Bug 1334127 - land NSS 2acb84c21d9d, r=me
☠☠ backed out by d3f5466ed29b ☠ ☠
authorFranziskus Kiefer <franziskuskiefer@gmail.com>
Fri, 10 Feb 2017 06:00:45 +0100
changeset 341799 e9dca250a3d3
parent 341798 8f45843772d1
child 341800 d4c677b0b92f
push id31343
push usercbook@mozilla.com
push dateFri, 10 Feb 2017 12:50:15 +0000
treeherdermozilla-central@b9c6246f13ea [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersme
bugs1334127
milestone54.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1334127 - land NSS 2acb84c21d9d, r=me
security/nss/TAG-INFO
security/nss/automation/taskcluster/graph/src/extend.js
security/nss/cmd/addbuiltin/addbuiltin.c
security/nss/cmd/lib/secutil.c
security/nss/coreconf/coreconf.dep
security/nss/fuzz/fuzz.gyp
security/nss/fuzz/mpi_add_target.cc
security/nss/fuzz/mpi_addmod_target.cc
security/nss/fuzz/mpi_div_target.cc
security/nss/fuzz/mpi_expmod_target.cc
security/nss/fuzz/mpi_helper.cc
security/nss/fuzz/mpi_helper.h
security/nss/fuzz/mpi_mod_target.cc
security/nss/fuzz/mpi_mulmod_target.cc
security/nss/fuzz/mpi_sqr_target.cc
security/nss/fuzz/mpi_sqrmod_target.cc
security/nss/fuzz/mpi_sub_target.cc
security/nss/fuzz/mpi_submod_target.cc
security/nss/fuzz/mpi_target.cc
security/nss/gtests/ssl_gtest/ssl_hrr_unittest.cc
security/nss/lib/ckfw/builtins/certdata.txt
security/nss/lib/nss/nss.def
security/nss/lib/pk11wrap/pk11slot.c
security/nss/lib/ssl/tls13exthandle.c
security/nss/lib/util/pkcs11n.h
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-e3bca65235d5
+2acb84c21d9d
--- a/security/nss/automation/taskcluster/graph/src/extend.js
+++ b/security/nss/automation/taskcluster/graph/src/extend.js
@@ -246,16 +246,33 @@ async function scheduleLinux(name, base)
     symbol: "modular"
   }));
 
   return queue.submit();
 }
 
 /*****************************************************************************/
 
+function scheduleFuzzingRun(base, name, target, max_len, symbol = null) {
+  const MAX_FUZZ_TIME = 300;
+
+  queue.scheduleTask(merge(base, {
+    name,
+    command: [
+      "/bin/bash",
+      "-c",
+      "bin/checkout.sh && nss/automation/taskcluster/scripts/fuzz.sh " +
+        `${target} nss/fuzz/corpus/${target} ` +
+        `-max_total_time=${MAX_FUZZ_TIME} ` +
+        `-max_len=${max_len}`
+    ],
+    symbol: symbol || name
+  }));
+}
+
 async function scheduleFuzzing() {
   let base = {
     env: {
       ASAN_OPTIONS: "allocator_may_return_null=1",
       UBSAN_OPTIONS: "print_stacktrace=1",
       NSS_DISABLE_ARENA_FREE_LIST: "1",
       NSS_DISABLE_UNLOAD: "1",
       CC: "clang",
@@ -302,67 +319,27 @@ async function scheduleFuzzing() {
     ],
     env: {GTESTFILTER: "*Fuzz*"},
     tests: "ssl_gtests gtests",
     cycle: "standard",
     symbol: "Gtest",
     kind: "test"
   }));
 
-  queue.scheduleTask(merge(base, {
-    parent: task_build,
-    name: "Hash",
-    command: [
-      "/bin/bash",
-      "-c",
-      "bin/checkout.sh && nss/automation/taskcluster/scripts/fuzz.sh " +
-        "hash nss/fuzz/corpus/hash -max_total_time=300 -max_len=4096"
-    ],
-    symbol: "Hash",
-    kind: "test"
-  }));
-
-  queue.scheduleTask(merge(base, {
-    parent: task_build,
-    name: "QuickDER",
-    command: [
-      "/bin/bash",
-      "-c",
-      "bin/checkout.sh && nss/automation/taskcluster/scripts/fuzz.sh " +
-        "quickder nss/fuzz/corpus/quickder -max_total_time=300 -max_len=10000"
-    ],
-    symbol: "QuickDER",
-    kind: "test"
-  }));
-
-  queue.scheduleTask(merge(base, {
-    parent: task_build,
-    name: "MPI",
-    command: [
-      "/bin/bash",
-      "-c",
-      "bin/checkout.sh && nss/automation/taskcluster/scripts/fuzz.sh " +
-        "mpi nss/fuzz/corpus/mpi -max_total_time=300 -max_len=2048"
-    ],
-    symbol: "MPI",
-    kind: "test"
-  }));
-
-  queue.scheduleTask(merge(base, {
-    parent: task_build,
-    name: "CertDN",
-    command: [
-      "/bin/bash",
-      "-c",
-      "bin/checkout.sh && nss/automation/taskcluster/scripts/fuzz.sh " +
-        "certDN nss/fuzz/corpus/certDN -max_total_time=300 -max_len=4096"
-    ],
-    symbol: "CertDN",
-    kind: "test"
-  }));
+  // Schedule fuzzing runs.
+  let run_base = merge(base, {parent: task_build, kind: "test"});
+  let mpi_base = merge(run_base, {group: "MPI"});
+  scheduleFuzzingRun(run_base, "CertDN", "certDN", 4096);
+  scheduleFuzzingRun(run_base, "Hash", "hash", 4096);
+  scheduleFuzzingRun(run_base, "QuickDER", "quickder", 10000);
+  for (let mpi_name of ["add", "addmod", "div", "expmod", "mod", "mulmod",
+                        "sqr", "sqrmod", "sub", "submod"]) {
+    scheduleFuzzingRun(mpi_base, `MPI (${mpi_name})`, `mpi-${mpi_name}`,
+                       4096, mpi_name);
+  }
 
   return queue.submit();
 }
 
 /*****************************************************************************/
 
 async function scheduleTestBuilds() {
   let base = {
--- a/security/nss/cmd/addbuiltin/addbuiltin.c
+++ b/security/nss/cmd/addbuiltin/addbuiltin.c
@@ -26,16 +26,39 @@ dumpbytes(unsigned char *buf, int len)
         if ((i != 0) && ((i & 0xf) == 0)) {
             printf("\n");
         }
         printf("\\%03o", buf[i]);
     }
     printf("\n");
 }
 
+int
+hasPositiveTrust(unsigned int trust)
+{
+    if (trust & CERTDB_TRUSTED) {
+        if (trust & CERTDB_TRUSTED_CA) {
+            return PR_TRUE;
+        } else {
+            return PR_FALSE;
+        }
+    } else {
+        if (trust & CERTDB_TRUSTED_CA) {
+            return PR_TRUE;
+        } else if (trust & CERTDB_VALID_CA) {
+            return PR_TRUE;
+        } else if (trust & CERTDB_TERMINAL_RECORD) {
+            return PR_FALSE;
+        } else {
+            return PR_FALSE;
+        }
+    }
+    return PR_FALSE;
+}
+
 char *
 getTrustString(unsigned int trust)
 {
     if (trust & CERTDB_TRUSTED) {
         if (trust & CERTDB_TRUSTED_CA) {
             return "CKT_NSS_TRUSTED_DELEGATOR";
         } else {
             return "CKT_NSS_TRUSTED";
@@ -197,16 +220,21 @@ ConvertCertificate(SECItem *sdder, char 
         dumpbytes(cert->derIssuer.data, cert->derIssuer.len);
         printf("END\n");
         printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n");
         dumpbytes(serial->data, serial->len);
         printf("END\n");
         printf("CKA_VALUE MULTILINE_OCTAL\n");
         dumpbytes(sdder->data, sdder->len);
         printf("END\n");
+        if (hasPositiveTrust(trust->sslFlags) ||
+            hasPositiveTrust(trust->emailFlags) ||
+            hasPositiveTrust(trust->objectSigningFlags)) {
+            printf("CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE\n");
+        }
     }
 
     if ((trust->sslFlags | trust->emailFlags | trust->objectSigningFlags) ==
         CERTDB_TERMINAL_RECORD)
         trust_info = "Distrust";
     else
         trust_info = "Trust for";
 
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -27,17 +27,17 @@
 #include <unistd.h>
 #endif
 
 /* for SEC_TraverseNames */
 #include "cert.h"
 #include "certt.h"
 #include "certdb.h"
 
-/* #include "secmod.h" */
+#include "secmod.h"
 #include "pk11func.h"
 #include "secoid.h"
 
 static char consoleName[] = {
 #ifdef XP_UNIX
     "/dev/tty"
 #else
 #ifdef XP_OS2
@@ -3224,25 +3224,55 @@ SECU_PrintSignedContent(FILE *out, SECIt
 SECStatus
 SEC_PrintCertificateAndTrust(CERTCertificate *cert,
                              const char *label,
                              CERTCertTrust *trust)
 {
     SECStatus rv;
     SECItem data;
     CERTCertTrust certTrust;
+    PK11SlotList *slotList;
+    const char *moz_policy_ca_info = NULL;
 
     data.data = cert->derCert.data;
     data.len = cert->derCert.len;
 
     rv = SECU_PrintSignedData(stdout, &data, label, 0,
                               (SECU_PPFunc)SECU_PrintCertificate);
     if (rv) {
         return (SECFailure);
     }
+
+    slotList = PK11_GetAllSlotsForCert(cert, NULL);
+    if (slotList) {
+        PK11SlotListElement *se = PK11_GetFirstSafe(slotList);
+        for (; se; se = PK11_GetNextSafe(slotList, se, PR_FALSE)) {
+            CK_OBJECT_HANDLE handle = PK11_FindCertInSlot(se->slot, cert, NULL);
+            if (handle != CK_INVALID_HANDLE) {
+                PORT_SetError(0);
+                if (PK11_HasAttributeSet(se->slot, handle,
+                                         CKA_NSS_MOZILLA_CA_POLICY, PR_FALSE)) {
+                    moz_policy_ca_info = "true (attribute present)";
+                } else {
+                    if (PORT_GetError() != 0) {
+                        moz_policy_ca_info = "false (attribute missing)";
+                    } else {
+                        moz_policy_ca_info = "false (attribute present)";
+                    }
+                }
+            }
+        }
+        PK11_FreeSlotList(slotList);
+    }
+
+    if (moz_policy_ca_info) {
+        SECU_Indent(stdout, 1);
+        printf("Mozilla-CA-Policy: %s\n", moz_policy_ca_info);
+    }
+
     if (trust) {
         SECU_PrintTrustFlags(stdout, trust,
                              "Certificate Trust Flags", 1);
     } else if (CERT_GetCertTrust(cert, &certTrust) == SECSuccess) {
         SECU_PrintTrustFlags(stdout, &certTrust,
                              "Certificate Trust Flags", 1);
     }
 
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,9 +5,8 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
-
--- a/security/nss/fuzz/fuzz.gyp
+++ b/security/nss/fuzz/fuzz.gyp
@@ -47,30 +47,52 @@
           'cflags/': [
             ['exclude', '-fsanitize-coverage'],
           ],
           'xcode_settings': {
             'OTHER_CFLAGS/': [
               ['exclude', '-fsanitize-coverage'],
             ],
           },
-          'direct_dependent_settings': {
-            'include_dirs': [
-              'libFuzzer',
-            ],
-          },
         }, {
           'type': 'none',
-          'direct_dependent_settings': {
+          'all_dependent_settings': {
             'libraries': ['-lFuzzingEngine'],
           }
         }]
       ],
     },
     {
+      'target_name': 'nssfuzz-mpi-base',
+      'type': 'none',
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        'fuzz_base',
+      ],
+      'direct_dependent_settings': {
+        'include_dirs': [
+          '<(DEPTH)/lib/freebl/mpi',
+        ],
+        'sources': [
+          'mpi_helper.cc',
+        ],
+        'conditions': [
+          [ 'fuzz_oss==1', {
+            'libraries': [
+              '/usr/lib/x86_64-linux-gnu/libcrypto.a',
+            ],
+          }, {
+            'libraries': [
+              '-lcrypto',
+            ],
+          }],
+        ],
+      },
+    },
+    {
       'target_name': 'nssfuzz-pkcs8',
       'type': 'executable',
       'sources': [
         'asn1_mutators.cc',
         'pkcs8_target.cc',
       ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports',
@@ -96,62 +118,156 @@
         'hash_target.cc',
       ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports',
         'fuzz_base',
       ],
     },
     {
-      'target_name': 'nssfuzz-mpi',
-      'type': 'executable',
-      'sources': [
-        'mpi_target.cc',
-      ],
-      'dependencies': [
-        '<(DEPTH)/exports.gyp:nss_exports',
-        'fuzz_base',
-      ],
-      'conditions': [
-        [ 'fuzz_oss==1', {
-          'libraries': [
-            '/usr/lib/x86_64-linux-gnu/libcrypto.a',
-          ],
-        }, {
-          'libraries': [
-            '-lcrypto',
-          ],
-        }],
-      ],
-      'include_dirs': [
-        '<(DEPTH)/lib/freebl/mpi',
-      ],
-    },
-    {
       'target_name': 'nssfuzz-certDN',
       'type': 'executable',
       'sources': [
         'certDN_target.cc',
       ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports',
         'fuzz_base',
       ],
     },
     {
+      'target_name': 'nssfuzz-mpi-add',
+      'type': 'executable',
+      'sources': [
+        'mpi_add_target.cc',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        'nssfuzz-mpi-base',
+      ],
+    },
+    {
+      'target_name': 'nssfuzz-mpi-sub',
+      'type': 'executable',
+      'sources': [
+        'mpi_sub_target.cc',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        'nssfuzz-mpi-base',
+      ],
+    },
+    {
+      'target_name': 'nssfuzz-mpi-sqr',
+      'type': 'executable',
+      'sources': [
+        'mpi_sqr_target.cc',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        'nssfuzz-mpi-base',
+      ],
+    },
+    {
+      'target_name': 'nssfuzz-mpi-div',
+      'type': 'executable',
+      'sources': [
+        'mpi_div_target.cc',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        'nssfuzz-mpi-base',
+      ],
+    },
+    {
+      'target_name': 'nssfuzz-mpi-mod',
+      'type': 'executable',
+      'sources': [
+        'mpi_mod_target.cc',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        'nssfuzz-mpi-base',
+      ],
+    },
+    {
+      'target_name': 'nssfuzz-mpi-sqrmod',
+      'type': 'executable',
+      'sources': [
+        'mpi_sqrmod_target.cc',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        'nssfuzz-mpi-base',
+      ],
+    },
+    {
+      'target_name': 'nssfuzz-mpi-addmod',
+      'type': 'executable',
+      'sources': [
+        'mpi_addmod_target.cc',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        'nssfuzz-mpi-base',
+      ],
+    },
+    {
+      'target_name': 'nssfuzz-mpi-submod',
+      'type': 'executable',
+      'sources': [
+        'mpi_submod_target.cc',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        'nssfuzz-mpi-base',
+      ],
+    },
+    {
+      'target_name': 'nssfuzz-mpi-mulmod',
+      'type': 'executable',
+      'sources': [
+        'mpi_mulmod_target.cc',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        'nssfuzz-mpi-base',
+      ],
+    },
+    {
+      'target_name': 'nssfuzz-mpi-expmod',
+      'type': 'executable',
+      'sources': [
+        'mpi_expmod_target.cc',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        'nssfuzz-mpi-base',
+      ],
+    },
+    {
       'target_name': 'nssfuzz',
       'type': 'none',
       'dependencies': [
         'nssfuzz-certDN',
         'nssfuzz-hash',
         'nssfuzz-pkcs8',
         'nssfuzz-quickder',
       ],
       'conditions': [
         ['OS=="linux"', {
           'dependencies': [
-            'nssfuzz-mpi',
+            'nssfuzz-mpi-add',
+            'nssfuzz-mpi-addmod',
+            'nssfuzz-mpi-div',
+            'nssfuzz-mpi-expmod',
+            'nssfuzz-mpi-mod',
+            'nssfuzz-mpi-mulmod',
+            'nssfuzz-mpi-sqr',
+            'nssfuzz-mpi-sqrmod',
+            'nssfuzz-mpi-sub',
+            'nssfuzz-mpi-submod',
           ],
         }],
       ],
     }
   ],
 }
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi_add_target.cc
@@ -0,0 +1,42 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * This target fuzzes NSS mpi against openssl bignum.
+ * It therefore requires openssl to be installed.
+ */
+
+#include "mpi_helper.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  // We require at least size 3 to get two integers from Data.
+  if (size < 3) {
+    return 0;
+  }
+  INIT_NUMBERS
+
+  // Compare with OpenSSL addition
+  assert(mp_add(&a, &b, &c) == MP_OKAY);
+  (void)BN_add(C, A, B);
+  check_equal(C, &c, max_size);
+
+  // Check a + b == a - -b
+  mp_neg(&b, &b);
+  assert(mp_sub(&a, &b, &r) == MP_OKAY);
+  bool eq = mp_cmp(&r, &c) == 0;
+  if (!eq) {
+    char rC[max_size], cC[max_size], aC[max_size], bC[max_size];
+    mp_tohex(&r, rC);
+    mp_tohex(&c, cC);
+    mp_tohex(&a, aC);
+    mp_tohex(&b, bC);
+    std::cout << "a = " << std::hex << aC << std::endl;
+    std::cout << "-b = " << std::hex << bC << std::endl;
+    std::cout << "a + b = " << std::hex << cC << std::endl;
+    std::cout << "a - -b = " << std::hex << rC << std::endl;
+  }
+  assert(eq);
+
+  CLEANUP_AND_RETURN
+}
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi_addmod_target.cc
@@ -0,0 +1,27 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * This target fuzzes NSS mpi against openssl bignum.
+ * It therefore requires openssl to be installed.
+ */
+
+#include "mpi_helper.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  // We require at least size 3 to get two integers from Data.
+  if (size < 3) {
+    return 0;
+  }
+  INIT_NUMBERS
+
+  auto modulus = get_modulus(data, size, ctx);
+  // Compare with OpenSSL add mod
+  m1 = &std::get<1>(modulus);
+  assert(mp_addmod(&a, &b, m1, &c) == MP_OKAY);
+  (void)BN_mod_add(C, A, B, std::get<0>(modulus), ctx);
+  check_equal(C, &c, max_size);
+
+  CLEANUP_AND_RETURN
+}
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi_div_target.cc
@@ -0,0 +1,36 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * This target fuzzes NSS mpi against openssl bignum.
+ * It therefore requires openssl to be installed.
+ */
+
+#include "mpi_helper.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  // We require at least size 3 to get two integers from Data.
+  if (size < 3) {
+    return 0;
+  }
+  INIT_NUMBERS
+
+  // We can't divide by 0.
+  if (mp_cmp_z(&b) == 0) {
+    CLEANUP_AND_RETURN
+  }
+
+  // Compare with OpenSSL division
+  assert(mp_div(&a, &b, &c, &r) == MP_OKAY);
+  BN_div(C, R, A, B, ctx);
+  check_equal(C, &c, max_size);
+  check_equal(R, &r, max_size);
+
+  // Check c * b + r == a
+  assert(mp_mul(&c, &b, &c) == MP_OKAY);
+  assert(mp_add(&c, &r, &c) == MP_OKAY);
+  assert(mp_cmp(&c, &a) == 0);
+
+  CLEANUP_AND_RETURN
+}
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi_expmod_target.cc
@@ -0,0 +1,27 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * This target fuzzes NSS mpi against openssl bignum.
+ * It therefore requires openssl to be installed.
+ */
+
+#include "mpi_helper.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  // We require at least size 3 to get two integers from Data.
+  if (size < 3) {
+    return 0;
+  }
+  INIT_NUMBERS
+
+  auto modulus = get_modulus(data, size, ctx);
+  // Compare with OpenSSL exp mod
+  m1 = &std::get<1>(modulus);
+  assert(mp_exptmod(&a, &b, m1, &c) == MP_OKAY);
+  (void)BN_mod_exp(C, A, B, std::get<0>(modulus), ctx);
+  check_equal(C, &c, 2 * max_size);
+
+  CLEANUP_AND_RETURN
+}
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi_helper.cc
@@ -0,0 +1,100 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* Helper functions for MPI fuzzing targets. */
+
+#include "mpi_helper.h"
+#include <cstdlib>
+#include <random>
+
+char *to_char(const uint8_t *x) {
+  return reinterpret_cast<char *>(const_cast<unsigned char *>(x));
+}
+
+// Check that the two numbers are equal.
+void check_equal(BIGNUM *b, mp_int *m, size_t max_size) {
+  char *bnBc = BN_bn2hex(b);
+  char mpiMc[max_size];
+  mp_tohex(m, mpiMc);
+  std::string bnA(bnBc);
+  std::string mpiA(mpiMc);
+  OPENSSL_free(bnBc);
+  // We have to strip leading zeros from bignums, ignoring the sign.
+  if (bnA.at(0) != '-') {
+    bnA.erase(0, std::min(bnA.find_first_not_of('0'), bnA.size() - 1));
+  } else if (bnA.at(1) == '0') {
+    bnA.erase(1, std::min(bnA.find_first_not_of('0', 1) - 1, bnA.size() - 1));
+  }
+
+  if (mpiA != bnA) {
+    std::cout << "openssl: " << std::hex << bnA << std::endl;
+    std::cout << "nss:     " << std::hex << mpiA << std::endl;
+  }
+
+  assert(mpiA == bnA);
+}
+
+// Parse data into two numbers for MPI and OpenSSL Bignum.
+void parse_input(const uint8_t *data, size_t size, BIGNUM *A, BIGNUM *B,
+                 mp_int *a, mp_int *b) {
+  // Note that b might overlap a.
+  size_t len = (size_t)size / 2;
+  assert(mp_read_raw(a, to_char(data), len) == MP_OKAY);
+  assert(mp_read_raw(b, to_char(data) + len, len) == MP_OKAY);
+  // Force a positive sign.
+  // TODO: add tests for negatives.
+  MP_SIGN(a) = MP_ZPOS;
+  MP_SIGN(b) = MP_ZPOS;
+
+  // Skip the first byte as it's interpreted as sign by NSS.
+  assert(BN_bin2bn(data + 1, len - 1, A) != nullptr);
+  assert(BN_bin2bn(data + len + 1, len - 1, B) != nullptr);
+
+  check_equal(A, a, 2 * size + 1);
+  check_equal(B, b, 2 * size + 1);
+}
+
+// Parse data into a number for MPI and OpenSSL Bignum.
+void parse_input(const uint8_t *data, size_t size, BIGNUM *A, mp_int *a) {
+  assert(mp_read_raw(a, to_char(data), size) == MP_OKAY);
+
+  // Force a positive sign.
+  // TODO: add tests for negatives.
+  MP_SIGN(a) = MP_ZPOS;
+
+  // Skip the first byte as it's interpreted as sign by NSS.
+  assert(BN_bin2bn(data + 1, size - 1, A) != nullptr);
+
+  check_equal(A, a, 4 * size + 1);
+}
+
+// Take a chunk in the middle of data and use it as modulus.
+std::tuple<BIGNUM *, mp_int> get_modulus(const uint8_t *data, size_t size,
+                                         BN_CTX *ctx) {
+  BIGNUM *r1 = BN_CTX_get(ctx);
+  mp_int r2;
+  assert(mp_init(&r2) == MP_OKAY);
+
+  size_t len = static_cast<size_t>(size / 4);
+  if (len != 0) {
+    assert(mp_read_raw(&r2, to_char(data + len), len) == MP_OKAY);
+    MP_SIGN(&r2) = MP_ZPOS;
+
+    assert(BN_bin2bn(data + len + 1, len - 1, r1) != nullptr);
+    check_equal(r1, &r2, 2 * len + 1);
+  }
+
+  // If we happen to get 0 for the modulus, take a random number.
+  if (mp_cmp_z(&r2) == 0 || len == 0) {
+    mp_zero(&r2);
+    BN_zero(r1);
+    std::mt19937 rng(data[0]);
+    std::uniform_int_distribution<mp_digit> dist(1, MP_DIGIT_MAX);
+    mp_digit x = dist(rng);
+    mp_add_d(&r2, x, &r2);
+    BN_add_word(r1, x);
+  }
+
+  return std::make_tuple(r1, r2);
+}
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi_helper.h
@@ -0,0 +1,60 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* Helper functions for MPI fuzzing targets. */
+
+#ifndef mpi_helper_h__
+#define mpi_helper_h__
+
+#include <iostream>
+#include <string>
+#include <tuple>
+#include <vector>
+
+#include "hasht.h"
+#include "mpi.h"
+
+#include <openssl/bn.h>
+
+void check_equal(BIGNUM *b, mp_int *m, size_t max_size);
+void parse_input(const uint8_t *data, size_t size, BIGNUM *A, BIGNUM *B,
+                 mp_int *a, mp_int *b);
+void parse_input(const uint8_t *data, size_t size, BIGNUM *A, mp_int *a);
+std::tuple<BIGNUM *, mp_int> get_modulus(const uint8_t *data, size_t size,
+                                         BN_CTX *ctx);
+
+// Initialise MPI and BN variables
+// XXX: Also silence unused variable warnings for R.
+#define INIT_NUMBERS                     \
+  mp_int a, b, c, r;                     \
+  mp_int *m1 = nullptr;                  \
+  BN_CTX *ctx = BN_CTX_new();            \
+  BN_CTX_start(ctx);                     \
+  BIGNUM *A = BN_CTX_get(ctx);           \
+  BIGNUM *B = BN_CTX_get(ctx);           \
+  BIGNUM *C = BN_CTX_get(ctx);           \
+  BIGNUM *R = BN_CTX_get(ctx);           \
+  assert(mp_init(&a) == MP_OKAY);        \
+  assert(mp_init(&b) == MP_OKAY);        \
+  assert(mp_init(&c) == MP_OKAY);        \
+  assert(mp_init(&r) == MP_OKAY);        \
+  size_t max_size = 2 * size + 1;        \
+  parse_input(data, size, A, B, &a, &b); \
+  do {                                   \
+    (void)(R);                           \
+  } while (0);
+
+#define CLEANUP_AND_RETURN \
+  mp_clear(&a);            \
+  mp_clear(&b);            \
+  mp_clear(&c);            \
+  mp_clear(&r);            \
+  if (m1) {                \
+    mp_clear(m1);          \
+  }                        \
+  BN_CTX_end(ctx);         \
+  BN_CTX_free(ctx);        \
+  return 0;
+
+#endif  // mpi_helper_h__
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi_mod_target.cc
@@ -0,0 +1,36 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * This target fuzzes NSS mpi against openssl bignum.
+ * It therefore requires openssl to be installed.
+ */
+
+#include "mpi_helper.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  // We require at least size 3 to get two integers from Data.
+  if (size < 3) {
+    return 0;
+  }
+  INIT_NUMBERS
+
+  // We can't divide by 0.
+  if (mp_cmp_z(&b) == 0) {
+    CLEANUP_AND_RETURN
+  }
+
+  // Compare with OpenSSL mod
+  assert(mp_mod(&a, &b, &c) == MP_OKAY);
+  (void)BN_mod(C, A, B, ctx);
+  check_equal(C, &c, max_size);
+
+  // Check a mod b = a - floor(a / b) * b
+  assert(mp_div(&a, &b, &r, nullptr) == MP_OKAY);
+  assert(mp_mul(&r, &b, &r) == MP_OKAY);
+  assert(mp_sub(&a, &r, &r) == MP_OKAY);
+  assert(mp_cmp(&c, &r) == 0);
+
+  CLEANUP_AND_RETURN
+}
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi_mulmod_target.cc
@@ -0,0 +1,27 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * This target fuzzes NSS mpi against openssl bignum.
+ * It therefore requires openssl to be installed.
+ */
+
+#include "mpi_helper.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  // We require at least size 3 to get two integers from Data.
+  if (size < 3) {
+    return 0;
+  }
+  INIT_NUMBERS
+
+  auto modulus = get_modulus(data, size, ctx);
+  // Compare with OpenSSL mul mod
+  m1 = &std::get<1>(modulus);
+  assert(mp_mulmod(&a, &b, m1, &c) == MP_OKAY);
+  (void)BN_mod_mul(C, A, B, std::get<0>(modulus), ctx);
+  check_equal(C, &c, max_size);
+
+  CLEANUP_AND_RETURN
+}
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi_sqr_target.cc
@@ -0,0 +1,53 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * This target fuzzes NSS mpi against openssl bignum.
+ * It therefore requires openssl to be installed.
+ */
+
+#include "mpi_helper.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  // We require at least size 2 to get an integers from Data.
+  if (size < 2) {
+    return 0;
+  }
+  mp_int a, c, r;
+  BN_CTX *ctx = BN_CTX_new();
+  BN_CTX_start(ctx);
+  BIGNUM *A = BN_CTX_get(ctx);
+  BIGNUM *C = BN_CTX_get(ctx);
+  assert(mp_init(&a) == MP_OKAY);
+  assert(mp_init(&c) == MP_OKAY);
+  assert(mp_init(&r) == MP_OKAY);
+  size_t max_size = 4 * size + 1;
+  parse_input(data, size, A, &a);
+
+  // Compare with OpenSSL sqr
+  assert(mp_sqr(&a, &c) == MP_OKAY);
+  (void)BN_sqr(C, A, ctx);
+  check_equal(C, &c, max_size);
+
+  // Check a * a == a**2
+  assert(mp_mul(&a, &a, &r) == MP_OKAY);
+  bool eq = mp_cmp(&r, &c) == 0;
+  if (!eq) {
+    char rC[max_size], cC[max_size], aC[max_size];
+    mp_tohex(&r, rC);
+    mp_tohex(&c, cC);
+    mp_tohex(&a, aC);
+    std::cout << "a = " << std::hex << aC << std::endl;
+    std::cout << "a * a = " << std::hex << cC << std::endl;
+    std::cout << "a ** 2 = " << std::hex << rC << std::endl;
+  }
+  assert(eq);
+  mp_clear(&a);
+  mp_clear(&c);
+  mp_clear(&r);
+  BN_CTX_end(ctx);
+  BN_CTX_free(ctx);
+
+  return 0;
+}
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi_sqrmod_target.cc
@@ -0,0 +1,51 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * This target fuzzes NSS mpi against openssl bignum.
+ * It therefore requires openssl to be installed.
+ */
+
+#include "mpi_helper.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  // We require at least size 3 to get two integers from Data.
+  if (size < 3) {
+    return 0;
+  }
+  mp_int a, b, c;
+  BN_CTX *ctx = BN_CTX_new();
+  BN_CTX_start(ctx);
+  BIGNUM *A = BN_CTX_get(ctx);
+  BIGNUM *B = BN_CTX_get(ctx);
+  BIGNUM *C = BN_CTX_get(ctx);
+  assert(mp_init(&a) == MP_OKAY);
+  assert(mp_init(&b) == MP_OKAY);
+  assert(mp_init(&c) == MP_OKAY);
+  size_t max_size = 4 * size + 1;
+  parse_input(data, size, A, &a);
+
+  // We can't divide by 0.
+  if (mp_cmp_z(&b) == 0) {
+    mp_clear(&a);
+    mp_clear(&b);
+    mp_clear(&c);
+    BN_CTX_end(ctx);
+    BN_CTX_free(ctx);
+    return 0;
+  }
+
+  // Compare with OpenSSL square mod
+  assert(mp_sqrmod(&a, &b, &c) == MP_OKAY);
+  (void)BN_mod_sqr(C, A, B, ctx);
+  check_equal(C, &c, max_size);
+
+  mp_clear(&a);
+  mp_clear(&b);
+  mp_clear(&c);
+  BN_CTX_end(ctx);
+  BN_CTX_free(ctx);
+
+  return 0;
+}
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi_sub_target.cc
@@ -0,0 +1,42 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * This target fuzzes NSS mpi against openssl bignum.
+ * It therefore requires openssl to be installed.
+ */
+
+#include "mpi_helper.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  // We require at least size 3 to get two integers from Data.
+  if (size < 3) {
+    return 0;
+  }
+  INIT_NUMBERS
+
+  // Compare with OpenSSL subtraction
+  assert(mp_sub(&a, &b, &c) == MP_OKAY);
+  (void)BN_sub(C, A, B);
+  check_equal(C, &c, max_size);
+
+  // Check a - b == a + -b
+  mp_neg(&b, &b);
+  assert(mp_add(&a, &b, &r) == MP_OKAY);
+  bool eq = mp_cmp(&r, &c) == 0;
+  if (!eq) {
+    char rC[max_size], cC[max_size], aC[max_size], bC[max_size];
+    mp_tohex(&r, rC);
+    mp_tohex(&c, cC);
+    mp_tohex(&a, aC);
+    mp_tohex(&b, bC);
+    std::cout << "a = " << std::hex << aC << std::endl;
+    std::cout << "-b = " << std::hex << bC << std::endl;
+    std::cout << "a - b = " << std::hex << cC << std::endl;
+    std::cout << "a + -b = " << std::hex << rC << std::endl;
+  }
+  assert(eq);
+
+  CLEANUP_AND_RETURN
+}
new file mode 100644
--- /dev/null
+++ b/security/nss/fuzz/mpi_submod_target.cc
@@ -0,0 +1,27 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * This target fuzzes NSS mpi against openssl bignum.
+ * It therefore requires openssl to be installed.
+ */
+
+#include "mpi_helper.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  // We require at least size 3 to get two integers from Data.
+  if (size < 3) {
+    return 0;
+  }
+  INIT_NUMBERS
+
+  auto modulus = get_modulus(data, size, ctx);
+  // Compare with OpenSSL sub mod
+  m1 = &std::get<1>(modulus);
+  assert(mp_submod(&a, &b, m1, &c) == MP_OKAY);
+  (void)BN_mod_sub(C, A, B, std::get<0>(modulus), ctx);
+  check_equal(C, &c, 2 * max_size);
+
+  CLEANUP_AND_RETURN
+}
deleted file mode 100644
--- a/security/nss/fuzz/mpi_target.cc
+++ /dev/null
@@ -1,177 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-/*
- * This target fuzzes NSS mpi against openssl bignum.
- * It therefore requires openssl to be installed.
- */
-
-#include <algorithm>
-#include <iostream>
-#include <string>
-
-#include "hasht.h"
-#include "mpi.h"
-#include "shared.h"
-
-#include <openssl/bn.h>
-
-#define CLEAR_NUMS \
-  mp_zero(&c);     \
-  BN_zero(C);      \
-  mp_zero(&r);     \
-  BN_zero(R);
-
-// Check that the two numbers are equal.
-void check_equal(BIGNUM *b, mp_int *m, size_t max_size) {
-  char *bnBc = BN_bn2hex(b);
-  char mpiMc[max_size];
-  mp_tohex(m, mpiMc);
-  std::string bnA(bnBc);
-  std::string mpiA(mpiMc);
-  OPENSSL_free(bnBc);
-  // We have to strip leading zeros from bignums, ignoring the sign.
-  if (bnA.at(0) != '-') {
-    bnA.erase(0, std::min(bnA.find_first_not_of('0'), bnA.size() - 1));
-  } else if (bnA.at(1) == '0') {
-    bnA.erase(1, std::min(bnA.find_first_not_of('0', 1) - 1, bnA.size() - 1));
-  }
-
-  if (mpiA != bnA) {
-    std::cout << "openssl: " << std::hex << bnA << std::endl;
-    std::cout << "nss:     " << std::hex << mpiA << std::endl;
-  }
-
-  assert(mpiA == bnA);
-}
-
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
-  // We require at least size 3 to get two integers from Data.
-  if (size <= 3) {
-    return 0;
-  }
-  size_t max_size = 2 * size + 1;
-
-  mp_int a, b, c, r;
-  BN_CTX *ctx = BN_CTX_new();
-  BN_CTX_start(ctx);
-  BIGNUM *A = BN_CTX_get(ctx);
-  BIGNUM *B = BN_CTX_get(ctx);
-  BIGNUM *C = BN_CTX_get(ctx);
-  BIGNUM *R = BN_CTX_get(ctx);
-  assert(mp_init(&a) == MP_OKAY);
-  assert(mp_init(&b) == MP_OKAY);
-  assert(mp_init(&c) == MP_OKAY);
-  assert(mp_init(&r) == MP_OKAY);
-
-  // Note that b might overlap a.
-  size_t len = (size_t)size / 2;
-  assert(mp_read_raw(
-             &a, reinterpret_cast<char *>(const_cast<unsigned char *>(data)),
-             len) == MP_OKAY);
-  assert(mp_read_raw(
-             &b,
-             reinterpret_cast<char *>(const_cast<unsigned char *>(data)) + len,
-             len) == MP_OKAY);
-  // Force a positive sign.
-  // TODO: add tests for negatives.
-  MP_SIGN(&a) = MP_ZPOS;
-  MP_SIGN(&b) = MP_ZPOS;
-
-  // Skip the first byte as it's interpreted as sign by NSS.
-  assert(BN_bin2bn(data + 1, len - 1, A) != nullptr);
-  assert(BN_bin2bn(data + len + 1, len - 1, B) != nullptr);
-
-  check_equal(A, &a, max_size);
-  check_equal(B, &b, max_size);
-
-  // Addition
-  assert(mp_add(&a, &b, &c) == MP_OKAY);
-  (void)BN_add(C, A, B);
-  check_equal(C, &c, max_size);
-
-  // Subtraction
-  CLEAR_NUMS
-  assert(mp_sub(&a, &b, &c) == MP_OKAY);
-  (void)BN_sub(C, A, B);
-  check_equal(C, &c, max_size);
-
-  // Sqr
-  CLEAR_NUMS
-  assert(mp_sqr(&a, &c) == MP_OKAY);
-  (void)BN_sqr(C, A, ctx);
-  check_equal(C, &c, max_size);
-
-  // We can't divide by 0.
-  if (mp_cmp_z(&b) != 0) {
-    CLEAR_NUMS
-    assert(mp_div(&a, &b, &c, &r) == MP_OKAY);
-    BN_div(C, R, A, B, ctx);
-    check_equal(C, &c, max_size);
-    check_equal(R, &r, max_size);
-
-    // Modulo
-    CLEAR_NUMS
-    assert(mp_mod(&a, &b, &c) == MP_OKAY);
-    (void)BN_mod(C, A, B, ctx);
-    check_equal(C, &c, max_size);
-
-    // Mod sqr
-    CLEAR_NUMS
-    assert(mp_sqrmod(&a, &b, &c) == MP_OKAY);
-    (void)BN_mod_sqr(C, A, B, ctx);
-    check_equal(C, &c, max_size);
-  }
-
-  // Mod add
-  CLEAR_NUMS
-  mp_add(&a, &b, &r);
-  (void)BN_add(R, A, B);
-  assert(mp_addmod(&a, &b, &r, &c) == MP_OKAY);
-  (void)BN_mod_add(C, A, B, R, ctx);
-  check_equal(C, &c, max_size);
-
-  // Mod sub
-  CLEAR_NUMS
-  mp_add(&a, &b, &r);
-  (void)BN_add(R, A, B);
-  assert(mp_submod(&a, &b, &r, &c) == MP_OKAY);
-  (void)BN_mod_sub(C, A, B, R, ctx);
-  check_equal(C, &c, max_size);
-
-  // Mod mul
-  CLEAR_NUMS
-  mp_add(&a, &b, &r);
-  (void)BN_add(R, A, B);
-  assert(mp_mulmod(&a, &b, &r, &c) == MP_OKAY);
-  (void)BN_mod_mul(C, A, B, R, ctx);
-  check_equal(C, &c, max_size);
-
-  // Mod exp
-  // NOTE: This must be the last test as we change b!
-  CLEAR_NUMS
-  mp_add(&a, &b, &r);
-  mp_add_d(&r, 1, &r);  // NSS doesn't allow 0 as modulus here.
-  size_t num = MP_USED(&b) * MP_DIGIT_BIT;
-  mp_div_2d(&b, num, &b, nullptr);  // make the exponent smaller, larger
-                                    // exponents need too much memory
-  MP_USED(&b) = 1;
-  (void)BN_add(R, A, B);
-  BN_add_word(R, 1);
-  BN_rshift(B, B, num);
-  check_equal(B, &b, max_size);
-  assert(mp_exptmod(&a, &b, &r, &c) == MP_OKAY);
-  (void)BN_mod_exp(C, A, B, R, ctx);
-  check_equal(C, &c, max_size);
-
-  mp_clear(&a);
-  mp_clear(&b);
-  mp_clear(&c);
-  mp_clear(&r);
-
-  BN_CTX_end(ctx);
-  BN_CTX_free(ctx);
-
-  return 0;
-}
--- a/security/nss/gtests/ssl_gtest/ssl_hrr_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_hrr_unittest.cc
@@ -62,16 +62,97 @@ TEST_P(TlsConnectTls13, HelloRetryReques
   // Complete the handshake successfully
   Handshake();
   ExpectEarlyDataAccepted(false);  // The server should reject 0-RTT
   CheckConnected();
   SendReceive();
   EXPECT_FALSE(capture_early_data->captured());
 }
 
+// This filter only works for DTLS 1.3 where there is exactly one handshake
+// packet. If the record is split into two packets, or there are multiple
+// handshake packets, this will break.
+class CorrectMessageSeqAfterHrrFilter : public TlsRecordFilter {
+ protected:
+  PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
+                                    const DataBuffer& record, size_t* offset,
+                                    DataBuffer* output) {
+    if (filtered_packets() > 0 || header.content_type() != content_handshake) {
+      return KEEP;
+    }
+
+    DataBuffer buffer(record);
+    TlsRecordHeader new_header = {header.version(), header.content_type(),
+                                  header.sequence_number() + 1};
+
+    // Correct message_seq.
+    buffer.Write(4, 1U, 2);
+
+    *offset = new_header.Write(output, *offset, buffer);
+    return CHANGE;
+  }
+};
+
+TEST_P(TlsConnectTls13, SecondClientHelloRejectEarlyDataXtn) {
+  static const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1,
+                                                    ssl_grp_ec_secp521r1};
+
+  SetupForZeroRtt();
+  ExpectResumption(RESUME_TICKET);
+
+  client_->ConfigNamedGroups(groups);
+  server_->ConfigNamedGroups(groups);
+  client_->Set0RttEnabled(true);
+  server_->Set0RttEnabled(true);
+
+  // A new client that tries to resume with 0-RTT but doesn't send the
+  // correct key share(s). The server will respond with an HRR.
+  auto orig_client =
+      std::make_shared<TlsAgent>(client_->name(), TlsAgent::CLIENT, mode_);
+  client_.swap(orig_client);
+  client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
+                           SSL_LIBRARY_VERSION_TLS_1_3);
+  client_->ConfigureSessionCache(RESUME_BOTH);
+  client_->Set0RttEnabled(true);
+  client_->StartConnect();
+
+  // Swap in the new client.
+  client_->SetPeer(server_);
+  server_->SetPeer(client_);
+
+  // Send the ClientHello.
+  client_->Handshake();
+  // Process the CH, send an HRR.
+  server_->Handshake();
+
+  // Swap the client we created manually with the one that successfully
+  // received a PSK, and try to resume with 0-RTT. The client doesn't know
+  // about the HRR so it will send the early_data xtn as well as 0-RTT data.
+  client_.swap(orig_client);
+  orig_client.reset();
+
+  // Correct the DTLS message sequence number after an HRR.
+  if (mode_ == DGRAM) {
+    client_->SetPacketFilter(
+        std::make_shared<CorrectMessageSeqAfterHrrFilter>());
+  }
+
+  server_->SetPeer(client_);
+  client_->Handshake();
+
+  // Send 0-RTT data.
+  const char* k0RttData = "ABCDEF";
+  const PRInt32 k0RttDataLen = static_cast<PRInt32>(strlen(k0RttData));
+  PRInt32 rv = PR_Write(client_->ssl_fd(), k0RttData, k0RttDataLen);
+  EXPECT_EQ(k0RttDataLen, rv);
+
+  Handshake();
+  client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT);
+}
+
 class KeyShareReplayer : public TlsExtensionFilter {
  public:
   KeyShareReplayer() {}
 
