : Sat Jul 19 09:15:30 2042
 # Fingerprint (MD5): 26:01:FB:D8:27:A7:17:9A:45:54:38:1A:43:01:3B:03
@@ -21505,16 +21622,17 @@ CKA_VALUE MULTILINE_OCTAL
 \346\301\232\351\036\002\107\237\052\250\155\251\133\317\354\105
 \167\177\230\047\232\062\135\052\343\204\356\305\230\146\057\226
 \040\035\335\330\303\047\327\260\371\376\331\175\315\320\237\217
 \013\024\130\121\237\057\213\303\070\055\336\350\217\326\215\207
 \244\365\126\103\026\231\054\364\244\126\264\064\270\141\067\311
 \302\130\200\033\240\227\241\374\131\215\351\021\366\321\017\113
 \125\064\106\052\213\206\073
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "ACCVRAIZ1"
 # Issuer: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1
 # Serial Number:5e:c3:b7:a6:43:7f:a4:e0
 # Subject: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1
 # Not Valid Before: Thu May 05 09:37:37 2011
 # Not Valid After : Tue Dec 31 09:37:37 2030
 # Fingerprint (MD5): D0:A0:5A:EE:05:B6:09:94:21:A1:7D:F1:B2:29:82:02
@@ -21664,16 +21782,17 @@ CKA_VALUE MULTILINE_OCTAL
 \301\255\175\204\003\074\020\170\206\033\171\343\304\363\362\004
 \225\040\256\043\202\304\263\072\000\142\277\346\066\044\341\127
 \272\307\036\220\165\325\137\077\225\141\053\301\073\315\345\263
 \150\141\320\106\046\251\041\122\151\055\353\056\307\353\167\316
 \246\072\265\003\063\117\166\321\347\134\124\001\135\313\170\364
 \311\014\277\317\022\216\027\055\043\150\224\347\253\376\251\262
 \053\006\320\004\315
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "TWCA Global Root CA"
 # Issuer: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW
 # Serial Number: 3262 (0xcbe)
 # Subject: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW
 # Not Valid Before: Wed Jun 27 06:28:33 2012
 # Not Valid After : Tue Dec 31 15:59:59 2030
 # Fingerprint (MD5): F9:03:7E:CF:E6:9E:3C:73:7A:2A:90:07:69:FF:2B:96
@@ -21820,16 +21939,17 @@ CKA_VALUE MULTILINE_OCTAL
 \255\316\364\370\151\024\144\071\373\243\270\272\160\100\307\047
 \034\277\304\126\123\372\143\145\320\363\034\016\026\365\153\206
 \130\115\030\324\344\015\216\245\235\133\221\334\166\044\120\077
 \306\052\373\331\267\234\265\326\346\320\331\350\031\213\025\161
 \110\255\267\352\330\131\210\324\220\277\026\263\331\351\254\131
 \141\124\310\034\272\312\301\312\341\271\040\114\217\072\223\211
 \245\240\314\277\323\366\165\244\165\226\155\126
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "TeliaSonera Root CA v1"
 # Issuer: CN=TeliaSonera Root CA v1,O=TeliaSonera
 # Serial Number:00:95:be:16:a0:f7:2e:46:f1:7b:39:82:72:fa:8b:cd:96
 # Subject: CN=TeliaSonera Root CA v1,O=TeliaSonera
 # Not Valid Before: Thu Oct 18 12:00:50 2007
 # Not Valid After : Mon Oct 18 12:00:50 2032
 # Fingerprint (MD5): 37:41:49:1B:18:56:9A:26:F5:AD:C2:66:FB:40:A5:4C
@@ -22007,16 +22127,17 @@ CKA_VALUE MULTILINE_OCTAL
 \237\211\213\375\067\137\137\072\316\070\131\206\113\257\161\013
 \264\330\362\160\117\237\062\023\343\260\247\127\345\332\332\103
 \313\204\064\362\050\304\352\155\364\052\357\301\153\166\332\373
 \176\273\205\074\322\123\302\115\276\161\341\105\321\375\043\147
 \015\023\165\373\317\145\147\042\235\256\260\011\321\011\377\035
 \064\277\376\043\227\067\322\071\372\075\015\006\013\264\333\073
 \243\253\157\134\035\266\176\350\263\202\064\355\006\134\044
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "E-Tugra Certification Authority"
 # Issuer: CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tu..ra EBG Bili..im Teknolojileri ve Hizmetleri A....,L=Ankara,C=TR
 # Serial Number:6a:68:3e:9c:51:9b:cb:53
 # Subject: CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tu..ra EBG Bili..im Teknolojileri ve Hizmetleri A....,L=Ankara,C=TR
 # Not Valid Before: Tue Mar 05 12:09:48 2013
 # Not Valid After : Fri Mar 03 12:09:48 2023
 # Fingerprint (MD5): B8:A1:03:63:B0:BD:21:71:70:8A:6F:13:3A:BB:79:49
@@ -22155,16 +22276,17 @@ CKA_VALUE MULTILINE_OCTAL
 \203\125\352\174\302\051\211\033\351\157\263\316\342\005\204\311
 \057\076\170\205\142\156\311\137\301\170\143\164\130\300\110\030
 \014\231\071\353\244\314\032\265\171\132\215\025\234\330\024\015
 \366\172\007\127\307\042\203\005\055\074\233\045\046\075\030\263
 \251\103\174\310\310\253\144\217\016\243\277\234\033\235\060\333
 \332\320\031\056\252\074\361\373\063\200\166\344\315\255\031\117
 \005\047\216\023\241\156\302
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "T-TeleSec GlobalRoot Class 2"
 # Issuer: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
 # Serial Number: 1 (0x1)
 # Subject: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
 # Not Valid Before: Wed Oct 01 10:40:14 2008
 # Not Valid After : Sat Oct 01 23:59:59 2033
 # Fingerprint (MD5): 2B:9B:9E:E4:7B:6C:1F:00:72:1A:CC:C1:77:79:DF:6A
@@ -22285,16 +22407,17 @@ CKA_VALUE MULTILINE_OCTAL
 \265\024\357\264\021\377\016\025\265\365\365\333\306\275\353\132
 \247\360\126\042\251\074\145\124\306\025\250\275\206\236\315\203
 \226\150\172\161\201\211\341\013\341\352\021\033\150\010\314\151
 \236\354\236\101\236\104\062\046\172\342\207\012\161\075\353\344
 \132\244\322\333\305\315\306\336\140\177\271\363\117\104\222\357
 \052\267\030\076\247\031\331\013\175\261\067\101\102\260\272\140
 \035\362\376\011\021\260\360\207\173\247\235
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Atos TrustedRoot 2011"
 # Issuer: C=DE,O=Atos,CN=Atos TrustedRoot 2011
 # Serial Number:5c:33:cb:62:2c:5f:b3:32
 # Subject: C=DE,O=Atos,CN=Atos TrustedRoot 2011
 # Not Valid Before: Thu Jul 07 14:58:30 2011
 # Not Valid After : Tue Dec 31 23:59:59 2030
 # Fingerprint (MD5): AE:B9:C4:32:4B:AC:7F:5D:66:CC:77:94:BB:2A:77:56
@@ -22444,16 +22567,17 @@ CKA_VALUE MULTILINE_OCTAL
 \353\134\237\336\263\257\147\003\263\037\335\155\135\151\150\151
 \253\136\072\354\174\151\274\307\073\205\116\236\025\271\264\025
 \117\303\225\172\130\327\311\154\351\154\271\363\051\143\136\264
 \054\360\055\075\355\132\145\340\251\133\100\302\110\231\201\155
 \236\037\006\052\074\022\264\213\017\233\242\044\360\246\215\326
 \172\340\113\266\144\226\143\225\204\302\112\315\034\056\044\207
 \063\140\345\303
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "QuoVadis Root CA 1 G3"
 # Issuer: CN=QuoVadis Root CA 1 G3,O=QuoVadis Limited,C=BM
 # Serial Number:78:58:5f:2e:ad:2c:19:4b:e3:37:07:35:34:13:28:b5:96:d4:65:93
 # Subject: CN=QuoVadis Root CA 1 G3,O=QuoVadis Limited,C=BM
 # Not Valid Before: Thu Jan 12 17:27:44 2012
 # Not Valid After : Sun Jan 12 17:27:44 2042
 # Fingerprint (SHA-256): 8A:86:6F:D1:B2:76:B5:7E:57:8E:92:1C:65:82:8A:2B:ED:58:E9:F2:F2:88:05:41:34:B7:F1:F4:BF:C9:CC:74
@@ -22605,16 +22729,17 @@ CKA_VALUE MULTILINE_OCTAL
 \374\267\003\111\002\133\310\045\346\342\124\070\365\171\207\214
 \035\123\262\116\205\173\006\070\307\054\370\370\260\162\215\045
 \345\167\122\364\003\034\110\246\120\137\210\040\060\156\362\202
 \103\253\075\227\204\347\123\373\041\301\117\017\042\232\206\270
 \131\052\366\107\075\031\210\055\350\205\341\236\354\205\010\152
 \261\154\064\311\035\354\110\053\073\170\355\146\304\216\171\151
 \203\336\177\214
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "QuoVadis Root CA 2 G3"
 # Issuer: CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM
 # Serial Number:44:57:34:24:5b:81:89:9b:35:f2:ce:b8:2b:3b:5b:a7:26:f0:75:28
 # Subject: CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM
 # Not Valid Before: Thu Jan 12 18:59:32 2012
 # Not Valid After : Sun Jan 12 18:59:32 2042
 # Fingerprint (SHA-256): 8F:E4:FB:0A:F9:3A:4D:0D:67:DB:0B:EB:B2:3E:37:C7:1B:F3:25:DC:BC:DD:24:0E:A0:4D:AF:58:B4:7E:18:40
@@ -22766,16 +22891,17 @@ CKA_VALUE MULTILINE_OCTAL
 \046\350\354\266\013\055\247\205\065\315\375\131\310\237\321\315
 \076\132\051\064\271\075\204\316\261\145\324\131\221\221\126\165
 \041\301\167\236\371\172\341\140\235\323\255\004\030\364\174\353
 \136\223\217\123\112\042\051\370\110\053\076\115\206\254\133\177
 \313\006\231\131\140\330\130\145\225\215\104\321\367\177\176\047
 \177\175\256\200\365\007\114\266\076\234\161\124\231\004\113\375
 \130\371\230\364
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "QuoVadis Root CA 3 G3"
 # Issuer: CN=QuoVadis Root CA 3 G3,O=QuoVadis Limited,C=BM
 # Serial Number:2e:f5:9b:02:28:a7:db:7a:ff:d5:a3:a9:ee:bd:03:a0:cf:12:6a:1d
 # Subject: CN=QuoVadis Root CA 3 G3,O=QuoVadis Limited,C=BM
 # Not Valid Before: Thu Jan 12 20:26:32 2012
 # Not Valid After : Sun Jan 12 20:26:32 2042
 # Fingerprint (SHA-256): 88:EF:81:DE:20:2E:B0:18:45:2E:43:F8:64:72:5C:EA:5F:BD:1F:C2:D9:D2:05:73:07:09:C5:D8:B8:69:0F:46
@@ -22902,16 +23028,17 @@ CKA_VALUE MULTILINE_OCTAL
 \007\234\242\272\331\001\162\134\363\115\301\335\016\261\034\015
 \304\143\276\255\364\024\373\211\354\242\101\016\114\314\310\127
 \100\320\156\003\252\315\014\216\211\231\231\154\360\074\060\257
 \070\337\157\274\243\276\051\040\047\253\164\377\023\042\170\336
 \227\122\125\036\203\265\124\040\003\356\256\300\117\126\336\067
 \314\303\177\252\004\047\273\323\167\270\142\333\027\174\234\050
 \042\023\163\154\317\046\365\212\051\347
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "DigiCert Assured ID Root G2"
 # Issuer: CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:0b:93:1c:3a:d6:39:67:ea:67:23:bf:c3:af:9a:f4:4b
 # Subject: CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Not Valid Before: Thu Aug 01 12:00:00 2013
 # Not Valid After : Fri Jan 15 12:00:00 2038
 # Fingerprint (SHA-256): 7D:05:EB:B6:82:33:9F:8C:94:51:EE:09:4E:EB:FE:FA:79:53:A1:14:ED:B2:F4:49:49:45:2F:AB:7D:2F:C1:85
@@ -23019,16 +23146,17 @@ CKA_VALUE MULTILINE_OCTAL
 \003\003\147\000\060\144\002\060\045\244\201\105\002\153\022\113
 \165\164\117\310\043\343\160\362\165\162\336\174\211\360\317\221
 \162\141\236\136\020\222\131\126\271\203\307\020\347\070\351\130
 \046\066\175\325\344\064\206\071\002\060\174\066\123\360\060\345
 \142\143\072\231\342\266\243\073\233\064\372\036\332\020\222\161
 \136\221\023\247\335\244\156\222\314\062\326\365\041\146\307\057
 \352\226\143\152\145\105\222\225\001\264
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "DigiCert Assured ID Root G3"
 # Issuer: CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:0b:a1:5a:fa:1d:df:a0:b5:49:44:af:cd:24:a0:6c:ec
 # Subject: CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Not Valid Before: Thu Aug 01 12:00:00 2013
 # Not Valid After : Fri Jan 15 12:00:00 2038
 # Fingerprint (SHA-256): 7E:37:CB:8B:4C:47:09:0C:AB:36:55:1B:A6:F4:5D:B8:40:68:0F:BA:16:6A:95:2D:B1:00:71:7F:43:05:3F:C2
@@ -23157,16 +23285,17 @@ CKA_VALUE MULTILINE_OCTAL
 \362\261\216\231\241\157\023\261\101\161\376\210\052\310\117\020
 \040\125\327\363\024\105\345\340\104\364\352\207\225\062\223\016
 \376\123\106\372\054\235\377\213\042\271\113\331\011\105\244\336
 \244\270\232\130\335\033\175\122\237\216\131\103\210\201\244\236
 \046\325\157\255\335\015\306\067\175\355\003\222\033\345\167\137
 \166\356\074\215\304\135\126\133\242\331\146\156\263\065\067\345
 \062\266
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "DigiCert Global Root G2"
 # Issuer: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:03:3a:f1:e6:a7:11:a9:a0:bb:28:64:b1:1d:09:fa:e5
 # Subject: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Not Valid Before: Thu Aug 01 12:00:00 2013
 # Not Valid After : Fri Jan 15 12:00:00 2038
 # Fingerprint (SHA-256): CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F
@@ -23274,16 +23403,17 @@ CKA_VALUE MULTILINE_OCTAL
 \000\255\274\362\154\077\022\112\321\055\071\303\012\011\227\163
 \364\210\066\214\210\047\273\346\210\215\120\205\247\143\371\236
 \062\336\146\223\017\361\314\261\011\217\335\154\253\372\153\177
 \240\002\060\071\146\133\302\144\215\270\236\120\334\250\325\111
 \242\355\307\334\321\111\177\027\001\270\310\206\217\116\214\210
 \053\250\232\251\212\305\321\000\275\370\124\342\232\345\133\174
 \263\047\027
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "DigiCert Global Root G3"
 # Issuer: CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:05:55:56:bc:f2:5e:a4:35:35:c3:a4:0f:d5:ab:45:72
 # Subject: CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Not Valid Before: Thu Aug 01 12:00:00 2013
 # Not Valid After : Fri Jan 15 12:00:00 2038
 # Fingerprint (SHA-256): 31:AD:66:48:F8:10:41:38:C7:38:F3:9E:A4:32:01:33:39:3E:3A:18:CC:02:29:6E:F9:7C:2A:C9:EF:67:31:D0
@@ -23444,16 +23574,17 @@ CKA_VALUE MULTILINE_OCTAL
 \102\154\311\012\274\356\103\372\072\161\245\310\115\046\245\065
 \375\211\135\274\205\142\035\062\322\240\053\124\355\232\127\301
 \333\372\020\317\031\267\213\112\033\217\001\266\047\225\123\350
 \266\211\155\133\274\150\324\043\350\213\121\242\126\371\360\246
 \200\240\326\036\263\274\017\017\123\165\051\252\352\023\167\344
 \336\214\201\041\255\007\020\107\021\255\207\075\007\321\165\274
 \317\363\146\176
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "DigiCert Trusted Root G4"
 # Issuer: CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:05:9b:1b:57:9e:8e:21:32:e2:39:07:bd:a7:77:75:5c
 # Subject: CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Not Valid Before: Thu Aug 01 12:00:00 2013
 # Not Valid After : Fri Jan 15 12:00:00 2038
 # Fingerprint (SHA-256): 55:2F:7B:DC:F1:A7:AF:9E:6C:E6:72:01:7F:4F:12:AB:F7:72:40:C7:8E:76:1A:C2:03:D1:D9:D2:0A:C8:99:88
@@ -23610,16 +23741,17 @@ CKA_VALUE MULTILINE_OCTAL
 \047\274\172\277\340\333\364\332\122\275\336\014\124\160\061\221
 \103\225\310\274\360\076\335\011\176\060\144\120\355\177\001\244
 \063\147\115\150\117\276\025\357\260\366\002\021\242\033\023\045
 \072\334\302\131\361\343\134\106\273\147\054\002\106\352\036\110
 \246\346\133\331\265\274\121\242\222\226\333\252\306\067\042\246
 \376\314\040\164\243\055\251\056\153\313\300\202\021\041\265\223
 \171\356\104\206\276\327\036\344\036\373
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "WoSign"
 # Issuer: CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN
 # Serial Number:5e:68:d6:11:71:94:63:50:56:00:68:f3:3e:c9:c5:91
 # Subject: CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN
 # Not Valid Before: Sat Aug 08 01:00:01 2009
 # Not Valid After : Mon Aug 08 01:00:01 2039
 # Fingerprint (SHA-256): 4B:22:D5:A6:AE:C9:9F:3C:DB:79:AA:5E:C0:68:38:47:9C:D5:EC:BA:71:64:F7:F2:2D:C1:D6:5F:63:D8:57:08
@@ -23771,16 +23903,17 @@ CKA_VALUE MULTILINE_OCTAL
 \324\175\253\227\063\304\323\076\340\151\266\050\171\240\011\215
 \034\321\377\101\162\110\006\374\232\056\347\040\371\233\242\336
 \211\355\256\074\011\257\312\127\263\222\211\160\100\344\057\117
 \302\160\203\100\327\044\054\153\347\011\037\323\325\307\301\010
 \364\333\016\073\034\007\013\103\021\204\041\206\351\200\324\165
 \330\253\361\002\142\301\261\176\125\141\317\023\327\046\260\327
 \234\313\051\213\070\112\013\016\220\215\272\241
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "WoSign China"
 # Issuer: CN=CA ...............,O=WoSign CA Limited,C=CN
 # Serial Number:50:70:6b:cd:d8:13:fc:1b:4e:3b:33:72:d2:11:48:8d
 # Subject: CN=CA ...............,O=WoSign CA Limited,C=CN
 # Not Valid Before: Sat Aug 08 01:00:01 2009
 # Not Valid After : Mon Aug 08 01:00:01 2039
 # Fingerprint (SHA-256): D6:F0:34:BD:94:AA:23:3F:02:97:EC:A4:24:5B:28:39:73:E4:47:AA:59:0F:31:0C:77:F4:8F:DF:83:11:22:54
@@ -23947,16 +24080,17 @@ CKA_VALUE MULTILINE_OCTAL
 \100\350\123\262\047\235\112\271\300\167\041\215\377\207\362\336
 \274\214\357\027\337\267\111\013\321\362\156\060\013\032\016\116
 \166\355\021\374\365\351\126\262\175\277\307\155\012\223\214\245
 \320\300\266\035\276\072\116\224\242\327\156\154\013\302\212\174
 \372\040\363\304\344\345\315\015\250\313\221\222\261\174\205\354
 \265\024\151\146\016\202\347\315\316\310\055\246\121\177\041\301
 \065\123\205\006\112\135\237\255\273\033\137\164
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "COMODO RSA Certification Authority"
 # Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Serial Number:4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
 # Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Not Valid Before: Tue Jan 19 00:00:00 2010
 # Not Valid After : Mon Jan 18 23:59:59 2038
 # Fingerprint (SHA-256): 52:F0:E1:C4:E5:8E:C6:29:29:1B:60:31:7F:07:46:71:B8:5D:7E:A8:0D:5B:07:27:34:63:53:4B:32:B4:02:34
@@ -24128,16 +24262,17 @@ CKA_VALUE MULTILINE_OCTAL
 \245\233\267\220\307\014\007\337\365\211\066\164\062\326\050\301
 \260\260\013\340\234\114\303\034\326\374\343\151\265\107\106\201
 \057\242\202\253\323\143\104\160\304\215\377\055\063\272\255\217
 \173\265\160\210\256\076\031\317\100\050\330\374\310\220\273\135
 \231\042\365\122\346\130\305\037\210\061\103\356\210\035\327\306
 \216\074\103\152\035\247\030\336\175\075\026\361\142\371\312\220
 \250\375
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "USERTrust RSA Certification Authority"
 # Issuer: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
 # Serial Number:01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d
 # Subject: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
 # Not Valid Before: Mon Feb 01 00:00:00 2010
 # Not Valid After : Mon Jan 18 23:59:59 2038
 # Fingerprint (SHA-256): E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81:19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2
@@ -24256,16 +24391,17 @@ CKA_VALUE MULTILINE_OCTAL
 \066\147\241\026\010\334\344\227\000\101\035\116\276\341\143\001
 \317\073\252\102\021\144\240\235\224\071\002\021\171\134\173\035
 \372\144\271\356\026\102\263\277\212\302\011\304\354\344\261\115
 \002\061\000\351\052\141\107\214\122\112\113\116\030\160\366\326
 \104\326\156\365\203\272\155\130\275\044\331\126\110\352\357\304
 \242\106\201\210\152\072\106\321\251\233\115\311\141\332\321\135
 \127\152\030
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "USERTrust ECC Certification Authority"
 # Issuer: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
 # Serial Number:5c:8b:99:c5:5a:94:c5:d2:71:56:de:cd:89:80:cc:26
 # Subject: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
 # Not Valid Before: Mon Feb 01 00:00:00 2010
 # Not Valid After : Mon Jan 18 23:59:59 2038
 # Fingerprint (SHA-256): 4F:F4:60:D5:4B:9C:86:DA:BF:BC:FC:57:12:E0:40:0D:2B:ED:3F:BC:4D:4F:BD:AA:86:E0:6A:DC:D2:A9:AD:7A
@@ -24367,16 +24503,17 @@ CKA_VALUE MULTILINE_OCTAL
 \270\342\100\177\373\012\156\373\276\063\311\074\243\204\325\060
 \012\006\010\052\206\110\316\075\004\003\002\003\110\000\060\105
 \002\041\000\334\222\241\240\023\246\317\003\260\346\304\041\227
 \220\372\024\127\055\003\354\356\074\323\156\312\250\154\166\274
 \242\336\273\002\040\047\250\205\047\065\233\126\306\243\362\107
 \322\267\156\033\002\000\027\252\147\246\025\221\336\372\224\354
 \173\013\370\237\204
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "GlobalSign ECC Root CA - R4"
 # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4
 # Serial Number:2a:38:a4:1c:96:0a:04:de:42:b2:28:a5:0b:e8:34:98:02
 # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4
 # Not Valid Before: Tue Nov 13 00:00:00 2012
 # Not Valid After : Tue Jan 19 03:14:07 2038
 # Fingerprint (SHA-256): BE:C9:49:11:C2:95:56:76:DB:6C:0A:55:09:86:D7:6E:3B:A0:05:66:7C:44:2C:97:62:B4:FB:B7:73:DE:22:8C
@@ -24479,16 +24616,17 @@ CKA_VALUE MULTILINE_OCTAL
 \345\151\022\311\156\333\306\061\272\011\101\341\227\370\373\375
 \232\342\175\022\311\355\174\144\323\313\005\045\213\126\331\240
 \347\136\135\116\013\203\234\133\166\051\240\011\046\041\152\142
 \002\060\161\322\265\217\134\352\073\341\170\011\205\250\165\222
 \073\310\134\375\110\357\015\164\042\250\010\342\156\305\111\316
 \307\014\274\247\141\151\361\367\073\341\052\313\371\053\363\146
 \220\067
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "GlobalSign ECC Root CA - R5"
 # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5
 # Serial Number:60:59:49:e0:26:2e:bb:55:f9:0a:77:8a:71:f9:4a:d8:6c
 # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5
 # Not Valid Before: Tue Nov 13 00:00:00 2012
 # Not Valid After : Tue Jan 19 03:14:07 2038
 # Fingerprint (SHA-256): 17:9F:BC:14:8A:3D:D0:0F:D2:4E:A1:34:58:CC:43:BF:A7:F5:9C:81:82:D7:83:A5:13:F6:EB:EC:10:0C:89:24
@@ -24653,16 +24791,17 @@ CKA_VALUE MULTILINE_OCTAL
 \107\234\167\307\045\341\254\064\005\115\363\202\176\101\043\272
 \264\127\363\347\306\001\145\327\115\211\231\034\151\115\136\170
 \366\353\162\161\075\262\304\225\001\237\135\014\267\057\045\246
 \134\171\101\357\236\304\147\074\241\235\177\161\072\320\225\227
 \354\170\102\164\230\156\276\076\150\114\127\074\250\223\101\207
 \013\344\271\257\221\373\120\114\014\272\300\044\047\321\025\333
 \145\110\041\012\057\327\334\176\240\314\145\176\171
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal"
 # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:2f:00:6e:cd:17:70:66:e7:5f:a3:82:0a:79:1f:05:ae
 # Subject: CN=VeriSign Class 3 Secure Server CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Not Valid Before: Thu Mar 26 00:00:00 2009
 # Not Valid After : Sun Mar 24 23:59:59 2019
 # Fingerprint (SHA-256): 0A:41:51:D5:E5:8B:84:B8:AC:E5:3A:5C:12:12:2A:C9:59:CD:69:91:FB:B3:8E:99:B5:76:C0:AB:DA:C3:58:14
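Review bot: The added `CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE` in this hunk appears to land on an intermediate rather than a root. The trust record that follows is labelled "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal", and its Issuer (VeriSign Class 3 Public Primary Certification Authority - G5) differs from its Subject (VeriSign Class 3 Secure Server CA - G2). The certificate object's own label lies outside the hunk, so this is inferred from the trailing context. If the attribute marks roots included under Mozilla's CA policy, as its name suggests, any consumer that keys on it to recognise built-in program roots would treat this entry the same way. Either leave the attribute off this object or state the intent directly above it, for example `# Temporary intermediate shipped as a trust anchor; intentionally flagged as a Mozilla built-in`.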
@@ -24824,16 +24963,17 @@ CKA_VALUE MULTILINE_OCTAL
 \325\131\242\211\164\323\237\276\036\113\327\306\155\267\210\044
 \157\140\221\244\202\205\133\126\101\274\320\104\253\152\023\276
 \321\054\130\267\022\063\130\262\067\143\334\023\365\224\035\077
 \100\121\365\117\365\072\355\310\305\353\302\036\035\026\225\172
 \307\176\102\161\223\156\113\025\267\060\337\252\355\127\205\110
 \254\035\152\335\071\151\344\341\171\170\276\316\005\277\241\014
 \367\200\173\041\147\047\060\131
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Staat der Nederlanden Root CA - G3"
 # Issuer: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL
 # Serial Number: 10003001 (0x98a239)
 # Subject: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL
 # Not Valid Before: Thu Nov 14 11:28:42 2013
 # Not Valid After : Mon Nov 13 23:00:00 2028
 # Fingerprint (SHA-256): 3C:4F:B0:B9:5A:B8:B3:00:32:F4:32:B8:6F:53:5F:E1:72:C1:85:D0:FD:39:86:58:37:CF:36:18:7F:A6:F4:28
@@ -24987,16 +25127,17 @@ CKA_VALUE MULTILINE_OCTAL
 \170\157\120\202\104\120\077\146\006\212\253\103\204\126\112\017
 \040\055\206\016\365\322\333\322\172\212\113\315\245\350\116\361
 \136\046\045\001\131\043\240\176\322\366\176\041\127\327\047\274
 \025\127\114\244\106\301\340\203\036\014\114\115\037\117\006\031
 \342\371\250\364\072\202\241\262\171\103\171\326\255\157\172\047
 \220\003\244\352\044\207\077\331\275\331\351\362\137\120\111\034
 \356\354\327\056
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Staat der Nederlanden EV Root CA"
 # Issuer: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
 # Serial Number: 10000013 (0x98968d)
 # Subject: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
 # Not Valid Before: Wed Dec 08 11:19:29 2010
 # Not Valid After : Thu Dec 08 11:10:28 2022
 # Fingerprint (SHA-256): 4D:24:91:41:4C:FE:95:67:46:EC:4C:EF:A6:CF:6F:72:E2:8A:13:29:43:2F:9D:8A:90:7A:C4:CB:5D:AD:C1:5A
@@ -25148,16 +25289,17 @@ CKA_VALUE MULTILINE_OCTAL
 \312\112\201\153\136\013\363\121\341\164\053\351\176\047\247\331
 \231\111\116\370\245\200\333\045\017\034\143\142\212\311\063\147
 \153\074\020\203\306\255\336\250\315\026\216\215\360\007\067\161
 \237\362\253\374\101\365\301\213\354\000\067\135\011\345\116\200
 \357\372\261\134\070\006\245\033\112\341\334\070\055\074\334\253
 \037\220\032\325\112\234\356\321\160\154\314\356\364\127\370\030
 \272\204\156\207
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "IdenTrust Commercial Root CA 1"
 # Issuer: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US
 # Serial Number:0a:01:42:80:00:00:01:45:23:c8:44:b5:00:00:00:02
 # Subject: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US
 # Not Valid Before: Thu Jan 16 18:12:23 2014
 # Not Valid After : Mon Jan 16 18:12:23 2034
 # Fingerprint (SHA-256): 5D:56:49:9B:E4:D2:E0:8B:CF:CA:D0:8A:3E:38:72:3D:50:50:3B:DE:70:69:48:E4:2F:55:60:30:19:E5:28:AE
@@ -25309,16 +25451,17 @@ CKA_VALUE MULTILINE_OCTAL
 \150\011\061\161\360\155\370\116\107\373\326\205\356\305\130\100
 \031\244\035\247\371\113\103\067\334\150\132\117\317\353\302\144
 \164\336\264\025\331\364\124\124\032\057\034\327\227\161\124\220
 \216\331\040\235\123\053\177\253\217\342\352\060\274\120\067\357
 \361\107\265\175\174\054\004\354\150\235\264\111\104\020\364\162
 \113\034\144\347\374\346\153\220\335\151\175\151\375\000\126\245
 \267\254\266\255\267\312\076\001\357\234
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "IdenTrust Public Sector Root CA 1"
 # Issuer: CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US
 # Serial Number:0a:01:42:80:00:00:01:45:23:cf:46:7c:00:00:00:02
 # Subject: CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US
 # Not Valid Before: Thu Jan 16 17:53:32 2014
 # Not Valid After : Mon Jan 16 17:53:32 2034
 # Fingerprint (SHA-256): 30:D0:89:5A:9A:44:8A:26:20:91:63:55:22:D1:F5:20:10:B5:86:7A:CA:E1:2C:78:EF:95:8F:D4:F4:38:9F:2F
@@ -25453,16 +25596,17 @@ CKA_VALUE MULTILINE_OCTAL
 \217\252\302\107\057\024\161\325\051\343\020\265\107\223\045\314
 \043\051\332\267\162\330\221\324\354\033\110\212\042\344\301\052
 \367\072\150\223\237\105\031\156\103\267\314\376\270\221\232\141
 \032\066\151\143\144\222\050\363\157\141\222\205\023\237\311\007
 \054\213\127\334\353\236\171\325\302\336\010\325\124\262\127\116
 \052\062\215\241\342\072\321\020\040\042\071\175\064\105\157\161
 \073\303\035\374\377\262\117\250\342\366\060\036
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "S-TRUST Universal Root CA"
 # Issuer: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE
 # Serial Number:60:56:c5:4b:23:40:5b:64:d4:ed:25:da:d9:d6:1e:1e
 # Subject: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE
 # Not Valid Before: Tue Oct 22 00:00:00 2013
 # Not Valid After : Thu Oct 21 23:59:59 2038
 # Fingerprint (SHA-256): D8:0F:EF:91:0A:E3:F1:04:72:3B:04:5C:EC:2D:01:9F:44:1C:E6:21:3A:DF:15:67:91:E7:0C:17:90:11:0A:31
@@ -25615,16 +25759,17 @@ CKA_VALUE MULTILINE_OCTAL
 \274\075\320\204\350\352\006\162\260\115\071\062\170\277\076\021
 \234\013\244\235\232\041\363\360\233\013\060\170\333\301\334\207
 \103\376\274\143\232\312\305\302\034\311\307\215\377\073\022\130
 \010\346\266\075\354\172\054\116\373\203\226\316\014\074\151\207
 \124\163\244\163\302\223\377\121\020\254\025\124\001\330\374\005
 \261\211\241\177\164\203\232\111\327\334\116\173\212\110\157\213
 \105\366
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Entrust Root Certification Authority - G2"
 # Issuer: CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
 # Serial Number: 1246989352 (0x4a538c28)
 # Subject: CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
 # Not Valid Before: Tue Jul 07 17:25:54 2009
 # Not Valid After : Sat Dec 07 17:55:54 2030
 # Fingerprint (SHA-256): 43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39
@@ -25759,16 +25904,17 @@ CKA_VALUE MULTILINE_OCTAL
 \075\004\003\003\003\147\000\060\144\002\060\141\171\330\345\102
 \107\337\034\256\123\231\027\266\157\034\175\341\277\021\224\321
 \003\210\165\344\215\211\244\212\167\106\336\155\141\357\002\365
 \373\265\337\314\376\116\377\376\251\346\247\002\060\133\231\327
 \205\067\006\265\173\010\375\353\047\213\112\224\371\341\372\247
 \216\046\010\350\174\222\150\155\163\330\157\046\254\041\002\270
 \231\267\046\101\133\045\140\256\320\110\032\356\006
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Entrust Root Certification Authority - EC1"
 # Issuer: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
 # Serial Number:00:a6:8b:79:29:00:00:00:00:50:d0:91:f9
 # Subject: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
 # Not Valid Before: Tue Dec 18 15:25:36 2012
 # Not Valid After : Fri Dec 18 15:55:36 2037
 # Fingerprint (SHA-256): 02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5
@@ -25931,16 +26077,17 @@ CKA_VALUE MULTILINE_OCTAL
 \110\171\140\212\303\327\023\134\370\162\100\337\112\313\317\231
 \000\012\000\013\021\225\332\126\105\003\210\012\237\147\320\325
 \171\261\250\215\100\155\015\302\172\100\372\363\137\144\107\222
 \313\123\271\273\131\316\117\375\320\025\123\001\330\337\353\331
 \346\166\357\320\043\273\073\251\171\263\325\002\051\315\211\243
 \226\017\112\065\347\116\102\300\165\315\007\317\346\054\353\173
 \056
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "CFCA EV ROOT"
 # Issuer: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN
 # Serial Number: 407555286 (0x184accd6)
 # Subject: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN
 # Not Valid Before: Wed Aug 08 03:07:01 2012
 # Not Valid After : Mon Dec 31 03:07:01 2029
 # Fingerprint (SHA-256): 5C:C3:D7:8E:4E:1D:5E:45:54:7A:04:E6:87:3E:64:F9:0C:F9:53:6D:1C:CC:2E:F8:00:F3:55:C4:C5:FD:70:FD
@@ -26228,16 +26375,17 @@ CKA_VALUE MULTILINE_OCTAL
 \245\346\025\204\067\360\302\362\145\226\222\220\167\360\255\364
 \220\351\021\170\327\223\211\300\075\013\272\051\364\350\231\235
 \162\216\355\235\057\356\222\175\241\361\377\135\272\063\140\205
 \142\376\007\002\241\204\126\106\276\226\012\232\023\327\041\114
 \267\174\007\237\116\116\077\221\164\373\047\235\021\314\335\346
 \261\312\161\115\023\027\071\046\305\051\041\053\223\051\152\226
 \372\253\101\341\113\266\065\013\300\233\025
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
 # Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H5,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
 # Serial Number:00:8e:17:fe:24:20:81
 # Subject: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H5,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
 # Not Valid Before: Tue Apr 30 08:07:01 2013
 # Not Valid After : Fri Apr 28 08:07:01 2023
 # Fingerprint (SHA-256): 49:35:1B:90:34:44:C1:85:CC:DC:5C:69:3D:24:D8:55:5C:B2:08:D6:A8:14:13:07:69:9F:4A:F0:63:19:9D:78
@@ -26388,16 +26536,17 @@ CKA_VALUE MULTILINE_OCTAL
 \200\216\255\176\121\000\116\307\226\206\373\103\230\167\175\050
 \307\217\330\052\156\347\204\157\227\101\051\000\026\136\115\342
 \023\352\131\300\143\147\072\104\373\230\374\004\323\060\162\246
 \366\207\011\127\255\166\246\035\143\232\375\327\145\310\170\203
 \053\165\073\245\133\270\015\135\177\276\043\256\126\125\224\130
 \357\037\201\214\052\262\315\346\233\143\236\030\274\345\153\006
 \264\013\230\113\050\136\257\210\130\313
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
 # Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
 # Serial Number:7d:a1:f2:65:ec:8a
 # Subject: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
 # Not Valid Before: Wed Dec 18 09:04:10 2013
 # Not Valid After : Sat Dec 16 09:04:10 2023
 # Fingerprint (SHA-256): 8D:E7:86:55:E1:BE:7F:78:47:80:0B:93:F6:94:D2:1D:36:8C:C0:6E:03:3E:7F:AB:04:BB:5E:B9:9D:A6:B7:00
@@ -26559,16 +26708,17 @@ CKA_VALUE MULTILINE_OCTAL
 \307\132\141\315\217\201\140\025\115\200\335\220\342\175\304\120
 \362\214\073\156\112\307\306\346\200\053\074\201\274\021\200\026
 \020\047\327\360\315\077\171\314\163\052\303\176\123\221\326\156
 \370\365\363\307\320\121\115\216\113\245\133\346\031\027\073\326
 \201\011\334\042\334\356\216\271\304\217\123\341\147\273\063\270
 \210\025\106\317\355\151\065\377\165\015\106\363\316\161\341\305
 \153\206\102\006\271\101
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Certinomis - Root CA"
 # Issuer: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR
 # Serial Number: 1 (0x1)
 # Subject: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR
 # Not Valid Before: Mon Oct 21 09:17:18 2013
 # Not Valid After : Fri Oct 21 09:17:18 2033
 # Fingerprint (SHA-256): 2A:99:F5:BC:11:74:B7:3C:BB:1D:62:08:84:E0:1C:34:E5:1C:CB:39:78:DA:12:5F:0E:33:26:88:83:BF:41:58
@@ -26697,16 +26847,17 @@ CKA_VALUE MULTILINE_OCTAL
 \265\253\226\300\264\113\242\035\227\236\172\362\156\100\161\337
 \150\361\145\115\316\174\005\337\123\145\251\245\360\261\227\004
 \160\025\106\003\230\324\322\277\124\264\240\130\175\122\157\332
 \126\046\142\324\330\333\211\061\157\034\360\042\302\323\142\034
 \065\315\114\151\025\124\032\220\230\336\353\036\137\312\167\307
 \313\216\075\103\151\234\232\130\320\044\073\337\033\100\226\176
 \065\255\201\307\116\161\272\210\023
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "OISTE WISeKey Global Root GB CA"
 # Issuer: CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH
 # Serial Number:76:b1:20:52:74:f0:85:87:46:b3:f8:23:1a:f6:c2:c0
 # Subject: CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH
 # Not Valid Before: Mon Dec 01 15:00:32 2014
 # Not Valid After : Thu Dec 01 15:10:31 2039
 # Fingerprint (SHA-256): 6B:9C:08:E8:6E:B0:F7:67:CF:AD:65:CD:98:B6:21:49:E5:49:4A:67:F5:84:5E:7B:D1:ED:01:9F:27:B8:6B:D6
@@ -26831,16 +26982,17 @@ CKA_VALUE MULTILINE_OCTAL
 \171\266\063\131\272\017\304\013\342\160\240\113\170\056\372\310
 \237\375\257\221\145\012\170\070\025\345\227\027\024\335\371\340
 \054\064\370\070\320\204\042\000\300\024\121\030\053\002\334\060
 \132\360\350\001\174\065\072\043\257\010\344\257\252\216\050\102
 \111\056\360\365\231\064\276\355\017\113\030\341\322\044\074\273
 \135\107\267\041\362\215\321\012\231\216\343\156\076\255\160\340
 \217\271\312\314\156\201\061\366\173\234\172\171\344\147\161\030
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Certification Authority of WoSign G2"
 # Issuer: CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN
 # Serial Number:6b:25:da:8a:88:9d:7c:bc:0f:05:b3:b1:7a:61:45:44
 # Subject: CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN
 # Not Valid Before: Sat Nov 08 00:58:58 2014
 # Not Valid After : Tue Nov 08 00:58:58 2044
 # Fingerprint (SHA-256): D4:87:A5:6F:83:B0:74:82:E8:5E:96:33:94:C1:EC:C2:C9:E5:1D:09:03:EE:94:6B:02:C3:01:58:1E:D9:9E:16
@@ -26939,16 +27091,17 @@ CKA_VALUE MULTILINE_OCTAL
 \004\003\003\003\150\000\060\145\002\061\000\344\244\204\260\201
 \325\075\260\164\254\224\244\350\016\075\000\164\114\241\227\153
 \371\015\121\074\241\331\073\364\015\253\251\237\276\116\162\312
 \205\324\331\354\265\062\105\030\157\253\255\002\060\175\307\367
 \151\143\057\241\341\230\357\023\020\321\171\077\321\376\352\073
 \177\336\126\364\220\261\025\021\330\262\042\025\320\057\303\046
 \056\153\361\221\262\220\145\364\232\346\220\356\112
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "CA WoSign ECC Root"
 # Issuer: CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN
 # Serial Number:68:4a:58:70:80:6b:f0:8f:02:fa:f6:de:e8:b0:90:90
 # Subject: CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN
 # Not Valid Before: Sat Nov 08 00:58:58 2014
 # Not Valid After : Tue Nov 08 00:58:58 2044
 # Fingerprint (SHA-256): 8B:45:DA:1C:06:F7:91:EB:0C:AB:F2:6B:E5:88:F5:FB:23:16:5C:2E:61:4B:F8:85:56:2D:0D:CE:50:B2:9B:02
@@ -27071,16 +27224,17 @@ CKA_VALUE MULTILINE_OCTAL
 \322\324\141\372\325\025\333\327\237\207\121\124\353\245\343\353
 \311\205\240\045\040\067\373\216\316\014\064\204\341\074\201\262
 \167\116\103\245\210\137\206\147\241\075\346\264\134\141\266\076
 \333\376\267\050\305\242\007\256\265\312\312\215\052\022\357\227
 \355\302\060\244\311\052\172\373\363\115\043\033\231\063\064\240
 \056\365\251\013\077\324\135\341\317\204\237\342\031\302\137\212
 \326\040\036\343\163\267
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "SZAFIR ROOT CA2"
 # Issuer: CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL
 # Serial Number:3e:8a:5d:07:ec:55:d2:32:d5:b7:e3:b6:5f:01:eb:2d:dc:e4:d6:e4
 # Subject: CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL
 # Not Valid Before: Mon Oct 19 07:43:30 2015
 # Not Valid After : Fri Oct 19 07:43:30 2035
 # Fingerprint (SHA-256): A1:33:9D:33:28:1A:0B:56:E5:57:D3:D3:2B:1C:E7:F9:36:7E:B0:94:BD:5F:A7:2A:7E:50:04:C8:DE:D7:CA:FE
@@ -27248,16 +27402,17 @@ CKA_VALUE MULTILINE_OCTAL
 \134\002\312\054\330\157\112\007\331\311\065\332\100\165\362\304
 \247\031\157\236\102\020\230\165\346\225\213\140\274\355\305\022
 \327\212\316\325\230\134\126\226\003\305\356\167\006\065\377\317
 \344\356\077\023\141\356\333\332\055\205\360\315\256\235\262\030
 \011\105\303\222\241\162\027\374\107\266\240\013\054\361\304\336
 \103\150\010\152\137\073\360\166\143\373\314\006\054\246\306\342
 \016\265\271\276\044\217
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Certum Trusted Network CA 2"
 # Issuer: CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
 # Serial Number:21:d6:d0:4a:4f:25:0f:c9:32:37:fc:aa:5e:12:8d:e9
 # Subject: CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
 # Not Valid Before: Thu Oct 06 08:39:56 2011
 # Not Valid After : Sat Oct 06 08:39:56 2046
 # Fingerprint (SHA-256): B6:76:F2:ED:DA:E8:77:5C:D3:6C:B0:F6:3C:D1:D4:60:39:61:F4:9E:62:65:BA:01:3A:2F:03:07:B6:D0:B8:04
@@ -27434,16 +27589,17 @@ CKA_VALUE MULTILINE_OCTAL
 \245\314\073\330\167\067\060\242\117\331\157\321\362\100\255\101
 \172\027\305\326\112\065\211\267\101\325\174\206\177\125\115\203
 \112\245\163\040\300\072\257\220\361\232\044\216\331\216\161\312
 \173\270\206\332\262\217\231\076\035\023\015\022\021\356\324\253
 \360\351\025\166\002\344\340\337\252\040\036\133\141\205\144\100
 \251\220\227\015\255\123\322\132\035\207\152\000\227\145\142\264
 \276\157\152\247\365\054\102\355\062\255\266\041\236\276\274
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Hellenic Academic and Research Institutions RootCA 2015"
 # Issuer: CN=Hellenic Academic and Research Institutions RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR
 # Serial Number: 0 (0x0)
 # Subject: CN=Hellenic Academic and Research Institutions RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR
 # Not Valid Before: Tue Jul 07 10:11:21 2015
 # Not Valid After : Sat Jun 30 10:11:21 2040
 # Fingerprint (SHA-256): A0:40:92:9A:02:CE:53:B4:AC:F4:F2:FF:C6:98:1C:E4:49:6F:75:5E:6D:45:FE:0B:2A:69:2B:CD:52:52:3F:36
@@ -27569,16 +27725,17 @@ CKA_VALUE MULTILINE_OCTAL
 \000\060\144\002\060\147\316\026\142\070\242\254\142\105\247\251
 \225\044\300\032\047\234\062\073\300\300\325\272\251\347\370\004
 \103\123\205\356\122\041\336\235\365\045\203\076\236\130\113\057
 \327\147\023\016\041\002\060\005\341\165\001\336\150\355\052\037
 \115\114\011\010\015\354\113\255\144\027\050\347\165\316\105\145
 \162\041\027\313\042\101\016\214\023\230\070\232\124\155\233\312
 \342\174\352\002\130\042\221
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Hellenic Academic and Research Institutions ECC RootCA 2015"
 # Issuer: CN=Hellenic Academic and Research Institutions ECC RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR
 # Serial Number: 0 (0x0)
 # Subject: CN=Hellenic Academic and Research Institutions ECC RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR
 # Not Valid Before: Tue Jul 07 10:37:12 2015
 # Not Valid After : Sat Jun 30 10:37:12 2040
 # Fingerprint (SHA-256): 44:B5:45:AA:8A:25:E6:5A:73:CA:15:DC:27:FC:36:D2:4C:1C:B9:95:3A:06:65:39:B1:15:82:DC:48:7B:48:33
@@ -27733,16 +27890,17 @@ CKA_VALUE MULTILINE_OCTAL
 \040\222\334\102\204\277\001\253\207\300\325\040\202\333\306\271
 \203\205\102\134\017\103\073\152\111\065\325\230\364\025\277\372
 \141\201\014\011\040\030\322\320\027\014\313\110\000\120\351\166
 \202\214\144\327\072\240\007\125\314\036\061\300\357\072\264\145
 \373\343\277\102\153\236\017\250\275\153\230\334\330\333\313\213
 \244\335\327\131\364\156\335\376\252\303\221\320\056\102\007\300
 \014\115\123\315\044\261\114\133\036\121\364\337\351\222\372
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Certplus Root CA G1"
 # Issuer: CN=Certplus Root CA G1,O=Certplus,C=FR
 # Serial Number:11:20:55:83:e4:2d:3e:54:56:85:2d:83:37:b7:2c:dc:46:11
 # Subject: CN=Certplus Root CA G1,O=Certplus,C=FR
 # Not Valid Before: Mon May 26 00:00:00 2014
 # Not Valid After : Fri Jan 15 00:00:00 2038
 # Fingerprint (SHA-256): 15:2A:40:2B:FC:DF:2C:D5:48:05:4D:22:75:B3:9C:7F:CA:3E:C0:97:80:78:B0:F0:EA:76:E5:61:A6:C7:43:3E
@@ -27838,16 +27996,17 @@ CKA_VALUE MULTILINE_OCTAL
 \110\316\075\004\003\003\003\150\000\060\145\002\060\160\376\260
 \013\331\367\203\227\354\363\125\035\324\334\263\006\016\376\063
 \230\235\213\071\220\153\224\041\355\266\327\135\326\114\327\041
 \247\347\277\041\017\053\315\367\052\334\205\007\235\002\061\000
 \206\024\026\345\334\260\145\302\300\216\024\237\277\044\026\150
 \345\274\371\171\151\334\255\105\053\367\266\061\163\314\006\245
 \123\223\221\032\223\256\160\152\147\272\327\236\345\141\032\137
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Certplus Root CA G2"
 # Issuer: CN=Certplus Root CA G2,O=Certplus,C=FR
 # Serial Number:11:20:d9:91:ce:ae:a3:e8:c5:e7:ff:e9:02:af:cf:73:bc:55
 # Subject: CN=Certplus Root CA G2,O=Certplus,C=FR
 # Not Valid Before: Mon May 26 00:00:00 2014
 # Not Valid After : Fri Jan 15 00:00:00 2038
 # Fingerprint (SHA-256): 6C:C0:50:41:E6:44:5E:74:69:6C:4C:FB:C9:F8:0F:54:3B:7E:AB:BB:44:B4:CE:6F:78:7C:6A:99:71:C4:2F:17
@@ -27999,16 +28158,17 @@ CKA_VALUE MULTILINE_OCTAL
 \076\355\154\275\375\016\235\146\163\260\075\264\367\277\250\340
 \021\244\304\256\165\011\112\143\000\110\040\246\306\235\013\011
 \212\264\340\346\316\076\307\076\046\070\351\053\336\246\010\111
 \003\004\220\212\351\217\277\350\266\264\052\243\043\215\034\034
 \262\071\222\250\217\002\134\100\071\165\324\163\101\002\167\336
 \315\340\103\207\326\344\272\112\303\154\022\177\376\052\346\043
 \326\214\161
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "OpenTrust Root CA G1"
 # Issuer: CN=OpenTrust Root CA G1,O=OpenTrust,C=FR
 # Serial Number:11:20:b3:90:55:39:7d:7f:36:6d:64:c2:a7:9f:6b:63:8e:67
 # Subject: CN=OpenTrust Root CA G1,O=OpenTrust,C=FR
 # Not Valid Before: Mon May 26 08:45:50 2014
 # Not Valid After : Fri Jan 15 00:00:00 2038
 # Fingerprint (SHA-256): 56:C7:71:28:D9:8C:18:D9:1B:4C:FD:FF:BC:25:EE:91:03:D4:75:8E:A2:AB:AD:82:6A:90:F3:45:7D:46:0E:B4
@@ -28161,16 +28321,17 @@ CKA_VALUE MULTILINE_OCTAL
 \210\335\147\023\157\035\150\044\213\117\267\164\201\345\364\140
 \237\172\125\327\076\067\332\026\153\076\167\254\256\030\160\225
 \010\171\051\003\212\376\301\073\263\077\032\017\244\073\136\037
 \130\241\225\311\253\057\163\112\320\055\156\232\131\017\125\030
 \170\055\074\121\246\227\213\346\273\262\160\252\114\021\336\377
 \174\053\067\324\172\321\167\064\217\347\371\102\367\074\201\014
 \113\122\012
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "OpenTrust Root CA G2"
 # Issuer: CN=OpenTrust Root CA G2,O=OpenTrust,C=FR
 # Serial Number:11:20:a1:69:1b:bf:bd:b9:bd:52:96:8f:23:e8:48:bf:26:11
 # Subject: CN=OpenTrust Root CA G2,O=OpenTrust,C=FR
 # Not Valid Before: Mon May 26 00:00:00 2014
 # Not Valid After : Fri Jan 15 00:00:00 2038
 # Fingerprint (SHA-256): 27:99:58:29:FE:6A:75:15:C1:BF:E8:48:F9:C4:76:1D:B1:6C:22:59:29:25:7B:F4:0D:08:94:F2:9E:A8:BA:F2
@@ -28270,16 +28431,17 @@ CKA_VALUE MULTILINE_OCTAL
 \061\000\217\250\334\235\272\014\004\027\372\025\351\075\057\051
 \001\227\277\201\026\063\100\223\154\374\371\355\200\160\157\252
 \217\333\204\302\213\365\065\312\006\334\144\157\150\026\341\217
 \221\271\002\061\000\330\113\245\313\302\320\010\154\351\030\373
 \132\335\115\137\044\013\260\000\041\045\357\217\247\004\046\161
 \342\174\151\345\135\232\370\101\037\073\071\223\223\235\125\352
 \315\215\361\373\301
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "OpenTrust Root CA G3"
 # Issuer: CN=OpenTrust Root CA G3,O=OpenTrust,C=FR
 # Serial Number:11:20:e6:f8:4c:fc:24:b0:be:05:40:ac:da:83:1b:34:60:3f
 # Subject: CN=OpenTrust Root CA G3,O=OpenTrust,C=FR
 # Not Valid Before: Mon May 26 00:00:00 2014
 # Not Valid After : Fri Jan 15 00:00:00 2038
 # Fingerprint (SHA-256): B7:C3:62:31:70:6E:81:07:8C:36:7C:B8:96:19:8F:1E:32:08:DD:92:69:49:DD:8F:57:09:A4:10:F7:5B:62:92
@@ -28433,16 +28595,17 @@ CKA_VALUE MULTILINE_OCTAL
 \242\320\141\070\341\226\270\254\135\213\067\327\165\325\063\300
 \231\021\256\235\101\301\162\165\204\276\002\101\102\137\147\044
 \110\224\321\233\047\276\007\077\271\270\117\201\164\121\341\172
 \267\355\235\043\342\276\340\325\050\004\023\074\061\003\236\335
 \172\154\217\306\007\030\306\177\336\107\216\077\050\236\004\006
 \317\245\124\064\167\275\354\211\233\351\027\103\337\133\333\137
 \376\216\036\127\242\315\100\235\176\142\042\332\336\030\047
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "ISRG Root X1"
 # Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
 # Serial Number:00:82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00
 # Subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
 # Not Valid Before: Thu Jun 04 11:04:38 2015
 # Not Valid After : Mon Jun 04 11:04:38 2035
 # Fingerprint (SHA-256): 96:BC:EC:06:26:49:76:F3:74:60:77:9A:CF:28:C5:A7:CF:E8:A3:C0:AA:E1:1A:8F:FC:EE:05:C0:BD:DF:08:C6
@@ -28595,16 +28758,17 @@ CKA_VALUE MULTILINE_OCTAL
 \152\260\272\061\222\102\100\152\276\072\323\162\341\152\067\125
 \274\254\035\225\267\151\141\362\103\221\164\346\240\323\012\044
 \106\241\010\257\326\332\105\031\226\324\123\035\133\204\171\360
 \300\367\107\357\213\217\305\006\256\235\114\142\235\377\106\004
 \370\323\311\266\020\045\100\165\376\026\252\311\112\140\206\057
 \272\357\060\167\344\124\342\270\204\231\130\200\252\023\213\121
 \072\117\110\366\213\266\263
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "AC RAIZ FNMT-RCM"
 # Issuer: OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES
 # Serial Number:5d:93:8d:30:67:36:c8:06:1d:1a:c7:54:84:69:07
 # Subject: OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES
 # Not Valid Before: Wed Oct 29 15:59:56 2008
 # Not Valid After : Tue Jan 01 00:00:00 2030
 # Fingerprint (SHA-256): EB:C5:57:0C:29:01:8C:4D:67:B1:AA:12:7B:AF:12:F7:03:B4:61:1E:BC:17:B7:DA:B5:57:38:94:17:9B:93:FA
@@ -28719,16 +28883,17 @@ CKA_VALUE MULTILINE_OCTAL
 \331\017\110\160\232\331\165\170\161\321\162\103\064\165\156\127
 \131\302\002\134\046\140\051\317\043\031\026\216\210\103\245\324
 \344\313\010\373\043\021\103\350\103\051\162\142\241\251\135\136
 \010\324\220\256\270\330\316\024\302\320\125\362\206\366\304\223
 \103\167\146\141\300\271\350\101\327\227\170\140\003\156\112\162
 \256\245\321\175\272\020\236\206\154\033\212\271\131\063\370\353
 \304\220\276\361\271
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Amazon Root CA 1"
 # Issuer: CN=Amazon Root CA 1,O=Amazon,C=US
 # Serial Number:06:6c:9f:cf:99:bf:8c:0a:39:e2:f0:78:8a:43:e6:96:36:5b:ca
 # Subject: CN=Amazon Root CA 1,O=Amazon,C=US
 # Not Valid Before: Tue May 26 00:00:00 2015
 # Not Valid After : Sun Jan 17 00:00:00 2038
 # Fingerprint (SHA-256): 8E:CD:E6:88:4F:3D:87:B1:12:5B:A3:1A:C3:FC:B1:3D:70:16:DE:7F:57:CC:90:4F:E1:CB:97:C6:AE:98:19:6E
@@ -28875,16 +29040,17 @@ CKA_VALUE MULTILINE_OCTAL
 \357\242\245\134\214\167\051\247\150\300\153\256\100\322\250\264
 \352\315\360\215\113\070\234\031\232\033\050\124\270\211\220\357
 \312\165\201\076\036\362\144\044\307\030\257\116\377\107\236\007
 \366\065\145\244\323\012\126\377\365\027\144\154\357\250\042\045
 \111\223\266\337\000\027\332\130\176\135\356\305\033\260\321\321
 \137\041\020\307\371\363\272\002\012\047\007\305\361\326\307\323
 \340\373\011\140\154
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Amazon Root CA 2"
 # Issuer: CN=Amazon Root CA 2,O=Amazon,C=US
 # Serial Number:06:6c:9f:d2:96:35:86:9f:0a:0f:e5:86:78:f8:5b:26:bb:8a:37
 # Subject: CN=Amazon Root CA 2,O=Amazon,C=US
 # Not Valid Before: Tue May 26 00:00:00 2015
 # Not Valid After : Sat May 26 00:00:00 2040
 # Fingerprint (SHA-256): 1B:A5:B2:AA:8C:65:40:1A:82:96:01:18:F8:0B:EC:4F:62:30:4D:83:CE:C4:71:3A:19:C3:9C:01:1E:A4:6D:B4
@@ -28974,16 +29140,17 @@ CKA_VALUE MULTILINE_OCTAL
 \266\333\327\006\236\067\254\060\206\007\221\160\307\234\304\031
 \261\170\300\060\012\006\010\052\206\110\316\075\004\003\002\003
 \111\000\060\106\002\041\000\340\205\222\243\027\267\215\371\053
 \006\245\223\254\032\230\150\141\162\372\341\241\320\373\034\170
 \140\246\103\231\305\270\304\002\041\000\234\002\357\361\224\234
 \263\226\371\353\306\052\370\266\054\376\072\220\024\026\327\214
 \143\044\110\034\337\060\175\325\150\073
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Amazon Root CA 3"
 # Issuer: CN=Amazon Root CA 3,O=Amazon,C=US
 # Serial Number:06:6c:9f:d5:74:97:36:66:3f:3b:0b:9a:d9:e8:9e:76:03:f2:4a
 # Subject: CN=Amazon Root CA 3,O=Amazon,C=US
 # Not Valid Before: Tue May 26 00:00:00 2015
 # Not Valid After : Sat May 26 00:00:00 2040
 # Fingerprint (SHA-256): 18:CE:6C:FE:7B:F1:4E:60:B2:E3:47:B8:DF:E8:68:CB:31:D0:2E:BB:3A:DA:27:15:69:F5:03:43:B4:6D:B3:A4
@@ -29077,16 +29244,17 @@ CKA_VALUE MULTILINE_OCTAL
 \145\002\060\072\213\041\361\275\176\021\255\320\357\130\226\057
 \326\353\235\176\220\215\053\317\146\125\303\054\343\050\251\160
 \012\107\016\360\067\131\022\377\055\231\224\050\116\052\117\065
 \115\063\132\002\061\000\352\165\000\116\073\304\072\224\022\221
 \311\130\106\235\041\023\162\247\210\234\212\344\114\112\333\226
 \324\254\213\153\153\111\022\123\063\255\327\344\276\044\374\265
 \012\166\324\245\274\020
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Amazon Root CA 4"
 # Issuer: CN=Amazon Root CA 4,O=Amazon,C=US
 # Serial Number:06:6c:9f:d7:c1:bb:10:4c:29:43:e5:71:7b:7b:2c:c8:1a:c1:0e
 # Subject: CN=Amazon Root CA 4,O=Amazon,C=US
 # Not Valid Before: Tue May 26 00:00:00 2015
 # Not Valid After : Sat May 26 00:00:00 2040
 # Fingerprint (SHA-256): E3:5D:28:41:9E:D0:20:25:CF:A6:90:38:CD:62:39:62:45:8D:A5:C6:95:FB:DE:A3:C2:2B:0B:FB:25:89:70:92
@@ -29243,16 +29411,17 @@ CKA_VALUE MULTILINE_OCTAL
 \105\111\231\164\221\260\004\157\343\004\132\261\253\052\253\376
 \307\320\226\266\332\341\112\144\006\156\140\115\275\102\116\377
 \170\332\044\312\033\264\327\226\071\154\256\361\016\252\247\175
 \110\213\040\114\317\144\326\270\227\106\260\116\321\052\126\072
 \240\223\275\257\200\044\340\012\176\347\312\325\312\350\205\125
 \334\066\052\341\224\150\223\307\146\162\104\017\200\041\062\154
 \045\307\043\200\203\012\353
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "LuxTrust Global Root 2"
 # Issuer: CN=LuxTrust Global Root 2,O=LuxTrust S.A.,C=LU
 # Serial Number:0a:7e:a6:df:4b:44:9e:da:6a:24:85:9e:e6:b8:15:d3:16:7f:bb:b1
 # Subject: CN=LuxTrust Global Root 2,O=LuxTrust S.A.,C=LU
 # Not Valid Before: Thu Mar 05 13:21:57 2015
 # Not Valid After : Mon Mar 05 13:21:57 2035
 # Fingerprint (SHA-256): 54:45:5F:71:29:C2:0B:14:47:C4:18:F9:97:16:8F:24:C5:8F:C5:02:3B:F5:DA:5B:E2:EB:6E:1D:D8:90:2E:D5
@@ -29391,16 +29560,17 @@ CKA_VALUE MULTILINE_OCTAL
 \347\066\321\041\150\113\055\070\346\123\256\034\045\126\010\126
 \003\147\204\235\306\303\316\044\142\307\114\066\317\260\006\104
 \267\365\137\002\335\331\124\351\057\220\116\172\310\116\203\100
 \014\232\227\074\067\277\277\354\366\360\264\205\167\050\301\013
 \310\147\202\020\027\070\242\267\006\352\233\277\072\370\351\043
 \007\277\164\340\230\070\025\125\170\356\162\000\134\031\243\364
 \322\063\340\377\275\321\124\071\051\017
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Symantec Class 1 Public Primary Certification Authority - G6"
 # Issuer: CN=Symantec Class 1 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US
 # Serial Number:24:32:75:f2:1d:2f:d2:09:33:f7:b4:6a:ca:d0:f3:98
 # Subject: CN=Symantec Class 1 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US
 # Not Valid Before: Tue Oct 18 00:00:00 2011
 # Not Valid After : Tue Dec 01 23:59:59 2037
 # Fingerprint (SHA-256): 9D:19:0B:2E:31:45:66:68:5B:E8:A8:89:E2:7A:A8:C7:D7:AE:1D:8A:AD:DB:A3:C1:EC:F9:D2:48:63:CD:34:B9
@@ -29544,16 +29714,17 @@ CKA_VALUE MULTILINE_OCTAL
 \111\315\245\243\214\151\171\045\256\270\114\154\213\100\146\113
 \026\077\317\002\032\335\341\154\153\007\141\152\166\025\051\231
 \177\033\335\210\200\301\277\265\217\163\305\246\226\043\204\246
 \050\206\044\063\152\001\056\127\163\045\266\136\277\217\346\035
 \141\250\100\051\147\035\207\233\035\177\233\237\231\315\061\326
 \124\276\142\273\071\254\150\022\110\221\040\245\313\261\335\376
 \157\374\132\344\202\125\131\257\061\251
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Symantec Class 2 Public Primary Certification Authority - G6"
 # Issuer: CN=Symantec Class 2 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US
 # Serial Number:64:82:9e:fc:37:1e:74:5d:fc:97:ff:97:c8:b1:ff:41
 # Subject: CN=Symantec Class 2 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US
 # Not Valid Before: Tue Oct 18 00:00:00 2011
 # Not Valid After : Tue Dec 01 23:59:59 2037
 # Fingerprint (SHA-256): CB:62:7D:18:B5:8A:D5:6D:DE:33:1A:30:45:6B:C6:5C:60:1A:4E:9B:18:DE:DC:EA:08:E7:DA:AA:07:81:5F:F0
@@ -29676,16 +29847,17 @@ CKA_VALUE MULTILINE_OCTAL
 \003\003\151\000\060\146\002\061\000\245\256\343\106\123\370\230
 \066\343\042\372\056\050\111\015\356\060\176\063\363\354\077\161
 \136\314\125\211\170\231\254\262\375\334\034\134\063\216\051\271
 \153\027\310\021\150\265\334\203\007\002\061\000\234\310\104\332
 \151\302\066\303\124\031\020\205\002\332\235\107\357\101\347\154
 \046\235\011\075\367\155\220\321\005\104\057\260\274\203\223\150
 \362\014\105\111\071\277\231\004\034\323\020\240
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Symantec Class 1 Public Primary Certification Authority - G4"
 # Issuer: CN=Symantec Class 1 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
 # Serial Number:21:6e:33:a5:cb:d3:88:a4:6f:29:07:b4:27:3c:c4:d8
 # Subject: CN=Symantec Class 1 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
 # Not Valid Before: Wed Oct 05 00:00:00 2011
 # Not Valid After : Mon Jan 18 23:59:59 2038
 # Fingerprint (SHA-256): 36:3F:3C:84:9E:AB:03:B0:A2:A0:F6:36:D7:B8:6D:04:D3:AC:7F:CF:E2:6A:0A:91:21:AB:97:95:F6:E1:76:DF
@@ -29808,16 +29980,17 @@ CKA_VALUE MULTILINE_OCTAL
 \003\003\151\000\060\146\002\061\000\310\246\251\257\101\177\265
 \311\021\102\026\150\151\114\134\270\047\030\266\230\361\300\177
 \220\155\207\323\214\106\027\360\076\117\374\352\260\010\304\172
 \113\274\010\057\307\342\247\157\145\002\061\000\326\131\336\206
 \316\137\016\312\124\325\306\320\025\016\374\213\224\162\324\216
 \000\130\123\317\176\261\113\015\345\120\206\353\236\153\337\377
 \051\246\330\107\331\240\226\030\333\362\105\263
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Symantec Class 2 Public Primary Certification Authority - G4"
 # Issuer: CN=Symantec Class 2 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
 # Serial Number:34:17:65:12:40:3b:b7:56:80:2d:80:cb:79:55:a6:1e
 # Subject: CN=Symantec Class 2 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
 # Not Valid Before: Wed Oct 05 00:00:00 2011
 # Not Valid After : Mon Jan 18 23:59:59 2038
 # Fingerprint (SHA-256): FE:86:3D:08:22:FE:7A:23:53:FA:48:4D:59:24:E8:75:65:6D:3D:C9:FB:58:77:1F:6F:61:6F:9D:57:1B:C5:92
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -1092,8 +1092,14 @@ SECMOD_CreateModuleEx;
 ;+};
 ;+NSS_3.22 { 	# NSS 3.22 release
 ;+    global:
 PK11_SignWithMechanism;
 PK11_VerifyWithMechanism;
 ;+    local:
 ;+       *;
 ;+};
+;+NSS_3.30 { 	# NSS 3.30 release
+;+    global:
+PK11_HasAttributeSet;
+;+    local:
+;+       *;
+;+};
--- a/security/nss/lib/ssl/tls13exthandle.c
+++ b/security/nss/lib/ssl/tls13exthandle.c
@@ -763,16 +763,22 @@ tls13_ServerHandleEarlyDataXtn(const ssl
     SSL_TRC(3, ("%d: TLS13[%d]: handle early_data extension",
                 SSL_GETPID(), ss->fd));
 
     /* If we are doing < TLS 1.3, then ignore this. */
     if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
         return SECSuccess;
     }
 
+    if (ss->ssl3.hs.helloRetry) {
+        ssl3_ExtSendAlert(ss, alert_fatal, unsupported_extension);
+        PORT_SetError(SSL_ERROR_RX_UNEXPECTED_EXTENSION);
+        return SECFailure;
+    }
+
     if (data->len) {
         PORT_SetError(SSL_ERROR_MALFORMED_EARLY_DATA);
         return SECFailure;
     }
 
     xtnData->negotiated[xtnData->numNegotiated++] = ex_type;
 
     return SECSuccess;
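Review bot: The new `ss->ssl3.hs.helloRetry` branch carries no comment explaining why early_data is rejected there, and it is the only failure path in this hunk that sends an alert. A one-line comment above it would record the protocol rule: `/* early_data must not appear in a ClientHello that follows a HelloRetryRequest. */`. The `data->len` branch just below sets `SSL_ERROR_MALFORMED_EARLY_DATA` and returns without calling `ssl3_ExtSendAlert`; whether the caller sends an alert for that case is not visible here and is worth confirming, so that both rejections fail the handshake the same way. The function starts before the hunk and its closing brace is outside it.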
--- a/security/nss/lib/util/pkcs11n.h
+++ b/security/nss/lib/util/pkcs11n.h
@@ -88,16 +88,18 @@
 #define CKA_NSS_JPAKE_PEERID (CKA_NSS + 27)
 #define CKA_NSS_JPAKE_GX1 (CKA_NSS + 28)
 #define CKA_NSS_JPAKE_GX2 (CKA_NSS + 29)
 #define CKA_NSS_JPAKE_GX3 (CKA_NSS + 30)
 #define CKA_NSS_JPAKE_GX4 (CKA_NSS + 31)
 #define CKA_NSS_JPAKE_X2 (CKA_NSS + 32)
 #define CKA_NSS_JPAKE_X2S (CKA_NSS + 33)
 
+#define CKA_NSS_MOZILLA_CA_POLICY (CKA_NSS + 34)
+
 /*
  * Trust attributes:
  *
  * If trust goes standard, these probably will too.  So I'll
  * put them all in one place.
  */
 
 #define CKA_TRUST (CKA_NSS + 0x2000)
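Review bot: The new `CKA_NSS_MOZILLA_CA_POLICY` define has no comment giving its value type or meaning, while the trust attributes directly below it are introduced by one. Elsewhere in this changeset the attribute is set as `CK_BBOOL CK_TRUE` on built-in root certificate entries, so a comment along the lines of `/* CK_BBOOL: CK_TRUE on built-in root certificates included under Mozilla's CA policy. */` above the define would tell PKCS #11 module authors what to store and what absence means. The exact semantics for callers are inferred from those data hunks and should be confirmed against the code that reads the attribute.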
deleted file mode 100644
--- a/security/nss/nss-tool/common/scoped_ptrs.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef scoped_ptrs_h__
-#define scoped_ptrs_h__
-
-#include <memory>
-#include "cert.h"
-#include "keyhi.h"
-#include "pk11pub.h"
-
-struct ScopedDelete {
-  void operator()(CERTCertificate* cert) { CERT_DestroyCertificate(cert); }
-  void operator()(CERTCertificateList* list) {
-    CERT_DestroyCertificateList(list);
-  }
-  void operator()(CERTSubjectPublicKeyInfo* spki) {
-    SECKEY_DestroySubjectPublicKeyInfo(spki);
-  }
-  void operator()(PK11SlotInfo* slot) { PK11_FreeSlot(slot); }
-  void operator()(PK11SymKey* key) { PK11_FreeSymKey(key); }
-  void operator()(SECAlgorithmID* id) { SECOID_DestroyAlgorithmID(id, true); }
-  void operator()(SECItem* item) { SECITEM_FreeItem(item, true); }
-  void operator()(SECKEYPublicKey* key) { SECKEY_DestroyPublicKey(key); }
-  void operator()(SECKEYPrivateKey* key) { SECKEY_DestroyPrivateKey(key); }
-
-  void operator()(CERTCertList* list) { CERT_DestroyCertList(list); }
-};
-
-template <class T>
-struct ScopedMaybeDelete {
-  void operator()(T* ptr) {
-    if (ptr) {
-      ScopedDelete del;
-      del(ptr);
-    }
-  }
-};
-
-#define SCOPED(x) typedef std::unique_ptr<x, ScopedMaybeDelete<x> > Scoped##x
-
-SCOPED(CERTCertificate);
-SCOPED(CERTCertificateList);
-SCOPED(CERTSubjectPublicKeyInfo);
-SCOPED(PK11SlotInfo);
-SCOPED(PK11SymKey);
-SCOPED(SECAlgorithmID);
-SCOPED(SECItem);
-SCOPED(SECKEYPublicKey);
-SCOPED(SECKEYPrivateKey);
-
-SCOPED(CERTCertList);
-
-#undef SCOPED
-
-#endif
--- a/security/nss/nss-tool/nss_tool.gyp
+++ b/security/nss/nss-tool/nss_tool.gyp
@@ -14,14 +14,15 @@
         'nss_tool.cc',
         'common/argparse.cc',
         'db/dbtool.cc',
       ],
       'include_dirs': [
         'common',
       ],
       'dependencies' : [
+        '<(DEPTH)/cpputil/cpputil.gyp:cpputil',
         '<(DEPTH)/exports.gyp:dbm_exports',
-        '<(DEPTH)/exports.gyp:nss_exports'
+        '<(DEPTH)/exports.gyp:nss_exports',
       ],
     }
   ],
 }
--- a/security/nss/readme.md
+++ b/security/nss/readme.md
@@ -10,18 +10,19 @@ standards.
 
 In order to get started create a new directory on that you will be uses as your
 local work area, and check out NSS and NSPR. (Note that there's no git mirror of
 NSPR and you require mercurial to get the latest NSPR source.)
 
     git clone https://github.com/nss-dev/nss.git
     hg clone https://hg.mozilla.org/projects/nspr
 
-NSS can also be cloned with mercurial `
-    hg clone https://hg.mozilla.org/projects/nspr`
+NSS can also be cloned with mercurial
+
+    hg clone https://hg.mozilla.org/projects/nss
 
 ## Building NSS
 
 **This build system is under development. It does not yet support all the
 features or platforms that NSS supports. To build on anything other than Mac or
 Linux please use the legacy build system as described below.**
 
 Build requirements: