Bug 967153: Update NSS to NSS 3.16 beta 1 (NSS_3_16_BETA1), r=me
authorBrian Smith <brian@briansmith.org>
Sun, 09 Feb 2014 16:29:50 -0800
changeset 167803 9e5d07c8c87b
parent 167802 2925006239ec
child 167804 5b5e7559cda5
push id26186
push usercbook@mozilla.com
push dateMon, 10 Feb 2014 11:48:02 +0000
treeherdermozilla-central@063a9e3da435 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersme
bugs967153
milestone30.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 967153: Update NSS to NSS 3.16 beta 1 (NSS_3_16_BETA1), r=me
security/nss/TAG-INFO
security/nss/coreconf/config.mk
security/nss/coreconf/coreconf.dep
security/nss/lib/certhigh/certvfy.c
security/nss/lib/ckfw/builtins/certdata.txt
security/nss/lib/ckfw/builtins/nssckbi.h
security/nss/lib/freebl/config.mk
security/nss/lib/freebl/rsapkcs.c
security/nss/lib/freebl/sysrand.c
security/nss/lib/freebl/win_rand.c
security/nss/lib/libpkix/include/pkix_errorstrings.h
security/nss/lib/libpkix/include/pkix_pl_pki.h
security/nss/lib/libpkix/include/pkix_sample_modules.h
security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c
security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c
security/nss/lib/libpkix/pkix/params/pkix_trustanchor.c
security/nss/lib/libpkix/pkix/top/pkix_build.h
security/nss/lib/libpkix/pkix_pl_nss/module/config.mk
security/nss/lib/libpkix/pkix_pl_nss/module/manifest.mn
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.c
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.h
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.h
security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_common.h
security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c
security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.h
security/nss/lib/nss/nss.h
security/nss/lib/softoken/sdb.c
security/nss/lib/softoken/softkver.h
security/nss/lib/ssl/sslsock.c
security/nss/lib/util/nssutil.h
security/nss/tests/chains/scenarios/nameconstraints.cfg
security/nss/tests/libpkix/certs/NameConstraints.ca.cert
security/nss/tests/libpkix/certs/NameConstraints.intermediate.cert
security/nss/tests/libpkix/certs/NameConstraints.server1.cert
security/nss/tests/libpkix/certs/NameConstraints.server2.cert
security/nss/tests/libpkix/certs/NameConstraints.server3.cert
security/nss/tests/libpkix/certs/make-nc
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_15_5_RC0
+NSS_3_16_BETA1
--- a/security/nss/coreconf/config.mk
+++ b/security/nss/coreconf/config.mk
@@ -161,16 +161,20 @@ endif
 ifdef BUILD_LIBPKIX_TESTS
 DEFINES += -DBUILD_LIBPKIX_TESTS
 endif
 
 ifdef NSS_DISABLE_DBM
 DEFINES += -DNSS_DISABLE_DBM
 endif
 
+ifdef NSS_PKIX_NO_LDAP
+DEFINES += -DNSS_PKIX_NO_LDAP
+endif
+
 # Avoid building object leak test code for optimized library
 ifndef BUILD_OPT
 ifdef PKIX_OBJECT_LEAK_TEST
 DEFINES += -DPKIX_OBJECT_LEAK_TEST
 endif
 endif
 
 # This allows all library and tools code to use the util function
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,9 +5,8 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
-
--- a/security/nss/lib/certhigh/certvfy.c
+++ b/security/nss/lib/certhigh/certvfy.c
@@ -501,17 +501,28 @@ cert_VerifyCertChainOld(CERTCertDBHandle
 	    pathLengthLimit = basicConstraint.pathLenConstraint;
 	    isca = PR_TRUE;
 	}    
 	/* make sure that the path len constraint is properly set.*/
 	if (pathLengthLimit >= 0 && currentPathLen > pathLengthLimit) {
 	    PORT_SetError (SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID);
 	    LOG_ERROR_OR_EXIT(log, issuerCert, count+1, pathLengthLimit);
 	}
-	
+
+        /* make sure that the entire chain is within the name space of the
+         * current issuer certificate.
+         */
+        rv = CERT_CompareNameSpace(issuerCert, namesList, certsList,
+                                   arena, &badCert);
+        if (rv != SECSuccess || badCert != NULL) {
+            PORT_SetError(SEC_ERROR_CERT_NOT_IN_NAME_SPACE);
+            LOG_ERROR_OR_EXIT(log, badCert, count + 1, 0);
+            goto loser;
+        }
+
 	/* XXX - the error logging may need to go down into CRL stuff at some
 	 * point
 	 */
 	/* check revoked list (issuer) */
         rv = SEC_CheckCRL(handle, subjectCert, issuerCert, t, wincx);
         if (rv == SECFailure) {
             if (revoked) {
                 *revoked = PR_TRUE;
@@ -623,26 +634,16 @@ cert_VerifyCertChainOld(CERTCertDBHandle
 
 	    /* make sure key usage allows cert signing */
 	    if (CERT_CheckKeyUsage(issuerCert, requiredCAKeyUsage) != SECSuccess) {
 		PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
 		LOG_ERROR_OR_EXIT(log,issuerCert,count+1,requiredCAKeyUsage);
 	    }
 	}
 
-	/* make sure that the entire chain is within the name space of the 
-	** current issuer certificate.
-	*/
-	rv = CERT_CompareNameSpace(issuerCert, namesList, certsList, 
-	                           arena, &badCert);
-	if (rv != SECSuccess || badCert != NULL) {
-	    PORT_SetError(SEC_ERROR_CERT_NOT_IN_NAME_SPACE);
-            LOG_ERROR_OR_EXIT(log, badCert, count + 1, 0);
-	    goto loser;
-	}
 	/* make sure that the issuer is not self signed.  If it is, then
 	 * stop here to prevent looping.
 	 */
 	if (issuerCert->isRoot) {
 	    PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER);
 	    LOG_ERROR(log, issuerCert, count+1, 0);
 	    goto loser;
 	} 
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -65,135 +65,16 @@
 BEGINDATA
 CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
 CKA_LABEL UTF8 "Mozilla Builtin Roots"
 
 #
-# Certificate "GTE CyberTrust Global Root"
-#
-# Issuer: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
-# Serial Number: 421 (0x1a5)
-# Subject: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
-# Not Valid Before: Thu Aug 13 00:29:00 1998
-# Not Valid After : Mon Aug 13 23:59:00 2018
-# Fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
-# Fingerprint (SHA1): 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "GTE CyberTrust Global Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
-\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
-\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
-\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
-\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
-\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
-\141\154\040\122\157\157\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
-\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
-\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
-\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
-\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
-\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
-\141\154\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\002\001\245
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\132\060\202\001\303\002\002\001\245\060\015\006\011
-\052\206\110\206\367\015\001\001\004\005\000\060\165\061\013\060
-\011\006\003\125\004\006\023\002\125\123\061\030\060\026\006\003
-\125\004\012\023\017\107\124\105\040\103\157\162\160\157\162\141
-\164\151\157\156\061\047\060\045\006\003\125\004\013\023\036\107
-\124\105\040\103\171\142\145\162\124\162\165\163\164\040\123\157
-\154\165\164\151\157\156\163\054\040\111\156\143\056\061\043\060
-\041\006\003\125\004\003\023\032\107\124\105\040\103\171\142\145
-\162\124\162\165\163\164\040\107\154\157\142\141\154\040\122\157
-\157\164\060\036\027\015\071\070\060\070\061\063\060\060\062\071
-\060\060\132\027\015\061\070\060\070\061\063\062\063\065\071\060
-\060\132\060\165\061\013\060\011\006\003\125\004\006\023\002\125
-\123\061\030\060\026\006\003\125\004\012\023\017\107\124\105\040
-\103\157\162\160\157\162\141\164\151\157\156\061\047\060\045\006
-\003\125\004\013\023\036\107\124\105\040\103\171\142\145\162\124
-\162\165\163\164\040\123\157\154\165\164\151\157\156\163\054\040
-\111\156\143\056\061\043\060\041\006\003\125\004\003\023\032\107
-\124\105\040\103\171\142\145\162\124\162\165\163\164\040\107\154
-\157\142\141\154\040\122\157\157\164\060\201\237\060\015\006\011
-\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060
-\201\211\002\201\201\000\225\017\240\266\360\120\234\350\172\307
-\210\315\335\027\016\056\260\224\320\033\075\016\366\224\300\212
-\224\307\006\310\220\227\310\270\144\032\172\176\154\074\123\341
-\067\050\163\140\177\262\227\123\007\237\123\371\155\130\224\322
-\257\215\155\210\147\200\346\355\262\225\317\162\061\312\245\034
-\162\272\134\002\347\144\102\347\371\251\054\326\072\015\254\215
-\102\252\044\001\071\346\234\077\001\205\127\015\130\207\105\370
-\323\205\252\223\151\046\205\160\110\200\077\022\025\307\171\264
-\037\005\057\073\142\231\002\003\001\000\001\060\015\006\011\052
-\206\110\206\367\015\001\001\004\005\000\003\201\201\000\155\353
-\033\011\351\136\331\121\333\147\042\141\244\052\074\110\167\343
-\240\174\246\336\163\242\024\003\205\075\373\253\016\060\305\203
-\026\063\201\023\010\236\173\064\116\337\100\310\164\327\271\175
-\334\364\166\125\175\233\143\124\030\351\360\352\363\134\261\331
-\213\102\036\271\300\225\116\272\372\325\342\174\365\150\141\277
-\216\354\005\227\137\133\260\327\243\205\064\304\044\247\015\017
-\225\223\357\313\224\330\236\037\235\134\205\155\307\252\256\117
-\037\042\265\315\225\255\272\247\314\371\253\013\172\177
-END
-
-# Trust for Certificate "GTE CyberTrust Global Root"
-# Issuer: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
-# Serial Number: 421 (0x1a5)
-# Subject: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
-# Not Valid Before: Thu Aug 13 00:29:00 1998
-# Not Valid After : Mon Aug 13 23:59:00 2018
-# Fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
-# Fingerprint (SHA1): 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "GTE CyberTrust Global Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\227\201\171\120\330\034\226\160\314\064\330\011\317\171\104\061
-\066\176\364\164
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\312\075\323\150\361\003\134\320\062\372\270\053\131\350\132\333
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
-\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
-\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
-\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
-\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
-\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
-\141\154\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\002\001\245
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Thawte Server CA"
 #
 # Issuer: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
 # Serial Number: 1 (0x1)
 # Subject: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
 # Not Valid Before: Thu Aug 01 00:00:00 1996
 # Not Valid After : Thu Dec 31 23:59:59 2020
 # Fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
@@ -1669,436 +1550,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\013\004\000\000\000\000\001\017\206\046\346\015
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "ValiCert Class 1 VA"
-#
-# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
-# Serial Number: 1 (0x1)
-# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
-# Not Valid Before: Fri Jun 25 22:23:48 1999
-# Not Valid After : Tue Jun 25 22:23:48 2019
-# Fingerprint (MD5): 65:58:AB:15:AD:57:6C:1E:A8:A7:B5:69:AC:BF:FF:EB
-# Fingerprint (SHA1): E5:DF:74:3C:B6:01:C4:9B:98:43:DC:AB:8C:E8:6A:81:10:9F:E4:8E
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "ValiCert Class 1 VA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
-\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
-\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
-\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
-\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
-\151\103\145\162\164\040\103\154\141\163\163\040\061\040\120\157
-\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
-\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
-\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
-\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
-\157\100\166\141\154\151\143\145\162\164\056\143\157\155
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
-\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
-\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
-\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
-\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
-\151\103\145\162\164\040\103\154\141\163\163\040\061\040\120\157
-\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
-\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
-\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
-\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
-\157\100\166\141\154\151\143\145\162\164\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\347\060\202\002\120\002\001\001\060\015\006\011\052
-\206\110\206\367\015\001\001\005\005\000\060\201\273\061\044\060
-\042\006\003\125\004\007\023\033\126\141\154\151\103\145\162\164
-\040\126\141\154\151\144\141\164\151\157\156\040\116\145\164\167
-\157\162\153\061\027\060\025\006\003\125\004\012\023\016\126\141
-\154\151\103\145\162\164\054\040\111\156\143\056\061\065\060\063
-\006\003\125\004\013\023\054\126\141\154\151\103\145\162\164\040
-\103\154\141\163\163\040\061\040\120\157\154\151\143\171\040\126
-\141\154\151\144\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\061\041\060\037\006\003\125\004\003\023\030\150\164
-\164\160\072\057\057\167\167\167\056\166\141\154\151\143\145\162
-\164\056\143\157\155\057\061\040\060\036\006\011\052\206\110\206
-\367\015\001\011\001\026\021\151\156\146\157\100\166\141\154\151
-\143\145\162\164\056\143\157\155\060\036\027\015\071\071\060\066
-\062\065\062\062\062\063\064\070\132\027\015\061\071\060\066\062
-\065\062\062\062\063\064\070\132\060\201\273\061\044\060\042\006
-\003\125\004\007\023\033\126\141\154\151\103\145\162\164\040\126
-\141\154\151\144\141\164\151\157\156\040\116\145\164\167\157\162
-\153\061\027\060\025\006\003\125\004\012\023\016\126\141\154\151
-\103\145\162\164\054\040\111\156\143\056\061\065\060\063\006\003
-\125\004\013\023\054\126\141\154\151\103\145\162\164\040\103\154
-\141\163\163\040\061\040\120\157\154\151\143\171\040\126\141\154
-\151\144\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160
-\072\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056
-\143\157\155\057\061\040\060\036\006\011\052\206\110\206\367\015
-\001\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145
-\162\164\056\143\157\155\060\201\237\060\015\006\011\052\206\110
-\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002
-\201\201\000\330\131\202\172\211\270\226\272\246\057\150\157\130
-\056\247\124\034\006\156\364\352\215\110\274\061\224\027\360\363
-\116\274\262\270\065\222\166\260\320\245\245\001\327\000\003\022
-\042\031\010\370\377\021\043\233\316\007\365\277\151\032\046\376
-\116\351\321\177\235\054\100\035\131\150\156\246\370\130\260\235
-\032\217\323\077\361\334\031\006\201\250\016\340\072\335\310\123
-\105\011\006\346\017\160\303\372\100\246\016\342\126\005\017\030
-\115\374\040\202\321\163\125\164\215\166\162\240\035\235\035\300
-\335\077\161\002\003\001\000\001\060\015\006\011\052\206\110\206
-\367\015\001\001\005\005\000\003\201\201\000\120\150\075\111\364
-\054\034\006\224\337\225\140\177\226\173\027\376\117\161\255\144
-\310\335\167\322\357\131\125\350\077\350\216\005\052\041\362\007
-\322\265\247\122\376\234\261\266\342\133\167\027\100\352\162\326
-\043\313\050\201\062\303\000\171\030\354\131\027\211\311\306\152
-\036\161\311\375\267\164\245\045\105\151\305\110\253\031\341\105
-\212\045\153\031\356\345\273\022\365\177\367\246\215\121\303\360
-\235\164\267\251\076\240\245\377\266\111\003\023\332\042\314\355
-\161\202\053\231\317\072\267\365\055\162\310
-END
-
-# Trust for Certificate "ValiCert Class 1 VA"
-# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
-# Serial Number: 1 (0x1)
-# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
-# Not Valid Before: Fri Jun 25 22:23:48 1999
-# Not Valid After : Tue Jun 25 22:23:48 2019
-# Fingerprint (MD5): 65:58:AB:15:AD:57:6C:1E:A8:A7:B5:69:AC:BF:FF:EB
-# Fingerprint (SHA1): E5:DF:74:3C:B6:01:C4:9B:98:43:DC:AB:8C:E8:6A:81:10:9F:E4:8E
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "ValiCert Class 1 VA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\345\337\164\074\266\001\304\233\230\103\334\253\214\350\152\201
-\020\237\344\216
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\145\130\253\025\255\127\154\036\250\247\265\151\254\277\377\353
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
-\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
-\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
-\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
-\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
-\151\103\145\162\164\040\103\154\141\163\163\040\061\040\120\157
-\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
-\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
-\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
-\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
-\157\100\166\141\154\151\143\145\162\164\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "ValiCert Class 2 VA"
-#
-# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
-# Serial Number: 1 (0x1)
-# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
-# Not Valid Before: Sat Jun 26 00:19:54 1999
-# Not Valid After : Wed Jun 26 00:19:54 2019
-# Fingerprint (MD5): A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
-# Fingerprint (SHA1): 31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "ValiCert Class 2 VA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
-\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
-\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
-\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
-\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
-\151\103\145\162\164\040\103\154\141\163\163\040\062\040\120\157
-\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
-\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
-\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
-\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
-\157\100\166\141\154\151\143\145\162\164\056\143\157\155
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
-\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
-\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
-\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
-\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
-\151\103\145\162\164\040\103\154\141\163\163\040\062\040\120\157
-\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
-\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
-\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
-\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
-\157\100\166\141\154\151\143\145\162\164\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\347\060\202\002\120\002\001\001\060\015\006\011\052
-\206\110\206\367\015\001\001\005\005\000\060\201\273\061\044\060
-\042\006\003\125\004\007\023\033\126\141\154\151\103\145\162\164
-\040\126\141\154\151\144\141\164\151\157\156\040\116\145\164\167
-\157\162\153\061\027\060\025\006\003\125\004\012\023\016\126\141
-\154\151\103\145\162\164\054\040\111\156\143\056\061\065\060\063
-\006\003\125\004\013\023\054\126\141\154\151\103\145\162\164\040
-\103\154\141\163\163\040\062\040\120\157\154\151\143\171\040\126
-\141\154\151\144\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\061\041\060\037\006\003\125\004\003\023\030\150\164
-\164\160\072\057\057\167\167\167\056\166\141\154\151\143\145\162
-\164\056\143\157\155\057\061\040\060\036\006\011\052\206\110\206
-\367\015\001\011\001\026\021\151\156\146\157\100\166\141\154\151
-\143\145\162\164\056\143\157\155\060\036\027\015\071\071\060\066
-\062\066\060\060\061\071\065\064\132\027\015\061\071\060\066\062
-\066\060\060\061\071\065\064\132\060\201\273\061\044\060\042\006
-\003\125\004\007\023\033\126\141\154\151\103\145\162\164\040\126
-\141\154\151\144\141\164\151\157\156\040\116\145\164\167\157\162
-\153\061\027\060\025\006\003\125\004\012\023\016\126\141\154\151
-\103\145\162\164\054\040\111\156\143\056\061\065\060\063\006\003
-\125\004\013\023\054\126\141\154\151\103\145\162\164\040\103\154
-\141\163\163\040\062\040\120\157\154\151\143\171\040\126\141\154
-\151\144\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160
-\072\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056
-\143\157\155\057\061\040\060\036\006\011\052\206\110\206\367\015
-\001\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145
-\162\164\056\143\157\155\060\201\237\060\015\006\011\052\206\110
-\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002
-\201\201\000\316\072\161\312\345\253\310\131\222\125\327\253\330
-\164\016\371\356\331\366\125\107\131\145\107\016\005\125\334\353
-\230\066\074\134\123\135\323\060\317\070\354\275\101\211\355\045
-\102\011\044\153\012\136\263\174\335\122\055\114\346\324\326\175
-\132\131\251\145\324\111\023\055\044\115\034\120\157\265\301\205
-\124\073\376\161\344\323\134\102\371\200\340\221\032\012\133\071
-\066\147\363\077\125\174\033\077\264\137\144\163\064\343\264\022
-\277\207\144\370\332\022\377\067\047\301\263\103\273\357\173\156
-\056\151\367\002\003\001\000\001\060\015\006\011\052\206\110\206
-\367\015\001\001\005\005\000\003\201\201\000\073\177\120\157\157
-\120\224\231\111\142\070\070\037\113\370\245\310\076\247\202\201
-\366\053\307\350\305\316\350\072\020\202\313\030\000\216\115\275
-\250\130\177\241\171\000\265\273\351\215\257\101\331\017\064\356
-\041\201\031\240\062\111\050\364\304\216\126\325\122\063\375\120
-\325\176\231\154\003\344\311\114\374\313\154\253\146\263\112\041
-\214\345\265\014\062\076\020\262\314\154\241\334\232\230\114\002
-\133\363\316\271\236\245\162\016\112\267\077\074\346\026\150\370
-\276\355\164\114\274\133\325\142\037\103\335
-END
-
-# Trust for Certificate "ValiCert Class 2 VA"
-# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
-# Serial Number: 1 (0x1)
-# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
-# Not Valid Before: Sat Jun 26 00:19:54 1999
-# Not Valid After : Wed Jun 26 00:19:54 2019
-# Fingerprint (MD5): A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
-# Fingerprint (SHA1): 31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "ValiCert Class 2 VA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\061\172\052\320\177\053\063\136\365\241\303\116\113\127\350\267
-\330\361\374\246
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\251\043\165\233\272\111\066\156\061\302\333\362\347\146\272\207
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
-\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
-\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
-\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
-\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
-\151\103\145\162\164\040\103\154\141\163\163\040\062\040\120\157
-\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
-\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
-\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
-\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
-\157\100\166\141\154\151\143\145\162\164\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "RSA Root Certificate 1"
-#
-# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
-# Serial Number: 1 (0x1)
-# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
-# Not Valid Before: Sat Jun 26 00:22:33 1999
-# Not Valid After : Wed Jun 26 00:22:33 2019
-# Fingerprint (MD5): A2:6F:53:B7:EE:40:DB:4A:68:E7:FA:18:D9:10:4B:72
-# Fingerprint (SHA1): 69:BD:8C:F4:9C:D3:00:FB:59:2E:17:93:CA:55:6A:F3:EC:AA:35:FB
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "RSA Root Certificate 1"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
-\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
-\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
-\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
-\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
-\151\103\145\162\164\040\103\154\141\163\163\040\063\040\120\157
-\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
-\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
-\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
-\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
-\157\100\166\141\154\151\143\145\162\164\056\143\157\155
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
-\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
-\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
-\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
-\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
-\151\103\145\162\164\040\103\154\141\163\163\040\063\040\120\157
-\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
-\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
-\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
-\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
-\157\100\166\141\154\151\143\145\162\164\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\347\060\202\002\120\002\001\001\060\015\006\011\052
-\206\110\206\367\015\001\001\005\005\000\060\201\273\061\044\060
-\042\006\003\125\004\007\023\033\126\141\154\151\103\145\162\164
-\040\126\141\154\151\144\141\164\151\157\156\040\116\145\164\167
-\157\162\153\061\027\060\025\006\003\125\004\012\023\016\126\141
-\154\151\103\145\162\164\054\040\111\156\143\056\061\065\060\063
-\006\003\125\004\013\023\054\126\141\154\151\103\145\162\164\040
-\103\154\141\163\163\040\063\040\120\157\154\151\143\171\040\126
-\141\154\151\144\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\061\041\060\037\006\003\125\004\003\023\030\150\164
-\164\160\072\057\057\167\167\167\056\166\141\154\151\143\145\162
-\164\056\143\157\155\057\061\040\060\036\006\011\052\206\110\206
-\367\015\001\011\001\026\021\151\156\146\157\100\166\141\154\151
-\143\145\162\164\056\143\157\155\060\036\027\015\071\071\060\066
-\062\066\060\060\062\062\063\063\132\027\015\061\071\060\066\062
-\066\060\060\062\062\063\063\132\060\201\273\061\044\060\042\006
-\003\125\004\007\023\033\126\141\154\151\103\145\162\164\040\126
-\141\154\151\144\141\164\151\157\156\040\116\145\164\167\157\162
-\153\061\027\060\025\006\003\125\004\012\023\016\126\141\154\151
-\103\145\162\164\054\040\111\156\143\056\061\065\060\063\006\003
-\125\004\013\023\054\126\141\154\151\103\145\162\164\040\103\154
-\141\163\163\040\063\040\120\157\154\151\143\171\040\126\141\154
-\151\144\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160
-\072\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056
-\143\157\155\057\061\040\060\036\006\011\052\206\110\206\367\015
-\001\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145
-\162\164\056\143\157\155\060\201\237\060\015\006\011\052\206\110
-\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002
-\201\201\000\343\230\121\226\034\350\325\261\006\201\152\127\303
-\162\165\223\253\317\236\246\374\363\026\122\326\055\115\237\065
-\104\250\056\004\115\007\111\212\070\051\365\167\067\347\267\253
-\135\337\066\161\024\231\217\334\302\222\361\347\140\222\227\354
-\330\110\334\277\301\002\040\306\044\244\050\114\060\132\166\155
-\261\134\363\335\336\236\020\161\241\210\307\133\233\101\155\312
-\260\270\216\025\356\255\063\053\317\107\004\134\165\161\012\230
-\044\230\051\247\111\131\245\335\370\267\103\142\141\363\323\342
-\320\125\077\002\003\001\000\001\060\015\006\011\052\206\110\206
-\367\015\001\001\005\005\000\003\201\201\000\126\273\002\130\204
-\147\010\054\337\037\333\173\111\063\365\323\147\235\364\264\012
-\020\263\311\305\054\342\222\152\161\170\047\362\160\203\102\323
-\076\317\251\124\364\361\330\222\026\214\321\004\313\113\253\311
-\237\105\256\074\212\251\260\161\063\135\310\305\127\337\257\250
-\065\263\177\211\207\351\350\045\222\270\177\205\172\256\326\274
-\036\067\130\052\147\311\221\317\052\201\076\355\306\071\337\300
-\076\031\234\031\314\023\115\202\101\265\214\336\340\075\140\010
-\040\017\105\176\153\242\177\243\214\025\356
-END
-
-# Trust for Certificate "RSA Root Certificate 1"
-# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
-# Serial Number: 1 (0x1)
-# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
-# Not Valid Before: Sat Jun 26 00:22:33 1999
-# Not Valid After : Wed Jun 26 00:22:33 2019
-# Fingerprint (MD5): A2:6F:53:B7:EE:40:DB:4A:68:E7:FA:18:D9:10:4B:72
-# Fingerprint (SHA1): 69:BD:8C:F4:9C:D3:00:FB:59:2E:17:93:CA:55:6A:F3:EC:AA:35:FB
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "RSA Root Certificate 1"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\151\275\214\364\234\323\000\373\131\056\027\223\312\125\152\363
-\354\252\065\373
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\242\157\123\267\356\100\333\112\150\347\372\030\331\020\113\162
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
-\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
-\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
-\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
-\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
-\151\103\145\162\164\040\103\154\141\163\163\040\063\040\120\157
-\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
-\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
-\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
-\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
-\157\100\166\141\154\151\143\145\162\164\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
 #
 # Issuer: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:00:8b:5b:75:56:84:54:85:0b:00:cf:af:38:48:ce:b1:a4
 # Subject: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Not Valid Before: Fri Oct 01 00:00:00 1999
 # Not Valid After : Wed Jul 16 23:59:59 2036
 # Fingerprint (MD5): B1:47:BC:18:57:D1:18:A0:78:2D:EC:71:E8:2A:95:73
@@ -2745,190 +2206,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \224\136\327
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "Entrust.net Secure Server CA"
-#
-# Issuer: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
-# Serial Number: 927650371 (0x374ad243)
-# Subject: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
-# Not Valid Before: Tue May 25 16:09:40 1999
-# Not Valid After : Sat May 25 16:39:40 2019
-# Fingerprint (MD5): DF:F2:80:73:CC:F1:E6:61:73:FC:F5:42:E9:C5:7C:EE
-# Fingerprint (SHA1): 99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Entrust.net Secure Server CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\303\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165
-\163\164\056\156\145\164\061\073\060\071\006\003\125\004\013\023
-\062\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164
-\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040
-\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151\141
-\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050\143
-\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156
-\145\164\040\114\151\155\151\164\145\144\061\072\060\070\006\003
-\125\004\003\023\061\105\156\164\162\165\163\164\056\156\145\164
-\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103
-\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
-\150\157\162\151\164\171
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\303\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165
-\163\164\056\156\145\164\061\073\060\071\006\003\125\004\013\023
-\062\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164
-\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040
-\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151\141
-\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050\143
-\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156
-\145\164\040\114\151\155\151\164\145\144\061\072\060\070\006\003
-\125\004\003\023\061\105\156\164\162\165\163\164\056\156\145\164
-\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103
-\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
-\150\157\162\151\164\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\067\112\322\103
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\330\060\202\004\101\240\003\002\001\002\002\004\067
-\112\322\103\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\060\201\303\061\013\060\011\006\003\125\004\006\023\002
-\125\123\061\024\060\022\006\003\125\004\012\023\013\105\156\164
-\162\165\163\164\056\156\145\164\061\073\060\071\006\003\125\004
-\013\023\062\167\167\167\056\145\156\164\162\165\163\164\056\156
-\145\164\057\103\120\123\040\151\156\143\157\162\160\056\040\142
-\171\040\162\145\146\056\040\050\154\151\155\151\164\163\040\154
-\151\141\142\056\051\061\045\060\043\006\003\125\004\013\023\034
-\050\143\051\040\061\071\071\071\040\105\156\164\162\165\163\164
-\056\156\145\164\040\114\151\155\151\164\145\144\061\072\060\070
-\006\003\125\004\003\023\061\105\156\164\162\165\163\164\056\156
-\145\164\040\123\145\143\165\162\145\040\123\145\162\166\145\162
-\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
-\165\164\150\157\162\151\164\171\060\036\027\015\071\071\060\065
-\062\065\061\066\060\071\064\060\132\027\015\061\071\060\065\062
-\065\061\066\063\071\064\060\132\060\201\303\061\013\060\011\006
-\003\125\004\006\023\002\125\123\061\024\060\022\006\003\125\004
-\012\023\013\105\156\164\162\165\163\164\056\156\145\164\061\073
-\060\071\006\003\125\004\013\023\062\167\167\167\056\145\156\164
-\162\165\163\164\056\156\145\164\057\103\120\123\040\151\156\143
-\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151
-\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006
-\003\125\004\013\023\034\050\143\051\040\061\071\071\071\040\105
-\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164
-\145\144\061\072\060\070\006\003\125\004\003\023\061\105\156\164
-\162\165\163\164\056\156\145\164\040\123\145\143\165\162\145\040
-\123\145\162\166\145\162\040\103\145\162\164\151\146\151\143\141
-\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060\201
-\235\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000
-\003\201\213\000\060\201\207\002\201\201\000\315\050\203\064\124
-\033\211\363\017\257\067\221\061\377\257\061\140\311\250\350\262
-\020\150\355\237\347\223\066\361\012\144\273\107\365\004\027\077
-\043\107\115\305\047\031\201\046\014\124\162\015\210\055\331\037
-\232\022\237\274\263\161\323\200\031\077\107\146\173\214\065\050
-\322\271\012\337\044\332\234\326\120\171\201\172\132\323\067\367
-\302\112\330\051\222\046\144\321\344\230\154\072\000\212\365\064
-\233\145\370\355\343\020\377\375\270\111\130\334\240\336\202\071
-\153\201\261\026\031\141\271\124\266\346\103\002\001\003\243\202
-\001\327\060\202\001\323\060\021\006\011\140\206\110\001\206\370
-\102\001\001\004\004\003\002\000\007\060\202\001\031\006\003\125
-\035\037\004\202\001\020\060\202\001\014\060\201\336\240\201\333
-\240\201\330\244\201\325\060\201\322\061\013\060\011\006\003\125
-\004\006\023\002\125\123\061\024\060\022\006\003\125\004\012\023
-\013\105\156\164\162\165\163\164\056\156\145\164\061\073\060\071
-\006\003\125\004\013\023\062\167\167\167\056\145\156\164\162\165
-\163\164\056\156\145\164\057\103\120\123\040\151\156\143\157\162
-\160\056\040\142\171\040\162\145\146\056\040\050\154\151\155\151
-\164\163\040\154\151\141\142\056\051\061\045\060\043\006\003\125
-\004\013\023\034\050\143\051\040\061\071\071\071\040\105\156\164
-\162\165\163\164\056\156\145\164\040\114\151\155\151\164\145\144
-\061\072\060\070\006\003\125\004\003\023\061\105\156\164\162\165
-\163\164\056\156\145\164\040\123\145\143\165\162\145\040\123\145
-\162\166\145\162\040\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\101\165\164\150\157\162\151\164\171\061\015\060\013
-\006\003\125\004\003\023\004\103\122\114\061\060\051\240\047\240
-\045\206\043\150\164\164\160\072\057\057\167\167\167\056\145\156
-\164\162\165\163\164\056\156\145\164\057\103\122\114\057\156\145
-\164\061\056\143\162\154\060\053\006\003\125\035\020\004\044\060
-\042\200\017\061\071\071\071\060\065\062\065\061\066\060\071\064
-\060\132\201\017\062\060\061\071\060\065\062\065\061\066\060\071
-\064\060\132\060\013\006\003\125\035\017\004\004\003\002\001\006
-\060\037\006\003\125\035\043\004\030\060\026\200\024\360\027\142
-\023\125\075\263\377\012\000\153\373\120\204\227\363\355\142\320
-\032\060\035\006\003\125\035\016\004\026\004\024\360\027\142\023
-\125\075\263\377\012\000\153\373\120\204\227\363\355\142\320\032
-\060\014\006\003\125\035\023\004\005\060\003\001\001\377\060\031
-\006\011\052\206\110\206\366\175\007\101\000\004\014\060\012\033
-\004\126\064\056\060\003\002\004\220\060\015\006\011\052\206\110
-\206\367\015\001\001\005\005\000\003\201\201\000\220\334\060\002
-\372\144\164\302\247\012\245\174\041\215\064\027\250\373\107\016
-\377\045\174\215\023\012\373\344\230\265\357\214\370\305\020\015
-\367\222\276\361\303\325\325\225\152\004\273\054\316\046\066\145
-\310\061\306\347\356\077\343\127\165\204\172\021\357\106\117\030
-\364\323\230\273\250\207\062\272\162\366\074\342\075\237\327\035
-\331\303\140\103\214\130\016\042\226\057\142\243\054\037\272\255
-\005\357\253\062\170\207\240\124\163\031\265\134\005\371\122\076
-\155\055\105\013\367\012\223\352\355\006\371\262
-END
-
-# Trust for Certificate "Entrust.net Secure Server CA"
-# Issuer: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
-# Serial Number: 927650371 (0x374ad243)
-# Subject: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
-# Not Valid Before: Tue May 25 16:09:40 1999
-# Not Valid After : Sat May 25 16:39:40 2019
-# Fingerprint (MD5): DF:F2:80:73:CC:F1:E6:61:73:FC:F5:42:E9:C5:7C:EE
-# Fingerprint (SHA1): 99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Entrust.net Secure Server CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\231\246\233\346\032\376\210\153\115\053\202\000\174\270\124\374
-\061\176\025\071
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\337\362\200\163\314\361\346\141\163\374\365\102\351\305\174\356
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\303\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165
-\163\164\056\156\145\164\061\073\060\071\006\003\125\004\013\023
-\062\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164
-\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040
-\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151\141
-\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050\143
-\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156
-\145\164\040\114\151\155\151\164\145\144\061\072\060\070\006\003
-\125\004\003\023\061\105\156\164\162\165\163\164\056\156\145\164
-\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103
-\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
-\150\157\162\151\164\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\067\112\322\103
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Entrust.net Premium 2048 Secure Server CA"
 #
 # Issuer: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
 # Serial Number: 946069240 (0x3863def8)
 # Subject: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
 # Not Valid Before: Fri Dec 24 17:50:51 1999
 # Not Valid After : Tue Jul 24 14:15:12 2029
 # Fingerprint (MD5): EE:29:31:BC:32:7E:9A:E6:E8:B5:F7:51:B4:34:71:90
@@ -7231,167 +6518,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\072\314\245\114
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "TDC OCES Root CA"
-#
-# Issuer: CN=TDC OCES CA,O=TDC,C=DK
-# Serial Number: 1044954564 (0x3e48bdc4)
-# Subject: CN=TDC OCES CA,O=TDC,C=DK
-# Not Valid Before: Tue Feb 11 08:39:30 2003
-# Not Valid After : Wed Feb 11 09:09:30 2037
-# Fingerprint (MD5): 93:7F:90:1C:ED:84:67:17:A4:65:5F:9B:CB:30:02:97
-# Fingerprint (SHA1): 87:81:C2:5A:96:BD:C2:FB:4C:65:06:4F:F9:39:0B:26:04:8A:0E:01
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "TDC OCES Root CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\061\061\013\060\011\006\003\125\004\006\023\002\104\113\061
-\014\060\012\006\003\125\004\012\023\003\124\104\103\061\024\060
-\022\006\003\125\004\003\023\013\124\104\103\040\117\103\105\123
-\040\103\101
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\061\061\013\060\011\006\003\125\004\006\023\002\104\113\061
-\014\060\012\006\003\125\004\012\023\003\124\104\103\061\024\060
-\022\006\003\125\004\003\023\013\124\104\103\040\117\103\105\123
-\040\103\101
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\076\110\275\304
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\031\060\202\004\001\240\003\002\001\002\002\004\076
-\110\275\304\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\060\061\061\013\060\011\006\003\125\004\006\023\002\104
-\113\061\014\060\012\006\003\125\004\012\023\003\124\104\103\061
-\024\060\022\006\003\125\004\003\023\013\124\104\103\040\117\103
-\105\123\040\103\101\060\036\027\015\060\063\060\062\061\061\060
-\070\063\071\063\060\132\027\015\063\067\060\062\061\061\060\071
-\060\071\063\060\132\060\061\061\013\060\011\006\003\125\004\006
-\023\002\104\113\061\014\060\012\006\003\125\004\012\023\003\124
-\104\103\061\024\060\022\006\003\125\004\003\023\013\124\104\103
-\040\117\103\105\123\040\103\101\060\202\001\042\060\015\006\011
-\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000
-\060\202\001\012\002\202\001\001\000\254\142\366\141\040\262\317
-\300\306\205\327\343\171\346\314\355\362\071\222\244\227\056\144
-\243\204\133\207\234\114\375\244\363\304\137\041\275\126\020\353
-\333\056\141\354\223\151\343\243\314\275\231\303\005\374\006\270
-\312\066\034\376\220\216\111\114\304\126\232\057\126\274\317\173
-\014\361\157\107\246\015\103\115\342\351\035\071\064\315\215\054
-\331\022\230\371\343\341\301\112\174\206\070\304\251\304\141\210
-\322\136\257\032\046\115\325\344\240\042\107\204\331\144\267\031
-\226\374\354\031\344\262\227\046\116\112\114\313\217\044\213\124
-\030\034\110\141\173\325\210\150\332\135\265\352\315\032\060\301
-\200\203\166\120\252\117\321\324\335\070\360\357\026\364\341\014
-\120\006\277\352\373\172\111\241\050\053\034\366\374\025\062\243
-\164\152\217\251\303\142\051\161\061\345\073\244\140\027\136\164
-\346\332\023\355\351\037\037\033\321\262\150\163\306\020\064\165
-\106\020\020\343\220\000\166\100\313\213\267\103\011\041\377\253
-\116\223\306\130\351\245\202\333\167\304\072\231\261\162\225\111
-\004\360\267\053\372\173\131\216\335\002\003\001\000\001\243\202
-\002\067\060\202\002\063\060\017\006\003\125\035\023\001\001\377
-\004\005\060\003\001\001\377\060\016\006\003\125\035\017\001\001
-\377\004\004\003\002\001\006\060\201\354\006\003\125\035\040\004
-\201\344\060\201\341\060\201\336\006\010\052\201\120\201\051\001
-\001\001\060\201\321\060\057\006\010\053\006\001\005\005\007\002
-\001\026\043\150\164\164\160\072\057\057\167\167\167\056\143\145
-\162\164\151\146\151\153\141\164\056\144\153\057\162\145\160\157
-\163\151\164\157\162\171\060\201\235\006\010\053\006\001\005\005
-\007\002\002\060\201\220\060\012\026\003\124\104\103\060\003\002
-\001\001\032\201\201\103\145\162\164\151\146\151\153\141\164\145
-\162\040\146\162\141\040\144\145\156\156\145\040\103\101\040\165
-\144\163\164\145\144\145\163\040\165\156\144\145\162\040\117\111
-\104\040\061\056\062\056\062\060\070\056\061\066\071\056\061\056
-\061\056\061\056\040\103\145\162\164\151\146\151\143\141\164\145
-\163\040\146\162\157\155\040\164\150\151\163\040\103\101\040\141
-\162\145\040\151\163\163\165\145\144\040\165\156\144\145\162\040
-\117\111\104\040\061\056\062\056\062\060\070\056\061\066\071\056
-\061\056\061\056\061\056\060\021\006\011\140\206\110\001\206\370
-\102\001\001\004\004\003\002\000\007\060\201\201\006\003\125\035
-\037\004\172\060\170\060\110\240\106\240\104\244\102\060\100\061
-\013\060\011\006\003\125\004\006\023\002\104\113\061\014\060\012
-\006\003\125\004\012\023\003\124\104\103\061\024\060\022\006\003
-\125\004\003\023\013\124\104\103\040\117\103\105\123\040\103\101
-\061\015\060\013\006\003\125\004\003\023\004\103\122\114\061\060
-\054\240\052\240\050\206\046\150\164\164\160\072\057\057\143\162
-\154\056\157\143\145\163\056\143\145\162\164\151\146\151\153\141
-\164\056\144\153\057\157\143\145\163\056\143\162\154\060\053\006
-\003\125\035\020\004\044\060\042\200\017\062\060\060\063\060\062
-\061\061\060\070\063\071\063\060\132\201\017\062\060\063\067\060
-\062\061\061\060\071\060\071\063\060\132\060\037\006\003\125\035
-\043\004\030\060\026\200\024\140\265\205\354\126\144\176\022\031
-\047\147\035\120\025\113\163\256\073\371\022\060\035\006\003\125
-\035\016\004\026\004\024\140\265\205\354\126\144\176\022\031\047
-\147\035\120\025\113\163\256\073\371\022\060\035\006\011\052\206
-\110\206\366\175\007\101\000\004\020\060\016\033\010\126\066\056
-\060\072\064\056\060\003\002\004\220\060\015\006\011\052\206\110
-\206\367\015\001\001\005\005\000\003\202\001\001\000\012\272\046
-\046\106\323\163\250\011\363\153\013\060\231\375\212\341\127\172
-\021\323\270\224\327\011\020\156\243\261\070\003\321\266\362\103
-\101\051\142\247\162\330\373\174\005\346\061\160\047\124\030\116
-\212\174\116\345\321\312\214\170\210\317\033\323\220\213\346\043
-\370\013\016\063\103\175\234\342\012\031\217\311\001\076\164\135
-\164\311\213\034\003\345\030\310\001\114\077\313\227\005\135\230
-\161\246\230\157\266\174\275\067\177\276\341\223\045\155\157\360
-\012\255\027\030\341\003\274\007\051\310\255\046\350\370\141\360
-\375\041\011\176\232\216\251\150\175\110\142\162\275\000\352\001
-\231\270\006\202\121\201\116\361\365\264\221\124\271\043\172\000
-\232\237\135\215\340\074\144\271\032\022\222\052\307\202\104\162
-\071\334\342\074\306\330\125\365\025\116\310\005\016\333\306\320
-\142\246\354\025\264\265\002\202\333\254\214\242\201\360\233\231
-\061\365\040\040\250\210\141\012\007\237\224\374\320\327\033\314
-\056\027\363\004\047\166\147\353\124\203\375\244\220\176\006\075
-\004\243\103\055\332\374\013\142\352\057\137\142\123
-END
-
-# Trust for Certificate "TDC OCES Root CA"
-# Issuer: CN=TDC OCES CA,O=TDC,C=DK
-# Serial Number: 1044954564 (0x3e48bdc4)
-# Subject: CN=TDC OCES CA,O=TDC,C=DK
-# Not Valid Before: Tue Feb 11 08:39:30 2003
-# Not Valid After : Wed Feb 11 09:09:30 2037
-# Fingerprint (MD5): 93:7F:90:1C:ED:84:67:17:A4:65:5F:9B:CB:30:02:97
-# Fingerprint (SHA1): 87:81:C2:5A:96:BD:C2:FB:4C:65:06:4F:F9:39:0B:26:04:8A:0E:01
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "TDC OCES Root CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\207\201\302\132\226\275\302\373\114\145\006\117\371\071\013\046
-\004\212\016\001
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\223\177\220\034\355\204\147\027\244\145\137\233\313\060\002\227
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\061\061\013\060\011\006\003\125\004\006\023\002\104\113\061
-\014\060\012\006\003\125\004\012\023\003\124\104\103\061\024\060
-\022\006\003\125\004\003\023\013\124\104\103\040\117\103\105\123
-\040\103\101
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\076\110\275\304
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "UTN DATACorp SGC Root CA"
 #
 # Issuer: CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
 # Serial Number:44:be:0c:8b:50:00:21:b4:11:d3:2a:68:06:a9:ad:69
 # Subject: CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
 # Not Valid Before: Thu Jun 24 18:57:21 1999
 # Not Valid After : Mon Jun 24 19:06:30 2019
 # Fingerprint (MD5): B3:A5:3E:77:21:6D:AC:4A:C0:C9:FB:D5:41:3D:CA:06
@@ -8922,19 +8058,19 @@ CKA_ISSUER MULTILINE_OCTAL
 \156\171\153\151\141\144\157\153\061\062\060\060\006\003\125\004
 \003\023\051\116\145\164\114\157\143\153\040\125\172\154\145\164
 \151\040\050\103\154\141\163\163\040\102\051\040\124\141\156\165
 \163\151\164\166\141\156\171\153\151\141\144\157
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\151
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "NetLock Express (Class C) Root"
 #
 # Issuer: CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
 # Serial Number: 104 (0x68)
 # Subject: CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
@@ -9095,19 +8231,19 @@ CKA_ISSUER MULTILINE_OCTAL
 \156\171\153\151\141\144\157\153\061\064\060\062\006\003\125\004
 \003\023\053\116\145\164\114\157\143\153\040\105\170\160\162\145
 \163\163\172\040\050\103\154\141\163\163\040\103\051\040\124\141
 \156\165\163\151\164\166\141\156\171\153\151\141\144\157
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\150
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "XRamp Global CA Root"
 #
 # Issuer: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
 # Serial Number:50:94:6c:ec:18:ea:d5:9c:4d:d5:97:ef:75:8f:a0:ad
 # Subject: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
@@ -9910,173 +9046,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \136\366
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "Firmaprofesional Root CA"
-#
-# Issuer: E=ca@firmaprofesional.com,CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,L=C/ Muntaner 244 Barcelona,C=ES
-# Serial Number: 1 (0x1)
-# Subject: E=ca@firmaprofesional.com,CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,L=C/ Muntaner 244 Barcelona,C=ES
-# Not Valid Before: Wed Oct 24 22:00:00 2001
-# Not Valid After : Thu Oct 24 22:00:00 2013
-# Fingerprint (MD5): 11:92:79:40:3C:B1:83:40:E5:AB:66:4A:67:92:80:DF
-# Fingerprint (SHA1): A9:62:8F:4B:98:A9:1B:48:35:BA:D2:C1:46:32:86:BB:66:64:6A:8C
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Firmaprofesional Root CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\235\061\013\060\011\006\003\125\004\006\023\002\105\123
-\061\042\060\040\006\003\125\004\007\023\031\103\057\040\115\165
-\156\164\141\156\145\162\040\062\064\064\040\102\141\162\143\145
-\154\157\156\141\061\102\060\100\006\003\125\004\003\023\071\101
-\165\164\157\162\151\144\141\144\040\144\145\040\103\145\162\164
-\151\146\151\143\141\143\151\157\156\040\106\151\162\155\141\160
-\162\157\146\145\163\151\157\156\141\154\040\103\111\106\040\101
-\066\062\066\063\064\060\066\070\061\046\060\044\006\011\052\206
-\110\206\367\015\001\011\001\026\027\143\141\100\146\151\162\155
-\141\160\162\157\146\145\163\151\157\156\141\154\056\143\157\155
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\235\061\013\060\011\006\003\125\004\006\023\002\105\123
-\061\042\060\040\006\003\125\004\007\023\031\103\057\040\115\165
-\156\164\141\156\145\162\040\062\064\064\040\102\141\162\143\145
-\154\157\156\141\061\102\060\100\006\003\125\004\003\023\071\101
-\165\164\157\162\151\144\141\144\040\144\145\040\103\145\162\164
-\151\146\151\143\141\143\151\157\156\040\106\151\162\155\141\160
-\162\157\146\145\163\151\157\156\141\154\040\103\111\106\040\101
-\066\062\066\063\064\060\066\070\061\046\060\044\006\011\052\206
-\110\206\367\015\001\011\001\026\027\143\141\100\146\151\162\155
-\141\160\162\157\146\145\163\151\157\156\141\154\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\127\060\202\003\077\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\201\235\061\013\060\011\006\003\125\004\006\023\002\105\123\061
-\042\060\040\006\003\125\004\007\023\031\103\057\040\115\165\156
-\164\141\156\145\162\040\062\064\064\040\102\141\162\143\145\154
-\157\156\141\061\102\060\100\006\003\125\004\003\023\071\101\165
-\164\157\162\151\144\141\144\040\144\145\040\103\145\162\164\151
-\146\151\143\141\143\151\157\156\040\106\151\162\155\141\160\162
-\157\146\145\163\151\157\156\141\154\040\103\111\106\040\101\066
-\062\066\063\064\060\066\070\061\046\060\044\006\011\052\206\110
-\206\367\015\001\011\001\026\027\143\141\100\146\151\162\155\141
-\160\162\157\146\145\163\151\157\156\141\154\056\143\157\155\060
-\036\027\015\060\061\061\060\062\064\062\062\060\060\060\060\132
-\027\015\061\063\061\060\062\064\062\062\060\060\060\060\132\060
-\201\235\061\013\060\011\006\003\125\004\006\023\002\105\123\061
-\042\060\040\006\003\125\004\007\023\031\103\057\040\115\165\156
-\164\141\156\145\162\040\062\064\064\040\102\141\162\143\145\154
-\157\156\141\061\102\060\100\006\003\125\004\003\023\071\101\165
-\164\157\162\151\144\141\144\040\144\145\040\103\145\162\164\151
-\146\151\143\141\143\151\157\156\040\106\151\162\155\141\160\162
-\157\146\145\163\151\157\156\141\154\040\103\111\106\040\101\066
-\062\066\063\064\060\066\070\061\046\060\044\006\011\052\206\110
-\206\367\015\001\011\001\026\027\143\141\100\146\151\162\155\141
-\160\162\157\146\145\163\151\157\156\141\154\056\143\157\155\060
-\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001
-\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000
-\347\043\003\157\157\043\245\136\170\316\225\054\355\224\036\156
-\012\236\001\307\352\060\321\054\235\335\067\350\233\230\171\126
-\323\374\163\337\320\212\336\125\217\121\371\132\352\336\265\160
-\304\355\244\355\377\243\015\156\017\144\120\061\257\001\047\130
-\256\376\154\247\112\057\027\055\323\163\325\023\034\217\131\245
-\064\054\035\124\004\105\315\150\270\240\300\003\245\317\205\102
-\107\225\050\133\317\357\200\154\340\220\227\212\001\074\035\363
-\207\020\060\046\110\175\327\374\351\235\221\161\377\101\232\251
-\100\265\067\234\051\040\117\037\122\343\240\175\023\155\124\267
-\012\336\351\152\116\007\254\254\031\137\334\176\142\164\366\262
-\005\000\272\205\240\375\035\070\156\313\132\273\206\274\224\147
-\063\065\203\054\037\043\315\370\310\221\161\314\227\213\357\256
-\017\334\051\003\033\300\071\353\160\355\301\156\016\330\147\013
-\211\251\274\065\344\357\266\064\264\245\266\304\055\245\276\320
-\303\224\044\110\333\337\226\323\000\265\146\032\213\146\005\017
-\335\077\077\313\077\252\136\232\112\370\264\112\357\225\067\033
-\002\003\001\000\001\243\201\237\060\201\234\060\052\006\003\125
-\035\021\004\043\060\041\206\037\150\164\164\160\072\057\057\167
-\167\167\056\146\151\162\155\141\160\162\157\146\145\163\151\157
-\156\141\154\056\143\157\155\060\022\006\003\125\035\023\001\001
-\377\004\010\060\006\001\001\377\002\001\001\060\053\006\003\125
-\035\020\004\044\060\042\200\017\062\060\060\061\061\060\062\064
-\062\062\060\060\060\060\132\201\017\062\060\061\063\061\060\062
-\064\062\062\060\060\060\060\132\060\016\006\003\125\035\017\001
-\001\377\004\004\003\002\001\006\060\035\006\003\125\035\016\004
-\026\004\024\063\013\240\146\321\352\332\316\336\142\223\004\050
-\122\265\024\177\070\150\267\060\015\006\011\052\206\110\206\367
-\015\001\001\005\005\000\003\202\001\001\000\107\163\376\215\047
-\124\360\365\324\167\234\047\171\127\127\267\025\126\354\307\330
-\130\267\001\002\364\063\355\223\120\210\236\174\106\261\275\077
-\024\157\361\263\107\110\213\214\227\006\327\352\176\243\134\052
-\273\115\057\107\342\370\071\006\311\234\056\061\032\003\170\364
-\274\070\306\042\213\063\061\360\026\004\004\175\371\166\344\113
-\327\300\346\203\354\131\314\077\336\377\117\153\267\147\176\246
-\206\201\062\043\003\235\310\367\137\301\112\140\245\222\251\261
-\244\240\140\303\170\207\263\042\363\052\353\133\251\355\005\253
-\067\017\261\342\323\225\166\143\126\164\214\130\162\033\067\345
-\144\241\276\115\014\223\230\014\227\366\207\155\263\077\347\313
-\200\246\355\210\307\137\120\142\002\350\231\164\026\320\346\264
-\071\361\047\313\310\100\326\343\206\020\251\043\022\222\340\151
-\101\143\247\257\045\013\300\305\222\313\036\230\243\132\272\305
-\063\017\240\227\001\335\177\340\173\326\006\124\317\241\342\115
-\070\353\113\120\265\313\046\364\312\332\160\112\152\241\342\171
-\252\341\247\063\366\375\112\037\366\331\140
-END
-
-# Trust for Certificate "Firmaprofesional Root CA"
-# Issuer: E=ca@firmaprofesional.com,CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,L=C/ Muntaner 244 Barcelona,C=ES
-# Serial Number: 1 (0x1)
-# Subject: E=ca@firmaprofesional.com,CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,L=C/ Muntaner 244 Barcelona,C=ES
-# Not Valid Before: Wed Oct 24 22:00:00 2001
-# Not Valid After : Thu Oct 24 22:00:00 2013
-# Fingerprint (MD5): 11:92:79:40:3C:B1:83:40:E5:AB:66:4A:67:92:80:DF
-# Fingerprint (SHA1): A9:62:8F:4B:98:A9:1B:48:35:BA:D2:C1:46:32:86:BB:66:64:6A:8C
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Firmaprofesional Root CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\251\142\217\113\230\251\033\110\065\272\322\301\106\062\206\273
-\146\144\152\214
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\021\222\171\100\074\261\203\100\345\253\146\112\147\222\200\337
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\235\061\013\060\011\006\003\125\004\006\023\002\105\123
-\061\042\060\040\006\003\125\004\007\023\031\103\057\040\115\165
-\156\164\141\156\145\162\040\062\064\064\040\102\141\162\143\145
-\154\157\156\141\061\102\060\100\006\003\125\004\003\023\071\101
-\165\164\157\162\151\144\141\144\040\144\145\040\103\145\162\164
-\151\146\151\143\141\143\151\157\156\040\106\151\162\155\141\160
-\162\157\146\145\163\151\157\156\141\154\040\103\111\106\040\101
-\066\062\066\063\064\060\066\070\061\046\060\044\006\011\052\206
-\110\206\367\015\001\011\001\026\027\143\141\100\146\151\162\155
-\141\160\162\157\146\145\163\151\157\156\141\154\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Swisscom Root CA 1"
 #
 # Issuer: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
 # Serial Number:5c:0b:85:5c:0b:e7:59:41:df:57:cc:3f:7f:9d:a8:36
 # Subject: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
 # Not Valid Before: Thu Aug 18 12:06:20 2005
 # Not Valid After : Mon Aug 18 22:06:20 2025
 # Fingerprint (MD5): F8:38:7C:77:88:DF:2C:16:68:2E:C2:E2:52:4B:B8:F9
@@ -28964,8 +27943,627 @@ CKA_ISSUER MULTILINE_OCTAL
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\002\014\276
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "TeliaSonera Root CA v1"
+#
+# Issuer: CN=TeliaSonera Root CA v1,O=TeliaSonera
+# Serial Number:00:95:be:16:a0:f7:2e:46:f1:7b:39:82:72:fa:8b:cd:96
+# Subject: CN=TeliaSonera Root CA v1,O=TeliaSonera
+# Not Valid Before: Thu Oct 18 12:00:50 2007
+# Not Valid After : Mon Oct 18 12:00:50 2032
+# Fingerprint (MD5): 37:41:49:1B:18:56:9A:26:F5:AD:C2:66:FB:40:A5:4C
+# Fingerprint (SHA1): 43:13:BB:96:F1:D5:86:9B:C1:4E:6A:92:F6:CF:F6:34:69:87:82:37
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "TeliaSonera Root CA v1"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\067\061\024\060\022\006\003\125\004\012\014\013\124\145\154
+\151\141\123\157\156\145\162\141\061\037\060\035\006\003\125\004
+\003\014\026\124\145\154\151\141\123\157\156\145\162\141\040\122
+\157\157\164\040\103\101\040\166\061
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\067\061\024\060\022\006\003\125\004\012\014\013\124\145\154
+\151\141\123\157\156\145\162\141\061\037\060\035\006\003\125\004
+\003\014\026\124\145\154\151\141\123\157\156\145\162\141\040\122
+\157\157\164\040\103\101\040\166\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\021\000\225\276\026\240\367\056\106\361\173\071\202\162\372
+\213\315\226
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\070\060\202\003\040\240\003\002\001\002\002\021\000
+\225\276\026\240\367\056\106\361\173\071\202\162\372\213\315\226
+\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
+\067\061\024\060\022\006\003\125\004\012\014\013\124\145\154\151
+\141\123\157\156\145\162\141\061\037\060\035\006\003\125\004\003
+\014\026\124\145\154\151\141\123\157\156\145\162\141\040\122\157
+\157\164\040\103\101\040\166\061\060\036\027\015\060\067\061\060
+\061\070\061\062\060\060\065\060\132\027\015\063\062\061\060\061
+\070\061\062\060\060\065\060\132\060\067\061\024\060\022\006\003
+\125\004\012\014\013\124\145\154\151\141\123\157\156\145\162\141
+\061\037\060\035\006\003\125\004\003\014\026\124\145\154\151\141
+\123\157\156\145\162\141\040\122\157\157\164\040\103\101\040\166
+\061\060\202\002\042\060\015\006\011\052\206\110\206\367\015\001
+\001\001\005\000\003\202\002\017\000\060\202\002\012\002\202\002
+\001\000\302\276\353\047\360\041\243\363\151\046\125\176\235\305
+\125\026\221\134\375\357\041\277\123\200\172\055\322\221\214\143
+\061\360\354\044\360\303\245\322\162\174\020\155\364\067\267\345
+\346\174\171\352\214\265\202\213\256\110\266\254\000\334\145\165
+\354\052\115\137\301\207\365\040\145\053\201\250\107\076\211\043
+\225\060\026\220\177\350\127\007\110\347\031\256\277\105\147\261
+\067\033\006\052\376\336\371\254\175\203\373\136\272\344\217\227
+\147\276\113\216\215\144\007\127\070\125\151\064\066\075\023\110
+\357\117\342\323\146\036\244\317\032\267\136\066\063\324\264\006
+\275\030\001\375\167\204\120\000\105\365\214\135\350\043\274\176
+\376\065\341\355\120\173\251\060\215\031\323\011\216\150\147\135
+\277\074\227\030\123\273\051\142\305\312\136\162\301\307\226\324
+\333\055\240\264\037\151\003\354\352\342\120\361\014\074\360\254
+\363\123\055\360\034\365\355\154\071\071\163\200\026\310\122\260
+\043\315\340\076\334\335\074\107\240\273\065\212\342\230\150\213
+\276\345\277\162\356\322\372\245\355\022\355\374\230\030\251\046
+\166\334\050\113\020\040\034\323\177\026\167\055\355\157\200\367
+\111\273\123\005\273\135\150\307\324\310\165\026\077\211\132\213
+\367\027\107\324\114\361\322\211\171\076\115\075\230\250\141\336
+\072\036\322\370\136\003\340\301\311\034\214\323\215\115\323\225
+\066\263\067\137\143\143\233\063\024\360\055\046\153\123\174\211
+\214\062\302\156\354\075\041\000\071\311\241\150\342\120\203\056
+\260\072\053\363\066\240\254\057\344\157\141\302\121\011\071\076
+\213\123\271\273\147\332\334\123\271\166\131\066\235\103\345\040
+\340\075\062\140\205\042\121\267\307\063\273\335\025\057\244\170
+\246\007\173\201\106\066\004\206\335\171\065\307\225\054\073\260
+\243\027\065\345\163\037\264\134\131\357\332\352\020\145\173\172
+\320\177\237\263\264\052\067\073\160\213\233\133\271\053\267\354
+\262\121\022\227\123\051\132\324\360\022\020\334\117\002\273\022
+\222\057\142\324\077\151\103\174\015\326\374\130\165\001\210\235
+\130\026\113\336\272\220\377\107\001\211\006\152\366\137\262\220
+\152\263\002\246\002\210\277\263\107\176\052\331\325\372\150\170
+\065\115\002\003\001\000\001\243\077\060\075\060\017\006\003\125
+\035\023\001\001\377\004\005\060\003\001\001\377\060\013\006\003
+\125\035\017\004\004\003\002\001\006\060\035\006\003\125\035\016
+\004\026\004\024\360\217\131\070\000\263\365\217\232\226\014\325
+\353\372\173\252\027\350\023\022\060\015\006\011\052\206\110\206
+\367\015\001\001\005\005\000\003\202\002\001\000\276\344\134\142
+\116\044\364\014\010\377\360\323\014\150\344\223\111\042\077\104
+\047\157\273\155\336\203\146\316\250\314\015\374\365\232\006\345
+\167\024\221\353\235\101\173\231\052\204\345\377\374\041\301\135
+\360\344\037\127\267\165\251\241\137\002\046\377\327\307\367\116
+\336\117\370\367\034\106\300\172\117\100\054\042\065\360\031\261
+\320\153\147\054\260\250\340\300\100\067\065\366\204\134\134\343
+\257\102\170\376\247\311\015\120\352\015\204\166\366\121\357\203
+\123\306\172\377\016\126\111\056\217\172\326\014\346\047\124\343
+\115\012\140\162\142\315\221\007\326\245\277\310\231\153\355\304
+\031\346\253\114\021\070\305\157\061\342\156\111\310\077\166\200
+\046\003\046\051\340\066\366\366\040\123\343\027\160\064\027\235
+\143\150\036\153\354\303\115\206\270\023\060\057\135\106\015\107
+\103\325\033\252\131\016\271\134\215\006\110\255\164\207\137\307
+\374\061\124\101\023\342\307\041\016\236\340\036\015\341\300\173
+\103\205\220\305\212\130\306\145\012\170\127\362\306\043\017\001
+\331\040\113\336\017\373\222\205\165\052\134\163\215\155\173\045
+\221\312\356\105\256\006\113\000\314\323\261\131\120\332\072\210
+\073\051\103\106\136\227\053\124\316\123\157\215\112\347\226\372
+\277\161\016\102\213\174\375\050\240\320\110\312\332\304\201\114
+\273\242\163\223\046\310\353\014\326\046\210\266\300\044\317\273
+\275\133\353\165\175\351\010\216\206\063\054\171\167\011\151\245
+\211\374\263\160\220\207\166\217\323\042\273\102\316\275\163\013
+\040\046\052\320\233\075\160\036\044\154\315\207\166\251\027\226
+\267\317\015\222\373\216\030\251\230\111\321\236\376\140\104\162
+\041\271\031\355\302\365\061\361\071\110\210\220\044\165\124\026
+\255\316\364\370\151\024\144\071\373\243\270\272\160\100\307\047
+\034\277\304\126\123\372\143\145\320\363\034\016\026\365\153\206
+\130\115\030\324\344\015\216\245\235\133\221\334\166\044\120\077
+\306\052\373\331\267\234\265\326\346\320\331\350\031\213\025\161
+\110\255\267\352\330\131\210\324\220\277\026\263\331\351\254\131
+\141\124\310\034\272\312\301\312\341\271\040\114\217\072\223\211
+\245\240\314\277\323\366\165\244\165\226\155\126
+END
+
+# Trust for "TeliaSonera Root CA v1"
+# Issuer: CN=TeliaSonera Root CA v1,O=TeliaSonera
+# Serial Number:00:95:be:16:a0:f7:2e:46:f1:7b:39:82:72:fa:8b:cd:96
+# Subject: CN=TeliaSonera Root CA v1,O=TeliaSonera
+# Not Valid Before: Thu Oct 18 12:00:50 2007
+# Not Valid After : Mon Oct 18 12:00:50 2032
+# Fingerprint (MD5): 37:41:49:1B:18:56:9A:26:F5:AD:C2:66:FB:40:A5:4C
+# Fingerprint (SHA1): 43:13:BB:96:F1:D5:86:9B:C1:4E:6A:92:F6:CF:F6:34:69:87:82:37
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "TeliaSonera Root CA v1"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\103\023\273\226\361\325\206\233\301\116\152\222\366\317\366\064
+\151\207\202\067
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\067\101\111\033\030\126\232\046\365\255\302\146\373\100\245\114
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\067\061\024\060\022\006\003\125\004\012\014\013\124\145\154
+\151\141\123\157\156\145\162\141\061\037\060\035\006\003\125\004
+\003\014\026\124\145\154\151\141\123\157\156\145\162\141\040\122
+\157\157\164\040\103\101\040\166\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\021\000\225\276\026\240\367\056\106\361\173\071\202\162\372
+\213\315\226
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "E-Tugra Certification Authority"
+#
+# Issuer: CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tu..ra EBG Bili..im Teknolojileri ve Hizmetleri A....,L=Ankara,C=TR
+# Serial Number:6a:68:3e:9c:51:9b:cb:53
+# Subject: CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tu..ra EBG Bili..im Teknolojileri ve Hizmetleri A....,L=Ankara,C=TR
+# Not Valid Before: Tue Mar 05 12:09:48 2013
+# Not Valid After : Fri Mar 03 12:09:48 2023
+# Fingerprint (MD5): B8:A1:03:63:B0:BD:21:71:70:8A:6F:13:3A:BB:79:49
+# Fingerprint (SHA1): 51:C6:E7:08:49:06:6E:F3:92:D4:5C:A0:0D:6D:A3:62:8F:C3:52:39
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "E-Tugra Certification Authority"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\262\061\013\060\011\006\003\125\004\006\023\002\124\122
+\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162
+\141\061\100\060\076\006\003\125\004\012\014\067\105\055\124\165
+\304\237\162\141\040\105\102\107\040\102\151\154\151\305\237\151
+\155\040\124\145\153\156\157\154\157\152\151\154\145\162\151\040
+\166\145\040\110\151\172\155\145\164\154\145\162\151\040\101\056
+\305\236\056\061\046\060\044\006\003\125\004\013\014\035\105\055
+\124\165\147\162\141\040\123\145\162\164\151\146\151\153\141\163
+\171\157\156\040\115\145\162\153\145\172\151\061\050\060\046\006
+\003\125\004\003\014\037\105\055\124\165\147\162\141\040\103\145
+\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150
+\157\162\151\164\171
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\262\061\013\060\011\006\003\125\004\006\023\002\124\122
+\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162
+\141\061\100\060\076\006\003\125\004\012\014\067\105\055\124\165
+\304\237\162\141\040\105\102\107\040\102\151\154\151\305\237\151
+\155\040\124\145\153\156\157\154\157\152\151\154\145\162\151\040
+\166\145\040\110\151\172\155\145\164\154\145\162\151\040\101\056
+\305\236\056\061\046\060\044\006\003\125\004\013\014\035\105\055
+\124\165\147\162\141\040\123\145\162\164\151\146\151\153\141\163
+\171\157\156\040\115\145\162\153\145\172\151\061\050\060\046\006
+\003\125\004\003\014\037\105\055\124\165\147\162\141\040\103\145
+\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150
+\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\010\152\150\076\234\121\233\313\123
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\006\113\060\202\004\063\240\003\002\001\002\002\010\152
+\150\076\234\121\233\313\123\060\015\006\011\052\206\110\206\367
+\015\001\001\013\005\000\060\201\262\061\013\060\011\006\003\125
+\004\006\023\002\124\122\061\017\060\015\006\003\125\004\007\014
+\006\101\156\153\141\162\141\061\100\060\076\006\003\125\004\012
+\014\067\105\055\124\165\304\237\162\141\040\105\102\107\040\102
+\151\154\151\305\237\151\155\040\124\145\153\156\157\154\157\152
+\151\154\145\162\151\040\166\145\040\110\151\172\155\145\164\154
+\145\162\151\040\101\056\305\236\056\061\046\060\044\006\003\125
+\004\013\014\035\105\055\124\165\147\162\141\040\123\145\162\164
+\151\146\151\153\141\163\171\157\156\040\115\145\162\153\145\172
+\151\061\050\060\046\006\003\125\004\003\014\037\105\055\124\165
+\147\162\141\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171\060\036\027\015\061
+\063\060\063\060\065\061\062\060\071\064\070\132\027\015\062\063
+\060\063\060\063\061\062\060\071\064\070\132\060\201\262\061\013
+\060\011\006\003\125\004\006\023\002\124\122\061\017\060\015\006
+\003\125\004\007\014\006\101\156\153\141\162\141\061\100\060\076
+\006\003\125\004\012\014\067\105\055\124\165\304\237\162\141\040
+\105\102\107\040\102\151\154\151\305\237\151\155\040\124\145\153
+\156\157\154\157\152\151\154\145\162\151\040\166\145\040\110\151
+\172\155\145\164\154\145\162\151\040\101\056\305\236\056\061\046
+\060\044\006\003\125\004\013\014\035\105\055\124\165\147\162\141
+\040\123\145\162\164\151\146\151\153\141\163\171\157\156\040\115
+\145\162\153\145\172\151\061\050\060\046\006\003\125\004\003\014
+\037\105\055\124\165\147\162\141\040\103\145\162\164\151\146\151
+\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
+\060\202\002\042\060\015\006\011\052\206\110\206\367\015\001\001
+\001\005\000\003\202\002\017\000\060\202\002\012\002\202\002\001
+\000\342\365\077\223\005\121\036\205\142\124\136\172\013\365\030
+\007\203\256\176\257\174\367\324\212\153\245\143\103\071\271\113
+\367\303\306\144\211\075\224\056\124\200\122\071\071\007\113\113
+\335\205\007\166\207\314\277\057\225\114\314\175\247\075\274\107
+\017\230\160\370\214\205\036\164\216\222\155\033\100\321\231\015
+\273\165\156\310\251\153\232\300\204\061\257\312\103\313\353\053
+\064\350\217\227\153\001\233\325\016\112\010\252\133\222\164\205
+\103\323\200\256\241\210\133\256\263\352\136\313\026\232\167\104
+\310\241\366\124\150\316\336\217\227\053\272\133\100\002\014\144
+\027\300\265\223\315\341\361\023\146\316\014\171\357\321\221\050
+\253\137\240\022\122\060\163\031\216\217\341\214\007\242\303\273
+\112\360\352\037\025\250\356\045\314\244\106\370\033\042\357\263
+\016\103\272\054\044\270\305\054\134\324\034\370\135\144\275\303
+\223\136\050\247\077\047\361\216\036\323\052\120\005\243\125\331
+\313\347\071\123\300\230\236\214\124\142\213\046\260\367\175\215
+\174\344\306\236\146\102\125\202\107\347\262\130\215\146\367\007
+\174\056\066\346\120\034\077\333\103\044\305\277\206\107\171\263
+\171\034\367\132\364\023\354\154\370\077\342\131\037\225\356\102
+\076\271\255\250\062\205\111\227\106\376\113\061\217\132\313\255
+\164\107\037\351\221\267\337\050\004\042\240\324\017\135\342\171
+\117\352\154\205\206\275\250\246\316\344\372\303\341\263\256\336
+\074\121\356\313\023\174\001\177\204\016\135\121\224\236\023\014
+\266\056\245\114\371\071\160\066\157\226\312\056\014\104\125\305
+\312\372\135\002\243\337\326\144\214\132\263\001\012\251\265\012
+\107\027\377\357\221\100\052\216\241\106\072\061\230\345\021\374
+\314\273\111\126\212\374\271\320\141\232\157\145\154\346\303\313
+\076\165\111\376\217\247\342\211\305\147\327\235\106\023\116\061
+\166\073\044\263\236\021\145\206\253\177\357\035\324\370\274\347
+\254\132\134\267\132\107\134\125\316\125\264\042\161\133\133\013
+\360\317\334\240\141\144\352\251\327\150\012\143\247\340\015\077
+\240\257\323\252\322\176\357\121\240\346\121\053\125\222\025\027
+\123\313\267\146\016\146\114\370\371\165\114\220\347\022\160\307
+\105\002\003\001\000\001\243\143\060\141\060\035\006\003\125\035
+\016\004\026\004\024\056\343\333\262\111\320\234\124\171\134\372
+\047\052\376\314\116\322\350\116\124\060\017\006\003\125\035\023
+\001\001\377\004\005\060\003\001\001\377\060\037\006\003\125\035
+\043\004\030\060\026\200\024\056\343\333\262\111\320\234\124\171
+\134\372\047\052\376\314\116\322\350\116\124\060\016\006\003\125
+\035\017\001\001\377\004\004\003\002\001\006\060\015\006\011\052
+\206\110\206\367\015\001\001\013\005\000\003\202\002\001\000\005
+\067\072\364\115\267\105\342\105\165\044\217\266\167\122\350\034
+\330\020\223\145\363\362\131\006\244\076\036\051\354\135\321\320
+\253\174\340\012\220\110\170\355\116\230\003\231\376\050\140\221
+\035\060\035\270\143\174\250\346\065\265\372\323\141\166\346\326
+\007\113\312\151\232\262\204\172\167\223\105\027\025\237\044\320
+\230\023\022\377\273\240\056\375\116\114\207\370\316\134\252\230
+\033\005\340\000\106\112\202\200\245\063\213\050\334\355\070\323
+\337\345\076\351\376\373\131\335\141\204\117\322\124\226\023\141
+\023\076\217\200\151\276\223\107\265\065\103\322\132\273\075\134
+\357\263\102\107\315\073\125\023\006\260\011\333\375\143\366\072
+\210\012\231\157\176\341\316\033\123\152\104\146\043\121\010\173
+\274\133\122\242\375\006\067\070\100\141\217\112\226\270\220\067
+\370\146\307\170\220\000\025\056\213\255\121\065\123\007\250\153
+\150\256\371\116\074\007\046\315\010\005\160\314\071\077\166\275
+\245\323\147\046\001\206\246\123\322\140\073\174\103\177\125\212
+\274\225\032\301\050\071\114\037\103\322\221\364\162\131\212\271
+\126\374\077\264\235\332\160\234\166\132\214\103\120\356\216\060
+\162\115\337\377\111\367\306\251\147\331\155\254\002\021\342\072
+\026\045\247\130\010\313\157\123\101\234\110\070\107\150\063\321
+\327\307\217\324\164\041\324\303\005\220\172\377\316\226\210\261
+\025\051\135\043\253\320\140\241\022\117\336\364\027\315\062\345
+\311\277\310\103\255\375\056\216\361\257\342\364\230\372\022\037
+\040\330\300\247\014\205\305\220\364\073\055\226\046\261\054\276
+\114\253\353\261\322\212\311\333\170\023\017\036\011\235\155\217
+\000\237\002\332\301\372\037\172\172\011\304\112\346\210\052\227
+\237\211\213\375\067\137\137\072\316\070\131\206\113\257\161\013
+\264\330\362\160\117\237\062\023\343\260\247\127\345\332\332\103
+\313\204\064\362\050\304\352\155\364\052\357\301\153\166\332\373
+\176\273\205\074\322\123\302\115\276\161\341\105\321\375\043\147
+\015\023\165\373\317\145\147\042\235\256\260\011\321\011\377\035
+\064\277\376\043\227\067\322\071\372\075\015\006\013\264\333\073
+\243\253\157\134\035\266\176\350\263\202\064\355\006\134\044
+END
+
+# Trust for "E-Tugra Certification Authority"
+# Issuer: CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tu..ra EBG Bili..im Teknolojileri ve Hizmetleri A....,L=Ankara,C=TR
+# Serial Number:6a:68:3e:9c:51:9b:cb:53
+# Subject: CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tu..ra EBG Bili..im Teknolojileri ve Hizmetleri A....,L=Ankara,C=TR
+# Not Valid Before: Tue Mar 05 12:09:48 2013
+# Not Valid After : Fri Mar 03 12:09:48 2023
+# Fingerprint (MD5): B8:A1:03:63:B0:BD:21:71:70:8A:6F:13:3A:BB:79:49
+# Fingerprint (SHA1): 51:C6:E7:08:49:06:6E:F3:92:D4:5C:A0:0D:6D:A3:62:8F:C3:52:39
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "E-Tugra Certification Authority"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\121\306\347\010\111\006\156\363\222\324\134\240\015\155\243\142
+\217\303\122\071
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\270\241\003\143\260\275\041\161\160\212\157\023\072\273\171\111
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\262\061\013\060\011\006\003\125\004\006\023\002\124\122
+\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162
+\141\061\100\060\076\006\003\125\004\012\014\067\105\055\124\165
+\304\237\162\141\040\105\102\107\040\102\151\154\151\305\237\151
+\155\040\124\145\153\156\157\154\157\152\151\154\145\162\151\040
+\166\145\040\110\151\172\155\145\164\154\145\162\151\040\101\056
+\305\236\056\061\046\060\044\006\003\125\004\013\014\035\105\055
+\124\165\147\162\141\040\123\145\162\164\151\146\151\153\141\163
+\171\157\156\040\115\145\162\153\145\172\151\061\050\060\046\006
+\003\125\004\003\014\037\105\055\124\165\147\162\141\040\103\145
+\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150
+\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\010\152\150\076\234\121\233\313\123
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "T-TeleSec GlobalRoot Class 2"
+#
+# Issuer: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
+# Serial Number: 1 (0x1)
+# Subject: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
+# Not Valid Before: Wed Oct 01 10:40:14 2008
+# Not Valid After : Sat Oct 01 23:59:59 2033
+# Fingerprint (MD5): 2B:9B:9E:E4:7B:6C:1F:00:72:1A:CC:C1:77:79:DF:6A
+# Fingerprint (SHA1): 59:0D:2D:7D:88:4F:40:2E:61:7E:A5:62:32:17:65:CF:17:D8:94:E9
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "T-TeleSec GlobalRoot Class 2"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\202\061\013\060\011\006\003\125\004\006\023\002\104\105
+\061\053\060\051\006\003\125\004\012\014\042\124\055\123\171\163
+\164\145\155\163\040\105\156\164\145\162\160\162\151\163\145\040
+\123\145\162\166\151\143\145\163\040\107\155\142\110\061\037\060
+\035\006\003\125\004\013\014\026\124\055\123\171\163\164\145\155
+\163\040\124\162\165\163\164\040\103\145\156\164\145\162\061\045
+\060\043\006\003\125\004\003\014\034\124\055\124\145\154\145\123
+\145\143\040\107\154\157\142\141\154\122\157\157\164\040\103\154
+\141\163\163\040\062
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\202\061\013\060\011\006\003\125\004\006\023\002\104\105
+\061\053\060\051\006\003\125\004\012\014\042\124\055\123\171\163
+\164\145\155\163\040\105\156\164\145\162\160\162\151\163\145\040
+\123\145\162\166\151\143\145\163\040\107\155\142\110\061\037\060
+\035\006\003\125\004\013\014\026\124\055\123\171\163\164\145\155
+\163\040\124\162\165\163\164\040\103\145\156\164\145\162\061\045
+\060\043\006\003\125\004\003\014\034\124\055\124\145\154\145\123
+\145\143\040\107\154\157\142\141\154\122\157\157\164\040\103\154
+\141\163\163\040\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\001\001
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\303\060\202\002\253\240\003\002\001\002\002\001\001
+\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060
+\201\202\061\013\060\011\006\003\125\004\006\023\002\104\105\061
+\053\060\051\006\003\125\004\012\014\042\124\055\123\171\163\164
+\145\155\163\040\105\156\164\145\162\160\162\151\163\145\040\123
+\145\162\166\151\143\145\163\040\107\155\142\110\061\037\060\035
+\006\003\125\004\013\014\026\124\055\123\171\163\164\145\155\163
+\040\124\162\165\163\164\040\103\145\156\164\145\162\061\045\060
+\043\006\003\125\004\003\014\034\124\055\124\145\154\145\123\145
+\143\040\107\154\157\142\141\154\122\157\157\164\040\103\154\141
+\163\163\040\062\060\036\027\015\060\070\061\060\060\061\061\060
+\064\060\061\064\132\027\015\063\063\061\060\060\061\062\063\065
+\071\065\071\132\060\201\202\061\013\060\011\006\003\125\004\006
+\023\002\104\105\061\053\060\051\006\003\125\004\012\014\042\124
+\055\123\171\163\164\145\155\163\040\105\156\164\145\162\160\162
+\151\163\145\040\123\145\162\166\151\143\145\163\040\107\155\142
+\110\061\037\060\035\006\003\125\004\013\014\026\124\055\123\171
+\163\164\145\155\163\040\124\162\165\163\164\040\103\145\156\164
+\145\162\061\045\060\043\006\003\125\004\003\014\034\124\055\124
+\145\154\145\123\145\143\040\107\154\157\142\141\154\122\157\157
+\164\040\103\154\141\163\163\040\062\060\202\001\042\060\015\006
+\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017
+\000\060\202\001\012\002\202\001\001\000\252\137\332\033\137\350
+\163\221\345\332\134\364\242\346\107\345\363\150\125\140\005\035
+\002\244\263\233\131\363\036\212\257\064\255\374\015\302\331\110
+\031\356\151\217\311\040\374\041\252\007\031\355\260\134\254\145
+\307\137\355\002\174\173\174\055\033\326\272\271\200\302\030\202
+\026\204\372\146\260\010\306\124\043\201\344\315\271\111\077\366
+\117\156\067\110\050\070\017\305\276\347\150\160\375\071\227\115
+\322\307\230\221\120\252\304\104\263\043\175\071\107\351\122\142
+\326\022\223\136\267\061\226\102\005\373\166\247\036\243\365\302
+\374\351\172\305\154\251\161\117\352\313\170\274\140\257\307\336
+\364\331\313\276\176\063\245\156\224\203\360\064\372\041\253\352
+\216\162\240\077\244\336\060\133\357\206\115\152\225\133\103\104
+\250\020\025\034\345\001\127\305\230\361\346\006\050\221\252\040
+\305\267\123\046\121\103\262\013\021\225\130\341\300\017\166\331
+\300\215\174\201\363\162\160\236\157\376\032\216\331\137\065\306
+\262\157\064\174\276\110\117\342\132\071\327\330\235\170\236\237
+\206\076\003\136\031\213\104\242\325\307\002\003\001\000\001\243
+\102\060\100\060\017\006\003\125\035\023\001\001\377\004\005\060
+\003\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004
+\003\002\001\006\060\035\006\003\125\035\016\004\026\004\024\277
+\131\040\066\000\171\240\240\042\153\214\325\362\141\322\270\054
+\313\202\112\060\015\006\011\052\206\110\206\367\015\001\001\013
+\005\000\003\202\001\001\000\061\003\242\141\013\037\164\350\162
+\066\306\155\371\115\236\372\042\250\341\201\126\317\315\273\237
+\352\253\221\031\070\257\252\174\025\115\363\266\243\215\245\364
+\216\366\104\251\247\350\041\225\255\076\000\142\026\210\360\002
+\272\374\141\043\346\063\233\060\172\153\066\142\173\255\004\043
+\204\130\145\342\333\053\212\347\045\123\067\142\123\137\274\332
+\001\142\051\242\246\047\161\346\072\042\176\301\157\035\225\160
+\040\112\007\064\337\352\377\025\200\345\272\327\172\330\133\165
+\174\005\172\051\107\176\100\250\061\023\167\315\100\073\264\121
+\107\172\056\021\343\107\021\336\235\146\320\213\325\124\146\372
+\203\125\352\174\302\051\211\033\351\157\263\316\342\005\204\311
+\057\076\170\205\142\156\311\137\301\170\143\164\130\300\110\030
+\014\231\071\353\244\314\032\265\171\132\215\025\234\330\024\015
+\366\172\007\127\307\042\203\005\055\074\233\045\046\075\030\263
+\251\103\174\310\310\253\144\217\016\243\277\234\033\235\060\333
+\332\320\031\056\252\074\361\373\063\200\166\344\315\255\031\117
+\005\047\216\023\241\156\302
+END
+
+# Trust for "T-TeleSec GlobalRoot Class 2"
+# Issuer: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
+# Serial Number: 1 (0x1)
+# Subject: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
+# Not Valid Before: Wed Oct 01 10:40:14 2008
+# Not Valid After : Sat Oct 01 23:59:59 2033
+# Fingerprint (MD5): 2B:9B:9E:E4:7B:6C:1F:00:72:1A:CC:C1:77:79:DF:6A
+# Fingerprint (SHA1): 59:0D:2D:7D:88:4F:40:2E:61:7E:A5:62:32:17:65:CF:17:D8:94:E9
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "T-TeleSec GlobalRoot Class 2"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\131\015\055\175\210\117\100\056\141\176\245\142\062\027\145\317
+\027\330\224\351
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\053\233\236\344\173\154\037\000\162\032\314\301\167\171\337\152
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\202\061\013\060\011\006\003\125\004\006\023\002\104\105
+\061\053\060\051\006\003\125\004\012\014\042\124\055\123\171\163
+\164\145\155\163\040\105\156\164\145\162\160\162\151\163\145\040
+\123\145\162\166\151\143\145\163\040\107\155\142\110\061\037\060
+\035\006\003\125\004\013\014\026\124\055\123\171\163\164\145\155
+\163\040\124\162\165\163\164\040\103\145\156\164\145\162\061\045
+\060\043\006\003\125\004\003\014\034\124\055\124\145\154\145\123
+\145\143\040\107\154\157\142\141\154\122\157\157\164\040\103\154
+\141\163\163\040\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\001\001
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "Atos TrustedRoot 2011"
+#
+# Issuer: C=DE,O=Atos,CN=Atos TrustedRoot 2011
+# Serial Number:5c:33:cb:62:2c:5f:b3:32
+# Subject: C=DE,O=Atos,CN=Atos TrustedRoot 2011
+# Not Valid Before: Thu Jul 07 14:58:30 2011
+# Not Valid After : Tue Dec 31 23:59:59 2030
+# Fingerprint (MD5): AE:B9:C4:32:4B:AC:7F:5D:66:CC:77:94:BB:2A:77:56
+# Fingerprint (SHA1): 2B:B1:F5:3E:55:0C:1D:C5:F1:D4:E6:B7:6A:46:4B:55:06:02:AC:21
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Atos TrustedRoot 2011"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\074\061\036\060\034\006\003\125\004\003\014\025\101\164\157
+\163\040\124\162\165\163\164\145\144\122\157\157\164\040\062\060
+\061\061\061\015\060\013\006\003\125\004\012\014\004\101\164\157
+\163\061\013\060\011\006\003\125\004\006\023\002\104\105
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\074\061\036\060\034\006\003\125\004\003\014\025\101\164\157
+\163\040\124\162\165\163\164\145\144\122\157\157\164\040\062\060
+\061\061\061\015\060\013\006\003\125\004\012\014\004\101\164\157
+\163\061\013\060\011\006\003\125\004\006\023\002\104\105
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\010\134\063\313\142\054\137\263\062
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\167\060\202\002\137\240\003\002\001\002\002\010\134
+\063\313\142\054\137\263\062\060\015\006\011\052\206\110\206\367
+\015\001\001\013\005\000\060\074\061\036\060\034\006\003\125\004
+\003\014\025\101\164\157\163\040\124\162\165\163\164\145\144\122
+\157\157\164\040\062\060\061\061\061\015\060\013\006\003\125\004
+\012\014\004\101\164\157\163\061\013\060\011\006\003\125\004\006
+\023\002\104\105\060\036\027\015\061\061\060\067\060\067\061\064
+\065\070\063\060\132\027\015\063\060\061\062\063\061\062\063\065
+\071\065\071\132\060\074\061\036\060\034\006\003\125\004\003\014
+\025\101\164\157\163\040\124\162\165\163\164\145\144\122\157\157
+\164\040\062\060\061\061\061\015\060\013\006\003\125\004\012\014
+\004\101\164\157\163\061\013\060\011\006\003\125\004\006\023\002
+\104\105\060\202\001\042\060\015\006\011\052\206\110\206\367\015
+\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202
+\001\001\000\225\205\073\227\157\052\073\056\073\317\246\363\051
+\065\276\317\030\254\076\252\331\370\115\240\076\032\107\271\274
+\232\337\362\376\314\076\107\350\172\226\302\044\216\065\364\251
+\014\374\202\375\155\301\162\142\047\275\352\153\353\347\212\314
+\124\076\220\120\317\200\324\225\373\350\265\202\324\024\305\266
+\251\125\045\127\333\261\120\366\260\140\144\131\172\151\317\003
+\267\157\015\276\312\076\157\164\162\352\252\060\052\163\142\276
+\111\221\141\310\021\376\016\003\052\367\152\040\334\002\025\015
+\136\025\152\374\343\202\301\265\305\235\144\011\154\243\131\230
+\007\047\307\033\226\053\141\164\161\154\103\361\367\065\211\020
+\340\236\354\125\241\067\042\242\207\004\005\054\107\175\264\034
+\271\142\051\146\050\312\267\341\223\365\244\224\003\231\271\160
+\205\265\346\110\352\215\120\374\331\336\314\157\007\016\335\013
+\162\235\200\060\026\007\225\077\050\016\375\305\165\117\123\326
+\164\232\264\044\056\216\002\221\317\166\305\233\036\125\164\234
+\170\041\261\360\055\361\013\237\302\325\226\030\037\360\124\042
+\172\214\007\002\003\001\000\001\243\175\060\173\060\035\006\003
+\125\035\016\004\026\004\024\247\245\006\261\054\246\011\140\356
+\321\227\351\160\256\274\073\031\154\333\041\060\017\006\003\125
+\035\023\001\001\377\004\005\060\003\001\001\377\060\037\006\003
+\125\035\043\004\030\060\026\200\024\247\245\006\261\054\246\011
+\140\356\321\227\351\160\256\274\073\031\154\333\041\060\030\006
+\003\125\035\040\004\021\060\017\060\015\006\013\053\006\001\004
+\001\260\055\003\004\001\001\060\016\006\003\125\035\017\001\001
+\377\004\004\003\002\001\206\060\015\006\011\052\206\110\206\367
+\015\001\001\013\005\000\003\202\001\001\000\046\167\064\333\224
+\110\206\052\101\235\054\076\006\220\140\304\214\254\013\124\270
+\037\271\173\323\007\071\344\372\076\173\262\075\116\355\237\043
+\275\227\363\153\134\357\356\375\100\246\337\241\223\241\012\206
+\254\357\040\320\171\001\275\170\367\031\330\044\061\064\004\001
+\246\272\025\232\303\047\334\330\117\017\314\030\143\377\231\017
+\016\221\153\165\026\341\041\374\330\046\307\107\267\246\317\130
+\162\161\176\272\341\115\225\107\073\311\257\155\241\264\301\354
+\211\366\264\017\070\265\342\144\334\045\317\246\333\353\232\134
+\231\241\305\010\336\375\346\332\325\326\132\105\014\304\267\302
+\265\024\357\264\021\377\016\025\265\365\365\333\306\275\353\132
+\247\360\126\042\251\074\145\124\306\025\250\275\206\236\315\203
+\226\150\172\161\201\211\341\013\341\352\021\033\150\010\314\151
+\236\354\236\101\236\104\062\046\172\342\207\012\161\075\353\344
+\132\244\322\333\305\315\306\336\140\177\271\363\117\104\222\357
+\052\267\030\076\247\031\331\013\175\261\067\101\102\260\272\140
+\035\362\376\011\021\260\360\207\173\247\235
+END
+
+# Trust for "Atos TrustedRoot 2011"
+# Issuer: C=DE,O=Atos,CN=Atos TrustedRoot 2011
+# Serial Number:5c:33:cb:62:2c:5f:b3:32
+# Subject: C=DE,O=Atos,CN=Atos TrustedRoot 2011
+# Not Valid Before: Thu Jul 07 14:58:30 2011
+# Not Valid After : Tue Dec 31 23:59:59 2030
+# Fingerprint (MD5): AE:B9:C4:32:4B:AC:7F:5D:66:CC:77:94:BB:2A:77:56
+# Fingerprint (SHA1): 2B:B1:F5:3E:55:0C:1D:C5:F1:D4:E6:B7:6A:46:4B:55:06:02:AC:21
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Atos TrustedRoot 2011"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\053\261\365\076\125\014\035\305\361\324\346\267\152\106\113\125
+\006\002\254\041
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\256\271\304\062\113\254\177\135\146\314\167\224\273\052\167\126
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\074\061\036\060\034\006\003\125\004\003\014\025\101\164\157
+\163\040\124\162\165\163\164\145\144\122\157\157\164\040\062\060
+\061\061\061\015\060\013\006\003\125\004\012\014\004\101\164\157
+\163\061\013\060\011\006\003\125\004\006\023\002\104\105
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\010\134\063\313\142\054\137\263\062
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
--- a/security/nss/lib/ckfw/builtins/nssckbi.h
+++ b/security/nss/lib/ckfw/builtins/nssckbi.h
@@ -40,18 +40,18 @@
  *     ...
  *   - NSS 3.29 branch: 250-255
  *
  * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
  * whether we may use its full range (0-255) or only 0-99 because
  * of the comment in the CK_VERSION type definition.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 96
-#define NSS_BUILTINS_LIBRARY_VERSION "1.96"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 97
+#define NSS_BUILTINS_LIBRARY_VERSION "1.97"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
 #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
 
 /* These version numbers detail the semantic changes to ckbi itself 
  * (new PKCS #11 objects), etc. */
 #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
--- a/security/nss/lib/freebl/config.mk
+++ b/security/nss/lib/freebl/config.mk
@@ -49,19 +49,19 @@ ifeq (,$(filter-out WIN%,$(OS_TARGET)))
 
 # don't want the 32 in the shared library name
 SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
 
 RES     = $(OBJDIR)/$(LIBRARY_NAME).res
 RESNAME = freebl.rc
 
 ifdef NS_USE_GCC
-OS_LIBS += -lshell32
+OS_LIBS += -ladvapi32
 else
-OS_LIBS += shell32.lib
+OS_LIBS += advapi32.lib
 endif
 
 ifdef NS_USE_GCC
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib \
 	-L$(NSSUTIL_LIB_DIR) \
 	-lnssutil3 \
 	-L$(NSPR_LIB_DIR) \
--- a/security/nss/lib/freebl/rsapkcs.c
+++ b/security/nss/lib/freebl/rsapkcs.c
@@ -19,26 +19,24 @@
 #define RSA_BLOCK_MIN_PAD_LEN            8
 #define RSA_BLOCK_FIRST_OCTET            0x00
 #define RSA_BLOCK_PRIVATE_PAD_OCTET      0xff
 #define RSA_BLOCK_AFTER_PAD_OCTET        0x00
 
 /*
  * RSA block types
  *
- * The actual values are important -- they are fixed, *not* arbitrary.
- * The explicit value assignments are not needed (because C would give
- * us those same values anyway) but are included as a reminder...
+ * The values of RSA_BlockPrivate and RSA_BlockPublic are fixed.
+ * The value of RSA_BlockRaw isn't fixed by definition, but we are keeping
+ * the value that NSS has been using in the past.
  */
 typedef enum {
-    RSA_BlockUnused = 0,    /* unused */
     RSA_BlockPrivate = 1,   /* pad for a private-key operation */
     RSA_BlockPublic = 2,    /* pad for a public-key operation */
-    RSA_BlockRaw = 4,       /* simply justify the block appropriately */
-    RSA_BlockTotal
+    RSA_BlockRaw = 4        /* simply justify the block appropriately */
 } RSA_BlockType;
 
 /* Needed for RSA-PSS functions */
 static const unsigned char eightZeros[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
 
 /* Constant time comparison of a single byte.
  * Returns 1 iff a == b, otherwise returns 0.
  * Note: For ranges of bytes, use constantTimeCompare.
--- a/security/nss/lib/freebl/sysrand.c
+++ b/security/nss/lib/freebl/sysrand.c
@@ -3,28 +3,31 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
 #endif
 
 #include "seccomon.h"
 
+#ifndef XP_WIN
 static size_t rng_systemFromNoise(unsigned char *dest, size_t maxLen);
+#endif
 
 #if defined(XP_UNIX) || defined(XP_BEOS)
 #include "unix_rand.c"
 #endif
 #ifdef XP_WIN
 #include "win_rand.c"
 #endif
 #ifdef XP_OS2
 #include "os2_rand.c"
 #endif
 
+#ifndef XP_WIN
 /*
  * Normal RNG_SystemRNG() isn't available, use the system noise to collect
  * the required amount of entropy.
  */
 static size_t 
 rng_systemFromNoise(unsigned char *dest, size_t maxLen) 
 {
    size_t retBytes = maxLen;
@@ -38,9 +41,9 @@ rng_systemFromNoise(unsigned char *dest,
 	maxLen -= nbytes;
 
 	/* some hw op to try to introduce more entropy into the next
 	 * RNG_GetNoise call */
 	rng_systemJitter();
    }
    return retBytes;
 }
-
+#endif
--- a/security/nss/lib/freebl/win_rand.c
+++ b/security/nss/lib/freebl/win_rand.c
@@ -1,31 +1,17 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "secrng.h"
-#include "secerr.h"
 
 #ifdef XP_WIN
 #include <windows.h>
-#include <shlobj.h>     /* for CSIDL constants */
 #include <time.h>
-#include <io.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <stdio.h>
-#include "prio.h"
-#include "prerror.h"
-
-static PRInt32  filesToRead;
-static DWORD    totalFileBytes;
-static DWORD    maxFileBytes	= 250000;	/* 250 thousand */
-static DWORD    dwNumFiles, dwReadEvery, dwFileToRead;
-static PRBool   usedWindowsPRNG;
 
 static BOOL
 CurrentClockTickTime(LPDWORD lpdwHigh, LPDWORD lpdwLow)
 {
     LARGE_INTEGER   liCount;
 
     if (!QueryPerformanceCounter(&liCount))
         return FALSE;
@@ -79,178 +65,16 @@ size_t RNG_GetNoise(void *buf, size_t ma
     time(&sTime);
     nBytes = sizeof(sTime) > maxbuf ? maxbuf : sizeof(sTime);
     memcpy(((char *)buf) + n, &sTime, nBytes);
     n += nBytes;
 