   virtual PacketFilter::Action FilterExtension(uint16_t extension_type,
                                                const DataBuffer& input,
                                                DataBuffer* output) {
     if (extension_type != ssl_tls13_key_share_xtn) {
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -186,16 +186,17 @@ CKA_VALUE MULTILINE_OCTAL
 \034\161\142\356\312\310\227\254\027\135\212\302\370\107\206\156
 \052\304\126\061\225\320\147\211\205\053\371\154\246\135\106\235
 \014\252\202\344\231\121\335\160\267\333\126\075\141\344\152\341
 \134\326\366\376\075\336\101\314\007\256\143\122\277\123\123\364
 \053\351\307\375\266\367\202\137\205\322\101\030\333\201\263\004
 \034\305\037\244\200\157\025\040\311\336\014\210\012\035\326\146
 \125\342\374\110\311\051\046\151\340
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "GlobalSign Root CA"
 # Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
 # Serial Number:04:00:00:00:00:01:15:4b:5a:c3:94
 # Subject: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
 # Not Valid Before: Tue Sep 01 12:00:00 1998
 # Not Valid After : Fri Jan 28 12:00:00 2028
 # Fingerprint (MD5): 3E:45:52:15:09:51:92:E1:B7:5D:37:9F:B1:87:29:8A
@@ -319,16 +320,17 @@ CKA_VALUE MULTILINE_OCTAL
 \176\273\363\171\030\221\273\364\157\235\301\360\214\065\214\135
 \001\373\303\155\271\357\104\155\171\106\061\176\012\376\251\202
 \301\377\357\253\156\040\304\120\311\137\235\115\233\027\214\014
 \345\001\311\240\101\152\163\123\372\245\120\264\156\045\017\373
 \114\030\364\375\122\331\216\151\261\350\021\017\336\210\330\373
 \035\111\367\252\336\225\317\040\170\302\140\022\333\045\100\214
 \152\374\176\102\070\100\144\022\367\236\201\341\223\056
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "GlobalSign Root CA - R2"
 # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
 # Serial Number:04:00:00:00:00:01:0f:86:26:e6:0d
 # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
 # Not Valid Before: Fri Dec 15 08:00:00 2006
 # Not Valid After : Wed Dec 15 08:00:00 2021
 # Fingerprint (MD5): 94:14:77:7E:3E:5E:FD:8F:30:BD:41:B0:CF:E7:D0:30
@@ -474,16 +476,17 @@ CKA_VALUE MULTILINE_OCTAL
 \114\015\046\145\342\104\200\036\307\237\343\335\350\012\332\354
 \245\040\200\151\150\241\117\176\341\153\317\007\101\372\203\216
 \274\070\335\260\056\021\261\153\262\102\314\232\274\371\110\042
 \171\112\031\017\262\034\076\040\164\331\152\303\276\362\050\170
 \023\126\171\117\155\120\352\033\260\265\127\261\067\146\130\043
 \363\334\017\337\012\207\304\357\206\005\325\070\024\140\231\243
 \113\336\006\226\161\054\362\333\266\037\244\357\077\356
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
 # Issuer: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:00:8b:5b:75:56:84:54:85:0b:00:cf:af:38:48:ce:b1:a4
 # Subject: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Not Valid Before: Fri Oct 01 00:00:00 1999
 # Not Valid After : Wed Jul 16 23:59:59 2036
 # Fingerprint (MD5): B1:47:BC:18:57:D1:18:A0:78:2D:EC:71:E8:2A:95:73
@@ -638,16 +641,17 @@ CKA_VALUE MULTILINE_OCTAL
 \301\062\163\042\041\213\130\201\173\025\221\172\272\343\144\110
 \260\177\373\066\045\332\225\320\361\044\024\027\335\030\200\153
 \106\043\071\124\365\216\142\011\004\035\224\220\246\233\346\045
 \342\102\105\252\270\220\255\276\010\217\251\013\102\030\224\317
 \162\071\341\261\103\340\050\317\267\347\132\154\023\153\111\263
 \377\343\030\174\211\213\063\135\254\063\327\247\371\332\072\125
 \311\130\020\371\252\357\132\266\317\113\113\337\052
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
 # Issuer: CN=VeriSign Class 2 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:61:70:cb:49:8c:5f:98:45:29:e7:b0:a6:d9:50:5b:7a
 # Subject: CN=VeriSign Class 2 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Not Valid Before: Fri Oct 01 00:00:00 1999
 # Not Valid After : Wed Jul 16 23:59:59 2036
 # Fingerprint (MD5): F8:BE:C4:63:22:C9:A8:46:74:8B:B8:1D:1E:4A:2B:F6
@@ -802,16 +806,17 @@ CKA_VALUE MULTILINE_OCTAL
 \022\032\022\150\270\373\146\231\024\024\105\134\256\347\256\151
 \027\201\053\132\067\311\136\052\364\306\342\241\134\124\233\246
 \124\000\317\360\361\301\307\230\060\032\073\066\026\333\243\156
 \352\375\255\262\302\332\357\002\107\023\212\300\361\263\061\255
 \117\034\341\117\234\257\017\014\235\367\170\015\330\364\065\126
 \200\332\267\155\027\217\235\036\201\144\341\376\305\105\272\255
 \153\271\012\172\116\117\113\204\356\113\361\175\335\021
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
 # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:00:9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57
 # Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Not Valid Before: Fri Oct 01 00:00:00 1999
 # Not Valid After : Wed Jul 16 23:59:59 2036
 # Fingerprint (MD5): CD:68:B6:A7:C7:C4:CE:75:E0:1D:4F:57:44:61:92:09
@@ -1076,16 +1081,17 @@ CKA_VALUE MULTILINE_OCTAL
 \273\377\043\357\150\031\313\022\223\047\134\003\055\157\060\320
 \036\266\032\254\336\132\367\321\252\250\047\246\376\171\201\304
 \171\231\063\127\272\022\260\251\340\102\154\223\312\126\336\376
 \155\204\013\010\213\176\215\352\327\230\041\306\363\347\074\171
 \057\136\234\321\114\025\215\341\354\042\067\314\232\103\013\227
 \334\200\220\215\263\147\233\157\110\010\025\126\317\277\361\053
 \174\136\232\166\351\131\220\305\174\203\065\021\145\121
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Entrust.net Premium 2048 Secure Server CA"
 # Issuer: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
 # Serial Number: 946069240 (0x3863def8)
 # Subject: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
 # Not Valid Before: Fri Dec 24 17:50:51 1999
 # Not Valid After : Tue Jul 24 14:15:12 2029
 # Fingerprint (MD5): EE:29:31:BC:32:7E:9A:E6:E8:B5:F7:51:B4:34:71:90
@@ -1213,16 +1219,17 @@ CKA_VALUE MULTILINE_OCTAL
 \056\310\244\236\116\010\024\113\155\375\160\155\153\032\143\275
 \144\346\037\267\316\360\362\237\056\273\033\267\362\120\210\163
 \222\302\342\343\026\215\232\062\002\253\216\030\335\351\020\021
 \356\176\065\253\220\257\076\060\224\172\320\063\075\247\145\017
 \365\374\216\236\142\317\107\104\054\001\135\273\035\265\062\322
 \107\322\070\056\320\376\201\334\062\152\036\265\356\074\325\374
 \347\201\035\031\303\044\102\352\143\071\251
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Baltimore CyberTrust Root"
 # Issuer: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
 # Serial Number: 33554617 (0x20000b9)
 # Subject: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
 # Not Valid Before: Fri May 12 18:46:00 2000
 # Not Valid After : Mon May 12 23:59:00 2025
 # Fingerprint (MD5): AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
@@ -1356,16 +1363,17 @@ CKA_VALUE MULTILINE_OCTAL
 \213\375\273\034\126\066\362\376\262\266\345\166\273\325\042\145
 \247\077\376\321\146\255\013\274\153\231\206\357\077\175\363\030
 \062\312\173\306\343\253\144\106\225\370\046\151\331\125\203\173
 \054\226\007\377\131\054\104\243\306\345\351\251\334\241\143\200
 \132\041\136\041\317\123\124\360\272\157\211\333\250\252\225\317
 \213\343\161\314\036\033\040\104\010\300\172\266\100\375\304\344
 \065\341\035\026\034\320\274\053\216\326\161\331
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "AddTrust Low-Value Services Root"
 # Issuer: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
 # Serial Number: 1 (0x1)
 # Subject: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
 # Not Valid Before: Tue May 30 10:38:31 2000
 # Not Valid After : Sat May 30 10:38:31 2020
 # Fingerprint (MD5): 1E:42:95:02:33:92:6B:B9:5F:C0:7F:DA:D6:B2:4B:FC
@@ -1504,16 +1512,17 @@ CKA_VALUE MULTILINE_OCTAL
 \335\217\212\303\366\366\214\032\102\005\121\324\105\365\237\247
 \142\041\150\025\040\103\074\231\347\174\275\044\330\251\221\027
 \163\210\077\126\033\061\070\030\264\161\017\232\315\310\016\236
 \216\056\033\341\214\230\203\313\037\061\361\104\114\306\004\163
 \111\166\140\017\307\370\275\027\200\153\056\351\314\114\016\132
 \232\171\017\040\012\056\325\236\143\046\036\125\222\224\330\202
 \027\132\173\320\274\307\217\116\206\004
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "AddTrust External Root"
 # Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
 # Serial Number: 1 (0x1)
 # Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
 # Not Valid Before: Tue May 30 10:48:38 2000
 # Not Valid After : Sat May 30 10:48:38 2020
 # Fingerprint (MD5): 1D:35:54:04:85:78:B0:3F:42:42:4D:BF:20:73:0A:3F
@@ -1649,16 +1658,17 @@ CKA_VALUE MULTILINE_OCTAL
 \330\032\214\307\355\234\116\232\340\022\273\265\152\114\204\341
 \341\042\015\207\000\144\376\214\175\142\071\145\246\357\102\266
 \200\045\022\141\001\250\044\023\160\000\021\046\137\372\065\120
 \305\110\314\006\107\350\047\330\160\215\137\144\346\241\104\046
 \136\042\354\222\315\377\102\232\104\041\155\134\305\343\042\035
 \137\107\022\347\316\137\135\372\330\252\261\063\055\331\166\362
 \116\072\063\014\053\263\055\220\006
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "AddTrust Public Services Root"
 # Issuer: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
 # Serial Number: 1 (0x1)
 # Subject: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
 # Not Valid Before: Tue May 30 10:41:50 2000
 # Not Valid After : Sat May 30 10:41:50 2020
 # Fingerprint (MD5): C1:62:3E:23:C5:82:73:9C:03:59:4B:2B:E9:77:49:7F
@@ -1794,16 +1804,17 @@ CKA_VALUE MULTILINE_OCTAL
 \077\240\261\007\326\351\117\334\336\105\161\060\062\177\033\056
 \011\371\277\122\241\356\302\200\076\006\134\056\125\100\301\033
 \365\160\105\260\334\135\372\366\162\132\167\322\143\315\317\130
 \211\000\102\143\077\171\071\320\104\260\202\156\101\031\350\335
 \340\301\210\132\321\036\161\223\037\044\060\164\345\036\250\336
 \074\047\067\177\203\256\236\167\317\360\060\261\377\113\231\350
 \306\241
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "AddTrust Qualified Certificates Root"
 # Issuer: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
 # Serial Number: 1 (0x1)
 # Subject: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
 # Not Valid Before: Tue May 30 10:44:50 2000
 # Not Valid After : Sat May 30 10:44:50 2020
 # Fingerprint (MD5): 27:EC:39:47:CD:DA:5A:AF:E2:9A:01:65:21:A9:4C:BB
@@ -1956,16 +1967,17 @@ CKA_VALUE MULTILINE_OCTAL
 \175\352\261\355\060\045\301\204\332\064\322\133\170\203\126\354
 \234\066\303\046\342\021\366\147\111\035\222\253\214\373\353\377
 \172\356\205\112\247\120\200\360\247\134\112\224\056\137\005\231
 \074\122\101\340\315\264\143\317\001\103\272\234\203\334\217\140
 \073\363\132\264\264\173\256\332\013\220\070\165\357\201\035\146
 \322\367\127\160\066\263\277\374\050\257\161\045\205\133\023\376
 \036\177\132\264\074
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Entrust Root Certification Authority"
 # Issuer: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US
 # Serial Number: 1164660820 (0x456b5054)
 # Subject: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US
 # Not Valid Before: Mon Nov 27 20:23:42 2006
 # Not Valid After : Fri Nov 27 20:53:42 2026
 # Fingerprint (MD5): D6:A5:C3:ED:5D:DD:3E:00:C1:3D:87:92:1F:1D:3F:E4
@@ -2089,16 +2101,17 @@ CKA_VALUE MULTILINE_OCTAL
 \270\234\344\035\266\253\346\224\245\301\307\203\255\333\365\047
 \207\016\004\154\325\377\335\240\135\355\207\122\267\053\025\002
 \256\071\246\152\164\351\332\304\347\274\115\064\036\251\134\115
 \063\137\222\011\057\210\146\135\167\227\307\035\166\023\251\325
 \345\361\026\011\021\065\325\254\333\044\161\160\054\230\126\013
 \331\027\264\321\343\121\053\136\165\350\325\320\334\117\064\355
 \302\005\146\200\241\313\346\063
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "GeoTrust Global CA"
 # Issuer: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
 # Serial Number: 144470 (0x23456)
 # Subject: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
 # Not Valid Before: Tue May 21 04:00:00 2002
 # Not Valid After : Sat May 21 04:00:00 2022
 # Fingerprint (MD5): F7:75:AB:29:FB:51:4E:B7:77:5E:FF:05:3C:99:8E:F5
@@ -2216,16 +2229,17 @@ CKA_VALUE MULTILINE_OCTAL
 \151\266\362\377\341\032\320\014\321\166\205\313\212\045\275\227
 \136\054\157\025\231\046\347\266\051\377\042\354\311\002\307\126
 \000\315\111\271\263\154\173\123\004\032\342\250\311\252\022\005
 \043\302\316\347\273\004\002\314\300\107\242\344\304\051\057\133
 \105\127\211\121\356\074\353\122\010\377\007\065\036\237\065\152
 \107\112\126\230\321\132\205\037\214\365\042\277\253\316\203\363
 \342\042\051\256\175\203\100\250\272\154
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "GeoTrust Global CA 2"
 # Issuer: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US
 # Serial Number: 1 (0x1)
 # Subject: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US
 # Not Valid Before: Thu Mar 04 05:00:00 2004
 # Not Valid After : Mon Mar 04 05:00:00 2019
 # Fingerprint (MD5): 0E:40:A7:6C:DE:03:5D:8F:D1:0F:E4:D1:8D:F9:6C:A9
@@ -2375,16 +2389,17 @@ CKA_VALUE MULTILINE_OCTAL
 \121\173\327\251\234\006\241\066\335\325\211\224\274\331\344\055
 \014\136\011\154\010\227\174\243\075\174\223\377\077\241\024\247
 \317\265\135\353\333\333\034\304\166\337\210\271\275\105\005\225
 \033\256\374\106\152\114\257\110\343\316\256\017\322\176\353\346
 \154\234\117\201\152\172\144\254\273\076\325\347\313\166\056\305
 \247\110\301\134\220\017\313\310\077\372\346\062\341\215\033\157
 \244\346\216\330\371\051\110\212\316\163\376\054
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "GeoTrust Universal CA"
 # Issuer: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US
 # Serial Number: 1 (0x1)
 # Subject: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US
 # Not Valid Before: Thu Mar 04 05:00:00 2004
 # Not Valid After : Sun Mar 04 05:00:00 2029
 # Fingerprint (MD5): 92:65:58:8B:A2:1A:31:72:73:68:5C:B4:A5:7A:07:48
@@ -2534,16 +2549,17 @@ CKA_VALUE MULTILINE_OCTAL
 \227\124\167\332\075\022\267\340\036\357\010\006\254\371\205\207
 \351\242\334\257\176\030\022\203\375\126\027\101\056\325\051\202
 \175\231\364\061\366\161\251\317\054\001\047\245\005\271\252\262
 \110\116\052\357\237\223\122\121\225\074\122\163\216\126\114\027
 \100\300\011\050\344\213\152\110\123\333\354\315\125\125\361\306
 \370\351\242\054\114\246\321\046\137\176\257\132\114\332\037\246
 \362\034\054\176\256\002\026\322\126\320\057\127\123\107\350\222
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "GeoTrust Universal CA 2"
 # Issuer: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US
 # Serial Number: 1 (0x1)
 # Subject: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US
 # Not Valid Before: Thu Mar 04 05:00:00 2004
 # Not Valid After : Sun Mar 04 05:00:00 2029
 # Fingerprint (MD5): 34:FC:B8:D0:36:DB:9E:14:B3:C2:F2:DB:8F:E4:94:C7
@@ -2670,16 +2686,17 @@ CKA_VALUE MULTILINE_OCTAL
 \022\074\154\151\227\333\256\137\071\232\160\057\005\074\031\106
 \004\231\040\066\320\140\156\141\006\273\026\102\214\160\367\060
 \373\340\333\146\243\000\001\275\346\054\332\221\137\240\106\213
 \115\152\234\075\075\335\005\106\376\166\277\240\012\074\344\000
 \346\047\267\377\204\055\336\272\042\047\226\020\161\353\042\355
 \337\337\063\234\317\343\255\256\216\324\216\346\117\121\257\026
 \222\340\134\366\007\017
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Visa eCommerce Root"
 # Issuer: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
 # Serial Number:13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62
 # Subject: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
 # Not Valid Before: Wed Jun 26 02:18:36 2002
 # Not Valid After : Fri Jun 24 00:16:12 2022
 # Fingerprint (MD5): FC:11:B8:D8:08:93:30:00:6D:23:F9:7E:EB:52:1E:02
@@ -2792,16 +2809,17 @@ CKA_VALUE MULTILINE_OCTAL
 \012\072\223\023\233\073\024\043\023\143\234\077\321\207\047\171
 \345\114\121\343\001\255\205\135\032\073\261\325\163\020\244\323
 \362\274\156\144\365\132\126\220\250\307\016\114\164\017\056\161
 \073\367\310\107\364\151\157\025\362\021\136\203\036\234\174\122
 \256\375\002\332\022\250\131\147\030\333\274\160\335\233\261\151
 \355\200\316\211\100\110\152\016\065\312\051\146\025\041\224\054
 \350\140\052\233\205\112\100\363\153\212\044\354\006\026\054\163
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Certum Root CA"
 # Issuer: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
 # Serial Number: 65568 (0x10020)
 # Subject: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
 # Not Valid Before: Tue Jun 11 10:46:39 2002
 # Not Valid After : Fri Jun 11 10:46:39 2027
 # Fingerprint (MD5): 2C:8F:9F:66:1D:18:90:B1:47:26:9D:8E:86:82:8C:A9
@@ -2937,16 +2955,17 @@ CKA_VALUE MULTILINE_OCTAL
 \154\354\351\041\163\354\233\003\241\340\067\255\240\025\030\217
 \372\272\002\316\247\054\251\020\023\054\324\345\010\046\253\042
 \227\140\370\220\136\164\324\242\232\123\275\362\251\150\340\242
 \156\302\327\154\261\243\017\236\277\353\150\347\126\362\256\362
 \343\053\070\072\011\201\265\153\205\327\276\055\355\077\032\267
 \262\143\342\365\142\054\202\324\152\000\101\120\361\071\203\237
 \225\351\066\226\230\156
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Comodo AAA Services root"
 # Issuer: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Serial Number: 1 (0x1)
 # Subject: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Not Valid Before: Thu Jan 01 00:00:00 2004
 # Not Valid After : Sun Dec 31 23:59:59 2028
 # Fingerprint (MD5): 49:79:04:B0:EB:87:19:AC:47:B0:BC:11:51:9B:74:D0
@@ -3087,16 +3106,17 @@ CKA_VALUE MULTILINE_OCTAL
 \223\367\252\023\313\322\023\342\267\056\073\315\153\120\027\011
 \150\076\265\046\127\356\266\340\266\335\271\051\200\171\175\217
 \243\360\244\050\244\025\304\205\364\047\324\153\277\345\134\344
 \145\002\166\124\264\343\067\146\044\323\031\141\310\122\020\345
 \213\067\232\271\251\371\035\277\352\231\222\141\226\377\001\315
 \241\137\015\274\161\274\016\254\013\035\107\105\035\301\354\174
 \354\375\051
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Comodo Secure Services root"
 # Issuer: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Serial Number: 1 (0x1)
 # Subject: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Not Valid Before: Thu Jan 01 00:00:00 2004
 # Not Valid After : Sun Dec 31 23:59:59 2028
 # Fingerprint (MD5): D3:D9:BD:AE:9F:AC:67:24:B3:C8:1B:52:E1:B9:A9:BD
@@ -3239,16 +3259,17 @@ CKA_VALUE MULTILINE_OCTAL
 \201\170\057\050\300\176\323\314\102\012\365\256\120\240\321\076
 \306\241\161\354\077\240\040\214\146\072\211\264\216\324\330\261
 \115\045\107\356\057\210\310\265\341\005\105\300\276\024\161\336
 \172\375\216\173\175\115\010\226\245\022\163\360\055\312\067\047
 \164\022\047\114\313\266\227\351\331\256\010\155\132\071\100\335
 \005\107\165\152\132\041\263\243\030\317\116\367\056\127\267\230
 \160\136\310\304\170\260\142
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Comodo Trusted Services root"
 # Issuer: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Serial Number: 1 (0x1)
 # Subject: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Not Valid Before: Thu Jan 01 00:00:00 2004
 # Not Valid After : Sun Dec 31 23:59:59 2028
 # Fingerprint (MD5): 91:1B:3F:6E:CD:9E:AB:EE:07:FE:1F:71:D2:B3:61:27
@@ -3417,16 +3438,17 @@ CKA_VALUE MULTILINE_OCTAL
 \231\003\072\212\314\124\045\071\061\201\173\023\042\121\272\106
 \154\241\273\236\372\004\154\111\046\164\217\322\163\353\314\060
 \242\346\352\131\042\207\370\227\365\016\375\352\314\222\244\026
 \304\122\030\352\041\316\261\361\346\204\201\345\272\251\206\050
 \362\103\132\135\022\235\254\036\331\250\345\012\152\247\177\240
 \207\051\317\362\211\115\324\354\305\342\346\172\320\066\043\212
 \112\164\066\371
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "QuoVadis Root CA"
 # Issuer: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM
 # Serial Number: 985026699 (0x3ab6508b)
 # Subject: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM
 # Not Valid Before: Mon Mar 19 18:33:33 2001
 # Not Valid After : Wed Mar 17 18:33:33 2021
 # Fingerprint (MD5): 27:DE:36:FE:72:B7:00:03:00:9D:F4:F0:1E:6C:04:24
@@ -3585,16 +3607,17 @@ CKA_VALUE MULTILINE_OCTAL
 \226\136\234\307\357\047\142\010\342\221\031\134\322\361\041\335
 \272\027\102\202\227\161\201\123\061\251\237\366\175\142\277\162
 \341\243\223\035\314\212\046\132\011\070\320\316\327\015\200\026
 \264\170\245\072\207\114\215\212\245\325\106\227\362\054\020\271
 \274\124\042\300\001\120\151\103\236\364\262\357\155\370\354\332
 \361\343\261\357\337\221\217\124\052\013\045\301\046\031\304\122
 \020\005\145\325\202\020\352\302\061\315\056
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "QuoVadis Root CA 2"
 # Issuer: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
 # Serial Number: 1289 (0x509)
 # Subject: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
 # Not Valid Before: Fri Nov 24 18:27:00 2006
 # Not Valid After : Mon Nov 24 18:23:33 2031
 # Fingerprint (MD5): 5E:39:7B:DD:F8:BA:EC:82:E9:AC:62:BA:0C:54:00:2B
@@ -3764,16 +3787,17 @@ CKA_VALUE MULTILINE_OCTAL
 \340\164\053\262\353\175\276\101\033\265\300\106\305\241\042\313
 \137\116\301\050\222\336\030\272\325\052\050\273\021\213\027\223
 \230\231\140\224\134\043\317\132\047\227\136\013\005\006\223\067
 \036\073\151\066\353\251\236\141\035\217\062\332\216\014\326\164
 \076\173\011\044\332\001\167\107\304\073\315\064\214\231\365\312
 \341\045\141\063\262\131\033\342\156\327\067\127\266\015\251\022
 \332
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "QuoVadis Root CA 3"
 # Issuer: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM
 # Serial Number: 1478 (0x5c6)
 # Subject: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM
 # Not Valid Before: Fri Nov 24 19:11:23 2006
 # Not Valid After : Mon Nov 24 19:06:44 2031
 # Fingerprint (MD5): 31:85:3C:62:94:97:63:B9:AA:FD:89:4E:AF:6F:E0:CF
@@ -3892,16 +3916,17 @@ CKA_VALUE MULTILINE_OCTAL
 \161\245\062\252\057\306\211\166\103\100\023\023\147\075\242\124
 \045\020\313\361\072\362\331\372\333\111\126\273\246\376\247\101
 \065\303\340\210\141\311\210\307\337\066\020\042\230\131\352\260
 \112\373\126\026\163\156\254\115\367\042\241\117\255\035\172\055
 \105\047\345\060\301\136\362\332\023\313\045\102\121\225\107\003
 \214\154\041\314\164\102\355\123\377\063\213\217\017\127\001\026
 \057\317\246\356\311\160\042\024\275\375\276\154\013\003
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Security Communication Root CA"
 # Issuer: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP
 # Serial Number: 0 (0x0)
 # Subject: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP
 # Not Valid Before: Tue Sep 30 04:20:49 2003
 # Not Valid After : Sat Sep 30 04:20:49 2023
 # Fingerprint (MD5): F1:BC:63:6A:54:E0:B5:27:F5:CD:E7:1A:E3:4D:6E:4A
@@ -4014,16 +4039,17 @@ CKA_VALUE MULTILINE_OCTAL
 \066\276\246\133\015\152\154\232\037\221\173\371\371\357\102\272
 \116\116\236\314\014\215\224\334\331\105\234\136\354\102\120\143
 \256\364\135\304\261\022\334\312\073\250\056\235\024\132\005\165
 \267\354\327\143\342\272\065\266\004\010\221\350\332\235\234\366
 \146\265\030\254\012\246\124\046\064\063\322\033\301\324\177\032
 \072\216\013\252\062\156\333\374\117\045\237\331\062\307\226\132
 \160\254\337\114
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Sonera Class 2 Root CA"
 # Issuer: CN=Sonera Class2 CA,O=Sonera,C=FI
 # Serial Number: 29 (0x1d)
 # Subject: CN=Sonera Class2 CA,O=Sonera,C=FI
 # Not Valid Before: Fri Apr 06 07:29:40 2001
 # Not Valid After : Tue Apr 06 07:29:40 2021
 # Fingerprint (MD5): A3:EC:75:0F:2E:88:DF:FA:48:01:4E:0B:5C:48:6F:FB
@@ -4175,16 +4201,17 @@ CKA_VALUE MULTILINE_OCTAL
 \211\272\061\035\305\020\150\122\236\337\242\205\305\134\010\246
 \170\346\123\117\261\350\267\323\024\236\223\246\303\144\343\254
 \176\161\315\274\237\351\003\033\314\373\351\254\061\301\257\174
 \025\164\002\231\303\262\107\246\302\062\141\327\307\157\110\044
 \121\047\241\325\207\125\362\173\217\230\075\026\236\356\165\266
 \370\320\216\362\363\306\256\050\133\247\360\363\066\027\374\303
 \005\323\312\003\112\124
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "UTN USERFirst Email Root CA"
 # Issuer: CN=UTN-USERFirst-Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
 # Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:25:25:67:c9:89
 # Subject: CN=UTN-USERFirst-Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
 # Not Valid Before: Fri Jul 09 17:28:50 1999
 # Not Valid After : Tue Jul 09 17:36:58 2019
 # Fingerprint (MD5): D7:34:3D:EF:1D:27:09:28:E1:31:02:5B:13:2B:DD:F7
@@ -4338,16 +4365,17 @@ CKA_VALUE MULTILINE_OCTAL
 \370\323\157\133\036\226\343\340\164\167\164\173\212\242\156\055
 \335\166\326\071\060\202\360\253\234\122\362\052\307\257\111\136
 \176\307\150\345\202\201\310\152\047\371\047\210\052\325\130\120
 \225\037\360\073\034\127\273\175\024\071\142\053\232\311\224\222
 \052\243\042\014\377\211\046\175\137\043\053\107\327\025\035\251
 \152\236\121\015\052\121\236\201\371\324\073\136\160\022\177\020
 \062\234\036\273\235\370\146\250
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "UTN USERFirst Hardware Root CA"
 # Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
 # Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2a:fe:65:0a:fd
 # Subject: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
 # Not Valid Before: Fri Jul 09 18:10:42 1999
 # Not Valid After : Tue Jul 09 18:19:22 2019
 # Fingerprint (MD5): 4C:56:41:E5:0D:BB:2B:E8:CA:A3:ED:18:08:AD:43:39
@@ -4498,16 +4526,17 @@ CKA_VALUE MULTILINE_OCTAL
 \261\104\252\152\317\027\172\317\157\017\324\370\044\125\137\360
 \064\026\111\146\076\120\106\311\143\161\070\061\142\270\142\271
 \363\123\255\154\265\053\242\022\252\031\117\011\332\136\347\223
 \306\216\024\010\376\360\060\200\030\240\206\205\115\310\175\327
 \213\003\376\156\325\367\235\026\254\222\054\240\043\345\234\221
 \122\037\224\337\027\224\163\303\263\301\301\161\005\040\000\170
 \275\023\122\035\250\076\315\000\037\310
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "UTN USERFirst Object Root CA"
 # Issuer: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
 # Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2d:e0:b3:5f:1b
 # Subject: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
 # Not Valid Before: Fri Jul 09 18:31:20 1999
 # Not Valid After : Tue Jul 09 18:40:36 2019
 # Fingerprint (MD5): A7:F2:E4:16:06:41:11:50:30:6B:9C:E3:B4:9C:B0:C9
@@ -4661,16 +4690,17 @@ CKA_VALUE MULTILINE_OCTAL
 \210\351\007\106\101\316\357\101\201\256\130\337\203\242\256\312
 \327\167\037\347\000\074\235\157\216\344\062\011\035\115\170\064
 \170\064\074\224\233\046\355\117\161\306\031\172\275\040\042\110
 \132\376\113\175\003\267\347\130\276\306\062\116\164\036\150\335
 \250\150\133\263\076\356\142\175\331\200\350\012\165\172\267\356
 \264\145\232\041\220\340\252\320\230\274\070\265\163\074\213\370
 \334
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Camerfirma Chambers of Commerce Root"
 # Issuer: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
 # Serial Number: 0 (0x0)
 # Subject: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
 # Not Valid Before: Tue Sep 30 16:13:43 2003
 # Not Valid After : Wed Sep 30 16:13:44 2037
 # Fingerprint (MD5): B0:01:EE:14:D9:AF:29:18:94:76:8E:F1:69:33:2A:84
@@ -4820,16 +4850,17 @@ CKA_VALUE MULTILINE_OCTAL
 \222\025\323\137\076\306\000\111\072\156\130\262\321\321\047\015
 \045\310\062\370\040\021\315\175\062\063\110\224\124\114\335\334
 \171\304\060\237\353\216\270\125\265\327\210\134\305\152\044\075
 \262\323\005\003\121\306\007\357\314\024\162\164\075\156\162\316
 \030\050\214\112\240\167\345\011\053\105\104\107\254\267\147\177
 \001\212\005\132\223\276\241\301\377\370\347\016\147\244\107\111
 \166\135\165\220\032\365\046\217\360
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Camerfirma Global Chambersign Root"
 # Issuer: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
 # Serial Number: 0 (0x0)
 # Subject: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
 # Not Valid Before: Tue Sep 30 16:14:18 2003
 # Not Valid After : Wed Sep 30 16:14:18 2037
 # Fingerprint (MD5): C5:E6:7B:BF:06:D0:4F:43:ED:C4:7A:65:8A:FB:6B:19
@@ -4972,16 +5003,17 @@ CKA_VALUE MULTILINE_OCTAL
 \212\144\101\061\270\016\154\220\044\244\233\134\161\217\272\273
 \176\034\033\333\152\200\017\041\274\351\333\246\267\100\364\262
 \213\251\261\344\357\232\032\320\075\151\231\356\250\050\243\341
 \074\263\360\262\021\234\317\174\100\346\335\347\103\175\242\330
 \072\265\251\215\362\064\231\304\324\020\341\006\375\011\204\020
 \073\356\304\114\364\354\047\174\102\302\164\174\202\212\011\311
 \264\003\045\274
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "XRamp Global CA Root"
 # Issuer: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
 # Serial Number:50:94:6c:ec:18:ea:d5:9c:4d:d5:97:ef:75:8f:a0:ad
 # Subject: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
 # Not Valid Before: Mon Nov 01 17:14:04 2004
 # Not Valid After : Mon Jan 01 05:37:19 2035
 # Fingerprint (MD5): A1:0B:44:B3:CA:10:D8:00:6E:9D:0F:D8:0F:92:0A:D1
@@ -5118,16 +5150,17 @@ CKA_VALUE MULTILINE_OCTAL
 \216\222\204\162\071\353\040\352\203\355\203\315\227\156\010\274
 \353\116\046\266\163\053\344\323\366\114\376\046\161\342\141\021
 \164\112\377\127\032\207\017\165\110\056\317\121\151\027\240\002
 \022\141\225\325\321\100\262\020\114\356\304\254\020\103\246\245
 \236\012\325\225\142\232\015\317\210\202\305\062\014\344\053\237
 \105\346\015\237\050\234\261\271\052\132\127\255\067\017\257\035
 \177\333\275\237
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Go Daddy Class 2 CA"
 # Issuer: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US
 # Serial Number: 0 (0x0)
 # Subject: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US
 # Not Valid Before: Tue Jun 29 17:06:20 2004
 # Not Valid After : Thu Jun 29 17:06:20 2034
 # Fingerprint (MD5): 91:DE:06:25:AB:DA:FD:32:17:0C:BB:25:17:2A:84:67
@@ -5262,16 +5295,17 @@ CKA_VALUE MULTILINE_OCTAL
 \055\225\276\365\161\220\103\314\215\037\232\000\012\207\051\351
 \125\042\130\000\043\352\343\022\103\051\133\107\010\335\214\101
 \152\145\006\250\345\041\252\101\264\225\041\225\271\175\321\064
 \253\023\326\255\274\334\342\075\071\315\275\076\165\160\241\030
 \131\003\311\042\264\217\234\325\136\052\327\245\266\324\012\155
 \370\267\100\021\106\232\037\171\016\142\277\017\227\354\340\057
 \037\027\224
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Starfield Class 2 CA"
 # Issuer: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US
 # Serial Number: 0 (0x0)
 # Subject: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US
 # Not Valid Before: Tue Jun 29 17:39:16 2004
 # Not Valid After : Thu Jun 29 17:39:16 2034
 # Fingerprint (MD5): 32:4A:4B:BB:C8:63:69:9B:BE:74:9A:C6:DD:1D:46:24
@@ -5467,16 +5501,17 @@ CKA_VALUE MULTILINE_OCTAL
 \115\340\167\055\341\145\231\162\151\004\032\107\011\346\017\001
 \126\044\373\037\277\016\171\251\130\056\271\304\011\001\176\225
 \272\155\000\006\076\262\352\112\020\071\330\320\053\365\277\354
 \165\277\227\002\305\011\033\010\334\125\067\342\201\373\067\204
 \103\142\040\312\347\126\113\145\352\376\154\301\044\223\044\241
 \064\353\005\377\232\042\256\233\175\077\361\145\121\012\246\060
 \152\263\364\210\034\200\015\374\162\212\350\203\136
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "StartCom Certification Authority"
 # Issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
 # Serial Number: 1 (0x1)
 # Subject: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
 # Not Valid Before: Sun Sep 17 19:46:36 2006
 # Not Valid After : Wed Sep 17 19:46:36 2036
 # Fingerprint (MD5): 22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16
@@ -5631,16 +5666,17 @@ CKA_VALUE MULTILINE_OCTAL
 \262\304\060\231\043\116\135\362\110\241\022\014\334\022\220\011
 \220\124\221\003\074\107\345\325\311\145\340\267\113\175\354\107
 \323\263\013\076\255\236\320\164\000\016\353\275\121\255\300\336
 \054\300\303\152\376\357\334\013\247\372\106\337\140\333\234\246
 \131\120\165\043\151\163\223\262\371\374\002\323\107\346\161\316
 \020\002\356\047\214\204\377\254\105\015\023\134\203\062\340\045
 \245\206\054\174\364\022
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Taiwan GRCA"
 # Issuer: O=Government Root Certification Authority,C=TW
 # Serial Number:1f:9d:59:5a:d7:2f:c2:06:44:a5:80:08:69:e3:5e:f6
 # Subject: O=Government Root Certification Authority,C=TW
 # Not Valid Before: Thu Dec 05 13:23:33 2002
 # Not Valid After : Sun Dec 05 13:23:33 2032
 # Fingerprint (MD5): 37:85:44:53:32:45:1F:20:F0:F3:95:E1:25:C4:43:4E
@@ -5803,16 +5839,17 @@ CKA_VALUE MULTILINE_OCTAL
 \204\126\141\276\161\027\376\035\023\017\376\306\207\105\351\376
 \062\240\032\015\023\244\224\125\161\245\026\213\272\312\211\260
 \262\307\374\217\330\124\265\223\142\235\316\317\131\373\075\030
 \316\052\313\065\025\202\135\377\124\042\133\161\122\373\267\311
 \376\140\233\000\101\144\360\252\052\354\266\102\103\316\211\146
 \201\310\213\237\071\124\003\045\323\026\065\216\204\320\137\372
 \060\032\365\232\154\364\016\123\371\072\133\321\034
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Swisscom Root CA 1"
 # Issuer: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
 # Serial Number:5c:0b:85:5c:0b:e7:59:41:df:57:cc:3f:7f:9d:a8:36
 # Subject: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
 # Not Valid Before: Thu Aug 18 12:06:20 2005
 # Not Valid After : Mon Aug 18 22:06:20 2025
 # Fingerprint (MD5): F8:38:7C:77:88:DF:2C:16:68:2E:C2:E2:52:4B:B8:F9
@@ -5943,16 +5980,17 @@ CKA_VALUE MULTILINE_OCTAL
 \102\267\372\214\036\335\142\361\276\120\147\267\154\275\363\361
 \037\153\014\066\007\026\177\067\174\251\133\155\172\361\022\106
 \140\203\327\047\004\276\113\316\227\276\303\147\052\150\021\337
 \200\347\014\063\146\277\023\015\024\156\363\177\037\143\020\036
 \372\215\033\045\155\154\217\245\267\141\001\261\322\243\046\241
 \020\161\235\255\342\303\371\303\231\121\267\053\007\010\316\056
 \346\120\262\247\372\012\105\057\242\360\362
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "DigiCert Assured ID Root CA"
 # Issuer: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:0c:e7:e0:e5:17:d8:46:fe:8f:e5:60:fc:1b:f0:30:39
 # Subject: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Not Valid Before: Fri Nov 10 00:00:00 2006
 # Not Valid After : Mon Nov 10 00:00:00 2031
 # Fingerprint (MD5): 87:CE:0B:7B:2A:0E:49:00:E1:58:71:9B:37:A8:93:72
@@ -6083,16 +6121,17 @@ CKA_VALUE MULTILINE_OCTAL
 \076\052\271\066\123\317\072\120\006\367\056\350\304\127\111\154
 \141\041\030\325\004\255\170\074\054\072\200\153\247\353\257\025
 \024\351\330\211\301\271\070\154\342\221\154\212\377\144\271\167
 \045\127\060\300\033\044\243\341\334\351\337\107\174\265\264\044
 \010\005\060\354\055\275\013\277\105\277\120\271\251\363\353\230
 \001\022\255\310\210\306\230\064\137\215\012\074\306\351\325\225
 \225\155\336
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "DigiCert Global Root CA"
 # Issuer: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4a
 # Subject: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Not Valid Before: Fri Nov 10 00:00:00 2006
 # Not Valid After : Mon Nov 10 00:00:00 2031
 # Fingerprint (MD5): 79:E4:A9:84:0D:7D:3A:96:D7:C0:4F:E2:43:4C:89:2E
@@ -6224,16 +6263,17 @@ CKA_VALUE MULTILINE_OCTAL
 \143\070\275\104\244\177\344\046\053\012\304\227\151\015\351\214
 \342\300\020\127\270\310\166\022\221\125\362\110\151\330\274\052
 \002\133\017\104\324\040\061\333\364\272\160\046\135\220\140\236
 \274\113\027\011\057\264\313\036\103\150\311\007\047\301\322\134
 \367\352\041\271\150\022\234\074\234\277\236\374\200\134\233\143
 \315\354\107\252\045\047\147\240\067\363\000\202\175\124\327\251
 \370\351\056\023\243\167\350\037\112
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "DigiCert High Assurance EV Root CA"
 # Issuer: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77
 # Subject: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Not Valid Before: Fri Nov 10 00:00:00 2006
 # Not Valid After : Mon Nov 10 00:00:00 2031
 # Fingerprint (MD5): D4:74:DE:57:5C:39:B2:D3:9C:85:83:C5:C0:65:49:8A
@@ -6356,16 +6396,17 @@ CKA_VALUE MULTILINE_OCTAL
 \311\273\211\176\156\200\210\036\057\024\264\003\044\250\062\157
 \003\232\107\054\060\276\126\306\247\102\002\160\033\352\100\330
 \272\005\003\160\007\244\226\377\375\110\063\012\341\334\245\201
 \220\233\115\335\175\347\347\262\315\134\310\152\225\370\245\366
 \215\304\135\170\010\276\173\006\326\111\317\031\066\120\043\056
 \010\346\236\005\115\107\030\325\026\351\261\326\266\020\325\273
 \227\277\242\216\264\124
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Certplus Class 2 Primary CA"
 # Issuer: CN=Class 2 Primary CA,O=Certplus,C=FR
 # Serial Number:00:85:bd:4b:f3:d8:da:e3:69:f6:94:d7:5f:c3:a5:44:23
 # Subject: CN=Class 2 Primary CA,O=Certplus,C=FR
 # Not Valid Before: Wed Jul 07 17:05:00 1999
 # Not Valid After : Sat Jul 06 23:59:59 2019
 # Fingerprint (MD5): 88:2C:8C:52:B8:A2:3C:F3:F7:BB:03:EA:AE:AC:42:0B
@@ -6482,16 +6523,17 @@ CKA_VALUE MULTILINE_OCTAL
 \162\062\207\306\360\104\273\123\162\155\103\365\046\110\232\122
 \147\267\130\253\376\147\166\161\170\333\015\242\126\024\023\071
 \044\061\205\242\250\002\132\060\107\341\335\120\007\274\002\011
 \220\000\353\144\143\140\233\026\274\210\311\022\346\322\175\221
 \213\371\075\062\215\145\264\351\174\261\127\166\352\305\266\050
 \071\277\025\145\034\310\366\167\226\152\012\215\167\013\330\221
 \013\004\216\007\333\051\266\012\356\235\202\065\065\020
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "DST Root CA X3"
 # Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
 # Serial Number:44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
 # Subject: CN=DST Root CA X3,O=Digital Signature Trust Co.
 # Not Valid Before: Sat Sep 30 21:12:19 2000
 # Not Valid After : Thu Sep 30 14:01:15 2021
 # Fingerprint (MD5): 41:03:52:DC:0F:F7:50:1B:16:F0:02:8E:BA:6F:45:C5
@@ -6623,16 +6665,17 @@ CKA_VALUE MULTILINE_OCTAL
 \343\062\213\372\340\301\206\115\162\074\056\330\223\170\012\052
 \370\330\322\047\075\031\211\137\132\173\212\073\314\014\332\121
 \256\307\013\367\053\260\067\005\354\274\127\043\342\070\322\233
 \150\363\126\022\210\117\102\174\270\061\304\265\333\344\310\041
 \064\351\110\021\065\356\372\307\222\127\305\237\064\344\307\366
 \367\016\013\114\234\150\170\173\161\061\307\353\036\340\147\101
 \363\267\240\247\315\345\172\063\066\152\372\232\053
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "DST ACES CA X6"
 # Issuer: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
 # Serial Number:0d:5e:99:0a:d6:9d:b7:78:ec:d8:07:56:3b:86:15:d9
 # Subject: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
 # Not Valid Before: Thu Nov 20 21:19:58 2003
 # Not Valid After : Mon Nov 20 21:19:58 2017
 # Fingerprint (MD5): 21:D8:4C:82:2B:99:09:33:A2:EB:14:24:8D:8E:5F:E8
@@ -6790,16 +6833,17 @@ CKA_VALUE MULTILINE_OCTAL
 \137\373\140\130\321\373\304\301\155\211\242\273\040\037\235\161
 \221\313\062\233\023\075\076\175\222\122\065\254\222\224\242\323
 \030\302\174\307\352\257\166\005\026\335\147\047\302\176\034\007
 \042\041\363\100\012\033\064\007\104\023\302\204\152\216\337\031
 \132\277\177\353\035\342\032\070\321\134\257\107\222\153\200\265
 \060\245\311\215\330\253\061\201\037\337\302\146\067\323\223\251
 \205\206\171\145\322
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "SwissSign Platinum CA - G2"
 # Issuer: CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH
 # Serial Number:4e:b2:00:67:0c:03:5d:4f
 # Subject: CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH
 # Not Valid Before: Wed Oct 25 08:36:00 2006
 # Not Valid After : Sat Oct 25 08:36:00 2036
 # Fingerprint (MD5): C9:98:27:77:28:1E:3D:0E:15:3C:84:00:B8:85:03:E6
@@ -6954,16 +6998,17 @@ CKA_VALUE MULTILINE_OCTAL
 \001\320\277\150\236\143\140\153\065\115\013\155\272\241\075\300
 \223\340\177\043\263\125\255\162\045\116\106\371\322\026\357\260
 \144\301\001\236\351\312\240\152\230\016\317\330\140\362\057\111
 \270\344\102\341\070\065\026\364\310\156\117\367\201\126\350\272
 \243\276\043\257\256\375\157\003\340\002\073\060\166\372\033\155
 \101\317\001\261\351\270\311\146\364\333\046\363\072\244\164\362
 \111\044\133\311\260\320\127\301\372\076\172\341\227\311
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "SwissSign Gold CA - G2"
 # Issuer: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
 # Serial Number:00:bb:40:1c:43:f5:5e:4f:b0
 # Subject: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
 # Not Valid Before: Wed Oct 25 08:30:35 2006
 # Not Valid After : Sat Oct 25 08:30:35 2036
 # Fingerprint (MD5): 24:77:D9:A8:91:D1:3B:FA:88:2D:C2:FF:F8:CD:33:93
@@ -7119,16 +7164,17 @@ CKA_VALUE MULTILINE_OCTAL
 \212\060\372\215\345\232\153\025\001\116\147\252\332\142\126\076
 \204\010\146\322\304\066\175\247\076\020\374\210\340\324\200\345
 \000\275\252\363\116\006\243\172\152\371\142\162\343\011\117\353
 \233\016\001\043\361\237\273\174\334\334\154\021\227\045\262\362
 \264\143\024\322\006\052\147\214\203\365\316\352\007\330\232\152
 \036\354\344\012\273\052\114\353\011\140\071\316\312\142\330\056
 \156
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "SwissSign Silver CA - G2"
 # Issuer: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH
 # Serial Number:4f:1b:d4:2f:54:bb:2f:4b
 # Subject: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH
 # Not Valid Before: Wed Oct 25 08:32:46 2006
 # Not Valid After : Sat Oct 25 08:32:46 2036
 # Fingerprint (MD5): E0:06:A1:C9:7D:CF:C9:FC:0D:C0:56:75:96:D8:62:13
@@ -7250,16 +7296,17 @@ CKA_VALUE MULTILINE_OCTAL
 \254\257\031\240\163\022\055\374\302\101\272\201\221\332\026\132
 \061\267\371\264\161\200\022\110\231\162\163\132\131\123\301\143
 \122\063\355\247\311\322\071\002\160\372\340\261\102\146\051\252
 \233\121\355\060\124\042\024\137\331\253\035\301\344\224\360\370
 \365\053\367\352\312\170\106\326\270\221\375\246\015\053\032\024
 \001\076\200\360\102\240\225\007\136\155\315\314\113\244\105\215
 \253\022\350\263\336\132\345\240\174\350\017\042\035\132\351\131
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "GeoTrust Primary Certification Authority"
 # Issuer: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US
 # Serial Number:18:ac:b5:6a:fd:69:b6:15:3a:63:6c:af:da:fa:c4:a1
 # Subject: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US
 # Not Valid Before: Mon Nov 27 00:00:00 2006
 # Not Valid After : Wed Jul 16 23:59:59 2036
 # Fingerprint (MD5): 02:26:C3:01:5E:08:30:37:43:A9:D0:7D:CF:37:E6:BF
@@ -7404,16 +7451,17 @@ CKA_VALUE MULTILINE_OCTAL
 \376\254\100\171\345\254\020\157\075\217\033\171\166\213\304\067
 \263\041\030\204\345\066\000\353\143\040\231\271\351\376\063\004
 \273\101\310\301\002\371\104\143\040\236\201\316\102\323\326\077
 \054\166\323\143\234\131\335\217\246\341\016\240\056\101\367\056
 \225\107\317\274\375\063\363\366\013\141\176\176\221\053\201\107
 \302\047\060\356\247\020\135\067\217\134\071\053\344\004\360\173
 \215\126\214\150
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "thawte Primary Root CA"
 # Issuer: CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
 # Serial Number:34:4e:d5:57:20:d5:ed:ec:49:f4:2f:ce:37:db:2b:6d
 # Subject: CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
 # Not Valid Before: Fri Nov 17 00:00:00 2006
 # Not Valid After : Wed Jul 16 23:59:59 2036
 # Fingerprint (MD5): 8C:CA:DC:0B:22:CE:F5:BE:72:AC:41:1A:11:A8:D8:12
@@ -7578,16 +7626,17 @@ CKA_VALUE MULTILINE_OCTAL
 \336\375\250\202\052\155\050\037\015\013\304\345\347\032\046\031
 \341\364\021\157\020\265\225\374\347\102\005\062\333\316\235\121
 \136\050\266\236\205\323\133\357\245\175\105\100\162\216\267\016
 \153\016\006\373\063\065\110\161\270\235\047\213\304\145\137\015
 \206\166\234\104\172\366\225\134\366\135\062\010\063\244\124\266
 \030\077\150\134\362\102\112\205\070\124\203\137\321\350\054\362
 \254\021\326\250\355\143\152
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
 # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
 # Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Not Valid Before: Wed Nov 08 00:00:00 2006
 # Not Valid After : Wed Jul 16 23:59:59 2036
 # Fingerprint (MD5): CB:17:E4:31:67:3E:E2:09:FE:45:57:93:F3:0A:FA:1C
@@ -7720,16 +7769,17 @@ CKA_VALUE MULTILINE_OCTAL
 \144\122\066\137\140\147\331\234\305\005\164\013\347\147\043\322
 \010\374\210\351\256\213\177\341\060\364\067\176\375\306\062\332
 \055\236\104\060\060\154\356\007\336\322\064\374\322\377\100\366
 \113\364\146\106\006\124\246\362\062\012\143\046\060\153\233\321
 \334\213\107\272\341\271\325\142\320\242\240\364\147\005\170\051
 \143\032\157\004\326\370\306\114\243\232\261\067\264\215\345\050
 \113\035\236\054\302\270\150\274\355\002\356\061
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "SecureTrust CA"
 # Issuer: CN=SecureTrust CA,O=SecureTrust Corporation,C=US
 # Serial Number:0c:f0:8e:5c:08:16:a5:ad:42:7f:f0:eb:27:18:59:d0
 # Subject: CN=SecureTrust CA,O=SecureTrust Corporation,C=US
 # Not Valid Before: Tue Nov 07 19:31:18 2006
 # Not Valid After : Mon Dec 31 19:40:55 2029
 # Fingerprint (MD5): DC:32:C3:A7:6D:25:57:C7:68:09:9D:EA:2D:A9:A2:D1
@@ -7854,16 +7904,17 @@ CKA_VALUE MULTILINE_OCTAL
 \103\265\113\055\024\237\371\334\046\015\277\246\107\164\006\330
 \210\321\072\051\060\204\316\322\071\200\142\033\250\307\127\111
 \274\152\125\121\147\025\112\276\065\007\344\325\165\230\067\171
 \060\024\333\051\235\154\305\151\314\107\125\242\060\367\314\134
 \177\302\303\230\034\153\116\026\200\353\172\170\145\105\242\000
 \032\257\014\015\125\144\064\110\270\222\271\361\264\120\051\362
 \117\043\037\332\154\254\037\104\341\335\043\170\121\133\307\026
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Secure Global CA"
 # Issuer: CN=Secure Global CA,O=SecureTrust Corporation,C=US
 # Serial Number:07:56:22:a4:e8:d4:8a:89:4d:f4:13:c8:f0:f8:ea:a5
 # Subject: CN=Secure Global CA,O=SecureTrust Corporation,C=US
 # Not Valid Before: Tue Nov 07 19:42:28 2006
 # Not Valid After : Mon Dec 31 19:52:06 2029
 # Fingerprint (MD5): CF:F4:27:0D:D4:ED:DC:65:16:49:6D:3D:DA:BF:6E:DE
@@ -8003,16 +8054,17 @@ CKA_VALUE MULTILINE_OCTAL
 \314\225\122\223\360\160\045\131\234\040\147\304\356\371\213\127
 \141\364\222\166\175\077\204\215\125\267\350\345\254\325\361\365
 \031\126\246\132\373\220\034\257\223\353\345\034\324\147\227\135
 \004\016\276\013\203\246\027\203\271\060\022\240\305\063\025\005
 \271\015\373\307\005\166\343\330\112\215\374\064\027\243\306\041
 \050\276\060\105\061\036\307\170\276\130\141\070\254\073\342\001
 \145
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "COMODO Certification Authority"
 # Issuer: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Serial Number:4e:81:2d:8a:82:65:e0:0b:02:ee:3e:35:02:46:e5:3d
 # Subject: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Not Valid Before: Fri Dec 01 00:00:00 2006
 # Not Valid After : Mon Dec 31 23:59:59 2029
 # Fingerprint (MD5): 5C:48:DC:F7:42:72:EC:56:94:6D:1C:CC:71:35:80:75
@@ -8148,16 +8200,17 @@ CKA_VALUE MULTILINE_OCTAL
 \056\044\137\313\130\017\353\050\354\257\021\226\363\334\173\157
 \300\247\210\362\123\167\263\140\136\256\256\050\332\065\054\157
 \064\105\323\046\341\336\354\133\117\047\153\026\174\275\104\004
 \030\202\263\211\171\027\020\161\075\172\242\026\116\365\001\315
 \244\154\145\150\241\111\166\134\103\311\330\274\066\147\154\245
 \224\265\324\314\271\275\152\065\126\041\336\330\303\353\373\313
 \244\140\114\260\125\240\240\173\127\262
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Network Solutions Certificate Authority"
 # Issuer: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US
 # Serial Number:57:cb:33:6f:c2:5c:16:e6:47:16:17:e3:90:31:68:e0
 # Subject: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US
 # Not Valid Before: Fri Dec 01 00:00:00 2006
 # Not Valid After : Mon Dec 31 23:59:59 2029
 # Fingerprint (MD5): D3:F3:A6:16:C0:FA:6B:1D:59:B1:2D:96:4D:0E:11:2E
@@ -8308,16 +8361,17 @@ CKA_VALUE MULTILINE_OCTAL
 \332\245\223\127\216\076\155\065\046\010\131\325\347\104\327\166
 \040\143\347\254\023\147\303\155\261\160\106\174\325\226\021\075
 \211\157\135\250\241\353\215\012\332\303\035\063\154\243\352\147
 \031\232\231\177\113\075\203\121\052\035\312\057\206\014\242\176
 \020\055\053\324\026\225\013\007\252\056\024\222\111\267\051\157
 \330\155\061\175\365\374\241\020\007\207\316\057\131\334\076\130
 \333
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "WellsSecure Public Root Certificate Authority"
 # Issuer: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
 # Serial Number: 1 (0x1)
 # Subject: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
 # Not Valid Before: Thu Dec 13 17:07:54 2007
 # Not Valid After : Wed Dec 14 00:07:54 2022
 # Fingerprint (MD5): 15:AC:A5:C2:92:2D:79:BC:E8:7F:CB:67:ED:02:CF:36
@@ -8434,16 +8488,17 @@ CKA_VALUE MULTILINE_OCTAL
 \004\003\003\003\150\000\060\145\002\061\000\357\003\133\172\254
 \267\170\012\162\267\210\337\377\265\106\024\011\012\372\240\346
 \175\010\306\032\207\275\030\250\163\275\046\312\140\014\235\316
 \231\237\317\134\017\060\341\276\024\061\352\002\060\024\364\223
 \074\111\247\063\172\220\106\107\263\143\175\023\233\116\267\157
 \030\067\200\123\376\335\040\340\065\232\066\321\307\001\271\346
 \334\335\363\377\035\054\072\026\127\331\222\071\326
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "COMODO ECC Certification Authority"
 # Issuer: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Serial Number:1f:47:af:aa:62:00:70:50:54:4c:01:9e:9b:63:99:2a
 # Subject: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Not Valid Before: Thu Mar 06 00:00:00 2008
 # Not Valid After : Mon Jan 18 23:59:59 2038
 # Fingerprint (MD5): 7C:62:FF:74:9D:31:53:5E:68:4A:D5:78:AA:1E:BF:23
@@ -8741,16 +8796,17 @@ CKA_VALUE MULTILINE_OCTAL
 \250\215\376\206\076\007\026\222\341\173\347\035\354\063\166\176
 \102\056\112\205\371\221\211\150\204\003\201\245\233\232\276\343
 \067\305\124\253\126\073\030\055\101\244\014\370\102\333\231\240
 \340\162\157\273\135\341\026\117\123\012\144\371\116\364\277\116
 \124\275\170\154\210\352\277\234\023\044\302\160\151\242\177\017
 \310\074\255\010\311\260\230\100\243\052\347\210\203\355\167\217
 \164
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Security Communication EV RootCA1"
 # Issuer: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
 # Serial Number: 0 (0x0)
 # Subject: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
 # Not Valid Before: Wed Jun 06 02:12:32 2007
 # Not Valid After : Sat Jun 06 02:12:32 2037
 # Fingerprint (MD5): 22:2D:A6:01:EA:7C:0A:F7:F0:6C:56:43:3F:77:76:D3
@@ -8888,16 +8944,17 @@ CKA_VALUE MULTILINE_OCTAL
 \204\325\120\003\266\342\204\243\246\066\252\021\072\001\341\030
 \113\326\104\150\263\075\371\123\164\204\263\106\221\106\226\000
 \267\200\054\266\341\343\020\342\333\242\347\050\217\001\226\142
 \026\076\000\343\034\245\066\201\030\242\114\122\166\300\021\243
 \156\346\035\272\343\132\276\066\123\305\076\165\217\206\151\051
 \130\123\265\234\273\157\237\134\305\030\354\335\057\341\230\311
 \374\276\337\012\015
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "OISTE WISeKey Global Root GA CA"
 # Issuer: CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH
 # Serial Number:41:3d:72:c7:f4:6b:1f:81:43:7d:f1:d2:28:54:df:9a
 # Subject: CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH
 # Not Valid Before: Sun Dec 11 16:03:44 2005
 # Not Valid After : Fri Dec 11 16:09:51 2037
 # Fingerprint (MD5): BC:6C:51:33:A7:E9:D3:66:63:54:15:72:1B:21:92:93
@@ -9095,16 +9152,17 @@ CKA_VALUE MULTILINE_OCTAL
 \254\106\155\114\364\062\207\264\040\004\340\154\170\260\167\321
 \205\106\113\246\022\267\165\350\112\311\126\154\327\222\253\235
 \365\111\070\322\117\123\343\125\220\021\333\230\226\306\111\362
 \076\364\237\033\340\367\210\334\045\142\231\104\330\163\277\077
 \060\363\014\067\076\324\302\050\200\163\261\001\267\235\132\226
 \024\001\113\251\021\235\051\152\056\320\135\201\300\317\262\040
 \103\307\003\340\067\116\135\012\334\131\040\045
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Microsec e-Szigno Root CA"
 # Issuer: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
 # Serial Number:00:cc:b8:e7:bf:4e:29:1a:fd:a2:dc:66:a5:1c:2c:0f:11
 # Subject: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
 # Not Valid Before: Wed Apr 06 12:28:44 2005
 # Not Valid After : Thu Apr 06 12:28:44 2017
 # Fingerprint (MD5): F0:96:B6:2F:C5:10:D5:67:8E:83:25:32:E8:5E:2E:E5
@@ -9228,16 +9286,17 @@ CKA_VALUE MULTILINE_OCTAL
 \013\221\003\165\054\154\162\265\141\225\232\015\213\271\015\347
 \365\337\124\315\336\346\330\326\011\010\227\143\345\301\056\260
 \267\104\046\300\046\300\257\125\060\236\073\325\066\052\031\004
 \364\134\036\377\317\054\267\377\320\375\207\100\021\325\021\043
 \273\110\300\041\251\244\050\055\375\025\370\260\116\053\364\060
 \133\041\374\021\221\064\276\101\357\173\235\227\165\377\227\225
 \300\226\130\057\352\273\106\327\273\344\331\056
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Certigna"
 # Issuer: CN=Certigna,O=Dhimyotis,C=FR
 # Serial Number:00:fe:dc:e3:01:0f:c9:48:ff
 # Subject: CN=Certigna,O=Dhimyotis,C=FR
 # Not Valid Before: Fri Jun 29 15:13:05 2007
 # Not Valid After : Tue Jun 29 15:13:05 2027
 # Fingerprint (MD5): AB:57:A6:5B:7D:42:82:19:B5:D8:58:26:28:5E:FD:FF
@@ -9409,16 +9468,17 @@ CKA_VALUE MULTILINE_OCTAL
 \104\276\141\106\241\204\075\010\047\114\201\040\167\211\010\352
 \147\100\136\154\010\121\137\064\132\214\226\150\315\327\367\211
 \302\034\323\062\000\257\122\313\323\140\133\052\072\107\176\153
 \060\063\241\142\051\177\112\271\341\055\347\024\043\016\016\030
 \107\341\171\374\025\125\320\261\374\045\161\143\165\063\034\043
 \053\257\134\331\355\107\167\140\016\073\017\036\322\300\334\144
 \005\211\374\170\326\134\054\046\103\251
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "AC Raiz Certicamara S.A."
 # Issuer: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO
 # Serial Number:07:7e:52:93:7b:e0:15:e3:57:f0:69:8c:cb:ec:0c
 # Subject: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO
 # Not Valid Before: Mon Nov 27 20:46:29 2006
 # Not Valid After : Tue Apr 02 21:42:02 2030
 # Fingerprint (MD5): 93:2A:3E:F6:FD:23:69:0D:71:20:D4:2B:47:99:2B:A6
@@ -9566,16 +9626,17 @@ CKA_VALUE MULTILINE_OCTAL
 \334\071\361\305\162\243\021\003\375\073\102\122\051\333\350\001
 \367\233\136\214\326\215\206\116\031\372\274\034\276\305\041\245
 \207\236\170\056\066\333\011\161\243\162\064\370\154\343\006\011
 \362\136\126\245\323\335\230\372\324\346\006\364\360\266\040\143
 \113\352\051\275\252\202\146\036\373\201\252\247\067\255\023\030
 \346\222\303\201\301\063\273\210\036\241\347\342\264\275\061\154
 \016\121\075\157\373\226\126\200\342\066\027\321\334\344
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "TC TrustCenter Class 3 CA II"
 # Issuer: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE
 # Serial Number:4a:47:00:01:00:02:e5:a0:5d:d6:3f:00:51:bf
 # Subject: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE
 # Not Valid Before: Thu Jan 12 14:41:57 2006
 # Not Valid After : Wed Dec 31 22:59:59 2025
 # Fingerprint (MD5): 56:5F:AA:80:61:12:17:F6:67:21:E6:2B:6D:61:56:8E
@@ -9706,16 +9767,17 @@ CKA_VALUE MULTILINE_OCTAL
 \332\347\212\067\041\276\131\143\340\362\205\210\061\123\324\124
 \024\205\160\171\364\056\006\167\047\165\057\037\270\212\371\376
 \305\272\330\066\344\203\354\347\145\267\277\143\132\363\106\257
 \201\224\067\324\101\214\326\043\326\036\317\365\150\033\104\143
 \242\132\272\247\065\131\241\345\160\005\233\016\043\127\231\224
 \012\155\272\071\143\050\206\222\363\030\204\330\373\321\317\005
 \126\144\127
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Deutsche Telekom Root CA 2"
 # Issuer: CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE
 # Serial Number: 38 (0x26)
 # Subject: CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE
 # Not Valid Before: Fri Jul 09 12:11:00 1999
 # Not Valid After : Tue Jul 09 23:59:00 2019
 # Fingerprint (MD5): 74:01:4A:91:B1:08:C4:58:CE:47:CD:F0:DD:11:53:08
@@ -9838,16 +9900,17 @@ CKA_VALUE MULTILINE_OCTAL
 \205\272\115\355\050\062\353\371\141\112\344\304\066\036\031\334
 \157\204\021\037\225\365\203\050\030\250\063\222\103\047\335\135
 \023\004\105\117\207\325\106\315\075\250\272\360\363\270\126\044
 \105\353\067\307\341\166\117\162\071\030\337\176\164\162\307\163
 \055\071\352\140\346\255\021\242\126\207\173\303\150\232\376\370
 \214\160\250\337\145\062\364\244\100\214\241\302\104\003\016\224
 \000\147\240\161\000\202\110
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "ComSign CA"
 # Issuer: C=IL,O=ComSign,CN=ComSign CA
 # Serial Number:14:13:96:83:14:55:8c:ea:7b:63:e5:fc:34:87:77:44
 # Subject: C=IL,O=ComSign,CN=ComSign CA
 # Not Valid Before: Wed Mar 24 11:32:18 2004
 # Not Valid After : Mon Mar 19 15:02:18 2029
 # Fingerprint (MD5): CD:F4:39:F3:B5:18:50:D7:3E:A4:C5:91:A0:3E:21:4B
@@ -9968,16 +10031,17 @@ CKA_VALUE MULTILINE_OCTAL
 \275\224\000\231\277\021\245\334\340\171\305\026\013\175\002\141
 \035\352\205\371\002\025\117\347\132\211\116\024\157\343\067\113
 \205\365\301\074\141\340\375\005\101\262\222\177\303\035\240\320
 \256\122\144\140\153\030\306\046\234\330\365\144\344\066\032\142
 \237\212\017\076\377\155\116\031\126\116\040\221\154\237\064\063
 \072\064\127\120\072\157\201\136\006\306\365\076\174\116\216\053
 \316\145\006\056\135\322\052\123\164\136\323\156\047\236\217
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "ComSign Secured CA"
 # Issuer: C=IL,O=ComSign,CN=ComSign Secured CA
 # Serial Number:00:c7:28:47:09:b3:b8:6c:45:8c:1d:fa:24:f5:36:4e:e9
 # Subject: C=IL,O=ComSign,CN=ComSign Secured CA
 # Not Valid Before: Wed Mar 24 11:37:20 2004
 # Not Valid After : Fri Mar 16 15:04:56 2029
 # Fingerprint (MD5): 40:01:25:06:8D:21:43:6A:0E:43:00:9C:E7:43:F3:D5
@@ -10097,16 +10161,17 @@ CKA_VALUE MULTILINE_OCTAL
 \017\124\335\203\273\237\321\217\247\123\163\303\313\377\060\354
 \174\004\270\330\104\037\223\137\161\011\042\267\156\076\352\034
 \003\116\235\032\040\141\373\201\067\354\136\374\012\105\253\327
 \347\027\125\320\240\352\140\233\246\366\343\214\133\051\302\006
 \140\024\235\055\227\114\251\223\025\235\141\304\001\137\110\326
 \130\275\126\061\022\116\021\310\041\340\263\021\221\145\333\264
 \246\210\070\316\125
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Cybertrust Global Root"
 # Issuer: CN=Cybertrust Global Root,O="Cybertrust, Inc"
 # Serial Number:04:00:00:00:00:01:0f:85:aa:2d:48
 # Subject: CN=Cybertrust Global Root,O="Cybertrust, Inc"
 # Not Valid Before: Fri Dec 15 08:00:00 2006
 # Not Valid After : Wed Dec 15 08:00:00 2021
 # Fingerprint (MD5): 72:E4:4A:87:E3:69:40:80:77:EA:BC:E3:F4:FF:F0:E1
@@ -10263,16 +10328,17 @@ CKA_VALUE MULTILINE_OCTAL
 \115\343\061\325\307\354\350\362\260\376\222\036\026\012\032\374
 \331\363\370\047\266\311\276\035\264\154\144\220\177\364\344\304
 \133\327\067\256\102\016\335\244\032\157\174\210\124\305\026\156
 \341\172\150\056\370\072\277\015\244\074\211\073\170\247\116\143
 \203\004\041\010\147\215\362\202\111\320\133\375\261\315\017\203
 \204\324\076\040\205\367\112\075\053\234\375\052\012\011\115\352
 \201\370\021\234
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "ePKI Root Certification Authority"
 # Issuer: OU=ePKI Root Certification Authority,O="Chunghwa Telecom Co., Ltd.",C=TW
 # Serial Number:15:c8:bd:65:47:5c:af:b8:97:00:5e:e4:06:d2:bc:9d
 # Subject: OU=ePKI Root Certification Authority,O="Chunghwa Telecom Co., Ltd.",C=TW
 # Not Valid Before: Mon Dec 20 02:31:27 2004
 # Not Valid After : Wed Dec 20 02:31:27 2034
 # Fingerprint (MD5): 1B:2E:00:CA:26:06:90:3D:AD:FE:6F:15:68:D3:6B:B3
@@ -10447,16 +10513,17 @@ CKA_VALUE MULTILINE_OCTAL
 \200\262\136\014\112\023\236\040\330\142\100\253\220\352\144\112
 \057\254\015\001\022\171\105\250\057\207\031\150\310\342\205\307
 \060\262\165\371\070\077\262\300\223\264\153\342\003\104\316\147
 \240\337\211\326\255\214\166\243\023\303\224\141\053\153\331\154
 \301\007\012\042\007\205\154\205\044\106\251\276\077\213\170\204
 \202\176\044\014\235\375\201\067\343\045\250\355\066\116\225\054
 \311\234\220\332\354\251\102\074\255\266\002
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
 # Issuer: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR
 # Serial Number: 17 (0x11)
 # Subject: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR
 # Not Valid Before: Fri Aug 24 11:37:07 2007
 # Not Valid After : Mon Aug 21 11:37:07 2017
 # Fingerprint (MD5): ED:41:F5:8C:50:C5:2B:9C:73:E6:EE:6C:EB:C2:A8:26
@@ -10583,16 +10650,17 @@ CKA_VALUE MULTILINE_OCTAL
 \045\335\141\047\043\034\265\061\007\004\066\264\032\220\275\240
 \164\161\120\211\155\274\024\343\017\206\256\361\253\076\307\240
 \011\314\243\110\321\340\333\144\347\222\265\317\257\162\103\160
 \213\371\303\204\074\023\252\176\222\233\127\123\223\372\160\302
 \221\016\061\371\233\147\135\351\226\070\136\137\263\163\116\210
 \025\147\336\236\166\020\142\040\276\125\151\225\103\000\071\115
 \366\356\260\132\116\111\104\124\130\137\102\203
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "certSIGN ROOT CA"
 # Issuer: OU=certSIGN ROOT CA,O=certSIGN,C=RO
 # Serial Number:20:06:05:16:70:02
 # Subject: OU=certSIGN ROOT CA,O=certSIGN,C=RO
 # Not Valid Before: Tue Jul 04 17:20:04 2006
 # Not Valid After : Fri Jul 04 17:20:04 2031
 # Fingerprint (MD5): 18:98:C0:D6:E9:3A:FC:F9:B0:F5:0C:F7:4B:01:44:17
@@ -10706,16 +10774,17 @@ CKA_VALUE MULTILINE_OCTAL
 \125\171\373\116\206\231\270\224\332\206\070\152\223\243\347\313
 \156\345\337\352\041\125\211\234\175\175\177\230\365\000\211\356
 \343\204\300\134\226\265\305\106\352\106\340\205\125\266\033\311
 \022\326\301\315\315\200\363\002\001\074\310\151\313\105\110\143
 \330\224\320\354\205\016\073\116\021\145\364\202\214\246\075\256
 \056\042\224\011\310\134\352\074\201\135\026\052\003\227\026\125
 \011\333\212\101\202\236\146\233\021
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "CNNIC ROOT"
 # Issuer: CN=CNNIC ROOT,O=CNNIC,C=CN
 # Serial Number: 1228079105 (0x49330001)
 # Subject: CN=CNNIC ROOT,O=CNNIC,C=CN
 # Not Valid Before: Mon Apr 16 07:09:14 2007
 # Not Valid After : Fri Apr 16 07:09:14 2027
 # Fingerprint (MD5): 21:BC:82:AB:49:C4:13:3B:4B:B2:2B:5C:6B:90:9C:19
@@ -10836,16 +10905,17 @@ CKA_VALUE MULTILINE_OCTAL
 \246\176\264\222\027\374\043\224\201\275\156\247\305\214\302\353
 \021\105\333\370\101\311\226\166\352\160\137\171\022\153\344\243
 \007\132\005\357\047\111\317\041\237\212\114\011\160\146\251\046
 \301\053\021\116\063\322\016\374\326\154\322\016\062\144\150\377
 \255\005\170\137\003\035\250\343\220\254\044\340\017\100\247\113
 \256\213\050\267\202\312\030\007\346\267\133\164\351\040\031\177
 \262\033\211\124
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "ApplicationCA - Japanese Government"
 # Issuer: OU=ApplicationCA,O=Japanese Government,C=JP
 # Serial Number: 49 (0x31)
 # Subject: OU=ApplicationCA,O=Japanese Government,C=JP
 # Not Valid Before: Wed Dec 12 15:00:00 2007
 # Not Valid After : Tue Dec 12 15:00:00 2017
 # Fingerprint (MD5): 7E:23:4E:5B:A7:A5:B4:25:E9:00:07:74:11:62:AE:D6
@@ -10984,16 +11054,17 @@ CKA_VALUE MULTILINE_OCTAL
 \207\174\015\015\317\056\010\134\112\100\015\076\354\201\141\346
 \044\333\312\340\016\055\007\262\076\126\334\215\365\101\205\007
 \110\233\014\013\313\111\077\175\354\267\375\313\215\147\211\032
 \253\355\273\036\243\000\010\010\027\052\202\134\061\135\106\212
 \055\017\206\233\164\331\105\373\324\100\261\172\252\150\055\206
 \262\231\042\341\301\053\307\234\370\363\137\250\202\022\353\031
 \021\055
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "GeoTrust Primary Certification Authority - G3"
 # Issuer: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
 # Serial Number:15:ac:6e:94:19:b2:79:4b:41:f6:27:a9:c3:18:0f:1f
 # Subject: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
 # Not Valid Before: Wed Apr 02 00:00:00 2008
 # Not Valid After : Tue Dec 01 23:59:59 2037
 # Fingerprint (MD5): B5:E8:34:36:C9:10:44:58:48:70:6D:2E:83:D4:B8:05
@@ -11112,16 +11183,17 @@ CKA_VALUE MULTILINE_OCTAL
 \003\003\151\000\060\146\002\061\000\335\370\340\127\107\133\247
 \346\012\303\275\365\200\212\227\065\015\033\211\074\124\206\167
 \050\312\241\364\171\336\265\346\070\260\360\145\160\214\177\002
 \124\302\277\377\330\241\076\331\317\002\061\000\304\215\224\374
 \334\123\322\334\235\170\026\037\025\063\043\123\122\343\132\061
 \135\235\312\256\275\023\051\104\015\047\133\250\347\150\234\022
 \367\130\077\056\162\002\127\243\217\241\024\056
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "thawte Primary Root CA - G2"
 # Issuer: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US
 # Serial Number:35:fc:26:5c:d9:84:4f:c9:3d:26:3d:57:9b:ae:d7:56
 # Subject: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US
 # Not Valid Before: Mon Nov 05 00:00:00 2007
 # Not Valid After : Mon Jan 18 23:59:59 2038
 # Fingerprint (MD5): 74:9D:EA:60:24:C4:FD:22:53:3E:CC:3A:72:D9:29:4F
@@ -11271,16 +11343,17 @@ CKA_VALUE MULTILINE_OCTAL
 \051\101\221\042\074\151\247\273\002\362\266\134\047\003\211\364
 \006\352\233\344\162\202\343\241\011\301\351\000\031\323\076\324
 \160\153\272\161\246\252\130\256\364\273\351\154\266\357\207\314
 \233\273\377\071\346\126\141\323\012\247\304\134\114\140\173\005
 \167\046\172\277\330\007\122\054\142\367\160\143\331\071\274\157
 \034\302\171\334\166\051\257\316\305\054\144\004\136\210\066\156
 \061\324\100\032\142\064\066\077\065\001\256\254\143\240
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "thawte Primary Root CA - G3"
 # Issuer: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
 # Serial Number:60:01:97:b7:46:a7:ea:b4:b4:9a:d6:4b:2f:f7:90:fb
 # Subject: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
 # Not Valid Before: Wed Apr 02 00:00:00 2008
 # Not Valid After : Tue Dec 01 23:59:59 2037
 # Fingerprint (MD5): FB:1B:5D:43:8A:94:CD:44:C6:76:F2:43:4B:47:E7:31
@@ -11406,16 +11479,17 @@ CKA_VALUE MULTILINE_OCTAL
 \144\226\131\246\350\011\336\213\272\372\132\210\210\360\037\221
 \323\106\250\362\112\114\002\143\373\154\137\070\333\056\101\223
 \251\016\346\235\334\061\034\262\240\247\030\034\171\341\307\066
 \002\060\072\126\257\232\164\154\366\373\203\340\063\323\010\137
 \241\234\302\133\237\106\326\266\313\221\006\143\242\006\347\063
 \254\076\250\201\022\320\313\272\320\222\013\266\236\226\252\004
 \017\212
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "GeoTrust Primary Certification Authority - G2"
 # Issuer: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
 # Serial Number:3c:b2:f4:48:0a:00:e2:fe:eb:24:3b:5e:60:3e:c3:6b
 # Subject: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
 # Not Valid Before: Mon Nov 05 00:00:00 2007
 # Not Valid After : Mon Jan 18 23:59:59 2038
 # Fingerprint (MD5): 01:5E:D8:6B:BD:6F:3D:8E:A1:31:F8:12:E0:98:73:6A
@@ -11575,16 +11649,17 @@ CKA_VALUE MULTILINE_OCTAL
 \007\021\360\325\333\335\345\214\360\325\062\260\203\346\127\342
 \217\277\276\241\252\277\075\035\265\324\070\352\327\260\134\072
 \117\152\077\217\300\146\154\143\252\351\331\244\026\364\201\321
 \225\024\016\175\315\225\064\331\322\217\160\163\201\173\234\176
 \275\230\141\330\105\207\230\220\305\353\206\060\306\065\277\360
 \377\303\125\210\203\113\357\005\222\006\161\362\270\230\223\267
 \354\315\202\141\361\070\346\117\227\230\052\132\215
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "VeriSign Universal Root Certification Authority"
 # Issuer: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:40:1a:c4:64:21:b3:13:21:03:0e:bb:e4:12:1a:c5:1d
 # Subject: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Not Valid Before: Wed Apr 02 00:00:00 2008
 # Not Valid After : Tue Dec 01 23:59:59 2037
 # Fingerprint (MD5): 8E:AD:B5:01:AA:4D:81:E4:8C:1D:D1:E1:14:00:95:19
@@ -11729,16 +11804,17 @@ CKA_VALUE MULTILINE_OCTAL
 \000\060\145\002\060\146\041\014\030\046\140\132\070\173\126\102
 \340\247\374\066\204\121\221\040\054\166\115\103\075\304\035\204
 \043\320\254\326\174\065\006\316\315\151\275\220\015\333\154\110
 \102\035\016\252\102\002\061\000\234\075\110\071\043\071\130\032
 \025\022\131\152\236\357\325\131\262\035\122\054\231\161\315\307
 \051\337\033\052\141\173\161\321\336\363\300\345\015\072\112\252
 \055\247\330\206\052\335\056\020
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
 # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:2f:80:fe:23:8c:0e:22:0f:48:67:12:28:91:87:ac:b3
 # Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon Nov 05 00:00:00 2007
 # Not Valid After : Mon Jan 18 23:59:59 2038
 # Fingerprint (MD5): 3A:52:E1:E7:FD:6F:3A:E3:6F:F3:6F:99:1B:F9:22:41
@@ -11888,16 +11964,17 @@ CKA_VALUE MULTILINE_OCTAL
 \276\245\025\143\241\324\225\207\361\236\271\363\211\363\075\205
 \270\270\333\276\265\271\051\371\332\067\005\000\111\224\003\204
 \104\347\277\103\061\317\165\213\045\321\364\246\144\365\222\366
 \253\005\353\075\351\245\013\066\142\332\314\006\137\066\213\266
 \136\061\270\052\373\136\366\161\337\104\046\236\304\346\015\221
 \264\056\165\225\200\121\152\113\060\246\260\142\241\223\361\233
 \330\316\304\143\165\077\131\107\261
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "NetLock Arany (Class Gold) Főtanúsítvány"
 # Issuer: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU
 # Serial Number:49:41:2c:e4:00:10
 # Subject: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU
 # Not Valid Before: Thu Dec 11 15:08:21 2008
 # Not Valid After : Wed Dec 06 15:08:21 2028
 # Fingerprint (MD5): C5:A1:B7:FF:73:DD:D6:D7:34:32:18:DF:FC:3C:AD:88
@@ -12061,16 +12138,17 @@ CKA_VALUE MULTILINE_OCTAL
 \120\346\105\020\107\170\266\116\322\145\311\303\067\337\341\102
 \143\260\127\067\105\055\173\212\234\277\005\352\145\125\063\367
 \071\020\305\050\052\041\172\033\212\304\044\371\077\025\310\232
 \025\040\365\125\142\226\355\155\223\120\274\344\252\170\255\331
 \313\012\145\207\246\146\301\304\201\243\167\072\130\036\013\356
 \203\213\235\036\322\122\244\314\035\157\260\230\155\224\061\265
 \370\161\012\334\271\374\175\062\140\346\353\257\212\001
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Staat der Nederlanden Root CA - G2"
 # Issuer: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL
 # Serial Number: 10000012 (0x98968c)
 # Subject: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL
 # Not Valid Before: Wed Mar 26 11:18:17 2008
 # Not Valid After : Wed Mar 25 11:03:10 2020
 # Fingerprint (MD5): 7C:A5:0F:F8:5B:9A:7D:6D:30:AE:54:5A:E3:42:A2:8A
@@ -12186,16 +12264,17 @@ CKA_VALUE MULTILINE_OCTAL
 \022\024\344\141\215\254\020\220\236\204\120\273\360\226\157\105
 \237\212\363\312\154\117\372\021\072\025\025\106\303\315\037\203
 \133\055\101\022\355\120\147\101\023\075\041\253\224\212\252\116
 \174\301\261\373\247\326\265\047\057\227\253\156\340\035\342\321
 \034\054\037\104\342\374\276\221\241\234\373\326\051\123\163\206
 \237\123\330\103\016\135\326\143\202\161\035\200\164\312\366\342
 \002\153\331\132
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Hongkong Post Root CA 1"
 # Issuer: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK
 # Serial Number: 1000 (0x3e8)
 # Subject: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK
 # Not Valid Before: Thu May 15 05:13:14 2003
 # Not Valid After : Mon May 15 04:52:29 2023
 # Fingerprint (MD5): A8:0D:6F:39:78:B9:43:6D:77:42:6D:98:5A:CC:23:CA
@@ -12316,16 +12395,17 @@ CKA_VALUE MULTILINE_OCTAL
 \143\173\132\151\226\002\041\250\275\122\131\351\175\065\313\310
 \122\312\177\201\376\331\153\323\367\021\355\045\337\370\347\371
 \244\372\162\227\204\123\015\245\320\062\030\121\166\131\024\154
 \017\353\354\137\200\214\165\103\203\303\205\230\377\114\236\055
 \015\344\167\203\223\116\265\226\007\213\050\023\233\214\031\215
 \101\047\111\100\356\336\346\043\104\071\334\241\042\326\272\003
 \362
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "SecureSign RootCA11"
 # Issuer: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP
 # Serial Number: 1 (0x1)
 # Subject: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP
 # Not Valid Before: Wed Apr 08 04:56:47 2009
 # Not Valid After : Sun Apr 08 04:56:47 2029
 # Fingerprint (MD5): B7:52:74:E2:92:B4:80:93:F2:75:E4:CC:D7:F2:EA:26
@@ -12481,16 +12561,17 @@ CKA_VALUE MULTILINE_OCTAL
 \307\202\066\076\247\070\143\251\060\054\027\020\140\222\237\125
 \207\022\131\020\302\017\147\151\021\314\116\036\176\112\232\255
 \257\100\250\165\254\126\220\164\270\240\234\245\171\157\334\351
 \032\310\151\005\351\272\372\003\263\174\344\340\116\302\316\235
 \350\266\106\015\156\176\127\072\147\224\302\313\037\234\167\112
 \147\116\151\206\103\223\070\373\266\333\117\203\221\324\140\176
 \113\076\053\070\007\125\230\136\244
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "ACEDICOM Root"
 # Issuer: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root
 # Serial Number:61:8d:c7:86:3b:01:82:05
 # Subject: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root
 # Not Valid Before: Fri Apr 18 16:24:22 2008
 # Not Valid After : Thu Apr 13 16:24:22 2028
 # Fingerprint (MD5): 42:81:A0:E2:1C:E3:55:10:DE:55:89:42:65:96:22:E6
@@ -12627,16 +12708,17 @@ CKA_VALUE MULTILINE_OCTAL
 \255\234\032\303\004\074\355\002\141\326\036\006\363\137\072\207
 \362\053\361\105\207\345\075\254\321\307\127\204\275\153\256\334
 \330\371\266\033\142\160\013\075\066\311\102\362\062\327\172\141
 \346\322\333\075\317\310\251\311\233\334\333\130\104\327\157\070
 \257\177\170\323\243\255\032\165\272\034\301\066\174\217\036\155
 \034\303\165\106\256\065\005\246\366\134\075\041\356\126\360\311
 \202\042\055\172\124\253\160\303\175\042\145\202\160\226
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Microsec e-Szigno Root CA 2009"
 # Issuer: E=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU
 # Serial Number:00:c2:7e:43:04:4e:47:3f:19
 # Subject: E=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU
 # Not Valid Before: Tue Jun 16 11:30:18 2009
 # Not Valid After : Sun Dec 30 11:30:18 2029
 # Fingerprint (MD5): F8:49:F4:03:BC:44:2D:83:BE:48:69:7D:29:64:FC:B1
@@ -12758,16 +12840,17 @@ CKA_VALUE MULTILINE_OCTAL
 \231\302\037\172\016\343\055\010\255\012\034\054\377\074\253\125
 \016\017\221\176\066\353\303\127\111\276\341\056\055\174\140\213
 \303\101\121\023\043\235\316\367\062\153\224\001\250\231\347\054
 \063\037\072\073\045\322\206\100\316\073\054\206\170\311\141\057
 \024\272\356\333\125\157\337\204\356\005\011\115\275\050\330\162
 \316\323\142\120\145\036\353\222\227\203\061\331\263\265\312\107
 \130\077\137
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "GlobalSign Root CA - R3"
 # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
 # Serial Number:04:00:00:00:00:01:21:58:53:08:a2
 # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
 # Not Valid Before: Wed Mar 18 10:00:00 2009
 # Not Valid After : Sun Mar 18 10:00:00 2029
 # Fingerprint (MD5): C5:DF:B8:49:CA:05:13:55:EE:2D:BA:1A:C3:3E:B0:28
@@ -12930,16 +13013,17 @@ CKA_VALUE MULTILINE_OCTAL
 \330\153\044\254\227\130\104\107\255\131\030\361\041\145\160\336
 \316\064\140\250\100\361\363\074\244\303\050\043\214\376\047\063
 \103\100\240\027\074\353\352\073\260\162\246\243\271\112\113\136
 \026\110\364\262\274\310\214\222\305\235\237\254\162\066\274\064
 \200\064\153\251\213\222\300\270\027\355\354\166\123\365\044\001
 \214\263\042\350\113\174\125\306\235\372\243\024\273\145\205\156
 \156\117\022\176\012\074\235\225
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
 # Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES
 # Serial Number:53:ec:3b:ee:fb:b2:48:5f
 # Subject: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES
 # Not Valid Before: Wed May 20 08:38:15 2009
 # Not Valid After : Tue Dec 31 08:38:15 2030
 # Fingerprint (MD5): 73:3A:74:7A:EC:BB:A3:96:A6:C2:E4:E2:C8:9B:C0:C3
@@ -13098,16 +13182,17 @@ CKA_VALUE MULTILINE_OCTAL
 \150\103\110\262\333\353\163\044\347\221\177\124\244\266\200\076
 \235\243\074\114\162\302\127\304\240\324\314\070\047\316\325\006
 \236\242\110\331\351\237\316\202\160\066\223\232\073\337\226\041
 \343\131\267\014\332\221\067\360\375\131\132\263\231\310\151\154
 \103\046\001\065\143\140\125\211\003\072\165\330\272\112\331\124
 \377\356\336\200\330\055\321\070\325\136\055\013\230\175\076\154
 \333\374\046\210\307
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Izenpe.com"
 # Issuer: CN=Izenpe.com,O=IZENPE S.A.,C=ES
 # Serial Number:00:b0:b7:5a:16:48:5f:bf:e1:cb:f5:8b:d7:19:e6:7d
 # Subject: CN=Izenpe.com,O=IZENPE S.A.,C=ES
 # Not Valid Before: Thu Dec 13 13:08:28 2007
 # Not Valid After : Sun Dec 13 08:27:25 2037
 # Fingerprint (MD5): A6:B0:CD:85:80:DA:5C:50:34:A3:39:90:2F:55:67:73
@@ -13302,16 +13387,17 @@ CKA_VALUE MULTILINE_OCTAL
 \176\030\230\265\105\073\366\171\264\350\367\032\173\006\203\373
 \320\213\332\273\307\275\030\253\010\157\074\200\153\100\077\031
 \031\272\145\212\346\276\325\134\323\066\327\357\100\122\044\140
 \070\147\004\061\354\217\363\202\306\336\271\125\363\073\061\221
 \132\334\265\010\025\255\166\045\012\015\173\056\207\342\014\246
 \006\274\046\020\155\067\235\354\335\170\214\174\200\305\360\331
 \167\110\320
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Chambers of Commerce Root - 2008"
 # Issuer: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
 # Serial Number:00:a3:da:42:7e:a4:b1:ae:da
 # Subject: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
 # Not Valid Before: Fri Aug 01 12:29:50 2008
 # Not Valid After : Sat Jul 31 12:29:50 2038
 # Fingerprint (MD5): 5E:80:9E:84:5A:0E:65:0B:17:02:F3:55:18:2A:3E:D7
@@ -13510,16 +13596,17 @@ CKA_VALUE MULTILINE_OCTAL
 \223\256\231\240\357\045\152\163\230\211\133\072\056\023\210\036
 \277\300\222\224\064\033\343\047\267\213\036\157\102\377\347\351
 \067\233\120\035\055\242\371\002\356\313\130\130\072\161\274\150
 \343\252\301\257\034\050\037\242\334\043\145\077\201\352\256\231
 \323\330\060\317\023\015\117\025\311\204\274\247\110\055\370\060
 \043\167\330\106\113\171\155\366\214\355\072\177\140\021\170\364
 \351\233\256\325\124\300\164\200\321\013\102\237\301
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Global Chambersign Root - 2008"
 # Issuer: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
 # Serial Number:00:c9:cd:d3:e9:d5:7d:23:ce
 # Subject: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
 # Not Valid Before: Fri Aug 01 12:31:40 2008
 # Not Valid After : Sat Jul 31 12:31:40 2038
 # Fingerprint (MD5): 9E:80:FF:78:01:0C:2E:C1:36:BD:FE:96:90:6E:08:F3
@@ -15376,16 +15463,17 @@ CKA_VALUE MULTILINE_OCTAL
 \330\144\363\054\176\024\374\002\352\237\315\377\007\150\027\333
 \042\220\070\055\172\215\321\124\361\151\343\137\063\312\172\075
 \173\012\343\312\177\137\071\345\342\165\272\305\166\030\063\316
 \054\360\057\114\255\367\261\347\316\117\250\304\233\112\124\006
 \305\177\175\325\010\017\342\034\376\176\027\270\254\136\366\324
 \026\262\103\011\014\115\366\247\153\264\231\204\145\312\172\210
 \342\342\104\276\134\367\352\034\365
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Go Daddy Root Certificate Authority - G2"
 # Issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
 # Serial Number: 0 (0x0)
 # Subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
 # Not Valid Before: Tue Sep 01 00:00:00 2009
 # Not Valid After : Thu Dec 31 23:59:59 2037
 # Fingerprint (MD5): 80:3A:BC:22:C1:E6:FB:8D:9B:3B:27:4A:32:1B:9A:01
@@ -15525,16 +15613,17 @@ CKA_VALUE MULTILINE_OCTAL
 \037\305\354\372\234\176\317\176\261\361\007\055\266\374\277\312
 \244\277\320\227\005\112\274\352\030\050\002\220\275\124\170\011
 \041\161\323\321\175\035\331\026\260\251\141\075\320\012\000\042
 \374\307\173\313\011\144\105\013\073\100\201\367\175\174\062\365
 \230\312\130\216\175\052\356\220\131\163\144\371\066\164\136\045
 \241\365\146\005\056\177\071\025\251\052\373\120\213\216\205\151
 \364
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Starfield Root Certificate Authority - G2"
 # Issuer: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
 # Serial Number: 0 (0x0)
 # Subject: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
 # Not Valid Before: Tue Sep 01 00:00:00 2009
 # Not Valid After : Thu Dec 31 23:59:59 2037
 # Fingerprint (MD5): D6:39:81:C6:52:7E:96:69:FC:FC:CA:66:ED:05:F2:96
@@ -15676,16 +15765,17 @@ CKA_VALUE MULTILINE_OCTAL
 \210\100\317\175\106\035\377\036\307\341\316\377\043\333\306\372
 \215\125\116\251\002\347\107\021\106\076\364\375\275\173\051\046
 \273\251\141\142\067\050\266\055\052\366\020\206\144\311\160\247
