Merge NSS trunk onto NSS_TLS13_DRAFT19_BRANCH NSS_TLS13_DRAFT19_BRANCH
authorMartin Thomson <martin.thomson@gmail.com>
Fri, 28 Jul 2017 12:14:10 +1000
branchNSS_TLS13_DRAFT19_BRANCH
changeset 13480 9cc76d4ce5067785c5044d4934e5a2ec454fc88b
parent 13465 1bca0a132021760b7df57dc6953ad02d7c4a2c88 (current diff)
parent 13479 df096339f92531ae3e79b7931702334371a0ecc9 (diff)
child 13481 e63b527213546bbabeed4f5daae26acea340ae30
push id2286
push usermartin.thomson@gmail.com
push dateFri, 28 Jul 2017 02:16:06 +0000
Merge NSS trunk onto NSS_TLS13_DRAFT19_BRANCH
gtests/ssl_gtest/manifest.mn
gtests/ssl_gtest/ssl_0rtt_unittest.cc
gtests/ssl_gtest/ssl_gtest.gyp
gtests/ssl_gtest/tls_connect.cc
lib/ssl/SSLerrs.h
lib/ssl/manifest.mn
lib/ssl/ssl.def
lib/ssl/ssl.h
lib/ssl/sslerr.h
lib/ssl/sslsock.c
--- a/automation/abi-check/previous-nss-release
+++ b/automation/abi-check/previous-nss-release
@@ -1,1 +1,1 @@
-NSS_3_31_BRANCH
+NSS_3_32_BRANCH
--- a/coreconf/coreconf.dep
+++ b/coreconf/coreconf.dep
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/fuzz/config/git-copy.sh
+++ b/fuzz/config/git-copy.sh
@@ -1,32 +1,33 @@
-#!/bin/sh
+#!/usr/bin/env bash
 
 set -e
 
 if [ $# -lt 3 ]; then
   echo "Usage: $0 <repo> <branch> <directory>" 1>&2
   exit 2
 fi
 
 REPO=$1
 COMMIT=$2
 DIR=$3
 
 echo "Copy '$COMMIT' from '$REPO' to '$DIR'"
 if [ -f $DIR/.git-copy ]; then
   CURRENT=$(cat $DIR/.git-copy)
   if [ $(echo -n $COMMIT | wc -c) != "40" ]; then
+    # On the off chance that $COMMIT is a remote head.
     ACTUAL=$(git ls-remote $REPO $COMMIT | cut -c 1-40 -)
   else
     ACTUAL=$COMMIT
   fi
-  if [ CURRENT = ACTUAL ]; then
+  if [ "$CURRENT" = "$ACTUAL" ]; then
     echo "Up to date."
+    exit
   fi
 fi
 
-mkdir -p $DIR
-git -C $DIR init -q
+git init -q $DIR
 git -C $DIR fetch -q --depth=1 $REPO $COMMIT:git-copy-tmp
 git -C $DIR reset --hard git-copy-tmp
-git -C $DIR show-ref HEAD | cut -c 1-40 - > $DIR/.git-copy
+git -C $DIR rev-parse --verify HEAD > $DIR/.git-copy
 rm -rf $DIR/.git
--- a/gtests/ssl_gtest/manifest.mn
+++ b/gtests/ssl_gtest/manifest.mn
@@ -26,16 +26,17 @@ CPPSRCS = \
       ssl_exporter_unittest.cc \
       ssl_extension_unittest.cc \
       ssl_fragment_unittest.cc \
       ssl_fuzz_unittest.cc \
       ssl_gather_unittest.cc \
       ssl_gtest.cc \
       ssl_hrr_unittest.cc \
       ssl_loopback_unittest.cc \
+      ssl_misc_unittest.cc \
       ssl_record_unittest.cc \
       ssl_resumption_unittest.cc \
       ssl_skip_unittest.cc \
       ssl_staticrsa_unittest.cc \
       ssl_v2_client_hello_unittest.cc \
       ssl_version_unittest.cc \
       ssl_versionpolicy_unittest.cc \
       selfencrypt_unittest.cc \
--- a/gtests/ssl_gtest/ssl_0rtt_unittest.cc
+++ b/gtests/ssl_gtest/ssl_0rtt_unittest.cc
@@ -2,16 +2,17 @@
 /* vim: set ts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "secerr.h"
 #include "ssl.h"
 #include "sslerr.h"
+#include "sslexp.h"
 #include "sslproto.h"
 
 extern "C" {
 // This is not something that should make you happy.
 #include "libssl_internals.h"
 }
 
 #include "gtest_utils.h"
--- a/gtests/ssl_gtest/ssl_gtest.gyp
+++ b/gtests/ssl_gtest/ssl_gtest.gyp
@@ -27,16 +27,17 @@
         'ssl_exporter_unittest.cc',
         'ssl_extension_unittest.cc',
         'ssl_fuzz_unittest.cc',
         'ssl_fragment_unittest.cc',
         'ssl_gather_unittest.cc',
         'ssl_gtest.cc',
         'ssl_hrr_unittest.cc',
         'ssl_loopback_unittest.cc',
+        'ssl_misc_unittest.cc',
         'ssl_record_unittest.cc',
         'ssl_resumption_unittest.cc',
         'ssl_skip_unittest.cc',
         'ssl_staticrsa_unittest.cc',
         'ssl_v2_client_hello_unittest.cc',
         'ssl_version_unittest.cc',
         'ssl_versionpolicy_unittest.cc',
         'test_io.cc',
new file mode 100644
--- /dev/null
+++ b/gtests/ssl_gtest/ssl_misc_unittest.cc
@@ -0,0 +1,20 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "sslexp.h"
+
+#include "gtest_utils.h"
+
+namespace nss_test {
+
+class MiscTest : public ::testing::Test {};
+
+TEST_F(MiscTest, NonExistentExperimentalAPI) {
+  EXPECT_EQ(nullptr, SSL_GetExperimentalAPI("blah"));
+  EXPECT_EQ(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API, PORT_GetError());
+}
+
+}  // namespace nss_test
--- a/gtests/ssl_gtest/tls_connect.cc
+++ b/gtests/ssl_gtest/tls_connect.cc
@@ -1,15 +1,16 @@
 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* vim: set ts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "tls_connect.h"
+#include "sslexp.h"
 extern "C" {
 #include "libssl_internals.h"
 }
 
 #include <iostream>
 
 #include "databuffer.h"
 #include "gtest_utils.h"
--- a/lib/ckfw/builtins/certdata.txt
+++ b/lib/ckfw/builtins/certdata.txt
@@ -221,17 +221,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147
 \156\040\122\157\157\164\040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\013\004\000\000\000\000\001\025\113\132\303\224
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "GlobalSign Root CA - R2"
 #
 # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
 # Serial Number:04:00:00:00:00:01:0f:86:26:e6:0d
 # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
@@ -354,17 +354,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \154\157\142\141\154\123\151\147\156\061\023\060\021\006\003\125
 \004\003\023\012\107\154\157\142\141\154\123\151\147\156
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\013\004\000\000\000\000\001\017\206\046\346\015
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
 #
 # Issuer: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:00:8b:5b:75:56:84:54:85:0b:00:cf:af:38:48:ce:b1:a4
 # Subject: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
@@ -849,17 +849,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \165\164\150\157\162\151\164\171\040\055\040\107\063
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\021\000\233\176\006\111\243\076\142\271\325\356\220\110\161
 \051\357\127
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 # Distrust "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 1/3)"
 # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:4c:00:36:1b:e5:08:2b:a9:aa:ce:74:0a:05:3e:fb:34
 # Subject: CN=Egypt Trust Class 3 Managed PKI Enterprise Administrator CA,OU=Terms of use at https://www.egypttrust.com/repository/rpa (c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG
 # Not Valid Before: Sun May 18 00:00:00 2008
 # Not Valid After : Thu May 17 23:59:59 2018
@@ -1122,17 +1122,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
 \040\050\062\060\064\070\051
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\070\143\336\370
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Baltimore CyberTrust Root"
 #
 # Issuer: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
 # Serial Number: 33554617 (0x20000b9)
 # Subject: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
@@ -1397,17 +1397,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
 \167\157\162\153\061\041\060\037\006\003\125\004\003\023\030\101
 \144\144\124\162\165\163\164\040\103\154\141\163\163\040\061\040
 \103\101\040\122\157\157\164
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "AddTrust External Root"
 #
 # Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
@@ -1549,308 +1549,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \040\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157
 \164
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "AddTrust Public Services Root"
-#
-# Issuer: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
-# Serial Number: 1 (0x1)
-# Subject: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
-# Not Valid Before: Tue May 30 10:41:50 2000
-# Not Valid After : Sat May 30 10:41:50 2020
-# Fingerprint (MD5): C1:62:3E:23:C5:82:73:9C:03:59:4B:2B:E9:77:49:7F
-# Fingerprint (SHA1): 2A:B6:28:48:5E:78:FB:F3:AD:9E:79:10:DD:6B:DF:99:72:2C:96:E5
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "AddTrust Public Services Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\144\061\013\060\011\006\003\125\004\006\023\002\123\105\061
-\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
-\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024
-\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
-\167\157\162\153\061\040\060\036\006\003\125\004\003\023\027\101
-\144\144\124\162\165\163\164\040\120\165\142\154\151\143\040\103
-\101\040\122\157\157\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\144\061\013\060\011\006\003\125\004\006\023\002\123\105\061
-\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
-\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024
-\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
-\167\157\162\153\061\040\060\036\006\003\125\004\003\023\027\101
-\144\144\124\162\165\163\164\040\120\165\142\154\151\143\040\103
-\101\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\025\060\202\002\375\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\144\061\013\060\011\006\003\125\004\006\023\002\123\105\061\024
-\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163
-\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024\101
-\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164\167
-\157\162\153\061\040\060\036\006\003\125\004\003\023\027\101\144
-\144\124\162\165\163\164\040\120\165\142\154\151\143\040\103\101
-\040\122\157\157\164\060\036\027\015\060\060\060\065\063\060\061
-\060\064\061\065\060\132\027\015\062\060\060\065\063\060\061\060
-\064\061\065\060\132\060\144\061\013\060\011\006\003\125\004\006
-\023\002\123\105\061\024\060\022\006\003\125\004\012\023\013\101
-\144\144\124\162\165\163\164\040\101\102\061\035\060\033\006\003
-\125\004\013\023\024\101\144\144\124\162\165\163\164\040\124\124
-\120\040\116\145\164\167\157\162\153\061\040\060\036\006\003\125
-\004\003\023\027\101\144\144\124\162\165\163\164\040\120\165\142
-\154\151\143\040\103\101\040\122\157\157\164\060\202\001\042\060
-\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202
-\001\017\000\060\202\001\012\002\202\001\001\000\351\032\060\217
-\203\210\024\301\040\330\074\233\217\033\176\003\164\273\332\151
-\323\106\245\370\216\302\014\021\220\121\245\057\146\124\100\125
-\352\333\037\112\126\356\237\043\156\364\071\313\241\271\157\362
-\176\371\135\207\046\141\236\034\370\342\354\246\201\370\041\305
-\044\314\021\014\077\333\046\162\172\307\001\227\007\027\371\327
-\030\054\060\175\016\172\036\142\036\306\113\300\375\175\142\167
-\323\104\036\047\366\077\113\104\263\267\070\331\071\037\140\325
-\121\222\163\003\264\000\151\343\363\024\116\356\321\334\011\317
-\167\064\106\120\260\370\021\362\376\070\171\367\007\071\376\121
-\222\227\013\133\010\137\064\206\001\255\210\227\353\146\315\136
-\321\377\334\175\362\204\332\272\167\255\334\200\010\307\247\207
-\326\125\237\227\152\350\310\021\144\272\347\031\051\077\021\263
-\170\220\204\040\122\133\021\357\170\320\203\366\325\110\220\320
-\060\034\317\200\371\140\376\171\344\210\362\335\000\353\224\105
-\353\145\224\151\100\272\300\325\264\270\272\175\004\021\250\353
-\061\005\226\224\116\130\041\216\237\320\140\375\002\003\001\000
-\001\243\201\321\060\201\316\060\035\006\003\125\035\016\004\026
-\004\024\201\076\067\330\222\260\037\167\237\134\264\253\163\252
-\347\366\064\140\057\372\060\013\006\003\125\035\017\004\004\003
-\002\001\006\060\017\006\003\125\035\023\001\001\377\004\005\060
-\003\001\001\377\060\201\216\006\003\125\035\043\004\201\206\060
-\201\203\200\024\201\076\067\330\222\260\037\167\237\134\264\253
-\163\252\347\366\064\140\057\372\241\150\244\146\060\144\061\013
-\060\011\006\003\125\004\006\023\002\123\105\061\024\060\022\006
-\003\125\004\012\023\013\101\144\144\124\162\165\163\164\040\101
-\102\061\035\060\033\006\003\125\004\013\023\024\101\144\144\124
-\162\165\163\164\040\124\124\120\040\116\145\164\167\157\162\153
-\061\040\060\036\006\003\125\004\003\023\027\101\144\144\124\162
-\165\163\164\040\120\165\142\154\151\143\040\103\101\040\122\157
-\157\164\202\001\001\060\015\006\011\052\206\110\206\367\015\001
-\001\005\005\000\003\202\001\001\000\003\367\025\112\370\044\332
-\043\126\026\223\166\335\066\050\271\256\033\270\303\361\144\272
-\040\030\170\225\051\047\127\005\274\174\052\364\271\121\125\332
-\207\002\336\017\026\027\061\370\252\171\056\011\023\273\257\262
-\040\031\022\345\223\371\113\371\203\350\104\325\262\101\045\277
-\210\165\157\377\020\374\112\124\320\137\360\372\357\066\163\175
-\033\066\105\306\041\155\264\025\270\116\317\234\134\245\075\132
-\000\216\006\343\074\153\062\173\362\237\360\266\375\337\360\050
-\030\110\360\306\274\320\277\064\200\226\302\112\261\155\216\307
-\220\105\336\057\147\254\105\004\243\172\334\125\222\311\107\146
-\330\032\214\307\355\234\116\232\340\022\273\265\152\114\204\341
-\341\042\015\207\000\144\376\214\175\142\071\145\246\357\102\266
-\200\045\022\141\001\250\044\023\160\000\021\046\137\372\065\120
-\305\110\314\006\107\350\047\330\160\215\137\144\346\241\104\046
-\136\042\354\222\315\377\102\232\104\041\155\134\305\343\042\035
-\137\107\022\347\316\137\135\372\330\252\261\063\055\331\166\362
-\116\072\063\014\053\263\055\220\006
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "AddTrust Public Services Root"
-# Issuer: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
-# Serial Number: 1 (0x1)
-# Subject: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
-# Not Valid Before: Tue May 30 10:41:50 2000
-# Not Valid After : Sat May 30 10:41:50 2020
-# Fingerprint (MD5): C1:62:3E:23:C5:82:73:9C:03:59:4B:2B:E9:77:49:7F
-# Fingerprint (SHA1): 2A:B6:28:48:5E:78:FB:F3:AD:9E:79:10:DD:6B:DF:99:72:2C:96:E5
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "AddTrust Public Services Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\052\266\050\110\136\170\373\363\255\236\171\020\335\153\337\231
-\162\054\226\345
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\301\142\076\043\305\202\163\234\003\131\113\053\351\167\111\177
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\144\061\013\060\011\006\003\125\004\006\023\002\123\105\061
-\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
-\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024
-\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
-\167\157\162\153\061\040\060\036\006\003\125\004\003\023\027\101
-\144\144\124\162\165\163\164\040\120\165\142\154\151\143\040\103
-\101\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "AddTrust Qualified Certificates Root"
-#
-# Issuer: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
-# Serial Number: 1 (0x1)
-# Subject: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
-# Not Valid Before: Tue May 30 10:44:50 2000
-# Not Valid After : Sat May 30 10:44:50 2020
-# Fingerprint (MD5): 27:EC:39:47:CD:DA:5A:AF:E2:9A:01:65:21:A9:4C:BB
-# Fingerprint (SHA1): 4D:23:78:EC:91:95:39:B5:00:7F:75:8F:03:3B:21:1E:C5:4D:8B:CF
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "AddTrust Qualified Certificates Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\147\061\013\060\011\006\003\125\004\006\023\002\123\105\061
-\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
-\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024
-\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
-\167\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101
-\144\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145
-\144\040\103\101\040\122\157\157\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\147\061\013\060\011\006\003\125\004\006\023\002\123\105\061
-\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
-\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024
-\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
-\167\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101
-\144\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145
-\144\040\103\101\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\036\060\202\003\006\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\147\061\013\060\011\006\003\125\004\006\023\002\123\105\061\024
-\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163
-\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024\101
-\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164\167
-\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101\144
-\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145\144
-\040\103\101\040\122\157\157\164\060\036\027\015\060\060\060\065
-\063\060\061\060\064\064\065\060\132\027\015\062\060\060\065\063
-\060\061\060\064\064\065\060\132\060\147\061\013\060\011\006\003
-\125\004\006\023\002\123\105\061\024\060\022\006\003\125\004\012
-\023\013\101\144\144\124\162\165\163\164\040\101\102\061\035\060
-\033\006\003\125\004\013\023\024\101\144\144\124\162\165\163\164
-\040\124\124\120\040\116\145\164\167\157\162\153\061\043\060\041
-\006\003\125\004\003\023\032\101\144\144\124\162\165\163\164\040
-\121\165\141\154\151\146\151\145\144\040\103\101\040\122\157\157
-\164\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001
-\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001
-\001\000\344\036\232\376\334\011\132\207\244\237\107\276\021\137
-\257\204\064\333\142\074\171\170\267\351\060\265\354\014\034\052
-\304\026\377\340\354\161\353\212\365\021\156\355\117\015\221\322
-\022\030\055\111\025\001\302\244\042\023\307\021\144\377\042\022
-\232\271\216\134\057\010\317\161\152\263\147\001\131\361\135\106
-\363\260\170\245\366\016\102\172\343\177\033\314\320\360\267\050
-\375\052\352\236\263\260\271\004\252\375\366\307\264\261\270\052
-\240\373\130\361\031\240\157\160\045\176\076\151\112\177\017\042
-\330\357\255\010\021\232\051\231\341\252\104\105\232\022\136\076
-\235\155\122\374\347\240\075\150\057\360\113\160\174\023\070\255
-\274\025\045\361\326\316\253\242\300\061\326\057\237\340\377\024
-\131\374\204\223\331\207\174\114\124\023\353\237\321\055\021\370
-\030\072\072\336\045\331\367\323\100\355\244\006\022\304\073\341
-\221\301\126\065\360\024\334\145\066\011\156\253\244\007\307\065
-\321\302\003\063\066\133\165\046\155\102\361\022\153\103\157\113
-\161\224\372\064\035\355\023\156\312\200\177\230\057\154\271\145
-\330\351\002\003\001\000\001\243\201\324\060\201\321\060\035\006
-\003\125\035\016\004\026\004\024\071\225\213\142\213\134\311\324
-\200\272\130\017\227\077\025\010\103\314\230\247\060\013\006\003
-\125\035\017\004\004\003\002\001\006\060\017\006\003\125\035\023
-\001\001\377\004\005\060\003\001\001\377\060\201\221\006\003\125
-\035\043\004\201\211\060\201\206\200\024\071\225\213\142\213\134
-\311\324\200\272\130\017\227\077\025\010\103\314\230\247\241\153
-\244\151\060\147\061\013\060\011\006\003\125\004\006\023\002\123
-\105\061\024\060\022\006\003\125\004\012\023\013\101\144\144\124
-\162\165\163\164\040\101\102\061\035\060\033\006\003\125\004\013
-\023\024\101\144\144\124\162\165\163\164\040\124\124\120\040\116
-\145\164\167\157\162\153\061\043\060\041\006\003\125\004\003\023
-\032\101\144\144\124\162\165\163\164\040\121\165\141\154\151\146
-\151\145\144\040\103\101\040\122\157\157\164\202\001\001\060\015
-\006\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001
-\001\000\031\253\165\352\370\213\145\141\225\023\272\151\004\357
-\206\312\023\240\307\252\117\144\033\077\030\366\250\055\054\125
-\217\005\267\060\352\102\152\035\300\045\121\055\247\277\014\263
-\355\357\010\177\154\074\106\032\352\030\103\337\166\314\371\146
-\206\234\054\150\365\351\027\370\061\263\030\304\326\110\175\043
-\114\150\301\176\273\001\024\157\305\331\156\336\273\004\102\152
-\370\366\134\175\345\332\372\207\353\015\065\122\147\320\236\227
-\166\005\223\077\225\307\001\346\151\125\070\177\020\141\231\311
-\343\137\246\312\076\202\143\110\252\342\010\110\076\252\362\262
-\205\142\246\264\247\331\275\067\234\150\265\055\126\175\260\267
-\077\240\261\007\326\351\117\334\336\105\161\060\062\177\033\056
-\011\371\277\122\241\356\302\200\076\006\134\056\125\100\301\033
-\365\160\105\260\334\135\372\366\162\132\167\322\143\315\317\130
-\211\000\102\143\077\171\071\320\104\260\202\156\101\031\350\335
-\340\301\210\132\321\036\161\223\037\044\060\164\345\036\250\336
-\074\047\067\177\203\256\236\167\317\360\060\261\377\113\231\350
-\306\241
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "AddTrust Qualified Certificates Root"
-# Issuer: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
-# Serial Number: 1 (0x1)
-# Subject: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
-# Not Valid Before: Tue May 30 10:44:50 2000
-# Not Valid After : Sat May 30 10:44:50 2020
-# Fingerprint (MD5): 27:EC:39:47:CD:DA:5A:AF:E2:9A:01:65:21:A9:4C:BB
-# Fingerprint (SHA1): 4D:23:78:EC:91:95:39:B5:00:7F:75:8F:03:3B:21:1E:C5:4D:8B:CF
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "AddTrust Qualified Certificates Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\115\043\170\354\221\225\071\265\000\177\165\217\003\073\041\036
-\305\115\213\317
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\047\354\071\107\315\332\132\257\342\232\001\145\041\251\114\273
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\147\061\013\060\011\006\003\125\004\006\023\002\123\105\061
-\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
-\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024
-\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
-\167\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101
-\144\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145
-\144\040\103\101\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Entrust Root Certification Authority"
 #
 # Issuer: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US
 # Serial Number: 1164660820 (0x456b5054)
 # Subject: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US
@@ -2135,145 +1844,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \023\022\107\145\157\124\162\165\163\164\040\107\154\157\142\141
 \154\040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\003\002\064\126
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "GeoTrust Global CA 2"
-#
-# Issuer: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US
-# Serial Number: 1 (0x1)
-# Subject: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US
-# Not Valid Before: Thu Mar 04 05:00:00 2004
-# Not Valid After : Mon Mar 04 05:00:00 2019
-# Fingerprint (MD5): 0E:40:A7:6C:DE:03:5D:8F:D1:0F:E4:D1:8D:F9:6C:A9
-# Fingerprint (SHA1): A9:E9:78:08:14:37:58:88:F2:05:19:B0:6D:2B:0D:2B:60:16:90:7D
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "GeoTrust Global CA 2"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\104\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\026\060\024\006\003\125\004\012\023\015\107\145\157\124\162\165
-\163\164\040\111\156\143\056\061\035\060\033\006\003\125\004\003
-\023\024\107\145\157\124\162\165\163\164\040\107\154\157\142\141
-\154\040\103\101\040\062
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\104\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\026\060\024\006\003\125\004\012\023\015\107\145\157\124\162\165
-\163\164\040\111\156\143\056\061\035\060\033\006\003\125\004\003
-\023\024\107\145\157\124\162\165\163\164\040\107\154\157\142\141
-\154\040\103\101\040\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\146\060\202\002\116\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\104\061\013\060\011\006\003\125\004\006\023\002\125\123\061\026
-\060\024\006\003\125\004\012\023\015\107\145\157\124\162\165\163
-\164\040\111\156\143\056\061\035\060\033\006\003\125\004\003\023
-\024\107\145\157\124\162\165\163\164\040\107\154\157\142\141\154
-\040\103\101\040\062\060\036\027\015\060\064\060\063\060\064\060
-\065\060\060\060\060\132\027\015\061\071\060\063\060\064\060\065
-\060\060\060\060\132\060\104\061\013\060\011\006\003\125\004\006
-\023\002\125\123\061\026\060\024\006\003\125\004\012\023\015\107
-\145\157\124\162\165\163\164\040\111\156\143\056\061\035\060\033
-\006\003\125\004\003\023\024\107\145\157\124\162\165\163\164\040
-\107\154\157\142\141\154\040\103\101\040\062\060\202\001\042\060
-\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202
-\001\017\000\060\202\001\012\002\202\001\001\000\357\074\115\100
-\075\020\337\073\123\000\341\147\376\224\140\025\076\205\210\361
-\211\015\220\310\050\043\231\005\350\053\040\235\306\363\140\106
-\330\301\262\325\214\061\331\334\040\171\044\201\277\065\062\374
-\143\151\333\261\052\153\356\041\130\362\010\351\170\313\157\313
-\374\026\122\310\221\304\377\075\163\336\261\076\247\302\175\146
-\301\365\176\122\044\032\342\325\147\221\320\202\020\327\170\113
-\117\053\102\071\275\144\055\100\240\260\020\323\070\110\106\210
-\241\014\273\072\063\052\142\230\373\000\235\023\131\177\157\073
-\162\252\356\246\017\206\371\005\141\352\147\177\014\067\226\213
-\346\151\026\107\021\302\047\131\003\263\246\140\302\041\100\126
-\372\240\307\175\072\023\343\354\127\307\263\326\256\235\211\200
-\367\001\347\054\366\226\053\023\015\171\054\331\300\344\206\173
-\113\214\014\162\202\212\373\027\315\000\154\072\023\074\260\204
-\207\113\026\172\051\262\117\333\035\324\013\363\146\067\275\330
-\366\127\273\136\044\172\270\074\213\271\372\222\032\032\204\236
-\330\164\217\252\033\177\136\364\376\105\042\041\002\003\001\000
-\001\243\143\060\141\060\017\006\003\125\035\023\001\001\377\004
-\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026\004
-\024\161\070\066\362\002\061\123\107\053\156\272\145\106\251\020
-\025\130\040\005\011\060\037\006\003\125\035\043\004\030\060\026
-\200\024\161\070\066\362\002\061\123\107\053\156\272\145\106\251
-\020\025\130\040\005\011\060\016\006\003\125\035\017\001\001\377
-\004\004\003\002\001\206\060\015\006\011\052\206\110\206\367\015
-\001\001\005\005\000\003\202\001\001\000\003\367\265\053\253\135
-\020\374\173\262\262\136\254\233\016\176\123\170\131\076\102\004
-\376\165\243\255\254\201\116\327\002\213\136\304\055\310\122\166
-\307\054\037\374\201\062\230\321\113\306\222\223\063\065\061\057
-\374\330\035\104\335\340\201\177\235\351\213\341\144\221\142\013
-\071\010\214\254\164\235\131\331\172\131\122\227\021\271\026\173
-\157\105\323\226\331\061\175\002\066\017\234\073\156\317\054\015
-\003\106\105\353\240\364\177\110\104\306\010\100\314\336\033\160
-\265\051\255\272\213\073\064\145\165\033\161\041\035\054\024\012
-\260\226\225\270\326\352\362\145\373\051\272\117\352\221\223\164
-\151\266\362\377\341\032\320\014\321\166\205\313\212\045\275\227
-\136\054\157\025\231\046\347\266\051\377\042\354\311\002\307\126
-\000\315\111\271\263\154\173\123\004\032\342\250\311\252\022\005
-\043\302\316\347\273\004\002\314\300\107\242\344\304\051\057\133
-\105\127\211\121\356\074\353\122\010\377\007\065\036\237\065\152
-\107\112\126\230\321\132\205\037\214\365\042\277\253\316\203\363
-\342\042\051\256\175\203\100\250\272\154
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "GeoTrust Global CA 2"
-# Issuer: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US
-# Serial Number: 1 (0x1)
-# Subject: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US
-# Not Valid Before: Thu Mar 04 05:00:00 2004
-# Not Valid After : Mon Mar 04 05:00:00 2019
-# Fingerprint (MD5): 0E:40:A7:6C:DE:03:5D:8F:D1:0F:E4:D1:8D:F9:6C:A9
-# Fingerprint (SHA1): A9:E9:78:08:14:37:58:88:F2:05:19:B0:6D:2B:0D:2B:60:16:90:7D
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "GeoTrust Global CA 2"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\251\351\170\010\024\067\130\210\362\005\031\260\155\053\015\053
-\140\026\220\175
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\016\100\247\154\336\003\135\217\321\017\344\321\215\371\154\251
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\104\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\026\060\024\006\003\125\004\012\023\015\107\145\157\124\162\165
-\163\164\040\111\156\143\056\061\035\060\033\006\003\125\004\003
-\023\024\107\145\157\124\162\165\163\164\040\107\154\157\142\141
-\154\040\103\101\040\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "GeoTrust Universal CA"
 #
 # Issuer: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US
 # Serial Number: 1 (0x1)
 # Subject: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US
@@ -2423,17 +2004,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \023\025\107\145\157\124\162\165\163\164\040\125\156\151\166\145
 \162\163\141\154\040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "GeoTrust Universal CA 2"
 #
 # Issuer: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US
 # Serial Number: 1 (0x1)
 # Subject: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US
@@ -2583,17 +2164,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \023\027\107\145\157\124\162\165\163\164\040\125\156\151\166\145
 \162\163\141\154\040\103\101\040\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Visa eCommerce Root"
 #
 # Issuer: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
 # Serial Number:13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62
 # Subject: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
@@ -2723,17 +2304,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \103\157\155\155\145\162\143\145\040\122\157\157\164
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\023\206\065\115\035\077\006\362\301\371\145\005\325\220
 \034\142
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Certum Root CA"
 #
 # Issuer: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
 # Serial Number: 65568 (0x10020)
 # Subject: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
@@ -2842,17 +2423,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \157\040\123\160\056\040\172\040\157\056\157\056\061\022\060\020
 \006\003\125\004\003\023\011\103\145\162\164\165\155\040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\003\001\000\040
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Comodo AAA Services root"
 #
 # Issuer: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Serial Number: 1 (0x1)
 # Subject: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
@@ -2992,322 +2573,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \125\004\003\014\030\101\101\101\040\103\145\162\164\151\146\151
 \143\141\164\145\040\123\145\162\166\151\143\145\163
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Comodo Secure Services root"
-#
-# Issuer: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
-# Serial Number: 1 (0x1)
-# Subject: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
-# Not Valid Before: Thu Jan 01 00:00:00 2004
-# Not Valid After : Sun Dec 31 23:59:59 2028
-# Fingerprint (MD5): D3:D9:BD:AE:9F:AC:67:24:B3:C8:1B:52:E1:B9:A9:BD
-# Fingerprint (SHA1): 4A:65:D5:F4:1D:EF:39:B8:B8:90:4A:4A:D3:64:81:33:CF:C7:A1:D1
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Comodo Secure Services root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\176\061\013\060\011\006\003\125\004\006\023\002\107\102\061
-\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145
-\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016
-\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032
-\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040
-\103\101\040\114\151\155\151\164\145\144\061\044\060\042\006\003
-\125\004\003\014\033\123\145\143\165\162\145\040\103\145\162\164
-\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\176\061\013\060\011\006\003\125\004\006\023\002\107\102\061
-\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145
-\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016
-\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032
-\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040
-\103\101\040\114\151\155\151\164\145\144\061\044\060\042\006\003
-\125\004\003\014\033\123\145\143\165\162\145\040\103\145\162\164
-\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\077\060\202\003\047\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\176\061\013\060\011\006\003\125\004\006\023\002\107\102\061\033
-\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145\162
-\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016\006
-\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032\060
-\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040\103
-\101\040\114\151\155\151\164\145\144\061\044\060\042\006\003\125
-\004\003\014\033\123\145\143\165\162\145\040\103\145\162\164\151
-\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163\060
-\036\027\015\060\064\060\061\060\061\060\060\060\060\060\060\132
-\027\015\062\070\061\062\063\061\062\063\065\071\065\071\132\060
-\176\061\013\060\011\006\003\125\004\006\023\002\107\102\061\033
-\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145\162
-\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016\006
-\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032\060
-\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040\103
-\101\040\114\151\155\151\164\145\144\061\044\060\042\006\003\125
-\004\003\014\033\123\145\143\165\162\145\040\103\145\162\164\151
-\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163\060
-\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001
-\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000
-\300\161\063\202\212\320\160\353\163\207\202\100\325\035\344\313
-\311\016\102\220\371\336\064\271\241\272\021\364\045\205\363\314
-\162\155\362\173\227\153\263\007\361\167\044\221\137\045\217\366
-\164\075\344\200\302\370\074\015\363\277\100\352\367\310\122\321
-\162\157\357\310\253\101\270\156\056\027\052\225\151\014\315\322
-\036\224\173\055\224\035\252\165\327\263\230\313\254\274\144\123
-\100\274\217\254\254\066\313\134\255\273\335\340\224\027\354\321
-\134\320\277\357\245\225\311\220\305\260\254\373\033\103\337\172
-\010\135\267\270\362\100\033\053\047\236\120\316\136\145\202\210
-\214\136\323\116\014\172\352\010\221\266\066\252\053\102\373\352
-\302\243\071\345\333\046\070\255\213\012\356\031\143\307\034\044
-\337\003\170\332\346\352\301\107\032\013\013\106\011\335\002\374
-\336\313\207\137\327\060\143\150\241\256\334\062\241\272\276\376
-\104\253\150\266\245\027\025\375\275\325\247\247\232\344\104\063
-\351\210\216\374\355\121\353\223\161\116\255\001\347\104\216\253
-\055\313\250\376\001\111\110\360\300\335\307\150\330\222\376\075
-\002\003\001\000\001\243\201\307\060\201\304\060\035\006\003\125
-\035\016\004\026\004\024\074\330\223\210\302\300\202\011\314\001
-\231\006\223\040\351\236\160\011\143\117\060\016\006\003\125\035
-\017\001\001\377\004\004\003\002\001\006\060\017\006\003\125\035
-\023\001\001\377\004\005\060\003\001\001\377\060\201\201\006\003
-\125\035\037\004\172\060\170\060\073\240\071\240\067\206\065\150
-\164\164\160\072\057\057\143\162\154\056\143\157\155\157\144\157
-\143\141\056\143\157\155\057\123\145\143\165\162\145\103\145\162
-\164\151\146\151\143\141\164\145\123\145\162\166\151\143\145\163
-\056\143\162\154\060\071\240\067\240\065\206\063\150\164\164\160
-\072\057\057\143\162\154\056\143\157\155\157\144\157\056\156\145
-\164\057\123\145\143\165\162\145\103\145\162\164\151\146\151\143
-\141\164\145\123\145\162\166\151\143\145\163\056\143\162\154\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003\202
-\001\001\000\207\001\155\043\035\176\133\027\175\301\141\062\317
-\217\347\363\212\224\131\146\340\236\050\250\136\323\267\364\064
-\346\252\071\262\227\026\305\202\157\062\244\351\214\347\257\375
-\357\302\350\271\113\252\243\364\346\332\215\145\041\373\272\200
-\353\046\050\205\032\376\071\214\336\133\004\004\264\124\371\243
-\147\236\101\372\011\122\314\005\110\250\311\077\041\004\036\316
-\110\153\374\205\350\302\173\257\177\267\314\370\137\072\375\065
-\306\015\357\227\334\114\253\021\341\153\313\061\321\154\373\110
-\200\253\334\234\067\270\041\024\113\015\161\075\354\203\063\156
-\321\156\062\026\354\230\307\026\213\131\246\064\253\005\127\055
-\223\367\252\023\313\322\023\342\267\056\073\315\153\120\027\011
-\150\076\265\046\127\356\266\340\266\335\271\051\200\171\175\217
-\243\360\244\050\244\025\304\205\364\047\324\153\277\345\134\344
-\145\002\166\124\264\343\067\146\044\323\031\141\310\122\020\345
-\213\067\232\271\251\371\035\277\352\231\222\141\226\377\001\315
-\241\137\015\274\161\274\016\254\013\035\107\105\035\301\354\174
-\354\375\051
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "Comodo Secure Services root"
-# Issuer: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
-# Serial Number: 1 (0x1)
-# Subject: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
-# Not Valid Before: Thu Jan 01 00:00:00 2004
-# Not Valid After : Sun Dec 31 23:59:59 2028
-# Fingerprint (MD5): D3:D9:BD:AE:9F:AC:67:24:B3:C8:1B:52:E1:B9:A9:BD
-# Fingerprint (SHA1): 4A:65:D5:F4:1D:EF:39:B8:B8:90:4A:4A:D3:64:81:33:CF:C7:A1:D1
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Comodo Secure Services root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\112\145\325\364\035\357\071\270\270\220\112\112\323\144\201\063
-\317\307\241\321
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\323\331\275\256\237\254\147\044\263\310\033\122\341\271\251\275
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\176\061\013\060\011\006\003\125\004\006\023\002\107\102\061
-\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145
-\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016
-\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032
-\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040
-\103\101\040\114\151\155\151\164\145\144\061\044\060\042\006\003
-\125\004\003\014\033\123\145\143\165\162\145\040\103\145\162\164
-\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Comodo Trusted Services root"
-#
-# Issuer: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
-# Serial Number: 1 (0x1)
-# Subject: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
-# Not Valid Before: Thu Jan 01 00:00:00 2004
-# Not Valid After : Sun Dec 31 23:59:59 2028
-# Fingerprint (MD5): 91:1B:3F:6E:CD:9E:AB:EE:07:FE:1F:71:D2:B3:61:27
-# Fingerprint (SHA1): E1:9F:E3:0E:8B:84:60:9E:80:9B:17:0D:72:A8:C5:BA:6E:14:09:BD
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Comodo Trusted Services root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\177\061\013\060\011\006\003\125\004\006\023\002\107\102\061
-\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145
-\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016
-\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032
-\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040
-\103\101\040\114\151\155\151\164\145\144\061\045\060\043\006\003
-\125\004\003\014\034\124\162\165\163\164\145\144\040\103\145\162
-\164\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145
-\163
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\177\061\013\060\011\006\003\125\004\006\023\002\107\102\061
-\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145
-\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016
-\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032
-\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040
-\103\101\040\114\151\155\151\164\145\144\061\045\060\043\006\003
-\125\004\003\014\034\124\162\165\163\164\145\144\040\103\145\162
-\164\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145
-\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\103\060\202\003\053\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\177\061\013\060\011\006\003\125\004\006\023\002\107\102\061\033
-\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145\162
-\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016\006
-\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032\060
-\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040\103
-\101\040\114\151\155\151\164\145\144\061\045\060\043\006\003\125
-\004\003\014\034\124\162\165\163\164\145\144\040\103\145\162\164
-\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163
-\060\036\027\015\060\064\060\061\060\061\060\060\060\060\060\060
-\132\027\015\062\070\061\062\063\061\062\063\065\071\065\071\132
-\060\177\061\013\060\011\006\003\125\004\006\023\002\107\102\061
-\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145
-\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016
-\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032
-\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040
-\103\101\040\114\151\155\151\164\145\144\061\045\060\043\006\003
-\125\004\003\014\034\124\162\165\163\164\145\144\040\103\145\162
-\164\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145
-\163\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001
-\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001
-\001\000\337\161\157\066\130\123\132\362\066\124\127\200\304\164
-\010\040\355\030\177\052\035\346\065\232\036\045\254\234\345\226
-\176\162\122\240\025\102\333\131\335\144\172\032\320\270\173\335
-\071\025\274\125\110\304\355\072\000\352\061\021\272\362\161\164
-\032\147\270\317\063\314\250\061\257\243\343\327\177\277\063\055
-\114\152\074\354\213\303\222\322\123\167\044\164\234\007\156\160
-\374\275\013\133\166\272\137\362\377\327\067\113\112\140\170\367
-\360\372\312\160\264\352\131\252\243\316\110\057\251\303\262\013
-\176\027\162\026\014\246\007\014\033\070\317\311\142\267\077\240
-\223\245\207\101\362\267\160\100\167\330\276\024\174\343\250\300
-\172\216\351\143\152\321\017\232\306\322\364\213\072\024\004\126
-\324\355\270\314\156\365\373\342\054\130\275\177\117\153\053\367
-\140\044\130\044\316\046\357\064\221\072\325\343\201\320\262\360
-\004\002\327\133\267\076\222\254\153\022\212\371\344\005\260\073
-\221\111\134\262\353\123\352\370\237\107\206\356\277\225\300\300
-\006\237\322\133\136\021\033\364\307\004\065\051\322\125\134\344
-\355\353\002\003\001\000\001\243\201\311\060\201\306\060\035\006
-\003\125\035\016\004\026\004\024\305\173\130\275\355\332\045\151
-\322\367\131\026\250\263\062\300\173\047\133\364\060\016\006\003
-\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006\003
-\125\035\023\001\001\377\004\005\060\003\001\001\377\060\201\203
-\006\003\125\035\037\004\174\060\172\060\074\240\072\240\070\206
-\066\150\164\164\160\072\057\057\143\162\154\056\143\157\155\157
-\144\157\143\141\056\143\157\155\057\124\162\165\163\164\145\144
-\103\145\162\164\151\146\151\143\141\164\145\123\145\162\166\151
-\143\145\163\056\143\162\154\060\072\240\070\240\066\206\064\150
-\164\164\160\072\057\057\143\162\154\056\143\157\155\157\144\157
-\056\156\145\164\057\124\162\165\163\164\145\144\103\145\162\164
-\151\146\151\143\141\164\145\123\145\162\166\151\143\145\163\056
-\143\162\154\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\003\202\001\001\000\310\223\201\073\211\264\257\270\204
-\022\114\215\322\360\333\160\272\127\206\025\064\020\271\057\177
-\036\260\250\211\140\241\212\302\167\014\120\112\233\000\213\330
-\213\364\101\342\320\203\212\112\034\024\006\260\243\150\005\160
-\061\060\247\123\233\016\351\112\240\130\151\147\016\256\235\366
-\245\054\101\277\074\006\153\344\131\314\155\020\361\226\157\037
-\337\364\004\002\244\237\105\076\310\330\372\066\106\104\120\077
-\202\227\221\037\050\333\030\021\214\052\344\145\203\127\022\022
-\214\027\077\224\066\376\135\260\300\004\167\023\270\364\025\325
-\077\070\314\224\072\125\320\254\230\365\272\000\137\340\206\031
-\201\170\057\050\300\176\323\314\102\012\365\256\120\240\321\076
-\306\241\161\354\077\240\040\214\146\072\211\264\216\324\330\261
-\115\045\107\356\057\210\310\265\341\005\105\300\276\024\161\336
-\172\375\216\173\175\115\010\226\245\022\163\360\055\312\067\047
-\164\022\047\114\313\266\227\351\331\256\010\155\132\071\100\335
-\005\107\165\152\132\041\263\243\030\317\116\367\056\127\267\230
-\160\136\310\304\170\260\142
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "Comodo Trusted Services root"
-# Issuer: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
-# Serial Number: 1 (0x1)
-# Subject: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
-# Not Valid Before: Thu Jan 01 00:00:00 2004
-# Not Valid After : Sun Dec 31 23:59:59 2028
-# Fingerprint (MD5): 91:1B:3F:6E:CD:9E:AB:EE:07:FE:1F:71:D2:B3:61:27
-# Fingerprint (SHA1): E1:9F:E3:0E:8B:84:60:9E:80:9B:17:0D:72:A8:C5:BA:6E:14:09:BD
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Comodo Trusted Services root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\341\237\343\016\213\204\140\236\200\233\027\015\162\250\305\272
-\156\024\011\275
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\221\033\077\156\315\236\253\356\007\376\037\161\322\263\141\047
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\177\061\013\060\011\006\003\125\004\006\023\002\107\102\061
-\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145
-\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016
-\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032
-\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040
-\103\101\040\114\151\155\151\164\145\144\061\045\060\043\006\003
-\125\004\003\014\034\124\162\165\163\164\145\144\040\103\145\162
-\164\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145
-\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "QuoVadis Root CA"
 #
 # Issuer: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM
 # Serial Number: 985026699 (0x3ab6508b)
 # Subject: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM
@@ -3476,17 +2752,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
 \171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\072\266\120\213
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "QuoVadis Root CA 2"
 #
 # Issuer: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
 # Serial Number: 1289 (0x509)
 # Subject: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
@@ -3641,17 +2917,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \125\004\003\023\022\121\165\157\126\141\144\151\163\040\122\157
 \157\164\040\103\101\040\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\002\005\011
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "QuoVadis Root CA 3"
 #
 # Issuer: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM
 # Serial Number: 1478 (0x5c6)
 # Subject: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM
@@ -3821,17 +3097,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \125\004\003\023\022\121\165\157\126\141\144\151\163\040\122\157
 \157\164\040\103\101\040\063
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\002\005\306
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Security Communication Root CA"
 #
 # Issuer: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP
 # Serial Number: 0 (0x0)
 # Subject: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP
@@ -3951,17 +3227,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \155\165\156\151\143\141\164\151\157\156\040\122\157\157\164\103
 \101\061
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Sonera Class 2 Root CA"
 #
 # Issuer: CN=Sonera Class2 CA,O=Sonera,C=FI
 # Serial Number: 29 (0x1d)
 # Subject: CN=Sonera Class2 CA,O=Sonera,C=FI
@@ -4247,339 +3523,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \311\211
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "UTN USERFirst Hardware Root CA"
-#
-# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
-# Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2a:fe:65:0a:fd
-# Subject: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
-# Not Valid Before: Fri Jul 09 18:10:42 1999
-# Not Valid After : Tue Jul 09 18:19:22 2019
-# Fingerprint (MD5): 4C:56:41:E5:0D:BB:2B:E8:CA:A3:ED:18:08:AD:43:39
-# Fingerprint (SHA1): 04:83:ED:33:99:AC:36:08:05:87:22:ED:BC:5E:46:00:E3:BE:F9:D7
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "UTN USERFirst Hardware Root CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\227\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060
-\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
-\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
-\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
-\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023
-\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162
-\164\162\165\163\164\056\143\157\155\061\037\060\035\006\003\125
-\004\003\023\026\125\124\116\055\125\123\105\122\106\151\162\163
-\164\055\110\141\162\144\167\141\162\145
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\227\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060
-\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
-\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
-\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
-\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023
-\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162
-\164\162\165\163\164\056\143\157\155\061\037\060\035\006\003\125
-\004\003\023\026\125\124\116\055\125\123\105\122\106\151\162\163
-\164\055\110\141\162\144\167\141\162\145
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\104\276\014\213\120\000\044\264\021\323\066\052\376\145
-\012\375
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\164\060\202\003\134\240\003\002\001\002\002\020\104
-\276\014\213\120\000\044\264\021\323\066\052\376\145\012\375\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201
-\227\061\013\060\011\006\003\125\004\006\023\002\125\123\061\013
-\060\011\006\003\125\004\010\023\002\125\124\061\027\060\025\006
-\003\125\004\007\023\016\123\141\154\164\040\114\141\153\145\040
-\103\151\164\171\061\036\060\034\006\003\125\004\012\023\025\124
-\150\145\040\125\123\105\122\124\122\125\123\124\040\116\145\164
-\167\157\162\153\061\041\060\037\006\003\125\004\013\023\030\150
-\164\164\160\072\057\057\167\167\167\056\165\163\145\162\164\162
-\165\163\164\056\143\157\155\061\037\060\035\006\003\125\004\003
-\023\026\125\124\116\055\125\123\105\122\106\151\162\163\164\055
-\110\141\162\144\167\141\162\145\060\036\027\015\071\071\060\067
-\060\071\061\070\061\060\064\062\132\027\015\061\071\060\067\060
-\071\061\070\061\071\062\062\132\060\201\227\061\013\060\011\006
-\003\125\004\006\023\002\125\123\061\013\060\011\006\003\125\004
-\010\023\002\125\124\061\027\060\025\006\003\125\004\007\023\016
-\123\141\154\164\040\114\141\153\145\040\103\151\164\171\061\036
-\060\034\006\003\125\004\012\023\025\124\150\145\040\125\123\105
-\122\124\122\125\123\124\040\116\145\164\167\157\162\153\061\041
-\060\037\006\003\125\004\013\023\030\150\164\164\160\072\057\057
-\167\167\167\056\165\163\145\162\164\162\165\163\164\056\143\157
-\155\061\037\060\035\006\003\125\004\003\023\026\125\124\116\055
-\125\123\105\122\106\151\162\163\164\055\110\141\162\144\167\141
-\162\145\060\202\001\042\060\015\006\011\052\206\110\206\367\015
-\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202
-\001\001\000\261\367\303\070\077\264\250\177\317\071\202\121\147
-\320\155\237\322\377\130\363\347\237\053\354\015\211\124\231\271
-\070\231\026\367\340\041\171\110\302\273\141\164\022\226\035\074
-\152\162\325\074\020\147\072\071\355\053\023\315\146\353\225\011
-\063\244\154\227\261\350\306\354\301\165\171\234\106\136\215\253
-\320\152\375\271\052\125\027\020\124\263\031\360\232\366\361\261
-\135\266\247\155\373\340\161\027\153\242\210\373\000\337\376\032
-\061\167\014\232\001\172\261\062\343\053\001\007\070\156\303\245
-\136\043\274\105\233\173\120\301\311\060\217\333\345\053\172\323
-\133\373\063\100\036\240\325\230\027\274\213\207\303\211\323\135
-\240\216\262\252\252\366\216\151\210\006\305\372\211\041\363\010
-\235\151\056\011\063\233\051\015\106\017\214\314\111\064\260\151
-\121\275\371\006\315\150\255\146\114\274\076\254\141\275\012\210
-\016\310\337\075\356\174\004\114\235\012\136\153\221\326\356\307
-\355\050\215\253\115\207\211\163\320\156\244\320\036\026\213\024
-\341\166\104\003\177\143\254\344\315\111\234\305\222\364\253\062
-\241\110\133\002\003\001\000\001\243\201\271\060\201\266\060\013
-\006\003\125\035\017\004\004\003\002\001\306\060\017\006\003\125
-\035\023\001\001\377\004\005\060\003\001\001\377\060\035\006\003
-\125\035\016\004\026\004\024\241\162\137\046\033\050\230\103\225
-\135\007\067\325\205\226\235\113\322\303\105\060\104\006\003\125
-\035\037\004\075\060\073\060\071\240\067\240\065\206\063\150\164
-\164\160\072\057\057\143\162\154\056\165\163\145\162\164\162\165
-\163\164\056\143\157\155\057\125\124\116\055\125\123\105\122\106
-\151\162\163\164\055\110\141\162\144\167\141\162\145\056\143\162
-\154\060\061\006\003\125\035\045\004\052\060\050\006\010\053\006
-\001\005\005\007\003\001\006\010\053\006\001\005\005\007\003\005
-\006\010\053\006\001\005\005\007\003\006\006\010\053\006\001\005
-\005\007\003\007\060\015\006\011\052\206\110\206\367\015\001\001
-\005\005\000\003\202\001\001\000\107\031\017\336\164\306\231\227
-\257\374\255\050\136\165\216\353\055\147\356\116\173\053\327\014
-\377\366\336\313\125\242\012\341\114\124\145\223\140\153\237\022
-\234\255\136\203\054\353\132\256\300\344\055\364\000\143\035\270
-\300\154\362\317\111\273\115\223\157\006\246\012\042\262\111\142
-\010\116\377\310\310\024\262\210\026\135\347\001\344\022\225\345
-\105\064\263\213\151\275\317\264\205\217\165\121\236\175\072\070
-\072\024\110\022\306\373\247\073\032\215\015\202\100\007\350\004
-\010\220\241\211\313\031\120\337\312\034\001\274\035\004\031\173
-\020\166\227\073\356\220\220\312\304\016\037\026\156\165\357\063
-\370\323\157\133\036\226\343\340\164\167\164\173\212\242\156\055
-\335\166\326\071\060\202\360\253\234\122\362\052\307\257\111\136
-\176\307\150\345\202\201\310\152\047\371\047\210\052\325\130\120
-\225\037\360\073\034\127\273\175\024\071\142\053\232\311\224\222
-\052\243\042\014\377\211\046\175\137\043\053\107\327\025\035\251
-\152\236\121\015\052\121\236\201\371\324\073\136\160\022\177\020
-\062\234\036\273\235\370\146\250
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "UTN USERFirst Hardware Root CA"
-# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
-# Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2a:fe:65:0a:fd
-# Subject: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
-# Not Valid Before: Fri Jul 09 18:10:42 1999
-# Not Valid After : Tue Jul 09 18:19:22 2019
-# Fingerprint (MD5): 4C:56:41:E5:0D:BB:2B:E8:CA:A3:ED:18:08:AD:43:39
-# Fingerprint (SHA1): 04:83:ED:33:99:AC:36:08:05:87:22:ED:BC:5E:46:00:E3:BE:F9:D7
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "UTN USERFirst Hardware Root CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\004\203\355\063\231\254\066\010\005\207\042\355\274\136\106\000
-\343\276\371\327
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\114\126\101\345\015\273\053\350\312\243\355\030\010\255\103\071
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\227\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060
-\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
-\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
-\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
-\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023
-\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162
-\164\162\165\163\164\056\143\157\155\061\037\060\035\006\003\125
-\004\003\023\026\125\124\116\055\125\123\105\122\106\151\162\163
-\164\055\110\141\162\144\167\141\162\145
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\104\276\014\213\120\000\044\264\021\323\066\052\376\145
-\012\375
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "UTN USERFirst Object Root CA"
-#
-# Issuer: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
-# Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2d:e0:b3:5f:1b
-# Subject: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
-# Not Valid Before: Fri Jul 09 18:31:20 1999
-# Not Valid After : Tue Jul 09 18:40:36 2019
-# Fingerprint (MD5): A7:F2:E4:16:06:41:11:50:30:6B:9C:E3:B4:9C:B0:C9
-# Fingerprint (SHA1): E1:2D:FB:4B:41:D7:D9:C3:2B:30:51:4B:AC:1D:81:D8:38:5E:2D:46
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "UTN USERFirst Object Root CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\225\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060
-\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
-\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
-\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
-\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023
-\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162
-\164\162\165\163\164\056\143\157\155\061\035\060\033\006\003\125
-\004\003\023\024\125\124\116\055\125\123\105\122\106\151\162\163
-\164\055\117\142\152\145\143\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\225\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060
-\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
-\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
-\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
-\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023
-\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162
-\164\162\165\163\164\056\143\157\155\061\035\060\033\006\003\125
-\004\003\023\024\125\124\116\055\125\123\105\122\106\151\162\163
-\164\055\117\142\152\145\143\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\104\276\014\213\120\000\044\264\021\323\066\055\340\263
-\137\033
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\146\060\202\003\116\240\003\002\001\002\002\020\104
-\276\014\213\120\000\044\264\021\323\066\055\340\263\137\033\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201
-\225\061\013\060\011\006\003\125\004\006\023\002\125\123\061\013
-\060\011\006\003\125\004\010\023\002\125\124\061\027\060\025\006
-\003\125\004\007\023\016\123\141\154\164\040\114\141\153\145\040
-\103\151\164\171\061\036\060\034\006\003\125\004\012\023\025\124
-\150\145\040\125\123\105\122\124\122\125\123\124\040\116\145\164
-\167\157\162\153\061\041\060\037\006\003\125\004\013\023\030\150
-\164\164\160\072\057\057\167\167\167\056\165\163\145\162\164\162
-\165\163\164\056\143\157\155\061\035\060\033\006\003\125\004\003
-\023\024\125\124\116\055\125\123\105\122\106\151\162\163\164\055
-\117\142\152\145\143\164\060\036\027\015\071\071\060\067\060\071
-\061\070\063\061\062\060\132\027\015\061\071\060\067\060\071\061
-\070\064\060\063\066\132\060\201\225\061\013\060\011\006\003\125
-\004\006\023\002\125\123\061\013\060\011\006\003\125\004\010\023
-\002\125\124\061\027\060\025\006\003\125\004\007\023\016\123\141
-\154\164\040\114\141\153\145\040\103\151\164\171\061\036\060\034
-\006\003\125\004\012\023\025\124\150\145\040\125\123\105\122\124
-\122\125\123\124\040\116\145\164\167\157\162\153\061\041\060\037
-\006\003\125\004\013\023\030\150\164\164\160\072\057\057\167\167
-\167\056\165\163\145\162\164\162\165\163\164\056\143\157\155\061
-\035\060\033\006\003\125\004\003\023\024\125\124\116\055\125\123
-\105\122\106\151\162\163\164\055\117\142\152\145\143\164\060\202
-\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005
-\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000\316
-\252\201\077\243\243\141\170\252\061\000\125\225\021\236\047\017
-\037\034\337\072\233\202\150\060\300\112\141\035\361\057\016\372
-\276\171\367\245\043\357\125\121\226\204\315\333\343\271\156\076
-\061\330\012\040\147\307\364\331\277\224\353\107\004\076\002\316
-\052\242\135\207\004\011\366\060\235\030\212\227\262\252\034\374
-\101\322\241\066\313\373\075\221\272\347\331\160\065\372\344\347
-\220\303\233\243\233\323\074\365\022\231\167\261\267\011\340\150
-\346\034\270\363\224\143\210\152\152\376\013\166\311\276\364\042
-\344\147\271\253\032\136\167\301\205\007\335\015\154\277\356\006
-\307\167\152\101\236\247\017\327\373\356\224\027\267\374\205\276
-\244\253\304\034\061\335\327\266\321\344\360\357\337\026\217\262
-\122\223\327\241\324\211\241\007\056\277\341\001\022\102\036\032
-\341\330\225\064\333\144\171\050\377\272\056\021\302\345\350\133
-\222\110\373\107\013\302\154\332\255\062\203\101\363\245\345\101
-\160\375\145\220\155\372\372\121\304\371\275\226\053\031\004\054
-\323\155\247\334\360\177\157\203\145\342\152\253\207\206\165\002
-\003\001\000\001\243\201\257\060\201\254\060\013\006\003\125\035
-\017\004\004\003\002\001\306\060\017\006\003\125\035\023\001\001
-\377\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004
-\026\004\024\332\355\144\164\024\234\024\074\253\335\231\251\275
-\133\050\115\213\074\311\330\060\102\006\003\125\035\037\004\073
-\060\071\060\067\240\065\240\063\206\061\150\164\164\160\072\057
-\057\143\162\154\056\165\163\145\162\164\162\165\163\164\056\143
-\157\155\057\125\124\116\055\125\123\105\122\106\151\162\163\164
-\055\117\142\152\145\143\164\056\143\162\154\060\051\006\003\125
-\035\045\004\042\060\040\006\010\053\006\001\005\005\007\003\003
-\006\010\053\006\001\005\005\007\003\010\006\012\053\006\001\004
-\001\202\067\012\003\004\060\015\006\011\052\206\110\206\367\015
-\001\001\005\005\000\003\202\001\001\000\010\037\122\261\067\104
-\170\333\375\316\271\332\225\226\230\252\125\144\200\265\132\100
-\335\041\245\305\301\363\137\054\114\310\107\132\151\352\350\360
-\065\065\364\320\045\363\310\246\244\207\112\275\033\261\163\010
-\275\324\303\312\266\065\273\131\206\167\061\315\247\200\024\256
-\023\357\374\261\110\371\153\045\045\055\121\266\054\155\105\301
-\230\310\212\126\135\076\356\103\116\076\153\047\216\320\072\113
-\205\013\137\323\355\152\247\165\313\321\132\207\057\071\165\023
-\132\162\260\002\201\237\276\360\017\204\124\040\142\154\151\324
-\341\115\306\015\231\103\001\015\022\226\214\170\235\277\120\242
-\261\104\252\152\317\027\172\317\157\017\324\370\044\125\137\360
-\064\026\111\146\076\120\106\311\143\161\070\061\142\270\142\271
-\363\123\255\154\265\053\242\022\252\031\117\011\332\136\347\223
-\306\216\024\010\376\360\060\200\030\240\206\205\115\310\175\327
-\213\003\376\156\325\367\235\026\254\222\054\240\043\345\234\221
-\122\037\224\337\027\224\163\303\263\301\301\161\005\040\000\170
-\275\023\122\035\250\076\315\000\037\310
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "UTN USERFirst Object Root CA"
-# Issuer: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
-# Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2d:e0:b3:5f:1b
-# Subject: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
-# Not Valid Before: Fri Jul 09 18:31:20 1999
-# Not Valid After : Tue Jul 09 18:40:36 2019
-# Fingerprint (MD5): A7:F2:E4:16:06:41:11:50:30:6B:9C:E3:B4:9C:B0:C9
-# Fingerprint (SHA1): E1:2D:FB:4B:41:D7:D9:C3:2B:30:51:4B:AC:1D:81:D8:38:5E:2D:46
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "UTN USERFirst Object Root CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\341\055\373\113\101\327\331\303\053\060\121\113\254\035\201\330
-\070\136\055\106
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\247\362\344\026\006\101\021\120\060\153\234\343\264\234\260\311
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\225\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060
-\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
-\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
-\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
-\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023
-\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162
-\164\162\165\163\164\056\143\157\155\061\035\060\033\006\003\125
-\004\003\023\024\125\124\116\055\125\123\105\122\106\151\162\163
-\164\055\117\142\152\145\143\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\104\276\014\213\120\000\044\264\021\323\066\055\340\263
-\137\033
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Camerfirma Chambers of Commerce Root"
 #
 # Issuer: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
 # Serial Number: 0 (0x0)
 # Subject: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
 # Not Valid Before: Tue Sep 30 16:13:43 2003
 # Not Valid After : Wed Sep 30 16:13:44 2037
 # Fingerprint (MD5): B0:01:EE:14:D9:AF:29:18:94:76:8E:F1:69:33:2A:84
@@ -4728,17 +3681,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \040\157\146\040\103\157\155\155\145\162\143\145\040\122\157\157
 \164
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Camerfirma Global Chambersign Root"
 #
 # Issuer: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
 # Serial Number: 0 (0x0)
 # Subject: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
@@ -4887,17 +3840,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \036\006\003\125\004\003\023\027\107\154\157\142\141\154\040\103
 \150\141\155\142\145\162\163\151\147\156\040\122\157\157\164
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "XRamp Global CA Root"
 #
 # Issuer: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
 # Serial Number:50:94:6c:ec:18:ea:d5:9c:4d:d5:97:ef:75:8f:a0:ad
 # Subject: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
@@ -5042,17 +3995,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \157\162\151\164\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\120\224\154\354\030\352\325\234\115\325\227\357\165\217
 \240\255
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Go Daddy Class 2 CA"
 #
 # Issuer: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US
 # Serial Number: 0 (0x0)
 # Subject: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US
@@ -5186,17 +4139,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150
 \157\162\151\164\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Starfield Class 2 CA"
 #
 # Issuer: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US
 # Serial Number: 0 (0x0)
 # Subject: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US
@@ -5331,17 +4284,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \040\062\040\103\145\162\164\151\146\151\143\141\164\151\157\156
 \040\101\165\164\150\157\162\151\164\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "StartCom Certification Authority"
 #
 # Issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
 # Serial Number: 1 (0x1)
 # Subject: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
@@ -5538,17 +4491,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \164\141\162\164\103\157\155\040\103\145\162\164\151\146\151\143
 \141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Taiwan GRCA"
 #
 # Issuer: O=Government Root Certification Authority,C=TW
 # Serial Number:1f:9d:59:5a:d7:2f:c2:06:44:a5:80:08:69:e3:5e:f6
 # Subject: O=Government Root Certification Authority,C=TW
@@ -5701,192 +4654,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\037\235\131\132\327\057\302\006\104\245\200\010\151\343
 \136\366
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Swisscom Root CA 1"
-#
-# Issuer: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
-# Serial Number:5c:0b:85:5c:0b:e7:59:41:df:57:cc:3f:7f:9d:a8:36
-# Subject: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
-# Not Valid Before: Thu Aug 18 12:06:20 2005
-# Not Valid After : Mon Aug 18 22:06:20 2025
-# Fingerprint (MD5): F8:38:7C:77:88:DF:2C:16:68:2E:C2:E2:52:4B:B8:F9
-# Fingerprint (SHA1): 5F:3A:FC:0A:8B:64:F6:86:67:34:74:DF:7E:A9:A2:FE:F9:FA:7A:51
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Swisscom Root CA 1"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\144\061\013\060\011\006\003\125\004\006\023\002\143\150\061
-\021\060\017\006\003\125\004\012\023\010\123\167\151\163\163\143
-\157\155\061\045\060\043\006\003\125\004\013\023\034\104\151\147
-\151\164\141\154\040\103\145\162\164\151\146\151\143\141\164\145
-\040\123\145\162\166\151\143\145\163\061\033\060\031\006\003\125
-\004\003\023\022\123\167\151\163\163\143\157\155\040\122\157\157
-\164\040\103\101\040\061
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\144\061\013\060\011\006\003\125\004\006\023\002\143\150\061
-\021\060\017\006\003\125\004\012\023\010\123\167\151\163\163\143
-\157\155\061\045\060\043\006\003\125\004\013\023\034\104\151\147
-\151\164\141\154\040\103\145\162\164\151\146\151\143\141\164\145
-\040\123\145\162\166\151\143\145\163\061\033\060\031\006\003\125
-\004\003\023\022\123\167\151\163\163\143\157\155\040\122\157\157
-\164\040\103\101\040\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\134\013\205\134\013\347\131\101\337\127\314\077\177\235
-\250\066
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\331\060\202\003\301\240\003\002\001\002\002\020\134
-\013\205\134\013\347\131\101\337\127\314\077\177\235\250\066\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\144
-\061\013\060\011\006\003\125\004\006\023\002\143\150\061\021\060
-\017\006\003\125\004\012\023\010\123\167\151\163\163\143\157\155
-\061\045\060\043\006\003\125\004\013\023\034\104\151\147\151\164
-\141\154\040\103\145\162\164\151\146\151\143\141\164\145\040\123
-\145\162\166\151\143\145\163\061\033\060\031\006\003\125\004\003
-\023\022\123\167\151\163\163\143\157\155\040\122\157\157\164\040
-\103\101\040\061\060\036\027\015\060\065\060\070\061\070\061\062
-\060\066\062\060\132\027\015\062\065\060\070\061\070\062\062\060
-\066\062\060\132\060\144\061\013\060\011\006\003\125\004\006\023
-\002\143\150\061\021\060\017\006\003\125\004\012\023\010\123\167
-\151\163\163\143\157\155\061\045\060\043\006\003\125\004\013\023
-\034\104\151\147\151\164\141\154\040\103\145\162\164\151\146\151
-\143\141\164\145\040\123\145\162\166\151\143\145\163\061\033\060
-\031\006\003\125\004\003\023\022\123\167\151\163\163\143\157\155
-\040\122\157\157\164\040\103\101\040\061\060\202\002\042\060\015
-\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002
-\017\000\060\202\002\012\002\202\002\001\000\320\271\260\250\014
-\331\273\077\041\370\033\325\063\223\200\026\145\040\165\262\075
-\233\140\155\106\310\214\061\157\027\303\372\232\154\126\355\074
-\305\221\127\303\315\253\226\111\220\052\031\113\036\243\155\127
-\335\361\053\142\050\165\105\136\252\326\133\372\013\045\330\241
-\026\371\034\304\056\346\225\052\147\314\320\051\156\074\205\064
-\070\141\111\261\000\237\326\072\161\137\115\155\316\137\271\251
-\344\211\177\152\122\372\312\233\362\334\251\371\235\231\107\077
-\116\051\137\264\246\215\135\173\013\231\021\003\003\376\347\333
-\333\243\377\035\245\315\220\036\001\037\065\260\177\000\333\220
-\157\306\176\173\321\356\172\172\247\252\014\127\157\244\155\305
-\023\073\260\245\331\355\062\034\264\136\147\213\124\334\163\207
-\345\323\027\174\146\120\162\135\324\032\130\301\331\317\330\211
-\002\157\247\111\264\066\135\320\244\336\007\054\266\165\267\050
-\221\326\227\276\050\365\230\036\352\133\046\311\275\260\227\163
-\332\256\221\046\353\150\301\371\071\025\326\147\113\012\155\117
-\313\317\260\344\102\161\214\123\171\347\356\341\333\035\240\156
-\035\214\032\167\065\134\026\036\053\123\037\064\213\321\154\374
-\362\147\007\172\365\255\355\326\232\253\241\261\113\341\314\067
-\137\375\177\315\115\256\270\037\234\103\371\052\130\125\103\105
-\274\226\315\160\016\374\311\343\146\272\116\215\073\201\313\025
-\144\173\271\224\350\135\063\122\205\161\056\117\216\242\006\021
-\121\311\343\313\241\156\061\010\144\014\302\322\074\365\066\350
-\327\320\016\170\043\040\221\311\044\052\145\051\133\042\367\041
-\316\203\136\244\363\336\113\323\150\217\106\165\134\203\011\156
-\051\153\304\160\214\365\235\327\040\057\377\106\322\053\070\302
-\057\165\034\075\176\332\245\357\036\140\205\151\102\323\314\370
-\143\376\036\103\071\205\246\266\143\101\020\263\163\036\274\323
-\372\312\175\026\107\342\247\325\320\243\212\012\010\226\142\126
-\156\064\333\331\002\271\060\165\343\004\322\347\217\302\260\021
-\100\012\254\325\161\002\142\213\061\276\335\306\043\130\061\102
-\103\055\164\371\306\236\246\212\017\351\376\277\203\346\103\127
-\044\272\357\106\064\252\327\022\001\070\355\002\003\001\000\001
-\243\201\206\060\201\203\060\016\006\003\125\035\017\001\001\377
-\004\004\003\002\001\206\060\035\006\003\125\035\041\004\026\060
-\024\060\022\006\007\140\205\164\001\123\000\001\006\007\140\205
-\164\001\123\000\001\060\022\006\003\125\035\023\001\001\377\004
-\010\060\006\001\001\377\002\001\007\060\037\006\003\125\035\043
-\004\030\060\026\200\024\003\045\057\336\157\202\001\072\134\054
-\334\053\241\151\265\147\324\214\323\375\060\035\006\003\125\035
-\016\004\026\004\024\003\045\057\336\157\202\001\072\134\054\334
-\053\241\151\265\147\324\214\323\375\060\015\006\011\052\206\110
-\206\367\015\001\001\005\005\000\003\202\002\001\000\065\020\313
-\354\246\004\015\015\017\315\300\333\253\250\362\210\227\014\337
-\223\057\115\174\100\126\061\172\353\244\017\140\315\172\363\276
-\303\047\216\003\076\244\335\022\357\176\036\164\006\074\077\061
-\362\034\173\221\061\041\264\360\320\154\227\324\351\227\262\044
-\126\036\126\303\065\275\210\005\017\133\020\032\144\341\307\202
-\060\371\062\255\236\120\054\347\170\005\320\061\261\132\230\212
-\165\116\220\134\152\024\052\340\122\107\202\140\346\036\332\201
-\261\373\024\013\132\361\237\322\225\272\076\320\033\326\025\035
-\243\276\206\325\333\017\300\111\144\273\056\120\031\113\322\044
-\370\335\036\007\126\320\070\240\225\160\040\166\214\327\335\036
-\336\237\161\304\043\357\203\023\134\243\044\025\115\051\100\074
-\152\304\251\330\267\246\104\245\015\364\340\235\167\036\100\160
-\046\374\332\331\066\344\171\344\265\077\274\233\145\276\273\021
-\226\317\333\306\050\071\072\010\316\107\133\123\132\305\231\376
-\135\251\335\357\114\324\306\245\255\002\346\214\007\022\036\157
-\003\321\157\240\243\363\051\275\022\307\120\242\260\177\210\251
-\231\167\232\261\300\245\071\056\134\174\151\342\054\260\352\067
-\152\244\341\132\341\365\120\345\203\357\245\273\052\210\347\214
-\333\375\155\136\227\031\250\176\146\165\153\161\352\277\261\307
-\157\240\364\216\244\354\064\121\133\214\046\003\160\241\167\325
-\001\022\127\000\065\333\043\336\016\212\050\231\375\261\020\157
-\113\377\070\055\140\116\054\234\353\147\265\255\111\356\113\037
-\254\257\373\015\220\132\146\140\160\135\252\315\170\324\044\356
-\310\101\240\223\001\222\234\152\236\374\271\044\305\263\025\202
-\176\276\256\225\053\353\261\300\332\343\001\140\013\136\151\254
-\204\126\141\276\161\027\376\035\023\017\376\306\207\105\351\376
-\062\240\032\015\023\244\224\125\161\245\026\213\272\312\211\260
-\262\307\374\217\330\124\265\223\142\235\316\317\131\373\075\030
-\316\052\313\065\025\202\135\377\124\042\133\161\122\373\267\311
-\376\140\233\000\101\144\360\252\052\354\266\102\103\316\211\146
-\201\310\213\237\071\124\003\045\323\026\065\216\204\320\137\372
-\060\032\365\232\154\364\016\123\371\072\133\321\034
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "Swisscom Root CA 1"
-# Issuer: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
-# Serial Number:5c:0b:85:5c:0b:e7:59:41:df:57:cc:3f:7f:9d:a8:36
-# Subject: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
-# Not Valid Before: Thu Aug 18 12:06:20 2005
-# Not Valid After : Mon Aug 18 22:06:20 2025
-# Fingerprint (MD5): F8:38:7C:77:88:DF:2C:16:68:2E:C2:E2:52:4B:B8:F9
-# Fingerprint (SHA1): 5F:3A:FC:0A:8B:64:F6:86:67:34:74:DF:7E:A9:A2:FE:F9:FA:7A:51
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Swisscom Root CA 1"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\137\072\374\012\213\144\366\206\147\064\164\337\176\251\242\376
-\371\372\172\121
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\370\070\174\167\210\337\054\026\150\056\302\342\122\113\270\371
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\144\061\013\060\011\006\003\125\004\006\023\002\143\150\061
-\021\060\017\006\003\125\004\012\023\010\123\167\151\163\163\143
-\157\155\061\045\060\043\006\003\125\004\013\023\034\104\151\147
-\151\164\141\154\040\103\145\162\164\151\146\151\143\141\164\145
-\040\123\145\162\166\151\143\145\163\061\033\060\031\006\003\125
-\004\003\023\022\123\167\151\163\163\143\157\155\040\122\157\157
-\164\040\103\101\040\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\134\013\205\134\013\347\131\101\337\127\314\077\177\235
-\250\066
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "DigiCert Assured ID Root CA"
 #
 # Issuer: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:0c:e7:e0:e5:17:d8:46:fe:8f:e5:60:fc:1b:f0:30:39
 # Subject: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
@@ -6017,17 +4795,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \122\157\157\164\040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\014\347\340\345\027\330\106\376\217\345\140\374\033\360
 \060\071
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "DigiCert Global Root CA"
 #
 # Issuer: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4a
 # Subject: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
@@ -6158,17 +4936,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\010\073\340\126\220\102\106\261\241\165\152\311\131\221
 \307\112
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "DigiCert High Assurance EV Root CA"
 #
 # Issuer: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77
 # Subject: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
@@ -6300,17 +5078,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \156\143\145\040\105\126\040\122\157\157\164\040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\002\254\134\046\152\013\100\233\217\013\171\362\256\106
 \045\167
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Certplus Class 2 Primary CA"
 #
 # Issuer: CN=Class 2 Primary CA,O=Certplus,C=FR
 # Serial Number:00:85:bd:4b:f3:d8:da:e3:69:f6:94:d7:5f:c3:a5:44:23
 # Subject: CN=Class 2 Primary CA,O=Certplus,C=FR
@@ -6867,17 +5645,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \032\123\167\151\163\163\123\151\147\156\040\120\154\141\164\151
 \156\165\155\040\103\101\040\055\040\107\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\010\116\262\000\147\014\003\135\117
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "SwissSign Gold CA - G2"
 #
 # Issuer: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
 # Serial Number:00:bb:40:1c:43:f5:5e:4f:b0
 # Subject: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
@@ -7032,17 +5810,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \026\123\167\151\163\163\123\151\147\156\040\107\157\154\144\040
 \103\101\040\055\040\107\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\011\000\273\100\034\103\365\136\117\260
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "SwissSign Silver CA - G2"
 #
 # Issuer: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH
 # Serial Number:4f:1b:d4:2f:54:bb:2f:4b
 # Subject: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH
@@ -7198,17 +5976,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \030\123\167\151\163\163\123\151\147\156\040\123\151\154\166\145
 \162\040\103\101\040\055\040\107\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\010\117\033\324\057\124\273\057\113
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "GeoTrust Primary Certification Authority"
 #
 # Issuer: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US
 # Serial Number:18:ac:b5:6a:fd:69:b6:15:3a:63:6c:af:da:fa:c4:a1
 # Subject: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US
@@ -7492,17 +6270,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \155\141\162\171\040\122\157\157\164\040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\064\116\325\127\040\325\355\354\111\364\057\316\067\333
 \053\155
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
 #
 # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
 # Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
@@ -7669,17 +6447,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \165\164\150\157\162\151\164\171\040\055\040\107\065
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\030\332\321\236\046\175\350\273\112\041\130\315\314\153
 \073\112
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "SecureTrust CA"
 #
 # Issuer: CN=SecureTrust CA,O=SecureTrust Corporation,C=US
 # Serial Number:0c:f0:8e:5c:08:16:a5:ad:42:7f:f0:eb:27:18:59:d0
 # Subject: CN=SecureTrust CA,O=SecureTrust Corporation,C=US
@@ -7804,17 +6582,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \162\145\124\162\165\163\164\040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\014\360\216\134\010\026\245\255\102\177\360\353\047\030
 \131\320
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Secure Global CA"
 #
 # Issuer: CN=Secure Global CA,O=SecureTrust Corporation,C=US
 # Serial Number:07:56:22:a4:e8:d4:8a:89:4d:f4:13:c8:f0:f8:ea:a5
 # Subject: CN=Secure Global CA,O=SecureTrust Corporation,C=US
@@ -7939,17 +6717,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \162\145\040\107\154\157\142\141\154\040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\007\126\042\244\350\324\212\211\115\364\023\310\360\370
 \352\245
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "COMODO Certification Authority"
 #
 # Issuer: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Serial Number:4e:81:2d:8a:82:65:e0:0b:02:ee:3e:35:02:46:e5:3d
 # Subject: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
@@ -8093,17 +6871,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \162\151\164\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\116\201\055\212\202\145\340\013\002\356\076\065\002\106
 \345\075
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Network Solutions Certificate Authority"
 #
 # Issuer: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US
 # Serial Number:57:cb:33:6f:c2:5c:16:e6:47:16:17:e3:90:31:68:e0
 # Subject: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US
@@ -8365,17 +7143,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \165\164\150\157\162\151\164\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\037\107\257\252\142\000\160\120\124\114\001\236\233\143
 \231\052
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "MD5 Collisions Forged Rogue CA 25c3"
 #
 # Issuer: CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
 # Serial Number: 66 (0x42)
 # Subject: CN=MD5 Collisions Inc. (http://www.phreedom.org/md5)
@@ -9137,17 +7915,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \151\143\303\241\155\141\162\141\040\123\056\101\056
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\017\007\176\122\223\173\340\025\343\127\360\151\214\313\354
 \014
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "TC TrustCenter Class 3 CA II"
 #
 # Issuer: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE
 # Serial Number:4a:47:00:01:00:02:e5:a0:5d:d6:3f:00:51:bf
 # Subject: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE
@@ -9435,17 +8213,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \145\040\124\145\154\145\153\157\155\040\122\157\157\164\040\103
 \101\040\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\046
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "ComSign CA"
 #
 # Issuer: C=IL,O=ComSign,CN=ComSign CA
 # Serial Number:14:13:96:83:14:55:8c:ea:7b:63:e5:fc:34:87:77:44
 # Subject: C=IL,O=ComSign,CN=ComSign CA
@@ -9569,147 +8347,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \167\104
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "ComSign Secured CA"
-#
-# Issuer: C=IL,O=ComSign,CN=ComSign Secured CA
-# Serial Number:00:c7:28:47:09:b3:b8:6c:45:8c:1d:fa:24:f5:36:4e:e9
-# Subject: C=IL,O=ComSign,CN=ComSign Secured CA
-# Not Valid Before: Wed Mar 24 11:37:20 2004
-# Not Valid After : Fri Mar 16 15:04:56 2029
-# Fingerprint (MD5): 40:01:25:06:8D:21:43:6A:0E:43:00:9C:E7:43:F3:D5
-# Fingerprint (SHA1): F9:CD:0E:2C:DA:76:24:C1:8F:BD:F0:F0:AB:B6:45:B8:F7:FE:D5:7A
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "ComSign Secured CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\074\061\033\060\031\006\003\125\004\003\023\022\103\157\155
-\123\151\147\156\040\123\145\143\165\162\145\144\040\103\101\061
-\020\060\016\006\003\125\004\012\023\007\103\157\155\123\151\147
-\156\061\013\060\011\006\003\125\004\006\023\002\111\114
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\074\061\033\060\031\006\003\125\004\003\023\022\103\157\155
-\123\151\147\156\040\123\145\143\165\162\145\144\040\103\101\061
-\020\060\016\006\003\125\004\012\023\007\103\157\155\123\151\147
-\156\061\013\060\011\006\003\125\004\006\023\002\111\114
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\021\000\307\050\107\011\263\270\154\105\214\035\372\044\365
-\066\116\351
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\253\060\202\002\223\240\003\002\001\002\002\021\000
-\307\050\107\011\263\270\154\105\214\035\372\044\365\066\116\351
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\074\061\033\060\031\006\003\125\004\003\023\022\103\157\155\123
-\151\147\156\040\123\145\143\165\162\145\144\040\103\101\061\020
-\060\016\006\003\125\004\012\023\007\103\157\155\123\151\147\156
-\061\013\060\011\006\003\125\004\006\023\002\111\114\060\036\027
-\015\060\064\060\063\062\064\061\061\063\067\062\060\132\027\015
-\062\071\060\063\061\066\061\065\060\064\065\066\132\060\074\061
-\033\060\031\006\003\125\004\003\023\022\103\157\155\123\151\147
-\156\040\123\145\143\165\162\145\144\040\103\101\061\020\060\016
-\006\003\125\004\012\023\007\103\157\155\123\151\147\156\061\013
-\060\011\006\003\125\004\006\023\002\111\114\060\202\001\042\060
-\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202
-\001\017\000\060\202\001\012\002\202\001\001\000\306\265\150\137
-\035\224\025\303\244\010\125\055\343\240\127\172\357\351\164\052
-\273\271\174\127\111\032\021\136\117\051\207\014\110\326\152\347
-\217\324\176\127\044\271\006\211\344\034\074\352\254\343\332\041
-\200\163\041\012\357\171\230\154\037\010\377\241\120\175\362\230
-\033\311\124\157\076\245\050\354\041\004\017\105\273\007\075\241
-\300\372\052\230\035\116\006\223\373\365\210\073\253\137\313\026
-\277\346\363\236\112\207\355\031\352\302\237\103\344\361\201\245
-\177\020\117\076\321\112\142\255\123\033\313\203\377\007\145\245
-\222\055\146\251\133\270\132\364\035\264\041\221\112\027\173\236
-\062\376\126\044\071\262\124\204\103\365\204\302\330\274\101\220
-\314\235\326\150\332\351\202\120\251\073\150\317\265\135\002\224
-\140\026\261\103\331\103\135\335\135\207\156\352\273\263\311\153
-\366\003\224\011\160\336\026\021\172\053\350\166\217\111\020\230
-\167\271\143\134\213\063\227\165\366\013\214\262\253\133\336\164
-\040\045\077\343\363\021\371\207\150\206\065\161\303\035\214\055
-\353\345\032\254\017\163\325\202\131\100\200\323\002\003\001\000
-\001\243\201\247\060\201\244\060\014\006\003\125\035\023\004\005
-\060\003\001\001\377\060\104\006\003\125\035\037\004\075\060\073
-\060\071\240\067\240\065\206\063\150\164\164\160\072\057\057\146
-\145\144\151\162\056\143\157\155\163\151\147\156\056\143\157\056
-\151\154\057\143\162\154\057\103\157\155\123\151\147\156\123\145
-\143\165\162\145\144\103\101\056\143\162\154\060\016\006\003\125
-\035\017\001\001\377\004\004\003\002\001\206\060\037\006\003\125
-\035\043\004\030\060\026\200\024\301\113\355\160\266\367\076\174
-\000\073\000\217\307\076\016\105\237\036\135\354\060\035\006\003
-\125\035\016\004\026\004\024\301\113\355\160\266\367\076\174\000
-\073\000\217\307\076\016\105\237\036\135\354\060\015\006\011\052
-\206\110\206\367\015\001\001\005\005\000\003\202\001\001\000\026
-\317\356\222\023\120\253\173\024\236\063\266\102\040\152\324\025
-\275\011\253\374\162\350\357\107\172\220\254\121\301\144\116\351
-\210\275\103\105\201\343\146\043\077\022\206\115\031\344\005\260
-\346\067\302\215\332\006\050\311\017\211\244\123\251\165\077\260
-\226\373\253\114\063\125\371\170\046\106\157\033\066\230\373\102
-\166\301\202\271\216\336\373\105\371\143\033\142\073\071\006\312
-\167\172\250\074\011\317\154\066\075\017\012\105\113\151\026\032
-\105\175\063\003\145\371\122\161\220\046\225\254\114\014\365\213
-\223\077\314\165\164\205\230\272\377\142\172\115\037\211\376\256
-\275\224\000\231\277\021\245\334\340\171\305\026\013\175\002\141
-\035\352\205\371\002\025\117\347\132\211\116\024\157\343\067\113
-\205\365\301\074\141\340\375\005\101\262\222\177\303\035\240\320
-\256\122\144\140\153\030\306\046\234\330\365\144\344\066\032\142
-\237\212\017\076\377\155\116\031\126\116\040\221\154\237\064\063
-\072\064\127\120\072\157\201\136\006\306\365\076\174\116\216\053
-\316\145\006\056\135\322\052\123\164\136\323\156\047\236\217
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "ComSign Secured CA"
-# Issuer: C=IL,O=ComSign,CN=ComSign Secured CA
-# Serial Number:00:c7:28:47:09:b3:b8:6c:45:8c:1d:fa:24:f5:36:4e:e9
-# Subject: C=IL,O=ComSign,CN=ComSign Secured CA
-# Not Valid Before: Wed Mar 24 11:37:20 2004
-# Not Valid After : Fri Mar 16 15:04:56 2029
-# Fingerprint (MD5): 40:01:25:06:8D:21:43:6A:0E:43:00:9C:E7:43:F3:D5
-# Fingerprint (SHA1): F9:CD:0E:2C:DA:76:24:C1:8F:BD:F0:F0:AB:B6:45:B8:F7:FE:D5:7A
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "ComSign Secured CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\371\315\016\054\332\166\044\301\217\275\360\360\253\266\105\270
-\367\376\325\172
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\100\001\045\006\215\041\103\152\016\103\000\234\347\103\363\325
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\074\061\033\060\031\006\003\125\004\003\023\022\103\157\155
-\123\151\147\156\040\123\145\143\165\162\145\144\040\103\101\061
-\020\060\016\006\003\125\004\012\023\007\103\157\155\123\151\147
-\156\061\013\060\011\006\003\125\004\006\023\002\111\114
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\021\000\307\050\107\011\263\270\154\105\214\035\372\044\365
-\066\116\351
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Cybertrust Global Root"
 #
 # Issuer: CN=Cybertrust Global Root,O="Cybertrust, Inc"
 # Serial Number:04:00:00:00:00:01:0f:85:aa:2d:48
 # Subject: CN=Cybertrust Global Root,O="Cybertrust, Inc"
 # Not Valid Before: Fri Dec 15 08:00:00 2006
 # Not Valid After : Wed Dec 15 08:00:00 2021
 # Fingerprint (MD5): 72:E4:4A:87:E3:69:40:80:77:EA:BC:E3:F4:FF:F0:E1
@@ -9995,17 +8642,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\025\310\275\145\107\134\257\270\227\000\136\344\006\322
 \274\235
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
 #
 # Issuer: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR
 # Serial Number: 17 (0x11)
 # Subject: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR
@@ -10314,140 +8961,16 @@ CKA_ISSUER MULTILINE_OCTAL
 \107\116\061\031\060\027\006\003\125\004\013\023\020\143\145\162
 \164\123\111\107\116\040\122\117\117\124\040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\006\040\006\005\026\160\002
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "CNNIC ROOT"
-#
-# Issuer: CN=CNNIC ROOT,O=CNNIC,C=CN
-# Serial Number: 1228079105 (0x49330001)
-# Subject: CN=CNNIC ROOT,O=CNNIC,C=CN
-# Not Valid Before: Mon Apr 16 07:09:14 2007
-# Not Valid After : Fri Apr 16 07:09:14 2027
-# Fingerprint (MD5): 21:BC:82:AB:49:C4:13:3B:4B:B2:2B:5C:6B:90:9C:19
-# Fingerprint (SHA1): 8B:AF:4C:9B:1D:F0:2A:92:F7:DA:12:8E:B9:1B:AC:F4:98:60:4B:6F
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "CNNIC ROOT"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\062\061\013\060\011\006\003\125\004\006\023\002\103\116\061
-\016\060\014\006\003\125\004\012\023\005\103\116\116\111\103\061
-\023\060\021\006\003\125\004\003\023\012\103\116\116\111\103\040
-\122\117\117\124
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\062\061\013\060\011\006\003\125\004\006\023\002\103\116\061
-\016\060\014\006\003\125\004\012\023\005\103\116\116\111\103\061
-\023\060\021\006\003\125\004\003\023\012\103\116\116\111\103\040
-\122\117\117\124
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\111\063\000\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\125\060\202\002\075\240\003\002\001\002\002\004\111
-\063\000\001\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\060\062\061\013\060\011\006\003\125\004\006\023\002\103
-\116\061\016\060\014\006\003\125\004\012\023\005\103\116\116\111
-\103\061\023\060\021\006\003\125\004\003\023\012\103\116\116\111
-\103\040\122\117\117\124\060\036\027\015\060\067\060\064\061\066
-\060\067\060\071\061\064\132\027\015\062\067\060\064\061\066\060
-\067\060\071\061\064\132\060\062\061\013\060\011\006\003\125\004
-\006\023\002\103\116\061\016\060\014\006\003\125\004\012\023\005
-\103\116\116\111\103\061\023\060\021\006\003\125\004\003\023\012
-\103\116\116\111\103\040\122\117\117\124\060\202\001\042\060\015
-\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001
-\017\000\060\202\001\012\002\202\001\001\000\323\065\367\077\163
-\167\255\350\133\163\027\302\321\157\355\125\274\156\352\350\244
-\171\262\154\303\243\357\341\237\261\073\110\205\365\232\134\041
-\042\020\054\305\202\316\332\343\232\156\067\341\207\054\334\271
-\014\132\272\210\125\337\375\252\333\037\061\352\001\361\337\071
-\001\301\023\375\110\122\041\304\125\337\332\330\263\124\166\272
-\164\261\267\175\327\300\350\366\131\305\115\310\275\255\037\024
-\332\337\130\104\045\062\031\052\307\176\176\216\256\070\260\060
-\173\107\162\011\061\360\060\333\303\033\166\051\273\151\166\116
-\127\371\033\144\242\223\126\267\157\231\156\333\012\004\234\021
-\343\200\037\313\143\224\020\012\251\341\144\202\061\371\214\047
-\355\246\231\000\366\160\223\030\370\241\064\206\243\335\172\302
-\030\171\366\172\145\065\317\220\353\275\063\223\237\123\253\163
-\073\346\233\064\040\057\035\357\251\035\143\032\240\200\333\003
-\057\371\046\032\206\322\215\273\251\276\122\072\207\147\110\015
-\277\264\240\330\046\276\043\137\163\067\177\046\346\222\004\243
-\177\317\040\247\267\363\072\312\313\231\313\002\003\001\000\001
-\243\163\060\161\060\021\006\011\140\206\110\001\206\370\102\001
-\001\004\004\003\002\000\007\060\037\006\003\125\035\043\004\030
-\060\026\200\024\145\362\061\255\052\367\367\335\122\226\012\307
-\002\301\016\357\246\325\073\021\060\017\006\003\125\035\023\001
-\001\377\004\005\060\003\001\001\377\060\013\006\003\125\035\017
-\004\004\003\002\001\376\060\035\006\003\125\035\016\004\026\004
-\024\145\362\061\255\052\367\367\335\122\226\012\307\002\301\016
-\357\246\325\073\021\060\015\006\011\052\206\110\206\367\015\001
-\001\005\005\000\003\202\001\001\000\113\065\356\314\344\256\277
-\303\156\255\237\225\073\113\077\133\036\337\127\051\242\131\312
-\070\342\271\032\377\236\346\156\062\335\036\256\352\065\267\365
-\223\221\116\332\102\341\303\027\140\120\362\321\134\046\271\202
-\267\352\155\344\234\204\347\003\171\027\257\230\075\224\333\307
-\272\000\347\270\277\001\127\301\167\105\062\014\073\361\264\034
-\010\260\375\121\240\241\335\232\035\023\066\232\155\267\307\074
-\271\341\305\331\027\372\203\325\075\025\240\074\273\036\013\342
-\310\220\077\250\206\014\374\371\213\136\205\313\117\133\113\142
-\021\107\305\105\174\005\057\101\261\236\020\151\033\231\226\340
-\125\171\373\116\206\231\270\224\332\206\070\152\223\243\347\313
-\156\345\337\352\041\125\211\234\175\175\177\230\365\000\211\356
-\343\204\300\134\226\265\305\106\352\106\340\205\125\266\033\311
-\022\326\301\315\315\200\363\002\001\074\310\151\313\105\110\143
-\330\224\320\354\205\016\073\116\021\145\364\202\214\246\075\256
-\056\042\224\011\310\134\352\074\201\135\026\052\003\227\026\125
-\011\333\212\101\202\236\146\233\021
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "CNNIC ROOT"
-# Issuer: CN=CNNIC ROOT,O=CNNIC,C=CN
-# Serial Number: 1228079105 (0x49330001)
-# Subject: CN=CNNIC ROOT,O=CNNIC,C=CN
-# Not Valid Before: Mon Apr 16 07:09:14 2007
-# Not Valid After : Fri Apr 16 07:09:14 2027
-# Fingerprint (MD5): 21:BC:82:AB:49:C4:13:3B:4B:B2:2B:5C:6B:90:9C:19
-# Fingerprint (SHA1): 8B:AF:4C:9B:1D:F0:2A:92:F7:DA:12:8E:B9:1B:AC:F4:98:60:4B:6F
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "CNNIC ROOT"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\213\257\114\233\035\360\052\222\367\332\022\216\271\033\254\364
-\230\140\113\157
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\041\274\202\253\111\304\023\073\113\262\053\134\153\220\234\031
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\062\061\013\060\011\006\003\125\004\006\023\002\103\116\061
-\016\060\014\006\003\125\004\012\023\005\103\116\116\111\103\061
-\023\060\021\006\003\125\004\003\023\012\103\116\116\111\103\040
-\122\117\117\124
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\111\063\000\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "GeoTrust Primary Certification Authority - G3"
 #
 # Issuer: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
 # Serial Number:15:ac:6e:94:19:b2:79:4b:41:f6:27:a9:c3:18:0f:1f
@@ -10593,17 +9116,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \150\157\162\151\164\171\040\055\040\107\063
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\025\254\156\224\031\262\171\113\101\366\047\251\303\030
 \017\037
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "thawte Primary Root CA - G2"
 #
 # Issuer: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US
 # Serial Number:35:fc:26:5c:d9:84:4f:c9:3d:26:3d:57:9b:ae:d7:56
 # Subject: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US
@@ -10721,17 +9244,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \103\101\040\055\040\107\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\065\374\046\134\331\204\117\311\075\046\075\127\233\256
 \327\126
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "thawte Primary Root CA - G3"
 #
 # Issuer: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
 # Serial Number:60:01:97:b7:46:a7:ea:b4:b4:9a:d6:4b:2f:f7:90:fb
 # Subject: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
@@ -10884,17 +9407,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \063
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\140\001\227\267\106\247\352\264\264\232\326\113\057\367
 \220\373
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "GeoTrust Primary Certification Authority - G2"
 #
 # Issuer: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
 # Serial Number:3c:b2:f4:48:0a:00:e2:fe:eb:24:3b:5e:60:3e:c3:6b
 # Subject: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
@@ -11018,17 +9541,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \150\157\162\151\164\171\040\055\040\107\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\074\262\364\110\012\000\342\376\353\044\073\136\140\076
 \303\153
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "VeriSign Universal Root Certification Authority"
 #
 # Issuer: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:40:1a:c4:64:21:b3:13:21:03:0e:bb:e4:12:1a:c5:1d
 # Subject: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
@@ -11190,17 +9713,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\100\032\304\144\041\263\023\041\003\016\273\344\022\032
 \305\035
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
 #
 # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:2f:80:fe:23:8c:0e:22:0f:48:67:12:28:91:87:ac:b3
 # Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
@@ -11346,17 +9869,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \165\164\150\157\162\151\164\171\040\055\040\107\064
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\057\200\376\043\214\016\042\017\110\147\022\050\221\207
 \254\263
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "NetLock Arany (Class Gold) Főtanúsítvány"
 #
 # Issuer: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU
 # Serial Number:49:41:2c:e4:00:10
 # Subject: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU
@@ -11503,17 +10026,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \163\163\040\107\157\154\144\051\040\106\305\221\164\141\156\303
 \272\163\303\255\164\166\303\241\156\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\006\111\101\054\344\000\020
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Staat der Nederlanden Root CA - G2"
 #
 # Issuer: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL
 # Serial Number: 10000012 (0x98968c)
 # Subject: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL
@@ -11672,17 +10195,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\040
 \122\157\157\164\040\103\101\040\055\040\107\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\000\230\226\214
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Hongkong Post Root CA 1"
 #
 # Issuer: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK
 # Serial Number: 1000 (0x3e8)
 # Subject: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK
@@ -12094,17 +10617,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \012\014\006\105\104\111\103\117\115\061\013\060\011\006\003\125
 \004\006\023\002\105\123
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\010\141\215\307\206\073\001\202\005
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 
 #
 # Certificate "Microsec e-Szigno Root CA 2009"
 #
 # Issuer: E=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU
 # Serial Number:00:c2:7e:43:04:4e:47:3f:19
@@ -12245,17 +10768,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \001\011\001\026\020\151\156\146\157\100\145\055\163\172\151\147
 \156\157\056\150\165
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\011\000\302\176\103\004\116\107\077\031
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "GlobalSign Root CA - R3"
 #
 # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
 # Serial Number:04:00:00:00:00:01:21:58:53:08:a2
 # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
@@ -12373,17 +10896,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \154\157\142\141\154\123\151\147\156\061\023\060\021\006\003\125
 \004\003\023\012\107\154\157\142\141\154\123\151\147\156
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\013\004\000\000\000\000\001\041\130\123\010\242
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
 #
 # Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES
 # Serial Number:53:ec:3b:ee:fb:b2:48:5f
 # Subject: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES
@@ -12547,17 +11070,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \151\157\156\141\154\040\103\111\106\040\101\066\062\066\063\064
 \060\066\070
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\010\123\354\073\356\373\262\110\137
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Izenpe.com"
 #
 # Issuer: CN=Izenpe.com,O=IZENPE S.A.,C=ES
 # Serial Number:00:b0:b7:5a:16:48:5f:bf:e1:cb:f5:8b:d7:19:e6:7d
 # Subject: CN=Izenpe.com,O=IZENPE S.A.,C=ES
@@ -12715,17 +11238,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \111\172\145\156\160\145\056\143\157\155
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\000\260\267\132\026\110\137\277\341\313\365\213\327\031
 \346\175
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Chambers of Commerce Root - 2008"
 #
 # Issuer: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
 # Serial Number:00:a3:da:42:7e:a4:b1:ae:da
 # Subject: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
@@ -12927,17 +11450,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \155\145\162\143\145\040\122\157\157\164\040\055\040\062\060\060
 \070
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\011\000\243\332\102\176\244\261\256\332
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Global Chambersign Root - 2008"
 #
 # Issuer: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
 # Serial Number:00:c9:cd:d3:e9:d5:7d:23:ce
 # Subject: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
@@ -13135,17 +11658,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \036\107\154\157\142\141\154\040\103\150\141\155\142\145\162\163
 \151\147\156\040\122\157\157\164\040\055\040\062\060\060\070
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\011\000\311\315\323\351\325\175\043\316
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Bogus Mozilla Addons"
 #
 # Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
 # Serial Number:00:92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43
 # Subject: CN=addons.mozilla.org,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
@@ -15000,17 +13523,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \151\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164
 \171\040\055\040\107\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Starfield Root Certificate Authority - G2"
 #
 # Issuer: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
 # Serial Number: 0 (0x0)
 # Subject: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
@@ -15151,17 +13674,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \141\164\145\040\101\165\164\150\157\162\151\164\171\040\055\040
 \107\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Starfield Services Root Certificate Authority - G2"
 #
 # Issuer: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
 # Serial Number: 0 (0x0)
 # Subject: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
@@ -15303,17 +13826,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \040\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164
 \150\157\162\151\164\171\040\055\040\107\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "AffirmTrust Commercial"
 #
 # Issuer: CN=AffirmTrust Commercial,O=AffirmTrust,C=US
 # Serial Number:77:77:06:27:26:a9:b1:7c
 # Subject: CN=AffirmTrust Commercial,O=AffirmTrust,C=US
@@ -15961,17 +14484,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \006\003\125\004\003\023\031\103\145\162\164\165\155\040\124\162
 \165\163\164\145\144\040\116\145\164\167\157\162\153\040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\003\004\104\300
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Certinomis - Autorité Racine"
 #
 # Issuer: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR
 # Serial Number: 1 (0x1)
 # Subject: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR
@@ -16265,17 +14788,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
 \171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Explicitly Distrust DigiNotar Root CA"
 #
 # Issuer: E=info@diginotar.nl,CN=DigiNotar Root CA,O=DigiNotar,C=NL
 # Serial Number:0f:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff
 # Subject: E=info@diginotar.nl,CN=DigiNotar Root CA,O=DigiNotar,C=NL
@@ -17655,17 +16178,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \036\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156
 \151\143\141\164\151\157\156\040\122\157\157\164\103\101\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "EC-ACC"
 #
 # Issuer: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES
 # Serial Number:ee:2b:3d:eb:d4:21:de:14:a8:62:ac:04:f3:dd:c4:01
 # Subject: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES
@@ -18005,17 +16528,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \111\156\163\164\151\164\165\164\151\157\156\163\040\122\157\157
 \164\103\101\040\062\060\061\061
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 # Explicitly Distrust "MITM subCA 1 issued by Trustwave", Bug 724929
 # Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US
 # Serial Number: 1800000005 (0x6b49d205)
 # Not Before: Apr  7 15:37:15 2011 GMT
 # Not After : Apr  4 15:37:15 2021 GMT
 CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
@@ -18238,17 +16761,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \143\164\141\154\151\163\040\101\165\164\150\145\156\164\151\143
 \141\164\151\157\156\040\122\157\157\164\040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\010\127\012\021\227\102\304\343\314
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Trustis FPS Root CA"
 #
 # Issuer: OU=Trustis FPS Root CA,O=Trustis Limited,C=GB
 # Serial Number:1b:1f:ad:b6:20:f9:24:d3:36:6b:f7:c7:f1:8c:a0:59
 # Subject: OU=Trustis FPS Root CA,O=Trustis Limited,C=GB
@@ -18571,17 +17094,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \164\141\162\164\103\157\155\040\103\145\162\164\151\146\151\143
 \141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\055
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "StartCom Certification Authority G2"
 #
 # Issuer: CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL
 # Serial Number: 59 (0x3b)
 # Subject: CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL
@@ -18734,17 +17257,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
 \164\171\040\107\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\073
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Buypass Class 2 Root CA"
 #
 # Issuer: CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO
 # Serial Number: 2 (0x2)
 # Subject: CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO
@@ -19347,17 +17870,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \151\100\163\153\056\145\145
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\124\200\371\240\163\355\077\000\114\312\211\330\343\161
 \346\112
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 # Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 1", Bug 825022
 # Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri
 # Serial Number: 2087 (0x827)
 # Subject: CN=*.EGO.GOV.TR,OU=EGO BILGI ISLEM,O=EGO,L=ANKARA,ST=ANKARA,C=TR
 # Not Valid Before: Mon Aug 08 07:07:51 2011
 # Not Valid After : Tue Jul 06 07:07:51 2021
@@ -19581,17 +18104,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \056\040\050\143\051\040\101\162\141\154\304\261\153\040\062\060
 \060\067
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "D-TRUST Root Class 3 CA 2 2009"
 #
 # Issuer: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE
 # Serial Number: 623603 (0x983f3)
 # Subject: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE
@@ -20130,165 +18653,16 @@ CKA_ISSUER MULTILINE_OCTAL
 \151\172\100\163\165\163\143\145\162\164\145\056\147\157\142\056
 \166\145
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\013
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "China Internet Network Information Center EV Certificates Root"
-#
-# Issuer: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN
-# Serial Number: 1218379777 (0x489f0001)
-# Subject: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN
-# Not Valid Before: Tue Aug 31 07:11:25 2010
-# Not Valid After : Sat Aug 31 07:11:25 2030
-# Fingerprint (MD5): 55:5D:63:00:97:BD:6A:97:F5:67:AB:4B:FB:6E:63:15
-# Fingerprint (SHA1): 4F:99:AA:93:FB:2B:D1:37:26:A1:99:4A:CE:7F:F0:05:F2:93:5D:1E
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "China Internet Network Information Center EV Certificates Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\212\061\013\060\011\006\003\125\004\006\023\002\103\116
-\061\062\060\060\006\003\125\004\012\014\051\103\150\151\156\141
-\040\111\156\164\145\162\156\145\164\040\116\145\164\167\157\162
-\153\040\111\156\146\157\162\155\141\164\151\157\156\040\103\145
-\156\164\145\162\061\107\060\105\006\003\125\004\003\014\076\103
-\150\151\156\141\040\111\156\164\145\162\156\145\164\040\116\145
-\164\167\157\162\153\040\111\156\146\157\162\155\141\164\151\157
-\156\040\103\145\156\164\145\162\040\105\126\040\103\145\162\164
-\151\146\151\143\141\164\145\163\040\122\157\157\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\212\061\013\060\011\006\003\125\004\006\023\002\103\116
-\061\062\060\060\006\003\125\004\012\014\051\103\150\151\156\141
-\040\111\156\164\145\162\156\145\164\040\116\145\164\167\157\162
-\153\040\111\156\146\157\162\155\141\164\151\157\156\040\103\145
-\156\164\145\162\061\107\060\105\006\003\125\004\003\014\076\103
-\150\151\156\141\040\111\156\164\145\162\156\145\164\040\116\145
-\164\167\157\162\153\040\111\156\146\157\162\155\141\164\151\157
-\156\040\103\145\156\164\145\162\040\105\126\040\103\145\162\164
-\151\146\151\143\141\164\145\163\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\110\237\000\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\367\060\202\002\337\240\003\002\001\002\002\004\110
-\237\000\001\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\060\201\212\061\013\060\011\006\003\125\004\006\023\002
-\103\116\061\062\060\060\006\003\125\004\012\014\051\103\150\151
-\156\141\040\111\156\164\145\162\156\145\164\040\116\145\164\167
-\157\162\153\040\111\156\146\157\162\155\141\164\151\157\156\040
-\103\145\156\164\145\162\061\107\060\105\006\003\125\004\003\014
-\076\103\150\151\156\141\040\111\156\164\145\162\156\145\164\040
-\116\145\164\167\157\162\153\040\111\156\146\157\162\155\141\164
-\151\157\156\040\103\145\156\164\145\162\040\105\126\040\103\145
-\162\164\151\146\151\143\141\164\145\163\040\122\157\157\164\060
-\036\027\015\061\060\060\070\063\061\060\067\061\061\062\065\132
-\027\015\063\060\060\070\063\061\060\067\061\061\062\065\132\060
-\201\212\061\013\060\011\006\003\125\004\006\023\002\103\116\061
-\062\060\060\006\003\125\004\012\014\051\103\150\151\156\141\040
-\111\156\164\145\162\156\145\164\040\116\145\164\167\157\162\153
-\040\111\156\146\157\162\155\141\164\151\157\156\040\103\145\156
-\164\145\162\061\107\060\105\006\003\125\004\003\014\076\103\150
-\151\156\141\040\111\156\164\145\162\156\145\164\040\116\145\164
-\167\157\162\153\040\111\156\146\157\162\155\141\164\151\157\156
-\040\103\145\156\164\145\162\040\105\126\040\103\145\162\164\151
-\146\151\143\141\164\145\163\040\122\157\157\164\060\202\001\042
-\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
-\202\001\017\000\060\202\001\012\002\202\001\001\000\233\176\163
-\356\275\073\170\252\144\103\101\365\120\337\224\362\056\262\215
-\112\216\106\124\322\041\022\310\071\062\102\006\351\203\325\237
-\122\355\345\147\003\073\124\301\214\231\231\314\351\300\017\377
-\015\331\204\021\262\270\321\313\133\334\036\371\150\061\144\341
-\233\372\164\353\150\271\040\225\367\306\017\215\107\254\132\006
-\335\141\253\342\354\330\237\027\055\234\312\074\065\227\125\161
-\315\103\205\261\107\026\365\054\123\200\166\317\323\000\144\275
-\100\231\335\314\330\333\304\237\326\023\137\101\203\213\371\015
-\207\222\126\064\154\032\020\013\027\325\132\034\227\130\204\074
-\204\032\056\134\221\064\156\031\137\177\027\151\305\145\357\153
-\041\306\325\120\072\277\141\271\005\215\357\157\064\072\262\157
-\024\143\277\026\073\233\251\052\375\267\053\070\146\006\305\054
-\342\252\147\036\105\247\215\004\146\102\366\217\053\357\210\040
-\151\217\062\214\024\163\332\053\206\221\143\042\232\362\247\333
-\316\211\213\253\135\307\024\301\133\060\152\037\261\267\236\056
-\201\001\002\355\317\226\136\143\333\250\346\070\267\002\003\001
-\000\001\243\143\060\141\060\037\006\003\125\035\043\004\030\060
-\026\200\024\174\162\113\071\307\300\333\142\245\117\233\252\030
-\064\222\242\312\203\202\131\060\017\006\003\125\035\023\001\001
-\377\004\005\060\003\001\001\377\060\016\006\003\125\035\017\001
-\001\377\004\004\003\002\001\006\060\035\006\003\125\035\016\004
-\026\004\024\174\162\113\071\307\300\333\142\245\117\233\252\030
-\064\222\242\312\203\202\131\060\015\006\011\052\206\110\206\367
-\015\001\001\005\005\000\003\202\001\001\000\052\303\307\103\067
-\217\335\255\244\262\014\356\334\024\155\217\050\244\230\111\313
-\014\200\352\363\355\043\146\165\175\305\323\041\147\171\321\163
-\305\265\003\267\130\254\014\124\057\306\126\023\017\061\332\006
-\347\145\073\035\157\066\333\310\035\371\375\200\006\312\243\075
-\146\026\250\235\114\026\175\300\225\106\265\121\344\342\037\327
-\352\006\115\143\215\226\214\357\347\063\127\102\072\353\214\301
-\171\310\115\166\175\336\366\261\267\201\340\240\371\241\170\106
-\027\032\126\230\360\116\075\253\034\355\354\071\334\007\110\367
-\143\376\006\256\302\244\134\152\133\062\210\305\307\063\205\254
-\146\102\107\302\130\044\231\341\345\076\345\165\054\216\103\326
-\135\074\170\036\250\225\202\051\120\321\321\026\272\357\301\276
-\172\331\264\330\314\036\114\106\341\167\261\061\253\275\052\310
-\316\217\156\241\135\177\003\165\064\344\255\211\105\124\136\276
-\256\050\245\273\077\170\171\353\163\263\012\015\375\276\311\367
-\126\254\366\267\355\057\233\041\051\307\070\266\225\304\004\362
-\303\055\375\024\052\220\231\271\007\314\237
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "China Internet Network Information Center EV Certificates Root"
-# Issuer: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN
-# Serial Number: 1218379777 (0x489f0001)
-# Subject: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN
-# Not Valid Before: Tue Aug 31 07:11:25 2010
-# Not Valid After : Sat Aug 31 07:11:25 2030
-# Fingerprint (MD5): 55:5D:63:00:97:BD:6A:97:F5:67:AB:4B:FB:6E:63:15
-# Fingerprint (SHA1): 4F:99:AA:93:FB:2B:D1:37:26:A1:99:4A:CE:7F:F0:05:F2:93:5D:1E
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "China Internet Network Information Center EV Certificates Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\117\231\252\223\373\053\321\067\046\241\231\112\316\177\360\005
-\362\223\135\036
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\125\135\143\000\227\275\152\227\365\147\253\113\373\156\143\025
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\212\061\013\060\011\006\003\125\004\006\023\002\103\116
-\061\062\060\060\006\003\125\004\012\014\051\103\150\151\156\141
-\040\111\156\164\145\162\156\145\164\040\116\145\164\167\157\162
-\153\040\111\156\146\157\162\155\141\164\151\157\156\040\103\145
-\156\164\145\162\061\107\060\105\006\003\125\004\003\014\076\103
-\150\151\156\141\040\111\156\164\145\162\156\145\164\040\116\145
-\164\167\157\162\153\040\111\156\146\157\162\155\141\164\151\157
-\156\040\103\145\156\164\145\162\040\105\126\040\103\145\162\164
-\151\146\151\143\141\164\145\163\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\110\237\000\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Swisscom Root CA 2"
 #
 # Issuer: CN=Swisscom Root CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
 # Serial Number:1e:9e:28:e8:48:f2:e5:ef:c3:7c:4a:1e:5a:18:67:b6
@@ -20452,195 +18826,19 @@ CKA_ISSUER MULTILINE_OCTAL
 \040\123\145\162\166\151\143\145\163\061\033\060\031\006\003\125
 \004\003\023\022\123\167\151\163\163\143\157\155\040\122\157\157
 \164\040\103\101\040\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\036\236\050\350\110\362\345\357\303\174\112\036\132\030
 \147\266
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Swisscom Root EV CA 2"
-#
-# Issuer: CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
-# Serial Number:00:f2:fa:64:e2:74:63:d3:8d:fd:10:1d:04:1f:76:ca:58
-# Subject: CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
-# Not Valid Before: Fri Jun 24 09:45:08 2011
-# Not Valid After : Wed Jun 25 08:45:08 2031
-# Fingerprint (MD5): 7B:30:34:9F:DD:0A:4B:6B:35:CA:31:51:28:5D:AE:EC
-# Fingerprint (SHA1): E7:A1:90:29:D3:D5:52:DC:0D:0F:C6:92:D3:EA:88:0D:15:2E:1A:6B
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Swisscom Root EV CA 2"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\147\061\013\060\011\006\003\125\004\006\023\002\143\150\061
-\021\060\017\006\003\125\004\012\023\010\123\167\151\163\163\143
-\157\155\061\045\060\043\006\003\125\004\013\023\034\104\151\147
-\151\164\141\154\040\103\145\162\164\151\146\151\143\141\164\145
-\040\123\145\162\166\151\143\145\163\061\036\060\034\006\003\125