     return n;
 }
 
-typedef PRInt32 (* Handler)(const PRUnichar *);
-#define MAX_DEPTH 2
-#define MAX_FOLDERS 4
-#define MAX_FILES 1024
-
-static void
-EnumSystemFilesInFolder(Handler func, PRUnichar* szSysDir, int maxDepth) 
-{
-    int                 iContinue;
-    unsigned int        uFolders  = 0;
-    unsigned int        uFiles    = 0;
-    HANDLE              lFindHandle;
-    WIN32_FIND_DATAW    fdData;
-    PRUnichar           szFileName[_MAX_PATH];
-
-    if (maxDepth < 0)
-    	return;
-    // append *.* so we actually look for files.
-    _snwprintf(szFileName, _MAX_PATH, L"%s\\*.*", szSysDir);
-    szFileName[_MAX_PATH - 1] = L'\0';
-
-    lFindHandle = FindFirstFileW(szFileName, &fdData);
-    if (lFindHandle == INVALID_HANDLE_VALUE)
-        return;
-    do {
-	iContinue = 1;
-	if (wcscmp(fdData.cFileName, L".") == 0 ||
-            wcscmp(fdData.cFileName, L"..") == 0) {
-	    // skip "." and ".."
-	} else {
-	    // pass the full pathname to the callback
-	    _snwprintf(szFileName, _MAX_PATH, L"%s\\%s", szSysDir, 
-		       fdData.cFileName);
-	    szFileName[_MAX_PATH - 1] = L'\0';
-	    if (fdData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
-		if (++uFolders <= MAX_FOLDERS)
-		    EnumSystemFilesInFolder(func, szFileName, maxDepth - 1);
-	    } else {
-		iContinue = (++uFiles <= MAX_FILES) && !(*func)(szFileName);
-	    }
-	}
-	if (iContinue)
-	    iContinue = FindNextFileW(lFindHandle, &fdData);
-    } while (iContinue);
-    FindClose(lFindHandle);
-}
-
-static BOOL
-EnumSystemFiles(Handler func)
-{
-    PRUnichar szSysDir[_MAX_PATH];
-    static const int folders[] = {
-    	CSIDL_BITBUCKET,  
-	CSIDL_RECENT,
-	CSIDL_INTERNET_CACHE, 
-	CSIDL_HISTORY,
-	0
-    };
-    int i = 0;
-    if (_MAX_PATH > (i = GetTempPathW(_MAX_PATH, szSysDir))) {
-        if (i > 0 && szSysDir[i-1] == L'\\')
-	    szSysDir[i-1] = L'\0'; // we need to lop off the trailing slash
-        EnumSystemFilesInFolder(func, szSysDir, MAX_DEPTH);
-    }
-    for(i = 0; folders[i]; i++) {
-        DWORD rv = SHGetSpecialFolderPathW(NULL, szSysDir, folders[i], 0);
-        if (szSysDir[0])
-            EnumSystemFilesInFolder(func, szSysDir, MAX_DEPTH);
-        szSysDir[0] =  L'\0';
-    }
-    return PR_TRUE;
-}
-
-static PRInt32
-CountFiles(const PRUnichar *file)
-{
-    dwNumFiles++;
-    return 0;
-}
-
-static int
-ReadSingleFile(const char *filename)
-{
-    PRFileDesc *    file;
-    unsigned char   buffer[1024];
-
-    file = PR_Open(filename, PR_RDONLY, 0);
-    if (file != NULL) {
-	while (PR_Read(file, buffer, sizeof buffer) > 0)
-	    ;
-        PR_Close(file);
-    }
-    return (file != NULL);
-}
-
-static PRInt32
-ReadOneFile(const PRUnichar *szFileName)
-{
-    char narrowFileName[_MAX_PATH];
-
-    if (dwNumFiles == dwFileToRead) {
-	int success = WideCharToMultiByte(CP_ACP, 0, szFileName, -1, 
-					  narrowFileName, _MAX_PATH, 
-					  NULL, NULL);
-	if (success)
-	    success = ReadSingleFile(narrowFileName);
-    	if (!success)
-	    dwFileToRead++; /* couldn't read this one, read the next one. */
-    }
-    dwNumFiles++;
-    return dwNumFiles > dwFileToRead;
-}
-
-static PRInt32
-ReadFiles(const PRUnichar *szFileName)
-{
-    char narrowFileName[_MAX_PATH];
-
-    if ((dwNumFiles % dwReadEvery) == 0) {
-	++filesToRead;
-    }
-    if (filesToRead) {
-	DWORD prevFileBytes = totalFileBytes;
-	int   iContinue     = WideCharToMultiByte(CP_ACP, 0, szFileName, -1, 
-						  narrowFileName, _MAX_PATH, 
-						  NULL, NULL);
-	if (iContinue) {
-	    RNG_FileForRNG(narrowFileName);
-	}
-	if (prevFileBytes < totalFileBytes) {
-	    --filesToRead;
-	}
-    }
-    dwNumFiles++;
-    return (totalFileBytes >= maxFileBytes);
-}
-
-static void
-ReadSystemFiles(void)
-{
-    // first count the number of files
-    dwNumFiles = 0;
-    if (!EnumSystemFiles(CountFiles))
-        return;
-
-    RNG_RandomUpdate(&dwNumFiles, sizeof(dwNumFiles));
-
-    // now read the first 10 readable files, then 10 or 11 files
-    // spread throughout the system directory
-    filesToRead = 10;
-    if (dwNumFiles == 0)
-        return;
-
-    dwReadEvery = dwNumFiles / 10;
-    if (dwReadEvery == 0)
-        dwReadEvery = 1;  // less than 10 files
-
-    dwNumFiles = 0;
-    totalFileBytes = 0;
-    EnumSystemFiles(ReadFiles);
-}
-
 void RNG_SystemInfoForRNG(void)
 {
     DWORD           dwVal;
     char            buffer[256];
     int             nBytes;
     MEMORYSTATUS    sMem;
     HANDLE          hVal;
     DWORD           dwSerialNum;
@@ -303,96 +127,33 @@ void RNG_SystemInfoForRNG(void)
     if (GetDiskFreeSpace(NULL, &dwSectors, &dwBytes, &dwFreeClusters, 
                          &dwNumClusters)) {
         RNG_RandomUpdate(&dwSectors,      sizeof(dwSectors));
         RNG_RandomUpdate(&dwBytes,        sizeof(dwBytes));
         RNG_RandomUpdate(&dwFreeClusters, sizeof(dwFreeClusters));
         RNG_RandomUpdate(&dwNumClusters,  sizeof(dwNumClusters));
     }
 
-    // Skip the potentially slow file scanning if the OS's PRNG worked.
-    if (!usedWindowsPRNG)
-	ReadSystemFiles();
-
-    nBytes = RNG_GetNoise(buffer, 20);  // get up to 20 bytes
-    RNG_RandomUpdate(buffer, nBytes);
-}
-
-static void rng_systemJitter(void)
-{   
-    dwNumFiles = 0;
-    EnumSystemFiles(ReadOneFile);
-    dwFileToRead++;
-    if (dwFileToRead >= dwNumFiles) {
-	dwFileToRead = 0;
-    }
-}
-
-
-void RNG_FileForRNG(const char *filename)
-{
-    FILE*           file;
-    int             nBytes;
-    struct stat     stat_buf;
-    unsigned char   buffer[1024];
-
-    /* windows doesn't initialize all the bytes in the stat buf,
-     * so initialize them all here to avoid UMRs.
-     */
-    memset(&stat_buf, 0, sizeof stat_buf);
-
-    if (stat((char *)filename, &stat_buf) < 0)
-        return;
-
-    RNG_RandomUpdate((unsigned char*)&stat_buf, sizeof(stat_buf));
-
-    file = fopen((char *)filename, "r");
-    if (file != NULL) {
-        for (;;) {
-            size_t  bytes = fread(buffer, 1, sizeof(buffer), file);
-
-            if (bytes == 0)
-                break;
-
-            RNG_RandomUpdate(buffer, bytes);
-            totalFileBytes += bytes;
-            if (totalFileBytes > maxFileBytes)
-                break;
-        }
-
-        fclose(file);
-    }
-
     nBytes = RNG_GetNoise(buffer, 20);  // get up to 20 bytes
     RNG_RandomUpdate(buffer, nBytes);
 }
 
 
 /*
- * Windows XP and Windows Server 2003 and later have RtlGenRandom,
- * which must be looked up by the name SystemFunction036.
+ * The RtlGenRandom function is declared in <ntsecapi.h>, but the
+ * declaration is missing a calling convention specifier. So we
+ * declare it manually here.
  */
-typedef BOOLEAN
-(APIENTRY *RtlGenRandomFn)(
+#define RtlGenRandom SystemFunction036
+DECLSPEC_IMPORT BOOLEAN WINAPI RtlGenRandom(
     PVOID RandomBuffer,
     ULONG RandomBufferLength);
 
 size_t RNG_SystemRNG(void *dest, size_t maxLen)
 {
-    HMODULE hModule;
-    RtlGenRandomFn pRtlGenRandom;
     size_t bytes = 0;
 
-    usedWindowsPRNG = PR_FALSE;
-    hModule = LoadLibrary("advapi32.dll");
-    if (hModule == NULL) {
-	return bytes;
+    if (RtlGenRandom(dest, maxLen)) {
+	bytes = maxLen;
     }
-    pRtlGenRandom = (RtlGenRandomFn)
-	GetProcAddress(hModule, "SystemFunction036");
-    if (pRtlGenRandom && pRtlGenRandom(dest, maxLen)) {
-	bytes = maxLen;
-	usedWindowsPRNG = PR_TRUE;
-    }
-    FreeLibrary(hModule);
     return bytes;
 }
 #endif  /* is XP_WIN */
--- a/security/nss/lib/libpkix/include/pkix_errorstrings.h
+++ b/security/nss/lib/libpkix/include/pkix_errorstrings.h
@@ -571,17 +571,19 @@ PKIX_ERRORENTRY(ILLEGALUSEOFAMP,Illegal 
 PKIX_ERRORENTRY(IMPOSSIBLECRITERIONFORCRLQUERY,Impossible criterion for Crl Query,SEC_ERROR_INVALID_ARGS),
 PKIX_ERRORENTRY(INDEXOUTOFBOUNDS,Index out of bounds,SEC_ERROR_LIBPKIX_INTERNAL),
 PKIX_ERRORENTRY(INESCAPEDASCII,in EscapedASCII,0),
 PKIX_ERRORENTRY(INFOACCESSCREATEFAILED,pkix_pl_InfoAccess_Create failed,0),
 PKIX_ERRORENTRY(INFOACCESSCREATELISTFAILED,pkix_pl_InfoAccess_CreateList failed,0),
 PKIX_ERRORENTRY(INFOACCESSGETLOCATIONFAILED,PKIX_PL_InfoAccess_GetLocation failed,0),
 PKIX_ERRORENTRY(INFOACCESSGETLOCATIONTYPEFAILED,PKIX_PL_InfoAccess_GetLocationType failed,0),
 PKIX_ERRORENTRY(INFOACCESSGETMETHODFAILED,PKIX_PL_InfoAccess_GetMethod failed,0),
+#ifndef NSS_PKIX_NO_LDAP
 PKIX_ERRORENTRY(INFOACCESSPARSELOCATIONFAILED,pkix_pl_InfoAccess_ParseLocation failed,SEC_ERROR_BAD_INFO_ACCESS_LOCATION),
+#endif
 PKIX_ERRORENTRY(INFOACCESSPARSETOKENSFAILED,pkix_pl_InfoAccess_ParseTokens failed,SEC_ERROR_BAD_INFO_ACCESS_LOCATION),
 PKIX_ERRORENTRY(INITIALIZECHECKERSFAILED,pkix_InitializeCheckers failed,0),
 PKIX_ERRORENTRY(INITIALIZEFAILED,PKIX_PL_Initialize failed,0),
 PKIX_ERRORENTRY(INPUTLISTMUSTBEHEADER,Input List must be header,SEC_ERROR_INVALID_ARGS),
 PKIX_ERRORENTRY(INPUTLISTSMUSTBELISTHEADERS,Input Lists must be list headers,SEC_ERROR_INVALID_ARGS),
 PKIX_ERRORENTRY(INSUFFICIENTCRITERIAFORCERTQUERY,Insufficient criteria for Cert query,0),
 PKIX_ERRORENTRY(INSUFFICIENTCRITERIAFORCRLQUERY,Insufficient criteria for Crl Query,0),
 PKIX_ERRORENTRY(INTRUSTEDCERT,in Trusted Cert,0),
--- a/security/nss/lib/libpkix/include/pkix_pl_pki.h
+++ b/security/nss/lib/libpkix/include/pkix_pl_pki.h
@@ -1264,29 +1264,33 @@ PKIX_PL_Cert_AreCertPoliciesCritical(
  *  does nothing.
  *
  * PARAMETERS:
  *  "cert"
  *      Address of Cert whose subject names are to be checked.
  *      Must be non-NULL.
  *  "nameConstraints"
  *      Address of CertNameConstraints that need to be satisfied.
+ *  "treatCommonNameAsDNSName"
+ *      PKIX_TRUE if the subject common name should be considered a dNSName
+ *      when evaluating name constraints.
  *  "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds.
  *  Returns a Cert Error if the function fails in a non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 PKIX_Error *
 PKIX_PL_Cert_CheckNameConstraints(
         PKIX_PL_Cert *cert,
         PKIX_PL_CertNameConstraints *nameConstraints,
+        PKIX_Boolean treatCommonNameAsDNSName,
         void *plContext);
 
 /*
  * FUNCTION: PKIX_PL_Cert_MergeNameConstraints
  * DESCRIPTION:
  *
  *  Merges the CertNameConstraints pointed to by "firstNC" and the
  *  CertNameConstraints pointed to by "secondNC" and stores the merged
@@ -1822,17 +1826,19 @@ PKIX_PL_Cert_GetCrlDp(PKIX_PL_Cert *cert
 
 #define PKIX_INFOACCESS_OCSP          1
 #define PKIX_INFOACCESS_CA_ISSUERS    2
 #define PKIX_INFOACCESS_TIMESTAMPING  3
 #define PKIX_INFOACCESS_CA_REPOSITORY 5
 
 #define PKIX_INFOACCESS_LOCATION_UNKNOWN 0
 #define PKIX_INFOACCESS_LOCATION_HTTP    1
+#ifndef NSS_PKIX_NO_LDAP
 #define PKIX_INFOACCESS_LOCATION_LDAP    2
+#endif
 
 /*
  * FUNCTION: PKIX_PL_InfoAccess_GetMethod
  * DESCRIPTION:
  *
  *  Stores the method of the Information Access from "infoAccess" and
  *  returns in "pMethod".
  *
--- a/security/nss/lib/libpkix/include/pkix_sample_modules.h
+++ b/security/nss/lib/libpkix/include/pkix_sample_modules.h
@@ -112,16 +112,17 @@ PKIX_PL_CollectionCertStore_Create(
  *  Returns a CertStore Error if the function fails in a non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 PKIX_Error *
 PKIX_PL_Pk11CertStore_Create(
         PKIX_CertStore **pPk11CertStore,
         void *plContext);
 
+#ifndef NSS_PKIX_NO_LDAP
 /* PKIX_PL_LdapCertStore
  *
  * A PKIX_PL_LdapCertStore retrieves certificates and CRLs from an LDAP server
  * over a socket connection. It used the LDAP protocol as described in RFC1777.
  *
  * Once the caller has created the LdapCertStore object, the caller can call
  * pkix_pl_LdapCertStore_GetCert or pkix_pl_LdapCertStore_GetCert to obtain
  * a List of PKIX_PL_Certs or PKIX_PL_CRL objects, respectively.
@@ -244,16 +245,17 @@ PKIX_PL_LdapDefaultClient_CreateByName(
  *  Returns a CertStore Error if the function fails in a non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 PKIX_Error *
 PKIX_PL_LdapCertStore_Create(
         PKIX_PL_LdapClient *client,
         PKIX_CertStore **pCertStore,
         void *plContext);
+#endif /* !NSS_PKIX_NO_LDAP */
 
 /* PKIX_PL_NssContext
  *
  * A PKIX_PL_NssContext provides an example showing how the "plContext"
  * argument, that is part of every libpkix function call, can be used.
  * The "plContext" is the Portability Layer Context, which can be used
  * to communicate layer-specific information from the application to the
  * underlying Portability Layer (while bypassing the Portable Code, which
--- a/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c
+++ b/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c
@@ -420,19 +420,23 @@ pkix_CertSelector_Match_NameConstraints(
         PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_NameConstraints");
         PKIX_NULLCHECK_THREE(params, cert, pResult);
 
         PKIX_CHECK(PKIX_ComCertSelParams_GetNameConstraints
                 (params, &nameConstraints, plContext),
                 PKIX_COMCERTSELPARAMSGETNAMECONSTRAINTSFAILED);
 
         if (nameConstraints != NULL) {
-
+                /* As only the end-entity certificate should have
+                 * the common name constrained as if it was a dNSName,
+                 * do not constrain the common name when building a
+                 * forward path.
+                 */
                 PKIX_CHECK(PKIX_PL_Cert_CheckNameConstraints
-                    (cert, nameConstraints, plContext),
+                    (cert, nameConstraints, PKIX_FALSE, plContext),
                     PKIX_CERTCHECKNAMECONSTRAINTSFAILED);
         }
 
 cleanup:
         if (PKIX_ERROR_RECEIVED) {
             *pResult = PKIX_FALSE;
         }
 
--- a/security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c
@@ -162,41 +162,44 @@ pkix_NameConstraintsChecker_Check(
         PKIX_List *unresolvedCriticalExtensions,
         void **pNBIOContext,
         void *plContext)
 {
         pkix_NameConstraintsCheckerState *state = NULL;
         PKIX_PL_CertNameConstraints *nameConstraints = NULL;
         PKIX_PL_CertNameConstraints *mergedNameConstraints = NULL;
         PKIX_Boolean selfIssued = PKIX_FALSE;
+        PKIX_Boolean lastCert = PKIX_FALSE;
 
         PKIX_ENTER(CERTCHAINCHECKER, "pkix_NameConstraintsChecker_Check");
         PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
 
         *pNBIOContext = NULL; /* we never block on pending I/O */
 
         PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
                     (checker, (PKIX_PL_Object **)&state, plContext),
                     PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
 
         state->certsRemaining--;
+        lastCert = state->certsRemaining == 0;
 
         /* Get status of self issued */
         PKIX_CHECK(pkix_IsCertSelfIssued(cert, &selfIssued, plContext),
                     PKIX_ISCERTSELFISSUEDFAILED);
 
         /* Check on non self-issued and if so only for last cert */
         if (selfIssued == PKIX_FALSE ||
-            (selfIssued == PKIX_TRUE && state->certsRemaining == 0)) {
+            (selfIssued == PKIX_TRUE && lastCert)) {
                 PKIX_CHECK(PKIX_PL_Cert_CheckNameConstraints
-                    (cert, state->nameConstraints, plContext),
+                    (cert, state->nameConstraints, lastCert,
+                      plContext),
                     PKIX_CERTCHECKNAMECONSTRAINTSFAILED);
         }
 
-        if (state->certsRemaining != 0) {
+        if (!lastCert) {
 
             PKIX_CHECK(PKIX_PL_Cert_GetNameConstraints
                     (cert, &nameConstraints, plContext),
                     PKIX_CERTGETNAMECONSTRAINTSFAILED);
 
             /* Merge with previous name constraints kept in state */
 
             if (nameConstraints != NULL) {
--- a/security/nss/lib/libpkix/pkix/params/pkix_trustanchor.c
+++ b/security/nss/lib/libpkix/pkix/params/pkix_trustanchor.c
@@ -364,17 +364,21 @@ PKIX_TrustAnchor_CreateWithCert(
             PKIX_PL_Cert_SetAsTrustAnchor(cert, plContext),
             PKIX_CERTSETASTRUSTANCHORFAILED);
 
         PKIX_INCREF(cert);
         anchor->trustedCert = cert;
 
         anchor->caName = NULL;
         anchor->caPubKey = NULL;
-        anchor->nameConstraints = NULL;
+
+        PKIX_CHECK(PKIX_PL_Cert_GetNameConstraints
+                    (anchor->trustedCert, &anchor->nameConstraints, plContext),
+                    PKIX_CERTGETNAMECONSTRAINTSFAILED);
+
 
         *pAnchor = anchor;
         anchor = NULL;
 
 cleanup:
 
         PKIX_DECREF(anchor);
 
--- a/security/nss/lib/libpkix/pkix/top/pkix_build.h
+++ b/security/nss/lib/libpkix/pkix/top/pkix_build.h
@@ -6,17 +6,19 @@
  *
  * Header file for buildChain function
  *
  */
 
 #ifndef _PKIX_BUILD_H
 #define _PKIX_BUILD_H
 #include "pkix_tools.h"
+#ifndef NSS_PKIX_NO_LDAP
 #include "pkix_pl_ldapt.h"
+#endif
 #include "pkix_ekuchecker.h"
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
 typedef enum {
         BUILD_SHORTCUTPENDING,
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/config.mk
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/config.mk
@@ -8,8 +8,28 @@
 #  are specifed as dependencies within rules.mk.
 #
 
 TARGETS        = $(LIBRARY)
 SHARED_LIBRARY =
 IMPORT_LIBRARY =
 PROGRAM        =
 
+ifdef NSS_PKIX_NO_LDAP
+LDAP_HEADERS =
+LDAP_CSRCS =
+else
+LDAP_HEADERS = \
+	pkix_pl_ldapt.h \
+	pkix_pl_ldapcertstore.h \
+	pkix_pl_ldapresponse.h \
+	pkix_pl_ldaprequest.h \
+	pkix_pl_ldapdefaultclient.h \
+ 	$(NULL)
+ 
+LDAP_CSRCS = \
+	pkix_pl_ldaptemplates.c \
+	pkix_pl_ldapcertstore.c \
+	pkix_pl_ldapresponse.c \
+	pkix_pl_ldaprequest.c \
+	pkix_pl_ldapdefaultclient.c \
+ 	$(NULL)
+endif
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/manifest.mn
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/manifest.mn
@@ -7,40 +7,32 @@ CORE_DEPTH = ../../../..
 EXPORTS = \
 	$(NULL)
 
 PRIVATE_EXPORTS = \
 	pkix_pl_aiamgr.h \
 	pkix_pl_colcertstore.h \
 	pkix_pl_httpcertstore.h \
 	pkix_pl_httpdefaultclient.h \
-	pkix_pl_ldapt.h \
-	pkix_pl_ldapcertstore.h \
-	pkix_pl_ldapresponse.h \
-	pkix_pl_ldaprequest.h \
-	pkix_pl_ldapdefaultclient.h \
+	$(LDAP_HEADERS) \
 	pkix_pl_nsscontext.h \
 	pkix_pl_pk11certstore.h \
 	pkix_pl_socket.h \
 	$(NULL)
 