 \322\255\267\051\160\171\352\074\332\143\045\237\375\150\267\060
 \354\160\373\165\212\267\155\140\147\262\036\310\271\351\330\250
 \157\002\213\147\015\115\046\127\161\332\040\374\301\112\120\215
 \261\050\272
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Starfield Services Root Certificate Authority - G2"
 # Issuer: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
 # Serial Number: 0 (0x0)
 # Subject: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
 # Not Valid Before: Tue Sep 01 00:00:00 2009
 # Not Valid After : Thu Dec 31 23:59:59 2037
 # Fingerprint (MD5): 17:35:74:AF:7B:61:1C:EB:F4:F9:3C:E2:EE:40:F9:A2
@@ -15806,16 +15896,17 @@ CKA_VALUE MULTILINE_OCTAL
 \265\063\252\262\157\323\012\242\120\343\366\073\350\056\104\302
 \333\146\070\251\063\126\110\361\155\033\063\215\015\214\077\140
 \067\235\323\312\155\176\064\176\015\237\162\166\213\033\237\162
 \375\122\065\101\105\002\226\057\034\262\232\163\111\041\261\111
 \107\105\107\264\357\152\064\021\311\115\232\314\131\267\326\002
 \236\132\116\145\265\224\256\033\337\051\260\026\361\277\000\236
 \007\072\027\144\265\004\265\043\041\231\012\225\073\227\174\357
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "AffirmTrust Commercial"
 # Issuer: CN=AffirmTrust Commercial,O=AffirmTrust,C=US
 # Serial Number:77:77:06:27:26:a9:b1:7c
 # Subject: CN=AffirmTrust Commercial,O=AffirmTrust,C=US
 # Not Valid Before: Fri Jan 29 14:06:06 2010
 # Not Valid After : Tue Dec 31 14:06:06 2030
 # Fingerprint (MD5): 82:92:BA:5B:EF:CD:8A:6F:A6:3D:55:F9:84:F6:D6:B7
@@ -15931,16 +16022,17 @@ CKA_VALUE MULTILINE_OCTAL
 \115\207\165\155\267\130\226\132\335\155\322\000\240\364\233\110
 \276\303\067\244\272\066\340\174\207\205\227\032\025\242\336\056
 \242\133\275\257\030\371\220\120\315\160\131\370\047\147\107\313
 \307\240\007\072\175\321\054\135\154\031\072\146\265\175\375\221
 \157\202\261\276\010\223\333\024\107\361\242\067\307\105\236\074
 \307\167\257\144\250\223\337\366\151\203\202\140\362\111\102\064
 \355\132\000\124\205\034\026\066\222\014\134\372\246\255\277\333
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "AffirmTrust Networking"
 # Issuer: CN=AffirmTrust Networking,O=AffirmTrust,C=US
 # Serial Number:7c:4f:04:39:1c:d4:99:2d
 # Subject: CN=AffirmTrust Networking,O=AffirmTrust,C=US
 # Not Valid Before: Fri Jan 29 14:08:24 2010
 # Not Valid After : Tue Dec 31 14:08:24 2030
 # Fingerprint (MD5): 42:65:CA:BE:01:9A:9A:4C:A9:8C:41:49:CD:C0:D5:7F
@@ -16088,16 +16180,17 @@ CKA_VALUE MULTILINE_OCTAL
 \030\246\265\250\136\264\203\154\153\151\100\323\237\334\361\303
 \151\153\271\341\155\011\364\361\252\120\166\012\172\175\172\027
 \241\125\226\102\231\061\011\335\140\021\215\005\060\176\346\216
 \106\321\235\024\332\307\027\344\005\226\214\304\044\265\033\317
 \024\007\262\100\370\243\236\101\206\274\004\320\153\226\310\052
 \200\064\375\277\357\006\243\335\130\305\205\075\076\217\376\236
 \051\340\266\270\011\150\031\034\030\103
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "AffirmTrust Premium"
 # Issuer: CN=AffirmTrust Premium,O=AffirmTrust,C=US
 # Serial Number:6d:8c:14:46:b1:a6:0a:ee
 # Subject: CN=AffirmTrust Premium,O=AffirmTrust,C=US
 # Not Valid Before: Fri Jan 29 14:10:36 2010
 # Not Valid After : Mon Dec 31 14:10:36 2040
 # Fingerprint (MD5): C4:5D:0E:48:B6:AC:28:30:4E:0A:BC:F9:38:16:87:57
@@ -16193,16 +16286,17 @@ CKA_VALUE MULTILINE_OCTAL
 \027\011\363\207\210\120\132\257\310\300\102\277\107\137\365\154
 \152\206\340\304\047\164\344\070\123\327\005\177\033\064\343\306
 \057\263\312\011\074\067\235\327\347\270\106\361\375\241\342\161
 \002\060\102\131\207\103\324\121\337\272\323\011\062\132\316\210
 \176\127\075\234\137\102\153\365\007\055\265\360\202\223\371\131
 \157\256\144\372\130\345\213\036\343\143\276\265\201\315\157\002
 \214\171
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "AffirmTrust Premium ECC"
 # Issuer: CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US
 # Serial Number:74:97:25:8a:c7:3f:7a:54
 # Subject: CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US
 # Not Valid Before: Fri Jan 29 14:20:24 2010
 # Not Valid After : Mon Dec 31 14:20:24 2040
 # Fingerprint (MD5): 64:B0:09:55:CF:B1:D5:99:E2:BE:13:AB:A6:5D:EA:4D
@@ -16331,16 +16425,17 @@ CKA_VALUE MULTILINE_OCTAL
 \227\306\166\350\047\226\243\146\335\341\256\362\101\133\312\230
 \126\203\163\160\344\206\032\322\061\101\272\057\276\055\023\132
 \166\157\116\350\116\201\016\077\133\003\042\240\022\276\146\130
 \021\112\313\003\304\264\052\052\055\226\027\340\071\124\274\110
 \323\166\047\235\232\055\006\246\311\354\071\322\253\333\237\232
 \013\047\002\065\051\261\100\225\347\371\350\234\125\210\031\106
 \326\267\064\365\176\316\071\232\331\070\361\121\367\117\054
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Certum Trusted Network CA"
 # Issuer: CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
 # Serial Number: 279744 (0x444c0)
 # Subject: CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
 # Not Valid Before: Wed Oct 22 12:07:37 2008
 # Not Valid After : Mon Dec 31 12:07:37 2029
 # Fingerprint (MD5): D5:E9:81:40:C5:18:69:FC:46:2C:89:75:62:0F:AA:78
@@ -16500,16 +16595,17 @@ CKA_VALUE MULTILINE_OCTAL
 \032\050\364\041\003\356\056\331\301\200\352\271\331\202\326\133
 \166\302\313\073\265\322\000\360\243\016\341\255\156\100\367\333
 \240\264\320\106\256\025\327\104\302\115\065\371\322\013\362\027
 \366\254\146\325\044\262\117\321\034\231\300\156\365\175\353\164
 \004\270\371\115\167\011\327\264\317\007\060\011\361\270\000\126
 \331\027\026\026\012\053\206\337\217\001\031\032\345\273\202\143
 \377\276\013\166\026\136\067\067\346\330\164\227\242\231\105\171
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Certinomis - Autorité Racine"
 # Issuer: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR
 # Serial Number: 1 (0x1)
 # Subject: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR
 # Not Valid Before: Wed Sep 17 08:28:59 2008
 # Not Valid After : Sun Sep 17 08:28:59 2028
 # Fingerprint (MD5): 7F:30:78:8C:03:E3:CA:C9:0A:E2:C9:EA:1E:AA:55:1A
@@ -16634,16 +16730,17 @@ CKA_VALUE MULTILINE_OCTAL
 \172\162\132\203\263\171\157\357\264\374\320\012\245\130\117\106
 \337\373\155\171\131\362\204\042\122\256\017\314\373\174\073\347
 \152\312\107\141\303\172\370\323\222\004\037\270\040\204\341\066
 \124\026\307\100\336\073\212\163\334\337\306\011\114\337\354\332
 \377\324\123\102\241\311\362\142\035\042\203\074\227\305\371\031
 \142\047\254\145\042\327\323\074\306\345\216\262\123\314\111\316
 \274\060\376\173\016\063\220\373\355\322\024\221\037\007\257
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "TWCA Root Certification Authority"
 # Issuer: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW
 # Serial Number: 1 (0x1)
 # Subject: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW
 # Not Valid Before: Thu Aug 28 07:24:33 2008
 # Not Valid After : Tue Dec 31 15:59:59 2030
 # Fingerprint (MD5): AA:08:8F:F6:F9:7B:B7:F2:B1:A7:1E:9B:EA:EA:BD:79
@@ -18024,16 +18121,17 @@ CKA_VALUE MULTILINE_OCTAL
 \273\233\051\126\074\376\000\067\317\043\154\361\116\252\266\164
 \106\022\154\221\356\064\325\354\232\221\347\104\276\220\061\162
 \325\111\002\366\002\345\364\037\353\174\331\226\125\251\377\354
 \212\371\231\107\377\065\132\002\252\004\313\212\133\207\161\051
 \221\275\244\264\172\015\275\232\365\127\043\000\007\041\027\077
 \112\071\321\005\111\013\247\266\067\201\245\135\214\252\063\136
 \201\050\174\247\175\047\353\000\256\215\067
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Security Communication RootCA2"
 # Issuer: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
 # Serial Number: 0 (0x0)
 # Subject: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
 # Not Valid Before: Fri May 29 05:00:39 2009
 # Not Valid After : Tue May 29 05:00:39 2029
 # Fingerprint (MD5): 6C:39:7D:A4:0E:55:59:B2:3F:D6:41:B1:12:50:DE:43
@@ -18206,16 +18304,17 @@ CKA_VALUE MULTILINE_OCTAL
 \234\211\333\151\070\276\354\134\016\126\307\145\121\345\120\210
 \210\277\102\325\053\075\345\371\272\236\056\263\312\364\163\222
 \002\013\276\114\146\353\040\376\271\313\265\231\177\346\266\023
 \372\312\113\115\331\356\123\106\006\073\306\116\255\223\132\201
 \176\154\052\113\152\005\105\214\362\041\244\061\220\207\154\145
 \234\235\245\140\225\072\122\177\365\321\253\010\156\363\356\133
 \371\210\075\176\270\157\156\003\344\102
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "EC-ACC"
 # Issuer: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES
 # Serial Number:ee:2b:3d:eb:d4:21:de:14:a8:62:ac:04:f3:dd:c4:01
 # Subject: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES
 # Not Valid Before: Tue Jan 07 23:00:00 2003
 # Not Valid After : Tue Jan 07 22:59:59 2031
 # Fingerprint (MD5): EB:F5:9D:29:0D:61:F9:42:1F:7C:C2:BA:6D:E3:15:09
@@ -18368,16 +18467,17 @@ CKA_VALUE MULTILINE_OCTAL
 \372\363\003\022\226\170\006\215\261\147\355\216\077\276\237\117
 \002\365\263\011\057\363\114\207\337\052\313\225\174\001\314\254
 \066\172\277\242\163\172\367\217\301\265\232\241\024\262\217\063
 \237\015\357\042\334\146\173\204\275\105\027\006\075\074\312\271
 \167\064\217\312\352\317\077\061\076\343\210\343\200\111\045\310
 \227\265\235\232\231\115\260\074\370\112\000\233\144\335\237\071
 \113\321\047\327\270
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for Certificate "Hellenic Academic and Research Institutions RootCA 2011"
 # Issuer: CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
 # Serial Number: 0 (0x0)
 # Subject: CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
 # Not Valid Before: Tue Dec 06 13:49:52 2011
 # Not Valid After : Mon Dec 01 13:49:52 2031
 # Fingerprint (MD5): 73:9F:4C:4B:73:5B:79:E9:FA:BA:1C:EF:6E:CB:D5:C9
@@ -18603,16 +18703,17 @@ CKA_VALUE MULTILINE_OCTAL
 \177\244\101\041\220\101\167\246\071\037\352\236\343\237\320\146
 \157\005\354\252\166\176\277\153\026\240\353\265\307\374\222\124
 \057\053\021\047\045\067\170\114\121\152\260\363\314\130\135\024
 \361\152\110\025\377\302\007\266\261\215\017\216\134\120\106\263
 \075\277\001\230\117\262\131\124\107\076\064\173\170\155\126\223
 \056\163\352\146\050\170\315\035\024\277\240\217\057\056\270\056
 \216\362\024\212\314\351\265\174\373\154\235\014\245\341\226
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Actalis Authentication Root CA"
 # Issuer: CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT
 # Serial Number:57:0a:11:97:42:c4:e3:cc
 # Subject: CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT
 # Not Valid Before: Thu Sep 22 11:22:02 2011
 # Not Valid After : Sun Sep 22 11:22:02 2030
 # Fingerprint (MD5): 69:C1:0D:4F:07:A3:1B:C3:FE:56:3D:04:BC:11:F6:A6
@@ -18733,16 +18834,17 @@ CKA_VALUE MULTILINE_OCTAL
 \177\124\365\243\340\217\360\174\125\042\217\051\266\201\243\341
 \155\116\054\033\200\147\354\255\040\237\014\142\141\325\227\377
 \103\355\055\301\332\135\051\052\205\077\254\145\356\206\017\005
 \215\220\137\337\356\237\364\277\356\035\373\230\344\177\220\053
 \204\170\020\016\154\111\123\357\025\133\145\106\112\135\257\272
 \373\072\162\035\315\366\045\210\036\227\314\041\234\051\001\015
 \145\353\127\331\363\127\226\273\110\315\201
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Trustis FPS Root CA"
 # Issuer: OU=Trustis FPS Root CA,O=Trustis Limited,C=GB
 # Serial Number:1b:1f:ad:b6:20:f9:24:d3:36:6b:f7:c7:f1:8c:a0:59
 # Subject: OU=Trustis FPS Root CA,O=Trustis Limited,C=GB
 # Not Valid Before: Tue Dec 23 12:14:06 2003
 # Not Valid After : Sun Jan 21 11:36:54 2024
 # Fingerprint (MD5): 30:C9:E7:1E:6B:E6:14:EB:65:B2:16:69:20:31:67:4D
@@ -18933,16 +19035,17 @@ CKA_VALUE MULTILINE_OCTAL
 \046\161\304\205\136\161\044\312\245\033\154\330\141\323\032\340
 \124\333\316\272\251\062\265\042\366\163\101\011\135\270\027\135
 \016\017\231\220\326\107\332\157\012\072\142\050\024\147\202\331
 \361\320\200\131\233\313\061\330\233\017\214\167\116\265\150\212
 \362\154\366\044\016\055\154\160\305\163\321\336\024\320\161\217
 \266\323\173\002\366\343\270\324\011\156\153\236\165\204\071\346
 \177\045\245\362\110\000\300\244\001\332\077
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "StartCom Certification Authority"
 # Issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
 # Serial Number: 45 (0x2d)
 # Subject: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
 # Not Valid Before: Sun Sep 17 19:46:37 2006
 # Not Valid After : Wed Sep 17 19:46:36 2036
 # Fingerprint (MD5): C9:3B:0D:84:41:FC:A4:76:79:23:08:57:DE:10:19:16
@@ -19097,16 +19200,17 @@ CKA_VALUE MULTILINE_OCTAL
 \102\056\055\304\011\072\003\147\151\204\232\341\131\220\212\050
 \205\325\135\164\261\321\016\040\130\233\023\245\260\143\246\355
 \173\107\375\105\125\060\244\356\232\324\346\342\207\357\230\311
 \062\202\021\051\042\274\000\012\061\136\055\017\300\216\351\153
 \262\217\056\006\330\321\221\307\306\022\364\114\375\060\027\303
 \301\332\070\133\343\251\352\346\241\272\171\357\163\330\266\123
 \127\055\366\320\341\327\110
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "StartCom Certification Authority G2"
 # Issuer: CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL
 # Serial Number: 59 (0x3b)
 # Subject: CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL
 # Not Valid Before: Fri Jan 01 01:00:01 2010
 # Not Valid After : Sat Dec 31 23:59:01 2039
 # Fingerprint (MD5): 78:4B:FB:9E:64:82:0A:D3:B8:4C:62:F3:64:F2:90:64
@@ -19256,16 +19360,17 @@ CKA_VALUE MULTILINE_OCTAL
 \112\220\136\303\372\047\004\261\171\025\164\231\314\276\255\040
 \336\046\140\034\353\126\121\246\243\352\344\243\077\247\377\141
 \334\361\132\115\154\062\043\103\356\254\250\356\356\112\022\011
 \074\135\161\302\276\171\372\302\207\150\035\013\375\134\151\314
 \006\320\232\175\124\231\052\311\071\032\031\257\113\052\103\363
 \143\135\132\130\342\057\343\035\344\251\326\320\012\320\236\277
 \327\201\011\361\311\307\046\015\254\230\026\126\240
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Buypass Class 2 Root CA"
 # Issuer: CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO
 # Serial Number: 2 (0x2)
 # Subject: CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO
 # Not Valid Before: Tue Oct 26 08:38:03 2010
 # Not Valid After : Fri Oct 26 08:38:03 2040
 # Fingerprint (MD5): 46:A7:D2:FE:45:FB:64:5A:A8:59:90:9B:78:44:9B:29
@@ -19414,16 +19519,17 @@ CKA_VALUE MULTILINE_OCTAL
 \105\310\114\161\331\274\311\231\122\127\106\057\120\317\275\065
 \151\364\075\025\316\006\245\054\017\076\366\201\272\224\273\303
 \273\277\145\170\322\206\171\377\111\073\032\203\014\360\336\170
 \354\310\362\115\114\032\336\202\051\370\301\132\332\355\356\346
 \047\136\350\105\320\235\034\121\250\150\253\104\343\320\213\152
 \343\370\073\273\334\115\327\144\362\121\276\346\252\253\132\351
 \061\356\006\274\163\277\023\142\012\237\307\271\227
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Buypass Class 3 Root CA"
 # Issuer: CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO
 # Serial Number: 2 (0x2)
 # Subject: CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO
 # Not Valid Before: Tue Oct 26 08:28:58 2010
 # Not Valid After : Fri Oct 26 08:28:58 2040
 # Fingerprint (MD5): 3D:3B:18:9E:2C:64:5A:E8:D5:88:CE:0E:F9:37:C2:EC
@@ -19555,16 +19661,17 @@ CKA_VALUE MULTILINE_OCTAL
 \367\124\076\201\075\332\111\152\232\263\357\020\075\346\353\157
 \321\310\042\107\313\314\317\001\061\222\331\030\343\042\276\011
 \036\032\076\132\262\344\153\014\124\172\175\103\116\270\211\245
 \173\327\242\075\226\206\314\362\046\064\055\152\222\235\232\032
 \320\060\342\135\116\004\260\137\213\040\176\167\301\075\225\202
 \321\106\232\073\074\170\270\157\241\320\015\144\242\170\036\051
 \116\223\303\244\124\024\133
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "T-TeleSec GlobalRoot Class 3"
 # Issuer: CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
 # Serial Number: 1 (0x1)
 # Subject: CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
 # Not Valid Before: Wed Oct 01 10:29:56 2008
 # Not Valid After : Sat Oct 01 23:59:59 2033
 # Fingerprint (MD5): CA:FB:40:A8:4E:39:92:8A:1D:FE:8E:2F:C4:27:EA:EF
@@ -19703,16 +19810,17 @@ CKA_VALUE MULTILINE_OCTAL
 \346\164\163\224\135\026\230\023\225\376\373\333\261\104\345\072
 \160\254\067\153\346\263\063\162\050\311\263\127\240\366\002\026
 \210\006\013\266\246\113\040\050\324\336\075\213\255\067\005\123
 \164\376\156\314\274\103\027\161\136\371\305\314\032\251\141\356
 \367\166\014\363\162\364\162\255\317\162\002\066\007\107\317\357
 \031\120\211\140\314\351\044\225\017\302\313\035\362\157\166\220
 \307\314\165\301\226\305\235
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "EE Certification Centre Root CA"
 # Issuer: E=pki@sk.ee,CN=EE Certification Centre Root CA,O=AS Sertifitseerimiskeskus,C=EE
 # Serial Number:54:80:f9:a0:73:ed:3f:00:4c:ca:89:d8:e3:71:e6:4a
 # Subject: E=pki@sk.ee,CN=EE Certification Centre Root CA,O=AS Sertifitseerimiskeskus,C=EE
 # Not Valid Before: Sat Oct 30 10:10:30 2010
 # Not Valid After : Tue Dec 17 23:59:59 2030
 # Fingerprint (MD5): 43:5E:88:D4:7D:1A:4A:7E:FD:84:2E:52:EB:01:D4:6F
@@ -19932,16 +20040,17 @@ CKA_VALUE MULTILINE_OCTAL
 \005\332\143\127\213\345\263\252\333\300\056\034\220\104\333\032
 \135\030\244\356\276\004\133\231\325\161\137\125\145\144\142\325
 \242\233\004\131\206\310\142\167\347\174\202\105\152\075\027\277
 \354\235\165\014\256\243\157\132\323\057\230\066\364\360\365\031
 \253\021\135\310\246\343\052\130\152\102\011\303\275\222\046\146
 \062\015\135\010\125\164\377\214\230\320\012\246\204\152\321\071
 \175
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "TURKTRUST Certificate Services Provider Root 2007"
 # Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
 # Serial Number: 1 (0x1)
 # Subject: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
 # Not Valid Before: Tue Dec 25 18:37:19 2007
 # Not Valid After : Fri Dec 22 18:37:19 2017
 # Fingerprint (MD5): 2B:70:20:56:86:82:A0:18:C8:07:53:12:28:70:21:72
@@ -20080,16 +20189,17 @@ CKA_VALUE MULTILINE_OCTAL
 \310\154\353\202\123\004\246\344\114\042\115\215\214\272\316\133
 \163\354\144\124\120\155\321\234\125\373\151\303\066\303\214\274
 \074\205\246\153\012\046\015\340\223\230\140\256\176\306\044\227
 \212\141\137\221\216\146\222\011\207\066\315\213\233\055\076\366
 \121\324\120\324\131\050\275\203\362\314\050\173\123\206\155\330
 \046\210\160\327\352\221\315\076\271\312\300\220\156\132\306\136
 \164\145\327\134\376\243\342
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "D-TRUST Root Class 3 CA 2 2009"
 # Issuer: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE
 # Serial Number: 623603 (0x983f3)
 # Subject: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE
 # Not Valid Before: Thu Nov 05 08:35:58 2009
 # Not Valid After : Mon Nov 05 08:35:58 2029
 # Fingerprint (MD5): CD:E0:25:69:8D:47:AC:9C:89:35:90:F7:FD:51:3D:2F
@@ -20223,16 +20333,17 @@ CKA_VALUE MULTILINE_OCTAL
 \173\360\171\121\327\103\075\247\323\201\323\360\311\117\271\332
 \306\227\206\320\202\303\344\102\155\376\260\342\144\116\016\046
 \347\100\064\046\265\010\211\327\010\143\143\070\047\165\036\063
 \352\156\250\335\237\231\117\164\115\201\211\200\113\335\232\227
 \051\134\057\276\201\101\271\214\377\352\175\140\006\236\315\327
 \075\323\056\243\025\274\250\346\046\345\157\303\334\270\003\041
 \352\237\026\361\054\124\265
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "D-TRUST Root Class 3 CA 2 EV 2009"
 # Issuer: CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE
 # Serial Number: 623604 (0x983f4)
 # Subject: CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE
 # Not Valid Before: Thu Nov 05 08:50:46 2009
 # Not Valid After : Mon Nov 05 08:50:46 2029
 # Fingerprint (MD5): AA:C6:43:2C:5E:2D:CD:C4:34:C0:50:4F:11:02:4F:B6
@@ -20472,16 +20583,17 @@ CKA_VALUE MULTILINE_OCTAL
 \071\246\202\326\161\312\336\267\325\272\150\010\355\231\314\375
 \242\222\313\151\270\235\371\012\244\246\076\117\223\050\052\141
 \154\007\046\000\377\226\137\150\206\270\270\316\312\125\340\253
 \261\075\177\230\327\063\016\132\075\330\170\302\304\140\057\307
 \142\360\141\221\322\070\260\366\236\125\333\100\200\005\022\063
 \316\035\222\233\321\151\263\377\277\361\222\012\141\065\077\335
 \376\206\364\274\340\032\161\263\142\246
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "PSCProcert"
 # Issuer: E=acraiz@suscerte.gob.ve,OU=Superintendencia de Servicios de Certificacion Electronica,O=Sistema Nacional de Certificacion Electronica,ST=Distrito Capital,L=Caracas,C=VE,CN=Autoridad de Certificacion Raiz del Estado Venezolano
 # Serial Number: 11 (0xb)
 # Subject: CN=PSCProcert,C=VE,O=Sistema Nacional de Certificacion Electronica,OU=Proveedor de Certificados PROCERT,ST=Miranda,L=Chacao,E=contacto@procert.net.ve
 # Not Valid Before: Tue Dec 28 16:51:00 2010
 # Not Valid After : Fri Dec 25 23:59:59 2020
 # Fingerprint (MD5): E6:24:E9:12:01:AE:0C:DE:8E:85:C4:CE:A3:12:DD:EC
@@ -20630,16 +20742,17 @@ CKA_VALUE MULTILINE_OCTAL
 \146\102\107\302\130\044\231\341\345\076\345\165\054\216\103\326
 \135\074\170\036\250\225\202\051\120\321\321\026\272\357\301\276
 \172\331\264\330\314\036\114\106\341\167\261\061\253\275\052\310
 \316\217\156\241\135\177\003\165\064\344\255\211\105\124\136\276
 \256\050\245\273\077\170\171\353\163\263\012\015\375\276\311\367
 \126\254\366\267\355\057\233\041\051\307\070\266\225\304\004\362
 \303\055\375\024\052\220\231\271\007\314\237
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "China Internet Network Information Center EV Certificates Root"
 # Issuer: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN
 # Serial Number: 1218379777 (0x489f0001)
 # Subject: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN
 # Not Valid Before: Tue Aug 31 07:11:25 2010
 # Not Valid After : Sat Aug 31 07:11:25 2030
 # Fingerprint (MD5): 55:5D:63:00:97:BD:6A:97:F5:67:AB:4B:FB:6E:63:15
@@ -20805,16 +20918,17 @@ CKA_VALUE MULTILINE_OCTAL
 \361\377\246\100\005\205\005\134\312\007\031\134\013\023\050\114
 \130\177\302\245\357\105\332\140\323\256\145\141\235\123\203\164
 \302\256\362\134\302\026\355\222\076\204\076\163\140\210\274\166
 \364\054\317\320\175\175\323\270\136\321\221\022\020\351\315\335
 \312\045\343\325\355\231\057\276\165\201\113\044\371\105\106\224
 \311\051\041\123\234\046\105\252\023\027\344\347\315\170\342\071
 \301\053\022\236\246\236\033\305\346\016\331\061\331
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Swisscom Root CA 2"
 # Issuer: CN=Swisscom Root CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
 # Serial Number:1e:9e:28:e8:48:f2:e5:ef:c3:7c:4a:1e:5a:18:67:b6
 # Subject: CN=Swisscom Root CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
 # Not Valid Before: Fri Jun 24 08:38:14 2011
 # Not Valid After : Wed Jun 25 07:38:14 2031
 # Fingerprint (MD5): 5B:04:69:EC:A5:83:94:63:18:A7:86:D0:E4:F2:6E:19
@@ -20980,16 +21094,17 @@ CKA_VALUE MULTILINE_OCTAL
 \234\337\164\326\360\100\025\035\310\271\217\265\066\305\257\370
 \042\270\312\035\363\326\266\031\017\237\141\145\152\352\164\310
 \174\217\303\117\135\145\202\037\331\015\211\332\165\162\373\357
 \361\107\147\023\263\310\321\031\210\047\046\232\231\171\177\036
 \344\054\077\173\356\361\336\115\213\226\227\303\325\077\174\033
 \043\355\244\263\035\026\162\103\113\040\341\131\176\302\350\255
 \046\277\242\367
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Swisscom Root EV CA 2"
 # Issuer: CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
 # Serial Number:00:f2:fa:64:e2:74:63:d3:8d:fd:10:1d:04:1f:76:ca:58
 # Subject: CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
 # Not Valid Before: Fri Jun 24 09:45:08 2011
 # Not Valid After : Wed Jun 25 08:45:08 2031
 # Fingerprint (MD5): 7B:30:34:9F:DD:0A:4B:6B:35:CA:31:51:28:5D:AE:EC
@@ -21144,16 +21259,17 @@ CKA_VALUE MULTILINE_OCTAL
 \001\347\177\227\017\327\362\173\031\375\032\327\217\311\372\205
 \153\172\235\236\211\266\246\050\231\223\210\100\367\076\315\121
 \243\312\352\357\171\107\041\265\376\062\342\307\303\121\157\276
 \200\164\360\244\303\072\362\117\351\137\337\031\012\362\073\023
 \103\254\061\244\263\347\353\374\030\326\001\251\363\052\217\066
 \016\353\264\261\274\267\114\311\153\277\241\363\331\364\355\342
 \360\343\355\144\236\075\057\226\122\117\200\123\213
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "CA Disig Root R1"
 # Issuer: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
 # Serial Number:00:c3:03:9a:ee:50:90:6e:28
 # Subject: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
 # Not Valid Before: Thu Jul 19 09:06:56 2012
 # Not Valid After : Sat Jul 19 09:06:56 2042
 # Fingerprint (MD5): BE:EC:11:93:9A:F5:69:21:BC:D7:C1:C0:67:89:CC:2A
@@ -21306,16 +21422,17 @@ CKA_VALUE MULTILINE_OCTAL
 \233\116\166\300\216\175\375\244\045\307\107\355\377\037\163\254
 \314\303\245\351\157\012\216\233\145\302\120\205\265\243\240\123
 \022\314\125\207\141\363\201\256\020\106\141\275\104\041\270\302
 \075\164\317\176\044\065\372\034\007\016\233\075\042\312\357\061
 \057\214\254\022\275\357\100\050\374\051\147\237\262\023\117\146
 \044\304\123\031\351\036\051\025\357\346\155\260\177\055\147\375
 \363\154\033\165\106\243\345\112\027\351\244\327\013
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "CA Disig Root R2"
 # Issuer: CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK
 # Serial Number:00:92:b8:88:db:b0:8a:c1:63
 # Subject: CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK
 # Not Valid Before: Thu Jul 19 09:15:30 2012
 # Not Valid After : Sat Jul 19 09:15:30 2042
 # Fingerprint (MD5): 26:01:FB:D8:27:A7:17:9A:45:54:38:1A:43:01:3B:03
@@ -21505,16 +21622,17 @@ CKA_VALUE MULTILINE_OCTAL
 \346\301\232\351\036\002\107\237\052\250\155\251\133\317\354\105
 \167\177\230\047\232\062\135\052\343\204\356\305\230\146\057\226
 \040\035\335\330\303\047\327\260\371\376\331\175\315\320\237\217
 \013\024\130\121\237\057\213\303\070\055\336\350\217\326\215\207
 \244\365\126\103\026\231\054\364\244\126\264\064\270\141\067\311
 \302\130\200\033\240\227\241\374\131\215\351\021\366\321\017\113
 \125\064\106\052\213\206\073
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "ACCVRAIZ1"
 # Issuer: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1
 # Serial Number:5e:c3:b7:a6:43:7f:a4:e0
 # Subject: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1
 # Not Valid Before: Thu May 05 09:37:37 2011
 # Not Valid After : Tue Dec 31 09:37:37 2030
 # Fingerprint (MD5): D0:A0:5A:EE:05:B6:09:94:21:A1:7D:F1:B2:29:82:02
@@ -21664,16 +21782,17 @@ CKA_VALUE MULTILINE_OCTAL
 \301\255\175\204\003\074\020\170\206\033\171\343\304\363\362\004
 \225\040\256\043\202\304\263\072\000\142\277\346\066\044\341\127
 \272\307\036\220\165\325\137\077\225\141\053\301\073\315\345\263
 \150\141\320\106\046\251\041\122\151\055\353\056\307\353\167\316
 \246\072\265\003\063\117\166\321\347\134\124\001\135\313\170\364
 \311\014\277\317\022\216\027\055\043\150\224\347\253\376\251\262
 \053\006\320\004\315
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "TWCA Global Root CA"
 # Issuer: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW
 # Serial Number: 3262 (0xcbe)
 # Subject: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW
 # Not Valid Before: Wed Jun 27 06:28:33 2012
 # Not Valid After : Tue Dec 31 15:59:59 2030
 # Fingerprint (MD5): F9:03:7E:CF:E6:9E:3C:73:7A:2A:90:07:69:FF:2B:96
@@ -21820,16 +21939,17 @@ CKA_VALUE MULTILINE_OCTAL
 \255\316\364\370\151\024\144\071\373\243\270\272\160\100\307\047
 \034\277\304\126\123\372\143\145\320\363\034\016\026\365\153\206
 \130\115\030\324\344\015\216\245\235\133\221\334\166\044\120\077
 \306\052\373\331\267\234\265\326\346\320\331\350\031\213\025\161
 \110\255\267\352\330\131\210\324\220\277\026\263\331\351\254\131
 \141\124\310\034\272\312\301\312\341\271\040\114\217\072\223\211
 \245\240\314\277\323\366\165\244\165\226\155\126
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "TeliaSonera Root CA v1"
 # Issuer: CN=TeliaSonera Root CA v1,O=TeliaSonera
 # Serial Number:00:95:be:16:a0:f7:2e:46:f1:7b:39:82:72:fa:8b:cd:96
 # Subject: CN=TeliaSonera Root CA v1,O=TeliaSonera
 # Not Valid Before: Thu Oct 18 12:00:50 2007
 # Not Valid After : Mon Oct 18 12:00:50 2032
 # Fingerprint (MD5): 37:41:49:1B:18:56:9A:26:F5:AD:C2:66:FB:40:A5:4C
@@ -22007,16 +22127,17 @@ CKA_VALUE MULTILINE_OCTAL
 \237\211\213\375\067\137\137\072\316\070\131\206\113\257\161\013
 \264\330\362\160\117\237\062\023\343\260\247\127\345\332\332\103
 \313\204\064\362\050\304\352\155\364\052\357\301\153\166\332\373
 \176\273\205\074\322\123\302\115\276\161\341\105\321\375\043\147
 \015\023\165\373\317\145\147\042\235\256\260\011\321\011\377\035
 \064\277\376\043\227\067\322\071\372\075\015\006\013\264\333\073
 \243\253\157\134\035\266\176\350\263\202\064\355\006\134\044
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "E-Tugra Certification Authority"
 # Issuer: CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tu..ra EBG Bili..im Teknolojileri ve Hizmetleri A....,L=Ankara,C=TR
 # Serial Number:6a:68:3e:9c:51:9b:cb:53
 # Subject: CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tu..ra EBG Bili..im Teknolojileri ve Hizmetleri A....,L=Ankara,C=TR
 # Not Valid Before: Tue Mar 05 12:09:48 2013
 # Not Valid After : Fri Mar 03 12:09:48 2023
 # Fingerprint (MD5): B8:A1:03:63:B0:BD:21:71:70:8A:6F:13:3A:BB:79:49
@@ -22155,16 +22276,17 @@ CKA_VALUE MULTILINE_OCTAL
 \203\125\352\174\302\051\211\033\351\157\263\316\342\005\204\311
 \057\076\170\205\142\156\311\137\301\170\143\164\130\300\110\030
 \014\231\071\353\244\314\032\265\171\132\215\025\234\330\024\015
 \366\172\007\127\307\042\203\005\055\074\233\045\046\075\030\263
 \251\103\174\310\310\253\144\217\016\243\277\234\033\235\060\333
 \332\320\031\056\252\074\361\373\063\200\166\344\315\255\031\117
 \005\047\216\023\241\156\302
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "T-TeleSec GlobalRoot Class 2"
 # Issuer: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
 # Serial Number: 1 (0x1)
 # Subject: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
 # Not Valid Before: Wed Oct 01 10:40:14 2008
 # Not Valid After : Sat Oct 01 23:59:59 2033
 # Fingerprint (MD5): 2B:9B:9E:E4:7B:6C:1F:00:72:1A:CC:C1:77:79:DF:6A
@@ -22285,16 +22407,17 @@ CKA_VALUE MULTILINE_OCTAL
 \265\024\357\264\021\377\016\025\265\365\365\333\306\275\353\132
 \247\360\126\042\251\074\145\124\306\025\250\275\206\236\315\203
 \226\150\172\161\201\211\341\013\341\352\021\033\150\010\314\151
 \236\354\236\101\236\104\062\046\172\342\207\012\161\075\353\344
 \132\244\322\333\305\315\306\336\140\177\271\363\117\104\222\357
 \052\267\030\076\247\031\331\013\175\261\067\101\102\260\272\140
 \035\362\376\011\021\260\360\207\173\247\235
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Atos TrustedRoot 2011"
 # Issuer: C=DE,O=Atos,CN=Atos TrustedRoot 2011
 # Serial Number:5c:33:cb:62:2c:5f:b3:32
 # Subject: C=DE,O=Atos,CN=Atos TrustedRoot 2011
 # Not Valid Before: Thu Jul 07 14:58:30 2011
 # Not Valid After : Tue Dec 31 23:59:59 2030
 # Fingerprint (MD5): AE:B9:C4:32:4B:AC:7F:5D:66:CC:77:94:BB:2A:77:56
@@ -22444,16 +22567,17 @@ CKA_VALUE MULTILINE_OCTAL
 \353\134\237\336\263\257\147\003\263\037\335\155\135\151\150\151
 \253\136\072\354\174\151\274\307\073\205\116\236\025\271\264\025
 \117\303\225\172\130\327\311\154\351\154\271\363\051\143\136\264
 \054\360\055\075\355\132\145\340\251\133\100\302\110\231\201\155
 \236\037\006\052\074\022\264\213\017\233\242\044\360\246\215\326
 \172\340\113\266\144\226\143\225\204\302\112\315\034\056\044\207
 \063\140\345\303
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "QuoVadis Root CA 1 G3"
 # Issuer: CN=QuoVadis Root CA 1 G3,O=QuoVadis Limited,C=BM
 # Serial Number:78:58:5f:2e:ad:2c:19:4b:e3:37:07:35:34:13:28:b5:96:d4:65:93
 # Subject: CN=QuoVadis Root CA 1 G3,O=QuoVadis Limited,C=BM
 # Not Valid Before: Thu Jan 12 17:27:44 2012
 # Not Valid After : Sun Jan 12 17:27:44 2042
 # Fingerprint (SHA-256): 8A:86:6F:D1:B2:76:B5:7E:57:8E:92:1C:65:82:8A:2B:ED:58:E9:F2:F2:88:05:41:34:B7:F1:F4:BF:C9:CC:74
@@ -22605,16 +22729,17 @@ CKA_VALUE MULTILINE_OCTAL
 \374\267\003\111\002\133\310\045\346\342\124\070\365\171\207\214
 \035\123\262\116\205\173\006\070\307\054\370\370\260\162\215\045
 \345\167\122\364\003\034\110\246\120\137\210\040\060\156\362\202
 \103\253\075\227\204\347\123\373\041\301\117\017\042\232\206\270
 \131\052\366\107\075\031\210\055\350\205\341\236\354\205\010\152
 \261\154\064\311\035\354\110\053\073\170\355\146\304\216\171\151
 \203\336\177\214
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "QuoVadis Root CA 2 G3"
 # Issuer: CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM
 # Serial Number:44:57:34:24:5b:81:89:9b:35:f2:ce:b8:2b:3b:5b:a7:26:f0:75:28
 # Subject: CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM
 # Not Valid Before: Thu Jan 12 18:59:32 2012
 # Not Valid After : Sun Jan 12 18:59:32 2042
 # Fingerprint (SHA-256): 8F:E4:FB:0A:F9:3A:4D:0D:67:DB:0B:EB:B2:3E:37:C7:1B:F3:25:DC:BC:DD:24:0E:A0:4D:AF:58:B4:7E:18:40
@@ -22766,16 +22891,17 @@ CKA_VALUE MULTILINE_OCTAL
 \046\350\354\266\013\055\247\205\065\315\375\131\310\237\321\315
 \076\132\051\064\271\075\204\316\261\145\324\131\221\221\126\165
 \041\301\167\236\371\172\341\140\235\323\255\004\030\364\174\353
 \136\223\217\123\112\042\051\370\110\053\076\115\206\254\133\177
 \313\006\231\131\140\330\130\145\225\215\104\321\367\177\176\047
 \177\175\256\200\365\007\114\266\076\234\161\124\231\004\113\375
 \130\371\230\364
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "QuoVadis Root CA 3 G3"
 # Issuer: CN=QuoVadis Root CA 3 G3,O=QuoVadis Limited,C=BM
 # Serial Number:2e:f5:9b:02:28:a7:db:7a:ff:d5:a3:a9:ee:bd:03:a0:cf:12:6a:1d
 # Subject: CN=QuoVadis Root CA 3 G3,O=QuoVadis Limited,C=BM
 # Not Valid Before: Thu Jan 12 20:26:32 2012
 # Not Valid After : Sun Jan 12 20:26:32 2042
 # Fingerprint (SHA-256): 88:EF:81:DE:20:2E:B0:18:45:2E:43:F8:64:72:5C:EA:5F:BD:1F:C2:D9:D2:05:73:07:09:C5:D8:B8:69:0F:46
@@ -22902,16 +23028,17 @@ CKA_VALUE MULTILINE_OCTAL
 \007\234\242\272\331\001\162\134\363\115\301\335\016\261\034\015
 \304\143\276\255\364\024\373\211\354\242\101\016\114\314\310\127
 \100\320\156\003\252\315\014\216\211\231\231\154\360\074\060\257
 \070\337\157\274\243\276\051\040\047\253\164\377\023\042\170\336
 \227\122\125\036\203\265\124\040\003\356\256\300\117\126\336\067
 \314\303\177\252\004\047\273\323\167\270\142\333\027\174\234\050
 \042\023\163\154\317\046\365\212\051\347
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "DigiCert Assured ID Root G2"
 # Issuer: CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:0b:93:1c:3a:d6:39:67:ea:67:23:bf:c3:af:9a:f4:4b
 # Subject: CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Not Valid Before: Thu Aug 01 12:00:00 2013
 # Not Valid After : Fri Jan 15 12:00:00 2038
 # Fingerprint (SHA-256): 7D:05:EB:B6:82:33:9F:8C:94:51:EE:09:4E:EB:FE:FA:79:53:A1:14:ED:B2:F4:49:49:45:2F:AB:7D:2F:C1:85
@@ -23019,16 +23146,17 @@ CKA_VALUE MULTILINE_OCTAL
 \003\003\147\000\060\144\002\060\045\244\201\105\002\153\022\113
 \165\164\117\310\043\343\160\362\165\162\336\174\211\360\317\221
 \162\141\236\136\020\222\131\126\271\203\307\020\347\070\351\130
 \046\066\175\325\344\064\206\071\002\060\174\066\123\360\060\345
 \142\143\072\231\342\266\243\073\233\064\372\036\332\020\222\161
 \136\221\023\247\335\244\156\222\314\062\326\365\041\146\307\057
 \352\226\143\152\145\105\222\225\001\264
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "DigiCert Assured ID Root G3"
 # Issuer: CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:0b:a1:5a:fa:1d:df:a0:b5:49:44:af:cd:24:a0:6c:ec
 # Subject: CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Not Valid Before: Thu Aug 01 12:00:00 2013
 # Not Valid After : Fri Jan 15 12:00:00 2038
 # Fingerprint (SHA-256): 7E:37:CB:8B:4C:47:09:0C:AB:36:55:1B:A6:F4:5D:B8:40:68:0F:BA:16:6A:95:2D:B1:00:71:7F:43:05:3F:C2
@@ -23157,16 +23285,17 @@ CKA_VALUE MULTILINE_OCTAL
 \362\261\216\231\241\157\023\261\101\161\376\210\052\310\117\020
 \040\125\327\363\024\105\345\340\104\364\352\207\225\062\223\016
 \376\123\106\372\054\235\377\213\042\271\113\331\011\105\244\336
 \244\270\232\130\335\033\175\122\237\216\131\103\210\201\244\236
 \046\325\157\255\335\015\306\067\175\355\003\222\033\345\167\137
 \166\356\074\215\304\135\126\133\242\331\146\156\263\065\067\345
 \062\266
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "DigiCert Global Root G2"
 # Issuer: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:03:3a:f1:e6:a7:11:a9:a0:bb:28:64:b1:1d:09:fa:e5
 # Subject: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Not Valid Before: Thu Aug 01 12:00:00 2013
 # Not Valid After : Fri Jan 15 12:00:00 2038
 # Fingerprint (SHA-256): CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F
@@ -23274,16 +23403,17 @@ CKA_VALUE MULTILINE_OCTAL
 \000\255\274\362\154\077\022\112\321\055\071\303\012\011\227\163
 \364\210\066\214\210\047\273\346\210\215\120\205\247\143\371\236
 \062\336\146\223\017\361\314\261\011\217\335\154\253\372\153\177
 \240\002\060\071\146\133\302\144\215\270\236\120\334\250\325\111
 \242\355\307\334\321\111\177\027\001\270\310\206\217\116\214\210
 \053\250\232\251\212\305\321\000\275\370\124\342\232\345\133\174
 \263\047\027
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "DigiCert Global Root G3"
 # Issuer: CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:05:55:56:bc:f2:5e:a4:35:35:c3:a4:0f:d5:ab:45:72
 # Subject: CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Not Valid Before: Thu Aug 01 12:00:00 2013
 # Not Valid After : Fri Jan 15 12:00:00 2038
 # Fingerprint (SHA-256): 31:AD:66:48:F8:10:41:38:C7:38:F3:9E:A4:32:01:33:39:3E:3A:18:CC:02:29:6E:F9:7C:2A:C9:EF:67:31:D0
@@ -23444,16 +23574,17 @@ CKA_VALUE MULTILINE_OCTAL
 \102\154\311\012\274\356\103\372\072\161\245\310\115\046\245\065
 \375\211\135\274\205\142\035\062\322\240\053\124\355\232\127\301
 \333\372\020\317\031\267\213\112\033\217\001\266\047\225\123\350
 \266\211\155\133\274\150\324\043\350\213\121\242\126\371\360\246
 \200\240\326\036\263\274\017\017\123\165\051\252\352\023\167\344
 \336\214\201\041\255\007\020\107\021\255\207\075\007\321\165\274
 \317\363\146\176
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "DigiCert Trusted Root G4"
 # Issuer: CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:05:9b:1b:57:9e:8e:21:32:e2:39:07:bd:a7:77:75:5c
 # Subject: CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Not Valid Before: Thu Aug 01 12:00:00 2013
 # Not Valid After : Fri Jan 15 12:00:00 2038
 # Fingerprint (SHA-256): 55:2F:7B:DC:F1:A7:AF:9E:6C:E6:72:01:7F:4F:12:AB:F7:72:40:C7:8E:76:1A:C2:03:D1:D9:D2:0A:C8:99:88
@@ -23610,16 +23741,17 @@ CKA_VALUE MULTILINE_OCTAL
 \047\274\172\277\340\333\364\332\122\275\336\014\124\160\061\221
 \103\225\310\274\360\076\335\011\176\060\144\120\355\177\001\244
 \063\147\115\150\117\276\025\357\260\366\002\021\242\033\023\045
 \072\334\302\131\361\343\134\106\273\147\054\002\106\352\036\110
 \246\346\133\331\265\274\121\242\222\226\333\252\306\067\042\246
 \376\314\040\164\243\055\251\056\153\313\300\202\021\041\265\223
 \171\356\104\206\276\327\036\344\036\373
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "WoSign"
 # Issuer: CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN
 # Serial Number:5e:68:d6:11:71:94:63:50:56:00:68:f3:3e:c9:c5:91
 # Subject: CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN
 # Not Valid Before: Sat Aug 08 01:00:01 2009
 # Not Valid After : Mon Aug 08 01:00:01 2039
 # Fingerprint (SHA-256): 4B:22:D5:A6:AE:C9:9F:3C:DB:79:AA:5E:C0:68:38:47:9C:D5:EC:BA:71:64:F7:F2:2D:C1:D6:5F:63:D8:57:08
@@ -23771,16 +23903,17 @@ CKA_VALUE MULTILINE_OCTAL
 \324\175\253\227\063\304\323\076\340\151\266\050\171\240\011\215
 \034\321\377\101\162\110\006\374\232\056\347\040\371\233\242\336
 \211\355\256\074\011\257\312\127\263\222\211\160\100\344\057\117
 \302\160\203\100\327\044\054\153\347\011\037\323\325\307\301\010
 \364\333\016\073\034\007\013\103\021\204\041\206\351\200\324\165
 \330\253\361\002\142\301\261\176\125\141\317\023\327\046\260\327
 \234\313\051\213\070\112\013\016\220\215\272\241
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "WoSign China"