-\004\003\023\025\123\167\151\163\163\143\157\155\040\122\157\157
-\164\040\105\126\040\103\101\040\062
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\147\061\013\060\011\006\003\125\004\006\023\002\143\150\061
-\021\060\017\006\003\125\004\012\023\010\123\167\151\163\163\143
-\157\155\061\045\060\043\006\003\125\004\013\023\034\104\151\147
-\151\164\141\154\040\103\145\162\164\151\146\151\143\141\164\145
-\040\123\145\162\166\151\143\145\163\061\036\060\034\006\003\125
-\004\003\023\025\123\167\151\163\163\143\157\155\040\122\157\157
-\164\040\105\126\040\103\101\040\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\021\000\362\372\144\342\164\143\323\215\375\020\035\004\037
-\166\312\130
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\340\060\202\003\310\240\003\002\001\002\002\021\000
-\362\372\144\342\164\143\323\215\375\020\035\004\037\166\312\130
-\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060
-\147\061\013\060\011\006\003\125\004\006\023\002\143\150\061\021
-\060\017\006\003\125\004\012\023\010\123\167\151\163\163\143\157
-\155\061\045\060\043\006\003\125\004\013\023\034\104\151\147\151
-\164\141\154\040\103\145\162\164\151\146\151\143\141\164\145\040
-\123\145\162\166\151\143\145\163\061\036\060\034\006\003\125\004
-\003\023\025\123\167\151\163\163\143\157\155\040\122\157\157\164
-\040\105\126\040\103\101\040\062\060\036\027\015\061\061\060\066
-\062\064\060\071\064\065\060\070\132\027\015\063\061\060\066\062
-\065\060\070\064\065\060\070\132\060\147\061\013\060\011\006\003
-\125\004\006\023\002\143\150\061\021\060\017\006\003\125\004\012
-\023\010\123\167\151\163\163\143\157\155\061\045\060\043\006\003
-\125\004\013\023\034\104\151\147\151\164\141\154\040\103\145\162
-\164\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145
-\163\061\036\060\034\006\003\125\004\003\023\025\123\167\151\163
-\163\143\157\155\040\122\157\157\164\040\105\126\040\103\101\040
-\062\060\202\002\042\060\015\006\011\052\206\110\206\367\015\001
-\001\001\005\000\003\202\002\017\000\060\202\002\012\002\202\002
-\001\000\304\367\035\057\127\352\127\154\367\160\135\143\260\161
-\122\011\140\104\050\063\243\172\116\012\372\330\352\154\213\121
-\026\032\125\256\124\046\304\314\105\007\101\117\020\171\177\161
-\322\172\116\077\070\116\263\000\306\225\312\133\315\301\052\203
-\327\047\037\061\016\043\026\267\045\313\034\264\271\200\062\136
-\032\235\223\361\350\074\140\054\247\136\127\031\130\121\136\274
-\054\126\013\270\330\357\213\202\264\074\270\302\044\250\023\307
-\240\041\066\033\172\127\051\050\247\056\277\161\045\220\363\104
-\203\151\120\244\344\341\033\142\031\224\011\243\363\303\274\357
-\364\275\354\333\023\235\317\235\110\011\122\147\300\067\051\021
-\036\373\322\021\247\205\030\164\171\344\117\205\024\353\122\067
-\342\261\105\330\314\015\103\177\256\023\322\153\053\077\247\302
-\342\250\155\166\133\103\237\276\264\235\263\046\206\073\037\177
-\345\362\350\146\050\026\045\320\113\227\070\247\344\317\011\321
-\066\303\013\276\332\073\104\130\215\276\361\236\011\153\076\363
-\062\307\053\207\306\354\136\234\366\207\145\255\063\051\304\057
-\211\331\271\313\311\003\235\373\154\224\121\227\020\033\206\013
-\032\033\077\366\002\176\173\324\305\121\144\050\235\365\323\254
-\203\201\210\323\164\264\131\235\301\353\141\063\132\105\321\313
-\071\320\006\152\123\140\035\257\366\373\151\274\152\334\001\317
-\275\371\217\331\275\133\301\072\137\216\332\017\113\251\233\235
-\052\050\153\032\012\174\074\253\042\013\345\167\055\161\366\202
-\065\201\256\370\173\201\346\352\376\254\364\032\233\164\134\350
-\217\044\366\135\235\106\304\054\322\036\053\041\152\203\047\147
-\125\112\244\343\310\062\227\146\220\162\332\343\324\144\056\137
-\343\241\152\366\140\324\347\065\315\312\304\150\215\327\161\310
-\323\044\063\163\261\154\371\152\341\050\333\137\306\075\350\276
-\125\346\067\033\355\044\331\017\031\217\137\143\030\130\120\201
-\121\145\157\362\237\176\152\004\347\064\044\161\272\166\113\130
-\036\031\275\025\140\105\252\014\022\100\001\235\020\342\307\070
-\007\162\012\145\300\266\273\045\051\332\026\236\213\065\213\141
-\355\345\161\127\203\265\074\161\237\343\117\277\176\036\201\237
-\101\227\002\003\001\000\001\243\201\206\060\201\203\060\016\006
-\003\125\035\017\001\001\377\004\004\003\002\001\206\060\035\006
-\003\125\035\041\004\026\060\024\060\022\006\007\140\205\164\001
-\123\002\002\006\007\140\205\164\001\123\002\002\060\022\006\003
-\125\035\023\001\001\377\004\010\060\006\001\001\377\002\001\003
-\060\035\006\003\125\035\016\004\026\004\024\105\331\245\201\156
-\075\210\115\215\161\322\106\301\156\105\036\363\304\200\235\060
-\037\006\003\125\035\043\004\030\060\026\200\024\105\331\245\201
-\156\075\210\115\215\161\322\106\301\156\105\036\363\304\200\235
-\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\003
-\202\002\001\000\224\072\163\006\237\122\113\060\134\324\376\261
-\134\045\371\327\216\157\365\207\144\237\355\024\216\270\004\216
-\050\113\217\252\173\216\071\264\331\130\366\173\241\065\012\241
-\235\212\367\143\345\353\275\071\202\324\343\172\055\157\337\023
-\074\272\376\176\126\230\013\363\124\237\315\104\116\156\074\341
-\076\025\277\006\046\235\344\360\220\266\324\302\236\060\056\037
-\357\307\172\304\120\307\352\173\332\120\313\172\046\313\000\264
-\132\253\265\223\037\200\211\204\004\225\215\215\177\011\223\277
-\324\250\250\344\143\155\331\144\344\270\051\132\010\277\120\341
-\204\017\125\173\137\010\042\033\365\275\231\036\024\366\316\364
-\130\020\202\263\012\075\031\301\277\133\253\252\231\330\362\061
-\275\345\070\146\334\130\005\307\355\143\032\056\012\227\174\207
-\223\053\262\212\343\361\354\030\345\165\266\051\207\347\334\213
-\032\176\264\330\311\323\212\027\154\175\051\104\276\212\252\365
-\176\072\056\150\061\223\271\152\332\232\340\333\351\056\245\204
-\315\034\012\270\112\010\371\234\361\141\046\230\223\267\173\146
-\354\221\136\335\121\077\333\163\017\255\004\130\011\335\004\002
-\225\012\076\323\166\337\246\020\036\200\075\350\315\244\144\321
-\063\307\222\307\342\116\104\343\011\311\116\302\135\207\016\022
-\236\277\017\311\005\020\336\172\243\261\074\362\077\245\252\047
-\171\255\061\175\037\375\374\031\151\305\335\271\077\174\315\306
-\264\302\060\036\176\156\222\327\177\141\166\132\217\353\225\115
-\274\021\156\041\174\131\067\231\320\006\274\371\006\155\062\026
-\245\331\151\250\341\334\074\200\036\140\121\334\327\124\041\036
-\312\142\167\117\372\330\217\263\053\072\015\170\162\311\150\101
-\132\107\112\302\243\353\032\327\012\253\074\062\125\310\012\021
-\234\337\164\326\360\100\025\035\310\271\217\265\066\305\257\370
-\042\270\312\035\363\326\266\031\017\237\141\145\152\352\164\310
-\174\217\303\117\135\145\202\037\331\015\211\332\165\162\373\357
-\361\107\147\023\263\310\321\031\210\047\046\232\231\171\177\036
-\344\054\077\173\356\361\336\115\213\226\227\303\325\077\174\033
-\043\355\244\263\035\026\162\103\113\040\341\131\176\302\350\255
-\046\277\242\367
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "Swisscom Root EV CA 2"
-# Issuer: CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
-# Serial Number:00:f2:fa:64:e2:74:63:d3:8d:fd:10:1d:04:1f:76:ca:58
-# Subject: CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
-# Not Valid Before: Fri Jun 24 09:45:08 2011
-# Not Valid After : Wed Jun 25 08:45:08 2031
-# Fingerprint (MD5): 7B:30:34:9F:DD:0A:4B:6B:35:CA:31:51:28:5D:AE:EC
-# Fingerprint (SHA1): E7:A1:90:29:D3:D5:52:DC:0D:0F:C6:92:D3:EA:88:0D:15:2E:1A:6B
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Swisscom Root EV CA 2"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\347\241\220\051\323\325\122\334\015\017\306\222\323\352\210\015
-\025\056\032\153
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\173\060\064\237\335\012\113\153\065\312\061\121\050\135\256\354
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\147\061\013\060\011\006\003\125\004\006\023\002\143\150\061
-\021\060\017\006\003\125\004\012\023\010\123\167\151\163\163\143
-\157\155\061\045\060\043\006\003\125\004\013\023\034\104\151\147
-\151\164\141\154\040\103\145\162\164\151\146\151\143\141\164\145
-\040\123\145\162\166\151\143\145\163\061\036\060\034\006\003\125
-\004\003\023\025\123\167\151\163\163\143\157\155\040\122\157\157
-\164\040\105\126\040\103\101\040\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\021\000\362\372\144\342\164\143\323\215\375\020\035\004\037
-\166\312\130
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "CA Disig Root R1"
 #
 # Issuer: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
 # Serial Number:00:c3:03:9a:ee:50:90:6e:28
 # Subject: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
@@ -20793,17 +18991,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \004\003\023\020\103\101\040\104\151\163\151\147\040\122\157\157
 \164\040\122\061
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\011\000\303\003\232\356\120\220\156\050
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "CA Disig Root R2"
 #
 # Issuer: CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK
 # Serial Number:00:92:b8:88:db:b0:8a:c1:63
 # Subject: CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK
@@ -20956,17 +19154,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \004\003\023\020\103\101\040\104\151\163\151\147\040\122\157\157
 \164\040\122\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\011\000\222\270\210\333\260\212\301\143
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "ACCVRAIZ1"
 #
 # Issuer: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1
 # Serial Number:5e:c3:b7:a6:43:7f:a4:e0
 # Subject: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1
@@ -21155,17 +19353,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \012\014\004\101\103\103\126\061\013\060\011\006\003\125\004\006
 \023\002\105\123
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\010\136\303\267\246\103\177\244\340
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "TWCA Global Root CA"
 #
 # Issuer: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW
 # Serial Number: 3262 (0xcbe)
 # Subject: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW
@@ -21316,17 +19514,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \124\127\103\101\040\107\154\157\142\141\154\040\122\157\157\164
 \040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\002\014\276
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "TeliaSonera Root CA v1"
 #
 # Issuer: CN=TeliaSonera Root CA v1,O=TeliaSonera
 # Serial Number:00:95:be:16:a0:f7:2e:46:f1:7b:39:82:72:fa:8b:cd:96
 # Subject: CN=TeliaSonera Root CA v1,O=TeliaSonera
@@ -21667,17 +19865,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150
 \157\162\151\164\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\010\152\150\076\234\121\233\313\123
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "T-TeleSec GlobalRoot Class 2"
 #
 # Issuer: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
 # Serial Number: 1 (0x1)
 # Subject: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
@@ -21939,17 +20137,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \061\061\061\015\060\013\006\003\125\004\012\014\004\101\164\157
 \163\061\013\060\011\006\003\125\004\006\023\002\104\105
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\010\134\063\313\142\054\137\263\062
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "QuoVadis Root CA 1 G3"
 #
 # Issuer: CN=QuoVadis Root CA 1 G3,O=QuoVadis Limited,C=BM
 # Serial Number:78:58:5f:2e:ad:2c:19:4b:e3:37:07:35:34:13:28:b5:96:d4:65:93
 # Subject: CN=QuoVadis Root CA 1 G3,O=QuoVadis Limited,C=BM
@@ -22101,17 +20299,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \157\164\040\103\101\040\061\040\107\063
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\024\170\130\137\056\255\054\031\113\343\067\007\065\064\023
 \050\265\226\324\145\223
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "QuoVadis Root CA 2 G3"
 #
 # Issuer: CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM
 # Serial Number:44:57:34:24:5b:81:89:9b:35:f2:ce:b8:2b:3b:5b:a7:26:f0:75:28
 # Subject: CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM
@@ -22263,17 +20461,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \157\164\040\103\101\040\062\040\107\063
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\024\104\127\064\044\133\201\211\233\065\362\316\270\053\073
 \133\247\046\360\165\050
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "QuoVadis Root CA 3 G3"
 #
 # Issuer: CN=QuoVadis Root CA 3 G3,O=QuoVadis Limited,C=BM
 # Serial Number:2e:f5:9b:02:28:a7:db:7a:ff:d5:a3:a9:ee:bd:03:a0:cf:12:6a:1d
 # Subject: CN=QuoVadis Root CA 3 G3,O=QuoVadis Limited,C=BM
@@ -22425,17 +20623,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \157\164\040\103\101\040\063\040\107\063
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\024\056\365\233\002\050\247\333\172\377\325\243\251\356\275
 \003\240\317\022\152\035
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "DigiCert Assured ID Root G2"
 #
 # Issuer: CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:0b:93:1c:3a:d6:39:67:ea:67:23:bf:c3:af:9a:f4:4b
 # Subject: CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
@@ -22564,17 +20762,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \122\157\157\164\040\107\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\013\223\034\072\326\071\147\352\147\043\277\303\257\232
 \364\113
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "DigiCert Assured ID Root G3"
 #
 # Issuer: CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:0b:a1:5a:fa:1d:df:a0:b5:49:44:af:cd:24:a0:6c:ec
 # Subject: CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
@@ -22682,17 +20880,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \122\157\157\164\040\107\063
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\013\241\132\372\035\337\240\265\111\104\257\315\044\240
 \154\354
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "DigiCert Global Root G2"
 #
 # Issuer: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:03:3a:f1:e6:a7:11:a9:a0:bb:28:64:b1:1d:09:fa:e5
 # Subject: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
@@ -22821,17 +21019,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \040\107\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\003\072\361\346\247\021\251\240\273\050\144\261\035\011
 \372\345
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "DigiCert Global Root G3"
 #
 # Issuer: CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:05:55:56:bc:f2:5e:a4:35:35:c3:a4:0f:d5:ab:45:72
 # Subject: CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
@@ -22939,17 +21137,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \040\107\063
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\005\125\126\274\362\136\244\065\065\303\244\017\325\253
 \105\162
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "DigiCert Trusted Root G4"
 #
 # Issuer: CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:05:9b:1b:57:9e:8e:21:32:e2:39:07:bd:a7:77:75:5c
 # Subject: CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US
@@ -23110,17 +21308,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \164\040\107\064
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\005\233\033\127\236\216\041\062\342\071\007\275\247\167
 \165\134
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "WoSign"
 #
 # Issuer: CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN
 # Serial Number:5e:68:d6:11:71:94:63:50:56:00:68:f3:3e:c9:c5:91
 # Subject: CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN
@@ -23276,17 +21474,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \040\127\157\123\151\147\156
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\136\150\326\021\161\224\143\120\126\000\150\363\076\311
 \305\221
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "WoSign China"
 #
 # Issuer: CN=CA ...............,O=WoSign CA Limited,C=CN
 # Serial Number:50:70:6b:cd:d8:13:fc:1b:4e:3b:33:72:d2:11:48:8d
 # Subject: CN=CA ...............,O=WoSign CA Limited,C=CN
@@ -23437,17 +21635,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \240\271\350\257\201\344\271\246
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\120\160\153\315\330\023\374\033\116\073\063\162\322\021
 \110\215
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "COMODO RSA Certification Authority"
 #
 # Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Serial Number:4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
 # Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
@@ -23618,17 +21816,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \165\164\150\157\162\151\164\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\114\252\371\312\333\143\157\340\037\367\116\330\133\003
 \206\235
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "USERTrust RSA Certification Authority"
 #
 # Issuer: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
 # Serial Number:01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d
 # Subject: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
@@ -23800,17 +21998,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \156\040\101\165\164\150\157\162\151\164\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\001\375\155\060\374\243\312\121\250\033\274\144\016\065
 \003\055
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "USERTrust ECC Certification Authority"
 #
 # Issuer: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
 # Serial Number:5c:8b:99:c5:5a:94:c5:d2:71:56:de:cd:89:80:cc:26
 # Subject: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
@@ -23929,17 +22127,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \156\040\101\165\164\150\157\162\151\164\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\134\213\231\305\132\224\305\322\161\126\336\315\211\200
 \314\046
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "GlobalSign ECC Root CA - R4"
 #
 # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4
 # Serial Number:2a:38:a4:1c:96:0a:04:de:42:b2:28:a5:0b:e8:34:98:02
 # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4
@@ -24038,17 +22236,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \147\156
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\021\052\070\244\034\226\012\004\336\102\262\050\245\013\350
 \064\230\002
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "GlobalSign ECC Root CA - R5"
 #
 # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5
 # Serial Number:60:59:49:e0:26:2e:bb:55:f9:0a:77:8a:71:f9:4a:d8:6c
 # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5
@@ -24151,17 +22349,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \147\156
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\021\140\131\111\340\046\056\273\125\371\012\167\212\161\371
 \112\330\154
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal"
 #
 # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:2f:00:6e:cd:17:70:66:e7:5f:a3:82:0a:79:1f:05:ae
 # Subject: CN=VeriSign Class 3 Secure Server CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
@@ -25300,17 +23498,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \157\156\040\101\165\164\150\157\162\151\164\171\040\055\040\107
 \062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\112\123\214\050
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Entrust Root Certification Authority - EC1"
 #
 # Issuer: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
 # Serial Number:00:a6:8b:79:29:00:00:00:00:50:d0:91:f9
 # Subject: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
@@ -25445,17 +23643,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \157\156\040\101\165\164\150\157\162\151\164\171\040\055\040\105
 \103\061
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\015\000\246\213\171\051\000\000\000\000\120\320\221\371
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "CFCA EV ROOT"
 #
 # Issuer: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN
 # Serial Number: 407555286 (0x184accd6)
 # Subject: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN
@@ -25915,17 +24113,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304
 \261\040\110\065
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\007\000\216\027\376\044\040\201
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Certinomis - Root CA"
 #
 # Issuer: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR
 # Serial Number: 1 (0x1)
 # Subject: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR
@@ -26222,17 +24420,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \157\142\141\154\040\122\157\157\164\040\107\102\040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\166\261\040\122\164\360\205\207\106\263\370\043\032\366
 \302\300
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Certification Authority of WoSign G2"
 #
 # Issuer: CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN
 # Serial Number:6b:25:da:8a:88:9d:7c:bc:0f:05:b3:b1:7a:61:45:44
 # Subject: CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN
@@ -26356,17 +24554,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \040\127\157\123\151\147\156\040\107\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\153\045\332\212\210\235\174\274\017\005\263\261\172\141
 \105\104
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "CA WoSign ECC Root"
 #
 # Issuer: CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN
 # Serial Number:68:4a:58:70:80:6b:f0:8f:02:fa:f6:de:e8:b0:90:90
 # Subject: CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN
@@ -26464,17 +24662,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \105\103\103\040\122\157\157\164
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\150\112\130\160\200\153\360\217\002\372\366\336\350\260
 \220\220
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "SZAFIR ROOT CA2"
 #
 # Issuer: CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL
 # Serial Number:3e:8a:5d:07:ec:55:d2:32:d5:b7:e3:b6:5f:01:eb:2d:dc:e4:d6:e4
 # Subject: CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL
--- a/lib/ckfw/builtins/nssckbi.h
+++ b/lib/ckfw/builtins/nssckbi.h
@@ -41,18 +41,18 @@
  *   made on that branch.
  *
  * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
  * whether we may use its full range (0-255) or only 0-99 because
  * of the comment in the CK_VERSION type definition.
  * It's recommend to switch back to 0 after having reached version 98/99.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 14
-#define NSS_BUILTINS_LIBRARY_VERSION "2.14"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 16
+#define NSS_BUILTINS_LIBRARY_VERSION "2.16"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
 #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
 