 MODULE = nss
 
 DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DSHLIB_VERSION=\"$(LIBRARY_VERSION)\"
 
 
 CSRCS = \
 	pkix_pl_aiamgr.c \
 	pkix_pl_colcertstore.c \
 	pkix_pl_httpcertstore.c \
 	pkix_pl_httpdefaultclient.c \
-	pkix_pl_ldaptemplates.c \
-	pkix_pl_ldapcertstore.c \
-	pkix_pl_ldapresponse.c \
-	pkix_pl_ldaprequest.c \
-	pkix_pl_ldapdefaultclient.c \
+	$(LDAP_CSRCS) \
 	pkix_pl_nsscontext.c \
 	pkix_pl_pk11certstore.c \
 	pkix_pl_socket.c \
 	$(NULL)
 
 LIBRARY_NAME = pkixmodule
 
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.c
@@ -6,16 +6,17 @@
  *
  * AIAMgr Object Definitions
  *
  */
 
 #include "pkix_pl_aiamgr.h"
 extern PKIX_PL_HashTable *aiaConnectionCache;
 
+#ifndef NSS_PKIX_NO_LDAP
 /* --Virtual-LdapClient-Functions------------------------------------ */
 
 PKIX_Error *
 PKIX_PL_LdapClient_InitiateRequest(
         PKIX_PL_LdapClient *client,
         LDAPRequestParams *requestParams,
         void **pNBIO,
         PKIX_List **pResponse,
@@ -46,16 +47,17 @@ PKIX_PL_LdapClient_ResumeRequest(
         PKIX_CHECK(client->resumeFcn
                 (client, pNBIO, pResponse, plContext),
                 PKIX_LDAPCLIENTRESUMEREQUESTFAILED);
 cleanup:
 
         PKIX_RETURN(LDAPCLIENT);
 
 }
+#endif /* !NSS_PKIX_NO_LDAP */
 
 /* --Private-AIAMgr-Functions----------------------------------*/
 
 /*
  * FUNCTION: pkix_pl_AIAMgr_Destroy
  * (see comments for PKIX_PL_DestructorCallback in pkix_pl_pki.h)
  */
 static PKIX_Error *
@@ -76,17 +78,19 @@ pkix_pl_AIAMgr_Destroy(
         /* pointer to cert cache */
         /* pointer to crl cache */
         aiaMgr->method = 0;
         aiaMgr->aiaIndex = 0;
         aiaMgr->numAias = 0;
         PKIX_DECREF(aiaMgr->aia);
         PKIX_DECREF(aiaMgr->location);
         PKIX_DECREF(aiaMgr->results);
+#ifndef NSS_PKIX_NO_LDAP
         PKIX_DECREF(aiaMgr->client.ldapClient);
+#endif
 
 cleanup:
 
         PKIX_RETURN(AIAMGR);
 }
 
 /*
  * FUNCTION: pkix_pl_AIAMgr_RegisterSelf
@@ -109,16 +113,17 @@ pkix_pl_AIAMgr_RegisterSelf(void *plCont
 
         entry->description = "AIAMgr";
         entry->typeObjectSize = sizeof(PKIX_PL_AIAMgr);
         entry->destructor = pkix_pl_AIAMgr_Destroy;
 
         PKIX_RETURN(AIAMGR);
 }
 
+#ifndef NSS_PKIX_NO_LDAP
 /*
  * FUNCTION: pkix_pl_AiaMgr_FindLDAPClient
  * DESCRIPTION:
  *
  *  This function checks the collection of LDAPClient connections held by the
  *  AIAMgr pointed to by "aiaMgr" for one matching the domain name given by
  *  "domainName". The string may include a port number: e.g., "betty.nist.gov"
  *  or "nss.red.iplanet.com:1389". If a match is found, that LDAPClient is
@@ -207,16 +212,17 @@ pkix_pl_AiaMgr_FindLDAPClient(
         *pClient = (PKIX_PL_LdapClient *)client;
 
 cleanup:
 
         PKIX_DECREF(domainString);
 
         PKIX_RETURN(AIAMGR);
 }
+#endif /* !NSS_PKIX_NO_LDAP */
 
 PKIX_Error *
 pkix_pl_AIAMgr_GetHTTPCerts(
         PKIX_PL_AIAMgr *aiaMgr,
 	PKIX_PL_InfoAccess *ia,
 	void **pNBIOContext,
 	PKIX_List **pCerts,
         void *plContext)
@@ -383,16 +389,17 @@ cleanup:
         }
         if (path) {
             PORT_Free(path);
         }
 
         PKIX_RETURN(AIAMGR);
 }
 
+#ifndef NSS_PKIX_NO_LDAP
 PKIX_Error *
 pkix_pl_AIAMgr_GetLDAPCerts(
         PKIX_PL_AIAMgr *aiaMgr,
 	PKIX_PL_InfoAccess *ia,
 	void **pNBIOContext,
 	PKIX_List **pCerts,
         void *plContext)
 {
@@ -491,16 +498,17 @@ cleanup:
         if (PKIX_ERROR_RECEIVED) {
 	        PKIX_DECREF(aiaMgr->client.ldapClient);
 	}
 
         PKIX_DECREF(location);
 
         PKIX_RETURN(AIAMGR);
 }
+#endif /* !NSS_PKIX_NO_LDAP */
 
 /*
  * FUNCTION: PKIX_PL_AIAMgr_Create
  * DESCRIPTION:
  *
  *  This function creates an AIAMgr, storing the result at "pAIAMgr".
  *
  * PARAMETERS:
@@ -627,20 +635,22 @@ PKIX_PL_AIAMgr_GetAIACerts(
                 PKIX_CHECK(PKIX_PL_InfoAccess_GetLocationType
                         (ia, &iaType, plContext),
                         PKIX_INFOACCESSGETLOCATIONTYPEFAILED);
 
                 if (iaType == PKIX_INFOACCESS_LOCATION_HTTP) {
 			PKIX_CHECK(pkix_pl_AIAMgr_GetHTTPCerts
 				(aiaMgr, ia, &nbio, &certs, plContext),
 				PKIX_AIAMGRGETHTTPCERTSFAILED);
+#ifndef NSS_PKIX_NO_LDAP
                 } else if (iaType == PKIX_INFOACCESS_LOCATION_LDAP) {
 			PKIX_CHECK(pkix_pl_AIAMgr_GetLDAPCerts
 				(aiaMgr, ia, &nbio, &certs, plContext),
 				PKIX_AIAMGRGETLDAPCERTSFAILED);
+#endif
                 } else {
                         /* We only support http and ldap requests. */
                         PKIX_DECREF(ia);
                         continue;
                 }
 
                 if (nbio != NULL) { /* WOULDBLOCK */
                         aiaMgr->aiaIndex = aiaIndex;
@@ -672,16 +682,18 @@ PKIX_PL_AIAMgr_GetAIACerts(
         *pCerts = aiaMgr->results;
         aiaMgr->results = NULL;
 
 cleanup:
 
         if (PKIX_ERROR_RECEIVED) {
                 PKIX_DECREF(aiaMgr->aia);
                 PKIX_DECREF(aiaMgr->results);
+#ifndef NSS_PKIX_NO_LDAP
                 PKIX_DECREF(aiaMgr->client.ldapClient);
+#endif
         }
 
         PKIX_DECREF(certs);
         PKIX_DECREF(ia);
 
         PKIX_RETURN(AIAMGR);
 }
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.h
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.h
@@ -22,40 +22,44 @@ struct PKIX_PL_AIAMgrStruct {
         /* pointer to crl cache */
         PKIX_UInt32 method;
         PKIX_UInt32 aiaIndex;
         PKIX_UInt32 numAias;
         PKIX_List *aia;
         PKIX_PL_GeneralName *location;
         PKIX_List *results;
 	union {
+#ifndef NSS_PKIX_NO_LDAP
 	        PKIX_PL_LdapClient *ldapClient;
+#endif
 		struct {
 		        const SEC_HttpClientFcn *httpClient;
 			SEC_HTTP_SERVER_SESSION serverSession;
 			SEC_HTTP_REQUEST_SESSION requestSession;
 			char *path;
 		} hdata;
 	} client;
 };
 
 /* see source file for function documentation */
 
 PKIX_Error *pkix_pl_AIAMgr_RegisterSelf(void *plContext);
 
+#ifndef NSS_PKIX_NO_LDAP
 PKIX_Error *PKIX_PL_LdapClient_InitiateRequest(
         PKIX_PL_LdapClient *client,
         LDAPRequestParams *requestParams,
         void **pPollDesc,
         PKIX_List **pResponse,
         void *plContext);
 
 PKIX_Error *PKIX_PL_LdapClient_ResumeRequest(
         PKIX_PL_LdapClient *client,
         void **pPollDesc,
         PKIX_List **pResponse,
         void *plContext);
+#endif /* !NSS_PKIX_NO_LDAP */
 
 #ifdef __cplusplus
 }
 #endif
 
 #endif /* _PKIX_PL_AIAMGR_H */
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
@@ -3130,37 +3130,41 @@ cleanup:
 /*
  * FUNCTION: PKIX_PL_Cert_CheckNameConstraints
  * (see comments in pkix_pl_pki.h)
  */
 PKIX_Error *
 PKIX_PL_Cert_CheckNameConstraints(
         PKIX_PL_Cert *cert,
         PKIX_PL_CertNameConstraints *nameConstraints,
+        PKIX_Boolean treatCommonNameAsDNSName,
         void *plContext)
 {
         PKIX_Boolean checkPass = PKIX_TRUE;
         CERTGeneralName *nssSubjectNames = NULL;
         PLArenaPool *arena = NULL;
 
         PKIX_ENTER(CERT, "PKIX_PL_Cert_CheckNameConstraints");
         PKIX_NULLCHECK_ONE(cert);
 
         if (nameConstraints != NULL) {
 
                 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
                 if (arena == NULL) {
                         PKIX_ERROR(PKIX_OUTOFMEMORY);
                 }
 
-                /* This NSS call returns both Subject and  Subject Alt Names */
+                /* This NSS call returns Subject Alt Names. If
+                 * treatCommonNameAsDNSName is true, it also returns the
+                 * Subject Common Name
+                 */
                 PKIX_CERT_DEBUG
                     ("\t\tCalling CERT_GetConstrainedCertificateNames\n");
                 nssSubjectNames = CERT_GetConstrainedCertificateNames
-                        (cert->nssCert, arena, PR_TRUE);
+                        (cert->nssCert, arena, treatCommonNameAsDNSName);
 
                 PKIX_CHECK(pkix_pl_CertNameConstraints_CheckNameSpaceNssNames
                         (nssSubjectNames,
                         nameConstraints,
                         &checkPass,
                         plContext),
                         PKIX_CERTNAMECONSTRAINTSCHECKNAMESPACENSSNAMESFAILED);
 
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c
@@ -476,34 +476,37 @@ PKIX_PL_InfoAccess_GetLocationType(
                 PKIX_TOSTRING(infoAccess->location, &locationString, plContext,
                     PKIX_GENERALNAMETOSTRINGFAILED);
 
                 PKIX_CHECK(PKIX_PL_String_GetEncoded
                     (locationString, PKIX_ESCASCII, &location, &len, plContext),
                     PKIX_STRINGGETENCODEDFAILED);
 
                 PKIX_OID_DEBUG("\tCalling PORT_Strcmp).\n");
+#ifndef NSS_PKIX_NO_LDAP
                 if (PORT_Strncmp(location, "ldap:", 5) == 0){
                         type = PKIX_INFOACCESS_LOCATION_LDAP;
                 } else
+#endif
                 if (PORT_Strncmp(location, "http:", 5) == 0){
                         type = PKIX_INFOACCESS_LOCATION_HTTP;
                 }
         }
 
         *pType = type;
 
 cleanup:
 
         PKIX_PL_Free(location, plContext);
         PKIX_DECREF(locationString);
 
         PKIX_RETURN(INFOACCESS);
 }
 
+#ifndef NSS_PKIX_NO_LDAP
 /*
  * FUNCTION: pkix_pl_InfoAccess_ParseTokens
  * DESCRIPTION:
  *
  *  This function parses the string beginning at "startPos" into tokens using
  *  the separator contained in "separator" and the terminator contained in
  *  "terminator", copying the tokens into space allocated from the arena
  *  pointed to by "arena". It stores in "tokens" a null-terminated array of
@@ -863,8 +866,9 @@ pkix_pl_InfoAccess_ParseLocation(
 
 cleanup:
 
         PKIX_PL_Free(locationAscii, plContext);
         PKIX_DECREF(locationString);
 
         PKIX_RETURN(INFOACCESS);
 }
+#endif /* !NSS_PKIX_NO_LDAP */
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.h
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.h
@@ -27,21 +27,23 @@ struct PKIX_PL_InfoAccessStruct{
 PKIX_Error *pkix_pl_InfoAccess_RegisterSelf(void *plContext);
 
 PKIX_Error *
 pkix_pl_InfoAccess_CreateList(
         CERTAuthInfoAccess **authInfoAccess,
         PKIX_List **pAiaList, /* of PKIX_PL_InfoAccess */
         void *plContext);
 
+#ifndef NSS_PKIX_NO_LDAP
 PKIX_Error *
 pkix_pl_InfoAccess_ParseLocation(
         PKIX_PL_GeneralName *generalName,
         PLArenaPool *arena,
         LDAPRequestParams *request,
         char **pDomainName,
         void *plContext);
+#endif /* !NSS_PKIX_NO_LDAP */
 
 #ifdef __cplusplus
 }
 #endif
 
 #endif /* _PKIX_PL_INFOACCESS_H */
--- a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_common.h
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_common.h
@@ -33,17 +33,19 @@
 #include "prio.h"
 
 /* NSPR headers */
 #include "nspr.h"
 
 /* private PKIX_PL_NSS system headers */
 #include "pkix_pl_object.h"
 #include "pkix_pl_string.h"
+#ifndef NSS_PKIX_NO_LDAP
 #include "pkix_pl_ldapt.h"
+#endif /* !NSS_PKIX_NO_LDAP */
 #include "pkix_pl_aiamgr.h"
 #include "pkix_pl_bigint.h"
 #include "pkix_pl_oid.h"
 #include "pkix_pl_x500name.h"
 #include "pkix_pl_generalname.h"
 #include "pkix_pl_publickey.h"
 #include "pkix_pl_bytearray.h"
 #include "pkix_pl_date.h"
@@ -57,19 +59,21 @@
 #include "pkix_pl_crldp.h"
 #include "pkix_pl_crl.h"
 #include "pkix_pl_crlentry.h"
 #include "pkix_pl_nameconstraints.h"
 #include "pkix_pl_ocsprequest.h"
 #include "pkix_pl_ocspresponse.h"
 #include "pkix_pl_pk11certstore.h"
 #include "pkix_pl_socket.h"
+#ifndef NSS_PKIX_NO_LDAP
 #include "pkix_pl_ldapcertstore.h"
 #include "pkix_pl_ldaprequest.h"
 #include "pkix_pl_ldapresponse.h"
+#endif /* !NSS_PKIX_NO_LDAP */
 #include "pkix_pl_nsscontext.h"
 #include "pkix_pl_httpcertstore.h"
 #include "pkix_pl_httpdefaultclient.h"
 #include "pkix_pl_infoaccess.h"
 #include "pkix_sample_modules.h"
 
 #define MAX_DIGITS_32 (PKIX_UInt32) 10
 
--- a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c
@@ -199,19 +199,21 @@ PKIX_PL_Initialize(
         pkix_BasicConstraintsCheckerState_RegisterSelf(plContext);
         pkix_PolicyCheckerState_RegisterSelf(plContext);
 
         pkix_pl_CollectionCertStoreContext_RegisterSelf(plContext); /* 41-50 */
         pkix_CrlChecker_RegisterSelf(plContext);
         pkix_ForwardBuilderState_RegisterSelf(plContext);
         pkix_SignatureCheckerState_RegisterSelf(plContext);
         pkix_NameConstraintsCheckerState_RegisterSelf(plContext);
+#ifndef NSS_PKIX_NO_LDAP
         pkix_pl_LdapRequest_RegisterSelf(plContext);
         pkix_pl_LdapResponse_RegisterSelf(plContext);
         pkix_pl_LdapDefaultClient_RegisterSelf(plContext);
+#endif
         pkix_pl_Socket_RegisterSelf(plContext);
 
         pkix_ResourceLimits_RegisterSelf(plContext); /* 51-59 */
         pkix_pl_MonitorLock_RegisterSelf(plContext);
         pkix_pl_InfoAccess_RegisterSelf(plContext);
         pkix_pl_AIAMgr_RegisterSelf(plContext);
         pkix_OcspChecker_RegisterSelf(plContext);
         pkix_pl_OcspCertID_RegisterSelf(plContext);
--- a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.h
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.h
@@ -28,20 +28,22 @@
 #include "pkix_pl_date.h"
 #include "pkix_pl_basicconstraints.h"
 #include "pkix_pl_certpolicyinfo.h"
 #include "pkix_pl_certpolicymap.h"
 #include "pkix_pl_certpolicyqualifier.h"
 #include "pkix_pl_crlentry.h"
 #include "pkix_pl_crl.h"
 #include "pkix_pl_colcertstore.h"
+#ifndef NSS_PKIX_NO_LDAP
 #include "pkix_pl_ldapcertstore.h"
 #include "pkix_pl_ldapdefaultclient.h"
 #include "pkix_pl_ldaprequest.h"
 #include "pkix_pl_ldapresponse.h"
+#endif /* !NSS_PKIX_NO_LDAP */
 #include "pkix_pl_socket.h"
 #include "pkix_pl_infoaccess.h"
 #include "pkix_store.h"
 #include "pkix_error.h"
 #include "pkix_logger.h"
 #include "pkix_list.h"
 #include "pkix_trustanchor.h"
 #include "pkix_procparams.h"
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -28,20 +28,20 @@
 
 /*
  * NSS's major version, minor version, patch level, build number, and whether
  * this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION  "3.15.5" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta"
+#define NSS_VERSION  "3.16" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta"
 #define NSS_VMAJOR   3
-#define NSS_VMINOR   15
-#define NSS_VPATCH   5
+#define NSS_VMINOR   16
+#define NSS_VPATCH   0
 #define NSS_VBUILD   0
 #define NSS_BETA     PR_TRUE
 
 #ifndef RC_INVOKED
 
 #include "seccomon.h"
 
 typedef struct NSSInitParametersStr NSSInitParameters;
--- a/security/nss/lib/softoken/sdb.c
+++ b/security/nss/lib/softoken/sdb.c
@@ -2007,17 +2007,27 @@ s_open(const char *directory, const char
 	    error = CKR_HOST_MEMORY;
 	    goto loser;
 	}
     }
 #endif
 
     /* how long does it take to test for a non-existant file in our working
      * directory? Allows us to test if we may be on a network file system */
-    accessOps = sdb_measureAccess(directory);
+    accessOps = 1;
+    {
+        char *env;
+        env = PR_GetEnv("NSS_SDB_USE_CACHE");
+        /* If the environment variable is set to yes or no, sdb_init() will
+         * ignore the value of accessOps, and we can skip the measuring.*/
+        if (!env || ((PORT_Strcasecmp(env, "no") != 0) &&
+                     (PORT_Strcasecmp(env, "yes") != 0))){
+           accessOps = sdb_measureAccess(directory);
+        }
+    }
 
     /*
      * open the cert data base
      */
     if (certdb) {
 	/* initialize Certificate database */
 	error = sdb_init(cert, "nssPublic", SDB_CERT, &inUpdate,
 			 newInit, flags, accessOps, certdb);
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -20,16 +20,16 @@
 
 /*
  * Softoken's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION  "3.15.5" SOFTOKEN_ECC_STRING " Beta"
+#define SOFTOKEN_VERSION  "3.16" SOFTOKEN_ECC_STRING " Beta"
 #define SOFTOKEN_VMAJOR   3
-#define SOFTOKEN_VMINOR   15
-#define SOFTOKEN_VPATCH   5
+#define SOFTOKEN_VMINOR   16
+#define SOFTOKEN_VPATCH   0
 #define SOFTOKEN_VBUILD   0
 #define SOFTOKEN_BETA     PR_TRUE
 