 # Issuer: CN=CA ...............,O=WoSign CA Limited,C=CN
 # Serial Number:50:70:6b:cd:d8:13:fc:1b:4e:3b:33:72:d2:11:48:8d
 # Subject: CN=CA ...............,O=WoSign CA Limited,C=CN
 # Not Valid Before: Sat Aug 08 01:00:01 2009
 # Not Valid After : Mon Aug 08 01:00:01 2039
 # Fingerprint (SHA-256): D6:F0:34:BD:94:AA:23:3F:02:97:EC:A4:24:5B:28:39:73:E4:47:AA:59:0F:31:0C:77:F4:8F:DF:83:11:22:54
@@ -23947,16 +24080,17 @@ CKA_VALUE MULTILINE_OCTAL
 \100\350\123\262\047\235\112\271\300\167\041\215\377\207\362\336
 \274\214\357\027\337\267\111\013\321\362\156\060\013\032\016\116
 \166\355\021\374\365\351\126\262\175\277\307\155\012\223\214\245
 \320\300\266\035\276\072\116\224\242\327\156\154\013\302\212\174
 \372\040\363\304\344\345\315\015\250\313\221\222\261\174\205\354
 \265\024\151\146\016\202\347\315\316\310\055\246\121\177\041\301
 \065\123\205\006\112\135\237\255\273\033\137\164
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "COMODO RSA Certification Authority"
 # Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Serial Number:4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
 # Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Not Valid Before: Tue Jan 19 00:00:00 2010
 # Not Valid After : Mon Jan 18 23:59:59 2038
 # Fingerprint (SHA-256): 52:F0:E1:C4:E5:8E:C6:29:29:1B:60:31:7F:07:46:71:B8:5D:7E:A8:0D:5B:07:27:34:63:53:4B:32:B4:02:34
@@ -24128,16 +24262,17 @@ CKA_VALUE MULTILINE_OCTAL
 \245\233\267\220\307\014\007\337\365\211\066\164\062\326\050\301
 \260\260\013\340\234\114\303\034\326\374\343\151\265\107\106\201
 \057\242\202\253\323\143\104\160\304\215\377\055\063\272\255\217
 \173\265\160\210\256\076\031\317\100\050\330\374\310\220\273\135
 \231\042\365\122\346\130\305\037\210\061\103\356\210\035\327\306
 \216\074\103\152\035\247\030\336\175\075\026\361\142\371\312\220
 \250\375
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "USERTrust RSA Certification Authority"
 # Issuer: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
 # Serial Number:01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d
 # Subject: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
 # Not Valid Before: Mon Feb 01 00:00:00 2010
 # Not Valid After : Mon Jan 18 23:59:59 2038
 # Fingerprint (SHA-256): E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81:19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2
@@ -24256,16 +24391,17 @@ CKA_VALUE MULTILINE_OCTAL
 \066\147\241\026\010\334\344\227\000\101\035\116\276\341\143\001
 \317\073\252\102\021\144\240\235\224\071\002\021\171\134\173\035
 \372\144\271\356\026\102\263\277\212\302\011\304\354\344\261\115
 \002\061\000\351\052\141\107\214\122\112\113\116\030\160\366\326
 \104\326\156\365\203\272\155\130\275\044\331\126\110\352\357\304
 \242\106\201\210\152\072\106\321\251\233\115\311\141\332\321\135
 \127\152\030
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "USERTrust ECC Certification Authority"
 # Issuer: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
 # Serial Number:5c:8b:99:c5:5a:94:c5:d2:71:56:de:cd:89:80:cc:26
 # Subject: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
 # Not Valid Before: Mon Feb 01 00:00:00 2010
 # Not Valid After : Mon Jan 18 23:59:59 2038
 # Fingerprint (SHA-256): 4F:F4:60:D5:4B:9C:86:DA:BF:BC:FC:57:12:E0:40:0D:2B:ED:3F:BC:4D:4F:BD:AA:86:E0:6A:DC:D2:A9:AD:7A
@@ -24367,16 +24503,17 @@ CKA_VALUE MULTILINE_OCTAL
 \270\342\100\177\373\012\156\373\276\063\311\074\243\204\325\060
 \012\006\010\052\206\110\316\075\004\003\002\003\110\000\060\105
 \002\041\000\334\222\241\240\023\246\317\003\260\346\304\041\227
 \220\372\024\127\055\003\354\356\074\323\156\312\250\154\166\274
 \242\336\273\002\040\047\250\205\047\065\233\126\306\243\362\107
 \322\267\156\033\002\000\027\252\147\246\025\221\336\372\224\354
 \173\013\370\237\204
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "GlobalSign ECC Root CA - R4"
 # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4
 # Serial Number:2a:38:a4:1c:96:0a:04:de:42:b2:28:a5:0b:e8:34:98:02
 # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4
 # Not Valid Before: Tue Nov 13 00:00:00 2012
 # Not Valid After : Tue Jan 19 03:14:07 2038
 # Fingerprint (SHA-256): BE:C9:49:11:C2:95:56:76:DB:6C:0A:55:09:86:D7:6E:3B:A0:05:66:7C:44:2C:97:62:B4:FB:B7:73:DE:22:8C
@@ -24479,16 +24616,17 @@ CKA_VALUE MULTILINE_OCTAL
 \345\151\022\311\156\333\306\061\272\011\101\341\227\370\373\375
 \232\342\175\022\311\355\174\144\323\313\005\045\213\126\331\240
 \347\136\135\116\013\203\234\133\166\051\240\011\046\041\152\142
 \002\060\161\322\265\217\134\352\073\341\170\011\205\250\165\222
 \073\310\134\375\110\357\015\164\042\250\010\342\156\305\111\316
 \307\014\274\247\141\151\361\367\073\341\052\313\371\053\363\146
 \220\067
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "GlobalSign ECC Root CA - R5"
 # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5
 # Serial Number:60:59:49:e0:26:2e:bb:55:f9:0a:77:8a:71:f9:4a:d8:6c
 # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5
 # Not Valid Before: Tue Nov 13 00:00:00 2012
 # Not Valid After : Tue Jan 19 03:14:07 2038
 # Fingerprint (SHA-256): 17:9F:BC:14:8A:3D:D0:0F:D2:4E:A1:34:58:CC:43:BF:A7:F5:9C:81:82:D7:83:A5:13:F6:EB:EC:10:0C:89:24
@@ -24653,16 +24791,17 @@ CKA_VALUE MULTILINE_OCTAL
 \107\234\167\307\045\341\254\064\005\115\363\202\176\101\043\272
 \264\127\363\347\306\001\145\327\115\211\231\034\151\115\136\170
 \366\353\162\161\075\262\304\225\001\237\135\014\267\057\045\246
 \134\171\101\357\236\304\147\074\241\235\177\161\072\320\225\227
 \354\170\102\164\230\156\276\076\150\114\127\074\250\223\101\207
 \013\344\271\257\221\373\120\114\014\272\300\044\047\321\025\333
 \145\110\041\012\057\327\334\176\240\314\145\176\171
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal"
 # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:2f:00:6e:cd:17:70:66:e7:5f:a3:82:0a:79:1f:05:ae
 # Subject: CN=VeriSign Class 3 Secure Server CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Not Valid Before: Thu Mar 26 00:00:00 2009
 # Not Valid After : Sun Mar 24 23:59:59 2019
 # Fingerprint (SHA-256): 0A:41:51:D5:E5:8B:84:B8:AC:E5:3A:5C:12:12:2A:C9:59:CD:69:91:FB:B3:8E:99:B5:76:C0:AB:DA:C3:58:14
@@ -24824,16 +24963,17 @@ CKA_VALUE MULTILINE_OCTAL
 \325\131\242\211\164\323\237\276\036\113\327\306\155\267\210\044
 \157\140\221\244\202\205\133\126\101\274\320\104\253\152\023\276
 \321\054\130\267\022\063\130\262\067\143\334\023\365\224\035\077
 \100\121\365\117\365\072\355\310\305\353\302\036\035\026\225\172
 \307\176\102\161\223\156\113\025\267\060\337\252\355\127\205\110
 \254\035\152\335\071\151\344\341\171\170\276\316\005\277\241\014
 \367\200\173\041\147\047\060\131
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Staat der Nederlanden Root CA - G3"
 # Issuer: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL
 # Serial Number: 10003001 (0x98a239)
 # Subject: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL
 # Not Valid Before: Thu Nov 14 11:28:42 2013
 # Not Valid After : Mon Nov 13 23:00:00 2028
 # Fingerprint (SHA-256): 3C:4F:B0:B9:5A:B8:B3:00:32:F4:32:B8:6F:53:5F:E1:72:C1:85:D0:FD:39:86:58:37:CF:36:18:7F:A6:F4:28
@@ -24987,16 +25127,17 @@ CKA_VALUE MULTILINE_OCTAL
 \170\157\120\202\104\120\077\146\006\212\253\103\204\126\112\017
 \040\055\206\016\365\322\333\322\172\212\113\315\245\350\116\361
 \136\046\045\001\131\043\240\176\322\366\176\041\127\327\047\274
 \025\127\114\244\106\301\340\203\036\014\114\115\037\117\006\031
 \342\371\250\364\072\202\241\262\171\103\171\326\255\157\172\047
 \220\003\244\352\044\207\077\331\275\331\351\362\137\120\111\034
 \356\354\327\056
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Staat der Nederlanden EV Root CA"
 # Issuer: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
 # Serial Number: 10000013 (0x98968d)
 # Subject: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
 # Not Valid Before: Wed Dec 08 11:19:29 2010
 # Not Valid After : Thu Dec 08 11:10:28 2022
 # Fingerprint (SHA-256): 4D:24:91:41:4C:FE:95:67:46:EC:4C:EF:A6:CF:6F:72:E2:8A:13:29:43:2F:9D:8A:90:7A:C4:CB:5D:AD:C1:5A
@@ -25148,16 +25289,17 @@ CKA_VALUE MULTILINE_OCTAL
 \312\112\201\153\136\013\363\121\341\164\053\351\176\047\247\331
 \231\111\116\370\245\200\333\045\017\034\143\142\212\311\063\147
 \153\074\020\203\306\255\336\250\315\026\216\215\360\007\067\161
 \237\362\253\374\101\365\301\213\354\000\067\135\011\345\116\200
 \357\372\261\134\070\006\245\033\112\341\334\070\055\074\334\253
 \037\220\032\325\112\234\356\321\160\154\314\356\364\127\370\030
 \272\204\156\207
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "IdenTrust Commercial Root CA 1"
 # Issuer: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US
 # Serial Number:0a:01:42:80:00:00:01:45:23:c8:44:b5:00:00:00:02
 # Subject: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US
 # Not Valid Before: Thu Jan 16 18:12:23 2014
 # Not Valid After : Mon Jan 16 18:12:23 2034
 # Fingerprint (SHA-256): 5D:56:49:9B:E4:D2:E0:8B:CF:CA:D0:8A:3E:38:72:3D:50:50:3B:DE:70:69:48:E4:2F:55:60:30:19:E5:28:AE
@@ -25309,16 +25451,17 @@ CKA_VALUE MULTILINE_OCTAL
 \150\011\061\161\360\155\370\116\107\373\326\205\356\305\130\100
 \031\244\035\247\371\113\103\067\334\150\132\117\317\353\302\144
 \164\336\264\025\331\364\124\124\032\057\034\327\227\161\124\220
 \216\331\040\235\123\053\177\253\217\342\352\060\274\120\067\357
 \361\107\265\175\174\054\004\354\150\235\264\111\104\020\364\162
 \113\034\144\347\374\346\153\220\335\151\175\151\375\000\126\245
 \267\254\266\255\267\312\076\001\357\234
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "IdenTrust Public Sector Root CA 1"
 # Issuer: CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US
 # Serial Number:0a:01:42:80:00:00:01:45:23:cf:46:7c:00:00:00:02
 # Subject: CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US
 # Not Valid Before: Thu Jan 16 17:53:32 2014
 # Not Valid After : Mon Jan 16 17:53:32 2034
 # Fingerprint (SHA-256): 30:D0:89:5A:9A:44:8A:26:20:91:63:55:22:D1:F5:20:10:B5:86:7A:CA:E1:2C:78:EF:95:8F:D4:F4:38:9F:2F
@@ -25453,16 +25596,17 @@ CKA_VALUE MULTILINE_OCTAL
 \217\252\302\107\057\024\161\325\051\343\020\265\107\223\045\314
 \043\051\332\267\162\330\221\324\354\033\110\212\042\344\301\052
 \367\072\150\223\237\105\031\156\103\267\314\376\270\221\232\141
 \032\066\151\143\144\222\050\363\157\141\222\205\023\237\311\007
 \054\213\127\334\353\236\171\325\302\336\010\325\124\262\127\116
 \052\062\215\241\342\072\321\020\040\042\071\175\064\105\157\161
 \073\303\035\374\377\262\117\250\342\366\060\036
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "S-TRUST Universal Root CA"
 # Issuer: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE
 # Serial Number:60:56:c5:4b:23:40:5b:64:d4:ed:25:da:d9:d6:1e:1e
 # Subject: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE
 # Not Valid Before: Tue Oct 22 00:00:00 2013
 # Not Valid After : Thu Oct 21 23:59:59 2038
 # Fingerprint (SHA-256): D8:0F:EF:91:0A:E3:F1:04:72:3B:04:5C:EC:2D:01:9F:44:1C:E6:21:3A:DF:15:67:91:E7:0C:17:90:11:0A:31
@@ -25615,16 +25759,17 @@ CKA_VALUE MULTILINE_OCTAL
 \274\075\320\204\350\352\006\162\260\115\071\062\170\277\076\021
 \234\013\244\235\232\041\363\360\233\013\060\170\333\301\334\207
 \103\376\274\143\232\312\305\302\034\311\307\215\377\073\022\130
 \010\346\266\075\354\172\054\116\373\203\226\316\014\074\151\207
 \124\163\244\163\302\223\377\121\020\254\025\124\001\330\374\005
 \261\211\241\177\164\203\232\111\327\334\116\173\212\110\157\213
 \105\366
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Entrust Root Certification Authority - G2"
 # Issuer: CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
 # Serial Number: 1246989352 (0x4a538c28)
 # Subject: CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
 # Not Valid Before: Tue Jul 07 17:25:54 2009
 # Not Valid After : Sat Dec 07 17:55:54 2030
 # Fingerprint (SHA-256): 43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39
@@ -25759,16 +25904,17 @@ CKA_VALUE MULTILINE_OCTAL
 \075\004\003\003\003\147\000\060\144\002\060\141\171\330\345\102
 \107\337\034\256\123\231\027\266\157\034\175\341\277\021\224\321
 \003\210\165\344\215\211\244\212\167\106\336\155\141\357\002\365
 \373\265\337\314\376\116\377\376\251\346\247\002\060\133\231\327
 \205\067\006\265\173\010\375\353\047\213\112\224\371\341\372\247
 \216\046\010\350\174\222\150\155\163\330\157\046\254\041\002\270
 \231\267\046\101\133\045\140\256\320\110\032\356\006
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Entrust Root Certification Authority - EC1"
 # Issuer: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
 # Serial Number:00:a6:8b:79:29:00:00:00:00:50:d0:91:f9
 # Subject: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
 # Not Valid Before: Tue Dec 18 15:25:36 2012
 # Not Valid After : Fri Dec 18 15:55:36 2037
 # Fingerprint (SHA-256): 02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5
@@ -25931,16 +26077,17 @@ CKA_VALUE MULTILINE_OCTAL
 \110\171\140\212\303\327\023\134\370\162\100\337\112\313\317\231
 \000\012\000\013\021\225\332\126\105\003\210\012\237\147\320\325
 \171\261\250\215\100\155\015\302\172\100\372\363\137\144\107\222
 \313\123\271\273\131\316\117\375\320\025\123\001\330\337\353\331
 \346\166\357\320\043\273\073\251\171\263\325\002\051\315\211\243
 \226\017\112\065\347\116\102\300\165\315\007\317\346\054\353\173
 \056
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "CFCA EV ROOT"
 # Issuer: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN
 # Serial Number: 407555286 (0x184accd6)
 # Subject: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN
 # Not Valid Before: Wed Aug 08 03:07:01 2012
 # Not Valid After : Mon Dec 31 03:07:01 2029
 # Fingerprint (SHA-256): 5C:C3:D7:8E:4E:1D:5E:45:54:7A:04:E6:87:3E:64:F9:0C:F9:53:6D:1C:CC:2E:F8:00:F3:55:C4:C5:FD:70:FD
@@ -26228,16 +26375,17 @@ CKA_VALUE MULTILINE_OCTAL
 \245\346\025\204\067\360\302\362\145\226\222\220\167\360\255\364
 \220\351\021\170\327\223\211\300\075\013\272\051\364\350\231\235
 \162\216\355\235\057\356\222\175\241\361\377\135\272\063\140\205
 \142\376\007\002\241\204\126\106\276\226\012\232\023\327\041\114
 \267\174\007\237\116\116\077\221\164\373\047\235\021\314\335\346
 \261\312\161\115\023\027\071\046\305\051\041\053\223\051\152\226
 \372\253\101\341\113\266\065\013\300\233\025
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
 # Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H5,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
 # Serial Number:00:8e:17:fe:24:20:81
 # Subject: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H5,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
 # Not Valid Before: Tue Apr 30 08:07:01 2013
 # Not Valid After : Fri Apr 28 08:07:01 2023
 # Fingerprint (SHA-256): 49:35:1B:90:34:44:C1:85:CC:DC:5C:69:3D:24:D8:55:5C:B2:08:D6:A8:14:13:07:69:9F:4A:F0:63:19:9D:78
@@ -26388,16 +26536,17 @@ CKA_VALUE MULTILINE_OCTAL
 \200\216\255\176\121\000\116\307\226\206\373\103\230\167\175\050
 \307\217\330\052\156\347\204\157\227\101\051\000\026\136\115\342
 \023\352\131\300\143\147\072\104\373\230\374\004\323\060\162\246
 \366\207\011\127\255\166\246\035\143\232\375\327\145\310\170\203
 \053\165\073\245\133\270\015\135\177\276\043\256\126\125\224\130
 \357\037\201\214\052\262\315\346\233\143\236\030\274\345\153\006
 \264\013\230\113\050\136\257\210\130\313
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
 # Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
 # Serial Number:7d:a1:f2:65:ec:8a
 # Subject: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
 # Not Valid Before: Wed Dec 18 09:04:10 2013
 # Not Valid After : Sat Dec 16 09:04:10 2023
 # Fingerprint (SHA-256): 8D:E7:86:55:E1:BE:7F:78:47:80:0B:93:F6:94:D2:1D:36:8C:C0:6E:03:3E:7F:AB:04:BB:5E:B9:9D:A6:B7:00
@@ -26559,16 +26708,17 @@ CKA_VALUE MULTILINE_OCTAL
 \307\132\141\315\217\201\140\025\115\200\335\220\342\175\304\120
 \362\214\073\156\112\307\306\346\200\053\074\201\274\021\200\026
 \020\047\327\360\315\077\171\314\163\052\303\176\123\221\326\156
 \370\365\363\307\320\121\115\216\113\245\133\346\031\027\073\326
 \201\011\334\042\334\356\216\271\304\217\123\341\147\273\063\270
 \210\025\106\317\355\151\065\377\165\015\106\363\316\161\341\305
 \153\206\102\006\271\101
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Certinomis - Root CA"
 # Issuer: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR
 # Serial Number: 1 (0x1)
 # Subject: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR
 # Not Valid Before: Mon Oct 21 09:17:18 2013
 # Not Valid After : Fri Oct 21 09:17:18 2033
 # Fingerprint (SHA-256): 2A:99:F5:BC:11:74:B7:3C:BB:1D:62:08:84:E0:1C:34:E5:1C:CB:39:78:DA:12:5F:0E:33:26:88:83:BF:41:58
@@ -26697,16 +26847,17 @@ CKA_VALUE MULTILINE_OCTAL
 \265\253\226\300\264\113\242\035\227\236\172\362\156\100\161\337
 \150\361\145\115\316\174\005\337\123\145\251\245\360\261\227\004
 \160\025\106\003\230\324\322\277\124\264\240\130\175\122\157\332
 \126\046\142\324\330\333\211\061\157\034\360\042\302\323\142\034
 \065\315\114\151\025\124\032\220\230\336\353\036\137\312\167\307
 \313\216\075\103\151\234\232\130\320\044\073\337\033\100\226\176
 \065\255\201\307\116\161\272\210\023
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "OISTE WISeKey Global Root GB CA"
 # Issuer: CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH
 # Serial Number:76:b1:20:52:74:f0:85:87:46:b3:f8:23:1a:f6:c2:c0
 # Subject: CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH
 # Not Valid Before: Mon Dec 01 15:00:32 2014
 # Not Valid After : Thu Dec 01 15:10:31 2039
 # Fingerprint (SHA-256): 6B:9C:08:E8:6E:B0:F7:67:CF:AD:65:CD:98:B6:21:49:E5:49:4A:67:F5:84:5E:7B:D1:ED:01:9F:27:B8:6B:D6
@@ -26831,16 +26982,17 @@ CKA_VALUE MULTILINE_OCTAL
 \171\266\063\131\272\017\304\013\342\160\240\113\170\056\372\310
 \237\375\257\221\145\012\170\070\025\345\227\027\024\335\371\340
 \054\064\370\070\320\204\042\000\300\024\121\030\053\002\334\060
 \132\360\350\001\174\065\072\043\257\010\344\257\252\216\050\102
 \111\056\360\365\231\064\276\355\017\113\030\341\322\044\074\273
 \135\107\267\041\362\215\321\012\231\216\343\156\076\255\160\340
 \217\271\312\314\156\201\061\366\173\234\172\171\344\147\161\030
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Certification Authority of WoSign G2"
 # Issuer: CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN
 # Serial Number:6b:25:da:8a:88:9d:7c:bc:0f:05:b3:b1:7a:61:45:44
 # Subject: CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN
 # Not Valid Before: Sat Nov 08 00:58:58 2014
 # Not Valid After : Tue Nov 08 00:58:58 2044
 # Fingerprint (SHA-256): D4:87:A5:6F:83:B0:74:82:E8:5E:96:33:94:C1:EC:C2:C9:E5:1D:09:03:EE:94:6B:02:C3:01:58:1E:D9:9E:16
@@ -26939,16 +27091,17 @@ CKA_VALUE MULTILINE_OCTAL
 \004\003\003\003\150\000\060\145\002\061\000\344\244\204\260\201
 \325\075\260\164\254\224\244\350\016\075\000\164\114\241\227\153
 \371\015\121\074\241\331\073\364\015\253\251\237\276\116\162\312
 \205\324\331\354\265\062\105\030\157\253\255\002\060\175\307\367
 \151\143\057\241\341\230\357\023\020\321\171\077\321\376\352\073
 \177\336\126\364\220\261\025\021\330\262\042\025\320\057\303\046
 \056\153\361\221\262\220\145\364\232\346\220\356\112
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "CA WoSign ECC Root"
 # Issuer: CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN
 # Serial Number:68:4a:58:70:80:6b:f0:8f:02:fa:f6:de:e8:b0:90:90
 # Subject: CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN
 # Not Valid Before: Sat Nov 08 00:58:58 2014
 # Not Valid After : Tue Nov 08 00:58:58 2044
 # Fingerprint (SHA-256): 8B:45:DA:1C:06:F7:91:EB:0C:AB:F2:6B:E5:88:F5:FB:23:16:5C:2E:61:4B:F8:85:56:2D:0D:CE:50:B2:9B:02
@@ -27071,16 +27224,17 @@ CKA_VALUE MULTILINE_OCTAL
 \322\324\141\372\325\025\333\327\237\207\121\124\353\245\343\353
 \311\205\240\045\040\067\373\216\316\014\064\204\341\074\201\262
 \167\116\103\245\210\137\206\147\241\075\346\264\134\141\266\076
 \333\376\267\050\305\242\007\256\265\312\312\215\052\022\357\227
 \355\302\060\244\311\052\172\373\363\115\043\033\231\063\064\240
 \056\365\251\013\077\324\135\341\317\204\237\342\031\302\137\212
 \326\040\036\343\163\267
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "SZAFIR ROOT CA2"
 # Issuer: CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL
 # Serial Number:3e:8a:5d:07:ec:55:d2:32:d5:b7:e3:b6:5f:01:eb:2d:dc:e4:d6:e4
 # Subject: CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL
 # Not Valid Before: Mon Oct 19 07:43:30 2015
 # Not Valid After : Fri Oct 19 07:43:30 2035
 # Fingerprint (SHA-256): A1:33:9D:33:28:1A:0B:56:E5:57:D3:D3:2B:1C:E7:F9:36:7E:B0:94:BD:5F:A7:2A:7E:50:04:C8:DE:D7:CA:FE
@@ -27248,16 +27402,17 @@ CKA_VALUE MULTILINE_OCTAL
 \134\002\312\054\330\157\112\007\331\311\065\332\100\165\362\304
 \247\031\157\236\102\020\230\165\346\225\213\140\274\355\305\022
 \327\212\316\325\230\134\126\226\003\305\356\167\006\065\377\317
 \344\356\077\023\141\356\333\332\055\205\360\315\256\235\262\030
 \011\105\303\222\241\162\027\374\107\266\240\013\054\361\304\336
 \103\150\010\152\137\073\360\166\143\373\314\006\054\246\306\342
 \016\265\271\276\044\217
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Certum Trusted Network CA 2"
 # Issuer: CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
 # Serial Number:21:d6:d0:4a:4f:25:0f:c9:32:37:fc:aa:5e:12:8d:e9
 # Subject: CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
 # Not Valid Before: Thu Oct 06 08:39:56 2011
 # Not Valid After : Sat Oct 06 08:39:56 2046
 # Fingerprint (SHA-256): B6:76:F2:ED:DA:E8:77:5C:D3:6C:B0:F6:3C:D1:D4:60:39:61:F4:9E:62:65:BA:01:3A:2F:03:07:B6:D0:B8:04
@@ -27434,16 +27589,17 @@ CKA_VALUE MULTILINE_OCTAL
 \245\314\073\330\167\067\060\242\117\331\157\321\362\100\255\101
 \172\027\305\326\112\065\211\267\101\325\174\206\177\125\115\203
 \112\245\163\040\300\072\257\220\361\232\044\216\331\216\161\312
 \173\270\206\332\262\217\231\076\035\023\015\022\021\356\324\253
 \360\351\025\166\002\344\340\337\252\040\036\133\141\205\144\100
 \251\220\227\015\255\123\322\132\035\207\152\000\227\145\142\264
 \276\157\152\247\365\054\102\355\062\255\266\041\236\276\274
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Hellenic Academic and Research Institutions RootCA 2015"
 # Issuer: CN=Hellenic Academic and Research Institutions RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR
 # Serial Number: 0 (0x0)
 # Subject: CN=Hellenic Academic and Research Institutions RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR
 # Not Valid Before: Tue Jul 07 10:11:21 2015
 # Not Valid After : Sat Jun 30 10:11:21 2040
 # Fingerprint (SHA-256): A0:40:92:9A:02:CE:53:B4:AC:F4:F2:FF:C6:98:1C:E4:49:6F:75:5E:6D:45:FE:0B:2A:69:2B:CD:52:52:3F:36
@@ -27569,16 +27725,17 @@ CKA_VALUE MULTILINE_OCTAL
 \000\060\144\002\060\147\316\026\142\070\242\254\142\105\247\251
 \225\044\300\032\047\234\062\073\300\300\325\272\251\347\370\004
 \103\123\205\356\122\041\336\235\365\045\203\076\236\130\113\057
 \327\147\023\016\041\002\060\005\341\165\001\336\150\355\052\037
 \115\114\011\010\015\354\113\255\144\027\050\347\165\316\105\145
 \162\041\027\313\042\101\016\214\023\230\070\232\124\155\233\312
 \342\174\352\002\130\042\221
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Hellenic Academic and Research Institutions ECC RootCA 2015"
 # Issuer: CN=Hellenic Academic and Research Institutions ECC RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR
 # Serial Number: 0 (0x0)
 # Subject: CN=Hellenic Academic and Research Institutions ECC RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR
 # Not Valid Before: Tue Jul 07 10:37:12 2015
 # Not Valid After : Sat Jun 30 10:37:12 2040
 # Fingerprint (SHA-256): 44:B5:45:AA:8A:25:E6:5A:73:CA:15:DC:27:FC:36:D2:4C:1C:B9:95:3A:06:65:39:B1:15:82:DC:48:7B:48:33
@@ -27733,16 +27890,17 @@ CKA_VALUE MULTILINE_OCTAL
 \040\222\334\102\204\277\001\253\207\300\325\040\202\333\306\271
 \203\205\102\134\017\103\073\152\111\065\325\230\364\025\277\372
 \141\201\014\011\040\030\322\320\027\014\313\110\000\120\351\166
 \202\214\144\327\072\240\007\125\314\036\061\300\357\072\264\145
 \373\343\277\102\153\236\017\250\275\153\230\334\330\333\313\213
 \244\335\327\131\364\156\335\376\252\303\221\320\056\102\007\300
 \014\115\123\315\044\261\114\133\036\121\364\337\351\222\372
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Certplus Root CA G1"
 # Issuer: CN=Certplus Root CA G1,O=Certplus,C=FR
 # Serial Number:11:20:55:83:e4:2d:3e:54:56:85:2d:83:37:b7:2c:dc:46:11
 # Subject: CN=Certplus Root CA G1,O=Certplus,C=FR
 # Not Valid Before: Mon May 26 00:00:00 2014
 # Not Valid After : Fri Jan 15 00:00:00 2038
 # Fingerprint (SHA-256): 15:2A:40:2B:FC:DF:2C:D5:48:05:4D:22:75:B3:9C:7F:CA:3E:C0:97:80:78:B0:F0:EA:76:E5:61:A6:C7:43:3E
@@ -27838,16 +27996,17 @@ CKA_VALUE MULTILINE_OCTAL
 \110\316\075\004\003\003\003\150\000\060\145\002\060\160\376\260
 \013\331\367\203\227\354\363\125\035\324\334\263\006\016\376\063
 \230\235\213\071\220\153\224\041\355\266\327\135\326\114\327\041
 \247\347\277\041\017\053\315\367\052\334\205\007\235\002\061\000
 \206\024\026\345\334\260\145\302\300\216\024\237\277\044\026\150
 \345\274\371\171\151\334\255\105\053\367\266\061\163\314\006\245
 \123\223\221\032\223\256\160\152\147\272\327\236\345\141\032\137
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Certplus Root CA G2"
 # Issuer: CN=Certplus Root CA G2,O=Certplus,C=FR
 # Serial Number:11:20:d9:91:ce:ae:a3:e8:c5:e7:ff:e9:02:af:cf:73:bc:55
 # Subject: CN=Certplus Root CA G2,O=Certplus,C=FR
 # Not Valid Before: Mon May 26 00:00:00 2014
 # Not Valid After : Fri Jan 15 00:00:00 2038
 # Fingerprint (SHA-256): 6C:C0:50:41:E6:44:5E:74:69:6C:4C:FB:C9:F8:0F:54:3B:7E:AB:BB:44:B4:CE:6F:78:7C:6A:99:71:C4:2F:17
@@ -27999,16 +28158,17 @@ CKA_VALUE MULTILINE_OCTAL
 \076\355\154\275\375\016\235\146\163\260\075\264\367\277\250\340
 \021\244\304\256\165\011\112\143\000\110\040\246\306\235\013\011
 \212\264\340\346\316\076\307\076\046\070\351\053\336\246\010\111
 \003\004\220\212\351\217\277\350\266\264\052\243\043\215\034\034
 \262\071\222\250\217\002\134\100\071\165\324\163\101\002\167\336
 \315\340\103\207\326\344\272\112\303\154\022\177\376\052\346\043
 \326\214\161
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "OpenTrust Root CA G1"
 # Issuer: CN=OpenTrust Root CA G1,O=OpenTrust,C=FR
 # Serial Number:11:20:b3:90:55:39:7d:7f:36:6d:64:c2:a7:9f:6b:63:8e:67
 # Subject: CN=OpenTrust Root CA G1,O=OpenTrust,C=FR
 # Not Valid Before: Mon May 26 08:45:50 2014
 # Not Valid After : Fri Jan 15 00:00:00 2038
 # Fingerprint (SHA-256): 56:C7:71:28:D9:8C:18:D9:1B:4C:FD:FF:BC:25:EE:91:03:D4:75:8E:A2:AB:AD:82:6A:90:F3:45:7D:46:0E:B4
@@ -28161,16 +28321,17 @@ CKA_VALUE MULTILINE_OCTAL
 \210\335\147\023\157\035\150\044\213\117\267\164\201\345\364\140
 \237\172\125\327\076\067\332\026\153\076\167\254\256\030\160\225
 \010\171\051\003\212\376\301\073\263\077\032\017\244\073\136\037
 \130\241\225\311\253\057\163\112\320\055\156\232\131\017\125\030
 \170\055\074\121\246\227\213\346\273\262\160\252\114\021\336\377
 \174\053\067\324\172\321\167\064\217\347\371\102\367\074\201\014
 \113\122\012
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "OpenTrust Root CA G2"
 # Issuer: CN=OpenTrust Root CA G2,O=OpenTrust,C=FR
 # Serial Number:11:20:a1:69:1b:bf:bd:b9:bd:52:96:8f:23:e8:48:bf:26:11
 # Subject: CN=OpenTrust Root CA G2,O=OpenTrust,C=FR
 # Not Valid Before: Mon May 26 00:00:00 2014
 # Not Valid After : Fri Jan 15 00:00:00 2038
 # Fingerprint (SHA-256): 27:99:58:29:FE:6A:75:15:C1:BF:E8:48:F9:C4:76:1D:B1:6C:22:59:29:25:7B:F4:0D:08:94:F2:9E:A8:BA:F2
@@ -28270,16 +28431,17 @@ CKA_VALUE MULTILINE_OCTAL
 \061\000\217\250\334\235\272\014\004\027\372\025\351\075\057\051
 \001\227\277\201\026\063\100\223\154\374\371\355\200\160\157\252
 \217\333\204\302\213\365\065\312\006\334\144\157\150\026\341\217
 \221\271\002\061\000\330\113\245\313\302\320\010\154\351\030\373
 \132\335\115\137\044\013\260\000\041\045\357\217\247\004\046\161
 \342\174\151\345\135\232\370\101\037\073\071\223\223\235\125\352
 \315\215\361\373\301
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "OpenTrust Root CA G3"
 # Issuer: CN=OpenTrust Root CA G3,O=OpenTrust,C=FR
 # Serial Number:11:20:e6:f8:4c:fc:24:b0:be:05:40:ac:da:83:1b:34:60:3f
 # Subject: CN=OpenTrust Root CA G3,O=OpenTrust,C=FR
 # Not Valid Before: Mon May 26 00:00:00 2014
 # Not Valid After : Fri Jan 15 00:00:00 2038
 # Fingerprint (SHA-256): B7:C3:62:31:70:6E:81:07:8C:36:7C:B8:96:19:8F:1E:32:08:DD:92:69:49:DD:8F:57:09:A4:10:F7:5B:62:92
@@ -28433,16 +28595,17 @@ CKA_VALUE MULTILINE_OCTAL
 \242\320\141\070\341\226\270\254\135\213\067\327\165\325\063\300
 \231\021\256\235\101\301\162\165\204\276\002\101\102\137\147\044
 \110\224\321\233\047\276\007\077\271\270\117\201\164\121\341\172
 \267\355\235\043\342\276\340\325\050\004\023\074\061\003\236\335
 \172\154\217\306\007\030\306\177\336\107\216\077\050\236\004\006
 \317\245\124\064\167\275\354\211\233\351\027\103\337\133\333\137
 \376\216\036\127\242\315\100\235\176\142\042\332\336\030\047
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "ISRG Root X1"
 # Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
 # Serial Number:00:82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00
 # Subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
 # Not Valid Before: Thu Jun 04 11:04:38 2015
 # Not Valid After : Mon Jun 04 11:04:38 2035
 # Fingerprint (SHA-256): 96:BC:EC:06:26:49:76:F3:74:60:77:9A:CF:28:C5:A7:CF:E8:A3:C0:AA:E1:1A:8F:FC:EE:05:C0:BD:DF:08:C6
@@ -28595,16 +28758,17 @@ CKA_VALUE MULTILINE_OCTAL
 \152\260\272\061\222\102\100\152\276\072\323\162\341\152\067\125
 \274\254\035\225\267\151\141\362\103\221\164\346\240\323\012\044
 \106\241\010\257\326\332\105\031\226\324\123\035\133\204\171\360
 \300\367\107\357\213\217\305\006\256\235\114\142\235\377\106\004
 \370\323\311\266\020\045\100\165\376\026\252\311\112\140\206\057
 \272\357\060\167\344\124\342\270\204\231\130\200\252\023\213\121
 \072\117\110\366\213\266\263
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "AC RAIZ FNMT-RCM"
 # Issuer: OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES
 # Serial Number:5d:93:8d:30:67:36:c8:06:1d:1a:c7:54:84:69:07
 # Subject: OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES
 # Not Valid Before: Wed Oct 29 15:59:56 2008
 # Not Valid After : Tue Jan 01 00:00:00 2030
 # Fingerprint (SHA-256): EB:C5:57:0C:29:01:8C:4D:67:B1:AA:12:7B:AF:12:F7:03:B4:61:1E:BC:17:B7:DA:B5:57:38:94:17:9B:93:FA
@@ -28719,16 +28883,17 @@ CKA_VALUE MULTILINE_OCTAL
 \331\017\110\160\232\331\165\170\161\321\162\103\064\165\156\127
 \131\302\002\134\046\140\051\317\043\031\026\216\210\103\245\324
 \344\313\010\373\043\021\103\350\103\051\162\142\241\251\135\136
 \010\324\220\256\270\330\316\024\302\320\125\362\206\366\304\223
 \103\167\146\141\300\271\350\101\327\227\170\140\003\156\112\162
 \256\245\321\175\272\020\236\206\154\033\212\271\131\063\370\353
 \304\220\276\361\271
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Amazon Root CA 1"
 # Issuer: CN=Amazon Root CA 1,O=Amazon,C=US
 # Serial Number:06:6c:9f:cf:99:bf:8c:0a:39:e2:f0:78:8a:43:e6:96:36:5b:ca
 # Subject: CN=Amazon Root CA 1,O=Amazon,C=US
 # Not Valid Before: Tue May 26 00:00:00 2015
 # Not Valid After : Sun Jan 17 00:00:00 2038
 # Fingerprint (SHA-256): 8E:CD:E6:88:4F:3D:87:B1:12:5B:A3:1A:C3:FC:B1:3D:70:16:DE:7F:57:CC:90:4F:E1:CB:97:C6:AE:98:19:6E
@@ -28875,16 +29040,17 @@ CKA_VALUE MULTILINE_OCTAL
 \357\242\245\134\214\167\051\247\150\300\153\256\100\322\250\264
 \352\315\360\215\113\070\234\031\232\033\050\124\270\211\220\357
 \312\165\201\076\036\362\144\044\307\030\257\116\377\107\236\007
 \366\065\145\244\323\012\126\377\365\027\144\154\357\250\042\045
 \111\223\266\337\000\027\332\130\176\135\356\305\033\260\321\321
 \137\041\020\307\371\363\272\002\012\047\007\305\361\326\307\323
 \340\373\011\140\154
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Amazon Root CA 2"
 # Issuer: CN=Amazon Root CA 2,O=Amazon,C=US
 # Serial Number:06:6c:9f:d2:96:35:86:9f:0a:0f:e5:86:78:f8:5b:26:bb:8a:37
 # Subject: CN=Amazon Root CA 2,O=Amazon,C=US
 # Not Valid Before: Tue May 26 00:00:00 2015
 # Not Valid After : Sat May 26 00:00:00 2040
 # Fingerprint (SHA-256): 1B:A5:B2:AA:8C:65:40:1A:82:96:01:18:F8:0B:EC:4F:62:30:4D:83:CE:C4:71:3A:19:C3:9C:01:1E:A4:6D:B4
@@ -28974,16 +29140,17 @@ CKA_VALUE MULTILINE_OCTAL
 \266\333\327\006\236\067\254\060\206\007\221\160\307\234\304\031
 \261\170\300\060\012\006\010\052\206\110\316\075\004\003\002\003
 \111\000\060\106\002\041\000\340\205\222\243\027\267\215\371\053
 \006\245\223\254\032\230\150\141\162\372\341\241\320\373\034\170
 \140\246\103\231\305\270\304\002\041\000\234\002\357\361\224\234
 \263\226\371\353\306\052\370\266\054\376\072\220\024\026\327\214
 \143\044\110\034\337\060\175\325\150\073
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Amazon Root CA 3"
 # Issuer: CN=Amazon Root CA 3,O=Amazon,C=US
 # Serial Number:06:6c:9f:d5:74:97:36:66:3f:3b:0b:9a:d9:e8:9e:76:03:f2:4a
 # Subject: CN=Amazon Root CA 3,O=Amazon,C=US
 # Not Valid Before: Tue May 26 00:00:00 2015
 # Not Valid After : Sat May 26 00:00:00 2040
 # Fingerprint (SHA-256): 18:CE:6C:FE:7B:F1:4E:60:B2:E3:47:B8:DF:E8:68:CB:31:D0:2E:BB:3A:DA:27:15:69:F5:03:43:B4:6D:B3:A4
@@ -29077,16 +29244,17 @@ CKA_VALUE MULTILINE_OCTAL
 \145\002\060\072\213\041\361\275\176\021\255\320\357\130\226\057
 \326\353\235\176\220\215\053\317\146\125\303\054\343\050\251\160
 \012\107\016\360\067\131\022\377\055\231\224\050\116\052\117\065
 \115\063\132\002\061\000\352\165\000\116\073\304\072\224\022\221
 \311\130\106\235\041\023\162\247\210\234\212\344\114\112\333\226
 \324\254\213\153\153\111\022\123\063\255\327\344\276\044\374\265
 \012\166\324\245\274\020
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Amazon Root CA 4"
 # Issuer: CN=Amazon Root CA 4,O=Amazon,C=US
 # Serial Number:06:6c:9f:d7:c1:bb:10:4c:29:43:e5:71:7b:7b:2c:c8:1a:c1:0e
 # Subject: CN=Amazon Root CA 4,O=Amazon,C=US
 # Not Valid Before: Tue May 26 00:00:00 2015
 # Not Valid After : Sat May 26 00:00:00 2040
 # Fingerprint (SHA-256): E3:5D:28:41:9E:D0:20:25:CF:A6:90:38:CD:62:39:62:45:8D:A5:C6:95:FB:DE:A3:C2:2B:0B:FB:25:89:70:92
@@ -29243,16 +29411,17 @@ CKA_VALUE MULTILINE_OCTAL
 \105\111\231\164\221\260\004\157\343\004\132\261\253\052\253\376
 \307\320\226\266\332\341\112\144\006\156\140\115\275\102\116\377
 \170\332\044\312\033\264\327\226\071\154\256\361\016\252\247\175
 \110\213\040\114\317\144\326\270\227\106\260\116\321\052\126\072
 \240\223\275\257\200\044\340\012\176\347\312\325\312\350\205\125
 \334\066\052\341\224\150\223\307\146\162\104\017\200\041\062\154
 \045\307\043\200\203\012\353
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "LuxTrust Global Root 2"
 # Issuer: CN=LuxTrust Global Root 2,O=LuxTrust S.A.,C=LU
 # Serial Number:0a:7e:a6:df:4b:44:9e:da:6a:24:85:9e:e6:b8:15:d3:16:7f:bb:b1
 # Subject: CN=LuxTrust Global Root 2,O=LuxTrust S.A.,C=LU
 # Not Valid Before: Thu Mar 05 13:21:57 2015
 # Not Valid After : Mon Mar 05 13:21:57 2035
 # Fingerprint (SHA-256): 54:45:5F:71:29:C2:0B:14:47:C4:18:F9:97:16:8F:24:C5:8F:C5:02:3B:F5:DA:5B:E2:EB:6E:1D:D8:90:2E:D5
@@ -29391,16 +29560,17 @@ CKA_VALUE MULTILINE_OCTAL
 \347\066\321\041\150\113\055\070\346\123\256\034\045\126\010\126
 \003\147\204\235\306\303\316\044\142\307\114\066\317\260\006\104
 \267\365\137\002\335\331\124\351\057\220\116\172\310\116\203\100
 \014\232\227\074\067\277\277\354\366\360\264\205\167\050\301\013
 \310\147\202\020\027\070\242\267\006\352\233\277\072\370\351\043
 \007\277\164\340\230\070\025\125\170\356\162\000\134\031\243\364
 \322\063\340\377\275\321\124\071\051\017
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Symantec Class 1 Public Primary Certification Authority - G6"
 # Issuer: CN=Symantec Class 1 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US
 # Serial Number:24:32:75:f2:1d:2f:d2:09:33:f7:b4:6a:ca:d0:f3:98
 # Subject: CN=Symantec Class 1 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US
 # Not Valid Before: Tue Oct 18 00:00:00 2011
 # Not Valid After : Tue Dec 01 23:59:59 2037
 # Fingerprint (SHA-256): 9D:19:0B:2E:31:45:66:68:5B:E8:A8:89:E2:7A:A8:C7:D7:AE:1D:8A:AD:DB:A3:C1:EC:F9:D2:48:63:CD:34:B9
@@ -29544,16 +29714,17 @@ CKA_VALUE MULTILINE_OCTAL
 \111\315\245\243\214\151\171\045\256\270\114\154\213\100\146\113
 \026\077\317\002\032\335\341\154\153\007\141\152\166\025\051\231
 \177\033\335\210\200\301\277\265\217\163\305\246\226\043\204\246
 \050\206\044\063\152\001\056\127\163\045\266\136\277\217\346\035
 \141\250\100\051\147\035\207\233\035\177\233\237\231\315\061\326
 \124\276\142\273\071\254\150\022\110\221\040\245\313\261\335\376
 \157\374\132\344\202\125\131\257\061\251
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Symantec Class 2 Public Primary Certification Authority - G6"
 # Issuer: CN=Symantec Class 2 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US
 # Serial Number:64:82:9e:fc:37:1e:74:5d:fc:97:ff:97:c8:b1:ff:41
 # Subject: CN=Symantec Class 2 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US
 # Not Valid Before: Tue Oct 18 00:00:00 2011
 # Not Valid After : Tue Dec 01 23:59:59 2037
 # Fingerprint (SHA-256): CB:62:7D:18:B5:8A:D5:6D:DE:33:1A:30:45:6B:C6:5C:60:1A:4E:9B:18:DE:DC:EA:08:E7:DA:AA:07:81:5F:F0
@@ -29676,16 +29847,17 @@ CKA_VALUE MULTILINE_OCTAL
 \003\003\151\000\060\146\002\061\000\245\256\343\106\123\370\230
 \066\343\042\372\056\050\111\015\356\060\176\063\363\354\077\161
 \136\314\125\211\170\231\254\262\375\334\034\134\063\216\051\271
 \153\027\310\021\150\265\334\203\007\002\061\000\234\310\104\332
 \151\302\066\303\124\031\020\205\002\332\235\107\357\101\347\154
 \046\235\011\075\367\155\220\321\005\104\057\260\274\203\223\150
 \362\014\105\111\071\277\231\004\034\323\020\240
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Symantec Class 1 Public Primary Certification Authority - G4"
 # Issuer: CN=Symantec Class 1 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
 # Serial Number:21:6e:33:a5:cb:d3:88:a4:6f:29:07:b4:27:3c:c4:d8
 # Subject: CN=Symantec Class 1 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
 # Not Valid Before: Wed Oct 05 00:00:00 2011
 # Not Valid After : Mon Jan 18 23:59:59 2038
 # Fingerprint (SHA-256): 36:3F:3C:84:9E:AB:03:B0:A2:A0:F6:36:D7:B8:6D:04:D3:AC:7F:CF:E2:6A:0A:91:21:AB:97:95:F6:E1:76:DF
@@ -29808,16 +29980,17 @@ CKA_VALUE MULTILINE_OCTAL
 \003\003\151\000\060\146\002\061\000\310\246\251\257\101\177\265
 \311\021\102\026\150\151\114\134\270\047\030\266\230\361\300\177
 \220\155\207\323\214\106\027\360\076\117\374\352\260\010\304\172
 \113\274\010\057\307\342\247\157\145\002\061\000\326\131\336\206
 \316\137\016\312\124\325\306\320\025\016\374\213\224\162\324\216
 \000\130\123\317\176\261\113\015\345\120\206\353\236\153\337\377
 \051\246\330\107\331\240\226\030\333\362\105\263
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Symantec Class 2 Public Primary Certification Authority - G4"
 # Issuer: CN=Symantec Class 2 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
 # Serial Number:34:17:65:12:40:3b:b7:56:80:2d:80:cb:79:55:a6:1e
 # Subject: CN=Symantec Class 2 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
 # Not Valid Before: Wed Oct 05 00:00:00 2011
 # Not Valid After : Mon Jan 18 23:59:59 2038
 # Fingerprint (SHA-256): FE:86:3D:08:22:FE:7A:23:53:FA:48:4D:59:24:E8:75:65:6D:3D:C9:FB:58:77:1F:6F:61:6F:9D:57:1B:C5:92
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -1092,8 +1092,14 @@ SECMOD_CreateModuleEx;
 ;+};
 ;+NSS_3.22 { 	# NSS 3.22 release
 ;+    global:
 PK11_SignWithMechanism;
 PK11_VerifyWithMechanism;
 ;+    local:
 ;+       *;
 ;+};
+;+NSS_3.30 { 	# NSS 3.30 release
+;+    global:
+PK11_HasAttributeSet;
+;+    local:
+;+       *;
+;+};
--- a/security/nss/lib/pk11wrap/pk11slot.c
+++ b/security/nss/lib/pk11wrap/pk11slot.c
@@ -1081,58 +1081,57 @@ PK11_MakeString(PLArenaPool *arena, char
  */
 SECStatus
 PK11_ReadMechanismList(PK11SlotInfo *slot)
 {
     CK_ULONG count;
     CK_RV crv;
     PRUint32 i;
 
