Merge mozilla-central to mozilla-inbound
authorEd Morley <bmo@edmorley.co.uk>
Mon, 05 Sep 2011 01:18:16 +0100
changeset 76541 6f99ff6c4c8655362961d4115428e5e581702bdc
parent 76540 f3174373103972bd7f0a51e517dc991909d428d7 (current diff)
parent 76525 a4a584a110e08a97287f71ac825598c2fddc8288 (diff)
child 76542 7fb15a645955ee2b808e639f2245b344833be6e1
push id3
push userfelipc@gmail.com
push dateFri, 30 Sep 2011 20:09:13 +0000
milestone9.0a1
Merge mozilla-central to mozilla-inbound
browser/base/content/test/tabview/browser_tabview_bug604699.js
browser/base/content/test/tabview/browser_tabview_bug627239.js
content/base/src/nsDocument.cpp
content/canvas/src/WebGLValidateStrings.h
content/html/content/test/Makefile.in
dom/base/nsGlobalWindow.cpp
memory/jemalloc/fixcrt.py
memory/jemalloc/jemalloc.def
mobile/chrome/content/content.js
--- a/browser/base/content/tabview/content.js
+++ b/browser/base/content/tabview/content.js
@@ -29,18 +29,161 @@
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
-addEventListener("DOMWillOpenModalDialog", function (event) {
-  // (event.isTrusted == true) when the event is generated by a user action
-  // and does not originate from a script.
-  if (event.isTrusted) {
+"use strict";
+
+const Cu = Components.utils;
+
+Cu.import("resource:///modules/tabview/utils.jsm");
+
+// Bug 671101 - directly using webProgress in this context
+// causes docShells to leak
+__defineGetter__("webProgress", function () {
+  let ifaceReq = docShell.QueryInterface(Ci.nsIInterfaceRequestor);
+  return ifaceReq.getInterface(Ci.nsIWebProgress);
+});
+
+// ----------
+// WindowEventHandler
+//
+// Handles events dispatched by the content window.
+let WindowEventHandler = {
+  // ----------
+  // Function: onDOMContentLoaded
+  // Sends an asynchronous message when the "onDOMContentLoaded" event for the
+  // current page is fired.
+  onDOMContentLoaded: function WEH_onDOMContentLoaded(event) {
+    sendAsyncMessage("Panorama:DOMContentLoaded");
+  },
+
+  // ----------
+  // Function: onDOMWillOpenModalDialog
+  // Sends a synchronous message when the "onDOMWillOpenModalDialog" event
+  // is fired right before a modal dialog will be opened by the current page.
+  onDOMWillOpenModalDialog: function WEH_onDOMWillOpenModalDialog(event) {
+    // (event.isTrusted == true) when the event is generated by a user action
+    // and does not originate from a script.
+    if (!event.isTrusted)
+      return;
+
     // we're intentionally sending a synchronous message to handle this event
     // as quick as possible, switch the selected tab and hide the tabview
     // before the modal dialog is shown
     sendSyncMessage("Panorama:DOMWillOpenModalDialog");
   }
-}, true);
+};
+
+// add event listeners
+addEventListener("DOMContentLoaded", WindowEventHandler.onDOMContentLoaded, false);
+addEventListener("DOMWillOpenModalDialog", WindowEventHandler.onDOMWillOpenModalDialog, false);
+
+// ----------
+// WindowMessageHandler
+//
+// Handles messages sent by the chrome process.
+let WindowMessageHandler = {
+  // ----------
+  // Function: isDocumentLoaded
+  // Checks if the currently active document is loaded.
+  isDocumentLoaded: function WMH_isDocumentLoaded(cx) {
+    let isLoaded = (content.document.readyState == "complete" &&
+                    !webProgress.isLoadingDocument);
+
+    sendAsyncMessage(cx.name, {isLoaded: isLoaded});
+  }
+};
+
+// add message listeners
+addMessageListener("Panorama:isDocumentLoaded", WindowMessageHandler.isDocumentLoaded);
+
+// ----------
+// WebProgressListener
+//
+// Observe the web progress of content pages loaded into this browser. When the
+// state of a page changes we check if we're still allowed to store page
+// information permanently.
+let WebProgressListener = {
+  // ----------
+  // Function: onStateChange
+  // Called by the webProgress when its state changes.
+  onStateChange: function WPL_onStateChange(webProgress, request, flag, status) {
+    // The browser just started loading (again). Explicitly grant storage
+    // because the browser might have been blocked before (e.g. when navigating
+    // from a https-page to a http-page).
+    if (flag & Ci.nsIWebProgressListener.STATE_START) {
+      // ensure the dom window is the top one
+      if (this._isTopWindow(webProgress))
+        sendAsyncMessage("Panorama:StoragePolicy:granted");
+    }
+
+    // The browser finished loading - check the cache control headers. Send
+    // a message if we're not allowed to store information about this page.
+    if (flag & Ci.nsIWebProgressListener.STATE_STOP) {
+      // ensure the dom window is the top one
+      if (this._isTopWindow(webProgress) &&
+          request && request instanceof Ci.nsIHttpChannel) {
+        request.QueryInterface(Ci.nsIHttpChannel);
+
+        let exclude = false;
+        let reason = "";
+
+        // Check if the "Cache-Control" header is "no-store". In this case we're
+        // not allowed to store information about the current page.
+        if (this._isNoStoreResponse(request)) {
+          exclude = true;
+          reason = "no-store";
+        }
+        // Otherwise we'll deny storage if we're currently viewing a https
+        // page without a "Cache-Control: public" header.
+        else if (request.URI.schemeIs("https")) {
+          let cacheControlHeader = this._getCacheControlHeader(request);
+          if (cacheControlHeader && !(/public/i).test(cacheControlHeader)) {
+            exclude = true;
+            reason = "https";
+          }
+        }
+
+        if (exclude)
+          sendAsyncMessage("Panorama:StoragePolicy:denied", {reason: reason});
+      }
+    }
+  },
+
+  // ----------
+  // Function: _isTopWindow
+  // Returns whether the DOMWindow associated with the webProgress is the
+  // top content window (and not an iframe or similar).
+  _isTopWindow: function WPL__isTopWindow(webProgress) {
+    // can throw if there's no associated DOMWindow
+    return !!Utils.attempt(function () webProgress.DOMWindow == content);
+  },
+
+  // ----------
+  // Function: _isNoStoreResponse
+  // Checks if the "Cache-Control" header is "no-store".
+  _isNoStoreResponse: function WPL__isNoStoreResponse(req) {
+    // can throw if called before the response has been received
+    return !!Utils.attempt(function () req.isNoStoreResponse());
+  },
+
+  // ----------
+  // Function: _getCacheControlHeader
+  // Returns the value of the "Cache-Control" header.
+  _getCacheControlHeader: function WPL__getCacheControlHeader(req) {
+    // can throw when the "Cache-Control" header doesn't exist
+    return Utils.attempt(function () req.getResponseHeader("Cache-Control"));
+  },
+
+  // ----------
+  // Implements progress listener interface.
+  QueryInterface: XPCOMUtils.generateQI([Ci.nsIWebProgressListener,
+                                         Ci.nsISupportsWeakReference,
+                                         Ci.nsISupports])
+};
+
+// add web progress listener
+webProgress.addProgressListener(WebProgressListener, Ci.nsIWebProgress.NOTIFY_STATE_WINDOW);
--- a/browser/base/content/tabview/modules/utils.jsm
+++ b/browser/base/content/tabview/modules/utils.jsm
@@ -771,10 +771,27 @@ let Utils = {
           if (copy !== undefined)
             target[name] = copy;
         }
       }
     }
 
     // Return the modified object
     return target;
+  },
+
+  // ----------
+  // Function: attempt
+  // Tries to execute a number of functions. Returns immediately the return
+  // value of the first non-failed function without executing successive
+  // functions, or null.
+  attempt: function () {
+    let args = arguments;
+
+    for (let i = 0; i < args.length; i++) {
+      try {
+        return args[i]();
+      } catch (e) {}
+    }
+
+    return null;
   }
 };
--- a/browser/base/content/tabview/storage.js
+++ b/browser/base/content/tabview/storage.js
@@ -94,57 +94,37 @@ let Storage = {
   },
 
   // ----------
   // Function: saveTab
   // Saves the data for a single tab.
   saveTab: function Storage_saveTab(tab, data) {
     Utils.assert(tab, "tab");
 
-    if (data != null) {
-      let imageData = data.imageData;
-      // Remove imageData from payload
-      delete data.imageData;
-
-      if (imageData != null)
-        ThumbnailStorage.saveThumbnail(tab, imageData);
-    }
-
     this._sessionStore.setTabValue(tab, this.TAB_DATA_IDENTIFIER,
       JSON.stringify(data));
   },
 
   // ----------
   // Function: getTabData
-  // Load tab data from session store and return it. Asynchrously loads the tab's
-  // thumbnail from the cache and calls <callback>(imageData) when done.
-  getTabData: function Storage_getTabData(tab, callback) {
+  // Load tab data from session store and return it.
+  getTabData: function Storage_getTabData(tab) {
     Utils.assert(tab, "tab");
-    Utils.assert(typeof callback == "function", "callback arg must be a function");
 
     let existingData = null;
 
     try {
       let tabData = this._sessionStore.getTabValue(tab, this.TAB_DATA_IDENTIFIER);
-      if (tabData != "") {
+      if (tabData != "")
         existingData = JSON.parse(tabData);
-      }
     } catch (e) {
       // getTabValue will fail if the property doesn't exist.
       Utils.log(e);
     }
 
-    if (existingData) {
-      ThumbnailStorage.loadThumbnail(
-        tab, existingData.url,
-        function(status, imageData) { 
-          callback(imageData);
-        }
-      );
-    }
     return existingData;
   },
 
   // ----------
   // Function: saveGroupItem
   // Saves the data for a single groupItem, associated with a specific window.
   saveGroupItem: function Storage_saveGroupItem(win, data) {
     var id = data.id;
new file mode 100644
--- /dev/null
+++ b/browser/base/content/tabview/storagePolicy.js
@@ -0,0 +1,208 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is storagePolicy.js.
+ *
+ * The Initial Developer of the Original Code is
+ * the Mozilla Foundation.
+ * Portions created by the Initial Developer are Copyright (C) 2011
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ * Tim Taubert <ttaubert@mozilla.com>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+// **********
+// Title: storagePolicy.js
+
+// ##########
+// Class: StoragePolicy
+// Singleton for implementing a storage policy for sensitive data.
+let StoragePolicy = {
+  // Pref that controls whether we can store SSL content on disk
+  PREF_DISK_CACHE_SSL: "browser.cache.disk_cache_ssl",
+
+  // Used to keep track of disk_cache_ssl preference
+  _enablePersistentHttpsCaching: null,
+
+  // Used to keep track of browsers whose data we shouldn't store permanently
+  _deniedBrowsers: [],
+
+  // ----------
+  // Function: toString
+  // Prints [StoragePolicy] for debug use.
+  toString: function StoragePolicy_toString() {
+    return "[StoragePolicy]";
+  },
+
+  // ----------
+  // Function: init
+  // Initializes the StoragePolicy object.
+  init: function StoragePolicy_init() {
+    // store the preference value
+    this._enablePersistentHttpsCaching =
+      Services.prefs.getBoolPref(this.PREF_DISK_CACHE_SSL);
+
+    Services.prefs.addObserver(this.PREF_DISK_CACHE_SSL, this, false);
+
+    // tabs are already loaded before UI is initialized so cache-control
+    // values are unknown. We add browsers with https to the list for now.
+    if (!this._enablePersistentHttpsCaching)
+      Array.forEach(gBrowser.browsers, this._initializeBrowser.bind(this));
+
+    // make sure to remove tab browsers when tabs get closed
+    this._onTabClose = this._onTabClose.bind(this);
+    gBrowser.tabContainer.addEventListener("TabClose", this._onTabClose, false);
+
+    let mm = gWindow.messageManager;
+
+    // add message listeners for storage granted
+    this._onGranted = this._onGranted.bind(this);
+    mm.addMessageListener("Panorama:StoragePolicy:granted", this._onGranted);
+
+    // add message listeners for storage denied
+    this._onDenied = this._onDenied.bind(this);
+    mm.addMessageListener("Panorama:StoragePolicy:denied", this._onDenied);
+  },
+
+  // ----------
+  // Function: _initializeBrowser
+  // Initializes the given browser and checks if we need to add it to our
+  // internal exclusion list.
+  _initializeBrowser: function StoragePolicy__initializeBrowser(browser) {
+    let self = this;
+
+    function checkExclusion() {
+      if (browser.currentURI.schemeIs("https"))
+        self._deniedBrowsers.push(browser);
+    }
+
+    function waitForDocumentLoad() {
+      let mm = browser.messageManager;
+
+      mm.addMessageListener("Panorama:DOMContentLoaded", function onLoad(cx) {
+        mm.removeMessageListener(cx.name, onLoad);
+        checkExclusion(browser);
+      });
+    }
+
+    this._isDocumentLoaded(browser, function (isLoaded) {
+      if (isLoaded)
+        checkExclusion();
+      else
+        waitForDocumentLoad();
+    });
+  },
+
+  // ----------
+  // Function: _isDocumentLoaded
+  // Check if the given browser's document is loaded.
+  _isDocumentLoaded: function StoragePolicy__isDocumentLoaded(browser, callback) {
+    let mm = browser.messageManager;
+    let message = "Panorama:isDocumentLoaded";
+
+    mm.addMessageListener(message, function onMessage(cx) {
+      mm.removeMessageListener(cx.name, onMessage);
+      callback(cx.json.isLoaded);
+    });
+
+    mm.sendAsyncMessage(message);
+  },
+
+  // ----------
+  // Function: uninit
+  // Is called by UI.init() when the browser windows is closed.
+  uninit: function StoragePolicy_uninit() {
+    Services.prefs.removeObserver(this.PREF_DISK_CACHE_SSL, this);
+    gBrowser.removeTabsProgressListener(this);
+    gBrowser.tabContainer.removeEventListener("TabClose", this._onTabClose, false);
+
+    let mm = gWindow.messageManager;
+
+    // remove message listeners
+    mm.removeMessageListener("Panorama:StoragePolicy:granted", this._onGranted);
+    mm.removeMessageListener("Panorama:StoragePolicy:denied", this._onDenied);
+  },
+
+  // ----------
+  // Function: _onGranted
+  // Handle the 'granted' message and remove the given browser from the list
+  // of denied browsers.
+  _onGranted: function StoragePolicy__onGranted(cx) {
+    let index = this._deniedBrowsers.indexOf(cx.target);
+
+    if (index > -1)
+      this._deniedBrowsers.splice(index, 1);
+  },
+
+  // ----------
+  // Function: _onDenied
+  // Handle the 'denied' message and add the given browser to the list of denied
+  // browsers.
+  _onDenied: function StoragePolicy__onDenied(cx) {
+    // exclusion is optional because cache-control is not no-store or public and
+    // the protocol is https. don't exclude when persistent https caching is
+    // enabled.
+    if ("https" == cx.json.reason && this._enablePersistentHttpsCaching)
+      return;
+
+    let browser = cx.target;
+
+    if (this._deniedBrowsers.indexOf(browser) == -1)
+      this._deniedBrowsers.push(browser);
+  },
+
+  // ----------
+  // Function: _onTabClose
+  // Remove the browser from our internal exclusion list when a tab gets closed.
+  _onTabClose: function StoragePolicy__onTabClose(event) {
+    let browser = event.target.linkedBrowser;
+    let index = this._deniedBrowsers.indexOf(browser);
+
+    if (index > -1)
+      this._deniedBrowsers.splice(index, 1);
+  },
+
+  // ----------
+  // Function: canStoreThumbnailForTab
+  // Returns whether we're allowed to store the thumbnail of the given tab.
+  canStoreThumbnailForTab: function StoragePolicy_canStoreThumbnailForTab(tab) {
+    // deny saving thumbnails in private browsing mode
+    if (gPrivateBrowsing.privateBrowsingEnabled &&
+        UI._privateBrowsing.transitionMode != "enter")
+      return false;
+
+    return (this._deniedBrowsers.indexOf(tab.linkedBrowser) == -1);
+  },
+
+  // ----------
+  // Function: observe
+  // Observe pref changes.
+  observe: function StoragePolicy_observe(subject, topic, data) {
+    this._enablePersistentHttpsCaching =
+      Services.prefs.getBoolPref(this.PREF_DISK_CACHE_SSL);
+  }
+};
--- a/browser/base/content/tabview/tabitems.js
+++ b/browser/base/content/tabview/tabitems.js
@@ -64,40 +64,45 @@ function TabItem(tab, options) {
   document.body.appendChild(TabItems.fragment().cloneNode(true));
   
   // The document fragment contains just one Node
   // As per DOM3 appendChild: it will then be the last child
   let div = document.body.lastChild;
   let $div = iQ(div);
 
   this._cachedImageData = null;
+  this._thumbnailNeedsSaving = false;
   this.canvasSizeForced = false;
   this.$thumb = iQ('.thumb', $div);
   this.$fav   = iQ('.favicon', $div);
   this.$tabTitle = iQ('.tab-title', $div);
   this.$canvas = iQ('.thumb canvas', $div);
   this.$cachedThumb = iQ('img.cached-thumb', $div);
   this.$favImage = iQ('.favicon>img', $div);
   this.$close = iQ('.close', $div);
 
   this.tabCanvas = new TabCanvas(this.tab, this.$canvas[0]);
 
+  let self = this;
+
+  // when we paint onto the canvas make sure our thumbnail gets saved
+  this.tabCanvas.addSubscriber("painted", function () {
+    self._thumbnailNeedsSaving = true;
+  });
+
   this.defaultSize = new Point(TabItems.tabWidth, TabItems.tabHeight);
   this._hidden = false;
   this.isATabItem = true;
   this.keepProportional = true;
   this._hasBeenDrawn = false;
   this._reconnected = false;
+  this.isDragging = false;
   this.isStacked = false;
   this.url = "";
 
-  var self = this;
-
-  this.isDragging = false;
-
   // Read off the total vertical and horizontal padding on the tab container
   // and cache this value, as it must be the same for every TabItem.
   if (Utils.isEmptyObject(TabItems.tabItemPadding)) {
     TabItems.tabItemPadding.x = parseInt($div.css('padding-left'))
         + parseInt($div.css('padding-right'));
   
     TabItems.tabItemPadding.y = parseInt($div.css('padding-top'))
         + parseInt($div.css('padding-bottom'));
@@ -189,107 +194,162 @@ TabItem.prototype = Utils.extend(new Ite
 
   // ----------
   // Function: showCachedData
   // Shows the cached data i.e. image and title.  Note: this method should only
   // be called at browser startup with the cached data avaliable.
   //
   // Parameters:
   //   tabData - the tab data
-  showCachedData: function TabItem_showCachedData(tabData) {
-    this._cachedImageData = tabData.imageData;
+  //   imageData - the image data
+  showCachedData: function TabItem_showCachedData(tabData, imageData) {
+    this._cachedImageData = imageData;
     this.$cachedThumb.attr("src", this._cachedImageData).show();
-    this.$canvas.css({opacity: 0.0});
+    this.$canvas.css({opacity: 0});
     this.$tabTitle.text(tabData.title ? tabData.title : "");
+
+    this._sendToSubscribers("showingCachedData");
   },
 
   // ----------
   // Function: hideCachedData
   // Hides the cached data i.e. image and title and show the canvas.
   hideCachedData: function TabItem_hideCachedData() {
     this.$cachedThumb.hide();
     this.$canvas.css({opacity: 1.0});
     if (this._cachedImageData)
       this._cachedImageData = null;
   },
 
   // ----------
   // Function: getStorageData
   // Get data to be used for persistent storage of this object.
-  //
-  // Parameters:
-  //   getImageData - true to include thumbnail pixels (and page title as well); default false
-  getStorageData: function TabItem_getStorageData(getImageData) {
-    let imageData = null;
-
-    if (getImageData) { 
-      if (this._cachedImageData)
-        imageData = this._cachedImageData;
-      else if (this.tabCanvas)
-        imageData = this.tabCanvas.toImageData();
-    }
-
+  getStorageData: function TabItem_getStorageData() {
     return {
       url: this.tab.linkedBrowser.currentURI.spec,
       groupID: (this.parent ? this.parent.id : 0),
-      imageData: imageData,
-      title: getImageData && this.tab.label || null
+      title: this.tab.label
     };
   },
 
   // ----------
   // Function: save
   // Store persistent for this object.
-  //
-  // Parameters:
-  //   saveImageData - true to include thumbnail pixels (and page title as well); default false
-  save: function TabItem_save(saveImageData) {
-    try{
+  save: function TabItem_save() {
+    try {
       if (!this.tab || this.tab.parentNode == null || !this._reconnected) // too soon/late to save
         return;
 
-      var data = this.getStorageData(saveImageData);
+      let data = this.getStorageData();
       if (TabItems.storageSanity(data))
         Storage.saveTab(this.tab, data);
     } catch(e) {
       Utils.log("Error in saving tab value: "+e);
     }
   },
 
   // ----------
+  // Function: loadThumbnail
+  // Loads the tabItems thumbnail.
+  loadThumbnail: function TabItem_loadThumbnail(tabData) {
+    Utils.assert(tabData, "invalid or missing argument <tabData>");
+
+    let self = this;
+
+    function TabItem_loadThumbnail_callback(error, imageData) {
+      // we could have been unlinked while waiting for the thumbnail to load
+      if (error || !imageData || !self.tab)
+        return;
+
+      self._sendToSubscribers("loadedCachedImageData");
+
+      // If we have a cached image, then show it if the loaded URL matches
+      // what the cache is from, OR the loaded URL is blank, which means
+      // that the page hasn't loaded yet.
+      let currentUrl = self.tab.linkedBrowser.currentURI.spec;
+      if (tabData.url == currentUrl || currentUrl == "about:blank")
+        self.showCachedData(tabData, imageData);
+    }
+
+    ThumbnailStorage.loadThumbnail(tabData.url, TabItem_loadThumbnail_callback);
+  },
+
+  // ----------
+  // Function: saveThumbnail
+  // Saves the tabItems thumbnail.
+  saveThumbnail: function TabItem_saveThumbnail(options) {
+    if (!this.tabCanvas)
+      return;
+
+    // nothing to do if the thumbnail hasn't changed
+    if (!this._thumbnailNeedsSaving)
+      return;
+
+    // check the storage policy to see if we're allowed to store the thumbnail
+    if (!StoragePolicy.canStoreThumbnailForTab(this.tab)) {
+      this._sendToSubscribers("deniedToSaveImageData");
+      return;
+    }
+
+    let url = this.tab.linkedBrowser.currentURI.spec;
+    let delayed = this._saveThumbnailDelayed;
+    let synchronously = (options && options.synchronously);
+
+    // is there a delayed save waiting?
+    if (delayed) {
+      // check if url has changed since last call to saveThumbnail
+      if (!synchronously && url == delayed.url)
+        return;
+
+      // url has changed in the meantime, clear the timeout
+      clearTimeout(delayed.timeout);
+    }
+
+    let self = this;
+
+    function callback(error) {
+      if (!error) {
+        self._thumbnailNeedsSaving = false;
+        self._sendToSubscribers("savedCachedImageData");
+      }
+    }
+
+    function doSaveThumbnail() {
+      self._saveThumbnailDelayed = null;
+
+      // we could have been unlinked in the meantime
+      if (!self.tabCanvas)
+        return;
+
+      let imageData = self.tabCanvas.toImageData();
+      ThumbnailStorage.saveThumbnail(url, imageData, callback, options);
+    }
+
+    if (synchronously) {
+      doSaveThumbnail();
+    } else {
+      let timeout = setTimeout(doSaveThumbnail, 2000);
+      this._saveThumbnailDelayed = {url: url, timeout: timeout};
+    }
+  },
+
+  // ----------
   // Function: _reconnect
   // Load the reciever's persistent data from storage. If there is none, 
   // treats it as a new tab. 
   _reconnect: function TabItem__reconnect() {
     Utils.assertThrow(!this._reconnected, "shouldn't already be reconnected");
     Utils.assertThrow(this.tab, "should have a xul:tab");
 
-    let tabData = null;
     let self = this;
-    let imageDataCb = function(imageData) {
-      // we could have been unlinked while waiting for the thumbnail to load
-      if (!self.tab)
-        return;
-
-      Utils.assertThrow(tabData, "tabData");
-      tabData.imageData = imageData;
+    let tabData = Storage.getTabData(this.tab);
 
-      let currentUrl = self.tab.linkedBrowser.currentURI.spec;
-      // If we have a cached image, then show it if the loaded URL matches
-      // what the cache is from, OR the loaded URL is blank, which means
-      // that the page hasn't loaded yet.
-      if (tabData.imageData &&
-          (tabData.url == currentUrl || currentUrl == 'about:blank')) {
-        self.showCachedData(tabData);
-      }
-    };
-    // getTabData returns the sessionstore contents, but passes
-    // a callback to run when the thumbnail is finally loaded.
-    tabData = Storage.getTabData(this.tab, imageDataCb);
     if (tabData && TabItems.storageSanity(tabData)) {
+      this.loadThumbnail(tabData);
+
       if (self.parent)
         self.parent.remove(self, {immediately: true});
 
       let groupItem;
 
       if (tabData.groupID) {
         groupItem = GroupItems.groupItem(tabData.groupID);
       } else {
@@ -931,16 +991,17 @@ let TabItems = {
           tabItem.$canvas[0].height = h;
         }
       }
 
       this._lastUpdateTime = Date.now();
       tabItem._lastTabUpdateTime = this._lastUpdateTime;
 
       tabItem.tabCanvas.paint();
+      tabItem.saveThumbnail();
 
       // ___ cache
       if (tabItem.isShowingCachedData())
         tabItem.hideCachedData();
 
       // ___ notify subscribers that a full update has completed.
       tabItem._sendToSubscribers("updated");
     } catch(e) {
@@ -1141,23 +1202,32 @@ let TabItems = {
   // Returns a copy of the master array of <TabItem>s.
   getItems: function TabItems_getItems() {
     return Utils.copy(this.items);
   },
 
   // ----------
   // Function: saveAll
   // Saves all open <TabItem>s.
-  //
-  // Parameters:
-  //   saveImageData - true to include thumbnail pixels (and page title as well); default false
-  saveAll: function TabItems_saveAll(saveImageData) {
-    var items = this.getItems();
-    items.forEach(function(item) {
-      item.save(saveImageData);
+  saveAll: function TabItems_saveAll() {
+    let tabItems = this.getItems();
+
+    tabItems.forEach(function TabItems_saveAll_forEach(tabItem) {
+      tabItem.save();
+    });
+  },
+
+  // ----------
+  // Function: saveAllThumbnails
+  // Saves thumbnails of all open <TabItem>s.
+  saveAllThumbnails: function TabItems_saveAllThumbnails(options) {
+    let tabItems = this.getItems();
+
+    tabItems.forEach(function TabItems_saveAllThumbnails_forEach(tabItem) {
+      tabItem.saveThumbnail(options);
     });
   },
 
   // ----------
   // Function: storageSanity
   // Checks the specified data (as returned by TabItem.getStorageData or loaded from storage)
   // and returns true if it looks valid.
   // TODO: this is a stub, please implement
@@ -1337,17 +1407,17 @@ TabPriorityQueue.prototype = {
 // Class: TabCanvas
 // Takes care of the actual canvas for the tab thumbnail
 // Does not need to be accessed from outside of tabitems.js
 function TabCanvas(tab, canvas) {
   this.tab = tab;
   this.canvas = canvas;
 };
 
-TabCanvas.prototype = {
+TabCanvas.prototype = Utils.extend(new Subscribable(), {
   // ----------
   // Function: toString
   // Prints [TabCanvas (tab)] for debug use
   toString: function TabCanvas_toString() {
     return "[TabCanvas (" + this.tab + ")]";
   },
 
   // ----------
@@ -1381,16 +1451,18 @@ TabCanvas.prototype = {
       } catch (e) {
         Utils.error('paint', e);
       }
     } else {
       // General case where nearest neighbor algorithm looks good
       // Draw directly to the destination canvas
       this._drawWindow(ctx, w, h, bgColor);
     }
+
+    this._sendToSubscribers("painted");
   },
 
   // ----------
   // Function: _fillCanvasBackground
   // Draws a rectangle of <width>x<height> with color <bgColor> to the given
   // canvas context.
   _fillCanvasBackground: function TabCanvas__fillCanvasBackground(ctx, width, height, bgColor) {
     ctx.fillStyle = bgColor;
@@ -1449,9 +1521,9 @@ TabCanvas.prototype = {
     return new Rect(left, top, width, height);
   },
 
   // ----------
   // Function: toImageData
   toImageData: function TabCanvas_toImageData() {
     return this.canvas.toDataURL("image/png");
   }
-};
+});
--- a/browser/base/content/tabview/tabview.js
+++ b/browser/base/content/tabview/tabview.js
@@ -66,16 +66,17 @@ let AllTabs = {
     gBrowser.tabContainer.removeEventListener(this._events[eventName], callback, false);
   }
 };
 
 # NB: Certain files need to evaluate before others
 
 #include iq.js
 #include storage.js
+#include storagePolicy.js
 #include items.js
 #include groupitems.js
 #include tabitems.js
 #include drag.js
 #include trench.js
 #include thumbnailStorage.js
 #include ui.js
 #include search.js
--- a/browser/base/content/tabview/thumbnailStorage.js
+++ b/browser/base/content/tabview/thumbnailStorage.js
@@ -39,36 +39,26 @@
 // Title: thumbnailStorage.js
 
 // ##########
 // Class: ThumbnailStorage
 // Singleton for persistent storage of thumbnail data.
 let ThumbnailStorage = {
   CACHE_CLIENT_IDENTIFIER: "tabview-cache",
   CACHE_PREFIX: "moz-panorama:",
-  PREF_DISK_CACHE_SSL: "browser.cache.disk_cache_ssl",
 
   // Holds the cache session reference
   _cacheSession: null,
 
   // Holds the string input stream reference
   _stringInputStream: null,
 
   // Holds the storage stream reference
   _storageStream: null,
 
-  // Holds the progress listener reference
-  _progressListener: null,
-
-  // Used to keep track of disk_cache_ssl preference
-  enablePersistentHttpsCaching: null,
-
-  // Used to keep track of browsers whose thumbs we shouldn't save
-  excludedBrowsers: [],
-
   // ----------
   // Function: toString
   // Prints [ThumbnailStorage] for debug use.
   toString: function ThumbnailStorage_toString() {
     return "[ThumbnailStorage]";
   },
 
   // ----------
@@ -82,174 +72,132 @@ let ThumbnailStorage = {
     this._cacheSession = cacheService.createSession(
       this.CACHE_CLIENT_IDENTIFIER, Ci.nsICache.STORE_ON_DISK, true);
     this._stringInputStream = Components.Constructor(
       "@mozilla.org/io/string-input-stream;1", "nsIStringInputStream",
       "setData");
     this._storageStream = Components.Constructor(
       "@mozilla.org/storagestream;1", "nsIStorageStream", 
       "init");
-
-    // store the preference value
-    this.enablePersistentHttpsCaching =
-      Services.prefs.getBoolPref(this.PREF_DISK_CACHE_SSL);
-
-    Services.prefs.addObserver(this.PREF_DISK_CACHE_SSL, this, false);
-
-    let self = this;
-    // tabs are already loaded before UI is initialized so cache-control
-    // values are unknown.  We add browsers with https to the list for now.
-    gBrowser.browsers.forEach(function(browser) {
-      let checkAndAddToList = function(browserObj) {
-        if (!self.enablePersistentHttpsCaching &&
-            browserObj.currentURI.schemeIs("https"))
-          self.excludedBrowsers.push(browserObj);
-      };
-      if (browser.contentDocument.readyState != "complete" ||
-          browser.webProgress.isLoadingDocument) {
-        browser.addEventListener("load", function onLoad() {
-          browser.removeEventListener("load", onLoad, true);
-          checkAndAddToList(browser);
-        }, true);
-      } else {
-        checkAndAddToList(browser);
-      }
-    });
-    gBrowser.addTabsProgressListener(this);
-  },
-
-  // Function: uninit
-  // Should be called when window is unloaded.
-  uninit: function ThumbnailStorage_uninit() {
-    gBrowser.removeTabsProgressListener(this);
-    Services.prefs.removeObserver(this.PREF_DISK_CACHE_SSL, this);
   },
 
   // ----------
   // Function: _openCacheEntry
   // Opens a cache entry for the given <url> and requests access <access>.
   // Calls <successCallback>(entry) when the entry was successfully opened with
   // requested access rights. Otherwise calls <errorCallback>().
-  _openCacheEntry: function ThumbnailStorage__openCacheEntry(url, access, successCallback, errorCallback) {
-    let onCacheEntryAvailable = function(entry, accessGranted, status) {
+  //
+  // Parameters:
+  //   url - the url to use as the storage key
+  //   access - access flags, see Ci.nsICache.ACCESS_*
+  //   successCallback - the callback to be called on success
+  //   errorCallback - the callback to be called when an error occured
+  //   options - an object with additional parameters, see below
+  //
+  // Possible options:
+  //   synchronously - set to true to force sync mode
+  _openCacheEntry:
+    function ThumbnailStorage__openCacheEntry(url, access, successCallback,
+                                              errorCallback, options) {
+    Utils.assert(url, "invalid or missing argument <url>");
+    Utils.assert(access, "invalid or missing argument <access>");
+    Utils.assert(successCallback, "invalid or missing argument <successCallback>");
+    Utils.assert(errorCallback, "invalid or missing argument <errorCallback>");
+
+    function onCacheEntryAvailable(entry, accessGranted, status) {
       if (entry && access == accessGranted && Components.isSuccessCode(status)) {
         successCallback(entry);
       } else {
-        entry && entry.close();
+        if (entry)
+          entry.close();
+
         errorCallback();
       }
     }
 
     let key = this.CACHE_PREFIX + url;
 
-    // switch to synchronous mode if parent window is about to close
-    if (UI.isDOMWindowClosing) {
+    if (options && options.synchronously) {
       let entry = this._cacheSession.openCacheEntry(key, access, true);
       let status = Cr.NS_OK;
       onCacheEntryAvailable(entry, entry.accessGranted, status);
     } else {
       let listener = new CacheListener(onCacheEntryAvailable);
       this._cacheSession.asyncOpenCacheEntry(key, access, listener);
     }
   },
 
-  // Function: _shouldSaveThumbnail
-  // Checks whether to save tab's thumbnail or not.
-  _shouldSaveThumbnail : function ThumbnailStorage__shouldSaveThumbnail(tab) {
-    return (this.excludedBrowsers.indexOf(tab.linkedBrowser) == -1);
-  },
-
   // ----------
   // Function: saveThumbnail
-  // Saves the <imageData> to the cache using the given <url> as key.
-  // Calls <callback>(status, data) when finished, passing true or false
-  // (indicating whether the operation succeeded).
-  saveThumbnail: function ThumbnailStorage_saveThumbnail(tab, imageData, callback) {
-    Utils.assert(tab, "tab");
-    Utils.assert(imageData, "imageData");
-    
-    if (!this._shouldSaveThumbnail(tab)) {
-      tab._tabViewTabItem._sendToSubscribers("deniedToCacheImageData");
-      if (callback)
-        callback(false);
-      return;
-    }
+  // Saves the given thumbnail in the cache.
+  //
+  // Parameters:
+  //   url - the url to use as the storage key
+  //   imageData - the image data to save for the given key
+  //   callback - the callback that is called when the operation is finished
+  //   options - an object with additional parameters, see below
+  //
+  // Possible options:
+  //   synchronously - set to true to force sync mode
+  saveThumbnail:
+    function ThumbnailStorage_saveThumbnail(url, imageData, callback, options) {
+    Utils.assert(url, "invalid or missing argument <url>");
+    Utils.assert(imageData, "invalid or missing argument <imageData>");
+    Utils.assert(callback, "invalid or missing argument <callback>");
 
+    let synchronously = (options && options.synchronously);
     let self = this;
 
-    let completed = function(status) {
-      if (callback)
-        callback(status);
-
-      if (status) {
-        // Notify subscribers
-        tab._tabViewTabItem._sendToSubscribers("savedCachedImageData");
-      } else {
-        Utils.log("Error while saving thumbnail: " + e);
-      }
-    };
-
-    let onCacheEntryAvailable = function(entry) {
+    function onCacheEntryAvailable(entry) {
       let outputStream = entry.openOutputStream(0);
 
-      let cleanup = function() {
+      function cleanup() {
         outputStream.close();
         entry.close();
       }
 
-      // switch to synchronous mode if parent window is about to close
-      if (UI.isDOMWindowClosing) {
+      // synchronous mode
+      if (synchronously) {
         outputStream.write(imageData, imageData.length);
         cleanup();
-        completed(true);
+        callback();
         return;
       }
 
       // asynchronous mode
       let inputStream = new self._stringInputStream(imageData, imageData.length);
       gNetUtil.asyncCopy(inputStream, outputStream, function (result) {
         cleanup();
         inputStream.close();
-        completed(Components.isSuccessCode(result));
+        callback(Components.isSuccessCode(result) ? "" : "failure");
       });
     }
 
-    let onCacheEntryUnavailable = function() {
-      completed(false);
+    function onCacheEntryUnavailable() {
+      callback("unavailable");
     }
 
-    this._openCacheEntry(tab.linkedBrowser.currentURI.spec, 
-        Ci.nsICache.ACCESS_WRITE, onCacheEntryAvailable, 
-        onCacheEntryUnavailable);
+    this._openCacheEntry(url, Ci.nsICache.ACCESS_WRITE, onCacheEntryAvailable,
+                         onCacheEntryUnavailable, options);
   },
 
   // ----------
   // Function: loadThumbnail
-  // Asynchrously loads image data from the cache using the given <url> as key.
-  // Calls <callback>(status, data) when finished, passing true or false
-  // (indicating whether the operation succeeded) and the retrieved image data.
-  loadThumbnail: function ThumbnailStorage_loadThumbnail(tab, url, callback) {
-    Utils.assert(tab, "tab");
-    Utils.assert(url, "url");
-    Utils.assert(typeof callback == "function", "callback arg must be a function");
+  // Loads a thumbnail from the cache.
+  //
+  // Parameters:
+  //   url - the url to use as the storage key
+  //   callback - the callback that is called when the operation is finished
+  loadThumbnail: function ThumbnailStorage_loadThumbnail(url, callback) {
+    Utils.assert(url, "invalid or missing argument <url>");
+    Utils.assert(callback, "invalid or missing argument <callback>");
 
     let self = this;
 
-    let completed = function(status, imageData) {
-      callback(status, imageData);
-
-      if (status) {
-        // Notify subscribers
-        tab._tabViewTabItem._sendToSubscribers("loadedCachedImageData");
-      } else {
-        Utils.log("Error while loading thumbnail");
-      }
-    }
-
-    let onCacheEntryAvailable = function(entry) {
+    function onCacheEntryAvailable(entry) {
       let imageChunks = [];
       let nativeInputStream = entry.openInputStream(0);
 
       const CHUNK_SIZE = 0x10000; // 65k
       const PR_UINT32_MAX = 0xFFFFFFFF;
       let storageStream = new self._storageStream(CHUNK_SIZE, PR_UINT32_MAX, null);
       let storageOutStream = storageStream.getOutputStream(0);
 
@@ -273,81 +221,26 @@ let ThumbnailStorage = {
         if (isSuccess) {
           let storageInStream = storageStream.newInputStream(0);
           imageData = gNetUtil.readInputStreamToString(storageInStream,
             storageInStream.available());
           storageInStream.close();
         }
 
         cleanup();
-        completed(isSuccess, imageData);
+        callback(isSuccess ? "" : "failure", imageData);
       });
     }
 
-    let onCacheEntryUnavailable = function() {
-      completed(false);
+    function onCacheEntryUnavailable() {
+      callback("unavailable");
     }
 
-    this._openCacheEntry(url, Ci.nsICache.ACCESS_READ,
-        onCacheEntryAvailable, onCacheEntryUnavailable);
-  },
-
-  // ----------
-  // Function: observe
-  // Implements the observer interface.
-  observe: function ThumbnailStorage_observe(subject, topic, data) {
-    this.enablePersistentHttpsCaching =
-      Services.prefs.getBoolPref(this.PREF_DISK_CACHE_SSL);
-  },
-
-  // ----------
-  // Implements progress listener interface.
-  QueryInterface: XPCOMUtils.generateQI([Ci.nsIWebProgressListener,
-                                         Ci.nsISupportsWeakReference,
-                                         Ci.nsISupports]),
-
-  onStateChange: function ThumbnailStorage_onStateChange(
-    browser, webProgress, request, flag, status) {
-    if (flag & Ci.nsIWebProgressListener.STATE_START &&
-        flag & Ci.nsIWebProgressListener.STATE_IS_WINDOW) {
-      // ensure the dom window is the top one
-      if (webProgress.DOMWindow.parent == webProgress.DOMWindow) {
-        let index = this.excludedBrowsers.indexOf(browser);
-        if (index != -1)
-          this.excludedBrowsers.splice(index, 1);
-      }
-    }
-    if (flag & Ci.nsIWebProgressListener.STATE_STOP &&
-        flag & Ci.nsIWebProgressListener.STATE_IS_WINDOW) {
-      // ensure the dom window is the top one
-      if (webProgress.DOMWindow.parent == webProgress.DOMWindow &&
-          request && request instanceof Ci.nsIHttpChannel) {
-        request.QueryInterface(Ci.nsIHttpChannel);
-
-        let inhibitPersistentThumb = false;
-        if (request.isNoStoreResponse()) {
-           inhibitPersistentThumb = true;
-        } else if (!this.enablePersistentHttpsCaching &&
-                   request.URI.schemeIs("https")) {
-          let cacheControlHeader;
-          try {
-            cacheControlHeader = request.getResponseHeader("Cache-Control");
-          } catch(e) {
-            // this error would occur when "Cache-Control" doesn't exist in
-            // the eaders
-          }
-          if (cacheControlHeader && !(/public/i).test(cacheControlHeader))
-            inhibitPersistentThumb = true;
-        }
-
-        if (inhibitPersistentThumb &&
-            this.excludedBrowsers.indexOf(browser) == -1)
-          this.excludedBrowsers.push(browser);
-      }
-    }
+    this._openCacheEntry(url, Ci.nsICache.ACCESS_READ, onCacheEntryAvailable,
+                         onCacheEntryUnavailable);
   }
 }
 
 // ##########
 // Class: CacheListener
 // Generic CacheListener for feeding to asynchronous cache calls.
 // Calls <callback>(entry, access, status) when the requested cache entry
 // is available.
--- a/browser/base/content/tabview/ui.js
+++ b/browser/base/content/tabview/ui.js
@@ -170,16 +170,19 @@ let UI = {
       this._initPageDirection();
 
       // ___ thumbnail storage
       ThumbnailStorage.init();
 
       // ___ storage
       Storage.init();
 
+      // ___ storage policy
+      StoragePolicy.init();
+
       if (Storage.readWindowBusyState(gWindow))
         this.storageBusy();
 
       let data = Storage.readUIData(gWindow);
       this._storageSanity(data);
       this._pageBounds = data.pageBounds;
 
       // ___ currentTab
@@ -275,23 +278,26 @@ let UI = {
       iQ(window).resize(function() {
         self._resize();
       });
 
       // ___ setup event listener to save canvas images
       gWindow.addEventListener("SSWindowClosing", function onWindowClosing() {
         gWindow.removeEventListener("SSWindowClosing", onWindowClosing, false);
 
+        // XXX bug #635975 - don't unlink the tab if the dom window is closing.
         self.isDOMWindowClosing = true;
 
         if (self.isTabViewVisible())
           GroupItems.removeHiddenGroups();
 
+        TabItems.saveAll();
+        TabItems.saveAllThumbnails({synchronously: true});
+
         Storage.saveActiveGroupName(gWindow);
-        TabItems.saveAll(true);
         self._save();
       }, false);
 
       // ___ load frame script
       let frameScript = "chrome://browser/content/tabview-content.js";
       gWindow.messageManager.loadFrameScript(frameScript, true);
 
       // ___ Done
@@ -318,17 +324,17 @@ let UI = {
       func();
     });
     this._cleanupFunctions = [];
 
     // additional clean up
     TabItems.uninit();
     GroupItems.uninit();
     Storage.uninit();
-    ThumbnailStorage.uninit();
+    StoragePolicy.uninit();
 
     this._removeTabActionHandlers();
     this._currentTab = null;
     this._pageBounds = null;
     this._reorderTabItemsOnShow = null;
     this._reorderTabsOnHide = null;
     this._frameInitialized = false;
   },
@@ -708,16 +714,21 @@ let UI = {
           self._privateBrowsing.wasInTabView = self.isTabViewVisible();
           if (self.isTabViewVisible())
             self.goToTab(gBrowser.selectedTab);
         }
       } else if (topic == "private-browsing-change-granted") {
         if (data == "enter" || data == "exit") {
           hideSearch();
           self._privateBrowsing.transitionMode = data;
+
+          // make sure to save all thumbnails that haven't been saved yet
+          // before we enter the private browsing mode
+          if (data == "enter")
+            TabItems.saveAllThumbnails({synchronously: true});
         }
       } else if (topic == "private-browsing-transition-complete") {
         // We use .transitionMode here, as aData is empty.
         if (self._privateBrowsing.transitionMode == "exit" &&
             self._privateBrowsing.wasInTabView)
           self.showTabView(false);
 
         self._privateBrowsing.transitionMode = "";
--- a/browser/base/content/test/tabview/Makefile.in
+++ b/browser/base/content/test/tabview/Makefile.in
@@ -77,17 +77,16 @@ include $(topsrcdir)/config/rules.mk
                  browser_tabview_bug597980.js \
                  browser_tabview_bug598375.js \
                  browser_tabview_bug598600.js \
                  browser_tabview_bug599626.js \
                  browser_tabview_bug600645.js \
                  browser_tabview_bug600812.js \
                  browser_tabview_bug602432.js \
                  browser_tabview_bug604098.js \
-                 browser_tabview_bug604699.js \
                  browser_tabview_bug606657.js \
                  browser_tabview_bug606905.js \
                  browser_tabview_bug607108.js \
                  browser_tabview_bug608037.js \
                  browser_tabview_bug608184.js \
                  browser_tabview_bug608158.js \
                  browser_tabview_bug608405.js \
                  browser_tabview_bug610208.js \
@@ -109,17 +108,16 @@ include $(topsrcdir)/config/rules.mk
                  browser_tabview_bug624953.js \
                  browser_tabview_bug625195.js \
                  browser_tabview_bug625269.js \
                  browser_tabview_bug625424.js \
                  browser_tabview_bug626368.js \
                  browser_tabview_bug626455.js \
                  browser_tabview_bug626525.js \
                  browser_tabview_bug626791.js \
-                 browser_tabview_bug627239.js \
                  browser_tabview_bug627288.js \
                  browser_tabview_bug627736.js \
                  browser_tabview_bug628061.js \
                  browser_tabview_bug628165.js \
                  browser_tabview_bug628270.js \
                  browser_tabview_bug628887.js \
                  browser_tabview_bug629189.js \
                  browser_tabview_bug629195.js \
@@ -150,31 +148,34 @@ include $(topsrcdir)/config/rules.mk
                  browser_tabview_bug656778.js \
                  browser_tabview_bug656913.js \
                  browser_tabview_bug662266.js \
                  browser_tabview_bug663421.js \
                  browser_tabview_bug665502.js \
                  browser_tabview_bug669694.js \
                  browser_tabview_bug673196.js \
                  browser_tabview_bug673729.js \
+                 browser_tabview_bug677310.js \
                  browser_tabview_bug679853.js \
                  browser_tabview_bug681599.js \
                  browser_tabview_click_group.js \
                  browser_tabview_dragdrop.js \
                  browser_tabview_exit_button.js \
                  browser_tabview_expander.js \
                  browser_tabview_firstrun_pref.js \
                  browser_tabview_group.js \
                  browser_tabview_launch.js \
                  browser_tabview_multiwindow_search.js \
                  browser_tabview_privatebrowsing.js \
                  browser_tabview_rtl.js \
                  browser_tabview_search.js \
                  browser_tabview_snapping.js \
                  browser_tabview_startup_transitions.js \
+                 browser_tabview_storage_policy.js \
+                 browser_tabview_thumbnail_storage.js \
                  browser_tabview_undo_group.js \
                  dummy_page.html \
                  head.js \
                  search1.html \
                  search2.html \
                  test_bug600645.html \
                  test_bug644097.html \
                  $(NULL)
--- a/browser/base/content/test/tabview/browser_tabview_bug597248.js
+++ b/browser/base/content/test/tabview/browser_tabview_bug597248.js
@@ -29,17 +29,19 @@ function setupTwo(win) {
 
   let tabItems = contentWindow.TabItems.getItems();
   is(tabItems.length, 3, "There should be 3 tab items before closing");
 
   let numTabsToSave = tabItems.length;
 
   // force all canvases to update, and hook in imageData save detection
   tabItems.forEach(function(tabItem) {
-    contentWindow.TabItems.update(tabItem.tab);
+    // mark thumbnail as dirty
+    tabItem.tabCanvas.paint();
+
     tabItem.addSubscriber("savedCachedImageData", function onSaved(item) {
       item.removeSubscriber("savedCachedImageData", onSaved);
 
       if (!--numTabsToSave)
         restoreWindow();
     });
   });
 
@@ -76,18 +78,18 @@ function setupTwo(win) {
             else
               frameInitialized = true;
           }
 
           let tabItems = restoredContentWindow.TabItems.getItems();
           let count = tabItems.length;
 
           tabItems.forEach(function(tabItem) {
-            tabItem.addSubscriber("loadedCachedImageData", function onLoaded() {
-              tabItem.removeSubscriber("loadedCachedImageData", onLoaded);
+            tabItem.addSubscriber("showingCachedData", function onLoaded() {
+              tabItem.removeSubscriber("showingCachedData", onLoaded);
               ok(tabItem.isShowingCachedData(),
                 "Tab item is showing cached data and is just connected. " +
                 tabItem.tab.linkedBrowser.currentURI.spec);
               if (--count == 0)
                 nextStep();
             });
           });
         }
deleted file mode 100644
--- a/browser/base/content/test/tabview/browser_tabview_bug604699.js
+++ /dev/null
@@ -1,85 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
-   http://creativecommons.org/publicdomain/zero/1.0/ */
-
-function test() {
-  let url = "http://www.example.com/";
-  let cw;
-  let tab = gBrowser.tabs[0];
-
-  let finishTest = function () {
-    is(1, gBrowser.tabs.length, "there is one tab, only");
-    ok(!TabView.isVisible(), "tabview is not visible");
-    finish();
-  }
-
-  waitForExplicitFinish();
-
-  let testErroneousLoading = function () {
-    cw.ThumbnailStorage.loadThumbnail(tab, url, function (status, data) {
-      ok(!status, "thumbnail entry failed to load");
-      is(null, data, "no thumbnail data received");
-      next();
-    });
-  }
-
-  let testAsynchronousSaving = function () {
-    let saved = false;
-    let data = "thumbnail-data-asynchronous";
-
-    cw.ThumbnailStorage.saveThumbnail(tab, data, function (status) {
-      ok(status, "thumbnail entry was saved");
-      ok(saved, "thumbnail was saved asynchronously");
-
-      cw.ThumbnailStorage.loadThumbnail(tab, url, function (status, imageData) {
-        ok(status, "thumbnail entry was loaded");
-        is(imageData, data, "valid thumbnail data received");
-        next();
-      });
-    });
-
-    saved = true;
-  }
-
-  let testSynchronousSaving = function () {
-    let saved = false;
-    let data = "thumbnail-data-synchronous";
-
-    cw.UI.isDOMWindowClosing = true;
-    registerCleanupFunction(function () cw.UI.isDOMWindowClosing = false);
-
-    cw.ThumbnailStorage.saveThumbnail(tab, data, function (status) {
-      ok(status, "thumbnail entry was saved");
-      ok(!saved, "thumbnail was saved synchronously");
-
-      cw.ThumbnailStorage.loadThumbnail(tab, url, function (status, imageData) {
-        ok(status, "thumbnail entry was loaded");
-        is(imageData, data, "valid thumbnail data received");
-
-        cw.UI.isDOMWindowClosing = false;
-        next();
-      });
-    });
-
-    saved = true;
-  }
-
-  let tests = [testErroneousLoading, testAsynchronousSaving, testSynchronousSaving];
-
-  let next = function () {
-    let test = tests.shift();
-    if (test)
-      test();
-    else
-      hideTabView(finishTest);
-  }
-
-  tab.linkedBrowser.loadURI(url);
-  afterAllTabsLoaded(function() {
-    showTabView(function () {
-      registerCleanupFunction(function () TabView.hide());
-      cw = TabView.getContentWindow();
-
-      next();
-    });
-  });
-}
--- a/browser/base/content/test/tabview/browser_tabview_bug627288.js
+++ b/browser/base/content/test/tabview/browser_tabview_bug627288.js
@@ -17,27 +17,28 @@ function test() {
       tab = gBrowser.loadOneTab('http://mochi.test:8888/', {inBackground: true});
 
       afterAllTabsLoaded(function () {
         tabItem = tab._tabViewTabItem;
 
         tabItem.addSubscriber("savedCachedImageData", function onSaved() {
           tabItem.removeSubscriber("savedCachedImageData", onSaved);
 
-          tabItem.addSubscriber("loadedCachedImageData", function onLoaded() {
-            tabItem.removeSubscriber("loadedCachedImageData", onLoaded);
+          tabItem.addSubscriber("showingCachedData", function onLoaded() {
+            tabItem.removeSubscriber("showingCachedData", onLoaded);
 
             ok(tabItem.isShowingCachedData(), 'tabItem shows cached data');
             testChangeUrlAfterReconnect();
           });
 
           cw.TabItems.resumeReconnecting();
         });
 
         cw.Storage.saveTab(tab, data);
+        tabItem.saveThumbnail();
       });
     });
   }
 
   let testChangeUrlAfterReconnect = function () {
     tab.linkedBrowser.loadURI('http://mochi.test:8888/browser/');
 
     whenTabAttrModified(tab, function () {
new file mode 100644
--- /dev/null
+++ b/browser/base/content/test/tabview/browser_tabview_bug677310.js
@@ -0,0 +1,48 @@
+/* Any copyright is dedicated to the Public Domain.
+   http://creativecommons.org/publicdomain/zero/1.0/ */
+
+let pb = Cc["@mozilla.org/privatebrowsing;1"].
+         getService(Ci.nsIPrivateBrowsingService);
+
+function test() {
+  let thumbnailsSaved = false;
+
+  waitForExplicitFinish();
+
+  registerCleanupFunction(function () {
+    ok(thumbnailsSaved, "thumbs have been saved before entering pb mode");
+    pb.privateBrowsingEnabled = false;
+  });
+
+  afterAllTabsLoaded(function () {
+    showTabView(function () {
+      hideTabView(function () {
+        let numConditions = 2;
+
+        function check() {
+          if (--numConditions)
+            return;
+
+          togglePrivateBrowsing(finish);
+        }
+
+        let tabItem = gBrowser.tabs[0]._tabViewTabItem;
+
+        // save all thumbnails synchronously to cancel all delayed thumbnail
+        // saves that might be active
+        tabItem.saveThumbnail({synchronously: true});
+
+        // force a tabCanvas paint to flag the thumbnail as dirty
+        tabItem.tabCanvas.paint();
+
+        tabItem.addSubscriber("savedCachedImageData", function onSaved() {
+          tabItem.removeSubscriber("savedCachedImageData", onSaved);
+          thumbnailsSaved = true;
+          check();
+        });
+
+        togglePrivateBrowsing(check);
+      });
+    });
+  });
+}
rename from browser/base/content/test/tabview/browser_tabview_bug627239.js
rename to browser/base/content/test/tabview/browser_tabview_storage_policy.js
--- a/browser/base/content/test/tabview/browser_tabview_bug627239.js
+++ b/browser/base/content/test/tabview/browser_tabview_storage_policy.js
@@ -1,127 +1,145 @@
 /* Any copyright is dedicated to the Public Domain.
    http://creativecommons.org/publicdomain/zero/1.0/ */
+
+const PREF_DISK_CACHE_SSL = "browser.cache.disk_cache_ssl";
+
+let pb = Cc["@mozilla.org/privatebrowsing;1"].
+         getService(Ci.nsIPrivateBrowsingService);
+
 let contentWindow;
-let enablePersistentHttpsCaching;
 let newTab;
 
 function test() {
   waitForExplicitFinish();
 
   newTab = gBrowser.addTab();
 
   HttpRequestObserver.register();
 
   registerCleanupFunction(function () {
     HttpRequestObserver.unregister();
     if (gBrowser.tabs[1])
       gBrowser.removeTab(gBrowser.tabs[1]);
     hideTabView();
 
-    contentWindow.ThumbnailStorage.enablePersistentHttpsCaching =
-        enablePersistentHttpsCaching;
+    Services.prefs.clearUserPref(PREF_DISK_CACHE_SSL);
+    pb.privateBrowsingEnabled = false;
   });
 
   showTabView(function() {
     contentWindow = TabView.getContentWindow();
     test1();
   });
 }
 
 
 function test1() {
   // page with cache-control: no-store, should not save thumbnail
   HttpRequestObserver.cacheControlValue = "no-store";
-  newTab.linkedBrowser.loadURI("http://www.example.com/browser/browser/base/content/test/tabview/dummy_page.html");
 
-  afterAllTabsLoaded(function() {
+  whenStorageDenied(newTab, function () {
     let tabItem = newTab._tabViewTabItem;
 
-    ok(!contentWindow.ThumbnailStorage._shouldSaveThumbnail(newTab), 
+    ok(!contentWindow.StoragePolicy.canStoreThumbnailForTab(newTab), 
        "Should not save the thumbnail for tab");
 
-    whenDeniedToCacheImageData(tabItem, test2);
-    tabItem.save(true);
+    whenDeniedToSaveImageData(tabItem, test2);
+    tabItem.saveThumbnail({synchronously: true});
     HttpRequestObserver.cacheControlValue = null;
   });
+
+  newTab.linkedBrowser.loadURI("http://www.example.com/browser/browser/base/content/test/tabview/dummy_page.html");
 }
 
 function test2() {
   // page with cache-control: private, should save thumbnail
   HttpRequestObserver.cacheControlValue = "private";
 
   newTab.linkedBrowser.loadURI("http://www.example.com/");
   afterAllTabsLoaded(function() {
     let tabItem = newTab._tabViewTabItem;
 
-    ok(contentWindow.ThumbnailStorage._shouldSaveThumbnail(newTab), 
+    ok(contentWindow.StoragePolicy.canStoreThumbnailForTab(newTab), 
        "Should save the thumbnail for tab");
 
     whenSavedCachedImageData(tabItem, test3);
-    tabItem.save(true);
+    tabItem.saveThumbnail({synchronously: true});
   });
 }
 
 function test3() {
   // page with cache-control: private with https caching enabled, should save thumbnail
   HttpRequestObserver.cacheControlValue = "private";
 
-  enablePersistentHttpsCaching =
-    contentWindow.ThumbnailStorage.enablePersistentHttpsCaching;
-  contentWindow.ThumbnailStorage.enablePersistentHttpsCaching = true;
+  Services.prefs.setBoolPref(PREF_DISK_CACHE_SSL, true);
 
   newTab.linkedBrowser.loadURI("https://example.com/browser/browser/base/content/test/tabview/dummy_page.html");
   afterAllTabsLoaded(function() {
     let tabItem = newTab._tabViewTabItem;
 
-    ok(contentWindow.ThumbnailStorage._shouldSaveThumbnail(newTab),
+    ok(contentWindow.StoragePolicy.canStoreThumbnailForTab(newTab),
        "Should save the thumbnail for tab");
 
     whenSavedCachedImageData(tabItem, test4);
-    tabItem.save(true);
+    tabItem.saveThumbnail({synchronously: true});
   });
 }
 
 function test4() {
   // page with cache-control: public with https caching disabled, should save thumbnail
   HttpRequestObserver.cacheControlValue = "public";
 
-  contentWindow.ThumbnailStorage.enablePersistentHttpsCaching = false;
+  Services.prefs.setBoolPref(PREF_DISK_CACHE_SSL, false);
 
   newTab.linkedBrowser.loadURI("https://example.com/browser/browser/base/content/test/tabview/");
   afterAllTabsLoaded(function() {
     let tabItem = newTab._tabViewTabItem;
 
-    ok(contentWindow.ThumbnailStorage._shouldSaveThumbnail(newTab),
+    ok(contentWindow.StoragePolicy.canStoreThumbnailForTab(newTab),
        "Should save the thumbnail for tab");
 
     whenSavedCachedImageData(tabItem, test5);
-    tabItem.save(true);
+    tabItem.saveThumbnail({synchronously: true});
   });
 }
 
 function test5() {
   // page with cache-control: private with https caching disabled, should not save thumbnail
   HttpRequestObserver.cacheControlValue = "private";
- 
-  newTab.linkedBrowser.loadURI("https://example.com/");
-  afterAllTabsLoaded(function() {
+
+  whenStorageDenied(newTab, function () {
     let tabItem = newTab._tabViewTabItem;
 
-    ok(!contentWindow.ThumbnailStorage._shouldSaveThumbnail(newTab),
-       "Should not the thumbnail for tab");
+    ok(!contentWindow.StoragePolicy.canStoreThumbnailForTab(newTab),
+       "Should not save the thumbnail for tab");
+
+    whenDeniedToSaveImageData(tabItem, function () {
+      gBrowser.removeTab(newTab);
+      test6();
+    });
+
+    tabItem.saveThumbnail({synchronously: true});
+  });
 
-    whenDeniedToCacheImageData(tabItem, function () {
-      hideTabView(function () {
-        gBrowser.removeTab(gBrowser.tabs[1]);
-        finish();
-      });
-    });
-    tabItem.save(true);
+  newTab.linkedBrowser.loadURI("https://example.com/");
+}
+
+// ensure that no thumbnails are saved while in private browsing mode
+function test6() {
+  HttpRequestObserver.cacheControlValue = "public";
+
+  togglePrivateBrowsing(function () {
+    let tab = gBrowser.tabs[0];
+
+    ok(!contentWindow.StoragePolicy.canStoreThumbnailForTab(tab),
+       "Should not save the thumbnail for tab");
+
+    togglePrivateBrowsing(finish);
   });
 }
 
 let HttpRequestObserver = {
   cacheControlValue: null,
 
   observe: function(subject, topic, data) {
     if (topic == "http-on-examine-response" && this.cacheControlValue) {
@@ -141,14 +159,23 @@ let HttpRequestObserver = {
 
 function whenSavedCachedImageData(tabItem, callback) {
   tabItem.addSubscriber("savedCachedImageData", function onSaved() {
     tabItem.removeSubscriber("savedCachedImageData", onSaved);
     callback();
   });
 }
 
-function whenDeniedToCacheImageData(tabItem, callback) {
-  tabItem.addSubscriber("deniedToCacheImageData", function onDenied() {
-    tabItem.removeSubscriber("deniedToCacheImageData", onDenied);
+function whenDeniedToSaveImageData(tabItem, callback) {
+  tabItem.addSubscriber("deniedToSaveImageData", function onDenied() {
+    tabItem.removeSubscriber("deniedToSaveImageData", onDenied);
     callback();
   });
 }
+
+function whenStorageDenied(tab, callback) {
+  let mm = tab.linkedBrowser.messageManager;
+
+  mm.addMessageListener("Panorama:StoragePolicy:denied", function onDenied() {
+    mm.removeMessageListener("Panorama:StoragePolicy:denied", onDenied);
+    executeSoon(callback);
+  });
+}
new file mode 100644
--- /dev/null
+++ b/browser/base/content/test/tabview/browser_tabview_thumbnail_storage.js
@@ -0,0 +1,161 @@
+/* Any copyright is dedicated to the Public Domain.
+   http://creativecommons.org/publicdomain/zero/1.0/ */
+
+let tests = [testRawSyncSave, testRawAsyncSave, testRawLoadError,
+             testAsyncSave, testSyncSave, testOverrideAsyncSave,
+             testSaveCleanThumbnail];
+
+function test() {
+  waitForExplicitFinish();
+  loadTabView(next);
+}
+
+function testRawSyncSave() {
+  let cw = TabView.getContentWindow();
+  let url = "http://example.com/sync-url";
+  let data = "thumbnail-data-sync";
+  let saved = false;
+
+  cw.ThumbnailStorage.saveThumbnail(url, data, function (error) {
+    ok(!error, "thumbnail entry was saved");
+    ok(!saved, "thumbnail was saved synchronously");
+
+    cw.ThumbnailStorage.loadThumbnail(url, function (error, imageData) {
+      ok(!error, "thumbnail entry was loaded");
+      is(imageData, data, "valid thumbnail data received");
+      next();
+    });
+  }, {synchronously: true});
+
+  saved = true;
+}
+
+function testRawAsyncSave() {
+  let cw = TabView.getContentWindow();
+  let url = "http://example.com/async-url";
+  let data = "thumbnail-data-async";
+  let saved = false;
+
+  cw.ThumbnailStorage.saveThumbnail(url, data, function (error) {
+    ok(!error, "thumbnail entry was saved");
+    ok(saved, "thumbnail was saved asynchronously");
+
+    cw.ThumbnailStorage.loadThumbnail(url, function (error, imageData) {
+      ok(!error, "thumbnail entry was loaded");
+      is(imageData, data, "valid thumbnail data received");
+      next();
+    });
+  });
+
+  saved = true;
+}
+
+function testRawLoadError() {
+  let cw = TabView.getContentWindow();
+
+  cw.ThumbnailStorage.loadThumbnail("non-existant-url", function (error, data) {
+    ok(error, "thumbnail entry failed to load");
+    is(null, data, "no thumbnail data received");
+    next();
+  });
+}
+
+function testSyncSave() {
+  let tabItem = gBrowser.tabs[0]._tabViewTabItem;
+
+  // set the thumbnail to dirty
+  tabItem.tabCanvas.paint();
+
+  let saved = false;
+
+  whenThumbnailSaved(tabItem, function () {
+    ok(!saved, "thumbnail was saved synchronously");
+    next();
+  });
+
+  tabItem.saveThumbnail({synchronously: true});
+  saved = true;
+}
+
+function testAsyncSave() {
+  let tabItem = gBrowser.tabs[0]._tabViewTabItem;
+
+  // set the thumbnail to dirty
+  tabItem.tabCanvas.paint();
+
+  let saved = false;
+
+  whenThumbnailSaved(tabItem, function () {
+    ok(saved, "thumbnail was saved asynchronously");
+    next();
+  });
+
+  tabItem.saveThumbnail();
+  saved = true;
+}
+
+function testOverrideAsyncSave() {
+  let tabItem = gBrowser.tabs[0]._tabViewTabItem;
+
+  // set the thumbnail to dirty
+  tabItem.tabCanvas.paint();
+
+  // initiate async save
+  tabItem.saveThumbnail();
+
+  let saveCount = 0;
+
+  whenThumbnailSaved(tabItem, function () {
+    saveCount = 1;
+  });
+
+  tabItem.saveThumbnail({synchronously: true});
+
+  is(saveCount, 1, "thumbnail got saved once");
+  next();
+}
+
+function testSaveCleanThumbnail() {
+  let tabItem = gBrowser.tabs[0]._tabViewTabItem;
+
+  // set the thumbnail to dirty
+  tabItem.tabCanvas.paint();
+
+  let saveCount = 0;
+
+  whenThumbnailSaved(tabItem, function () saveCount++);
+  tabItem.saveThumbnail({synchronously: true});
+  tabItem.saveThumbnail({synchronously: true});
+
+  is(saveCount, 1, "thumbnail got saved once, only");
+  next();
+}
+
+// ----------
+function whenThumbnailSaved(tabItem, callback) {
+  tabItem.addSubscriber("savedCachedImageData", function onSaved() {
+    tabItem.removeSubscriber("savedCachedImageData", onSaved);
+    callback();
+  });
+}
+
+// ----------
+function loadTabView(callback) {
+  afterAllTabsLoaded(function () {
+    showTabView(function () {
+      hideTabView(callback);
+    });
+  });
+}
+
+// ----------
+function next() {
+  let test = tests.shift();
+
+  if (test) {
+    info("* running " + test.name + "...");
+    test();
+  } else {
+    finish();
+  }
+}
--- a/browser/themes/pinstripe/browser/browser.css
+++ b/browser/themes/pinstripe/browser/browser.css
@@ -2574,8 +2574,53 @@ panel[dimmed="true"] {
   outline: 1px dashed rgba(255,255,255,0.5);
   outline-offset: -1px;
 }
 
 #highlighter-veil-transparentbox[locked] {
   box-shadow: 0 0 0 1px black;
   outline-color: white;
 }
+
+/* Highlighter toolbar */
+
+#inspector-toolbar {
+  -moz-appearance: none;
+  height: 32px;
+  padding: 0 3px;
+  border-top: 1px solid hsla(210, 8%, 5%, .65);
+  box-shadow: 0 1px 0 0 hsla(210, 16%, 76%, .2) inset;
+  background-image: -moz-linear-gradient(top, hsl(210,11%,36%), hsl(210,11%,18%));
+}
+
+#inspector-inspect-toolbutton,
+#inspector-tools > toolbarbutton {
+  -moz-appearance: none;
+  width: 78px;
+  margin: 3px 5px;
+  color: hsl(210,30%,85%);
+  text-shadow: 0 -1px 0 hsla(210,8%,5%,.45);
+  border: 1px solid hsla(210,8%,5%,.45);
+  border-radius: @toolbarbuttonCornerRadius@;
+  background: -moz-linear-gradient(hsla(212,7%,57%,.35), hsla(212,7%,57%,.1));
+  background-clip: padding-box;
+  box-shadow: 0 1px 0 hsla(210,16%,76%,.15) inset, 0 0 0 1px hsla(210,16%,76%,.15) inset, 0 1px 0 hsla(210,16%,76%,.15);
+}
+
+#inspector-inspect-toolbutton:not([checked]):hover:active,
+#inspector-tools > toolbarbutton:not([checked]):hover:active {
+  border-color: hsla(210,8%,5%,.6);
+  background: -moz-linear-gradient(hsla(220,6%,10%,.3), hsla(212,7%,57%,.15) 65%, hsla(212,7%,57%,.3));
+  box-shadow: 0 0 3px hsla(210,8%,5%,.25) inset, 0 1px 3px hsla(210,8%,5%,.25) inset, 0 1px 0 hsla(210,16%,76%,.15);
+}
+
+#inspector-inspect-toolbutton[checked],
+#inspector-tools > toolbarbutton[checked] {
+  color: hsl(208,100%,60%) !important;
+  border-color: hsla(210,8%,5%,.6);
+  background: -moz-linear-gradient(hsla(220,6%,10%,.6), hsla(210,11%,18%,.45) 75%, hsla(210,11%,30%,.4));
+  box-shadow: 0 1px 3px hsla(210,8%,5%,.25) inset, 0 1px 3px hsla(210,8%,5%,.25) inset, 0 1px 0 hsla(210,16%,76%,.15);
+}
+
+#inspector-inspect-toolbutton[checked]:hover:active,
+#inspector-tools > toolbarbutton[checked]:hover:active {
+  background-color: hsla(210,8%,5%,.2);
+}
--- a/content/base/public/nsINode.h
+++ b/content/base/public/nsINode.h
@@ -277,18 +277,18 @@ private:
 #define DOM_USER_DATA         1
 #define DOM_USER_DATA_HANDLER 2
 #ifdef MOZ_SMIL
 #define SMIL_MAPPED_ATTR_ANIMVAL 3
 #endif // MOZ_SMIL
 
 // IID for the nsINode interface
 #define NS_INODE_IID \
-{ 0x5572c8a9, 0xbda9, 0x4b78, \
-  { 0xb4, 0x1a, 0xdb, 0x1a, 0x83, 0xef, 0x53, 0x7e } }
+{ 0xb59269fe, 0x7f60, 0x4672, \
+  { 0x8e, 0x56, 0x01, 0x84, 0xb2, 0x58, 0x14, 0xb0 } }
 
 /**
  * An internal interface that abstracts some DOMNode-related parts that both
  * nsIContent and nsIDocument share.  An instance of this interface has a list
  * of nsIContent children and provides access to them.
  */
 class nsINode : public nsIDOMEventTarget,
                 public nsWrapperCache
@@ -1080,16 +1080,24 @@ public:
    * descendants of aRoot, not including aRoot itself, will be returned.
    * Returns null if there are no more nodes to traverse.
    */
   nsIContent* GetNextNonChildNode(const nsINode* aRoot = nsnull) const
   {
     return GetNextNodeImpl(aRoot, PR_TRUE);
   }
 
+  /**
+   * Returns true if 'this' is either document or element or
+   * document fragment and aOther is a descendant in the same
+   * anonymous tree.
+   */
+  PRBool Contains(const nsINode* aOther) const;
+  nsresult Contains(nsIDOMNode* aOther, PRBool* aReturn);
+
 private:
 
   nsIContent* GetNextNodeImpl(const nsINode* aRoot,
                               const PRBool aSkipChildren) const
   {
     // Can't use nsContentUtils::ContentIsDescendantOf here, since we
     // can't include it here.
 #ifdef DEBUG
--- a/content/base/src/nsDOMAttribute.cpp
+++ b/content/base/src/nsDOMAttribute.cpp
@@ -653,16 +653,22 @@ nsDOMAttribute::SetTextContent(const nsA
 NS_IMETHODIMP
 nsDOMAttribute::IsSameNode(nsIDOMNode *other, PRBool *aResult)
 {
   *aResult = other == this;
   return NS_OK;
 }
 
 NS_IMETHODIMP
+nsDOMAttribute::Contains(nsIDOMNode* aOther, PRBool* aReturn)
+{
+  return nsINode::Contains(aOther, aReturn);
+}
+
+NS_IMETHODIMP
 nsDOMAttribute::LookupPrefix(const nsAString & namespaceURI,
                              nsAString & aResult)
 {
   SetDOMStringToNull(aResult);
   return NS_OK;
 }
 
 NS_IMETHODIMP
--- a/content/base/src/nsDocument.cpp
+++ b/content/base/src/nsDocument.cpp
@@ -5874,16 +5874,22 @@ nsDocument::SetUserData(const nsAString 
 NS_IMETHODIMP
 nsDocument::GetUserData(const nsAString & key,
                         nsIVariant **aResult)
 {
   return nsINode::GetUserData(key, aResult);
 }
 
 NS_IMETHODIMP
+nsDocument::Contains(nsIDOMNode* aOther, PRBool* aReturn)
+{
+  return nsINode::Contains(aOther, aReturn);
+}
+
+NS_IMETHODIMP
 nsDocument::GetInputEncoding(nsAString& aInputEncoding)
 {
   if (mHaveInputEncoding) {
     return GetCharacterSet(aInputEncoding);
   }
 
   SetDOMStringToNull(aInputEncoding);
   return NS_OK;
--- a/content/base/src/nsGenericElement.cpp
+++ b/content/base/src/nsGenericElement.cpp
@@ -5525,8 +5525,49 @@ nsGenericElement::SizeOf() const
       return NS_OK;                                                          \
     }                                                                        \
     return elm->SetJSEventListenerToJsval(nsGkAtoms::on##name_, cx, obj, v); \
 }
 #define TOUCH_EVENT EVENT
 #include "nsEventNameList.h"
 #undef TOUCH_EVENT
 #undef EVENT
+
+PRBool
+nsINode::Contains(const nsINode* aOther) const
+{
+  if (!aOther ||
+      aOther == this ||
+      GetOwnerDoc() != aOther->GetOwnerDoc() ||
+      IsInDoc() != aOther->IsInDoc() ||
+      !(aOther->IsElement() ||
+        aOther->IsNodeOfType(nsINode::eCONTENT)) ||
+      !GetFirstChild()) {
+    return PR_FALSE;
+  }
+
+  const nsIContent* other = static_cast<const nsIContent*>(aOther);
+  if (this == GetOwnerDoc()) {
+    // document.contains(aOther) returns true if aOther is in the document,
+    // but is not in any anonymous subtree.
+    // IsInDoc() check is done already before this.
+    return !other->IsInAnonymousSubtree();
+  }
+
+  if (!IsElement() && !IsNodeOfType(nsINode::eDOCUMENT_FRAGMENT)) {
+    return PR_FALSE;
+  }
+
+  const nsIContent* thisContent = static_cast<const nsIContent*>(this);
+  if (thisContent->GetBindingParent() != other->GetBindingParent()) {
+    return PR_FALSE;
+  }
+
+  return nsContentUtils::ContentIsDescendantOf(other, this);
+}
+
+nsresult
+nsINode::Contains(nsIDOMNode* aOther, PRBool* aReturn)
+{
+  nsCOMPtr<nsINode> node = do_QueryInterface(aOther);
+  *aReturn = Contains(node);
+  return NS_OK;
+}
--- a/content/base/test/chrome/Makefile.in
+++ b/content/base/test/chrome/Makefile.in
@@ -64,15 +64,16 @@ include $(topsrcdir)/config/rules.mk
     file_bug616841.xul \
     test_bug635835.xul \
     test_fileconstructor.xul \
     fileconstructor_file.png \
     test_bug339494.xul \
     test_bug357450.xul \
     test_bug571390.xul \
     test_bug574596.html \
+    test_bug683852.xul \
     $(NULL)
 
 libs:: $(_TEST_FILES)
 	$(INSTALL) $(foreach f,$^,"$f") $(DEPTH)/_tests/testing/mochitest/tests/$(relativesrcdir)
 
 libs:: $(_CHROME_FILES)
 	$(INSTALL) $(foreach f,$^,"$f") $(DEPTH)/_tests/testing/mochitest/chrome/$(relativesrcdir)
new file mode 100644
--- /dev/null
+++ b/content/base/test/chrome/test_bug683852.xul
@@ -0,0 +1,67 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/css" href="chrome://global/skin"?>
+<?xml-stylesheet type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"?>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=683852
+-->
+<window title="Mozilla Bug 683852"
+        xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
+  <script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"/>
+  <button value="testbutton" id="testbutton"/>
+  <!-- test results are displayed in the html:body -->
+  <body xmlns="http://www.w3.org/1999/xhtml">
+  <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=683852"
+     target="_blank" id="link">Mozilla Bug 683852</a>
+  </body>
+
+  <!-- test code goes here -->
+  <script type="application/javascript">
+  <![CDATA[
+  /** Test for Bug 683852 **/
+  SimpleTest.waitForExplicitFinish();
+
+  function startTest() {
+    is(document.contains(document), false, "Document should not contain itself!");
+
+    var tb = document.getElementById("testbutton");
+    is(document.contains(tb), true, "Document should contain element in it!");
+    var anon = document.getAnonymousElementByAttribute(tb, "anonid", "button-box");
+    is(document.contains(anon), false, "Document should not contain anonymous element in it!");
+    is(tb.contains(anon), false, "Element should not contain anonymous element in it!");
+    is(document.documentElement.contains(tb), true, "Element should contain element in it!");
+    is(document.contains(document.createElement("foo")), false, "Document shouldn't contain element which is't in the document");
+    is(document.contains(document.createTextNode("foo")), false, "Document shouldn't contain text node which is't in the document");
+
+    var link = document.getElementById("link");
+    is(document.contains(link.firstChild), true,
+       "Document should contain a text node in it.");
+    is(link.contains(link.firstChild), true,
+       "Element should contain a text node in it.");
+    is(link.firstChild.contains(link), false, "text node shouldn't contain its parent.");
+
+    is(document.contains(null), false, "Document shouldn't contain null.");
+
+    var pi = document.createProcessingInstruction("adf", "asd");
+    is(pi.contains(document), false, "Processing instruction shouldn't contain document");
+    document.documentElement.appendChild(pi);
+    document.contains(pi, true, "Document should contain processing instruction");
+
+    var df = document.createRange().createContextualFragment("<div>foo</div>");
+    is(df.contains(df.firstChild), true, "Document fragment should contain its child");
+    is(df.contains(df.firstChild.firstChild), true,
+       "Document fragment should contain its descendant");
+    is(df.contains(df), false, "Document fragment shouldn't contain itself.");
+
+    var d = document.implementation.createHTMLDocument("");
+    is(document.contains(d), false,
+       "Document shouldn't contain another document.");
+    is(document.contains(d.createElement("div")), false,
+       "Document shouldn't contain an element from another document.");
+
+    SimpleTest.finish();
+  }
+
+  addLoadEvent(startTest);
+  ]]>
+  </script>
+</window>
--- a/content/canvas/src/WebGLContext.h
+++ b/content/canvas/src/WebGLContext.h
@@ -497,19 +497,17 @@ protected:
     PRBool ValidateFaceEnum(WebGLenum face, const char *info);
     PRBool ValidateBufferUsageEnum(WebGLenum target, const char *info);
     PRBool ValidateTexFormatAndType(WebGLenum format, WebGLenum type, int jsArrayType,
                                       PRUint32 *texelSize, const char *info);
     PRBool ValidateDrawModeEnum(WebGLenum mode, const char *info);
     PRBool ValidateAttribIndex(WebGLuint index, const char *info);
     PRBool ValidateStencilParamsForDrawCall();
     
-    bool ValidateGLSLVariableName(const nsAString& name, const char *info);
-    bool ValidateGLSLCharacter(PRUnichar c);
-    bool ValidateGLSLString(const nsAString& string, const char *info);
+    bool  ValidateGLSLIdentifier(const nsAString& name, const char *info);
 
     static PRUint32 GetTexelSize(WebGLenum format, WebGLenum type);
 
     void Invalidate();
     void DestroyResourcesAndContext();
 
     void MakeContextCurrent() { gl->MakeCurrent(); }
 
--- a/content/canvas/src/WebGLContextGL.cpp
+++ b/content/canvas/src/WebGLContextGL.cpp
@@ -57,17 +57,16 @@
 #include "jstypedarray.h"
 
 #if defined(USE_ANGLE)
 // shader translator
 #include "angle/ShaderLang.h"
 #endif
 
 #include "WebGLTexelConversions.h"
-#include "WebGLValidateStrings.h"
 
 using namespace mozilla;
 
 static PRBool BaseTypeAndSizeFromUniformType(WebGLenum uType, WebGLenum *baseType, WebGLint *unitSize);
 static WebGLenum InternalFormatForFormatAndType(WebGLenum format, WebGLenum type, bool isGLES2);
 
 /* Helper macros for when we're just wrapping a gl method, so that
  * we can avoid having to type this 500 times.  Note that these MUST
@@ -178,18 +177,18 @@ WebGLContext::AttachShader(nsIWebGLProgr
 
 NS_IMETHODIMP
 WebGLContext::BindAttribLocation(nsIWebGLProgram *pobj, WebGLuint location, const nsAString& name)
 {
     WebGLuint progname;
     if (!GetGLName<WebGLProgram>("bindAttribLocation: program", pobj, &progname))
         return NS_OK;
 
-    if (!ValidateGLSLVariableName(name, "bindAttribLocation"))
-        return NS_OK;
+    if (name.IsEmpty())
+        return ErrorInvalidValue("BindAttribLocation: name can't be null or empty");
 
     if (!ValidateAttribIndex(location, "bindAttribLocation"))
         return NS_OK;
 
     MakeContextCurrent();
 
     gl->fBindAttribLocation(progname, location, NS_LossyConvertUTF16toASCII(name).get());
 
@@ -1852,17 +1851,17 @@ WebGLContext::GetAttribLocation(nsIWebGL
                                 PRInt32 *retval)
 {
     *retval = 0;
 
     WebGLuint progname;
     if (!GetGLName<WebGLProgram>("getAttribLocation: program", pobj, &progname))
         return NS_OK;
 
-    if (!ValidateGLSLVariableName(name, "getAttribLocation"))
+    if (!ValidateGLSLIdentifier(name, "getAttribLocation"))
         return NS_OK; 
 
     MakeContextCurrent();
     *retval = gl->fGetAttribLocation(progname, NS_LossyConvertUTF16toASCII(name).get());
     return NS_OK;
 }
 
 NS_IMETHODIMP
@@ -2667,17 +2666,17 @@ WebGLContext::GetUniformLocation(nsIWebG
 {
     *retval = nsnull;
 
     WebGLuint progname;
     WebGLProgram *prog;
     if (!GetConcreteObjectAndGLName("getUniformLocation: program", pobj, &prog, &progname))
         return NS_OK;
 
-    if (!ValidateGLSLVariableName(name, "getUniformLocation"))
+    if (!ValidateGLSLIdentifier(name, "getUniformLocation"))
         return NS_OK; 
 
     MakeContextCurrent();
 
     GLint intlocation = gl->fGetUniformLocation(progname, NS_LossyConvertUTF16toASCII(name).get());
 
     nsRefPtr<nsIWebGLUniformLocation> loc = prog->GetUniformLocationObject(intlocation);
     *retval = loc.forget().get();
@@ -4133,20 +4132,17 @@ WebGLContext::GetShaderSource(nsIWebGLSh
 
 NS_IMETHODIMP
 WebGLContext::ShaderSource(nsIWebGLShader *sobj, const nsAString& source)
 {
     WebGLShader *shader;
     WebGLuint shadername;
     if (!GetConcreteObjectAndGLName("shaderSource: shader", sobj, &shader, &shadername))
         return NS_OK;
-
-    if (!ValidateGLSLString(source, "shaderSource"))
-        return NS_OK;
-
+    
     const nsPromiseFlatString& flatSource = PromiseFlatString(source);
 
     if (!NS_IsAscii(flatSource.get()))
         return ErrorInvalidValue("shaderSource: non-ascii characters found in source");
 
     const nsCString& sourceCString = NS_LossyConvertUTF16toASCII(flatSource);
     
     const PRUint32 maxSourceLength = (PRUint32(1)<<18) - 1;
--- a/content/canvas/src/WebGLContextValidate.cpp
+++ b/content/canvas/src/WebGLContextValidate.cpp
@@ -323,41 +323,24 @@ PRBool WebGLContext::ValidateDrawModeEnu
         case LOCAL_GL_LINES:
             return PR_TRUE;
         default:
             ErrorInvalidEnumInfo(info, mode);
             return PR_FALSE;
     }
 }
 
-bool WebGLContext::ValidateGLSLVariableName(const nsAString& name, const char *info)
+bool WebGLContext::ValidateGLSLIdentifier(const nsAString& name, const char *info)
 {
-    const PRUint32 maxSize = 255;
+    const PRUint32 maxSize = 4095;
     if (name.Length() > maxSize) {
         ErrorInvalidValue("%s: identifier is %d characters long, exceeds the maximum allowed length of %d characters",
                           info, name.Length(), maxSize);
         return false;
     }
-
-    if (!ValidateGLSLString(name, info)) {
-        return false;
-    }
-
-    return true;
-}
-
-bool WebGLContext::ValidateGLSLString(const nsAString& string, const char *info)
-{
-    for (PRUint32 i = 0; i < string.Length(); ++i) {
-        if (!ValidateGLSLCharacter(string.CharAt(i))) {
-             ErrorInvalidValue("%s: string contains the illegal character '%d'", info, string.CharAt(i));
-             return false;
-        }
-    }
-
     return true;
 }
 
 PRUint32 WebGLContext::GetTexelSize(WebGLenum format, WebGLenum type)
 {
     if (type == LOCAL_GL_UNSIGNED_BYTE || type == LOCAL_GL_FLOAT) {
         int multiplier = type == LOCAL_GL_FLOAT ? 4 : 1;
         switch (format) {
deleted file mode 100644
--- a/content/canvas/src/WebGLValidateStrings.h
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Copyright (C) 2011 Apple Inc. All rights reserved.
- * Copyright (C) 2011 Mozilla Corporation. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER, INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE COMPUTER, INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef WEBGLVALIDATESTRINGS_H_
-#define WEBGLVALIDATESTRINGS_H_
-
-#include "WebGLContext.h"
-
-namespace mozilla {
-
-// The following function was taken from the WebKit WebGL implementation,
-// which can be found here:
-// http://trac.webkit.org/browser/trunk/Source/WebCore/html/canvas/WebGLRenderingContext.cpp#L123
-/****** BEGIN CODE TAKEN FROM WEBKIT ******/
-bool WebGLContext::ValidateGLSLCharacter(PRUnichar c)
-{
-    // Printing characters are valid except " $ ` @ \ ' DEL.
-    if (c >= 32 && c <= 126 &&
-        c != '"' && c != '$' && c != '`' && c != '@' && c != '\\' && c != '\'')
-    {
-        return true;
-    }
-
-    // Horizontal tab, line feed, vertical tab, form feed, carriage return are also valid.
-    if (c >= 9 && c <= 13) {
-        return true;
-    }
-
-    return false;
-}
-/****** END CODE TAKEN FROM WEBKIT ******/
-
-} // end namespace mozilla
-
-#endif // WEBGLVALIDATESTRINGS_H_
--- a/content/canvas/test/webgl/failing_tests_linux.txt
+++ b/content/canvas/test/webgl/failing_tests_linux.txt
@@ -7,16 +7,17 @@ conformance/shaders/glsl-features/../../
 conformance/shaders/glsl-features/../../glsl-features.html?feature=abs-vert-vec4&refvs=shaders/glsl-features/abs-vec4-ref.vert&testvs=shaders/glsl-features/abs-vec4.vert
 conformance/shaders/glsl-features/../../glsl-features.html?feature=sign-frag-vec4&reffs=shaders/glsl-features/sign-vec4-ref.frag&testfs=shaders/glsl-features/sign-vec4.frag
 conformance/shaders/glsl-features/../../glsl-features.html?feature=sign-vert-vec4&refvs=shaders/glsl-features/sign-vec4-ref.vert&testvs=shaders/glsl-features/sign-vec4.vert
 conformance/gl-get-active-attribute.html
 conformance/gl-getshadersource.html
 conformance/gl-uniform-bool.html
 conformance/glsl-conformance.html
 conformance/glsl-long-variable-names.html
+conformance/invalid-passed-params.html
 conformance/premultiplyalpha-test.html
 conformance/read-pixels-test.html
 conformance/uninitialized-test.html
 conformance/more/conformance/quickCheckAPI.html
 conformance/more/functions/copyTexImage2D.html
 conformance/more/functions/copyTexSubImage2D.html
 conformance/more/functions/deleteBufferBadArgs.html
 conformance/more/functions/uniformfArrayLen1.html
--- a/content/canvas/test/webgl/failing_tests_mac.txt
+++ b/content/canvas/test/webgl/failing_tests_mac.txt
@@ -1,16 +1,17 @@
 conformance/context-attributes-alpha-depth-stencil-antialias.html
 conformance/drawingbuffer-static-canvas-test.html
 conformance/drawingbuffer-test.html
 conformance/framebuffer-object-attachment.html
 conformance/gl-getshadersource.html
 conformance/gl-object-get-calls.html
 conformance/glsl-conformance.html
 conformance/glsl-long-variable-names.html
+conformance/invalid-passed-params.html
 conformance/premultiplyalpha-test.html
 conformance/program-test.html
 conformance/read-pixels-test.html
 conformance/tex-input-validation.html
 conformance/texture-npot.html
 conformance/more/conformance/quickCheckAPI.html
 conformance/more/functions/copyTexImage2D.html
 conformance/more/functions/copyTexSubImage2D.html
--- a/content/canvas/test/webgl/failing_tests_windows.txt
+++ b/content/canvas/test/webgl/failing_tests_windows.txt
@@ -1,13 +1,14 @@
 conformance/drawingbuffer-static-canvas-test.html
 conformance/drawingbuffer-test.html
 conformance/framebuffer-object-attachment.html
 conformance/gl-getshadersource.html
 conformance/glsl-conformance.html
 conformance/glsl-long-variable-names.html
+conformance/invalid-passed-params.html
 conformance/premultiplyalpha-test.html
 conformance/read-pixels-test.html
 conformance/more/conformance/quickCheckAPI.html
 conformance/more/functions/copyTexImage2D.html
 conformance/more/functions/copyTexSubImage2D.html
 conformance/more/functions/deleteBufferBadArgs.html
 conformance/more/functions/uniformfArrayLen1.html
--- a/content/html/content/test/test_bug430392.html
+++ b/content/html/content/test/test_bug430392.html
@@ -35,14 +35,13 @@ function test() {
   is(edit.innerHTML, html,
      "adding and then deleting returns should not change text");
 
   SimpleTest.finish();
 }
 
 SimpleTest.waitForExplicitFinish();
 addLoadEvent(test);
-addLoadEvent(SimpleTest.finish);
 
 </script>
 </pre>
 </body>
 </html>
--- a/dom/base/nsGlobalWindow.cpp
+++ b/dom/base/nsGlobalWindow.cpp
@@ -981,16 +981,18 @@ nsGlobalWindow::~nsGlobalWindow()
   // We have to check if sWindowsById isn't null because ::Shutdown might have
   // been called.
   if (sWindowsById) {
     NS_ASSERTION(sWindowsById->Get(mWindowID),
                  "This window should be in the hash table");
     sWindowsById->Remove(mWindowID);
   }
 
+  --gRefCnt;
+
 #ifdef DEBUG
   if (!PR_GetEnv("MOZ_QUIET")) {
     nsCAutoString url;
     if (mLastOpenedURI) {
       mLastOpenedURI->GetSpec(url);
     }
 
     printf("--DOMWINDOW == %d (%p) [serial = %d] [outer = %p] [url = %s]\n",
--- a/dom/interfaces/core/nsIDOMNode.idl
+++ b/dom/interfaces/core/nsIDOMNode.idl
@@ -47,17 +47,17 @@ interface nsIDOMUserDataHandler;
  * The nsIDOMNode interface is the primary datatype for the entire 
  * Document Object Model.
  * It represents a single node in the document tree.
  *
  * For more information on this interface please see 
  * http://dvcs.w3.org/hg/domcore/raw-file/tip/Overview.html
  */
 
-[scriptable, uuid(29a95243-c73e-454c-a996-272f6727b03c)]
+[scriptable, uuid(af9b19f7-7c88-4d16-9a3a-97390f824c58)]
 interface nsIDOMNode : nsISupports
 {
   const unsigned short      ELEMENT_NODE       = 1;
   const unsigned short      ATTRIBUTE_NODE     = 2;
   const unsigned short      TEXT_NODE          = 3;
   const unsigned short      CDATA_SECTION_NODE = 4;
   const unsigned short      ENTITY_REFERENCE_NODE = 5;
   const unsigned short      ENTITY_NODE        = 6;
@@ -141,9 +141,11 @@ interface nsIDOMNode : nsISupports
   // Introduced in DOM Level 3:
   boolean            isEqualNode(in nsIDOMNode arg);
   // Introduced in DOM Level 3:
   nsIVariant         setUserData(in DOMString key, 
                                  in nsIVariant data, 
                                  in nsIDOMUserDataHandler handler);
   // Introduced in DOM Level 3:
   nsIVariant         getUserData(in DOMString key);
+
+  boolean            contains(in nsIDOMNode aOther);
 };
--- a/dom/plugins/base/nsPluginNativeWindowWin.cpp
+++ b/dom/plugins/base/nsPluginNativeWindowWin.cpp
@@ -490,25 +490,33 @@ SetWindowLongWHook(HWND hWnd,
   return proc;
 }
 
 static void
 HookSetWindowLongPtr()
 {
   sUser32Intercept.Init("user32.dll");
 #ifdef _WIN64
-  sUser32Intercept.AddHook("SetWindowLongPtrA", reinterpret_cast<intptr_t>(SetWindowLongPtrAHook),
-                           (void**) &sUser32SetWindowLongAHookStub);
-  sUser32Intercept.AddHook("SetWindowLongPtrW", reinterpret_cast<intptr_t>(SetWindowLongPtrWHook),
-                           (void**) &sUser32SetWindowLongWHookStub);
+  if (!sUser32SetWindowLongAHookStub)
+    sUser32Intercept.AddHook("SetWindowLongPtrA",
+                             reinterpret_cast<intptr_t>(SetWindowLongPtrAHook),
+                             (void**) &sUser32SetWindowLongAHookStub);
+  if (!sUser32SetWindowLongWHookStub)
+    sUser32Intercept.AddHook("SetWindowLongPtrW",
+                             reinterpret_cast<intptr_t>(SetWindowLongPtrWHook),
+                             (void**) &sUser32SetWindowLongWHookStub);
 #else
-  sUser32Intercept.AddHook("SetWindowLongA", reinterpret_cast<intptr_t>(SetWindowLongAHook),
-                           (void**) &sUser32SetWindowLongAHookStub);
-  sUser32Intercept.AddHook("SetWindowLongW", reinterpret_cast<intptr_t>(SetWindowLongWHook),
-                           (void**) &sUser32SetWindowLongWHookStub);
+  if (!sUser32SetWindowLongAHookStub)
+    sUser32Intercept.AddHook("SetWindowLongA",
+                             reinterpret_cast<intptr_t>(SetWindowLongAHook),
+                             (void**) &sUser32SetWindowLongAHookStub);
+  if (!sUser32SetWindowLongWHookStub)
+    sUser32Intercept.AddHook("SetWindowLongW",
+                             reinterpret_cast<intptr_t>(SetWindowLongWHook),
+                             (void**) &sUser32SetWindowLongWHookStub);
 #endif
 }
 
 /**
  *   nsPluginNativeWindowWin implementation
  */
 nsPluginNativeWindowWin::nsPluginNativeWindowWin() : nsPluginNativeWindow()
 {
--- a/dom/plugins/ipc/PluginInstanceChild.cpp
+++ b/dom/plugins/ipc/PluginInstanceChild.cpp
@@ -1486,25 +1486,29 @@ PluginInstanceChild::SetWindowLongWHook(
 void
 PluginInstanceChild::HookSetWindowLongPtr()
 {
     if (!(GetQuirks() & PluginModuleChild::QUIRK_FLASH_HOOK_SETLONGPTR))
         return;
 
     sUser32Intercept.Init("user32.dll");
 #ifdef _WIN64
-    sUser32Intercept.AddHook("SetWindowLongPtrA", reinterpret_cast<intptr_t>(SetWindowLongPtrAHook),
-                             (void**) &sUser32SetWindowLongAHookStub);
-    sUser32Intercept.AddHook("SetWindowLongPtrW", reinterpret_cast<intptr_t>(SetWindowLongPtrWHook),
-                             (void**) &sUser32SetWindowLongWHookStub);
+    if (!sUser32SetWindowLongAHookStub)
+        sUser32Intercept.AddHook("SetWindowLongPtrA", reinterpret_cast<intptr_t>(SetWindowLongPtrAHook),
+                                 (void**) &sUser32SetWindowLongAHookStub);
+    if (!sUser32SetWindowLongWHookStub)
+        sUser32Intercept.AddHook("SetWindowLongPtrW", reinterpret_cast<intptr_t>(SetWindowLongPtrWHook),
+                                 (void**) &sUser32SetWindowLongWHookStub);
 #else
-    sUser32Intercept.AddHook("SetWindowLongA", reinterpret_cast<intptr_t>(SetWindowLongAHook),
-                             (void**) &sUser32SetWindowLongAHookStub);
-    sUser32Intercept.AddHook("SetWindowLongW", reinterpret_cast<intptr_t>(SetWindowLongWHook),
-                             (void**) &sUser32SetWindowLongWHookStub);
+    if (!sUser32SetWindowLongAHookStub)
+        sUser32Intercept.AddHook("SetWindowLongA", reinterpret_cast<intptr_t>(SetWindowLongAHook),
+                                 (void**) &sUser32SetWindowLongAHookStub);
+    if (!sUser32SetWindowLongWHookStub)
+        sUser32Intercept.AddHook("SetWindowLongW", reinterpret_cast<intptr_t>(SetWindowLongWHook),
+                                 (void**) &sUser32SetWindowLongWHookStub);
 #endif
 }
 
 /* windowless track popup menu helpers */
 
 BOOL
 WINAPI
 PluginInstanceChild::TrackPopupHookProc(HMENU hMenu,
@@ -1566,19 +1570,21 @@ PluginInstanceChild::InitPopupMenuHook()
     if (!(GetQuirks() & PluginModuleChild::QUIRK_WINLESS_TRACKPOPUP_HOOK) ||
         sUser32TrackPopupMenuStub)
         return;
 
     // Note, once WindowsDllInterceptor is initialized for a module,
     // it remains initialized for that particular module for it's
     // lifetime. Additional instances are needed if other modules need
     // to be hooked.
-    sUser32Intercept.Init("user32.dll");
-    sUser32Intercept.AddHook("TrackPopupMenu", reinterpret_cast<intptr_t>(TrackPopupHookProc),
-                             (void**) &sUser32TrackPopupMenuStub);
+    if (!sUser32TrackPopupMenuStub) {
+        sUser32Intercept.Init("user32.dll");
+        sUser32Intercept.AddHook("TrackPopupMenu", reinterpret_cast<intptr_t>(TrackPopupHookProc),
+                                 (void**) &sUser32TrackPopupMenuStub);
+    }
 }
 
 void
 PluginInstanceChild::CreateWinlessPopupSurrogate()
 {
     // already initialized
     if (mWinlessPopupSurrogateHWND)
         return;
--- a/dom/plugins/ipc/PluginModuleChild.cpp
+++ b/dom/plugins/ipc/PluginModuleChild.cpp
@@ -1908,17 +1908,18 @@ PluginModuleChild::AllocPPluginInstance(
                                         NPError* rv)
 {
     PLUGIN_LOG_DEBUG_METHOD;
     AssertPluginThread();
 
     InitQuirksModes(aMimeType);
 
 #ifdef XP_WIN
-    if (mQuirks & QUIRK_FLASH_HOOK_GETWINDOWINFO) {
+    if ((mQuirks & QUIRK_FLASH_HOOK_GETWINDOWINFO) &&
+        !sGetWindowInfoPtrStub) {
         sUser32Intercept.Init("user32.dll");
         sUser32Intercept.AddHook("GetWindowInfo", reinterpret_cast<intptr_t>(PMCGetWindowInfoHook),
                                  (void**) &sGetWindowInfoPtrStub);
     }
 #endif
 
     nsAutoPtr<PluginInstanceChild> childInstance(
         new PluginInstanceChild(&mFunctions));
--- a/embedding/android/GeckoApp.java
+++ b/embedding/android/GeckoApp.java
@@ -136,17 +136,16 @@ abstract public class GeckoApp
         if (!checkAndSetLaunchState(LaunchState.Launching, LaunchState.Launched))
             return false;
 
         if (intent == null)
             intent = getIntent();
         final Intent i = intent;
         new Thread() {
             public void run() {
-                long startup_time = System.currentTimeMillis();
                 try {
                     if (mLibLoadThread != null)
                         mLibLoadThread.join();
                 } catch (InterruptedException ie) {}
                 surfaceView.mSplashStatusMsg =
                     getResources().getString(R.string.splash_screen_loading);
                 surfaceView.drawSplashScreen();
                 // unpack files in the components directory
@@ -455,22 +454,25 @@ abstract public class GeckoApp
     }
 
     abstract public String getPackageName();
     abstract public String getContentProcessName();
 
     protected void unpackComponents()
         throws IOException, FileNotFoundException
     {
-        ZipFile zip;
-        InputStream listStream;
+        File applicationPackage = new File(getApplication().getPackageResourcePath());
+        File componentsDir = new File(sGREDir, "components");
+        if (componentsDir.lastModified() == applicationPackage.lastModified())
+            return;
 
-        File componentsDir = new File(sGREDir, "components");
         componentsDir.mkdir();
-        zip = new ZipFile(getApplication().getPackageResourcePath());
+        componentsDir.setLastModified(applicationPackage.lastModified());
+
+        ZipFile zip = new ZipFile(applicationPackage);
 
         byte[] buf = new byte[8192];
         try {
             if (unpackFile(zip, buf, null, "removed-files"))
                 removeFiles();
         } catch (Exception ex) {
             // This file may not be there, so just log any errors and move on
             Log.w(LOG_FILE_NAME, "error removing files", ex);
--- a/js/src/xpconnect/src/dom_quickstubs.qsconf
+++ b/js/src/xpconnect/src/dom_quickstubs.qsconf
@@ -834,16 +834,22 @@ customMethodCalls = {
         'arg0Type': 'nsINode',
         'code': '    PRBool result = self->IsEqualTo(arg0);',
         'canFail': False
         },
     'nsIDOMNode_GetUserData': {
         'thisType': 'nsINode',
         'canFail': False
         },
+    'nsIDOMNode_Contains': {
+        'thisType': 'nsINode',
+        'arg0Type': 'nsINode',
+        'code': '    PRBool result = self->Contains(arg0);',
+        'canFail': False
+        },
     'nsIDOMNSHTMLElement_': {
         'thisType': 'nsGenericHTMLElement'
         },
     'nsIDOMHTMLElement_': {
         'thisType': 'nsGenericHTMLElement'
         },
     'nsIDOMElementCSSInlineStyle_GetStyle': {
         'thisType': 'nsStyledElement',
--- a/mobile/chrome/content/browser.js
+++ b/mobile/chrome/content/browser.js
@@ -177,17 +177,17 @@ var Browser = {
     // XXX change
 
     /* handles dispatching clicks on browser into clicks in content or zooms */
     Elements.browsers.customDragger = new Browser.MainDragger();
 
     /* handles web progress management for open browsers */
     Elements.browsers.webProgress = new Browser.WebProgress();
 
-    this.keyFilter = new KeyFilter(Elements.browsers);
+    this.keySender = new ContentCustomKeySender(Elements.browsers);
     let mouseModule = new MouseModule();
     let gestureModule = new GestureModule(Elements.browsers);
     let scrollWheelModule = new ScrollwheelModule(Elements.browsers);
 
     ContentTouchHandler.init();
 
     // Warning, total hack ahead. All of the real-browser related scrolling code
     // lies in a pretend scrollbox here. Let's not land this as-is. Maybe it's time
@@ -1221,29 +1221,24 @@ var Browser = {
         // a message for this particular tab
         setTimeout(function(self) {
           let tab = self.getTabForBrowser(browser);
           self._doCloseTab(tab);
         }, 0, this);
         break;
       }
 
-      case "Browser:KeyPress": {
-        let keyset = document.getElementById("mainKeyset");
-        keyset.setAttribute("disabled", "false");
-        if (json.preventDefault)
-          break;
-
+      case "Browser:KeyPress":
         let event = document.createEvent("KeyEvents");
         event.initKeyEvent("keypress", true, true, null,
                            json.ctrlKey, json.altKey, json.shiftKey, json.metaKey,
                            json.keyCode, json.charCode);
-        keyset.dispatchEvent(event);
+        document.getElementById("mainKeyset").dispatchEvent(event);
         break;
-      }
+
       case "Browser:ZoomToPoint:Return":
         if (json.zoomTo) {
           let rect = Rect.fromRect(json.zoomTo);
           this.zoomToPoint(json.x, json.y, rect);
         } else {
           this.zoomFromPoint(json.x, json.y);
         }
         break;
@@ -1974,36 +1969,57 @@ const ContentTouchHandler = {
   },
 
   toString: function toString() {
     return "[ContentTouchHandler] { }";
   }
 };
 
 
-/** Prevent chrome from consuming key events before remote content has a chance. */
-function KeyFilter(container) {
+/** Watches for mouse events in chrome and sends them to content. */
+function ContentCustomKeySender(container) {
   container.addEventListener("keypress", this, false);
   container.addEventListener("keyup", this, false);
   container.addEventListener("keydown", this, false);
 }
 
-KeyFilter.prototype = {
+ContentCustomKeySender.prototype = {
   handleEvent: function handleEvent(aEvent) {
     if (Elements.contentShowing.getAttribute("disabled") == "true")
       return;
 
     let browser = getBrowser();
     if (browser && browser.active && browser.getAttribute("remote") == "true") {
-        document.getElementById("mainKeyset").setAttribute("disabled", "true");
+      aEvent.stopPropagation();
+      aEvent.preventDefault();
+
+      let fl = browser.QueryInterface(Ci.nsIFrameLoaderOwner).frameLoader;
+      fl.sendCrossProcessKeyEvent(aEvent.type,
+                                  aEvent.keyCode,
+                                  (aEvent.type != "keydown") ? aEvent.charCode : null,
+                                  this._parseModifiers(aEvent));
     }
   },
 
+  _parseModifiers: function _parseModifiers(aEvent) {
+    const masks = Ci.nsIDOMNSEvent;
+    let mval = 0;
+    if (aEvent.shiftKey)
+      mval |= masks.SHIFT_MASK;
+    if (aEvent.ctrlKey)
+      mval |= masks.CONTROL_MASK;
+    if (aEvent.altKey)
+      mval |= masks.ALT_MASK;
+    if (aEvent.metaKey)
+      mval |= masks.META_MASK;
+    return mval;
+  },
+
   toString: function toString() {
-    return "[KeyFilter] { }";
+    return "[ContentCustomKeySender] { }";
   }
 };
 
 
 /**
  * Utility class to handle manipulations of the identity indicators in the UI
  */
 function IdentityHandler() {
@@ -2896,16 +2912,17 @@ Tab.prototype = {
     notification.appendChild(browser);
     Elements.browsers.insertBefore(notification, aInsertBefore);
 
     // stop about:blank from loading
     browser.stop();
 
     let fl = browser.QueryInterface(Ci.nsIFrameLoaderOwner).frameLoader;
     fl.renderMode = Ci.nsIFrameLoader.RENDER_MODE_ASYNC_SCROLL;
+    fl.eventMode = Ci.nsIFrameLoader.EVENT_MODE_DONT_FORWARD_TO_CHILD;
 
     return browser;
   },
 
   _destroyBrowser: function _destroyBrowser() {
     if (this._browser) {
       let notification = this._notification;
       let browser = this._browser;
--- a/mobile/chrome/content/common-ui.js
+++ b/mobile/chrome/content/common-ui.js
@@ -811,17 +811,17 @@ var FormHelperUI = {
         }
 
         // If the focus is not on the browser element, the key will not be sent
         // to the content so do it ourself
         let focusedElement = gFocusManager.getFocusedElementForWindow(window, true, {});
         if (focusedElement && focusedElement.localName == "browser")
           return;
 
-        Browser.keyFilter.handleEvent(aEvent);
+        Browser.keySender.handleEvent(aEvent);
         break;
 
       case "SizeChanged":
         setTimeout(function(self) {
           SelectHelperUI.sizeToContent();
           self._zoom(self._currentElementRect, self._currentCaretRect);
         }, 0, this);
         break;
--- a/mobile/chrome/content/content.js
+++ b/mobile/chrome/content/content.js
@@ -294,24 +294,26 @@ let Content = {
   },
 
   handleEvent: function handleEvent(aEvent) {
     switch (aEvent.type) {
       // If the keypress is a trusted event and has not been consume by content
       // let's send it back to the chrome process to have it handle shortcuts
       case "keypress":
         let timer = new Util.Timeout(function() {
+          if(aEvent.getPreventDefault())
+            return;
+
           let eventData = {
             ctrlKey: aEvent.ctrlKey,
             altKey: aEvent.altKey,
             shiftKey: aEvent.shiftKey,
             metaKey: aEvent.metaKey,
             keyCode: aEvent.keyCode,
-            charCode: aEvent.charCode,
-            preventDefault: aEvent.getPreventDefault()
+            charCode: aEvent.charCode
           };
           sendAsyncMessage("Browser:KeyPress", eventData);
         });
         timer.once(0);
         break;
 
       case "DOMActivate": {
         // In a local tab, open remote links in new tabs.
--- a/netwerk/dns/effective_tld_names.dat
+++ b/netwerk/dns/effective_tld_names.dat
@@ -4402,17 +4402,16 @@ ne.ug
 or.ug
 
 // uk : http://en.wikipedia.org/wiki/.uk
 *.uk
 *.sch.uk
 !bl.uk
 !british-library.uk
 !icnet.uk
-!gov.uk
 !jet.uk
 !mod.uk
 !nel.uk
 !nhs.uk
 !nic.uk
 !nls.uk
 !national-library-scotland.uk
 !parliament.uk
--- a/parser/html/nsHtml5TreeOpExecutor.cpp
+++ b/parser/html/nsHtml5TreeOpExecutor.cpp
@@ -53,16 +53,19 @@
 #include "nsContentUtils.h"
 #include "mozAutoDocUpdate.h"
 #include "nsNetUtil.h"
 #include "nsHtml5Parser.h"
 #include "nsHtml5Tokenizer.h"
 #include "nsHtml5TreeBuilder.h"
 #include "nsHtml5StreamParser.h"
 #include "mozilla/css/Loader.h"
+#include "mozilla/Util.h" // DebugOnly
+
+using namespace mozilla;
 
 NS_IMPL_CYCLE_COLLECTION_CLASS(nsHtml5TreeOpExecutor)
 
 NS_INTERFACE_TABLE_HEAD_CYCLE_COLLECTION_INHERITED(nsHtml5TreeOpExecutor)
   NS_INTERFACE_TABLE_INHERITED1(nsHtml5TreeOpExecutor, 
                                 nsIContentSink)
 NS_INTERFACE_TABLE_TAIL_INHERITING(nsContentSink)
 
@@ -126,17 +129,17 @@ nsHtml5TreeOpExecutor::DidBuildModel(PRB
     
     // If the above caused a call to nsIParser::Terminate(), let that call
     // win.
     if (!mParser) {
       return NS_OK;
     }
   }
   
-  static_cast<nsHtml5Parser*> (mParser.get())->DropStreamParser();
+  GetParser()->DropStreamParser();
 
   // This comes from nsXMLContentSink and nsHTMLContentSink
   DidBuildModelImpl(aTerminated);
 
   if (!mLayoutStarted) {
     // We never saw the body, and layout never got started. Force
     // layout *now*, to get an initial reflow.
 
@@ -264,17 +267,17 @@ void
 nsHtml5TreeOpExecutor::UpdateChildCounts()
 {
   // No-op
 }
 
 nsresult
 nsHtml5TreeOpExecutor::FlushTags()
 {
-    return NS_OK;
+  return NS_OK;
 }
 
 void
 nsHtml5TreeOpExecutor::PostEvaluateScript(nsIScriptElement *aElement)
 {
   nsCOMPtr<nsIHTMLDocument> htmlDocument = do_QueryInterface(mDocument);
   NS_ASSERTION(htmlDocument, "Document didn't QI into HTML document.");
   htmlDocument->ScriptExecuted(aElement);
@@ -311,17 +314,17 @@ nsHtml5TreeOpExecutor::UpdateStyleSheet(
   nsresult rv = ssle->UpdateStyleSheet(mFragmentMode ? nsnull : this,
                                        &willNotify,
                                        &isAlternate);
   if (NS_SUCCEEDED(rv) && willNotify && !isAlternate && !mFragmentMode) {
     ++mPendingSheetCount;
     mScriptLoader->AddExecuteBlocker();
   }
 
-  if (aElement->IsHTML() && aElement->Tag() == nsGkAtoms::link) {
+  if (aElement->IsHTML(nsGkAtoms::link)) {
     // look for <link rel="next" href="url">
     nsAutoString relVal;
     aElement->GetAttr(kNameSpaceID_None, nsGkAtoms::rel, relVal);
     if (!relVal.IsEmpty()) {
       // XXX seems overkill to generate this string array
       nsAutoTArray<nsString, 4> linkTypes;
       nsStyleLinkElement::ParseLinkTypes(relVal, linkTypes);
       PRBool hasPrefetch = linkTypes.Contains(NS_LITERAL_STRING("prefetch"));
@@ -351,18 +354,18 @@ nsHtml5TreeOpExecutor::FlushSpeculativeL
 {
   if (NS_UNLIKELY(!mParser)) {
     return;
   }
   nsTArray<nsHtml5SpeculativeLoad> speculativeLoadQueue;
   mStage.MoveSpeculativeLoadsTo(speculativeLoadQueue);
   const nsHtml5SpeculativeLoad* start = speculativeLoadQueue.Elements();
   const nsHtml5SpeculativeLoad* end = start + speculativeLoadQueue.Length();
-  for (nsHtml5SpeculativeLoad* iter = (nsHtml5SpeculativeLoad*)start;
-       iter < end; 
+  for (nsHtml5SpeculativeLoad* iter = const_cast<nsHtml5SpeculativeLoad*>(start);
+       iter < end;
        ++iter) {
     iter->Perform(this);
   }
 }
 
 class nsHtml5FlushLoopGuard
 {
   private:
@@ -453,20 +456,20 @@ nsHtml5TreeOpExecutor::RunFlushLoop()
       }
     } else {
       FlushSpeculativeLoads(); // Make sure speculative loads never start after
                                // the corresponding normal loads for the same
                                // URLs.
       // Not sure if this grip is still needed, but previously, the code
       // gripped before calling ParseUntilBlocked();
       nsRefPtr<nsHtml5StreamParser> streamKungFuDeathGrip = 
-        static_cast<nsHtml5Parser*> (mParser.get())->GetStreamParser();
+        GetParser()->GetStreamParser();
       // Now parse content left in the document.write() buffer queue if any.
       // This may generate tree ops on its own or dequeue a speculation.
-      static_cast<nsHtml5Parser*> (mParser.get())->ParseUntilBlocked();
+      GetParser()->ParseUntilBlocked();
     }
 
     if (mOpQueue.IsEmpty()) {
       // Avoid bothering the rest of the engine with a doc update if there's 
       // nothing to do.
       return;
     }
 
@@ -477,17 +480,17 @@ nsHtml5TreeOpExecutor::RunFlushLoop()
     BeginDocUpdate();
 
     PRUint32 numberOfOpsToFlush = mOpQueue.Length();
 
     mElementsSeenInThisAppendBatch.SetCapacity(numberOfOpsToFlush * 2);
 
     const nsHtml5TreeOperation* first = mOpQueue.Elements();
     const nsHtml5TreeOperation* last = first + numberOfOpsToFlush - 1;
-    for (nsHtml5TreeOperation* iter = (nsHtml5TreeOperation*)first;;) {
+    for (nsHtml5TreeOperation* iter = const_cast<nsHtml5TreeOperation*>(first);;) {
       if (NS_UNLIKELY(!mParser)) {
         // The previous tree op caused a call to nsIParser::Terminate().
         break;
       }
       NS_ASSERTION(mFlushState == eInDocUpdate, 
         "Tried to perform tree op outside update batch.");
       iter->Perform(this, &scriptElement);
 
@@ -576,18 +579,18 @@ nsHtml5TreeOpExecutor::FlushDocumentWrit
   BeginDocUpdate();
 
   PRUint32 numberOfOpsToFlush = mOpQueue.Length();
 
   mElementsSeenInThisAppendBatch.SetCapacity(numberOfOpsToFlush * 2);
 
   const nsHtml5TreeOperation* start = mOpQueue.Elements();
   const nsHtml5TreeOperation* end = start + numberOfOpsToFlush;
-  for (nsHtml5TreeOperation* iter = (nsHtml5TreeOperation*)start;
-       iter < end; 
+  for (nsHtml5TreeOperation* iter = const_cast<nsHtml5TreeOperation*>(start);
+       iter < end;
        ++iter) {
     if (NS_UNLIKELY(!mParser)) {
       // The previous tree op caused a call to nsIParser::Terminate().
       break;
     }
     NS_ASSERTION(mFlushState == eInDocUpdate, 
       "Tried to perform tree op outside update batch.");
     iter->Perform(this, &scriptElement);
@@ -658,17 +661,17 @@ nsHtml5TreeOpExecutor::SetDocumentMode(n
 void
 nsHtml5TreeOpExecutor::StartLayout() {
   if (mLayoutStarted || !mDocument) {
     return;
   }
 
   EndDocUpdate();
 
-  if(NS_UNLIKELY(!mParser)) {
+  if (NS_UNLIKELY(!mParser)) {
     // got terminate
     return;
   }
 
   nsContentSink::StartLayout(PR_FALSE);
 
   BeginDocUpdate();
 }
@@ -769,17 +772,17 @@ nsHtml5TreeOpExecutor::Start()
 }
 
 void
 nsHtml5TreeOpExecutor::NeedsCharsetSwitchTo(const char* aEncoding,
                                             PRInt32 aSource)
 {
   EndDocUpdate();
 
-  if(NS_UNLIKELY(!mParser)) {
+  if (NS_UNLIKELY(!mParser)) {
     // got terminate
     return;
   }
   
   nsCOMPtr<nsIWebShellServices> wss = do_QueryInterface(mDocShell);
   if (!wss) {
     return;
   }
@@ -791,25 +794,31 @@ nsHtml5TreeOpExecutor::NeedsCharsetSwitc
   // if the charset switch was accepted, wss has called Terminate() on the
   // parser by now
 
   if (!mParser) {
     // success
     return;
   }
 
-  (static_cast<nsHtml5Parser*> (mParser.get()))->ContinueAfterFailedCharsetSwitch();
+  GetParser()->ContinueAfterFailedCharsetSwitch();
 
   BeginDocUpdate();
 }
 
+nsHtml5Parser*
+nsHtml5TreeOpExecutor::GetParser()
+{
+  return static_cast<nsHtml5Parser*>(mParser.get());
+}
+
 nsHtml5Tokenizer*
 nsHtml5TreeOpExecutor::GetTokenizer()
 {
-  return (static_cast<nsHtml5Parser*> (mParser.get()))->GetTokenizer();
+  return GetParser()->GetTokenizer();
 }
 
 void
 nsHtml5TreeOpExecutor::Reset()
 {
   DropHeldElements();
   mReadingFromStage = PR_FALSE;
   mOpQueue.Clear();
@@ -839,17 +848,17 @@ nsHtml5TreeOpExecutor::MoveOpsFrom(nsTAr
     return;
   }
   mOpQueue.MoveElementsFrom(aOpQueue);
 }
 
 void
 nsHtml5TreeOpExecutor::InitializeDocWriteParserState(nsAHtml5TreeBuilderState* aState, PRInt32 aLine)
 {
-  static_cast<nsHtml5Parser*> (mParser.get())->InitializeDocWriteParserState(aState, aLine);
+  GetParser()->InitializeDocWriteParserState(aState, aLine);
 }
 
 // Speculative loading
 
 already_AddRefed<nsIURI>
 nsHtml5TreeOpExecutor::ConvertIfNotPreloadedYet(const nsAString& aURL)
 {
   // The URL of the document without <base>
@@ -872,19 +881,17 @@ nsHtml5TreeOpExecutor::ConvertIfNotPrelo
     return nsnull;
   }
   nsCAutoString spec;
   uri->GetSpec(spec);
   if (mPreloadedURLs.Contains(spec)) {
     return nsnull;
   }
   mPreloadedURLs.Put(spec);
-  nsIURI* retURI = uri;
-  NS_ADDREF(retURI);
-  return retURI;
+  return uri.forget();
 }
 
 void
 nsHtml5TreeOpExecutor::PreloadScript(const nsAString& aURL,
                                      const nsAString& aCharset,
                                      const nsAString& aType)
 {
   nsCOMPtr<nsIURI> uri = ConvertIfNotPreloadedYet(aURL);
@@ -919,21 +926,19 @@ nsHtml5TreeOpExecutor::PreloadImage(cons
 void
 nsHtml5TreeOpExecutor::SetSpeculationBase(const nsAString& aURL)
 {
   if (mSpeculationBaseURI) {
     // the first one wins
     return;
   }
   const nsCString& charset = mDocument->GetDocumentCharacterSet();
-  nsresult rv = NS_NewURI(getter_AddRefs(mSpeculationBaseURI), aURL,
-      charset.get(), mDocument->GetDocumentURI());
-  if (NS_FAILED(rv)) {
-    NS_WARNING("Failed to create a URI");
-  }
+  DebugOnly<nsresult> rv = NS_NewURI(getter_AddRefs(mSpeculationBaseURI), aURL,
+                                     charset.get(), mDocument->GetDocumentURI());
+  NS_WARN_IF_FALSE(NS_SUCCEEDED(rv), "Failed to create a URI");
 }
 
 #ifdef DEBUG_NS_HTML5_TREE_OP_EXECUTOR_FLUSH
 PRUint32 nsHtml5TreeOpExecutor::sAppendBatchMaxSize = 0;
 PRUint32 nsHtml5TreeOpExecutor::sAppendBatchSlotsExamined = 0;
 PRUint32 nsHtml5TreeOpExecutor::sAppendBatchExaminations = 0;
 PRUint32 nsHtml5TreeOpExecutor::sLongestTimeOffTheEventLoop = 0;
 PRUint32 nsHtml5TreeOpExecutor::sTimesFlushLoopInterrupted = 0;
--- a/parser/html/nsHtml5TreeOpExecutor.h
+++ b/parser/html/nsHtml5TreeOpExecutor.h
@@ -54,16 +54,17 @@
 #include "nsIScriptElement.h"
 #include "nsIParser.h"
 #include "nsCOMArray.h"
 #include "nsAHtml5TreeOpSink.h"
 #include "nsHtml5TreeOpStage.h"
 #include "nsHashSets.h"
 #include "nsIURI.h"
 
+class nsHtml5Parser;
 class nsHtml5TreeBuilder;
 class nsHtml5Tokenizer;
 class nsHtml5StreamParser;
 
 typedef nsIContent* nsIContentPtr;
 
 enum eHtml5FlushState {
   eNotFlushing = 0,  // not flushing
@@ -397,16 +398,17 @@ class nsHtml5TreeOpExecutor : public nsC
 
     void PreloadStyle(const nsAString& aURL, const nsAString& aCharset);
 
     void PreloadImage(const nsAString& aURL, const nsAString& aCrossOrigin);
 
     void SetSpeculationBase(const nsAString& aURL);
 
   private:
+    nsHtml5Parser* GetParser();
 
     nsHtml5Tokenizer* GetTokenizer();
 
     /**
      * Get a nsIURI for an nsString if the URL hasn't been preloaded yet.
      */
     already_AddRefed<nsIURI> ConvertIfNotPreloadedYet(const nsAString& aURL);
 
--- a/security/manager/ssl/src/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/src/nsNSSCallbacks.cpp
@@ -1033,62 +1033,77 @@ static struct nsSerialBinaryBlacklistEnt
   { 16, "\x3e\x75\xce\xd4\x6b\x69\x30\x21\x21\x88\x30\xae\x86\xa8\x2a\x71" },
   { 17, "\x00\xe9\x02\x8b\x95\x78\xe4\x15\xdc\x1a\x71\x0a\x2b\x88\x15\x44\x47" },
   { 17, "\x00\xd7\x55\x8f\xda\xf5\xf1\x10\x5b\xb2\x13\x28\x2b\x70\x77\x29\xa3" },
   { 16, "\x04\x7e\xcb\xe9\xfc\xa5\x5f\x7b\xd0\x9e\xae\x36\xe1\x0c\xae\x1e" },
   { 17, "\x00\xf5\xc8\x6a\xf3\x61\x62\xf1\x3a\x64\xf5\x4f\x6d\xc9\x58\x7c\x06" },
   { 0, 0 } // end marker
 };
 
-// Bug 682927: Do not trust any DigiNotar-issued certificates.
-// We do this check after normal certificate validation because we do not
-// want to override a "revoked" OCSP response.
+// Call this if we have already decided that a cert should be treated as INVALID,
+// in order to check if we to worsen the error to REVOKED.
+PRErrorCode
+PSM_SSL_DigiNotarTreatAsRevoked(CERTCertificate * serverCert,
+                                CERTCertList * serverCertChain)
+{
+  // If any involved cert was issued by DigiNotar, 
+  // and serverCert was issued after 01-JUL-2011,
+  // then worsen the error to revoked.
+  
+  PRTime cutoff = 0;
+  PRStatus status = PR_ParseTimeString("01-JUL-2011 00:00", PR_TRUE, &cutoff);
+  if (status != PR_SUCCESS) {
+    NS_ASSERTION(status == PR_SUCCESS, "PR_ParseTimeString failed");
+    // be safe, assume it's afterwards, keep going
+  } else {
+    PRTime notBefore = 0, notAfter = 0;
+    if (CERT_GetCertTimes(serverCert, &notBefore, &notAfter) == SECSuccess &&
+           notBefore < cutoff) {
+      // no worsening for certs issued before the cutoff date
+      return 0;
+    }
+  }
+  
+  for (CERTCertListNode *node = CERT_LIST_HEAD(serverCertChain);
+       !CERT_LIST_END(node, serverCertChain);
+       node = CERT_LIST_NEXT(node)) {
+    if (node->cert->issuerName &&
+        strstr(node->cert->issuerName, "CN=DigiNotar")) {
+      return SEC_ERROR_REVOKED_CERTIFICATE;
+    }
+  }
+  
+  return 0;
+}
+
+// Call this only if a cert has been reported by NSS as VALID
 PRErrorCode
 PSM_SSL_BlacklistDigiNotar(CERTCertificate * serverCert,
                            CERTCertList * serverCertChain)
 {
   PRBool isDigiNotarIssuedCert = PR_FALSE;
 
   for (CERTCertListNode *node = CERT_LIST_HEAD(serverCertChain);
        !CERT_LIST_END(node, serverCertChain);
        node = CERT_LIST_NEXT(node)) {
     if (!node->cert->issuerName)
       continue;
 
     if (strstr(node->cert->issuerName, "CN=DigiNotar")) {
       isDigiNotarIssuedCert = PR_TRUE;
-      // Do not let the user override the error if the cert was
-      // chained from the "DigiNotar Root CA" cert and the cert was issued
-      // within the time window in which we think the mis-issuance(s) occurred.
-      if (strstr(node->cert->issuerName, "CN=DigiNotar Root CA")) {
-        PRTime cutoff = 0, notBefore = 0, notAfter = 0;
-        PRStatus status = PR_ParseTimeString("01-JUL-2011 00:00", PR_TRUE, &cutoff);
-        NS_ASSERTION(status == PR_SUCCESS, "PR_ParseTimeString failed");
-        if (status != PR_SUCCESS ||
-           CERT_GetCertTimes(serverCert, &notBefore, &notAfter) != SECSuccess ||
-           notBefore >= cutoff) {
-          return SEC_ERROR_REVOKED_CERTIFICATE;
-        }
-      }
     }
-
-    // By request of the Dutch government
-    if ((!strcmp(node->cert->issuerName,
-                "CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL") ||
-         !strcmp(node->cert->issuerName,
-                "CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL")) &&
-        CERT_LIST_END(CERT_LIST_NEXT(node), serverCertChain)) {
-      return 0;
-    }
   }
 
-  if (isDigiNotarIssuedCert)
-    return SEC_ERROR_UNTRUSTED_ISSUER; // user can override this
-  else
-    return 0; // No DigiNotor cert => carry on as normal
+  if (isDigiNotarIssuedCert) {
+    // let's see if we want to worsen the error code to revoked.
+    PRErrorCode revoked_code = PSM_SSL_DigiNotarTreatAsRevoked(serverCert, serverCertChain);
+    return (revoked_code != 0) ? revoked_code : SEC_ERROR_UNTRUSTED_ISSUER;
+  }
+
+  return 0;
 }
 
 
 SECStatus PR_CALLBACK AuthCertificateCallback(void* client_data, PRFileDesc* fd,
                                               PRBool checksig, PRBool isServer) {
   nsNSSShutDownPreventionLock locker;
 
   CERTCertificate *serverCert = SSL_PeerCertificate(fd);
@@ -1144,28 +1159,37 @@ SECStatus PR_CALLBACK AuthCertificateCal
     nsRefPtr<nsSSLStatus> status = infoObject->SSLStatus();
     nsRefPtr<nsNSSCertificate> nsc;
 
     if (!status || !status->mServerCert) {
       nsc = nsNSSCertificate::Create(serverCert);
     }
 
     CERTCertList *certList = nsnull;
-    if (rv == SECSuccess) {
-      certList = CERT_GetCertChainFromCert(serverCert, PR_Now(), certUsageSSLCA);
-      if (!certList) {
+    certList = CERT_GetCertChainFromCert(serverCert, PR_Now(), certUsageSSLCA);
+    if (!certList) {
+      rv = SECFailure;
+    } else {
+      PRErrorCode blacklistErrorCode;
+      if (rv == SECSuccess) { // PSM_SSL_PKIX_AuthCertificate said "valid cert"
+        blacklistErrorCode = PSM_SSL_BlacklistDigiNotar(serverCert, certList);
+      } else { // PSM_SSL_PKIX_AuthCertificate said "invalid cert"
+        PRErrorCode savedErrorCode = PORT_GetError();
+        // Check if we want to worsen the error code to "revoked".
+        blacklistErrorCode = PSM_SSL_DigiNotarTreatAsRevoked(serverCert, certList);
+        if (blacklistErrorCode == 0) {
+          // we don't worsen the code, let's keep the original error code from NSS
+          PORT_SetError(savedErrorCode);
+        }
+      }
+      
+      if (blacklistErrorCode != 0) {
+        infoObject->SetCertIssuerBlacklisted();
+        PORT_SetError(blacklistErrorCode);
         rv = SECFailure;
-      } else {
-        PRErrorCode blacklistErrorCode = PSM_SSL_BlacklistDigiNotar(serverCert,
-                                                                    certList);
-        if (blacklistErrorCode != 0) {
-          infoObject->SetCertIssuerBlacklisted();
-          PORT_SetError(blacklistErrorCode);
-          rv = SECFailure;
-        }
       }
     }
 
     if (rv == SECSuccess) {
       if (nsc) {
         PRBool dummyIsEV;
         nsc->GetIsExtendedValidation(&dummyIsEV); // the nsc object will cache the status
       }
--- a/security/nss/lib/ckfw/builtins/certdata.c
+++ b/security/nss/lib/ckfw/builtins/certdata.c
@@ -1034,16 +1034,52 @@ static const CK_ATTRIBUTE_TYPE nss_built
  CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_326 [] = {
  CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
 };
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_327 [] = {
  CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
 };
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_328 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_329 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_330 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_331 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_332 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_333 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_334 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_335 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_336 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_337 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_338 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_339 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
+};
 #ifdef DEBUG
 static const NSSItem nss_builtins_items_0 [] = {
   { (void *)&cko_data, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"CVS ID", (PRUint32)7 },
   { (void *)"NSS", (PRUint32)4 },
@@ -21754,16 +21790,821 @@ static const NSSItem nss_builtins_items_
 , (PRUint32)97 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
   { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ckt_nss_must_verify_trust, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
+static const NSSItem nss_builtins_items_328 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Explicitly Distrust DigiNotar Root CA", (PRUint32)38 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\116\114\061"
+"\022\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157"
+"\164\141\162\061\032\060\030\006\003\125\004\003\023\021\104\151"
+"\147\151\116\157\164\141\162\040\122\157\157\164\040\103\101\061"
+"\040\060\036\006\011\052\206\110\206\367\015\001\011\001\026\021"
+"\151\156\146\157\100\144\151\147\151\156\157\164\141\162\056\156"
+"\154"
+, (PRUint32)97 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\116\114\061"
+"\022\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157"
+"\164\141\162\061\032\060\030\006\003\125\004\003\023\021\104\151"
+"\147\151\116\157\164\141\162\040\122\157\157\164\040\103\101\061"
+"\040\060\036\006\011\052\206\110\206\367\015\001\011\001\026\021"
+"\151\156\146\157\100\144\151\147\151\156\157\164\141\162\056\156"
+"\154"
+, (PRUint32)97 },
+  { (void *)"\002\020\017\377\377\377\377\377\377\377\377\377\377\377\377\377"
+"\377\377"
+, (PRUint32)18 },
+  { (void *)"\060\202\005\212\060\202\003\162\240\003\002\001\002\002\020\017"
+"\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\060"
+"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\137"
+"\061\013\060\011\006\003\125\004\006\023\002\116\114\061\022\060"
+"\020\006\003\125\004\012\023\011\104\151\147\151\116\157\164\141"
+"\162\061\032\060\030\006\003\125\004\003\023\021\104\151\147\151"
+"\116\157\164\141\162\040\122\157\157\164\040\103\101\061\040\060"
+"\036\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156"
+"\146\157\100\144\151\147\151\156\157\164\141\162\056\156\154\060"
+"\036\027\015\060\067\060\067\062\067\061\067\061\071\063\067\132"
+"\027\015\062\065\060\063\063\061\061\070\061\071\062\062\132\060"
+"\137\061\013\060\011\006\003\125\004\006\023\002\116\114\061\022"
+"\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157\164"
+"\141\162\061\032\060\030\006\003\125\004\003\023\021\104\151\147"
+"\151\116\157\164\141\162\040\122\157\157\164\040\103\101\061\040"
+"\060\036\006\011\052\206\110\206\367\015\001\011\001\026\021\151"
+"\156\146\157\100\144\151\147\151\156\157\164\141\162\056\156\154"
+"\060\202\002\042\060\015\006\011\052\206\110\206\367\015\001\001"
+"\001\005\000\003\202\002\017\000\060\202\002\012\002\202\002\001"
+"\000\254\260\130\301\000\275\330\041\010\013\053\232\376\156\126"
+"\060\005\237\033\167\220\020\101\134\303\015\207\021\167\216\201"
+"\361\312\174\351\214\152\355\070\164\065\273\332\337\371\273\300"
+"\011\067\264\226\163\201\175\063\032\230\071\367\223\157\225\177"
+"\075\271\261\165\207\272\121\110\350\213\160\076\225\004\305\330"
+"\266\303\026\331\210\260\261\207\035\160\332\206\264\017\024\213"
+"\172\317\020\321\164\066\242\022\173\167\206\112\171\346\173\337"
+"\002\021\150\245\116\206\256\064\130\233\044\023\170\126\042\045"
+"\036\001\213\113\121\161\373\202\314\131\226\151\210\132\150\123"
+"\305\271\015\002\067\313\113\274\146\112\220\176\052\013\005\007"
+"\355\026\137\125\220\165\330\106\311\033\203\342\010\276\361\043"
+"\314\231\035\326\052\017\203\040\025\130\047\202\056\372\342\042"
+"\302\111\261\271\001\201\152\235\155\235\100\167\150\166\116\041"
+"\052\155\204\100\205\116\166\231\174\202\363\363\267\002\131\324"
+"\046\001\033\216\337\255\123\006\321\256\030\335\342\262\072\313"
+"\327\210\070\216\254\133\051\271\031\323\230\371\030\003\317\110"
+"\202\206\146\013\033\151\017\311\353\070\210\172\046\032\005\114"
+"\222\327\044\324\226\362\254\122\055\243\107\325\122\366\077\376"
+"\316\204\006\160\246\252\076\242\362\266\126\064\030\127\242\344"
+"\201\155\347\312\360\152\323\307\221\153\002\203\101\174\025\357"
+"\153\232\144\136\343\320\074\345\261\353\173\135\206\373\313\346"
+"\167\111\315\243\145\334\367\271\234\270\344\013\137\223\317\314"
+"\060\032\062\034\316\034\143\225\245\371\352\341\164\213\236\351"
+"\053\251\060\173\240\030\037\016\030\013\345\133\251\323\321\154"
+"\036\007\147\217\221\113\251\212\274\322\146\252\223\001\210\262"
+"\221\372\061\134\325\246\301\122\010\011\315\012\143\242\323\042"
+"\246\350\241\331\071\006\227\365\156\215\002\220\214\024\173\077"
+"\200\315\033\234\272\304\130\162\043\257\266\126\237\306\172\102"
+"\063\051\007\077\202\311\346\037\005\015\315\114\050\066\213\323"
+"\310\076\034\306\210\357\136\356\211\144\351\035\353\332\211\176"
+"\062\246\151\321\335\314\210\237\321\320\311\146\041\334\006\147"
+"\305\224\172\232\155\142\114\175\314\340\144\200\262\236\107\216"
+"\243\002\003\001\000\001\243\102\060\100\060\017\006\003\125\035"
+"\023\001\001\377\004\005\060\003\001\001\377\060\016\006\003\125"
+"\035\017\001\001\377\004\004\003\002\001\006\060\035\006\003\125"
+"\035\016\004\026\004\024\210\150\277\340\216\065\304\073\070\153"
+"\142\367\050\073\204\201\310\014\327\115\060\015\006\011\052\206"
+"\110\206\367\015\001\001\005\005\000\003\202\002\001\000\073\002"
+"\215\313\074\060\350\156\240\255\362\163\263\137\236\045\023\004"
+"\005\323\366\343\213\273\013\171\316\123\336\344\226\305\321\257"
+"\163\274\325\303\320\100\125\174\100\177\315\033\137\011\325\362"
+"\174\237\150\035\273\135\316\172\071\302\214\326\230\173\305\203"
+"\125\250\325\175\100\312\340\036\367\211\136\143\135\241\023\302"
+"\135\212\266\212\174\000\363\043\303\355\205\137\161\166\360\150"
+"\143\252\105\041\071\110\141\170\066\334\361\103\223\324\045\307"
+"\362\200\145\341\123\002\165\121\374\172\072\357\067\253\204\050"
+"\127\014\330\324\324\231\126\154\343\242\376\131\204\264\061\350"
+"\063\370\144\224\224\121\227\253\071\305\113\355\332\335\200\013"
+"\157\174\051\015\304\216\212\162\015\347\123\024\262\140\101\075"
+"\204\221\061\150\075\047\104\333\345\336\364\372\143\105\310\114"
+"\076\230\365\077\101\272\116\313\067\015\272\146\230\361\335\313"
+"\237\134\367\124\066\202\153\054\274\023\141\227\102\370\170\273"
+"\314\310\242\237\312\360\150\275\153\035\262\337\215\157\007\235"
+"\332\216\147\307\107\036\312\271\277\052\102\221\267\143\123\146"
+"\361\102\243\341\364\132\115\130\153\265\344\244\063\255\134\160"
+"\035\334\340\362\353\163\024\221\232\003\301\352\000\145\274\007"
+"\374\317\022\021\042\054\256\240\275\072\340\242\052\330\131\351"
+"\051\323\030\065\244\254\021\137\031\265\265\033\377\042\112\134"
+"\306\172\344\027\357\040\251\247\364\077\255\212\247\232\004\045"
+"\235\016\312\067\346\120\375\214\102\051\004\232\354\271\317\113"
+"\162\275\342\010\066\257\043\057\142\345\312\001\323\160\333\174"
+"\202\043\054\026\061\014\306\066\007\220\172\261\037\147\130\304"
+"\073\130\131\211\260\214\214\120\263\330\206\313\150\243\304\012"
+"\347\151\113\040\316\301\036\126\113\225\251\043\150\330\060\330"
+"\303\353\260\125\121\315\345\375\053\270\365\273\021\237\123\124"
+"\366\064\031\214\171\011\066\312\141\027\045\027\013\202\230\163"
+"\014\167\164\303\325\015\307\250\022\114\307\247\124\161\107\056"
+"\054\032\175\311\343\053\073\110\336\047\204\247\143\066\263\175"
+"\217\240\144\071\044\015\075\173\207\257\146\134\164\033\113\163"
+"\262\345\214\360\206\231\270\345\305\337\204\301\267\353"
+, (PRUint32)1422 }
+};
+static const NSSItem nss_builtins_items_329 [] = {
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Explicitly Distrust DigiNotar Root CA", (PRUint32)38 },
+  { (void *)"\301\167\313\113\340\264\046\216\365\307\317\105\231\042\271\260"
+"\316\272\041\057"
+, (PRUint32)20 },
+  { (void *)"\012\244\325\314\272\264\373\243\131\343\346\001\335\123\331\116"
+, (PRUint32)16 },
+  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\116\114\061"
+"\022\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157"
+"\164\141\162\061\032\060\030\006\003\125\004\003\023\021\104\151"
+"\147\151\116\157\164\141\162\040\122\157\157\164\040\103\101\061"
+"\040\060\036\006\011\052\206\110\206\367\015\001\011\001\026\021"
+"\151\156\146\157\100\144\151\147\151\156\157\164\141\162\056\156"
+"\154"
+, (PRUint32)97 },
+  { (void *)"\002\020\017\377\377\377\377\377\377\377\377\377\377\377\377\377"
+"\377\377"
+, (PRUint32)18 },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
+};
+static const NSSItem nss_builtins_items_330 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Explicitly Distrust DigiNotar Services 1024 CA", (PRUint32)47 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\150\061\013\060\011\006\003\125\004\006\023\002\116\114\061"
+"\022\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157"
+"\164\141\162\061\043\060\041\006\003\125\004\003\023\032\104\151"
+"\147\151\116\157\164\141\162\040\123\145\162\166\151\143\145\163"
+"\040\061\060\062\064\040\103\101\061\040\060\036\006\011\052\206"
+"\110\206\367\015\001\011\001\026\021\151\156\146\157\100\144\151"
+"\147\151\156\157\164\141\162\056\156\154"
+, (PRUint32)106 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\150\061\013\060\011\006\003\125\004\006\023\002\116\114\061"
+"\022\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157"
+"\164\141\162\061\043\060\041\006\003\125\004\003\023\032\104\151"
+"\147\151\116\157\164\141\162\040\123\145\162\166\151\143\145\163"
+"\040\061\060\062\064\040\103\101\061\040\060\036\006\011\052\206"
+"\110\206\367\015\001\011\001\026\021\151\156\146\157\100\144\151"
+"\147\151\156\157\164\141\162\056\156\154"
+, (PRUint32)106 },
+  { (void *)"\002\004\017\377\377\377"
+, (PRUint32)6 },
+  { (void *)"\060\202\003\161\060\202\002\332\240\003\002\001\002\002\004\017"
+"\377\377\377\060\015\006\011\052\206\110\206\367\015\001\001\005"
+"\005\000\060\150\061\013\060\011\006\003\125\004\006\023\002\116"
+"\114\061\022\060\020\006\003\125\004\012\023\011\104\151\147\151"
+"\116\157\164\141\162\061\043\060\041\006\003\125\004\003\023\032"
+"\104\151\147\151\116\157\164\141\162\040\123\145\162\166\151\143"
+"\145\163\040\061\060\062\064\040\103\101\061\040\060\036\006\011"
+"\052\206\110\206\367\015\001\011\001\026\021\151\156\146\157\100"
+"\144\151\147\151\156\157\164\141\162\056\156\154\060\036\027\015"
+"\060\067\060\067\062\066\061\065\065\071\060\061\132\027\015\061"
+"\063\060\070\062\066\061\066\062\071\060\061\132\060\150\061\013"
+"\060\011\006\003\125\004\006\023\002\116\114\061\022\060\020\006"
+"\003\125\004\012\023\011\104\151\147\151\116\157\164\141\162\061"
+"\043\060\041\006\003\125\004\003\023\032\104\151\147\151\116\157"
+"\164\141\162\040\123\145\162\166\151\143\145\163\040\061\060\062"
+"\064\040\103\101\061\040\060\036\006\011\052\206\110\206\367\015"
+"\001\011\001\026\021\151\156\146\157\100\144\151\147\151\156\157"
+"\164\141\162\056\156\154\060\201\237\060\015\006\011\052\206\110"
+"\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002"
+"\201\201\000\332\233\115\135\074\371\321\342\213\306\306\010\040"
+"\305\331\036\110\354\146\130\147\171\142\053\101\143\364\211\215"
+"\150\332\257\270\224\066\213\031\044\244\240\223\322\231\017\262"
+"\255\055\065\115\315\057\152\341\371\233\031\053\274\004\032\176"
+"\055\075\122\144\315\361\076\147\017\211\056\350\362\117\256\246"
+"\010\241\205\376\241\251\011\346\306\253\076\103\374\257\172\003"
+"\221\332\246\071\246\141\356\230\117\030\250\323\263\257\146\202"
+"\351\237\274\335\162\371\006\004\275\022\331\030\044\347\253\223"
+"\123\213\131\002\003\001\000\001\243\202\001\046\060\202\001\042"
+"\060\022\006\003\125\035\023\001\001\377\004\010\060\006\001\001"
+"\377\002\001\000\060\047\006\003\125\035\045\004\040\060\036\006"
+"\010\053\006\001\005\005\007\003\001\006\010\053\006\001\005\005"
+"\007\003\002\006\010\053\006\001\005\005\007\003\004\060\021\006"
+"\003\125\035\040\004\012\060\010\060\006\006\004\125\035\040\000"
+"\060\063\006\010\053\006\001\005\005\007\001\001\004\047\060\045"
+"\060\043\006\010\053\006\001\005\005\007\060\001\206\027\150\164"
+"\164\160\072\057\057\157\143\163\160\056\145\156\164\162\165\163"
+"\164\056\156\145\164\060\063\006\003\125\035\037\004\054\060\052"
+"\060\050\240\046\240\044\206\042\150\164\164\160\072\057\057\143"
+"\162\154\056\145\156\164\162\165\163\164\056\156\145\164\057\163"
+"\145\162\166\145\162\061\056\143\162\154\060\035\006\003\125\035"
+"\016\004\026\004\024\376\334\224\111\014\157\357\134\177\306\361"
+"\022\231\117\026\111\255\373\202\145\060\013\006\003\125\035\017"
+"\004\004\003\002\001\006\060\037\006\003\125\035\043\004\030\060"
+"\026\200\024\360\027\142\023\125\075\263\377\012\000\153\373\120"
+"\204\227\363\355\142\320\032\060\031\006\011\052\206\110\206\366"
+"\175\007\101\000\004\014\060\012\033\004\126\067\056\061\003\002"
+"\000\201\060\015\006\011\052\206\110\206\367\015\001\001\005\005"
+"\000\003\201\201\000\143\164\152\067\251\077\226\234\146\310\130"
+"\254\011\311\357\365\145\224\177\243\002\304\070\061\275\135\043"
+"\207\354\324\126\262\311\262\156\344\005\006\374\354\365\372\210"
+"\160\131\324\356\346\335\265\172\240\243\140\057\002\014\253\336"
+"\022\135\257\360\065\113\252\212\107\221\032\365\205\054\102\307"
+"\035\357\225\103\263\136\270\225\223\245\332\305\050\252\255\162"
+"\055\061\255\231\153\154\377\214\041\047\257\255\232\221\053\307"
+"\335\130\303\156\007\305\237\171\322\307\214\125\277\114\307\047"
+"\136\121\026\053\076"
+, (PRUint32)885 }
+};
+static const NSSItem nss_builtins_items_331 [] = {
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Explicitly Distrust DigiNotar Services 1024 CA", (PRUint32)47 },
+  { (void *)"\022\073\352\312\146\147\167\141\340\353\150\362\376\355\242\017"
+"\040\005\125\160"
+, (PRUint32)20 },
+  { (void *)"\057\026\150\227\114\150\117\316\122\212\354\123\217\223\111\370"
+, (PRUint32)16 },
+  { (void *)"\060\150\061\013\060\011\006\003\125\004\006\023\002\116\114\061"
+"\022\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157"
+"\164\141\162\061\043\060\041\006\003\125\004\003\023\032\104\151"
+"\147\151\116\157\164\141\162\040\123\145\162\166\151\143\145\163"
+"\040\061\060\062\064\040\103\101\061\040\060\036\006\011\052\206"
+"\110\206\367\015\001\011\001\026\021\151\156\146\157\100\144\151"
+"\147\151\156\157\164\141\162\056\156\154"
+, (PRUint32)106 },
+  { (void *)"\002\004\017\377\377\377"
+, (PRUint32)6 },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
+};
+static const NSSItem nss_builtins_items_332 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Explicitly Distrust DigiNotar Cyber CA", (PRUint32)39 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\140\061\013\060\011\006\003\125\004\006\023\002\116\114\061"
+"\022\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157"
+"\164\141\162\061\033\060\031\006\003\125\004\003\023\022\104\151"
+"\147\151\116\157\164\141\162\040\103\171\142\145\162\040\103\101"
+"\061\040\060\036\006\011\052\206\110\206\367\015\001\011\001\026"
+"\021\151\156\146\157\100\144\151\147\151\156\157\164\141\162\056"
+"\156\154"
+, (PRUint32)98 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\140\061\013\060\011\006\003\125\004\006\023\002\116\114\061"
+"\022\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157"
+"\164\141\162\061\033\060\031\006\003\125\004\003\023\022\104\151"
+"\147\151\116\157\164\141\162\040\103\171\142\145\162\040\103\101"
+"\061\040\060\036\006\011\052\206\110\206\367\015\001\011\001\026"
+"\021\151\156\146\157\100\144\151\147\151\156\157\164\141\162\056"
+"\156\154"
+, (PRUint32)98 },
+  { (void *)"\002\004\017\377\377\377"
+, (PRUint32)6 },
+  { (void *)"\060\202\005\105\060\202\004\256\240\003\002\001\002\002\004\017"
+"\377\377\377\060\015\006\011\052\206\110\206\367\015\001\001\005"
+"\005\000\060\140\061\013\060\011\006\003\125\004\006\023\002\116"
+"\114\061\022\060\020\006\003\125\004\012\023\011\104\151\147\151"
+"\116\157\164\141\162\061\033\060\031\006\003\125\004\003\023\022"
+"\104\151\147\151\116\157\164\141\162\040\103\171\142\145\162\040"
+"\103\101\061\040\060\036\006\011\052\206\110\206\367\015\001\011"
+"\001\026\021\151\156\146\157\100\144\151\147\151\156\157\164\141"
+"\162\056\156\154\060\036\027\015\060\066\061\060\060\064\061\060"
+"\065\064\061\062\132\027\015\061\061\061\060\060\064\061\060\065"
+"\063\061\062\132\060\140\061\013\060\011\006\003\125\004\006\023"
+"\002\116\114\061\022\060\020\006\003\125\004\012\023\011\104\151"
+"\147\151\116\157\164\141\162\061\033\060\031\006\003\125\004\003"
+"\023\022\104\151\147\151\116\157\164\141\162\040\103\171\142\145"
+"\162\040\103\101\061\040\060\036\006\011\052\206\110\206\367\015"
+"\001\011\001\026\021\151\156\146\157\100\144\151\147\151\156\157"
+"\164\141\162\056\156\154\060\202\002\042\060\015\006\011\052\206"
+"\110\206\367\015\001\001\001\005\000\003\202\002\017\000\060\202"
+"\002\012\002\202\002\001\000\322\316\025\012\055\250\136\204\147"
+"\255\375\276\357\106\307\310\271\317\163\374\364\064\271\371\054"
+"\103\347\140\023\075\172\343\262\317\073\147\154\220\255\300\271"
+"\077\204\122\360\065\102\334\164\334\050\073\275\122\264\247\254"
+"\162\105\027\306\360\211\353\264\252\045\362\135\113\136\321\331"
+"\207\272\326\175\174\365\316\062\237\020\063\305\261\112\273\136"
+"\221\061\302\320\351\101\302\221\144\176\011\101\073\333\213\010"
+"\067\152\252\312\122\336\265\071\036\300\210\003\245\077\213\231"
+"\023\141\103\265\233\202\263\356\040\157\317\241\104\242\352\057"
+"\153\100\237\217\053\127\255\241\123\302\205\042\151\235\240\077"
+"\121\337\013\101\221\015\245\341\250\252\134\111\010\135\275\336"
+"\160\101\261\017\311\143\153\323\177\064\164\002\057\064\132\170"
+"\165\034\150\172\201\147\212\363\332\100\360\140\143\364\222\040"
+"\327\003\246\075\243\036\147\304\204\033\101\245\311\214\346\275"
+"\352\110\266\005\026\010\263\067\022\132\367\141\074\367\070\157"
+"\056\227\340\157\126\070\124\323\050\265\255\024\156\056\113\144"
+"\265\047\145\267\165\045\011\266\007\075\225\126\002\012\202\140"
+"\262\163\105\340\063\046\121\164\232\271\324\120\034\366\115\133"
+"\133\122\122\023\132\246\177\247\016\341\350\101\124\147\230\214"
+"\207\325\311\323\154\313\323\124\222\006\011\064\101\367\201\157"
+"\077\236\311\174\165\125\260\347\301\263\167\350\303\304\000\065"
+"\225\100\160\020\112\005\336\045\273\237\131\245\144\274\107\140"
+"\277\140\343\166\213\023\125\335\341\164\172\271\317\044\246\152"
+"\177\336\144\042\104\130\150\202\152\020\371\075\345\076\033\271"
+"\275\374\042\364\140\004\211\273\125\155\050\125\372\336\216\215"
+"\033\041\024\327\067\213\064\173\115\366\262\262\020\317\063\261"
+"\175\034\142\231\110\313\053\154\166\226\125\277\031\015\035\037"
+"\273\145\252\033\216\231\265\306\050\220\345\202\055\170\120\040"
+"\232\375\171\057\044\177\360\211\051\151\364\175\315\163\276\263"
+"\355\116\301\321\355\122\136\217\367\270\327\215\207\255\262\331"
+"\033\121\022\377\126\263\341\257\064\175\134\244\170\210\020\236"
+"\235\003\306\245\252\242\044\121\367\111\024\305\261\356\131\103"
+"\225\337\253\150\050\060\077\002\003\001\000\001\243\202\001\206"
+"\060\202\001\202\060\022\006\003\125\035\023\001\001\377\004\010"
+"\060\006\001\001\377\002\001\001\060\123\006\003\125\035\040\004"
+"\114\060\112\060\110\006\011\053\006\001\004\001\261\076\001\000"
+"\060\073\060\071\006\010\053\006\001\005\005\007\002\001\026\055"
+"\150\164\164\160\072\057\057\167\167\167\056\160\165\142\154\151"
+"\143\055\164\162\165\163\164\056\143\157\155\057\103\120\123\057"
+"\117\155\156\151\122\157\157\164\056\150\164\155\154\060\016\006"
+"\003\125\035\017\001\001\377\004\004\003\002\001\006\060\201\240"
+"\006\003\125\035\043\004\201\230\060\201\225\200\024\246\014\035"
+"\237\141\377\007\027\265\277\070\106\333\103\060\325\216\260\122"
+"\006\241\171\244\167\060\165\061\013\060\011\006\003\125\004\006"
+"\023\002\125\123\061\030\060\026\006\003\125\004\012\023\017\107"
+"\124\105\040\103\157\162\160\157\162\141\164\151\157\156\061\047"
+"\060\045\006\003\125\004\013\023\036\107\124\105\040\103\171\142"
+"\145\162\124\162\165\163\164\040\123\157\154\165\164\151\157\156"
+"\163\054\040\111\156\143\056\061\043\060\041\006\003\125\004\003"
+"\023\032\107\124\105\040\103\171\142\145\162\124\162\165\163\164"
+"\040\107\154\157\142\141\154\040\122\157\157\164\202\002\001\245"
+"\060\105\006\003\125\035\037\004\076\060\074\060\072\240\070\240"
+"\066\206\064\150\164\164\160\072\057\057\167\167\167\056\160\165"
+"\142\154\151\143\055\164\162\165\163\164\056\143\157\155\057\143"
+"\147\151\055\142\151\156\057\103\122\114\057\062\060\061\070\057"
+"\143\144\160\056\143\162\154\060\035\006\003\125\035\016\004\026"
+"\004\024\253\371\150\337\317\112\067\327\173\105\214\137\162\336"
+"\100\104\303\145\273\302\060\015\006\011\052\206\110\206\367\015"
+"\001\001\005\005\000\003\201\201\000\217\150\153\245\133\007\272"
+"\104\146\016\034\250\134\060\173\063\344\012\046\004\374\357\236"
+"\032\070\326\056\241\037\320\231\107\302\165\144\044\375\236\073"
+"\050\166\271\046\050\141\221\014\155\054\370\004\237\174\120\001"
+"\325\343\151\257\357\025\322\105\233\044\011\052\146\005\117\045"
+"\201\312\135\276\252\301\131\047\256\063\216\202\367\337\164\260"
+"\125\263\216\370\347\067\310\156\252\126\104\366\275\123\201\043"
+"\226\075\264\372\062\212\123\146\104\045\242\045\306\246\074\045"
+"\214\360\340\050\006\042\267\046\101"
+, (PRUint32)1353 }
+};
+static const NSSItem nss_builtins_items_333 [] = {
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Explicitly Distrust DigiNotar Cyber CA", (PRUint32)39 },
+  { (void *)"\245\216\240\354\366\104\126\065\031\035\150\133\307\240\344\034"
+"\260\115\171\056"
+, (PRUint32)20 },
+  { (void *)"\274\275\211\022\264\377\345\371\046\107\310\140\066\133\331\124"
+, (PRUint32)16 },
+  { (void *)"\060\140\061\013\060\011\006\003\125\004\006\023\002\116\114\061"
+"\022\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157"
+"\164\141\162\061\033\060\031\006\003\125\004\003\023\022\104\151"
+"\147\151\116\157\164\141\162\040\103\171\142\145\162\040\103\101"
+"\061\040\060\036\006\011\052\206\110\206\367\015\001\011\001\026"
+"\021\151\156\146\157\100\144\151\147\151\156\157\164\141\162\056"
+"\156\154"
+, (PRUint32)98 },
+  { (void *)"\002\004\017\377\377\377"
+, (PRUint32)6 },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
+};
+static const NSSItem nss_builtins_items_334 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Explicitly Distrust DigiNotar Cyber CA 2nd", (PRUint32)43 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\076\061\013\060\011\006\003\125\004\006\023\002\116\114\061"
+"\022\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157"
+"\164\141\162\061\033\060\031\006\003\125\004\003\023\022\104\151"
+"\147\151\116\157\164\141\162\040\103\171\142\145\162\040\103\101"
+, (PRUint32)64 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\076\061\013\060\011\006\003\125\004\006\023\002\116\114\061"
+"\022\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157"
+"\164\141\162\061\033\060\031\006\003\125\004\003\023\022\104\151"
+"\147\151\116\157\164\141\162\040\103\171\142\145\162\040\103\101"
+, (PRUint32)64 },
+  { (void *)"\002\004\017\377\377\377"
+, (PRUint32)6 },
+  { (void *)"\060\202\005\001\060\202\004\152\240\003\002\001\002\002\004\017"
+"\377\377\377\060\015\006\011\052\206\110\206\367\015\001\001\005"
+"\005\000\060\076\061\013\060\011\006\003\125\004\006\023\002\116"
+"\114\061\022\060\020\006\003\125\004\012\023\011\104\151\147\151"
+"\116\157\164\141\162\061\033\060\031\006\003\125\004\003\023\022"
+"\104\151\147\151\116\157\164\141\162\040\103\171\142\145\162\040"
+"\103\101\060\036\027\015\060\066\060\071\062\067\061\060\065\063"
+"\065\063\132\027\015\061\063\060\071\062\060\060\071\064\064\060"
+"\067\132\060\076\061\013\060\011\006\003\125\004\006\023\002\116"
+"\114\061\022\060\020\006\003\125\004\012\023\011\104\151\147\151"
+"\116\157\164\141\162\061\033\060\031\006\003\125\004\003\023\022"
+"\104\151\147\151\116\157\164\141\162\040\103\171\142\145\162\040"
+"\103\101\060\202\002\042\060\015\006\011\052\206\110\206\367\015"
+"\001\001\001\005\000\003\202\002\017\000\060\202\002\012\002\202"
+"\002\001\000\322\316\025\012\055\250\136\204\147\255\375\276\357"
+"\106\307\310\271\317\163\374\364\064\271\371\054\103\347\140\023"
+"\075\172\343\262\317\073\147\154\220\255\300\271\077\204\122\360"
+"\065\102\334\164\334\050\073\275\122\264\247\254\162\105\027\306"
+"\360\211\353\264\252\045\362\135\113\136\321\331\207\272\326\175"
+"\174\365\316\062\237\020\063\305\261\112\273\136\221\061\302\320"
+"\351\101\302\221\144\176\011\101\073\333\213\010\067\152\252\312"
+"\122\336\265\071\036\300\210\003\245\077\213\231\023\141\103\265"
+"\233\202\263\356\040\157\317\241\104\242\352\057\153\100\237\217"
+"\053\127\255\241\123\302\205\042\151\235\240\077\121\337\013\101"
+"\221\015\245\341\250\252\134\111\010\135\275\336\160\101\261\017"
+"\311\143\153\323\177\064\164\002\057\064\132\170\165\034\150\172"
+"\201\147\212\363\332\100\360\140\143\364\222\040\327\003\246\075"
+"\243\036\147\304\204\033\101\245\311\214\346\275\352\110\266\005"
+"\026\010\263\067\022\132\367\141\074\367\070\157\056\227\340\157"
+"\126\070\124\323\050\265\255\024\156\056\113\144\265\047\145\267"
+"\165\045\011\266\007\075\225\126\002\012\202\140\262\163\105\340"
+"\063\046\121\164\232\271\324\120\034\366\115\133\133\122\122\023"
+"\132\246\177\247\016\341\350\101\124\147\230\214\207\325\311\323"
+"\154\313\323\124\222\006\011\064\101\367\201\157\077\236\311\174"
+"\165\125\260\347\301\263\167\350\303\304\000\065\225\100\160\020"
+"\112\005\336\045\273\237\131\245\144\274\107\140\277\140\343\166"
+"\213\023\125\335\341\164\172\271\317\044\246\152\177\336\144\042"
+"\104\130\150\202\152\020\371\075\345\076\033\271\275\374\042\364"
+"\140\004\211\273\125\155\050\125\372\336\216\215\033\041\024\327"
+"\067\213\064\173\115\366\262\262\020\317\063\261\175\034\142\231"
+"\110\313\053\154\166\226\125\277\031\015\035\037\273\145\252\033"
+"\216\231\265\306\050\220\345\202\055\170\120\040\232\375\171\057"
+"\044\177\360\211\051\151\364\175\315\163\276\263\355\116\301\321"
+"\355\122\136\217\367\270\327\215\207\255\262\331\033\121\022\377"
+"\126\263\341\257\064\175\134\244\170\210\020\236\235\003\306\245"
+"\252\242\044\121\367\111\024\305\261\356\131\103\225\337\253\150"
+"\050\060\077\002\003\001\000\001\243\202\001\206\060\202\001\202"
+"\060\022\006\003\125\035\023\001\001\377\004\010\060\006\001\001"
+"\377\002\001\001\060\123\006\003\125\035\040\004\114\060\112\060"
+"\110\006\011\053\006\001\004\001\261\076\001\000\060\073\060\071"
+"\006\010\053\006\001\005\005\007\002\001\026\055\150\164\164\160"
+"\072\057\057\167\167\167\056\160\165\142\154\151\143\055\164\162"
+"\165\163\164\056\143\157\155\057\103\120\123\057\117\155\156\151"
+"\122\157\157\164\056\150\164\155\154\060\016\006\003\125\035\017"
+"\001\001\377\004\004\003\002\001\006\060\201\240\006\003\125\035"
+"\043\004\201\230\060\201\225\200\024\246\014\035\237\141\377\007"
+"\027\265\277\070\106\333\103\060\325\216\260\122\006\241\171\244"
+"\167\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103"
+"\157\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003"
+"\125\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162"
+"\165\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111"
+"\156\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124"
+"\105\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157"
+"\142\141\154\040\122\157\157\164\202\002\001\245\060\105\006\003"
+"\125\035\037\004\076\060\074\060\072\240\070\240\066\206\064\150"
+"\164\164\160\072\057\057\167\167\167\056\160\165\142\154\151\143"
+"\055\164\162\165\163\164\056\143\157\155\057\143\147\151\055\142"
+"\151\156\057\103\122\114\057\062\060\061\070\057\143\144\160\056"
+"\143\162\154\060\035\006\003\125\035\016\004\026\004\024\253\371"
+"\150\337\317\112\067\327\173\105\214\137\162\336\100\104\303\145"
+"\273\302\060\015\006\011\052\206\110\206\367\015\001\001\005\005"
+"\000\003\201\201\000\011\312\142\017\215\273\112\340\324\172\065"
+"\053\006\055\321\050\141\266\254\001\373\203\111\274\256\324\057"
+"\055\206\256\031\203\245\326\035\023\342\027\276\376\062\164\351"
+"\172\024\070\312\224\136\367\051\001\151\161\033\221\032\375\243"
+"\273\252\035\312\173\342\026\375\241\243\016\363\014\137\262\341"
+"\040\061\224\053\136\222\166\355\372\351\265\043\246\277\012\073"
+"\003\251\157\122\140\124\315\137\351\267\057\174\242\047\375\101"
+"\203\165\266\015\373\170\046\363\261\105\351\062\225\052\032\065"
+"\041\225\305\242\165"
+, (PRUint32)1285 }
+};
+static const NSSItem nss_builtins_items_335 [] = {
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Explicitly Distrust DigiNotar Cyber CA 2nd", (PRUint32)43 },
+  { (void *)"\210\036\105\005\017\230\331\131\373\012\065\371\114\016\050\227"
+"\125\026\051\263"
+, (PRUint32)20 },
+  { (void *)"\360\256\251\075\362\054\210\334\174\205\033\226\175\132\034\021"
+, (PRUint32)16 },
+  { (void *)"\060\076\061\013\060\011\006\003\125\004\006\023\002\116\114\061"
+"\022\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157"
+"\164\141\162\061\033\060\031\006\003\125\004\003\023\022\104\151"
+"\147\151\116\157\164\141\162\040\103\171\142\145\162\040\103\101"
+, (PRUint32)64 },
+  { (void *)"\002\004\017\377\377\377"
+, (PRUint32)6 },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
+};
+static const NSSItem nss_builtins_items_336 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Explicitly Distrusted DigiNotar PKIoverheid", (PRUint32)44 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\116\114\061"
+"\027\060\025\006\003\125\004\012\023\016\104\151\147\151\116\157"
+"\164\141\162\040\102\056\126\056\061\067\060\065\006\003\125\004"
+"\003\023\056\104\151\147\151\116\157\164\141\162\040\120\113\111"
+"\157\166\145\162\150\145\151\144\040\103\101\040\117\166\145\162"
+"\150\145\151\144\040\145\156\040\102\145\144\162\151\152\166\145"
+"\156"
+, (PRUint32)97 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\116\114\061"
+"\027\060\025\006\003\125\004\012\023\016\104\151\147\151\116\157"
+"\164\141\162\040\102\056\126\056\061\067\060\065\006\003\125\004"
+"\003\023\056\104\151\147\151\116\157\164\141\162\040\120\113\111"
+"\157\166\145\162\150\145\151\144\040\103\101\040\117\166\145\162"
+"\150\145\151\144\040\145\156\040\102\145\144\162\151\152\166\145"
+"\156"
+, (PRUint32)97 },
+  { (void *)"\002\004\017\377\377\377"
+, (PRUint32)6 },
+  { (void *)"\060\202\004\216\060\202\003\166\240\003\002\001\002\002\004\017"
+"\377\377\377\060\015\006\011\052\206\110\206\367\015\001\001\005"
+"\005\000\060\137\061\013\060\011\006\003\125\004\006\023\002\116"
+"\114\061\027\060\025\006\003\125\004\012\023\016\104\151\147\151"
+"\116\157\164\141\162\040\102\056\126\056\061\067\060\065\006\003"
+"\125\004\003\023\056\104\151\147\151\116\157\164\141\162\040\120"
+"\113\111\157\166\145\162\150\145\151\144\040\103\101\040\117\166"
+"\145\162\150\145\151\144\040\145\156\040\102\145\144\162\151\152"
+"\166\145\156\060\036\027\015\060\067\060\067\060\065\060\070\064"
+"\062\060\070\132\027\015\061\065\060\067\062\067\060\070\063\071"
+"\064\067\132\060\137\061\013\060\011\006\003\125\004\006\023\002"
+"\116\114\061\027\060\025\006\003\125\004\012\023\016\104\151\147"
+"\151\116\157\164\141\162\040\102\056\126\056\061\067\060\065\006"
+"\003\125\004\003\023\056\104\151\147\151\116\157\164\141\162\040"
+"\120\113\111\157\166\145\162\150\145\151\144\040\103\101\040\117"
+"\166\145\162\150\145\151\144\040\145\156\040\102\145\144\162\151"
+"\152\166\145\156\060\202\001\042\060\015\006\011\052\206\110\206"
+"\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012"
+"\002\202\001\001\000\334\275\322\247\116\152\012\273\073\242\205"
+"\341\177\000\255\276\264\060\150\230\007\315\240\172\304\224\317"
+"\161\371\212\067\344\123\353\127\166\314\213\346\154\376\356\207"
+"\125\310\076\273\004\071\000\247\200\170\254\133\117\176\364\275"
+"\270\124\270\161\073\007\061\111\071\223\124\174\040\073\171\053"
+"\217\273\141\220\175\261\254\346\037\220\056\235\105\001\251\144"
+"\055\115\303\057\271\347\120\325\116\052\134\253\166\166\067\106"
+"\327\171\354\102\231\367\242\354\244\211\160\334\070\053\207\246"
+"\252\044\346\235\222\044\033\276\366\375\324\057\031\027\172\346"
+"\062\007\224\124\005\123\103\351\154\274\257\107\313\274\313\375"
+"\275\073\104\022\201\361\153\113\273\355\264\317\253\045\117\030"
+"\322\314\002\374\243\117\265\102\063\313\131\315\011\334\323\120"
+"\375\240\166\214\254\176\146\212\102\366\255\034\222\363\266\373"
+"\024\106\353\115\327\057\060\340\155\356\133\066\276\104\164\267"
+"\040\005\127\205\115\350\000\031\242\366\014\346\256\241\300\102"
+"\337\247\254\202\135\307\150\267\030\346\211\113\232\153\372\316"
+"\171\371\363\054\247\002\003\001\000\001\243\202\001\120\060\202"
+"\001\114\060\110\006\003\125\035\040\004\101\060\077\060\075\006"
+"\004\125\035\040\000\060\065\060\063\006\010\053\006\001\005\005"
+"\007\002\001\026\047\150\164\164\160\072\057\057\167\167\167\056"
+"\144\151\147\151\156\157\164\141\162\056\156\154\057\143\160\163"
+"\057\160\153\151\157\166\145\162\150\145\151\144\060\017\006\003"
+"\125\035\023\001\001\377\004\005\060\003\001\001\377\060\016\006"
+"\003\125\035\017\001\001\377\004\004\003\002\001\006\060\201\200"
+"\006\003\125\035\043\004\171\060\167\200\024\013\206\326\017\167"
+"\243\150\261\373\144\011\303\210\156\134\004\034\127\351\075\241"
+"\131\244\127\060\125\061\013\060\011\006\003\125\004\006\023\002"
+"\116\114\061\036\060\034\006\003\125\004\012\023\025\123\164\141"
+"\141\164\040\144\145\162\040\116\145\144\145\162\154\141\156\144"
+"\145\156\061\046\060\044\006\003\125\004\003\023\035\123\164\141"
+"\141\164\040\144\145\162\040\116\145\144\145\162\154\141\156\144"
+"\145\156\040\122\157\157\164\040\103\101\202\004\000\230\232\171"
+"\060\075\006\003\125\035\037\004\066\060\064\060\062\240\060\240"
+"\056\206\054\150\164\164\160\072\057\057\143\162\154\056\160\153"
+"\151\157\166\145\162\150\145\151\144\056\156\154\057\104\157\155"
+"\117\166\114\141\164\145\163\164\103\122\114\056\143\162\154\060"
+"\035\006\003\125\035\016\004\026\004\024\114\010\311\215\166\361"
+"\230\307\076\337\074\327\057\165\015\261\166\171\227\314\060\015"
+"\006\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001"
+"\001\000\014\224\207\032\277\115\343\205\342\356\327\330\143\171"
+"\016\120\337\306\204\133\322\273\331\365\061\012\032\065\227\164"
+"\337\024\372\052\017\076\355\240\343\010\366\325\116\133\257\246"
+"\256\045\342\105\153\042\017\267\124\050\176\222\336\215\024\154"
+"\321\034\345\156\164\004\234\267\357\064\104\105\337\311\203\035"
+"\031\037\300\051\151\337\211\325\077\302\260\123\155\345\116\027"
+"\344\163\141\043\023\046\161\103\375\114\131\313\303\337\042\252"
+"\041\053\331\277\225\021\032\212\244\342\253\247\135\113\157\051"
+"\365\122\321\344\322\025\261\213\376\360\003\317\247\175\351\231"
+"\207\070\263\015\163\024\344\162\054\341\316\365\255\006\110\144"
+"\372\323\051\271\242\330\273\364\325\013\245\100\104\103\216\240"
+"\277\316\132\245\122\114\144\323\027\061\141\314\350\244\212\350"
+"\344\210\373\351\345\057\006\063\063\233\224\146\146\261\253\120"
+"\072\241\011\201\164\123\132\047\271\246\322\045\317\323\303\247"
+"\377\226\320\057\352\340\036\215\122\351\030\034\040\012\107\240"
+"\226\126\016\100\220\121\104\254\032\375\361\356\205\037\367\102"
+"\132\145"
+, (PRUint32)1170 }
+};
+static const NSSItem nss_builtins_items_337 [] = {
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Explicitly Distrusted DigiNotar PKIoverheid", (PRUint32)44 },
+  { (void *)"\247\250\311\254\364\137\220\222\166\206\270\300\242\016\223\130"
+"\175\336\060\344"
+, (PRUint32)20 },
+  { (void *)"\243\317\263\377\371\117\247\261\353\072\165\130\116\056\237\352"
+, (PRUint32)16 },
+  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\116\114\061"
+"\027\060\025\006\003\125\004\012\023\016\104\151\147\151\116\157"
+"\164\141\162\040\102\056\126\056\061\067\060\065\006\003\125\004"
+"\003\023\056\104\151\147\151\116\157\164\141\162\040\120\113\111"
+"\157\166\145\162\150\145\151\144\040\103\101\040\117\166\145\162"
+"\150\145\151\144\040\145\156\040\102\145\144\162\151\152\166\145"
+"\156"
+, (PRUint32)97 },
+  { (void *)"\002\004\017\377\377\377"
+, (PRUint32)6 },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
+};
+static const NSSItem nss_builtins_items_338 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Explicitly Distrusted DigiNotar PKIoverheid G2", (PRUint32)47 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061"
+"\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157"
+"\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004"
+"\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111"
+"\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141"
+"\156\151\163\141\164\151\145\040\055\040\107\062"
+, (PRUint32)92 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061"
+"\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157"
+"\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004"
+"\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111"
+"\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141"
+"\156\151\163\141\164\151\145\040\055\040\107\062"
+, (PRUint32)92 },
+  { (void *)"\002\004\017\377\377\377"
+, (PRUint32)6 },
+  { (void *)"\060\202\006\225\060\202\004\175\240\003\002\001\002\002\004\017"
+"\377\377\377\060\015\006\011\052\206\110\206\367\015\001\001\013"
+"\005\000\060\132\061\013\060\011\006\003\125\004\006\023\002\116"
+"\114\061\027\060\025\006\003\125\004\012\014\016\104\151\147\151"
+"\116\157\164\141\162\040\102\056\126\056\061\062\060\060\006\003"
+"\125\004\003\014\051\104\151\147\151\116\157\164\141\162\040\120"
+"\113\111\157\166\145\162\150\145\151\144\040\103\101\040\117\162"
+"\147\141\156\151\163\141\164\151\145\040\055\040\107\062\060\036"
+"\027\015\061\060\060\065\061\062\060\070\065\061\063\071\132\027"
+"\015\062\060\060\063\062\063\060\071\065\060\060\065\132\060\132"
+"\061\013\060\011\006\003\125\004\006\023\002\116\114\061\027\060"
+"\025\006\003\125\004\012\014\016\104\151\147\151\116\157\164\141"
+"\162\040\102\056\126\056\061\062\060\060\006\003\125\004\003\014"
+"\051\104\151\147\151\116\157\164\141\162\040\120\113\111\157\166"
+"\145\162\150\145\151\144\040\103\101\040\117\162\147\141\156\151"
+"\163\141\164\151\145\040\055\040\107\062\060\202\002\042\060\015"
+"\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002"
+"\017\000\060\202\002\012\002\202\002\001\000\261\023\031\017\047"
+"\346\154\324\125\206\113\320\354\211\212\105\221\170\254\107\275"
+"\107\053\344\374\105\353\117\264\046\163\133\067\323\303\177\366"
+"\343\336\327\243\370\055\150\305\010\076\113\224\326\344\207\045"
+"\066\153\204\265\030\164\363\050\130\163\057\233\152\317\274\004"
+"\036\366\336\335\257\374\113\252\365\333\146\142\045\001\045\202"
+"\336\362\227\132\020\156\335\135\251\042\261\004\251\043\163\072"
+"\370\161\255\035\317\204\104\353\107\321\257\155\310\174\050\253"
+"\307\362\067\172\164\137\137\305\002\024\212\243\132\343\033\154"
+"\001\343\135\216\331\150\326\364\011\033\062\334\221\265\054\365"
+"\040\353\214\003\155\046\111\270\223\304\205\135\330\322\233\257"
+"\126\152\314\005\063\314\240\102\236\064\125\104\234\153\240\324"
+"\022\320\053\124\315\267\211\015\345\366\353\350\373\205\001\063"
+"\117\172\153\361\235\162\063\226\016\367\262\204\245\245\047\304"
+"\047\361\121\163\051\167\272\147\156\376\114\334\264\342\241\241"
+"\201\057\071\111\215\103\070\023\316\320\245\134\302\207\072\000"
+"\147\145\102\043\361\066\131\012\035\243\121\310\274\243\224\052"
+"\061\337\343\074\362\235\032\074\004\260\357\261\012\060\023\163"
+"\266\327\363\243\114\001\165\024\205\170\300\327\212\071\130\205"
+"\120\372\056\346\305\276\317\213\077\257\217\066\324\045\011\055"
+"\322\017\254\162\223\362\277\213\324\120\263\371\025\120\233\231"
+"\365\024\331\373\213\221\243\062\046\046\240\370\337\073\140\201"
+"\206\203\171\133\053\353\023\075\051\072\301\155\335\275\236\216"
+"\207\326\112\256\064\227\005\356\024\246\366\334\070\176\112\351"
+"\044\124\007\075\227\150\067\106\153\015\307\250\041\257\023\124"
+"\344\011\152\361\115\106\012\311\135\373\233\117\275\336\373\267"
+"\124\313\270\070\234\247\071\373\152\055\300\173\215\253\245\247"
+"\127\354\112\222\212\063\305\341\040\134\163\330\220\222\053\200"
+"\325\017\206\030\151\174\071\117\204\206\274\367\114\133\363\325"
+"\264\312\240\302\360\067\042\312\171\122\037\123\346\252\363\220"
+"\260\073\335\362\050\375\254\353\305\006\044\240\311\324\057\017"
+"\130\375\265\236\354\017\317\262\131\320\242\004\172\070\152\256"
+"\162\373\275\360\045\142\224\011\247\005\013\002\003\001\000\001"
+"\243\202\001\141\060\202\001\135\060\110\006\003\125\035\040\004"
+"\101\060\077\060\075\006\004\125\035\040\000\060\065\060\063\006"
+"\010\053\006\001\005\005\007\002\001\026\047\150\164\164\160\072"
+"\057\057\167\167\167\056\144\151\147\151\156\157\164\141\162\056"
+"\156\154\057\143\160\163\057\160\153\151\157\166\145\162\150\145"
+"\151\144\060\017\006\003\125\035\023\001\001\377\004\005\060\003"
+"\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004\003"
+"\002\001\006\060\201\205\006\003\125\035\043\004\176\060\174\200"
+"\024\071\020\213\111\222\134\333\141\022\040\315\111\235\032\216"
+"\332\234\147\100\271\241\136\244\134\060\132\061\013\060\011\006"
+"\003\125\004\006\023\002\116\114\061\036\060\034\006\003\125\004"
+"\012\014\025\123\164\141\141\164\040\144\145\162\040\116\145\144"
+"\145\162\154\141\156\144\145\156\061\053\060\051\006\003\125\004"
+"\003\014\042\123\164\141\141\164\040\144\145\162\040\116\145\144"
+"\145\162\154\141\156\144\145\156\040\122\157\157\164\040\103\101"
+"\040\055\040\107\062\202\004\000\230\226\364\060\111\006\003\125"
+"\035\037\004\102\060\100\060\076\240\074\240\072\206\070\150\164"
+"\164\160\072\057\057\143\162\154\056\160\153\151\157\166\145\162"
+"\150\145\151\144\056\156\154\057\104\157\155\117\162\147\141\156"
+"\151\163\141\164\151\145\114\141\164\145\163\164\103\122\114\055"
+"\107\062\056\143\162\154\060\035\006\003\125\035\016\004\026\004"
+"\024\274\135\224\073\331\253\173\003\045\163\141\302\333\055\356"
+"\374\253\217\145\241\060\015\006\011\052\206\110\206\367\015\001"
+"\001\013\005\000\003\202\002\001\000\217\374\055\114\267\331\055"
+"\325\037\275\357\313\364\267\150\027\165\235\116\325\367\335\234"
+"\361\052\046\355\237\242\266\034\003\325\123\263\354\010\317\064"
+"\342\343\303\364\265\026\057\310\303\276\327\323\163\253\000\066"
+"\371\032\112\176\326\143\351\136\106\272\245\266\216\025\267\243"
+"\052\330\103\035\357\135\310\037\201\205\263\213\367\377\074\364"
+"\331\364\106\010\077\234\274\035\240\331\250\114\315\045\122\116"
+"\012\261\040\367\037\351\103\331\124\106\201\023\232\300\136\164"
+"\154\052\230\062\352\374\167\273\015\245\242\061\230\042\176\174"
+"\174\347\332\244\255\354\267\056\032\031\161\370\110\120\332\103"
+"\217\054\204\335\301\100\047\343\265\360\025\116\226\324\370\134"
+"\343\206\051\106\053\327\073\007\353\070\177\310\206\127\227\323"
+"\357\052\063\304\027\120\325\144\151\153\053\153\105\136\135\057"
+"\027\312\132\116\317\303\327\071\074\365\073\237\106\271\233\347"
+"\016\111\227\235\326\325\343\033\017\352\217\001\116\232\023\224"
+"\131\012\002\007\110\113\032\140\253\177\117\355\013\330\125\015"
+"\150\157\125\234\151\145\025\102\354\300\334\335\154\254\303\026"
+"\316\013\035\126\233\244\304\304\322\056\340\017\342\104\047\053"
+"\120\151\244\334\142\350\212\041\051\102\154\314\000\072\226\166"
+"\233\357\100\300\244\136\167\204\062\154\046\052\071\146\256\135"
+"\343\271\271\262\054\150\037\036\232\220\003\071\360\252\263\244"
+"\314\111\213\030\064\351\067\311\173\051\307\204\174\157\104\025"
+"\057\354\141\131\004\311\105\313\242\326\122\242\174\177\051\222"
+"\326\112\305\213\102\250\324\376\352\330\307\207\043\030\344\235"
+"\172\175\163\100\122\230\240\256\156\343\005\077\005\017\340\245"
+"\306\155\115\355\203\067\210\234\307\363\334\102\232\152\266\327"
+"\041\111\066\167\362\357\030\117\305\160\331\236\351\336\267\053"
+"\213\364\274\176\050\337\015\100\311\205\134\256\235\305\061\377"
+"\320\134\016\265\250\176\360\351\057\272\257\210\256\345\265\321"
+"\130\245\257\234\161\247\051\001\220\203\151\067\202\005\272\374"
+"\011\301\010\156\214\170\073\303\063\002\200\077\104\205\010\035"
+"\337\125\126\010\255\054\205\055\135\261\003\341\256\252\164\305"
+"\244\363\116\272\067\230\173\202\271"
+, (PRUint32)1689 }
+};
+static const NSSItem nss_builtins_items_339 [] = {
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Explicitly Distrusted DigiNotar PKIoverheid G2", (PRUint32)47 },
+  { (void *)"\325\362\127\251\277\055\320\077\213\106\127\371\053\311\244\306"
+"\222\341\102\102"
+, (PRUint32)20 },
+  { (void *)"\056\141\242\321\170\316\356\277\131\063\260\043\024\017\224\034"
+, (PRUint32)16 },
+  { (void *)"\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061"
+"\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157"
+"\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004"
+"\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111"
+"\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141"
+"\156\151\163\141\164\151\145\040\055\040\107\062"
+, (PRUint32)92 },
+  { (void *)"\002\004\017\377\377\377"
+, (PRUint32)6 },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
+};
 