 #endif /* _SOFTKVER_H_ */
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -1343,20 +1343,23 @@ ssl_ImportFD(PRFileDesc *model, PRFileDe
     	return NULL;
 
     rv = ssl_PushIOLayer(ns, fd, PR_TOP_IO_LAYER);
     if (rv != PR_SUCCESS) {
 	ssl_FreeSocket(ns);
 	SET_ERROR_CODE
 	return NULL;
     }
-    ns = ssl_FindSocket(fd);
-    PORT_Assert(ns);
-    if (ns)
-	ns->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ns, &addr));
+#if defined(DEBUG) || defined(FORCE_PR_ASSERT)
+    {
+	sslSocket * ss = ssl_FindSocket(fd);
+	PORT_Assert(ss == ns);
+    }
+#endif
+    ns->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ns, &addr));
     return fd;
 }
 
 PRFileDesc *
 SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd)
 {
     return ssl_ImportFD(model, fd, ssl_variant_stream);
 }
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -14,20 +14,20 @@
 
 /*
  * NSS utilities's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION  "3.15.5 Beta"
+#define NSSUTIL_VERSION  "3.16 Beta"
 #define NSSUTIL_VMAJOR   3
-#define NSSUTIL_VMINOR   15
-#define NSSUTIL_VPATCH   5
+#define NSSUTIL_VMINOR   16
+#define NSSUTIL_VPATCH   0
 #define NSSUTIL_VBUILD   0
 #define NSSUTIL_BETA     PR_TRUE
 
 SEC_BEGIN_PROTOS
 
 /*
  * Returns a const string of the UTIL library version.
  */
--- a/security/nss/tests/chains/scenarios/nameconstraints.cfg
+++ b/security/nss/tests/chains/scenarios/nameconstraints.cfg
@@ -2,21 +2,152 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 scenario TrustAnchors
 
 db trustanchors
 
 import NameConstraints.ca:x:CT,C,C
+import NameConstraints.ncca:x:CT,C,C
+# Name Constrained CA:  Name constrained to permited DNSName ".example"
 
+# Intermediate 1: Name constrained to permited DNSName ".example"
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
+# altDNS: test.invalid
+#   Fail: CN not in name constraints, altDNS not in name constraints
 verify NameConstraints.server1:x
   cert NameConstraints.intermediate:x
   result fail
 
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN
+#   Fail: CN not in name constraints
 verify NameConstraints.server2:x
   cert NameConstraints.intermediate:x
   result fail
 
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"
+# altDNS: test.example
 verify NameConstraints.server3:x
   cert NameConstraints.intermediate:x
   result pass
 
+# Intermediate 2: No name constraints, signed by Intermediate 1 (inherits name constraints)
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
+# altDNS: test.invalid
+#   Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server4:x
+  cert NameConstraints.intermediate2:x
+  cert NameConstraints.intermediate:x
+  result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN
+#   Fail: CN not in name constraints
+verify NameConstraints.server5:x
+  cert NameConstraints.intermediate2:x
+  cert NameConstraints.intermediate:x
+  result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"
+# altDNS: test.example
+verify NameConstraints.server6:x
+  cert NameConstraints.intermediate2:x
+  cert NameConstraints.intermediate:x
+  result pass
+
+# Intermediate 3: Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=NSS Intermediate CA3"
+#                 Name constrained to a permitted DirectoryName of "C=US, ST=CA, O=Foo"
+#                 and a permitted DNSName of "foo.example"
+
+# Intermediate 4: Subject: "C=US, ST=CA, O=Foo, CN=NSS Intermediate CA 2"
+#                 No name constraints present
+#                 Signed by Intermediate 3 (inherits name constraints)
+
+# Subject: "C=US, ST=CA, O=Foo, OU=bar, CN=bat.foo.example", no SAN
+verify NameConstraints.server7:x
+  cert NameConstraints.intermediate4:x
+  cert NameConstraints.intermediate3:x
+  result pass
+
+# Subject: "C=US, ST=CA, O=Foo, CN=bat.foo.example", no SAN
+verify NameConstraints.server8:x
+  cert NameConstraints.intermediate4:x
+  cert NameConstraints.intermediate3:x
+  result pass
+
+# Subject: "C=US, O=Foo, CN=bat.foo.example", no SAN
+#  Fail: ST is missing in the DirectoryName, thus not matching name constraints
+verify NameConstraints.server9:x
+  cert NameConstraints.intermediate4:x
+  cert NameConstraints.intermediate3:x
+  result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=bar.example"
+#  Fail: CN not in name constraints
+verify NameConstraints.server10:x
+  cert NameConstraints.intermediate4:x
+  cert NameConstraints.intermediate3:x
+  result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=site.example"
+# altDNS:foo.example
+#   Pass: Ignores CN constraint name violation because SAN is present
+verify NameConstraints.server11:x
+  cert NameConstraints.intermediate4:x
+  cert NameConstraints.intermediate3:x
+  result pass
+
+# Subject: "C=US, ST=CA, O=Foo, CN=Honest Achmed"
+#   Fail: CN does not match DNS name constraints - even though is not 'DNS shaped'
+verify NameConstraints.server12:x
+  cert NameConstraints.intermediate4:x
+  cert NameConstraints.intermediate3:x
+  result fail
+
+# Intermediate 5: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA 2"
+#                 No name constraints present
+#                 Signed by Intermediate 3.
+#                 Intermediate 5's subject is not in Intermediate 3's permitted
+#                 names, so all certs issued by it are invalid.
+
+# Subject: "C=US, ST=CA, O=OtherOrg, CN=bat.foo.example"
+#   Fail: Org matches Intermediate 5's name constraints, but does not match
+#         Intermediate 3' name constraints
+verify NameConstraints.server13:x
+  cert NameConstraints.intermediate5:x
+  cert NameConstraints.intermediate3:x
+  result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=another.foo.example"
+#  Fail: Matches Intermediate 5's name constraints, but fails because
+#        Intermediate 5 does not match Intermediate 3's name constraints
+verify NameConstraints.server14:x
+  cert NameConstraints.intermediate5:x
+  cert NameConstraints.intermediate3:x
+  result fail
+
+# Intermediate 6: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA6"
+#                 No name constraints present
+#                 Signed by Named Constrained CA (inherits root name constraints)
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=testfoo.invalid"
+# altDNS: testfoo.invalid
+#   Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server15:x
+  cert NameConstraints.intermediate6:x
+  result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test3.invalid", no SAN
+#   Fail: CN not in name constraints
+verify NameConstraints.server16:x
+  cert NameConstraints.intermediate6:x
+  result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test4.example"
+# altDNS: test4.example
+verify NameConstraints.server17:x
+  cert NameConstraints.intermediate6:x
+  result pass
+
+
+
index 9e859a0aa00112279ac86c30416915f18bccff52..6d2e8469dd5565cd2be6e184a713807506fae355
GIT binary patch
literal 626
zc$_n6V#+gUV!Xb9nTe5!iILHOmyJ`a&7<u*FC!x>D}zCbA-4f18*?ZNn=n&ou%WPl
zAc(^u%;lVzlbM!Zl$V)kC}to65@Z+V_02EMD@n}EQwYmUEjJW05CDmD33EF6yN3oV
z_yq?WiWmri#F&M-fjotf)Z!8aXGa4$ab81XLn8wd14APtQ;R5ZUL#~Kom|m4AKCYe
ztPISJy$lA8olK353^x`f#!P7{S?h4|)wW%io_g~Ay2EkMfKTq!rrSF2TU43rC2kwN
zxhYZFYqY0r@~cTb#~&?KNoi*8l%Kw8nNxQ365e%zU16IySnymk+P;uAcw=chk8zm>
zli5SQ8`;Yf%+#uH&Ro3lZQ|0ucYKT&WE98moA#jc=&1tD$$`Ad<_Av}GBGnUFfKMQ
z&;xp%Goj6cvF(QwBO?n7GZO>50T0kKvcfE^2F#3%{|&f7JbsWABO6+DG6Q`wQ(ILl
z(Q0kE)1)`dx7$4wSGJ`$*v-5ve0^200Hbd$v-X8P=I#yKEx1*LN?a#Qow@DW+(){*
zH2NdMr4PDHUvR_Vva?0TbWMlzDv6pozPT#@ie*f6_wmYff6jT$bN#}xn4(jTB?ggG
e=1yga%=(pj>PuTu*Mi7xhN^2{XnnXCJ{17L?ZZa^
index 6fe77d198a640ce72c1b15c1d42235fb749fdc7e..a310aa1acd189597bb386504888c3bbf2bf334f0
GIT binary patch
literal 662
zc$_n6Vwz;o#Q1vwGZP~d6QhU$FB_*;n@8JsUPeY%RtAF<Lv903Hs(+kHesgFU_)U8
zK@f*Sn9DgaCo?U-C@(Y7P|QFCB*-qz>ziMiSCW{Srx2EzT5c$0AOI5Q66SRBcMlC#
z@Cyz$6fqD2i7^Xv19=J|sl_D<&W;9h;=G0?28ISeY-D6=5hc!RWNe7w8st#f6*2}=
z5LXC;T;Z8ll3J9Tnv$7Vk_vK7<9y^$U}R-rZtP_+XzXNaY-BjZ_xQFz_0&0s8IHY{
z+IBg|bbG+=5Pdt2lszoF{+Hjql>FI!&q?tZ$GEe+SN^jlEmao}zmdQDY3`Qg(w79p
zxG$V$zV~CV^<Uw>@O+sa8^o7csg)=nzW0ddbdh*0kIKIDrPgosg5`foFYb?<|141C
z;4ihfsTpBWh0Xg_7AswE5oTg$WMEwEW8ei00?vds55~41PK=B!EX+&{>|jsH%CP{0
zX92$fZxe@JYDHphK~8D|BZC1CNKTlA)qt6i@xK8#h{q4o#>j>i<;*}|HYzb%%-p@k
zkfC1Op6N|qbhVl3S)Rw*;V*BV_`|(6Lix1Yyy@#i8@?>~v_?_r_0mXH&$EdddO7^w
z<~z3qO`56iGJTVc<E!QBg|`={3Lg&O3O})1<&3zM`t|o!AJ!cc&WqY)b#HTX`Oax+
c>vpaB`o&O)>7WYN%3?!{|JxtP>wee^06zrIJpcdz
index 23088d1c82019e05069245854dfa1dff568048c9..60e8a1c698539c2806b32be68cbf65644fe8bb84
GIT binary patch
literal 660
zc$_n6Vwzyk#Q1XoGZP~d6QhO!FB_*;n@8JsUPeY%RtAF{Lv903Hs(+kHesgFU_)U8
zK@f*Sn9DgaCo?U-C@(Y7P|QFCB*-qz>ziMiSCW{Srx2EzT5c$0AOI5Q66SRBcMlC#
z@Cyz$lrfM3i7^Wc19=Lbc_pbuxv43ci6yBD&W;9h;=G0?21W)Z28KpPrWR4+yhg?b
zmT;~?DwSO$Y9I`84NpmGafx1LUK!Aw6obb3$icwK%D~*%%V5yh$<)}$@WOnq%B%g7
zee*&B=ej4P?%t(-SH3Xe(vb$okjHD^Pn^5r!!g&jxxd)hQWviEQq@;HRNT$*=(y4}
zf%>~1%N<pC`t0XyiMf~XI^b5>Q^(hlt7djN{@hS$b2I$=4uPcjZFgmRzP0Sn3@??v
znII;4!L6^dgF&>F>(=ov4K7M*FYdN7F*7nSF7`BVHxLIpT~?4qz<{p_)%k*KoC$3n
zjBP)h7#Ueun3>oP81R793NtePXJIm6FyIF9_(4+4JJ2GW8R*3tU7MGsN_y{&kC>^j
zr0i3<dxJ$FpqAU6J8oHVE3e@aN5#v57Weal7aseT|MAPcmjM>3J&Y417?o`pA9buh
zpU;1*=UTx@2FuT_8a;=51fHfxi{(hq^|?`f>#5>Ajk$#({u^4teNNO)ESYALUi>X8
Vb@x>%11C;{L(}$ZhwhCl0RWap(CGjG
index feac1139294801703731fb01204b5de0165fae2d..1c6e5510dd8bfd2dfbcf5c3c20f5245dc7444cbc
GIT binary patch
literal 643
zc$_n6VyZW2VtlcHnTe5!iBZ#lmyJ`a&7<u*FC!x>D}zCfA-4f18*?ZNn=n&ou%WPl
zAc(^u%;lVzlbM!Zl$V)kC}to65@Z+V_02EMD@n}EQwYmUEjJW05CDmD33EF6yN3oV
z_yq?W${0w2#F&MJfjkAzypq(S+|-oJ#FA76XGa4$ab80c10w?y14APtQ;R5ZUL#`z
zOE}jcm&&e@HIN3ohDRhZFTW%swJ5$MwYWqtGp`J2UW!5EeB|I@WMyD(>}4=$>||<e
zWH^5H&!#NTv$HFAewcnK?qg75#DWjMW|n=Bdh<l&QsVk69TA`HpPuV{Yv%7<7#la;
z_;!}>?#Z7FFTE=*%s#-eM!5gmXFsunt4~FSG%GIK@~K!szB8yz?DM8S=M*2mY__Y}
zwVH!br{lcFZZ;R6>mO`v(@Sy`oh0Iu{_J>BeEVgNGZQl-1LI-?13h3Ea3-{QFt+`0
zVq|1tVP;}GV88?Pm8>u$<9`+=0|o<b5RV@u#k>P8ewl$jS$q75^lITXVevaXum768
z_u@^CMauVYUOcp$^%CdjhV^cff1K85d6>xCxvkT*K;(0m;GeuBdV6$(72EQ9mK;7m
zODp)s%eL>_*~gaXv-E2#b$q#fui5bbX127hlc%H}EXn>YkvTIk?%k~qwPksks!0Nk
U&6A(&>L1>fsKvLe-gUJQ0RB$e?EnA(
index 5e69183e6d5f918c3a55ec66aabc6312455600e4..bd93572ddd17eef4cdae447bb1063dd45fb35771
GIT binary patch
literal 660
zc$_n6Vwzyk#Q1XoGZP~d6Qh;^FB_*;n@8JsUPeY%RtAF{Lv903Hs(+kHesgFU_)U8
zK@f*Sn9DgaCo?U-C@(Y7P|QFCB*-qz>ziMiSCW{Srx2EzT5c$0AOI5Q66SRBcMlC#
z@Cyz$lrfM3i7^Wc19=Lbc_pbuxv43ci6yBD&W;9h;=G0?21W)Z28KpPrWR4+yhg?b
zmT;~?DwSO$Y9I`84NpmGafx1PMPhD2PO3rUeB@wYWMyD(>}4=$>||<eWZ1o1rR>zD
zAGfA62Xx(=66M&PXyEY5;ayO&Laku!zT739(@fPH^jwZb#?^*pema>~dHgo}ogMFZ
z+_k#C^R4<<u_5F{$Hwj(`zzDfj$X_^yla2wtnFeN_iFBUEm#@1Y;~%<#vVgXIbY7b
z$4^zqn;x-rYT{0{j5D7<JD%eXbMALVCT2zk#>Jin?grvOr^^bm2pI4+p*mlXjWeOm
zgR$+06C)!F3o{ej0RtY8T46@U|13-f3<lgF9zRHmc?VjAGXuRS{)ClrC!dg|;o{1z
zTS5%=Ywd)Br*4ir?-QW(_d$$vLCIa6t<Fnjg7YJdgjjB^nDxsme06#Lt>eP$HfD4l
znRs~O^x8CK>C{%+cLCClPgh%sePhnM|J`h-+JmgaS+NzK9`a_6QMY7d)pyK__#4l_
VbL_Kpnrze`!-;F;Jt|o(vjKSY&7A-M
--- a/security/nss/tests/libpkix/certs/make-nc
+++ b/security/nss/tests/libpkix/certs/make-nc
@@ -89,15 +89,366 @@ n
 
 y
 0
 1
 9
 n
 CERTSCRIPT
 
+certutil -S -z noise -g 1024 -d . -n ica2 -s "CN=NSS Intermediate CA 2,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica -m 21 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server4 -s "CN=test2.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica2 -m 50 -v 115 -1 -2 -5 -8 test.invalid <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server5 -s "CN=another_test2.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica2 -m 51 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+
+certutil -S -z noise -g 1024 -d . -n server6 -s "CN=test2.example,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica2 -m 52 -v 115 -1 -2 -5 -8 test.example <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n ica3 -s "CN=NSS Intermediate CA3,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 21 -w -1 -v 118 -1 -2 -5 --extNC <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+3
+foo.example
+1
+y
+5
+O=Foo,st=ca,c=us
+1
+n
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n ica4 -s "CN=NSS Intermediate CA 2,O=Foo,ST=CA,C=US" -t ,, -c ica3 -m 61 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server7 -s "CN=bat.foo.example,ou=bar,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 41 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server8 -s "CN=bat.foo.example,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 42 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server9 -s "CN=bat.foo.example,O=Foo,C=US" -t ,, -c ica4 -m 43 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server10 -s "CN=bar.example,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 44 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server11 -s "CN=site.example,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 45 -v 115 -1 -2 -5 -8 foo.example <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server12 -s "CN=Honest Achmed,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 46 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n ica5 -s "CN=NSS Intermediate CA 2,O=OtherOrg,ST=CA,C=US" -t ,, -c ica3 -m 62 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server13 -s "CN=bat.foo.example,O=OtherOrg,ST=CA,C=US" -t ,, -c ica5 -m 41 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server14 -s "CN=another.foo.example,O=Foo,ST=CA,C=US" -t ,, -c ica5 -m 490 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n ncca -s "CN=NSS Name Constrained Root CA,O=BOGUS NSS,L=Mountain View,ST=CA,C=US" -t C,C,C -x -m 2 -w -1 -v 118 -1 -2 -5 --extNC <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+3
+.example
+1
+n
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n ica6 -s "CN=NSS Intermediate CA6,O=OtherOrg,ST=CA,C=US" -t ,, -c ncca -m 63 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server15 -s "CN=testfoo.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica6 -m 64 -v 115 -1 -2 -5 -8 testfoo.invalid <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server16 -s "CN=another_test3.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica6 -m 65 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server17 -s "CN=test4.example,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica6 -m 66 -v 115 -1 -2 -5 -8 test4.example <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+
 certutil -d . -L -n ca -r > NameConstraints.ca.cert
 certutil -d . -L -n ica -r > NameConstraints.intermediate.cert
 certutil -d . -L -n server1 -r > NameConstraints.server1.cert
 certutil -d . -L -n server2 -r > NameConstraints.server2.cert
 certutil -d . -L -n server3 -r > NameConstraints.server3.cert
+certutil -d . -L -n ica2 -r > NameConstraints.intermediate2.cert
+certutil -d . -L -n server4 -r > NameConstraints.server4.cert
+certutil -d . -L -n server5 -r > NameConstraints.server5.cert
+certutil -d . -L -n server6 -r > NameConstraints.server6.cert
+certutil -d . -L -n ica3 -r > NameConstraints.intermediate3.cert
+certutil -d . -L -n ica4 -r > NameConstraints.intermediate4.cert
+certutil -d . -L -n server7 -r > NameConstraints.server7.cert
+certutil -d . -L -n server8 -r > NameConstraints.server8.cert
+certutil -d . -L -n server9 -r > NameConstraints.server9.cert
+certutil -d . -L -n server10 -r > NameConstraints.server10.cert
+certutil -d . -L -n server11 -r > NameConstraints.server11.cert
+certutil -d . -L -n server11 -r > NameConstraints.server11.cert
+certutil -d . -L -n server12 -r > NameConstraints.server12.cert
+certutil -d . -L -n ica5 -r > NameConstraints.intermediate5.cert
+certutil -d . -L -n server13 -r > NameConstraints.server13.cert
+certutil -d . -L -n server14 -r > NameConstraints.server14.cert
+certutil -d . -L -n ncca -r > NameConstraints.ncca.cert
+certutil -d . -L -n ica6 -r > NameConstraints.intermediate6.cert
+certutil -d . -L -n server15 -r > NameConstraints.server15.cert
+certutil -d . -L -n server16 -r > NameConstraints.server16.cert
+certutil -d . -L -n server17 -r > NameConstraints.server17.cert
 
-echo "Created multiple files in subdirectory tmp: NameConstraints.ca.cert NameConstraints.intermediate.cert NameConstraints.server1.cert NameConstraints.server2.cert NameConstraints.server3.cert"
+echo "Created multiple files in subdirectory tmp: NameConstraints.ca.cert NameConstraints.intermediate.cert NameConstraints.server1.cert NameConstraints.server2.cert NameConstraints.server3.cert NameConstraints.intermediate2.cert NameConstraints.server4.cert NameConstraints.server5.cert NameConstraints.server6.cert"