+    PK11_EnterSlotMonitor(slot);
+
     if (slot->mechanismList) {
         PORT_Free(slot->mechanismList);
         slot->mechanismList = NULL;
     }
     slot->mechanismCount = 0;
 
-    if (!slot->isThreadSafe)
-        PK11_EnterSlotMonitor(slot);
     crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID, NULL, &count);
     if (crv != CKR_OK) {
-        if (!slot->isThreadSafe)
-            PK11_ExitSlotMonitor(slot);
+        PK11_ExitSlotMonitor(slot);
         PORT_SetError(PK11_MapError(crv));
         return SECFailure;
     }
 
     slot->mechanismList = (CK_MECHANISM_TYPE *)
         PORT_Alloc(count * sizeof(CK_MECHANISM_TYPE));
     if (slot->mechanismList == NULL) {
-        if (!slot->isThreadSafe)
-            PK11_ExitSlotMonitor(slot);
+        PK11_ExitSlotMonitor(slot);
         return SECFailure;
     }
     crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID,
                                                 slot->mechanismList, &count);
-    if (!slot->isThreadSafe)
-        PK11_ExitSlotMonitor(slot);
     if (crv != CKR_OK) {
         PORT_Free(slot->mechanismList);
         slot->mechanismList = NULL;
+        PK11_ExitSlotMonitor(slot);
         PORT_SetError(PK11_MapError(crv));
         return SECSuccess;
     }
     slot->mechanismCount = count;
     PORT_Memset(slot->mechanismBits, 0, sizeof(slot->mechanismBits));
 