 /* These version numbers detail the semantic changes to ckbi itself
  * (new PKCS #11 objects), etc. */
 #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
--- a/lib/dev/devslot.c
+++ b/lib/dev/devslot.c
@@ -221,25 +221,26 @@ nssSlot_GetCryptokiEPV(
     return slot->epv;
 }
 
 NSS_IMPLEMENT NSSToken *
 nssSlot_GetToken(
     NSSSlot *slot)
 {
     NSSToken *rvToken = NULL;
-    nssSlot_EnterMonitor(slot);
 
-    /* Even if a token should be present, check `slot->token` too as it
-     * might be gone already. This would happen mostly on shutdown. */
-    if (nssSlot_IsTokenPresent(slot) && slot->token) {
-        rvToken = nssToken_AddRef(slot->token);
+    if (nssSlot_IsTokenPresent(slot)) {
+        /* Even if a token should be present, check `slot->token` too as it
+	 * might be gone already. This would happen mostly on shutdown. */
+        nssSlot_EnterMonitor(slot);
+        if (slot->token)
+            rvToken = nssToken_AddRef(slot->token);
+        nssSlot_ExitMonitor(slot);
     }
 
-    nssSlot_ExitMonitor(slot);
     return rvToken;
 }
 
 NSS_IMPLEMENT PRStatus
 nssSession_EnterMonitor(
     nssSession *s)
 {
     if (s->lock)
--- a/lib/nss/nss.h
+++ b/lib/nss/nss.h
@@ -17,19 +17,19 @@
 
 /*
  * NSS's major version, minor version, patch level, build number, and whether
  * this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION "3.32" _NSS_CUSTOMIZED " Beta"
+#define NSS_VERSION "3.33" _NSS_CUSTOMIZED " Beta"
 #define NSS_VMAJOR 3
-#define NSS_VMINOR 32
+#define NSS_VMINOR 33
 #define NSS_VPATCH 0
 #define NSS_VBUILD 0
 #define NSS_BETA PR_TRUE
 
 #ifndef RC_INVOKED
 
 #include "seccomon.h"
 
--- a/lib/pki/pki3hack.c
+++ b/lib/pki/pki3hack.c
@@ -175,26 +175,28 @@ STAN_AddModuleToDefaultTrustDomain(
 NSS_IMPLEMENT SECStatus
 STAN_RemoveModuleFromDefaultTrustDomain(
     SECMODModule *module)
 {
     NSSToken *token;
     NSSTrustDomain *td;
     int i;
     td = STAN_GetDefaultTrustDomain();
-    NSSRWLock_LockWrite(td->tokensLock);
     for (i = 0; i < module->slotCount; i++) {
         token = PK11Slot_GetNSSToken(module->slots[i]);
         if (token) {
             nssToken_NotifyCertsNotVisible(token);
+            NSSRWLock_LockWrite(td->tokensLock);
             nssList_Remove(td->tokenList, token);
+            NSSRWLock_UnlockWrite(td->tokensLock);
             PK11Slot_SetNSSToken(module->slots[i], NULL);
             nssToken_Destroy(token);
         }
     }
+    NSSRWLock_LockWrite(td->tokensLock);
     nssListIterator_Destroy(td->tokens);
     td->tokens = nssList_CreateIterator(td->tokenList);
     NSSRWLock_UnlockWrite(td->tokensLock);
     return SECSuccess;
 }
 
 NSS_IMPLEMENT PRStatus
 STAN_Shutdown()
--- a/lib/softoken/sdb.c
+++ b/lib/softoken/sdb.c
@@ -1861,40 +1861,39 @@ sdb_init(char *dbname, char *table, sdbD
 
     /* access to network filesystems are significantly slower than local ones
      * for database operations. In those cases we need to create a cached copy
      * of the database in a temporary location on the local disk. SQLITE
      * already provides a way to create a temporary table and initialize it,
      * so we use it for the cache (see sdb_buildCache for how it's done).*/
 
     /*
-      * we decide whether or not to use the cache based on the following input.
-      *
-      * NSS_SDB_USE_CACHE environment variable is non-existant or set to
-      *   anything other than "no" or "yes" ("auto", for instance).
-      *   This is the normal case. NSS will measure the performance of access
-      *   to the temp database versus the access to the users passed in
-      *   database location. If the temp database location is "significantly"
-      *   faster we will use the cache.
-      *
-      * NSS_SDB_USE_CACHE environment variable is set to "no": cache will not
-      *   be used.
-      *
-      * NSS_SDB_USE_CACHE environment variable is set to "yes": cache will
-      *   always be used.
-      *
-      * It is expected that most applications would use the "auto" selection,
-      * the environment variable is primarily to simplify testing, and to
-      * correct potential corner cases where  */
+     * we decide whether or not to use the cache based on the following input.
+     *
+     * NSS_SDB_USE_CACHE environment variable is set to anything other than
+     *   "yes" or "no" (for instance, "auto"): NSS will measure the performance
+     *   of access to the temp database versus the access to the user's
+     *   passed-in database location. If the temp database location is
+     *   "significantly" faster we will use the cache.
+     *
+     * NSS_SDB_USE_CACHE environment variable is nonexistent or set to "no":
+     *   cache will not be used.
+     *
+     * NSS_SDB_USE_CACHE environment variable is set to "yes": cache will
+     *   always be used.
+     *
+     * It is expected that most applications will not need this feature, and
+     * thus it is disabled by default.
+     */
 
     env = PR_GetEnvSecure("NSS_SDB_USE_CACHE");
 
-    if (env && PORT_Strcasecmp(env, "no") == 0) {
+    if (!env || PORT_Strcasecmp(env, "no") == 0) {
         enableCache = PR_FALSE;
-    } else if (env && PORT_Strcasecmp(env, "yes") == 0) {
+    } else if (PORT_Strcasecmp(env, "yes") == 0) {
         enableCache = PR_TRUE;
     } else {
         char *tempDir = NULL;
         PRUint32 tempOps = 0;
         /*
          *  Use PR_Access to determine how expensive it
          * is to check for the existance of a local file compared to the same
          * check in the temp directory. If the temp directory is faster, cache
@@ -2030,20 +2029,21 @@ s_open(const char *directory, const char
 #endif
 
     /* how long does it take to test for a non-existant file in our working
      * directory? Allows us to test if we may be on a network file system */
     accessOps = 1;
     {
         char *env;
         env = PR_GetEnvSecure("NSS_SDB_USE_CACHE");
-        /* If the environment variable is set to yes or no, sdb_init() will
-         * ignore the value of accessOps, and we can skip the measuring.*/
-        if (!env || ((PORT_Strcasecmp(env, "no") != 0) &&
-                     (PORT_Strcasecmp(env, "yes") != 0))) {
+        /* If the environment variable is undefined or set to yes or no,
+         * sdb_init() will ignore the value of accessOps, and we can skip the
+         * measuring.*/
+        if (env && PORT_Strcasecmp(env, "no") != 0 &&
+            PORT_Strcasecmp(env, "yes") != 0) {
             accessOps = sdb_measureAccess(directory);
         }
     }
 
     /*
      * open the cert data base
      */
     if (certdb) {
--- a/lib/softoken/softkver.h
+++ b/lib/softoken/softkver.h
@@ -16,16 +16,16 @@
 
 /*
  * Softoken's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION "3.32" SOFTOKEN_ECC_STRING " Beta"
+#define SOFTOKEN_VERSION "3.33" SOFTOKEN_ECC_STRING " Beta"
 #define SOFTOKEN_VMAJOR 3
-#define SOFTOKEN_VMINOR 32
+#define SOFTOKEN_VMINOR 33
 #define SOFTOKEN_VPATCH 0
 #define SOFTOKEN_VBUILD 0
 #define SOFTOKEN_BETA PR_TRUE
 
 #endif /* _SOFTKVER_H_ */
--- a/lib/ssl/SSLerrs.h
+++ b/lib/ssl/SSLerrs.h
@@ -511,8 +511,11 @@ ER3(SSL_ERROR_DOWNGRADE_WITH_EARLY_DATA,
 ER3(SSL_ERROR_TOO_MUCH_EARLY_DATA, (SSL_ERROR_BASE + 161),
     "SSL received more early data than permitted.")
 
 ER3(SSL_ERROR_RX_UNEXPECTED_END_OF_EARLY_DATA, (SSL_ERROR_BASE + 162),
     "SSL received an unexpected End of Early Data message.")
 
 ER3(SSL_ERROR_RX_MALFORMED_END_OF_EARLY_DATA, (SSL_ERROR_BASE + 163),
     "SSL received a malformed End of Early Data message.")
+
+ER3(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API, (SSL_ERROR_BASE + 164),
+    "An experimental API was called, but not supported.")
--- a/lib/ssl/exports.gyp
+++ b/lib/ssl/exports.gyp
@@ -10,16 +10,17 @@
       'target_name': 'lib_ssl_exports',
       'type': 'none',
       'copies': [
         {
           'files': [
             'preenc.h',
             'ssl.h',
             'sslerr.h',
+            'sslexp.h',
             'sslproto.h',
             'sslt.h'
           ],
           'destination': '<(nss_public_dist_dir)/<(module)'
         }
       ]
     }
   ],
--- a/lib/ssl/manifest.mn
+++ b/lib/ssl/manifest.mn
@@ -5,16 +5,17 @@
 CORE_DEPTH = ../..
 
 # DEFINES = -DTRACE
 
 EXPORTS = \
         ssl.h \
         sslt.h \
         sslerr.h \
+        sslexp.h \
         sslproto.h \
         preenc.h \
         $(NULL)
 
 MODULE = nss
 MAPFILE = $(OBJDIR)/ssl.def
 
 CSRCS = \
--- a/lib/ssl/ssl.def
+++ b/lib/ssl/ssl.def
@@ -229,15 +229,16 @@ SSL_SetSessionTicketKeyPair;
 ;+};
 ;+NSS_3.30.0.1 { # Additional symbols for NSS 3.30 release
 ;+    global:
 SSL_AlertReceivedCallback;
 SSL_AlertSentCallback;
 ;+    local:
 ;+*;
 ;+};
-;+NSS_3.32 {    # NSS 3.32 release
+;+NSS_3.33 {    # NSS 3.33 release
 ;+    global:
+SSL_GetExperimentalAPI;
 SSL_GetExtensionSupport;
 SSL_InstallExtensionHooks;
 ;+    local:
 ;+*;
 ;+};
--- a/lib/ssl/ssl.h
+++ b/lib/ssl/ssl.h
@@ -1496,11 +1496,17 @@ typedef SECStatus(PR_CALLBACK *SSLExtens
     const PRUint8 *data, unsigned int len,
     SSLAlertDescription *alert, void *arg);
 
 SSL_IMPORT SECStatus
 SSL_InstallExtensionHooks(PRFileDesc *fd, PRUint16 extension,
                           SSLExtensionWriter writer, void *writerArg,
                           SSLExtensionHandler handler, void *handlerArg);
 
+/*
+ * This is used to access experimental APIs.  Don't call this directly.  This is
+ * used to enable the experimental APIs that are defined in "sslexp.h".
+ */
+SSL_IMPORT void *SSL_GetExperimentalAPI(const char *name);
+
 SEC_END_PROTOS
 
 #endif /* __ssl_h_ */
--- a/lib/ssl/sslerr.h
+++ b/lib/ssl/sslerr.h
@@ -244,15 +244,18 @@ typedef enum {
     SSL_ERROR_BAD_2ND_CLIENT_HELLO = (SSL_ERROR_BASE + 156),
     SSL_ERROR_MISSING_SIGNATURE_ALGORITHMS_EXTENSION = (SSL_ERROR_BASE + 157),
     SSL_ERROR_MALFORMED_PSK_KEY_EXCHANGE_MODES = (SSL_ERROR_BASE + 158),
     SSL_ERROR_MISSING_PSK_KEY_EXCHANGE_MODES = (SSL_ERROR_BASE + 159),
     SSL_ERROR_DOWNGRADE_WITH_EARLY_DATA = (SSL_ERROR_BASE + 160),
     SSL_ERROR_TOO_MUCH_EARLY_DATA = (SSL_ERROR_BASE + 161),
     SSL_ERROR_RX_UNEXPECTED_END_OF_EARLY_DATA = (SSL_ERROR_BASE + 162),
     SSL_ERROR_RX_MALFORMED_END_OF_EARLY_DATA = (SSL_ERROR_BASE + 163),
+
+    SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API = (SSL_ERROR_BASE + 164),
+
     SSL_ERROR_END_OF_LIST   /* let the c compiler determine the value of this. */
 } SSLErrorCodes;
 #endif /* NO_SECURITY_ERROR_ENUM */
 
 /* clang-format on */
 
 #endif /* __SSL_ERR_H_ */
new file mode 100644
--- /dev/null
+++ b/lib/ssl/sslexp.h
@@ -0,0 +1,27 @@
+/*
+ * This file contains prototypes for experimental SSL functions.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef __sslexp_h_
+#define __sslexp_h_
+
+#include "ssl.h"
+#include "sslerr.h"
+
+SEC_BEGIN_PROTOS
+
+/* The functions in this header file are not guaranteed to remain available in
+ * future NSS versions. Code that uses these functions needs to safeguard
+ * against the function not being available. */
+
+#define SSL_EXPERIMENTAL_API(name, arglist, args)                   \
+    (SSL_GetExperimentalAPI(name)                                   \
+         ? ((SECStatus(*) arglist)SSL_GetExperimentalAPI(name))args \
+         : SECFailure)
+
+SEC_END_PROTOS
+
+#endif /* __sslexp_h_ */
--- a/lib/ssl/sslsock.c
+++ b/lib/ssl/sslsock.c
@@ -6,16 +6,17 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "seccomon.h"
 #include "cert.h"
 #include "keyhi.h"
 #include "ssl.h"
+#include "sslexp.h"
 #include "sslimpl.h"
 #include "sslproto.h"
 #include "nspr.h"
 #include "private/pprio.h"
 #include "nss.h"
 #include "pk11pqg.h"
 
 static const sslSocketOps ssl_default_ops = { /* No SSL. */
@@ -3870,8 +3871,52 @@ SSL_CanBypass(CERTCertificate *cert, SEC
 {
     if (!pcanbypass) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     *pcanbypass = PR_FALSE;
     return SECSuccess;
 }
+
+/* Functions that are truly experimental use EXP, functions that are no longer
+ * experimental use PUB.
+ *
+ * When initially defining a new API, add that API here using the EXP() macro
+ * and name the function with a SSLExp_ prefix.  Define the experimental API as
+ * a macro in sslexp.h using the SSL_EXPERIMENTAL_API() macro defined there.
+ *
+ * Once an API is stable and proven, move the macro definition in sslexp.h to a
+ * proper function declaration in ssl.h.  Keeping the function in this list
+ * ensures that code built against the release that contained the experimental
+ * API will continue to work; use PUB() to reference the public function.
+ */
+#define EXP(n)                \
+    {                         \
+        "SSL_" #n, SSLExp_##n \
+    }
+#define PUB(n)             \
+    {                      \
+        "SSL_" #n, SSL_##n \
+    }
+struct {
+    const char *const name;
+    void *function;
+} ssl_experimental_functions[] = {
+#ifndef SSL_DISABLE_EXPERIMENTAL_API
+#endif
+    { "", NULL }
+};
+#undef EXP
+#undef PUB
+
+void *
+SSL_GetExperimentalAPI(const char *name)
+{
+    unsigned int i;
+    for (i = 0; i < PR_ARRAY_SIZE(ssl_experimental_functions); ++i) {
+        if (strcmp(name, ssl_experimental_functions[i].name) == 0) {
+            return ssl_experimental_functions[i].function;
+        }
+    }
+    PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
+    return NULL;
+}
--- a/lib/util/nssutil.h
+++ b/lib/util/nssutil.h
@@ -14,19 +14,19 @@
 
 /*
  * NSS utilities's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION "3.32 Beta"
+#define NSSUTIL_VERSION "3.33 Beta"
 #define NSSUTIL_VMAJOR 3
-#define NSSUTIL_VMINOR 32
+#define NSSUTIL_VMINOR 33
 #define NSSUTIL_VPATCH 0
 #define NSSUTIL_VBUILD 0
 #define NSSUTIL_BETA PR_TRUE
 
 SEC_BEGIN_PROTOS
 
 /*
  * Returns a const string of the UTIL library version.
--- a/lib/util/secoid.c
+++ b/lib/util/secoid.c
@@ -1836,23 +1836,21 @@ secoid_HashDynamicOiddata(const SECOidDa
  * cheaper to rehash the table when it changes than it is to do the loop
  * each time.
  */
 static SECOidData *
 secoid_FindDynamic(const SECItem *key)
 {
     SECOidData *ret = NULL;
 
+    NSSRWLock_LockRead(dynOidLock);
     if (dynOidHash) {
-        NSSRWLock_LockRead(dynOidLock);
-        if (dynOidHash) { /* must check it again with lock held. */
-            ret = (SECOidData *)PL_HashTableLookup(dynOidHash, key);
-        }
-        NSSRWLock_UnlockRead(dynOidLock);
+        ret = (SECOidData *)PL_HashTableLookup(dynOidHash, key);
     }
+    NSSRWLock_UnlockRead(dynOidLock);
     if (ret == NULL) {
         PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID);
     }
     return ret;
 }
 
 static dynXOid *
 secoid_FindDynamicByTag(SECOidTag tagnum)
@@ -1861,24 +1859,22 @@ secoid_FindDynamicByTag(SECOidTag tagnum
     int tagNumDiff;
 
     if (tagnum < SEC_OID_TOTAL) {
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return NULL;
     }
     tagNumDiff = tagnum - SEC_OID_TOTAL;
 
-    if (dynOidTable) {
-        NSSRWLock_LockRead(dynOidLock);
-        if (dynOidTable != NULL && /* must check it again with lock held. */
-            tagNumDiff < dynOidEntriesUsed) {
-            dxo = dynOidTable[tagNumDiff];
-        }
-        NSSRWLock_UnlockRead(dynOidLock);
+    NSSRWLock_LockRead(dynOidLock);
+    if (dynOidTable != NULL &&
+        tagNumDiff < dynOidEntriesUsed) {
+        dxo = dynOidTable[tagNumDiff];
     }
+    NSSRWLock_UnlockRead(dynOidLock);
     if (dxo == NULL) {
         PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID);
     }
     return dxo;
 }
 
 /*
  * This routine is thread safe now.
--- a/tests/interop/interop.sh
+++ b/tests/interop/interop.sh
@@ -21,23 +21,25 @@ interop_init()
   fi
 
   mkdir -p "${HOSTDIR}/interop"
   cd "${HOSTDIR}/interop"
   INTEROP=${INTEROP:=tls_interop}
   if [ ! -d "$INTEROP" ]; then
     git clone -q https://github.com/mozilla/tls-interop "$INTEROP"
   fi
+  INTEROP=$(cd "$INTEROP";pwd -P)
 
   # We use the BoringSSL keyfiles
   BORING=${BORING:=boringssl}
   if [ ! -d "$BORING" ]; then
     git clone -q https://boringssl.googlesource.com/boringssl "$BORING"
     git -C "$BORING" checkout -q ea80f9d5df4c302de391e999395e1c87f9c786b3
   fi
+  BORING=$(cd "$BORING";pwd -P)
 
   SCRIPTNAME="interop.sh"
   html_head "interop test"
 }
 
 interop_cleanup()
 {
   html "</TABLE><BR>"
@@ -48,21 +50,21 @@ interop_cleanup()
 # Function so we can easily add other stacks
 interop_run()
 {
   test_name=$1
   client=$2
   server=$3
 
   (cd "$INTEROP";
-   cargo run -- --client ${client} --server ${server} --rootdir ../${BORING}/ssl/test/runner/ --test-cases cases.json) 2>interop-${test_name}.errors | tee interop-${test_name}.log
+   cargo run -- --client "$client" --server "$server" --rootdir "$BORING"/ssl/test/runner/ --test-cases cases.json) 2>interop-${test_name}.errors | tee interop-${test_name}.log
   html_msg "${PIPESTATUS[0]}" 0 "Interop" "Run successfully"
   grep -i 'FAILED\|Assertion failure' interop-${test_name}.errors
   html_msg $? 1 "Interop" "No failures"
 }
 
 cd "$(dirname "$0")"
 SOURCE_DIR="$PWD"/../..
 interop_init
-NSS_SHIM="${BINDIR}"/nss_bogo_shim
-BORING_SHIM="../${BORING}"/build/ssl/test/bssl_shim
+NSS_SHIM="$BINDIR"/nss_bogo_shim
+BORING_SHIM="$BORING"/build/ssl/test/bssl_shim
 interop_run "nss_nss" ${NSS_SHIM} ${NSS_SHIM}
 interop_cleanup