 builtinsInternalObject
 nss_builtins_data[] = {
 #ifdef DEBUG
   { 7, nss_builtins_types_0, nss_builtins_items_0, {NULL} },
 #endif /* DEBUG */
   { 5, nss_builtins_types_1, nss_builtins_items_1, {NULL} },
   { 11, nss_builtins_types_2, nss_builtins_items_2, {NULL} },
@@ -22086,16 +22927,28 @@ nss_builtins_data[] = {
   { 13, nss_builtins_types_319, nss_builtins_items_319, {NULL} },
   { 11, nss_builtins_types_320, nss_builtins_items_320, {NULL} },
   { 13, nss_builtins_types_321, nss_builtins_items_321, {NULL} },
   { 11, nss_builtins_types_322, nss_builtins_items_322, {NULL} },
   { 13, nss_builtins_types_323, nss_builtins_items_323, {NULL} },
   { 11, nss_builtins_types_324, nss_builtins_items_324, {NULL} },
   { 13, nss_builtins_types_325, nss_builtins_items_325, {NULL} },
   { 11, nss_builtins_types_326, nss_builtins_items_326, {NULL} },
-  { 13, nss_builtins_types_327, nss_builtins_items_327, {NULL} }
+  { 13, nss_builtins_types_327, nss_builtins_items_327, {NULL} },
+  { 11, nss_builtins_types_328, nss_builtins_items_328, {NULL} },
+  { 13, nss_builtins_types_329, nss_builtins_items_329, {NULL} },
+  { 11, nss_builtins_types_330, nss_builtins_items_330, {NULL} },
+  { 13, nss_builtins_types_331, nss_builtins_items_331, {NULL} },
+  { 11, nss_builtins_types_332, nss_builtins_items_332, {NULL} },
+  { 13, nss_builtins_types_333, nss_builtins_items_333, {NULL} },
+  { 11, nss_builtins_types_334, nss_builtins_items_334, {NULL} },
+  { 13, nss_builtins_types_335, nss_builtins_items_335, {NULL} },
+  { 11, nss_builtins_types_336, nss_builtins_items_336, {NULL} },
+  { 13, nss_builtins_types_337, nss_builtins_items_337, {NULL} },
+  { 11, nss_builtins_types_338, nss_builtins_items_338, {NULL} },
+  { 13, nss_builtins_types_339, nss_builtins_items_339, {NULL} }
 };
 const PRUint32
 #ifdef DEBUG
-  nss_builtins_nObjects = 327+1;
+  nss_builtins_nObjects = 339+1;
 #else
-  nss_builtins_nObjects = 327;
+  nss_builtins_nObjects = 339;
 #endif /* DEBUG */
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -22429,8 +22429,873 @@ CKA_ISSUER MULTILINE_OCTAL
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "Explicitly Distrust DigiNotar Root CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Explicitly Distrust DigiNotar Root CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\137\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+\022\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157
+\164\141\162\061\032\060\030\006\003\125\004\003\023\021\104\151
+\147\151\116\157\164\141\162\040\122\157\157\164\040\103\101\061
+\040\060\036\006\011\052\206\110\206\367\015\001\011\001\026\021
+\151\156\146\157\100\144\151\147\151\156\157\164\141\162\056\156
+\154
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\137\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+\022\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157
+\164\141\162\061\032\060\030\006\003\125\004\003\023\021\104\151
+\147\151\116\157\164\141\162\040\122\157\157\164\040\103\101\061
+\040\060\036\006\011\052\206\110\206\367\015\001\011\001\026\021
+\151\156\146\157\100\144\151\147\151\156\157\164\141\162\056\156
+\154
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\017\377\377\377\377\377\377\377\377\377\377\377\377\377
+\377\377
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\212\060\202\003\162\240\003\002\001\002\002\020\017
+\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\060
+\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\137
+\061\013\060\011\006\003\125\004\006\023\002\116\114\061\022\060
+\020\006\003\125\004\012\023\011\104\151\147\151\116\157\164\141
+\162\061\032\060\030\006\003\125\004\003\023\021\104\151\147\151
+\116\157\164\141\162\040\122\157\157\164\040\103\101\061\040\060
+\036\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156
+\146\157\100\144\151\147\151\156\157\164\141\162\056\156\154\060
+\036\027\015\060\067\060\067\062\067\061\067\061\071\063\067\132
+\027\015\062\065\060\063\063\061\061\070\061\071\062\062\132\060
+\137\061\013\060\011\006\003\125\004\006\023\002\116\114\061\022
+\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157\164
+\141\162\061\032\060\030\006\003\125\004\003\023\021\104\151\147
+\151\116\157\164\141\162\040\122\157\157\164\040\103\101\061\040
+\060\036\006\011\052\206\110\206\367\015\001\011\001\026\021\151
+\156\146\157\100\144\151\147\151\156\157\164\141\162\056\156\154
+\060\202\002\042\060\015\006\011\052\206\110\206\367\015\001\001
+\001\005\000\003\202\002\017\000\060\202\002\012\002\202\002\001
+\000\254\260\130\301\000\275\330\041\010\013\053\232\376\156\126
+\060\005\237\033\167\220\020\101\134\303\015\207\021\167\216\201
+\361\312\174\351\214\152\355\070\164\065\273\332\337\371\273\300
+\011\067\264\226\163\201\175\063\032\230\071\367\223\157\225\177
+\075\271\261\165\207\272\121\110\350\213\160\076\225\004\305\330
+\266\303\026\331\210\260\261\207\035\160\332\206\264\017\024\213
+\172\317\020\321\164\066\242\022\173\167\206\112\171\346\173\337
+\002\021\150\245\116\206\256\064\130\233\044\023\170\126\042\045
+\036\001\213\113\121\161\373\202\314\131\226\151\210\132\150\123
+\305\271\015\002\067\313\113\274\146\112\220\176\052\013\005\007
+\355\026\137\125\220\165\330\106\311\033\203\342\010\276\361\043
+\314\231\035\326\052\017\203\040\025\130\047\202\056\372\342\042
+\302\111\261\271\001\201\152\235\155\235\100\167\150\166\116\041
+\052\155\204\100\205\116\166\231\174\202\363\363\267\002\131\324
+\046\001\033\216\337\255\123\006\321\256\030\335\342\262\072\313
+\327\210\070\216\254\133\051\271\031\323\230\371\030\003\317\110
+\202\206\146\013\033\151\017\311\353\070\210\172\046\032\005\114
+\222\327\044\324\226\362\254\122\055\243\107\325\122\366\077\376
+\316\204\006\160\246\252\076\242\362\266\126\064\030\127\242\344
+\201\155\347\312\360\152\323\307\221\153\002\203\101\174\025\357
+\153\232\144\136\343\320\074\345\261\353\173\135\206\373\313\346
+\167\111\315\243\145\334\367\271\234\270\344\013\137\223\317\314
+\060\032\062\034\316\034\143\225\245\371\352\341\164\213\236\351
+\053\251\060\173\240\030\037\016\030\013\345\133\251\323\321\154
+\036\007\147\217\221\113\251\212\274\322\146\252\223\001\210\262
+\221\372\061\134\325\246\301\122\010\011\315\012\143\242\323\042
+\246\350\241\331\071\006\227\365\156\215\002\220\214\024\173\077
+\200\315\033\234\272\304\130\162\043\257\266\126\237\306\172\102
+\063\051\007\077\202\311\346\037\005\015\315\114\050\066\213\323
+\310\076\034\306\210\357\136\356\211\144\351\035\353\332\211\176
+\062\246\151\321\335\314\210\237\321\320\311\146\041\334\006\147
+\305\224\172\232\155\142\114\175\314\340\144\200\262\236\107\216
+\243\002\003\001\000\001\243\102\060\100\060\017\006\003\125\035
+\023\001\001\377\004\005\060\003\001\001\377\060\016\006\003\125
+\035\017\001\001\377\004\004\003\002\001\006\060\035\006\003\125
+\035\016\004\026\004\024\210\150\277\340\216\065\304\073\070\153
+\142\367\050\073\204\201\310\014\327\115\060\015\006\011\052\206
+\110\206\367\015\001\001\005\005\000\003\202\002\001\000\073\002
+\215\313\074\060\350\156\240\255\362\163\263\137\236\045\023\004
+\005\323\366\343\213\273\013\171\316\123\336\344\226\305\321\257
+\163\274\325\303\320\100\125\174\100\177\315\033\137\011\325\362
+\174\237\150\035\273\135\316\172\071\302\214\326\230\173\305\203
+\125\250\325\175\100\312\340\036\367\211\136\143\135\241\023\302
+\135\212\266\212\174\000\363\043\303\355\205\137\161\166\360\150
+\143\252\105\041\071\110\141\170\066\334\361\103\223\324\045\307
+\362\200\145\341\123\002\165\121\374\172\072\357\067\253\204\050
+\127\014\330\324\324\231\126\154\343\242\376\131\204\264\061\350
+\063\370\144\224\224\121\227\253\071\305\113\355\332\335\200\013
+\157\174\051\015\304\216\212\162\015\347\123\024\262\140\101\075
+\204\221\061\150\075\047\104\333\345\336\364\372\143\105\310\114
+\076\230\365\077\101\272\116\313\067\015\272\146\230\361\335\313
+\237\134\367\124\066\202\153\054\274\023\141\227\102\370\170\273
+\314\310\242\237\312\360\150\275\153\035\262\337\215\157\007\235
+\332\216\147\307\107\036\312\271\277\052\102\221\267\143\123\146
+\361\102\243\341\364\132\115\130\153\265\344\244\063\255\134\160
+\035\334\340\362\353\163\024\221\232\003\301\352\000\145\274\007
+\374\317\022\021\042\054\256\240\275\072\340\242\052\330\131\351
+\051\323\030\065\244\254\021\137\031\265\265\033\377\042\112\134
+\306\172\344\027\357\040\251\247\364\077\255\212\247\232\004\045
+\235\016\312\067\346\120\375\214\102\051\004\232\354\271\317\113
+\162\275\342\010\066\257\043\057\142\345\312\001\323\160\333\174
+\202\043\054\026\061\014\306\066\007\220\172\261\037\147\130\304
+\073\130\131\211\260\214\214\120\263\330\206\313\150\243\304\012
+\347\151\113\040\316\301\036\126\113\225\251\043\150\330\060\330
+\303\353\260\125\121\315\345\375\053\270\365\273\021\237\123\124
+\366\064\031\214\171\011\066\312\141\027\045\027\013\202\230\163
+\014\167\164\303\325\015\307\250\022\114\307\247\124\161\107\056
+\054\032\175\311\343\053\073\110\336\047\204\247\143\066\263\175
+\217\240\144\071\044\015\075\173\207\257\146\134\164\033\113\163
+\262\345\214\360\206\231\270\345\305\337\204\301\267\353
+END
+
+# Trust for Certificate "Explicitly Distrust DigiNotar Root CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Explicitly Distrust DigiNotar Root CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\301\167\313\113\340\264\046\216\365\307\317\105\231\042\271\260
+\316\272\041\057
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\012\244\325\314\272\264\373\243\131\343\346\001\335\123\331\116
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\137\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+\022\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157
+\164\141\162\061\032\060\030\006\003\125\004\003\023\021\104\151
+\147\151\116\157\164\141\162\040\122\157\157\164\040\103\101\061
+\040\060\036\006\011\052\206\110\206\367\015\001\011\001\026\021
+\151\156\146\157\100\144\151\147\151\156\157\164\141\162\056\156
+\154
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\017\377\377\377\377\377\377\377\377\377\377\377\377\377
+\377\377
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "Explicitly Distrust DigiNotar Services 1024 CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Explicitly Distrust DigiNotar Services 1024 CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\150\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+\022\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157
+\164\141\162\061\043\060\041\006\003\125\004\003\023\032\104\151
+\147\151\116\157\164\141\162\040\123\145\162\166\151\143\145\163
+\040\061\060\062\064\040\103\101\061\040\060\036\006\011\052\206
+\110\206\367\015\001\011\001\026\021\151\156\146\157\100\144\151
+\147\151\156\157\164\141\162\056\156\154
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\150\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+\022\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157
+\164\141\162\061\043\060\041\006\003\125\004\003\023\032\104\151
+\147\151\116\157\164\141\162\040\123\145\162\166\151\143\145\163
+\040\061\060\062\064\040\103\101\061\040\060\036\006\011\052\206
+\110\206\367\015\001\011\001\026\021\151\156\146\157\100\144\151
+\147\151\156\157\164\141\162\056\156\154
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\004\017\377\377\377
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\161\060\202\002\332\240\003\002\001\002\002\004\017
+\377\377\377\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\060\150\061\013\060\011\006\003\125\004\006\023\002\116
+\114\061\022\060\020\006\003\125\004\012\023\011\104\151\147\151
+\116\157\164\141\162\061\043\060\041\006\003\125\004\003\023\032
+\104\151\147\151\116\157\164\141\162\040\123\145\162\166\151\143
+\145\163\040\061\060\062\064\040\103\101\061\040\060\036\006\011
+\052\206\110\206\367\015\001\011\001\026\021\151\156\146\157\100
+\144\151\147\151\156\157\164\141\162\056\156\154\060\036\027\015
+\060\067\060\067\062\066\061\065\065\071\060\061\132\027\015\061
+\063\060\070\062\066\061\066\062\071\060\061\132\060\150\061\013
+\060\011\006\003\125\004\006\023\002\116\114\061\022\060\020\006
+\003\125\004\012\023\011\104\151\147\151\116\157\164\141\162\061
+\043\060\041\006\003\125\004\003\023\032\104\151\147\151\116\157
+\164\141\162\040\123\145\162\166\151\143\145\163\040\061\060\062
+\064\040\103\101\061\040\060\036\006\011\052\206\110\206\367\015
+\001\011\001\026\021\151\156\146\157\100\144\151\147\151\156\157
+\164\141\162\056\156\154\060\201\237\060\015\006\011\052\206\110
+\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002
+\201\201\000\332\233\115\135\074\371\321\342\213\306\306\010\040
+\305\331\036\110\354\146\130\147\171\142\053\101\143\364\211\215
+\150\332\257\270\224\066\213\031\044\244\240\223\322\231\017\262
+\255\055\065\115\315\057\152\341\371\233\031\053\274\004\032\176
+\055\075\122\144\315\361\076\147\017\211\056\350\362\117\256\246
+\010\241\205\376\241\251\011\346\306\253\076\103\374\257\172\003
+\221\332\246\071\246\141\356\230\117\030\250\323\263\257\146\202
+\351\237\274\335\162\371\006\004\275\022\331\030\044\347\253\223
+\123\213\131\002\003\001\000\001\243\202\001\046\060\202\001\042
+\060\022\006\003\125\035\023\001\001\377\004\010\060\006\001\001
+\377\002\001\000\060\047\006\003\125\035\045\004\040\060\036\006
+\010\053\006\001\005\005\007\003\001\006\010\053\006\001\005\005
+\007\003\002\006\010\053\006\001\005\005\007\003\004\060\021\006
+\003\125\035\040\004\012\060\010\060\006\006\004\125\035\040\000
+\060\063\006\010\053\006\001\005\005\007\001\001\004\047\060\045
+\060\043\006\010\053\006\001\005\005\007\060\001\206\027\150\164
+\164\160\072\057\057\157\143\163\160\056\145\156\164\162\165\163
+\164\056\156\145\164\060\063\006\003\125\035\037\004\054\060\052
+\060\050\240\046\240\044\206\042\150\164\164\160\072\057\057\143
+\162\154\056\145\156\164\162\165\163\164\056\156\145\164\057\163
+\145\162\166\145\162\061\056\143\162\154\060\035\006\003\125\035
+\016\004\026\004\024\376\334\224\111\014\157\357\134\177\306\361
+\022\231\117\026\111\255\373\202\145\060\013\006\003\125\035\017
+\004\004\003\002\001\006\060\037\006\003\125\035\043\004\030\060
+\026\200\024\360\027\142\023\125\075\263\377\012\000\153\373\120
+\204\227\363\355\142\320\032\060\031\006\011\052\206\110\206\366
+\175\007\101\000\004\014\060\012\033\004\126\067\056\061\003\002
+\000\201\060\015\006\011\052\206\110\206\367\015\001\001\005\005
+\000\003\201\201\000\143\164\152\067\251\077\226\234\146\310\130
+\254\011\311\357\365\145\224\177\243\002\304\070\061\275\135\043
+\207\354\324\126\262\311\262\156\344\005\006\374\354\365\372\210
+\160\131\324\356\346\335\265\172\240\243\140\057\002\014\253\336
+\022\135\257\360\065\113\252\212\107\221\032\365\205\054\102\307
+\035\357\225\103\263\136\270\225\223\245\332\305\050\252\255\162
+\055\061\255\231\153\154\377\214\041\047\257\255\232\221\053\307
+\335\130\303\156\007\305\237\171\322\307\214\125\277\114\307\047
+\136\121\026\053\076
+END
+
+# Trust for Certificate "Explicitly Distrust DigiNotar Services 1024 CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Explicitly Distrust DigiNotar Services 1024 CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\022\073\352\312\146\147\167\141\340\353\150\362\376\355\242\017
+\040\005\125\160
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\057\026\150\227\114\150\117\316\122\212\354\123\217\223\111\370
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\150\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+\022\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157
+\164\141\162\061\043\060\041\006\003\125\004\003\023\032\104\151
+\147\151\116\157\164\141\162\040\123\145\162\166\151\143\145\163
+\040\061\060\062\064\040\103\101\061\040\060\036\006\011\052\206
+\110\206\367\015\001\011\001\026\021\151\156\146\157\100\144\151
+\147\151\156\157\164\141\162\056\156\154
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\004\017\377\377\377
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "Explicitly Distrust DigiNotar Cyber CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Explicitly Distrust DigiNotar Cyber CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\140\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+\022\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157
+\164\141\162\061\033\060\031\006\003\125\004\003\023\022\104\151
+\147\151\116\157\164\141\162\040\103\171\142\145\162\040\103\101
+\061\040\060\036\006\011\052\206\110\206\367\015\001\011\001\026
+\021\151\156\146\157\100\144\151\147\151\156\157\164\141\162\056
+\156\154
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\140\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+\022\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157
+\164\141\162\061\033\060\031\006\003\125\004\003\023\022\104\151
+\147\151\116\157\164\141\162\040\103\171\142\145\162\040\103\101
+\061\040\060\036\006\011\052\206\110\206\367\015\001\011\001\026
+\021\151\156\146\157\100\144\151\147\151\156\157\164\141\162\056
+\156\154
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\004\017\377\377\377
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\105\060\202\004\256\240\003\002\001\002\002\004\017
+\377\377\377\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\060\140\061\013\060\011\006\003\125\004\006\023\002\116
+\114\061\022\060\020\006\003\125\004\012\023\011\104\151\147\151
+\116\157\164\141\162\061\033\060\031\006\003\125\004\003\023\022
+\104\151\147\151\116\157\164\141\162\040\103\171\142\145\162\040
+\103\101\061\040\060\036\006\011\052\206\110\206\367\015\001\011
+\001\026\021\151\156\146\157\100\144\151\147\151\156\157\164\141
+\162\056\156\154\060\036\027\015\060\066\061\060\060\064\061\060
+\065\064\061\062\132\027\015\061\061\061\060\060\064\061\060\065
+\063\061\062\132\060\140\061\013\060\011\006\003\125\004\006\023
+\002\116\114\061\022\060\020\006\003\125\004\012\023\011\104\151
+\147\151\116\157\164\141\162\061\033\060\031\006\003\125\004\003
+\023\022\104\151\147\151\116\157\164\141\162\040\103\171\142\145
+\162\040\103\101\061\040\060\036\006\011\052\206\110\206\367\015
+\001\011\001\026\021\151\156\146\157\100\144\151\147\151\156\157
+\164\141\162\056\156\154\060\202\002\042\060\015\006\011\052\206
+\110\206\367\015\001\001\001\005\000\003\202\002\017\000\060\202
+\002\012\002\202\002\001\000\322\316\025\012\055\250\136\204\147
+\255\375\276\357\106\307\310\271\317\163\374\364\064\271\371\054
+\103\347\140\023\075\172\343\262\317\073\147\154\220\255\300\271
+\077\204\122\360\065\102\334\164\334\050\073\275\122\264\247\254
+\162\105\027\306\360\211\353\264\252\045\362\135\113\136\321\331
+\207\272\326\175\174\365\316\062\237\020\063\305\261\112\273\136
+\221\061\302\320\351\101\302\221\144\176\011\101\073\333\213\010
+\067\152\252\312\122\336\265\071\036\300\210\003\245\077\213\231
+\023\141\103\265\233\202\263\356\040\157\317\241\104\242\352\057
+\153\100\237\217\053\127\255\241\123\302\205\042\151\235\240\077
+\121\337\013\101\221\015\245\341\250\252\134\111\010\135\275\336
+\160\101\261\017\311\143\153\323\177\064\164\002\057\064\132\170
+\165\034\150\172\201\147\212\363\332\100\360\140\143\364\222\040
+\327\003\246\075\243\036\147\304\204\033\101\245\311\214\346\275
+\352\110\266\005\026\010\263\067\022\132\367\141\074\367\070\157
+\056\227\340\157\126\070\124\323\050\265\255\024\156\056\113\144
+\265\047\145\267\165\045\011\266\007\075\225\126\002\012\202\140
+\262\163\105\340\063\046\121\164\232\271\324\120\034\366\115\133
+\133\122\122\023\132\246\177\247\016\341\350\101\124\147\230\214
+\207\325\311\323\154\313\323\124\222\006\011\064\101\367\201\157
+\077\236\311\174\165\125\260\347\301\263\167\350\303\304\000\065
+\225\100\160\020\112\005\336\045\273\237\131\245\144\274\107\140
+\277\140\343\166\213\023\125\335\341\164\172\271\317\044\246\152
+\177\336\144\042\104\130\150\202\152\020\371\075\345\076\033\271
+\275\374\042\364\140\004\211\273\125\155\050\125\372\336\216\215
+\033\041\024\327\067\213\064\173\115\366\262\262\020\317\063\261
+\175\034\142\231\110\313\053\154\166\226\125\277\031\015\035\037
+\273\145\252\033\216\231\265\306\050\220\345\202\055\170\120\040
+\232\375\171\057\044\177\360\211\051\151\364\175\315\163\276\263
+\355\116\301\321\355\122\136\217\367\270\327\215\207\255\262\331
+\033\121\022\377\126\263\341\257\064\175\134\244\170\210\020\236
+\235\003\306\245\252\242\044\121\367\111\024\305\261\356\131\103
+\225\337\253\150\050\060\077\002\003\001\000\001\243\202\001\206
+\060\202\001\202\060\022\006\003\125\035\023\001\001\377\004\010
+\060\006\001\001\377\002\001\001\060\123\006\003\125\035\040\004
+\114\060\112\060\110\006\011\053\006\001\004\001\261\076\001\000
+\060\073\060\071\006\010\053\006\001\005\005\007\002\001\026\055
+\150\164\164\160\072\057\057\167\167\167\056\160\165\142\154\151
+\143\055\164\162\165\163\164\056\143\157\155\057\103\120\123\057
+\117\155\156\151\122\157\157\164\056\150\164\155\154\060\016\006
+\003\125\035\017\001\001\377\004\004\003\002\001\006\060\201\240
+\006\003\125\035\043\004\201\230\060\201\225\200\024\246\014\035
+\237\141\377\007\027\265\277\070\106\333\103\060\325\216\260\122
+\006\241\171\244\167\060\165\061\013\060\011\006\003\125\004\006
+\023\002\125\123\061\030\060\026\006\003\125\004\012\023\017\107
+\124\105\040\103\157\162\160\157\162\141\164\151\157\156\061\047
+\060\045\006\003\125\004\013\023\036\107\124\105\040\103\171\142
+\145\162\124\162\165\163\164\040\123\157\154\165\164\151\157\156
+\163\054\040\111\156\143\056\061\043\060\041\006\003\125\004\003
+\023\032\107\124\105\040\103\171\142\145\162\124\162\165\163\164
+\040\107\154\157\142\141\154\040\122\157\157\164\202\002\001\245
+\060\105\006\003\125\035\037\004\076\060\074\060\072\240\070\240
+\066\206\064\150\164\164\160\072\057\057\167\167\167\056\160\165
+\142\154\151\143\055\164\162\165\163\164\056\143\157\155\057\143
+\147\151\055\142\151\156\057\103\122\114\057\062\060\061\070\057
+\143\144\160\056\143\162\154\060\035\006\003\125\035\016\004\026
+\004\024\253\371\150\337\317\112\067\327\173\105\214\137\162\336
+\100\104\303\145\273\302\060\015\006\011\052\206\110\206\367\015
+\001\001\005\005\000\003\201\201\000\217\150\153\245\133\007\272
+\104\146\016\034\250\134\060\173\063\344\012\046\004\374\357\236
+\032\070\326\056\241\037\320\231\107\302\165\144\044\375\236\073
+\050\166\271\046\050\141\221\014\155\054\370\004\237\174\120\001
+\325\343\151\257\357\025\322\105\233\044\011\052\146\005\117\045
+\201\312\135\276\252\301\131\047\256\063\216\202\367\337\164\260
+\125\263\216\370\347\067\310\156\252\126\104\366\275\123\201\043
+\226\075\264\372\062\212\123\146\104\045\242\045\306\246\074\045
+\214\360\340\050\006\042\267\046\101
+END
+
+# Trust for Certificate "Explicitly Distrust DigiNotar Cyber CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Explicitly Distrust DigiNotar Cyber CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\245\216\240\354\366\104\126\065\031\035\150\133\307\240\344\034
+\260\115\171\056
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\274\275\211\022\264\377\345\371\046\107\310\140\066\133\331\124
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\140\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+\022\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157
+\164\141\162\061\033\060\031\006\003\125\004\003\023\022\104\151
+\147\151\116\157\164\141\162\040\103\171\142\145\162\040\103\101
+\061\040\060\036\006\011\052\206\110\206\367\015\001\011\001\026
+\021\151\156\146\157\100\144\151\147\151\156\157\164\141\162\056
+\156\154
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\004\017\377\377\377
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "Explicitly Distrust DigiNotar Cyber CA 2nd"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Explicitly Distrust DigiNotar Cyber CA 2nd"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\076\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+\022\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157
+\164\141\162\061\033\060\031\006\003\125\004\003\023\022\104\151
+\147\151\116\157\164\141\162\040\103\171\142\145\162\040\103\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\076\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+\022\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157
+\164\141\162\061\033\060\031\006\003\125\004\003\023\022\104\151
+\147\151\116\157\164\141\162\040\103\171\142\145\162\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\004\017\377\377\377
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\001\060\202\004\152\240\003\002\001\002\002\004\017
+\377\377\377\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\060\076\061\013\060\011\006\003\125\004\006\023\002\116
+\114\061\022\060\020\006\003\125\004\012\023\011\104\151\147\151
+\116\157\164\141\162\061\033\060\031\006\003\125\004\003\023\022
+\104\151\147\151\116\157\164\141\162\040\103\171\142\145\162\040
+\103\101\060\036\027\015\060\066\060\071\062\067\061\060\065\063
+\065\063\132\027\015\061\063\060\071\062\060\060\071\064\064\060
+\067\132\060\076\061\013\060\011\006\003\125\004\006\023\002\116
+\114\061\022\060\020\006\003\125\004\012\023\011\104\151\147\151
+\116\157\164\141\162\061\033\060\031\006\003\125\004\003\023\022
+\104\151\147\151\116\157\164\141\162\040\103\171\142\145\162\040
+\103\101\060\202\002\042\060\015\006\011\052\206\110\206\367\015
+\001\001\001\005\000\003\202\002\017\000\060\202\002\012\002\202
+\002\001\000\322\316\025\012\055\250\136\204\147\255\375\276\357
+\106\307\310\271\317\163\374\364\064\271\371\054\103\347\140\023
+\075\172\343\262\317\073\147\154\220\255\300\271\077\204\122\360
+\065\102\334\164\334\050\073\275\122\264\247\254\162\105\027\306
+\360\211\353\264\252\045\362\135\113\136\321\331\207\272\326\175
+\174\365\316\062\237\020\063\305\261\112\273\136\221\061\302\320
+\351\101\302\221\144\176\011\101\073\333\213\010\067\152\252\312
+\122\336\265\071\036\300\210\003\245\077\213\231\023\141\103\265
+\233\202\263\356\040\157\317\241\104\242\352\057\153\100\237\217
+\053\127\255\241\123\302\205\042\151\235\240\077\121\337\013\101
+\221\015\245\341\250\252\134\111\010\135\275\336\160\101\261\017
+\311\143\153\323\177\064\164\002\057\064\132\170\165\034\150\172
+\201\147\212\363\332\100\360\140\143\364\222\040\327\003\246\075
+\243\036\147\304\204\033\101\245\311\214\346\275\352\110\266\005
+\026\010\263\067\022\132\367\141\074\367\070\157\056\227\340\157
+\126\070\124\323\050\265\255\024\156\056\113\144\265\047\145\267
+\165\045\011\266\007\075\225\126\002\012\202\140\262\163\105\340
+\063\046\121\164\232\271\324\120\034\366\115\133\133\122\122\023
+\132\246\177\247\016\341\350\101\124\147\230\214\207\325\311\323
+\154\313\323\124\222\006\011\064\101\367\201\157\077\236\311\174
+\165\125\260\347\301\263\167\350\303\304\000\065\225\100\160\020
+\112\005\336\045\273\237\131\245\144\274\107\140\277\140\343\166
+\213\023\125\335\341\164\172\271\317\044\246\152\177\336\144\042
+\104\130\150\202\152\020\371\075\345\076\033\271\275\374\042\364
+\140\004\211\273\125\155\050\125\372\336\216\215\033\041\024\327
+\067\213\064\173\115\366\262\262\020\317\063\261\175\034\142\231
+\110\313\053\154\166\226\125\277\031\015\035\037\273\145\252\033
+\216\231\265\306\050\220\345\202\055\170\120\040\232\375\171\057
+\044\177\360\211\051\151\364\175\315\163\276\263\355\116\301\321
+\355\122\136\217\367\270\327\215\207\255\262\331\033\121\022\377
+\126\263\341\257\064\175\134\244\170\210\020\236\235\003\306\245
+\252\242\044\121\367\111\024\305\261\356\131\103\225\337\253\150
+\050\060\077\002\003\001\000\001\243\202\001\206\060\202\001\202
+\060\022\006\003\125\035\023\001\001\377\004\010\060\006\001\001
+\377\002\001\001\060\123\006\003\125\035\040\004\114\060\112\060
+\110\006\011\053\006\001\004\001\261\076\001\000\060\073\060\071
+\006\010\053\006\001\005\005\007\002\001\026\055\150\164\164\160
+\072\057\057\167\167\167\056\160\165\142\154\151\143\055\164\162
+\165\163\164\056\143\157\155\057\103\120\123\057\117\155\156\151
+\122\157\157\164\056\150\164\155\154\060\016\006\003\125\035\017
+\001\001\377\004\004\003\002\001\006\060\201\240\006\003\125\035
+\043\004\201\230\060\201\225\200\024\246\014\035\237\141\377\007
+\027\265\277\070\106\333\103\060\325\216\260\122\006\241\171\244
+\167\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103
+\157\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003
+\125\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162
+\165\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111
+\156\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124
+\105\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157
+\142\141\154\040\122\157\157\164\202\002\001\245\060\105\006\003
+\125\035\037\004\076\060\074\060\072\240\070\240\066\206\064\150
+\164\164\160\072\057\057\167\167\167\056\160\165\142\154\151\143
+\055\164\162\165\163\164\056\143\157\155\057\143\147\151\055\142
+\151\156\057\103\122\114\057\062\060\061\070\057\143\144\160\056
+\143\162\154\060\035\006\003\125\035\016\004\026\004\024\253\371
+\150\337\317\112\067\327\173\105\214\137\162\336\100\104\303\145
+\273\302\060\015\006\011\052\206\110\206\367\015\001\001\005\005
+\000\003\201\201\000\011\312\142\017\215\273\112\340\324\172\065
+\053\006\055\321\050\141\266\254\001\373\203\111\274\256\324\057
+\055\206\256\031\203\245\326\035\023\342\027\276\376\062\164\351
+\172\024\070\312\224\136\367\051\001\151\161\033\221\032\375\243
+\273\252\035\312\173\342\026\375\241\243\016\363\014\137\262\341
+\040\061\224\053\136\222\166\355\372\351\265\043\246\277\012\073
+\003\251\157\122\140\124\315\137\351\267\057\174\242\047\375\101
+\203\165\266\015\373\170\046\363\261\105\351\062\225\052\032\065
+\041\225\305\242\165
+END
+
+# Trust for Certificate "Explicitly Distrust DigiNotar Cyber CA 2nd"
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Explicitly Distrust DigiNotar Cyber CA 2nd"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\210\036\105\005\017\230\331\131\373\012\065\371\114\016\050\227
+\125\026\051\263
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\360\256\251\075\362\054\210\334\174\205\033\226\175\132\034\021
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\076\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+\022\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157
+\164\141\162\061\033\060\031\006\003\125\004\003\023\022\104\151
+\147\151\116\157\164\141\162\040\103\171\142\145\162\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\004\017\377\377\377
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "Explicitly Distrusted DigiNotar PKIoverheid"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\137\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+\027\060\025\006\003\125\004\012\023\016\104\151\147\151\116\157
+\164\141\162\040\102\056\126\056\061\067\060\065\006\003\125\004
+\003\023\056\104\151\147\151\116\157\164\141\162\040\120\113\111
+\157\166\145\162\150\145\151\144\040\103\101\040\117\166\145\162
+\150\145\151\144\040\145\156\040\102\145\144\162\151\152\166\145
+\156
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\137\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+\027\060\025\006\003\125\004\012\023\016\104\151\147\151\116\157
+\164\141\162\040\102\056\126\056\061\067\060\065\006\003\125\004
+\003\023\056\104\151\147\151\116\157\164\141\162\040\120\113\111
+\157\166\145\162\150\145\151\144\040\103\101\040\117\166\145\162
+\150\145\151\144\040\145\156\040\102\145\144\162\151\152\166\145
+\156
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\004\017\377\377\377
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\216\060\202\003\166\240\003\002\001\002\002\004\017
+\377\377\377\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\060\137\061\013\060\011\006\003\125\004\006\023\002\116
+\114\061\027\060\025\006\003\125\004\012\023\016\104\151\147\151
+\116\157\164\141\162\040\102\056\126\056\061\067\060\065\006\003
+\125\004\003\023\056\104\151\147\151\116\157\164\141\162\040\120
+\113\111\157\166\145\162\150\145\151\144\040\103\101\040\117\166
+\145\162\150\145\151\144\040\145\156\040\102\145\144\162\151\152
+\166\145\156\060\036\027\015\060\067\060\067\060\065\060\070\064
+\062\060\070\132\027\015\061\065\060\067\062\067\060\070\063\071
+\064\067\132\060\137\061\013\060\011\006\003\125\004\006\023\002
+\116\114\061\027\060\025\006\003\125\004\012\023\016\104\151\147
+\151\116\157\164\141\162\040\102\056\126\056\061\067\060\065\006
+\003\125\004\003\023\056\104\151\147\151\116\157\164\141\162\040
+\120\113\111\157\166\145\162\150\145\151\144\040\103\101\040\117
+\166\145\162\150\145\151\144\040\145\156\040\102\145\144\162\151
+\152\166\145\156\060\202\001\042\060\015\006\011\052\206\110\206
+\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012
+\002\202\001\001\000\334\275\322\247\116\152\012\273\073\242\205
+\341\177\000\255\276\264\060\150\230\007\315\240\172\304\224\317
+\161\371\212\067\344\123\353\127\166\314\213\346\154\376\356\207
+\125\310\076\273\004\071\000\247\200\170\254\133\117\176\364\275
+\270\124\270\161\073\007\061\111\071\223\124\174\040\073\171\053
+\217\273\141\220\175\261\254\346\037\220\056\235\105\001\251\144
+\055\115\303\057\271\347\120\325\116\052\134\253\166\166\067\106
+\327\171\354\102\231\367\242\354\244\211\160\334\070\053\207\246
+\252\044\346\235\222\044\033\276\366\375\324\057\031\027\172\346
+\062\007\224\124\005\123\103\351\154\274\257\107\313\274\313\375
+\275\073\104\022\201\361\153\113\273\355\264\317\253\045\117\030
+\322\314\002\374\243\117\265\102\063\313\131\315\011\334\323\120
+\375\240\166\214\254\176\146\212\102\366\255\034\222\363\266\373
+\024\106\353\115\327\057\060\340\155\356\133\066\276\104\164\267
+\040\005\127\205\115\350\000\031\242\366\014\346\256\241\300\102
+\337\247\254\202\135\307\150\267\030\346\211\113\232\153\372\316
+\171\371\363\054\247\002\003\001\000\001\243\202\001\120\060\202
+\001\114\060\110\006\003\125\035\040\004\101\060\077\060\075\006
+\004\125\035\040\000\060\065\060\063\006\010\053\006\001\005\005
+\007\002\001\026\047\150\164\164\160\072\057\057\167\167\167\056
+\144\151\147\151\156\157\164\141\162\056\156\154\057\143\160\163
+\057\160\153\151\157\166\145\162\150\145\151\144\060\017\006\003
+\125\035\023\001\001\377\004\005\060\003\001\001\377\060\016\006
+\003\125\035\017\001\001\377\004\004\003\002\001\006\060\201\200
+\006\003\125\035\043\004\171\060\167\200\024\013\206\326\017\167
+\243\150\261\373\144\011\303\210\156\134\004\034\127\351\075\241
+\131\244\127\060\125\061\013\060\011\006\003\125\004\006\023\002
+\116\114\061\036\060\034\006\003\125\004\012\023\025\123\164\141
+\141\164\040\144\145\162\040\116\145\144\145\162\154\141\156\144
+\145\156\061\046\060\044\006\003\125\004\003\023\035\123\164\141
+\141\164\040\144\145\162\040\116\145\144\145\162\154\141\156\144
+\145\156\040\122\157\157\164\040\103\101\202\004\000\230\232\171
+\060\075\006\003\125\035\037\004\066\060\064\060\062\240\060\240
+\056\206\054\150\164\164\160\072\057\057\143\162\154\056\160\153
+\151\157\166\145\162\150\145\151\144\056\156\154\057\104\157\155
+\117\166\114\141\164\145\163\164\103\122\114\056\143\162\154\060
+\035\006\003\125\035\016\004\026\004\024\114\010\311\215\166\361
+\230\307\076\337\074\327\057\165\015\261\166\171\227\314\060\015
+\006\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001
+\001\000\014\224\207\032\277\115\343\205\342\356\327\330\143\171
+\016\120\337\306\204\133\322\273\331\365\061\012\032\065\227\164
+\337\024\372\052\017\076\355\240\343\010\366\325\116\133\257\246
+\256\045\342\105\153\042\017\267\124\050\176\222\336\215\024\154
+\321\034\345\156\164\004\234\267\357\064\104\105\337\311\203\035
+\031\037\300\051\151\337\211\325\077\302\260\123\155\345\116\027
+\344\163\141\043\023\046\161\103\375\114\131\313\303\337\042\252
+\041\053\331\277\225\021\032\212\244\342\253\247\135\113\157\051
+\365\122\321\344\322\025\261\213\376\360\003\317\247\175\351\231
+\207\070\263\015\163\024\344\162\054\341\316\365\255\006\110\144
+\372\323\051\271\242\330\273\364\325\013\245\100\104\103\216\240
+\277\316\132\245\122\114\144\323\027\061\141\314\350\244\212\350
+\344\210\373\351\345\057\006\063\063\233\224\146\146\261\253\120
+\072\241\011\201\164\123\132\047\271\246\322\045\317\323\303\247
+\377\226\320\057\352\340\036\215\122\351\030\034\040\012\107\240
+\226\126\016\100\220\121\104\254\032\375\361\356\205\037\367\102
+\132\145
+END
+
+# Trust for Certificate "Explicitly Distrusted DigiNotar PKIoverheid"
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\247\250\311\254\364\137\220\222\166\206\270\300\242\016\223\130
+\175\336\060\344
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\243\317\263\377\371\117\247\261\353\072\165\130\116\056\237\352
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\137\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+\027\060\025\006\003\125\004\012\023\016\104\151\147\151\116\157
+\164\141\162\040\102\056\126\056\061\067\060\065\006\003\125\004
+\003\023\056\104\151\147\151\116\157\164\141\162\040\120\113\111
+\157\166\145\162\150\145\151\144\040\103\101\040\117\166\145\162
+\150\145\151\144\040\145\156\040\102\145\144\162\151\152\166\145
+\156
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\004\017\377\377\377
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid G2"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157
+\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004
+\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111
+\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141
+\156\151\163\141\164\151\145\040\055\040\107\062
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157
+\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004
+\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111
+\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141
+\156\151\163\141\164\151\145\040\055\040\107\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\004\017\377\377\377
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\006\225\060\202\004\175\240\003\002\001\002\002\004\017
+\377\377\377\060\015\006\011\052\206\110\206\367\015\001\001\013
+\005\000\060\132\061\013\060\011\006\003\125\004\006\023\002\116
+\114\061\027\060\025\006\003\125\004\012\014\016\104\151\147\151
+\116\157\164\141\162\040\102\056\126\056\061\062\060\060\006\003
+\125\004\003\014\051\104\151\147\151\116\157\164\141\162\040\120
+\113\111\157\166\145\162\150\145\151\144\040\103\101\040\117\162
+\147\141\156\151\163\141\164\151\145\040\055\040\107\062\060\036
+\027\015\061\060\060\065\061\062\060\070\065\061\063\071\132\027
+\015\062\060\060\063\062\063\060\071\065\060\060\065\132\060\132
+\061\013\060\011\006\003\125\004\006\023\002\116\114\061\027\060
+\025\006\003\125\004\012\014\016\104\151\147\151\116\157\164\141
+\162\040\102\056\126\056\061\062\060\060\006\003\125\004\003\014
+\051\104\151\147\151\116\157\164\141\162\040\120\113\111\157\166
+\145\162\150\145\151\144\040\103\101\040\117\162\147\141\156\151
+\163\141\164\151\145\040\055\040\107\062\060\202\002\042\060\015
+\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002
+\017\000\060\202\002\012\002\202\002\001\000\261\023\031\017\047
+\346\154\324\125\206\113\320\354\211\212\105\221\170\254\107\275
+\107\053\344\374\105\353\117\264\046\163\133\067\323\303\177\366
+\343\336\327\243\370\055\150\305\010\076\113\224\326\344\207\045
+\066\153\204\265\030\164\363\050\130\163\057\233\152\317\274\004
+\036\366\336\335\257\374\113\252\365\333\146\142\045\001\045\202
+\336\362\227\132\020\156\335\135\251\042\261\004\251\043\163\072
+\370\161\255\035\317\204\104\353\107\321\257\155\310\174\050\253
+\307\362\067\172\164\137\137\305\002\024\212\243\132\343\033\154
+\001\343\135\216\331\150\326\364\011\033\062\334\221\265\054\365
+\040\353\214\003\155\046\111\270\223\304\205\135\330\322\233\257
+\126\152\314\005\063\314\240\102\236\064\125\104\234\153\240\324
+\022\320\053\124\315\267\211\015\345\366\353\350\373\205\001\063
+\117\172\153\361\235\162\063\226\016\367\262\204\245\245\047\304
+\047\361\121\163\051\167\272\147\156\376\114\334\264\342\241\241
+\201\057\071\111\215\103\070\023\316\320\245\134\302\207\072\000
+\147\145\102\043\361\066\131\012\035\243\121\310\274\243\224\052
+\061\337\343\074\362\235\032\074\004\260\357\261\012\060\023\163
+\266\327\363\243\114\001\165\024\205\170\300\327\212\071\130\205
+\120\372\056\346\305\276\317\213\077\257\217\066\324\045\011\055
+\322\017\254\162\223\362\277\213\324\120\263\371\025\120\233\231
+\365\024\331\373\213\221\243\062\046\046\240\370\337\073\140\201
+\206\203\171\133\053\353\023\075\051\072\301\155\335\275\236\216
+\207\326\112\256\064\227\005\356\024\246\366\334\070\176\112\351
+\044\124\007\075\227\150\067\106\153\015\307\250\041\257\023\124
+\344\011\152\361\115\106\012\311\135\373\233\117\275\336\373\267
+\124\313\270\070\234\247\071\373\152\055\300\173\215\253\245\247
+\127\354\112\222\212\063\305\341\040\134\163\330\220\222\053\200
+\325\017\206\030\151\174\071\117\204\206\274\367\114\133\363\325
+\264\312\240\302\360\067\042\312\171\122\037\123\346\252\363\220
+\260\073\335\362\050\375\254\353\305\006\044\240\311\324\057\017
+\130\375\265\236\354\017\317\262\131\320\242\004\172\070\152\256
+\162\373\275\360\045\142\224\011\247\005\013\002\003\001\000\001
+\243\202\001\141\060\202\001\135\060\110\006\003\125\035\040\004
+\101\060\077\060\075\006\004\125\035\040\000\060\065\060\063\006
+\010\053\006\001\005\005\007\002\001\026\047\150\164\164\160\072
+\057\057\167\167\167\056\144\151\147\151\156\157\164\141\162\056
+\156\154\057\143\160\163\057\160\153\151\157\166\145\162\150\145
+\151\144\060\017\006\003\125\035\023\001\001\377\004\005\060\003
+\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004\003
+\002\001\006\060\201\205\006\003\125\035\043\004\176\060\174\200
+\024\071\020\213\111\222\134\333\141\022\040\315\111\235\032\216
+\332\234\147\100\271\241\136\244\134\060\132\061\013\060\011\006
+\003\125\004\006\023\002\116\114\061\036\060\034\006\003\125\004
+\012\014\025\123\164\141\141\164\040\144\145\162\040\116\145\144
+\145\162\154\141\156\144\145\156\061\053\060\051\006\003\125\004
+\003\014\042\123\164\141\141\164\040\144\145\162\040\116\145\144
+\145\162\154\141\156\144\145\156\040\122\157\157\164\040\103\101
+\040\055\040\107\062\202\004\000\230\226\364\060\111\006\003\125
+\035\037\004\102\060\100\060\076\240\074\240\072\206\070\150\164
+\164\160\072\057\057\143\162\154\056\160\153\151\157\166\145\162
+\150\145\151\144\056\156\154\057\104\157\155\117\162\147\141\156
+\151\163\141\164\151\145\114\141\164\145\163\164\103\122\114\055
+\107\062\056\143\162\154\060\035\006\003\125\035\016\004\026\004
+\024\274\135\224\073\331\253\173\003\045\163\141\302\333\055\356
+\374\253\217\145\241\060\015\006\011\052\206\110\206\367\015\001
+\001\013\005\000\003\202\002\001\000\217\374\055\114\267\331\055
+\325\037\275\357\313\364\267\150\027\165\235\116\325\367\335\234
+\361\052\046\355\237\242\266\034\003\325\123\263\354\010\317\064
+\342\343\303\364\265\026\057\310\303\276\327\323\163\253\000\066
+\371\032\112\176\326\143\351\136\106\272\245\266\216\025\267\243
+\052\330\103\035\357\135\310\037\201\205\263\213\367\377\074\364
+\331\364\106\010\077\234\274\035\240\331\250\114\315\045\122\116
+\012\261\040\367\037\351\103\331\124\106\201\023\232\300\136\164
+\154\052\230\062\352\374\167\273\015\245\242\061\230\042\176\174
+\174\347\332\244\255\354\267\056\032\031\161\370\110\120\332\103
+\217\054\204\335\301\100\047\343\265\360\025\116\226\324\370\134
+\343\206\051\106\053\327\073\007\353\070\177\310\206\127\227\323
+\357\052\063\304\027\120\325\144\151\153\053\153\105\136\135\057
+\027\312\132\116\317\303\327\071\074\365\073\237\106\271\233\347
+\016\111\227\235\326\325\343\033\017\352\217\001\116\232\023\224
+\131\012\002\007\110\113\032\140\253\177\117\355\013\330\125\015
+\150\157\125\234\151\145\025\102\354\300\334\335\154\254\303\026
+\316\013\035\126\233\244\304\304\322\056\340\017\342\104\047\053
+\120\151\244\334\142\350\212\041\051\102\154\314\000\072\226\166
+\233\357\100\300\244\136\167\204\062\154\046\052\071\146\256\135
+\343\271\271\262\054\150\037\036\232\220\003\071\360\252\263\244
+\314\111\213\030\064\351\067\311\173\051\307\204\174\157\104\025
+\057\354\141\131\004\311\105\313\242\326\122\242\174\177\051\222
+\326\112\305\213\102\250\324\376\352\330\307\207\043\030\344\235
+\172\175\163\100\122\230\240\256\156\343\005\077\005\017\340\245
+\306\155\115\355\203\067\210\234\307\363\334\102\232\152\266\327
+\041\111\066\167\362\357\030\117\305\160\331\236\351\336\267\053
+\213\364\274\176\050\337\015\100\311\205\134\256\235\305\061\377
+\320\134\016\265\250\176\360\351\057\272\257\210\256\345\265\321
+\130\245\257\234\161\247\051\001\220\203\151\067\202\005\272\374
+\011\301\010\156\214\170\073\303\063\002\200\077\104\205\010\035
+\337\125\126\010\255\054\205\055\135\261\003\341\256\252\164\305
+\244\363\116\272\067\230\173\202\271
+END
+
+# Trust for Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid G2"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\325\362\127\251\277\055\320\077\213\106\127\371\053\311\244\306
+\222\341\102\102
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\056\141\242\321\170\316\356\277\131\063\260\043\024\017\224\034
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157
+\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004
+\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111
+\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141
+\156\151\163\141\164\151\145\040\055\040\107\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\004\017\377\377\377
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
--- a/security/nss/lib/ckfw/builtins/nssckbi.h
+++ b/security/nss/lib/ckfw/builtins/nssckbi.h
@@ -72,18 +72,18 @@
  *     ...
  *   - NSS 3.29 branch: 250-255
  *
  * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
  * whether we may use its full range (0-255) or only 0-99 because
  * of the comment in the CK_VERSION type definition.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 85
-#define NSS_BUILTINS_LIBRARY_VERSION "1.85"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 87
+#define NSS_BUILTINS_LIBRARY_VERSION "1.87"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
 #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
 
 /* These version numbers detail the semantic changes to ckbi itself 
  * (new PKCS #11 objects), etc. */
 #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
--- a/xpcom/idl-parser/typelib.py
+++ b/xpcom/idl-parser/typelib.py
@@ -89,17 +89,19 @@ def build_interface(iface, ifaces):
             else:
                   tag = TypeMap[type.name]
                   isPtr = (tag == xpt.Type.Tags.char_ptr or tag == xpt.Type.Tags.wchar_t_ptr)
                   return xpt.SimpleType(tag,
                                         pointer=isPtr,
                                         reference=False)
 
         if isinstance(type, xpidl.Array):
-            return xpt.ArrayType(get_type(type.type, calltype), size_is,
+            # NB: For an Array<T> we pass down the iid_is to get the type of T.
+            #     This allows Arrays of InterfaceIs types to work.
+            return xpt.ArrayType(get_type(type.type, calltype, iid_is), size_is,
                                  #XXXkhuey length_is duplicates size_is (bug 677788),
                                  size_is)
 
         if isinstance(type, xpidl.Interface) or isinstance(type, xpidl.Forward):
             xptiface = None
             for i in ifaces:
                 if i.name == type.name:
                     xptiface = i