     for (i = 0; i < count; i++) {
         CK_MECHANISM_TYPE mech = slot->mechanismList[i];
         if (mech < 0x7ff) {
             slot->mechanismBits[mech & 0xff] |= 1 << (mech >> 8);
         }
     }
+
+    PK11_ExitSlotMonitor(slot);
     return SECSuccess;
 }
 
 /*
  * initialize a new token
  * unlike initialize slot, this can be called multiple times in the lifetime
  * of NSS. It reads the information associated with a card or token,
  * that is not going to change unless the card or token changes.
@@ -1870,34 +1869,41 @@ PK11_GetInternalSlot(void)
 
 /*
  * check if a given slot supports the requested mechanism
  */
 PRBool
 PK11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type)
 {
     int i;
+    PRBool retval = PR_FALSE;
 
     /* CKM_FAKE_RANDOM is not a real PKCS mechanism. It's a marker to
      * tell us we're looking form someone that has implemented get
      * random bits */
     if (type == CKM_FAKE_RANDOM) {
         return slot->hasRandom;
     }
 
+    PK11_EnterSlotMonitor(slot);
+
     /* for most mechanism, bypass the linear lookup */
     if (type < 0x7ff) {
-        return (slot->mechanismBits[type & 0xff] & (1 << (type >> 8))) ? PR_TRUE : PR_FALSE;
+        PRBool doesMechanism = (PRBool)(slot->mechanismBits[type & 0xff] &
+                                        (1 << (type >> 8)));
+        PK11_ExitSlotMonitor(slot);
+        return doesMechanism;
     }
 
-    for (i = 0; i < (int)slot->mechanismCount; i++) {
-        if (slot->mechanismList[i] == type)
-            return PR_TRUE;
+    for (i = 0; i < (int)slot->mechanismCount && !retval; i++) {
+        retval = (PRBool)(slot->mechanismList[i] == type);
     }
-    return PR_FALSE;
+
+    PK11_ExitSlotMonitor(slot);
+    return retval;
 }
 
 /*
  * Return true if a token that can do the desired mechanism exists.
  * This allows us to have hardware tokens that can do function XYZ magically
  * allow SSL Ciphers to appear if they are plugged in.
  */
 PRBool
--- a/security/nss/lib/ssl/tls13exthandle.c
+++ b/security/nss/lib/ssl/tls13exthandle.c
@@ -763,16 +763,22 @@ tls13_ServerHandleEarlyDataXtn(const ssl
     SSL_TRC(3, ("%d: TLS13[%d]: handle early_data extension",
                 SSL_GETPID(), ss->fd));
 
     /* If we are doing < TLS 1.3, then ignore this. */
     if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
         return SECSuccess;
     }
 
+    if (ss->ssl3.hs.helloRetry) {
+        ssl3_ExtSendAlert(ss, alert_fatal, unsupported_extension);
+        PORT_SetError(SSL_ERROR_RX_UNEXPECTED_EXTENSION);
+        return SECFailure;
+    }
+
     if (data->len) {
         PORT_SetError(SSL_ERROR_MALFORMED_EARLY_DATA);
         return SECFailure;
     }
 
     xtnData->negotiated[xtnData->numNegotiated++] = ex_type;
 
     return SECSuccess;
--- a/security/nss/lib/util/pkcs11n.h
+++ b/security/nss/lib/util/pkcs11n.h
@@ -88,16 +88,18 @@
 #define CKA_NSS_JPAKE_PEERID (CKA_NSS + 27)
 #define CKA_NSS_JPAKE_GX1 (CKA_NSS + 28)
 #define CKA_NSS_JPAKE_GX2 (CKA_NSS + 29)
 #define CKA_NSS_JPAKE_GX3 (CKA_NSS + 30)
 #define CKA_NSS_JPAKE_GX4 (CKA_NSS + 31)
 #define CKA_NSS_JPAKE_X2 (CKA_NSS + 32)
 #define CKA_NSS_JPAKE_X2S (CKA_NSS + 33)
 
+#define CKA_NSS_MOZILLA_CA_POLICY (CKA_NSS + 34)
+
 /*
  * Trust attributes:
  *
  * If trust goes standard, these probably will too.  So I'll
  * put them all in one place.
  */
 
 #define CKA_TRUST (CKA_NSS + 0x2000)